3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

IPsec Configuration Commands
1234567890abcdef
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi outbound esp 2001
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa encryption-hex outbound esp abcdefabcdef1234
sa spi
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
View
Manually-established IPsec policy view
Parameter
inbound: Sets the SPI parameter for the inbound SA. IPsec uses the inbound SA
to process packets in the inbound direction (received).
outbound: Sets the SPI parameter for the outbound SA. IPsec uses the outbound SA
to process packets in the outbound direction (sent).
ah: Sets the SPI parameter for the SA using AH. If the IPsec proposal set used by
the IPsec policy adopts AH, the ah keyword is used here to set the SPI-related
parameter of the SA.
esp: Sets the SPI parameter for the SA using ESP. If the IPsec proposal set used by
the IPsec policy adopts ESP, the esp keyword is used here to set the SPI-related
parameter of the SA.
spi-number: Security Parameter Index (SPI) in the triplet identification of the SA,
ranging from 256 to 4294967295. The triplet identification of the SA, which consists
of the SPI, destination address, and protocol number, must be unique.
Description
Use the sa spi command to set the SA SPI manually for an IPsec policy in manual
mode.
Use the undo sa spi command to delete the SA SPI already set.
This command is only used for an IPsec policy in manual mode. It is used to set
the SA parameter manually and establish an SA manually.
For an IPsec policy in isakmp mode, it is unnecessary to set the SA parameter
manually, and this command is invalid. IKE automatically negotiates the SA
parameter and establishes an SA.
When configuring an SA in manual mode, the SA parameters of the inbound and
outbound directions must be set separately.
The SA parameters set at both ends of the security tunnel must match exactly.
The SPI and key of the inbound SA at the local end must be the same as those of
the outbound SA at the remote end. The SPI and key of the outbound SA at the
local end must be the same as those of the inbound SA at the remote end.
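
The following check is an added example, not part of the 3Com guide or the device software. It reads the sa spi lines from the configuration of each tunnel end and reports SPIs outside the documented range, directions left unset, and inbound/outbound pairs that do not mirror each other. The function names and the sample configurations are constructed for illustration.

```python
import re

SPI_MIN, SPI_MAX = 256, 4294967295  # range the guide gives for spi-number
# Matches "sa spi { inbound | outbound } { ah | esp } spi-number",
# with or without a leading "[...]" CLI prompt.
SA_SPI = re.compile(r"^\s*(?:\[[^\]]*\]\s*)?sa spi (inbound|outbound) (ah|esp) (\d+)\s*$")

def parse_spis(config_text):
    """Return {(direction, protocol): spi} from the 'sa spi' lines of one device."""
    spis = {}
    for line in config_text.splitlines():
        m = SA_SPI.match(line)
        if m:
            spis[(m.group(1), m.group(2))] = int(m.group(3))
    return spis

def check_manual_sa(local_text, remote_text):
    """List problems in a pair of manual-mode SA configurations (empty list = consistent)."""
    local, remote = parse_spis(local_text), parse_spis(remote_text)
    problems = []
    for name, spis in (("local", local), ("remote", remote)):
        for (direction, proto), spi in sorted(spis.items()):
            if not SPI_MIN <= spi <= SPI_MAX:
                problems.append(f"{name} {direction} {proto}: SPI {spi} out of range")
            other = "outbound" if direction == "inbound" else "inbound"
            if (other, proto) not in spis:  # both directions must be set separately
                problems.append(f"{name} {proto}: {other} SPI not set")
    # Local inbound must equal remote outbound, and local outbound remote inbound.
    for proto in sorted({p for _, p in list(local) + list(remote)}):
        for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
            a, b = local.get((mine, proto)), remote.get((theirs, proto))
            if a != b:
                problems.append(f"{proto}: local {mine} SPI {a} != remote {theirs} SPI {b}")
    return problems

# Constructed sample configurations (not taken from a real device).
LOCAL = "sa spi outbound esp 2001\nsa spi inbound esp 1001\n"
REMOTE_OK = "sa spi outbound esp 1001\nsa spi inbound esp 2001\n"
# Outbound copied unchanged from the local end, and an inbound SPI below 256.
REMOTE_BAD = "sa spi outbound esp 2001\nsa spi inbound esp 100\n"

if __name__ == "__main__":
    for problem in check_manual_sa(LOCAL, REMOTE_BAD):
        print(problem)
```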