HP VPN Firewall Appliances VPN Command Reference
Part number: 5998-4178
Software version: F1000-A-EI/F1000-S-EI (Feature 3726); F1000-E (Release 3177); F5000 (Feature 3211); F5000-S/F5000-C (Release 3808); VPN firewall modules (Release 3177); 20-Gbps VPN firewall modules (Release 3817)
Document version: 6PW101-20130923
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
GRE commands

display gre p2mp tunnel-table interface tunnel

Use display gre p2mp tunnel-table interface tunnel to display the tunnel entry information of a point-to-multipoint (P2MP) GRE tunnel interface.

Syntax
display gre p2mp tunnel-table interface tunnel number [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
number: Specifies the tunnel interface number.
|: Filters command output by specifying a regular expression.
gre checksum

Use gre checksum to enable the GRE packet checksum function. This function verifies the validity of packets and discards invalid packets.
Use undo gre checksum to disable the GRE packet checksum function.

Syntax
gre checksum
undo gre checksum

Default
The GRE packet checksum function is disabled.

Views
Tunnel interface view

Default command level
2: System level

Examples
# Enable the GRE packet checksum function for the tunnel between device Sysname1 and device Sysname2.
Views
Tunnel interface view

Default command level
2: System level

Parameters
key-number: Specifies the key for the GRE tunnel interface, in the range of 0 to 4294967295.

Usage guidelines
For a P2P GRE tunnel, both ends of the tunnel must be configured with the same GRE key. Otherwise, packets cannot pass the GRE key verification and are discarded. This is a weak security mechanism: it only prevents packets from being accepted by mistake.
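The receiver-side behaviour of gre checksum and gre key, modelled in Python as an added example that is not from the HP documentation: the sender builds a GRE header (RFC 2784/2890 layout, with the Recursion Control bits of RFC 1701) with optional checksum and key fields, and the receiver discards packets whose key does not match the configured one or whose checksum fails. Function names and the sample payload are constructed for this example.

```python
import struct
from typing import Optional, Tuple

# Flag bits in the first 16-bit word of the GRE header.
GRE_C = 0x8000          # checksum present
GRE_K = 0x2000          # key present
GRE_S = 0x1000          # sequence number present
RECUR_SHIFT = 8         # Recursion Control: three bits at 8-10 (RFC 1701)
RECUR_MASK = 0x7


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum over data, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int = 0x0800, key: Optional[int] = None,
              checksum: bool = False, recursion: int = 0) -> bytes:
    """Sender side: wrap payload in a GRE header with the requested options."""
    flags = (recursion & RECUR_MASK) << RECUR_SHIFT
    if checksum:
        flags |= GRE_C
    if key is not None:
        flags |= GRE_K
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += b"\x00\x00\x00\x00"          # checksum + reserved1, filled below
    if key is not None:
        hdr += struct.pack("!I", key)
    pkt = hdr + payload
    if checksum:
        # The checksum covers header and payload with the field itself zeroed.
        csum = ones_complement_checksum(pkt)
        pkt = pkt[:4] + struct.pack("!H", csum) + pkt[6:]
    return pkt


def receive_gre(pkt: bytes, expected_key: Optional[int] = None,
                verify_checksum: bool = False) -> Tuple[bool, str, bytes]:
    """Receiver side. expected_key models 'gre key' on this end,
    verify_checksum models 'gre checksum'. Returns (accepted, reason, payload)."""
    if len(pkt) < 4:
        return False, "truncated GRE header", b""
    flags, _proto = struct.unpack("!HH", pkt[:4])
    offset = 4
    has_csum = bool(flags & GRE_C)
    if has_csum:
        if len(pkt) < offset + 4:
            return False, "truncated checksum field", b""
        offset += 4
    key = None
    if flags & GRE_K:
        if len(pkt) < offset + 4:
            return False, "truncated key field", b""
        key = struct.unpack("!I", pkt[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_S:
        if len(pkt) < offset + 4:
            return False, "truncated sequence field", b""
        offset += 4
    if verify_checksum:
        if not has_csum:
            return False, "checksum required but not present", b""
        # With the checksum field in place a valid packet sums to 0xFFFF,
        # so the complemented sum over the whole packet must be zero.
        if ones_complement_checksum(pkt) != 0:
            return False, "checksum mismatch", b""
    # Key verification: both ends must carry the same key-number.
    if expected_key is not None and key != expected_key:
        return False, "GRE key verification failed", b""
    return True, "ok", pkt[offset:]


def recursion_control(pkt: bytes) -> int:
    """Read the Recursion Control field (the value set with gre recursion)."""
    flags = struct.unpack("!H", pkt[:2])[0]
    return (flags >> RECUR_SHIFT) & RECUR_MASK
```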
Parameters
aging-time: Specifies the aging time for tunnel entries, in the range of 1 to 86400, in seconds.

Usage guidelines
This command is available only for tunnel interfaces operating in P2MP GRE tunnel mode. If a device at the headquarters does not receive any packet from a branch before the aging time expires, it removes the corresponding tunnel entry. Too short a tunnel entry aging time might make tunnel entries age out too quickly, resulting in forwarding failures of packets to the branch.
gre p2mp branch-network-mask

Use gre p2mp branch-network-mask to configure the mask or mask length of the private network addresses of a branch in tunnel entries.
Use undo gre p2mp branch-network-mask to restore the default.

Syntax
gre p2mp branch-network-mask { mask | mask-length }
undo gre p2mp branch-network-mask

Default
The mask of the private network addresses of a branch is 255.255.255.255, and the mask length is 32.
gre recursion

Use gre recursion to specify a value for the Recursion Control field in the GRE header.
Use undo gre recursion to restore the default.

Syntax
gre recursion recursion-value
undo gre recursion

Default
The value of the Recursion Control field in the GRE header is 0, which means the number of encapsulations is not limited.
Views
Tunnel interface view

Default command level
2: System level

Parameters
seconds: Specifies the interval in seconds for transmitting keepalive packets, in the range of 1 to 32767. The default value is 10.
times: Specifies the maximum number of attempts for transmitting a keepalive packet, in the range of 1 to 255. The default value is 3.

Usage guidelines
With the GRE keepalive function enabled on a tunnel interface, the device sends GRE keepalive packets from the tunnel interface periodically.
Usage guidelines
If no parameters are specified, the command clears the tunnel entry information of all P2MP GRE tunnel interfaces.

Examples
# Clear all tunnel entries on all P2MP GRE tunnel interfaces.
reset gre p2mp tunnel-table
Warning: All tunnel table will be deleted. Continue? [Y/N]:
# Clear all tunnel entries on the P2MP GRE tunnel interface Tunnel0.
reset gre p2mp tunnel-table interface tunnel 0
Warning: All tunnel table will be deleted.
Tunneling commands

default

Use default to restore the default settings for the tunnel interface.

Syntax
default

Views
Tunnel interface view

Default command level
2: System level

Usage guidelines
CAUTION: The default command might interrupt ongoing network services. Make sure you are fully aware of the impacts of this command when you use it in a live network.
This command might fail to restore the default settings for some commands for reasons such as command dependencies and system restrictions.
Views
Tunnel interface view

Default command level
2: System level

Parameters
text: Specifies a description for the interface, a string of 1 to 80 characters.

Examples
# Configure the description for the interface Tunnel 1 as tunnel1.
system-view
[Sysname] interface tunnel 1
[Sysname-Tunnel1] description tunnel1

Related commands
display interface tunnel

destination

Use destination to specify the destination address for a tunnel interface.
Examples
# The interface GigabitEthernet 0/1 of Sysname 1 uses the IP address 193.101.1.1 and the interface GigabitEthernet 0/1 of Sysname 2 uses the IP address 192.100.1.1. Configure the source address 193.101.1.1 and destination address 192.100.1.1 for the tunnel interface of Sysname 1.
system-view
[Sysname1] interface tunnel 0
[Sysname1-Tunnel0] source 193.101.1.1
[Sysname1-Tunnel0] destination 192.100.1.1
# Configure the source address 192.100.1.1 and destination address 193.101.1.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines
If you do not specify the tunnel keyword, this command displays information about all interfaces on the device. If you specify the tunnel keyword without the number argument, this command displays information about all existing tunnel interfaces.

Examples
# Display detailed information about interface Tunnel 0.
Field: Description
Internet Address: IP address of the tunnel interface. If no IP address is assigned to the interface, this field displays "Internet protocol processing : disabled", which means that the tunnel interface cannot process packets. Primary indicates the primary IP address of the interface; Sub indicates a secondary IP address of the interface.
Encapsulation is TUNNEL: The encapsulation protocol is tunnel.
ID of the service loopback group referenced by the tunnel.
Field: Description
packets input: Total number of input packets.
input error: Number of input error packets.
packets output: Total number of output packets.
output error: Number of output error packets.

# Display brief information about interface Tunnel 0.
display interface tunnel 0 brief
The brief information of interface(s) under route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface   Link   Protocol   Main IP   Description
Tun0        UP     UP         1.1.1.
Field: Description
Cause: Cause of a DOWN physical link. If the port has been shut down with the shutdown command, this field displays Administratively. To bring up the port, use the undo shutdown command.

Related commands
• interface tunnel
• source
• destination
• tunnel-protocol

display ipv6 interface tunnel

Use display ipv6 interface tunnel to display IPv6 information for tunnel interfaces.
    FF02::1:FF00:1
    FF02::1:FF00:0
    FF02::2
    FF02::1
  MTU is 1480 bytes
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses
  IPv6 Packet statistics:
    InReceives: 45
    InTooShorts: 0
    InTruncatedPkts: 0
    InHopLimitExceeds: 0
    InBadHeaders: 0
    InBadOptions: 0
    ReasmReqds: 0
    ReasmOKs: 0
    InFragDrops: 0
    InFragTimeouts: 0
    OutFragFails: 0
    InUnknownProtos: 0
    InDelivers: 45
    OutRequests: 45
    OutForwDatagrams: 0
    InNoRoutes: 0
    In
Field: Description
IPv6 is enabled: IPv6 packet forwarding state of the tunnel interface. IPv6 packet forwarding is automatically enabled after an IPv6 address is assigned to the interface. IPv6 packet forwarding is enabled in the example.
link-local address: Link-local address configured for the tunnel interface.
Global unicast address(es): Global unicast addresses configured for the tunnel interface.
Joined group address(es): Multicast addresses of the tunnel interface.
Field: Description
InMcastNotMembers: Incoming IPv6 multicast packets that were discarded because the interface did not belong to the corresponding multicast groups.
OutMcastPkts: IPv6 multicast packets sent by the interface.
InAddrErrors: IPv6 packets that were discarded due to invalid destination addresses.
InDiscards: Received IPv6 packets that were discarded due to resource problems rather than packet content errors.
Views
Tunnel interface view

Default command level
2: System level

Parameters
number: Specifies the number of nested encapsulations, in the range of 1 to 10. The default value is 4.

Usage guidelines
This command is applicable only to IPv6 over IPv6 tunnels.

Examples
# Set the maximum number of nested encapsulations to 3 on the tunnel interface.
[Sysname-Tunnel3]

Related commands
• display interface tunnel
• display ipv6 interface tunnel
• source
• destination
• tunnel-protocol

mtu

Use mtu to set the MTU for IPv4 packets on a tunnel interface.
Use undo mtu to restore the default.

Syntax
mtu mtu-size
undo mtu

Default
The MTU for IPv4 packets on a tunnel interface is 64000.
Parameters
number: Specifies the tunnel interface number in the range of 0 to 4095.

Usage guidelines
If you want to observe new traffic statistics on a tunnel interface, you can use this command to clear old statistics:
• If you do not specify any parameters, this command clears the statistics for all interfaces.
• If you specify only the tunnel keyword, this command clears the statistics for all tunnel interfaces.
Default
No source address or source interface is specified for the tunnel interface.

Views
Tunnel interface view

Default command level
2: System level

Parameters
ip-address: Specifies the tunnel source IPv4 address.
ipv6-address: Specifies the tunnel source IPv6 address.
interface-type interface-number: Specifies the source interface type and number.
Views
Tunnel interface view

Default command level
2: System level

Parameters
bandwidth-value: Specifies the bandwidth value of the tunnel interface in kbps, in the range of 1 to 10000000.

Usage guidelines
The bandwidth set by the tunnel bandwidth command is used by dynamic routing protocols to calculate the cost of the tunnel. It does not affect the actual bandwidth of the tunnel interface. Consider the bandwidth of the actual physical output interface when you set the tunnel interface bandwidth.
tunnel-protocol

Use tunnel-protocol to specify the tunnel mode for the tunnel interface.
Use undo tunnel-protocol to restore the default.

Syntax
tunnel-protocol { dvpn { gre | udp } | gre [ ipv6 | p2mp ] | ipsec ipv4 | ipv4-ipv4 | ipv4-ipv6 [ dslite-aftr | dslite-cpe ] | ipv6-ipv4 [ 6to4 | auto-tunnel | isatap ] | ipv6-ipv6 }
undo tunnel-protocol

Default
The tunnel mode is GRE over IPv4 tunnel mode.
gre p2mp: Specifies the point-to-multipoint GRE tunnel mode.
ipsec ipv4: Specifies the IPsec over IPv4 tunnel mode.
ipv4-ipv4: Specifies the IPv4 over IPv4 tunnel mode.
ipv4-ipv6: Specifies the IPv4 over IPv6 manual tunnel mode.
ipv4-ipv6 dslite-aftr: Specifies the IPv4 over IPv6 DS-Lite tunnel mode on the AFTR.
ipv4-ipv6 dslite-cpe: Specifies the IPv4 over IPv6 DS-Lite tunnel mode on the CPE.
ipv6-ipv4: Specifies the IPv6 over IPv4 manual tunnel mode.
IKE commands

authentication-algorithm

Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
Use undo authentication-algorithm to restore the default.

Syntax
authentication-algorithm { md5 | sha }
undo authentication-algorithm

Default
An IKE proposal uses the SHA1 authentication algorithm.

Views
IKE proposal view

Default command level
2: System level

Parameters
md5: Uses HMAC-MD5. MD5 is not supported in FIPS mode.
sha: Uses HMAC-SHA1.
Views
IKE proposal view

Default command level
2: System level

Parameters
pre-share: Uses the pre-shared key method.
rsa-signature: Uses the RSA digital signature method.

Examples
# Specify that IKE proposal 10 uses the pre-shared key authentication method.
dh

Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.
Use undo dh to restore the default.

Syntax
dh { group1 | group2 | group5 | group14 }
undo dh

Default
In non-FIPS mode, the default group is group1, the 768-bit Diffie-Hellman group. In FIPS mode, the default group is group2.

Views
IKE proposal view

Default command level
2: System level

Parameters
group1: Uses the 768-bit Diffie-Hellman group for key negotiation in phase 1.
Parameters
dpd-name: DPD name, a string of 1 to 15 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Syntax
display ike proposal [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
• dh
• sa duration

display ike sa

Use display ike sa to display information about the current IKE SAs.

Syntax
display ike sa [ active | standby | verbose [ connection-id connection-id | remote-address remote-address ] ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
active: Displays the summary of active IKE SAs in an IPsec stateful failover scenario.
# Display brief information about IKE SAs in an IPsec stateful failover scenario.
display ike sa
  total phase-1 SAs: 1
  connection-id   peer         flag     phase   doi     status
  -------------------------------------------------------------------
  1               202.38.0.2   RD|ST    1       IPSEC   ACTIVE
  2               202.38.0.2   RD|ST    2       IPSEC   ACTIVE
  flag meaning
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT

Table 9 Command output
Field: Description
total phase-1 SAs: Total number of SAs for phase 1.
  remote id type: IPV4_ADDR
  remote id: 4.4.4.5
  authentication-method: PRE-SHARED-KEY
  authentication-algorithm: HASH-SHA1
  encryption-algorithm: DES-CBC
  life duration(sec): 86400
  remaining key duration(sec): 86379
  exchange-mode: MAIN
  diffie-hellman group: GROUP1
  nat traversal: NO
# Display detailed information about the IKE SA with the connection ID of 2.
  local id: 4.4.4.4
  remote ip: 4.4.4.5
  remote id type: IPV4_ADDR
  remote id: 4.4.4.5
  authentication-method: PRE-SHARED-KEY
  authentication-algorithm: HASH-SHA1
  encryption-algorithm: DES-CBC
  life duration(sec): 86400
  remaining key duration(sec): 82236
  exchange-mode: MAIN
  diffie-hellman group: GROUP1
  nat traversal: NO

Table 10 Command output
Field: Description
connection id: Identifier of the ISAKMP SA.
vpn-instance: VPN that the protected data belongs to.
transmitting entity: Entity in the IKE negotiation.
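An added audit helper, not part of the HP documentation, that parses the field: value layout of display ike sa verbose and flags the phase-1 parameters this reference marks as weak or non-FIPS (DES-CBC with 56-bit keys, HMAC-MD5, and the 768-bit group1). The sample output is constructed from the fields shown above; the second record's AES-CBC, RSA-SIGNATURE and GROUP14 spellings are assumed, not taken from the page.

```python
from typing import Dict, List

# Constructed sample in the layout of 'display ike sa verbose' (two SAs).
SAMPLE_OUTPUT = """\
connection id: 2
vpn-instance:
transmitting entity: initiator
local ip: 4.4.4.4
local id type: IPV4_ADDR
local id: 4.4.4.4
remote ip: 4.4.4.5
remote id type: IPV4_ADDR
remote id: 4.4.4.5
authentication-method: PRE-SHARED-KEY
authentication-algorithm: HASH-SHA1
encryption-algorithm: DES-CBC
life duration(sec): 86400
remaining key duration(sec): 82236
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO

connection id: 7
transmitting entity: responder
local ip: 10.0.0.1
remote ip: 10.0.0.2
authentication-method: RSA-SIGNATURE
authentication-algorithm: HASH-SHA1
encryption-algorithm: AES-CBC
life duration(sec): 86400
exchange-mode: MAIN
diffie-hellman group: GROUP14
nat traversal: YES
"""

# Values the command reference itself describes as weak or FIPS-excluded.
WEAK_VALUES = {
    "authentication-algorithm": {"HASH-MD5": "HMAC-MD5, not supported in FIPS mode"},
    "encryption-algorithm": {"DES-CBC": "56-bit DES"},
    "diffie-hellman group": {"GROUP1": "768-bit Diffie-Hellman group"},
}


def parse_ike_sa_verbose(text: str) -> List[Dict[str, str]]:
    """Split verbose output into one dict per SA; a new SA starts at 'connection id'."""
    sas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        field, value = line.split(":", 1)
        field, value = field.strip(), value.strip()
        if field == "connection id":
            current = {}
            sas.append(current)
        if sas:                      # ignore lines before the first record
            current[field] = value
    return sas


def audit_ike_sa(sa: Dict[str, str]) -> List[str]:
    """Return one finding string per weak parameter in a single SA record."""
    findings = []
    conn = sa.get("connection id", "?")
    for field, weak in WEAK_VALUES.items():
        value = sa.get(field, "").upper()
        if value in weak:
            findings.append(f"connection id {conn}: {field} {value} ({weak[value]})")
    return findings


def audit_output(text: str) -> Dict[str, List[str]]:
    """Map each connection id to its findings; an empty list means nothing flagged."""
    return {sa["connection id"]: audit_ike_sa(sa) for sa in parse_ike_sa_verbose(text)}
```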
dpd

Use dpd to apply a DPD detector to an IKE peer.
Use undo dpd to remove the application.

Syntax
dpd dpd-name
undo dpd

Default
No DPD detector is applied to an IKE peer.

Views
IKE peer view

Default command level
2: System level

Parameters
dpd-name: DPD detector name, a string of 1 to 32 characters.

Examples
# Apply dpd1 to IKE peer peer1.
aes-cbc: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses 128-bit, 192-bit, or 256-bit keys for encryption.
key-length: Key length for the AES algorithm, which can be 128, 192, or 256 bits. The default is 128 bits.
des-cbc: Uses the DES algorithm in CBC mode as the encryption algorithm. The DES algorithm uses 56-bit keys for encryption.

Examples
# Use 56-bit DES in CBC mode as the encryption algorithm for IKE proposal 10.
[Sysname-ike-peer-peer1] exchange-mode main

Related commands
id-type

id-type

Use id-type to select the type of the ID for IKE negotiation.
Use undo id-type to restore the default.

Syntax
id-type { ip | name | user-fqdn }
undo id-type

Default
The ID type is IP address.

Views
IKE peer view

Default command level
2: System level

Parameters
ip: Uses an IP address as the ID during IKE negotiation.
name: Uses a name of the Fully Qualified Domain Name (FQDN) type as the ID during IKE negotiation.
ike dpd

Use ike dpd to create a DPD detector and enter IKE DPD view.
Use undo ike dpd to remove a DPD detector.

Syntax
ike dpd dpd-name
undo ike dpd dpd-name

Views
System view

Default command level
2: System level

Parameters
dpd-name: Name for the DPD detector, a string of 1 to 32 characters.

Usage guidelines
DPD detects dead IKE peers irregularly (on demand rather than at fixed intervals). It works as follows:
1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.
2.
undo ike local-name

Default
The device name is used as the name of the local security gateway.

Views
System view

Default command level
2: System level

Parameters
name: Name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters.
Default command level
2: System level

Examples
# Disable Next payload field checking for the last payload of an IKE message.
system-view
[Sysname] ike next-payload check disabled

ike peer

Use ike peer to create an IKE peer and enter IKE peer view.
Use undo ike peer to delete an IKE peer.

Syntax
ike peer peer-name
undo ike peer peer-name

Views
System view

Default command level
2: System level

Parameters
peer-name: IKE peer name, a string of 1 to 32 characters.
Parameters
proposal-number: IKE proposal number, in the range 1 to 65535. The lower the number, the higher the priority of the IKE proposal. During IKE negotiation, a high-priority IKE proposal is matched before a low-priority IKE proposal.
[Sysname] ike sa keepalive-timer interval 200

Related commands
ike sa keepalive-timer timeout

ike sa keepalive-timer timeout

Use ike sa keepalive-timer timeout to set the ISAKMP SA keepalive timeout.
Use undo ike sa keepalive-timer timeout to disable the function.

Syntax
ike sa keepalive-timer timeout seconds
undo ike sa keepalive-timer timeout

Default
No keepalive packet is sent.
Views
System view

Default command level
2: System level

Parameters
seconds: NAT keepalive interval in seconds, in the range 5 to 300.

Examples
# Set the NAT keepalive interval to 5 seconds.
system-view
[Sysname] ike sa nat-keepalive-timer interval 5

interval-time

Use interval-time to set the DPD query triggering interval for a DPD detector.
Use undo interval-time to restore the default.

Syntax
interval-time interval-time
undo interval-time

Default
The default DPD interval is 10 seconds.
undo local

Default
The subnet is a single one.

Views
IKE peer view

Default command level
2: System level

Parameters
multi-subnet: Sets the subnet type to multiple.
single-subnet: Sets the subnet type to single.

Usage guidelines
Use this command to enable interoperability with a NetScreen device.

Examples
# Set the subnet type of the local security gateway to multiple.
[Sysname-ike-peer-xhy] local-address 1.1.1.1

local-name

Use local-name to configure a name for the local security gateway to be used in IKE negotiation.
Use undo local-name to restore the default.

Syntax
local-name name
undo local-name

Default
The device name is used as the name of the local security gateway.

Views
IKE peer view

Default command level
2: System level

Parameters
name: Name for the local security gateway to be used in IKE negotiation, a case-sensitive string of 1 to 32 characters.
Syntax
nat traversal
undo nat traversal

Default
The NAT traversal function is disabled.

Views
IKE peer view

Default command level
2: System level

Examples
# Enable the NAT traversal function for IKE peer peer1.
system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] nat traversal

peer

Use peer to set the subnet type of the peer security gateway for IKE negotiation.
Use undo peer to restore the default.
pre-shared-key

Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation.
Use undo pre-shared-key to remove the configuration.

Syntax
pre-shared-key [ cipher | simple ] key
undo pre-shared-key

Views
IKE peer view

Default command level
2: System level

Parameters
cipher: Sets a ciphertext pre-shared key.
simple: Sets a plaintext pre-shared key. This keyword is not available in FIPS mode.
key: Specifies the key string. This argument is case sensitive.
Views
IKE peer view

Default command level
2: System level

Parameters
proposal-number&<1-6>: Sequence number of the IKE proposal for the IKE peer to reference, in the range 1 to 65535. &<1-6> means that you can specify the proposal-number argument up to six times. An IKE proposal with a smaller sequence number has a higher priority.

Usage guidelines
In IKE negotiation phase 1, the local end uses the IKE proposals specified for it, if any. An IKE peer can reference up to six IKE proposals.
low-ip-address: IP address of the IPsec remote security gateway. It is the lowest address in the address range if you want to specify a range of addresses.
high-ip-address: Highest address in the address range if you want to specify a range of addresses.
Usage guidelines
If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.
Examples
# Clear the IKE SA that uses connection ID 2.
display ike sa
  total phase-1 SAs: 1
  connection-id   peer         flag     phase   doi
  ---------------------------------------------------------
  1               202.38.0.2   RD|ST    1       IPSEC
  2               202.38.0.2   RD|ST    2       IPSEC
  flag meaning
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
reset ike sa 2
display ike sa
  total phase-1 SAs: 1
  connection-id   peer         flag     phase   doi
  ---------------------------------------------------------
  1               202.38.
undo sa duration

Default
The ISAKMP SA lifetime is 86400 seconds.

Views
IKE proposal view

Default command level
2: System level

Parameters
seconds: Specifies the ISAKMP SA lifetime in seconds, in the range 60 to 604800.

Usage guidelines
Before an SA expires, IKE negotiates a new SA. The new SA takes effect immediately after being set up, and the old one is cleared automatically when it expires.

Examples
# Specify the ISAKMP SA lifetime for IKE proposal 10 as 600 seconds (10 minutes).
[Sysname] ike dpd dpd2
[Sysname-ike-dpd-dpd2] time-out 1
IPsec commands

The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules.

ah authentication-algorithm

Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
Use undo ah authentication-algorithm to restore the default.

Syntax
ah authentication-algorithm { md5 | sha1 } *
undo ah authentication-algorithm

Default
In non-FIPS mode, the default algorithm is MD5.
connection-name

Use connection-name to configure an IPsec connection name. This name functions only as a description of the IPsec policy.
Use undo connection-name to restore the default.

Syntax
connection-name name
undo connection-name

Default
No IPsec connection name is configured.

Views
IPsec policy view, IPsec policy template view

Default command level
2: System level

Parameters
name: Specifies the IPsec connection name, a case-insensitive string of 1 to 32 characters.
Examples
# Enable the encryption engine.
system-view
[Sysname] cryptoengine enable

display ipsec policy

Use display ipsec policy to display information about IPsec policies.

Syntax
display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
brief: Displays brief information about all IPsec policies.
  IPsec-Policy-Name   Mode     acl    Local-Address   Remote-Address
  -----------------------------------------------------------------------
  toccccc-1           isakmp   3003
  tocccc
  man-1               manual   3400   3.3.3.1         3.3.3.2

Table 11 Command output
Field: Description
IPsec-Policy-Name: Name and sequence number of the IPsec policy separated by a hyphen.
Mode: Negotiation mode of the IPsec policy:
• manual: Manual mode.
• isakmp: IKE negotiation mode.
• template: IPsec policy template mode.
acl: ACL referenced by the IPsec policy.
===========================================
----------------------------------------
  IPsec policy name: "policy_man"
  sequence number: 10
  acl version: IPv4
  mode: manual
----------------------------------------
  security data flow : 3002
  tunnel local address: 162.105.10.1
  tunnel remote address: 162.105.10.
    AH spi:
    AH string-key:
    AH authentication hex key:
  inbound ESP setting:
    ESP spi: 23456 (0x5ba0)
    ESP string-key:
    ESP encryption hex key: ******
    ESP authentication hex key: ******
  outbound AH setting:
    AH spi:
    AH string-key:
    AH authentication hex key:
  outbound ESP setting:
    ESP spi: 23456 (0x5ba0)
    ESP string-key:
    ESP encryption hex key: ******
    ESP authentication hex key: ******

Table 12 Command output
Field: Description
security data flow: ACL referenced by the IPsec policy.
Field: Description
synchronization outbound anti-replay-interval: Interval for synchronizing anti-replay sequence numbers in the outbound direction, expressed in the number of sent packets.
inbound/outbound AH/ESP setting: AH/ESP settings in the inbound/outbound direction, including the SPI and keys.

Related commands
ipsec policy (system view)

display ipsec policy-template

Use display ipsec policy-template to display information about IPsec policy templates.
  -----------------------------------------------------
  test-tplt300   2200

Table 13 Command output
Field: Description
Policy-template-Name: Name and sequence number of the IPsec policy template separated by a hyphen.
acl: ACL referenced by the IPsec policy template.
Remote Address: Remote IP address.
# Display detailed information about all IPsec policy templates.
Field: Description
IPsec sa local duration(traffic based): Traffic-based lifetime of the IPsec SAs at the local end.

Related commands
ipsec policy-template

display ipsec profile

Use display ipsec profile to display the configuration information of IPsec profiles.
  ike-peer name: peer1
  perfect forward secrecy: DH group 2
  transform-set name: prop1
  synchronization inbound anti-replay-interval: 1000 packets
  synchronization outbound anti-replay-interval: 10000 packets
  IPsec sa local duration(time based): 3600 seconds
  IPsec sa local duration(traffic based): 1843200 kilobytes
  policy enable: True
===========================================
IPsec profile: "btoa"
Interface: Tunnel1
===========================================
----------------------------
  IPsec profile name
Field: Description
synchronization outbound anti-replay-interval: Outbound anti-replay sequence number synchronization interval, expressed in the number of sent packets.
IPsec sa local duration(time based): Time-based SA lifetime at the local end.
IPsec sa local duration(traffic based): Traffic-based SA lifetime at the local end.
policy enable: Whether the IPsec policy is enabled.

Related commands
ipsec profile

display ipsec sa

Use display ipsec sa to display information about IPsec SAs.
Examples
# Display brief information about all IPsec SAs.
display ipsec sa brief
  Src Address   Dst Address   SPI   Protocol   Algorithm
  -------------------------------------------------------
  10.1.1.1      10.1.1.2      300   ESP        E:DES; A:HMAC-MD5-96
  10.1.1.2      10.1.1.1      400   ESP        E:DES; A:HMAC-MD5-96

Table 16 Command output
Field: Description
Src Address: Local IP address.
Dst Address: Remote IP address.
SPI: Security parameter index.
Protocol: Security protocol used by IPsec.
      sa remaining duration (kilobytes/sec): 1843200/2686
      max sequence-number received: 5
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N
      status: active
    [outbound ESP SAs]
      spi: 801701189 (0x2fc8fd45)
      transform-set: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa duration (kilobytes/sec): 4294967295/604800
      sa remaining duration (kilobytes/sec): 1843200/2686
      max sequence-number sent: 6
      udp encapsulation used for nat traversal: N
      status: active
===============================
Pr
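The anti-replay check enable, anti-replay window size and max sequence-number received fields above describe a sliding window over inbound ESP sequence numbers. The following is an added Python model (not HP code) of such a 32-entry window, showing which sequence numbers are accepted, which are rejected as replays, and how the replay-drop counter advances; treating sequence numbers older than the window as replay drops is an assumption of this model.

```python
from typing import List, Tuple


class AntiReplayWindow:
    """Sliding-window replay check over ESP sequence numbers (RFC 4303 style).

    Constructed model, not device code. The window covers the 'size' most
    recent sequence numbers ending at the highest one received so far.
    """

    def __init__(self, size: int = 32):
        self.size = size
        self.max_seq = 0            # 'max sequence-number received'
        self.bitmap = 0             # bit i set: seq (max_seq - i) already seen
        self.replay_drops = 0       # 'replay packet' drop counter

    def check(self, seq: int) -> Tuple[bool, str]:
        """Decide on one inbound sequence number and update the window.

        A real implementation verifies the ICV between the check and the
        update so a forged packet cannot move the window; combined here."""
        if seq == 0:
            self.replay_drops += 1
            return False, "sequence number 0 is never valid"
        if seq > self.max_seq:
            # New high water mark: slide the window forward.
            shift = seq - self.max_seq
            if shift >= self.size:
                self.bitmap = 1                     # everything older falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.max_seq = seq
            return True, "accepted, window advanced"
        offset = self.max_seq - seq
        if offset >= self.size:
            self.replay_drops += 1                  # assumption: counted as replay
            return False, "older than the window"
        if (self.bitmap >> offset) & 1:
            self.replay_drops += 1
            return False, "replayed sequence number"
        self.bitmap |= 1 << offset
        return True, "accepted, within window"


def run_sample() -> Tuple[List[bool], int, int]:
    """Feed a constructed arrival order through a 32-entry window and
    return the per-packet decisions, the final max sequence number and
    the replay-drop count."""
    window = AntiReplayWindow(size=32)
    arrivals = [1, 2, 3, 4, 5, 3, 40, 5, 10, 9, 8]
    decisions = [window.check(seq)[0] for seq in arrivals]
    return decisions, window.max_seq, window.replay_drops
```

In the sample, 3 is a replay, 5 and 8 fall outside the window once 40 has been seen, and 10 and 9 are late but unseen and therefore accepted.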
Field: Description
IPsec policy name: Name of the IPsec policy used.
sequence number: Sequence number of the IPsec policy.
acl version: ACL version. If no ACL is referenced, this field displays None.
mode: IPsec negotiation mode.
connection id: IPsec tunnel identifier.
encapsulation mode: Encapsulation mode, transport or tunnel.
perfect forward secrecy: Whether the PFS feature is enabled.
DH group: DH group used: 1, 2, 5, or 14. If no DH group is used, this field is not displayed.
tunnel: IPsec tunnel.
display ipsec statistics Use display ipsec statistics to display IPsec packet statistics. Syntax display ipsec statistics [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters tunnel-id integer: Specifies an IPsec tunnel by its ID in the range of 1 to 2000000000. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
input/output security bytes: 52348/64356 input/output dropped security packets: 0/0 dropped security packet detail: not enough memory: 0 queue is full: 0 authentication has failed: 0 wrong length: 0 replay packet: 0 packet too long: 0 wrong SA: 0 Table 18 Command output Field Description Connection ID ID of the tunnel. input/output security packets Counts of inbound and outbound IPsec protected packets. input/output security bytes Counts of inbound and outbound IPsec protected bytes.
Parameters transform-set-name: Name of an IPsec transform set, a string of 1 to 32 characters. If you do not specify an IPsec transform set, the command displays information about all IPsec transform sets. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
Related commands ipsec transform-set display ipsec tunnel Use display ipsec tunnel to display information about IPsec tunnels. Syntax display ipsec tunnel [ active | standby ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters active: Displays information about the active IPsec tunnels in an IPsec stateful failover scenario. standby: Displays information about the standby IPsec tunnels in an IPsec stateful failover scenario.
connection id: 5 perfect forward secrecy: SA's SPI: inbound: 12345 (0x3039) [ESP] outbound: 12345 (0x3039) [ESP] tunnel: flow: # Display information about IPsec tunnels in aggregation mode. display ipsec tunnel total tunnel: 2 -----------------------------------------------connection id: 4 status: active perfect forward secrecy: SA's SPI: inbound : 2454606993 (0x924e5491) [ESP] outbound : 675720232 (0x2846ac28) [ESP] tunnel : local address: 44.44.44.44 remote address : 44.44.44.
Default A security protocol encapsulates IP packets in tunnel mode. Views IPsec transform set view Default command level 2: System level Parameters transport: Uses transport mode. tunnel: Uses tunnel mode. Usage guidelines IPsec for IPv6 routing protocols supports only the transport mode. Examples # When IPsec uses IKE, configure IPsec transform set tran1 to use the transport encapsulation mode.
The undo esp authentication-algorithm command takes effect only if one or more encryption algorithms are specified for ESP. Examples # Configure IPsec transform set prop1 to use ESP and specify SHA1 as the authentication algorithm for ESP.
Examples # Configure IPsec transform set prop1 to use ESP and specify 3DES as the encryption algorithm for ESP.
ipsec anti-replay check Use ipsec anti-replay check to enable IPsec anti-replay checking. Use undo ipsec anti-replay check to disable IPsec anti-replay checking. Syntax ipsec anti-replay check undo ipsec anti-replay check Default IPsec anti-replay checking is enabled. Views System view Default command level 2: System level Examples # Enable IPsec anti-replay checking.
[Sysname] ipsec anti-replay window 64 ipsec decrypt check Use ipsec decrypt check to enable ACL checking of de-encapsulated IPsec packets. Use undo ipsec decrypt check to disable ACL checking of de-encapsulated IPsec packets. Syntax ipsec decrypt check undo ipsec decrypt check Default ACL checking of de-encapsulated IPsec packets is enabled. Views System view Default command level 2: System level Examples # Enable ACL checking of de-encapsulated IPsec packets.
Examples # Enable invalid SPI recovery. system-view [Sysname] ipsec invalid-spi-recovery enable ipsec policy (interface view) Use ipsec policy to apply an IPsec policy group to an interface. Use undo ipsec policy to remove the application.
Syntax ipsec policy policy-name seq-number [ isakmp | manual ] undo ipsec policy policy-name [ seq-number ] Default No IPsec policy exists. Views System view Default command level 2: System level Parameters policy-name: Specifies the name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No hyphen (-) can be included. seq-number: Specifies the sequence number for the IPsec policy, in the range of 1 to 65535. isakmp: Sets up SAs through IKE negotiation. manual: Sets up SAs manually.
ipsec policy isakmp template Use ipsec policy isakmp template to create an IPsec policy by referencing an existing IPsec policy template, so that IKE can use the IPsec policy for SA negotiation. Use undo ipsec policy with the seq-number argument to delete an IPsec policy. Use undo ipsec policy without the seq-number argument to delete an IPsec policy group.
undo ipsec policy-template template-name [ seq-number ] Default No IPsec policy template exists. Views System view Default command level 2: System level Parameters template-name: Specifies the name for the IPsec policy template, a case-insensitive string of 1 to 41 characters. No hyphen (-) can be included. seq-number: Specifies the sequence number for the IPsec policy template, in the range of 1 to 65535.
Parameters profile-name: Specifies a name for the IPsec profile, a case-insensitive string of 1 to 15 characters that cannot contain hyphens (-). Usage guidelines IPsec profiles can be applied to DVPN tunnel interfaces and IPsec tunnel interfaces. For information about DVPN tunnel interfaces and the hardware compatibility for DVPN, see VPN Configuration Guide. Examples # Create IPsec profile profile1 and enter its view.
Examples # Apply IPsec profile vtiprofile to the IPsec tunnel interface. system-view [Sysname] interface tunnel 0 [Sysname-Tunnel0] tunnel-protocol ipsec ipv4 [Sysname-Tunnel0] ipsec profile vtiprofile # Apply IPsec profile dvpnprofile to the DVPN tunnel interface.
Related commands • sa duration • display ipsec sa duration Examples # Set the time-based global SA lifetime to 7200 seconds (2 hours). system-view [Sysname] ipsec sa global-duration time-based 7200 # Set the traffic-based global SA lifetime to 10240 kilobytes (10 Mbytes). [Sysname] ipsec sa global-duration traffic-based 10240 ipsec synchronization enable Use ipsec synchronization enable to enable IPsec stateful failover.
Default No IPsec transform set exists. Views System view Default command level 2: System level Parameters transform-set-name: Specifies the name of an IPsec transform set, a case-insensitive string of 1 to 32 characters. Examples # Create an IPsec transform set named tran1 and enter its view.
Usage guidelines Listed in descending order of security strength and required computation time, the four groups are: the 2048-bit Diffie-Hellman group (dh-group14), the 1536-bit group (dh-group5), the 1024-bit group (dh-group2), and the 768-bit group (dh-group1). dh-group1 and dh-group2 are below current strength recommendations; prefer dh-group14 unless a peer cannot support it. This command makes IPsec perform an additional key exchange during phase 2 negotiation, providing an additional level of security: the IPsec SA keys are derived from that fresh exchange rather than solely from the phase 1 keying material.
Related commands • ipsec policy (system view) • ipsec policy-template qos pre-classify Use qos pre-classify to enable packet information pre-extraction. Use undo qos pre-classify to restore the default. Syntax qos pre-classify undo qos pre-classify Default Packet information pre-extraction is disabled.
Parameters active: Specifies all active IPsec SAs in an IPsec stateful failover scenario. parameters: Specifies IPsec SAs that use the specified destination address, security protocol, and SPI. dest-address: Specifies the destination address, in dotted decimal notation. protocol: Specifies the security protocol, which can be keyword ah or esp, case insensitive. spi: Specifies the security parameter index, in the range of 256 to 4294967295.
# Clear active IPsec SAs on an IPsec stateful failover device. reset ipsec sa active Related commands display ipsec sa reset ipsec statistics Use reset ipsec statistics to clear IPsec packet statistics. Syntax reset ipsec statistics Views User view Default command level 1: Monitor level Examples # Clear IPsec packet statistics.
gateway: Creates two recursive routes: one to the remote tunnel endpoint and the other to the protected remote private network. Use the gateway keyword in an IKE-enabled IPsec policy to define an explicit default forwarding path for IPsec traffic. Usage guidelines IPsec RRI operates in static mode or dynamic mode: • Static IPsec RRI creates one static route for each destination address permitted by the ACL that the IPsec policy references.
Enabling, disabling, or changing RRI settings in an IPsec policy deletes all IPsec SAs created or negotiated by the policy. To view static routes created by RRI, use the display ip routing-table command. For information about the routing table, see Network Management Configuration Guide. If you configure an address range in IKE peer view, static IPsec RRI does not take effect. Examples # Configure static IPsec RRI to create static routes based on ACL 3000. Take the peer private network 3.0.0.
[Sysname-ipsec-policy-isakmp-1-1] quit # Display the routing table. The expected route appears in the table after the IPsec SA negotiation succeeds. (Other routes are not shown.)
[Sysname] display ip routing-table
...
Destination/Mask    Proto   Pre  Cost   NextHop     Interface
3.0.0.0/24          Static  60   0      1.1.1.2     GE0/1
# Configure dynamic IPsec RRI to create static routes based on IPsec SAs. Take 1.1.1.3 as the next hop.
Default command level 2: System level Parameters preference-value: Sets a preference value for the static routes created by IPsec RRI. The value range is 1 to 255. A smaller value represents a higher preference. Usage guidelines The default preference for the static routes created by IPsec RRI is 60. When you change the route preference, static IPsec RRI deletes all static routes it has created and creates new static routes.
Examples # Set the tag value to 50 for the static routes created by IPsec RRI. system-view [Sysname] ipsec policy 1 1 isakmp [Sysname-ipsec-policy-isakmp-1-1] reverse-route tag 50 Related commands reverse-route sa authentication-hex Use sa authentication-hex to configure an authentication key for an SA. Use undo sa authentication-hex to remove the configuration.
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format (both in hexadecimal format or both in string format), and the keys must be specified in the same format for both ends of the tunnel. Examples # Configure the authentication keys of the inbound and outbound SAs that use AH as 0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 in plain text.
• ipsec policy (system view) • ipsec profile (system view) Examples # Set the SA lifetime for IPsec policy1 to 7200 seconds (2 hours). system-view [Sysname] ipsec policy policy1 100 isakmp [Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200 # Set the SA lifetime for IPsec policy policy1 to 20480 kilobytes (20 Mbytes).
Usage guidelines If neither cipher nor simple is specified, you set a plaintext encryption key string. For security purposes, all keys, including keys configured in plain text, are saved in cipher text. This command applies to only manual IPsec policies. When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent. ah: Uses AH. esp: Uses ESP. spi-number: Specifies the security parameters index (SPI) in the SA triplet, in the range of 256 to 4294967295. Usage guidelines This command applies to only manual IPsec policies. When configuring a manual IPsec policy, you must configure parameters for both inbound and outbound SAs. For an ACL-based manual IPsec policy, specify different SPIs for different SAs.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent. ah: Uses AH. esp: Uses ESP. cipher: Sets a ciphertext key. simple: Sets a plaintext key. string-key: Specifies the key string. This argument is case sensitive. If cipher is specified, it must be a ciphertext string of 1 to 373 characters. If simple is specified, it must be a string of 1 to 255 characters. If neither cipher nor simple is specified, you set a plaintext key string.
Related commands ipsec policy (system view) security acl Use security acl to specify the ACL for the IPsec policy to reference. Use undo security acl to remove the configuration. Syntax security acl acl-number [ aggregation | per-host ] undo security acl Default An IPsec policy references no ACL.
system-view [Sysname] acl number 3001 [Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [Sysname-acl-adv-3001] quit [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] security acl 3001 # Configure IPsec policy policy2 to reference ACL 3002, and set the data flow protection mode to aggregation. system-view [Sysname] acl number 3002 [Sysname-acl-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.
Default command level 2: System level Parameters inbound-number: Specifies the interval at which the device, when functioning as the active device, synchronizes the inbound anti-replay window to the standby device. It is expressed in the number of received packets. The value range is 0 to 1000. If you set the argument to 0, inbound anti-replay window synchronization is disabled.
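The ipsec anti-replay check and ipsec anti-replay window commands earlier in this chapter, and the inbound synchronization interval described here, are two sides of the same mechanism: the receiver keeps a sliding window of accepted sequence numbers, and in stateful failover the active device periodically copies that window to the standby. As an added example (Python written for this page, not HP code), the following implements the standard RFC 4303 bitmap window and then simulates what the sync interval means for security: every packet the active device accepted after its last synchronization can be replayed to the standby after a failover. The sync model (snapshot every N received packets, attacker replays everything) is a simplification assumed by this example.

```python
class AntiReplayWindow:
    """Receiver-side ESP/AH anti-replay window (RFC 4303 section 3.4.3).

    top    = highest sequence number accepted so far (0 before any packet)
    bitmap = bit i set means sequence number (top - i) has been received
    """

    def __init__(self, size=32):  # the manual's default window size is 32
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False  # ESP/AH sequence numbers start at 1
        if seq > self.top:  # advance the window; seq becomes the right edge
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1  # everything seen so far falls off the left edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # older than the window: drop
        if (self.bitmap >> offset) & 1:
            return False  # already received: replay
        self.bitmap |= 1 << offset
        return True

    def snapshot(self):
        return (self.top, self.bitmap)

    def restore(self, snap):
        self.top, self.bitmap = snap


def failover_replay_exposure(seqs, sync_interval, size=32):
    """Simulate the active device syncing its inbound window to the standby
    every sync_interval received packets (0 = synchronization disabled, as
    for inbound-number 0), then a failover after which an attacker replays
    every packet the active device had accepted.  Returns how many of those
    replays the standby would wrongly accept."""
    active, standby = AntiReplayWindow(size), AntiReplayWindow(size)
    accepted, received = [], 0
    for seq in seqs:
        received += 1
        if active.check(seq):
            accepted.append(seq)
        if sync_interval and received % sync_interval == 0:
            standby.restore(active.snapshot())
    # Failover: the standby continues from its last synchronized window.
    return sum(1 for seq in accepted if standby.check(seq))


if __name__ == "__main__":
    traffic = list(range(1, 11))  # constructed: ten in-order packets
    for interval in (0, 4, 1):
        print(interval, failover_replay_exposure(traffic, interval))
```

With the synchronization disabled the standby starts from an empty window and accepts every replay; with an interval of N packets the exposure is at most the last N-1 packets accepted before failover. A smaller interval shrinks that gap at the cost of more synchronization traffic, which is the trade-off the inbound-number and outbound-number arguments express.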
Default command level 2: System level Parameters ah: Uses the AH protocol. ah-esp: Uses ESP first and then AH. esp: Uses the ESP protocol. Usage guidelines The IPsec transform sets at the two ends of an IPsec tunnel must use the same security protocol. Examples # Configure IPsec transform set prop1 to use AH.
An IPsec profile can reference up to six IPsec transform sets. The IKE negotiation process will search for and use the exactly matched transform set. Related commands • ipsec transform-set • ipsec policy (system view) • ipsec profile (system view) Examples # Configure IPsec policy policy1 to reference IPsec transform set tran1.
system-view [Sysname] interface loopback 0 [Sysname-LoopBack0] ip address 10.0.0.1 32 [Sysname-LoopBack0] quit [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] tunnel local 10.0.0.1 Related commands ipsec policy (system view) tunnel remote Use tunnel remote to configure the remote address of an IPsec tunnel. Use undo tunnel remote to remove the configuration.
L2TP commands The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. allow l2tp Use allow l2tp to specify the VT interface for receiving calls, the tunnel name on the LAC, and the domain name. Use undo allow to remove the configuration. Syntax allow l2tp virtual-template virtual-template-number remote remote-name [ domain domain-name ] undo allow Default An LNS denies all incoming calls.
Examples # Accept the L2TP tunneling request initiated by the peer (LAC) of aaa and create a VA interface according to virtual template 1. system-view [Sysname] l2tp-group 2 [Sysname-l2tp2] allow l2tp virtual-template 1 remote aaa # Specify L2TP group 1 as the default L2TP group, accept the L2TP tunneling request initiated by any peer, and create a VA interface based on virtual template 1.
Field Description LocalSID Unique ID of the session at the local end. RemoteSID Unique ID of the session at the remote end. LocalTID Unique ID of the tunnel at the local end. Related commands display l2tp tunnel display l2tp tunnel Use display l2tp tunnel to display information about L2TP tunnels.
Field Description RemoteName Name of the tunnel at the peer. interface virtual-template Use interface virtual-template to create a VT interface and enter its view. Use undo interface virtual-template to remove a VT interface. Syntax interface virtual-template virtual-template-number undo interface virtual-template virtual-template-number Default No VT interface exists.
Views System view Default command level 2: System level Usage guidelines L2TP must be enabled for relevant L2TP configurations to take effect. Examples # Enable the L2TP function. system-view [Sysname] l2tp enable Related commands l2tp-group l2tp-auto-client enable Use l2tp-auto-client enable to trigger an LAC to establish an L2TP tunnel. Use undo l2tp-auto-client enable to remove the established L2TP tunnel.
Default No L2TP group exists. Views System view Default command level 2: System level Parameters group-number: Number of an L2TP group, in the range of 1 to 1000. Usage guidelines When you use the undo l2tp-group command to remove an L2TP group, all configuration information associated with the group will be deleted. Examples # Create an L2TP group numbered 2, and enter its view.
Related commands l2tp enable mandatory-chap Use mandatory-chap to force the LNS to perform a CHAP authentication of the user. Use undo mandatory-chap to disable CHAP authentication on the LNS. Syntax mandatory-chap undo mandatory-chap Default An LNS does not perform CHAP authentication of users. Views L2TP group view Default command level 2: System level Usage guidelines For higher security, the LNS can authenticate the client itself in addition to relying on the proxy authentication performed at the LAC.
Views L2TP group view Default command level 2: System level Usage guidelines When you start a PPP session, a client of NAS-initialized VPN will first negotiate with the NAS for LCP parameters. If the negotiation succeeds, the NAS initializes a tunnel and then transfers the negotiated results to the LNS. Then the LNS verifies whether the client is valid, depending on the proxy authentication information. You can use the mandatory-lcp command to force the LNS to perform LCP re-negotiation for the client.
name remote-name: Specifies tunnels by the tunnel name at the remote end, a case-sensitive string of 1 to 30 characters. Usage guidelines If you specify a tunnel name, all tunnels with the name will be disconnected. If no tunnel with the name exists, nothing happens. If you specify a tunnel ID, only the tunnel with the ID is disconnected. A tunnel disconnected by force can be re-established when a client makes a call. Examples # Disconnect all tunnels with the remote name of aaa.
When an LAC detects a VPN user, it initiates an L2TP tunneling request to LNSs one by one in their configuration order until it receives the acknowledgement of an LNS, which is considered the tunnel peer. Examples # Configure the device to initiate L2TP tunneling requests to LNS 202.1.1.1 for users in domain aabbcc.net. system-view [Sysname] l2tp-group 1 [Sysname-l2tp1] start l2tp ip 202.1.1.1 domain aabbcc.
Views L2TP group view Default command level 2: System level Usage guidelines The tunnel avp-hidden command is available to only LACs. This command takes effect only when tunnel authentication is enabled. Examples # Enable transferring AVP data in hidden mode. system-view [Sysname] l2tp-group 1 [Sysname-l2tp1] tunnel avp-hidden Related commands tunnel authentication tunnel flow-control Use tunnel flow-control to enable the L2TP tunnel flow control function.
Syntax tunnel name name undo tunnel name Default A tunnel takes the system name of the device as its name at the local end. Views L2TP group view Default command level 2: System level Parameters name: Specifies the name for the tunnel at the local end, a case-sensitive string of 1 to 30 characters. Examples # Specify the local name for a tunnel as itsme.
Usage guidelines Both ciphertext and plaintext passwords are saved in cipher text in the configuration file. Examples # Set the key for tunnel authentication to a plaintext key yougotit. system-view [Sysname] l2tp-group 1 [Sysname-l2tp1] tunnel password simple yougotit tunnel timer hello Use tunnel timer hello to set the hello interval in sending hello packets in a tunnel. Use undo tunnel timer hello to restore the default.
Certificate management commands attribute Use attribute to configure the attribute rules of the certificate issuer name, certificate subject name and alternative certificate subject name. Use undo attribute to delete the attribute rules of one or all certificates.
Examples # Create a certificate attribute rule, specifying that the DN in the subject name includes the string of abc. system-view [Sysname] pki certificate attribute-group mygroup [Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc # Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string of abc.
Syntax certificate request entity entity-name undo certificate request entity Default No entity is specified for certificate request. Views PKI domain view Default command level 2: System level Parameters entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters. Examples # Specify the entity for certificate request as entity1.
[Sysname] pki domain 1 [Sysname-pki-domain-1] certificate request from ca certificate request mode Use certificate request mode to set the certificate request mode. Use undo certificate request mode to restore the default. Syntax certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual } undo certificate request mode Default Manual mode is used.
certificate request polling Use certificate request polling to specify the certificate request polling interval and attempt limit. Use undo certificate request polling to restore the defaults. Syntax certificate request polling { count count | interval minutes } undo certificate request polling { count | interval } Default The polling is executed every 20 minutes for up to 50 times.
Views PKI domain view Default command level 2: System level Parameters url-string: URL of the server for certificate request, a case-insensitive string of 1 to 127 characters. It comprises the location of the server and the location of CGI command interface script in the format of http://server_location/ca_script_location, where server_location must be an IP address and does not support domain name resolution. Examples # Specify the URL of the server for certificate request.
country Use country to specify the code of the country to which an entity belongs. It is a standard 2-character code, for example, CN for China. Use undo country to remove the configuration. Syntax country country-code-str undo country Default No country code is specified. Views PKI entity view Default command level 2: System level Parameters country-code-str: Country code for the entity, a 2-character case-insensitive string. Examples # Set the country code of an entity to CN.
Usage guidelines CRLs are files issued by the CA to publish all certificates that have been revoked. Revocation of a certificate might occur before the certificate expires. CRL checking is intended for checking whether a certificate has been revoked. A revoked certificate is no longer trusted. Examples # Disable CRL checking.
Default No CRL distribution point URL is specified. Views PKI domain view Default command level 2: System level Parameters url-string: URL of the CRL distribution point, a case-insensitive string of 1 to 125 characters in the format of ldap://server_location or http://server_location, where server_location must be an IP address or a domain name.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Examples # Display the local certificate. display pki certificate local domain 1 Certificate: Data: Version: 3 (0x2) Serial Number: 10B7D4E3 00010000 0086 Signature Algorithm: md5WithRSAEncryption Issuer: emailAddress=myca@aabbcc.
Field Description Issuer Issuer of the certificate. Validity Validity period of the certificate. Subject Entity holding the certificate. Subject Public Key Info Public key information of the entity. X509v3 extensions Extensions of the X.509 (version 3) certificate. X509v3 CRL Distribution Points Distribution points of X.509 (version 3) CRLs.
Table 25 Command output Field Description access-control-policy Name of the certificate attribute-based access control policy. rule number Number of the access control rule. display pki certificate attribute-group Use display pki certificate attribute-group to display information about one or all certificate attribute groups.
Field Description abc Value of attribute 1. issuer-name Name of the certificate issuer. fqdn FQDN of the entity. nctn Not-contain operations. app Value of attribute 2. display pki crl domain Use display pki crl domain to display the locally saved CRLs. Syntax display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters domain-name: Name of the PKI domain, a string of 1 to 15 characters.
Revoked Certificates: Serial Number: 05a234448E… Revocation Date: Sep 6 12:33:22 2004 GMT CRL entry extensions:… Serial Number: 05a278445E… Revocation Date: Sep 7 12:33:22 2004 GMT CRL entry extensions:… Table 27 Command output Field Description Version Version of the CRL. Signature Algorithm Signature algorithm used by the CRLs. Issuer CA issuing the CRLs. Last Update Last update time. Next Update Next update time. CRL extensions Extensions of CRL.
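The CRL fields listed above (Last Update, Next Update, the revoked serial numbers) are the inputs to a revocation decision. As an added example (Python written for this page, not HP code), the following parses a CRL in the layout of display pki crl domain and answers whether a given serial is revoked, treating a CRL past its Next Update as stale rather than as proof of validity. The sample CRL text, its serial numbers and dates are constructed for the example; the page's own serials are elided, and the indentation of the sample is an assumption.

```python
from datetime import datetime, timezone

# Constructed sample in the layout of display pki crl domain; the serial
# numbers and dates are invented for this example.
SAMPLE_CRL = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=myca
        Last Update: Sep  6 12:33:22 2004 GMT
        Next Update: Sep 13 12:33:22 2004 GMT
Revoked Certificates:
    Serial Number: 05A234448E000100000086
        Revocation Date: Sep  6 12:33:22 2004 GMT
    Serial Number: 05A278445E000100000087
        Revocation Date: Sep  7 12:33:22 2004 GMT
"""


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build an aware UTC datetime (helper for callers and tests)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_crl_time(text):
    """Parse the CLI's 'Mon D HH:MM:SS YYYY GMT' timestamps into aware UTC datetimes."""
    text = " ".join(text.split())
    if not text.endswith(" GMT"):
        raise ValueError(f"unexpected time zone in {text!r}")
    return datetime.strptime(text[:-4], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def normalize_serial(serial):
    """Serials are hex, sometimes space-grouped as in '10B7D4E3 00010000 0086'."""
    return "".join(serial.split()).upper().lstrip("0") or "0"


def parse_crl(text):
    """Return {'last_update', 'next_update', 'revoked': {serial: revocation_time}}."""
    crl = {"last_update": None, "next_update": None, "revoked": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Last Update:"):
            crl["last_update"] = parse_crl_time(line.split(":", 1)[1])
        elif line.startswith("Next Update:"):
            crl["next_update"] = parse_crl_time(line.split(":", 1)[1])
        elif line.startswith("Serial Number:"):
            current = normalize_serial(line.split(":", 1)[1])
            crl["revoked"][current] = None
        elif line.startswith("Revocation Date:") and current is not None:
            crl["revoked"][current] = parse_crl_time(line.split(":", 1)[1])
    if crl["last_update"] is None or crl["next_update"] is None:
        raise ValueError("CRL validity period missing")
    return crl


def certificate_status(crl, serial, now):
    """'revoked' if listed; otherwise 'good' only while the CRL is current."""
    if normalize_serial(serial) in crl["revoked"]:
        return "revoked"            # a revocation is never undone, even by a stale CRL
    if now < crl["last_update"]:
        return "crl-not-yet-valid"
    if now >= crl["next_update"]:
        return "crl-stale"          # fail closed: retrieve a fresh CRL before trusting
    return "good"


if __name__ == "__main__":
    crl = parse_crl(SAMPLE_CRL)
    print(certificate_status(crl, "10B7D4E3 00010000 0086", utc(2004, 9, 8)))
```

Note the ordering of the checks: a serial found in the list is revoked regardless of the CRL's age, but a serial absent from a stale CRL says nothing, so the caller should run pki retrieval-crl (or let crl check fetch a current one) before treating the certificate as valid.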
Parameters name-str: Fully qualified domain name (FQDN) of an entity, a case-insensitive string of 1 to 127 characters. Usage guidelines An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain name and can be resolved into an IP address. Examples # Configure the FQDN of an entity as pki.domain-name.com. system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] fqdn pki.domain-name.
Default No LDAP server is specified for a PKI domain. Views PKI domain view Default command level 2: System level Parameters ip-address: IP address of the LDAP server, in dotted decimal format. port-number: Port number of the LDAP server, in the range of 1 to 65535. The default is 389. version-number: LDAP version number, either 2 or 3. The default is 2. Examples # Specify an LDAP server for PKI domain 1. system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] ldap-server ip 169.254.0.
organization Use organization to configure the name of the organization to which the entity belongs. Use undo organization to remove the configuration. Syntax organization org-name undo organization Default No organization name is specified for an entity. Views PKI entity view Default command level 2: System level Parameters org-name: Organization name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples # Configure the name of the organization unit to which an entity belongs as group1. system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] organization-unit group1 pki certificate access-control-policy Use pki certificate access-control-policy to create a certificate attribute-based access control policy and enter its view. Use undo pki certificate access-control-policy to remove one or all certificate attribute-based access control policies.
Views System view Default command level 2: System level Parameters group-name: Name for the certificate attribute group, a case-insensitive string of 1 to 16 characters. It cannot be "a", "al", or "all". all: Specifies all certificate attribute groups. Examples # Create a certificate attribute group named mygroup and enter its view.
Default No PKI domain exists. Views System view Default command level 2: System level Parameters domain-name: PKI domain name, a case-insensitive string of 1 to 15 characters.
Parameters entity-name: Name for the entity, a case-insensitive string of 1 to 15 characters. Usage guidelines You can configure a variety of attributes for an entity in PKI entity view. An entity is intended only for convenience of reference by other commands. Examples # Create a PKI entity named en and enter its view.
pki request-certificate domain Use pki request-certificate domain to request a local certificate from a CA through SCEP. If SCEP fails, you can use the pkcs10 keyword to print the request information in BASE64 format, or use the pkcs10 filename filename option to save the request information to a local file and send the file to the CA by an out-of-band means.
pki retrieval-certificate Use pki retrieval-certificate to retrieve a certificate from the server for certificate distribution. Syntax pki retrieval-certificate { ca | local } domain domain-name Views System view Default command level 2: System level Parameters ca: Retrieves the CA certificate. local: Retrieves the local certificate. domain-name: Name of the PKI domain used for certificate request.
system-view [Sysname] pki retrieval-crl domain 1 Related commands pki domain pki validate-certificate Use pki validate-certificate to verify the validity of a certificate. Syntax pki validate-certificate { ca | local } domain domain-name Views System view Default command level 2: System level Parameters ca: Verifies the CA certificate. local: Verifies the local certificate. domain-name: Name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters.
Views PKI domain view Default command level 2: System level Parameters md5: Uses an MD5 fingerprint. sha1: Uses a SHA1 fingerprint. string: Fingerprint to be used. An MD5 fingerprint must be a string of 32 characters in hexadecimal. A SHA1 fingerprint must be a string of 40 characters in hexadecimal. Examples # Configure an MD5 fingerprint for verifying the validity of the CA root certificate.
group-name: Name of the certificate attribute group to be associated with the rule, a case-insensitive string of 1 to 16 characters. It cannot be "a", "al", or "all". all: Specifies all access control rules. Usage guidelines A certificate attribute group must exist to be associated with a rule. Examples # Create an access control rule, specifying that a certificate is considered valid when it matches an attribute rule in the certificate attribute group mygroup.
Public key configuration commands display public-key local public Use display public-key local public to display the public key information of local asymmetric key pairs. Syntax display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters dsa: Specifies a DSA key pair. rsa: Specifies an RSA key pair. |: Filters command output by specifying a regular expression.
Key code: 307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12 B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75 1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001 # Display the public key information of the local DSA key pair.
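The key code printed by display public-key local rsa public (and entered, line by line, under public-key-code begin when the key is configured on a peer) is a DER-encoded SubjectPublicKeyInfo in hexadecimal. As an added example (Python written for this page, not HP code), the following decodes the key code shown above with a minimal DER reader, checks that the algorithm is rsaEncryption, and reports the modulus size, which is how to verify what a peer actually handed you before trusting it. The 2048-bit threshold in assess_rsa_key is this example's policy, not the device's; the manual's own key-generation dialog offers a default of 1024 bits.

```python
# Key code exactly as the manual prints it for the local RSA key pair
# (the line breaks are where the manual wraps the output).
KEY_CODE = """
307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12
B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75
1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def der_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos:]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def der_sequence(buf):
    """Split a DER SEQUENCE payload into its child (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = der_tlv(buf, pos)
        items.append((tag, value))
    return items


def parse_rsa_public_key(hex_code):
    """Parse a SubjectPublicKeyInfo for rsaEncryption; return (modulus, exponent)."""
    der = bytes.fromhex("".join(hex_code.split()))
    tag, spki, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    (alg_tag, alg), (bits_tag, bits) = der_sequence(spki)
    if alg_tag != 0x30 or bits_tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    (oid_tag, oid), *_ = der_sequence(alg)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    if bits[0] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    key_tag, key, _ = der_tlv(bits, 1)  # skip the unused-bits octet
    (n_tag, n_bytes), (e_tag, e_bytes) = der_sequence(key)
    if key_tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey structure mismatch")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def assess_rsa_key(hex_code, min_bits=2048):
    """Policy check on a key code: modulus size and public exponent sanity."""
    n, e = parse_rsa_public_key(hex_code)
    bits = n.bit_length()
    findings = []
    if bits < min_bits:
        findings.append(f"modulus is {bits} bits; at least {min_bits} required")
    if e < 65537 or e % 2 == 0:
        findings.append(f"unusual public exponent {e}")
    return {"bits": bits, "exponent": e, "findings": findings}


if __name__ == "__main__":
    print(assess_rsa_key(KEY_CODE))
```

Decoding the manual's key code gives a 768-bit modulus with exponent 65537, so the sample key would fail a 2048-bit policy; when generating keys with public-key local create rsa, enter 2048 at the modulus prompt rather than accepting the 1024-bit default.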
Views Any view Default command level 1: Monitor level Parameters brief: Displays brief information about all peer public keys. name publickey-name: Displays information about a peer public key. publickey-name represents a public key by its name, a case-sensitive string of 1 to 64 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Type  Module  Name
--------------------------
RSA   1024    idrsa
DSA   1024    10.1.1.1
Table 30 Command output Field Description Type Key type: RSA or DSA. Module Key modulus length in bits. Name Name of the public key. Related commands • public-key peer • public-key peer import sshkey peer-public-key end Use peer-public-key end to return from public key view to system view.
Default command level 2: System level Usage guidelines If the peer device is an HP device, enter the key data exactly as displayed by its display public-key local public command; that output is already in the format the key code view expects. Examples # Enter public key code view and input the key.
[Sysname-pkey-key-code]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4
[Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6
[Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301
[Sysname-pkey-key-code]0001
[Sysname-pkey-key-code] public-key-code end
[Sysname-pkey-public-key]
Related commands
• public-key peer
• public-key-code begin
public-key local create
Use public-
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++
+++++++
+++++++++
+++
# Create a local DSA key pair.
system-view
[Sysname] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
system-view [Sysname] public-key local destroy dsa Warning: Confirm to destroy these keys? [Y/N] :y Related commands public-key local create public-key local export dsa Use public-key local export dsa without the filename argument to display the host public key of the local DSA key pair in a specific format. Use public-key local export dsa with the filename argument to export the host public key of the local DSA key pair to the specified file.
# Display the local DSA host public key in OpenSSH format.
Comment: "rsa-key-20070625"
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6u
t5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j
+o0MpOpzh3W768/+u1riz+1LcwVTs51Q==
---- END SSH2 PUBLIC KEY ----
# Display the host public key of the local RSA key pairs in OpenSSH format.
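The key code printed earlier by display public-key local rsa public and the SSH2 block printed by public-key local export rsa ssh2 are both complete public keys, so the modulus size can be checked before either is pasted into a peer's public-key-code view or an SSH client's authorized keys. The following Python script is an added example, not HP device code and not part of this reference: it decodes the DER key code and the RFC 4716 block from this chapter into modulus and exponent, rewrites the SSH2 block in the one-line form OpenSSH reads, and applies a minimum-size policy. The BEGIN line of the SSH2 sample, the 2048-bit threshold and the function names are this example's assumptions; the key material is the page's own.

```python
"""Decode the two RSA public key forms this chapter prints and check their
size. Added example: the DER key code is from display public-key local rsa
public, the RFC 4716 block from public-key local export rsa ssh2."""
import base64

# Key code copied from the display public-key local rsa public output;
# the line breaks are console wrapping and are removed before decoding.
KEY_CODE = """
307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12
B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75
1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001
"""
# SSH2 block from the export example; the BEGIN line is not on the page and
# is added here because RFC 4716 requires it (assumption).
SSH2_BLOCK = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20070625"
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6u
t5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j
+o0MpOpzh3W768/+u1riz+1LcwVTs51Q==
---- END SSH2 PUBLIC KEY ----
"""
RSA_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_key_code(key_code):
    """Hex DER SubjectPublicKeyInfo -> (modulus, exponent)."""
    der = bytes.fromhex("".join(key_code.split()))
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)                     # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)                    # BIT STRING; first octet = unused bits
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    tag, rsa, _ = _tlv(bits, 1)                       # RSAPublicKey ::= SEQUENCE { n, e }
    tag_n, n, pos = _tlv(rsa, 0)
    tag_e, e, _ = _tlv(rsa, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def _ssh_string(buf, pos):
    """Decode one SSH wire-format string: uint32 length followed by the bytes."""
    n = int.from_bytes(buf[pos:pos + 4], "big")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def parse_ssh2_block(text):
    """RFC 4716 block -> (key type, modulus, exponent, comment, base64 blob)."""
    comment, b64 = "", []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):       # blank line or BEGIN/END marker
            continue
        if ":" in line and not b64:                   # header line, e.g. Comment: "..."
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
            continue
        b64.append(line)
    blob_b64 = "".join(b64)
    blob = base64.b64decode(blob_b64, validate=True)
    key_type, pos = _ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e, pos = _ssh_string(blob, pos)                   # RFC 4253: e precedes n
    n, pos = _ssh_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after the RSA key")
    return key_type.decode(), int.from_bytes(n, "big"), int.from_bytes(e, "big"), comment, blob_b64


def to_openssh(text):
    """Rewrite an RFC 4716 block as the one-line form OpenSSH uses."""
    key_type, _, _, comment, blob_b64 = parse_ssh2_block(text)
    return f"{key_type} {blob_b64} {comment}".rstrip()


def key_is_acceptable(n, e, min_bits=2048):
    """Assumed policy, not the device's: modulus >= min_bits and an odd e >= 65537."""
    return n.bit_length() >= min_bits and e >= 65537 and e % 2 == 1
```

Run against the page's own samples, the key code decodes to a 768-bit modulus and the SSH2 key to a 1024-bit one, both with exponent 65537. Neither passes a 2048-bit policy, so when you run public-key local create, enter 2048 at the modulus prompt instead of accepting the 1024-bit default shown in the example above; 2048 is the upper end of the range the command reports.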
[Sysname-pkey-public-key] Related commands • public-key-code begin • public-key-code end • peer-public-key end • display public-key peer public-key peer import sshkey Use public-key peer import sshkey to import a peer host public key from the public key file. Use undo public-key peer to remove the specified peer host public key.
SSL VPN commands
The following matrix shows the feature and hardware compatibility:
Hardware                      Compatibility
F1000-A-EI/F1000-S-EI         Yes
F1000-E                       Yes
F5000                         No
F5000-S/F5000-C               No
VPN firewall modules          No
20-Gbps VPN firewall modules  No
ssl-vpn enable Use ssl-vpn enable to enable the SSL VPN service. Use undo ssl-vpn enable to disable the SSL VPN service. Syntax ssl-vpn enable undo ssl-vpn enable Default The SSL VPN service is disabled.
Related commands ssl-vpn server-policy ssl-vpn server-policy Use ssl-vpn server-policy to specify the SSL server policy and port to be used by the SSL VPN service. Use undo ssl-vpn server-policy to restore the default. Syntax ssl-vpn server-policy server-policy-name [ port port-number ] undo ssl-vpn server-policy Default No SSL server policy is specified for the SSL VPN service.
AFT commands AFT is not supported on VLAN interfaces and does not support VPN instances. display aft address-group Use display aft address-group to display AFT address pool configuration information. Syntax display aft address-group [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays the lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
exclude: Displays the lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display all AFT information.
display aft all
IPv4 Address Pool Information:
1 : from 1.1.1.1 to 1.1.1.4
2 : from 2.2.2.2 to 2.2.2.2
3 : from 3.3.3.3 to 3.3.3.3
4 : from 4.4.4.4 to 4.4.4.
Table 33 Command output
Field                          Description
IPv4 Address Pool Information  AFT IPv4 address pool information.
1:                             Address pool number.
from 1.1.1.1                   Start IP address in an address pool.
to 1.1.1.4                     End IP address in an address pool.
Address Mappings (V6toV4)      IPv6-to-IPv4 address mapping information.
IPv4 Address                   IPv4 address.
IPv6 Address                   IPv6 address.
V4toV6 Information             4to6 AFT policy, including the ACL number, DNS64 prefix and its length, and IVI prefix.
include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display AFT statistics.
display aft statistics
Statistics:
Total Sessions: 0
Expired Sessions: 0
Hits: 0
Misses: 0
Total Address Mappings: 0
Enabled Interfaces:
GigabitEthernet0/1
Table 34 Command output
Field           Description
Total Sessions  Total number of AFT sessions.
Parameters group-number: Specifies the number of an address pool, in the range of 1 to 32. start-ipv4-address: Specifies the start IPv4 address in a pool. end-ipv4-address: Specifies the end IPv4 address in a pool. Usage guidelines You cannot delete an address pool that is referenced by a v6tov4 policy. To delete such an address pool, delete the policy first. If start-ipv4-address equals end-ipv4-address, only one address is available in the address pool.
[Sysname-GigabitEthernet0/1] aft enable Related commands • display aft statistics • display aft all aft prefix-dns64 Use aft prefix-dns64 to specify a DNS64 prefix. Use undo aft prefix-dns64 to delete a specific DNS64 prefix. Syntax aft prefix-dns64 dns64-prefix prefix-length undo aft prefix-dns64 dns64-prefix prefix-length Default No DNS64 prefix is specified. Views System view Default command level 2: System level Parameters dns64-prefix: Specifies the DNS64 prefix.
Use undo aft prefix-ivi to delete a specific IVI prefix. Syntax aft prefix-ivi ivi-prefix undo aft prefix-ivi ivi-prefix Default No IVI prefix is specified. Views System view Default command level 2: System level Parameters ivi-prefix: Specifies the IVI prefix of an IPv6 address. Usage guidelines The length of an IVI prefix is 32 bits.
prefix-dns64 dns64-prefix prefix-length: Specifies the DNS64 prefix, which is used to translate source IPv4 addresses into IPv6 addresses for packets that match the specified ACL. The dns64-prefix argument represents the DNS64 prefix, and the prefix-length argument represents the length of the prefix, which can be 32, 40, 48, 56, 64, or 96 bits. prefix-ivi ivi-prefix: Specifies the IVI prefix.
prefix-dns64 dns64-prefix prefix-length: Specifies the DNS64 prefix for matching destination IPv6 addresses. If the destination address of a packet from an IPv6 network to an IPv4 network contains the specified DNS64 prefix, the AFT translates the source IPv6 address into an IPv4 address. The dns64-prefix argument represents the DNS64 prefix, and the prefix-length argument represents the prefix length, which can be 32, 40, 48, 56, 64, or 96 bits.
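The prefix lengths that aft prefix-dns64 and the aft policies accept (32, 40, 48, 56, 64 and 96 bits) are exactly the ones RFC 6052 defines, and the position of the embedded IPv4 address inside the IPv6 address depends on the length: for lengths below 96 the IPv4 bits straddle the reserved octet at bits 64 to 71, which must be zero. The following Python script is an added example, not device code: it synthesizes the IPv6 address for a DNS64 prefix and an IPv4 address (the v4tov6 direction), recovers the IPv4 address again from an IPv6 destination that carries the prefix (the v6tov4 direction), and tests whether an address matches the configured prefix. The sample prefixes and the address 192.0.2.33 are the ones RFC 6052 uses in its own examples; the function names are this example's.

```python
"""RFC 6052 address synthesis for the DNS64 prefix lengths the aft commands
accept. Added example, not device code."""
import ipaddress

DNS64_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _masked_prefix(prefix, plen):
    """Return the prefix as a 128-bit integer with every bit past plen cleared."""
    if plen not in DNS64_PREFIX_LENGTHS:
        raise ValueError(f"unsupported DNS64 prefix length {plen}")
    p = int(ipaddress.IPv6Address(prefix))
    return (p >> (128 - plen)) << (128 - plen)


def synthesize(prefix, plen, ipv4):
    """IPv4 -> IPv6: embed the 32 IPv4 bits as RFC 6052 section 2.2 lays them out."""
    p = _masked_prefix(prefix, plen)
    v4 = int(ipaddress.IPv4Address(ipv4))
    if plen == 96:
        return str(ipaddress.IPv6Address(p | v4))        # IPv4 is simply the low 32 bits
    high_bits = 64 - plen                                 # IPv4 bits placed before the u octet
    low_bits = 32 - high_bits                             # IPv4 bits placed after it
    high = v4 >> low_bits
    low = v4 & ((1 << low_bits) - 1)
    # high fills bits plen..63; low starts at bit 72, right after the zero u octet
    return str(ipaddress.IPv6Address(p | (high << 64) | (low << (56 - low_bits))))


def extract(ipv6, plen):
    """IPv6 -> IPv4: inverse of synthesize(); rejects a non-zero u octet."""
    if plen not in DNS64_PREFIX_LENGTHS:
        raise ValueError(f"unsupported DNS64 prefix length {plen}")
    a = int(ipaddress.IPv6Address(ipv6))
    if plen == 96:
        return str(ipaddress.IPv4Address(a & 0xFFFFFFFF))
    if (a >> 56) & 0xFF:
        raise ValueError("bits 64-71 must be zero in an RFC 6052 address")
    high_bits = 64 - plen
    low_bits = 32 - high_bits
    high = (a >> 64) & ((1 << high_bits) - 1)
    low = (a >> (56 - low_bits)) & ((1 << low_bits) - 1)
    return str(ipaddress.IPv4Address((high << low_bits) | low))


def matches_prefix(ipv6, prefix, plen):
    """True when ipv6 carries the DNS64 prefix, i.e. the v6tov4 policy applies to it."""
    return _masked_prefix(ipv6, plen) == _masked_prefix(prefix, plen)
```

With the RFC 6052 sample prefixes, 192.0.2.33 becomes 2001:db8:c000:221:: under a /32 prefix, 2001:db8:1c0:2:21:: under 2001:db8:100::/40, and 2001:db8:122:344::c000:221 under 2001:db8:122:344::/96; extract() returns 192.0.2.33 from each of them. A translator that accepts a packet whose destination has a non-zero octet at bits 64 to 71 is not RFC 6052 compliant, which is why extract() rejects it rather than silently dropping those bits.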
DVPN commands
The following matrix shows the feature and hardware compatibility:
Hardware                      DVPN compatible
F1000-A-EI/F1000-S-EI         No
F1000-E                       Yes
F5000                         Yes
F5000-S/F5000-C               Yes
VPN firewall modules          Yes
20-Gbps VPN firewall modules  No
VAM server configuration commands authentication-algorithm Use authentication-algorithm to specify the algorithms for protocol packet authentication and their priorities. Use undo authentication-algorithm to restore the default.
Examples
# Specify the authentication algorithm of MD5 for VPN domain 1.
system-view
[Sysname] vam server vpn 1
[Sysname-vam-server-vpn-1] authentication-algorithm md5
Prefer sha1 where all clients in the domain support it; MD5 should be kept only for compatibility with clients that do not.
Related commands • authentication-method • vam server vpn authentication-method Use authentication-method to specify the authentication mode that the VAM server uses to authenticate clients. Use undo authentication-method to restore the default.
display vam server address-map Use display vam server address-map to display address mapping information about clients registered on the server. Syntax display vam server address-map { all | vpn vpn-name [ private-ip private-ip ] } [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters all: Displays the address mapping information of all VAM clients registered on the VAM server.
# Display the address mapping information of the VAM client with a private IP address of 10.0.0.1 in VPN domain 1.
display vam server address-map vpn 1 private-ip 10.0.0.1
VPN: 1
Private-ip  Public-ip      Type  Holding time
10.0.0.1    222.222.222.1  Hub   0H 3M 34S
Table 35 Command output
Field                     Description
VPN                       Name of the VPN domain.
Total address-map number  Total number of address mappings.
Private-ip                Private address that the VAM client registers with the VAM server.
Total spoke number: 121
Total hub number: 3
VPN name: 1
Service: enable
Holding time: 0h 1m 47s
Registered spoke number: 98
Registered hub number: 2
Address resolution times: 11
Succeeded resolution times: 10
Failed resolution times: 1
VPN name: 9
Service: enable
Holding time: 0h 33m 53s
Registered spoke number: 23
Registered hub number: 1
Address resolution times: 150
Succeeded resolution times: 148
Failed resolution times: 2
# Display statistics about VAM clients in VPN domain 1.
encryption-algorithm Use encryption-algorithm to specify the algorithms for protocol packet encryption and their priorities. Use undo encryption-algorithm to restore the default. Syntax encryption-algorithm { { 3des | aes-128 | aes-256 | des } * | none } undo encryption-algorithm Default Four encryption algorithms are available and preferred in this order: AES-128, AES-256, 3DES, DES. DES and 3DES are kept in the default list for interoperability with older clients; if every client in the domain supports AES, configure only aes-128 and aes-256 so that DES cannot be selected, and do not use none for a domain whose VAM packets cross an untrusted network. Views VPN domain view Default command level 2: System level Parameters 3des: Uses the 3DES encryption algorithm.
undo hub private-ip private-ip-address Default No hub is configured. Views VPN domain view Default command level 2: System level Parameters private-ip-address: Specifies the private IP address of the hub. public-ip public-ip-address: Specifies the public IP address of the hub. Usage guidelines The public IP address is optional. The VAM server can get the public address of a hub when the hub registers. Up to two hubs can be configured on a VAM server.
Usage guidelines The VAM server sends this setting to its clients in the registration response, so all clients in a VPN domain use the same keepalive settings. If you change the keepalive settings on the server, only clients that register afterwards receive the new settings; clients that registered earlier keep using the old settings. Examples # Set the client keepalive interval to 30 seconds.
Related commands • keepalive interval • vam server vpn pre-shared-key (VPN domain view) Use pre-shared-key to configure the pre-shared key of the VAM server, which is used to generate the keys for encryption and integrity validation of the VAM protocol packets. Use undo pre-shared-key to remove the configuration. Syntax pre-shared-key { cipher | simple } key-string undo pre-shared-key Default No pre-shared key is configured.
Syntax server enable undo server enable Default The VAM server feature is disabled. Views VPN domain view Default command level 2: System level Examples # Enable the VAM server feature for VPN domain 1. system-view [Sysname] vam server vpn 1 [Sysname-vam-server-vpn-1] server enable Related commands • display vam server statistic • vam server enable • vam server vpn vam server enable Use vam server enable to enable the VAM server feature for all VPN domains or a specific VPN domain.
Examples # Enable the VAM server feature for all VPN domains. system-view [Sysname] vam server enable all Related commands • display vam server statistic • server enable • vam server vpn vam server ip-address Use vam server ip-address to configure the listening IP address and UDP port number for a VAM server. Use undo vam server ip-address to remove the configuration.
Use undo vam server vpn to remove a VPN domain. Syntax vam server vpn vpn-name undo vam server vpn vpn-name Default There is no VPN domain. Views System view Default command level 2: System level Parameters vpn-name: VPN domain name, a case-insensitive string of 1 to 15 characters. Valid characters are A to Z, a to z, 0 to 9, and the dot sign (.). Examples # Create VPN domain 1 and enter its view.
Related commands • vam client enable • vam client name display vam client Use display vam client to display registration information about VAM clients, which is received from the server. Syntax display vam client { address-map | fsm } [ client-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters address-map: Specifies the address mapping information between public and private network addresses of VAM clients.
Username: user1
Primary server: 28.1.1.23
Current state: ONLINE
Holding time: 9h 20m 30s
Encryption-algorithm: AES-128
Authentication-algorithm: SHA1
Secondary server: 28.1.1.33
Current state: OFFLINE
Holding time: 1h 24m 1s
Encryption-algorithm: AES-128
Authentication-algorithm: SHA1
Table 37 Command output
Field        Description
Client name  Name of the VAM client.
VPN name     Name of the VPN domain where the VAM client resides.
Interface    DVPN tunnel interface of the VAM client.
Field Description Private-ip Private IP address. Public-ip Public IP address corresponding to the private IP address. Type VAM client type, spoke or hub. Remaining-time(s) Remaining time before the mapping entry ages out. pre-shared-key (VAM client view) Use pre-shared-key to configure the pre-shared key of a VAM client, which is used to generate the keys for encryption and integrity validation of the VAM protocol packets. Use undo pre-shared-key to remove the configuration.
resend interval Use resend interval to set the interval for the VAM client to resend VAM protocol packets. Use undo resend interval to restore the default. Syntax resend interval time-interval undo resend interval Default The protocol packet retransmission interval is 5 seconds. Views VAM client view Default command level 2: System level Parameters time-interval: Protocol packet retransmission interval in the range of 3 to 30 seconds.
Default command level 2: System level Parameters ip-address: Public IP address of the primary VAM server. port-number: Port number of the primary VAM server, in the range of 1025 to 65535. The default is 18000. Usage guidelines If you execute the command repeatedly, the last configuration takes effect. Examples # Specify the primary VAM server for the client, setting the public IP address and port number to 1.1.1.1 and 2000 respectively.
Examples # Specify the secondary VAM server for the client, setting the public IP address and port number to 1.1.1.2 and 3000 respectively. system-view [Sysname] vam client name abc [Sysname-vam-client-name-abc] server secondary ip-address 1.1.1.2 port 3000 Related commands • display vam client • server primary • vam client name user Use user to create a local user by configuring a username and a password for a VAM client. Use undo user to remove the configuration.
[Sysname-vam-client-name-abc] user user password simple user Related commands • display vam client • vam client name vam client enable Use vam client enable to enable the VAM client feature for all VAM clients or a specific VAM client. Use undo vam client enable to disable the VAM client feature for all VAM clients or a specific VAM client. Syntax vam client enable { all | name client-name } undo vam client enable { all | name client-name } Default The VAM client feature is disabled.
Default No VAM client exists. Views System view Default command level 2: System level Parameters client-name: Name for the VAM client, a case-insensitive string of 1 to 31 characters. Valid characters are A to Z, a to z, 0 to 9 and the dot sign (.). Usage guidelines A VAM client that is applied to an interface cannot be removed directly; remove it from the interface before removing the client. Examples # Create a VAM client named abc.
[Sysname] vam client name abc [Sysname-vam-client-name-abc] vpn 100 Related commands • display vam client • vam client name DVPN tunnel configuration commands display dvpn session Use display dvpn session to display information about DVPN sessions.
58 multicasts, 0 errors
Output: 279 packets, 103 data packets, 93 multicasts, 176 control packets, 0 errors
Private IP: 10.0.0.22
Public IP: 28.1.1.22
Session type: Hub-Spoke
State: SUCCESS
Holding time: 0h 44m 9s
Input: 279 packets, 100 data packets, 91 multicasts, 179 control packets, 0 errors
Output: 273 packets, 99 data packets, 91 multicasts, 174 control packets, 0 errors
Table 39 Command output
Field      Description
Interface  DVPN tunnel interface.
VPN name   Name of a VPN domain.
Default The quiet period is 120 seconds. Views Tunnel interface view Default command level 2: System level Parameters time-interval: Quiet period of a DVPN tunnel, in the range of 10 to 600 seconds. Usage guidelines During the quiet period, the DVPN tunnel is in the sleep state and no tunnel connection exists. Examples # Set the quiet period of the DVPN tunnel to 100 seconds.
Examples # Set the idle timeout for a spoke-spoke DVPN tunnel to 800 seconds. system-view [Sysname] interface tunnel 0 [Sysname-tunnel0] dvpn session idle-time 800 Related commands • interface tunnel • tunnel-protocol keepalive Use keepalive to set the DVPN keepalive interval and the maximum number of attempts for transmitting a keepalive packet. Use undo keepalive to restore the default.
reset dvpn session Use reset dvpn session to delete the specified DVPN sessions on the local client. Syntax reset dvpn session { all | interface interface-type interface-number [ private-ip ip-address ] } Views User view Default command level 2: System level Parameters all: Specifies all DVPN sessions of the VAM client. interface interface-type interface-number: Specifies the DVPN sessions on an interface. The interface-type argument can only be tunnel.
Usage guidelines If you use the tunnel vpn-instance command to specify the VPN to which the tunnel destination address belongs, the device searches the routing table of the specified VPN instance to forward tunneled packets. Examples # On tunnel interface Tunnel0, specify that the tunneled packets belong to VPN vpn10.
Related commands • interface tunnel • tunnel-protocol
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention       Description
Boldface         Bold text represents commands and keywords that you enter literally as shown.
Italic           Italic text represents arguments that you replace with actual values.
[ ]              Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }  Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device.