3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide
388 CHAPTER 22: IPSEC CONFIGURATION COMMANDS
Description
Use the sa authentication-hex command to set the SA authentication key
manually for the IPsec policy of manual mode.
Use the undo sa authentication-hex command to delete the SA authentication
key already set.
This command is only used for the IPsec policy in manual mode.
For the IPsec policy in isakmp mode, it is unnecessary to set the SA parameters
manually. IKE automatically negotiates the SA parameters and establishes an SA.
When configuring an SA in manual mode, the SA parameters for the inbound and
outbound directions must be set separately.
The SA parameters set at both ends of the security tunnel must match fully.
The SPI and key of the inbound SA at the local end must be the same as those of
the outbound SA at the remote end. The SPI and key of the outbound SA at the
local end must be the same as those of the inbound SA at the remote end.
There are two methods for inputting the key: hex and character string. If both a
character string key and a hex key are set, the one set last is used. At both
ends of a security tunnel, the key must be input by the same method. If the key
is input as a character string at one end and in hex at the other end, the
security tunnel cannot be set up correctly.
Related commands: ipsec policy (system view), ipsec policy (interface view),
security acl, tunnel local, tunnel remote, sa duration, and proposal.
Example
# Set the SPI of the inbound SA to 10000 and its key to
0x112233445566778899aabbccddeeff00; set the SPI of the outbound SA to
20000 and its key to 0xaabbccddeeff001100aabbccddeeff00, in an IPsec policy
using AH and MD5.
[SecBlade_VPN] ipsec proposal prop_ah
[SecBlade_VPN-ipsec-proposal-prop_ah] transform ah
[SecBlade_VPN-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[SecBlade_VPN-ipsec-proposal-prop_ah] quit
[SecBlade_VPN] ipsec policy tianjin 100 manual
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] proposal prop_ah
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa authentication-hex inbound ah 112233445566778899aabbccddeeff00
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00
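The mirroring rule in the description (local inbound must equal remote outbound, with the same key input method at both ends) can be checked offline before a manual-mode tunnel is brought up. The following is an added example, not part of the guide: the function names are hypothetical, LOCAL repeats the commands above, and REMOTE is a peer configuration constructed for illustration.

```python
import re

# Matches "sa <keyword> <direction> <protocol> <value>", with or without a CLI prompt.
SA_LINE = re.compile(r"^(?:\[[^\]]*\]\s*)?sa\s+(\S+)\s+(inbound|outbound)\s+(ah|esp)\s+(\S+)\s*$")

def parse_manual_sa(config):
    """Return {(direction, protocol): {"spi": int, "key": (method, value)}}."""
    sas = {}
    for line in config.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        keyword, direction, proto, value = m.groups()
        entry = sas.setdefault((direction, proto), {})
        if keyword == "spi":
            entry["spi"] = int(value)
        else:  # any other keyword sets the key; the key set last is the one kept
            entry["key"] = (keyword, value.lower() if keyword.endswith("-hex") else value)
    return sas

def check_tunnel(local, remote):
    """List mismatches between each local SA and the mirrored SA at the remote end."""
    a, b = parse_manual_sa(local), parse_manual_sa(remote)
    mirror = {"inbound": "outbound", "outbound": "inbound"}
    problems = []
    for (direction, proto), sa in sorted(a.items()):
        peer = b.get((mirror[direction], proto), {})
        where = f"local {direction} {proto}"
        if sa.get("spi") is None or sa.get("spi") != peer.get("spi"):
            problems.append(f"{where}: SPI mismatch")
        lk, rk = sa.get("key"), peer.get("key")
        if lk is None or rk is None:
            problems.append(f"{where}: key missing")
        elif lk[0] != rk[0]:
            problems.append(f"{where}: key input method differs")
        elif lk[1] != rk[1]:
            problems.append(f"{where}: key mismatch")
    return problems

# Local end: the SA commands from the example above (wrapped lines joined).
LOCAL = """sa spi inbound ah 10000
sa authentication-hex inbound ah 112233445566778899aabbccddeeff00
sa spi outbound ah 20000
sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00"""
# Remote end: constructed for this example as the mirror of the local end.
REMOTE = """sa spi inbound ah 20000
sa authentication-hex inbound ah aabbccddeeff001100aabbccddeeff00
sa spi outbound ah 10000
sa authentication-hex outbound ah 112233445566778899aabbccddeeff00"""
```

Calling check_tunnel(LOCAL, REMOTE) returns an empty list when the two ends mirror each other; each returned string names the local SA whose remote counterpart differs.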
sa duration
Syntax
sa duration { traffic-based kilobytes | time-based seconds }
undo sa duration { traffic-based | time-based }
View
IPsec policy view, IPsec policy template view