display ipsec { ipv6-policy | policy }

Use display ipsec { ipv6-policy | policy } to display information about IPsec policies.

Syntax

display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

ipv6-policy: Displays information about IPv6 IPsec policies.

policy: Displays information about IPv4 IPsec policies.

policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.

seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535.

Usage guidelines

If you do not specify any parameters, this command displays information about all IPsec policies.

If you specify an IPsec policy name and a sequence number, this command displays information about the specified IPsec policy entry. If you specify an IPsec policy name without any sequence number, this command displays information about all IPsec policy entries with the specified name.

Examples

# Display information about all IPv4 IPsec policies.

<Sysname> display ipsec policy
-------------------------------------------
IPsec Policy: mypolicy
-------------------------------------------

  -----------------------------
  Sequence number: 1
  Mode: Manual
  -----------------------------
  The policy configuration is incomplete:
           ACL not specified
           Incomplete transform-set configuration
  Description: This is my first IPv4 manual policy
  Security data flow:
  Remote address: 2.5.2.1
  Transform set: transform

  Inbound AH setting:
    AH SPI: 1200 (0x000004b0)
    AH string-key: ******
    AH authentication hex key:

  Inbound ESP setting:
    ESP SPI: 1400 (0x00000578)
    ESP string-key:
    ESP encryption hex key:
    ESP authentication hex key:

  Outbound AH setting:
    AH SPI: 1300 (0x00000514)
    AH string-key: ******
    AH authentication hex key:

  Outbound ESP setting:
    ESP SPI: 1500 (0x000005dc)
    ESP string-key: ******
    ESP encryption hex key:
    ESP authentication hex key:

  -----------------------------
  Sequence number: 2
  Mode: ISAKMP
  -----------------------------
  The policy configuration is incomplete:
           Remote-address not set
           ACL not specified
           Transform-set not set
  Description: This is my first IPv4 Isakmp policy
  Traffic Flow Confidentiality: Enabled
  Security data flow:
  Selector mode: standard
  Local address:
  Remote address:
  Transform set:
  IKE profile:
  IKEv2 profile:
  SA duration(time based): 3600 seconds
  SA duration(traffic based): 1843200 kilobytes
  SA idle time:
-------------------------------------------
IPsec Policy: mycompletepolicy
Interface: LoopBack2
-------------------------------------------

  -----------------------------
  Sequence number: 1
  Mode: Manual
  -----------------------------
  Description: This is my complete policy
  Security data flow: 3100
  Remote address: 2.2.2.2
  Transform set: completetransform

  Inbound AH setting:
    AH SPI: 5000 (0x00001388)
    AH string-key: ******
    AH authentication hex key:

  Inbound ESP setting:
    ESP SPI: 7000 (0x00001b58)
    ESP string-key: ******
    ESP encryption hex key:
    ESP authentication hex key:

  Outbound AH setting:
    AH SPI: 6000 (0x00001770)
    AH string-key: ******
    AH authentication hex key:

  Outbound ESP setting:
    ESP SPI: 8000 (0x00001f40)
    ESP string-key: ******
    ESP encryption hex key:
    ESP authentication hex key:

  -----------------------------
  Sequence number: 2
  Mode: ISAKMP
  -----------------------------
  Description: This is my complete policy
  Traffic Flow Confidentiality: Enabled
  Security data flow: 3200
  Selector mode: standard
  Local address:
  Remote address: 5.3.6.9
  Transform set:  completetransform
  IKE profile:
  IKEv2 profile:
  SA duration(time based): 3600 seconds
  SA duration(traffic based): 1843200 kilobytes
  SA idle time:

# Display information about all IPv6 IPsec policies.

<Sysname> display ipsec ipv6-policy
-------------------------------------------
IPsec Policy: mypolicy
-------------------------------------------

  -----------------------------
  Sequence number: 1
  Mode: Manual
  -----------------------------
  Description: This is my first IPv6 policy
  Security data flow: 3600
  Remote address: 1000::2
  Transform set: mytransform

  Inbound AH setting:
    AH SPI: 1235 (0x000004d3)
    AH string-key: ******
    AH authentication hex key:

  Inbound ESP setting:
    ESP SPI: 1236 (0x000004d4)
    ESP string-key: ******
    ESP encryption hex key:
    ESP authentication hex key:

  Outbound AH setting:
    AH SPI: 1237 (0x000004d5)
    AH string-key: ******
    AH authentication hex key:

  Outbound ESP setting:
    ESP SPI: 1238 (0x000004d6)
    ESP string-key: ******
    ESP encryption hex key:
    ESP authentication hex key:

Table 38: Command output

Field: Description

IPsec Policy: IPsec policy name.

Interface: Interface to which the IPsec policy is applied.

Sequence number: Sequence number of the IPsec policy entry.

Mode: Negotiation mode of the IPsec policy:

  • Manual—Manual mode.

  • ISAKMP—IKE negotiation mode.

  • Template—IPsec policy template mode.

The policy configuration is incomplete: The IPsec policy configuration is incomplete. Possible causes include:

  • The ACL is not configured.

  • The IPsec transform set is not configured.

  • The ACL does not have any permit statements.

  • The IPsec transform set configuration is not complete.

  • The peer IP address of the IPsec tunnel is not specified.

  • The SPI and key of the IPsec SA do not match those in the IPsec policy.

Description: Description of the IPsec policy.

Traffic Flow Confidentiality: Whether Traffic Flow Confidentiality (TFC) padding is enabled.

Security data flow: ACL used by the IPsec policy.

Selector mode: Data flow protection mode of the IPsec policy: standard, aggregation, or per-host.

Local address: Local end IP address of the IPsec tunnel (available only for the IKE-based IPsec policy).

Remote address: Remote end IP address or host name of the IPsec tunnel.

Transform set: Transform set used by the IPsec policy.

IKE profile: IKE profile used by the IPsec policy.

IKEv2 profile: IKEv2 profile used by the IPsec policy.

SA duration(time based): Time-based IPsec SA lifetime, in seconds.

SA duration(traffic based): Traffic-based IPsec SA lifetime, in kilobytes.

SA idle time: Idle timeout of the IPsec SA, in seconds.

AH string-key: AH string key. This field displays ****** if the key is configured and is empty if the key is not configured.

AH authentication hex key: AH authentication hexadecimal key. This field displays ****** if the key is configured and is empty if the key is not configured.

ESP string-key: ESP string key. This field displays ****** if the key is configured and is empty if the key is not configured.

ESP encryption hex key: ESP encryption hexadecimal key. This field displays ****** if the key is configured and is empty if the key is not configured.

ESP authentication hex key: ESP authentication hexadecimal key. This field displays ****** if the key is configured and is empty if the key is not configured.
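
Added example, not part of the original command reference or the vendor's own tooling: a Python parser for the output format shown above that collects each policy entry, the causes listed under "The policy configuration is incomplete", and which key fields are configured (masked as ******). The function names and the sample text are constructed for illustration.

```python
# Constructed sample, abridged from the output format shown in the examples above.
SAMPLE = """\
-------------------------------------------
IPsec Policy: mypolicy
-------------------------------------------
  Sequence number: 1
  Mode: Manual
  The policy configuration is incomplete:
           ACL not specified
           Incomplete transform-set configuration
  Inbound ESP setting:
    ESP string-key:
  Outbound ESP setting:
    ESP string-key: ******
-------------------------------------------
IPsec Policy: mycompletepolicy
Interface: LoopBack2
-------------------------------------------
  Sequence number: 2
  Mode: ISAKMP
"""

def parse_entries(text):  # hypothetical helper: one dict per IPsec policy entry
    entries, policy, iface, cur, side = [], None, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue  # blank line or separator rule
        key, colon, val = (part.strip() for part in line.partition(":"))
        if key == "IPsec Policy":
            policy, iface, cur = val, None, None
        elif key == "Interface":
            iface = val
        elif key == "Sequence number":
            cur = {"policy": policy, "interface": iface, "seq": int(val),
                   "mode": None, "incomplete": [], "keys": {}}
            entries.append(cur)
        elif cur is None:
            continue  # e.g. a pasted prompt line before the first entry
        elif not colon:
            cur["incomplete"].append(line)  # listed causes carry no colon
        elif key == "Mode":
            cur["mode"] = val
        elif key.endswith(" setting"):
            side = key.split()[0]  # "Inbound" or "Outbound"
        elif key.endswith("key"):
            cur["keys"][f"{side} {key}"] = val == "******"  # masked = configured
    return entries

def incomplete_entries(text):  # entries the device itself reports as incomplete
    return [e for e in parse_entries(text) if e["incomplete"]]
```

Run over a saved capture of the command output, incomplete_entries returns the entries to fix, and the keys map shows which direction is missing a key.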

Related commands

ipsec { ipv6-policy | policy }