R0106-HP MSR Router Series Security Command Reference(V7)

Examples
# Set the SA lifetime for the IPsec policy policy1 to 7200 seconds.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200
# Set the SA lifetime for the IPsec policy policy1 to 20 MB. The IPsec SA expires after transmitting 20480
bytes.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480
Related commands
display ipsec sa
ipsec sa global-duration
sa hex-key authentication
Use sa hex-key authentication to configure a hexadecimal authentication key for manual IPsec SAs.
Use undo sa hex-key authentication to remove the hexadecimal authentication key.
Syntax
sa hex-key authentication { inbound | outbound } { ah | esp } { cipher | simple } key-value
undo sa hex-key authentication { inbound | outbound } { ah | esp }
Default
No authentication key is configured for manual IPsec SAs.
Views
IPsec policy view, IPsec profile view
Predefined user roles
network-admin
Parameters
inbound: Specifies a hexadecimal authentication key for inbound SAs.
outbound: Specifies a hexadecimal authentication key for outbound SAs.
ah: Uses AH.
esp: Uses ESP.
cipher key-value: Sets a ciphertext authentication key, a case-sensitive string of 1 to 85 characters.
simple key-value: Sets a plaintext authentication key. The key-value argument is case insensitive and must
be a 16-byte hexadecimal string for HMAC-MD5, and a 20-byte hexadecimal string for HMAC-SHA1.
Usage guidelines
This command applies only to manual IPsec policies and IPsec profiles.
You must set an authentication key for both the inbound and outbound SAs.
The local inbound SA must use the same authentication key as the remote outbound SA, and the local
outbound SA must use the same authentication key as the remote inbound SA.
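The following is an added example, not part of the HP reference: a pre-deployment check over planned `sa hex-key authentication` lines for two peers, applying the key-length and inbound/outbound mirroring rules above. The function names, sample configurations, and key values are constructed for illustration, and the authentication algorithm is passed in as an assumption because it is not set by this command.

```python
import re

# Key sizes in bytes for "simple" keys, from the parameter description above.
KEY_BYTES = {"hmac-md5": 16, "hmac-sha1": 20}
LINE = re.compile(r"^\s*sa hex-key authentication (inbound|outbound) (ah|esp) "
                  r"(cipher|simple) (\S+)\s*$", re.M)

def parse(config):
    """Map (direction, protocol) -> (mode, key) for one policy's config text."""
    return {(d, p): (m, k) for d, p, m, k in LINE.findall(config)}

def audit(local_cfg, remote_cfg, algorithm, protocol="esp"):
    """Return a list of findings; an empty list means the pair is consistent."""
    hex_len = 2 * KEY_BYTES[algorithm]          # two hex digits per byte
    local, remote = parse(local_cfg), parse(remote_cfg)
    findings = []
    for name, keys in (("local", local), ("remote", remote)):
        for direction in ("inbound", "outbound"):
            entry = keys.get((direction, protocol))
            if entry is None:                   # both directions are mandatory
                findings.append(f"{name}: no {direction} {protocol} key")
            elif entry[0] == "simple" and not re.fullmatch(
                    rf"[0-9a-fA-F]{{{hex_len}}}", entry[1]):
                findings.append(f"{name}: {direction} {protocol} key is not "
                                f"{hex_len} hex digits for {algorithm}")
    # Local inbound must equal remote outbound, and local outbound remote inbound.
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        mine_key, their_key = local.get((mine, protocol)), remote.get((theirs, protocol))
        # Ciphertext keys are skipped: only plaintext values are compared here.
        if (mine_key and their_key and mine_key[0] == their_key[0] == "simple"
                and mine_key[1].lower() != their_key[1].lower()):
            findings.append(f"local {mine} key differs from remote {theirs} key")
    return findings

# Constructed sample configurations (keys are made-up test values).
LOCAL = """
 sa hex-key authentication inbound esp simple 00112233445566778899aabbccddeeff
 sa hex-key authentication outbound esp simple ffeeddccbbaa99887766554433221100
"""
REMOTE_OK = """
 sa hex-key authentication inbound esp simple FFEEDDCCBBAA99887766554433221100
 sa hex-key authentication outbound esp simple 00112233445566778899AABBCCDDEEFF
"""
REMOTE_BAD = """
 sa hex-key authentication inbound esp simple 00112233445566778899aabbccddeeff
"""

if __name__ == "__main__":
    for label, remote in (("ok", REMOTE_OK), ("bad", REMOTE_BAD)):
        print(label, audit(LOCAL, remote, "hmac-md5"))
```

Keys are compared case-insensitively, matching the description of the `simple` key-value argument.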