sa authentication-hex
Use sa authentication-hex to configure an authentication key for an SA.
Use undo sa authentication-hex to remove the configuration.
Syntax
sa authentication-hex { inbound | outbound } { ah | esp } [ cipher | simple ] hex-key
undo sa authentication-hex { inbound | outbound } { ah | esp }
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
cipher: Sets a ciphertext authentication key.
simple: Sets a plaintext authentication key.
hex-key: Specifies the key string. If cipher is specified, this argument is case sensitive and must be
a ciphertext string of 1 to 117 characters. If simple is specified, this argument is case insensitive and
must be a 16-byte hexadecimal string for MD5 or a 20-byte hexadecimal string for SHA-1. If neither
cipher nor simple is specified, you set a plaintext authentication key string.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text to the
configuration file.
Usage guidelines
This command applies only to manual IPsec policies.
When configuring a manual IPsec policy, you must set the parameters of both the inbound and
outbound SAs.
The authentication key for the inbound SA at the local end must be the same as that for the outbound
SA at the remote end, and the authentication key for the outbound SA at the local end must be the
same as that for the inbound SA at the remote end.
With an IPsec policy for an IPv6 routing protocol, the local SPI of the inbound SA and that of the
outbound SA must be identical.
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same
format (both in hexadecimal format or both in string format), and the keys must be specified in the
same format for both ends of the tunnel.
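
The key-length and mirroring rules above can be checked before the commands are entered on either device. The following Python sketch is an added example, not part of the command reference; the sample configurations and the names parse and check_pair are constructed for illustration. It compares only plaintext (simple) keys, because ciphertext strings cannot be length-checked or compared.

```python
import re

# Constructed sample input: the sa authentication-hex lines planned for each
# end of a manual IPsec policy (plaintext form, before the device encrypts them).
LOCAL = """\
sa authentication-hex inbound ah simple 112233445566778899aabbccddeeff00
sa authentication-hex outbound ah simple aabbccddeeff001100aabbccddeeff00
"""
REMOTE = """\
sa authentication-hex inbound ah simple AABBCCDDEEFF001100AABBCCDDEEFF00
sa authentication-hex outbound ah simple 112233445566778899aabbccddeeff01
"""

CMD = re.compile(r"^\s*sa authentication-hex (inbound|outbound) (ah|esp)"
                 r"(?: (cipher|simple))? (\S+)\s*$")
VALID_BYTES = {16: "MD5", 20: "SHA-1"}  # key lengths from the parameter text


def parse(config):
    """Return {(direction, protocol): (mode, key)} for each command line."""
    sas = {}
    for line in config.splitlines():
        m = CMD.match(line)
        if m:
            direction, proto, mode, key = m.groups()
            sas[(direction, proto)] = (mode or "simple", key)  # default is plaintext
    return sas


def check_pair(local_cfg, remote_cfg):
    """List problems with key format and inbound/outbound mirroring."""
    local, remote = parse(local_cfg), parse(remote_cfg)
    problems = []
    for name, sas in (("local", local), ("remote", remote)):
        for (direction, proto), (mode, key) in sas.items():
            if mode == "cipher":
                continue  # ciphertext cannot be length-checked or compared
            if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", key) or len(key) // 2 not in VALID_BYTES:
                problems.append(f"{name} {direction} {proto}: not a 16- or 20-byte hex key")
    for (direction, proto), (mode, key) in local.items():
        peer_dir = "outbound" if direction == "inbound" else "inbound"
        peer = remote.get((peer_dir, proto))
        if peer is None:
            problems.append(f"remote {peer_dir} {proto}: SA key missing")
        elif "cipher" in (mode, peer[0]):
            problems.append(f"local {direction} {proto}: cipher key, cannot compare")
        elif key.lower() != peer[1].lower():  # simple keys are case insensitive
            problems.append(f"local {direction} {proto} != remote {peer_dir} {proto}")
    return problems
```

With the constructed sample, check_pair(LOCAL, REMOTE) reports that the local inbound AH key does not match the remote outbound AH key, while the differently cased outbound/inbound pair is accepted.
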
Examples
# Configure the authentication keys of the inbound and outbound SAs that use AH as
0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 in plain text.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex inbound ah simple 112233445566778899aabbccddeeff00