reset ike sa
Function
The reset ike sa command deletes the SA set up by IKE.
This command is supported only on the NetEngine 8000 F1A.
Parameters
| Parameter | Description | Value |
|---|---|---|
| slot slotnumber |
Deletes the IKE SA in a specified slot. |
The value is an integer that ranges from 0 to 32. |
| speed speed |
Set delete speed. |
It is an integer that ranges from 1 to 200 (per second). |
| connid |
Deletes the IKE SA by connection ID. |
It is an integer and ranges from 1 to 65535. |
| remote remoteaddr |
Deletes the IKE SA by remote address. |
The value is in dotted decimal notation |
Usage Guidelines
To re-configure the IPSec policy, you can clear IKE SAs. There are two types of IKE SAs established by IKE negotiation: IKE SAs in phase 1 and IKE SAs in phase 2. IKE SAs in phase 1 are used for IKE negotiation. Under the protection of these IKE SAs, IKE SAs in phase 2 are used to establish IPSec SAs that protect data flows.
- If the specified connection-id parameter corresponds to an IKE SA in phase 1, no automatic negotiation can be performed after this IKE SA is cleared. The negotiation is re-performed to establish an IKE SA in phase 1 only when data flows match ACL rules in the IPSec policy again.
- If the specified connection-id parameter corresponds to an IKE SA in phase 2, an automatic negotiation is performed under the protection of the IKE SA in phase 1, after the IKE SA in phase 2 is cleared. - In this manner, another IKE SA in phase 2 is established.
- If the connection-id parameter is not specified, all IKE SAs in phase 1 are cleared, like the first case. When the reset ike sa command is run during rekey or re-authentication, new SAs generated during rekey or re-authentication may not be deleted.