< Home

display ipsec policy (User view)

Function

Using the display ipsec policy command, you can view information about the IPSec policy.

Format

display ipsec policy [ brief | name policy-name [ seq-number ] ] ctrl-plane

display ipsec policy [ brief | name policy-name [ seq-number ] ] slot slot-id cpu cpu-id

Parameters

Parameter Description Value

brief

Displays brief information about all the IPSec policies.

-

name policy-name

Specifies the name of an IPSec policy.

The value is an existing IPSec policy name.

seq-number

Specifies the sequence number of an IPSec policy

The value is an existing IPSec policy number.

ctrl-plane

Display the IPSec proposal on control plane.

All models except USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter.

-

slot slot-id

Specify the Slot ID.

Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter.

-

cpu cpu-id

Specify the CPU ID.

Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter.

-

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

If the policy name or the sequence number is not specified, detailed information about all IPSec policies is displayed.

Using the display ipsec policy brief command, you can view the following brief information about all IPSec policies. In this case, the information is displayed in brief format.

  • Name and sequence number
  • Negotiation mode
  • ACL number
  • IKE peer
  • Local address
  • Remote address

Using the name parameter, you can view details on the specified IPSec policy. In this case, the information is displayed in detailed format. If you specify name policy-name and does not specify seq-number, the command displays detailed information about an IPSec policy group.

Example

# Display brief information about all the IPSec policies.

<sysname> display ipsec policy brief ctrl-plane
Number of policies group : 1 
Number of policies       : 1 
  
Policy name           Mode     ACL         Peer name   Local address    Remote address
--------------------------------------------------------------------------------------
policy1-100           isakmp   3002/IPv4   peer1
Table 1 Description of the display ipsec policy brief command output
Item
Description
Number of policies group

Number of IPSec policy groups. An IPSec policy is identified by its name and sequence number, and multiple IPSec policies with the same name constitute an IPSec policy group.
Number of policies

Number of IPSec policies.
Policy name

Name and sequence number of an IPSec policy. To configure an IPSec policy, run the ipsec policy (system view) command.
Mode
Mode in which an IPSec policy is created:
  • isakmp: The IPSec policy is created in IKE negotiation mode.
  • template: The IPSec policy is created using an IPSec policy template.
  • manual: The IPSec policy is created manually.

To configure IPSec policy creation mode, run the ipsec policy (system view) command.
ACL ACL referenced in the IPSec policy. To reference an ACL in an IPSec policy, run the security acl command.
Peer name

Name of the IKE peer referenced in the IPSec policy. To configure an IKE peer, run the ike-peer command.
Local address Local IP address used in IPSec negotiation. To configure the local IP address used in IPSec negotiation, run the tunnel local command.
Remote address Remote IP address used in IPSec negotiation. To configure the remote IP address used in IPSec negotiation, run the tunnel remote command.

# View the information about the security policy.

<sysname> display ipsec policy ctrl-plane
=========================================== 
IPSec policy group: "10"         
Using interface: GigabitEthernet0/0/6            
===========================================                    
     Sequence number: 10 
     Policy Alias: map1-10  
     Security data flow: 3000/IPv4
     Peer name    :  rut2 
     Perfect forward secrecy: DH group 14
     Proposal name:  prop1 
     IPSec SA local duration(time based): 3600 seconds 
     IPSec SA local duration(traffic based): 1843200 kilobytes 
     SA trigger mode: Traffic-based
     Route inject state: -
     Route inject nexthop: -                       
     Route inject preference: -  
     Policy state: Enable
     Anti-replay: -  
     Anti-replay window size: 1024         
     Fragment before-encryption: Disable
     Respond-only: Enable
     Policy status  : Inactive
     Smart-link profile: -
     Smart-link using interface: -
     Flow-vrf check : Disable
     Sa keep-holding-to hard-duration : Disable
Table 2 Description of the display ipsec policy command output
Item
Description
IPSec policy group Name of an IPSec policy group. To configure an IPSec policy group, run the ipsec policy (system view) command.
Using interface Interface to which an IPSec policy group is applied.
Sequence number Sequence number of an IPSec policy. To configure a sequence number, run the ipsec policy (system view) command.

