R0106-HP MSR Router Series Security Command Reference(V7)
343
When you configure an IPsec policy or IPsec profile for an IPv6 routing protocol, follow these guidelines:
• The local inbound and outbound SAs must use the same SPI.
• The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by
protocols. For OSPF, the scope consists of OSPF neighbors or an OSPF area. For RIPng, the scope
consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP
peers or a BGP peer group.
Examples
# Set the SPI for the inbound SA to 10000 and the SPI for the outbound SA to 20000 in a manual IPsec
policy.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000
[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 20000
Related commands
display ipsec sa
sa string-key
Use sa string-key to set a key string (a key in character format) for manual IPsec SAs.
Use undo sa string-key to remove the key string.
Syntax
sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string-key
undo sa string-key { inbound | outbound } { ah | esp }
Default
No key string is configured for IPsec SAs.
Views
IPsec policy view, IPsec profile view
Predefined user roles
network-admin
Parameters
inbound: Sets a key string for inbound IPsec SAs.
outbound: Sets a key string for outbound IPsec SAs.
ah: Uses AH.
esp: Uses ESP.
cipher: Sets a ciphertext key.
simple: Sets a plaintext key.
key-value: Specifies a case-sensitive key string. If cipher is specified, it must be a string of 1 to 373
characters. If simple is specified, it must be a string of 1 to 255 characters. Using this key string, the
system automatically generates keys that meet the algorithm requirements. When the protocol is ESP, the
system generates the keys for the authentication algorithm and encryption algorithm respectively.