
reset ipsec sa

Function

The reset ipsec sa command deletes IPSec SAs.

Format

reset ipsec sa [ remote { ipv4-address | ipv6-address } | policy policy-name [ sequence-number ] | profile profile-name | parameters ipv4-address { ah | esp } spi | slot slot-id cpu cpu-id ]

Parameters

Parameter: remote ipv4-address
Description: Specifies the IPv4 address of the remote end.
Value: The value is in dotted decimal notation.

Parameter: remote ipv6-address
Description: Specifies the IPv6 address of the remote end.
Value: The value is in colon hexadecimal notation.

Parameter: policy policy-name [ sequence-number ]
Description: Specifies the name and sequence number of an IPSec policy. If sequence-number is not specified, all the IPSec policies in the IPSec policy group with the specified name are used.
Value: The value must be an existing IPSec policy name or sequence number.

Parameter: profile profile-name
Description: Specifies the name of an IPSec profile. If profile is not specified, IPSec SAs established using all IPSec profiles are deleted.
Value: The value must be an existing IPSec profile name.

Parameter: parameters ipv4-address { ah | esp } spi
Description: Specifies the three elements that uniquely identify an IPSec SA: ipv4-address (destination address), protocol (AH or ESP), and Security Parameter Index (SPI). To reset an SA with this form, all three elements must be specified. If parameters is not specified, IPSec SAs established using any security protocol are deleted.
Value: The three elements are described as follows:
  • ipv4-address: IPv4 address.
  • protocol: AH or ESP.
  • spi: an integer that ranges from 256 to 4294967295.

Parameter: slot slot-id cpu cpu-id
Description: Deletes IPSec SAs with the specified slot ID and CPU ID. Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter.
Value: The values of slot-id and cpu-id are integers and must be set according to the device configuration.

Views

User view

Default Level

3: Management level

Usage Guidelines

When you run the reset ipsec sa command to delete IPSec SAs, note the following points:
  • If no parameter is specified, all IPSec SAs are deleted.

  • If parameters is specified, the IPSec SAs in two directions are deleted simultaneously.

  • If a manually created IPSec SA is deleted, the IKE peers automatically create a new IPSec SA based on the manually configured parameters.

  • To delete IPSec SAs established through IKE negotiation, you must run the reset ipsec sa and reset ike sa commands in sequence. Otherwise, IPSec SAs established through IKE negotiation fail to be deleted. After the IPSec SAs are deleted, IKE peers re-negotiate IPSec SAs only when packets trigger IKE negotiation.
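The following Python helper is an added illustration, not Huawei code and not part of this reference. It assembles reset ipsec sa command lines from the selectors documented above, enforcing the table's constraints (one selector at a time, the mandatory address/protocol/SPI triple, the 256 to 4294967295 SPI range, slot requiring cpu), and sequences the bare reset ike sa command after it for IKE-negotiated SAs as the guidelines require. The function names and the ike_negotiated flag are this example's own assumptions; how that flag is obtained from the device (for instance from display output) is outside its scope.

```python
"""Build and sequence `reset ipsec sa` commands according to the reference rules.

Added example; it only assembles CLI strings so that an operator or an
automation script gets the parameters right before sending anything
to the firewall.
"""
import ipaddress

SPI_MIN, SPI_MAX = 256, 4294967295   # spi range from the parameter table
PROTOCOLS = ("ah", "esp")


def spi_in_range(spi) -> bool:
    """True if spi is an integer inside the documented range."""
    try:
        return SPI_MIN <= int(spi) <= SPI_MAX
    except (TypeError, ValueError):
        return False


def build_reset_ipsec_sa(remote=None, policy=None, sequence=None,
                         profile=None, parameters=None,
                         slot=None, cpu=None) -> str:
    """Return one `reset ipsec sa ...` line.

    At most one selector may be given (the format lists them as
    alternatives); no selector at all means every IPSec SA is deleted.
    `parameters` is an (ipv4-address, protocol, spi) triple and all three
    elements are mandatory for that form.
    """
    chosen = [s for s in (remote, policy, profile, parameters, slot)
              if s is not None]
    if len(chosen) > 1:
        raise ValueError("reset ipsec sa accepts at most one selector")
    if sequence is not None and policy is None:
        raise ValueError("sequence-number is only valid together with policy")

    if remote is not None:
        ipaddress.ip_address(remote)   # accepts dotted-decimal or colon-hex text
        return f"reset ipsec sa remote {remote}"

    if policy is not None:
        if " " in policy:
            raise ValueError("policy name must be a single token")
        cmd = f"reset ipsec sa policy {policy}"
        if sequence is not None:
            cmd += f" {int(sequence)}"
        return cmd

    if profile is not None:
        return f"reset ipsec sa profile {profile}"

    if parameters is not None:
        addr, proto, spi = parameters          # all three are required
        ipaddress.IPv4Address(addr)            # this form is IPv4-only
        proto = proto.lower()
        if proto not in PROTOCOLS:
            raise ValueError("protocol must be ah or esp")
        if not spi_in_range(spi):
            raise ValueError(f"spi must be in {SPI_MIN}..{SPI_MAX}")
        return f"reset ipsec sa parameters {addr} {proto} {int(spi)}"

    if slot is not None:
        if cpu is None:
            raise ValueError("slot slot-id requires cpu cpu-id")
        return f"reset ipsec sa slot {int(slot)} cpu {int(cpu)}"

    return "reset ipsec sa"


def plan_sa_reset(ike_negotiated: bool, **selector) -> list:
    """Command sequence that actually removes the selected SA(s).

    For IKE-negotiated SAs the guidelines require `reset ipsec sa` followed
    by `reset ike sa`, otherwise the IPSec SAs are not deleted. A manually
    keyed SA is recreated from its configured parameters, so only the single
    command applies. `ike_negotiated` is an assumed input of this example.
    """
    cmds = [build_reset_ipsec_sa(**selector)]
    if ike_negotiated:
        cmds.append("reset ike sa")   # bare form, as named in the guidelines
    return cmds


if __name__ == "__main__":
    for line in plan_sa_reset(True, policy="policy1", sequence=10):
        print(line)
```

Because `reset ike sa` in its bare form applies to all IKE SAs on the device, a practitioner wiring this into automation should confirm the resulting sequence against the device's own IKE reference before running it against anything but the intended peer.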

Example

# Delete all the IPSec SAs.
<sysname> reset ipsec sa
# Delete the IPSec SA with remote IP address 10.1.1.2.
<sysname> reset ipsec sa remote 10.1.1.2
# Delete all IPSec SAs created through IPSec policy group policy1.
<sysname> reset ipsec sa policy policy1
# Delete the IPSec SA with IPSec policy name policy1 and sequence number 10.
<sysname> reset ipsec sa policy policy1 10
# Delete the IPSec SA whose remote IP address is 10.1.1.2, security protocol is AH, and SPI is 10000.
<sysname> reset ipsec sa parameters 10.1.1.2 ah 10000
# Delete the IPSec SA established through IPSec profile profile1.
<sysname> reset ipsec sa profile profile1
Copyright © Huawei Technologies Co., Ltd.