Huawei v200r001 User Manual

User Manual - Configuration Guide  (Volume 3)
Versatile Routing Platform
Chapter 5
Configuration of IKE
Flag meaning:
RD--Ready ST--Stayalive RT--Replaced FD--Fading
Execute the following command to clear security association 1.
Quidway# clear crypto ike sa 1
The SA display then shows the following information:
Quidway# show crypto ike sa
conn-id    peer          flags     phase   doi
2          202.38.0.2    RD|ST     2       IPSEC
Flag meaning:
RD--Ready ST--Stayalive RT--Replaced FD--Fading
Table SC-5-9  Description of the fields in the show crypto ike sa output
Field      Description
conn-id    Security channel ID
peer       Peer IP address of this SA
flags      Status of this SA:
           NONE means this SA is being established
           READY means this SA has been established successfully
           STAYALIVE means that the lifetime is negotiated, and this SA will be refreshed at a fixed interval
           REPLACED means that a timeout has happened
           FADING means this SA has been replaced, and will be cleared automatically after some time
phase      Phase of SA
doi        Domain of interpretation (DOI) of SA
2)   Show IKE security policy
Quidway# show crypto ike policy
Protection suite priority 15
   encryption algorithm: DES - CBC
   hash algorithm: MD5
   authentication method: Pre-Shared Key
   Diffie-Hellman Group: MODP1024
   Lifetime: 5000 seconds, no volume limit
Protection suite priority 20
   encryption algorithm: DES - CBC
   hash algorithm: SHA
   authentication method: Pre-Shared Key
   Diffie-Hellman Group: MODP768
   lifetime: 10000 seconds, no volume limit
Default protection suite
   encryption algorithm: DES - CBC
   hash algorithm: SHA
   authentication method: Pre-Shared Key
   Diffie-Hellman Group: MODP768
   Lifetime: 86400 seconds, no volume limit
For each protection suite, the output shows the priority, encryption algorithm, hash algorithm,
authentication method, Diffie-Hellman group and IKE SA lifetime.
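As an added example (not part of the manual or of VRP), the following Python parses the show crypto ike policy output shown above into one record per protection suite and lists the settings a reviewer would want to revisit. The function names and the WEAK set (DES, MD5, MODP768, MODP1024) are assumptions of this example, not statements from the manual.

```python
import re

# Constructed sample: the "show crypto ike policy" output from this page.
SAMPLE = """\
Protection suite priority 15
   encryption algorithm: DES - CBC
   hash algorithm: MD5
   authentication method: Pre-Shared Key
   Diffie-Hellman Group: MODP1024
   Lifetime: 5000 seconds, no volume limit
Protection suite priority 20
   encryption algorithm: DES - CBC
   hash algorithm: SHA
   authentication method: Pre-Shared Key
   Diffie-Hellman Group: MODP768
   lifetime: 10000 seconds, no volume limit
Default protection suite
   encryption algorithm: DES - CBC
   hash algorithm: SHA
   authentication method: Pre-Shared Key
   Diffie-Hellman Group: MODP768
   Lifetime: 86400 seconds, no volume limit
"""

# Assumption of this example (not from the manual): values flagged for review.
WEAK = {"encryption algorithm": {"DES-CBC"},
        "hash algorithm": {"MD5"},
        "diffie-hellman group": {"MODP768", "MODP1024"}}
HEADER = re.compile(r"^(?:protection suite priority (\d+)|default protection suite)$", re.I)

def parse_policy(text):
    """Return one dict per protection suite, keyed by lower-cased field name."""
    suites = []
    for line in map(str.strip, text.splitlines()):
        head = HEADER.match(line)
        if head:  # the default suite has no priority number
            suites.append({"priority": int(head.group(1)) if head.group(1) else None})
        elif ":" in line and suites:
            key, value = (part.strip() for part in line.split(":", 1))
            suites[-1][key.lower()] = value  # "Lifetime" and "lifetime" both occur
    return suites

def audit(suites):
    """Return (priority, field, value) for each setting listed in WEAK."""
    return [(s["priority"], field, s[field].replace(" ", ""))
            for s in suites for field, bad in WEAK.items()
            if s.get(field, "").replace(" ", "") in bad]
```

Calling audit(parse_policy(SAMPLE)) returns one tuple per flagged setting; a priority of None marks the default protection suite.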
5.4  Typical Configuration of IKE
I. Networking requirements
•  Hosts A and B communicate securely, and a security channel is established through
IKE automatic negotiation between security gateways A and B.