R0106-HP MSR Router Series Security Command Reference(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR2003 AC Router

351

352

353

354

355

356

357

358

359

360

344

Usage guidelines

This command applies to only manual IPsec policies and IPsec profiles.

You must set a key for both inbound and outbound SAs.

The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA must

use the same key as the remote inbound SA.

If you configure a key in different formats, only the most recent configuration takes effect.

The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal

or character format). Otherwise, they cannot establish an IPsec tunnel.

For security purposes, all keys, including keys configured in plain text, are saved in cipher text.

When you configure an IPsec policy or IPsec profile for an IPv6 protocol, follow these guidelines:

• The local inbound and outbound SAs must use the same key.

• The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by

protocols. For OSPF, the scope consists of OSPF neighbors or an OSPF area. For RIPng, the scope

consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP

peers or a BGP peer group.

Examples

# Configure the inbound and outbound SAs that use AH to use the plaintext keys abcdef and efcdab,

respectively.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef

[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab

# In an IPsec policy for an IPv6 routing protocol, configure the inbound and outbound SAs that use AH

to use the plaintext key abcdef.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef

[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple abcdef

Related commands

• display ipsec sa

• sa hex-key

security acl

Use security acl to reference an ACL for an IPsec policy or IPsec policy template.

Use undo security acl to remove the ACL referenced by an IPsec policy or IPsec policy template.

Syntax

security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]

undo security acl

Default

An IPsec policy or IPsec policy template references no ACL.