reset ipsec sa

Syntax

reset ipsec sa [ parameters dest-address protocol spi | policy policy-name [ seq-number ] | remote ip-address ]

View

User view

Default level

2: System level

Parameters

parameters: Specifies IPsec SAs that use the specified destination IP address, security protocol, and SPI.

dest-address: Destination address, in dotted decimal notation.

protocol: Security protocol, which can be keyword ah or esp, case insensitive.

spi: Security parameter index in the range 256 to 4294967295.

policy: Specifies IPsec SAs that use an IPsec policy.

policy-name: Name of the IPsec policy, a case-insensitive string of 1 to 15 characters, including letters and digits.

seq-number: Sequence number of the IPsec policy, in the range 1 to 65535. If no seq-number is specified, all the policies in the IPsec policy group named policy-name are specified.

remote: Specifies SAs to or from a remote address, in dotted decimal notation.

Description

Use the reset ipsec sa command to clear IPsec SAs.

Immediately after a manually configured SA is cleared, the system automatically sets up a new SA based on the parameters of the IPsec policy. After IKE-negotiated SAs are cleared, the system sets up new SAs only when IKE negotiation is triggered by interesting packets.

IPsec SAs appear in pairs. If you specify the parameters keyword to clear an IPsec SA, the IPsec SA in the other direction is also automatically cleared.

If you do not specify any parameter, the command clears all IPsec SAs.

Related commands: display ipsec sa.

Examples

# Clear all IPsec SAs.

<Sysname> reset ipsec sa

# Clear the IPsec SA with a remote IP address of 10.1.1.2.

<Sysname> reset ipsec sa remote 10.1.1.2

# Clear the IPsec SA of the IPsec policy with the name of policy1 and sequence number of 10.

<Sysname> reset ipsec sa policy policy1 10

# Clear the IPsec SA with a remote IP address of 10.1.1.2, security protocol of AH, and SPI of 10000.

<Sysname> reset ipsec sa parameters 10.1.1.2 ah 10000
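
The following is an added example, not part of the original command reference or the device software: a Python helper for automation scripts that builds the command line from the syntax and ranges documented above and refuses the bare form, which clears all IPsec SAs, unless the caller asks for it explicitly. The function name build_reset_ipsec_sa and the allow_all flag are hypothetical, and restricting policy-name to letters and digits only is an assumed, conservative reading of the parameter description.

```python
import ipaddress
import re

# Hypothetical helper: builds a "reset ipsec sa" command line for a script.
# Assumption: policy-name is limited to letters and digits, which also keeps
# spaces and newlines out of the generated CLI line.
_POLICY_NAME = re.compile(r"[A-Za-z0-9]{1,15}")

def _ipv4(value):
    # Accept dotted decimal notation only; raises ValueError otherwise.
    return str(ipaddress.IPv4Address(str(value)))

def _in_range(value, low, high):
    # type() check rejects bool, which is a subclass of int.
    return type(value) is int and low <= value <= high

def build_reset_ipsec_sa(*, parameters=None, policy=None, seq_number=None,
                         remote=None, allow_all=False):
    """Return the command string; raise ValueError on invalid input."""
    chosen = [x for x in (parameters, policy, remote) if x is not None]
    if len(chosen) > 1:
        raise ValueError("parameters, policy and remote are mutually exclusive")
    if seq_number is not None and policy is None:
        raise ValueError("seq-number is only valid with policy")
    if parameters is not None:
        dest, protocol, spi = parameters
        protocol = str(protocol).lower()  # keyword is case insensitive
        if protocol not in ("ah", "esp"):
            raise ValueError("protocol must be ah or esp")
        if not _in_range(spi, 256, 4294967295):
            raise ValueError("spi must be in the range 256 to 4294967295")
        return f"reset ipsec sa parameters {_ipv4(dest)} {protocol} {spi}"
    if policy is not None:
        if not isinstance(policy, str) or not _POLICY_NAME.fullmatch(policy):
            raise ValueError("policy-name must be 1 to 15 letters and digits")
        if seq_number is None:
            return f"reset ipsec sa policy {policy}"  # whole policy group
        if not _in_range(seq_number, 1, 65535):
            raise ValueError("seq-number must be in the range 1 to 65535")
        return f"reset ipsec sa policy {policy} {seq_number}"
    if remote is not None:
        return f"reset ipsec sa remote {_ipv4(remote)}"
    if not allow_all:
        # With no parameter the command clears all IPsec SAs.
        raise ValueError("bare 'reset ipsec sa' clears all IPsec SAs")
    return "reset ipsec sa"
```

Because clearing one SA with the parameters keyword also clears the SA in the other direction, a script only needs to issue the command once per SA pair.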