HP High-End Firewalls
VPN Command Reference
Part number: 5998-2642
Software version: F1000-E/Firewall module: R3166; F5000-A5: R3206
Document version: 6PW101-20120706
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
GRE configuration commands

destination
Syntax
destination ip-address
undo destination
View
Tunnel interface view
Default level
2: System level
Parameters
ip-address: Tunnel destination IPv4 address.
Description
Use the destination command to specify the destination address for the tunnel interface.
Use the undo destination command to remove the configured tunnel destination address.
By default, no tunnel destination address is configured.
display interface tunnel
Syntax
display interface tunnel [ number ]
View
Any view
Default level
1: Monitor level
Parameters
number: Number of a tunnel interface. If no interface number is specified, information about all tunnel interfaces is displayed.
Description
Use the display interface tunnel command to display information about tunnel interfaces, including the source address, destination address, and tunnel mode.
Related commands: interface tunnel, source, destination, tunnel-protocol.
Table 1 Output description
Field                    Description
Tunnel0 current state    Physical state of the tunnel interface, which can be:
                         • Administratively DOWN—Indicates that the interface is administratively down; that is, the interface is shut down with the shutdown command.
                         • DOWN—Indicates that the interface is administratively up but its physical state is down.
                         • UP—Indicates that both the administrative and physical states of the interface are up.
Field               Description
input error         Number of input error packets
packets output      Total number of output packets
output error        Number of output error packets

interface tunnel
Syntax
interface tunnel number
undo interface tunnel number
View
System view
Default level
2: System level
Parameters
number: Number of the tunnel interface. The value ranges from 0 to 4095. The number of tunnels that can be created is restricted by the total number of interfaces and the memory.
gre checksum
Default level
2: System level
Parameters
None
Description
Use the gre checksum command to enable the GRE packet checksum function, so that the validity of received packets is verified and invalid packets are discarded.
Use the undo gre checksum command to disable the GRE packet checksum function.
By default, the GRE packet checksum function is disabled.
Related commands: interface tunnel and display interface tunnel.
[Sysname1] interface tunnel 3
[Sysname1-Tunnel3] gre key 123
system-view
[Sysname2] interface tunnel 2
[Sysname2-Tunnel2] gre key 123

keepalive
Syntax
keepalive [ seconds [ times ] ]
undo keepalive
View
Tunnel interface view
Default level
2: System level
Parameters
seconds: Interval in seconds for transmitting keepalive packets, in the range 1 to 32,767. The default value is 10.
times: Maximum number of attempts for transmitting a keepalive packet, in the range 1 to 255.
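The gre checksum and gre key commands above configure two receive-side drop conditions: a packet whose GRE checksum does not verify, and a packet whose key does not match the configured value. The following Python is an added example, not code from this reference or from HP; it builds a GRE header per RFC 2784/2890 and validates it the way a receiver with both features enabled would, so the effect of each setting can be seen on constructed packets. The payload, protocol value and key 123 are constructed sample inputs.

```python
import struct
from typing import Optional, Tuple

# GRE flag bits in the first 16-bit word of the header (RFC 2784, RFC 2890).
GRE_FLAG_CHECKSUM = 0x8000   # C bit: Checksum and Reserved1 fields present
GRE_FLAG_KEY = 0x2000        # K bit: Key field present
GRE_FLAG_SEQ = 0x1000        # S bit: Sequence Number field present
GRE_VERSION_MASK = 0x0007    # low three bits carry the GRE version (0 here)


def ones_complement_checksum(data: bytes) -> int:
    """Internet (one's complement) checksum over 16-bit words, as GRE uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int = 0x0800, key: Optional[int] = None,
              checksum: bool = False) -> bytes:
    """Encapsulate payload in a GRE header; key/checksum mirror 'gre key' and 'gre checksum'."""
    flags = 0
    options = b""
    if checksum:
        flags |= GRE_FLAG_CHECKSUM
        options += struct.pack("!HH", 0, 0)       # checksum placeholder + Reserved1
    if key is not None:
        flags |= GRE_FLAG_KEY
        options += struct.pack("!I", key)
    packet = struct.pack("!HH", flags, proto) + options + payload
    if checksum:
        csum = ones_complement_checksum(packet)  # computed with the field zeroed
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


def parse_gre(packet: bytes, expected_key: Optional[int] = None) -> Tuple[int, Optional[int], bytes]:
    """Validate a GRE packet as a receiver with 'gre checksum' and 'gre key' would.

    Returns (protocol, key, payload); raises ValueError for packets that must be dropped.
    """
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK != 0:
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        if len(packet) < offset + 4:
            raise ValueError("truncated checksum field")
        (csum,) = struct.unpack("!H", packet[offset:offset + 2])
        zeroed = packet[:offset] + b"\x00\x00" + packet[offset + 2:]
        if ones_complement_checksum(zeroed) != csum:
            raise ValueError("GRE checksum mismatch")
        offset += 4
    key = None
    if flags & GRE_FLAG_KEY:
        if len(packet) < offset + 4:
            raise ValueError("truncated key field")
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_SEQ:
        offset += 4                              # sequence number is not checked here
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch")
    return proto, key, packet[offset:]


def is_accepted(packet: bytes, expected_key: Optional[int] = None) -> bool:
    """True if parse_gre would deliver the packet, False if it would be dropped."""
    try:
        parse_gre(packet, expected_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_gre(b"constructed payload", key=123, checksum=True)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])   # one flipped payload bit
    print(parse_gre(good, expected_key=123))
    print("tampered accepted:", is_accepted(tampered, 123))
    print("wrong key accepted:", is_accepted(good, 456))
```

The checksum protects only against corruption, not against a peer that deliberately injects traffic; the key is a 32-bit tunnel identifier rather than a secret, so neither replaces IPsec where confidentiality or authentication of the tunnel is required.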
View
Tunnel interface view
Default level
2: System level
Parameters
ip-address: Tunnel source IPv4 address.
interface-type interface-number: Specifies an interface. The interface types include GigabitEthernet, tunnel, and loopback.
Description
Use the source command to specify the source address or interface of the tunnel interface.
Use the undo source command to remove the configured source address or interface of the tunnel interface.
ipsec ipv4: Specifies the IPsec over IPv4 tunnel mode.
Description
Use the tunnel-protocol command to specify the tunnel mode for the tunnel interface.
Use the undo tunnel-protocol command to restore the default.
You can select a tunnel mode according to the actual network topology and application. The two ends of a tunnel must have the same tunnel mode specified; otherwise, traffic transmission may fail. Only one automatic tunnel can be created at the start point of a tunnel.
IKE configuration commands

authentication-algorithm
Syntax
authentication-algorithm { md5 | sha }
undo authentication-algorithm
View
IKE proposal view
Default level
2: System level
Parameters
md5: Uses HMAC-MD5.
sha: Uses HMAC-SHA1.
Description
Use the authentication-algorithm command to specify an authentication algorithm for an IKE proposal.
Use the undo authentication-algorithm command to restore the default.
By default, an IKE proposal uses the SHA1 authentication algorithm.
Description
Use the authentication-method command to specify an authentication method for an IKE proposal.
Use the undo authentication-method command to restore the default.
By default, an IKE proposal uses the pre-shared key authentication method.
Related commands: ike proposal and display ike proposal.
Examples
# Specify that IKE proposal 10 uses the pre-shared key authentication method.
Default level
2: System level
Parameters
group1: Uses the 768-bit Diffie-Hellman group for key negotiation in phase 1.
group2: Uses the 1024-bit Diffie-Hellman group for key negotiation in phase 1.
group5: Uses the 1536-bit Diffie-Hellman group for key negotiation in phase 1.
group14: Uses the 2048-bit Diffie-Hellman group for key negotiation in phase 1.
Description
Use the dh command to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.
    time_out: 5
---------------------------
Table 2 Output description
Field            Description
references       Number of IKE peers that use the DPD detector
Interval-time    DPD query triggering interval in seconds
time_out         DPD packet retransmission interval in seconds

display ike peer
Syntax
display ike peer [ peer-name ]
View
Any view
Default level
1: Monitor level
Parameters
peer-name: Name of the IKE peer, a string of 1 to 15 characters.
Field               Description
pre-shared-key      Pre-shared key used in phase 1
peer id type        ID type used in phase 1
peer ip address     IP address of the remote security gateway
local ip address    IP address of the local security gateway
peer name           Name of the remote security gateway
nat traversal       Whether NAT traversal is enabled
dpd                 Name of the peer DPD detector

display ike proposal
Syntax
display ike proposal
View
Any view
Default level
1: Monitor level
Parameters
None
Description
Use the display ike propos
Field                      Description
authentication algorithm   Authentication algorithm used by the IKE proposal
encryption algorithm       Encryption algorithm used by the IKE proposal
Diffie-Hellman group       DH group used in IKE negotiation phase 1
duration (seconds)         ISAKMP SA lifetime of the IKE proposal in seconds

display ike sa
Syntax
display ike sa [ verbose [ connection-id connection-id | remote-address remote-address ] ]
View
Any view
Default level
1: Monitor level
Parameters
verbose: Displays detailed information.
Field    Description
flag     Status of the SA:
         • RD (READY): The SA has been established.
         • ST (STAYALIVE): This end is the initiator of the tunnel negotiation.
         • RL (REPLACED): The tunnel has been replaced by a new one and will be deleted later.
         • FD (FADING): The soft lifetime is over but the tunnel is still in use. The tunnel will be deleted when the hard lifetime is over.
         • TO (TIMEOUT): The SA has received no keepalive packets after the last keepalive timeout.
    ---------------------------------------------
    local ip: 4.4.4.4
    local id type: IPV4_ADDR
    local id: 4.4.4.4
    remote ip: 4.4.4.5
    remote id type: IPV4_ADDR
    remote id: 4.4.4.5
    authentication-method: PRE-SHARED-KEY
    authentication-algorithm: HASH-SHA1
    encryption-algorithm: DES-CBC
    life duration(sec): 86400
    remaining key duration(sec): 82480
    exchange-mode: MAIN
    diffie-hellman group: GROUP1
    nat traversal: NO
# Display detailed information about the IKE SA with the remote address of 4.4.4.5.
Field                       Description
transmitting entity         Entity in the IKE negotiation
local ip                    IP address of the local gateway
local id type               Identifier type of the local gateway
local id                    Identifier of the local gateway
remote ip                   IP address of the remote gateway
remote id type              Identifier type of the remote gateway
remote id                   Identifier of the remote security gateway
authentication-method       Authentication method used by the IKE proposal
authentication-algorithm    Authentication algorithm used by the IKE proposal
encryption-algorithm
Syntax
encryption-algorithm { 3des-cbc | aes-cbc [ key-length ] | des-cbc }
undo encryption-algorithm
View
IKE proposal view
Default level
2: System level
Parameters
3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses 168-bit keys for encryption.
aes-cbc: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses 128-bit, 192-bit, or 256-bit keys for encryption.
main: Main mode.
Description
Use the exchange-mode command to select an IKE negotiation mode.
Use the undo exchange-mode command to restore the default.
By default, main mode is used.
If the user at one end of an IPsec tunnel obtains its IP address automatically (for example, a dial-up user), the IKE negotiation mode must be set to aggressive. In this case, an SA can be created as long as the username and password are correct.
Related commands: id-type.
Examples
# Specify that IKE negotiation works in main mode.
ike dpd
Syntax
ike dpd dpd-name
undo ike dpd dpd-name
View
System view
Default level
2: System level
Parameters
dpd-name: Name for the dead peer detection (DPD) detector, a string of 1 to 15 characters.
Description
Use the ike dpd command to create a DPD detector and enter IKE DPD view.
Use the undo ike dpd command to remove a DPD detector.
Dead peer detection (DPD) irregularly detects dead IKE peers. It works as follows:
1.
Parameters
name: Name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters.
Description
Use the ike local-name command to configure a name for the local security gateway.
Use the undo ike local-name command to restore the default.
By default, the device name is used as the name of the local security gateway.
[Sysname] ike next-payload check disabled

ike peer (system view)
Syntax
ike peer peer-name
undo ike peer peer-name
View
System view
Default level
2: System level
Parameters
peer-name: IKE peer name, a string of 1 to 15 characters.
Description
Use the ike peer command to create an IKE peer and enter IKE peer view.
Use the undo ike peer command to delete an IKE peer.
Examples
# Create an IKE peer named peer1 and enter IKE peer view.
• Authentication algorithm: HMAC-SHA1
• Authentication method: Pre-shared key
• DH group: MODP_768
• SA lifetime: 86400 seconds
Related commands: display ike proposal.
Examples
# Create IKE proposal 10 and enter IKE proposal view.
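The display ike sa verbose output shown earlier, together with the encryption-algorithm, dh, exchange-mode and default-proposal sections, gives everything needed to audit a live IKE SA for weak settings from the CLI output alone. The Python below is an added example (not code from this reference or from HP): it parses that output into one record per connection and reports SAs that use DES, MD5, a 768- or 1024-bit DH group, or aggressive mode with a pre-shared key. The second SA in the constructed sample uses assumed spellings (AES-CBC, GROUP14, AGGRESSIVE, YES) that do not appear on the page; the parser only needs the field names.

```python
from typing import Dict, List

# Constructed sample in the layout of 'display ike sa verbose' from this
# reference. Only the first SA's values appear on the page; the second SA's
# values are assumed spellings chosen to exercise the remaining checks.
SAMPLE_IKE_SA_VERBOSE = """\
    ---------------------------------------------
    connection id: 2
    transmitting entity: initiator
    ---------------------------------------------
    local ip: 4.4.4.4
    local id type: IPV4_ADDR
    local id: 4.4.4.4
    remote ip: 4.4.4.5
    remote id type: IPV4_ADDR
    remote id: 4.4.4.5
    authentication-method: PRE-SHARED-KEY
    authentication-algorithm: HASH-SHA1
    encryption-algorithm: DES-CBC
    life duration(sec): 86400
    remaining key duration(sec): 82480
    exchange-mode: MAIN
    diffie-hellman group: GROUP1
    nat traversal: NO
    ---------------------------------------------
    connection id: 3
    transmitting entity: responder
    ---------------------------------------------
    local ip: 4.4.4.4
    remote ip: 4.4.4.6
    authentication-method: PRE-SHARED-KEY
    authentication-algorithm: HASH-SHA1
    encryption-algorithm: AES-CBC
    life duration(sec): 86400
    remaining key duration(sec): 1000
    exchange-mode: AGGRESSIVE
    diffie-hellman group: GROUP14
    nat traversal: YES
"""


def parse_ike_sa_verbose(text: str) -> List[Dict[str, str]]:
    """Split verbose output into one dict per 'connection id' block."""
    sas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        if key == "connection id" and current:   # a new SA begins
            sas.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        sas.append(current)
    return sas


def audit_ike_sa(sa: Dict[str, str]) -> List[str]:
    """Return findings for settings a reviewer would ask to be changed."""
    findings: List[str] = []
    enc = sa.get("encryption-algorithm", "").upper()
    if enc.startswith("DES"):
        findings.append("encryption DES-CBC (56-bit key): use aes-cbc")
    elif enc.startswith("3DES"):
        findings.append("encryption 3DES-CBC is legacy: prefer aes-cbc")
    if "MD5" in sa.get("authentication-algorithm", "").upper():
        findings.append("authentication HMAC-MD5: use sha")
    dh = sa.get("diffie-hellman group", "").upper()
    if dh in ("GROUP1", "GROUP2"):
        findings.append(f"DH {dh} (768/1024-bit MODP): use group14")
    if (sa.get("exchange-mode", "").upper() == "AGGRESSIVE"
            and "PRE-SHARED" in sa.get("authentication-method", "").upper()):
        findings.append("aggressive mode with pre-shared key sends identities and a "
                        "PSK-derived hash unencrypted: prefer main mode or certificates")
    return findings


def lifetime_fraction(sa: Dict[str, str]) -> float:
    """Fraction of the ISAKMP SA lifetime still remaining (1.0 = freshly negotiated)."""
    total = int(sa["life duration(sec)"])
    remaining = int(sa["remaining key duration(sec)"])
    return remaining / total


if __name__ == "__main__":
    for sa in parse_ike_sa_verbose(SAMPLE_IKE_SA_VERBOSE):
        print(sa["connection id"], sa["remote ip"],
              f"{lifetime_fraction(sa):.1%} remaining", audit_ike_sa(sa) or "ok")
```

The same checks map directly onto the proposal commands: a finding on encryption, authentication or DH is fixed in IKE proposal view with encryption-algorithm aes-cbc, authentication-algorithm sha, and dh group14; the aggressive-mode finding is a design question about the dial-up case the exchange-mode section describes.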
View
System view
Default level
2: System level
Parameters
seconds: ISAKMP SA keepalive timeout in seconds, in the range 20 to 28,800.
Description
Use the ike sa keepalive-timer timeout command to set the ISAKMP SA keepalive timeout.
Use the undo ike sa keepalive-timer timeout command to disable the function.
By default, no keepalive packet is sent.
The keepalive timeout configured at the local end must be longer than the keepalive interval configured at the remote end.
interval-time
Syntax
interval-time interval-time
undo interval-time
View
IKE DPD view
Default level
2: System level
Parameters
interval-time: Sets the DPD interval in seconds, in the range of 1 to 300 seconds. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.
Description
Use the interval-time command to set the DPD query triggering interval for a DPD detector.
Use this command to enable interoperability with a NetScreen device.
Examples
# Set the subnet type of the local security gateway to multiple.
system-view
[Sysname] ike peer xhy
[Sysname-ike-peer-xhy] local multi-subnet

local-address
Syntax
local-address ip-address
undo local-address
View
IKE peer view
Default level
2: System level
Parameters
ip-address: IP address of the local security gateway to be used in IKE negotiation.
Parameters
None
Description
Use the nat traversal command to enable the NAT traversal function of IKE/IPsec.
Use the undo nat traversal command to disable the NAT traversal function of IKE/IPsec.
By default, the NAT traversal function is disabled.
Examples
# Enable the NAT traversal function for IKE peer peer1.
View
IKE peer view
Default level
2: System level
Parameters
key: Plaintext pre-shared key to be displayed in cipher text, a case-sensitive string of 1 to 128 characters.
cipher key: Specifies the ciphertext pre-shared key to be displayed in cipher text, a case-sensitive string of 1 to 184 characters.
simple key: Specifies the plaintext pre-shared key to be displayed in plain text, a case-sensitive string of 1 to 128 characters.
Description
Use the remote-address command to configure the IP address of the IPsec remote security gateway.
Use the undo remote-address command to remove the configuration.
gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.
Related commands: id-type, local-name, and ike local-name.
Examples
# Configure the remote security gateway name as apple for IKE peer peer1.
    RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT

sa duration
Syntax
sa duration seconds
undo sa duration
View
IKE proposal view
Default level
2: System level
Parameters
seconds: Specifies the ISAKMP SA lifetime in seconds, in the range 60 to 604800.
Description
Use the sa duration command to set the ISAKMP SA lifetime for an IKE proposal.
Use the undo sa duration command to restore the default.
By default, the ISAKMP SA lifetime is 86400 seconds.
Before an SA expires, IKE negotiates a new SA.
The default DPD packet retransmission interval is 5 seconds.
Examples
# Set the DPD packet retransmission interval to 1 second for dpd2.
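The interval-time and time_out sections describe DPD's timing in two sentences: a hello is triggered when the local end sends an IPsec packet and more than interval-time seconds have passed since the peer was last heard from, and an unanswered hello is retransmitted every time_out seconds. The Python below is an added example, not code from this reference or from HP, that replays constructed send/receive events against that model so the effect of the two timers can be checked before choosing values. The number of retransmissions before a peer is declared dead is not stated on this page, so max_retries is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DpdDetector:
    """Timing model of one DPD detector as described for interval-time and time_out."""
    interval_time: int = 10          # DPD query triggering interval, 1 to 300 s per the manual
    time_out: int = 5                # retransmission interval, manual default 5 s
    max_retries: int = 2             # assumption: the retry count is not given on this page
    last_rx: float = 0.0             # when an IPsec packet was last received from the peer
    hello_sent_at: Optional[float] = None
    retries: int = 0
    hellos: List[float] = field(default_factory=list)
    dead_at: Optional[float] = None

    def on_receive(self, now: float) -> None:
        # Any IPsec packet from the peer proves liveness and cancels a pending hello.
        self.last_rx = now
        self.hello_sent_at = None
        self.retries = 0

    def on_send(self, now: float) -> None:
        # The manual's trigger: when sending, compare now against the last packet
        # received; beyond interval_time, send a DPD hello (once, until answered).
        if (self.dead_at is None and self.hello_sent_at is None
                and now - self.last_rx > self.interval_time):
            self._send_hello(now)

    def tick(self, now: float) -> None:
        # Retransmit an unanswered hello every time_out seconds; after
        # max_retries unanswered retransmissions the peer is declared dead.
        if self.dead_at is not None or self.hello_sent_at is None:
            return
        if now - self.hello_sent_at >= self.time_out:
            if self.retries >= self.max_retries:
                self.dead_at = now
            else:
                self.retries += 1
                self._send_hello(now)

    def _send_hello(self, now: float) -> None:
        self.hello_sent_at = now
        self.hellos.append(now)


def simulate(events: List[Tuple[float, str]],
             detector: DpdDetector) -> Tuple[List[float], Optional[float]]:
    """Replay (time, kind) events; kind is 'send', 'recv' or 'idle' (clock advance only).

    Returns the times at which hellos were sent and the time the peer was declared dead.
    """
    for now, kind in sorted(events):
        detector.tick(now)
        if kind == "recv":
            detector.on_receive(now)
        elif kind == "send":
            detector.on_send(now)
    return detector.hellos, detector.dead_at


# Constructed scenarios (not from the page): a peer that goes silent, and one that answers.
SILENT_PEER = [(0, "recv"), (5, "send"), (12, "send"), (17, "idle"), (22, "idle"), (27, "idle")]
LIVE_PEER = [(0, "recv"), (12, "send"), (14, "recv"), (20, "send")]


if __name__ == "__main__":
    print("silent peer:", simulate(SILENT_PEER, DpdDetector()))
    print("live peer:", simulate(LIVE_PEER, DpdDetector()))
```

With the defaults above the silent peer costs interval_time + (max_retries + 1) * time_out seconds of dead tunnel before the SA is torn down; shortening time_out (the example on the page sets it to 1 second) shrinks that window, while interval-time only decides how long a quiet peer is trusted without a probe.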
IPsec configuration commands
NOTE: The term router in this document refers to both routers and firewalls.

ah authentication-algorithm
Syntax
ah authentication-algorithm { md5 | sha1 }
undo ah authentication-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
md5: Uses MD5.
sha1: Uses SHA1.
Description
Use the ah authentication-algorithm command to specify an authentication algorithm for the authentication header (AH) protocol.
View
System view
Default level
2: System level
Parameters
slot slot-number: Specifies an interface card by its slot number.
Description
Use the cryptoengine enable command to enable the encryption engine.
Use the undo cryptoengine enable command to disable the encryption engine.
By default, the encryption engine is enabled.
Examples
# Enable the encryption engine.
-----------------------------------------------------------------------
bbbbbbbbbbbbbbb-1   template   aaaaaaaaaaaaaaa
man-1               manual     3400
map-1               isakmp     3000   peer
nat-1               isakmp     3500   nat
test-1              isakmp     3200   test
toccccc-1           isakmp     3003   tocccc

IPsec-Policy-Name   Mode    acl    Local-Address   Remote-Address
-----------------------------------------------------------------------
man-1               manual  3400   3.3.3.1         3.3.3.
Interface: GigabitEthernet0/2
===========================================
  ----------------------------------------
  IPsec policy name: "policy_man"
  sequence number: 10
  mode: manual
  ----------------------------------------
    security data flow : 3002
    tunnel local address: 162.105.10.1
    tunnel remote address: 162.105.10.
Field                              Description
perfect forward secrecy            Whether PFS is enabled.
proposal name                      Proposal referenced by the IPsec policy.
policy enable                      Whether the IPsec policy is enabled.
inbound/outbound AH/ESP setting    AH/ESP settings in the inbound/outbound direction, including the SPI and keys.
Field             Description
Remote Address    Remote IP address
# Display detailed information about all IPsec policy templates.
Description
Use the display ipsec profile command to display the configuration information of IPsec profiles.
If you do not specify any parameters, the command displays the configuration information of all IPsec profiles.
Related commands: ipsec profile.
Examples
# Display the configuration of all IPsec profiles.
Field                 Description
mode                  Encapsulation mode for the IPsec profile:
                      • dvpn: DVPN tunnel mode
                      • tunnel: IPsec tunnel mode
security data flow    ACL referenced by the IPsec profile. As an IPsec profile does not reference any ACL, this field is displayed as 0.
Table 12 Output description
Field                  Description
IPsec proposal name    Name of the IPsec proposal
encapsulation mode     Encapsulation mode used by the IPsec proposal, transport or tunnel
transform              Security protocol(s) used by the IPsec proposal: AH, ESP, or both. If both protocols are configured, IPsec uses ESP before AH.
Table 13 Output description
Field          Description
Src Address    Local IP address
Dst Address    Remote IP address
SPI            Security parameter index
Protocol       Security protocol used by IPsec
Algorithm      Authentication algorithm and encryption algorithm used by the security protocol, where E indicates the encryption algorithm and A indicates the authentication algorithm. A value of NULL means that type of algorithm is not specified.
# Display the global SA lifetime settings.
      status: active
    [outbound ESP SAs]
      spi: 801701189 (0x2fc8fd45)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa duration (kilobytes/sec): 4294967295/604800
      sa remaining duration (kilobytes/sec): 1843200/2686
      max sent sequence-number: 6
      udp encapsulation used for nat traversal: N
      status: active
===============================
Protocol: OSPFv3
===============================
  ----------------------------
  IPsec policy name: "manual"
  sequence number: 1
  mode: manual
  ----------------------------
    connection id: 2
    encapsula
Field             Description
tunnel            IPsec tunnel.
local address     Local IP address of the IPsec tunnel.
remote address    Remote IP address of the IPsec tunnel.
flow              Data flow.
sour addr         Source IP address of the data flow.
dest addr         Destination IP address of the data flow.
port              Port number.
protocol          Protocol type.
inbound           Information of the inbound SA.
spi               Security parameter index.
proposal          Security protocol and algorithms used by the IPsec proposal.
sa duration       Lifetime of the IPsec SA.
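The display ipsec sa output above reports, per direction, the SPI, the proposal, and both the time-based and traffic-based lifetime next to what remains of each. The Python below is an added example (not code from this reference or from HP) that parses those per-direction blocks and lists SAs whose remaining lifetime, on either measure, has dropped below a threshold, which is the check an operator wants when an IKE-negotiated tunnel fails to rekey. The outbound block is copied from the page; the inbound block, its SPI 268440116 (0x10001234) and its remaining values are constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample in the layout of 'display ipsec sa' from this reference.
# The outbound SA is the page's own values; the inbound SA is constructed.
SAMPLE_IPSEC_SA = """\
    [inbound ESP SAs]
      spi: 268440116 (0x10001234)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa duration (kilobytes/sec): 4294967295/604800
      sa remaining duration (kilobytes/sec): 4294000000/500000
      udp encapsulation used for nat traversal: N
      status: active
    [outbound ESP SAs]
      spi: 801701189 (0x2fc8fd45)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa duration (kilobytes/sec): 4294967295/604800
      sa remaining duration (kilobytes/sec): 1843200/2686
      max sent sequence-number: 6
      udp encapsulation used for nat traversal: N
      status: active
"""


def parse_ipsec_sas(text: str) -> List[Dict[str, str]]:
    """One dict per '[inbound ...]' / '[outbound ...]' block, keyed by the output's field names."""
    sas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("SAs]"):
            if current:
                sas.append(current)
            current = {"direction": line[1:].split()[0]}   # 'inbound' or 'outbound'
            continue
        if not current or ":" not in line:
            continue
        key, value = line.split(":", 1)
        current[key.strip()] = value.strip()
    if current:
        sas.append(current)
    return sas


def spi(sa: Dict[str, str]) -> int:
    """Decimal SPI; the parenthesised hex form is ignored."""
    return int(sa["spi"].split()[0])


def remaining_fraction(sa: Dict[str, str]) -> Tuple[float, float]:
    """(traffic fraction, time fraction) of the SA lifetime still remaining."""
    total_kb, total_sec = (int(x) for x in sa["sa duration (kilobytes/sec)"].split("/"))
    rem_kb, rem_sec = (int(x) for x in sa["sa remaining duration (kilobytes/sec)"].split("/"))
    return rem_kb / total_kb, rem_sec / total_sec


def sas_needing_rekey(sas: List[Dict[str, str]], threshold: float = 0.1) -> List[Dict[str, str]]:
    """Active SAs with less than `threshold` of either lifetime left."""
    return [sa for sa in sas
            if sa.get("status") == "active" and min(remaining_fraction(sa)) < threshold]


if __name__ == "__main__":
    parsed = parse_ipsec_sas(SAMPLE_IPSEC_SA)
    for sa in parsed:
        kb, sec = remaining_fraction(sa)
        print(sa["direction"], hex(spi(sa)), sa["proposal"], f"{kb:.2%} kB / {sec:.2%} s left")
    print("needs rekey:", [s["direction"] for s in sas_needing_rekey(parsed)])
```

The outbound SA in the sample has 2686 of 604800 seconds left, so it is reported; the inbound one is not. Note that the sample proposal is ESP-ENCRYPT-DES with ESP-AUTH-MD5, the page's defaults for a new IPsec proposal, and a lifetime check does not make those algorithms any stronger.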
If you do not specify any parameters, the command displays the statistics for all IPsec packets.
Related commands: reset ipsec statistics.
Examples
# Display statistics on all IPsec packets.
Field                        Description
not enough memory            Number of packets dropped due to lack of memory
can't find SA                Number of packets dropped due to finding no security association
queue is full                Number of packets dropped due to full queues
authentication has failed    Number of packets dropped due to authentication failure
wrong length                 Number of packets dropped due to wrong packet length
replay packet                Number of packets replayed
packet too long              Number of packets dropped due to excessive packet length
wrong SA                     Nu
# Display information about IPsec tunnels in aggregation mode.
display ipsec tunnel
  total tunnel: 2
  -----------------------------------------------
  connection id: 4
  status: active
  perfect forward secrecy:
  SA's SPI:
    inbound : 2454606993 (0x924e5491) [ESP]
    outbound : 675720232 (0x2846ac28) [ESP]
  tunnel :
    local address: 44.44.44.44
    remote address : 44.44.44.
Description
Use the encapsulation-mode command to set the encapsulation mode that the security protocol uses to encapsulate IP packets.
Use the undo encapsulation-mode command to restore the default.
By default, a security protocol encapsulates IP packets in tunnel mode.
Related commands: ipsec proposal.
Examples
# Configure IPsec proposal prop2 to encapsulate IP packets in transport mode.
[Sysname-ipsec-proposal-prop1] esp authentication-algorithm sha1

esp encryption-algorithm
Syntax
esp encryption-algorithm { 3des | aes [ key-length ] | des }
undo esp encryption-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
3des: Uses triple DES (3DES) in cipher block chaining (CBC) mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption.
aes: Uses the Advanced Encryption Standard (AES) in CBC mode as the encryption algorithm.
ike-peer (IPsec policy view, IPsec policy template view, IPsec profile view)
Syntax
ike-peer peer-name
undo ike-peer peer-name
View
IPsec policy view, IPsec policy template view, IPsec profile view
Default level
2: System level
Parameters
peer-name: IKE peer name, a string of 1 to 32 characters.
Description
Use the ike-peer command to reference an IKE peer in an IPsec policy, IPsec policy template, or IPsec profile configured through IKE negotiation.
Description
Use the ipsec anti-replay check command to enable IPsec anti-replay checking.
Use the undo ipsec anti-replay check command to disable IPsec anti-replay checking.
By default, IPsec anti-replay checking is enabled.
Examples
# Enable IPsec anti-replay checking.
Parameters
None
Description
Use the ipsec decrypt check command to enable ACL checking of de-encapsulated IPsec packets.
Use the undo ipsec decrypt check command to disable ACL checking of de-encapsulated IPsec packets.
By default, ACL checking of de-encapsulated IPsec packets is enabled.
Examples
# Enable ACL checking of de-encapsulated IPsec packets.
ipsec policy (system view)
Syntax
ipsec policy policy-name seq-number [ isakmp | manual ]
undo ipsec policy policy-name [ seq-number ]
View
System view
Default level
2: System level
Parameters
policy-name: Name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No minus sign (-) can be included.
seq-number: Sequence number for the IPsec policy, in the range 1 to 10000.
isakmp: Sets up SAs through IKE negotiation.
manual: Sets up SAs manually.
Default level
2: System level
Parameters
policy-name: Name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No minus sign (-) can be included.
seq-number: Sequence number for the IPsec policy, in the range 1 to 10000.
isakmp template template-name: Name of the IPsec policy template to be referenced.
In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.
Related commands: display ipsec policy template.
Examples
# Create an IPsec policy template with the name template1 and the sequence number 100.
Default level
2: System level
Parameters
profile-name: Name of the IPsec profile, a case-insensitive string of 1 to 15 characters.
Description
Use the ipsec profile command to apply an IPsec profile to an IPsec tunnel interface.
Use the undo ipsec profile command to remove the application.
By default, no IPsec profile is applied to an IPsec tunnel interface, and no IPsec protection is provided.
Only one IPsec profile can be applied to a tunnel interface.
An IPsec proposal created by using the ipsec proposal command uses the ESP security protocol, the DES encryption algorithm, and the MD5 authentication algorithm by default.
Related commands: display ipsec proposal.
Examples
# Create an IPsec proposal named newprop1.
pfs
Syntax
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
undo pfs
View
IPsec policy view, IPsec policy template view, IPsec profile view
Default level
2: System level
Parameters
dh-group1: Uses the 768-bit Diffie-Hellman group.
dh-group2: Uses the 1024-bit Diffie-Hellman group.
dh-group5: Uses the 1536-bit Diffie-Hellman group.
dh-group14: Uses the 2048-bit Diffie-Hellman group.
View
IPsec policy view, IPsec policy template view, IPsec profile view
Default level
2: System level
Parameters
proposal-name&<1-6>: Name of the IPsec proposal for the IPsec policy to reference, a string of 1 to 15 characters. &<1-6> means that you can specify the proposal-name argument up to six times.
Description
Use the proposal command to specify the IPsec proposals for the IPsec policy or IPsec profile to reference.
Default level
2: System level
Parameters
None
Description
Use the qos pre-classify command to enable packet information pre-extraction.
Use the undo qos pre-classify command to restore the default.
By default, packet information pre-extraction is disabled.
With the packet information pre-extraction feature enabled, QoS classifies a packet based on the header of the original IP packet, that is, the header of the IP packet before it is encapsulated by IPsec.
Description
Use the reset ipsec sa command to clear IPsec SAs.
Immediately after a manually set up SA is cleared, the system automatically sets up a new SA based on the parameters of the IPsec policy. After IKE negotiated SAs are cleared, the system sets up new SAs only when IKE negotiation is triggered by interesting packets.
IPsec SAs appear in pairs. If you specify the parameters keyword to clear an IPsec SA, the IPsec SA in the other direction is also automatically cleared.
sa authentication-hex
Syntax
sa authentication-hex { inbound | outbound } { ah | esp } hex-key
undo sa authentication-hex { inbound | outbound } { ah | esp }
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
hex-key: Authentication key for the SA, in hexadecimal format.
sa duration
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
View
IPsec policy view, IPsec policy template view, IPsec profile view
Default level
2: System level
Parameters
seconds: Time-based SA lifetime in seconds, in the range 180 to 604800.
kilobytes: Traffic-based SA lifetime in kilobytes, in the range 2560 to 4294967295.
Description
Use the sa duration command to set an SA lifetime for the IPsec policy or IPsec profile.
[Sysname-ipsec-profile-profile1] sa duration traffic-based 20480

sa encryption-hex
Syntax
sa encryption-hex { inbound | outbound } esp hex-key
undo sa encryption-hex { inbound | outbound } esp
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
esp: Uses ESP.
hex-key: Encryption key for the SA, in hexadecimal format.
sa spi
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
spi-number: Security parameters index (SPI) in the SA triplet, in the range 256 to 4294967295.
sa string-key
Syntax
sa string-key { inbound | outbound } { ah | esp } string-key
undo sa string-key { inbound | outbound } { ah | esp }
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
string-key: Key string for the SA, consisting of 1 to 255 characters.
security acl
Syntax
security acl acl-number [ aggregation ]
undo security acl
View
IPsec policy view, IPsec policy template view
Default level
2: System level
Parameters
acl-number: Number of the ACL for the IPsec policy to reference, in the range 3000 to 3999.
aggregation: Uses the data flow protection mode of aggregation. If you do not specify this keyword, the standard mode is used.
Description
Use the security acl command to specify the ACL for the IPsec policy to reference.
[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation

transform
Syntax
transform { ah | ah-esp | esp }
undo transform
View
IPsec proposal view
Default level
2: System level
Parameters
ah: Uses the AH protocol.
ah-esp: Uses ESP first and then AH.
esp: Uses the ESP protocol.
Description
Use the transform command to specify a security protocol for an IPsec proposal.
Use the undo transform command to restore the default.
By default, the ESP protocol is used.
Default level
2: System level
Parameters
ip-address: Local address for the IPsec tunnel.
Description
Use the tunnel local command to configure the local address of an IPsec tunnel.
Use the undo tunnel local command to remove the configuration.
By default, no local address is configured for an IPsec tunnel.
This command applies only to manual IPsec policies. If the local address is not configured, the address of the interface to which the IPsec policy is applied is used.
An IPsec tunnel is established between the local and remote ends. The remote IP address of the local end must be the same as the local IP address of the remote end.
Related commands: ipsec policy (system view).
Examples
# Set the remote address of the IPsec tunnel to 10.1.1.2.
system-view
[Sysname] ipsec policy policy1 10 manual
[Sysname-ipsec-policy-policy1-10] tunnel remote 10.1.1.
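For a manual IPsec policy, the sa spi, sa authentication-hex, sa encryption-hex and sa string-key sections each configure one direction, and the tunnel local / tunnel remote sections require the two ends' addresses to mirror each other; a mismatch in any of these produces a tunnel that drops traffic with no negotiation error to point at the cause. The Python below is an added example, not code from this reference or from HP, that validates one end's parameters against the ranges given in those sections and checks that the two ends' manual policies are mirror images (local inbound equals remote outbound and vice versa). Both policies, their addresses, SPIs and hex keys are constructed; the page states no key lengths, so only the key format is checked.

```python
import copy
import re
from typing import Any, Dict, List

SPI_MIN, SPI_MAX = 256, 4294967295                 # 'sa spi' range in this reference
STRING_KEY_MAX = 255                                # 'sa string-key' length limit in this reference
HEX_KEY = re.compile(r"^[0-9a-fA-F]+$")

# Constructed manual policies for both tunnel ends (not from the page). Each
# direction holds the values the sa spi / sa *-hex commands would set.
LOCAL_POLICY: Dict[str, Any] = {
    "tunnel local": "10.1.1.1", "tunnel remote": "10.1.1.2",
    "inbound":  {"protocol": "esp", "spi": 12345,
                 "authentication-hex": "0011223344556677889900aabbccddeeff001122",
                 "encryption-hex": "0123456789abcdef0123456789abcdef"},
    "outbound": {"protocol": "esp", "spi": 54321,
                 "authentication-hex": "ffeeddccbbaa99887766554433221100ffeeddcc",
                 "encryption-hex": "fedcba9876543210fedcba9876543210"},
}
REMOTE_POLICY: Dict[str, Any] = {
    "tunnel local": "10.1.1.2", "tunnel remote": "10.1.1.1",
    "inbound": copy.deepcopy(LOCAL_POLICY["outbound"]),   # the mirror image
    "outbound": copy.deepcopy(LOCAL_POLICY["inbound"]),
}

KEY_FIELDS = ("protocol", "spi", "authentication-hex", "encryption-hex", "string-key")


def validate_sa(sa: Dict[str, Any], label: str) -> List[str]:
    """Range and format checks for one direction of a manual policy."""
    errors: List[str] = []
    if not SPI_MIN <= int(sa.get("spi", 0)) <= SPI_MAX:
        errors.append(f"{label}: spi {sa.get('spi')} outside {SPI_MIN}..{SPI_MAX}")
    for field in ("authentication-hex", "encryption-hex"):
        if field in sa and not HEX_KEY.match(sa[field]):
            errors.append(f"{label}: {field} is not hexadecimal")
    if "string-key" in sa and not 1 <= len(sa["string-key"]) <= STRING_KEY_MAX:
        errors.append(f"{label}: string-key length outside 1..{STRING_KEY_MAX}")
    if sa.get("protocol") == "esp" and not any(k in sa for k in ("encryption-hex", "string-key")):
        errors.append(f"{label}: ESP SA has no encryption key")
    return errors


def check_pair(local: Dict[str, Any], remote: Dict[str, Any]) -> List[str]:
    """All problems that would stop these two manual policies from forming one tunnel."""
    problems: List[str] = []
    for end, policy in (("local", local), ("remote", remote)):
        for direction in ("inbound", "outbound"):
            problems += validate_sa(policy[direction], f"{end} {direction}")
    # tunnel remote on one end must equal tunnel local on the other (page rule)
    if local["tunnel remote"] != remote["tunnel local"]:
        problems.append("local 'tunnel remote' != remote 'tunnel local'")
    if local["tunnel local"] != remote["tunnel remote"]:
        problems.append("local 'tunnel local' != remote 'tunnel remote'")
    # my inbound SA is the peer's outbound SA: SPI, protocol and keys must agree
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        for field in KEY_FIELDS:
            if local[mine].get(field) != remote[theirs].get(field):
                problems.append(f"local {mine} {field} != remote {theirs} {field}")
    return problems


def with_changed(policy: Dict[str, Any], direction: str, field: str, value: Any) -> Dict[str, Any]:
    """Copy of a policy with one SA field altered (used to show a detected mismatch)."""
    altered = copy.deepcopy(policy)
    altered[direction][field] = value
    return altered


if __name__ == "__main__":
    print("consistent pair:", check_pair(LOCAL_POLICY, REMOTE_POLICY) or "ok")
    print("peer typo in spi:", check_pair(LOCAL_POLICY, with_changed(REMOTE_POLICY, "inbound", "spi", 54322)))
    print("spi below 256:", check_pair(with_changed(LOCAL_POLICY, "inbound", "spi", 100), REMOTE_POLICY))
```

Keys in a manual policy are static for the life of the configuration, so the same check belongs in whatever process generates the two configurations, together with a rule that the hex keys are drawn from a proper random source rather than typed by hand.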
L2TP configuration commands

allow l2tp
Syntax
allow l2tp virtual-template virtual-template-number remote remote-name [ domain domain-name ]
undo allow
View
L2TP group view
Default level
2: System level
Parameters
virtual-template-number: Number of the virtual interface template for creating a virtual access (VA) interface, in the range of 0 to 1023.
remote-name: Name of the tunnel peer initiating a connection request, a case-sensitive string of 1 to 30 characters.
Examples
# Accept the L2TP tunneling request initiated by the peer (LAC) named aaa and create a virtual access interface according to virtual template 1.
system-view
[Sysname] l2tp-group 2
[Sysname-l2tp2] allow l2tp virtual-template 1 remote aaa
# Specify L2TP group 1 as the default L2TP group, accept the L2TP tunneling request initiated by any peer, and create a virtual access interface based on virtual template 1.
display l2tp tunnel
Syntax
display l2tp tunnel
View
Any view
Default level
1: Monitor level
Parameters
None
Description
Use the display l2tp tunnel command to display information about L2TP tunnels.
Examples
# Display information about L2TP tunnels.
display l2tp tunnel
 Total tunnel = 1
 LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
 1 1701 1 1 20.1.1.
Parameters virtual-template-number: Serial number for identifying the virtual interface template, in the range of 0 to 1023. Description Use the interface virtual-template command to create a virtual interface template and enter its view. Use the undo interface virtual-template command to remove a virtual interface template. By default, no virtual interface template exists.
l2tp sendaccm enable
Syntax
l2tp sendaccm enable
undo l2tp sendaccm enable
View
System view
Default level
2: System level
Parameters
None
Description
Use the l2tp sendaccm enable command to enable an LNS to send ACCM (the asynchronous control character map LCP option) to the client. Use the undo l2tp sendaccm enable command to disable an LNS from sending ACCM. By default, an LNS sends ACCM.
Examples
# Disable the ACCM sending function.
Examples # Enable the L2TP multi-instance function for the LNS. system-view [Sysname] l2tpmoreexam enable l2tp-group Syntax l2tp-group group-number undo l2tp-group group-number View System view Default level 2: System level Parameters group-number: Number for identifying the L2TP group, in the range of 1 to 1000. Description Use the l2tp-group command to create an L2TP group and enter its view. Use the undo l2tp-group command to remove an L2TP group. By default, no L2TP group exists.
Description Use the mandatory-chap command to force the LNS to perform a CHAP authentication of the user. Use the undo mandatory-chap command to disable CHAP authentication on the LNS. By default, an LNS does not perform CHAP authentication of users. An LNS authenticates the client in addition to the proxy authentication that occurs at the LAC for higher security.
system-view [Sysname] l2tp-group 1 [Sysname-l2tp1] mandatory-lcp reset l2tp tunnel Syntax reset l2tp tunnel { id tunnel-id | name remote-name } View User view Default level 2: System level Parameters tunnel-id: Local ID of the tunnel, in the range of 1 to 8191. remote-name: Name of the tunnel at the remote end, a case sensitive string of 1 to 30 characters. Description Use the reset l2tp tunnel command to disconnect one or more specified tunnels and all sessions of the tunnels.
domain-name: Name of the domain initiating a connection request, a case insensitive string of 1 to 30 characters. user-name: Fully qualified name of the user initiating a connection request, a case sensitive string of 1 to 32 characters. Description Use the start l2tp command to enable the firewall to initiate tunneling requests to one or more IP addresses for one or more specified VPN users. Use the undo start l2tp command to remove the configuration. The start l2tp command is available only on LACs.
system-view
[Sysname] l2tp-group 1
[Sysname-l2tp1] undo tunnel authentication
tunnel avp-hidden
Syntax
tunnel avp-hidden
undo tunnel avp-hidden
View
L2TP group view
Default level
2: System level
Parameters
None
Description
Use the tunnel avp-hidden command to transfer attribute value pair (AVP) data in hidden mode. Use the undo tunnel avp-hidden command to restore the default. By default, AVP data is transferred over the tunnel in plain text. Hidden mode derives its keystream from the tunnel authentication password shared by the two ends, so the command takes effect only when tunnel authentication is enabled on both ends. With tunnel authentication disabled, as in the preceding example, AVPs such as proxy authentication data still cross the tunnel in plain text.
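What hidden mode does to an AVP, as an added example that implements the hiding procedure of RFC 2661 section 4.3 in Python. This is illustration code, not the firewall's implementation; the tunnel password, the Random Vector and the CHAP response bytes are constructed, and the choice to pad to a 16-octet boundary with random bytes is the example's own.

```python
"""L2TP AVP hiding per RFC 2661 section 4.3 (added example, not HP firewall code)."""
import hashlib
import os

# Attribute types from RFC 2661. Proxy Authen Response (the CHAP response a LAC
# forwards to the LNS) is a typical value to hide; a Random Vector AVP must
# precede any hidden AVP in the same control message.
AVP_PROXY_AUTHEN_RESPONSE = 33
AVP_RANDOM_VECTOR = 36


def hide_avp(attr_type: int, value: bytes, secret: bytes, random_vector: bytes) -> bytes:
    """Return the hidden form of an AVP value.

    Padded original = 2-octet original length || value || padding to a 16-octet
    boundary.  b(1) = MD5(AttrType || S || RV), c(1) = p(1) XOR b(1); then
    b(i) = MD5(S || c(i-1)), c(i) = p(i) XOR b(i).  Output is c(1) || c(2) || ...
    Without the shared secret S (the tunnel password) nothing can be hidden.
    """
    if not 0 <= attr_type <= 0xFFFF or len(value) > 0xFFFF:
        raise ValueError("attribute type or value out of range")
    padded = len(value).to_bytes(2, "big") + value
    padded += os.urandom((-len(padded)) % 16)      # random padding (example's choice)
    out = bytearray()
    b = hashlib.md5(attr_type.to_bytes(2, "big") + secret + random_vector).digest()
    for i in range(0, len(padded), 16):
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        b = hashlib.md5(secret + c).digest()        # next block keyed by previous ciphertext
    return bytes(out)


def unhide_avp(attr_type: int, hidden: bytes, secret: bytes, random_vector: bytes) -> bytes:
    """Invert hide_avp. A wrong secret yields garbage or ValueError, not the value
    (except with negligible probability)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden AVP value must be a non-empty multiple of 16 octets")
    padded = bytearray()
    b = hashlib.md5(attr_type.to_bytes(2, "big") + secret + random_vector).digest()
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        padded += bytes(x ^ y for x, y in zip(c, b))
        b = hashlib.md5(secret + c).digest()
    orig_len = int.from_bytes(padded[:2], "big")
    if orig_len > len(padded) - 2:
        raise ValueError("length prefix exceeds payload: wrong secret or corrupted AVP")
    return bytes(padded[2:2 + orig_len])


def demo():
    """Round-trip a constructed CHAP response through hiding with a constructed secret."""
    secret = b"tunnel-password"                  # constructed: value given to 'tunnel password'
    rv = os.urandom(16)                          # constructed: Random Vector AVP of the message
    chap_response = b"\x01" + bytes(range(16))   # constructed CHAP response bytes
    hidden = hide_avp(AVP_PROXY_AUTHEN_RESPONSE, chap_response, secret, rv)
    return hidden, unhide_avp(AVP_PROXY_AUTHEN_RESPONSE, hidden, secret, rv)


if __name__ == "__main__":
    hidden, recovered = demo()
    print("hidden:", hidden.hex(), "recovered:", recovered.hex())
```

The MD5 chaining is a keystream, not an authenticated cipher: hiding keeps AVP contents away from a passive observer who lacks the tunnel password, but it does not prevent a peer that knows the password from reading or altering them, which is why the tunnel password itself should be long and random.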
Use the undo tunnel flow-control command to disable the L2TP tunnel flow control function. By default, the L2TP tunnel flow control function is disabled. Examples # Enable the L2TP tunnel flow control function. system-view [Sysname] l2tp-group 1 [Sysname-l2tp1] tunnel flow-control tunnel name Syntax tunnel name name undo tunnel name View L2TP group view Default level 2: System level Parameters name: Name for the tunnel at the local end, a case sensitive string of 1 to 30 characters.
Parameters simple: Displays the password in plain text. cipher: Displays the password in cipher text. password: Password for tunnel authentication, case sensitive. If you specify the simple keyword, you can enter a password only in plain text. If you specify the cipher keyword, you can enter a password in either plain text or cipher text. A plain text password is a string of 1 to 16 characters that contains no space, for example, aabbcc.
Public key configuration commands display public-key local public Syntax display public-key local { dsa | rsa } public View Any view Default level 1: Monitor level Parameters dsa: DSA key pair. rsa: RSA key pair. Description Use the display public-key local public command to display the public key information of the local key pairs. Related commands: public-key local create. Examples # Display the public key information of the local RSA key pairs.
Key code:
307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE751EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001
# Display the public key information of the local DSA key pair.
display public-key peer Syntax display public-key peer [ brief | name publickey-name ] View Any view Default level 1: Monitor level Parameters brief: Displays brief information about all the public keys of peers. name publickey-name: Specifies a peer's host public key by its name, which is a case-sensitive string of 1 to 64 characters. Description Use the display public-key peer command to display information about the specified or all locally saved public keys of peers.
peer-public-key end Syntax peer-public-key end View Public key view Default level 2: System level Parameters None Description Use the peer-public-key end command to return from public key view to system view. Related commands: public-key peer. Examples # Exit public key view.
[Sysname] public-key peer key1
[Sysname-pkey-public-key] public-key-code begin
[Sysname-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A
[Sysname-pkey-key-code]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4
[Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6
[Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301
[Sysname-pkey-key-code]0001
[Sysname-pkey-key-code] public-key-code end
[Sysname-pkey-public-key]
public-key local create
Syntax
public-key local create { dsa | rsa }
View
System view
Default level
2: System level
Parameters
dsa: DSA key pair.
rsa: RSA key pair.
Description
Use the public-key local create command to create local key pairs.
NOTES: If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
* *
The default 1024-bit modulus is no longer an adequate margin against factoring; enter the largest modulus the prompt accepts (2048 bits where offered) for keys that will authenticate the firewall to SSH or IPsec peers.
public-key local destroy
Syntax
public-key local destroy { dsa | rsa }
View
System view
Default level
2: System level
Parameters
dsa: DSA key pair.
rsa: RSA key pair.
Description
Use the public-key local destroy command to destroy the local key pairs.
Related commands: public-key local create.
Examples
# Destroy the local RSA key pairs.
ssh2: Uses the format of SSH2.0. filename: Name of the file for storing the public key. Description Use the public-key local export dsa command to display the local DSA public key on the screen or export it to a specified file. If you do not specify the filename argument, the command displays the local DSA public key on the screen; otherwise, the command exports the local DSA public key to the specified file and saves the file. SSH2.
w59qZnKhl87GsbgP4ccUp3KmcRzuqpz1qNtfgoZOLzHnG1YGxPp7Q2k/uRuuHN0bJfBkOLo2/RyGqDJIqB4FQwmrkwJuauYGqQy+mgE6dmHn0VG4gAkx9MQxDIBjzbZRX0bvxMdNKR22 dsa-key
public-key local export rsa
Syntax
public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ]
View
System view
Default level
2: System level
Parameters
openssh: Uses the format of OpenSSH.
ssh1: Uses the format of SSH1.5.
ssh2: Uses the format of SSH2.0.
filename: Name of the file for storing the public key.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6ut5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j+o0MpOpzh3W768/+u1riz+1LcwVTs51Q== rsa-key
public-key peer
Syntax
public-key peer keyname
undo public-key peer keyname
View
System view
Default level
2: System level
Parameters
keyname: Public key name, a case-sensitive string of 1 to 64 characters.
filename: Public key file name. Description Use the public-key peer import sshkey command to import the public key of a peer from a public key file. Use the undo public-key peer command to remove a configured peer public key. After execution of this command, the system automatically transforms the public key from SSH1, SSH2.0 or OpenSSH format to PKCS format and imports it as the peer public key. This requires that you get a copy of the public key file from the peer through FTP or TFTP in advance. Neither FTP nor TFTP protects the file's integrity in transit, so before relying on the imported key confirm it (for example, its key code as shown by display public-key peer) against a value obtained from the peer's administrator over a trusted channel.
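The keys this page displays, exports and imports can be checked offline before they are trusted. The following Python is an added example, not HP firewall code: it decodes the DER key code that display public-key local public and public-key-code begin carry, decodes the ssh-rsa line that public-key local export rsa writes (and public-key peer import sshkey reads), rebuilds the same DER SubjectPublicKeyInfo encoding from the SSH line (the PKCS-format transformation the import command performs), and reports the modulus size. The hex and base64 strings are the command outputs shown on this page with their line-wrap fragments rejoined; the 2048-bit minimum is an assumed site policy.

```python
"""RSA key checks for Comware key codes and ssh-rsa lines (added example, not HP firewall code)."""
import base64

RSA_OID = bytes.fromhex("06092A864886F70D010101")  # rsaEncryption AlgorithmIdentifier OID
MIN_RSA_BITS = 2048                                  # assumption: site policy; RSA-768 was factored in 2009

LOCAL_RSA_KEYCODE = (      # key code from 'display public-key local rsa public' on this page
    "307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12"
    "B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE751EE"
    "0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001"
)
PEER_RSA_KEYCODE = (       # the public-key-code begin ... end lines for peer key1, joined
    "30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A"
    "EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4"
    "FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6"
    "1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301"
    "0001"
)
EXPORTED_SSH_RSA = (       # output of 'public-key local export rsa ssh2' on this page
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6u"
    "t5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j+o0"
    "MpOpzh3W768/+u1riz+1LcwVTs51Q== rsa-key"
)


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_from_spki_der(der: bytes):
    """(n, e) from a SubjectPublicKeyInfo, which is what the key code hex encodes."""
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _tlv(spki, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("subjectPublicKey BIT STRING malformed")
    _, rsapub, _ = _tlv(bits, 1)                        # skip the unused-bits octet
    tag_n, n_bytes, pos = _tlv(rsapub, 0)
    tag_e, e_bytes, _ = _tlv(rsapub, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey must hold two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def rsa_from_openssh(line: str):
    """(n, e) from an 'ssh-rsa <base64> [comment]' line (SSH2/OpenSSH wire format)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(parts[1], validate=True)
    fields, pos = [], 0
    while pos + 4 <= len(blob):                          # each field is a 4-byte length + bytes
        n = int.from_bytes(blob[pos:pos + 4], "big")
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if pos != len(blob) or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def _der(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep the INTEGER positive


def spki_der_from_rsa(n: int, e: int) -> bytes:
    """The SSH-to-PKCS transformation: the same bytes the firewall shows as key code."""
    rsapub = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + rsapub))


def assess(n: int, e: int):
    """Return (modulus bits, list of policy problems) for a key before it is trusted."""
    bits, problems = n.bit_length(), []
    if bits < MIN_RSA_BITS:
        problems.append(f"modulus is {bits} bits, below {MIN_RSA_BITS}")
    if e < 3 or e % 2 == 0:
        problems.append(f"public exponent {e} is not an odd integer >= 3")
    return bits, problems
```

Running the parsers over the page's own outputs shows the local RSA host key in the display example is only 768 bits and the peer key and exported key are 1024 bits; all three fall below the assumed 2048-bit policy and would be reported before being accepted as an SSH or IKE peer key.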
PKI configuration commands attribute Syntax attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value undo attribute { id | all } View Certificate attribute group view Default level 2: System level Parameters id: Sequence number of the certificate attribute rule, in the range 1 to 16. alt-subject-name: Specifies the name of the alternative certificate subject. fqdn: Specifies the FQDN of the entity.
system-view [Sysname] pki certificate attribute-group mygroup [Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc # Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string of abc. [Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc # Create a certificate attribute rule, specifying that the IP address in the alternative subject name cannot be 10.0.0.1.
Parameters entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters. Description Use the certificate request entity command to specify the entity for certificate request. Use the undo certificate request entity command to remove the configuration. By default, no entity is specified for certificate request. Related commands: pki entity. Examples # Specify the entity for certificate request as entity1.
undo certificate request mode
View
PKI domain view
Default level
2: System level
Parameters
auto: Requests a certificate in auto mode.
key-length: Length of the RSA keys in bits, in the range 512 to 2048. It is 1024 bits by default. A 1024-bit modulus is no longer an adequate margin against factoring; request 2048-bit keys unless the CA cannot issue for them.
cipher: Displays the password in cipher text.
simple: Displays the password in clear text.
password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters.
manual: Requests a certificate in manual mode.
interval minutes: Specifies the polling interval in minutes, in the range 5 to 168. Description Use the certificate request polling command to specify the certificate request polling interval and attempt limit. Use the undo certificate request polling command to restore the defaults. By default, the polling is executed every 20 minutes for up to 50 times. After an applicant makes a certificate request, the CA might need a long period of time if it verifies the certificate request manually.
common-name Syntax common-name name undo common-name View PKI entity view Default level 2: System level Parameters name: Common name of an entity, a case-insensitive string of 1 to 31 characters. No comma can be included. Description Use the common-name command to configure the common name of an entity, which can be, for example, the user name. Use the undo common-name command to remove the configuration. By default, no common name is specified.
Examples # Set the country code of an entity to CN. system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] country CN crl check Syntax crl check { disable | enable } View PKI domain view Default level 2: System level Parameters disable: Disables CRL checking. enable: Enables CRL checking. Description Use the crl check command to enable or disable CRL checking. By default, CRL checking is enabled. CRLs are files issued by the CA to publish all certificates that have been revoked.
Description Use the crl update-period command to set the CRL update period, that is, the interval at which a PKI entity with a certificate downloads the latest CRL from the LDAP server. Use the undo crl update-period command to restore the default. By default, the CRL update period depends on the next update field in the CRL file. Examples # Set the CRL update period to 20 hours.
View Any view Default level 2: System level Parameters ca: Displays the CA certificate. local: Displays the local certificate. domain-name: Name of the PKI domain, a string of 1 to 15 characters. request-status: Displays the status of a certificate request. Description Use the display pki certificate command to display the contents or request status of a certificate. Related commands: certificate request polling, pki domain, and pki retrieval-certificate. Examples # Display the local certificate.
DNS: hyf.xxyyzz.net
X509v3 CRL Distribution Points:
URI:http://1.1.1.1:447/myca.crl
…
…
A3A5A447 4D08387D
…
Table 20 Output description
Field                     Description
Version                   Version of the certificate
Serial Number             Serial number of the certificate
Issuer                    Issuer of the certificate
Validity                  Validity period of the certificate
Subject                   Entity holding the certificate
Subject Public Key Info   Public key information of the entity
X509v3 extensions         Extensions of the X.
Field          Description
rule number    Number of the access control rule
display pki certificate attribute-group
Syntax
display pki certificate attribute-group { group-name | all }
View
Any view
Default level
1: Monitor level
Parameters
group-name: Name of a certificate attribute group, a string of 1 to 16 characters.
all: Specifies all certificate attribute groups.
Description
Use the display pki certificate attribute-group command to display information about one or all certificate attribute groups.
display pki crl domain Syntax display pki crl domain domain-name View Any view Default level 2: System level Parameters domain-name: Name of the PKI domain, a string of 1 to 15 characters. Description Use the display pki crl domain command to display the locally saved CRLs. Related commands: pki domain and pki retrieval-crl. Examples # Display the locally saved CRLs.
Field                              Description
CRL extensions                     Extensions of the CRL
X509v3 Authority Key Identifier    CA issuing the CRLs. The certificate version is X.509 v3.
keyid                              ID of the public key. A CA might have multiple key pairs; this field indicates the key pair used for the CRL's signature.
View PKI entity view Default level 2: System level Parameters ip-address: IP address for an entity. Description Use the ip command to configure the IP address of an entity. Use the undo ip command to remove the configuration. By default, no IP address is specified for an entity. Examples # Configure the IP address of an entity as 11.0.0.1.
system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] ip 11.0.0.1
locality Syntax locality locality-name undo locality View PKI entity view Default level 2: System level Parameters locality-name: Name for the geographical locality, a case-insensitive string of 1 to 31 characters. No comma can be included. Description Use the locality command to configure the geographical locality of an entity, which can be, for example, a city name. Use the undo locality command to remove the configuration. By default, no geographical locality is specified for an entity.
Examples # Configure the name of the organization to which an entity belongs as test-lab. system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] organization test-lab organization-unit Syntax organization-unit org-unit-name undo organization-unit View PKI entity view Default level 2: System level Parameters org-unit-name: Organization unit name for distinguishing different units in an organization, a case-insensitive string of 1 to 31 characters. No comma can be included.
all: Specifies all certificate attribute-based access control policies. Description Use the pki certificate access-control-policy command to create a certificate attribute-based access control policy and enter its view. Use the undo pki certificate access-control-policy command to remove one or all certificate attribute-based access control policies. No access control policy exists by default. Examples # Configure an access control policy named mypolicy and enter its view.
View System view Default level 2: System level Parameters ca: Deletes the locally stored CA certificate. local: Deletes the locally stored local certificate. domain-name: Name of the PKI domain whose certificates are to be deleted, a string of 1 to 15 characters. Description Use the pki delete-certificate command to delete the certificate locally stored for a PKI domain. Examples # Delete the local certificate for PKI domain cer.
pki entity Syntax pki entity entity-name undo pki entity entity-name View System view Default level 2: System level Parameters entity-name: Name for the entity, a case-insensitive string of 1 to 15 characters. Description Use the pki entity command to create a PKI entity and enter its view. Use the undo pki entity command to remove a PKI entity. By default, no entity exists. You can configure a variety of attributes for an entity in PKI entity view.
filename filename: Specifies the name of the certificate file, which is a case-insensitive string of 1 to 127 characters. It defaults to domain-name_ca.cer or domain-name_local.cer, the name of the file created to save the imported certificate. Description Use the pki import-certificate command to import a CA certificate or local certificate from a file and save it locally. Related commands: pki domain. Examples # Import the CA certificate for PKI domain cer in the format of PEM.
4m+hfp1QWoV6lty3o9pxAXuQl8peUDcfN6WV3LBXYyl1WCtkLkECAwEAAaAAMA0G CSqGSIb3DQEBBAUAA4GBAA8E7BaIdmT6NVCZgv/I/1tqZH3TS4e4H9Qo5NiCKiEw R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c -----END CERTIFICATE REQUEST----- pki retrieval-certificate Syntax pki retrieval-certificate { ca | local } domain domain-name View System view Default level 2: System level Parameters ca: Retrieves the CA certificate.
Related commands: pki domain. Examples # Retrieve CRLs. system-view [Sysname] pki retrieval-crl domain 1 pki validate-certificate Syntax pki validate-certificate { ca | local } domain domain-name View System view Default level 2: System level Parameters ca: Verifies the CA certificate. local: Verifies the local certificate. domain-name: Name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters.
sha1: Uses a SHA1 fingerprint. string: Fingerprint to be used. An MD5 fingerprint must be a string of 32 characters in hexadecimal. A SHA1 fingerprint must be a string of 40 characters in hexadecimal. Description Use the root-certificate fingerprint command to configure the fingerprint to be used for verifying the validity of the CA root certificate. Use the undo root-certificate fingerprint command to remove the configuration. Prefer the SHA1 fingerprint where the CA publishes both, since MD5 collisions are practical, and take the fingerprint from the CA over a trusted channel rather than from the same server that delivers the certificate: the fingerprint is the only thing that binds the retrieved root certificate to the CA you intend to trust.
A certificate attribute group must exist to be associated with a rule. Examples # Create an access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group mygroup.
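How the attribute rules of a certificate attribute group and the access control rule that references the group combine, as an added Python example (not HP firewall code). It encodes the three rules from the attribute examples above for group mygroup, an access control rule that permits certificates matching that group, and constructed certificate names (the DNS name reuses the one shown in the display pki certificate output). Assumptions the page does not settle: matching is case-insensitive; ip values are compared as parsed addresses; a rule cannot match a name type the certificate does not carry; a group matches when any one of its rules matches; the first access control rule whose group matches decides, and a certificate matching no rule is denied.

```python
"""Certificate attribute rule evaluation for 'attribute' and 'rule' (added example, not HP firewall code)."""
import ipaddress
from dataclasses import dataclass

OPERATORS = ("ctn", "equ", "nctn", "nequ")
FIELDS = {                           # value kinds each field accepts, per the attribute syntax
    "subject-name": ("dn", "fqdn", "ip"),
    "issuer-name": ("dn", "fqdn", "ip"),
    "alt-subject-name": ("fqdn", "ip"),
}


@dataclass(frozen=True)
class AttributeRule:
    rule_id: int        # 1 to 16
    field: str          # subject-name | issuer-name | alt-subject-name
    kind: str           # dn | fqdn | ip
    op: str             # ctn | equ | nctn | nequ
    value: str

    def __post_init__(self):
        if not 1 <= self.rule_id <= 16:
            raise ValueError("rule id must be in the range 1 to 16")
        if self.kind not in FIELDS.get(self.field, ()):
            raise ValueError(f"{self.field} does not take a {self.kind} value")
        if self.op not in OPERATORS:
            raise ValueError(f"unknown operator {self.op}")
        if self.kind == "ip" and self.op in ("equ", "nequ"):
            ipaddress.ip_address(self.value)   # reject an unparsable address when the rule is created


def rule_matches(rule: AttributeRule, cert: dict) -> bool:
    """cert maps (field, kind) to the name string found in the certificate."""
    present = cert.get((rule.field, rule.kind))
    if present is None:
        return False                           # assumption: absent name never matches
    if rule.kind == "ip" and rule.op in ("equ", "nequ"):
        hit = ipaddress.ip_address(present) == ipaddress.ip_address(rule.value)
    else:
        left, right = present.lower(), rule.value.lower()   # assumption: case-insensitive
        hit = (left == right) if rule.op in ("equ", "nequ") else (right in left)
    return hit if rule.op in ("ctn", "equ") else not hit


def group_matches(group, cert: dict):
    """IDs of the rules in the group that the certificate matches."""
    return [r.rule_id for r in group if rule_matches(r, cert)]


def policy_decision(access_rules, groups, cert: dict) -> str:
    """access_rules: ordered (action, group-name) pairs from 'rule ... { deny | permit } group-name'."""
    for action, group_name in access_rules:
        if group_matches(groups[group_name], cert):
            return action
    return "deny"                              # assumption: no match means the certificate is rejected


# The three attribute examples from this page, in group mygroup.
MYGROUP = [
    AttributeRule(1, "subject-name", "dn", "ctn", "abc"),
    AttributeRule(2, "issuer-name", "fqdn", "nequ", "abc"),
    AttributeRule(3, "alt-subject-name", "ip", "nequ", "10.0.0.1"),
]
GROUPS = {"mygroup": MYGROUP}
POLICY = [("permit", "mygroup")]             # 'rule 1 permit mygroup' in policy mypolicy

# Constructed certificate names for the walkthrough.
SAMPLE_CERT = {
    ("subject-name", "dn"): "CN=abc-user,OU=test-lab,O=HP",
    ("issuer-name", "dn"): "CN=myca,O=HP",
    ("issuer-name", "fqdn"): "ca.example.test",
    ("alt-subject-name", "fqdn"): "hyf.xxyyzz.net",
    ("alt-subject-name", "ip"): "10.0.0.1",
}

if __name__ == "__main__":
    print("matching rules:", group_matches(MYGROUP, SAMPLE_CERT))
    print("decision:", policy_decision(POLICY, GROUPS, SAMPLE_CERT))
```

On the sample certificate rules 1 and 2 match and rule 3 does not (its alternative-subject IP is exactly 10.0.0.1), so under the any-rule reading the group matches and the policy permits; a certificate whose subject DN lacks abc and whose issuer FQDN is abc matches nothing and is denied. Note the ip comparison: an address written with different case or zero-compression in an IPv6 SAN still compares equal, which a plain string comparison would miss.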
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. [] Square brackets enclose syntax choices (keywords or arguments) that are optional. { x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents a firewall chassis or a firewall module. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device.