Panasonic 8000 User Manual

2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
Using local-address: {}
Using interface: {Ethernet1/0/0}
IPsec policy name: "map2"
sequence number: 10
mode: isakmp
security data flow : 3102
ike-peer name: routerb
perfect forward secrecy: None
proposal name: tran2
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
Using interface: {Ethernet1/0/0}
The display indicates the interface that uses the IPSec policy group.
You can use the ipsec policy command to change the interface.
mode: isakmp
The display indicates two IPSec SA modes: manual mode and ISAKMP mode.
You can use the ipsec policy policy-name seq-number { manual | isakmp } command to
configure IPSec policies.
security data flow : 3102
The display indicates the ACL used in the IPSec policy.
You can use the security acl command to modify the configuration.
ike-peer name: routerb
The display indicates the IKE peer specified in the IPSec policy.
You can use the ike-peer command to modify the configuration.
perfect forward secrecy: DH group 1
The display indicates the PFS setting used in the negotiation. The options are
768-bit Diffie-Hellman (DH group 1), 1024-bit Diffie-Hellman (DH group 2), and no PFS.
By default, PFS is disabled.
You can use the pfs { dh-group1 | dh-group2 } command to modify the configuration and
the undo pfs command to disable PFS in the negotiation.
proposal name: tran2
The display indicates the proposals used in the IPSec policy. In ISAKMP mode, each policy
can use up to six proposals. The negotiation uses a proposal that is configured identically at both ends.
You can use the proposal command to modify the configuration.
IPsec sa local duration(time based): 3600 seconds
The display indicates the time-based SA duration.
You can use the sa duration time-based command to modify the configuration. If no SA
duration is configured in the policy, the configured global SA duration is used.
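Added example (not from the Nortel manual): a Python sketch that parses text in the layout of the display above and reports, per policy, the mode and PFS values the manual describes. The sample text, the map3 and map4 policies, and the review criteria are assumptions of this example.

```python
# Constructed sample in the layout of the display above; map3 and map4 are made up.
SAMPLE = """\
IPsec policy name: "map2"
sequence number: 10
mode: isakmp
perfect forward secrecy: None
proposal name:
tran2
IPsec policy name: "map3"
sequence number: 10
mode: isakmp
perfect forward secrecy: DH group 1
IPsec policy name: "map4"
sequence number: 10
mode: manual
"""

WEAK_GROUPS = {"dh group 1": 768, "dh group 2": 1024}  # bit sizes as stated in the manual

def parse_policies(text):
    """Return one dict per policy, keyed by the lower-cased field name."""
    policies, last_key = [], None
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:  # a value wrapped onto its own line, as "tran2" is above
            if policies and last_key and not policies[-1][last_key]:
                policies[-1][last_key] = key
            continue
        key = " ".join(key.lower().split())
        if key == "ipsec policy name":
            policies.append({})
        if policies:  # fields seen before the first policy name are ignored
            policies[-1][key] = value.strip('" ')
            last_key = key
    return policies

def audit(policy):
    """Return review findings for one parsed policy (criteria are this example's own)."""
    if policy.get("mode") == "manual":
        return ["manual mode: SA is not negotiated by IKE, so PFS does not apply"]
    pfs = policy.get("perfect forward secrecy", "none").lower()
    if pfs == "none":
        return ["PFS disabled: no new DH exchange when the IPSec SA is negotiated"]
    if pfs in WEAK_GROUPS:
        return [f"PFS uses a {WEAK_GROUPS[pfs]}-bit DH group, below current guidance"]
    return []

def report(text):  # findings keyed by (policy name, sequence number)
    return {(p["ipsec policy name"], p.get("sequence number")): audit(p) for p in parse_policies(text)}
```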
Nortel Networks Inc.
Issue 01.01 (30 March 2009)