HP VPN Firewall Appliances VPN Command Reference

Usage guidelines
If neither cipher nor simple is specified, you set a plaintext encryption key string.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
This command applies only to manual IPsec policies.
When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound
SAs.
The encryption key for the inbound SA at the local end must be the same as that for the outbound SA at
the remote end, and the encryption key for the outbound SA at the local end must be the same as that for
the inbound SA at the remote end.
With an IPsec policy for an IPv6 routing protocol, the local SPI of the inbound SA and that of the
outbound SA must be identical.
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format
(both in hexadecimal format or both in string format), and the keys must be specified in the same format
for both ends of the tunnel.
Examples
# Configure the encryption keys for the inbound and outbound SAs that use ESP as
0x1234567890abcdef and 0xabcdefabcdef1234 in plain text.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex inbound esp simple 1234567890abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex outbound esp simple abcdefabcdef1234
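The following Python check is an added example, not part of the HP command reference. It applies the usage guidelines above to the planned command lines for both tunnel ends before they are entered. It assumes keys are given with the simple keyword, because saved configurations hold keys in cipher text; the function names and the remote-end sample are hypothetical.

```python
import re

# Forms from this page: sa encryption-hex {inbound|outbound} esp simple <hex-key>
#                       sa spi {inbound|outbound} {ah|esp} <spi-number>
SA_LINE = re.compile(
    r"sa (encryption-hex|spi) (inbound|outbound) (ah|esp)(?: simple)? ([0-9A-Fa-f]+)\s*$")

def parse_manual_policy(text):
    """Map (command, direction, protocol) -> value for one manual IPsec policy."""
    found = {}
    for line in text.splitlines():
        m = SA_LINE.search(line)
        if m:
            cmd, direction, proto, value = m.groups()
            found[(cmd, direction, proto)] = value.lower()
    return found

def check_peers(local_text, remote_text, ipv6_routing=False):
    """Return rule violations between two ends; ipv6_routing adds the equal-SPI rule."""
    ends = {"local": parse_manual_policy(local_text),
            "remote": parse_manual_policy(remote_text)}
    problems = []
    for name, end in ends.items():
        for direction in ("inbound", "outbound"):
            if ("encryption-hex", direction, "esp") not in end:
                problems.append(f"{name}: no ESP encryption key for {direction} SA")
        spi_in, spi_out = end.get(("spi", "inbound", "esp")), end.get(("spi", "outbound", "esp"))
        if ipv6_routing and (spi_in is None or spi_in != spi_out):
            problems.append(f"{name}: inbound and outbound ESP SPI missing or different")
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        a = ends["local"].get(("encryption-hex", mine, "esp"))
        b = ends["remote"].get(("encryption-hex", theirs, "esp"))
        if a and b and a != b:
            problems.append(f"local {mine} key != remote {theirs} key")
    return problems

# Constructed sample input: LOCAL repeats the example on this page, REMOTE is a
# hypothetical peer with the inbound and outbound keys swapped.
LOCAL = """\
sa encryption-hex inbound esp simple 1234567890abcdef
sa encryption-hex outbound esp simple abcdefabcdef1234
"""
REMOTE = """\
sa encryption-hex inbound esp simple abcdefabcdef1234
sa encryption-hex outbound esp simple 1234567890abcdef
"""

if __name__ == "__main__":
    print(check_peers(LOCAL, REMOTE) or "consistent")
```

An empty list means the two ends satisfy the rules checked here. Copying the same key lines to both devices yields two mismatch entries, because the directions were not swapped.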
Related commands
ipsec policy (system view)
sa spi
Use sa spi to configure an SPI for an SA.
Use undo sa spi to remove the configuration.
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
Default
No SPI is configured for an SA.
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.