R2511-HP MSR Router Series Security Command Reference(V5)
string for SHA2, or a 16-byte hexadecimal string for AES-XCBC-MAC. If neither cipher nor simple is
specified, you set a plaintext authentication key string.
Usage guidelines
This command applies only to manual IPsec policies.
When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound
SAs.
The authentication key for the inbound SA at the local end must be the same as that for the outbound SA
at the remote end, and the authentication key for the outbound SA at the local end must be the same as
that for the inbound SA at the remote end.
With an IPsec policy for an IPv6 routing protocol, the local SPI of the inbound SA and that of the
outbound SA must be identical.
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format
(both in hexadecimal format or both in string format), and the keys must be specified in the same format
for both ends of the tunnel.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text to the
configuration file.
Examples
# Configure the authentication keys of the inbound and outbound SAs that use AH as
0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 in plain text.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex inbound ah simple 112233445566778899aabbccddeeff00
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah simple aabbccddeeff001100aabbccddeeff00
Related commands
ipsec policy (system view)
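The key-pairing rules in the usage guidelines above can be checked offline before a manual policy is applied to both routers. The following Python sketch is an added example, not part of the HP reference: the function names and sample inputs are constructed, "sa string-key" is assumed to be the string-format counterpart of sa authentication-hex, and keys are compared as typed with the simple keyword.

```python
import re

# "sa authentication-hex" is the command documented above; "sa string-key" is
# assumed here to be its string-format counterpart. Keys are compared as typed
# with "simple", not as the cipher text saved in the configuration file.
SA_KEY = re.compile(
    r"\bsa (authentication-hex|string-key) (inbound|outbound) (ah|esp)"
    r"(?: (?:cipher|simple))? (\S+)$")
MIRROR = {"inbound": "outbound", "outbound": "inbound"}

def parse_sa_keys(config):
    """Return {(direction, protocol): (format, key)} from CLI lines."""
    keys = {}
    for line in config.splitlines():
        m = SA_KEY.search(line.strip())
        if m:
            fmt, direction, proto, key = m.groups()
            if fmt == "authentication-hex":
                key = key.lower()  # same bytes regardless of hex digit case
            keys[(direction, proto)] = (fmt, key)
    return keys

def check_peers(local_cfg, remote_cfg):
    """List violations of the usage guidelines for the two tunnel ends."""
    local, remote = parse_sa_keys(local_cfg), parse_sa_keys(remote_cfg)
    problems = []
    for name, end in (("local", local), ("remote", remote)):
        for proto in sorted({p for _, p in end}):
            if {d for d, p in end if p == proto} != set(MIRROR):
                problems.append(f"{name}: {proto} needs inbound and outbound keys")
    if len({fmt for fmt, _ in [*local.values(), *remote.values()]}) > 1:
        problems.append("keys mix hexadecimal and string formats")
    for (direction, proto), (_, key) in local.items():
        peer = remote.get((MIRROR[direction], proto))
        if peer is not None and peer[1] != key:
            problems.append(f"local {direction} {proto} key differs from "
                            f"remote {MIRROR[direction]} {proto} key")
    return problems

# Constructed sample input: the local end from the example above, a correctly
# mirrored remote end, and a remote end that copied the local commands as-is.
LOCAL = ("sa authentication-hex inbound ah simple 112233445566778899aabbccddeeff00\n"
         "sa authentication-hex outbound ah simple aabbccddeeff001100aabbccddeeff00\n")
REMOTE_OK = ("sa authentication-hex inbound ah simple aabbccddeeff001100aabbccddeeff00\n"
             "sa authentication-hex outbound ah simple 112233445566778899aabbccddeeff00\n")
REMOTE_COPIED = LOCAL

if __name__ == "__main__":
    print(check_peers(LOCAL, REMOTE_OK))
    print(check_peers(LOCAL, REMOTE_COPIED))
```

Copying the local commands unchanged to the peer is the case the second sample covers: both directions are reported because inbound and outbound keys were not swapped.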
sa duration
Use sa duration to set an SA lifetime for the IPsec policy or IPsec profile.
Use undo sa duration to restore the default.
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
Default
The SA lifetime of an IPsec policy or an IPsec profile equals the current global SA lifetime.
The time-based global SA lifetime is 3600 seconds, and the traffic-based SA lifetime is 1843200 kilobytes.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level










