display ipsec tunnel
Use display ipsec tunnel to display information about IPsec tunnels.
Syntax
display ipsec tunnel { brief | count | tunnel-id tunnel-id }
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
brief: Displays brief information about IPsec tunnels.
count: Displays the number of IPsec tunnels.
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967295.
Usage guidelines
IPsec is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
Examples
# Display brief information about all IPsec tunnels.
<Sysname> display ipsec tunnel brief
----------------------------------------------------------------------------
Tunn-id   Src Address     Dst Address     Inbound SPI   Outbound SPI  Status
----------------------------------------------------------------------------
0         --              --              1000          2000          Active
                                          3000          4000
1         1.2.3.1         2.2.2.2         5000          6000          Active
                                          7000          8000
Table 45: Command output
Field | Description |
---|---|
Src Address | Source IP address of the IPsec tunnel. For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--). |
Dst Address | Destination IP address of the IPsec tunnel. For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--). |
Inbound SPI | Valid SPI in the inbound direction of the IPsec tunnel. If the tunnel uses two security protocols, two SPIs in the inbound direction are displayed in two lines. |
Outbound SPI | Valid SPI in the outbound direction of the IPsec tunnel. If the tunnel uses two security protocols, two SPIs in the outbound direction are displayed in two lines. |
Status | Status of the IPsec SA, which can only be Active. |
# Display the number of IPsec tunnels.
<Sysname> display ipsec tunnel count
Total IPsec Tunnel Count: 2
# Display detailed information about all IPsec tunnels.
<Sysname> display ipsec tunnel
Tunnel ID: 0
Status: Active
Perfect forward secrecy:
Inside vpn-instance:
SA's SPI:
    outbound:  2000        (0x000007d0)   [AH]
    inbound:   1000        (0x000003e8)   [AH]
    outbound:  4000        (0x00000fa0)   [ESP]
    inbound:   3000        (0x00000bb8)   [ESP]
Tunnel:
    local  address:
    remote address:
Flow:

Tunnel ID: 1
Status: Active
Perfect forward secrecy:
Inside vpn-instance:
SA's SPI:
    outbound:  6000        (0x00001770)   [AH]
    inbound:   5000        (0x00001388)   [AH]
    outbound:  8000        (0x00001f40)   [ESP]
    inbound:   7000        (0x00001b58)   [ESP]
Tunnel:
    local  address: 1.2.3.1
    remote address: 2.2.2.2
Flow:
    as defined in ACL3100
# Display detailed information about IPsec tunnel 1.
<Sysname> display ipsec tunnel tunnel-id 1
Tunnel ID: 1
Status: Active
Perfect forward secrecy:
Inside vpn-instance:
SA's SPI:
    outbound:  6000        (0x00001770)   [AH]
    inbound:   5000        (0x00001388)   [AH]
    outbound:  8000        (0x00001f40)   [ESP]
    inbound:   7000        (0x00001b58)   [ESP]
Tunnel:
    local  address: 1.2.3.1
    remote address: 2.2.2.2
Flow:
    as defined in ACL 3100
Table 46: Command output
Field | Description |
---|---|
Tunnel ID | IPsec tunnel ID, used to uniquely identify an IPsec tunnel. |
Status | IPsec tunnel status, which can only be Active. |
Perfect forward secrecy | Perfect Forward Secrecy (PFS) used by the IPsec policy for negotiation: |
Inside vpn-instance | Name of the VPN instance to which the IPsec-protected data belongs. |
SA's SPI | SPIs of the inbound and outbound SAs. |
Tunnel | Local and remote addresses of the IPsec tunnel. |
local address | Local end IP address of the IPsec tunnel. |
remote address | Remote end IP address of the IPsec tunnel. |
Flow | Information about the data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port, and protocol. |
as defined in ACL 3001 | Range of data flow protected by the IPsec tunnel that is established manually. This information shows that the IPsec tunnel protects all data flows defined by ACL 3001. |
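
The following is an added example, not part of the original command reference: it parses a saved capture of the detailed output described in Table 46 and flags tunnels that show no PFS value or carry only AH SAs (AH authenticates packets but does not encrypt them). It assumes an empty Perfect forward secrecy field means PFS is not in use; the function names, tunnel 2, and its PFS text are constructed for illustration.

```python
import re

# Tunnel 1 is the page's sample; tunnel 2 and its PFS text are constructed.
CAPTURE = """\
Tunnel ID: 1
Status: Active
Perfect forward secrecy:
Inside vpn-instance:
SA's SPI:
    outbound:  6000        (0x00001770)   [AH]
    inbound:   5000        (0x00001388)   [AH]
    outbound:  8000        (0x00001f40)   [ESP]
    inbound:   7000        (0x00001b58)   [ESP]
Tunnel:
    local  address: 1.2.3.1
    remote address: 2.2.2.2
Flow:
    as defined in ACL 3100
Tunnel ID: 2
Status: Active
Perfect forward secrecy: PFS-GROUP-PLACEHOLDER
Inside vpn-instance:
SA's SPI:
    outbound:  9000        (0x00002328)   [AH]
    inbound:   9001        (0x00002329)   [AH]
Tunnel:
    local  address: 1.2.3.1
    remote address: 3.3.3.3
Flow:
"""

def parse_tunnels(text):
    tunnels = []
    for block in re.split(r"(?=Tunnel ID:)", text)[1:]:  # [0] is prompt/echo
        # [ \t]* rather than \s*: an empty field must not swallow the next line.
        field = lambda name: re.search(name + r":[ \t]*(.*)", block).group(1).strip()
        sas = re.findall(r"(outbound|inbound):\s+(\d+)\s+\(0x[0-9a-f]+\)\s+\[(AH|ESP)\]", block)
        tunnels.append({"id": int(field("Tunnel ID")), "pfs": field("Perfect forward secrecy"),
                        "remote": field(r"remote\s+address"),
                        "sas": [(d, int(spi), proto) for d, spi, proto in sas]})
    return tunnels

def audit(tunnels):
    # Assumption: an empty "Perfect forward secrecy" field means PFS is not in use.
    no_pfs = [(t["id"], t["remote"], "no PFS") for t in tunnels if not t["pfs"]]
    ah_only = [(t["id"], t["remote"], "AH only: payload not encrypted")
               for t in tunnels if "ESP" not in {proto for _, _, proto in t["sas"]}]
    return no_pfs + ah_only
```

Calling `audit(parse_tunnels(CAPTURE))` returns one finding per flagged tunnel as `(tunnel ID, remote address, reason)`.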