Manualshelf

R3721-F3210-F3171-HP High-End Firewalls VPN Command Reference-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
101102103104105106107108109110
102
With an IPsec policy for an IPv6 routing protocol, the local SPI of the inbound SA and that of the
outbound SA must be identical.
At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.
Related commands: ipsec policy (system view).
Examples
# Configure the encryption keys for the inbound and outbound SAs that use ESP as
0x1234567890abcdef and 0xabcdefabcdef1234 respectively.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex inbound esp 1234567890abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex outbound esp
abcdefabcdef1234
sa spi
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
spi-number: Security parameters index (SPI) in the SA triplet, in the range of 256 to 4294967295.
Description
Use sa spi to configure an SPI for an SA.
Use undo sa spi to remove the configuration.
This command applies to only manual IPsec policies.
When configuring a manual IPsec policy, you must configure parameters for both inbound and outbound
SAs. For an ACL-based manual IPsec policy, specify different SPIs for different SAs.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the
local outbound SA and remote inbound SA.
When you configure IPsec for an IPv6 routing protocol, follow these guidelines:
The inbound and outbound SAs at the local end must use the same SPI.
Within a certain network scope, each router must use the same SPI and keys for its inbound and
outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be
directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected