HP High-End Firewalls VPN Command Reference
Part number: 5998-2661
Software version: F1000-A-EI&F1000-S-EI: R3721; F5000: F3210; F1000-E: F3171; Firewall module: F3171
Document version: 6PW101-20120719
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
GRE configuration commands
display gre p2mp tunnel-table interface tunnel
Syntax
display gre p2mp tunnel-table interface tunnel number [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
number: Tunnel interface number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
gre checksum
Syntax
gre checksum
undo gre checksum
View
Tunnel interface view
Default level
2: System level
Parameters
None
Description
Use gre checksum to enable the GRE packet checksum function, which verifies the validity of received packets and discards invalid ones. Use undo gre checksum to disable the GRE packet checksum function. By default, the GRE packet checksum function is disabled.
Related commands: interface tunnel and display interface tunnel.
Description
Use gre key to configure a key for a GRE tunnel interface. Use undo gre key to remove the configuration. By default, no key is configured for a GRE tunnel interface.
For a P2P GRE tunnel, both ends of the tunnel must be configured with the same GRE key. Otherwise, packets fail the GRE key verification and are discarded. This is a weak security mechanism; its purpose is to prevent packets from being mistakenly accepted.
For a P2MP GRE tunnel, the GRE key identifies the priority of a tunnel entry.
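The GRE checksum and key checks described above, as an added example written for this reference and not part of the HP firewall software: it builds GRE headers (RFC 2784/2890 layout), verifies the Internet checksum when the C bit is set, and models the page's rule that both ends must hold the same key by rejecting any packet whose Key field does not equal the locally configured key (including a present key where none is configured, and vice versa). The function names and the sample payload are constructed for the example.

```python
import struct
from typing import Optional

# Flag bits in the first 16 bits of a GRE header (RFC 2784 / RFC 2890).
GRE_FLAG_CHECKSUM = 0x8000  # C: Checksum + Reserved1 fields present
GRE_FLAG_KEY = 0x2000       # K: Key field present
GRE_FLAG_SEQUENCE = 0x1000  # S: Sequence Number field present
GRE_VERSION_MASK = 0x0007   # version must be 0 for RFC 2784 GRE


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over data
    that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length buffer, as the checksum definition requires
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int = 0x0800, key: Optional[int] = None,
              checksum: bool = False, seq: Optional[int] = None) -> bytes:
    """Encapsulate payload in a GRE header, adding the optional fields requested
    (checksum=True corresponds to 'gre checksum' being enabled on the sender)."""
    flags = 0
    optional = b""
    if checksum:
        flags |= GRE_FLAG_CHECKSUM
        optional += struct.pack("!HH", 0, 0)  # checksum placeholder + Reserved1
    if key is not None:
        flags |= GRE_FLAG_KEY
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQUENCE
        optional += struct.pack("!I", seq)
    header = struct.pack("!HH", flags, proto) + optional
    if checksum:
        # The checksum covers the GRE header and the payload with the field zeroed.
        csum = internet_checksum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def parse_gre(pkt: bytes) -> dict:
    """Split a GRE packet into its fields; raises ValueError on malformed input."""
    if len(pkt) < 4:
        raise ValueError("shorter than the 4-byte base header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    offset = 4
    fields = {"proto": proto, "checksum": None, "key": None, "seq": None}
    if flags & GRE_FLAG_CHECKSUM:
        if len(pkt) < offset + 4:
            raise ValueError("truncated checksum field")
        fields["checksum"] = struct.unpack("!H", pkt[offset:offset + 2])[0]
        offset += 4
    if flags & GRE_FLAG_KEY:
        if len(pkt) < offset + 4:
            raise ValueError("truncated key field")
        fields["key"] = struct.unpack("!I", pkt[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_SEQUENCE:
        if len(pkt) < offset + 4:
            raise ValueError("truncated sequence field")
        fields["seq"] = struct.unpack("!I", pkt[offset:offset + 4])[0]
        offset += 4
    fields["hdr_len"] = offset
    fields["payload"] = pkt[offset:]
    return fields


def gre_receive(pkt: bytes, local_key: Optional[int] = None):
    """Receiver-side acceptance decision: (accepted, reason).
    Assumption (modelled from the page): the packet's key must equal the
    locally configured key exactly, with 'no key' counting as a value too."""
    try:
        fields = parse_gre(pkt)
    except ValueError as exc:
        return False, "malformed: %s" % exc
    if fields["checksum"] is not None and internet_checksum(pkt) != 0:
        return False, "bad checksum"
    if fields["key"] != local_key:
        return False, "key mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a minimal IPv4 header as payload, key 0x1234, checksum on.
    sample = build_gre(b"\x45\x00\x00\x14" + b"\x00" * 16, key=0x1234, checksum=True)
    print(gre_receive(sample, local_key=0x1234))  # accepted
    print(gre_receive(sample, local_key=0x4321))  # key mismatch, dropped
```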
If the tunnel entry aging time is too short, tunnel entries age out too quickly and packets to the branch cannot be forwarded. If it is too long, the tunnel entry table may not be updated in time. Set the aging time properly as required.
Examples
# Set the P2MP tunnel entry aging time to 10 seconds.
Default level
2: System level
Parameters
mask: Mask of the private network IP addresses of the branch, in dotted decimal notation.
mask-length: Mask length of the private network IP addresses of the branch, in the range of 0 to 32.
Description
Use gre p2mp branch-network-mask to configure the mask or mask length of the private network addresses of a branch in tunnel entries. Use undo gre p2mp branch-network-mask to restore the default.
Default level
2: System level
Parameters
seconds: Interval in seconds for transmitting keepalive packets, in the range of 1 to 32,767. The default value is 10.
times: Maximum number of attempts for transmitting a keepalive packet, in the range of 1 to 255. The default value is 3.
Description
Use keepalive to enable the GRE keepalive function to detect the status of the tunnel interface, and to set the keepalive interval and the maximum number of attempts for transmitting a keepalive packet.
If no parameters are specified, the command clears the tunnel entry information of all P2MP GRE tunnel interfaces.
Examples
# Clear the tunnel entries of all P2MP GRE tunnel interfaces.
reset gre p2mp tunnel-table
Warning: All tunnel table will be deleted. Continue? [Y/N]:
# Clear all tunnel entries of P2MP GRE tunnel interface Tunnel0.
reset gre p2mp tunnel-table interface tunnel 0
Warning: All tunnel table will be deleted.
AFT configuration commands
display aft address-group
Syntax
display aft address-group [ | { begin | exclude | include } regular-expression ]
View
Any view
Default Level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
View
Any view
Default Level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays the lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display aft all to display all AFT information.
Examples
# Display all AFT information.
GigabitEthernet0/1
Table 4 Command output
Field: Description
IPv4 Address Pool Information: AFT IPv4 address pool information
1: Address pool number
from 1.1.1.1: Start IP address in an address pool
to 1.1.1.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display aft statistics to display AFT statistics.
Related commands: reset aft statistics.
Examples
# Display AFT statistics.
Description
Use aft address-group to create an AFT address pool. Use undo aft address-group to delete a specified AFT address pool.
NOTE:
• You cannot delete an address pool that is referenced by a v6tov4 policy. To delete such an address pool, you must delete the policy first.
• If start-ipv4-address equals end-ipv4-address, only one address is available in the address pool.
Related commands: display aft address-group and display aft all.
aft prefix-dns64
Syntax
aft prefix-dns64 dns64-prefix prefix-length
undo aft prefix-dns64 dns64-prefix prefix-length
View
System view
Default Level
2: System level
Parameters
dns64-prefix: DNS64 prefix.
prefix-length: Prefix length, which can be 32, 40, 48, 56, 64, or 96 bits.
Description
Use aft prefix-dns64 to specify a DNS64 prefix. Use undo aft prefix-dns64 to delete a specified DNS64 prefix. By default, no DNS64 prefix is specified.
Parameters
ivi-prefix: IVI prefix of an IPv6 address.
Description
Use aft prefix-ivi to specify an IVI prefix. Use undo aft prefix-ivi to delete a specified IVI prefix. By default, no IVI prefix is specified.
The length of an IVI prefix is 32 bits. If an IPv6 address matches the specified IVI prefix format, AFT extracts the IPv4 address embedded in the IPv6 address to translate the IPv6 address into an IPv4 address.
NOTE: The DNS64 prefix cannot be the same as the IVI prefix.
Use undo aft v4tov6 to delete a specified AFT policy.
NOTE:
• The DNS64 and IVI prefixes must be those configured through the aft prefix-dns64 and aft prefix-ivi commands.
• The ACL specified in the aft v4tov6 acl number prefix-ivi command must be configured to check the destination addresses of packets.
• Different AFT policies cannot reference the same ACL.
Related commands: display aft all.
interface interface-type interface-number: Translates a matching source IPv6 address into the IPv4 address of the specified interface. interface-type interface-number specifies the interface type and number.
Description
Use aft v6tov4 to configure an AFT policy to translate the source addresses of IPv6 packets destined to IPv4 networks. Use undo aft v6tov4 to delete a specified AFT policy.
NOTE: The DNS64 prefix must be configured through the aft prefix-dns64 command.
Related commands: display aft all.
Tunneling configuration commands
default
Syntax
default
View
Tunnel interface view
Default level
2: System level
Parameters
None
Description
Use default to restore the default settings for the tunnel interface. This command might fail to restore the default settings for some commands for reasons such as command dependencies and system restrictions.
Parameters
text: Description of an interface, a string of 1 to 80 characters.
Description
Use description to configure a description for the current interface. Use undo description to restore the default. By default, the description of a tunnel interface is Tunnelnumber Interface, for example, Tunnel1 Interface.
Related commands: display interface tunnel.
Examples
# Configure the description of interface Tunnel 1 as tunnel1.
[Sysname1] interface tunnel 0
[Sysname1-Tunnel0] source 193.101.1.1
[Sysname1-Tunnel0] destination 192.100.1.1
system-view
[Sysname2] interface tunnel 1
[Sysname2-Tunnel1] source 192.100.1.1
[Sysname2-Tunnel1] destination 193.101.1.
Description: Tunnel0 Interface
The Maximum Transmit Unit is 1476
Internet Address is 1.1.1.1/24
Primary Encapsulation is TUNNEL, service-loopback-group ID not set.
Tunnel source 10.1.1.1, destination 10.1.1.
Field: Description
Tunnel bandwidth: Bandwidth of the tunnel interface
Tunnel protocol/transport: Tunnel mode and transport protocol:
• UDP_DVPN/IP—DVPN UDP tunnel mode
• GRE_DVPN/IP—DVPN GRE tunnel mode
• GRE/IP—GRE over IPv4 tunnel mode
• GRE/IPv6—GRE over IPv6 tunnel mode
• GRE p2mp/IP—Point-to-multipoint GRE tunnel mode
• IPsec/IP—IPsec over IPv4 tunnel mode
• IP/IP—IPv4 over IPv4 tunnel mode
• IP/IPv6—IPv4 over IPv6 tunnel mode
• IP/IPv6 dslite-aftr—IPv4 over IPv6 DS-lite tunnel mode on
# Display brief information about interface Tunnel 1 in the DOWN state.
Parameters
number: Displays IPv6 information on a specific tunnel interface. If no interface number is specified, IPv6 information about all tunnel interfaces will be displayed.
brief: Displays brief information of tunnel interfaces. If this keyword is not specified, detailed information and IPv6 packet statistics for tunnel interfaces are displayed.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
OutRequests: 45
OutForwDatagrams: 0
InNoRoutes: 0
InTooBigErrors: 0
OutFragOKs: 0
OutFragCreates: 0
InMcastPkts: 0
InMcastNotMembers: 0
OutMcastPkts: 0
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
Table 8 Command output
Field: Description
Physical state of the tunnel interface:
• Administratively DOWN—The interface is administratively down; that is, the interface is shut down with the shutdown command.
Field: Description
ReasmReqds: Received IPv6 fragments
ReasmOKs: Number of packets after reassembly rather than the number of fragments
InFragDrops: IPv6 fragments discarded due to certain errors
InFragTimeouts: IPv6 fragments discarded because the interval for which they had stayed in the system buffer exceeded the specified period
OutFragFails: Packets failed in fragmentation on the outbound interface
InUnknownProtos: Received IPv6 packets with unknown or unsupported protocol type
InDelivers: Recei
Field: Description
Interface: Name of the tunnel interface
Physical: Physical state of the tunnel interface:
• *down—The interface is administratively down; that is, the interface is shut down with the shutdown command.
• down—The interface is administratively up but its physical state is down.
• up—Both the administrative and physical states of the interface are up.
Protocol: Link layer protocol state of the tunnel interface:
• down—The protocol state of the interface is down.
IPv6 Address:
View
System view
Default level
2: System level
Parameters
number: Number of the tunnel interface, ranging from 0 to 4095. The number of tunnels that can be created is restricted by the total number of interfaces and the memory.
Description
Use interface tunnel to create a tunnel interface and enter its view. Use undo interface tunnel to delete a specific tunnel interface. By default, no tunnel interface is created on the firewall. Use interface tunnel to enter the interface view of a specific tunnel.
Examples
# Set the MTU for IPv4 packets on interface Tunnel 3 to 10000 bytes.
system-view
[Sysname] interface tunnel 3
[Sysname-Tunnel3] mtu 10000
reset counters interface
Syntax
reset counters interface [ tunnel [ number ] ]
View
User view
Default level
2: System level
Parameters
number: Tunnel interface number.
Description
Use reset counters interface to clear the statistics of tunnel interfaces.
Description
Use shutdown to shut down a tunnel interface. Use undo shutdown to bring up a tunnel interface. By default, a tunnel interface is in the up state.
Examples
# Shut down interface Tunnel 1.
system-view
[Sysname] interface tunnel 1
[Sysname-Tunnel1] shutdown
source
Syntax
source { ip-address | ipv6-address | interface-type interface-number }
undo source
View
Tunnel interface view
Default level
2: System level
Parameters
ip-address: Tunnel source IPv4 address.
Or
system-view
[Sysname] interface tunnel 5
[Sysname-Tunnel5] source GigabitEthernet 0/1
tunnel bandwidth
Syntax
tunnel bandwidth bandwidth-value
undo tunnel bandwidth
View
Tunnel interface view
Default level
2: System level
Parameters
bandwidth-value: Bandwidth value of the tunnel interface in kbps, in the range of 1 to 10000000.
Description
Use tunnel bandwidth to set the bandwidth of the tunnel interface. Use undo tunnel bandwidth to restore the default.
Description
Use tunnel discard ipv4-compatible-packet to enable dropping of IPv6 packets using IPv4-compatible IPv6 addresses. Use undo tunnel discard ipv4-compatible-packet to restore the default. By default, IPv6 packets using IPv4-compatible IPv6 addresses are not dropped.
You can select a tunnel mode according to the actual network topology and application. The two ends of a tunnel must have the same tunnel mode specified; otherwise, traffic transmission may fail. Only one automatic tunnel can be created at the start point of a tunnel. For more information about GRE tunnel mode and IPsec tunnel mode, see VPN Configuration Guide.
Examples
# Specify the IPv4 over IPv4 tunnel mode for interface Tunnel 2.
IKE configuration commands
The following matrix shows the feature and firewall compatibility:
Feature: F1000-A-EI/S-EI | F1000-E | F5000 | Firewall module
FIPS: No | No | No | Yes
authentication-algorithm
Syntax
authentication-algorithm { md5 | sha }
undo authentication-algorithm
View
IKE proposal view
Default level
2: System level
Parameters
md5: Uses HMAC-MD5. This keyword is not available for the FIPS mode.
sha: Uses HMAC-SHA1.
Default level
2: System level
Parameters
pre-share: Uses the pre-shared key method.
rsa-signature: Uses the RSA digital signature method.
Description
Use authentication-method to specify an authentication method for an IKE proposal. Use undo authentication-method to restore the default. By default, an IKE proposal uses the pre-shared key authentication method.
Related commands: ike proposal and display ike proposal.
Examples
# Specify that IKE proposal 10 uses the pre-shared key authentication method.
dh
Syntax
dh { group1 | group2 | group5 | group14 }
undo dh
View
IKE proposal view
Default level
2: System level
Parameters
group1: Uses the 768-bit Diffie-Hellman group for key negotiation in phase 1. This keyword is not available for the FIPS mode.
group2: Uses the 1024-bit Diffie-Hellman group for key negotiation in phase 1.
group5: Uses the 1536-bit Diffie-Hellman group for key negotiation in phase 1.
group14: Uses the 2048-bit Diffie-Hellman group for key negotiation in phase 1.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ike dpd to display information about Dead Peer Detection (DPD) detectors. If you do not specify any parameters, the command displays information about all DPD detectors.
Related commands: ike dpd.
Description
Use display ike peer to display information about IKE peers. If you do not specify any parameters, the command displays information about all IKE peers.
Related commands: ike peer.
Examples
# Display information about all IKE peers.
display ike peer
--------------------------
IKE Peer: rtb4tunn
exchange mode: main on phase 1
pre-shared-key simple 123
peer id type: ip
peer ip address: 44.44.44.
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Parameters
active: Displays the summary information of active IKE SAs in an IPsec stateful failover scenario.
standby: Displays the summary information of standby IKE SAs in an IPsec stateful failover scenario.
verbose: Displays detailed information.
connection-id: Displays detailed information about IKE SAs by connection ID, in the range of 1 to 2000000000.
remote-address: Displays detailed information about IKE SAs by remote address.
|: Filters command output by specifying a regular expression.
Field: Description
peer: Remote IP address of the SA
flag: Status of the SA:
• RD (READY)—The SA has been established
• ST (STAYALIVE)—This end is the initiator of the tunnel negotiation
• RL (REPLACED)—The tunnel has been replaced by a new one and will be deleted later
• FD (FADING)—The soft lifetime is over but the tunnel is still in use. The tunnel will be deleted when the hard lifetime is over
• TO (TIMEOUT)—The SA has received no keepalive packets after the last keepalive timeout.
--------------------------------------------
connection id: 2
vpn-instance: vpn1
transmitting entity: initiator
status: active
--------------------------------------------
local ip: 4.4.4.4
local id type: IPV4_ADDR
local id: 4.4.4.4
remote ip: 4.4.4.5
remote id type: IPV4_ADDR
remote id: 4.4.4.
Table 14 Command output
Field: Description
connection id: Identifier of the ISAKMP SA
vpn-instance: VPN to which the protected data belongs.
transmitting entity: Entity in the IKE negotiation
status: Stateful failover status of the SA, active or standby. This field appears only in an IPsec stateful failover scenario.
Examples
# Apply dpd1 to IKE peer peer1.
system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] dpd dpd1
encryption-algorithm
Syntax
encryption-algorithm { 3des-cbc | aes-cbc [ key-length ] | des-cbc }
undo encryption-algorithm
View
IKE proposal view
Default level
2: System level
Parameters
3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses 168-bit keys for encryption. This keyword is not available for the FIPS mode.
View
IKE peer view
Default level
2: System level
Parameters
aggressive: Aggressive mode. This keyword is not available for the FIPS mode.
main: Main mode.
Description
Use exchange-mode to select an IKE negotiation mode. Use undo exchange-mode to restore the default. By default, main mode is used.
If the user at one end of an IPsec tunnel obtains its IP address automatically (for example, a dial-up user), the IKE negotiation mode must be set to aggressive.
By default, the ID type is IP address. In main mode, only the ID type of IP address can be used in IKE negotiation and SA creation. In aggressive mode, either type can be used. If the ID type of FQDN is used, configure a name without any at sign (@) for the local security gateway, for example, foo.bar.com. If the ID type of user FQDN is used, configure a name with an at sign (@) for the local security gateway, for example, test@foo.bar.com.
Examples
# Create a DPD detector named dpd2.
system-view
[Sysname] ike dpd dpd2
ike local-name
Syntax
ike local-name name
undo ike local-name
View
System view
Default level
2: System level
Parameters
name: Name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters.
Description
Use ike local-name to configure a name for the local security gateway. Use undo ike local-name to restore the default.
Default level
2: System level
Parameters
None
Description
Use ike next-payload check disabled to disable checking of the Next payload field in the last payload of an IKE message during IKE negotiation, so that the device can interoperate with products that assign the field a value other than zero. Use undo ike next-payload check disabled to restore the default. By default, the Next payload field is checked.
Examples
# Disable Next payload field checking for the last payload of an IKE message.
View
System view
Default level
2: System level
Parameters
proposal-number: IKE proposal number, in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal. During IKE negotiation, a high priority IKE proposal is matched before a low priority IKE proposal.
Description
Use ike proposal to create an IKE proposal and enter IKE proposal view. Use undo ike proposal to delete an IKE proposal.
The keepalive interval configured at the local end must be shorter than the keepalive timeout configured at the remote end.
Related commands: ike sa keepalive-timer timeout.
Examples
# Set the keepalive interval to 200 seconds.
Default level
2: System level
Parameters
seconds: NAT keepalive interval in seconds, in the range of 5 to 300.
Description
Use ike sa nat-keepalive-timer interval to set the NAT keepalive interval. Use undo ike sa nat-keepalive-timer interval to disable the function. By default, the NAT keepalive interval is 20 seconds.
Examples
# Set the NAT keepalive interval to 5 seconds.
undo local
View
IKE peer view
Default level
2: System level
Parameters
multi-subnet: Sets the subnet type to multiple.
single-subnet: Sets the subnet type to single.
Description
Use local to set the subnet type of the local security gateway for IKE negotiation. Use undo local to restore the default. By default, the subnet is a single one. Use this command to enable interoperability with a NetScreen device.
Examples
# Set the subnet type of the local security gateway to multiple.
[Sysname] ike peer xhy
[Sysname-ike-peer-xhy] local-address 1.1.1.1
local-name
Syntax
local-name name
undo local-name
View
IKE peer view
Default level
2: System level
Parameters
name: Name for the local security gateway to be used in IKE negotiation, a case-sensitive string of 1 to 32 characters.
Description
Use local-name to configure a name for the local security gateway to be used in IKE negotiation. Use undo local-name to restore the default.
Default level
2: System level
Parameters
None
Description
Use nat traversal to enable the NAT traversal function of IKE/IPsec. Use undo nat traversal to disable the NAT traversal function of IKE/IPsec. By default, the NAT traversal function is disabled.
Examples
# Enable the NAT traversal function for IKE peer peer1.
pre-shared-key
Syntax
pre-shared-key [ cipher | simple ] key
undo pre-shared-key
View
IKE peer view
Default level
2: System level
Parameters
key: Plaintext pre-shared key to be displayed in cipher text, a case-sensitive string of 1 to 128 characters.
cipher key: Specifies the ciphertext pre-shared key to be displayed in cipher text, a case-sensitive string of 1 to 184 characters.
Description Use proposal to specify the IKE proposals for the IKE peer to reference. Use undo proposal to remove one or all IKE proposals referenced by the IKE peer. By default, an IKE peer references no IKE proposals and, when initiating IKE negotiation, it uses the IKE proposals configured in system view. In the IKE negotiation phase 1, the local peer uses the IKE proposals specified for it, if any. An IKE peer can reference up to six IKE proposals.
The local peer can be the initiator of IKE negotiation if the remote address is a host IP address or a host name. The local end can only be the responder of IKE negotiation if the remote address is an address range that the local peer can respond to. If the IP address of the remote address changes frequently, configure the host name of the remote gateway with the dynamic keyword so that the local peer can use the up-to-date remote IP address to initiate IKE negotiation.
reset ike sa
Syntax
reset ike sa [ connection-id | active | standby ]
View
User view
Default level
2: System level
Parameters
connection-id: Connection ID of the IKE SA to be cleared, in the range of 1 to 2000000000.
active: Clears all active IKE SAs in an IPsec stateful failover scenario.
standby: Clears all standby IKE SAs in an IPsec stateful failover scenario.
Description
Use reset ike sa to clear IKE SAs. If you do not specify any parameter, the command clears all IKE SAs.
display ike sa
total phase-1 SAs: 2
connection-id peer flag phase doi status
---------------------------------------------------------------
1 202.38.0.2 RD|ST 1 IPSEC ACTIVE
1 201.31.0.9 RD|ST 1 IPSEC STANDBY
2 202.38.0.2 RD|ST 2 IPSEC ACTIVE
2 201.31.0.
time-out
Syntax
time-out time-out
undo time-out
View
IKE DPD view
Default level
2: System level
Parameters
time-out: DPD packet retransmission interval in seconds, in the range of 1 to 60.
Description
Use time-out to set the DPD packet retransmission interval for a DPD detector. Use undo time-out to restore the default. The default DPD packet retransmission interval is 5 seconds.
Examples
# Set the DPD packet retransmission interval to 1 second for dpd2.
IPsec configuration commands
The term "router" in this document refers to both routers and Layer 3 firewalls.
IMPORTANT: The FIPS mode is available only for the firewall modules. For more information about FIPS, see Access Control Configuration Guide.
ah authentication-algorithm
Syntax
ah authentication-algorithm { md5 | sha1 }
undo ah authentication-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
md5: Uses MD5. This keyword is not available for FIPS mode.
sha1: Uses SHA1.
connection-name
Syntax
connection-name name
undo connection-name
View
IPsec policy view, IPsec policy template view
Default level
2: System level
Parameters
name: IPsec connection name, a case-insensitive string of 1 to 32 characters.
Description
Use connection-name to configure an IPsec connection name. This name functions only as a description of the IPsec policy. Use undo connection-name to restore the default. By default, no IPsec connection name is configured.
system-view
[Sysname] cryptoengine enable
display ipsec policy
Syntax
display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
brief: Displays brief information about all IPsec policies.
name: Displays detailed information about a specified IPsec policy or IPsec policy group.
policy-name: Name of the IPsec policy, a string of 1 to 15 characters.
toccccc-1 isakmp 3003
IPsec-Policy-Name Mode acl Local-Address Remote-Address
tocccc
-----------------------------------------------------------------------
man-1 manual 3400 3.3.3.1 3.3.3.
----------------------------------------
IPsec policy name: "policy_man"
sequence number: 10
mode: manual
----------------------------------------
security data flow : 3002
tunnel local address: 162.105.10.1
tunnel remote address: 162.105.10.
ESP spi: 23456 (0x5ba0)
ESP string-key:
ESP encryption hex key: 1234567890abcdef1234567890abcdef1234567812345678
ESP authentication hex key: 1234567890abcdef1234567890abcdef
outbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
outbound ESP setting:
ESP spi: 23456 (0x5ba0)
ESP string-key:
ESP encryption hex key: 1234567890abcdef1234567890abcdef1234567812345678
ESP authentication hex key: 1234567890abcdef1234567890abcdef
Table 16 Command output
Field: Description
security data flow: ACL re
display ipsec policy-template
Syntax
display ipsec policy-template [ brief | name template-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
brief: Displays brief information about all IPsec policy templates.
name: Displays detailed information about a specified IPsec policy template or IPsec policy template group.
template-name: Name of the IPsec policy template, a string of 1 to 15 characters.
Field: Description
Remote Address: Remote IP address
# Display detailed information about all IPsec policy templates.
Default level
1: Monitor level
Parameters
name profile-name: Displays the configuration information of an IPsec profile. The profile-name argument specifies the name of the IPsec profile and is a case-insensitive string of 1 to 15 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Field: Description
security data flow: ACL referenced by the IPsec profile. As an IPsec profile does not reference any ACL, this field is displayed as 0.
ike-peer name: IKE peer referenced by the IPsec profile
perfect forward secrecy: Whether PFS is enabled
proposal name: IPsec proposal referenced by the IPsec profile
Synchronization inbound anti-replay-interval: Inbound anti-replay window information synchronization interval, expressed in the number of received packets.
encapsulation mode: tunnel
transform: ah-new
AH protocol: authentication sha1-hmac-96
IPsec proposal name: prop1
encapsulation mode: transport
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
Table 20 Command output
Field: Description
IPsec proposal name: Name of the IPsec proposal
encapsulation mode: Encapsulation mode used by the IPsec proposal, transport or tunnel
transform: Security protocol(s) used by the IPsec proposal: AH, ESP, or both.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ipsec sa to display information about IPsec SAs. If you do not specify any parameters, the command displays information about all IPsec SAs.
Related commands: reset ipsec sa and ipsec sa global-duration.
Examples
# Display brief information about all IPsec SAs.
dest addr: 192.168.1.0/255.255.255.
Table 22 Command output
Interface: Interface referencing the IPsec policy.
path MTU: Maximum IP packet length supported by the interface.
Protocol: Name of the protocol to which the IPsec policy is applied.
IPsec policy name: Name of IPsec policy used.
sequence number: Sequence number of the IPsec policy.
mode: IPsec negotiation mode.
connection id: IPsec tunnel identifier.
encapsulation mode: Encapsulation mode, transport or tunnel.
display ipsec statistics
Syntax
display ipsec statistics [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
tunnel-id integer: Specifies an IPsec tunnel by its ID, which is in the range of 1 to 2000000000.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
input/output security packets: 5124/8231
input/output security bytes: 52348/64356
input/output dropped security packets: 0/0
dropped security packet detail:
not enough memory: 0
queue is full: 0
authentication has failed: 0
wrong length: 0
replay packet: 0
packet too long: 0
wrong SA: 0
Table 23 Command output
Connection ID: ID of the tunnel
input/output security packets: Counts of inbound and outbound IPsec protected packets
input/output security bytes: Counts of inbound and outbound
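The drop counters above are the first place to look when a tunnel carries traffic but peers see loss. The following Python is an added example (not part of the command reference) that parses two snapshots of this output and reports which security-relevant drop reasons grew between them; the second snapshot's numbers are constructed.

```python
"""Parse display ipsec statistics output and flag drop counters that grow.

Added example, not part of the HP command reference. The sample text below is
constructed from the output format shown in the reference; only the numbers in
the second snapshot are made up to show a growing counter.
"""
import re

# Drop reasons from the "dropped security packet detail" block that point to
# a peer mismatch or an attack rather than local resource pressure.
SECURITY_RELEVANT = ("authentication has failed", "replay packet", "wrong SA")

SNAPSHOT_BEFORE = """\
  input/output security packets: 5124/8231
  input/output security bytes: 52348/64356
  input/output dropped security packets: 0/0
  dropped security packet detail:
    not enough memory: 0
    queue is full: 0
    authentication has failed: 0
    wrong length: 0
    replay packet: 0
    packet too long: 0
    wrong SA: 0
"""

# Constructed second snapshot: 37 inbound packets dropped as replays.
SNAPSHOT_AFTER = """\
  input/output security packets: 6120/9050
  input/output security bytes: 61010/70122
  input/output dropped security packets: 37/0
  dropped security packet detail:
    not enough memory: 0
    queue is full: 0
    authentication has failed: 0
    wrong length: 0
    replay packet: 37
    packet too long: 0
    wrong SA: 0
"""

_PAIR = re.compile(r"^\s*(input/output [a-z ]+?):\s*(\d+)/(\d+)\s*$")
_SINGLE = re.compile(r"^\s*([A-Za-z ]+?):\s*(\d+)\s*$")


def parse_ipsec_statistics(text: str) -> dict:
    """Map each counter name to an int; in/out pairs become two keys."""
    counters = {}
    for line in text.splitlines():
        m = _PAIR.match(line)
        if m:
            name, inbound, outbound = m.groups()
            counters[name + " in"] = int(inbound)
            counters[name + " out"] = int(outbound)
            continue
        m = _SINGLE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def drop_alerts(before: dict, after: dict) -> dict:
    """Return security-relevant drop counters that increased between snapshots."""
    return {
        name: after[name] - before.get(name, 0)
        for name in SECURITY_RELEVANT
        if after.get(name, 0) > before.get(name, 0)
    }


if __name__ == "__main__":
    before = parse_ipsec_statistics(SNAPSHOT_BEFORE)
    after = parse_ipsec_statistics(SNAPSHOT_AFTER)
    for reason, delta in drop_alerts(before, after).items():
        print(f"ALERT: '{reason}' increased by {delta} since last poll")
```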
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
outbound : 675720232 (0x2846ac28) [ESP]
tunnel :
local address: 44.44.44.44
remote address : 44.44.44.45
flow : as defined in acl 3001
Table 24 Command output
connection id: Connection ID, used to uniquely identify an IPsec Tunnel
status: Whether the tunnel is in the active or standby state. This field is displayed only when IPsec stateful failover is enabled.
Examples
# Configure IPsec proposal prop2 to encapsulate IP packets in transport mode.
system-view
[Sysname] ipsec proposal prop2
[Sysname-ipsec-proposal-prop2] encapsulation-mode transport
esp authentication-algorithm
Syntax
esp authentication-algorithm { md5 | sha1 }
undo esp authentication-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
md5: Uses the MD5 algorithm, which uses a 128-bit key. This keyword is not available for FIPS mode.
esp encryption-algorithm
Syntax
esp encryption-algorithm { 3des | aes [ key-length ] | des }
undo esp encryption-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
3des: Uses triple DES (3DES) in cipher block chaining (CBC) mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption. This keyword is not available for FIPS mode.
aes: Uses the Advanced Encryption Standard (AES) in CBC mode as the encryption algorithm.
ike-peer (IPsec policy view, IPsec policy template view, IPsec profile view)
Syntax
ike-peer peer-name
undo ike-peer peer-name
View
IPsec policy view, IPsec policy template view, IPsec profile view
Default level
2: System level
Parameters
peer-name: IKE peer name, a string of 1 to 32 characters.
Description
Use ike-peer to reference an IKE peer in an IPsec policy, IPsec policy template, or IPsec profile configured through IKE negotiation. Use undo ike-peer to remove the reference.
Description
Use ipsec anti-replay check to enable IPsec anti-replay checking. Use undo ipsec anti-replay check to disable IPsec anti-replay checking.
By default, IPsec anti-replay checking is enabled.
Examples
# Enable IPsec anti-replay checking.
system-view
[Sysname] ipsec anti-replay check
ipsec anti-replay window
Syntax
ipsec anti-replay window width
undo ipsec anti-replay window
View
System view
Default level
2: System level
Parameters
width: Size of the anti-replay window.
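To make the effect of the window width concrete, here is an added Python model (not code from the command reference) of the sliding-window anti-replay check that ipsec anti-replay check enables and ipsec anti-replay window sizes: the receiver tracks the highest accepted sequence number plus a bitmap of the last width numbers, accepting reordered packets inside the window and dropping duplicates and anything older than the window.

```python
"""Sliding-window anti-replay check in the style of RFC 4303 (ESP).

Added example, not part of the HP command reference. It models what
"ipsec anti-replay check" and "ipsec anti-replay window width" control:
a receiver keeps a bitmap of the last `width` sequence numbers it accepted
and drops packets that are duplicates or older than the window.
"""


class AntiReplayWindow:
    def __init__(self, width: int = 32) -> None:
        if width <= 0:
            raise ValueError("window width must be positive")
        self.width = width
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq: int) -> str:
        """Return 'accept', 'replay' or 'too-old' for sequence number seq.

        A real receiver verifies the ICV before updating the window so that
        forged packets cannot advance it; the update is immediate here.
        """
        if seq == 0:
            return "replay"  # sequence number 0 is never valid for ESP
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; bits that fall off the end are forgotten.
            self.bitmap = (self.bitmap << shift) & ((1 << self.width) - 1)
            self.bitmap |= 1
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.width:
            return "too-old"   # a wider window would have accepted this reorder
        if self.bitmap & (1 << offset):
            return "replay"
        self.bitmap |= 1 << offset
        return "accept"


def run_sequence(seqs, width=32):
    """Feed ESP sequence numbers through one window and return the verdicts."""
    win = AntiReplayWindow(width)
    return [win.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: in-order packets, one reorder, one duplicate, one stale.
    sample = [1, 2, 3, 5, 4, 4, 40, 7]
    for s, verdict in zip(sample, run_sequence(sample, width=32)):
        print(f"seq {s:>3}: {verdict}")
```

Running the sample shows the trade-off the width parameter controls: a larger window tolerates more reordering, a smaller one drops late packets as too-old sooner.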
Parameters
None
Description
Use ipsec decrypt check to enable ACL checking of de-encapsulated IPsec packets. Use undo ipsec decrypt check to disable ACL checking of de-encapsulated IPsec packets.
By default, ACL checking of de-encapsulated IPsec packets is enabled.
Examples
# Enable ACL checking of de-encapsulated IPsec packets.
View
Interface view
Default level
2: System level
Parameters
policy-name: Name of the existing IPsec policy group to be applied to the interface, a string of 1 to 15 characters.
Description
Use ipsec policy to apply an IPsec policy group to an interface. Use undo ipsec policy to remove the application.
Only one IPsec policy group can be applied to an interface. To apply another IPsec policy group to the interface, remove the original application first.
manual: Sets up SAs manually.
Description
Use ipsec policy to create an IPsec policy and enter its view. Use undo ipsec policy to delete the specified IPsec policies.
By default, no IPsec policy exists.
When creating an IPsec policy, you must specify the generation mode. You cannot change the generation mode of an existing IPsec policy; you can only delete the policy and then re-create it with the new mode.
IPsec policies with the same name constitute an IPsec policy group.
Use undo ipsec policy to delete an IPsec policy. Using the undo ipsec policy command without the seq-number argument deletes an IPsec policy group.
In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
Related commands: ipsec policy (system view) and ipsec policy-template.
Examples
# Create an IPsec policy with the name policy2 and sequence number 200 by referencing IPsec policy template temp1.
undo ipsec profile profile-name
View
System view
Default level
2: System level
Parameters
profile-name: Name for the IPsec profile, a case-insensitive string of 1 to 15 characters. No minus sign (-) can be included.
Description
Use ipsec profile to create an IPsec profile and enter its view. An IPsec profile defines the IPsec proposals to be used to protect the data and the IKE negotiation parameters to be used to set up the SAs. Use undo ipsec profile to delete an IPsec profile.
Examples
# Apply IPsec profile vtiprofile to the IPsec tunnel interface.
system-view
[Sysname] interface tunnel 0
[Sysname-Tunnel0] tunnel-protocol ipsec ipv4
[Sysname-Tunnel0] ipsec profile vtiprofile
ipsec proposal
Syntax
ipsec proposal proposal-name
undo ipsec proposal proposal-name
View
System view
Default level
2: System level
Parameters
proposal-name: Name for the proposal, a case-insensitive string of 1 to 32 characters.
Parameters
seconds: Time-based global SA lifetime in seconds, in the range of 180 to 604800.
kilobytes: Traffic-based global SA lifetime in kilobytes, in the range of 2560 to 4294967295.
Description
Use ipsec sa global-duration to configure the global SA lifetime. Use undo ipsec sa global-duration to restore the default.
By default, the time-based global SA lifetime is 3,600 seconds, and the traffic-based global SA lifetime is 1843200 kilobytes.
system-view
[Sysname] ipsec synchronization enable
pfs
Syntax
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
undo pfs
View
IPsec policy view, IPsec policy template view, IPsec profile view
Default level
2: System level
Parameters
dh-group1: Uses 768-bit Diffie-Hellman group. This keyword is not available for FIPS mode.
dh-group2: Uses 1024-bit Diffie-Hellman group.
dh-group5: Uses 1536-bit Diffie-Hellman group.
dh-group14: Uses 2048-bit Diffie-Hellman group.
View
IPsec policy view, IPsec policy template view
Default level
2: System level
Parameters
None
Description
Use policy enable to enable the IPsec policy. Use undo policy enable to disable the IPsec policy.
By default, the IPsec policy is enabled.
The command is not applicable to manual IPsec policies.
If the IPsec policy is not enabled for the IKE peer, the peer cannot take part in the IKE negotiation.
Related commands: ipsec policy (system view) and ipsec policy-template.
A manual IPsec policy can reference only one IPsec proposal. To replace a referenced IPsec proposal, use the undo proposal command to remove the original proposal binding and then use the proposal command to reconfigure one. An IKE negotiated IPsec policy can reference up to six IPsec proposals. The IKE negotiation process will search for and use the exactly matched proposal. An IPsec profile can reference up to six IPsec proposals.
Examples
# Enable packet information pre-extraction.
system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] qos pre-classify
reset ipsec sa
Syntax
reset ipsec sa [ active | parameters dest-address protocol spi | policy policy-name [ seq-number ] | remote ip-address | standby ]
View
User view
Default level
2: System level
Parameters
active: Specifies all active IPsec SAs in an IPsec stateful failover scenario.
When standby IPsec SAs on a device are cleared, the device requests the active device to synchronize active IPsec SAs to itself.
Related commands: display ipsec sa.
Examples
# Clear all IPsec SAs.
reset ipsec sa
# Clear the IPsec SA with a remote IP address of 10.1.1.2.
reset ipsec sa remote 10.1.1.2
# Clear all IPsec SAs of IPsec policy template policy1.
View
IPsec policy view, IPsec policy template view
Default level
2: System level
Parameters
static: Enables static IPsec Reverse Route Inject (RRI). Static IPsec RRI creates static routes based on the ACL that the IPsec policy references. This keyword is available only in IPsec policy view. If this keyword is not specified, you enable dynamic IPsec RRI, which creates static routes based on IPsec SAs.
remote-peer ip-address: Specifies a next hop for the static routes.
Command / IPsec RRI mode / Route destination / Next hop address
reverse-route / Dynamic / Protected peer private network / Remote tunnel endpoint
reverse-route remote-peer ip-address / Dynamic / Protected peer private network / Address identified by the ip-address argument, typically, the next hop address of the interface where the IPsec policy is applied
reverse-route remote-peer ip-address gateway / Dynamic / Protected peer private network / Remote tunnel endpoint; and Remote tunnel endpoint / The address specified by the ip-address argument (outgoing interface: the inte
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3 static
[Sysname-ipsec-policy-isakmp-1-1] quit
# Display the routing table. You can see that IPsec RRI has created the static route. (Other routes are not shown.)
[Sysname] display ip routing-table
...
Destination/Mask    Proto   Pre  Cost  NextHop   Interface
3.0.0.0/24          Static  60   0     1.1.1.3   GE0/1
# Configure dynamic IPsec RRI to create static routes based on IPsec SAs.
reverse-route preference
Syntax
reverse-route preference preference-value
undo reverse-route preference
View
IPsec policy view
Default level
2: System level
Parameters
preference-value: Sets a preference value for the static routes created by IPsec RRI. The value range is 1 to 255. A smaller value represents a higher preference.
Description
Use reverse-route preference to change the preference of the static routes created by IPsec RRI. Use undo reverse-route preference to restore the default.
Use undo reverse-route tag to restore the default. By default, the tag value is 0 for the static routes created by IPsec RRI. This command makes sense only when used together with the reverse-route command. When you change the route tag, static IPsec RRI deletes all static routes it has created and creates new static routes. In contrast, dynamic IPsec RRI applies the new route tag only to subsequent static routes. It does not delete or modify static routes it has created.
With an IPsec policy for an IPv6 routing protocol, the local SPI of the inbound SA and that of the outbound SA must be identical.
At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.
Related commands: ipsec policy (system view).
Examples
# Configure the authentication keys of the inbound and outbound SAs that use AH as 0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 respectively.
system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200
# Set the SA lifetime for IPsec policy policy1 to 20480 kilobytes (20 Mbytes).
system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480
# Set the SA lifetime for IPsec profile profile1 to 7200 seconds (two hours).
With an IPsec policy for an IPv6 routing protocol, the local SPI of the inbound SA and that of the outbound SA must be identical.
At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.
Related commands: ipsec policy (system view).
Examples
# Configure the encryption keys for the inbound and outbound SAs that use ESP as 0x1234567890abcdef and 0xabcdefabcdef1234 respectively.
neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.
Related commands: ipsec policy (system view).
Examples
# Set the SPI for the inbound SA to 10000 and that for the outbound SA to 20000 in a manual IPsec policy.
• Within a certain network scope, each router must use the same SPI and keys for its inbound and outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.
• Enter the keys in the same format on all routers.
When the two peers support both data flow protection modes, they must be configured to work in the same mode.
Related commands: ipsec policy (system view).
Examples
# Configure IPsec policy policy1 to reference ACL 3001.
system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.
Use undo synchronization anti-replay-interval to restore the defaults. By default, the inbound anti-replay window information synchronization interval is 1000, and the outbound anti-replay sequence number synchronization interval is 100000. In an IPsec stateful failover scenario, the active device synchronizes anti-replay information to the standby device at the specified intervals.
Related commands: ipsec proposal.
Examples
# Configure IPsec proposal prop1 to use AH.
system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform ah
tunnel local
Syntax
tunnel local ip-address
undo tunnel local
View
IPsec policy view
Default level
2: System level
Parameters
ip-address: Local address for the IPsec tunnel.
Description
Use tunnel local to configure the local address of an IPsec tunnel. Use undo tunnel local to remove the configuration.
View
IPsec policy view
Default level
2: System level
Parameters
ip-address: Remote address for the IPsec tunnel.
Description
Use tunnel remote to configure the remote address of an IPsec tunnel. Use undo tunnel remote to remove the configuration.
By default, no remote address is configured for the IPsec tunnel.
This command applies to only manual IPsec policies.
If you configure the remote address repeatedly, the last one takes effect.
An IPsec tunnel is established between the local and remote ends.
L2TP configuration commands
NOTE: The term "router" in this chapter refers to both routers and firewalls running routing protocols.
allow l2tp
Syntax
allow l2tp virtual-template virtual-template-number remote remote-name [ domain domain-name ]
undo allow
View
L2TP group view
Default level
2: System level
Parameters
virtual-template-number: Number of the virtual template interface for creating a virtual access (VA) interface, in the range of 0 to 1023.
Related commands: l2tp-group.
Examples
# Accept the L2TP tunneling request initiated by the peer (LAC) of aaa and create a virtual access interface according to virtual template 1.
system-view
[Sysname] l2tp-group 2
[Sysname-l2tp2] allow l2tp virtual-template 1 remote aaa
# Specify L2TP group 1 as the default L2TP group, accept the L2TP tunneling request initiated by any peer, and create a virtual access interface based on virtual template 1.
Table 26 Command output
Total session: Number of active sessions
LocalSID: Unique ID of the session at the local end
RemoteSID: Unique ID of the session at the remote end
LocalTID: Unique ID of the tunnel at the local end
display l2tp tunnel
Syntax
display l2tp tunnel [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression.
Sessions: Number of sessions within the tunnel
RemoteName: Name of the tunnel at the peer
interface virtual-template
Syntax
interface virtual-template virtual-template-number
undo interface virtual-template virtual-template-number
View
System view
Default level
2: System level
Parameters
virtual-template-number: Serial number for identifying the virtual template interface, in the range of 0 to 1023.
Parameters
None
Description
Use l2tp enable to enable the L2TP function. Use undo l2tp enable to disable the L2TP function.
By default, the L2TP function is disabled.
L2TP must be enabled for relevant L2TP configurations to take effect.
Related commands: l2tp-group.
Examples
# Enable the L2TP function.
View
Virtual template interface view
Default level
2: System level
Parameters
None
Description
Use l2tp-auto-client enable to trigger an LAC to establish an L2TP tunnel. Use undo l2tp-auto-client enable to remove the established L2TP tunnel.
By default, an LAC does not establish an L2TP tunnel.
Examples
# Trigger the LAC to establish an L2TP tunnel.
l2tpmoreexam enable
Syntax
l2tpmoreexam enable
undo l2tpmoreexam enable
View
System view
Default level
2: System level
Parameters
None
Description
Use l2tpmoreexam enable to enable the L2TP multi-instance function. Use undo l2tpmoreexam enable to disable the L2TP multi-instance function.
By default, the L2TP multi-instance function is disabled.
This command is available for only LNSs.
Related commands: l2tp enable.
Examples
# Enable the L2TP multi-instance function for the LNS.
connected to the VPN through an NAS-initialized tunnel: one on the NAS side and the other on the LNS side. Some PPP clients may not support the second authentication. In this case, the LNS-side CHAP authentication will fail.
Related commands: mandatory-lcp.
Examples
# Perform CHAP authentication by force.
reset l2tp tunnel
Syntax
reset l2tp tunnel { id tunnel-id | name remote-name }
View
User view
Default level
2: System level
Parameters
tunnel-id: Local ID of the tunnel, in the range of 1 to 8191.
remote-name: Name of the tunnel at the remote end, a case-sensitive string of 1 to 30 characters.
Description
Use reset l2tp tunnel to disconnect one or more specified tunnels and all sessions of the tunnels.
A tunnel disconnected by force can be re-established when a client makes a call.
Description
Use start l2tp to enable the firewall to initiate tunneling requests to one or more IP addresses for one or more specified VPN users. Use undo start to remove the configuration.
The start l2tp command is available for only LACs.
An LAC can initiate tunneling requests for users in a specific domain. For example, if the domain name of a company is aabbcc.net, users with such a domain name are considered VPN users. To specify a single VPN user, provide the fully qualified name of the user.
tunnel avp-hidden
Syntax
tunnel avp-hidden
undo tunnel avp-hidden
View
L2TP group view
Default level
2: System level
Parameters
None
Description
Use tunnel avp-hidden to transfer attribute value pair (AVP) data in hidden mode. Use undo tunnel avp-hidden to restore the default.
By default, AVP data is transferred over the tunnel in plain text mode.
The tunnel avp-hidden command is available for only LACs.
Examples
# Transfer AVP data in hidden mode.
system-view
[Sysname] l2tp-group 1
[Sysname-l2tp1] tunnel flow-control
tunnel name
Syntax
tunnel name name
undo tunnel name
View
L2TP group view
Default level
2: System level
Parameters
name: Name for the tunnel at the local end, a case-sensitive string of 1 to 30 characters.
Description
Use tunnel name to specify the name of a tunnel at the local end. Use undo tunnel name to restore the default.
By default, a tunnel takes the system name of the firewall as its name at the local end.
If you specify the cipher keyword, you can enter a password in either plain text or cipher text. If you specify the simple keyword, you can enter a password only in plain text. A plain text password is a string of 1 to 16 characters, for example, aabbcc. A cipher text password consists of 24 characters, for example, _(TT8F)Y\5SQ=^Q`MAF4<1!!.
Description
Use tunnel password to specify the password for tunnel authentication. Use undo tunnel password to remove the configuration.
Certificate management commands
attribute
Syntax
attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
undo attribute { id | all }
View
Certificate attribute group view
Default level
2: System level
Parameters
id: Sequence number of the certificate attribute rule, in the range 1 to 16.
alt-subject-name: Specifies the name of the alternative certificate subject.
fqdn: Specifies the FQDN of the entity.
system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc
# Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string of abc.
[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc
# Create a certificate attribute rule, specifying that the IP address in the alternative subject name cannot be 10.0.0.1.
Parameters
entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters.
Description
Use certificate request entity to specify the entity for certificate request. Use undo certificate request entity to remove the configuration.
By default, no entity is specified for certificate request.
Related commands: pki entity.
Examples
# Specify the entity for certificate request as entity1.
undo certificate request mode
View
PKI domain view
Default level
2: System level
Parameters
auto: Requests a certificate in auto mode.
key-length: Length of the RSA keys in bits, in the range 512 to 2048. It is 1024 bits by default.
cipher: Displays the password in cipher text.
simple: Displays the password in clear text.
password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters.
manual: Requests a certificate in manual mode.
interval minutes: Specifies the polling interval in minutes, in the range 5 to 168.
Description
Use certificate request polling to specify the certificate request polling interval and attempt limit. Use undo certificate request polling to restore the defaults.
By default, the polling is executed every 20 minutes for up to 50 times.
After an applicant makes a certificate request, the CA might need a long period of time if it verifies the certificate request manually.
common-name
Syntax
common-name name
undo common-name
View
PKI entity view
Default level
2: System level
Parameters
name: Common name of an entity, a case-insensitive string of 1 to 31 characters. No comma can be included.
Description
Use common-name to configure the common name of an entity, which can be, for example, the username. Use undo common-name to remove the configuration.
By default, no common name is specified.
Examples
# Configure the common name of an entity as test.
Examples
# Set the country code of an entity to CN.
system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] country CN
crl check
Syntax
crl check { disable | enable }
View
PKI domain view
Default level
2: System level
Parameters
disable: Disables CRL checking.
enable: Enables CRL checking.
Description
Use crl check to enable or disable CRL checking.
By default, CRL checking is enabled.
CRLs are files issued by the CA to publish all certificates that have been revoked.
Description
Use crl update-period to set the CRL update period, that is, the interval at which a PKI entity with a certificate downloads the latest CRL from the LDAP server. Use undo crl update-period to restore the default.
By default, the CRL update period depends on the next update field in the CRL file.
Examples
# Set the CRL update period to 20 hours.
View
Any view
Default level
2: System level
Parameters
ca: Displays the CA certificate.
local: Displays the local certificate.
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
request-status: Displays the status of a certificate request.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
CN=pki test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00D41D1F …
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: hyf.xxyyzz.net
X509v3 CRL Distribution Points:
URI:http://1.1.1.1:447/myca.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display pki certificate access-control-policy to display information about one or all certificate attribute-based access control policies.
Examples # Display information about certificate attribute group mygroup.
Examples # Display the locally saved CRLs.
undo fqdn
View
PKI entity view
Default level
2: System level
Parameters
name-str: Fully qualified domain name (FQDN) of an entity, a case-insensitive string of 1 to 127 characters.
Description
Use fqdn to configure the FQDN of an entity. Use undo fqdn to remove the configuration.
By default, no FQDN is specified for an entity.
An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain name and can be resolved into an IP address.
ldap-server
Syntax
ldap-server ip ip-address [ port port-number ] [ version version-number ]
undo ldap-server
View
PKI domain view
Default level
2: System level
Parameters
ip-address: IP address of the LDAP server, in dotted decimal format.
port-number: Port number of the LDAP server, in the range 1 to 65535. The default is 389.
version-number: LDAP version number, either 2 or 3. By default, it is 2.
Description
Use ldap-server to specify an LDAP server for a PKI domain.
Examples
# Configure the locality of an entity as city.
system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] locality city
organization
Syntax
organization org-name
undo organization
View
PKI entity view
Default level
2: System level
Parameters
org-name: Organization name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Description
Use organization to configure the name of the organization to which the entity belongs.
Description
Use organization-unit to specify the name of the organization unit to which this entity belongs. Use undo organization-unit to remove the configuration.
By default, no organization unit name is specified for an entity.
Examples
# Configure the name of the organization unit to which an entity belongs as group1.
View
System view
Default level
2: System level
Parameters
group-name: Name for the certificate attribute group, a case-insensitive string of 1 to 16 characters. It cannot be "a", "al", or "all".
all: Specifies all certificate attribute groups.
Description
Use pki certificate attribute-group to create a certificate attribute group and enter its view. Use undo pki certificate attribute-group to delete one or all certificate attribute groups.
By default, no certificate attribute group exists.
pki domain
Syntax
pki domain domain-name
undo pki domain domain-name
View
System view
Default level
2: System level
Parameters
domain-name: PKI domain name, a case-insensitive string of 1 to 15 characters.
Description
Use pki domain to create a PKI domain and enter PKI domain view or enter the view of an existing PKI domain. Use undo pki domain to remove a PKI domain.
By default, no PKI domain exists.
Examples
# Create a PKI domain and enter its view.
Examples
# Create a PKI entity named en and enter its view.
system-view
[Sysname] pki entity en
[Sysname-pki-entity-en]
pki import-certificate
Syntax
pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
View
System view
Default level
2: System level
Parameters
ca: Specifies the CA certificate.
local: Specifies the local certificate.
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
der: Specifies the certificate format of DER.
pki request-certificate domain
Syntax
pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]
View
System view
Default level
2: System level
Parameters
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters.
Default level
2: System level
Parameters
ca: Retrieves the CA certificate.
local: Retrieves the local certificate.
domain-name: Name of the PKI domain used for certificate request.
Description
Use pki retrieval-certificate to retrieve a certificate from the server for certificate distribution.
Related commands: pki domain.
Examples
# Retrieve the CA certificate from the certificate issuing server.
Default level
2: System level
Parameters
ca: Verifies the CA certificate.
local: Verifies the local certificate.
domain-name: Name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters.
Description
Use pki validate-certificate to verify the validity of a certificate. Certificate validity verification checks that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.
Related commands: pki domain.
[Sysname-pki-domain-1] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E # Configure a SHA1 fingerprint for verifying the validity of the CA root certificate.
View
PKI entity view
Default level
2: System level
Parameters
state-name: State or province name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Description
Use state to specify the name of the state or province where an entity resides. Use undo state to remove the configuration.
By default, no state or province is specified.
Examples
# Specify the state where an entity resides.
Public key configuration commands
display public-key local public
Syntax
display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
dsa: Specifies a DSA key pair.
rsa: Specifies an RSA key pair.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12
B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75
1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001
# Display the public key information of the local DSA key pair.
Default level
1: Monitor level
Parameters
brief: Displays brief information about all the public keys of remote hosts.
name publickey-name: Displays information about a remote host's public key. publickey-name represents a public key by its name, a case-sensitive string of 1 to 64 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
peer-public-key end
Syntax
peer-public-key end
View
Public key view
Default level
2: System level
Parameters
None
Description
Use peer-public-key end to return from public key view to system view.
Related commands: public-key peer.
Examples
# Exit public key view.
Examples
# Enter public key code view and type the key.
[Sysname-pkey-key-code] public-key-code end
[Sysname-pkey-public-key]
public-key local create
Syntax
public-key local create { dsa | rsa }
View
System view
Default level
2: System level
Parameters
dsa: Specifies a DSA key pair.
rsa: Specifies an RSA key pair.
Description
Use public-key local create to create local key pairs. The created local key pairs are saved automatically, and can survive a reboot.
system-view
[Sysname] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
*
*
public-key local destroy
Syntax
public-key local destroy { dsa | rsa }
View
System view
Default level
2: System level
Parameters
dsa: DSA key pair.
rsa: RSA key pair.
Default level
2: System level
Parameters
openssh: Uses the format of OpenSSH.
ssh2: Uses the format of SSH2.0.
filename: Specifies the name of the file for storing the local public key. For more information about file name, see System Management and Maintenance Configuration Guide.
Description
Use public-key local export dsa to display the local DSA public key on the screen or export it to a specified file.
public-key local export rsa
Syntax
public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ]
View
System view
Default level
2: System level
Parameters
openssh: Uses the format of OpenSSH.
ssh1: Uses the format of SSH1.5.
ssh2: Uses the format of SSH2.0.
filename: Specifies the name of the file for storing the host public key. For more information about file name, see System Management and Maintenance Configuration Guide.
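The Key code that display public-key local rsa public prints is the DER-encoded SubjectPublicKeyInfo of the local RSA key, and public-key local export rsa openssh re-encodes that same key in the OpenSSH line format. The Python below is an added example, not code from the HP documentation or from the device: it parses the SERVER_KEY hex shown earlier with a minimal DER decoder, rebuilds the RFC 4253 ssh-rsa blob, derives the OpenSSH-style SHA256 fingerprint so the key can be compared out-of-band with what a peer imports via public-key peer import sshkey, and applies a minimum-modulus policy check. The decoder, the 2048-bit threshold and the fingerprint format are the example's own choices; the hex is copied verbatim from the output above with its line-wrap spaces removed. The displayed key is only 768 bits: public-key local create accepts 512 to 2048 bits, and RSA-768 has been publicly factored, so generate 2048-bit keys.

```python
import base64
import hashlib
import struct

# DER SubjectPublicKeyInfo hex copied from the display public-key local rsa public
# output on this page (line-wrap spaces removed).
SERVER_KEY_DER_HEX = (
    "307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12"
    "B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75"
    "1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001"
)
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _tlv(buf, pos=0):
    """Decode one DER tag-length-value starting at pos; return (tag, value, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """Return (n, e) from a DER SubjectPublicKeyInfo carrying an rsaEncryption key."""
    tag, spki, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, alg_id, pos = _tlv(spki)              # AlgorithmIdentifier
    _, oid, _ = _tlv(alg_id)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)           # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_key, _ = _tlv(bits[1:])           # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, pos = _tlv(rsa_key)
    _, e_bytes, _ = _tlv(rsa_key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:                          # keep the two's-complement mpint positive
        b = b"\x00" + b
    return _ssh_string(b)


def ssh_rsa_blob(n, e):
    """RFC 4253 public-key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def to_openssh(n, e, comment):
    """One-line OpenSSH public key (authorized_keys / known_hosts style)."""
    return "ssh-rsa " + base64.b64encode(ssh_rsa_blob(n, e)).decode() + " " + comment


def sha256_fingerprint(n, e):
    """OpenSSH-style SHA256 fingerprint of the key blob (unpadded base64)."""
    digest = hashlib.sha256(ssh_rsa_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_is_strong(n, minimum_bits=2048):
    """Policy check chosen for this example: reject moduli shorter than minimum_bits."""
    return n.bit_length() >= minimum_bits


if __name__ == "__main__":
    n, e = parse_rsa_spki(bytes.fromhex(SERVER_KEY_DER_HEX))
    print("modulus bits:", n.bit_length(), "exponent:", e)
    print(to_openssh(n, e, "SERVER_KEY"))
    print(sha256_fingerprint(n, e), "strong:", key_is_strong(n))
```

Run it directly to print the modulus size, the OpenSSH line and the fingerprint; compare the fingerprint over a trusted channel before the key is imported on a peer, and treat a strong: False result as a reason to regenerate the key pair.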
public-key peer
Syntax
public-key peer keyname
undo public-key peer keyname
View
System view
Default level
2: System level
Parameters
keyname: Specifies the public key name of a remote host, a case-sensitive string of 1 to 64 characters.
Description
Use public-key peer to specify a name for a remote host's public key and enter public key view. Use undo public-key peer to remove a remote host's public key.
filename: Specifies the name of the file that saves a remote host's host public key. The value range depends on the device model. For more information about file name, see System Management and Maintenance Configuration Guide.
Description
Use public-key peer import sshkey to import a remote host's host public key from the public key file. Use undo public-key peer to remove the specified host public key of a remote host.
SSL VPN configuration commands
The following matrix shows the feature and firewall compatibility:
Feature   F1000-A-EI/S-EI   F1000-E   F5000   Firewall module
SSL VPN   Yes               Yes       No      No
ssl-vpn enable
Syntax
ssl-vpn enable
undo ssl-vpn enable
View
System view
Default level
2: System level
Parameters
None
Description
Use ssl-vpn enable to enable the SSL VPN service. Use undo ssl-vpn enable to disable the SSL VPN service. By default, the SSL VPN service is disabled.
undo ssl-vpn server-policy
View
System view
Default level
2: System level
Parameters
server-policy-name: Name of the SSL server policy, a case-insensitive string of 1 to 16 characters.
port port-number: Specifies the port number to be used by the SSL VPN service. The port-number argument is in the range of 1 to 65535 and defaults to 443.
Description
Use ssl-vpn server-policy to specify the SSL server policy and port to be used by the SSL VPN service.
DVPN configuration commands
The following matrix shows the feature and firewall compatibility:
Feature   F1000-A-EI/S-EI   F1000-E   F5000   Firewall module
DVPN      No                Yes       Yes     Yes
VAM server configuration commands
authentication-algorithm
Syntax
authentication-algorithm { none | { md5 | sha-1 } * }
undo authentication-algorithm
View
VPN domain view
Default level
2: System level
Parameters
none: Performs no authentication.
md5: Uses the MD5 (message digest 5) authentication algorithm.
authentication-method
Syntax
authentication-method { none | { chap | pap } [ domain name-string ] }
undo authentication-method
View
VPN domain view
Default level
2: System level
Parameters
none: Performs no authentication of clients.
chap: Performs CHAP (Challenge Handshake Authentication Protocol) authentication.
pap: Performs PAP (Password Authentication Protocol) authentication.
domain name-string: Specifies the ISP domain for authentication.
vpn vpn-name: Displays the address mapping information of all registered VAM clients in a VPN domain. The vpn-name argument indicates the VPN domain name and is a case-insensitive string of 1 to 15 characters.
private-ip private-ip: Displays the address mapping information of the VAM client with the specified private IP address. The private-ip argument indicates the private IP address of the VAM client.
|: Filters command output by specifying a regular expression.
Field          Description
Private-ip     Private address that the VAM client registers with the VAM server
Public-ip      Public address that the VAM client registers with the VAM server
Type           Type of the VAM client, Hub or Spoke
Holding time   Time that has elapsed since the VAM client registered with the server successfully, in the format xxH xxM xxS (xx hour xx minute xx second).
Succeeded resolution times: 10
Failed resolution times: 1
VPN name: 9
Service: enable
Holding time: 0h 33m 53s
Registered spoke number: 23
Registered hub number: 1
Address resolution times: 150
Succeeded resolution times: 148
Failed resolution times: 2
# Display statistics about VAM clients in VPN domain 1.
Default level
2: System level
Parameters
3des: Uses the 3DES encryption algorithm.
aes-128: Uses the AES encryption algorithm, with the key length being 128 bits.
des: Uses the DES encryption algorithm.
none: Performs no encryption.
Description
Use encryption-algorithm to specify the algorithms for protocol packet encryption and their priorities. Use undo encryption-algorithm to restore the default. By default, three encryption algorithms are available and preferred in this order: AES-128, 3DES and DES.
• The public IP address argument is optional. When a Hub registers, the VAM server will get the public address of the Hub.
• Currently, up to two Hubs can be configured on a VAM server.
Related commands: vam server vpn.
Examples
# Configure a Hub for VPN domain 1, setting the public and private IP addresses as 123.0.0.1 and 10.1.1.1 respectively.
system-view
[Sysname] vam server vpn 1
[Sysname-vam-server-vpn-1] hub private-ip 10.1.1.1 public-ip 123.0.0.
View
VPN domain view
Default level
2: System level
Parameters
retry-times: Maximum number of attempts for a VAM client to send a keepalive packet, in the range 1 to 6.
Description
Use keepalive retry to set the maximum number of attempts for a VAM client to send a keepalive packet to the VAM server. If the maximum number of attempts is reached but the client receives no response, the connection is considered broken. Use undo keepalive retry to restore the default.
Use undo pre-shared-key to remove the configuration. By default, no pre-shared key is configured.
Related commands: authentication-algorithm, encryption-algorithm, pre-shared-key (VAM client view), and vam server vpn.
Examples
# Configure the pre-shared key of the VAM server to 123, setting the display mode as plain text.
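The VAM server commands above accept several settings that weaken the DVPN control channel: authentication-algorithm none or md5, encryption-algorithm none or des (DES is also in the default algorithm list, so a VPN domain with no explicit encryption-algorithm command still offers it), authentication-method none, and a pre-shared key kept in the plain-text display mode. The Python below is an added example, not HP code, that audits a saved configuration for those settings. The configuration text is constructed for the example in the command syntax documented on this page; the pre-shared-key lines assume the same cipher | simple keywords that the user command in VAM client view uses, and the $c$3$... strings are placeholders standing in for cipher-text passwords.

```python
import re

# Constructed sample of a VAM server configuration in the command syntax documented
# on this page; it is not a capture from a device. The pre-shared-key lines assume
# the cipher | simple keywords of the user command; $c$3$... strings are placeholders.
SAMPLE_CONFIG = """\
vam server vpn 1
 authentication-algorithm md5 sha-1
 encryption-algorithm des 3des
 authentication-method none
 pre-shared-key simple 123
vam server vpn 2
 authentication-algorithm sha-1
 encryption-algorithm aes-128
 authentication-method chap domain dvpn
 pre-shared-key cipher $c$3$AbCdEf
vam server vpn 3
 authentication-algorithm sha-1
 pre-shared-key cipher $c$3$GhIjKl
"""

VPN_RE = re.compile(r"^vam server vpn (\S+)$")


def audit_vam_server(config_text):
    """Return [(vpn_name, line_no, finding), ...] for weak VAM server settings."""
    findings = []
    vpn = None
    vpn_lines = {}          # vpn name -> line where the VPN domain view was entered
    explicit_enc = set()    # vpn names that carry an explicit encryption-algorithm
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = VPN_RE.match(line)
        if m:
            vpn = m.group(1)
            vpn_lines[vpn] = line_no
            continue
        if not line or vpn is None:
            continue
        cmd, *args = line.split()
        if cmd == "authentication-algorithm":
            if "none" in args:
                findings.append((vpn, line_no, "VAM packets are not authenticated"))
            if "md5" in args:
                findings.append((vpn, line_no, "MD5 packet authentication is enabled"))
        elif cmd == "encryption-algorithm":
            explicit_enc.add(vpn)
            if "none" in args:
                findings.append((vpn, line_no, "VAM packets are not encrypted"))
            if "des" in args:   # exact token, so 3des does not match
                findings.append((vpn, line_no, "single DES is enabled"))
        elif cmd == "authentication-method" and args[:1] == ["none"]:
            findings.append((vpn, line_no, "VAM clients are not authenticated"))
        elif cmd == "pre-shared-key" and args[:1] == ["simple"]:
            findings.append((vpn, line_no, "pre-shared key stored in plain text"))
    # Per the command reference, the default list (AES-128, 3DES, DES) applies
    # whenever encryption-algorithm is absent from the VPN domain.
    for name, line_no in vpn_lines.items():
        if name not in explicit_enc:
            findings.append((name, line_no, "default encryption list includes DES"))
    return findings


if __name__ == "__main__":
    for vpn, line_no, finding in audit_vam_server(SAMPLE_CONFIG):
        print(f"line {line_no} (vpn {vpn}): {finding}")
```

Feed it the output of a saved configuration; a clean domain looks like VPN domain 2 above, which names sha-1 and aes-128 explicitly, authenticates clients, and keeps the pre-shared key in cipher text.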
Default level
2: System level
Parameters
all: Specifies all existing VPN domains.
vpn vpn-name: Specifies an existing VPN domain. The vpn-name argument indicates the VPN domain name and is a case-insensitive string of 1 to 15 characters. Valid characters are A to Z, a to z, 0 to 9, and the dot sign (.).
Description
Use vam server enable to enable the VAM server feature for all VPN domains or a specified VPN domain.
Examples
# Configure the VAM service listening address to 10.1.1.1 and UDP port number to 2000.
system-view
[Sysname] vam server ip-address 10.1.1.1 port 2000
vam server vpn
Syntax
vam server vpn vpn-name
undo vam server vpn vpn-name
View
System view
Default level
2: System level
Parameters
vpn-name: VPN domain name, a case-insensitive string of 1 to 15 characters. Valid characters are A to Z, a to z, 0 to 9, and the dot sign (.).
Description
Use client enable to enable the VAM client feature for a VAM client. Use undo client enable to restore the default. By default, the VAM client feature is disabled.
Related commands: vam client enable and vam client name.
Examples
# Enable the VAM client feature for VAM client spoke.
Examples
# Display the status information of VAM client abc.
display vam client fsm abc
Client name: hub
VPN name: 1
Interface: Tunnel0
Resend interval(seconds): 5
Client type: Hub
Username: user1
Primary server: 28.1.1.23
Current state: ONLINE
Holding time: 9h 20m 30s
Encryption-algorithm: AES-128
Authentication-algorithm: SHA1
Secondary server: 28.1.1.
10.0.0.3 222.222.222.
resend interval
Syntax
resend interval time-interval
undo resend interval
View
VAM client view
Default level
2: System level
Parameters
time-interval: Protocol packet retransmission interval, in the range 3 to 30 seconds.
Description
Use resend interval to set the interval for the VAM client to resend VAM protocol packets. Use undo resend interval to restore the default. By default, the protocol packet retransmission interval is 5 seconds.
Use undo server primary to restore the default. By default, no public network address or UDP port is specified for the primary VAM server. If you execute the command repeatedly, the last configuration takes effect.
Related commands: display vam client, server secondary, and vam client name.
Examples
# Specify the primary VAM server for the client, setting the public IP address and port number to 1.1.1.1 and 2000 respectively.
undo user
View
VAM client view
Default level
2: System level
Parameters
username: Username for the VAM client, a case-sensitive string of 1 to 253 characters. It cannot contain the special characters /, :, *, ?, <, >, @, |, and \.
cipher: Displays the password in cipher text.
simple: Displays the password in plain text.
string: Password for the VAM client, a case-sensitive string of 1 to 63 characters.
Use undo vam client enable to disable the VAM client feature for all VAM clients or a specified VAM client. By default, the VAM client feature is disabled.
Related commands: client enable and vam client name.
Examples
# Enable the VAM client feature for VAM client spoke.
Default level
2: System level
Parameters
vpn-name: Name of the VPN that the VAM client belongs to, a case-insensitive string of 1 to 15 characters. Valid characters are A to Z, a to z, 0 to 9, and the dot sign (.).
Description
Use vpn to specify the VPN that a VAM client belongs to. Use undo vpn to remove the configuration. By default, a VAM client does not belong to any VPN.
Related commands: display vam client and vam client name.
Examples
# Specify that VAM client abc belongs to VPN 100.
Description
Use display dvpn session to display information about DVPN sessions.
Related commands: reset dvpn session.
Examples
# Display information about DVPN sessions of interface Tunnel 0.
display dvpn session interface tunnel 0
Interface: Tunnel0
Total number: 2
Private IP: 10.0.0.21
Public IP: 28.1.1.
dvpn session dumb-time
Syntax
dvpn session dumb-time time-interval
undo dvpn session dumb-time
View
Tunnel interface view
Default level
2: System level
Parameters
time-interval: Quiet period of a DVPN tunnel, in the range 10 to 600 seconds.
Description
Use dvpn session dumb-time to set the quiet period for a DVPN tunnel. Use undo dvpn session dumb-time to restore the default. By default, the quiet period is 120 seconds.
By default, the idle timeout for a Spoke-Spoke DVPN tunnel is 600 seconds. This setting must be the same for all VAM clients in a VPN domain.
Related commands: interface tunnel and tunnel-protocol.
Examples
# Set the idle timeout for a Spoke-Spoke DVPN tunnel to 800 seconds.
reset dvpn session
Syntax
reset dvpn session { all | interface interface-type interface-number [ private-ip ip-address ] }
View
User view
Default level
2: System level
Parameters
all: Specifies all Spoke-Spoke and Spoke-Hub tunnels of the VAM client.
interface interface-type interface-number: Specifies the DVPN tunnels of an interface indicated by interface-type and interface-number. The interface-type argument can only be tunnel.
You can use the ip binding vpn-instance command on the tunnel’s source interface to specify the VPN to which the tunnel source address belongs. The tunnel source address and the tunnel destination address must belong to the same VPN or both belong to the public network.
Examples
# On interface Tunnel 0, specify that the tunneled packets belong to the VPN vpn10.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents a firewall.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.