To Next Page

To Previous Page

566

Related commands

display ipsec sa

sa string-key

Use sa string-key to set a key string (a key in character format) for manual IPsec SAs.

Use undo sa string-key to remove the key string.

Syntax

sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string

undo sa string-key { inbound | outbound } { ah | esp }

Default

No key string is configured for manual IPsec SAs.

Views

IPsec policy view

IPsec profile view

Predefined user roles

network-admin

Parameters

inbound: Sets a key string for inbound IPsec SAs.

outbound: Sets a key string for outbound IPsec SAs.

ah: Uses AH.

esp: Uses ESP.

cipher: Specifies a key string in encrypted form.

simple: Specifies a key string in plaintext form. For security purposes, the key string specified in

plaintext form will be stored in encrypted form.

string: Specifies the key string. Its encrypted form is a case-sensitive string of 1 to 373 characters. Its

plaintext form is a case-sensitive string of 1 to 255 characters. Using the key string, the system

automatically generates keys that meet the algorithm requirements. When the protocol is ESP, the

system automatically generates keys for the authentication algorithm and encryption algorithm.

Usage guidelines

This command applies only to manual IPsec policies and IPsec profiles.

You must set a key for both inbound and outbound SAs.

The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA

must use the same key as the remote inbound SA.

If you execute this command multiple times, the most recent configuration takes effect.

The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in

hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.

When you configure an IPsec policy or IPsec profile for an IPv6 protocol, follow these guidelines:

• The local inbound and outbound SAs must use the same key.

• The IPsec SAs on the devices in the same scope must have the same key. The scope is defined

by protocols. For OSPFv3, the scope consists of OSPFv3 neighbors or an OSPFv3 area. For

RIPng, the scope consists of directly-connected neighbors or a RIPng process. For BGP, the

scope consists of BGP peers or a BGP peer group.

Other manuals for H3C MSR Series

Manual33 pages

Probe Command Reference28 pages

Configuration Guide80 pages

Troubleshooting Guide28 pages

User Guide26 pages

Questions and Answers:

Need help?

Do you have a question about the H3C MSR Series and is the answer not in the manual?

H3C MSR Series Specifications

General

Category	Network Router
IPv6 Support	Yes
Dimensions	Varies by model
Weight	Varies by model
Product Type	Modular Router
Ports	Varies by model
WAN Interfaces	Varies by model
Firewall	Yes
QoS	Yes
Wireless Support	Varies by model
USB Ports	Varies by model
Console Port	Yes
Power Supply	Varies by model
Redundancy	Varies by model
Operating Temperature	0°C to 45°C
Storage Temperature	-40°C to 70°C
Humidity	5% to 95% non-condensing
Series	MSR
Certifications	CE, FCC, RoHS