R2511-HP MSR Router Series Security Command Reference(V5)
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
esp: Uses ESP.
cipher: Sets a ciphertext encryption key.
simple: Sets a plaintext encryption key.
hex-key: Specifies the key string. If cipher is specified, this argument is case sensitive and must be a
ciphertext string of 1 to 117 characters. If simple is specified, this argument is case insensitive, and must
be an 8-byte hexadecimal string for DES-CBC, a 16-byte hexadecimal string for AES128-CBC and
camellia128-CBC, a 20-byte hexadecimal string for AESCTR-128, a 24-byte hexadecimal string for
3DES-CBC, AES192-CBC, and camellia192-CBC, or a 32-byte hexadecimal string for AES256-CBC and
camellia256-CBC. If neither cipher nor simple is specified, you set a plaintext encryption key string.
Usage guidelines
This command applies only to manual IPsec policies.
When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound
SAs.
The encryption key for the inbound SA at the local end must be the same as that for the outbound SA at
the remote end, and the encryption key for the outbound SA at the local end must be the same as that for
the inbound SA at the remote end.
With an IPsec policy for an IPv6 routing protocol, the local SPI of the inbound SA and that of the
outbound SA must be identical.
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format
(both in hexadecimal format or both in string format), and the keys must be specified in the same format
for both ends of the tunnel.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text to the
configuration file.
Examples
# Configure the encryption keys for the inbound and outbound SAs that use ESP as
0x1234567890abcdef and 0xabcdefabcdef1234 in plain text.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex inbound esp simple 1234567890abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex outbound esp simple abcdefabcdef1234
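The key-length rule in the hex-key description and the inbound/outbound mirroring rule in the usage guidelines can be checked on the planned plaintext key commands for both ends before they are entered. The Python script below is an added example, not part of the HP reference; the function names, the use of the page's algorithm labels as dictionary keys, and the remote-end lines are assumptions made for illustration.

```python
import re

# Key length in bytes per ESP encryption algorithm, from the hex-key description.
# Names are the labels used on this page, not CLI keywords.
KEY_BYTES = {
    "DES-CBC": 8, "AES128-CBC": 16, "camellia128-CBC": 16, "AESCTR-128": 20,
    "3DES-CBC": 24, "AES192-CBC": 24, "camellia192-CBC": 24,
    "AES256-CBC": 32, "camellia256-CBC": 32,
}
# Matches plaintext key lines only; a "cipher" key cannot be checked offline.
CMD = re.compile(r"sa encryption-hex (inbound|outbound) esp (?:simple )?(\S+)[ \t]*$",
                 re.I | re.M)

def parse_keys(script):
    """Map 'inbound'/'outbound' to the key set by the planned CLI lines."""
    # Plaintext keys are case insensitive, so compare them in lower case.
    return {d.lower(): k.lower() for d, k in CMD.findall(script)}

def check_pair(local, remote, algorithm):
    """Return a list of problems; an empty list means both ends are consistent."""
    want = KEY_BYTES[algorithm] * 2          # two hex digits per byte
    ends = {"local": parse_keys(local), "remote": parse_keys(remote)}
    problems = []
    for end, keys in ends.items():
        for direction in ("inbound", "outbound"):
            key = keys.get(direction)
            if key is None:
                problems.append(f"{end}: no plaintext {direction} key")
            elif not re.fullmatch(r"[0-9a-f]+", key):
                problems.append(f"{end}: {direction} key is not hexadecimal")
            elif len(key) != want:
                problems.append(f"{end}: {direction} key has {len(key)} hex digits, "
                                f"{algorithm} needs {want}")
    # Local inbound must equal remote outbound, and local outbound remote inbound.
    for a, b in (("inbound", "outbound"), ("outbound", "inbound")):
        la, rb = ends["local"].get(a), ends["remote"].get(b)
        if la and rb and la != rb:
            problems.append(f"local {a} key differs from remote {b} key")
    return problems

# Constructed sample input: the local lines reuse the keys from the example above;
# the remote lines are the mirrored configuration of a hypothetical peer.
LOCAL = """sa encryption-hex inbound esp simple 1234567890abcdef
sa encryption-hex outbound esp simple abcdefabcdef1234"""
REMOTE = """sa encryption-hex inbound esp simple ABCDEFABCDEF1234
sa encryption-hex outbound esp simple 1234567890abcdef"""

if __name__ == "__main__":
    for algorithm in ("DES-CBC", "AES128-CBC"):
        print(algorithm, check_pair(LOCAL, REMOTE, algorithm) or "consistent")
```

Because keys are saved to the configuration file in cipher text, run the check on the change script that holds the plaintext commands, not on a saved configuration.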
Related commands
ipsec policy (system view)
sa spi
Use sa spi to configure an SPI for an SA.










