Parameter | Description | Value |
---|---|---|
vpn | Indicates the ciphertext VPN instance. | - |
policy-name | Specifies the name of an IPsec policy. | The value is a string of 1 to 15 case-sensitive characters. |
seq-number | Indicates the sequence number of the IPsec policy. | It is an integer that ranges from 1 to 10000. The smaller the value is, the higher the priority is. |
slot slot-id | Specifies a slot ID. | - |
Usage Scenario
You can run the display ipsec sa command to check whether the SA configurations for outgoing protocol packets on the local end are identical to those for incoming protocol packets on the peer end. The display ipsec sa command output displays the following information:
The actual command output varies according to the device. The command output here is only an example.
```
<HUAWEI> display ipsec sa policy zx1
==================================
IPsec SA Information for Slot : 1
==================================

===============================
Interface: Tunnel0/0/1
===============================

  -----------------------------
  IPsec policy name: "zx1"
  sequence number: 1
  instance id: 0
  mode: isakmp
  vpn: -
  ext: -
  -----------------------------
    connection id: 2
    rule number: 1
    encapsulation mode: tunnel
    tunnel local: 10.23.100.1 tunnel remote: 10.24.100.1
    flow source: 10.99.0.1/255.255.255.255 0-65535 0 0xFF
    flow destination: 10.88.0.1/255.255.255.255 0-65535 0 0xFF
    input/output security packets: 4/4
    input/output security kilobytes: 0/0
    input/output bandwidth limit drop packets: 0/0
    input/output bandwidth limit drop kilobytes: 0/0

    [inbound ESP SAs]
      establish: 2020-05-17 16:06:54
      spi: 3128071041 (0xba729381)
      vpn: - said: 1
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
      sa remaining key duration (kilobytes/sec): --/600721
      max received sequence-number: 0
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      establish: 2020-05-17 16:06:54
      spi: 3350222213 (0xc7b05585)
      vpn: - said: 2
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
      sa remaining key duration (kilobytes/sec): --/600721
      max sent sequence-number: 0
      udp encapsulation used for nat traversal: N
```
Item | Description |
---|---|
sa remaining key duration (kilobytes/sec) | Rekey lifetime. |
IPsec SA Information for Slot | IPsec SA information of a specified board. |
IPsec policy name | Name of a security policy. |
sequence number | Sequence number of an IPsec policy. |
instance id | Instance ID. |
connection id | Connection ID. |
rule number | Security ACL rule ID. |
encapsulation mode | Encapsulation mode. |
tunnel local | Local tunnel address. |
tunnel remote | Remote tunnel address. |
flow source | Source flow characteristics, including the IP address, port number, protocol number, and DSCP. |
flow destination | Flow destination characteristics, including the IP address, port number, protocol number, and DSCP. |
input/output security packets | Number of encrypted packets in the inbound or outbound direction. |
input/output security kilobytes | Number of bytes in inbound or outbound encrypted packets. |
input/output bandwidth limit drop packets | Number of packets discarded in the inbound or outbound direction due to rate limiting. |
input/output bandwidth limit drop kilobytes | Number of incoming or outgoing bytes that are dropped due to rate limit. |
inbound ESP SAs | Inbound ESP SA information. |
max received sequence-number | Maximum receive sequence number. |
max sent sequence-number | Maximum sequence number for packet sending. |
udp encapsulation used for nat traversal | UDP encapsulation for NAT traversal. |
outbound ESP SAs | Outbound SA parameters. |
Interface | Interface to which an IPsec policy is bound. |
mode | Policy mode. |
vpn | Ciphertext VPN instance. |
ext | Extra IPsec SA information. |
establish | Time when an SA is generated. |
spi | Security parameter index. |
proposal | Proposal. |
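
The check described under Usage Scenario can be scripted once the output has been collected from both ends. The following is an added example, not code from this page or from the vendor: it parses the tunnel endpoints, `spi` and `proposal` fields and compares each local SA with the peer SA of the opposite direction. The function names `parse_sa` and `compare_ends` and the sample texts are constructed for illustration, and the code assumes a single ESP SA pair per output.

```python
import re

# Constructed sample text in the layout of the ESP SA fields shown above;
# SPI and address values are illustrative, not captured from devices.
TEMPLATE = """\
tunnel local: {local} tunnel remote: {remote}
[inbound ESP SAs]
  spi: {in_spi} (0x{in_spi:x})
  proposal: {prop}
[outbound ESP SAs]
  spi: {out_spi} (0x{out_spi:x})
  proposal: {prop}
"""
PROP = "ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256"
A, B = "10.23.100.1", "10.24.100.1"
LOCAL = TEMPLATE.format(local=A, remote=B, in_spi=3128071041, out_spi=3350222213, prop=PROP)
PEER_OK = TEMPLATE.format(local=B, remote=A, in_spi=3350222213, out_spi=3128071041, prop=PROP)
# Peer still holding an old inbound SA (constructed SPI value).
PEER_STALE = TEMPLATE.format(local=B, remote=A, in_spi=1111111111, out_spi=3128071041, prop=PROP)

SECTION = re.compile(r"\[(inbound|outbound) ESP SAs\](.*?)(?=\[(?:inbound|outbound) ESP SAs\]|\Z)", re.S)

def parse_sa(text):
    """Extract tunnel endpoints plus SPI and proposal for each ESP SA direction."""
    ends = re.search(r"tunnel local:\s*(\S+)\s+tunnel remote:\s*(\S+)", text)
    if not ends:
        raise ValueError("no tunnel local/remote line found")
    sa = {"local": ends.group(1), "remote": ends.group(2)}
    for direction, body in SECTION.findall(text):
        spi = re.search(r"spi:\s*(\d+)", body)
        if spi:
            sa[direction] = {"spi": int(spi.group(1)),
                             "proposal": re.findall(r"ESP-[A-Z0-9-]+", body)}
    return sa

def compare_ends(local, peer):
    """List mismatches between each local SA and the peer SA of the opposite direction."""
    problems = []
    if (local["local"], local["remote"]) != (peer["remote"], peer["local"]):
        problems.append("tunnel endpoints are not mirrored")
    for mine, theirs in (("outbound", "inbound"), ("inbound", "outbound")):
        a, b = local.get(mine), peer.get(theirs)
        if a is None or b is None:
            problems.append(f"missing SA: local {mine} / peer {theirs}")
            continue
        for field in ("spi", "proposal"):
            if a[field] != b[field]:
                problems.append(f"local {mine} {field} {a[field]} != peer {theirs} {b[field]}")
    return problems

if __name__ == "__main__":
    for name, text in (("PEER_OK", PEER_OK), ("PEER_STALE", PEER_STALE)):
        print(name, compare_ends(parse_sa(LOCAL), parse_sa(text)) or "consistent")
```

An SPI mismatch between the local outbound SA and the peer inbound SA means the peer cannot match received ESP packets to an SA, which typically shows up as traffic passing in only one direction.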