display ipsec tunnel

Use display ipsec tunnel to display information about IPsec tunnels.

Syntax

display ipsec tunnel { brief | count | tunnel-id tunnel-id }

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

brief: Displays brief information about IPsec tunnels.

count: Displays the number of IPsec tunnels.

tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967295.

Usage guidelines

IPsec is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.

Examples

# Display brief information about all IPsec tunnels.

<Sysname> display ipsec tunnel brief
----------------------------------------------------------------------------
Tunn-id   Src Address     Dst Address     Inbound SPI   Outbound SPI  Status
----------------------------------------------------------------------------
0         --              --              1000          2000          Active
                                          3000          4000
1         1.2.3.1         2.2.2.2         5000          6000          Active
                                          7000          8000

Table 45: Command output

Field          Description
-------------  ----------------------------------------------------------------
Src Address    Source IP address of the IPsec tunnel. For IPsec SAs created by
               using IPsec profiles, this field displays two hyphens (--).
Dst Address    Destination IP address of the IPsec tunnel. For IPsec SAs created
               by using IPsec profiles, this field displays two hyphens (--).
Inbound SPI    Valid SPI in the inbound direction of the IPsec tunnel. If the
               tunnel uses two security protocols, the two inbound SPIs are
               displayed on two lines.
Outbound SPI   Valid SPI in the outbound direction of the IPsec tunnel. If the
               tunnel uses two security protocols, the two outbound SPIs are
               displayed on two lines.
Status         Status of the IPsec SA, which can only be Active.
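The brief listing above is the form an operator most often collects from a device for monitoring. The following parser is an added example, not H3C/HPE code: it turns the brief output into records, merges the indented continuation line that appears when a tunnel uses both AH and ESP, treats "--" as "no address" for profile-based SAs (as Table 45 describes), cross-checks the number of parsed tunnels against the count output, and reports tunnels whose remote address is not on an operator-supplied allow-list. The sample text is a constructed copy of the output shown on this page; the allow-list and the helper names are assumptions for the example.

```python
"""Parser for the 'display ipsec tunnel brief' output shown above.

Added example, not H3C/HPE code. The sample text is a constructed copy of the
output on this page; the column layout and the meaning of '--' and of the
continuation line come from Table 45.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the brief output from this page, copied verbatim.
BRIEF_OUTPUT = """\
<Sysname> display ipsec tunnel brief
----------------------------------------------------------------------------
Tunn-id   Src Address     Dst Address     Inbound SPI   Outbound SPI  Status
----------------------------------------------------------------------------
0         --              --              1000          2000          Active
                                          3000          4000
1         1.2.3.1         2.2.2.2         5000          6000          Active
                                          7000          8000
"""

# Constructed sample: the count output from this page.
COUNT_OUTPUT = "Total IPsec Tunnel Count: 2"


@dataclass
class Tunnel:
    tunnel_id: int
    src: Optional[str]          # None when the device prints "--" (profile-based SA)
    dst: Optional[str]
    inbound_spis: List[int] = field(default_factory=list)
    outbound_spis: List[int] = field(default_factory=list)
    status: str = ""


# Primary row: tunnel ID, src, dst, inbound SPI, outbound SPI, status.
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
# Continuation row for a second security protocol: two SPIs only, indented.
CONT_RE = re.compile(r"^\s+(\d+)\s+(\d+)\s*$")
COUNT_RE = re.compile(r"Total IPsec Tunnel Count:\s*(\d+)")


def parse_brief(text: str) -> List[Tunnel]:
    """Turn the brief listing into Tunnel records, merging continuation lines."""
    tunnels: List[Tunnel] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            tid, src, dst, in_spi, out_spi, status = m.groups()
            tunnels.append(Tunnel(
                tunnel_id=int(tid),
                src=None if src == "--" else src,
                dst=None if dst == "--" else dst,
                inbound_spis=[int(in_spi)],
                outbound_spis=[int(out_spi)],
                status=status,
            ))
            continue
        m = CONT_RE.match(line)
        if m and tunnels:
            # The indented line belongs to the most recent tunnel (AH + ESP case).
            tunnels[-1].inbound_spis.append(int(m.group(1)))
            tunnels[-1].outbound_spis.append(int(m.group(2)))
        # The prompt, header and separator lines match neither pattern.
    return tunnels


def parse_count(text: str) -> Optional[int]:
    """Read the total from 'display ipsec tunnel count' output."""
    m = COUNT_RE.search(text)
    return int(m.group(1)) if m else None


def unexpected_peers(tunnels: List[Tunnel], allowed_peers) -> List[int]:
    """IDs of tunnels whose remote address is not on the allow-list.

    Profile-based tunnels show '--' for both addresses, so they carry no peer
    to check here and are skipped.
    """
    return [t.tunnel_id for t in tunnels
            if t.dst is not None and t.dst not in allowed_peers]


def count_matches(tunnels: List[Tunnel], count_text: str) -> bool:
    """Cross-check the brief listing against 'display ipsec tunnel count'."""
    return parse_count(count_text) == len(tunnels)


if __name__ == "__main__":
    tunnels = parse_brief(BRIEF_OUTPUT)
    for t in tunnels:
        print(t)
    print("count matches:", count_matches(tunnels, COUNT_OUTPUT))
    # Assumed allow-list for the example: only 2.2.2.2 is an expected peer.
    print("unexpected peers:", unexpected_peers(tunnels, {"2.2.2.2"}))
```

The continuation-line handling is the part worth attention: a naive line-per-tunnel parser would either drop the second protocol's SPIs or miscount tunnels, which is exactly why the count cross-check is included.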

# Display the number of IPsec tunnels.

<Sysname> display ipsec tunnel count
Total IPsec Tunnel Count: 2

# Display detailed information about all IPsec tunnels.

<Sysname> display ipsec tunnel
Tunnel ID: 0
Status: Active
Perfect forward secrecy:
Inside vpn-instance:
SA's SPI:
    outbound:  2000        (0x000007d0)   [AH]
    inbound:   1000        (0x000003e8)   [AH]
    outbound:  4000        (0x00000fa0)   [ESP]
    inbound:   3000        (0x00000bb8)   [ESP]
Tunnel:
    local  address:
    remote address:
Flow:

Tunnel ID: 1
Status: Active
Perfect forward secrecy:
Inside vpn-instance:
SA's SPI:
    outbound:  6000        (0x00001770)   [AH]
    inbound:   5000        (0x00001388)   [AH]
    outbound:  8000        (0x00001f40)   [ESP]
    inbound:   7000        (0x00001b58)   [ESP]
Tunnel:
    local  address: 1.2.3.1
    remote address: 2.2.2.2
Flow:
    as defined in ACL3100

# Display detailed information about IPsec tunnel 1.

<Sysname> display ipsec tunnel tunnel-id 1
Tunnel ID: 1
Status: Active
Perfect forward secrecy:
Inside vpn-instance:
SA's SPI:
    outbound:  6000        (0x00001770)   [AH]
    inbound:   5000        (0x00001388)   [AH]
    outbound:  8000        (0x00001f40)   [ESP]
    inbound:   7000        (0x00001b58)   [ESP]
Tunnel:
    local  address: 1.2.3.1
    remote address: 2.2.2.2
Flow:
    as defined in ACL 3100

Table 46: Command output

Field                    Description
-----------------------  ------------------------------------------------------
Tunnel ID                IPsec tunnel ID, which uniquely identifies an IPsec
                         tunnel.
Status                   IPsec tunnel status, which can only be Active.
Perfect forward secrecy  Perfect Forward Secrecy (PFS) used by the IPsec policy
                         for negotiation:
                           • 768-bit Diffie-Hellman group (dh-group1).
                           • 1024-bit Diffie-Hellman group (dh-group2).
                           • 1536-bit Diffie-Hellman group (dh-group5).
                           • 2048-bit Diffie-Hellman group (dh-group14).
                           • 2048-bit Diffie-Hellman group with 256-bit
                             subgroup (dh-group24).
                           • 256-bit ECP Diffie-Hellman group (dh-group19).
                           • 384-bit ECP Diffie-Hellman group (dh-group20).
Inside vpn-instance      Name of the VPN instance to which the IPsec-protected
                         data belongs.
SA's SPI                 SPIs of the inbound and outbound SAs.
Tunnel                   Local and remote addresses of the IPsec tunnel.
  local address          Local end IP address of the IPsec tunnel.
  remote address         Remote end IP address of the IPsec tunnel.
Flow                     Information about the data flow protected by the IPsec
                         tunnel, including source IP address, destination IP
                         address, source port, destination port, and protocol.
  as defined in ACL 3001 Range of data flow protected by the manually
                         established IPsec tunnel. This information shows that
                         the IPsec tunnel protects all data flows defined by
                         ACL 3001.