346
Default
No key string is configured for IPsec SAs.
Views
IPsec policy view, IPsec profile view
Predefined user roles
network-admin
Parameters
inbound: Sets a key string for inbound IPsec SAs.
outbound: Sets a key string for outbound IPsec SAs.
ah: Uses AH.
esp: Uses ESP.
cipher: Sets a ciphertext key.
simple: Sets a plaintext key.
key-value: Specifies a case-sensitive key string. If cipher is specified, it must be a string of 1 to 373
characters. If simple is specified, it must be a string of 1 to 255 characters. Using this key string, the
system automatically generates keys that meet the algorithm requirements. When the protocol is ESP, the
system generates the keys for the authentication algorithm and encryption algorithm respectively.
Usage guidelines
This command applies to only manual IPsec policies and IPsec profiles.
You must set a key for both inbound and outbound SAs.
The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA must
use the same key as the remote inbound SA.
If you configure a key in different formats, only the most recent configuration takes effect.
The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal
or character format). Otherwise, they cannot establish an IPsec tunnel.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
When you configure an IPsec policy or IPsec profile for an IPv6 protocol, follow these guidelines:
• The local inbound and outbound SAs must use the same key.
• The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by
protocols. For OSPF, the scope consists of OSPF neighbors or an OSPF area. For RIPng, the scope
consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP
peers or a BGP peer group.
Examples
# Configure the inbound and outbound SAs that use AH to use the plaintext keys abcdef and efcdab,
respectively.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab
To Next Page
Loading...
Need help?
General
