F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Command Reference-6PW100
# Set the SA lifetime for IPsec profile profile1 to 7200 seconds (two hours).
<Sysname> system-view
[Sysname] ipsec profile profile1
[Sysname-ipsec-profile-profile1] sa duration time-based 7200
# Set the SA lifetime for IPsec profile profile1 to 20480 kilobytes (20 Mbytes).
<Sysname> system-view
[Sysname] ipsec profile profile1
[Sysname-ipsec-profile-profile1] sa duration traffic-based 20480
sa encryption-hex
Use sa encryption-hex to configure an encryption key for an SA.
Use undo sa encryption-hex to remove the configuration.
Syntax
sa encryption-hex { inbound | outbound } esp [ cipher string-key | simple hex-key ]
undo sa encryption-hex { inbound | outbound } esp
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
esp: Uses ESP.
cipher string-key: Sets a ciphertext encryption key. The string-key argument is case sensitive and must be
a ciphertext string of 1 to 117 characters.
simple hex-key: Sets a plaintext encryption key. The hex-key argument is case insensitive, and must be an
8-byte hexadecimal string for DES-CBC, a 16-byte hexadecimal string for AES128-CBC, or a 24-byte
hexadecimal string for 3DES-CBC and AES192-CBC.
If neither cipher nor simple is specified, you set a plaintext encryption key string.
For secrecy, all keys, including keys configured in plain text, are saved in cipher text.
Usage guidelines
This command applies only to manual IPsec policies.
When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound
SAs.
The encryption key for the inbound SA at the local end must be the same as that for the outbound SA at
the remote end, and the encryption key for the outbound SA at the local end must be the same as that for
the inbound SA at the remote end.
With an IPsec policy for an IPv6 routing protocol, the local SPI of the inbound SA and that of the
outbound SA must be identical.
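The following Python check is an added example, not part of the HP command reference. It validates a planned pair of sa encryption-hex commands against the hex-key lengths and the inbound/outbound mirroring rule stated above. The function names and sample keys are constructed for illustration, and the check assumes it runs on the commands as planned with simple keys, before they are entered, because the device saves keys in cipher text.

```python
import hmac
import re

# Key sizes in bytes, as listed for the hex-key argument above.
KEY_BYTES = {"DES-CBC": 8, "AES128-CBC": 16, "3DES-CBC": 24, "AES192-CBC": 24}
CMD = re.compile(r"^\s*sa encryption-hex (inbound|outbound) esp(?: (cipher|simple))? (\S+)\s*$")

# Constructed sample commands (made-up test keys); REMOTE outbound is one byte short.
LOCAL = """sa encryption-hex inbound esp simple 00112233445566778899aabbccddeeff
sa encryption-hex outbound esp simple ffeeddccbbaa99887766554433221100"""
REMOTE = """sa encryption-hex inbound esp simple FFEEDDCCBBAA99887766554433221100
sa encryption-hex outbound esp simple 00112233445566778899aabbccddee"""

def parse_keys(config_text):
    """Return {direction: (mode, key)} for every sa encryption-hex line."""
    keys = {}
    for line in config_text.splitlines():
        m = CMD.match(line)
        if m:
            direction, mode, key = m.groups()
            # Assumption: with no keyword the key is plaintext and is checked as hex.
            keys[direction] = (mode or "simple", key)
    return keys

def check_peer_pair(local_cfg, remote_cfg, algorithm):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems, want = [], KEY_BYTES[algorithm]
    local, remote = parse_keys(local_cfg), parse_keys(remote_cfg)
    for name, keys in (("local", local), ("remote", remote)):
        for direction in ("inbound", "outbound"):
            if direction not in keys:
                problems.append(f"{name}: no {direction} key configured")
                continue
            mode, key = keys[direction]
            if mode == "cipher":
                problems.append(f"{name} {direction}: ciphertext key, cannot be checked")
            elif not re.fullmatch(r"[0-9A-Fa-f]+", key) or len(key) != 2 * want:
                problems.append(f"{name} {direction}: key is not {want} bytes of hex for {algorithm}")
    # Local inbound must equal remote outbound and vice versa; hex-key is case insensitive.
    for a, b in (("inbound", "outbound"), ("outbound", "inbound")):
        if a in local and b in remote and local[a][0] == remote[b][0] == "simple":
            ka, kb = local[a][1].lower(), remote[b][1].lower()
            if not hmac.compare_digest(ka.encode(), kb.encode()):
                problems.append(f"local {a} key differs from remote {b} key")
    return problems
```

The messages name the SA direction and the rule that failed but never echo the key itself, so the output can go into a change ticket or log.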