R0106-HP MSR Router Series Security Command Reference(V7)
340
In an IPsec profile to be applied to an IPv6 routing protocol, the local authentication keys of the inbound
and outbound SAs must be identical.
If you configure a key in different formats, only the most recent configuration takes effect.
The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal
or character format). Otherwise, they cannot establish an IPsec tunnel.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
Examples
# Configure plaintext authentication keys 0x112233445566778899aabbccddeeff00 and
0xaabbccddeeff001100aabbccddeeff00 for the inbound and outbound SAs that use AH.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key authentication inbound ah simple
112233445566778899aabbccddeeff00
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key authentication outbound ah simple
aabbccddeeff001100aabbccddeeff00
Related commands
• display ipsec sa
• sa string-key
sa hex-key encryption
Use sa encryption-hex to configure a hexadecimal encryption key for manual IPsec SAs.
Use undo sa encryption-hex to remove the hexadecimal encryption key.
Syntax
sa hex-key encryption { inbound | outbound } esp { cipher | simple } key-value
undo sa hex-key encryption { inbound | outbound } esp
Default
No encryption key is configured for manual IPsec SAs.
Views
IPsec policy view, IPsec profile view
Predefined user roles
network-admin
Parameters
inbound: Specifies a hexadecimal encryption key for inbound SAs.
outbound: Specifies a hexadecimal encryption key for outbound SAs.
esp: Uses ESP.
cipher key-value: Sets a ciphertext encryption key, a case-sensitive string of 1 to 117 characters.
simple key-value: Sets a plaintext encryption key. The key-value argument is case insensitive and must be
an 8-byte hexadecimal string for DES-CBC, a 24-byte hexadecimal string for 3DES-CBC, a 16-byte
hexadecimal string for AES128-CBC, a 24-byte hexadecimal string for AES192-CBC, and a 32-byte
hexadecimal string for AES256-CBC.