R3303-HP HSR6800 Routers Security Command Reference

[Sysname-ipsec-profile-profile1] sa duration traffic-based 20480
Related commands
ipsec sa global-duration
ipsec policy (system view)
ipsec profile (system view)
sa encryption-hex
Use sa encryption-hex to configure an encryption key for an SA.
Use undo sa encryption-hex to remove the configuration.
Syntax
sa encryption-hex { inbound | outbound } esp [ cipher | simple ] hex-key
undo sa encryption-hex { inbound | outbound } esp
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
esp: Uses ESP.
cipher: Sets a ciphertext encryption key.
simple: Sets a plaintext encryption key.
hex-key: Specifies the key string. If cipher is specified, this argument is case sensitive and must be a
ciphertext string of 1 to 117 characters. If simple is specified, this argument is case insensitive, and must
be an 8-byte hexadecimal string for DES-CBC, a 16-byte hexadecimal string for AES128-CBC, or a
24-byte hexadecimal string for 3DES-CBC and AES192-CBC. If neither cipher nor simple is specified,
you set a plaintext encryption key string.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text to the
configuration file.
Usage guidelines
This command applies only to manual IPsec policies.
When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound
SAs.
The encryption key for the inbound SA at the local end must be the same as that for the outbound SA at
the remote end, and the encryption key for the outbound SA at the local end must be the same as that for
the inbound SA at the remote end.
With an IPsec policy for an IPv6 routing protocol, the local SPI of the inbound SA and that of the
outbound SA must be identical.
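The key-length and key-mirroring rules above can be checked on the intended commands for both ends before they are entered (the saved configuration holds only ciphertext). This is an added example, not HP code; the names parse_keys and check_pair are hypothetical, and it assumes plaintext keys are written as bare hex digits and that the ESP algorithm is supplied by the caller.

```python
import re

# Plaintext ("simple") key sizes in bytes, as listed in the hex-key description above.
KEY_BYTES = {"des-cbc": 8, "aes128-cbc": 16, "3des-cbc": 24, "aes192-cbc": 24}
LINE_RE = re.compile(
    r"^\s*sa\s+encryption-hex\s+(inbound|outbound)\s+esp\s+(?:(cipher|simple)\s+)?(\S+)\s*$")

def parse_keys(commands):
    """Return {direction: lowercased hex key} from 'sa encryption-hex' lines."""
    keys = {}
    for line in commands.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        direction, form, key = m.groups()
        if form == "cipher":
            raise ValueError("ciphertext keys cannot be length- or mirror-checked")
        keys[direction] = key.lower()  # plaintext keys are case insensitive
    return keys

def check_pair(local_cmds, remote_cmds, algorithm):
    """Return a list of problems; an empty list means the two ends agree."""
    want = KEY_BYTES[algorithm]
    local, remote = parse_keys(local_cmds), parse_keys(remote_cmds)
    problems = []
    for end, keys in (("local", local), ("remote", remote)):
        for direction in ("inbound", "outbound"):
            key = keys.get(direction)
            if key is None:
                problems.append(f"{end}: no {direction} key configured")
            elif not re.fullmatch(r"[0-9a-f]+", key) or len(key) != 2 * want:
                problems.append(f"{end}: {direction} key must be {want} bytes of hex")
    # Local inbound must equal remote outbound, and local outbound remote inbound.
    for a, b in (("inbound", "outbound"), ("outbound", "inbound")):
        if local.get(a) and remote.get(b) and local[a] != remote[b]:
            problems.append(f"local {a} key differs from remote {b} key")
    return problems

# Constructed sample input (not real keys); the remote outbound key has a typo.
LOCAL = """
sa encryption-hex inbound esp simple 1234567890abcdef
sa encryption-hex outbound esp simple ABCDEFABCDEF1234
"""
REMOTE = """
sa encryption-hex inbound esp simple abcdefabcdef1234
sa encryption-hex outbound esp simple 1234567890abcdee
"""
if __name__ == "__main__":
    print(check_pair(LOCAL, REMOTE, "des-cbc"))
```

Because a mismatched manual key only shows up as traffic that fails to decrypt, running a check like this on both peers' command sets catches the error before the policy is applied.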