display ipsec policy-template (User view)

Function

The display ipsec policy-template command displays information about the IPSec policy template.

Format

display ipsec policy-template [ brief | name policy-template-name [ seq-number ] ] ctrl-plane

display ipsec policy-template [ brief | name policy-template-name [ seq-number ] ] slot slot-id cpu cpu-id

Parameters

Parameter	Description	Value
brief	Displays brief information about all the IPSec policy templates.	-
name policy-template-name	Specifies the name of an IPSec policy template.	The value is an existing IPSec policy template name.
seq-number	Specifies the sequence number of an IPSec policy template.	The value is an existing IPSec policy template number.
ctrl-plane	Display the IPSec policy template on control plane. All models except USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter.	-
slot slot-id	Specify the Slot ID. Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter.	-
cpu cpu-id	Specify the CPU ID. Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter.	-

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

If the no parameter is not specified, detailed information about all IPSec policy templates is displayed.

If brief is specified, you can view the following brief information about the IPSec policy template. In this case, the information is displayed in brief format.

Template name and sequence number
ACL number
IKE Peer

If name is specified, the command displays detailed information about the IPSec policy template.

Example

# Display information about all the IPSec policy template.

<sysname> display ipsec policy-template brief ctrl-plane
Number of templates group : 1                                                    
Number of templates       : 1                                                    
                                                                                 
Policy template name     ACL           Peer name                                 
------------------------------------------------------                           
temp1-10                 3001/IPv4     rut3

**Table 1** Description of the **display ipsec policy-template brief** command output
Item	Description
Number of templates group	Number of IPSec policy template groups. An IPSec policy template is identified by its name and sequence number. Multiple IPSec policy templates with the same IPSec policy template name constitute an IPSec policy template group.
Number of templates	Number of IPSec policy templates.
Policy template name	Name and sequence number of an IPSec policy template. To configure an IPSec policy template, run the ipsec policy-template command.
ACL	ACL referenced in the IPSec policy template. To reference an ACL in an IPSec policy template, run the security acl command.
Peer name	Name of the IKE peer referenced in the IPSec policy template. To reference an IKE peer, run the ike-peer command.

# Display information about a specified IPSec policy template.

<sysname> display ipsec policy-template name tem3 ctrl-plane
                                                                                
===============================================                                 
IPSec policy template group: "tem3"                                             
===============================================                                 
                                                                                
    Sequence number: 1                                                          
    Policy Alias: tem3-1                                                        
    Security data flow: 3001/IPv4
    Peer name    :  zc3                                                         
    Perfect forward secrecy: DH group 14
    Proposal name:  3                                                           
    IPSec SA local duration(time based): 3600 seconds                           
    IPSec SA local duration(traffic based): 1843200 kilobytes
    Anti-replay: Enable
    Anti-replay window size: 1024                                               
    Fragment before-encryption: Disable
    Route inject state: -
    Route inject nexthop: -                       
    Route inject preference: -  
    Policy state: Enable
    Acl-rule modification response: Enable
    Flow-vrf check : Enable   
    Sa keep-holding-to hard-duration : Disable

**Table 2** Description of the **display ipsec policy-template name** command output
Item	Description
IPSec policy template group	Name of an IPSec policy template. To configure an IPSec policy template, run the ipsec policy-template command.
Sequence number	Sequence number of an IPSec policy template. To configure an IPSec policy template, run the ipsec policy-template command.
Policy Alias	Alias of an IPSec policy template. To configure an alias, run the alias (ISAKMP IPSec policy view, IPSec policy template view) command.
Security data flow	ACL referenced in the IPSec policy template. To reference an ACL referenced in an IPSec policy template, run the security acl command.
Peer name	Name of the IKE peer referenced in the IPSec policy template. To reference an IKE peer, run the ike-peer command.
Perfect forward secrecy	Perfect Forward Secrecy (PFS) used in IKE negotiation: DH group 1: 768-bit Diffie-Hellman group is used during IKE negotiation. DH group 2: 1024-bit Diffie-Hellman group is used during IKE negotiation. DH group 5: 1536-bit Diffie-Hellman group is used during IKE negotiation. DH group 14: 2048-bit Diffie-Hellman group is used during IKE negotiation. DH group 15: 3072-bit Diffie-Hellman group is used during IKE negotiation. DH group 16: 4096-bit Diffie-Hellman group is used during IKE negotiation. DH group 18: 8192-bit Diffie-Hellman group is used during IKE negotiation. DH group 19: 256-bit ECP Diffie-Hellman group is used during IKE negotiation. DH group 20: 384-bit ECP Diffie-Hellman group is used during IKE negotiation. DH group 21: 521-bit ECP Diffie-Hellman group is used during IKE negotiation. DH group 24: 2048-bit Diffie-Hellman group that includes a 256-bit sub-group is used during IKE negotiation. To specify an algorithm used to generate a pseudo random number, run the pfs command.
Proposal name	Name of an IPSec proposal referenced in the IPSec policy template. To reference an IPSec proposal, run the proposal command.
IPSec SA local duration(time based)	Time-based lifetime of the local SA. To set the time-based lifetime of the local SA, run the sa duration time-based command.
IPSec SA local duration(traffic based)	Traffic-based lifetime of the local SA. To set the traffic-based lifetime of the local SA, run the sa duration traffic-based command.
Anti-replay	Whether IPSec anti-replay is enabled in an IPSec policy template: Enable: IPSec anti-replay is enabled. -: IPSec anti-replay is disabled for an IPSec tunnel. The global IPSec anti-replay function is used. To enable IPSec anti-replay, run the anti-replay enable command.
Anti-replay window size	IPSec anti-replay window size. This field is available only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the ipsec anti-replay window command.
Fragment before-encryption	Packet fragmentation mode for an IPSec tunnel: Enable: IPSec packets are fragmented before encryption. Disable: IPSec packets are fragmented after encryption. To configure a packet fragmentation mode for an IPSec tunnel, run the fragmentation before-encryption command.
Route inject state	Route injection status. Dynamic: Dynamic route injection is enabled To configure route injection, run the route inject command.
Route inject nexthop	Next hop of a generated route: Auto: The device searches its IP routing table for routes of packets based on packets' destination IP addresses, and specifies the next-hop IP address of the optimal route as that of the route to the remote end. ip-address: The next-hop IP address of the route to the remote end is manually specified. To configure route injection, run the route inject command.
Route inject preference	Priority of a generated route. To configure route injection, run the route inject command.
Policy state	Status of the IPSec policy that references the IPSec policy template: Enable: The IPSec policy is enabled. Disable: The IPSec policy is disabled. To set an IPSec policy to the state, run the policy enable command.
Acl-rule modification response	Whether the device is enabled to trigger IPSec tunnel re-negotiation immediately after an ACL rule is modified: Enable Disable To enable this function, run the security acl-rule modification response disable command.
Flow-vrf check	Whether to enable the check of the VPN instance in a data flow during IPSec encryption/decryption: Enable Disable To enable this function, run the flow-vrf check disable command.
Sa keep-holding-to hard-duration	Whether the device deletes the original IPSec SA after the hard lifetime expires during IPSec SA re-negotiation. Enable: The device will delete the original IPSec SA after the hard lifetime expires. Disable: The device deletes the original IPSec SA immediately. To configure the device to delete the original IPSec SA after the hard lifetime expires, run the sa keep-holding-to hard-duration command.