3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide
390 CHAPTER 22: IPSEC CONFIGURATION COMMANDS
View
Manually-established IPsec policy view
Parameter
inbound: Sets the encryption-hex parameter for the inbound SA. IPsec uses the
inbound SA for processing the packet in the inbound direction (received).
outbound: Sets the encryption-hex parameter for the outbound SA. IPsec uses the
outbound SA for processing the packet in the outbound direction (sent).
esp: Sets the encryption-hex parameter for the SA using ESP. If the IPsec
proposal used by the IPsec policy adopts ESP, the esp keyword is used here to set
the ESP-relevant parameter of the SA.
hex-key: Specifies a key for the SA, input in hex format. When applied in ESP, if
DES is used, input an 8-byte key; if 3DES is used, input a 24-byte key.
Description
Use the sa encryption-hex command to set the SA encryption key manually for
the IPsec policy of manual mode.
Use the undo sa encryption-hex command to delete the SA parameter already
set.
This command is only used for the IPsec policy in manual mode. It is used to set
the SA parameter manually and establish an SA manually.
For the IPsec policy in isakmp mode, it is unnecessary to set the SA parameter
manually, and this command is invalid. IKE will automatically negotiate the SA
parameter and establish an SA.
When configuring the SA of manual mode, the SA parameters of inbound and
outbound directions must be set separately.
The SA parameters set at both ends of the security tunnel must match exactly.
The SPI and key of the inbound SA at the local end must be the same as those of
the outbound SA at the remote end. The SPI and key of the outbound SA at the
local end must be the same as those of the inbound SA at the remote end.
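The key-length and mirroring rules above can be checked offline before a manual-mode tunnel is brought up. The following Python sketch is an added example, not part of the 3Com guide; the function names parse_manual_sa and audit_pair are hypothetical, and it assumes each end's policy is available as text containing its sa spi and sa encryption-hex lines.

```python
import re

KEY_BYTES = {"des": 8, "3des": 24}  # ESP key sizes from the hex-key description
SA_LINE = re.compile(
    r"sa[ \t]+(spi|encryption-hex)[ \t]+(inbound|outbound)[ \t]+esp[ \t]+(\S+)")

def parse_manual_sa(config_text):
    """Return {direction: {"spi": int, "key": str}} read from CLI lines."""
    sa = {"inbound": {}, "outbound": {}}
    for kind, direction, value in SA_LINE.findall(config_text):
        if kind == "encryption-hex":
            sa[direction]["key"] = value.lower()
        elif value.isdigit():  # a non-numeric SPI is left unset and reported
            sa[direction]["spi"] = int(value)
    return sa

def audit_pair(local_text, remote_text, algorithm):
    """Return a list of findings; an empty list means the two ends agree."""
    findings, hex_len = [], 2 * KEY_BYTES[algorithm]
    local, remote = parse_manual_sa(local_text), parse_manual_sa(remote_text)
    for end, sa in (("local", local), ("remote", remote)):
        for direction, params in sa.items():
            key = params.get("key", "")
            if "spi" not in params or not key:
                findings.append(f"{end} {direction}: SPI or key not set")
            elif not re.fullmatch(r"[0-9a-f]{%d}" % hex_len, key):
                findings.append(f"{end} {direction}: key is not {hex_len // 2} hex bytes")
    # The local inbound SA must mirror the remote outbound SA, and vice versa.
    for a, b in (("inbound", "outbound"), ("outbound", "inbound")):
        if local[a] and remote[b] and local[a] != remote[b]:
            findings.append(f"local {a} SA does not match remote {b} SA")
    return findings

# Constructed sample input: LOCAL uses the values from this page's example,
# REMOTE is the mirrored configuration expected on the peer.
LOCAL = ("sa spi inbound esp 10000\n"
         "sa encryption-hex inbound esp 1234567890abcdef\n"
         "sa spi outbound esp 20000\n"
         "sa encryption-hex outbound esp abcdefabcdef1234\n")
REMOTE = ("sa spi inbound esp 20000\n"
          "sa encryption-hex inbound esp abcdefabcdef1234\n"
          "sa spi outbound esp 10000\n"
          "sa encryption-hex outbound esp 1234567890abcdef\n")

if __name__ == "__main__":
    print(audit_pair(LOCAL, REMOTE, "des") or "consistent")
```

The findings name only the end and direction at fault, so the output can be logged without exposing key material.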
Related command: ipsec policy (system view), ipsec policy (interface view),
security acl, tunnel local, tunnel remote, sa duration and proposal.
Example
# Set the SPI of the inbound SA to 10000, and the key to 0x1234567890abcdef;
set the SPI of the outbound SA to 20000, and its key to 0xabcdefabcdef1234 in
the IPsec policy using ESP and DES.
[SecBlade_VPN] ipsec proposal prop_esp
[SecBlade_VPN-ipsec-proposal-prop_esp] transform esp
[SecBlade_VPN-ipsec-proposal-prop_esp] esp encryption-algorithm des
[SecBlade_VPN-ipsec-proposal-prop_esp] quit
[SecBlade_VPN] ipsec policy tianjin 100 manual
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] proposal prop_esp
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi inbound esp 10000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa encryption-hex inbound esp