Step 7: Configure keys for the SA.

Command:
• Configure an authentication key in hexadecimal for AH:
  sa authentication-hex { inbound | outbound } ah [ cipher string-key | simple hex-key ]
• Configure an authentication key in characters for AH:
  sa string-key { inbound | outbound } ah [ cipher | simple ] string-key
• Configure a key in characters for ESP:
  sa string-key { inbound | outbound } esp [ cipher | simple ] string-key
• Configure an authentication key in hexadecimal for ESP:
  sa authentication-hex { inbound | outbound } esp [ cipher string-key | simple hex-key ]
• Configure an encryption key in hexadecimal for ESP:
  sa encryption-hex { inbound | outbound } esp [ cipher string-key | simple hex-key ]

Remarks:
Configure keys properly for the security protocol (AH or ESP) you have specified.
If you configure a key in two modes (in characters and in hexadecimal), only the last configured one will be used.
If you configure a key in characters for ESP, the device automatically generates an authentication key and an encryption key for ESP.
The sa string-key command is not supported in FIPS mode.
NOTE:
You cannot change the creation mode of an IPsec policy from manual to through IKE, or vice versa. To
create an IPsec policy that uses IKE, delete the manual IPsec policy, and then use IKE to configure an IPsec
policy.
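The key rules in the remarks above (last configured form wins, an ESP string key stands in for both ESP keys, and the local and remote ends must match) are easy to get wrong when two devices are configured by hand. The following checker is an added example, not code from the configuration guide: it parses the sa authentication-hex, sa encryption-hex and sa string-key commands shown in step 7 from two constructed peer configurations ("peer A" and "peer B") and reports inbound SAs whose keys do not mirror the peer's outbound SA, plus ESP SAs in hexadecimal mode that lack one of the two keys.

```python
import re
# Added example, not from the configuration guide: a checker for the manual-SA key
# commands shown above. The "peer A" / "peer B" sample configs below are constructed.
SA_KEY_RE = re.compile(
    r"^sa (?P<kind>authentication-hex|encryption-hex|string-key) "
    r"(?P<dir>inbound|outbound) (?P<proto>ah|esp) (?:cipher|simple) (?P<key>\S+)$"
)

def parse_sa_keys(config_lines):
    """Map (direction, protocol) -> keys in force, applying the guide's rules."""
    keys = {}
    for line in config_lines:
        m = SA_KEY_RE.match(line.strip())
        if not m:
            continue  # not an SA key command; other config lines are ignored
        slot = keys.setdefault((m["dir"], m["proto"]), {})
        if m["kind"] == "string-key":
            # String key replaces earlier hex keys (for ESP the device derives both keys from it)
            slot.clear()
            slot.update(mode="string", key=m["key"])
        else:
            if slot.get("mode") == "string":
                slot.clear()  # last configured mode wins, so drop the string key
            slot["mode"] = "hex"
            slot["auth" if m["kind"] == "authentication-hex" else "enc"] = m["key"]
    return keys

def check_peers(local, remote):
    """Findings for the local side: each local SA must carry the same keys as the
    remote SA in the opposite direction, and ESP in hex mode needs both keys."""
    findings = []
    for (direction, proto), slot in sorted(local.items()):
        mirror = "outbound" if direction == "inbound" else "inbound"
        if remote.get((mirror, proto)) != slot:
            findings.append(f"{proto} {direction}: keys do not mirror the peer's {mirror} SA")
        if proto == "esp" and slot["mode"] == "hex" and not (slot.get("auth") and slot.get("enc")):
            findings.append(f"{proto} {direction}: hex mode needs authentication-hex and encryption-hex")
    return findings

# Constructed sample: peer B is missing the outbound ESP encryption key.
PEER_A = [
    "sa authentication-hex inbound esp simple 1234567890abcdef1234567890abcdef",
    "sa encryption-hex inbound esp simple abcdef0123456789",
    "sa string-key outbound esp simple abc123",
]
PEER_B = [
    "sa string-key inbound esp simple abc123",
    "sa authentication-hex outbound esp simple 1234567890abcdef1234567890abcdef",
]
```

Run check_peers(parse_sa_keys(PEER_A), parse_sa_keys(PEER_B)) and the reverse call to audit both sides; with the sample above, peer A's inbound ESP SA is reported because peer B's outbound ESP SA has only an authentication key.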
Configuring an IPsec policy that uses IKE (available only in FIPS mode)
To configure an IPsec policy that uses IKE, configure its parameters directly in IPsec policy view.
Before you configure an IPsec policy that uses IKE, configure the ACLs and the IKE peer for the IPsec
policy.
The parameters for the local and remote ends must match.
When you configure an IPsec policy that uses IKE, follow these guidelines:
• An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the last one takes effect.
• With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec proposals. During negotiation, IKE searches for a fully matched IPsec proposal at the two ends of the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to be protected will be dropped.
• During IKE negotiation for an IPsec policy with PFS enabled, an additional key exchange is performed. If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same Diffie-Hellman (DH) group; otherwise, the negotiation will fail.