Router User Manual

2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
2-56 Nortel Networks Inc. Issue 01.01 (30 March 2009)
The display indicates that the SPI of the inbound SA is 54321, the protocol is ESP, the
encryption algorithm is DES (ESP-ENCRYPT-DES), and the authentication algorithm is
SHA-1 (ESP-AUTH-SHA1).
[outbound ESP SAs]
spi: 12345 (0x3039)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
No duration limit for this sa
The display indicates that the SPI of the outbound SA is 12345, the protocol is ESP, the
encryption algorithm is DES, and the authentication algorithm is SHA-1.
display ipsec sa brief
<RouterA> display ipsec sa brief
Src Address     Dst Address     SPI     Protocol  Algorithm
--------------------------------------------------------------
202.38.162.1    202.38.163.1    54321   ESP       E:DES; A:HMAC-SHA1-96;
202.38.163.1    202.38.162.1    12345   ESP       E:DES; A:HMAC-SHA1-96;
Use the display ipsec sa command to view brief IPSec SA information.
For a detailed explanation of each field in the display lines, see “display ipsec sa policy.”
display ike proposal
<RouterA> display ike proposal
priority  authentication  authentication  encryption  Diffie-Hellman  duration
          method          algorithm       algorithm   group           (seconds)
-------------------------------------------------------------------------
default   PRE_SHARED      SHA             DES_CBC     MODP_768        86400
The following section explains each field in the display lines:
Priority
Priority indicates the priority of IKE proposals. The value can be any integer from 1 to 100.
The higher the value, the lower the priority. Default indicates that the default IKE proposal
priority is used.
Authentication method
Currently, only pre-shared key authentication mode is applicable.
Authentication algorithm
The authentication algorithms available in IKE proposals are SHA-1 and MD5. You can use the
authentication-algorithm { md5 | sha1 } command to modify the configuration.
Encryption algorithm
The encryption algorithms available in IKE proposals are DES (DES_CBC), 3DES (3DES_CBC),
and AES (AES_CBC).
You can use the encryption-algorithm { des-cbc | 3des-cbc | aes-cbc } command to modify
the configuration.
Diffie-Hellman group
The Diffie-Hellman groups available in IKE proposals are 768-bit Diffie-Hellman
(MODP_768) and 1024-bit Diffie-Hellman (MODP_1024).
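
The following is an added example, not part of the original manual: a Python audit helper that parses the display ike proposal and display ipsec sa brief output shown above and reports deprecated algorithm choices. The flagging policy (single DES, MD5, MODP_768) and the priority-10 proposal row are assumptions of this example; the column layout is assumed to match the output on this page.

```python
import re

def weakness(token):
    """Reason an auditor would flag this algorithm token, or None."""
    # Policy is this example's assumption, not a statement from the manual.
    t = token.upper().replace("-", "_")
    if t in ("DES", "DES_CBC"):          # exact match, so 3DES_CBC is not caught
        return "single DES (56-bit key)"
    if "MD5" in t:
        return "MD5-based authentication"
    if t == "MODP_768":
        return "768-bit Diffie-Hellman group"
    return None

def audit_ike_proposals(text):
    """Map each 'display ike proposal' row (by priority) to its findings."""
    report = {}
    for line in text.splitlines():
        cols = line.split()
        # Data rows have six columns and end with the duration in seconds;
        # header, separator and prompt lines fail this check and are skipped.
        if len(cols) == 6 and cols[5].isdigit():
            flagged = [(c, weakness(c)) for c in cols[2:5] if weakness(c)]
            report[cols[0]] = flagged
    return report

SA_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(.+)$")

def audit_sa_brief(text):
    """Map each 'display ipsec sa brief' row (by SPI) to its findings."""
    report = {}
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            # Algorithm column looks like "E:DES; A:HMAC-SHA1-96;"
            algs = re.findall(r"[EA]:([^;\s]+)", m.group(5))
            report[int(m.group(3))] = [(a, weakness(a)) for a in algs if weakness(a)]
    return report

# The "default" row and both SA rows are the manual's output; row 10 is constructed.
IKE_OUTPUT = """\
default PRE_SHARED SHA DES_CBC MODP_768 86400
10 PRE_SHARED MD5 3DES_CBC MODP_1024 86400
"""
SA_OUTPUT = """\
202.38.162.1 202.38.163.1 54321 ESP E:DES; A:HMAC-SHA1-96;
202.38.163.1 202.38.162.1 12345 ESP E:DES; A:HMAC-SHA1-96;
"""
if __name__ == "__main__":
    print(audit_ike_proposals(IKE_OUTPUT), audit_sa_brief(SA_OUTPUT), sep="\n")
```

Paste captured command output into the two functions to review a device; an empty findings list means none of the example's flagged algorithms appear in that row.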