IPSec debugging commands


Configure the IPSec VPN SA lifetime on the USG.
1. Configure IKE SA hard lifetime.
You can configure per-SA IKE lifetime, but cannot configure a global IKE lifetime.
system-view //Access the system view.
ike proposal proposal-number //Access the IKE proposal view.
sa duration seconds //Configure the IKE SA hard lifetime.

Notes for configuring IKE SA lifetime:
a) When the hard lifetime expires, the IKE SA is deleted and re-negotiated. IKE negotiation involves a DH calculation and may take a long time, so to keep communication secure and uninterrupted, you are advised to set the lifetime to a value larger than 600 seconds.
b) When the soft lifetime expires, a new SA is negotiated to replace the original SA. Before the new SA is negotiated, the original SA is still in use. After the new SA is established, the new SA is used, and the original SA will be automatically deleted when the hard lifetime expires.
The default IKE SA hard lifetime is 86,400 seconds (a day).
2. Configure IKE SA soft lifetime.
system-view //Access the system view.
ike peer peer-name //Access the IKE peer view.
sa soft-duration time-based buffer seconds //Configure the IKE SA soft lifetime.
The configuration applies only to IKEv1.
a) By default, the soft lifetime is 9/10 of the hard lifetime. When the soft lifetime expires, a new SA is negotiated to replace the original SA.
b) If the soft lifetime is specified and the hard lifetime is greater than the soft lifetime by more than 10s, the specified soft lifetime applies; otherwise, the default soft lifetime applies.

display ike proposal //Display the configured IKE SA hard lifetime.
[USG] display ike proposal
priority authentication authentication encryption Diffie-Hellman duration
         method         algorithm      algorithm  group          (seconds)
--------------------------------------------------------------------------
10       PRE_SHARED     MD5            DES_CBC    MODP_768       5000
default  PRE_SHARED     SHA1           AES_CBC    MODP_1024      86400
display ike peer [ brief | name peer-name ] //Display the configured IKE SA soft lifetime.
[USG] display ike peer name b

--
IKE peer: b
Exchange mode: main on phase 1
Pre-shared key: %$%$biLQ*117FHI`Qe&-VY`>l%yp%$%$
Local certificate file name:
Proposal: 10
Local ID type: IP
Peer IP address: 202.38.169.1
VPN instance:
Authentic IP address:
IP address pool:
Peer name:
Peer domain name:
VPN instance bound to the SA:
NAT traversal: enable
SA soft timeout buffer time: 22 seconds
OCSP check: disable
OCSP server URL:
Applied to 1 policy: ppp1-1-isakmp
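The lifetime rules above (hard lifetime advised above 600 seconds; default soft lifetime 9/10 of the hard lifetime; a specified soft lifetime applies only when the hard lifetime exceeds it by more than 10 seconds) can be checked offline against the two display outputs shown. The following Python script is an added example, not part of the page or any Huawei tool. It assumes the configured soft lifetime equals the hard lifetime minus the "SA soft timeout buffer time" (the page does not define that relationship), and it parses the two-line-header table layout shown above, which may differ on other VRP releases. The sample outputs are constructed from the values on the page, with the peer output abridged.

```python
"""Audit IKE SA lifetimes from 'display ike proposal' / 'display ike peer' output.

Added example. Sample text below is constructed from the values shown on the
page; the parser is written for that two-line-header table layout and may need
adjusting for other VRP releases (assumption).
"""
import re

# Constructed sample: the 'display ike proposal' table from the page.
PROPOSAL_OUTPUT = """\
priority authentication authentication encryption Diffie-Hellman duration
         method         algorithm      algorithm  group          (seconds)
--------------------------------------------------------------------------
10       PRE_SHARED     MD5            DES_CBC    MODP_768       5000
default  PRE_SHARED     SHA1           AES_CBC    MODP_1024      86400
"""

# Constructed sample: abridged 'display ike peer name b' output from the page.
PEER_OUTPUT = """\
IKE peer: b
Exchange mode: main on phase 1
Proposal: 10
Peer IP address: 202.38.169.1
NAT traversal: enable
SA soft timeout buffer time: 22 seconds
"""

MIN_RECOMMENDED_HARD = 600   # page's advice: hard lifetime larger than 600 s
DEFAULT_SOFT_RATIO = 9 / 10  # page: default soft lifetime is 9/10 of hard
MIN_GAP = 10                 # page: specified soft applies only if hard - soft > 10 s


def parse_proposals(text):
    """Return {priority: hard_lifetime_seconds} from 'display ike proposal'."""
    proposals = {}
    # One data row: priority, 4 text columns, duration in seconds.
    row = re.compile(r"^(\d+|default)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\d+)\s*$")
    for line in text.splitlines():
        m = row.match(line.strip())
        if m:
            proposals[m.group(1)] = int(m.group(2))
    return proposals


def parse_peer(text):
    """Return {'name', 'proposal', 'buffer'} from 'display ike peer name X'.

    'buffer' is None when no soft-duration buffer line is present."""
    info = {"name": None, "proposal": "default", "buffer": None}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "IKE peer":
            info["name"] = value
        elif key == "Proposal" and value:
            info["proposal"] = value
        elif key == "SA soft timeout buffer time":
            m = re.match(r"(\d+)", value)
            if m:
                info["buffer"] = int(m.group(1))
    return info


def effective_soft_lifetime(hard, buffer):
    """Apply the page's rule for which soft lifetime takes effect.

    Assumption: the configured soft lifetime is hard - buffer (the page does
    not define the relationship). The specified value applies only when hard
    exceeds it by more than MIN_GAP; otherwise the 9/10 default applies."""
    if buffer is not None:
        soft = hard - buffer
        if hard - soft > MIN_GAP:
            return soft, "configured"
    return int(hard * DEFAULT_SOFT_RATIO), "default"


def audit(proposal_text, peer_text):
    """Combine both outputs and return the effective lifetimes for the peer."""
    proposals = parse_proposals(proposal_text)
    peer = parse_peer(peer_text)
    hard = proposals[peer["proposal"]]
    soft, source = effective_soft_lifetime(hard, peer["buffer"])
    warnings = []
    if hard <= MIN_RECOMMENDED_HARD:
        warnings.append("hard lifetime at or below 600 s: frequent DH renegotiation")
    return {"peer": peer["name"], "proposal": peer["proposal"], "hard": hard,
            "soft": soft, "soft_source": source, "warnings": warnings}


if __name__ == "__main__":
    for key, value in audit(PROPOSAL_OUTPUT, PEER_OUTPUT).items():
        print(f"{key}: {value}")
```

For the page's values (proposal 10 with a 5000-second hard lifetime, buffer 22 seconds) the configured soft lifetime of 4978 seconds takes effect; with a buffer of 10 seconds or less the script falls back to the 9/10 default, which is the case rule b) describes.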

Other related questions:
Disabling the debugging function on the USG2000&5000&6000
To disable the debugging function on the USG2000&5000&6000, use the following CLI command:
undo terminal debugging
Info: Current terminal debugging is off.
However, after you enable the debugging function, the debugging output may be of such a large volume that it is inconvenient to type the undo debugging all command on the device to stop it. In this case, press Ctrl+O. The result is the same as running the undo debugging all command. Terminal programs that support Ctrl+O include Windows HyperTerminal, the Telnet program in the DOS CLI environment, SecureCRT, and IPOP V2.3 or later. VTP does not support this operation: in VTP, Ctrl+O is defined as the shortcut for creating a console.

How to check ICMP packets on S series switches
You can check ICMP packets on S series switches (excluding the S1700) using the following method:
Ensure that at least one ICMP packet passes or arrives at the switch. Then enable the debugging of ICMP packets in the user view:
 <HUAWEI> terminal debugging
 <HUAWEI> terminal monitor
 <HUAWEI> debugging ip icmp

How to configure a switch to send debugging information to the log server
To configure a switch to send debugging information to the log server, run the following commands in the system view:
[HUAWEI] info-center source default channel 2 debug state on
[HUAWEI] info-center loghost x.x.x.x
By default, a switch sends only logs and traps to the log server.

Common firewall IPSec maintenance commands
Common IPSec maintenance commands on the USG:
display ike peer //Display the configuration information of the IKE peer.
display ike proposal //Display the configuration information of the IKE proposal.
display ike sa //Display the configuration information of the SA established in IKE negotiation mode.
display ipsec policy //Display the configuration information of the security policy.
display ipsec policy-template //Display the configuration information of the security policy template.
display ipsec proposal //Display the configuration information of the IPSec proposal.
display ipsec sa //Display the configuration information of the SA.
display ipsec sa global-configuration //Display the global configuration information of the IPSec SA, including the global hard lifetime, global soft lifetime, and global anti-replay settings.
display ipsec statistics //Display IPSec packet statistics.

Debugging NTP packets on the firewall
Debug firewall NTP packets as follows:
Before enabling the debugging function, run the terminal monitor and terminal debugging commands in the user view to enable the terminal's information display and debugging information display functions.
Note: Enabling the debugging function affects system performance. After debugging, run the undo debugging all command to disable the debugging function immediately.
Run the following command to enable NTP debugging:
debugging ntp-service { access | adjustment | all | authentication | event | filter | packet [ ipv6 ] [ send | receive ] | parameter | refclock | selection | synchronization | validity }
