Verifying the configuration – H3C Technologies H3C SecPath F1000-E User Manual

Verifying the configuration

After the configuration, traffic between Host A (10.1.1.2) and Host B (10.2.2.2) should be able to trigger IKE negotiation. After IPsec SAs are established, traffic between Host A and Host B should be transferred through the IPsec tunnel, and SecPath A should synchronize its IKE SA and IPsec SAs to SecPath B.

# Display the active IPsec SAs on SecPath A.

display ipsec sa active
===============================
Interface: GE0/2
    path MTU: 1500
===============================
  -----------------------------
  IPsec policy name: "map1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 20000
    encapsulation mode: tunnel
    perfect forward secrecy:
    tunnel:
        local address: 192.168.0.1
        remote address: 192.168.0.2
    flow:
        sour addr: 10.1.1.0/0.0.0.255 port: 0 protocol: IP
        dest addr: 10.2.2.0/0.0.0.255 port: 0 protocol: IP
    [inbound ESP SAs]
      spi: 1078770651 (0x404cbbdb)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843200/3412
      max received sequence-number: 1
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N
      status: active
    [outbound ESP SAs]
      spi: 468087311 (0x1be6720f)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843200/3412
      max received sequence-number: 1
      udp encapsulation used for nat traversal: N
      status: active
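The same verification can be scripted. The following is an added example, not part of the H3C manual: it parses `display ipsec sa active` text, checks the tunnel endpoints and SA status, and flags the single-DES proposal and the empty PFS field visible in the output above. The function names, the abridged sample, the assumption of one tunnel per capture, and the reading of an empty PFS field as "no PFS group negotiated" are assumptions of this example.

```python
import re

# Constructed sample: abridged from the SecPath A output shown above.
SAMPLE = """\
perfect forward secrecy:
local address: 192.168.0.1
remote address: 192.168.0.2
[inbound ESP SAs]
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
anti-replay check enable: Y
status: active
[outbound ESP SAs]
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
status: active
"""

def parse_ipsec_sa(text):
    """Split the output into tunnel-level fields and per-direction SA fields."""
    tunnel, sas, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(inbound|outbound) \w+ SAs\]", line)
        if header:
            current = sas.setdefault(header.group(1), {})
        elif ":" in line:
            key, _, value = line.partition(":")
            target = tunnel if current is None else current
            target[key.strip().lower()] = value.strip()
    return tunnel, sas

def audit(text, local, remote):
    """Return a list of findings; empty means the tunnel matches expectations."""
    tunnel, sas = parse_ipsec_sa(text)
    findings = []
    if (tunnel.get("local address"), tunnel.get("remote address")) != (local, remote):
        findings.append("tunnel endpoints differ from expected")
    if not tunnel.get("perfect forward secrecy"):
        findings.append("PFS field is empty")  # assumption: empty means no PFS group
    for direction in ("inbound", "outbound"):
        sa = sas.get(direction, {})
        if sa.get("status") != "active":
            findings.append(f"no active {direction} SA")
        elif re.search(r"ENCRYPT-DES\b", sa.get("proposal", "")):
            findings.append(f"{direction} SA uses weak cipher: {sa['proposal']}")
    if sas.get("inbound", {}).get("anti-replay check enable") != "Y":
        findings.append("anti-replay disabled on inbound SA")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "192.168.0.1", "192.168.0.2"):
        print("FINDING:", finding)
```

Run against the output above, the endpoint, status and anti-replay checks pass, while the DES proposal on both SAs and the empty PFS field are reported.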

# Display the summary information of the active IKE SA on SecPath A.

display ike sa active
    total phase-1 SAs: 1
    connection-id peer flag phase doi status