Configuring a manual IPsec profile 
A manual IPsec profile is similar to a manual IPsec policy. The difference is that an IPsec profile is 
uniquely identified by a name and it does not support ACL configuration. A manual IPsec profile 
specifies the IPsec transform set used for protecting data flows, and the SPIs and keys used by the 
SAs. 
When you configure a manual IPsec profile, make sure the IPsec profile configuration at both tunnel 
ends meets the following requirements: 
•  The IPsec transform set specified in the IPsec profile at the two tunnel ends must have the 
same security protocol, encryption and authentication algorithms, and packet encapsulation 
mode. 
•  The local inbound and outbound IPsec SAs must have the same SPI and key. 
•  The IPsec SAs on the devices in the same scope must have the same key. The scope is defined 
by protocols. For OSPF, the scope consists of OSPF neighbors or an OSPF area. For RIPng, 
the scope consists of directly-connected neighbors or a RIPng process. For BGP, the scope 
consists of BGP peers or a BGP peer group. 
•  The keys for the IPsec SAs at the two tunnel ends must be configured in the same format. For 
example, if the key at one end is entered as a string of characters, the key on the other end 
must also be entered as a string of characters. 
To configure a manual IPsec profile: 
 
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Create a manual IPsec profile and enter its view.
   Command: ipsec profile profile-name manual
   Remarks: By default, no IPsec profile exists.
            The manual keyword is not needed if you enter the view of an
            existing IPsec profile.

Step 3. (Optional.) Configure a description for the IPsec profile.
   Command: description text
   Remarks: By default, no description is configured.

Step 4. Specify an IPsec transform set.
   Command: transform-set transform-set-name
   Remarks: By default, no IPsec transform set is specified in an IPsec profile.
            The specified IPsec transform set must use the transport mode.

Step 5. Configure an SPI for an SA.
   Command: sa spi { inbound | outbound } { ah | esp } spi-number
   Remarks: By default, no SPI is configured for an SA.

Step 6. Configure keys for the IPsec SA.
   Command:
   •  Configure an authentication key in hexadecimal format for AH:
      sa hex-key authentication { inbound | outbound } ah { cipher | simple } string
   •  Configure an authentication key in character format for AH:
      sa string-key { inbound | outbound } ah { cipher | simple } string
   •  Configure a key in character format for ESP:
      sa string-key { inbound | outbound } esp [ cipher | simple ] string
   •  Configure an authentication key in hexadecimal format for ESP:
   Remarks: By default, no keys are configured for the IPsec SA.
            Configure a key for the security protocol (AH, ESP, or both) you
            have specified.
            If you configure a key in character format for ESP, the device
            automatically generates an authentication key and an encryption
            key for ESP.
            If you configure a key in both the character and hexadecimal
            formats, only the most recent configuration takes effect.
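
The requirements listed before the procedure can be checked mechanically before a profile is applied. The following Python script is an added example, not part of the original guide: it parses the profile commands shown above for two tunnel ends and reports mismatches in local inbound/outbound SPIs and keys, and in key value or key format between the ends. The profile name, transform set name, SPI, and keys are constructed placeholders.

```python
import re
# Constructed sample for end A: names, SPI and keys are made-up placeholders,
# not valid key material. End B is the same profile with the key in hex format.
END_A = """ipsec profile prof1 manual
 transform-set ts1
 sa spi inbound ah 12345
 sa spi outbound ah 12345
 sa string-key inbound ah simple ExampleKey1
 sa string-key outbound ah simple ExampleKey1
"""
END_B = END_A.replace("string-key", "hex-key authentication").replace("ExampleKey1", "a1b2c3d4")

SPI_RE = re.compile(r"sa spi (inbound|outbound) (ah|esp) (\d+)$")
KEY_RE = re.compile(r"sa (string-key|hex-key authentication) (inbound|outbound) "
                    r"(ah|esp) (?:(?:cipher|simple) )?(\S+)$")

def parse_profile(text):
    """Collect the transform set, SPIs and keys from the profile commands."""
    prof = {"transform_set": None, "spi": {}, "key": {}}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"transform-set (\S+)$", line):
            prof["transform_set"] = m.group(1)
        elif m := SPI_RE.match(line):
            prof["spi"][(m.group(2), m.group(1))] = int(m.group(3))
        elif m := KEY_RE.match(line):
            fmt = "hex" if m.group(1).startswith("hex") else "string"
            # A later key command replaces an earlier one for the same SA.
            prof["key"][(m.group(3), m.group(2))] = (fmt, m.group(4))
    return prof

def check_ends(a, b):
    """Return a list of violations of the requirements for the two ends."""
    problems = []
    for end, p in (("A", a), ("B", b)):
        if p["transform_set"] is None:
            problems.append(f"end {end}: no transform set")
        for proto in sorted({k[0] for k in (*p["spi"], *p["key"])}):
            for what in ("spi", "key"):
                if p[what].get((proto, "inbound")) != p[what].get((proto, "outbound")):
                    problems.append(f"end {end}: {proto} inbound/outbound {what} differ")
    for proto, direction in sorted(set(a["key"]) | set(b["key"])):
        ka, kb = a["key"].get((proto, direction)), b["key"].get((proto, direction))
        if ka is None or kb is None:
            problems.append(f"{proto} {direction}: key missing at one end")
        elif ka[0] != kb[0]:
            problems.append(f"{proto} {direction}: key format {ka[0]} vs {kb[0]}")
        elif ka[1] != kb[1]:
            problems.append(f"{proto} {direction}: key value differs")
    return problems
```

Calling check_ends(parse_profile(END_A), parse_profile(END_B)) reports the key format mismatch for both directions. Key strings are compared exactly as entered, so the comparison is meaningful only when both ends use the same cipher or simple keyword.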