Policy Alias

Alias of the IPSec policy. To configure an alias for an IPSec policy, run the alias (ISAKMP IPSec policy view, IPSec policy template view) command.

Security data flow

 ACL referenced in the IPSec policy. To reference an ACL in an IPSec policy, run the security acl command.

Peer name

 IKE peer referenced in the IPSec policy. To configure an IKE peer, run the ike-peer command.

Perfect forward secrecy
Perfect Forward Secrecy (PFS) used in IKE negotiation:
  • DH group 1: 768-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 2: 1024-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 5: 1536-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 14: 2048-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 15: 3072-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 16: 4096-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 18: 8192-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 19: 256-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 20: 384-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 21: 521-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 24: 2048-bit Diffie-Hellman group that includes a 256-bit sub-group is used during IKE negotiation.

To configure the PFS used in IKE negotiation, run the pfs command.

Proposal name

 IPSec proposal referenced in the IPSec policy. To reference an IPSec proposal, run the proposal command.

IPSec SA local duration(time based)

 Time-based IPSec SA lifetime. To set the time-based lifetime of the local SA, run the sa duration time-based command in the IPSec policy view.

IPSec SA local duration(traffic based)

 Traffic-based IPSec SA lifetime. To set the traffic-based lifetime of the local SA, run the sa duration traffic-based command in the IPSec policy view.

SA trigger mode

SA trigger mode:

  • Automatic
  • Traffic-based

To configure an SA trigger mode, run the sa trigger-mode command.
Route inject state

Route injection status:

  • Dynamic: Dynamic route injection is enabled.
  • Static: Static route injection is enabled.

To configure route injection, run the route inject command.
Route inject nexthop
Next hop of a generated route:
  • Auto: The device searches its IP routing table for routes of packets based on packets' destination IP addresses, and specifies the next-hop IP address of the optimal route as that of the route to the remote end.
  • ip-address: The next-hop IP address of the route to the remote end is manually specified.
To configure route injection, run the route inject command.
Route inject preference

Priority of a generated route. To configure route injection, run the route inject command.

Policy state

Policy status:

  • Enable
  • Disable
Anti-replay

Whether the anti-replay function is enabled. To enable the anti-replay function, run the anti-replay enable command.

Anti-replay window size

IPSec anti-replay window size. This field is available only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the anti-replay window command.

Fragment before-encryption

IPSec fragmentation mode:

  • Enable: IPSec packets are fragmented before encryption.
  • Disable: IPSec packets are fragmented after encryption.

To configure an IPSec fragmentation mode, run the fragmentation before-encryption command.

Respond-only
Whether the local end is enabled to initiate IPSec negotiation when an IPSec policy in ISAKMP mode is used to create an IPSec tunnel.
  • Enable: The local end functions as the IPSec responder and does not initiate IPSec negotiation.
  • Disable: The local end initiates IPSec negotiation.

Smart-link profile

Smart route selection rule referenced by an IPSec policy. To configure a smart route selection rule, run the smart-link profile command.

Smart-link using interface

Interface selected based on the smart route selection rule.
Flow-vrf check
Whether to enable the check of the VPN instance in a data flow during IPSec encryption/decryption:
  • Enable
  • Disable

To enable this function, run the flow-vrf check disable command.
Policy status
IPSec policy status:
  • Active
  • Inactive
To set an IPSec policy to the active state, run the policy enable command.
Sa keep-holding-to hard-duration

Whether the device deletes the original IPSec SA after the hard lifetime expires during IPSec SA re-negotiation.

  • Enable: The device will delete the original IPSec SA after the hard lifetime expires.
  • Disable: The device deletes the original IPSec SA immediately.

To configure the device to delete the original IPSec SA after the hard lifetime expires, run the sa keep-holding-to hard-duration command.
Parent Topic: IPSec Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >