3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

IPsec Configuration Commands 393
For an IPsec policy in isakmp mode, the SA parameters do not need to be set
manually, and this command is invalid. IKE automatically negotiates the SA
parameters and establishes an SA.
When configuring an SA in manual mode, the SA parameters for the inbound and
outbound directions must be set separately.
The SA parameters set at the two ends of the security tunnel must match exactly.
The SPI and key of the inbound SA at the local end must be the same as those of
the outbound SA at the remote end. The SPI and key of the outbound SA at the
local end must be the same as those of the inbound SA at the remote end.
There are two methods for inputting the key: hex and character string. To input a
hexadecimal key, use the sa authentication-hex command. If both a character
string key and a hex key are set, the one set last is adopted. At both ends of a
security tunnel, the key must be input by the same method. If the key is input as
a character string at one end and in hex at the other end, the security tunnel
cannot be set up correctly.
Related commands: ipsec policy (system view), ipsec policy (interface view),
security acl, tunnel local, tunnel remote, sa duration, proposal.
Example
# Set the SPI of the inbound SA to 10000 and its key string to abcdef, and set the
SPI of the outbound SA to 20000 and its key string to efcdab, in an IPsec policy
using AH and MD5.
[SecBlade_VPN] ipsec proposal prop_ah
[SecBlade_VPN-ipsec-proposal-prop_ah] transform ah
[SecBlade_VPN-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[SecBlade_VPN-ipsec-proposal-prop_ah] quit
[SecBlade_VPN] ipsec policy tianjin 100 manual
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] proposal prop_ah
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa string-key abcdef
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa string-key efcdab
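The mirroring rule described above can be checked offline before a manual-mode tunnel is brought up. The following Python sketch is an added example, not part of the 3Com guide: the function names and the two remote-end configurations are constructed for illustration, and it assumes that a key line applies to the direction of the preceding sa spi line, as laid out in the example above.

```python
import re

PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # strips a "[SecBlade_VPN-...]" prompt

def parse_manual_sa(config):
    """Return {direction: {"spi", "key", "method"}} from manual-mode sa lines."""
    sas, current = {}, None
    for raw in config.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if len(words) < 3 or words[0] != "sa":
            continue
        # Assumption: a key line without a direction belongs to the last "sa spi".
        current = next((w for w in words[2:-1] if w in ("inbound", "outbound")), current)
        if current is None:
            continue
        entry = sas.setdefault(current, {})
        if words[1] == "spi":
            entry["spi"] = int(words[-1])
        elif words[1] in ("string-key", "authentication-hex"):
            # The key set last replaces an earlier one, as the text states.
            entry["key"] = words[-1]
            entry["method"] = "string" if words[1] == "string-key" else "hex"
    return sas

def check_tunnel(local, remote):
    """Compare local inbound with remote outbound and vice versa; keys are not echoed."""
    problems = []
    for here, there in (("inbound", "outbound"), ("outbound", "inbound")):
        a, b = local.get(here, {}), remote.get(there, {})
        for field in ("spi", "method", "key"):
            if field not in a or field not in b:
                problems.append(f"local {here} / remote {there}: {field} missing")
            elif a[field] != b[field]:
                problems.append(f"local {here} / remote {there}: {field} mismatch")
    return problems

# Local end: the policy lines from the example above.
LOCAL = """\
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa string-key abcdef
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa string-key efcdab
"""
# Constructed remote ends: a correct mirror, and one with a key entered in hex.
REMOTE_OK = "sa spi inbound ah 20000\nsa string-key efcdab\nsa spi outbound ah 10000\nsa string-key abcdef"
REMOTE_HEX = "sa spi inbound ah 20000\nsa authentication-hex 656663646162\nsa spi outbound ah 10000\nsa string-key abcdef"

if __name__ == "__main__":
    for name, remote in (("mirrored", REMOTE_OK), ("hex at one end", REMOTE_HEX)):
        print(name, check_tunnel(parse_manual_sa(LOCAL), parse_manual_sa(remote)))
```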
security acl
Syntax
security acl acl-number
undo security acl
View
IPsec policy view, IPsec policy template view
Parameter
acl-number: Specifies the number of the access control list used by the IPsec policy,
in the range 3000 to 3999.
Description
Use the security acl command to set an access control list to be used by the IPsec
policy.