Step 8. Configure keys for the IPsec SA.

Command:
• Configure an authentication key in hexadecimal format for AH:
  sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value
• Configure an authentication key in character format for AH:
  sa string-key { inbound | outbound } ah { cipher | simple } key-value
• Configure a key in character format for ESP:
  sa string-key { inbound | outbound } esp { cipher | simple } key-value
• Configure an authentication key in hexadecimal format for ESP:
  sa hex-key authentication { inbound | outbound } esp { cipher | simple } key-value
• Configure an encryption key in hexadecimal format for ESP:
  sa hex-key encryption { inbound | outbound } esp { cipher | simple } key-value

Remarks:
By default, no keys are configured for the IPsec SA.
Configure keys correctly for the security protocol (AH, ESP, or both) you have specified in the IPsec transform set used by the IPsec policy.
If you configure a key in both the character and the hexadecimal formats, only the most recent configuration takes effect.
If you configure a key in character format for ESP, the device automatically generates an authentication key and an encryption key for ESP.
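The remarks above state three rules that are easy to get wrong when a manual SA is typed by hand: every protocol in the transform set needs keys in both directions, a character-format key and a hexadecimal key cannot coexist (the most recent one wins), and a character key for ESP stands in for both the authentication and the encryption key. The following added example (not device code, and not from the guide) parses the five `sa` key command forms from the table and reports what is missing. It assumes, as a simplification of the "most recent configuration takes effect" rule, that a key entered in one format replaces everything the other format had set for the same protocol and direction; the sample configuration lines are constructed.

```python
"""Checker for the manual IPsec SA key step above (added example, not device code)."""
import re

# One regex for the five command forms in the table: key form (hex-key authentication,
# hex-key encryption or string-key), direction, protocol, simple/cipher and the value.
SA_KEY_RE = re.compile(
    r"^\s*sa\s+(?P<form>hex-key\s+(?:authentication|encryption)|string-key)\s+"
    r"(?P<direction>inbound|outbound)\s+(?P<proto>ah|esp)\s+"
    r"(?P<text>cipher|simple)\s+(?P<value>\S+)\s*$"
)


def parse_sa_keys(config_lines):
    """Return {(proto, direction): {kind: value}} with kind in
    'string', 'authentication', 'encryption'.
    Assumption (simplified 'most recent wins'): a key entered in one format
    discards what the other format had set for that protocol and direction."""
    keys = {}
    for line in config_lines:
        m = SA_KEY_RE.match(line)
        if not m:
            continue  # not one of the sa key commands
        slot = keys.setdefault((m["proto"], m["direction"]), {})
        if m["form"] == "string-key":
            slot.clear()                  # character format replaces hex keys
            slot["string"] = m["value"]
        else:
            slot.pop("string", None)      # hex format replaces the character key
            kind = "authentication" if m["form"].endswith("authentication") else "encryption"
            slot[kind] = m["value"]
    return keys


def bad_hex_values(config_lines):
    """Lines whose plaintext (simple) hex-key value is not hexadecimal.
    Cipher-text values are skipped: they are the device's encrypted form."""
    bad = []
    for line in config_lines:
        m = SA_KEY_RE.match(line)
        if m and m["form"].startswith("hex-key") and m["text"] == "simple":
            if not re.fullmatch(r"[0-9A-Fa-f]+", m["value"]):
                bad.append(line.strip())
    return bad


def missing_keys(keys, protocols):
    """Keys still required for the protocols ('ah', 'esp') of the transform set.
    AH needs an authentication key per direction; ESP needs authentication
    and encryption keys per direction, or one character key from which the
    device derives both."""
    problems = []
    for proto in sorted(protocols):
        needed = ("authentication",) if proto == "ah" else ("authentication", "encryption")
        for direction in ("inbound", "outbound"):
            slot = keys.get((proto, direction), {})
            if "string" in slot:
                continue
            for kind in needed:
                if kind not in slot:
                    problems.append(f"{proto} {direction}: missing {kind} key")
    return problems


def check_config(config_lines, protocols):
    """Combined report: malformed hex values first, then missing keys."""
    report = [f"not hexadecimal: {line}" for line in bad_hex_values(config_lines)]
    return report + missing_keys(parse_sa_keys(config_lines), protocols)


# Constructed sample: ESP-only manual SA with the outbound encryption key left out.
SAMPLE_CONFIG = [
    "sa string-key inbound esp simple abc123",
    "sa hex-key authentication outbound esp simple 1234567890abcdef",
]

if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONFIG, {"esp"}):
        print(problem)
```

Run against `SAMPLE_CONFIG` with an ESP transform set, the checker reports only the absent outbound encryption key; the inbound direction is covered by the character key alone. Adding `ah` to the protocol set also flags both AH authentication keys.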
Configuring an IKE-based IPsec policy
In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE.
To configure an IKE-based IPsec policy, use one of the following methods:
• Directly configure it by configuring the parameters in IPsec policy view.
• Configure it by using an existing IPsec policy template with the parameters to be negotiated configured.
  A device using an IPsec policy that is configured in this way cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator. When the remote end's information (such as the IP address) is unknown, this method allows the remote end to initiate negotiations with the local end.
Configuration restrictions and guidelines
When you configure an IKE-based IPsec policy, follow these restrictions and guidelines:
• The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
• The IPsec policies at the two tunnel ends must have the same IKE profile parameters.
• You can specify a maximum of six IPsec transform sets for an IKE-based IPsec policy. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.
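The first and third guidelines describe a matching problem: each end offers up to six transform sets, and an SA comes up only if one set at the local end fully matches one at the remote end on security protocols, algorithms, and encapsulation mode, otherwise traffic that should have been protected is dropped. The added example below models that check in Python; it is not device code and not from the guide. The transform-set names and algorithm keywords are constructed, and the assumption that the local end's list order decides which matching set is preferred is the example's own.

```python
"""Model of the transform-set matching rule above (added example, not device code)."""
from dataclasses import dataclass
from typing import Optional

MAX_TRANSFORM_SETS = 6  # limit stated in the guidelines


@dataclass(frozen=True)
class TransformSet:
    name: str                  # local name only; it plays no part in matching
    protocols: frozenset       # {"ah"}, {"esp"} or {"ah", "esp"}
    encapsulation: str         # "tunnel" or "transport"
    esp_encryption: Optional[str] = None
    esp_authentication: Optional[str] = None
    ah_authentication: Optional[str] = None

    def fingerprint(self):
        """The attributes that must be identical at both tunnel ends."""
        return (self.protocols, self.encapsulation, self.esp_encryption,
                self.esp_authentication, self.ah_authentication)


def within_limit(sets):
    """True when a policy references no more transform sets than allowed."""
    return len(sets) <= MAX_TRANSFORM_SETS


def negotiate(local_sets, remote_sets):
    """Return the fully matched (local, remote) pair, or None when no SA can
    be set up.  Assumption: the local list order is the proposal priority."""
    for sets in (local_sets, remote_sets):
        if not within_limit(sets):
            raise ValueError(f"at most {MAX_TRANSFORM_SETS} transform sets per IKE-based policy")
    remote_by_fp = {ts.fingerprint(): ts for ts in remote_sets}
    for ts in local_sets:
        match = remote_by_fp.get(ts.fingerprint())
        if match is not None:
            return ts, match
    return None


def packet_disposition(local_sets, remote_sets):
    """'protected' when an SA can be established, otherwise 'dropped'."""
    return "protected" if negotiate(local_sets, remote_sets) else "dropped"


# Constructed sample: the local end proposes ESP in transport and tunnel mode;
# the remote end accepts that ESP set only in tunnel mode, plus an AH-only set.
LOCAL = [
    TransformSet("tran1", frozenset({"esp"}), "transport", "aes-cbc-128", "sha1"),
    TransformSet("tran2", frozenset({"esp"}), "tunnel", "aes-cbc-128", "sha1"),
]
REMOTE = [
    TransformSet("peer-esp", frozenset({"esp"}), "tunnel", "aes-cbc-128", "sha1"),
    TransformSet("peer-ah", frozenset({"ah"}), "tunnel", ah_authentication="sha1"),
]

if __name__ == "__main__":
    result = negotiate(LOCAL, REMOTE)
    print(result and (result[0].name, result[1].name), packet_disposition(LOCAL, REMOTE))
```

With the sample lists, `tran1` fails on encapsulation mode and `tran2` matches `peer-esp`, so the SA is established; offering only `tran1` leaves no match and the traffic is dropped, which is the failure mode the third guideline warns about.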