Common firewall IPSec maintenance commands


Common IPSec maintenance commands on the USG
display ike peer //Display the configuration information of the IKE peer.
display ike proposal //Display the configuration information of the IKE proposal.
display ike sa //Display the configuration information of the SA established in IKE negotiation mode.
display ipsec policy //Display the configuration information of the security policy.
display ipsec policy-template //Display the configuration information of the security policy template.
display ipsec proposal //Display the configuration information of the IPSec proposal.
display ipsec sa //Display the configuration information of the SA.
display ipsec sa global-configuration //Display the global configuration information of the IPSec SA, including the global hard lifetime information, global soft lifetime information, and global anti-replay information.
display ipsec statistics //Display IPSec packet statistics.

Other related questions:
Common NQA query commands on the AR router
Common NQA query commands on the AR router: Run the display nqa-parameter command in the NQA view to check parameter settings of the NQA test instance. Run the display nqa history command in any view to check historical statistics about the NQA test instance. Run the display nqa results command in any view to check NQA test instance results.

Firewall IPSec mechanism
USG IPSec mechanism
What is IPSec?
1. Designed by the Internet Engineering Task Force (IETF), IPSec is an open network-layer framework protocol. It is not a single protocol but a collection of protocols and services that provide security for IP networks, including the security protocols Authentication Header (AH) and Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and certain algorithms used for authentication and encryption.
2. IPSec provides the following security services for IP packets, mainly through encryption and authentication:
a. User data encryption: IPSec encrypts user data to ensure data confidentiality.
b. Data integrity verification: IPSec uses integrity verification to ensure that data is not tampered with during transmission.
c. Data origin authentication: IPSec authenticates data origins to ensure that data comes from the real senders.
d. Anti-replay: IPSec prevents malicious users from resending captured packets; that is, the receiver discards duplicate packets.
3. Application scenarios
a. Connection of LANs through VPN
1) Site-to-Site VPN: Site-to-site VPN is also called LAN-to-LAN VPN or gateway-to-gateway VPN, in which IPSec tunnels are established between the enterprise headquarters and branches.
2) L2TP over IPSec: In L2TP over IPSec, packets are encapsulated first by L2TP and then by IPSec. L2TP authenticates users and assigns IP addresses, and IPSec ensures security.
3) GRE over IPSec: IPSec cannot encapsulate multicast, broadcast, or non-IP packets. Therefore, to transmit such packets over an IPSec VPN, they are first encapsulated as IP packets using GRE and then encapsulated as IPSec packets.
4) Hub-Spoke VPN: In actual networking, the hub-spoke IPSec VPN is commonly used for interworking between the headquarters network and branch networks.
b. Mobile devices whose IP addresses are not fixed
To avoid attacks from insecure network devices, an IPSec tunnel must be established between a mobile device and the headquarters gateway. The mobile devices can access the headquarters network only after being authenticated by the gateway. In L2TP over IPSec, mobile devices can use the Windows dial-up software, dial-up software supporting IKEv2, or other dial-up software.

IPSec debugging commands
Configure the IPSec SA lifetime on the USG (IPSec VPN SA lifetime).
1. Configure the IKE SA hard lifetime. You can configure a per-SA IKE lifetime, but cannot configure a global IKE lifetime.
system-view //Access the system view.
ike proposal proposal-number //Access the IKE proposal view.
sa duration seconds //Configure the IKE SA hard lifetime.
Notes for configuring the IKE SA lifetime:
a) When the hard lifetime expires, the IKE SA is deleted and re-negotiated. IKE negotiation involves DH calculation and may take a long time. To ensure secure communications, you are advised to set the lifetime to a value larger than 600 seconds.
b) When the soft lifetime expires, a new SA is negotiated to replace the original SA. Until the new SA is negotiated, the original SA is still in use. After the new SA is established, the new SA is used, and the original SA is automatically deleted when its hard lifetime expires. The default IKE SA hard lifetime is 86,400 seconds (one day).
2. Configure the IKE SA soft lifetime.
system-view //Access the system view.
ike peer peer-name //Access the IKE peer view.
sa soft-duration time-based buffer seconds //Configure the IKE SA soft lifetime. This configuration applies only to IKEv1.
a) By default, the soft lifetime is 9/10 of the hard lifetime. When the soft lifetime expires, a new SA is negotiated to replace the original SA.
b) If the soft lifetime is specified and the hard lifetime is greater than the soft lifetime by more than 10s, the specified soft lifetime applies; otherwise, the default soft lifetime applies.
display ike proposal //Display the configured IKE SA hard lifetime.
[USG] display ike proposal
priority authentication authentication encryption Diffie-Hellman duration
         method         algorithm      algorithm  group         (seconds)
---------------------------------------------------------------------------
10       PRE_SHARED     MD5            DES_CBC    MODP_768      5000
default  PRE_SHARED     SHA1           AES_CBC    MODP_1024     86400
display ike peer [ brief | name peer-name ] //Display the configured IKE SA soft lifetime.
[USG] display ike peer name b
--------------------------------
 IKE peer: b
 Exchange mode: main on phase 1
 Pre-shared key: %$%$biLQ*117FHI`Qe&-VY`>l%yp%$%$
 Local certificate file name:
 Proposal: 10
 Local ID type: IP
 Peer IP address:
 VPN instance:
 Authentic IP address:
 IP address pool:
 Peer name:
 Peer domain name:
 VPN instance bound to the SA:
 NAT traversal: enable
 SA soft timeout buffer time: 22 seconds
 OCSP check: disable
 OCSP server URL:
 Applied to 1 policy:
 ppp1-1-isakmp
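The lifetime rules above (hard lifetime larger than 600 s; soft lifetime defaulting to 9/10 of the hard lifetime unless the configured value is more than 10 s below it) can be checked against the table that display ike proposal prints. This is an added example, not Huawei's code: SAMPLE_OUTPUT is a constructed copy of the page's table with an extra proposal 20 added to trigger the warning, and the fixed column layout is assumed from that table.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the `display ike proposal` table on this page;
# proposal 20 is added here only to exercise the lifetime warning.
SAMPLE_OUTPUT = """\
priority authentication authentication encryption Diffie-Hellman duration
         method         algorithm      algorithm  group         (seconds)
---------------------------------------------------------------------------
10       PRE_SHARED     MD5            DES_CBC    MODP_768      5000
default  PRE_SHARED     SHA1           AES_CBC    MODP_1024     86400
20       PRE_SHARED     SHA1           AES_CBC    MODP_1024     300
"""

MIN_RECOMMENDED_HARD = 600  # page: set the hard lifetime larger than 600 s
SOFT_MIN_GAP = 10           # page: a configured soft lifetime counts only if hard - soft > 10 s

IkeProposal = namedtuple("IkeProposal", "priority auth_method auth_alg enc_alg dh_group hard")
# Data rows have six columns ending in a numeric duration; header and separator lines do not.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_ike_proposals(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(IkeProposal(*m.groups()[:5], int(m.group(6))))
    return rows

def effective_soft_lifetime(hard, configured_soft=None):
    # Rule from the page: a configured soft lifetime applies only when the hard
    # lifetime exceeds it by more than 10 s; otherwise the default 9/10 of hard applies.
    if configured_soft is not None and hard - configured_soft > SOFT_MIN_GAP:
        return configured_soft
    return hard * 9 // 10

def audit_ike_proposals(text, configured_soft=None):
    # Map each proposal to its hard and effective soft lifetime, and flag hard
    # lifetimes at or below the page's 600 s recommendation.
    report = {}
    for p in parse_ike_proposals(text):
        report[p.priority] = {
            "hard": p.hard,
            "soft": effective_soft_lifetime(p.hard, configured_soft),
            "ok": p.hard > MIN_RECOMMENDED_HARD,
        }
    return report
```

Pass the value given to sa soft-duration as configured_soft to see which soft lifetime the device will actually use.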

Common authentication algorithms used in IPSec on the USG6000 series
GRE can encapsulate multicast packets into unicast packets, but cannot encrypt packets.

How many command maintenance modes does the IAD have in the eSpace UC solution?
Command maintenance of the IAD generally includes the following modes:
- General user mode
- Privilege mode
- Global configuration mode
- Advanced mode
- Ethernet switch mode
