H3C Technologies H3C SecPath F1000-E User Manual

[SecPathA] display ike proposal
 priority authentication authentication encryption Diffie-Hellman duration
          method         algorithm      algorithm  group          (seconds)
---------------------------------------------------------------------------
 10       PRE_SHARED     MD5            DES_CBC    MODP_768       5000
 default  PRE_SHARED     SHA            DES_CBC    MODP_768       86400

[SecPathA] display ike proposal
 priority authentication authentication encryption Diffie-Hellman duration
          method         algorithm      algorithm  group          (seconds)
---------------------------------------------------------------------------
 default  PRE_SHARED     SHA            DES_CBC    MODP_768       86400

The output shows that SecPath A and SecPath B have only one pair of matching IKE proposals. Matching IKE proposals do not necessarily use the same ISAKMP SA lifetime setting.
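The comparison described above can be reproduced offline. The following is an added example, not part of the H3C manual: it parses the two listings shown on this page and pairs proposals that agree on authentication method, authentication algorithm, encryption algorithm and DH group, leaving priority and lifetime out of the comparison. The function and class names are hypothetical, and treating the second listing as SecPath B's output is an assumption.

```python
from typing import NamedTuple

# Both listings are copied from this page. Treating the second one as the
# peer's (SecPath B) output is an assumption drawn from the page's summary.
LOCAL_OUTPUT = """\
priority authentication authentication encryption Diffie-Hellman duration
         method         algorithm      algorithm  group          (seconds)
---------------------------------------------------------------------------
10       PRE_SHARED     MD5            DES_CBC    MODP_768       5000
default  PRE_SHARED     SHA            DES_CBC    MODP_768       86400
"""
PEER_OUTPUT = """\
default  PRE_SHARED     SHA            DES_CBC    MODP_768       86400
"""


class Proposal(NamedTuple):
    priority: str
    auth_method: str
    auth_alg: str
    enc_alg: str
    dh_group: str
    lifetime: int

    def match_key(self):
        # Assumption of this example: only these four columns decide a match;
        # priority is local and lifetime may differ between peers.
        return self[1:5]


def parse_proposals(text):
    """Return the data rows of a 'display ike proposal' listing."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Data rows: six fields, numeric or 'default' priority, numeric duration.
        if len(f) == 6 and f[5].isdigit() and (f[0].isdigit() or f[0] == "default"):
            rows.append(Proposal(*f[:5], int(f[5])))
    return rows


def matching_pairs(local, peer):
    """Pair proposals that agree on method, algorithms and DH group."""
    return [(l, p) for l in local for p in peer if l.match_key() == p.match_key()]


if __name__ == "__main__":
    for l, p in matching_pairs(parse_proposals(LOCAL_OUTPUT), parse_proposals(PEER_OUTPUT)):
        print(f"local {l.priority} <-> peer {p.priority}: {' '.join(l.match_key())}; "
              f"lifetimes {l.lifetime}s / {p.lifetime}s")
```
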
# Send traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24. SecPath A starts IKE negotiation with SecPath B when receiving the first packet.
# View the SAs established in the two IKE negotiation phases.

[SecPathA] display ike sa
    total phase-1 SAs: 1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
    1              2.2.2.2         RD|ST       1       IPSEC
    2              2.2.2.2         RD|ST       2       IPSEC

  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

# Display information about the established IPsec SAs, which protect traffic between subnet 10.1.1.0/24
and subnet 10.1.2.0/24.

[SecPathA] display ipsec sa
===============================
Interface: GigabitEthernet0/1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "map1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 1
    encapsulation mode: tunnel
    perfect forward secrecy:
    tunnel:
        local address: 1.1.1.1
        remote address: 2.2.2.2
    flow:
        sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP