R2511-HP MSR Router Series Security Command Reference(V5)
sa string-key
Use sa string-key to set a key string for an SA.
Use undo sa string-key to remove the configuration.
Syntax
sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string-key
undo sa string-key { inbound | outbound } { ah | esp }
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
cipher: Sets a ciphertext key.
simple: Sets a plaintext key.
string-key: Specifies the key string. This argument is case sensitive. If cipher is specified, it must be a
ciphertext string of 1 to 373 characters. If simple is specified, it must be a string of 1 to 255 characters.
If neither cipher nor simple is specified, you set a plaintext key string. For different algorithms, enter
strings of any length in the specified range. Using this key string, the system automatically generates keys
meeting the algorithm requirements. When the protocol is ESP, the system generates the keys for the
authentication algorithm and encryption algorithm respectively.
Usage guidelines
This command applies only to manual IPsec policies. This command is not available in FIPS mode.
When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the
local outbound SA and remote inbound SA.
Enter keys in the same format for the local and remote inbound and outbound SAs. For example, if the
local inbound SA uses a key entered as a character string, the local outbound SA and the remote inbound
and outbound SAs must also use keys entered as character strings.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text to the
configuration file.
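The mirroring rule above (local inbound SA = remote outbound SA, and the reverse) can be checked on the planned commands before they are entered. The following is an added example, not part of the original reference: the companion `sa spi { inbound | outbound } { ah | esp } spi-number` syntax, the function names, and all SPIs and keys are assumptions or constructed placeholders. It assumes plaintext (simple) keys, because the saved configuration holds ciphertext.

```python
import re

# Matches the page's "sa string-key" syntax plus the companion "sa spi" command
# (assumed syntax: sa spi { inbound | outbound } { ah | esp } spi-number).
SA_LINE = re.compile(
    r"^\s*sa (spi|string-key) (inbound|outbound) (ah|esp)(?: (?:cipher|simple))? (\S+)\s*$")

# Constructed sample input: planned manual-policy commands for two peers.
ROUTER_A = """
 sa spi inbound esp 20001
 sa string-key inbound esp simple example-key-b2a
 sa spi outbound esp 10001
 sa string-key outbound esp simple example-key-a2b
"""
ROUTER_B = """
 sa spi inbound esp 10001
 sa string-key inbound esp simple example-key-a2b
 sa spi outbound esp 20001
 sa string-key outbound esp simple example-key-b2a
"""

def parse_sas(config):
    """Return {(direction, protocol): {"spi": value, "string-key": value}}."""
    sas = {}
    for line in config.splitlines():
        m = SA_LINE.match(line)
        if m:
            kind, direction, proto, value = m.groups()
            sas.setdefault((direction, proto), {})[kind] = value
    return sas

def check_mirror(local_cfg, remote_cfg):
    """List every violation of the inbound/outbound mirroring rule."""
    local, remote = parse_sas(local_cfg), parse_sas(remote_cfg)
    problems = []
    for proto in sorted({p for _, p in list(local) + list(remote)}):
        for ldir, rdir in (("inbound", "outbound"), ("outbound", "inbound")):
            lsa, rsa = local.get((ldir, proto), {}), remote.get((rdir, proto), {})
            for field in ("spi", "string-key"):
                if field not in lsa or field not in rsa:
                    problems.append(f"{proto}: {field} missing for local {ldir} / remote {rdir}")
                elif lsa[field] != rsa[field]:
                    problems.append(f"{proto}: {field} differs, local {ldir} vs remote {rdir}")
    return problems

if __name__ == "__main__":
    print(check_mirror(ROUTER_A, ROUTER_B))   # mirrored pair: no problems
    print(check_mirror(ROUTER_A, ROUTER_A))   # same lines pasted on both ends
```

Pasting identical lines on both peers is the typical mistake this catches: each side's inbound SA then carries the SPI and key that the other side also uses for inbound, not outbound.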
When you configure an IPsec policy for an IPv6 protocol, follow these guidelines:
• Within a certain network scope, each router must use the same SPI and keys for its inbound and
outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be
directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected
neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a
neighbor group.










