HP VPN Firewall Appliances VPN Command Reference
99
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
spi-number: Specifies the security parameters index (SPI) in the SA triplet, in the range of 256 to
4294967295.
Usage guidelines
This command applies to only manual IPsec policies.
When configuring a manual IPsec policy, you must configure parameters for both inbound and outbound
SAs. For an ACL-based manual IPsec policy, specify different SPIs for different SAs.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the
local outbound SA and remote inbound SA.
When you configure IPsec for an IPv6 routing protocol, follow these guidelines:
• The inbound and outbound SAs at the local end must use the same SPI.
• Within a certain network scope, each router must use the same SPI and keys for its inbound and
outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be
directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected
neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a
neighbor group.
Examples
# Set the SPI for the inbound SA to 10000 and that for the outbound SA to 20000 in a manual IPsec
policy.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000
[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 20000
Related commands
ipsec policy (system view)
sa string-key
Use sa string-key to set a key string for an SA.
Use undo sa string-key to remove the configuration.
Syntax
sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string-key
undo sa string-key { inbound | outbound } { ah | esp }
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.