display ipsec policy

Syntax

display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

brief: Displays brief information about all IPsec policies.

name: Displays detailed information about a specified IPsec policy or IPsec policy group.

policy-name: Name of the IPsec policy, a string of 1 to 15 characters.

seq-number: Sequence number of the IPsec policy, in the range 1 to 65535.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display ipsec policy command to display information about IPsec policies.

If you do not specify any parameters, the command displays detailed information about all IPsec policies.

If you specify the name policy-name option but omit the seq-number argument, the command displays detailed information about the specified IPsec policy group.

Related commands: ipsec policy (system view).

Examples

# Display brief information about all IPsec policies.

<Sysname> display ipsec policy brief
IPsec-Policy-Name     Mode    acl    ike-peer name    Mapped Template
------------------------------------------------------------------------
aaa-100               manual
policy1-1             isakmp

IPsec-Policy-Name     Mode    acl          Local-Address  Remote-Address
------------------------------------------------------------------------
aaa-100               manual

Table 38: Output description

Field                 Description
IPsec-Policy-Name     Name and sequence number of the IPsec policy, separated by a hyphen
Mode                  Negotiation mode of the IPsec policy:
                        • manual—Manual mode
                        • isakmp—IKE negotiation mode (available only in FIPS mode)
acl                   Access control list (ACL) referenced by the IPsec policy
ike-peer name         IKE peer name
Local-Address         IP address of the local end
Remote-Address        IP address of the remote end

# Display detailed information about all IPsec policies.

<Sysname> display ipsec policy

===========================================
IPsec Policy Group: "aaa"
Interface:
===========================================

  -----------------------------
  IPsec policy name: "aaa"
  sequence number: 100
  mode: manual
  -----------------------------
    security data flow :
    tunnel local  address:
    tunnel remote address:
    proposal name:
    inbound AH setting:
      AH spi:
      AH string-key:
      AH authentication hex key:
    inbound ESP setting:
      ESP spi:
      ESP string-key:
      ESP encryption hex key:
      ESP authentication hex key:
    outbound AH setting:
      AH spi:
      AH string-key:
      AH authentication hex key:
    outbound ESP setting:
      ESP spi:
      ESP string-key:
      ESP encryption hex key:
      ESP authentication hex key:

===========================================
IPsec Policy Group: "policy1"
Interface:
===========================================

  -----------------------------
  IPsec policy name: "policy1"
  sequence number: 1
  mode: isakmp
  -----------------------------
    security data flow :
    selector mode: standard
    tunnel remote address:
    perfect forward secrecy:
    proposal name:
    IPsec sa local duration(time based): 3600 seconds
    IPsec sa local duration(traffic based): 1843200 kilobytes
    policy enable: True 

Table 39: Output description

Field                               Description
security data flow                  ACL referenced by the IPsec policy.
Interface                           Interface to which the IPsec policy is applied.
sequence number                     Sequence number of the IPsec policy.
mode                                Negotiation mode of the IPsec policy, which can be:
                                      • manual—Manual mode
                                      • isakmp—IKE negotiation mode (available only in FIPS mode)
selector mode                       Data flow protection mode of the IPsec policy.
ike-peer name                       IKE peer referenced by the IPsec policy.
tunnel local address                Local IP address of the tunnel.
tunnel remote address               Remote IP address of the tunnel.
perfect forward secrecy             Whether PFS is enabled.
proposal name                       Proposal referenced by the IPsec policy.
policy enable                       Whether the IPsec policy is enabled.
inbound/outbound AH/ESP setting     AH/ESP settings in the inbound/outbound direction, including the SPI and keys.
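The detailed output above is easy to read for one policy but tedious to review across many. As an added example (not from the command reference or the device vendor), the following Python parses a constructed, abridged sample of display ipsec policy output into one record per policy entry and reports what a reviewer looks for: a group with an empty Interface field (policy not applied), an entry with no ACL in security data flow, manual keying, and an IKE entry without PFS. The interface name, ACL number and address in the sample are assumptions.

```python
# Constructed, abridged sample of "display ipsec policy" output (separator lines dropped; ACL and address are made up).
SAMPLE = """\
IPsec Policy Group: "aaa"
Interface: GigabitEthernet0/1
  IPsec policy name: "aaa"
  sequence number: 100
  mode: manual
    security data flow : 3001
    tunnel remote address: 198.51.100.1
IPsec Policy Group: "policy1"
Interface:
  IPsec policy name: "policy1"
  sequence number: 1
  mode: isakmp
    security data flow :
    perfect forward secrecy:
    policy enable: True
"""

def parse_policies(text):
    # One dict per policy entry; the group-level "Interface:" value is copied into each entry.
    policies, cur, iface = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("IPsec Policy Group:"):
            cur = None                      # new group: stop attaching fields to the last entry
        elif line.startswith("Interface:"):
            iface = line.split(":", 1)[1].strip()
        elif line.startswith("IPsec policy name:"):
            cur = {"name": line.split(":", 1)[1].strip().strip('"'), "interface": iface}
            policies.append(cur)
        elif cur is not None and ":" in line:
            key, val = line.split(":", 1)   # "security data flow :" -> key "security data flow"
            cur[" ".join(key.split())] = val.strip()
    return policies

def audit(policies):
    # Findings a reviewer would raise per entry, tagged name-seq as in the brief display.
    findings = []
    for p in policies:
        tag = f"{p['name']}-{p.get('sequence number', '?')}"
        checks = [
            (not p["interface"], "not applied to any interface"),
            (not p.get("security data flow"), "no ACL referenced, protects no traffic"),
            (p.get("mode") == "manual", "manual keying: static SPI and keys, never rekeyed"),
            (p.get("mode") == "isakmp" and not p.get("perfect forward secrecy"), "PFS not enabled"),
            (p.get("mode") == "isakmp" and p.get("policy enable") != "True", "policy disabled"),
        ]
        findings += [(tag, msg) for bad, msg in checks if bad]
    return findings
```

Feed it the captured output of display ipsec policy (the real output's dashed and "=" separator lines are ignored by the parser) and review the returned (tag, message) pairs.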