HP Firewalls and UTM Devices VPN Configuration Guide

Part number: 5998-4168

Software version:
  F1000-A-EI: Feature 3722
  F1000-S-EI: Feature 3722
  F5000: Feature 3211
  F1000-E: Feature 3174
  Firewall module: Feature 3174
  Enhanced firewall module: ESS 3807
  U200-A: ESS 5132
  U200-S: ESS 5132

Document version: 6PW100-20121228
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
GRE configuration commands

display gre p2mp tunnel-table interface tunnel

Use display gre p2mp tunnel-table interface tunnel to display the tunnel entry information of a point-to-multipoint (P2MP) GRE tunnel interface.

Syntax
display gre p2mp tunnel-table interface tunnel number [ | { begin | exclude | include } regular-expression ]

Views
Any view

Default command level
1: Monitor level

Parameters
number: Tunnel interface number.
|: Filters command output by specifying a regular expression.
Table 1 Command output
Field             Description
Dest Addr         Branch network address.
Mask              Mask of the branch network address.
Tunnel Dest Addr  Destination address of the tunnel.
Gre Key           GRE key, which identifies the priority of the tunnel entry. This field is blank if the peer device is not configured with a GRE key.

gre checksum

Use gre checksum to enable the GRE packet checksum function. This function verifies the validity of packets and discards invalid packets.
Use undo gre key to remove the configuration.

Syntax
gre key key-number
undo gre key

Default
No key is configured for a GRE tunnel interface.

Views
Tunnel interface view

Default command level
2: System level

Parameters
key-number: Key for the GRE tunnel interface, in the range of 0 to 4294967295.

Usage guidelines
For a P2P GRE tunnel, both ends of the tunnel must be configured with the same GRE key. Otherwise, packets cannot pass the GRE key verification and will be discarded.
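The two receive-side checks described for gre checksum and gre key are simple to see on the wire. The following Python is an added example, not HP's implementation: it builds a GRE header (RFC 2784/2890 layout) with the optional Checksum and Key fields, and a receiver that discards a packet when the checksum does not verify or when the carried key differs from the locally configured key. The payload and the key value 1234 are constructed sample data; treating a packet that carries a key while the local end has none as a mismatch is this example's choice, not a statement about the device's behaviour.

```python
import struct
from typing import Optional, Tuple

# GRE flag bits in the first 16-bit word of the header (RFC 2784 / RFC 2890).
GRE_FLAG_CHECKSUM = 0x8000  # C bit: Checksum + Reserved1 fields present
GRE_FLAG_KEY = 0x2000       # K bit: Key field present
PROTO_IPV4 = 0x0800         # Protocol Type of the encapsulated payload


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)  # fold carries
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, key: Optional[int] = None,
                    checksum: bool = False) -> bytes:
    """Prepend a GRE header; set the Key and/or Checksum fields as requested."""
    flags = 0
    if checksum:
        flags |= GRE_FLAG_CHECKSUM
    if key is not None:
        flags |= GRE_FLAG_KEY
    header = struct.pack("!HH", flags, PROTO_IPV4)
    if checksum:
        header += struct.pack("!HH", 0, 0)  # Checksum placeholder, Reserved1
    if key is not None:
        header += struct.pack("!I", key)
    packet = header + payload
    if checksum:
        # The checksum covers the GRE header and payload with the field zeroed.
        csum = inet_checksum(packet)
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


def gre_decapsulate(packet: bytes, expected_key: Optional[int],
                    verify_checksum: bool) -> Tuple[Optional[bytes], str]:
    """Receiver side: return (payload, "ok") or (None, reason) when dropped.

    expected_key is the locally configured `gre key` (None if not configured);
    verify_checksum mirrors whether `gre checksum` is enabled.
    """
    if len(packet) < 4:
        return None, "short header"
    flags, _proto = struct.unpack("!HH", packet[:4])
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        if len(packet) < offset + 4:
            return None, "short header"
        # A valid packet sums to zero when the stored checksum is included.
        if verify_checksum and inet_checksum(packet) != 0:
            return None, "bad checksum"
        offset += 4
    key = None
    if flags & GRE_FLAG_KEY:
        if len(packet) < offset + 4:
            return None, "short header"
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    # Both ends must use the same key; anything else fails key verification.
    if key != expected_key:
        return None, "key mismatch"
    return packet[offset:], "ok"


if __name__ == "__main__":
    inner = b"constructed inner IPv4 packet"  # sample payload, not a real datagram
    pkt = gre_encapsulate(inner, key=1234, checksum=True)
    print(gre_decapsulate(pkt, expected_key=1234, verify_checksum=True))
    print(gre_decapsulate(pkt, expected_key=4321, verify_checksum=True))
```

Running the script shows the first call returning the payload and the second being dropped with "key mismatch"; corrupting any byte of a checksummed packet is dropped with "bad checksum" when verification is on, but passes silently when it is off, which is the practical difference the gre checksum command makes.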
Default The tunnel entry aging time is five seconds. Views Tunnel interface view Default command level 2: System level Parameters aging-time: Aging time for tunnel entries, in the range of 1 to 86400, in seconds. Usage guidelines This command is available only for tunnel interfaces operating in P2MP GRE tunnel mode. If a device at the headquarters does not receive any packet from a branch before the aging time expires, it removes the corresponding tunnel entry.
Views Tunnel interface view Default command level 2: System level Parameters tunnel number: Specifies a backup interface. The number argument indicates the number of the tunnel interface. Usage guidelines This command is available only for P2MP GRE tunnel interfaces. The backup interface to be specified must exist and be a GRE over IPv4 tunnel interface.
Default command level 2: System level Parameters mask: Mask of the private network IP addresses of the branch, in dotted decimal notation. mask-length: Mask length of the private network IP addresses of the branch, in the range of 0 to 32.
Use undo gre recursion to restore the default. Syntax gre recursion recursion-value undo gre recursion Default The value of the Recursion Control field in the GRE header is 0, which means not to limit the number of encapsulations. Views Tunnel interface view Default command level 2: System level Parameters recursion-value: Value for the Recursion Control field in the GRE header, in the range of 1 to 7.
Parameters seconds: Interval in seconds for transmitting keepalive packets, in the range of 1 to 32767. The default value is 10. times: Maximum number of attempts for transmitting a keepalive packet, in the range of 1 to 255. The default value is 3. Usage guidelines With the GRE keepalive function enabled on a tunnel interface, the device sends GRE keepalive packets from the tunnel interface periodically.
Hardware                Command compatible
F1000-A-EI/F1000-S-EI   Yes
F1000-E                 Yes
F5000                   Yes
Firewall module         Yes
U200-A                  Yes
U200-S                  No

Examples
# Clear all tunnel entries on all P2MP GRE tunnel interfaces.
reset gre p2mp tunnel-table
Warning: All tunnel table will be deleted. Continue? [Y/N]:

# Clear all tunnel entries on the P2MP GRE tunnel interface Tunnel0.
reset gre p2mp tunnel-table interface tunnel 0
Warning: All tunnel table will be deleted.
Tunneling configuration commands default Use default to restore the default settings for the tunnel interface. Syntax default Views Tunnel interface view Default command level 2: System level Usage guidelines CAUTION: The default command might interrupt ongoing network services. Make sure you are fully aware of the impacts of this command when you use it in a live network.
Default command level 2: System level Parameters text: Description for the interface, a string of 1 to 80 characters. Examples # Configure the description for the interface Tunnel 1 as tunnel1. system-view [Sysname] interface tunnel 1 [Sysname-Tunnel1] description tunnel1 Related commands display interface tunnel destination Use destination to specify the destination address for a tunnel interface. Use undo destination to remove the configured tunnel destination address.
Usage guidelines The tunnel destination address is the address of the peer interface receiving packets and should be configured as the source address of the peer tunnel interface. Automatic tunnel interfaces using the same encapsulation protocol must have different source addresses. Manual tunnel interfaces using the same encapsulation protocol must have different source and destination addresses.
Views Any view Default command level 1: Monitor level Parameters number: Number of a tunnel interface. brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information. down: Displays information about interfaces in the DOWN state and the causes. If you do not specify this keyword, this command displays information about interfaces in all states. |: Filters command output by specifying a regular expression.
    0 output error

Table 2 Command output
Field                        Description
Tunnel0 current state        Physical state of the tunnel interface:
                             • Administratively DOWN—The interface has been shut down by the shutdown command.
                             • DOWN—The interface is administratively up but its physical state is down.
                             • UP—Both the administrative and physical states of the interface are up.
Line protocol current state  Link layer state of the tunnel interface:
                             • DOWN—The protocol state of the interface is down.
Field Description Checksumming of GRE packets disabled GRE packet checksum function is disabled. Output queue : (Urgent queuing : Size/Length/Discards) Statistics of packets in the urgent output queue. Output queue : (Protocol queuing : Size/Length/Discards) Statistics of packets in the protocol output queue. Output queue : (FIFO queuing : Size/Length/Discards) Statistics of packets in the FIFO output queue. Last clearing of counters Last time of clearing of counters.
Field                     Description
Protocol: (s) - spoofing  (s) indicates that the network layer protocol state is UP, but the link is not available because it is either an on-demand link or not present at all.
Interface                 Abbreviated interface name.
Link                      Physical link state of the interface:
                          • UP—The link is physically up.
                          • DOWN—The link is physically down.
                          • ADM—The link has been administratively shut down. To bring it up, perform the undo shutdown command.
                          • Stby—The interface is a backup interface.
exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
    InUnknownProtos: 0
    InDelivers: 45
    OutRequests: 45
    OutForwDatagrams: 0
    InNoRoutes: 0
    InTooBigErrors: 0
    OutFragOKs: 0
    OutFragCreates: 0
    InMcastPkts: 0
    InMcastNotMembers: 0
    OutMcastPkts: 0
    InAddrErrors: 0
    InDiscards: 0
    OutDiscards: 0

Table 4 Command output
Field                  Description
Tunnel0 current state  Physical state of the tunnel interface:
                       • Administratively DOWN—The interface has been shut down by the shutdown command.
Field Description InBadOptions Received IPv6 packets with bad extension headers. ReasmReqds Received IPv6 fragments. ReasmOKs Number of packets after reassembly rather than the number of fragments. InFragDrops IPv6 fragments discarded due to certain errors. InFragTimeouts IPv6 fragments discarded because the interval for which they had stayed in the system buffer exceeded the specified period. OutFragFails Packets failed in fragmentation on the outbound interface.
Field         Description
Physical      Physical state of the tunnel interface:
              • *down—The interface has been shut down by the shutdown command.
              • down—The interface is administratively up but its physical state is down.
              • up—Both the administrative and physical states of the interface are up.
Protocol      Link layer protocol state of the tunnel interface:
              • down—The protocol state of the interface is down.
              • up—The protocol state of the interface is up.
IPv6 Address  IPv6 address of the tunnel interface.
system-view [Sysname] interface tunnel 2 [Sysname-Tunnel2] tunnel-protocol ipv6-ipv6 [Sysname-Tunnel2] encapsulation-limit 3 interface tunnel Use interface tunnel to create a tunnel interface and enter tunnel interface view. Use undo interface tunnel to delete a specific tunnel interface. Syntax interface tunnel number undo interface tunnel number Default No tunnel interface is created on the device.
Use undo mtu to restore the default. Syntax mtu mtu-size undo mtu Default The MTU for IPv4 packets on a tunnel interface is 64000. Views Tunnel interface view Default command level 2: System level Parameters mtu-size: MTU for IPv4 packets on the interface. The value ranges from 100 to 64000. Examples # Set the MTU for IPv4 packets on the interface Tunnel 3 to 10000 bytes.
shutdown Use shutdown to shut down a tunnel interface. Use undo shutdown to bring up a tunnel interface. Syntax shutdown undo shutdown Default A tunnel interface is in the up state. Views Tunnel interface view Default command level 2: System level Examples # Shut down interface Tunnel 1. system-view [Sysname] interface tunnel 1 [Sysname-Tunnel1] shutdown source Use source to specify the source address or source interface for the tunnel interface. Use undo source to restore the default.
Hardware ipv6-address F1000-A-EI/F1000-S-EI Yes F1000-E Yes F5000 Yes Firewall module Yes U200-A Yes U200-S No interface-type interface-number: Specifies the source interface type and number. Usage guidelines The tunnel source address is the address of the interface sending packets and should be configured as the destination address of the peer tunnel interface. Automatic tunnel interfaces using the same encapsulation protocol must have different source addresses.
Views
Tunnel interface view

Default command level
2: System level

Parameters
bandwidth-value: Bandwidth value of the tunnel interface in kbps, in the range of 1 to 10000000.

Usage guidelines
The bandwidth set by the tunnel bandwidth command is used by dynamic routing protocols to calculate the cost of the tunnel. It does not affect the actual bandwidth of the tunnel interface. Consider the bandwidth of the actual physical output interface when you set the tunnel interface bandwidth.
tunnel-protocol Use tunnel-protocol to specify the tunnel mode for the tunnel interface. Use undo tunnel-protocol to restore the default. Syntax tunnel-protocol { dvpn { gre | udp } | gre [ ipv6 | p2mp ] | ipsec { ipv4 | ipv6 } | ipv4-ipv4 | ipv4-ipv6 [ dslite-aftr | dslite-cpe ] | ipv6-ipv4 [ 6to4 | auto-tunnel | isatap ] | ipv6-ipv6 } undo tunnel-protocol Default The tunnel mode is GRE over IPv4 tunnel mode.
The following matrix shows the values for the gre ipv6 keyword on different firewalls and UTM devices: Hardware Keyword compatibility F1000-A-EI/F1000-S-EI Yes F1000-E Yes F5000 Yes Firewall module Yes U200-A Yes U200-S No gre p2mp: Specifies the point-to-multipoint GRE tunnel mode.
Hardware Keyword compatibility F1000-E Yes F5000 Yes Firewall module Yes U200-A Yes U200-S No ipv4-ipv6 dslite-aftr: Specifies the IPv4 over IPv6 DS-lite tunnel mode on the AFTR.
Hardware Keyword compatibility U200-S No ipv6-ipv4 6to4: Specifies the IPv6 over IPv4 6to4 tunnel mode. The following matrix shows the values for the ipv6-ipv4 6to4 keyword on different firewalls and UTM devices: Hardware Keyword compatibility F1000-A-EI/F1000-S-EI Yes F1000-E Yes F5000 Yes Firewall module Yes U200-A Yes U200-S No ipv6-ipv4 auto-tunnel: Specifies the IPv6 over IPv4 automatic tunnel mode.
Hardware Keyword compatibility F1000-A-EI/F1000-S-EI Yes F1000-E Yes F5000 Yes Firewall module Yes U200-A Yes U200-S No Usage guidelines You can select a tunnel mode according to the actual network topology and application. The two ends of a tunnel must have the same tunnel mode specified. Otherwise, traffic transmission may fail. Only one automatic tunnel can be created at the start point of a tunnel. Examples # Specify the IPv4 over IPv4 tunnel mode for interface Tunnel 2.
IKE configuration commands authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal. Use undo authentication-algorithm to restore the default. Syntax authentication-algorithm { md5 | sha } undo authentication-algorithm Default An IKE proposal uses the SHA1 authentication algorithm. Views IKE proposal view Default command level 2: System level Parameters md5: Uses HMAC-MD5. MD5 is not supported in FIPS mode. sha: Uses HMAC-SHA1.
Views IKE proposal view Default command level 2: System level Parameters pre-share: Uses the pre-shared key method. rsa-signature: Uses the RSA digital signature method. Examples # Specify that IKE proposal 10 uses the pre-shared key authentication method.
dh Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal. Use undo dh to restore the default. Syntax dh { group1 | group2 | group5 | group14 } undo dh Default In non-FIPS mode, the default group is group1, the 768-bit Diffie-Hellman group. In FIPS mode, the default group is group2. Views IKE proposal view Default command level 2: System level Parameters group1: Uses the 768-bit Diffie-Hellman group for key negotiation in phase 1.
Parameters dpd-name: DPD name, a string of 1 to 15 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Syntax display ike proposal [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
• dh • sa duration display ike sa Use display ike sa to display information about the current IKE SAs. Syntax display ike sa [ active | standby | verbose [ connection-id connection-id | remote-address remote-address ] ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters active: Displays the summary of active IKE SAs in an IPsec stateful failover scenario.
Usage guidelines If you do not specify any parameters or keywords, the command displays brief information about the current IKE SAs. Examples # Display brief information about the current IKE SAs. display ike sa total phase-1 SAs: connection-id 1 peer flag phase doi ---------------------------------------------------------1 202.38.0.2 RD|ST 1 IPSEC 2 202.38.0.
# Display detailed information about the current IKE SAs. display ike sa verbose --------------------------------------------connection id: 2 vpn-instance: 1 transmitting entity: initiatorstatus: active --------------------------------------------local ip: 4.4.4.4 local id type: IPV4_ADDR local id: 4.4.4.4 remote ip: 4.4.4.5 remote id type: IPV4_ADDR remote id: 4.4.4.
diffie-hellman group: GROUP1 nat traversal: NO # Display detailed information about the IKE SA with the remote address of 4.4.4.5. display ike sa verbose remote-address 4.4.4.5 --------------------------------------------connection id: 2 vpn-instance: vpn1 transmitting entity: initiator status: active --------------------------------------------local ip: 4.4.4.4 local id type: IPV4_ADDR local id: 4.4.4.4 remote ip: 4.4.4.5 remote id type: IPV4_ADDR remote id: 4.4.4.
Field Description life duration(sec) Lifetime of the ISAKMP SA in seconds. remaining key duration(sec) Remaining lifetime of the ISAKMP SA in seconds. exchange-mode IKE negotiation mode in phase 1. diffie-hellman group DH group used for key negotiation in IKE phase 1. nat traversal Whether NAT traversal is enabled. Related commands • ike proposal • ike peer dpd Use dpd to apply a DPD detector to an IKE peer. Use undo dpd to remove the application.
Default
In non-FIPS mode, the default encryption algorithm is the 56-bit DES encryption algorithm in CBC mode. In FIPS mode, DES-CBC and 3DES-CBC are not supported and AES-CBC-128 is the default algorithm.

Views
IKE proposal view

Default command level
2: System level

Parameters
3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses 168-bit keys for encryption.
aes-cbc: Uses the AES algorithm in CBC mode as the encryption algorithm.
main: Main mode. Usage guidelines When the user (for example, a dial-up user) at the remote end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, HP recommends setting the IKE negotiation mode to aggressive at the local end. In FIPS mode, the device cannot initiate or respond to an aggressive-mode IKE negotiation. Examples # Specify that IKE negotiation operates in main mode.
[Sysname] ike peer peer1 [Sysname-ike-peer-peer1] id-type name Related commands • local-name • ike local-name • remote-name • remote-address • local-address • exchange-mode ike dpd Use ike dpd to create a DPD detector and enter IKE DPD view. Use undo ike dpd to remove a DPD detector. Syntax ike dpd dpd-name undo ike dpd dpd-name Views System view Default command level 2: System level Parameters dpd-name: Name for the DPD detector, a string of 1 to 32 characters.
Related commands • display ike dpd • interval-time • time-out ike local-name Use ike local-name to configure a name for the local security gateway. Use undo ike local-name to restore the default. Syntax ike local-name name undo ike local-name Default The device name is used as the name of the local security gateway. Views System view Default command level 2: System level Parameters name: Name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters.
ike next-payload check disabled

Use ike next-payload check disabled to disable checking of the Next payload field in the last payload of an IKE message during IKE negotiation. Disabling the check allows interoperation with products that assign this field a value other than zero. Use undo ike next-payload check disabled to restore the default.

Syntax
ike next-payload check disabled
undo ike next-payload check disabled

Default
The Next payload field is checked.
ike proposal Use ike proposal to create an IKE proposal and enter IKE proposal view. Use undo ike proposal to delete an IKE proposal. Syntax ike proposal proposal-number undo ike proposal proposal-number Views System view Default command level 2: System level Parameters proposal-number: IKE proposal number, in the range 1 to 65535. The lower the number, the higher the priority of the IKE proposal. During IKE negotiation, a high priority IKE proposal is matched before a low priority IKE proposal.
Views System view Default command level 2: System level Parameters seconds: Transmission interval of ISAKMP SA keepalives in seconds, in the range 20 to 28,800. Usage guidelines The keepalive interval configured at the local end must be shorter than the keepalive timeout configured at the remote end. Examples # Set the keepalive interval to 200 seconds.
Related commands ike sa keepalive-timer interval ike sa nat-keepalive-timer interval Use ike sa nat-keepalive-timer interval to set the NAT keepalive interval. Use undo ike sa nat-keepalive-timer interval to disable the function. Syntax ike sa nat-keepalive-timer interval seconds undo ike sa nat-keepalive-timer interval Default The NAT keepalive interval is 20 seconds. Views System view Default command level 2: System level Parameters seconds: NAT keepalive interval in seconds, in the range 5 to 300.
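The proposal, peer and keepalive sections above state several rules that are easy to violate in a long configuration: the non-FIPS defaults are DES-CBC and DH group1, MD5 and DES are not available in FIPS mode, the lowest-numbered proposal is tried first, aggressive mode is recommended only for peers whose address is assigned dynamically, and the local keepalive interval must be shorter than the remote keepalive timeout. The following Python is an added example, not an HP tool: it parses a Comware-style IKE configuration excerpt (the sample text, its indentation and the `aes-cbc 128` spelling are constructed for this example) and reports the settings this guide documents as weak or restricted.

```python
import re
from typing import Dict, List, Tuple

# Defaults documented in this guide for non-FIPS mode; applied when a proposal
# does not set the value explicitly.
DEFAULTS = {
    "authentication-algorithm": "sha",
    "encryption-algorithm": "des-cbc",
    "dh": "group1",
}

# Settings the guide marks as unavailable in FIPS mode or as the weakest choice.
WEAK = {
    "authentication-algorithm": {"md5"},
    "encryption-algorithm": {"des-cbc", "3des-cbc"},
    "dh": {"group1"},
}

# Constructed sample configuration using commands from this reference.
SAMPLE_CONFIG = """
#
 ike proposal 10
  authentication-algorithm md5
  encryption-algorithm des-cbc
  dh group1
  sa duration 86400
#
 ike proposal 20
  authentication-algorithm sha
  encryption-algorithm aes-cbc 128
  dh group14
#
 ike proposal 30
#
 ike peer branch1
  exchange-mode aggressive
  pre-shared-key simple placeholder-key
  remote-address 2.2.2.2
  proposal 20 10
#
 ike sa keepalive-timer interval 200
"""


def parse_ike_config(text: str) -> Tuple[Dict[int, dict], Dict[str, dict], Dict[str, int]]:
    """Split the config into proposals (by number), peers (by name) and globals."""
    proposals: Dict[int, dict] = {}
    peers: Dict[str, dict] = {}
    globals_: Dict[str, int] = {}
    current = None  # ("proposal", number) or ("peer", name) while inside a view
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None  # "#" ends the current view in Comware config output
            continue
        m = re.match(r"ike proposal (\d+)$", line)
        if m:
            current = ("proposal", int(m.group(1)))
            proposals[current[1]] = dict(DEFAULTS)
            continue
        m = re.match(r"ike peer (\S+)$", line)
        if m:
            current = ("peer", m.group(1))
            peers[current[1]] = {"proposal": []}
            continue
        if current is None:
            if line.startswith("ike sa keepalive-timer "):
                key, value = line.rsplit(" ", 1)
                globals_[key] = int(value)
            continue
        key, _, value = line.partition(" ")
        if key == "sa":  # "sa duration 86400" -> key "sa duration"
            sub, _, value = value.partition(" ")
            key = f"{key} {sub}"
        target = proposals[current[1]] if current[0] == "proposal" else peers[current[1]]
        if key == "proposal":
            target["proposal"] = [int(n) for n in value.split()]
        else:
            target[key] = value
    return proposals, peers, globals_


def weak_settings(proposal: dict) -> List[str]:
    return [f"{setting} {proposal[setting].split()[0]}"
            for setting, weak in WEAK.items()
            if proposal[setting].split()[0] in weak]


def audit(proposals: Dict[int, dict], peers: Dict[str, dict]) -> List[str]:
    findings: List[str] = []
    for num, prop in sorted(proposals.items()):
        for item in weak_settings(prop):
            findings.append(f"proposal {num}: {item} is weak or unavailable in FIPS mode")
    for name, peer in peers.items():
        if peer.get("exchange-mode") == "aggressive" and "pre-shared-key" in peer:
            findings.append(f"peer {name}: aggressive mode with a pre-shared key; "
                            "intended only for peers with dynamically assigned addresses")
        refs = sorted(peer["proposal"])  # lower number = higher priority, tried first
        if refs and weak_settings(proposals.get(refs[0], DEFAULTS)):
            findings.append(f"peer {name}: highest-priority proposal {refs[0]} is weak "
                            f"and is matched before {refs[1:]}")
    return findings


def keepalive_consistent(local_interval: int, remote_timeout: int) -> bool:
    """Guide rule: the local keepalive interval must be shorter than the remote timeout."""
    return local_interval < remote_timeout
```

Proposal 30 sets nothing and is still reported, because the defaults it inherits are DES-CBC and group1; peer branch1 references 20 and 10, but 10 wins on priority, so the weak proposal is the one offered first.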
Examples # Set the DPD interval to 1 second for dpd2. system-view [Sysname] ike dpd dpd2 [Sysname-ike-dpd-dpd2] interval-time 1 local Use local to set the subnet type of the local security gateway for IKE negotiation. Use undo local to restore the default. Syntax local { multi-subnet | single-subnet } undo local Default The subnet is a single one. Views IKE peer view Default command level 2: System level Parameters multi-subnet: Sets the subnet type to multiple.
Views
IKE peer view

Default command level
2: System level

Parameters
ip-address: IP address of the local security gateway to be used in IKE negotiation.

Examples
# Set the IP address of the local security gateway to 1.1.1.1.
system-view
[Sysname] ike peer xhy
[Sysname-ike-peer-xhy] local-address 1.1.1.1

local-name

Use local-name to configure a name for the local security gateway to be used in IKE negotiation. Use undo local-name to restore the default.
[Sysname-ike-peer-peer1] local-name localgw Related commands • remote-name • id-type nat traversal Use nat traversal to enable the NAT traversal function of IKE/IPsec. Use undo nat traversal to disable the NAT traversal function of IKE/IPsec. Syntax nat traversal undo nat traversal Default The NAT traversal function is disabled. Views IKE peer view Default command level 2: System level Examples # Enable the NAT traversal function for IKE peer peer1.
single-subnet: Sets the subnet type to single. Usage guidelines Use this command to enable interoperability with a NetScreen device. Examples # Set the subnet type of the peer security gateway to multiple. system-view [Sysname] ike peer xhy [Sysname-ike-peer-xhy] peer multi-subnet pre-shared-key Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation. Use undo pre-shared-key to remove the configuration.
Use undo proposal to remove one or all IKE proposals referenced by the IKE peer. Syntax proposal proposal-number&<1-6> undo proposal [ proposal-number ] Default An IKE peer references no IKE proposals and, when initiating IKE negotiation, it uses the IKE proposals configured in system view. Views IKE peer view Default command level 2: System level Parameters proposal-number&<1-6>: Sequence number of the IKE proposal for the IKE peer to reference, in the range 1 to 65535.
Parameters hostname: Host name of the IPsec remote security gateway, a case-insensitive string of 1 to 255 characters. The host name uniquely identifies the remote IPsec peer and can be resolved to an IP address by the DNS server. dynamic: Specifies to use dynamic address resolution for the IPsec remote peer name. If you do not provide this keyword, the local end has the remote host name resolved only once after you configure the remote host name.
Views IKE peer view Default command level 2: System level Parameters name: Name of the peer security gateway for IKE negotiation, a string of 1 to 32 characters. Usage guidelines If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator.
Hardware Keywords compatible F1000-E Yes F5000 Yes Firewall module Yes U200-A Yes U200-S No Usage guidelines If you do not specify any parameter, the command clears all ISAKMP SAs. When you clear the active ISAKMP SAs on the active device, the active device automatically notifies the standby device to clear the standby ISAKMP SAs.
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

reset ike sa active
display ike sa
  total phase-1 SAs: 1
  connection-id  peer        flag    phase  doi    status
  ---------------------------------------------------------------
  1              201.31.0.9  RD|ST   1      IPSEC  STANDBY
  2              201.31.0.9  RD|ST   2      IPSEC  STANDBY

Related commands
display ike sa

sa duration

Use sa duration to set the ISAKMP SA lifetime for an IKE proposal. Use undo sa duration to restore the default.
Use undo time-out to restore the default. Syntax time-out time-out undo time-out Views IKE DPD view Default command level 2: System level Parameters time-out: DPD packet retransmission interval in seconds, in the range 1 to 60. Usage guidelines The default DPD packet retransmission interval is 5 seconds. Examples # Set the DPD packet retransmission interval to 1 second for dpd2.
IPsec configuration commands The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices. The following matrix shows the hardware compatibility for configuring IPsec for IPv6 routing protocols: Hardware Feature compatible F1000-A-EI/F1000-S-EI Yes F1000-E Yes F5000 Yes Firewall module Yes U200-A No U200-S No ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
[Sysname-ipsec-transform-set-prop1] transform ah [Sysname-ipsec-transform-set-prop1] ah authentication-algorithm sha1 Related commands • ipsec transform-set • transform connection-name Use connection-name to configure an IPsec connection name. This name functions only as a description of the IPsec policy. Use undo connection-name to restore the default. Syntax connection-name name undo connection-name Default No IPsec connection name is configured.
Default command level 2: System level Parameters slot slot-number: Specifies an interface card by its slot number. Examples # Enable the encryption engine. system-view [Sysname] cryptoengine enable display ipsec policy Use display ipsec policy to display information about IPsec policies.
  bbbbbbbbbbbbbbb-1  template
  man-1              manual  3400  aaaaaaaaaaaaaaa
  map-1              isakmp  3000  peer
  nat-1              isakmp  3500  nat
  test-1             isakmp  3200  test
  toccccc-1          isakmp  3003  tocccc

  IPsec-Policy-Name  Mode    acl   Local-Address  Remote-Address
  -----------------------------------------------------------------------
  man-1              manual  3400  3.3.3.1        3.3.3.2

Table 11 Command output
Field              Description
IPsec-Policy-Name  Name and sequence number of the IPsec policy, separated by a hyphen.
policy enable: True =========================================== IPsec Policy Group: "policy_man" Interface: GigabitEthernet0/2 =========================================== ----------------------------------------IPsec policy name: "policy_man" sequence number: 10 acl version: IPv4 mode: manual ----------------------------------------security data flow : 3002 tunnel local address: 162.105.10.1 tunnel remote address: 162.105.10.
security data flow : tunnel local address: tunnel remote address: transform-set name: prop1 inbound AH setting: AH spi: AH string-key: AH authentication hex key: inbound ESP setting: ESP spi: 23456 (0x5ba0) ESP string-key: ESP encryption hex key: ****** ESP authentication hex key: ****** outbound AH setting: AH spi: AH string-key: AH authentication hex key: outbound ESP setting: ESP spi: 23456 (0x5ba0) ESP string-key: ESP encryption hex key: ****** ESP authentication hex key: ****** Table 12 Command outp
Field Description transform-set name Transform set referenced by the IPsec policy. policy enable Whether the IPsec policy is enabled or not. synchronization inbound anti-replay-interval Interval for synchronizing anti-replay windows in inbound direction, expressed in the number of received packets. synchronization outbound anti-replay-interval Interval for synchronizing anti-replay sequence numbers in outbound direction, expressed in the number of sent packets.
Examples # Display brief information about all IPsec policy templates. display ipsec policy-template brief Policy-template-Name acl Remote-Address -----------------------------------------------------test-tplt300 2200 Table 13 Command output Field Description Policy-template-Name Name and sequence number of the IPsec policy template separated by hyphen. acl ACL referenced by the IPsec policy template. Remote Address Remote IP address.
Field Description synchronization outbound anti-replay-interval Interval for synchronizing anti-replay sequence numbers in outbound direction, expressed in the number of sent packets. IPsec sa local duration(time based) Time-based lifetime of the IPsec SAs at the local end. IPsec sa local duration(traffic based) Traffic-based lifetime of the IPsec SAs at the local end.
mode: tunnel ----------------------------security data flow : ike-peer name: peer1 perfect forward secrecy: DH group 2 transform-set name: prop1 synchronization inbound anti-replay-interval: 1000 packets synchronization outbound anti-replay-interval: 10000 packets IPsec sa local duration(time based): 3600 seconds IPsec sa local duration(traffic based): 1843200 kilobytes policy enable: True =========================================== IPsec profile: "btoa" Interface: Tunnel1 =============================
Field Description synchronization inbound anti-replay-interval Inbound anti-replay window information synchronization interval, expressed in the number of received packets. synchronization outbound anti-replay-interval Outbound anti-replay sequence number synchronization interval, expressed in the number of sent packets. IPsec sa local duration(time based) Time-based SA lifetime at the local end. IPsec sa local duration(traffic based) Traffic-based SA lifetime at the local end.
Hardware Keywords compatible F1000-A-EI/F1000-S-EI Yes F1000-E Yes F5000 Yes Firewall module Yes U200-A Yes U200-S No Usage guidelines If you do not specify any parameters, the command displays information about all IPsec SAs. Examples # Display brief information about all IPsec SAs. display ipsec sa brief Src Address Dst Address SPI Protocol Algorithm -------------------------------------------------------10.1.1.1 10.1.1.2 300 ESP 10.1.1.2 10.1.1.
encapsulation mode: tunnel perfect forward secrecy: tunnel: local address: 2.2.2.2 remote address: 1.1.1.2 flow: sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP dest addr: 192.168.1.0/255.255.255.
No duration limit for this sa [outbound AH SAs] spi: 1234563 (0x12d683) transform-set: AH-MD5HMAC96 No duration limit for this sa Table 17 Command output Field Description Interface Interface referencing the IPsec policy. path MTU Maximum IP packet length supported by the interface. Protocol Name of the protocol to which the IPsec policy is applied. IPsec policy name Name of IPsec policy used. sequence number Sequence number of the IPsec policy. acl version ACL version.
Field Description max sequence-number sent Maximum sequence number of the sent packets (relevant to the anti-replay function provided by the security protocol). anti-replay check enable Whether IPsec anti-replay checking is enabled. anti-replay window size Size of the anti-replay window. status Whether the SA is in the active or standby state. This field is displayed only when IPsec stateful failover is enabled.
queue is full: 0 authentication has failed: 0 wrong length: 0 replay packet: 0 packet too long: 0 wrong SA: 0 # Display IPsec packet statistics for Tunnel 3.
display ipsec transform-set Use display ipsec transform-set to display information about IPsec transform sets. Syntax display ipsec transform-set [ transform-set-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters transform-set-name: Name of an IPsec transform set, a string of 1 to 32 characters. If you do not specify an IPsec transform set, the command displays information about all IPsec transform sets.
Table 19 Command output Field Description IPsec transform-set name Name of the IPsec transform set. encapsulation mode Encapsulation mode used by the IPsec transform set, transport or tunnel. ESN Whether the ESN function is enabled. ESN scheme • NO—Supports the ESN function. • YES—Does not support the ESN function. transform Security protocols used by the IPsec transform set: AH, ESP, or both. If both protocols are configured, IPsec uses ESP before AH.
exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Usage guidelines If you do not specify any parameters, the command displays information about all IPsec tunnels. Examples # Display information about IPsec tunnels.
Table 20 Command output Field Description connection id Connection ID, used to uniquely identify an IPsec Tunnel. status Whether the tunnel is in the active or standby state. This field is displayed only when IPsec stateful failover is enabled. perfect forward secrecy Perfect forward secrecy, indicating which DH group is to be used for fast negotiation mode in IKE phase 2. SA's SPI SPIs of the inbound and outbound SAs. tunnel Local and remote addresses of the tunnel.
esp authentication-algorithm Use esp authentication-algorithm to specify authentication algorithms for ESP. Use undo esp authentication-algorithm to restore the default. Syntax esp authentication-algorithm { md5 | sha1 } * undo esp authentication-algorithm Default In non-FIPS mode, the default algorithm is MD5. In FIPS mode, MD5 is not supported, and SHA1 is the default algorithm. Both algorithms are used in their HMAC-96 form (compare the AH-MD5HMAC96 transform shown in the display ipsec sa output); prefer SHA1 whenever both peers support it.
Syntax esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des } * undo esp encryption-algorithm Default In non-FIPS mode, the default algorithm is DES. In FIPS mode, DES and 3DES are not supported, and AES-128 is the default algorithm. Do not rely on the non-FIPS default outside a lab: single DES has a 56-bit key and is brute-forceable, so configure an AES variant explicitly. Views IPsec transform set view Default command level 2: System level Parameters 3des: Uses the triple Data Encryption Standard (3DES) in CBC mode, which uses a 168-bit key.
Syntax ike-peer peer-name undo ike-peer peer-name Views IPsec policy view, IPsec policy template view, IPsec profile view Default command level 2: System level Parameters peer-name: IKE peer name, a string of 1 to 32 characters. Examples # Configure a reference to an IKE peer in an IPsec policy. system-view [Sysname] ipsec policy policy1 10 isakmp [Sysname-ipsec-policy-isakmp-policy1-10] ike-peer peer1 # Configure a reference to an IKE peer in an IPsec profile.
ipsec anti-replay window Use ipsec anti-replay window to set the size of the anti-replay window. Use undo ipsec anti-replay window to restore the default. Syntax ipsec anti-replay window width undo ipsec anti-replay window Default The size of the anti-replay window is 32. Views System view Default command level 2: System level Parameters width: Size of the anti-replay window. It can be 32, 64, 128, 256, 512, or 1024. Usage guidelines Your configuration affects only IPsec SAs negotiated later.
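The following Python is an added illustration for this page, not HP code: it models the sliding window that ipsec anti-replay window sizes, as a bitmap in the style of RFC 4303 Appendix A. A packet is accepted if its sequence number is newer than the top of the window, or lies inside the window and has not been seen before; anything older than width packets is dropped even if it never arrived, which is why reordering across QoS queues can cause drops at width 32. The sequence numbers, window sizes and packet orders used are constructed test input.

```python
# Added example for this page (not HP code): an ESP/AH anti-replay sliding
# window of the kind `ipsec anti-replay window` sizes, implemented as a bitmap
# in the style of RFC 4303 Appendix A. Sequence numbers are 32-bit and start
# at 1 (0 is never valid without ESN); window sizes match the command.

VALID_WIDTHS = (32, 64, 128, 256, 512, 1024)


class AntiReplayWindow:
    def __init__(self, width=32):
        if width not in VALID_WIDTHS:
            raise ValueError(f"window size must be one of {VALID_WIDTHS}")
        self.width = width
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was received

    def check(self, seq):
        """Accept `seq` (record it, return True) or reject it (return False)."""
        if seq == 0 or seq > 0xFFFFFFFF:
            return False
        mask = (1 << self.width) - 1
        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1                 # everything old falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.width:
            return False                        # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                        # already received: replay
        self.bitmap |= 1 << offset              # late but legitimate
        return True


def simulate(width, sequence):
    """Run a constructed packet order through one window; return the verdicts."""
    window = AntiReplayWindow(width)
    return [window.check(seq) for seq in sequence]
```

With width 32, a packet that arrives after 32 or more later packets is rejected as "too old" even though it is not a replay; widening the window (the command allows up to 1024) is the fix when the display ipsec statistics counters show replay drops on a path that reorders traffic.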
ipsec invalid-spi-recovery enable Use ipsec invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery. Use undo ipsec invalid-spi-recovery enable to restore the default. Syntax ipsec invalid-spi-recovery enable undo ipsec invalid-spi-recovery enable Default The invalid SPI recovery is disabled. The receiver discards IPsec packets with invalid SPIs.
Usage guidelines Only one IPsec policy group can be applied to an interface. To apply another IPsec policy group to the interface, remove the original application first. An IPsec policy group can be applied to more than one interface. With an IPsec policy group applied to an interface, the system uses each IPsec policy in the group to protect certain data flows.
You cannot change the generation mode of an existing IPsec policy; you can only delete the policy and then re-create it with the new mode. IPsec policies with the same name constitute an IPsec policy group. An IPsec policy is identified uniquely by its name and sequence number. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority. The undo ipsec policy command without the seq-number argument deletes an IPsec policy group.
After you create an IPsec policy by referencing an IPsec policy template, to modify the configuration for the IPsec policy, you must enter the IPsec policy template view instead of the IPsec policy view. You cannot change the negotiation mode of an IPsec policy. To do so, you must delete the IPsec policy and then re-create it.
Related commands display ipsec policy template ipsec profile (system view) Use ipsec profile to create an IPsec profile and enter its view. An IPsec profile defines the IPsec transform sets to be used to protect the data and the IKE negotiation parameters used to set up the SAs. Use undo ipsec profile to delete an IPsec profile. Syntax ipsec profile profile-name undo ipsec profile profile-name Default No IPsec profile exists.
Default No IPsec profile is applied to a DVPN tunnel interface or an IPsec tunnel interface, and no IPsec protection is provided. Views Tunnel interface view Default command level 2: System level Parameters profile-name: Name of the IPsec profile, a case-insensitive string of 1 to 15 characters. Usage guidelines Only one IPsec profile can be applied to a DVPN tunnel interface or an IPsec tunnel interface. To apply another IPsec profile to the tunnel interface, remove the original application first.
Views System view Default command level 2: System level Parameters seconds: Time-based global SA lifetime in seconds, in the range 180 to 604800. kilobytes: Traffic-based global SA lifetime in kilobytes, in the range 2560 to 4294967295. Usage guidelines When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy or IPsec profile that it uses. If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime.
Usage guidelines You enable IPsec stateful failover typically on two redundant gateways in active/standby mode to ensure instant IPsec tunnel failover for nonstop services. Disabling IPsec stateful failover deletes all active and standby IPsec SAs and IKE SAs.
Related commands display ipsec transform-set pfs Use pfs to enable and configure the perfect forward secrecy (PFS) feature so that the system uses the feature when employing the IPsec policy or IPsec profile to initiate a negotiation. Use undo pfs to remove the configuration. Syntax pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 } undo pfs Default The PFS feature is not used for negotiation.
policy enable Use policy enable to enable the IPsec policy. Use undo policy enable to disable the IPsec policy. Syntax policy enable undo policy enable Default The IPsec policy is enabled. Views IPsec policy view, IPsec policy template view Default command level 2: System level Usage guidelines The command is not applicable to manual IPsec policies. If an IPsec policy is disabled, the IKE peer it references cannot take part in IKE negotiation for that policy.
Usage guidelines With the packet information pre-extraction feature enabled, QoS classifies a packet based on the header of the original IP packet—the header of the IP packet that has not been encapsulated by IPsec. Examples # Enable packet information pre-extraction.
Hardware Keywords compatible F1000-E Yes F5000 Yes Firewall module Yes U200-A Yes U200-S No Usage guidelines Immediately after a manually set up SA is cleared, the system automatically sets up a new SA based on the parameters of the IPsec policy. After IKE negotiated SAs are cleared, the system sets up new SAs only when IKE negotiation is triggered by interesting packets. IPsec SAs appear in pairs.
Syntax reset ipsec statistics Views User view Default command level 1: Monitor level Examples # Clear IPsec packet statistics. reset ipsec statistics Related commands display ipsec statistics reverse-route Use reverse-route to enable and configure the IPsec Reverse Route Inject (RRI) feature. Use undo reverse-route to disable IPsec RRI. Syntax reverse-route [ remote-peer ip-address [ gateway | static ] | static ] undo reverse-route Default IPsec RRI is disabled.
peer gateway IP address from the policy, IPsec RRI deletes all static routes it has created. The static mode applies to scenarios where the topologies of branch networks seldom change. • Dynamic IPsec RRI dynamically creates static routes based on IPsec SAs. Dynamic IPsec RRI creates static routes when the IPsec SAs are established, and deletes the static routes when the IPsec SAs are deleted. The dynamic mode applies to scenarios where the topologies of branch networks change frequently.
[Sysname] ike peer 1 [Sysname-ike-peer-1] remote-address 1.1.1.2 [Sysname-ike-peer-1] quit [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule 0 permit ip source 2.0.0.0 0.0.0.255 destination 3.0.0.0 0.0.0.
[Sysname-ipsec-policy-isakmp-1-1] quit # Display the routing table. The expected route appears in the routing table after the IPsec SA negotiation succeeds. (Other routes are not shown.) [Sysname] display ip routing-table ... Destination/Mask Proto Pre Cost NextHop Interface 3.0.0.0/24 Static 60 0 1.1.1.3 GE0/1 # Configure dynamic IPsec RRI to create two static routes based on an IPsec SA: one to the peer private network 3.0.0.0/24 via the remote tunnel endpoint 1.1.1.
Examples # Set the preference to 100 for static routes populated by IPsec RRI. system-view [Sysname] ipsec policy 1 1 isakmp [Sysname-ipsec-policy-isakmp-1-1] reverse-route preference 100 Related commands reverse-route reverse-route tag Use reverse-route tag to set a route tag for the static routes created by IPsec RRI. This tag helps in implementing flexible route control through routing policies. Use undo reverse-route tag to restore the default.
Use undo sa authentication-hex to remove the configuration. Syntax sa authentication-hex { inbound | outbound } { ah | esp } [ cipher string-key | simple hex-key ] undo sa authentication-hex { inbound | outbound } { ah | esp } Views IPsec policy view Default command level 2: System level Parameters inbound: Specifies the inbound SA through which IPsec processes the received packets. outbound: Specifies the outbound SA through which IPsec processes the packets to be sent. ah: Uses AH. esp: Uses ESP.
Related commands ipsec policy (system view) sa duration Use sa duration to set an SA lifetime for the IPsec policy or IPsec profile. Use undo sa duration to restore the default. Syntax sa duration { time-based seconds | traffic-based kilobytes } undo sa duration { time-based | traffic-based } Default The SA lifetime of an IPsec policy or an IPsec profile equals the current global SA lifetime. The time-based global SA lifetime is 3600 seconds, and traffic-based SA lifetime is 1843200 kilobytes.
# Set the SA lifetime for IPsec profile profile1 to 7200 seconds (two hours). system-view [Sysname] ipsec profile profile1 [Sysname-ipsec-profile-profile1] sa duration time-based 7200 # Set the SA lifetime for IPsec profile profile1 to 20480 kilobytes (20 Mbytes). system-view [Sysname] ipsec profile profile1 [Sysname-ipsec-profile-profile1] sa duration traffic-based 20480 sa encryption-hex Use sa encryption-hex to configure an encryption key for an SA.
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format (both in hexadecimal format or both in string format), and the keys must be specified in the same format for both ends of the tunnel. Examples # Configure the encryption keys for the inbound and outbound SAs that use ESP as 0x1234567890abcdef and 0xabcdefabcdef1234 in plain text.
When you configure IPsec for an IPv6 routing protocol, follow these guidelines: • The inbound and outbound SAs at the local end must use the same SPI. • Within a certain network scope, each router must use the same SPI and keys for its inbound and outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process.
For security, all keys, including keys configured in plain text, are saved in cipher text. Usage guidelines This command applies to only manual IPsec policies. When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs. The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA. Enter keys in the same format for the local and remote inbound and outbound SAs.
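Because manual keying has no negotiation, a mismatch only shows up as silently dropped traffic (a "wrong SA" or "authentication has failed" counter). The following Python is an added example, not HP code: it checks a pair of manual SA configurations against the rules above before they are typed in. The key sizes come from the algorithm descriptions on this page (DES 8 bytes, 3DES 24 bytes, AES-CBC 16/24/32 bytes); the 16-byte HMAC-MD5 and 20-byte HMAC-SHA1 key sizes and the SPI range are assumptions, and the sample keys and SPIs are constructed test data.

```python
# Added example (not HP code): consistency checker for a manually keyed IPsec
# tunnel. Rules applied: local inbound SPI/keys == remote outbound (and vice
# versa), one key format for all four SAs, hex keys of the exact algorithm
# length. HMAC key sizes and the SPI range (256..2^32-1) are assumptions.
from dataclasses import dataclass

ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes-cbc-128": 16,
                 "aes-cbc-192": 24, "aes-cbc-256": 32}
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}


@dataclass(frozen=True)
class ManualSA:
    spi: int
    enc_key: str        # hex digits when key_format == "hex", else a pass-phrase
    auth_key: str
    key_format: str     # "hex" or "string"


def _hex_len(key):
    try:
        return len(bytes.fromhex(key))
    except ValueError:
        return None


def check_manual_tunnel(local, remote, enc_alg, auth_alg):
    """local/remote map 'inbound'/'outbound' -> ManualSA. Returns a list of
    problems; an empty list means both ends are consistent."""
    problems = []
    sas = [("local inbound", local["inbound"]), ("local outbound", local["outbound"]),
           ("remote inbound", remote["inbound"]), ("remote outbound", remote["outbound"])]
    if len({sa.key_format for _, sa in sas}) != 1:
        problems.append("all four SAs must use the same key format (hex or string)")
    for name, sa in sas:
        if not 256 <= sa.spi <= 0xFFFFFFFF:
            problems.append(f"{name}: SPI {sa.spi} out of range")
        if sa.key_format == "hex":
            for label, key, alg, want in (
                    ("encryption", sa.enc_key, enc_alg, ENC_KEY_BYTES[enc_alg]),
                    ("authentication", sa.auth_key, auth_alg, AUTH_KEY_BYTES[auth_alg])):
                n = _hex_len(key)
                if n is None:
                    problems.append(f"{name}: {label} key is not valid hex")
                elif n != want:
                    problems.append(f"{name}: {label} key is {n} bytes, {alg} needs {want}")
    # Each direction of the tunnel is one SA seen from both ends.
    for a_name, a, b_name, b in (
            ("local inbound", local["inbound"], "remote outbound", remote["outbound"]),
            ("local outbound", local["outbound"], "remote inbound", remote["inbound"])):
        if a.spi != b.spi:
            problems.append(f"{a_name} SPI {a.spi} != {b_name} SPI {b.spi}")
        if (a.enc_key, a.auth_key) != (b.enc_key, b.auth_key):
            problems.append(f"{a_name} keys differ from {b_name} keys")
    return problems


# Constructed sample configuration: AES-CBC-128 with HMAC-SHA1, hex keys.
ENC_A = "0123456789abcdef0123456789abcdef"            # 16 bytes
AUTH_A = "0123456789abcdef0123456789abcdef01234567"   # 20 bytes
ENC_B = "fedcba9876543210fedcba9876543210"
AUTH_B = "fedcba9876543210fedcba9876543210fedcba98"
GOOD_LOCAL = {"inbound": ManualSA(12345, ENC_A, AUTH_A, "hex"),
              "outbound": ManualSA(54321, ENC_B, AUTH_B, "hex")}
GOOD_REMOTE = {"inbound": ManualSA(54321, ENC_B, AUTH_B, "hex"),
               "outbound": ManualSA(12345, ENC_A, AUTH_A, "hex")}
# Typo'd peer: wrong outbound SPI and a 16-byte SHA1 key on the inbound SA.
BAD_REMOTE = {"inbound": ManualSA(54321, ENC_B, ENC_A, "hex"),
              "outbound": ManualSA(12346, ENC_A, AUTH_A, "hex")}
```

Run check_manual_tunnel on both ends' intended values before configuring them; the GOOD pair passes, and the BAD peer reports the short authentication key, the SPI mismatch and the resulting key mismatch.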
Views IPsec policy view, IPsec policy template view Default command level 2: System level Parameters acl-number: Number of the ACL for the IPsec policy to reference, in the range 3000 to 3999. aggregation: Specifies the data flow protection mode as aggregation. This mode is configurable only in IPsec policies that use IKE negotiation. per-host: Specifies the data flow protection mode as per-host. This mode is configurable only in IPsec policies that use IKE negotiation.
[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation # Configure IPsec policy policy3 to reference ACL 3003, and set the data flow protection mode to per-host. system-view [Sysname] acl number 3003 [Sysname-acl-adv-3003] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.
A short interval improves the anti-replay information consistency between the active device and the standby device, but also increases the anti-replay information synchronization frequency and the impact on the performance of the devices.
ah-esp: Uses ESP first and then AH. esp: Uses the ESP protocol. Usage guidelines The IPsec transform sets at the two ends of an IPsec tunnel must use the same security protocol. Examples # Configure IPsec transform set prop1 to use AH. system-view [Sysname] ipsec transform-set prop1 [Sysname-ipsec-transform-set-prop1] transform ah Related commands ipsec transform-set transform-set Use transform-set to specify an IPsec transform set for the IPsec policy or IPsec profile to reference.
• ipsec profile (system view) Examples # Configure IPsec policy policy1 to reference IPsec transform set tran1. [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] quit [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] transform-set tran1 # Configure IPsec profile profile1 to reference IPsec transform set tran2.
Related commands ipsec policy (system view) tunnel remote Use tunnel remote to configure the remote address of an IPsec tunnel. Use undo tunnel remote to remove the configuration. Syntax tunnel remote ip-address undo tunnel remote [ ip-address ] Default No remote address is configured for the IPsec tunnel. Views IPsec policy view Default command level 2: System level Parameters ip-address: Remote address for the IPsec tunnel. Usage guidelines This command applies to only manual IPsec policies.
L2TP configuration commands The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices. allow l2tp Use allow l2tp to specify the VT interface for receiving calls, the tunnel name on the LAC, and the domain name. Use undo allow to remove the configuration. Syntax allow l2tp virtual-template virtual-template-number remote remote-name [ domain domain-name ] undo allow Default An LNS denies all incoming calls.
Examples # Accept the L2TP tunneling request initiated by the peer (LAC) of aaa and create a VA interface according to virtual template 1. system-view [Sysname] l2tp-group 2 [Sysname-l2tp2] allow l2tp virtual-template 1 remote aaa # Specify L2TP group 1 as the default L2TP group, accept the L2TP tunneling request initiated by any peer, and create a VA interface based on virtual template 1.
Field Description RemoteSID Unique ID of the session at the remote end. LocalTID Unique ID of the tunnel at the local end. Related commands display l2tp tunnel display l2tp tunnel Use display l2tp tunnel to display information about L2TP tunnels. Syntax display l2tp tunnel [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters |: Filters command output by specifying a regular expression.
interface virtual-template Use interface virtual-template to create a VT interface and enter its view. Use undo interface virtual-template to remove a VT interface. Syntax interface virtual-template virtual-template-number undo interface virtual-template virtual-template-number Default No VT interface exists. Views System view Default command level 2: System level Parameters virtual-template-number: Number of a VT interface, in the range of 0 to 1023.
Usage guidelines L2TP must be enabled for relevant L2TP configurations to take effect. Examples # Enable the L2TP function. system-view [Sysname] l2tp enable Related commands l2tp-group l2tp-auto-client enable Use l2tp-auto-client enable to trigger an LAC to establish an L2TP tunnel. Use undo l2tp-auto-client enable to remove the established L2TP tunnel. Syntax l2tp-auto-client enable undo l2tp-auto-client enable Default An LAC does not establish an L2TP tunnel.
Default command level 2: System level Parameters group-number: Number of an L2TP group, in the range of 1 to 1000. Usage guidelines When you use the undo l2tp-group command to remove an L2TP group, all configuration information associated with the group will be deleted. Examples # Create an L2TP group numbered 2, and enter its view.
mandatory-chap Use mandatory-chap to force the LNS to perform a CHAP authentication of the user. Use undo mandatory-chap to disable CHAP authentication on the LNS. Syntax mandatory-chap undo mandatory-chap Default An LNS does not perform CHAP authentication of users. Views L2TP group view Default command level 2: System level Usage guidelines An LNS authenticates the client in addition to the proxy authentication that occurs at the LAC for higher security.
Usage guidelines When a PPP session starts, a client of a NAS-initiated VPN first negotiates LCP parameters with the NAS. If the negotiation succeeds, the NAS initializes a tunnel and then transfers the negotiated results to the LNS. The LNS then verifies whether the client is valid, depending on the proxy authentication information. You can use the mandatory-lcp command to force the LNS to perform LCP re-negotiation with the client instead of trusting the results forwarded by the NAS.
Usage guidelines If you specify a tunnel name, all tunnels with the name will be disconnected. If no tunnel with the name exists, nothing happens. If you specify a tunnel ID, only the tunnel with the ID is disconnected. A tunnel disconnected by force can be re-established when a client makes a call. Examples # Disconnect all tunnels with the remote name of aaa.
Examples # Configure the device to initiate L2TP tunneling requests to LNS 202.1.1.1 for users in domain aabbcc.net. system-view [Sysname] l2tp-group 1 [Sysname-l2tp1] start l2tp ip 202.1.1.1 domain aabbcc.net tunnel authentication Use tunnel authentication to enable the L2TP tunnel authentication function. Use undo tunnel authentication to disable the L2TP tunnel authentication function. Syntax tunnel authentication undo tunnel authentication Default L2TP tunnel authentication is enabled.
Default command level 2: System level Usage guidelines The tunnel avp-hidden command is available for only LACs. Examples # Transfer AVP data in hidden mode. system-view [Sysname] l2tp-group 1 [Sysname-l2tp1] tunnel avp-hidden tunnel flow-control Use tunnel flow-control to enable the L2TP tunnel flow control function. Use undo tunnel flow-control to disable the L2TP tunnel flow control function.
Default command level 2: System level Parameters name: Specifies the name for the tunnel at the local end, a case-sensitive string of 1 to 30 characters. Examples # Specify the local name for a tunnel as itsme. system-view [Sysname] l2tp-group 1 [Sysname-l2tp1] tunnel name itsme Related commands sysname (Fundamentals Command Reference) tunnel password Use tunnel password to specify the key for tunnel authentication. Use undo tunnel password to remove the configuration.
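As an added example, not HP code, the following Python computes the two control-connection protections that tunnel authentication/tunnel password and tunnel avp-hidden switch on, as RFC 2661 specifies: the challenge response is an MD5 hash over the message type, the shared tunnel password and the peer's challenge, and a hidden AVP is the length-prefixed value XORed with an MD5 keystream seeded from the attribute type, the password and the Random Vector AVP. The tunnel password, challenge, random vector and AVP value are constructed test data; the Proxy Authen Name attribute number is the RFC 2661 value and is used only as a sample attribute type.

```python
# Added example (not HP code): L2TP tunnel authentication (RFC 2661 5.1.1)
# and AVP hiding (RFC 2661 4.3), the mechanisms behind `tunnel password`
# and `tunnel avp-hidden`. All inputs below are constructed test data.
import hashlib
import hmac

SCCRQ, SCCRP, SCCCN = 1, 2, 3            # control message types, RFC 2661
ATTR_PROXY_AUTHEN_NAME = 30              # sample attribute type, RFC 2661

TUNNEL_PASSWORD = b"itsme-shared-secret"   # what `tunnel password` configures
CHALLENGE = bytes(range(16))               # constructed Challenge AVP value
RANDOM_VECTOR = bytes(range(16, 32))       # constructed Random Vector AVP value


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def challenge_response(msg_type, secret, challenge):
    """MD5 over the message type (one octet: SCCRP or SCCCN), the shared
    secret and the challenge received from the peer."""
    return _md5(bytes([msg_type]), secret, challenge)


def verify_challenge_response(msg_type, secret, challenge, response):
    expected = challenge_response(msg_type, secret, challenge)
    return hmac.compare_digest(expected, response)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_avp(attr_type, value, secret, random_vector):
    """Length-prefix and pad the value to 16-byte blocks, then XOR each block
    with an MD5 keystream chained on the previous hidden block. The receiver
    discards the padding using the embedded length."""
    plain = len(value).to_bytes(2, "big") + value
    plain += b"\x00" * (-len(plain) % 16)
    key = _md5(attr_type.to_bytes(2, "big"), secret, random_vector)
    hidden = b""
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], key)
        hidden += block
        key = _md5(secret, block)
    return hidden


def unhide_avp(attr_type, hidden, secret, random_vector):
    """Inverse of hide_avp. Returns None when the recovered length is
    implausible, the usual symptom of a password mismatch: hiding is
    confidentiality only, it does not authenticate the AVP."""
    if len(hidden) % 16:
        return None
    key = _md5(attr_type.to_bytes(2, "big"), secret, random_vector)
    plain = b""
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, key)
        key = _md5(secret, block)
    length = int.from_bytes(plain[:2], "big")
    if length > len(plain) - 2:
        return None
    return plain[2:2 + length]
```

Two points worth noting from the code: both mechanisms are keyed only by the tunnel password, so a weak password makes the challenge response brute-forceable offline from one captured exchange, and AVP hiding is unauthenticated, which is why tunnel authentication should stay enabled (its default) rather than relying on hidden AVPs alone.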
tunnel timer hello Use tunnel timer hello to set the hello interval in sending hello packets in a tunnel. Use undo tunnel timer hello to restore the default. Syntax tunnel timer hello hello-interval undo tunnel timer hello Default The interval is 60 seconds. Views L2TP group view Default command level 2: System level Parameters hello-interval: Specifies the interval at which the LAC or the LNS sends Hello packets when receiving no packets, in the range of 60 to 1000 seconds.
Certificate management commands attribute Use attribute to configure the attribute rules of the certificate issuer name, certificate subject name and alternative certificate subject name. Use undo attribute to delete the attribute rules of one or all certificates.
system-view [Sysname] pki certificate attribute-group mygroup [Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc # Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string of abc. [Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc # Create a certificate attribute rule, specifying that the IP address in the alternative subject name cannot be 10.0.0.1.
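To see how the three rules above combine, the following Python is an added example, not HP code: it parses rules written in this page's syntax and evaluates them against a certificate's names. Assumptions made here: DN and FQDN comparisons are case-insensitive substring (ctn/nctn) or equality (equ/nequ) tests, fqdn and ip rules are tested against every value of the named field, and an attribute group matches only when all of its rules match. The certificate values are constructed, loosely following the sample certificate dump shown later under display pki certificate.

```python
# Added example (not HP code): evaluating certificate attribute rules in this
# reference's syntax against a certificate's names. Assumptions: case-insensitive
# DN/FQDN matching, fqdn/ip rules checked against every value of the field,
# and all rules of a group must match. Certificate values are constructed.
import ipaddress

FIELDS = ("subject-name", "issuer-name", "alt-subject-name")
KINDS = ("dn", "fqdn", "ip")
OPS = ("ctn", "nctn", "equ", "nequ")


def parse_rule(line):
    """'attribute 1 subject-name dn ctn abc' -> (1, 'subject-name', 'dn', 'ctn', 'abc')."""
    parts = line.split()
    if len(parts) != 6 or parts[0] != "attribute":
        raise ValueError(f"not an attribute rule: {line!r}")
    _, rule_id, field, kind, op, value = parts
    if field not in FIELDS or kind not in KINDS or op not in OPS:
        raise ValueError(f"bad field/kind/operator in: {line!r}")
    return int(rule_id), field, kind, op, value


def _same(kind, have, want):
    if kind == "ip":
        try:
            return ipaddress.ip_address(have) == ipaddress.ip_address(want)
        except ValueError:
            return False
    return have.lower() == want.lower()


def rule_matches(rule, cert):
    """cert maps (field, kind) -> list of values read from the certificate,
    e.g. ('alt-subject-name', 'ip') -> ['10.0.0.1']. A field the certificate
    lacks is an empty list, so a nequ/nctn rule on it matches vacuously."""
    _, field, kind, op, value = rule
    values = cert.get((field, kind), [])
    if op in ("equ", "nequ"):
        hit = any(_same(kind, v, value) for v in values)
    else:
        hit = any(value.lower() in v.lower() for v in values)
    return hit if op in ("equ", "ctn") else not hit


def group_matches(rules, cert):
    """All rules of an attribute group must match (AND)."""
    return all(rule_matches(parse_rule(r), cert) for r in rules)


# The three rules configured on this page, and a constructed certificate.
PAGE_RULES = [
    "attribute 1 subject-name dn ctn abc",
    "attribute 2 issuer-name fqdn nequ abc",
    "attribute 3 alt-subject-name ip nequ 10.0.0.1",
]
CERT_A = {
    ("subject-name", "dn"): ["C=CN,ST=Country B,L=City Y,O=abc,CN=pki test"],
    ("issuer-name", "dn"): ["C=CN,O=abc,OU=bjs,CN=new-ca"],
    ("alt-subject-name", "fqdn"): ["hyf.xxyyzz.net"],
    ("alt-subject-name", "ip"): ["10.0.0.1"],
}
```

CERT_A satisfies rules 1 and 2 but fails rule 3 because its alternative subject name carries exactly the forbidden address, so the group as a whole does not match; the same certificate with any other SAN IP matches. The vacuous match on rule 2 is the caveat to keep in mind when writing nequ/nctn rules: a certificate without the field passes them.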
Default No entity is specified for certificate request. Views PKI domain view Default command level 2: System level Parameters entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters. Examples # Specify the entity for certificate request as entity1.
certificate request mode Use certificate request mode to set the certificate request mode. Use undo certificate request mode to restore the default. Syntax certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual } undo certificate request mode Default Manual mode is used. Views PKI domain view Default command level 2: System level Parameters auto: Requests a certificate in auto mode.
Syntax certificate request polling { count count | interval minutes } undo certificate request polling { count | interval } Default The polling is executed every 20 minutes for up to 50 times. Views PKI domain view Default command level 2: System level Parameters count count: Specifies the maximum number of attempts to poll the status of the certificate request, in the range of 1 to 100. interval minutes: Specifies the polling interval in minutes, in the range of 5 to 168.
Parameters url-string: URL of the server for certificate request, a case-insensitive string of 1 to 127 characters. It comprises the location of the server and the location of CGI command interface script in the format of http://server_location/ca_script_location, where server_location must be an IP address and does not support domain name resolution. Examples # Specify the URL of the server for certificate request.
undo country Default No country code is specified. Views PKI entity view Default command level 2: System level Parameters country-code-str: Country code for the entity, a 2-character case-insensitive string. Examples # Set the country code of an entity to CN. system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] country CN crl check Use crl check to enable or disable CRL checking. Syntax crl check { disable | enable } Default CRL checking is enabled.
crl update-period Use crl update-period to set the CRL update period, that is, the interval at which a PKI entity with a certificate downloads the latest CRL from the LDAP server. Use undo crl update-period to restore the default. Syntax crl update-period hours undo crl update-period Default The CRL update period depends on the next update field in the CRL file. Views PKI domain view Default command level 2: System level Parameters hours: CRL update period in hours, in the range of 1 to 720.
Usage guidelines When the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local certificate, and then acquire a CRL through SCEP. Examples # Specify the URL of the CRL distribution point. system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] crl url ldap://169.254.0.30 display pki certificate Use display pki certificate to display the contents or request status of a certificate.
C=CN ST=Country A L=City X O=abc OU=bjs CN=new-ca Validity Not Before: Jan 13 08:57:21 2004 GMT Not After : Jan 20 09:07:21 2005 GMT Subject: C=CN ST=Country B L=City Y CN=pki test Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00D41D1F … Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS: hyf.xxyyzz.net X509v3 CRL Distribution Points: URI:http://1.1.1.1:447/myca.
display pki certificate access-control-policy Use display pki certificate access-control-policy to display information about one or all certificate attribute-based access control policies. Syntax display pki certificate access-control-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters policy-name: Name of the certificate attribute-based access control policy, a string of 1 to 16 characters.
Views Any view Default command level 1: Monitor level Parameters group-name: Name of a certificate attribute group, a string of 1 to 16 characters. all: Specifies all certificate attribute groups. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow.
Views Any view Default command level 1: Monitor level Parameters domain-name: Name of the PKI domain, a string of 1 to 15 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
Field Description Next Update Next update time. CRL extensions Extensions of the CRL. X509v3 Authority Key Identifier Identifier of the CA key that signed the CRL (the CRL uses X.509 v3 extensions). keyid ID of the public key. A CA might have multiple key pairs; this field indicates the key pair used for the CRL's signature. Revoked Certificates Revoked certificates. Serial Number Serial number of the revoked certificate. Revocation Date Revocation date of the certificate.
ip (PKI entity view) Use ip to configure the IP address of an entity. Use undo ip to remove the configuration. Syntax ip ip-address undo ip Default No IP address is specified for an entity. Views PKI entity view Default command level 2: System level Parameters ip-address: IP address for an entity. Examples # Configure the IP address of an entity as 11.0.0.1. system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] ip 11.0.0.
Examples # Specify an LDAP server for PKI domain 1. system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] ldap-server ip 169.254.0.30 locality Use locality to configure the geographical locality of an entity, which can be, for example, a city name. Use undo locality to remove the configuration. Syntax locality locality-name undo locality Default No geographical locality is specified for an entity.
Default command level 2: System level Parameters org-name: Organization name, a case-insensitive string of 1 to 31 characters. No comma can be included. Examples # Configure the name of the organization to which an entity belongs as test-lab. system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] organization test-lab organization-unit Use organization-unit to specify the name of the organization unit to which this entity belongs. Use undo organization-unit to remove the configuration.
undo pki certificate access-control-policy { policy-name | all } Default No access control policy exists by default. Views System view Default command level 2: System level Parameters policy-name: Name of the certificate attribute-based access control policy, a case-insensitive string of 1 to 16 characters. It cannot be "a", "al", or "all". all: Specifies all certificate attribute-based access control policies. Examples # Configure an access control policy named mypolicy and enter its view.
pki delete-certificate Use pki delete-certificate to delete the certificate locally stored for a PKI domain. Syntax pki delete-certificate { ca | local } domain domain-name Views System view Default command level 2: System level Parameters ca: Deletes the locally stored CA certificate. local: Deletes the locally stored local certificate. domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters. Examples # Delete the local certificate for PKI domain cer.
Hardware: Maximum number of PKI domains
F1000-E: 32
F5000: 32
Firewall module: 2 on the 12500/10500 enhanced firewall module; 32 on others
U200-A: 32
U200-S: 32
Examples # Create a PKI domain and enter its view. system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] pki entity Use pki entity to create a PKI entity and enter its view. Use undo pki entity to remove a PKI entity. Syntax pki entity entity-name undo pki entity entity-name Default No entity exists.
Syntax pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ] Views System view Default command level 2: System level Parameters ca: Specifies the CA certificate. local: Specifies the local certificate. domain-name: Name of the PKI domain, a string of 1 to 15 characters. der: Specifies the certificate format of DER. p12: Specifies the certificate format of P12. pem: Specifies the certificate format of PEM.
Default command level 2: System level Parameters domain-name: Name of the PKI domain, a string of 1 to 15 characters. password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters. pkcs10: Displays the BASE64-encoded PKCS#10 certificate request, which can be used to request a certificate by an out-of-band means, such as phone, disk, or email.
Usage guidelines The retrieved certificate is saved in the root directory of the device, with the file name domain-name_ca.cer or domain-name_local.cer. Examples # Retrieve the CA certificate from the certificate issuing server. system-view [Sysname] pki retrieval-certificate ca domain 1 Related commands pki domain pki retrieval-crl domain Use pki retrieval-crl domain to retrieve the latest CRLs from the server for CRL distribution.
Parameters ca: Verifies the CA certificate. local: Verifies the local certificate. domain-name: Name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters. Usage guidelines Certificate validity verification checks that the certificate is signed by the CA and that it has neither expired nor been revoked. Revocation is checked against the CRL held on the device, so retrieve the latest CRL with pki retrieval-crl domain before verifying. Examples # Verify the validity of the local certificate.
# Configure a SHA1 fingerprint for verifying the validity of the CA root certificate. [Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93 The device compares this value with the fingerprint of the root certificate it retrieves, so obtain it from the CA operator over a channel independent of the one used for retrieval; a fingerprint copied from the same untrusted source as the certificate verifies nothing. rule (PKI CERT ACP view) Use rule to create a certificate attribute access control rule. Use undo rule to delete one or all access control rules. Syntax rule [ id ] { deny | permit } group-name undo rule { id | all } Default No access control rule exists.
Syntax state state-name undo state Default No state or province is specified. Views PKI entity view Default command level 2: System level Parameters state-name: State or province name, a case-insensitive string of 1 to 31 characters. No comma can be included. Examples # Specify the state where an entity resides.
Public key configuration commands display public-key local public Use display public-key local public to display the public key information of local asymmetric key pairs. Syntax display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters dsa: Specifies a DSA key pair. rsa: Specifies an RSA key pair. |: Filters command output by specifying a regular expression.
Key code: 307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12 B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75 1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001 # Display the public key information of the local DSA key pair.
Views Any view Default command level 1: Monitor level Parameters brief: Displays brief information about all peer public keys. name publickey-name: Displays information about a peer public key. publickey-name represents a public key by its name, a case-sensitive string of 1 to 64 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Type    Module    Name
-------------------------------
RSA     1024      idrsa
DSA     1024      10.1.1.1
Table 30 Command output
Field: Description
Type: Key type, RSA or DSA.
Module: Key modulus length in bits.
Name: Name of the public key.
Related commands • public-key peer • public-key peer import sshkey
peer-public-key end Use peer-public-key end to return from public key view to system view.
Default command level 2: System level Usage guidelines If the peer device is an HP device, input the key data displayed by the display public-key local public command so that the key is format compliant. Examples # Enter public key code view and input the key.
[Sysname-pkey-key-code]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4
[Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6
[Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301
[Sysname-pkey-key-code]0001
[Sysname-pkey-key-code] public-key-code end
[Sysname-pkey-public-key]
Related commands • public-key peer • public-key-code begin
public-key local create Use public-
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++
+++++++
+++++++++
+++
Enter 2048 at the prompt rather than accepting the 1024-bit default; 512-bit and 1024-bit RSA and DSA keys are deprecated and do not provide adequate security.
# Create a local DSA key pair.
system-view
[Sysname] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
[Sysname] public-key local destroy dsa Warning: Confirm to destroy these keys? [Y/N] :y Related commands public-key local create public-key local export dsa Use public-key local export dsa without the filename argument to display the host public key of the local DSA key pair in a specific format. Use public-key local export dsa with the filename argument to export the host public key of the local DSA key pair to the specified file.
system-view [Sysname] public-key local export dsa openssh ssh-dss AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBANVcLNEKdDt6xcatp RjxsSr
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6u t5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j +o0MpOpzh3W768/+u1riz+1LcwVTs51Q== ---- END SSH2 PUBLIC KEY ---- # Display the host public key of the local RSA key pairs in OpenSSH format.
Related commands • public-key-code begin • public-key-code end • peer-public-key end • display public-key peer public-key peer import sshkey Use public-key peer import sshkey to import a peer host public key from the public key file. Use undo public-key peer to remove the specified peer host public key.
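Checking what a key code or an exported key actually contains, as an added example (not code from the HP guide): the Python below parses the hex key code that display public-key local public prints (a DER SubjectPublicKeyInfo, the same text that is pasted into public-key-code view) and the base64 body of an ssh-rsa or ssh-dss key as produced by public-key local export and consumed by public-key peer import sshkey. It reports the key type and size and, for the SSH blob, the MD5 and SHA256 fingerprints that ssh-keygen -lf prints on the peer, so the value can be confirmed with the peer's administrator before the key is trusted. The sample values are the RSA key code and the RSA OpenSSH key printed on this page; the function names and the 2048-bit minimum are the editor's choices.

```python
"""Inspect the two public-key encodings shown on this page.

Added example, not code from the HP guide. parse_rsa_key_code() decodes the
hex "Key code" of `display public-key local public` (DER SubjectPublicKeyInfo);
parse_ssh_blob() decodes the base64 body of an OpenSSH / RFC 4716 ssh-rsa or
ssh-dss key. Standard library only.
"""
import base64
import hashlib
import struct

# Sample values copied from this page's command output (PDF line wraps removed).
PAGE_RSA_KEY_CODE = (
    "307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12"
    "B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75"
    "1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001"
)
PAGE_SSH_RSA_BLOB = (
    "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6u"
    "t5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j"
    "+o0MpOpzh3W768/+u1riz+1LcwVTs51Q=="
)

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1
MIN_BITS = 2048  # editor's policy threshold, not a device setting


def _der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def parse_rsa_key_code(hex_code):
    """Parse the hex key code (DER SubjectPublicKeyInfo) of an RSA public key."""
    data = bytes.fromhex("".join(hex_code.split()))
    tag, body, end = _der_tlv(data, 0)            # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or end != len(data):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag, alg, alg_end = _der_tlv(data, body)      # AlgorithmIdentifier ::= SEQUENCE
    tag2, oid, oid_end = _der_tlv(data, alg)      # OBJECT IDENTIFIER
    if tag != 0x30 or tag2 != 0x06 or data[oid:oid_end] != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _der_tlv(data, alg_end)        # subjectPublicKey BIT STRING
    if tag != 0x03 or data[bits] != 0:
        raise ValueError("malformed BIT STRING")
    tag, key, _ = _der_tlv(data, bits + 1)        # RSAPublicKey ::= SEQUENCE { n, e }
    tag_n, n_start, n_end = _der_tlv(data, key)
    tag_e, e_start, e_end = _der_tlv(data, n_end)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    n = int.from_bytes(data[n_start:n_end], "big")
    e = int.from_bytes(data[e_start:e_end], "big")
    return {"type": "ssh-rsa", "bits": n.bit_length(), "e": e}


def _ssh_string(blob, pos):
    """Read one RFC 4251 'string' (uint32 length prefix) from blob at pos."""
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + n > len(blob):
        raise ValueError("truncated SSH key blob")
    return blob[pos:pos + n], pos + n


def parse_ssh_blob(b64):
    """Parse the base64 body of an OpenSSH/RFC 4716 ssh-rsa or ssh-dss public key."""
    blob = base64.b64decode("".join(b64.split()), validate=True)
    kind, pos = _ssh_string(blob, 0)
    fields = []
    while pos < len(blob):                        # remaining strings are mpints
        mpint, pos = _ssh_string(blob, pos)
        fields.append(int.from_bytes(mpint, "big"))
    if kind == b"ssh-rsa" and len(fields) == 2:   # e, n
        info = {"type": "ssh-rsa", "bits": fields[1].bit_length(), "e": fields[0]}
    elif kind == b"ssh-dss" and len(fields) == 4:  # p, q, g, y
        info = {"type": "ssh-dss", "bits": fields[0].bit_length()}
    else:
        raise ValueError("unsupported or malformed key blob: %r" % kind)
    # Same fingerprints ssh-keygen -lf prints, so the peer can read them back out of band.
    info["md5"] = ":".join("%02x" % b for b in hashlib.md5(blob).digest())
    info["sha256"] = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return info


def acceptable(info, min_bits=MIN_BITS):
    """True when the key meets the minimum size (the page's generator defaults to 1024)."""
    return info["bits"] >= min_bits


if __name__ == "__main__":
    for label, info in (("key code", parse_rsa_key_code(PAGE_RSA_KEY_CODE)),
                        ("ssh blob", parse_ssh_blob(PAGE_SSH_RSA_BLOB))):
        print(label, info, "OK" if acceptable(info) else "TOO SHORT")
```

Run it on a key before accepting it: confirm the SHA256 fingerprint with the peer's administrator out of band and refuse keys shorter than 2048 bits. Both sample keys from this page fail the size check (768 and 1024 bits).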
SSL VPN configuration commands
The following matrix shows the feature and hardware compatibility:
Hardware: SSL VPN compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: No
Firewall module: No
U200-A: Yes
U200-S: Yes
ssl-vpn enable Use ssl-vpn enable to enable the SSL VPN service. Use undo ssl-vpn enable to disable the SSL VPN service. Syntax ssl-vpn enable undo ssl-vpn enable Default The SSL VPN service is disabled.
Related commands ssl-vpn server-policy ssl-vpn server-policy Use ssl-vpn server-policy to specify the SSL server policy and port to be used by the SSL VPN service. Use undo ssl-vpn server-policy to restore the default. Syntax ssl-vpn server-policy server-policy-name [ port port-number ] undo ssl-vpn server-policy Default No SSL server policy is specified for the SSL VPN service.
AFT configuration commands
NOTE: AFT is not supported on VLAN interfaces and does not support VPN instances.
The following matrix shows the feature and hardware compatibility:
Hardware: AFT compatible
F1000-A-EI/F1000-S-EI: No
F1000-E: No
F5000: Yes
Firewall module: Yes
U200-A: No
U200-S: No
display aft address-group Use display aft address-group to display the AFT address pool configuration information.
Table 31 Command output
Field: Description
1: Address pool number of the AFT.
from 1.1.1.1: Start IP address in an address pool.
to 1.1.1.4: End IP address in an address pool.
display aft address-mapping Use display aft address-mapping to display IPv6-to-IPv4 AFT address mappings. Syntax display aft address-mapping [ | { begin | exclude | include } regular-expression ] Views Any view Default Level 1: Monitor level Parameters |: Filters command output by specifying a regular expression.
Syntax display aft all [ | { begin | exclude | include } regular-expression ] Views Any view Default Level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays the lines that do not match the specified regular expression.
0006::
IVI Statistics:
Total Sessions: 0
Expired Sessions: 0
Hits: 0
Misses: 0
Total Address Mappings: 0
Enabled Interfaces: GigabitEthernet0/1
Table 33 Command output
Field: Description
IPv4 Address Pool Information: AFT IPv4 address pool information.
1: Address pool number.
from 1.1.1.1: Start IP address in an address pool.
to 1.1.1.4: End IP address in an address pool.
Address Mappings (V6toV4): IPv6-to-IPv4 address mapping information.
IPv4 Address: IPv4 address.
Default Level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays the lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
Views System view Default Level 2: System level Parameters group-number: Number of an address pool, in the range of 1 to 32. start-ipv4-address: Start IPv4 address in a pool. end-ipv4-address: End IPv4 address in a pool. Usage guidelines You cannot delete an address pool that is referenced by a v6tov4 policy. To delete such an address pool, delete the policy first. If start-ipv4-address equals end-ipv4-address, only one address is available in the address pool.
system-view [Sysname] interface gigabitethernet 0/1 [Sysname-GigabitEthernet0/1] aft enable Related commands • display aft statistics • display aft all aft prefix-dns64 Use aft prefix-dns64 to specify a DNS64 prefix. Use undo aft prefix-dns64 to delete a specific DNS64 prefix. Syntax aft prefix-dns64 dns64-prefix prefix-length undo aft prefix-dns64 dns64-prefix prefix-length Default No DNS64 prefix is specified.
aft prefix-ivi Use aft prefix-ivi to specify an IVI prefix. Use undo aft prefix-ivi to delete a specific IVI prefix. Syntax aft prefix-ivi ivi-prefix undo aft prefix-ivi ivi-prefix Default No IVI prefix is specified. Views System view Default Level 2: System level Parameters ivi-prefix: IVI prefix of an IPv6 address. Usage guidelines The length of an IVI prefix is 32 bits.
Parameters acl number acl-number: Specifies an IPv4 ACL for matching IPv4 packets, in the range of 2000 to 3999. prefix-dns64 dns64-prefix prefix-length: Specifies the DNS64 prefix, which is used to translate source IPv4 addresses into IPv6 addresses for packets that match the specified ACL. The dns64-prefix argument represents the DNS64 prefix, and the prefix-length argument represents the length of the prefix, which can be 32, 40, 48, 56, 64, or 96 bits. prefix-ivi ivi-prefix: Specifies the IVI prefix.
Parameters acl6 number acl6-number: Specifies an IPv6 ACL for matching source IPv6 addresses, in the range of 2000 to 3999. If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address is translated into an IPv4 address accordingly. prefix-dns64 dns64-prefix prefix-length: Specifies the DNS64 prefix for matching destination IPv6 addresses.
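How a DNS64 prefix of each permitted length carries an IPv4 address, as an added example (not from the HP guide): the prefix lengths accepted by aft prefix-dns64, aft v4tov6 and aft v6tov4 (32, 40, 48, 56, 64 and 96 bits) are the six address formats of RFC 6052, and the Python below builds the IPv6 address for an IPv4 source (the v4tov6 direction, and the AAAA record DNS64 synthesizes) and recovers the IPv4 address from an IPv6 destination that carries the prefix (the v6tov4 direction). The function names are the editor's, the prefixes and 192.0.2.33 are RFC 6052's own worked examples, and this is the RFC's arithmetic rather than the device's implementation; ACL matching and session handling are outside its scope.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses, the format behind DNS64 prefixes.

Added example, not code from the HP guide. Octet 8 (bits 64-71) is the "u"
octet that RFC 6052 reserves and requires to be zero, which is why the
embedded IPv4 address is split around it for prefixes shorter than 96 bits.
Standard library only.
"""
import ipaddress

DNS64_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)   # the lengths aft prefix-dns64 accepts
U_OCTET = 8                                        # bits 64-71, reserved, must be zero


def _prefix(prefix):
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen not in DNS64_PREFIX_LENGTHS:
        raise ValueError("prefix length must be one of %s" % (DNS64_PREFIX_LENGTHS,))
    return net


def embed_ipv4(prefix, ipv4):
    """Return the IPv6 address (compressed text form) that embeds ipv4 under prefix."""
    net = _prefix(prefix)
    addr = bytearray(net.network_address.packed)   # prefix bits set, remainder zero
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == U_OCTET:
            pos += 1                               # skip the u octet, leave it zero
        addr[pos] = octet
        pos += 1
    return str(ipaddress.IPv6Address(bytes(addr)))


def extract_ipv4(prefix, ipv6):
    """Return the IPv4 address embedded in ipv6, or raise if it is not a valid mapping."""
    net = _prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError("%s is not covered by %s" % (addr, net))
    packed = addr.packed
    if net.prefixlen <= 64 and packed[U_OCTET] != 0:
        raise ValueError("u octet is not zero, not an RFC 6052 address")
    pos = net.prefixlen // 8
    octets = bytearray()
    while len(octets) < 4:
        if pos == U_OCTET:
            pos += 1
        octets.append(packed[pos])
        pos += 1
    return str(ipaddress.IPv4Address(bytes(octets)))


if __name__ == "__main__":
    # Constructed demo: the RFC 6052 section 2.4 table for 192.0.2.33.
    for p in ("2001:db8::/32", "2001:db8:100::/40", "2001:db8:122::/48",
              "2001:db8:122:300::/56", "2001:db8:122:344::/64",
              "2001:db8:122:344::/96", "64:ff9b::/96"):
        v6 = embed_ipv4(p, "192.0.2.33")
        print("%-24s %-30s -> %s" % (p, v6, extract_ipv4(p, v6)))
```

The /96 case with the well-known prefix 64:ff9b::/96 is the plain concatenation most people expect; the shorter prefixes show why a destination with a nonzero u octet, or one not covered by the configured prefix, must be rejected rather than translated.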
DVPN configuration commands
The following matrix shows the feature and hardware compatibility:
Hardware: DVPN compatible
F1000-A-EI/F1000-S-EI: No
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: No
U200-S: No
VAM server configuration commands
authentication-algorithm Use authentication-algorithm to specify the algorithms for protocol packet authentication and their priorities. Use undo authentication-algorithm to restore the default.
Examples # Specify the authentication algorithm of MD5 for VPN domain 1. system-view [Sysname] vam server vpn 1 [Sysname-vam-server-vpn-1] authentication-algorithm md5 Related commands • authentication-method • vam server vpn authentication-method Use authentication-method to specify the authentication mode that the VAM server uses to authenticate clients. Use undo authentication-method to restore the default.
display vam server address-map Use display vam server address-map to display address mapping information about clients registered on the server. Syntax display vam server address-map { all | vpn vpn-name [ private-ip private-ip ] } [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters all: Displays the address mapping information of all VAM clients registered on the VAM server.
# Display the address mapping information of the VAM client with a private IP address of 10.0.0.1 in VPN domain 1.
display vam server address-map vpn 1 private-ip 10.0.0.1
VPN: 1
Private-ip      Public-ip          Type    Holding time
10.0.0.1        222.222.222.1      Hub     0H 3M 34S
Table 35 Command output
Field: Description
VPN: Name of the VPN domain.
Total address-map number: Total number of address mappings.
Private-ip: Private address that the VAM client registers with the VAM server.
Total hub number: 3
VPN name: 1
Service: enable
Holding time: 0h 1m 47s
Registered spoke number: 98
Registered hub number: 2
Address resolution times: 11
Succeeded resolution times: 10
Failed resolution times: 1
VPN name: 9
Service: enable
Holding time: 0h 33m 53s
Registered spoke number: 23
Registered hub number: 1
Address resolution times: 150
Succeeded resolution times: 148
Failed resolution times: 2
# Display statistics about VAM clients in VPN domain 1.
encryption-algorithm Use encryption-algorithm to specify the algorithms for protocol packet encryption and their priorities. Use undo encryption-algorithm to restore the default. Syntax encryption-algorithm { { 3des | aes-128 | aes-256 | des } * | none } undo encryption-algorithm Default Four encryption algorithms are available and preferred in this order: AES-128, AES-256, 3DES, DES. DES and 3DES are obsolete, and none disables encryption of VAM protocol packets altogether; on a production server list only aes-128 and aes-256. Views VPN domain view Default command level 2: System level Parameters 3des: Uses the 3DES encryption algorithm.
Default No hub is configured. Views VPN domain view Default command level 2: System level Parameters private-ip-address: Specifies the private IP address of the hub. public-ip public-ip-address: Specifies the public IP address of the hub. Usage guidelines The public IP address is optional. The VAM server can get the public address of a hub when the hub registers. Up to two hubs can be configured on a VAM server.
Usage guidelines The VAM server sends this setting in a registration response to its clients. All clients in a VPN use the same keepalive settings. However, if you change the keepalive settings on the server, the new settings are sent only to clients that register afterwards; clients that registered before the change keep using the old settings. Examples # Set the client keepalive interval to 30 seconds.
Related commands • keepalive interval • vam server vpn pre-shared-key (VPN domain view) Use pre-shared-key to configure the pre-shared key of the VAM server, which is used to generate the keys for encryption and integrity validation of the VAM protocol packets. Use undo pre-shared-key to remove the configuration. Syntax pre-shared-key { cipher | simple } key-string undo pre-shared-key Default No pre-shared key is configured. The same key must be configured on the VAM clients of the VPN domain (pre-shared-key in VAM client view), and because every key protecting VAM traffic is derived from it, it must be long and random. simple stores the key in plain text in the configuration, where anyone able to read the configuration can recover it; use cipher.
Syntax server enable undo server enable Default The VAM server feature is disabled. Views VPN domain view Default command level 2: System level Examples # Enable the VAM server feature for VPN domain 1. system-view [Sysname] vam server vpn 1 [Sysname-vam-server-vpn-1] server enable Related commands • display vam server statistic • vam server enable • vam server vpn vam server enable Use vam server enable to enable the VAM server feature for all VPN domains or a specific VPN domain.
Examples # Enable the VAM server feature for all VPN domains. system-view [Sysname] vam server enable all Related commands • display vam server statistic • server enable • vam server vpn vam server ip-address Use vam server ip-address to configure the listening IP address and UDP port number for a VAM server. Use undo vam server ip-address to remove the configuration.
Use undo vam server vpn to remove a VPN domain. Syntax vam server vpn vpn-name undo vam server vpn vpn-name Default There is no VPN domain. Views System view Default command level 2: System level Parameters vpn-name: VPN domain name, a case-insensitive string of 1 to 15 characters. Valid characters are A to Z, a to z, 0 to 9, and the dot sign (.). Examples # Create VPN domain 1 and enter its view.
Related commands • vam client enable • vam client name display vam client Use display vam client to display registration information about VAM clients, which is received from the server. Syntax display vam client { address-map | fsm } [ client-name ] [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters address-map: Specifies the address mapping information between public and private network addresses of VAM clients.
Username: user1
Primary server: 28.1.1.23
Current state: ONLINE
Holding time: 9h 20m 30s
Encryption-algorithm: AES-128
Authentication-algorithm: SHA1
Secondary server: 28.1.1.33
Current state: OFFLINE
Holding time: 1h 24m 1s
Encryption-algorithm: AES-128
Authentication-algorithm: SHA1
Table 37 Command output
Field: Description
Client name: Name of the VAM client.
VPN name: Name of the VPN domain where the VAM client resides.
Interface: DVPN tunnel interface of the VAM client.
Field Description Private-ip Private IP address. Public-ip Public IP address corresponding to the private IP address. Type VAM client type, spoke or hub. Remaining-time(s) Remaining time before the mapping entry ages out. pre-shared-key (VAM client view) Use pre-shared-key to configure the pre-shared key of a VAM client, which is used to generate the keys for encryption and integrity validation of the VAM protocol packets. Use undo pre-shared-key to remove the configuration.
resend interval Use resend interval to set the interval for the VAM client to resend VAM protocol packets. Use undo resend interval to restore the default. Syntax resend interval time-interval undo resend interval Default The protocol packet retransmission interval is 5 seconds. Views VAM client view Default command level 2: System level Parameters time-interval: Protocol packet retransmission interval in the range of 3 to 30 seconds.
Default command level 2: System level Parameters ip-address: Public IP address of the primary VAM server. port-number: Port number of the primary VAM server, in the range of 1025 to 65535. The default is 18000. Usage guidelines If you execute the command repeatedly, the last configuration takes effect. Examples # Specify the primary VAM server for the client, setting the public IP address and port number to 1.1.1.1 and 2000 respectively.
Examples # Specify the secondary VAM server for the client, setting the public IP address and port number to 1.1.1.2 and 3000 respectively. system-view [Sysname] vam client name abc [Sysname-vam-client-name-abc] server secondary ip-address 1.1.1.2 port 3000 Related commands • display vam client • server primary • vam client name user Use user to create a local user by configuring a username and a password for a VAM client. Use undo user to remove the configuration.
Related commands • display vam client • vam client name vam client enable Use vam client enable to enable the VAM client feature for all VAM clients or a specific VAM client. Use undo vam client enable to disable the VAM client feature for all VAM clients or a specific VAM client. Syntax vam client enable { all | name client-name } undo vam client enable { all | name client-name } Default The VAM client feature is disabled.
Views System view Default command level 2: System level Parameters client-name: Name for the VAM client, a case-insensitive string of 1 to 31 characters. Valid characters are A to Z, a to z, 0 to 9 and the dot sign (.). Usage guidelines A VAM client applied to an interface cannot be removed directly. Examples # Create a VAM client named abc.
Related commands • display vam client • vam client name DVPN tunnel configuration commands display dvpn session Use display dvpn session to display information about DVPN sessions. Syntax display dvpn session { all | interface interface-type interface-number [ private-ip ip-address ] } [ | { begin | exclude | include } regular-expression ] Views Any view Default command level 1: Monitor level Parameters all: Specifies all DVPN sessions of the VAM client.
        93 multicasts, 0 errors
Private IP: 10.0.0.22
Public IP: 28.1.1.22
Session type: Hub-Spoke
State: SUCCESS
Holding time: 0h 44m 9s
Input:  279 packets, 100 data packets, 179 control packets
        91 multicasts, 0 errors
Output: 273 packets, 99 data packets, 174 control packets
        91 multicasts, 0 errors
Table 39 Command output
Field: Description
Interface: DVPN tunnel interface.
VPN name: Name of a VPN domain.
Total number: Number of DVPN tunnels established on the tunnel interface.
Views Tunnel interface view Default command level 2: System level Parameters time-interval: Quiet period of a DVPN tunnel, in the range of 10 to 600 seconds. Usage guidelines During the quiet period, the DVPN tunnel is in the sleep state and no tunnel connection exists. Examples # Set the quiet period of the DVPN tunnel to 100 seconds.
[Sysname-Tunnel0] dvpn session idle-time 800 Related commands • interface tunnel • tunnel-protocol keepalive Use keepalive to set the DVPN keepalive interval and the maximum number of attempts for transmitting a keepalive packet. Use undo keepalive to restore the default. Syntax keepalive [ seconds [ times ] ] undo keepalive Default The DVPN keepalive interval is 180 seconds and the maximum number of transmission attempts is 3.
Views User view Default command level 2: System level Parameters all: Specifies all DVPN sessions of the VAM client. interface interface-type interface-number: Specifies the DVPN sessions on an interface. The interface-type argument can only be tunnel. private-ip ip-address: Specifies the DVPN session to a peer VAM client. The ip-address specifies the private IP address of the peer VAM client. Examples # Remove the DVPN session whose peer private IP address is 169.254.0.1 from tunnel 0.
[Sysname-vpn-instance-vpn10] vpn-target 1:1
[Sysname-vpn-instance-vpn10] quit
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] ip address 1.1.1.1 24
[Sysname-GigabitEthernet0/1] quit
[Sysname] interface tunnel 0
[Sysname-Tunnel0] tunnel-protocol dvpn udp
[Sysname-Tunnel0] source gigabitethernet 0/1
[Sysname-Tunnel0] tunnel vpn-instance vpn10
vam client Use vam client to bind a VAM client to a DVPN tunnel interface. Use undo vam client to remove the binding.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. [] Square brackets enclose syntax choices (keywords or arguments) that are optional. { x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents a firewall product or a UTM device. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device.
Index
A
aft address-group
aft enable
aft prefix-dns64
aft prefix-ivi
aft v4tov6
aft v6tov4
ah authentication-algorithm
allow l2tp
attribute
authent
D
display aft all
display aft statistics
display dvpn session
display gre p2mp tunnel-table interface tunnel
display ike dpd
display ike peer
display ike proposal
display ike sa
display interface tunnel
display ipsec policy
display ipsec policy-template
E
esp encryption-algorithm
exchange-mode
F
fqdn
G
gre checksum
gre key
gre p2mp aging-time
gre p2mp backup-interface
gre p2mp branch-network-mask
gre recursion
H
hub private-ip
I
id-type
ike dpd
ike local
K
keepalive (DVPN)
keepalive (GRE)
keepalive interval
keepalive retry
L
l2tp enable
l2tp-auto-client enable
l2tp-group
l2tpmoreexam enable
ldap-server
local
local-address
locality
local-name
M
mandatory-chap
P
proposal
public-key local create
public-key local destroy
public-key local export dsa
public-key local export rsa
public-key peer
public-key peer import sshkey
public-key-code begin
public-key-code end
Q
qos pre-classify
S
shutdown
source
ssl-vpn enable
ssl-vpn server-policy
start l2tp
state
Subscription service
synchronization anti-replay-interval (IPsec policy view/IPsec policy template view/IPsec profile view)
T
time-out