260
Step Command
Remarks
8.
Configure keys for the
IPsec SA.
•
Configure an authentication
key in hexadecimal format for
AH:
sa hex-key authentication
{
inbound
|
outbound
}
ah
{
cipher
|
simple
}
key-value
•
Configure an authentication
key in character format for AH:
sa string-key
{
inbound
|
outbound
}
ah
{
cipher
|
simple
}
key-value
•
Configure a key in character
format for ESP:
sa string-key
{
inbound
|
outbound
}
esp
{
cipher
|
simple
}
key-value
•
Configure an authentication
key in hexadecimal format for
ESP:
sa hex-key authentication
{
inbound
|
outbound
}
esp
{
cipher
|
simple
}
key-value
•
Configure an encryption key in
hexadecimal format for ESP:
sa hex-key encryption
{
inbound
|
outbound
}
esp
{
cipher
|
simple
}
key-value
By default, no keys are configured for the
IPsec SA.
Configure keys correctly for the security
protocol (AH, ESP, or both) you have
specified in the IPsec transform set
referenced by the IPsec policy.
If you configure a key in both the
character and the hexadecimal formats,
only the most recent configuration takes
effect.
If you configure a key in character format
for ESP, the device automatically
generates an authentication key and an
encryption key for ESP.
Configuring an IKE-based IPsec policy
In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE.
To configure an IKE-based IPsec policy, use one of the following methods:
•
Directly configure it by configuring the parameters in IPsec policy view.
•
Configure it by referencing an existing IPsec policy template with the parameters to be negotiated
configured.
A device referencing an IPsec policy that is configured in this way cannot initiate an SA
negotiation, but it can respond to a negotiation request. The parameters not defined in the
template are determined by the initiator. When the remote end's information (such as the IP
address) is unknown, this method allows the remote end to initiate negotiations with the local end.
Configuration restrictions and guidelines
Make sure the IPsec configuration at the two ends of an IPsec tunnel meets the following requirements:
•
The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security
protocols, security algorithms, and encapsulation mode.
•
The IPsec policies at the two tunnel ends must have the same IKE profile parameters.
•
An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation,
IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match
is found, no SA can be set up, and the packets expecting to be protected will be dropped.