Command Manual – Security
VRP3.4 Table of Contents
Command Manual – Security Chapter 1 AAA and RADIUS/HWTACACS Protocol
VRP3.4 Configuration Commands
1.1.1 access-limit
Syntax
undo access-limit
View
Parameter
Description
Using the access-limit command, you can limit the number of supplicants in the
current ISP domain. Using the undo access-limit command, you can restore the
default setting.
By default, there is no limit to the number of supplicants in the current ISP domain.
This command limits the number of supplicants that the current ISP domain can hold.
Supplicants compete for network resources, so setting a suitable limit helps guarantee
reliable service to the supplicants already admitted.
Example
Syntax
accounting optional
View
Parameter
None
Description
Using the accounting optional command, you can enable optional accounting. Using
the undo accounting optional command, you can disable it.
With the accounting optional command, a user that will be disconnected otherwise
can use the network resources even when there is no available accounting server or
the communication with the current accounting server fails. This command is normally
used for the authentication without accounting.
Example
Syntax
View
Any view
Parameter
domain isp-name: Displays all the user connections belonging to the ISP domain
specified by isp-name, a character string not exceeding 24 characters. The specified
ISP domain must be an existing one.
ip ip-address: Displays all the user connections related to the specified IP address.
Description
Using the display connection command, you can view the relevant information on the
specified user connection or all the connections. The output can help you troubleshoot
user connections.
Example
Syntax
View
Any view
Parameter
isp-name: Specifies the ISP domain name, with a character string not exceeding 24
characters. The specified ISP domain must be an existing one.
Description
Using the display domain command, you can view the configuration of a specified ISP
domain or display the summary information of all ISP domains.
If an ISP domain is specified, the command outputs the configuration of that domain;
otherwise it displays the summary information of all ISP domains. The output can help
with ISP domain diagnosis and troubleshooting.
For the related commands, see access-limit, domain, scheme, state, display
domain.
Example
Syntax
View
Any view
Parameter
domain isp-name: Displays all the local users in the ISP domain specified by isp-name,
a character string not exceeding 24 characters. The specified ISP domain must be an
existing one.
service-type: Displays local users by specifying service type, which can be telnet, ssh,
terminal (terminal users logging on from Console, AUX, or Asyn port), ftp, ppp, or PAD
(X.25 PAD).
state { active | block }: Displays local users by specifying user state, where active
means users allowed to request for network services and block means the opposite.
Description
Using the display local-user command, you can view the relevant information on the
specified local user or all the local users. The output can help you troubleshoot faults
related to local user.
Example
IP address: Disable
MAC address: Disable
FTP Directory: flash:
1.1.6 domain
Syntax
View
System view
Parameter
isp-name: Specifies an ISP domain name. The name is expressed with a character
string not exceeding 24 characters, excluding “/”, “: ”, “*”, “? ”, “<”, and “>”.
default: Configures the default ISP domain. The default ISP domain of the system is
"system".
disable: Disables the configured default ISP domain. The users that have usernames
without a domain name are to be refused as a result.
Description
Using the domain command, you can configure an ISP domain or enter the view of an
existing ISP domain. Using the undo domain command, you can cancel a specified
ISP domain.
An ISP domain is a group of users belonging to the same ISP. Generally, for a username
in the userid@isp-name format, gw20010608@huawei163.net for example, the isp-name
("huawei163.net" in the example) following the "@" is the ISP domain name. When an
AAA server controls user access, for an ISP user whose username is in the
userid@isp-name format, the system takes the part "userid" as the username for
identification and the part "isp-name" as the domain name.
On a router, each supplicant belongs to an ISP domain. The system supports up to 16
ISP domains.
When this command is used, if the specified ISP domain does not exist, the system will
create a new ISP domain. All the ISP domains are in the active state when they are
created.
For the related commands, see access-limit, scheme, state, and display domain.
Example
1.1.7 ip pool
Syntax
View
Parameter
low-ip-address and high-ip-address: The start and end IP addresses of the address
pool. The number of in-between addresses cannot exceed 1024. If end IP address is
not specified, there will be only one IP address in the pool, namely the start IP address.
Description
Using the ip pool command, you can configure a local address pool for assigning
addresses to PPP users. Using the undo ip pool command, you can delete the
specified local address pool.
You can configure an IP address pool in system view and use the remote address
command in interface view to assign IP addresses from the pool to PPP users.
You can also configure an IP address pool in ISP domain view for assigning IP
addresses to PPP users in the current ISP domain. This applies to the case where an
interface serves a large number of PPP users but has inadequate address resources
for allocation. For example, an Ethernet interface running PPPoE can accommodate
4095 users at most, yet only one address pool with up to 1024 addresses can be
configured on its Virtual Template (VT), which is far from what is required. To
address the issue, you can configure address pools for ISP domains and assign
addresses from them to their PPP users.
Example
# Configure the local IP address pool 0 with the address range of 129.102.0.1 to
129.102.0.10.
[Quidway] domain huawei163.net
[Quidway-isp-huawei163.net] ip pool 0 129.102.0.1 129.102.0.10
1.1.8 level
Syntax
level level
undo level
View
Parameter
Description
Using the level command, you can configure user priority level. Using the undo level
command, you can restore the default user priority level.
Note:
If the configured authentication mode is none authentication or password authentication, the command
level that a user can access after login depends on the priority of user interface. In the case of
authentication requiring both username and password, however, the accessible command level depends
on user priority level.
Example
1.1.9 local-user
Syntax
local-user user-name
View
System view
Parameter
Description
Using the local-user command, you can add a local user and enter the local user view.
Using the undo local-user command, you can remove the specified local user.
Example
Syntax
View
System view
Parameter
cipher-force: Forced cipher mode specifies that the passwords of all the accessed
users must be displayed in cipher text.
auto: The auto mode specifies that a user is allowed to use the password command to
set a password display mode.
Description
Example
# Force all the local users to have passwords displayed in cipher text.
[Quidway] local-user password-display-mode cipher-force
1.1.11 password
Syntax
undo password
View
Parameter
Description
Using the password command, you can configure a password for a local user. Using
the undo password command, you can cancel the password of the local user.
Example
# Set the password of the user huawei1 to 20030422, displayed in simple text.
[Quidway-luser-huawei1] password simple 20030422
1.1.12 scheme
Syntax
View
Parameter
none: No authentication
Description
Using the scheme command, you can configure the AAA scheme to be referenced by
the current ISP domain. Using the undo scheme command, you can restore the
default AAA scheme.
With this command the current ISP domain can reference a RADIUS/HWTACACS
scheme that has been configured.
If the local or none scheme applies as the first scheme, no RADIUS or HWTACACS
scheme can be adopted.
For the related commands, see radius scheme and hwtacacs scheme.
Example
# Specify the current ISP domain, huawei163.net, to use the RADIUS scheme Huawei.
[Quidway-isp-huawei163.net] scheme radius Huawei
1.1.13 service-type
Syntax
View
Parameter
terminal: Authorizes the user to use the terminal service (login from the Console, AUX
or Asyn port).
Description
Using the service-type command, you can configure a service type for a particular user.
Using the undo service-type command, you can delete one or all service types
configured for the user.
For the related commands, see service-type ppp and service-type ftp.
Example
Syntax
View
Parameter
Description
Using the service-type ftp command, you can specify a directory accessible for the
FTP user. Using the undo service-type ftp command, you can restore the default
directory accessible for the FTP user.
By default, no services of any type are authorized to any user and access of
anonymous FTP users is not allowed, but a user that is granted the FTP service is
authorized to access the root directory "flash:/".
Example
Syntax
View
Parameter
[ subcall-number ]: Specifies the sub-caller number. If included, the total length of it plus
the caller number cannot exceed 62 bytes.
Description
Using the service-type command, you can configure the callback attribute and caller
number of the PPP user. Using the undo service-type command, you can restore their
default settings.
By default, no services of any type are authorized to any users; if the PPP service is
authorized, call back without authentication applies and no callback number is
specified; and the system does not authenticate the caller number of ISDN users.
Example
1.1.16 state
Syntax
View
Parameter
active: Allows users in the current ISP domain, or the current local user, to request
network services.
block: Blocks users in the current ISP domain, or the current local user, from
requesting network services.
Description
Using the state command, you can configure the state of the current ISP domain or
local user.
By default, both an ISP domain (in ISP domain view) and a local user (in local user
view) are in the active state upon creation.
Every ISP domain can be active or blocked. If an ISP domain is configured to be active,
the supplicants in it can request network services; in the block state, its users are
disallowed to request any network service, which does not affect the users currently
online. This also applies to local users.
Example
# Set the state of the current ISP domain "huawei163.net" to block. The supplicants in
this domain cannot request for network services.
[Quidway-isp-huawei163.net] state block
1.2.1 data-flow-format
Syntax
undo data-flow-format
View
RADIUS view
Parameter
Description
Using the data-flow-format command, you can configure the units in which data flows
and packets are reported to a RADIUS server. Using the undo data-flow-format
command, you can restore the default units.
By default, data flows are reported in bytes and data packets in packets.
Example
# Send data flows and packets destined for the RADIUS server "Huawei" in kilobytes
and kilo-packets.
[Quidway-radius-huawei] data-flow-format data kilo-byte packet kilo-packet
Syntax
View
User view
Parameter
Description
Using the debugging radius command, you can enable RADIUS debugging. Using
the undo debugging radius command, you can disable RADIUS debugging.
Example
Syntax
View
Any view
Parameter
Description
Using the display radius command, you can view the configuration information about
one or all RADIUS schemes.
Example
Field                                              Description
SchemeName                                         RADIUS scheme name
Index                                              Index number of the RADIUS scheme
Type                                               Type of the RADIUS scheme
Primary Auth IP/ Port/ State                       IP address/access port number/current state of the primary authentication server
Primary Acct IP/ Port/ State                       IP address/access port number/current state of the primary accounting server
Retry sending times of noresponse acct-stop-PKT    The maximum number of retries allowed when sending a buffered stop-accounting packet
Quiet-interval(min)                                The interval for the primary server to resume the active state
Username format                                    Format of username
Data flow unit                                     Unit of data flows
Packet unit                                        Unit of packets
Syntax
View
Any view
Parameter
None
Description
Using the display radius statistics command, you can view the statistics information
on RADIUS packets. The displayed packet information can help you troubleshoot
RADIUS faults.
Example
Running statistic:
No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0
Syntax
View
Any view
Parameter
Description
Using the display stop-accounting-buffer command, you can view information on the
stop-accounting requests buffered in the router by RADIUS scheme, session ID, or
time range. The displayed packet information can help you troubleshoot RADIUS
faults.
Example
1.2.6 key
Syntax
View
RADIUS view
Parameter
string: Shared key, a character string not exceeding 16 characters and excluding “/”, “: ”,
“*”, “? ”, “<” and “>”. By default, the key is “huawei”.
Description
Using the key command, you can configure a shared key for encrypting RADIUS
authentication/authorization or accounting packets. Using the undo key command,
you can restore the default shared key.
The RADIUS client (the router) and the RADIUS server use the MD5 algorithm, keyed
with the shared key, to protect the packets they exchange, and each end verifies
received packets with that key. Only when the same key is configured on both ends
can they accept each other's packets and respond, so ensure that the same key is set
on the router and the RADIUS server. If authentication/authorization and accounting
are performed on two server devices with different shared keys, you must set one
shared key for each.
For the related commands, see primary accounting, primary authentication, and
radius scheme.
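The check the router performs with the shared key is the RADIUS Response Authenticator of RFC 2865: the server's reply carries MD5(Code + ID + Length + RequestAuth + Attributes + Secret), and the client recomputes it with its own key before accepting the reply. The following Python is an added example written for this page, not code from the manual or from the VRP product; the Request Authenticator, the Reply-Message attribute and the reply packet are constructed sample values, and the keys "hello" and "ok" are reused from the manual's example commands.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute type (RFC 2865) used in this example.
ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18

# Constructed sample Request Authenticator. A real client picks 16 random bytes
# per Access-Request; a fixed value keeps this example reproducible.
REQUEST_AUTHENTICATOR = bytes(range(16))


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)           # 20-byte header plus attributes
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, identifier: int, attributes: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Assemble a server reply whose Authenticator field is computed with `secret`."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS does on receipt: recompute the Authenticator with its own key and
    compare in constant time. A wrong key, altered attributes or a truncated packet
    all make the reply unacceptable."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False                        # shorter than Length claims: discard
    attributes = packet[20:length]          # bytes beyond Length are padding
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


# Constructed sample: an Access-Accept carrying Reply-Message "welcome", produced by
# a server whose shared key is "hello" (the key from the manual's example).
SAMPLE_REPLY = build_response(ACCESS_ACCEPT, 7, attribute(REPLY_MESSAGE, b"welcome"),
                              REQUEST_AUTHENTICATOR, b"hello")


def check_scenarios() -> dict:
    """Verify the sample reply with the matching key, a mismatched key, and after tampering."""
    tampered = SAMPLE_REPLY[:-1] + b"!"     # alter the last attribute byte
    return {
        "same key": verify_response(SAMPLE_REPLY, REQUEST_AUTHENTICATOR, b"hello"),
        "different key": verify_response(SAMPLE_REPLY, REQUEST_AUTHENTICATOR, b"ok"),
        "tampered": verify_response(tampered, REQUEST_AUTHENTICATOR, b"hello"),
    }


if __name__ == "__main__":
    for name, ok in check_scenarios().items():
        print(f"{name:14s} -> {'accepted' if ok else 'rejected'}")
```

Only the reply built with "hello" and verified with "hello" is accepted; the same reply checked with the key "ok", or with one attribute byte changed, is rejected, which is exactly the symptom of a key mismatch between router and server that the description above warns about.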
Example
# In the RADIUS scheme “huawei”, set the shared key used for encrypting
authentication/authorization packets to “hello”.
[Quidway-radius-huawei] key authentication hello
# In the RADIUS scheme “huawei”, set the shared key for encrypting accounting
packets to “ok”.
[Quidway-radius-huawei] key accounting ok
1.2.7 nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
RADIUS view
Parameter
Description
Using the nas-ip command, you can set the source IP address of the network access
server (NAS, the router in this manual), so that all packets destined for the RADIUS
server carry the same source IP address. Using the undo nas-ip command, you can
cancel the configuration.
Specifying a source address for the RADIUS packets to be transmitted can avoid the
situation where the packets sent back by the RADIUS server cannot be received as the
result of a physical interface failure. The address of a loopback interface is usually used
as the source address.
By default, the source IP address of packets is the IP address of the output port.
Example
# Set the source IP address that is carried in the RADIUS packets sent by the NAS (the
router) to 10.1.1.1.
[Quidway] radius scheme test1
[Quidway-radius-test1] nas-ip 10.1.1.1
Syntax
View
RADIUS view
Parameter
port-number: UDP port number of the primary accounting server, ranging from 1 to
65535 and defaulting to 1813.
Description
Using the primary accounting command, you can configure IP address and port
number of the primary RADIUS accounting server. Using the undo primary
accounting command, you can restore the default IP address and port number of the
primary RADIUS accounting server.
After creating a RADIUS scheme, you need to configure the IP address and UDP port of
each RADIUS server (primary/secondary authentication/authorization or accounting
server). How you arrange the RADIUS servers is at your discretion, except that there
must be at least one authentication/authorization server and one accounting server.
Besides, ensure that the RADIUS service port settings on the router are consistent
with the port settings on the RADIUS servers.
For the related commands, see key, radius scheme, and state.
Example
# Set the IP address of the primary accounting server in the RADIUS scheme “huawei”
to 10.110.1.2 and use the UDP port 1813 to provide the RADIUS accounting service.
[Quidway-radius-huawei] primary accounting 10.110.1.2 1813
Syntax
View
RADIUS view
Parameter
Description
Using the primary authentication command, you can configure IP address and port
number of the primary RADIUS authentication/authorization server. Using the undo
primary authentication command, you can restore the default IP address and port
number of the primary RADIUS authentication/authorization server.
After creating a RADIUS scheme, you need to configure the IP address and UDP port of
each RADIUS server (primary/secondary authentication/authorization or accounting
server). How you arrange the RADIUS servers is at your discretion, except that there
must be at least one authentication/authorization server and one accounting server.
Besides, ensure that the RADIUS service port settings on the router are consistent
with the port settings on the RADIUS servers.
For the related commands, see key, radius scheme, and state.
Example
Syntax
View
System view
Parameter
Description
Using the radius scheme command, you can configure a RADIUS scheme and enter
its view. Using the undo radius scheme command, you can delete the specified
RADIUS scheme.
By default, the RADIUS scheme with the name “system” exists in the system, with all
attributes being the defaults.
A RADIUS scheme can be referenced by several ISP domains at the same time.
The undo radius scheme command can be used to delete any RADIUS scheme
except for the default one. Note that a RADIUS scheme currently being used by any
online users cannot be removed.
For the related commands, see key, retry realtime-accounting, scheme, timer
realtime-accounting, stop-accounting-buffer enable, retry stop-accounting,
server-type, state, user-name-format, retry, display radius and display radius
statistics.
Example
Syntax
View
System view
Parameter
ip-address: Specifies a source IP address, which must be the address of this device. It
cannot be the address of all zeros, or a host/network address of class A, B, or C, or an
address starting with 127.
Description
Using the radius nas-ip command, you can specify the source address of the RADIUS
packets sent from the NAS. Using the undo radius nas-ip command, you can restore the
default setting.
By specifying the source address of the RADIUS packets, you avoid the situation where
packets returned by the server cannot reach the NAS after an interface failure. A
loopback interface address is normally recommended as the source address.
By default, the source address is not specified, that is, the address of the interface
sending the packet serves as the source address.
This command specifies only one source address; therefore, a newly configured
source address overwrites the original one.
Example
Syntax
View
User view
Parameter
None
Description
Using the reset radius statistics command, you can clear the statistic information
related to the RADIUS protocol.
Example
Syntax
View
System view
Parameter
Description
Using the reset stop-accounting-buffer command, you can clear the buffered
stop-accounting requests that have no responses.
You can clear the buffered stop-accounting requests by RADIUS scheme, session ID,
username, or time range.
Example
# Clear the buffered stop-accounting requests in the time range 0:0:0 to 23:59:59 on
August 31, 2002.
<Quidway> reset stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002
1.2.14 retry
Syntax
retry retry-times
undo retry
View
RADIUS view
Parameter
Description
Using the retry command, you can configure the number of RADIUS request attempts.
Using the undo retry command, you can restore the default.
RADIUS runs over UDP, which provides unreliable transport. If the NAS receives no
response from the current RADIUS server when the response timeout timer expires, it
has to retransmit the RADIUS request. If the number of request attempts exceeds the
specified retry-times, the NAS considers communication with the current RADIUS
server lost and turns to another RADIUS server.
Example
# With the RADIUS scheme "huawei", a RADIUS request can be sent up to five times.
[Quidway-radius-huawei] retry 5
Syntax
View
RADIUS view
Parameter
Description
Using the retry realtime-accounting command, you can configure the maximum
number of real-time accounting requests that may go unanswered. Using the undo
retry realtime-accounting command, you can restore this maximum to the default
value.
A RADIUS server usually checks whether a user is online with a timeout timer. If the
RADIUS server has not received the real-time accounting packet from the NAS, it
considers that a line or device failure has occurred and stops accounting. Accordingly,
when such an unexpected failure occurs, the user must be disconnected at the NAS
end and on the RADIUS server synchronously. Huawei Quidway Series Routers
support setting the maximum number of unanswered real-time accounting requests:
the NAS disconnects the user once it has failed to receive a real-time accounting
response from the RADIUS server the specified number of times.
Suppose the response timeout timer of the RADIUS server is T and the real-time
accounting interval of the NAS is t. Set T to 3, t to 12, and the maximum number of
real-time request retries to 5. With these values configured, the NAS generates an
accounting request every 12 minutes, and retries if no response is received within 3
minutes. If no response is received after five attempts, the NAS assumes that this
accounting fails. Normally, retry-times multiplied by T should be smaller than t.
For the related command, see radius scheme and timer realtime-accounting.
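The retransmission and failover behaviour described for the retry command, together with the retry-times × T < t rule of thumb from the retry realtime-accounting description, as an added Python example written for this page (not code from the manual or the VRP product). It assumes that retry-times bounds the total number of sends to one server, in line with the manual's example "a RADIUS request can be sent up to five times"; the two server addresses are reused from the manual's examples, and the always-silent primary is a constructed scenario.

```python
from typing import Callable, Dict, List, Optional, Tuple

# A RADIUS server is modelled as a function that takes the request bytes and
# returns the reply, or None when the response timeout timer expires unanswered.
Server = Callable[[bytes], Optional[bytes]]


class RadiusScheme:
    """Retransmission and failover as described for the retry command.

    Assumption: retry-times bounds the total number of sends to one server,
    matching the manual's example "a RADIUS request can be sent up to five times".
    """

    def __init__(self, servers: List[Tuple[str, Server]], retry_times: int):
        self.servers = list(servers)                        # primary first
        self.retry_times = retry_times
        self.state: Dict[str, str] = {name: "active" for name, _ in self.servers}
        self.sends: Dict[str, int] = {name: 0 for name, _ in self.servers}

    def send(self, request: bytes) -> Optional[Tuple[str, bytes]]:
        """Try the active servers in order; return (server, reply) or None if all fail."""
        for name, server in self.servers:
            if self.state[name] != "active":
                continue                                    # skip a blocked server
            for _ in range(self.retry_times):
                self.sends[name] += 1
                reply = server(request)
                if reply is not None:
                    return name, reply
                # timeout expired with no reply: retransmit the same request
            # retry-times exhausted: treat the server as unreachable, turn to the next
            self.state[name] = "block"
        return None


def realtime_accounting_consistent(retry_times: int, response_timeout_T: int,
                                   interval_t: int) -> bool:
    """Rule of thumb from the manual: retry-times multiplied by T should be smaller
    than t, so all retries of one real-time request finish before the next is due."""
    return retry_times * response_timeout_T < interval_t


def failover_demo() -> Tuple[Optional[Tuple[str, bytes]], Dict[str, int], Dict[str, str]]:
    """Constructed scenario: the primary server never answers, the secondary answers
    at once, and retry-times is 5 as in the manual's retry example."""
    primary: Server = lambda request: None
    secondary: Server = lambda request: b"Access-Accept"
    scheme = RadiusScheme([("10.110.1.1", primary), ("10.110.1.2", secondary)],
                          retry_times=5)
    result = scheme.send(b"Access-Request")
    return result, scheme.sends, scheme.state


if __name__ == "__main__":
    result, sends, state = failover_demo()
    print("answered by", result, "after sends", sends, "states", state)
    # The manual's sample values T=3, t=12, retries=5 give 15 > 12, so they do not
    # satisfy the rule of thumb; 3 retries with the same timers would.
    print("T=3, t=12, retries=5 consistent:", realtime_accounting_consistent(5, 3, 12))
```

In the constructed scenario the primary absorbs five sends and is marked blocked before the secondary answers on its first send; a blocked primary stays out of rotation until it is reactivated (the manual's timer quiet command, not modelled here). Note that the manual's own sample values for retry realtime-accounting (retries 5, T 3, t 12) do not satisfy its rule of thumb, since 5 × 3 = 15 exceeds 12.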
Example
Syntax
View
RADIUS view
Parameter
Description
Using the retry stop-accounting command, you can configure the maximum number of
retransmissions of a stop-accounting request. Using the undo retry stop-accounting
command, you can restore the retransmission count to the default value.
Because the stop-accounting request concerns the account balance and affects the
amount charged, which matters to both the user and the ISP, the NAS shall make its
best effort to deliver the message to the RADIUS accounting server. Accordingly, if a
message from the router to the RADIUS accounting server is not responded to, the
router saves it in a local buffer and retransmits it until the server responds, or
discards the message after transmitting it the specified number of times.
Example
# Specify that the router retransmits an unanswered stop-accounting request to the
servers in the RADIUS scheme "huawei" up to 1000 times.
[Quidway-radius-huawei] retry stop-accounting 1000
Syntax
View
RADIUS view
Parameter
port-number: Specifies the UDP port number, ranging from 1 to 65535. By default, the
accounting service is provided through UDP 1813.
Description
Using the secondary accounting command, you can configure the IP address and
port number for the secondary RADIUS accounting server. Using the undo secondary
accounting command, you can restore the IP address and port number to the defaults.
For detailed information, refer to the description of the primary accounting command.
For the related commands, see key, radius scheme, and state.
Example
# Set the IP address of the secondary accounting server of RADIUS scheme, huawei,
to 10.110.1.1 and the UDP port 1813 to provide RADIUS accounting service.
[Quidway-radius-huawei] secondary accounting 10.110.1.1 1813
Syntax
View
RADIUS view
Parameter
Description
Using the secondary authentication command, you can configure the IP address and
port number of the secondary RADIUS authentication/authorization server. Using the
undo secondary authentication command, you can restore the IP address and port
number to the defaults.
For the related commands, see key, radius scheme, and state.
Example
1.2.19 server-type
Syntax
View
RADIUS view
Parameter
huawei: Specifies the RADIUS server of Huawei type (generally CAMS), which
requires the RADIUS client (router system) and RADIUS server to interact according to
the procedures and packet format provisioned by the private RADIUS protocol of
Huawei Technologies.
iphotel: Specifies the RADIUS server of IP Hotel type, which requires the RADIUS
client end (router system) and RADIUS server to interact according to the procedures
and packet format provisioned by IP Hotel (an extension of the RADIUS protocol).
portal: Specifies the RADIUS server of portal type, which requires the RADIUS client
end (router system) and RADIUS server to interact according to the regulation and
packet format of Portal (an extension of RADIUS protocol).
standard: Specifies the RADIUS server of Standard type, which requires the RADIUS
client end (router system) and RADIUS server to interact according to the regulation
and packet format of standard RADIUS protocol (RFC 2138/2139 or newer).
Description
Using the server-type command, you can configure the RADIUS server type
supported by the router. Using the
Huawei Quidway Series Routers support the standard RADIUS protocol and the extended
RADIUS service platforms IP Hotel, 201+ and Portal developed independently by Huawei
Technologies. This command is used to select the supported RADIUS server type.
Example
1.2.20 state
Syntax
View
RADIUS view
Parameter
active: Sets state of the RADIUS server to active, namely the normal operation state.
Description
Using the state command, you can configure the state of a RADIUS server.
By default, all the RADIUS servers in every RADIUS scheme are in the state of active.
When both the primary and secondary servers are active or blocked, the NAS only
sends packets to the primary server.
For the related commands, see radius scheme, primary authentication, secondary
authentication, primary accounting, and secondary accounting.
Example
# Set the state of the secondary authentication server in the RADIUS scheme “huawei”
to active.
[Quidway-radius-huawei] state secondary authentication active
Syntax
stop-accounting-buffer enable
View
RADIUS view
Parameter
None
Description
Using the stop-accounting-buffer enable command, you can enable the router to
buffer the stop-accounting requests that have received no response. Using the undo
stop-accounting-buffer enable command, you can stop the router from buffering
them.
By default, the router buffers the stop-accounting requests that have received no
response.
Since the stop-accounting packet affects the charge to a user, it matters to both users
and ISPs. Therefore, the NAS makes its best effort to send every stop-accounting
request to the RADIUS accounting servers. If it receives no response after a specified
period of time, the NAS buffers and resends the packet until it receives a response,
or discards the packet when the number of transmission retries reaches the
configured limit.
For the related commands, see reset stop-accounting-buffer, radius scheme, and
display stop-accounting-buffer.
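The buffering and retransmission of unanswered stop-accounting requests described for the stop-accounting-buffer enable and retry stop-accounting commands, as an added Python example written for this page (not code from the manual or the VRP product). Two of the statistics names are taken from the display radius statistics output shown in the manual; the finite buffer capacity, the two extra counters and the flaky server are assumptions made for the example, and all packets are constructed placeholders.

```python
from collections import deque
from typing import Callable, Deque, Dict, List, Optional, Tuple

# Transport to the accounting server: returns the Accounting-Response, or None
# when no response arrives within the response timeout.
Transport = Callable[[bytes], Optional[bytes]]

# The first two counter names appear in the manual's `display radius statistics`
# output; the other two are assumptions added for this example.
NO_RESPONSE = "No-response-acct-stop packet"
OVERFLOW = "Discarded No-response-acct-stop packet for buffer overflow"
RETRY_LIMIT = "Discarded after retry stop-accounting limit (assumed counter)"
ACKED = "Acknowledged (assumed counter)"


class StopAccountingBuffer:
    """Buffer unanswered stop-accounting requests and retransmit them until the
    server answers or the retry stop-accounting limit is reached."""

    def __init__(self, transport: Transport, retry_limit: int, capacity: int,
                 enabled: bool = True):
        self.transport = transport
        self.retry_limit = retry_limit       # total sends allowed per request
        self.capacity = capacity             # assumed finite buffer (hence the overflow counter)
        self.enabled = enabled               # stop-accounting-buffer enable / undo
        self.pending: Deque[List] = deque()  # entries: [session_id, packet, sends_so_far]
        self.stats: Dict[str, int] = {NO_RESPONSE: 0, OVERFLOW: 0, RETRY_LIMIT: 0, ACKED: 0}

    def stop_accounting(self, session_id: str, packet: bytes) -> bool:
        """First transmission of a stop-accounting request; buffer it if unanswered."""
        if self.transport(packet) is not None:
            self.stats[ACKED] += 1
            return True
        self.stats[NO_RESPONSE] += 1
        if not self.enabled:
            return False                     # buffering disabled: the request is lost
        if len(self.pending) >= self.capacity:
            self.stats[OVERFLOW] += 1        # no room: discard and count it
            return False
        self.pending.append([session_id, packet, 1])
        return False

    def retransmit_round(self) -> None:
        """One pass over the buffer, as a periodic retransmission timer would drive it."""
        for _ in range(len(self.pending)):
            session_id, packet, sends = self.pending.popleft()
            if self.transport(packet) is not None:
                self.stats[ACKED] += 1
                continue
            sends += 1
            if sends >= self.retry_limit:
                self.stats[RETRY_LIMIT] += 1  # give up after the configured number of sends
            else:
                self.pending.append([session_id, packet, sends])


def recovery_demo() -> Tuple[Dict[str, int], int]:
    """Constructed scenario: the server ignores the first three packets it sees and
    then answers everything; the buffer holds only two requests."""
    seen = {"n": 0}

    def flaky(packet: bytes) -> Optional[bytes]:
        seen["n"] += 1
        return b"Accounting-Response" if seen["n"] > 3 else None

    buf = StopAccountingBuffer(flaky, retry_limit=1000, capacity=2)
    buf.stop_accounting("s1", b"Accounting-Request stop s1")   # unanswered, buffered
    buf.stop_accounting("s2", b"Accounting-Request stop s2")   # unanswered, buffered
    buf.stop_accounting("s3", b"Accounting-Request stop s3")   # unanswered, buffer full
    buf.retransmit_round()                                     # s1 and s2 now answered
    return buf.stats, len(buf.pending)


def give_up_demo() -> Tuple[Dict[str, int], int]:
    """Constructed scenario: the server never answers and the limit is two sends."""
    buf = StopAccountingBuffer(lambda packet: None, retry_limit=2, capacity=10)
    buf.stop_accounting("s1", b"Accounting-Request stop s1")   # send 1, buffered
    buf.retransmit_round()                                     # send 2 reaches the limit
    return buf.stats, len(buf.pending)


if __name__ == "__main__":
    print("recovery:", recovery_demo())
    print("give up: ", give_up_demo())
```

The overflow counter is the one to watch operationally: a rising "Discarded No-response-acct-stop packet for buffer overflow" in display radius statistics means stop-accounting records are being lost outright rather than merely delayed, which is the billing-consistency problem the description above is concerned with.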
Example
# In the RADIUS scheme “Huawei”, enable the router to buffer the stop-accounting
requests that have no responses.
[Quidway-radius-huawei] stop-accounting-buffer enable
Syntax
View
RADIUS view
Parameter
minutes: Ranges from 1 to 255. By default, the primary server must wait five minutes
before it can resume the active state.
Description
Using the timer quiet command, you can set the duration that the primary server must
wait before it can resume the active state. Using the undo timer quiet command, you
can restore the default (five minutes).
Example
# Set the quiet timer for the primary server to ten minutes.
[Quidway] radius scheme test1
[Quidway-radius-test1] timer quiet 10
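The server-state behaviour described above (servers start active, the NAS sends to the primary while both servers are in the same state, a blocked primary returns to active only after the quiet timer expires) is easiest to see in a small simulation. The following is an added example, not code from the manual or from VRP; the timeline, the "reachable" sets and the assumption that the NAS fails over at most once per request are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Server:
    name: str
    state: str = "active"            # manual: every server starts in the active state
    blocked_at: Optional[float] = None


@dataclass
class RadiusScheme:
    primary: Server
    secondary: Server
    quiet_minutes: int = 5           # "timer quiet" default from the manual
    log: List[str] = field(default_factory=list)

    def _refresh(self, now: float) -> None:
        """A blocked server resumes the active state once the quiet timer has run out."""
        for s in (self.primary, self.secondary):
            if s.state == "blocked" and now - s.blocked_at >= self.quiet_minutes * 60:
                s.state, s.blocked_at = "active", None
                self.log.append(f"{now:.0f}s: {s.name} resumed active state")

    def choose(self, now: float) -> Server:
        """Manual: when both servers are in the same state (both active or both
        blocked) the NAS sends only to the primary; otherwise to the active one."""
        self._refresh(now)
        if self.primary.state == self.secondary.state:
            return self.primary
        return self.primary if self.primary.state == "active" else self.secondary

    def send(self, now: float, reachable: Set[str]) -> Optional[str]:
        """Send one request at time `now`; `reachable` is the constructed set of
        servers that would answer. A server that does not answer is marked
        blocked. Assumption: the NAS fails over at most once per request."""
        for _ in range(2):
            s = self.choose(now)
            if s.name in reachable:
                self.log.append(f"{now:.0f}s: {s.name} answered")
                return s.name
            if s.state == "active":
                s.state, s.blocked_at = "blocked", now
                self.log.append(f"{now:.0f}s: {s.name} blocked")
        return None


def failover_timeline(quiet_minutes: int = 5) -> List[Tuple[int, Optional[str]]]:
    """Constructed outage: the primary stops answering at t=60s and is reachable
    again at t=200s, but the quiet timer keeps it out of rotation until it expires."""
    scheme = RadiusScheme(Server("primary"), Server("secondary"), quiet_minutes)
    events = [
        (0, {"primary", "secondary"}),
        (60, {"secondary"}),
        (120, {"secondary"}),
        (200, {"primary", "secondary"}),
        (60 + quiet_minutes * 60, {"primary", "secondary"}),
    ]
    return [(t, scheme.send(t, up)) for t, up in events]


if __name__ == "__main__":
    for t, who in failover_timeline():
        print(f"t={t:4d}s -> {who}")
```

The t=200s step is the one worth noticing when troubleshooting: the primary is reachable again, yet the NAS keeps using the secondary until the quiet timer (five minutes by default) has elapsed, so a short quiet timer trades faster fail-back for more traffic to a flapping server.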
Syntax
View
RADIUS view
Parameter
Description
For the related commands, see retry realtime-accounting and radius scheme.
Example
# Set the real-time accounting interval in the RADIUS scheme “huawei” to 51 minutes.
[Quidway-radius-huawei] timer realtime-accounting 51
Syntax
View
RADIUS view
Parameter
Description
Using the timer response-timeout command, you can configure the RADIUS server
response timer. Using the undo timer command, you can restore the default.
If the NAS receives no response from the RADIUS server after sending a RADIUS
request (authentication/authorization or accounting request) for a period of time, the
NAS resends the request, thus ensuring the user can obtain the RADIUS service. You
can specify this period by setting the RADIUS server response timeout timer, taking into
consideration the network condition and the desired system performance.
Example
# Set the response timeout timer in the RADIUS scheme huawei to 5 seconds.
[Quidway-radius-huawei] timer response-timeout 5
1.2.25 user-name-format
Syntax
View
RADIUS view
Parameter
with-domain: Includes the ISP domain name in the username sent to the RADIUS
server.
without-domain: Excludes the ISP domain name from the username sent to the
RADIUS server.
Description
Using the user-name-format command, you can configure the format of the username
to be sent to a RADIUS server.
Note:
If a RADIUS scheme is configured to send the username without the ISP domain name, do not apply that
RADIUS scheme to more than one ISP domain; otherwise the RADIUS server would treat two users in
different ISP domains that have the same userid as one user.
Example
# Send the username without the domain name to the RADIUS servers in the RADIUS
scheme "huawei".
[Quidway-radius-huawei] user-name-format without-domain
1.3.1 data-flow-format
Syntax
View
HWTACACS view
Parameter
Description
Using the data-flow-format command, you can configure the unit of data flow that is
sent to the HWTACACS server. Using the undo data-flow-format command, you can
restore the default setting.
By default, the data unit is byte and the data packet unit is one-packet.
Example
# Set the unit of data flow destined for the HWTACACS server "huawei" to kilo-byte
and the data packet unit to kilo-packet.
[Quidway-hwtacacs-huawei] data-flow-format data kilo-byte packet kilo-packet
Syntax
View
User view
Parameter
Description
Using the debugging hwtacacs command, you can enable HWTACACS debugging.
Using the undo debugging hwtacacs command, you can disable HWTACACS
debugging.
Example
Syntax
View
Any view
Parameter
Description
Using the display hwtacacs command, you can view configuration information of one
or all HWTACACS schemes.
Example
Syntax
View
Any view
Parameter
Description
Using the display stop-accounting-buffer command, you can view information on the
stop-accounting requests buffered in the router.
Example
Syntax
View
System view
Parameter
ip-address: Specifies a source IP address, which must be the address of this device. It
cannot be the address of all zeros, or a host/network address of class A, B, or C, or an
address starting with 127.
Description
Using the hwtacacs nas-ip command, you can specify the source address of the
HWTACACS packets sent from the NAS. Using the undo hwtacacs nas-ip command, you
can restore the default setting.
By specifying the source address of the HWTACACS packets, you can avoid the situation
where packets returned by the server cannot reach the NAS after an interface failure.
A loopback interface address is normally recommended as the source address.
By default, no source address is specified, that is, the address of the interface
sending the packet serves as the source address.
This command specifies only one source address; a newly configured source address
therefore overwrites the previous one.
Example
Syntax
View
System view
Parameter
Description
Using the hwtacacs scheme command, you can enter HWTACACS Server view. If the
specified HWTACACS scheme does not exist, this command creates it. Using the
undo hwtacacs scheme command, you can delete an HWTACACS scheme.
Example
# Create an HWTACACS scheme named "test1" and enter the relevant HWTACACS
Server view.
[Quidway] hwtacacs scheme test1
[Quidway-hwtacacs-test1]
1.3.7 key
Syntax
View
HWTACACS view
Parameter
string: The shared key, a string up to 16 characters excluding the characters “/”, “:”, “*”,
“?”, “<”, and “>”.
Description
Using the key command, you can configure a shared key for HWTACACS
authentication, authorization or accounting. Using the undo key command, you can
delete the configuration.
The HWTACACS client (the router) and the HWTACACS server use the MD5 algorithm to
encrypt the packets they exchange, and each end verifies received packets with the
shared key. Only when both ends use the same key can they accept each other's packets
and respond. You must therefore configure the same key on the router and on the
HWTACACS server. If authentication/authorization and accounting are performed by two
different servers with different shared keys, you must set one shared key for each.
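To make concrete what the shared key does to a packet, the following added example (not code from the manual or from VRP) builds a TACACS+ style authentication START packet and obfuscates its body with the MD5-derived pad of RFC 8907 section 4.5. HWTACACS is Huawei's variant of TACACS+; it is an assumption here that it keeps the same MD5-based body construction. The session id, key and user values are constructed.

```python
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER = 0x0
TAC_PLUS_AUTHEN = 0x01                     # packet type: authentication
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenated, truncated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def transform_body(body: bytes, session_id: int, key: bytes, seq_no: int, version: int = VERSION) -> bytes:
    """XOR the body with the pad; the same call obfuscates and restores."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1, ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    flags = 0                               # unencrypted flag not set: body is obfuscated
    header = struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + transform_body(body, session_id, key, seq_no, VERSION)


def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Recover the body with the receiver's key; a different key yields garbage."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    return transform_body(body, session_id, key, seq_no, version)


def authen_start_body(user: str, port: str = "vty0", rem_addr: str = "192.0.2.10") -> bytes:
    """Constructed authentication START body (RFC 8907 section 5.1): action=LOGIN(1),
    priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1), then the four length fields."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(u), len(p), len(r), 0) + u + p + r


def start_body_consistent(body: bytes) -> bool:
    """Sanity check of a decoded START body: the length fields must add up to the body
    length. The protocol has no MAC, so a mismatched shared key is usually noticed this
    way: the wrong pad almost never produces a body whose lengths are consistent."""
    if len(body) < 8:
        return False
    user_len, port_len, rem_len, data_len = body[4:8]
    return 8 + user_len + port_len + rem_len + data_len == len(body)


if __name__ == "__main__":
    pkt = build_packet(authen_start_body("alice"), 0x1234ABCD, b"s3cret")
    print("right key consistent:", start_body_consistent(parse_packet(pkt, b"s3cret")))
    print("wrong key consistent:", start_body_consistent(parse_packet(pkt, b"wrong")))
```

Because the body is only XORed with an MD5 keystream, the shared key is all that keeps credentials in the body from being read by anyone on the path between the NAS and the server; a long, unique key per scheme and a management network that is not shared with user traffic are the usual mitigations.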
Example
1.3.8 nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
HWTACACS view
Parameter
Description
Using the nas-ip command, you can have all the HWTACACS packets sent by the NAS
(the router) carry the same source address. Using the undo nas-ip command, you can
delete the setting.
Specifying a source address for the HWTACACS packets to be transmitted can avoid
the situation where the packets sent back by the HWTACACS server cannot be
received as the result of a physical interface failure. The address of a loopback
interface is usually used as the source address.
By default, the source IP address of a HWTACACS packet sent by the NAS is the IP
address of the output port.
Example
# Set the source IP address carried in the HWTACACS packets that are sent by the
NAS to 10.1.1.1.
[Quidway] hwtacacs scheme test1
[Quidway-hwtacacs-test1] nas-ip 10.1.1.1
Syntax
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Using the primary accounting command, you can configure a primary HWTACACS
accounting server. Using the undo primary accounting command, you can delete the
configured primary HWTACACS accounting server.
You are not allowed to assign the same IP address to both primary and secondary
accounting servers.
You can configure only one primary accounting server in an HWTACACS scheme. If you
repeatedly use this command, the latest configuration replaces the previous one.
You can remove an accounting server only when it is not being used by any active TCP
connections, and the removal impacts only packets forwarded afterwards.
Example
Syntax
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
You are not allowed to assign the same IP address to both primary and secondary
authentication servers.
You can configure only one primary authentication server in an HWTACACS scheme. If
you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an authentication server only when it is not being used by any active
TCP connections, and the removal impacts only packets forwarded afterwards.
Example
Syntax
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Using the primary authorization command, you can configure a primary HWTACACS
authorization server. Using the undo primary authorization command, you can delete
the configured primary authorization server.
You are not allowed to assign the same IP address to both primary and secondary
authorization servers.
You can configure only one primary authorization server in an HWTACACS scheme. If
you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an authorization server only when it is not being used by any active
TCP connections, and the removal impacts only packets forwarded afterwards.
Example
Syntax
View
User view
Parameter
Description
Using the reset hwtacacs statistics command, you can clear HWTACACS protocol
statistics.
Example
Syntax
View
User view
Parameter
Description
Using the reset stop-accounting-buffer command, you can clear the stop-accounting
requests that have no response and are buffered on the router.
Example
# Delete the buffered stop-accounting requests that are related to the HWTACACS
scheme “huawei”.
<Quidway> reset stop-accounting-buffer hwtacacs-scheme huawei
Syntax
View
HWTACACS view
Parameter
Description
Using the retry stop-accounting command, you can enable stop-accounting packet
retransmission and configure the maximum number of stop-accounting request
attempts. Using the undo retry stop-accounting command, you can restore the
default setting.
Example
Syntax
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
You are not allowed to assign the same IP address to both primary and secondary
accounting servers.
You can configure only one secondary accounting server in an HWTACACS scheme. If
you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an accounting server only when it is not being used by any active TCP
connections, and the removal impacts only packets forwarded afterwards.
Example
Syntax
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
You are not allowed to assign the same IP address to both primary and secondary
authentication servers.
You can configure only one primary authentication server in an HWTACACS scheme. If
you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an authentication server only when it is not being used by any active
TCP connections, and the removal impacts only packets forwarded afterwards.
Example
Syntax
View
HWTACACS view
Parameter
ip-address: IP address of the server, a legal unicast address in dotted decimal format.
port: Port number of the server, ranging from 1 to 65535. By default, it is 49.
Description
You are not allowed to assign the same IP address to both primary and secondary
authorization servers.
You can configure only one primary authorization server in an HWTACACS scheme. If
you repeatedly use this command, the latest configuration replaces the previous one.
You can remove an authorization server only when it is not being used by any active
TCP connections, and the removal impacts only packets forwarded afterwards.
Example
Syntax
View
HWTACACS view
Parameter
minutes: Ranges from 1 to 255 minutes. By default, the primary server must wait five
minutes before it resumes the active state.
Description
Using the timer quiet command, you can set the duration that a primary server must
wait before it can resume the active state. Using the undo timer quiet command, you
can restore the default (five minutes).
Example
# Set the quiet timer for the primary server to ten minutes.
Syntax
View
HWTACACS view
Parameter
Description
For the related commands, see retry realtime-accounting and radius scheme.
Example
Syntax
View
HWTACACS view
Parameter
Description
Using the timer response-timeout command, you can set the response timeout timer
of the HWTACACS server. Using the undo timer response-timeout command, you
can restore the default (five seconds).
Note:
Because HWTACACS runs over TCP, either the server response timeout or the TCP timeout may
cause the connection to the HWTACACS server to be torn down.
Example
1.3.21 user-name-format
Syntax
View
HWTACACS view
Parameter
with-domain: Sends the username together with the domain name to the HWTACACS
server.
Description
Using the user-name-format command, you can configure the format of the username
sent to the HWTACACS server.
Supplicants are generally named in the "userid@isp-name" format, where the part
following "@" is the ISP domain name. The router assigns users to ISP domains
according to this domain name. However, some earlier HWTACACS servers reject
usernames that include an ISP domain name; for those servers the domain name must
be removed before the username is sent. This command therefore lets you decide
whether the username sent to the HWTACACS server carries the ISP domain name.
Note:
If an HWTACACS scheme is configured to send usernames without the ISP domain name, do not use that
scheme in more than one ISP domain at the same time. Otherwise, the HWTACACS server will mistakenly
regard two users in different ISP domains as the same user if they have the same username (excluding
their respective domain names).
Example
# Specify to send the username without domain name to the HWTACACS scheme
"huawei".
[Quidway-hwtacacs-huawei] user-name-format without-domain
Command Manual – Security Chapter 2 Access Control List Configuration
VRP3.4 Commands
2.1.1 acl
Syntax
View
System View
Parameter
acl-number: ACL number, with the range 1000 to 1999 for interface-based ACLs, 2000
to 2999 for basic ACLs, 3000 to 3999 for advanced ACLs, and 4000 to 4999 for
MAC-based ACLs.
config: Matches rules in the order in which the user configured them.
auto: Matches rules in automatic order (according to the "depth-first" principle).
Description
Using the acl command, you can create an access control list and enter ACL view.
Using the undo acl command, you can delete an access control list.
An access control list is a list of rules, each expressed as a permit or deny
statement; together these rules form the ACL. Before configuring the rules of an
access control list, you must create the access control list first.
Example
Syntax
View
Any view
Parameter
Description
Using the display acl command, you can view the rules of an access control list.
The match order defaults to config, that is, the configuration order; in that case the
display command does not show the match order. If the match order is auto, the
display command shows it.
Example
Syntax
View
User View
Parameter
Description
Using the reset acl counter command, you can clear the statistics of an access
control list.
Example
2.1.4 rule
Syntax
View
ACL view
Parameter
rule-id: Optional ID of an ACL rule, ranging from 0 to 127. If you specify a rule-id
and a rule with that ID already exists, the newly defined rule overwrites the existing
one, which amounts to editing the existing rule. If the specified rule-id does not
exist, a new rule with that ID is created. If you do not specify a rule-id, a new rule
is created and the system assigns it a rule-id automatically.
protocol: Protocol type over IP expressed by name or number. The number range is
from 0 to 255, and the name range covers gre, icmp, igmp, ip, ipinip, ospf, tcp and udp.
source: Optional. Specifies the source address information of the ACL rule. If it is
not configured, packets with any source address match.
source-port: Optional. Specifies the source port of TCP or UDP packets; valid only
when the protocol specified by the rule is TCP or UDP. If it is not specified, TCP/UDP
packets with any source port match.
port: Optional. TCP or UDP port number, expressed by name or number. The number
ranges from 0 to 65535.
icmp-type: Optional. Specifies the ICMP message type and message code; valid only
when the protocol is ICMP. If it is not configured, any ICMP packet matches.
icmp-type: ICMP packets can be filtered by ICMP message type, a number ranging
from 0 to 255.
icmp-code: ICMP packets filtered by message type can also be filtered by message
code, a number ranging from 0 to 255.
logging: Optional, indicating whether to log qualified packets. The log contents include
sequence number of ACL rule, packets passed or discarded, upper layer protocol type
over IP, source/destination address, source/destination port number, and number of
packets.
fragment: Specifies that this rule applies only to fragments other than the first
fragment of a packet.
rule-id: ID of an ACL rule, it should be an existing ACL rule number. If the command is
not followed by other parameters, this ACL rule will be deleted completely; otherwise,
only part of information related to this ACL rule will be deleted.
source: Optional. Only the information settings related to the source address part of
the ACL rule number will be deleted.
destination: Optional. Only the information setting related to the destination address
part of the ACL rule number will be deleted.
source-port: Optional. Only the information setting related to the source port part of the
ACL rule number will be deleted, valid only when the protocol is TCP or UDP.
destination-port: Optional. Only the information setting related to the destination port
part of the ACL rule number will be deleted, valid only when the protocol is TCP or UDP.
icmp-type: Optional. Only the information setting related to ICMP type and message
code part of the ACL rule number will be deleted, valid only when the protocol is ICMP.
precedence: Optional. Only the setting of precedence configuration of the ACL rule will
be deleted.
tos: Optional. Only related tos setting corresponding to the ACL rule will be deleted.
time-range: Optional. Only the setting corresponding to the time range part of the ACL
rule will be deleted.
logging: Optional. Only the setting corresponding to the logging part of the ACL rule
will be deleted.
fragment: Optional. Only the setting that restricts the ACL rule to non-first fragments
will be deleted.
vpn-instance: Optional. If specified, the deletion removes only the vpn-instance
setting of the specified ACL rule.
type-code: Type of the data frame, a 16-bit hexadecimal number corresponding to the
type-code field in Ethernet_II and Ethernet_SNAP frames.
type-mask: A 16-bit hexadecimal number used to specify the mask bits.
lsap-mask: LSAP mask, a 16-bit hexadecimal number used to specify the mask bits.
sour-addr: Source MAC address in the format xxxx-xxxx-xxxx, used to match the
source address of a packet.
dest-addr: Destination MAC address in the format xxxx-xxxx-xxxx, used to match the
destination address of a packet.
Description
Using the rule command, you can add a rule in the current ACL view. Using the undo
rule command, you can delete a rule.
The rule ID is needed when you delete a rule. If you do not know the ID, use the
display acl command to find it.
Example
# Add a rule to permit hosts in the network segment 129.9.0.0 to send WWW packets to
hosts in the network segment 202.38.160.0.
[Quidway-acl-adv-3001] rule permit tcp source 129.9.0.0 0.0.255.255
destination 202.38.160.0 0.0.0.255 destination-port eq www
# Add a rule to deny WWW access (port 80) from hosts in the network segment 129.9.0.0
to hosts in the network segment 202.38.160.0, and log the packets that match the rule.
[Quidway-acl-adv-3001] rule deny tcp source 129.9.0.0 0.0.255.255 destination
202.38.160.0 0.0.0.255 destination-port eq www logging
# Add a rule to permit WWW access (port 80) from hosts in the network segment
129.9.8.0 to hosts in the network segment 202.38.160.0.
[Quidway-acl-adv-3001] rule permit tcp source 129.9.8.0 0.0.0.255 destination
202.38.160.0 0.0.0.255 destination-port eq www
# Add a rule to prohibit all hosts from establishing Telnet (port 23) connections to
the host with the IP address 202.38.160.1.
[Quidway-acl-adv-3001] rule deny tcp destination 202.38.160.1 0
destination-port eq telnet
# Add a rule to deny UDP connections with a destination port number greater than 128
from hosts in the network segment 129.9.8.0 to hosts in the network segment
202.38.160.0.
[Quidway-acl-adv-3001] rule deny udp source 129.9.8.0 0.0.0.255 destination
202.38.160.0 0.0.0.255 destination-port gt 128
# Add a rule to deny packets carrying the source address 1.1.1.1 from VPN instance vrf1.
[Quidway-acl-adv-3001] rule deny ip source 1.1.1.1 vpn-instance vrf1
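The rules above are a good test set for seeing how wildcard masks, port operators and the config/auto match order interact. The following is an added example, not code from the manual or from VRP: a small matcher that evaluates VRP-style advanced ACL rules against constructed packets. Wildcard masks work as on the router (a 1 bit means "do not care"). The "auto" order is a simplified depth-first ordering (narrower source range first, then narrower destination range); the exact tie-break rules of the VRP implementation are not reproduced, the vpn-instance keyword is not modelled, and rule 1 below is a constructed narrower deny added only to show that the match order can change the verdict.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

PORT_NAMES = {"www": 80, "telnet": 23}     # port names used in the manual's examples

AddrSpec = Optional[Tuple[str, str]]       # (address, wildcard); None means "any"


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                            # "permit" or "deny"
    protocol: str                          # "ip", "tcp", "udp" or "icmp"
    source: AddrSpec = None
    destination: AddrSpec = None
    dest_port: Optional[Tuple[str, int]] = None   # (operator, port); operator in eq/gt/lt
    logging: bool = False


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None


def _ip_int(text: str) -> int:
    # The router accepts a bare "0" as the wildcard of an exact host match.
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    """A 1 bit in the wildcard means 'do not care'; all other bits must be equal."""
    if spec is None:
        return True
    care = ~_ip_int(spec[1]) & 0xFFFFFFFF
    return _ip_int(addr) & care == _ip_int(spec[0]) & care


def port_match(port: Optional[int], spec: Optional[Tuple[str, int]]) -> bool:
    if spec is None:
        return True
    if port is None:
        return False
    op, value = spec
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    return (wildcard_match(pkt.src, rule.source)
            and wildcard_match(pkt.dst, rule.destination)
            and port_match(pkt.dport, rule.dest_port))


def _range_bits(spec: AddrSpec) -> int:
    """Number of 'do not care' bits; 32 for 'any'. Fewer bits = narrower rule."""
    return 32 if spec is None else bin(_ip_int(spec[1])).count("1")


def evaluate(rules: Sequence[Rule], pkt: Packet, match_order: str = "config",
             default: str = "permit") -> Tuple[str, Optional[int]]:
    """Return (action, rule_id) of the first matching rule, or (default, None).
    'config' keeps configuration order; 'auto' is the simplified depth-first order."""
    ordered = list(rules)
    if match_order == "auto":
        ordered.sort(key=lambda r: (_range_bits(r.source), _range_bits(r.destination)))
    for r in ordered:
        if rule_matches(r, pkt):
            return r.action, r.rule_id
    return default, None


def port(name_or_number) -> int:
    return PORT_NAMES.get(name_or_number, name_or_number)


# Rules from the manual's examples for ACL 3001 in configuration order; rule 1 is a
# constructed narrower deny added to show how the match order changes the verdict.
ACL_3001: List[Rule] = [
    Rule(0, "permit", "tcp", ("129.9.0.0", "0.0.255.255"), ("202.38.160.0", "0.0.0.255"), ("eq", port("www"))),
    Rule(1, "deny", "tcp", ("129.9.8.0", "0.0.0.255"), ("202.38.160.0", "0.0.0.255"), ("eq", port("www")), True),
    Rule(2, "deny", "tcp", None, ("202.38.160.1", "0"), ("eq", port("telnet"))),
    Rule(3, "deny", "udp", ("129.9.8.0", "0.0.0.255"), ("202.38.160.0", "0.0.0.255"), ("gt", 128)),
    Rule(4, "deny", "ip", ("1.1.1.1", "0")),           # vpn-instance vrf1 is not modelled
]

if __name__ == "__main__":
    web = Packet("tcp", "129.9.8.5", "202.38.160.7", 80)
    print("config order:", evaluate(ACL_3001, web, "config"))
    print("auto order:  ", evaluate(ACL_3001, web, "auto"))
```

The same web packet is permitted by rule 0 in config order but denied by the narrower rule 1 in auto order, which is why a rule added "later" can silently change behaviour on an ACL that uses auto matching, and why a broad permit placed first shadows every narrower deny behind it in config order.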
Syntax
View
Any view
Parameter
Description
Using the display time-range command, you can view the configuration and status
of a time range. A time range that is currently active is displayed as "active"; an
inactive one is displayed as "inactive".
The system updates ACL status with a delay of about one minute, whereas display
time-range shows the status of the time range at the current moment exactly. The
following case may therefore occur: display time-range shows that a time range is
active, but the ACL that should be active within that time range is still inactive. This
is normal.
Example
2.2.2 time-range
Syntax
View
System view
Parameter
days: Indicates on which day of a week the time range is valid or from which day in a
week the time range is valid. The following parameters can be input:
Number (0 to 6);
from time1 date1: Optional. Indicates the start time and date. The time is entered as
hh:mm in 24-hour notation, where hh ranges from 0 to 23 and mm from 0 to 59. The date
is entered as MM/DD/YYYY, where DD ranges from 1 to 31, MM from 1 to 12, and YYYY is
a 4-digit year. If no start time is set, there is no restriction on the start time and
only the end time is considered.
to time2 date2: Optional. Indicates the end time and date, entered in the same format
as the start time and date. The end time must be later than the start time. If no end
time is set, the end time is the maximum time the system can represent.
Description
Using the time-range command, you can specify a time range. Using the undo
time-range command, you can delete a time range.
A time range consists of two parts. The first is a periodic time range within a week,
described by the start-time and end-time parameters, with the days parameter
specifying on which days it is valid. The second is an absolute time range specified
by from and to, which bounds the period during which the periodic time range is valid.
You can configure multiple time ranges with the same time-name; they are combined
in an "OR" relationship.
Example
# Configure a time range that is valid from 0:00 on Jan. 1, 2003 onward.
[Quidway] time-range test from 0:0 1/1/2003
# Configure a time range that is valid between 14:00 and 16:00 on every weekend day,
from 20:00 on Apr. 1, 2003 to 20:00 on Dec. 10, 2003.
[Quidway] time-range test 14:00 to 16:00 off-day from 20:00 04/01/2003 to 20:00
12/10/2003
# Configure the time range valid between 8:00 and 18:00 in each working day.
[Quidway] time-range test 8:00 to 18:00 working-day
# Configure the time range valid between 14:00 and 18:00 in each weekend day.
[Quidway] time-range test 14:00 to 18:00 off-day
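The periodic-plus-absolute semantics and the OR relationship between ranges sharing a name are easy to get wrong when reviewing a configuration, so the following added example (not code from the manual or from VRP) parses time-range command lines like the ones above and evaluates whether a named range is active at a given moment. Assumptions: numeric days count 0 = Sunday through 6 = Saturday (the manual only says 0 to 6), working-day means Monday to Friday, off-day means Saturday and Sunday, a periodic part without days means every day, and a missing to means no upper bound. The periodic-plus-absolute example line is given the constructed name "maint" so that it is not ORed with the plain "test" ranges.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

# Assumption: numeric days count 0 = Sunday .. 6 = Saturday.
DAY_GROUPS = {"daily": set(range(7)), "working-day": {1, 2, 3, 4, 5}, "off-day": {0, 6}}


def parse_days(tokens: List[str]) -> Set[int]:
    days: Set[int] = set()
    for t in tokens:
        if t in DAY_GROUPS:
            days |= DAY_GROUPS[t]
        elif t.isdigit() and 0 <= int(t) <= 6:
            days.add(int(t))
        else:
            raise ValueError(f"unknown day specification {t!r}")
    return days


def parse_stamp(hhmm: str, date: str) -> datetime:
    """hh:mm and MM/DD/YYYY as in the manual; leading zeros are optional."""
    return datetime.strptime(f"{hhmm} {date}", "%H:%M %m/%d/%Y")


@dataclass
class TimeRange:
    start: Optional[time] = None          # periodic part; None = no periodic restriction
    end: Optional[time] = None
    days: Optional[Set[int]] = None
    begin: Optional[datetime] = None      # absolute part ("from"); None = no lower bound
    finish: Optional[datetime] = None     # absolute part ("to"); None = no upper bound

    def active(self, now: datetime) -> bool:
        if self.begin is not None and now < self.begin:
            return False
        if self.finish is not None and now > self.finish:
            return False
        if self.start is not None:
            sunday_based = (now.weekday() + 1) % 7      # Python: Monday = 0
            if sunday_based not in self.days:
                return False
            if not self.start <= now.time() <= self.end:
                return False
        return True


def parse_time_range(line: str) -> Tuple[str, TimeRange]:
    """Parse one 'time-range NAME [hh:mm to hh:mm days...] [from t d] [to t d]' line."""
    toks = line.split()
    if toks[0] != "time-range":
        raise ValueError("not a time-range command")
    name, rest, tr = toks[1], toks[2:], TimeRange()
    i = 0
    if rest and ":" in rest[0]:                        # periodic part present
        tr.start = datetime.strptime(rest[0], "%H:%M").time()
        tr.end = datetime.strptime(rest[2], "%H:%M").time()   # rest[1] is "to"
        i = 3
        day_tokens = []
        while i < len(rest) and rest[i] not in ("from", "to"):
            day_tokens.append(rest[i])
            i += 1
        tr.days = parse_days(day_tokens) if day_tokens else set(range(7))
    while i + 2 < len(rest):                           # absolute part(s)
        if rest[i] == "from":
            tr.begin = parse_stamp(rest[i + 1], rest[i + 2])
        elif rest[i] == "to":
            tr.finish = parse_stamp(rest[i + 1], rest[i + 2])
        i += 3
    return name, tr


class TimeRangeTable:
    """Ranges that share a name are ORed, as the manual states."""

    def __init__(self, lines: List[str]):
        self.ranges: Dict[str, List[TimeRange]] = {}
        for ln in lines:
            name, tr = parse_time_range(ln)
            self.ranges.setdefault(name, []).append(tr)

    def is_active(self, name: str, now: datetime) -> bool:
        return any(tr.active(now) for tr in self.ranges.get(name, []))


# The manual's example lines; "maint" is a constructed name for the third one.
EXAMPLE_CONFIG = [
    "time-range always from 0:0 1/1/2003",
    "time-range maint 14:00 to 16:00 off-day from 20:00 04/01/2003 to 20:00 12/10/2003",
    "time-range test 8:00 to 18:00 working-day",
    "time-range test 14:00 to 18:00 off-day",
]

if __name__ == "__main__":
    table = TimeRangeTable(EXAMPLE_CONFIG)
    print("test on Mon 2003-06-09 10:00:", table.is_active("test", datetime(2003, 6, 9, 10, 0)))
    print("maint on Sat 2003-06-07 15:00:", table.is_active("maint", datetime(2003, 6, 7, 15, 0)))
```

Note what the OR relationship does to the manual's own sequence: if the "from 0:0 1/1/2003" line had been kept under the name test as well, every later moment would make test active regardless of the working-day and off-day lines, which is the kind of silent widening a configuration review should catch.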
Command Manual – Security
VRP3.4 Chapter 3 Firewall Configuration Commands
Syntax
View
User view
Parameter
others: Debugging information of all the other packets except ICMP, TCP and UDP.
Description
Using the debugging firewall command, you can enable the information debugging of
the firewall packet filtering. Using the undo debugging firewall command, you can
disable the information debugging of the firewall packet filtering.
Example
Syntax
View
Any view
Parameter
Description
Using the display firewall-statistics command, you can view the firewall statistics.
Example
Syntax
View
System view
Parameter
Description
Using the firewall default command, you can configure the default filtering rule of the
firewall, whether to be “permit” or “deny”.
Example
Syntax
firewall enable
View
System view
Parameter
None
Description
Using the firewall enable command, you can enable the firewall. Using the undo
firewall enable command, you can disable the firewall.
Example
Syntax
firewall fragments-inspect
View
System view
Parameter
None
Description
Using the firewall fragments-inspect command, you can enable the fragment
inspection switch. Using the undo firewall fragments-inspect command, you can
disable the fragment inspection switch.
This command is the prerequisite for exact matching: only after the fragment
inspection switch is enabled can fragments be matched exactly. The packet filtering
firewall then records the status of each fragment and performs exact matching against
advanced ACL rules using the information above layer 3 (the IP layer).
Recording fragment status consumes some system resources. If the exact match mode
is not used, you are recommended to disable this function to improve the running
efficiency of the system and reduce its cost. Exact matching takes effect only while
fragment inspection is enabled.
For the related commands, see display firewall fragments-inspect and firewall
packet-filter.
Example
Syntax
View
System view
Parameter
high number: Specifies the high threshold of the fragment status records. It is in the
range from 100 to 10000.
low number: Specifies the low threshold of the fragment status records. It is in the
range from 100 to 10000.
default: Default number of fragment status records. The default high threshold of the
fragment status records is 2000 and the default low threshold of the fragment status
records is 1500.
Description
Using the firewall fragments-inspect { high | low } command, you can configure the
high and low thresholds of the fragment inspection records. Using the undo firewall
fragments-inspect { high | low } command, you can restore the default high and low
thresholds.
If the fragment inspection switch is enabled and exact match filtering is applied, the
efficiency of packet filtering is slightly reduced, and the more matching entries are
configured, the greater the reduction. The high and low thresholds therefore bound the
number of records: when the number of fragment status records reaches the high
threshold, the oldest status entries are deleted until the number of records falls
below the low threshold.
Example
# Configure the high threshold for fragment packet inspection to 3000 and configure the
low threshold to the default value.
[Quidway] firewall fragments-inspect high 3000
[Quidway] firewall fragments-inspect low default
Syntax
View
Interface view
Parameter
match-fragments: Specifies the matching mode for fragments. This parameter can only
be applied to advanced ACLs.
Packet filtering on the VRP platform can filter fragments: it matches and filters all
fragments at layer 3 (the IP layer) by source IP address, destination IP address, and
so on. For advanced ACL rules that contain extended information such as TCP/UDP port
numbers or ICMP types, it also provides standard matching and exact matching.
Standard matching uses only layer 3 information and ignores everything above layer 3.
Exact matching matches packets against the complete advanced ACL rule; for this the
firewall must store the state of the first fragment to obtain the full matching
information for the subsequent fragments. Standard matching is the default.
Description
Using the firewall packet-filter command, you can apply the access control list to the
corresponding interface. Using the undo firewall packet-filter command, you can
delete the corresponding setting.
Interface-based ACL (namely ACL rule with sequence number from 1000 to 1999) can
only use the parameter outbound.
For related command, see acl, display acl and firewall fragments-inspect.
Example
# Apply ACL 1001 to the Serial1/0/0 interface to filter the packets forwarded by the
interface.
[Quidway-Serial1/0/0] firewall packet-filter 1001 outbound
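The standard/exact matching of fragments and the high/low thresholds of the fragment status records, as an added Python model (not VRP code). The rule semantics when the port is unknown, the oldest-first eviction order and every address except 10.1.1.1 are my assumptions.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    """One IP fragment. Only the first fragment (offset 0) carries the TCP/UDP header."""
    src: str
    dst: str
    ip_id: int                   # IPv4 identification, shared by all fragments of a datagram
    offset: int                  # fragment offset; 0 marks the first fragment
    dport: Optional[int] = None  # destination port, present only when offset == 0


@dataclass
class Rule:
    """An advanced-ACL style rule: layer-3 criteria plus optional extended (port) criteria."""
    action: str                  # "permit" or "deny"
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None  # extended information that is not part of the third layer


class FragmentFilter:
    """Standard vs exact matching, with the high/low thresholds of the status table.

    Modelling choices (mine, not documented behaviour): when the port is unknown the
    extended criterion is ignored, so the rule matches on layer 3 only; an evicted
    record makes a later fragment fall back to that layer-3-only match.
    """

    def __init__(self, rules: List[Rule], mode: str = "standard",
                 high: int = 2000, low: int = 1500) -> None:
        assert mode in ("standard", "exact") and 0 < low < high
        self.rules, self.mode, self.high, self.low = rules, mode, high, low
        # fragment status records, oldest first; key = (src, dst, ip_id)
        self.records: Dict[Tuple[str, str, int], Optional[int]] = OrderedDict()

    def _remember(self, key: Tuple[str, str, int], dport: Optional[int]) -> None:
        self.records[key] = dport
        if len(self.records) >= self.high:
            # high threshold reached: delete the records reserved first until the
            # number of records is below the low threshold
            while len(self.records) >= self.low:
                self.records.popitem(last=False)

    def _port_view(self, frag: Fragment) -> Tuple[Optional[int], bool]:
        """Return (dport, known) as the matcher may see it for this fragment."""
        key = (frag.src, frag.dst, frag.ip_id)
        if frag.offset == 0:
            if self.mode == "exact":
                self._remember(key, frag.dport)
            return frag.dport, True
        if self.mode == "exact" and key in self.records:
            return self.records[key], True   # recovered from the first fragment's state
        return None, False                   # standard mode: layer-4 information ignored

    def filter(self, frag: Fragment) -> str:
        dport, known = self._port_view(frag)
        for r in self.rules:
            if r.src is not None and r.src != frag.src:
                continue
            if r.dst is not None and r.dst != frag.dst:
                continue
            if r.dport is not None and known and r.dport != dport:
                continue
            return r.action
        return "deny"                        # nothing matched: drop the fragment


def demo() -> Tuple[List[str], List[str]]:
    """Same rules and fragments under both modes. Source address is constructed."""
    rules = [Rule("deny", dst="10.1.1.1", dport=23),   # no telnet to the server
             Rule("permit", dst="10.1.1.1")]           # everything else to it is fine
    frags = [Fragment("192.0.2.5", "10.1.1.1", ip_id=7, offset=0, dport=80),
             Fragment("192.0.2.5", "10.1.1.1", ip_id=7, offset=1480)]
    standard = FragmentFilter(rules, "standard")
    exact = FragmentFilter(rules, "exact")
    return ([standard.filter(f) for f in frags], [exact.filter(f) for f in frags])


def eviction_demo() -> List[int]:
    """Small constructed thresholds (high 4, low 2) to show the watermark behaviour."""
    flt = FragmentFilter([Rule("permit")], "exact", high=4, low=2)
    for ip_id in range(1, 5):
        flt.filter(Fragment("192.0.2.5", "10.1.1.1", ip_id=ip_id, offset=0, dport=80))
    return [key[2] for key in flt.records]


if __name__ == "__main__":
    print(demo())            # (['permit', 'deny'], ['permit', 'permit'])
    print(eviction_demo())   # [4]
```

Standard matching drops the second fragment of the HTTP datagram because the port criterion cannot be checked, while exact matching recovers the port from the first fragment's record.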
Syntax
View
User view
Parameter
Description
Using the reset firewall-statistics command, you can clear the firewall statistics.
Example
3.2.1 aging-time
Syntax
View
Parameter
The default timeout time of SYN, FIN, TCP and UDP is 30s, 5s, 3600s and 30s
respectively.
Description
Using the aging-time command, you can configure the TCP SYN status waiting timeout,
the TCP FIN status waiting timeout, and the session entry idle timeout of TCP and UDP.
Using the undo aging-time command, you can restore the default value.
Before the aging-time expires, the system retains the connections and sessions that
have been set up.
For related commands, see display aspf all, display aspf policy, display aspf
session and display aspf interface.
Example
3.2.2 aspf-policy
Syntax
aspf-policy aspf-policy-number
View
System view
Parameter
Description
Using the aspf-policy command, you can define an ASPF policy. For a defined policy,
the policy can be invoked through its policy number.
Example
Syntax
debugging aspf { all | verbose | events | ftp | h323 | http | rtsp | session | smtp | tcp
| timers | udp }
undo debugging aspf { all | verbose | events | ftp | h323 | http | rtsp | session |
smtp | tcp | timers | udp }
View
User view
Parameter
Description
Using the debugging aspf command, you can enable ASPF debugging function.
Using the undo debugging aspf command, you can disable ASPF debugging
function.
For the related commands, see display aspf all, display aspf policy, display aspf
session and display aspf interface.
Example
3.2.4 detect
Syntax
View
Parameter
seconds: Configures the idle timeout time of the protocol, ranging from 10 to 43200
seconds. The default TCP-based timeout time is 3600 seconds, and the default
UDP-based timeout time is 30 seconds.
Description
Using the detect command, you can specify ASPF policy for application layer protocols.
Using the undo detect command, you can cancel the configuration.
ASPF uses the timeout mechanism to manage session state information of protocols
so that it can decide when to stop managing the state information of a session or delete
a session that cannot be set up normally. The timeout time setting is a global setting
applicable to all sessions; it can protect system resources against malicious
occupation.
For related commands, see display aspf all, display aspf policy, display aspf
session and display aspf interface.
Example
# Specify an ASPF policy for the HTTP protocol with policy number 2000; at the same
time, enable Java blocking and set ACL1 so that ASPF can filter Java Applets from the
destination server 10.1.1.1.
[Quidway] acl number 2000
[Quidway-acl-basic-2000] rule deny source 10.1.1.1 0
[Quidway-acl-basic-2000] rule permit any
[Quidway-acl-basic-2000] quit
[Quidway] aspf-policy 1
[Quidway-aspf-policy-1] detect http java-blocking 2000
Syntax
View
Any view
Parameter
none
Description
Using the display aspf all command, you can view the information of all ASPF policies
and sessions.
Example
[Interface Configuration]
Interface: Ethernet0/0/0
Inbound ASPF policy: none
Outbound ASPF policy: 1
Item                          Description
Session audit trail: disabled The session logging function is disabled.
tcp synwait-time              TCP connection SYN status timeout value is 30 seconds.
tcp finwait-time              TCP connection FIN status timeout value is 5 seconds.
tcp idle-time                 Timeout for the idle-time of a TCP session is 3600 seconds.
udp idle-time                 Timeout for the idle-time of a UDP session is 30 seconds.
http java-blocking 1 timeout  Detect the HTTP traffic and filter the Java Applets from some particular sites by using ACL 1. The HTTP timeout time is set to 3000 seconds.
h323 timeout                  The policy inspects h323 traffic. The timeout time of h323 is 3600 seconds ("h323 timeout" indicates the timeout time of the h323 session entry).
tcp timeout                   The policy inspects tcp traffic. The timeout time of tcp is 33 seconds.
Inbound ASPF policy           No ASPF policy is configured in the inbound direction of the interface Ethernet0/0/0.
Syntax
View
Any view
Parameter
none
Description
Using the display aspf interface command, you can view the interface configuration of
the inspection policy.
Example
Item                  Description
Inbound ASPF policy   No ASPF policy is configured in the inbound direction of the interface Ethernet0/0/0.
Outbound ASPF policy  ASPF policy 1 is configured in the outbound direction of the interface Ethernet0/0/0.
Syntax
View
Any view
Parameter
Description
Using the display aspf policy command, you can view the configuration of a specific
inspection policy.
Example
# Display the configuration information of the inspection policy with policy number of 1.
[Quidway] display aspf policy 1
[ASPF Policy 1]
Session audit trail: disabled
tcp synwait-time: 30 sec
tcp finwait-time: 5 sec
tcp idle-time: 3600 sec
udp idle-time: 30 sec
h323 timeout: 3600
tcp timeout: 33
Syntax
View
Any view
Parameter
Description
Using the display aspf session command, you can view the information of the ASPF
sessions.
Example
Item                      Description
TransProt: 6              Transport layer protocol number 6, which means that TCP is used.
AppProt: 21               Application layer protocol uses port 21, which means that the sessions are FTP sessions.
Interface: Ethernet1/0/0  ASPF policy is applied in the outbound direction of the interface Ethernet1/0/0.
Direction: outbound
Bytes/Packets sent        Bytes/Packets transmitted between the originating and responding sides of the connection.
Timeout 00:02:00(120)     Timeout time set for the protocol is 120 seconds.
Syntax
View
Any view
Parameter
Description
Using the display port-mapping command, you can view PAM information.
Example
Syntax
View
Interface view
Parameter
Description
Using the firewall aspf command, you can apply ASPF policy in specified direction to
an interface. Using the undo firewall aspf command, you can delete the applied ASPF
policy on the interface.
There are two concepts in ASPF: inbound interface and outbound interface. If the router
connects to both the intranet and the Internet and uses ASPF to protect the intranet
servers, the router interface connected to the intranet is regarded as the inbound
interface and the one connected to the Internet as the outbound interface.
When ASPF is applied on the outbound interface, ASPF refuses access to the intranet
from Internet users, while the returning packets of intranet users accessing the Internet
can pass the ASPF detection.
Example
Syntax
log enable
View
Description
Using the log enable command, you can enable ASPF session logging function. Using
the undo log enable command, you can disable logging function.
ASPF provides enhanced session logging function, which can log all connections,
including connection time, source address, destination address, port in use and
transmitted bytes number.
For related command, see display aspf all, display aspf policy, display aspf
session, display aspf interface.
Example
3.2.12 port-mapping
Syntax
View
System view
Parameter
application-name: Specifies the name of the application for PAM. Optional applications
include ftp, http, h323, smtp and rtsp.
acl-number: Number of basic ACL, which is in the range from 2000 to 2999.
Description
Using the port-mapping command, you can establish a mapping from a port to an
application layer protocol. Using the undo port-mapping command, you can delete the
PAM entry defined by the user.
PAM supports two mapping mechanisms: general port mapping and host port mapping
based on a basic ACL. The former establishes the mapping relation between a
user-defined port number and an application protocol. For example, mapping port 8080
to HTTP makes all TCP packets destined to port 8080 be regarded as HTTP packets.
The latter maps the self-defined port number to the application protocol only for
packets to some specific hosts. For example, you can map the TCP packets using port
8080 that are destined to hosts on the segment 1.1.0.0 to be HTTP packets. The range
of hosts is specified by the basic ACL.
For the same port, general port mapping and host port mapping based on a basic ACL
cannot be configured at the same time.
Example
# Map port 3456 to the FTP service. With this configuration, all data flows destined to
port 3456 are regarded as FTP data flows.
[Quidway] port-mapping ftp port 3456
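An added Python model (not VRP code) of PAM resolution feeding the ASPF timeouts set by the detect command: general mapping, host mapping through a basic ACL, the one-kind-of-mapping-per-port rule, and the TCP/UDP default timeouts given on this page. The well-known port table, ACL number 2001 and the flow addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PAM_APPLICATIONS = ("ftp", "http", "h323", "smtp", "rtsp")      # listed on the page
# ports the engine recognises without any mapping (assumed values for this model)
WELL_KNOWN_PORTS = {21: "ftp", 25: "smtp", 80: "http", 554: "rtsp", 1720: "h323"}


@dataclass
class BasicAcl:
    """Basic ACL (number 2000-2999) as an ordered list of (action, network) rules;
    for host port mapping the networks name the hosts the mapping applies to."""
    number: int
    rules: List[Tuple[str, str]]

    def __post_init__(self) -> None:
        if not 2000 <= self.number <= 2999:
            raise ValueError("basic ACL number must be in 2000-2999")

    def permits(self, host: str) -> bool:
        addr = ip_address(host)
        for action, net in self.rules:
            if addr in ip_network(net, strict=False):
                return action == "permit"
        return False                      # no rule matched: host outside the mapped range


class PortMapping:
    """General mapping (port -> application) and host mapping (port -> application + ACL)."""

    def __init__(self) -> None:
        self.general: Dict[int, str] = {}
        self.host: Dict[int, Tuple[str, BasicAcl]] = {}

    def add(self, application: str, port: int, acl: Optional[BasicAcl] = None) -> None:
        if application not in PAM_APPLICATIONS:
            raise ValueError(f"unsupported application {application!r}")
        # one port cannot carry both a general mapping and a host mapping
        if (acl is None and port in self.host) or (acl is not None and port in self.general):
            raise ValueError(f"port {port} already has the other kind of mapping")
        if acl is None:
            self.general[port] = application
        else:
            self.host[port] = (application, acl)

    def resolve(self, dst_port: int, dst_host: str) -> Optional[str]:
        """Application protocol of a TCP flow, or None when nothing maps the port."""
        if dst_port in self.general:
            return self.general[dst_port]
        if dst_port in self.host:
            application, acl = self.host[dst_port]
            if acl.permits(dst_host):
                return application
        return WELL_KNOWN_PORTS.get(dst_port)


class AspfPolicy:
    """An ASPF policy: its detect entries plus the TCP/UDP idle timeouts (page defaults)."""

    def __init__(self, number: int, tcp_idle: int = 3600, udp_idle: int = 30) -> None:
        self.number = number
        self.idle = {"tcp": tcp_idle, "udp": udp_idle}
        self.detect: Dict[str, Optional[int]] = {}

    def add_detect(self, protocol: str, seconds: Optional[int] = None) -> None:
        """detect <protocol> [timeout seconds]; the page gives the range 10-43200."""
        if seconds is not None and not 10 <= seconds <= 43200:
            raise ValueError("timeout must be 10-43200 seconds")
        self.detect[protocol] = seconds

    def session_timeout(self, application: Optional[str], transport: str) -> Optional[int]:
        """Idle timeout ASPF applies to the session, or None if ASPF does not track it.
        An application-layer detect entry wins over a generic tcp/udp entry."""
        for proto in (application, transport):
            if proto in self.detect:
                return self.detect[proto] or self.idle[transport]
        return None


def demo() -> List[Tuple[Optional[str], Optional[int]]]:
    pam = PortMapping()
    pam.add("ftp", 3456)                                                   # page's example
    pam.add("http", 8080, BasicAcl(2001, [("permit", "1.1.0.0/16")]))      # host mapping
    policy = AspfPolicy(1)
    policy.add_detect("ftp")                 # no explicit timeout: TCP default, 3600 s
    policy.add_detect("http", 3000)
    policy.add_detect("tcp", 33)             # generic TCP inspection, as in the display output
    flows = [("1.1.2.3", 3456), ("1.1.2.3", 8080), ("10.9.9.9", 8080), ("10.9.9.9", 443)]
    out = []
    for host, port in flows:
        app = pam.resolve(port, host)
        out.append((app, policy.session_timeout(app, "tcp")))
    return out


def conflict_demo() -> bool:
    """True if a second kind of mapping for port 3456 is rejected, as the page requires."""
    pam = PortMapping()
    pam.add("ftp", 3456)
    try:
        pam.add("http", 3456, BasicAcl(2001, [("permit", "1.1.0.0/16")]))
    except ValueError:
        return True
    return False
```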
VRP3.4 Chapter 4 IPSec Configuration Commands
4.1.1 ah authentication-algorithm
Syntax
undo ah authentication-algorithm
View
Parameter
Description
The MD5 algorithm uses a 128-bit key, and SHA1 uses a 160-bit key. By comparison,
MD5 is faster than SHA1, while SHA1 is more secure than MD5.
The IPSec proposal adopted by the security policy at both ends of the security tunnel
must be set as using the same authentication algorithm.
For the related commands, see ipsec proposal, proposal, sa sip and transform.
Example
Syntax
View
User view
Parameter
Description
Using the debugging ipsec command, you can turn IPSec debugging on. Using the
undo debugging ipsec command, you can turn IPSec debugging off.
Example
Syntax
View
Any view
Parameter
name: Displays information of the ipsec policy with the name policy-name and
sequence number seq-number.
If no argument has been specified, the details of all the IPSec policies will be displayed.
If name policy-name has been specified but seq-number has not, the information of the
specified IPSec policy group will be listed out.
Description
Using the display ipsec policy command, you can view information about the ipsec
policy.
The brief keyword is used for displaying brief information about all the ipsec policies,
whose display format is the brief format (see the following example). The brief
command can be used to quickly display all the ipsec policies. Brief information
includes: name and sequence number, negotiation mode, access control list, proposal,
local address, and remote address.
The other command words are used to display the detailed information about the ipsec
policy, whose display format is the detailed format (refer to the following example).
Example
Item               Description
Ipsec-policy-Name  Name and sequence number of an ipsec policy
Mode               Negotiation method used by an ipsec policy
acl                Access control list used by an ipsec policy
Local Address      Local IP address
Remote Address     Remote IP address
mode: manual
-----------------------------------------
security data flow : 100
tunnel local address: 162.105.10.1
tunnel remote address: 162.105.10.2
proposal name: prop1
inbound ah setting:
ah spi: 12345 (0x3039)
ah string-key:
ah authentication hex key : 1234567890123456789012345678901234567890
inbound esp setting:
esp spi: 23456 (0x5ba0)
esp string-key:
esp encryption hex key:
1234567890abcdef1234567890abcdef1234567812345678
esp authentication hex key: 1234567890abcdef1234567890abcdef
outbound ah setting:
ah spi: 54321 (0xd431)
ah string-key:
ah authtication hex key: 1122334455667788990011223344556677889900
outbound esp setting:
esp spi: 65432 (0xff98)
esp string-key:
esp encryption hex key:
11223344556677889900aabbccddeeff1234567812345678
esp authentication hex key: 11223344556677889900aabbccddeeff
Item                     Description
ipsec policy             Name, sequence number and negotiation method of an ipsec policy
security data flow       Access control list used by an ipsec policy
proposal name            Name of the proposal used by an ipsec policy
inbound/outbound ah/esp  Settings of the inbound/outbound ends using AH/ESP, including SPI setting and key
tunnel local address     Local IP address
tunnel remote address    Remote IP address
PFS (Y/N)                Whether PFS (Perfect Forward Secrecy) is used or not
Syntax
View
Any view
Parameter
brief: Displays brief information about all the ipsec policy templates.
name: Displays information of the ipsec policy template with the name template-name
and sequence number seq-number.
If no parameter is specified, then the detail information about all the ipsec policy
templates will be displayed. If name template-name has been specified but
seq-number has not, the information of the specified IPSec policy template group will
be listed out.
Description
Using the display ipsec policy-template command, you can view information about
the ipsec policy template.
Parameter brief is for showing brief information about all the ipsec policy templates,
whose display format is the brief format (see the following example). It can be used to
quickly display all the ipsec policy templates. Brief information includes: template name
and sequence number, access control list, and remote address.
Any of the sub-commands can be used to display detail information of the IPSec policy
template.
Example
Item                  Description
Policy-template-Name  Name and sequence number of an ipsec policy template
acl                   Access control list used by an ipsec policy template
Remote Address        Remote IP address
Syntax
View
Any view
Parameter
Description
Using the display ipsec proposal command, you can view information about the
proposal.
If the name of the proposal is not specified, then information about all the proposals will
be shown.
For the related commands, see ipsec proposal, display ipsec sa and display ipsec
policy.
Example
Item                 Description
Ipsec proposal name  Name of the proposal
encapsulation mode   Modes used by the proposal, including two types: transport mode and tunnel mode
transform            Security protocols used by the proposal, including two types: AH and ESP
ah protocol          The authentication algorithm used by AH: md5 | sha1
esp protocol         The authentication algorithm and encryption method used by ESP respectively: MD5 and DES
Syntax
View
Any view
Parameter
policy: Displays information about the SA created by the ipsec policy whose name is
policy-name.
Description
Using the display ipsec sa command, you can view the relevant information about the
SA.
The command with the brief parameter shows brief information about all the SAs, whose
display format is the brief format (refer to the following example). Brief information
includes source address, destination address, SPI, protocol, and algorithm. A display
beginning with "E" in the algorithm stands for the encryption algorithm, and a display
beginning with "A" stands for the authentication algorithm. The brief command can be
used to quickly display all the SAs already set up.
The commands with the remote and policy parameters both display the detailed
information about the SA. The display mode: part of the information about the ipsec
policy is shown first and then the detailed information of the SA in this ipsec policy.
The command with the duration parameter shows the global SA duration, including the
"time-based" and "traffic-based" SA durations. Refer to the following examples.
For the related commands, see reset ipsec sa, ipsec sa duration, display ipsec sa
and display ipsec policy.
Example
Item         Description
Src Address  Local IP address
Dst Address  Remote IP address
SPI          Security parameter index
Protocol     Security protocol used by IPSec
Algorithm    The authentication algorithm and encryption algorithm used by the security protocol. A display beginning with "E" stands for the encryption algorithm, and a display beginning with "A" stands for the authentication algorithm.
Item                          Description
Interface                     Interface using the ipsec policy
path MTU                      Maximum IP packet length sent from the interface
ipsec policy                  ipsec policy used, including name, sequence number and negotiation method
connection id                 Security channel identifier
in use settings               IPSec mode, including two types: transport mode and tunnel mode
tunnel local                  Local IP address
tunnel remote                 Remote IP address
inbound                       SA information of the inbound end
transform                     Proposal used by the ipsec policy
sa remaining key duration     Remaining SA duration of the SA
max received sequence-number  Maximum sequence number of the received packets (the anti-replay function provided by the security protocol)
Syntax
View
Any view
Parameter
none
Description
Using the display ipsec statistics command, you can view the IPSec packet statistics
information, including the input and output security packet statistics, bytes, number of
packets discarded and detailed description of discarded packets.
Example
Item                                     Description
input/output security packets            Input/output packets under the security protection
input/output security bytes              Input/output bytes under the security protection
input/output discarded security packets  Input/output packets under the security protection discarded by the router
4.1.8 encapsulation-mode
Syntax
undo encapsulation-mode
View
Parameter
Description
Using the encapsulation-mode command, you can set the encapsulation mode that
the security protocol applies to IP packets, which can be transport or tunnel. Using the
undo encapsulation-mode command, you can restore it to the default.
There are two encapsulation modes in which IPSec encrypts and authenticates IP
packets: transport mode and tunnel mode. In transport mode, IPSec does not add a new
header to the IP packet; the two ends of the security tunnel are the source and
destination of the original packets. In tunnel mode, IPSec protects the whole IP packet
and adds a new IP header in front of it. The source and destination addresses of the
new IP header are the IP addresses of the two ends of the tunnel.
Generally, tunnel mode is used between two security gateways (routers). A packet
encrypted by one security gateway can only be decrypted by another security gateway,
so the IP packet needs to be encrypted in tunnel mode, that is, a new IP header is
added; the IP packet encapsulated in tunnel mode is sent to the other security gateway
before it is decrypted.
Transport mode is suitable for communication between two hosts, or between a host
and a security gateway (like the network management communication between the
gateway workstation and a router). In transport mode, the two devices responsible for
encrypting and decrypting packets must be the original sender and receiver of the
packet. Most of the data traffic between two security gateways is not the security
gateways' own, so transport mode is not often used between security gateways.
The proposal used by the ipsec policies set at both ends of the security tunnel must be
set as having the same packet encapsulation mode.
Example
# Set the proposal whose name is prop2 as using the transport mode to encapsulate IP
packets.
[Quidway] ipsec proposal prop2
[Quidway-ipsec-proposal-prop2] encapsulation-mode transport
Syntax
View
Parameter
md5: Use MD5 algorithm with the length of the key 128 bits.
sha1: Use SHA1 algorithm with the length of the key 160 bits.
Description
Using the esp authentication-algorithm command, you can set the authentication
algorithm used by ESP. Using the undo esp authentication-algorithm command, you
can set ESP not to authenticate packets.
The encryption and authentication algorithm used by ESP cannot be set to vacant at
the same time.
The proposal used by the ipsec policies set at both ends of the security tunnel must be
set as having the same authentication algorithm.
Example
Syntax
View
Parameter
des: Data Encryption Standard (DES), a universal encryption algorithm with the length
of the key being 56 bits.
3des: 3DES (Triple DES), another universal encryption algorithm with the length of the
key being 168 bits.
Description
Using the esp encryption-algorithm command, you can set the encryption algorithm
adopted by ESP. Using the undo esp encryption-algorithm command, you can set
the ESP not to encrypt packets.
3DES can meet the requirement of high confidentiality and security, but it is
comparatively slow. And DES can satisfy the normal security requirements.
The encryption and authentication methods used by ESP cannot be set to a vacant
value at the same time. The undo esp encryption-algorithm command can take
effect only if the authentication algorithm is not null.
Example
Syntax
View
Interface view
Parameter
policy-name: Specifies the name of an ipsec policy group applied at the interface. The
ipsec policy group with name policy-name should be configured in system view.
Description
Using the ipsec policy (interface view) command, you can apply the ipsec policy group
named policy-name at the interface. Using the undo ipsec policy (interface view)
command, you can cancel the ipsec policy group so as to disable the IPSec function of
the interface.
At an interface, only one ipsec policy group can be applied. An ipsec policy group can
be applied at multiple interfaces.
When a packet is sent from an interface, it searches for each ipsec policy in the ipsec
policy group by number in an ascending order. If the packet matches an access control
list used by an ipsec policy, then this ipsec policy is used to process the packet;
otherwise it continues to search for the next ipsec policy. If the packet does not match
any of the access control lists used by all the ipsec policies, it will be directly transmitted
(that is, IPSec will not protect the packet).
Example
Syntax
View
System view
Parameter
policy-name: Name of the ipsec policy. The naming rule is: the length of the name is 1
to 15 characters, the name is case insensitive and the characters can be English
characters or numbers, cannot include “-”.
seq-number: Sequence number of the ipsec policy, ranging 1 to 10000, with lower
value indicating higher sequence priority.
Description
Using the ipsec policy command, you can establish or modify an ipsec policy, and
enter ipsec policy view. Using the undo ipsec policy policy-name command, you can
delete the ipsec policy group whose name is policy-name. Using the undo ipsec policy
policy-name seq-number command, you can delete the ipsec policy whose name is
policy-name and sequence number is seq-number.
Once the ipsec policy is established, its negotiation mode cannot be modified. For
example: if an ipsec policy is established in manual mode, it cannot be changed to
isakmp mode--this ipsec policy must be deleted and then recreated, if appropriate, with
the negotiation mode being isakmp.
Ipsec policies with the same name constitute an ipsec policy group. The name and
sequence number together define a unique ipsec policy. An ipsec policy group can hold
at most 100 ipsec policies. Within a group, the smaller the sequence number of an
ipsec policy is, the higher its preference. Applying an ipsec policy group at an interface
means applying all ipsec policies in the group simultaneously, so that different data
streams can be protected by different SAs.
Note that IKE will not use a policy with a template argument to initiate a negotiation.
Rather, it uses such a policy to respond to the negotiation initiated by its peer.
For the related commands, see ipsec policy (interface view), security acl, tunnel
local, tunnel remote, sa duration, proposal, display ipsec policy, ipsec
policy-template, and ike-peer.
Example
# Set an ipsec policy whose name is newpolicy1, sequence number is 100, and
negotiation mode is isakmp.
[Quidway] ipsec policy newpolicy1 100 isakmp
[Quidway-ipsec-policy-isakmp-newpolicy1-100]
Syntax
View
System view
Parameter
policy-name: Name of the ipsec policy. The naming rule is as follows: length is 1 to 15
bytes, the name is case insensitive and the characters can be English characters or
numbers, cannot include “-”.
seq-number: Serial number of the ipsec policy, ranging 1 to 10000. In one ipsec policy
group, the smaller the serial number of the ipsec policy, the higher the preference.
Description
Using the ipsec policy-template command, you can establish or modify an ipsec
policy template, and enter ipsec policy view. Using the undo ipsec policy-template
policy-name command, you can delete the ipsec policy group named policy-name.
Using the undo ipsec policy-template policy-name seq-number command, you can
delete an ipsec policy with the name policy-name and the serial number seq-number.
A policy template that has been created with the name template-name can be
referenced by the ipsec policy policy-name seq-number isakmp template
template-name command to create an IPSec policy.
The IPSec policy template and the security policy of IPSec ISAKMP negotiation share
the same kinds of arguments, including the referenced IPSec proposal, the protected
traffic, the PFS feature, the lifetime, and the address of the remote tunnel end. Note,
however, that the proposal argument must be configured whereas the other arguments
are optional. If an IPSec policy template is used for the policy match operation in an
IKE negotiation, the configured arguments must be matched, and the settings of the
initiator are used for any arguments that have not been configured.
For the related commands, see ipsec policy, security acl, tunnel local, tunnel
remote, proposal, display ipsec policy, and ike-peer.
Example
# Establish an ipsec policy template with the name template1 and the serial number
100.
[Quidway] ipsec policy-template template1 100
[Quidway-ipsec-policy-template-template1-100]
Syntax
View
System view
Parameter
proposal-name: Name of the specified proposal. The naming rule is: the length of the
name is 1 to 15 characters, case insensitive.
Description
Using the ipsec proposal proposal-name command, you can establish or modify a
proposal named proposal-name, and enter IPSec proposal view. Using the undo ipsec
proposal proposal-name command, you can delete the proposal named
proposal-name.
After a new IPSec proposal is established by using the ipsec proposal command, the
ESP protocol, DES encryption algorithm and MD5 authentication algorithm are adopted
by default.
Example
Syntax
View
System view
Parameter
Description
Using the ipsec sa global-duration command, you can set a global SA duration. Using
the undo ipsec sa global-duration command, you can restore to the default setting of
the global SA duration.
When IKE negotiates to establish a SA, if the adopted IPSec policy is not configured
with its own duration, the system will use the global SA duration specified by this
command to negotiate with the peer. If the IPSec policy is configured with its own
duration, the system will use the duration of the IPSec policy to negotiate with the peer.
When IKE negotiates to set up an SA for IPSec, the smaller one of the lifetime set
locally and that proposed by the remote is selected.
There are two types of SA duration: time-based (in seconds) and traffic-based (in
kilobytes) lifetimes. With the traffic-based SA duration, the valid time of the SA is
accounted according to the total traffic that this SA can process, and the SA becomes
invalid when the set value is exceeded. Whichever of the two types expires first, the SA
becomes invalid. Before the SA is about to become invalid, IKE sets up a new SA for
IPSec negotiation, so that a new SA is ready before the existing one becomes invalid.
Modifying the global SA duration will not affect a map that has individually set up its own
SA duration, or an SA already set up. But the modified global SA duration will be used to
set up a new SA in the future IKE negotiation.
The SA duration does not function for an SA manually set up, that is, the SA manually
set up will never be invalidated.
For the related commands, see sa duration and display ipsec sa duration.
Example
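The policy-group lookup described under ipsec policy (interface view) and the SA duration rules above, modelled in Python as an added example (not VRP code). The global duration, the peer's proposal, the ACL networks and the packet addresses are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Lifetime = Dict[str, int]      # {"time": seconds, "traffic": kilobytes}


@dataclass
class IpsecPolicy:
    name: str
    seq: int                             # 1-10000; the smaller, the higher the preference
    mode: str                            # "manual" or "isakmp"
    flows: List[Tuple[str, str]]         # the security ACL as permitted (src_net, dst_net) pairs
    duration: Optional[Lifetime] = None  # the policy's own sa duration, None = use the global one

    def __post_init__(self) -> None:
        if not 1 <= self.seq <= 10000 or self.mode not in ("manual", "isakmp"):
            raise ValueError("bad sequence number or negotiation mode")

    def matches(self, src: str, dst: str) -> bool:
        s, d = ip_address(src), ip_address(dst)
        return any(s in ip_network(a) and d in ip_network(b) for a, b in self.flows)


class IpsecPolicyGroup:
    """Policies sharing one name; at most 100 of them, each unique by (name, seq)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.policies: Dict[int, IpsecPolicy] = {}

    def add(self, policy: IpsecPolicy) -> None:
        if policy.name != self.name:
            raise ValueError("policy name does not match the group")
        existing = self.policies.get(policy.seq)
        if existing is not None and existing.mode != policy.mode:
            # the negotiation mode of an established policy cannot be modified
            raise ValueError("delete and recreate the policy to change its mode")
        if existing is None and len(self.policies) >= 100:
            raise ValueError("an ipsec policy group holds at most 100 policies")
        self.policies[policy.seq] = policy

    def select(self, src: str, dst: str) -> Optional[IpsecPolicy]:
        """First policy in ascending sequence order whose ACL matches; None = sent in clear."""
        for seq in sorted(self.policies):
            if self.policies[seq].matches(src, dst):
                return self.policies[seq]
        return None


def negotiated_lifetime(policy: IpsecPolicy, global_duration: Lifetime,
                        remote_proposal: Lifetime) -> Optional[Lifetime]:
    """IKE takes the smaller of the local and proposed value for each lifetime type;
    a manually set up SA has no lifetime at all, so None is returned for it."""
    if policy.mode == "manual":
        return None
    local = policy.duration or global_duration
    return {kind: min(local[kind], remote_proposal[kind]) for kind in ("time", "traffic")}


def demo() -> List[Tuple[Optional[int], Optional[Lifetime]]]:
    """(selected sequence number, negotiated lifetime) for four constructed packets."""
    global_duration = {"time": 3600, "traffic": 1843200}   # constructed, not the page's defaults
    remote = {"time": 86400, "traffic": 1000000}            # constructed peer proposal
    group = IpsecPolicyGroup("newpolicy1")
    group.add(IpsecPolicy("newpolicy1", 100, "isakmp", [("10.1.1.0/24", "10.2.2.0/24")]))
    group.add(IpsecPolicy("newpolicy1", 200, "manual", [("10.1.1.0/24", "10.3.3.0/24")]))
    group.add(IpsecPolicy("newpolicy1", 300, "isakmp", [("10.1.1.0/24", "0.0.0.0/0")],
                          duration={"time": 600, "traffic": 2000000}))
    results = []
    for src, dst in [("10.1.1.5", "10.2.2.9"), ("10.1.1.5", "10.3.3.1"),
                     ("10.1.1.5", "203.0.113.7"), ("10.8.8.8", "10.2.2.9")]:
        policy = group.select(src, dst)
        if policy is None:
            results.append((None, None))        # no ACL matched: IPSec does not protect it
        else:
            results.append((policy.seq, negotiated_lifetime(policy, global_duration, remote)))
    return results


def mode_change_rejected() -> bool:
    """Re-adding sequence 100 with a different negotiation mode must fail."""
    group = IpsecPolicyGroup("p")
    group.add(IpsecPolicy("p", 100, "manual", []))
    try:
        group.add(IpsecPolicy("p", 100, "isakmp", []))
    except ValueError:
        return True
    return False
```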
4.1.16 pfs
Syntax
undo pfs
View
Parameter
Description
Using the pfs command, you can set the Perfect Forward Secrecy (PFS) feature for the
IPSec policy to initiate the negotiation. Using the undo pfs command, you can set not
to use the PFS feature during the negotiation.
The command is used to add a PFS exchange process when IPSec uses the ipsec
policy to initiate a negotiation. This additional key exchange is performed during the
phase 2 negotiation so as to enhance the communication safety. The DH group
specified by the local and remote ends must be consistent, otherwise the negotiation
will fail.
This command can be used only when the security association is established through
IKE.
For the related commands, see ipsec policy-template, ipsec policy(system view),
ipsec policy(interface view), tunnel local, tunnel remote, sa duration and
proposal.
Example
# Set that PFS must be used when negotiating through ipsec policy shanghai 200.
[Quidway] ipsec policy shanghai 200 isakmp
[Quidway-ipsec-policy-isakmp-shanghai-200] pfs group1
4.1.17 proposal
Syntax
View
Parameter
Description
Using the proposal command, you can set the proposal used by the IPSec policy.
Using the undo proposal command, you can cancel the proposal used by the IPSec
policy.
Before using this command, the corresponding IPSec proposal must have been
configured.
If set up in manual mode, an SA can only use one proposal. And if a proposal is already
set, it needs to be deleted by using the undo proposal command before a new one
can be set.
If set up in isakmp mode, an SA can use six proposals at most. IKE negotiation will
search for the completely matching proposal at both ends of the security tunnel.
If it is the IPSec template, each template can use six proposals at most, and the IKE
negotiation will search for the completely matching proposal.
For the related commands, see ipsec proposal, ipsec policy(system view), ipsec
policy(interface view), security acl, tunnel local and tunnel remote.
Example
# Create a proposal named prop1 that adopts ESP with the default algorithms, and set
an IPSec policy to use the proposal prop1.
[Quidway] ipsec proposal prop1
[Quidway-ipsec-proposal-prop1] transform esp
[Quidway-ipsec-proposal-prop1] quit
[Quidway] ipsec policy policy1 100 manual
[Quidway-ipsec-policy-manual-policy1-100] proposal prop1
Syntax
View
User view
Parameter
policy-name: Specifies the name of the IPSec policy. The name is 1 to 15 characters
long, case sensitive, and may contain only letters and digits.
seq-number: Optional parameter specifying the serial number of the ipsec policy. If no
seq-number is specified, the IPSec policy refers to all the policies in the IPSec policy
group named policy-name.
protocol: Specifies the security protocol by inputting the key word ah or esp, case
insensitive. ah indicates the Authentication Header protocol and esp indicates
Encapsulating Security Payload.
spi: Specifies the security parameter index (SPI), ranging 256 to 4294967295.
Description
Using the reset ipsec sa command, you can delete an SA already set up (manually or
through IKE negotiation). If no parameter (remote, policy, parameters) is specified, all
the SA will be deleted.
The keyword parameters will take effect only after the spi of the outbound SA is
defined. Because SAs appear in pairs, the inbound SA will also be deleted after the
outbound SA is deleted.
Example
# Delete the SA of the ipsec policy with the name policy1 and the serial number 10.
<Quidway> reset ipsec sa policy policy1 10
# Delete an SA whose remote IP address is 10.1.1.2, security protocol is AH, and SPI is
10000
<Quidway> reset ipsec sa parameters 10.1.1.2 ah 10000
Syntax
View
User view
Parameter
none
Description
Using the reset ipsec statistics command, you can clear IPSec message statistics,
and set all the statistics to zero.
Example
4.1.20 sa authentication-hex
Syntax
View
Parameter
inbound: Configures the authentication-hex parameter for the inbound SA. IPSec
uses the inbound SA for processing the packet in the inbound direction (received).
outbound: Configures the authentication-hex parameter for the outbound SA. IPSec
uses the outbound SA for processing the packet in the outbound direction (sent).
ah: Sets the authentication-hex parameter for the SA using AH. If the IPSec proposal
used by the ipsec policy adopts AH, the ah keyword is used here to set the AH-related
parameter of the SA.
esp: Sets the authentication-hex parameter for the SA using ESP. If the IPSec
proposal used by the ipsec policy adopts ESP, the esp keyword is used here to set the
ESP-related parameter of the SA.
hex-key: Specifies a key for the SA input in the hex format. If MD5 is used, then input a
16-byte key; if SHA1 is used, input a 20-byte key.
Description
Using the sa authentication-hex command, you can set the SA authentication key
manually for the ipsec policy of manual mode. Using the undo sa authentication-hex
command, you can delete the SA authentication key already set.
This command is only used for the ipsec policy in manual mode.
For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameter
manually. IKE will automatically negotiate the SA parameter and establish a SA.
The SA parameters set at both ends of the security tunnel must be fully matching. The
SPI and key for the SA input at the local end must be the same as those output at the
remote. The SA SPI and key output at the local end must be the same as those input at
the remote.
There are two methods for inputting the key: hex and character string. For the character
string key and hex string key, the last set one will be adopted. At both ends of a security
tunnel, the key should be input by the same method. If the key is input in character
string at one end, and it is input in hex at the other end, then a security tunnel cannot be
set up correctly.
For the related commands, see ipsec policy (system view), ipsec policy (interface
view), security acl , tunnel local, tunnel remote, sa duration and proposal.
Example
4.1.21 sa duration
Syntax
View
Parameter
Description
Using the sa duration command, you can set a SA duration of the ipsec policy. Using
the undo sa duration command, you can cancel the SA duration, i.e., restore the use
of the global SA duration.
When IKE negotiates to establish a SA, if the adopted IPSec policy is not configured
with its own duration, the system will use the global SA duration to negotiate with the
peer. If the IPSec policy is configured with its own duration, the system will use the
duration of the IPSec policy to negotiate with the peer. When IKE negotiates to set up
an SA for IPSec, the shorter one of the lifetime set locally and that proposed by the
remote is selected.
There are two types of SA duration: time-based (in seconds) and traffic-based (in
kilobytes) lifetimes. The traffic-based SA duration, that is, the valid time of the SA is
accounted according to the total traffic that can be processed by this SA, and the SA is
invalid when the set value is exceeded. No matter which one of the two types expires
first, the SA will get invalid. Before the SA is about to get invalid, IKE will set up a new
SA for IPSec negotiation. So, a new SA is ready before the existing one gets invalid.
The SA duration does not function for an SA manually set up, that is, the SA manually
set up will never be invalidated.
For the related commands, see ipsec sa global-duration, ipsec policy(system view),
ipsec policy(interface view), security acl, tunnel local, tunnel remote and
proposal.
Example
# Set the SA duration for the ipsec policy shenzhen 100 to 2 hours, that is, 7200
seconds.
[Quidway] ipsec policy shenzhen 100 isakmp
[Quidway-ipsec-policy-isakmp-shenzhen-100] sa duration time-based 7200
# Set the SA duration for the ipsec policy shenzhen 100 to 20 Mbytes, that is, the SA
expires when the traffic exceeds 20000 kilobytes.
[Quidway] ipsec policy shenzhen 100 isakmp
[Quidway-ipsec-policy-isakmp-shenzhen-100] sa duration traffic-based 20000
4.1.22 sa encryption-hex
Syntax
View
Parameter
inbound: Sets the encryption-hex parameter for the inbound SA. IPSec uses the
inbound SA for processing the packet in the inbound direction (received).
outbound: Sets the encryption-hex parameter for outbound SA. IPSec uses the
outbound SA for processing the packet in the outbound direction (sent).
esp: Sets the encryption-hex parameter for the SA using ESP. If the IPSec proposal
used by the ipsec policy adopts ESP, the esp keyword is used here to set the
ESP-related parameter of the SA.
hex-key: Specifies a key for the SA input in the hex format. When applied in ESP, if DES
is used, input an 8-byte key; if 3DES is used, input a 24-byte key.
Description
Using the sa encryption-hex command, you can set the SA encryption key manually
for the ipsec policy of manual mode. Using the undo sa encryption-hex command,
you can delete the SA parameter already set.
This command is only used for the ipsec policy in manual mode. It is used to set the SA
parameter manually and establish a SA manually.
For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameter
manually, and this command is invalid. IKE will automatically negotiate the SA
parameter and establish a SA.
The SA parameters set at both ends of the security tunnel must be fully matching. The
SPI and key for the SA input at the local end must be the same as those output at the
remote. The SA SPI and key output at the local end must be the same as those input at
the remote.
For the related commands, see ipsec policy(system view), ipsec policy(interface
view), security acl , tunnel local, tunnel remote, sa duration and proposal.
Example
# Set the SPI of the inbound SA to 10000 and its key to 0x1234567890abcdef, and set
the SPI of the outbound SA to 20000 and its key to 0xabcdefabcdef1234, in an ipsec
policy using ESP with DES.
[Quidway] ipsec proposal prop_esp
[Quidway-ipsec-proposal-prop_esp] transform esp
[Quidway-ipsec-proposal-prop_esp] esp encryption-algorithm des
[Quidway-ipsec-proposal-prop_esp] quit
[Quidway] ipsec policy tianjin 100 manual
[Quidway-ipsec-policy-manual-tianjin-100] proposal prop_esp
[Quidway-ipsec-policy-manual-tianjin-100] sa spi inbound esp 10000
[Quidway-ipsec-policy-manual-tianjin-100] sa encryption-hex inbound esp 1234567890abcdef
[Quidway-ipsec-policy-manual-tianjin-100] sa spi outbound esp 20000
[Quidway-ipsec-policy-manual-tianjin-100] sa encryption-hex outbound esp abcdefabcdef1234
4.1.23 sa spi
Syntax
View
Parameter
inbound: Sets the spi parameter for the inbound SA. IPSec uses the inbound SA for
processing the packet in the inbound direction (received).
outbound: Sets the spi parameter for outbound SA. IPSec uses the outbound SA for
processing the packet in the outbound direction (sent).
ah: Sets the spi parameter for the SA using AH. If the IPSec proposal used by the ipsec
policy adopts AH, the ah keyword is used here to set the SPI of the AH SA.
esp: Sets the spi parameter for the SA using ESP. If the IPSec proposal used by the
ipsec policy adopts ESP, the esp keyword is used here to set the SPI of the ESP SA.
spi-number: Security Parameter Index (SPI) in the triplet identification of the SA,
ranging 256 to 4294967295. The triplet identification of the SA, which appears as SPI,
destination address, and protocol number, must be unique.
Description
Using the sa spi command, you can set the SA SPI manually for the ipsec policy of
manual mode. Using the undo sa spi command, you can delete the SA SPI already
set.
This command is only used for the ipsec policy in manual mode. It is used to set the SA
parameter manually and establish a SA manually.
For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameter
manually, and this command is invalid. IKE will automatically negotiate the SA
parameter and establish a SA.
The SA parameters set at both ends of the security tunnel must be fully matching. The
SPI and key for the SA input at the local end must be the same as those output at the
remote. The SA SPI and key output at the local end must be the same as those input at
the remote.
For the related commands, see ipsec policy(system view), ipsec policy(interface
view), security acl , tunnel local, tunnel remote, sa duration and proposal.
Example
# Set the SPI of the inbound SA to 10000 and the SPI of the outbound SA to 20000 in
an ipsec policy using AH and MD5.
4.1.24 sa string-key
Syntax
View
Parameter
inbound: Sets the string-key parameter for the inbound SA. IPSec uses the inbound
SA for processing the packet in the inbound direction (received).
outbound: Sets the string-key parameter for the outbound SA. IPSec uses the
outbound SA for processing the packet in the outbound direction (sent).
ah: Sets the string-key parameter for the SA using AH. If the IPSec proposal used by
the ipsec policy adopts AH, the ah keyword is used here to set the string key of the AH
SA.
esp: Sets the string-key parameter for the SA using ESP. If the IPSec proposal used by
the ipsec policy adopts ESP, the esp keyword is used here to set the string key of the
ESP SA.
string-key: Specifies the key for an SA input in the character string format, with a length
ranging 1 to 256 characters. For different algorithms, you can input character strings of
any length in the specified range, and the system will generate keys meeting the
algorithm requirements automatically according to the input character strings. As for
ESP, the system will automatically generate the key for the authentication algorithm
and that for the encryption algorithm at the same time.
Description
Using the sa string-key command, you can set the SA parameter manually for the
ipsec policy of manual mode. Using the undo sa string-key command, you can delete
the SA parameter already set.
This command is only used for the ipsec policy in manual mode. It is used to set the SA
parameter manually and establish a SA manually.
For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameter
manually, and this command is invalid. IKE will automatically negotiate the SA
parameter and establish a SA.
The SA parameters set at both ends of the security tunnel must be fully matching. The
SPI and key for the SA input at the local end must be the same as those output at the
remote. The SA SPI and key output at the local end must be the same as those input at
the remote.
There are two methods for inputting the key: hex and character string. To input a
hexadecimal key, use the sa authentication-hex command. For the character string
key and hex string key, the last set one will be adopted. At both ends of a security tunnel,
the key should be input by the same method. If the key is input in character string at one
end, and it is input in hex at the other end, then a security tunnel cannot be set up
correctly.
For the related commands, see ipsec policy(system view), ipsec policy(interface
view), security acl , tunnel local, tunnel remote, sa duration and proposal.
Example
# Set the SPI of the inbound SA to 10000 and its key string to abcdef, and set the SPI of
the outbound SA to 20000 and its key string to efcdab, in an ipsec policy using AH and
MD5.
[Quidway] ipsec proposal prop_ah
[Quidway-ipsec-proposal-prop_ah] transform ah
[Quidway-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[Quidway-ipsec-proposal-prop_ah] quit
[Quidway] ipsec policy tianjin 100 manual
[Quidway-ipsec-policy-manual-tianjin-100] proposal prop_ah
[Quidway-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[Quidway-ipsec-policy-manual-tianjin-100] sa string-key inbound ah abcdef
[Quidway-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[Quidway-ipsec-policy-manual-tianjin-100] sa string-key outbound ah efcdab
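The following Python check is an added example (not from the manual or from the VRP software). It encodes the rules stated in 4.1.20 to 4.1.24 for both ends of a manual-mode tunnel: SPI range, hex key length per algorithm, the same key input method at both ends (string on one end and hex on the other cannot form a tunnel, so the key bytes are not even compared), and the local inbound SA mirroring the remote outbound SA and vice versa. The ManualSA class, the check functions and the sample peer configurations are hypothetical constructions.

```python
# Added example (not from the VRP manual or software): encodes the rules
# stated for sa spi, sa authentication-hex, sa encryption-hex and sa string-key.
from dataclasses import dataclass
from typing import Dict, List, Optional

SPI_MIN, SPI_MAX = 256, 4294967295

# Hex key length in bytes per algorithm (MD5 16, SHA1 20, DES 8, 3DES 24),
# as given in the hex-key parameter descriptions.
HEX_KEY_BYTES = {"md5": 16, "sha1": 20, "des": 8, "3des": 24}


@dataclass
class ManualSA:
    """One direction (inbound or outbound) of a manually configured SA."""
    protocol: str                   # "ah" or "esp"
    spi: int
    auth_alg: Optional[str] = None  # "md5" or "sha1"
    enc_alg: Optional[str] = None   # "des" or "3des" (ESP only)
    key_method: str = "string"      # "string" (sa string-key) or "hex"
    string_key: str = ""            # value given to sa string-key
    auth_hex: str = ""              # value given to sa authentication-hex
    enc_hex: str = ""               # value given to sa encryption-hex


def _check_hex(name: str, label: str, value: str, nbytes: int) -> List[str]:
    """A hex key must parse and contain exactly nbytes bytes."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return [f"{name}: {label} is not valid hex"]
    if len(raw) != nbytes:
        return [f"{name}: {label} must be {nbytes} bytes, got {len(raw)}"]
    return []


def check_sa(name: str, sa: ManualSA) -> List[str]:
    """Single-end rules for one SA; returns the problems found (empty = OK)."""
    errs: List[str] = []
    if not SPI_MIN <= sa.spi <= SPI_MAX:
        errs.append(f"{name}: SPI {sa.spi} outside {SPI_MIN}..{SPI_MAX}")
    if sa.key_method == "string":
        # sa string-key takes 1..256 characters; the system derives the
        # algorithm keys itself, so no per-algorithm length applies.
        if not 1 <= len(sa.string_key) <= 256:
            errs.append(f"{name}: string-key length must be 1..256 characters")
    else:
        if sa.auth_alg:
            errs += _check_hex(name, "authentication-hex", sa.auth_hex,
                               HEX_KEY_BYTES[sa.auth_alg])
        if sa.protocol == "esp" and sa.enc_alg:
            errs += _check_hex(name, "encryption-hex", sa.enc_hex,
                               HEX_KEY_BYTES[sa.enc_alg])
    return errs


def check_tunnel(local: Dict[str, ManualSA],
                 remote: Dict[str, ManualSA]) -> List[str]:
    """Check both ends of a manual tunnel (dicts keyed "inbound"/"outbound")."""
    errs: List[str] = []
    for end, sas in (("local", local), ("remote", remote)):
        for direction, sa in sas.items():
            errs += check_sa(f"{end} {direction}", sa)
    # Local inbound must mirror remote outbound, and local outbound remote
    # inbound: same protocol, same key input method, same SPI, same key.
    for l_dir, r_dir in (("inbound", "outbound"), ("outbound", "inbound")):
        la, ra = local[l_dir], remote[r_dir]
        pair = f"local {l_dir}/remote {r_dir}"
        if la.protocol != ra.protocol:
            errs.append(f"{pair}: protocol {la.protocol} vs {ra.protocol}")
        if la.key_method != ra.key_method:
            errs.append(f"{pair}: key entered as {la.key_method} on one end "
                        f"and {ra.key_method} on the other")
            continue
        if la.spi != ra.spi:
            errs.append(f"{pair}: SPI {la.spi} vs {ra.spi}")
        if (la.string_key, la.auth_hex, la.enc_hex) != (
                ra.string_key, ra.auth_hex, ra.enc_hex):
            errs.append(f"{pair}: key material differs")
    return errs


# Constructed sample: the tianjin 100 policy of the sa string-key example
# (AH, MD5, SPIs 10000/20000) and two candidate peer configurations.
LOCAL = {
    "inbound": ManualSA("ah", 10000, auth_alg="md5", string_key="abcdef"),
    "outbound": ManualSA("ah", 20000, auth_alg="md5", string_key="efcdab"),
}
PEER_OK = {
    "inbound": ManualSA("ah", 20000, auth_alg="md5", string_key="efcdab"),
    "outbound": ManualSA("ah", 10000, auth_alg="md5", string_key="abcdef"),
}
PEER_HEX = {  # same SPIs, but the peer typed its keys with sa authentication-hex
    "inbound": ManualSA("ah", 20000, auth_alg="md5", key_method="hex",
                        auth_hex="ef" * 16),
    "outbound": ManualSA("ah", 10000, auth_alg="md5", key_method="hex",
                         auth_hex="ab" * 16),
}
```

check_tunnel(LOCAL, PEER_OK) returns an empty list, while check_tunnel(LOCAL, PEER_HEX) reports the key-method mismatch for both directions even though each end's keys are individually valid.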
Syntax
View
Parameter
acl-number: Specifies the number of the access control list used by the ipsec policy,
ranging 3000 to 3999.
Description
Using the security acl command, you can set an access control list to be used by the
ipsec policy. Using the undo security acl command, you can remove the access
control list used by the ipsec policy.
The data flow that will be protected by the IPSec policy is confined by the ACL in this
command. According to the rules in the ACL, IPSec determines which packets need
security protection and which do not. The packet permitted by the access control list will
be protected, and a packet denied by the access control list will not be protected. The
denied packets are sent out directly without IPSec protection.
For the related commands, see ipsec policy(system view), ipsec policy(interface
view), tunnel local, tunnel remote, sa duration and proposal.
Example
4.1.26 transform
Syntax
undo transform
View
Parameter
ah-esp: Uses ESP as specified in RFC2406 to protect the packets and then uses the AH
protocol as specified in RFC2402 to authenticate them.
Description
Using the transform command, you can set a security protocol used by a proposal.
Using the undo transform command, you can restore the default security protocol.
If ESP is adopted, the default encryption algorithm is DES and the authentication
algorithm is MD5.
If the parameter ah-esp is specified, the default authentication algorithm for AH is MD5
and the default encryption algorithm for ESP is DES without authentication.
The AH protocol provides data authentication, data integrity checking and anti-replay
protection. The ESP protocol provides data authentication, data integrity checking,
anti-replay protection and data encryption.
While establishing a SA manually, the proposals used by the ipsec policy set at both
ends of the security tunnel must be set as using the same security protocol.
The following figure illustrates the data encapsulation formats of different security
protocols in the transport mode and the tunnel mode.
Security protocol    Transport mode      Tunnel mode
ah                   IP AH data          IP AH IP data
Example
Syntax
View
Parameter
Description
Using the tunnel local command, you can set the local address of an ipsec policy.
Using the undo tunnel local command, you can delete the local address set in the
ipsec policy.
It is not necessary to set a local address for an ipsec policy in isakmp mode, so this
command is invalid in this situation. IKE can automatically obtain the local address from
the interface where this ipsec policy is applied.
As for the ipsec policy in manual mode, it is necessary to set the local address before
the SA can be established. A security tunnel is set up between the local and remote end,
so the local address and remote address must be correctly configured before a security
tunnel can be set up.
For the related commands, see ipsec policy(system view), ipsec policy(interface
view), security acl , tunnel remote, sa duration and proposal.
Example
# Set the local address for the ipsec policy, which is applied at serial 4/1/2 whose IP
address is 10.0.0.1.
[Quidway] ipsec policy guangzhou 100 manual
[Quidway-ipsec-policy-manual-guangzhou-100] tunnel local 10.0.0.1
[Quidway-ipsec-policy-manual-guangzhou-100] quit
[Quidway] interface serial 4/1/2
[Quidway-if-Serial4/1/2] ipsec policy guangzhou
Syntax
View
Parameter
Description
Using the tunnel remote command, you can set the remote address of an ipsec policy.
Using the undo tunnel remote command, you can delete the remote address in the
ipsec policy.
For the ipsec policy in manual mode, only one remote address can be set. If a remote
address is already set, this existing address must be deleted before a new one can be
set.
The security tunnel is established between the local and remote ends. The remote
address must be set correctly on both ends of the security tunnel.
For the related commands, see ipsec policy(system view), ipsec policy(interface
view), security acl , tunnel local, sa duration, proposal.
Example
Syntax
View
Any view
Parameter
slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is written in the three-part format x/y/z, where x is the slot ID on the
router and y and z are fixed to 0 for the encryption card. If you do not specify a value
for this parameter, the operation applies to all encryption cards.
Description
Using the debugging encrypt-card command, you can enable debugging on the
encryption card. Using the undo debugging encrypt-card command, you can disable
debugging on the encryption card.
Example
Syntax
View
User view
Parameter
Description
Using the debugging ipsec command, you can turn IPSec debugging on. Using the
undo debugging ipsec command, you can turn IPSec debugging off.
Example
Syntax
View
Any view
Parameter
slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is written in the three-part format x/y/z, where x is the slot ID on the
router and y and z are fixed to 0 for the encryption card. If you do not specify a value
for this parameter, the operation applies to all encryption cards.
Description
Example
ESP SAs
proposal: ESP-ENCRYPT-3DES
proposal: ESP-AUTH-SHA1HMAC96
local address: 20.0.0.2
remote address: 20.0.0.1
sa remaining key duration (bytes/sec): 1887436136/2401
spi: 891512401 (0x35236651)
Uses Encrypt5/0/0
ESP SAs
proposal: ESP-ENCRYPT-3DES
proposal: ESP-AUTH-SHA1HMAC96
local address: 20.0.0.1
remote address: 20.0.0.2
sa remaining key duration (bytes/sec): 1887436532/2401
spi: 3024247997 (0xb4425cbd)
Uses Encrypt5/0/0
AH SAs
proposal: ESP-AUTH-SHA1HMAC96
local address: 20.0.0.1
remote address: 20.0.0.2
sa remaining key duration (bytes/sec): 1887436464/2401
spi: 2937733563 (0xaf1a41bb)
Uses Encrypt5/0/0
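As an added example (not from the manual or from VRP), the following Python parses SA listings in the format shown above and applies two rules this chapter states: the (SPI, destination address, protocol) triplet of each SA must be unique (see sa spi), and an SA becomes invalid as soon as either its time-based or its traffic-based lifetime runs out (see sa duration). The parser, the helper names and the sample output are constructed; taking the remote address as the SA's destination is an assumption.

```python
# Added example (not from the VRP manual or software): parses the SA blocks
# printed by display encrypt-card sa and applies two rules from this chapter.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Triplet = Tuple[int, str, str]   # (SPI, destination address, protocol)

@dataclass
class SAEntry:
    protocol: str                # "ESP" or "AH", from the "... SAs" header
    proposals: List[str] = field(default_factory=list)
    local: str = ""
    remote: str = ""
    remaining_bytes: int = 0     # traffic-based lifetime left
    remaining_seconds: int = 0   # time-based lifetime left
    spi: int = 0
    card: str = ""               # encryption card named on the "Uses" line

def parse_sa_display(text: str) -> List[SAEntry]:
    """Split the display output into one SAEntry per "... SAs" block."""
    entries: List[SAEntry] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" SAs"):            # "ESP SAs" / "AH SAs" header
            cur = SAEntry(protocol=line[:-len(" SAs")])
            entries.append(cur)
            continue
        if cur is None:
            raise ValueError(f"field before any SA header: {line!r}")
        if line.startswith("Uses "):
            cur.card = line[len("Uses "):]
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "proposal":
            cur.proposals.append(value)
        elif key == "local address":
            cur.local = value
        elif key == "remote address":
            cur.remote = value
        elif key == "sa remaining key duration (bytes/sec)":
            nbytes, secs = value.split("/")
            cur.remaining_bytes, cur.remaining_seconds = int(nbytes), int(secs)
        elif key == "spi":
            cur.spi = int(value.split()[0])   # decimal; "(0x...)" follows
        else:
            raise ValueError(f"unrecognised field: {line!r}")
    return entries

def triplet(e: SAEntry) -> Triplet:
    """Identity the sa spi rule requires to be unique.  Assumption: the
    remote address is taken as the SA's destination (outbound view)."""
    return (e.spi, e.remote, e.protocol)

def duplicate_triplets(entries: List[SAEntry]) -> List[Triplet]:
    """Triplets that occur more than once in the listing."""
    seen: Dict[Triplet, int] = {}
    for e in entries:
        seen[triplet(e)] = seen.get(triplet(e), 0) + 1
    return [t for t, n in seen.items() if n > 1]

def expiring_soon(entries: List[SAEntry], min_seconds: int = 300,
                  min_kbytes: int = 1024) -> List[SAEntry]:
    """SAs close to expiry.  Whichever lifetime runs out first invalidates
    the SA, so the time-based and traffic-based remainders are both checked."""
    return [e for e in entries
            if e.remaining_seconds <= min_seconds
            or e.remaining_bytes <= min_kbytes * 1024]

# Constructed sample modelled on the output shown above (values altered so
# that one SA is near its time limit and two AH SAs share a triplet).
SAMPLE = """\
ESP SAs
proposal: ESP-ENCRYPT-3DES
proposal: ESP-AUTH-SHA1HMAC96
local address: 20.0.0.1
remote address: 20.0.0.2
sa remaining key duration (bytes/sec): 1887436532/2401
spi: 3024247997 (0xb4425cbd)
Uses Encrypt5/0/0
AH SAs
proposal: ESP-AUTH-SHA1HMAC96
local address: 20.0.0.1
remote address: 20.0.0.2
sa remaining key duration (bytes/sec): 1887436464/120
spi: 2937733563 (0xaf1a41bb)
Uses Encrypt5/0/0
AH SAs
proposal: ESP-AUTH-SHA1HMAC96
local address: 20.0.0.1
remote address: 20.0.0.2
sa remaining key duration (bytes/sec): 4096/86400
spi: 2937733563 (0xaf1a41bb)
Uses Encrypt5/0/0
"""
```

On SAMPLE, duplicate_triplets reports the shared AH triplet and expiring_soon picks out the SA with 120 seconds left and the one with only 4096 bytes of traffic remaining.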
Syntax
View
Any view
Parameter
slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is written in the three-part format x/y/z, where x is the slot ID on the
router and y and z are fixed to 0 for the encryption card. If you do not specify a value
for this parameter, the operation applies to all encryption cards.
Description
Using the display encrypt-card statistics command, you can view statistics on the
encryption cards.
The statistics includes the processing information of ESP/AH packets on the encryption
card. More details are displayed in the following example.
If the slot ID you enter is greater than the number of available slots on the router, the
error message “Invalid encrypt-card slot-id” is displayed.
Example
Syntax
View
Any view
Parameter
slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is written in the three-part format x/y/z, where x is the slot ID on the
router and y and z are fixed to 0 for the encryption card. If you do not specify a value
for this parameter, the system displays the log of all encryption cards.
Description
Using the display encrypt-card syslog command, you can view the current system
log on the encryption cards.
If the slot ID you enter is greater than the number of available slots on the router, the
error message “Invalid encrypt-card slot-id” is displayed.
Example
Syntax
View
Any view
Parameter
slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is written in the three-part format x/y/z, where x is the slot ID on the
router and y and z are fixed to 0 for the encryption card. If you do not specify a value
for this parameter, the operation applies to all encryption cards.
Description
Using the display interface encrypt command, you can view the information about the
ports on the encryption cards.
With this command, you can view the status of the encryption card, the total number of
packets transmitted or received on it, the maximum number of packets dropped per
second, and information for the last five seconds.
Example
Syntax
encrypt-card backuped
View
Any view
Parameter
None
Description
Using the encrypt-card backuped command, you can enable backup function for the
encryption card. Using the undo encrypt-card backuped command, you can disable
backup function for the encryption card.
For an IPSec SA implemented by the encryption card, IPSec is processed by the card
while the card is normal. If the card fails, the backup function is enabled on the card,
and the encryption/authentication algorithms selected for the SA are supported by the
IPSec module on the VRP platform, IPSec is implemented by the IPSec module on the
VRP platform. If the selected algorithms are not supported by the IPSec module, the
system drops the packets.
Example
Syntax
View
System view
Parameter
slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is written in the three-part format x/y/z, where x is the slot ID on the
router and y and z are fixed to 0 for the encryption card.
Description
Using the interface encrypt command, you can enter encryption card interface mode.
In encryption card interface mode, only the shutdown and undo shutdown commands
are available; they shut down and bring up the encryption card respectively.
Example
Syntax
View
System view
Parameter
Description
Using the ipsec card-proposal command, you can create an SA proposal for the
encryption card and enter the corresponding view. Using the undo ipsec
card-proposal command, you can delete an SA proposal of the encryption card.
After completing SA proposal configuration, you need to return to system view using the
quit command, so that you can initiate other configuration.
Example
# Create the SA proposal “card” using the encryption card in slot 5/0/0, and configure
its authentication and encryption algorithms.
[Router] ipsec card-proposal card
[Router-ipsec-card-proposal-card] use encrypt-card 5/0/0
[Router-ipsec-card-proposal-card] transform ah-esp
[Router-ipsec-card-proposal-card] ah authentication-algorithm sha1
[Router-ipsec-card-proposal-card] esp authentication-algorithm sha1
[Router-ipsec-card-proposal-card] esp encryption-algorithm 3des
[Router-ipsec-card-proposal-card] quit
[Router]
Syntax
View
User view
Parameter
slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is written in the three-part format x/y/z, where x is the slot ID on the
router and y and z are fixed to 0 for the encryption card.
Description
Using the reset counters encrypt command, you can clear the statistics on the
encryption card.
The statistics record all information since the encryption card entered normal operation,
whereas fault analysis during system debugging requires statistics for a specific time
period. You may therefore need to reset the existing statistics and collect statistics for
the required period.
For the related commands, see ipsec card-proposal and display encrypt-card sa.
Example
Syntax
View
User view
Parameter
slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is written in the three-part format x/y/z, where x is the slot ID on the
router and y and z are fixed to 0 for the encryption card.
Description
Using the reset encrypt-card sa command, you can clear the SAs on the encryption
card.
You may need to clear the SA database information stored on the encryption card, to
output only the required information during debugging.
For the related commands, see ipsec card-proposal and display encrypt-card sa.
Example
Syntax
View
User view
Parameter
slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is written in the three-part format x/y/z, where x is the slot ID on the
router and y and z are fixed to 0 for the encryption card.
Description
Using the reset encrypt-card statistics command, you can clear the statistics during
processing of the encryption card.
The statistics record all the protocol processing information from the last rebooting,
including counts of incoming/outgoing ESP/AH packets, dropped packets, failed
authentications, erroneous SAs, invalid SA proposals, invalid protocols.
Example
# Clear the processing statistics on the encryption card in slot 5/0/0.
[Router] reset encrypt-card statistics 5/0/0
Syntax
View
User view
Parameter
slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is written in the three-part format x/y/z, where x is the slot ID on the
router and y and z are fixed to 0 for the encryption card.
Description
Using the reset encrypt-card syslog command, you can clear all the logging
information on the encryption card.
The encryption card records its complete logging history, and all of it (including
obsolete items) is reported on every query, which makes log monitoring and fault
location harder. You may therefore need to clear the log buffer of the encryption card.
Example
# Clear all the logging information on the encryption card in slot 5/0/0.
[Router] reset encrypt-card syslog 5/0/0
Syntax
View
System view
Parameter
None
Description
Using the snmp-agent trap enable encrypt-card command, you can enable the SNMP
agent trap function on the encryption card. Using the undo snmp-agent trap enable
encrypt-card command, you can disable the SNMP agent trap function on the card.
When combined with appropriate NM configuration, the trap function allows you to view
information about card rebooting, status transitions and packet loss on the console of
the NM station or router.
Example
Syntax
View
Parameter
slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is written in the three-part format x/y/z, where x is the slot ID on the
router and y and z are fixed to 0 for the encryption card.
Description
Using the use encrypt-card command, you can specify that the SA proposal uses the
encryption card in a designated slot. Using the undo use encrypt-card command, you
can remove the configuration.
One SA proposal can only be processed by a single encryption card, but one single
encryption card can process different SA proposals.
Example
Command Manual – Security
VRP3.4 Chapter 5 IKE Configuration Commands
5.1.1 authentication-algorithm
Syntax
undo authentication-algorithm
View
Parameter
Description
For the related commands, see ike proposal, display ike proposal.
Example
5.1.2 authentication-method
Syntax
undo authentication-method
View
Parameter
pre-share: Specifies the pre-shared key authentication as the Internet Key Exchange
(IKE) proposal authentication method.
Description
You can specify an authentication method for an IKE proposal. Two methods are
available: pre-shared key (pre-share) and PKI-based RSA signature (rsa-signature).
For the related commands, see ike pre-shared-key, ike proposal, display ike
proposal, pki domain, and pki entity.
Note:
For more information on configuring PKI, refer to “PKI Configuration” in this manual.
Example
# Specify pre-shared key authentication as the authentication method for IKE proposal
10.
[Quidway] ike proposal 10
[Quidway-ike-proposal-10] authentication-method pre-share
Syntax
View
User view
Parameter
Description
Using the debugging ike command, you can enable IKE debugging. Using the undo
debugging ike command, you can disable IKE debugging.
Example
5.1.4 dh
Syntax
dh { group1 | group2 }
undo dh
View
Parameter
Description
Using the dh command, you can select the Diffie-Hellman group for an IKE proposal.
Using the undo dh command, you can restore the Diffie-Hellman group for an IKE
proposal to the default.
For the related commands, see ike proposal, display ike proposal.
Example
Syntax
View
Any view
Parameter
none
Description
Using the display ike proposal command, you can view the parameters configured for
each IKE proposal.
Example
# View the IKE proposal information after two IKE proposals are configured.
[Quidway] display ike proposal
priority  authentication  authentication  encryption  Diffie-Hellman  duration
          method          algorithm       algorithm   group           (seconds)
---------------------------------------------------------------------------
10        PRE_SHARED      SHA             DES_CBC     MODP_1024       5000
11        PRE_SHARED      MD5             DES_CBC     MODP_768        50000
default   PRE_SHARED      SHA             DES_CBC     MODP_768        86400
Syntax
display ike sa
View
Any view
Parameter
none
Description
Using the display ike sa command, you can view the current security tunnels
established by IKE.
Example
The descriptions of the items displayed are listed in the following table.
Item      Description
conn-id   Security channel ID
remote    Remote IP address of this SA
flag      Status of this SA:
          RD (READY): this SA has been established successfully.
          ST (STAYALIVE): the SA duration has been negotiated and this SA is refreshed
          at a fixed interval.
          RL (REPLACED): this SA has been replaced by a new one and will be deleted
          automatically after a period of time.
          FD (FADING): this SA has passed its soft timeout but is still in use; it is
          deleted at hard timeout.
          TO (TIMEOUT): this SA has received no keepalive packet since the previous
          keepalive timeout. If none arrives before the next keepalive timeout, the SA is
          deleted.
5.1.7 encryption-algorithm
Syntax
undo encryption-algorithm
View
Parameter
des-cbc: Selects the 56-bit DES-CBC encryption algorithm for an IKE proposal. DES
uses 56-bit keys; a key of that size is no longer considered resistant to brute-force
search, so prefer 3des-cbc where the peer supports it.
3des-cbc: Sets the encryption algorithm to 3DES in CBC mode. 3DES uses 168-bit
keys for encryption.
Description
Using the encryption-algorithm command, you can specify the encryption algorithm
for an IKE proposal. Using the undo encryption-algorithm command, you can restore
the default.
For the related commands, see ike proposal and display ike proposal.
Example
# Specify the 56-bit DES-CBC encryption algorithm for IKE proposal 10.
[Quidway] ike proposal 10
[Quidway-ike-proposal-10] encryption-algorithm des-cbc
5.1.8 exchange-mode
Syntax
undo exchange-mode
View
IKE-peer view
Parameter
Description
Using the exchange-mode command, you can select an IKE negotiation mode. Using
the undo exchange-mode command, you can restore the default negotiation mode.
By default, main mode is adopted.
In main mode, only an IP address can be used as the identity in IKE negotiation and
SA creation. It is applicable when both ends of the tunnel have fixed IP addresses.
In aggressive mode, either an IP address or a name can be used as the identity in IKE
negotiation and SA creation. If the user at one end of the security tunnel obtains its IP
address automatically (for example, a dial-up user), the IKE negotiation mode must be
set to aggressive. In this case, an SA can be created as long as the username and
password are correct. Note that aggressive mode sends the identity payload without
encryption and, with pre-shared key authentication, lets an eavesdropper attempt
offline guessing of the pre-shared key, so use a long random key with it.
Example
5.1.9 id-type
Syntax
id-type [ ip | name ]
undo id-type
View
IKE-peer view
Parameter
Description
Using the id-type command, you can select the type of ID used in IKE negotiation.
Using the undo id-type command, you can restore the default setting. By default, the
IP address is used as the ID in IKE negotiation.
In main mode, only an IP address can be used to perform IKE negotiation and create
an SA.
In aggressive mode, either an IP address or a name can be used to perform IKE
negotiation and create an SA.
Example
Syntax
View
System view
Parameter
Description
Using the ike local-name command, you can set the name of the local GW. Using the
undo ike local-name command, you can restore the default name of the local GW. By
default, router name is used as the name of the local GW.
If the initiator uses the GW name to perform IKE negotiation (id-type name is used),
you must configure the ike local-name command on the local device.
Example
Syntax
View
System view
Parameter
Description
Using the ike peer command, you can configure an IKE peer and access IKE-peer view.
Using the undo ike peer command, you can delete an IKE peer.
Example
5.1.12 ike peer (IPSec policy view, IPSec policy template view)
Syntax
View
Parameter
Description
Using the ike peer command, you can reference an IKE peer in an IPSec policy or
IPSec policy template. Using the undo ike peer command, you can remove the
referenced IKE peer from the IPSec policy or IPSec policy template.
Example
Syntax
View
System view
Parameter
proposal-number: IKE proposal number, ranging from 1 to 100. This value also stands
for the priority: a smaller value means a higher priority. During IKE negotiation, the
system matches IKE proposals in order of proposal number, smallest first.
Description
Using the ike proposal command, you can define an IKE proposal. Using the undo ike
proposal command, you can delete an IKE proposal.
The system provides a default IKE proposal with the lowest priority.
Executing this command in system view enters IKE proposal view, where you can set
the authentication method, encryption algorithm, authentication algorithm, DH group ID
and SA duration for this IKE proposal using the authentication-method,
encryption-algorithm, authentication-algorithm, dh and sa duration commands.
These parameters are used to establish the security tunnel once both sides of the
negotiation have agreed on them.
Each side of the negotiation can be configured with more than one IKE proposal. During
the negotiation, the IKE proposals of the two sides are compared one by one in order of
priority. The parameters that must be identical for a match are the encryption algorithm,
authentication algorithm, authentication method and DH group. The SA duration is
decided by the initiator of the negotiation and needs no agreement.
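The matching rule above as a small model, added here as an editor's example (not code from the manual or from VRP). It assumes the initiator's proposal list is walked in priority order and, for each entry, the responder's list in its own order; the manual does not say which side's order breaks a tie. The sample proposals are those from the display ike proposal output plus a constructed responder list; the WEAK table is the editor's, not the manual's.

```python
"""IKE phase-1 proposal matching as the ike proposal command describes it.

Added example, not VRP code. A match requires identical encryption
algorithm, authentication algorithm, authentication method and DH group;
the SA duration is not negotiated and is taken from the initiator. Both
sides also hold the system default proposal at the lowest priority.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class IkeProposal:
    number: int          # 1..100; also the priority (smaller wins)
    auth_method: str     # "pre-share" or "rsa-signature"
    auth_algorithm: str  # "md5" or "sha"
    encryption: str      # "des-cbc" or "3des-cbc"
    dh_group: str        # "group1" (MODP_768) or "group2" (MODP_1024)
    sa_duration: int     # ISAKMP SA duration in seconds, 60..604800

    def matches(self, other: "IkeProposal") -> bool:
        # sa_duration is deliberately left out: it needs no agreement.
        return (self.auth_method == other.auth_method
                and self.auth_algorithm == other.auth_algorithm
                and self.encryption == other.encryption
                and self.dh_group == other.dh_group)


# The system default proposal as shown by display ike proposal. Number 101
# is a modelling choice so that it sorts after every configurable proposal.
DEFAULT_PROPOSAL = IkeProposal(101, "pre-share", "sha", "des-cbc", "group1", 86400)


def negotiate(initiator: List[IkeProposal],
              responder: List[IkeProposal]) -> Optional[Dict[str, object]]:
    """Return the agreed phase-1 parameters, or None when nothing matches.

    Assumption: initiator order is the outer loop, responder order the inner.
    """
    ini = sorted(initiator, key=lambda p: p.number) + [DEFAULT_PROPOSAL]
    res = sorted(responder, key=lambda p: p.number) + [DEFAULT_PROPOSAL]
    for i in ini:
        for r in res:
            if i.matches(r):
                return {
                    "initiator_proposal": i.number,
                    "responder_proposal": r.number,
                    "encryption": i.encryption,
                    "auth_algorithm": i.auth_algorithm,
                    "auth_method": i.auth_method,
                    "dh_group": i.dh_group,
                    "sa_duration": i.sa_duration,  # initiator's value wins
                }
    return None


# Editor's review list, not from the manual: single DES, MD5 and the
# 768-bit MODP group are the parameters a reviewer would flag.
WEAK = {"encryption": {"des-cbc"}, "auth_algorithm": {"md5"}, "dh_group": {"group1"}}


def weak_parameters(agreed: Dict[str, object]) -> List[str]:
    """Names of agreed parameters that fall in the WEAK table, sorted."""
    return sorted(k for k, bad in WEAK.items() if agreed[k] in bad)


def demo() -> Optional[Dict[str, object]]:
    """Constructed sample: proposals 10 and 11 from the display ike proposal
    output on the initiator, a single MD5/group1 proposal on the responder."""
    local = [IkeProposal(10, "pre-share", "sha", "des-cbc", "group2", 5000),
             IkeProposal(11, "pre-share", "md5", "des-cbc", "group1", 50000)]
    remote = [IkeProposal(5, "pre-share", "md5", "des-cbc", "group1", 3600)]
    return negotiate(local, remote)


if __name__ == "__main__":
    agreed = demo()
    print(agreed)
    print("weak parameters:", weak_parameters(agreed))
```

Because both sides always end their lists with the default proposal, the model never fails to agree: when no configured proposals match, the tunnel falls back to DES-CBC/SHA/MODP_768 with the initiator's duration. Configuring only 3DES proposals on one side therefore does not prevent that fallback if the peer has no matching proposal, which is worth checking with display ike sa after negotiation.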
Example
Syntax
View
System view
Parameter
seconds: Specifies the interval for sending Keepalive packets to the remote end through
the ISAKMP SA. Range: 20 to 28800.
Description
Using the ike sa keepalive-timer interval command, you can configure the interval for
sending Keepalive packets to the remote end through the ISAKMP SA. Using the undo
ike sa keepalive-timer interval command, you can disable the function.
IKE maintains the link state of the ISAKMP SA using Keepalive packets. If a timeout is
configured at the remote end using the ike sa keepalive-timer timeout command, a
Keepalive sending interval must be configured at the local end. When the remote end
receives no Keepalive packet within the configured timeout, an ISAKMP SA that already
carries the TIMEOUT flag is deleted together with its corresponding IPSec SAs; an
ISAKMP SA without the flag is marked TIMEOUT instead. The configured timeout must
therefore be longer than the Keepalive sending interval.
Example
# Configure the interval as 20 seconds for the local end to send Keepalive packet to the
remote end.
[Quidway] ike sa keepalive-timer interval 20
Syntax
View
System view
Parameter
seconds: Specifies the timeout for the ISAKMP SA to wait for a Keepalive packet.
Range: 20 to 28800.
Description
Using the ike sa keepalive-timer timeout command, you can configure the timeout for
the ISAKMP SA to wait for a Keepalive packet. Using the undo ike sa keepalive-timer
timeout command, you can disable the function.
This command configures how long the local end waits for the remote end to send a
Keepalive packet. IKE maintains the link state of the ISAKMP SA using Keepalive
packets. When no Keepalive packet is received within the configured timeout, an
ISAKMP SA that already carries the TIMEOUT flag is deleted together with its
corresponding IPSec SAs; an ISAKMP SA without the flag is marked TIMEOUT instead.
The configured timeout must therefore be longer than the interval at which the remote
end sends Keepalive packets.
Packets are rarely lost more than three consecutive times in a network, so the timeout
can be configured as three times the Keepalive interval set at the remote end.
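The two-strike rule described for the interval and timeout commands above, as an added editor's example (not code from the manual or from VRP). The fixed check windows at the receiving end are a modelling assumption; the manual only states that an SA is first marked TIMEOUT and then deleted. The scenarios are constructed.

```python
"""ISAKMP keepalive interval versus timeout, as described for the
ike sa keepalive-timer interval and ike sa keepalive-timer timeout commands.

Added example, not VRP code. The local end sends keepalive number k at
t = k * interval; numbers listed in `dropped` are lost on the way. The
remote end checks once per `timeout` seconds (assumed fixed windows): if
nothing arrived in the window that just closed, an ISAKMP SA without the
TIMEOUT flag is marked TIMEOUT, and one already marked TIMEOUT is deleted
(with its IPSec SAs). Any received keepalive clears the flag.
"""
from typing import AbstractSet, Dict, Optional

MIN_SECONDS, MAX_SECONDS = 20, 28800  # range of both commands


def _check_range(name: str, value: int) -> None:
    if not MIN_SECONDS <= value <= MAX_SECONDS:
        raise ValueError(f"{name} must be in {MIN_SECONDS}..{MAX_SECONDS}, got {value}")


def simulate_keepalive(interval: int, timeout: int,
                       dropped: AbstractSet[int] = frozenset(),
                       horizon: int = 300) -> Dict[str, Optional[int]]:
    """Run the exchange for `horizon` seconds and report what the remote end
    did: when (if ever) it deleted the SA and how often it raised TIMEOUT."""
    _check_range("interval", interval)
    _check_range("timeout", timeout)
    arrivals = {k * interval for k in range(1, horizon // interval + 1)
                if k not in dropped}
    flagged = False
    flags_raised = 0
    deleted_at: Optional[int] = None
    for n in range(1, horizon // timeout + 1):
        window_start, window_end = (n - 1) * timeout, n * timeout
        if any(window_start < t <= window_end for t in arrivals):
            flagged = False            # a keepalive arrived: SA is healthy
        elif flagged:
            deleted_at = window_end    # second empty window: SA deleted
            break
        else:
            flagged = True             # first empty window: mark TIMEOUT
            flags_raised += 1
    return {"deleted_at": deleted_at, "timeout_flags": flags_raised}


def recommended_timeout(remote_interval: int) -> int:
    """The manual's rule of thumb: three times the peer's send interval."""
    return 3 * remote_interval


if __name__ == "__main__":
    # Peer sends every 20 s, we wait 60 s (the 3x rule).
    print(simulate_keepalive(20, 60, dropped={1, 2}))            # two losses: survives
    print(simulate_keepalive(20, 60, dropped=set(range(1, 7))))  # six losses: deleted
    # Timeout shorter than the peer's interval: deleted with no loss at all.
    print(simulate_keepalive(60, 20))
```

The last scenario is the misconfiguration the manual warns about: with a 60-second interval on the peer and a 20-second timeout locally, two empty windows pass before the first keepalive can arrive, so the SA is torn down at t = 40 although the link is healthy.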
Example
# Configure the timeout as 20 seconds for the local end to wait for the remote end to
send the Keepalive packet.
[Quidway] ike sa keepalive-timer timeout 20
5.1.16 local
Syntax
undo local
View
IKE-peer view
Parameter
Description
Using the local command, you can configure the subnet type in IKE negotiation. Using
the undo local command, you can restore the default subnet type. You can use this
command to enable interoperability between the router and a Netscreen device.
Example
5.1.17 local-address
Syntax
local-address ip-address
undo local-address
View
IKE-peer view
Parameter
Description
Using the local-address command, you can configure the IP address of the local GW in
IKE negotiation. Using the undo local-address command, you can delete the IP
address of the local GW.
Normally, you don’t need to configure the local-address command, unless you want to
specify a special address for the local GW.
Example
5.1.18 max-connections
Syntax
max-connections number
undo max-connections
View
IKE-peer view
Parameter
Description
Using the max-connections command, you can configure the maximum number of
connections that the IKE peer allows. Using the undo max-connections command,
you can restore the default maximum number of connections that the IKE peer allows,
that is, 1.
Example
Syntax
nat traversal
View
IKE-peer view
Parameter
None
Description
Using the nat traversal command, you can enable the NAT traversal function of
IKE/IPSec. Using the undo nat traversal command, you can disable the NAT traversal
function of IKE/IPSec.
This command applies when a NAT gateway sits on the path of the VPN tunnel
constructed by IKE/IPSec.
To save IP address space, ISPs often deploy NAT gateways in public networks and
allocate private IP addresses to users. An IPSec/IKE tunnel may then have a public
address at one end and a private address at the other. You must enable NAT traversal
at the private network end so that the tunnel can be negotiated and established
normally.
Example
5.1.20 pre-shared-key
Syntax
pre-shared-key key
undo pre-shared-key
View
IKE-peer view
Parameter
Description
Using the pre-shared-key command, you can configure a pre-shared key to be used in
IKE negotiation. Using the undo pre-shared-key command, you can remove the
pre-shared key used in IKE negotiation.
Example
5.1.21 peer
Syntax
undo peer
View
IKE-peer view
Parameter
Description
Using the peer command, you can configure the subnet type in IKE negotiation. Using
the undo peer command, you can restore the default subnet type. You can use this
command to enable interoperability between the router and a Netscreen device.
Example
5.1.22 remote-address
Syntax
remote-address ip-address
undo remote-address
View
IKE-peer view
Parameter
Description
Using the remote-address command, you can configure IP address of the remote GW.
Using the undo remote-address command, you can delete IP address of the remote
GW.
If the initiator uses its IP address in IKE negotiation (that is, id-type ip is used), it sends
its IP address to the peer as its identity, whereas the peer uses the address configured
using the remote-address ip-address command to authenticate the initiator. To pass
authentication, this address must be the same one configured using the
local-address command on the initiator.
Example
5.1.23 remote-name
Syntax
remote-name name
undo remote-name
View
IKE-peer view
Parameter
Description
Using the remote-name command, you can specify a name for the remote GW. Using
the undo remote-name command, you can remove the remote GW name.
If the initiator uses its GW name in IKE negotiation (that is, id-type name is used), it
sends the name to the peer as its identity, and the peer uses the name configured with
the remote-name name command to authenticate the initiator. To pass authentication,
this remote name must be identical to the one configured with the ike local-name
command on the gateway at the initiator end.
Example
Syntax
View
User view
Parameter
connection-id: Specifies the SA to be deleted. If this parameter is not specified, all
phase 1 SAs are deleted.
Description
Using the reset ike sa command, you can delete the security tunnels set up by IKE.
If connection-id is not specified, all phase 1 SAs are deleted. If the phase 1 ISAKMP SA
still exists when the local security tunnel is deleted, a Delete Message notification is
sent to the remote end under the protection of that ISAKMP SA, so that the remote end
deletes the corresponding SA.
IKE uses ISAKMP in two phases: phase 1 establishes the ISAKMP SA; phase 2
negotiates and establishes IPSec SAs under the protection of the ISAKMP SA
established in phase 1.
Example
Caution:
If the phase 1 SA is deleted first, the remote end cannot be notified to clear its SA
database when the phase 2 SA is deleted afterwards.
5.1.25 sa duration
Syntax
sa duration seconds
undo sa duration
View
Parameter
seconds: Specifies the ISAKMP SA duration. When the SA duration expires, the
ISAKMP SA is renewed automatically. Range: 60 to 604800 seconds.
Description
Using the sa duration command, you can specify the ISAKMP SA duration for an IKE
proposal. Using the undo sa duration command, you can restore the default.
Before the SA duration of an SA expires, a new SA is negotiated to replace the existing
one, and the old SA is cleared automatically when its SA duration expires.
For the related commands, see ike proposal and display ike proposal.
Example
# Specify the ISAKMP Sa duration for IKE proposal 10 as 600 seconds (10 minutes).
[Quidway] ike proposal 10
[Quidway-ike-proposal-10] sa duration 600
VRP3.4 Chapter 6 PKI Configuration Commands
6.1.1 ca identifier
Syntax
ca identifier name
undo ca identifier
View
Parameter
Description
Using the ca identifier command, you can specify the CA this device trusts and bind the
CA named name to this device. Using the undo ca identifier command, you can delete
the trusted CA.
Until the CA is deleted, certificate request, retrieval, revocation and polling are all
carried out through it.
Example
Syntax
View
Parameter
entity entity-name: Name of the entity making the certificate request, 1 to 15
characters. It must be identical to the name defined by the pki entity command.
Description
Using the certificate request from command, you can choose whether to register the
certificate request with the CA or with an RA. Using the undo certificate request from
command, you can remove the registration authority selection.
Example
Syntax
View
Parameter
Description
Using the certificate request mode command, you can choose between manual and
automatic request mode. Using the undo certificate request mode command, you can
restore the default request mode.
Auto mode delivers a certificate request automatically when there is no certificate or
when the current certificate is about to expire. Manual mode requires the request to be
performed by hand.
Example
Syntax
View
Parameter
minutes: Interval between two polls, in minutes. Range: 5 to 60. Default: 20.
count: Number of retries. Range: 1 to 100. Default: 50.
Description
Using the certificate request polling command, you can specify the interval between
two polls and the number of retries. Using the undo certificate request polling
command, you can restore the default values.
After a request is delivered, if the CA requires manual approval, it may take a long time
before the certificate is issued. The client therefore polls the request periodically so that
it obtains the certificate promptly once the request has been approved.
Example
# Specify the interval between two polls and the retry times
[RouterCA-pki-domain-1] certificate request polling interval 15
[RouterCA-pki-domain-1] certificate request polling count 40
Syntax
View
Parameter
string: Server URL of the registration authority, 1 to 255 characters. It combines the
server location and the location of the CA CGI command interface script, in the format
http://server_location/ca_script_location. server_location is usually an IP address; if a
server name is used instead, DNS must be configured to resolve server names to IP
addresses.
Description
Using the certificate request url command, you can specify the server URL for
certificate requests through SCEP, the protocol used to communicate with certificate
authorities. Using the undo certificate request url command, you can delete the URL.
Example
Syntax
View
Parameter
Description
Using the crl update period command, you can specify the update period of CRL,
which is the interval between local downloads of CRLs from CRL access server. Using
the undo crl update period command, you can restore the default CRL update period.
Example
Syntax
View
Parameter
url-string: Location of the CRL distribution point, 1 to 255 characters, in the format
ldap://server_location. server_location is usually an IP address; if a server name is used
instead, DNS must be configured to resolve server names to IP addresses.
Description
Using the crl url command, you can specify the URL of the CRL distribution point.
Using the undo crl url command, you can remove it.
Example
Syntax
View
Parameter
port-num: port number of LDAP server, ranging from 1 to 65535. By default, it is 389.
Description
Using the ldap server ip command, you can configure the LDAP server IP address and
the port. Using the undo ldap server ip command, you can cancel the related
configuration.
Example
Syntax
View
Any view
Parameter
name: PKI domain name, 1 to 15 characters, used by other commands to reference the
PKI domain this device belongs to.
Description
Using the pki domain command, you can enter PKI domain view and configure the
LDAP server parameters and the certificate request and authentication parameters.
Using the undo pki domain command, you can delete the specified PKI domain.
Example
6.2.1 fqdn
Syntax
fqdn name-str
undo fqdn
View
Parameter
Description
Using the fqdn command, you can specify the FQDN of an entity. Using the undo fqdn
command, you can delete the entity FQDN.
An FQDN (Fully Qualified Domain Name) is the unique identifier of an entity in the
network, comparable to an e-mail address. It can be resolved to an IP address and is
usually in the form user.domain.
Example
6.2.2 common-name
Syntax
common-name name-str
undo common-name
View
Parameter
Description
Using the common-name command, you can specify the common name of an entity,
for example a user name. Using the undo common-name command, you can delete
the common name of the entity.
Example
6.2.3 country
Syntax
country country-code-str
undo country
View
Parameter
Description
Using the country command, you can specify the code of the country the entity
belongs to. It is a standard two-letter code, for example CN for China. Using the undo
country command, you can delete the country code of the entity.
Example
6.2.4 ip
Syntax
ip ip-address
undo ip
View
Parameter
Description
Using the ip command, you can specify the IP address of an entity. Using the undo ip
command, you can delete the specified IP address.
Example
6.2.5 locality
Syntax
locality locality-str
undo locality
View
Parameter
Description
Using the locality command, you can specify the geographical locality of an entity, for
example a city. Using the undo locality command, you can delete it.
Example
6.2.6 organization
Syntax
organization org-str
undo organization
View
Parameter
Description
Using the organization command, you can specify the name of the organization the
entity belongs to. Using the undo organization command, you can delete that name.
Example
6.2.7 organizational-unit
Syntax
organizational-unit org-unit-str
undo organizational-unit
View
Parameter
Description
Using the organizational-unit command, you can specify the name of the organization
unit to which this entity belongs. Using the undo organizational-unit command, you
can delete the specified organization unit name.
Example
6.2.8 state
Syntax
state state-str
undo state
View
Parameter
Description
Using the state command, you can specify the name of the state or province where the
entity is located. Using the undo state command, you can delete it.
Example
Syntax
View
Any view
Parameter
Description
Using the pki entity command, you can name a PKI entity and enter PKI entity view.
Using the undo pki entity command, you can delete the entity and all configuration
under its name.
A variety of attributes can be configured in PKI entity view. name-str serves only as a
handle for other commands to reference the entity; it does not appear in any certificate
field.
Example
Syntax
View
Any view
Parameter
local: Deletes all locally stored local certificates.
ca: Deletes all locally stored CA certificates.
Description
Using the pki delete certificate command, you can delete the locally stored
certificates.
Example
Syntax
View
Any view
Parameter
pem: Optional. Prints the certificate request so that it can be delivered out of band, for
example by phone, disk or e-mail.
Description
Using the pki request certificate command, you can deliver a certificate request for
the generated RSA key pair to the CA through SCEP. If SCEP communication fails, you
can print the local certificate request in base64 format using the optional parameter
pem, copy it, and send it to the CA out of band.
Example
Syntax
View
Any view
Parameter
Description
Using the pki retrieval certificate command, you can download a certificate from the
certificate issuing server.
Example
# Retrieve a certificate
Syntax
View
Any view
Parameter
Description
Using the pki retrieval crl command, you can obtain the latest CRL from the CRL
server to verify the validity of the current certificate.
Example
# Retrieve a CRL
[RouterCA] pki retrieval crl domain 1
Syntax
View
Any view
Parameter
Description
Using the pki validation certificate command, you can verify the validity of a
certificate. The check covers the CA signature on the certificate, whether the certificate
is still within its validity period, and whether it has been revoked. Any certificate carrying
an authentic CA signature passes the signature check, because the CA is trusted not to
issue fraudulent certificates; the validity period and revocation checks still apply.
Example
Syntax
View
Any view
Parameter
Description
Using the debugging pki command, you can enable PKI debugging functions. Using
the undo debugging pki command, you can disable PKI debugging functions.
Example
Certificate Request:
…..
dir_name: certsrv/mscep/mscep.dll
host_name: 169.254.0.100
SCEP transaction id: 58D41D0C5A7B1E21C5F4A008B580B1A1
PKCS#7 envelope: creating inner PKCS#7
PKCS#7 envelope: data payload size: 297 bytes
data payload:
….
PKCS#7 envelope: successfully encrypted payload
PKCS#7 envelope: size 667 bytes
PKCS#7 envelope: creating outer PKCS#7
PKCS#7 envelope: signature added successfully
issuer:
/emailAddress=myca@huawei.com/C=CN/ST=Beijing/L=Beijing/O=hw3c/OU=bjs/
CN=myca
Key usage: general purpose
Field                   Description
Create PKCS#10 request  Encapsulation of the entity request in PKCS#10 format
PKCS#7 envelope         Data encapsulation in PKCS#7 encryption format
inner PKCS#7            PKCS#7 encryption of the datagram
outer PKCS#7            Signing of the PKCS#7 datagram
PKCS#7 develope         De-encapsulation of a PKCS#7 encrypted packet
host_name               Host name of the registration server
dir_name                CGI script directory of the registration server
data payload            Data payload
token seen              DN information of an entity
pkistatus               PKI certificate operation status
SUCCESS                 Succeeded
FAILURE                 Failed
PENDING                 Waiting for processing
fingerprint             Digest (fingerprint) of the CA certificate
base64 encoded          A data encoding mode
x509 Request            Request for a certificate in standard X.509 format
Key usage               Encryption, signature, and other common usages
Issuer                  Certificate issuer
Subject                 The entity that delivers the certificate request
SCEP send message       The entity sends a certificate operation packet to the CA
                        through SCEP
Signed Certificates     Certificates signed by the CA
Syntax
View
Any view
Parameter
request-status: Status of the certificate request after it has been delivered.
Description
Using the display pki certificate command, you can display and browse through the
certificate.
For related commands, see pki retrieval certificate, pki domain, and certificate
request polling.
Example
Syntax
View
Any view
Parameter
Description
Using the display pki crl command, you can display and browse through the locally
saved CRL.
For related commands, see pki retrieval crl, and pki domain.
Example
# Display a CRL
[RouterCA] display pki crl domain 1
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer:
C=CN
O=h3c
OU=soft
CN=A Test Root
Last Update: Jan 5 08:44:19 2004 GMT
Next Update: Jan 5 21:42:13 2004 GMT
CRL extensions:
X509v3 CRL Number: 2
X509v3 Authority Key Identifier:
keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC
Revoked Certificates:
Serial Number: 05a234448E…
Revocation Date: Sep 6 12:33:22 2004 GMT
CRL entry extensions:……
Serial Number: 05a278445E…
Revocation Date: Sep 7 12:33:22 2004 GMT
CRL entry extensions:…
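The revocation and validity-period checks that pki validation certificate performs, applied to a CRL in the text form display pki crl shows, as an added editor's example (not code from the manual or from VRP). It leaves out the CA signature check, which the router performs when it retrieves and validates the CRL; the example assumes the text it parses has already been retrieved and verified. SAMPLE_CRL is constructed for this example, with full serial numbers and consistent dates; its names, serials and dates are not from the manual.

```python
"""Revocation check against a CRL in display pki crl text form.

Added example, not VRP code. parse_crl() extracts issuer, Last Update,
Next Update and revoked serials; check_certificate() applies the
non-signature checks the manual lists for pki validation certificate:
the issuer must match, the CRL must be current, and the serial must
not be listed. SAMPLE_CRL is constructed.
"""
import re
from datetime import datetime, timezone
from typing import Dict

SAMPLE_CRL = """\
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer:
C=CN
O=h3c
OU=soft
CN=A Test Root
Last Update: Sep  8 08:44:19 2004 GMT
Next Update: Sep  9 08:44:19 2004 GMT
CRL extensions:
X509v3 CRL Number: 2
Revoked Certificates:
Serial Number: 05A234448E0001
Revocation Date: Sep  6 12:33:22 2004 GMT
CRL entry extensions: (none)
Serial Number: 05A278445E0002
Revocation Date: Sep  7 12:33:22 2004 GMT
"""

_DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def _parse_date(text: str) -> datetime:
    # Collapse the column padding OpenSSL-style output puts before the day.
    return datetime.strptime(" ".join(text.split()), _DATE_FMT).replace(tzinfo=timezone.utc)


def utc(year: int, month: int, day: int, hour: int = 0,
        minute: int = 0, second: int = 0) -> datetime:
    """Helper for building UTC timestamps in calls and tests."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_crl(text: str) -> Dict[str, object]:
    issuer_m = re.search(r"^Issuer:\n((?:.*\n)*?)^Last Update:", text, re.M)
    issuer = "/".join(line.strip() for line in issuer_m.group(1).splitlines()
                      if line.strip())
    last = _parse_date(re.search(r"^Last Update:[ \t]*(.+)$", text, re.M).group(1))
    nxt = _parse_date(re.search(r"^Next Update:[ \t]*(.+)$", text, re.M).group(1))
    revoked: Dict[str, datetime] = {}
    entry = r"^Serial Number:[ \t]*([0-9A-Fa-f]+)[ \t]*\n^Revocation Date:[ \t]*(.+)$"
    for m in re.finditer(entry, text, re.M):
        revoked[m.group(1).upper()] = _parse_date(m.group(2))
    return {"issuer": issuer, "last_update": last, "next_update": nxt,
            "revoked": revoked}


def check_certificate(crl: Dict[str, object], serial: str,
                      issuer: str, now: datetime) -> str:
    """Return "ok" or the name of the first failed check."""
    if issuer != crl["issuer"]:
        return "issuer-mismatch"   # this CRL says nothing about another CA's certificates
    if not crl["last_update"] <= now < crl["next_update"]:
        return "crl-stale"         # fetch a fresh one (pki retrieval crl) before deciding
    if serial.upper() in crl["revoked"]:
        return "revoked"
    return "ok"


if __name__ == "__main__":
    crl = parse_crl(SAMPLE_CRL)
    now = utc(2004, 9, 8, 12)
    for serial in ("05a234448e0001", "0ABC1234"):
        print(serial, check_certificate(crl, serial, crl["issuer"], now))
```

The order of the checks matters: a stale CRL is reported before any revocation decision, because a certificate absent from an expired list may well be present on the list the CA has published since; retrieve the current CRL with pki retrieval crl and re-run the check rather than treating "not listed" as "not revoked".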