reset ipsec sa

Function

The reset ipsec sa command deletes IPSec SAs established through IKE negotiation.

This command is supported only on the NetEngine 8000 F1A.

Format

reset ipsec sa parameters remoteaddr ah ahspi [ slot slotnumber ]

reset ipsec sa parameters remoteaddr esp espspi [ slot slotnumber ]

reset ipsec sa policy mapname [ slot slotnumber ]

reset ipsec sa policy mapname seqno [ slot slotnumber ]

reset ipsec sa [ slot slotnumber ] [ speed speed ]

reset ipsec sa remote remoteaddr [ slot slotnumber ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| remoteaddr | Deletes the IPSec SA by remote address. | The value is in dotted decimal notation. |
| ah ahspi | Deletes the IPSec SA by AH security parameter index (SPI). | The value is an integer and ranges from 256 to 4294967295. |
| slot slotnumber | Deletes the IPSec SA in a specified slot. | The value is an integer that ranges from 0 to 32. |
| esp espspi | Deletes the IPSec SA by ESP security parameter index (SPI). | The value is an integer and ranges from 256 to 4294967295. |
| mapname | Deletes the IPSec SA by policy name. | It is a string of 1 to 15 case-insensitive characters. |
| seqno | Indicates the sequence number of the IPSec policy. | It is an integer that ranges from 1 to 10000, where a smaller value indicates a higher priority. |
| speed speed | Sets the deletion speed. | It is an integer that ranges from 1 to 200 (per second). |

Views

User view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| ike | execute |

Usage Guidelines

To re-configure the IPSec policy, you can clear IPSec SAs.

  • The reset ipsec sa command clears only SAs created at phase 2, regardless of whether the SAs are created manually or through IKE negotiation. If no parameter is specified, all phase 2 SAs are cleared.
  • For SAs negotiated and established in IKE mode, you must run the reset ipsec sa command before running the reset ike sa command. Otherwise, the command fails. After an SA created through IKE negotiation is cleared, if certain packets trigger IKE negotiation, IKE renegotiates to create an SA.
  • SAs exist in pairs. Therefore, when the parameters field is specified, if an SA in one direction is cleared, the SA in the other direction is cleared at the same time.

    If the reset ipsec sa command is run during a rekey or reauthentication operation, new SAs may be generated after the command execution.

Example

# Reset all the IPSec SAs.
<HUAWEI> reset ipsec sa
Copyright © Huawei Technologies Co., Ltd.