R2511-HP MSR Router Series Security Command Reference(V5)
• Enter the keys in the same format on all routers. For example, if you enter the keys in hexadecimal format on one router, do so across the defined scope.
Examples
# Configure the inbound and outbound SAs that use AH to use the plaintext keys abcdef and efcdab, respectively.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab
# Configure the inbound and outbound SAs that use AH to use the plaintext key abcdef.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple abcdef
Related commands
ipsec policy (system view)
security acl
Use security acl to specify the ACL for the IPsec policy to reference.
Use undo security acl to remove the configuration.
Syntax
security acl acl-number [ aggregation ]
undo security acl
Default
An IPsec policy references no ACL.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Parameters
acl-number: Specifies the number of the ACL for the IPsec policy to reference, in the range of 3000 to 3999.
aggregation: Uses the data flow protection mode of aggregation. If you do not specify this keyword, the standard mode is used.
Usage guidelines
With an IKE-dependent IPsec policy configured, data flows can be protected in two modes:
• Standard mode, in which one tunnel protects one data flow. The data flow permitted by each ACL rule is protected by one tunnel that is established separately for it.
• Aggregation mode, in which one tunnel protects all data flows permitted by all the rules of an ACL.
When your device works with an old-version device, use the aggregation mode on both devices.
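The following example is added here and is not taken from the HP reference. It shows one ACL with two rules referenced in aggregation mode by an IKE-dependent IPsec policy. The ACL number 3101, the subnets, and the policy name and sequence number are constructed values, and all other policy settings are omitted.

```text
# Constructed example: ACL 3101 permits two data flows.
<Sysname> system-view
[Sysname] acl number 3101
[Sysname-acl-adv-3101] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-adv-3101] rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-adv-3101] quit
# Reference the ACL in aggregation mode: one tunnel protects both flows.
# Without the aggregation keyword (standard mode), each rule gets its own tunnel.
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] security acl 3101 aggregation
```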










