R0106-HP MSR Router Series Security Command Reference(V7)

Usage guidelines
This command applies only to manual IPsec policies and IPsec profiles.
You must set an encryption key for both the inbound and outbound SAs.
The local inbound SA must use the same encryption key as the remote outbound SA, and the local
outbound SA must use the same encryption key as the remote inbound SA.
In an IPsec profile to be applied to an IPv6 routing protocol, the local encryption keys of the inbound and
outbound SAs must be identical.
If you configure a key in different formats (hexadecimal or character format), only the most recent
configuration takes effect.
The keys for the IPsec SAs at the two tunnel ends must be configured in the same format (either in
hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
Examples
# Configure plaintext encryption keys 0x1234567890abcdef and 0xabcdefabcdef1234 for the inbound
and outbound IPsec SAs that use ESP.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption inbound esp simple 1234567890abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption outbound esp simple abcdefabcdef1234
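The following pre-deployment check is an added example, not part of the HP reference. It applies the usage guidelines above to the key commands planned for both tunnel ends: keys set for both directions, mirrored between the peers, and entered in one format. The function names, the sample peer ROUTER_B, and the line shape matched for sa string-key are assumptions made for this illustration.

```python
import re

# "simple" (plaintext) key commands as typed before deployment. Saved configs
# hold keys in cipher text, so this check cannot run against them.
KEY_CMD = re.compile(r"^sa\s+(?:(hex)-key\s+encryption|(string)-key)\s+"
                     r"(inbound|outbound)\s+esp\s+simple\s+(\S+)$")

def effective_keys(commands):
    """Map direction -> (format, key); the most recent command per direction wins."""
    keys = {}
    for line in commands:
        m = KEY_CMD.match(line.strip())
        if m:
            fmt = m.group(1) or m.group(2)
            key = m.group(4).lower() if fmt == "hex" else m.group(4)
            keys[m.group(3)] = (fmt, key)
    return keys

def check_pair(local_cmds, remote_cmds, ipv6_routing_profile=False):
    """Return a list of rule violations (empty list means the pair is consistent)."""
    local, remote = effective_keys(local_cmds), effective_keys(remote_cmds)
    problems = [f"{name}: no {d} encryption key"
                for name, end in (("local", local), ("remote", remote))
                for d in ("inbound", "outbound") if d not in end]
    if problems:
        return problems
    if len({fmt for end in (local, remote) for fmt, _ in end.values()}) > 1:
        problems.append("key formats differ (hexadecimal vs character)")
    if local["inbound"] != remote["outbound"]:
        problems.append("local inbound key != remote outbound key")
    if local["outbound"] != remote["inbound"]:
        problems.append("local outbound key != remote inbound key")
    if ipv6_routing_profile and local["inbound"] != local["outbound"]:
        problems.append("IPv6 routing profile: local inbound/outbound keys differ")
    return problems

# Constructed sample input: the page's example keys on one end, mirrored on the peer.
ROUTER_A = ["sa hex-key encryption inbound esp simple 1234567890abcdef",
            "sa hex-key encryption outbound esp simple abcdefabcdef1234"]
ROUTER_B = ["sa hex-key encryption inbound esp simple abcdefabcdef1234",
            "sa hex-key encryption outbound esp simple 1234567890abcdef"]

if __name__ == "__main__":
    print(check_pair(ROUTER_A, ROUTER_B))   # mirrored keys
    print(check_pair(ROUTER_A, ROUTER_A))   # same commands pasted on both ends
```

Pasting the same two commands on both ends is the case this catches: each inbound key then equals the peer's inbound key rather than its outbound key.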
Related commands
display ipsec sa
sa string-key
sa idle-time
Use sa idle-time to set the IPsec SA idle timeout for an IPsec policy or IPsec policy template. If no traffic
matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.
Use undo sa idle-time to restore the default.
Syntax
sa idle-time seconds
undo sa idle-time
Default
An IPsec policy or IPsec policy template uses the global IPsec SA idle timeout.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Parameters
seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.