R3721-F3210-F3171-HP High-End Firewalls VPN Command Reference-6PW101

neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a
neighbor group.
Related commands: ipsec policy (system view).
Examples
# Set the SPI for the inbound SA to 10000 and that for the outbound SA to 20000 in a manual IPsec
policy.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000
[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 20000
sa string-key
Syntax
sa string-key { inbound | outbound } { ah | esp } string-key
undo sa string-key { inbound | outbound } { ah | esp }
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
string-key: Key string for the SA, consisting of 1 to 255 characters. For different algorithms, enter strings
of any length in the specified range. Using this key string, the system automatically generates keys
meeting the algorithm requirements. When the protocol is ESP, the system generates the keys for the
authentication algorithm and encryption algorithm respectively.
Description
Use sa string-key to set a key string for an SA.
Use undo sa string-key to remove the configuration.
This command applies only to manual IPsec policies.
When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the
local outbound SA and remote inbound SA.
Enter keys in the same format for the local and remote inbound and outbound SAs. For example, if the
local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound
SAs must use keys in characters.
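The pairing rule above can be checked before a manual policy is deployed. The following Python script is an added example, not part of the HP reference: it parses the sa spi and sa string-key lines of two peers and reports any SA that is not mirrored. The function names, sample configurations and key strings are constructed for illustration, and the key strings are assumed to appear in the form they were entered.

```python
import re

# Matches the two manual-SA commands shown on this page ("sa spi", "sa string-key").
SA_LINE = re.compile(r"^\s*sa (spi|string-key) (inbound|outbound) (ah|esp) (\S+)\s*$")
OPPOSITE = {"inbound": "outbound", "outbound": "inbound"}

def parse_manual_sas(config_text):
    """Return {(direction, protocol): {"spi": value, "string-key": value}}."""
    sas = {}
    for line in config_text.splitlines():
        m = SA_LINE.match(line)
        if m:
            kind, direction, proto, value = m.groups()
            sas.setdefault((direction, proto), {})[kind] = value
    return sas

def check_mirror(local_cfg, remote_cfg):
    """List every place where local and remote SAs are not mirrored."""
    local, remote = parse_manual_sas(local_cfg), parse_manual_sas(remote_cfg)
    problems = []
    for proto in sorted({p for _, p in local} | {p for _, p in remote}):
        for direction in ("inbound", "outbound"):
            mine = local.get((direction, proto), {})
            theirs = remote.get((OPPOSITE[direction], proto), {})
            for kind in ("spi", "string-key"):
                a, b = mine.get(kind), theirs.get(kind)
                where = f"{proto} local {direction} / remote {OPPOSITE[direction]}"
                if a is None or b is None:
                    problems.append(f"{where}: {kind} not set on both sides")
                elif a != b:
                    # Report the field only; never echo key material.
                    problems.append(f"{where}: {kind} mismatch")
    return problems

# Constructed sample configurations with placeholder keys (not real secrets).
DEVICE_A = """ipsec policy policy1 100 manual
 sa spi inbound esp 10000
 sa spi outbound esp 20000
 sa string-key inbound esp EXAMPLE-KEY-ONE
 sa string-key outbound esp EXAMPLE-KEY-TWO
"""
DEVICE_B = """ipsec policy policy1 100 manual
 sa spi inbound esp 20000
 sa spi outbound esp 10000
 sa string-key inbound esp EXAMPLE-KEY-TWO
 sa string-key outbound esp EXAMPLE-KEY-ONE
"""
if __name__ == "__main__":
    print(check_mirror(DEVICE_A, DEVICE_B) or "SAs are mirrored")
```

Copying one peer's configuration verbatim to the other peer is reported as four mismatches, because inbound and outbound values must be swapped between the two devices.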
When you configure an IPsec policy for an IPv6 protocol, follow these guidelines: