Router User Manual

2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
2-54 Nortel Networks Inc. Issue 01.01 (30 March 2009)
Using local-address: {}
Using interface: {Ethernet1/0/0}
===========================================
-----------------------------
IPsec policy name: " map2"
sequence number: 10
mode: isakmp
-----------------------------
security data flow : 3102
ike-peer name: routerb
perfect forward secrecy: None
proposal name: tran2
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
Using interface: {Ethernet1/0/0}
The display indicates the interface that uses the IPSec policy group.
You can use the ipsec policy command to change the interface.
mode: isakmp
The display indicates the IPSec SA mode. There are two modes: manual mode and ISAKMP mode.
You can use the ipsec policy policy-name seq-number { manual | isakmp } command to
configure IPSec policies.
security data flow : 3102
The display indicates the ACL used in the IPSec policy.
You can use the security acl command to modify the configuration.
ike-peer name: routerb
The display indicates the IKE peer specified in the IPSec policy.
You can use the ike-peer command to modify the configuration.
perfect forward secrecy: DH group 1
The display indicates the PFS setting used in the negotiation. The PFS options are
768-bit Diffie-Hellman (DH group 1), 1024-bit Diffie-Hellman (DH group 2), and no PFS.
By default, PFS is disabled.
You can use the pfs { dh-group1 | dh-group2 } command to modify the configuration and
the undo pfs command to disable PFS in the negotiation.
proposal name: tran2
The display indicates the proposals used in the IPSec policy. In ISAKMP mode, each policy
can use up to six proposals. The proposals that have the same configuration at both ends are used.
You can use the proposal command to modify the configuration.
IPsec sa local duration(time based): 3600 seconds
The display indicates the time-based SA duration.
You can use the sa duration time-based command to modify the configuration. If no SA
duration is configured in the policy, the configured global SA duration is used.
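
The following Python script is an added example, not part of the Nortel manual. It parses saved output in the display format shown above and lists the policies whose perfect forward secrecy field reads None or DH group 1. The sample text is constructed (policy map3 is invented), and the function names are hypothetical.

```python
# Constructed sample in the format of the display above; "map3" is invented.
SAMPLE = """\
Using interface: {Ethernet1/0/0}
-----------------------------
IPsec policy name: " map2"
sequence number: 10
mode: isakmp
-----------------------------
security data flow : 3102
ike-peer name: routerb
perfect forward secrecy: None
proposal name: tran2
IPsec sa local duration(time based): 3600 seconds
-----------------------------
IPsec policy name: "map3"
sequence number: 20
mode: isakmp
-----------------------------
perfect forward secrecy: DH group 1
"""

def parse_policies(text):
    """Return one dict of field -> value per policy in the display text."""
    policies = []
    for line in text.splitlines():
        if ":" not in line:
            continue  # separator rows carry no field
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "IPsec policy name":
            policies.append({})  # each name line starts a new policy
            value = value.strip('" ')
        if policies:  # ignore header lines before the first policy
            policies[-1][key] = value
    return policies

def audit_pfs(policies):
    """Return (policy, sequence, finding) for PFS settings to review."""
    findings = []
    for p in policies:
        ident = (p["IPsec policy name"], p.get("sequence number"))
        pfs = p.get("perfect forward secrecy", "None")  # assumption: absent means off
        if pfs.lower() == "none":
            findings.append(ident + ("PFS disabled",))
        elif pfs == "DH group 1":
            findings.append(ident + ("PFS uses 768-bit DH group 1",))
    return findings

if __name__ == "__main__":
    print(audit_pfs(parse_policies(SAMPLE)))
```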