3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

392 CHAPTER 22: IPSEC CONFIGURATION COMMANDS
Related command: ipsec policy (system view), ipsec policy (interface view),
security acl, tunnel local, tunnel remote, sa duration and proposal.
Example
# Set the SPI of the inbound SA to 10000 and the SPI of the outbound SA to
20000 in the IPsec policy using AH and MD5.
[SecBlade_VPN] ipsec proposal prop_ah
[SecBlade_VPN-ipsec-proposal-prop_ah] transform ah
[SecBlade_VPN-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[SecBlade_VPN-ipsec-proposal-prop_ah] quit
[SecBlade_VPN] ipsec policy tianjin 100 manual
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] proposal prop_ah
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
sa string-key
Syntax
sa string-key { inbound | outbound } { ah | esp } string-key
undo sa string-key { inbound | outbound } { ah | esp }
View
Manually-established IPsec policy view
Parameter
inbound: Sets the string-key parameter for the inbound SA. IPsec uses the
inbound SA for processing the packet in the inbound direction (received).
outbound: Sets the string-key parameter for the outbound SA. IPsec uses the
outbound SA for processing the packet in the outbound direction (sent).
ah: Sets the string-key parameter for the SA using AH. If the IPsec proposal set
used by the IPsec policy adopts AH, use the ah keyword here to set the
string-key parameter of the SA.
esp: Sets the string-key parameter for the SA using ESP. If the IPsec proposal set
used by the IPsec policy adopts ESP, use the esp keyword here to set the
string-key parameter of the SA.
string-key: Specifies the key for an SA, entered as a character string with a
length ranging from 1 to 256 characters. For different algorithms, you can input
character strings of any length in the specified range, and the system will
automatically generate keys that meet the algorithm requirements from the input
character strings. For ESP, the system automatically generates the key for the
authentication algorithm and the key for the encryption algorithm at the same time.
Description
Use the sa string-key command to manually set the SA parameter for an IPsec
policy in manual mode.
Use the undo sa string-key command to delete the SA parameter already set.
This command applies only to IPsec policies in manual mode. It sets the SA
parameter manually so that an SA is established manually.
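Added example (not from the 3Com guide): an SA is unidirectional, so the SPI and
key of one end's inbound SA must equal those of the peer's outbound SA, and vice
versa. The Python script below checks the sa spi and sa string-key lines of two
peers for that symmetry; it assumes key strings without spaces, and peer B's
lines and all key strings are constructed.

```python
import re

# Matches the two manual-SA commands shown in this guide, with or without
# the CLI prompt in front. Assumes the key string contains no spaces.
SA_LINE = re.compile(
    r"^(?:\[[^\]]*\]\s*)?sa (spi|string-key) (inbound|outbound) (ah|esp) (\S+)$")
MIRROR = {"inbound": "outbound", "outbound": "inbound"}

def parse_sas(text):
    """Return {(direction, protocol): {"spi": ..., "string-key": ...}}."""
    sas = {}
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            kind, direction, proto, value = m.groups()
            sas.setdefault((direction, proto), {})[kind] = value
    return sas

def check_pair(local, remote):
    """Compare each local SA with the peer's SA in the opposite direction.

    Key values are never echoed into the findings."""
    findings = []
    peer_sas = parse_sas(remote)
    for (direction, proto), params in sorted(parse_sas(local).items()):
        other = MIRROR[direction]
        peer = peer_sas.get((other, proto))
        if peer is None:
            findings.append(f"{direction} {proto}: peer has no {other} SA")
            continue
        for kind in ("spi", "string-key"):
            if params.get(kind) != peer.get(kind):
                findings.append(f"{direction} {proto}: {kind} differs from peer {other}")
    return findings

# Constructed sample sessions; the key strings are placeholders.
PEER_A = """\
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa string-key inbound ah example-key-1
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa string-key outbound ah example-key-2
"""
PEER_B = """\
sa spi inbound ah 20000
sa spi outbound ah 10000
sa string-key inbound ah example-key-2
sa string-key outbound ah example-key-X
"""

if __name__ == "__main__":
    for finding in check_pair(PEER_A, PEER_B):
        print(finding)
```

Run check_pair in both directions to also catch SAs that exist only on the peer.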