- 10-Security Command Reference
07-IPsec Commands
ah authentication-algorithm
Syntax
ah authentication-algorithm { md5 | sha1 }
undo ah authentication-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
md5: Uses MD5.
sha1: Uses SHA1.
Description
Use ah authentication-algorithm to specify the authentication algorithm for the authentication header (AH) protocol.
Use undo ah authentication-algorithm to restore the default.
By default, MD5 is used.
You need to use the transform command to specify the security protocol as AH or both AH and ESP before specifying the authentication algorithm for AH.
Related commands: ipsec proposal and transform.
Examples
# Configure IPsec proposal prop1 to use AH and SHA1.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform ah
[Sysname-ipsec-proposal-prop1] ah authentication-algorithm sha1
display ipsec policy
Syntax
display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
brief: Displays brief information about all IPsec policies.
name: Displays detailed information about a specified IPsec policy or IPsec policy group.
policy-name: Name of the IPsec policy, a string of 1 to 15 characters.
seq-number: Sequence number of the IPsec policy, in the range of 1 to 65535.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ipsec policy to display information about IPsec policies.
· If you do not specify any keywords or parameters, the command displays detailed information about all IPsec policies.
· If you specify the name policy-name option but omit the seq-number argument, the command displays detailed information about the specified IPsec policy group.
Related commands: ipsec policy (system view).
Examples
# Display brief information about all IPsec policies.
<Sysname> display ipsec policy brief
IPsec-Policy-Name Mode acl ike-peer name Mapped Template
------------------------------------------------------------------------
policy1-1 manual
policy1-100 manual
policy1-200 manual
IPsec-Policy-Name Mode acl Local-Address Remote-Address
------------------------------------------------------------------------
policy1-1 manual
policy1-100 manual
policy1-200 manual
Table 1 Command output

Field | Description |
---|---|
IPsec-Policy-Name | Name and sequence number of the IPsec policy, separated by a hyphen |
Mode | Negotiation mode in the IPsec policy. It can only be manual mode on SR8800 routers. You must manually set up and maintain SAs. |
acl | Access control list (ACL) referenced by the IPsec policy |
ike-peer name | IKE peer name |
Mapped Template | Referenced IPsec policy template |
Local-Address | IP address of the local end |
Remote-Address | IP address of the remote end |
# Display detailed information about all IPsec policies.
<Sysname> display ipsec policy
===========================================
IPsec Policy Group: "policy1"
Interface:
===========================================
-----------------------------
IPsec policy name: "policy1"
sequence number: 1
mode: manual
-----------------------------
security data flow :
tunnel local address:
tunnel remote address:
proposal name:
inbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
inbound ESP setting:
ESP spi:
ESP string-key:
ESP encryption hex key:
ESP authentication hex key:
outbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
outbound ESP setting:
ESP spi:
ESP string-key:
ESP encryption hex key:
ESP authentication hex key:
Table 2 Command output

Field | Description |
---|---|
security data flow | ACL referenced by the IPsec policy. |
Interface | Interface to which the IPsec policy is applied. |
sequence number | Sequence number of the IPsec policy. |
mode | Negotiation mode in the IPsec policy. It can only be manual mode on SR8800 routers. You must manually set up and maintain SAs. |
proposal name | Proposal referenced by the IPsec policy. |
inbound/outbound AH/ESP setting | AH/ESP settings in the inbound/outbound direction, including the SPI and keys. |
display ipsec proposal
Syntax
display ipsec proposal [ proposal-name ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
proposal-name: Name of a proposal, a string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ipsec proposal to display information about a specified or all IPsec proposals.
Related commands: ipsec proposal.
Examples
# Display information about all IPsec proposals.
<Sysname> display ipsec proposal
encapsulation mode: transport
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
Table 3 Command output

Field | Description |
---|---|
IPsec proposal name | Name of the IPsec proposal |
encapsulation mode | Encapsulation mode used by the IPsec proposal, transport or tunnel |
transform | Security protocol(s) used by the IPsec proposal: AH, ESP, or both |
AH protocol | Authentication algorithm used by AH |
ESP protocol | Authentication algorithm and encryption algorithm used by ESP |
display ipsec sa
Syntax
display ipsec sa [ brief | policy policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
brief: Displays brief information about all SAs.
policy: Displays detailed information about SAs created by using a specified IPsec policy.
policy-name: Name of the IPsec policy, a string of 1 to 15 characters.
seq-number: Sequence number of the IPsec policy, in the range of 1 to 65535.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ipsec sa to display relevant information about SAs.
With no parameter or keyword specified, the command displays information about all SAs.
Related commands: reset ipsec sa.
Examples
# Display brief information about all SAs.
<Sysname> display ipsec sa brief
Src Address Dst Address SPI Protocol Algorithm
--------------------------------------------------------
-- -- 300 ESP E:DES;
A:HMAC-MD5-96
-- -- 300 ESP E:DES;
A:HMAC-MD5-96
Table 4 Command output

Field | Description |
---|---|
Src Address | Local IP address. |
Dst Address | Remote IP address. |
SPI | Security parameter index. |
Protocol | Security protocol used by IPsec. |
Algorithm | Authentication algorithm and encryption algorithm used by the security protocol, where E indicates the encryption algorithm and A indicates the authentication algorithm. A value of NULL means that type of algorithm is not specified. |
# Display detailed information about all SAs.
<Sysname> display ipsec sa
===============================
Protocol: OSPFv3
===============================
-----------------------------
IPsec policy name: "manual"
sequence number: 1
mode: manual
-----------------------------
connection id: 2
encapsulation mode: transport
perfect forward secrecy:
tunnel:
flow :
[inbound AH SAs]
spi: 1234563 (0x12d683)
proposal: AH-MD5HMAC96
No duration limit for this sa
[outbound AH SAs]
spi: 1234563 (0x12d683)
proposal: AH-MD5HMAC96
No duration limit for this sa
Table 5 Command output

Field | Description |
---|---|
Protocol | Name of the protocol to which the IPsec policy is applied |
IPsec policy name | Name of the IPsec policy used |
sequence number | Sequence number of the IPsec policy |
mode | IPsec negotiation mode |
connection id | IPsec tunnel identifier |
encapsulation mode | Encapsulation mode, transport or tunnel |
perfect forward secrecy | Whether the perfect forward secrecy feature is enabled |
tunnel | IPsec tunnel |
flow | Data flow |
inbound | Information about the inbound SA |
spi | Security parameter index |
proposal | Security protocol and algorithms used by the IPsec proposal |
sa duration | Lifetime of the IPsec SA |
display ipsec statistics
Syntax
display ipsec statistics [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
tunnel-id integer: Specifies an IPsec tunnel by its ID, which is in the range of 1 to 2000000000.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ipsec statistics to display IPsec packet statistics.
If you do not specify any argument, the command will display statistics on all IPsec packets.
Related commands: reset ipsec statistics.
Examples
# Display statistics on all IPsec packets.
<Sysname> display ipsec statistics
the security packet statistics:
input/output security packets: 47/62
input/output security bytes: 3948/5208
input/output dropped security packets: 0/45
dropped security packet detail:
not enough memory: 0
can't find SA: 45
queue is full: 0
authentication has failed: 0
wrong length: 0
replay packet: 0
packet too long: 0
wrong SA: 0
# Display IPsec packet statistics for Tunnel 3.
<Sysname> display ipsec statistics tunnel-id 3
------------------------------------------------
Connection ID : 3
------------------------------------------------
the security packet statistics:
input/output security packets: 5124/8231
input/output security bytes: 52348/64356
input/output dropped security packets: 0/0
dropped security packet detail:
not enough memory: 0
queue is full: 0
authentication has failed: 0
wrong length: 0
replay packet: 0
packet too long: 0
wrong SA: 0
Table 6 Command output

Field | Description |
---|---|
Connection ID | ID of the tunnel |
input/output security packets | Counts of inbound and outbound IPsec protected packets |
input/output security bytes | Counts of inbound and outbound IPsec protected bytes |
input/output dropped security packets | Counts of inbound and outbound IPsec protected packets that are discarded by the device |
dropped security packet detail | Detailed information about inbound/outbound packets that get dropped |
not enough memory | Number of packets dropped due to lack of memory |
can't find SA | Number of packets dropped due to finding no security association |
queue is full | Number of packets dropped due to full queues |
authentication has failed | Number of packets dropped due to authentication failure |
wrong length | Number of packets dropped due to wrong packet length |
replay packet | Number of packets replayed |
packet too long | Number of packets dropped due to excessive packet length |
wrong SA | Number of packets dropped due to improper SA |
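As an added example (not part of the command reference), this Python parser reads display ipsec statistics output in both the global and tunnel-id forms and turns every non-zero drop reason from Table 6 into an alert, also flagging a capture whose per-reason counters do not add up to the dropped total. The sample text is constructed from the two outputs above; parse_ipsec_statistics() and drop_alerts() are this example's own names, and the hints are drawn from Table 6 and the SA command descriptions on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the two outputs shown on this page, joined as one capture.
SAMPLE = """\
<Sysname> display ipsec statistics
the security packet statistics:
  input/output security packets: 47/62
  input/output security bytes: 3948/5208
  input/output dropped security packets: 0/45
  dropped security packet detail:
    not enough memory: 0
    can't find SA: 45
    queue is full: 0
    authentication has failed: 0
    wrong length: 0
    replay packet: 0
    packet too long: 0
    wrong SA: 0
<Sysname> display ipsec statistics tunnel-id 3
------------------------------------------------
  Connection ID : 3
------------------------------------------------
the security packet statistics:
  input/output security packets: 5124/8231
  input/output security bytes: 52348/64356
  input/output dropped security packets: 0/0
  dropped security packet detail:
    not enough memory: 0
    queue is full: 0
    authentication has failed: 0
    wrong length: 0
    replay packet: 0
    packet too long: 0
    wrong SA: 0
"""

DROP_REASONS = ("not enough memory", "can't find SA", "queue is full",
                "authentication has failed", "wrong length", "replay packet",
                "packet too long", "wrong SA")
PAIR_KEYS = {"security packets": "packets", "security bytes": "bytes",
             "dropped security packets": "dropped"}
# What a non-zero drop reason points at (from Table 6 and the sa spi / sa *-hex rules).
HINTS = {
    "can't find SA": "no SA matched the packet; compare sa spi and the proposal on both ends",
    "authentication has failed": "integrity check failed; compare authentication keys and algorithms on both ends",
    "replay packet": "packets rejected as replays",
    "wrong SA": "packet matched an improper SA",
}
CONN_RE = re.compile(r"^\s*Connection ID\s*:\s*(\d+)\s*$")
PAIR_RE = re.compile(r"^\s*input/output (security packets|security bytes|dropped security packets):\s*(\d+)/(\d+)\s*$")
DROP_RE = re.compile(r"^\s*([A-Za-z' ]+?):\s*(\d+)\s*$")

def parse_ipsec_statistics(text: str) -> Dict[object, dict]:
    """Parse display ipsec statistics output into {scope: counters}, where scope is
    'all' for the global output or the Connection ID for a tunnel-id output."""
    stats: Dict[object, dict] = {}
    scope, pending = None, None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            pending = int(m.group(1))       # a tunnel block announces its ID first
            continue
        if line.strip() == "the security packet statistics:":
            scope = "all" if pending is None else pending
            stats[scope] = {"drops": {}}
            pending = None
            continue
        if scope is None:
            continue
        m = PAIR_RE.match(line)
        if m:
            stats[scope][PAIR_KEYS[m.group(1)]] = (int(m.group(2)), int(m.group(3)))
            continue
        m = DROP_RE.match(line)
        if m and m.group(1) in DROP_REASONS:
            stats[scope]["drops"][m.group(1)] = int(m.group(2))
    return stats

def drop_alerts(stats: Dict[object, dict]) -> List[Tuple[object, str, int, str]]:
    """Return (scope, reason, count, hint) for each non-zero drop reason, plus a
    bookkeeping alert when the detail counters do not add up to the dropped total."""
    alerts = []
    for scope, c in stats.items():
        for reason, n in c["drops"].items():
            if n:
                alerts.append((scope, reason, n, HINTS.get(reason, "see Table 6")))
        if "dropped" in c and sum(c["drops"].values()) != sum(c["dropped"]):
            alerts.append((scope, "detail mismatch", sum(c["dropped"]),
                           "dropped total differs from the per-reason counters"))
    return alerts
```

On the sample, the only alert is the 45 outbound packets dropped with no matching SA, which is the symptom of an SPI or proposal mismatch between the two ends.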
display ipsec tunnel
Syntax
display ipsec tunnel [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ipsec tunnel to display IPsec tunnel information.
Examples
# Display information about IPsec tunnels.
<Sysname> display ipsec tunnel
total tunnel : 1
------------------------------------------------
connection id: 5
perfect forward secrecy:
SA's SPI:
inbound: 12345 (0x3039) [ESP]
outbound: 12345 (0x3039) [ESP]
tunnel:
flow:
current Encrypt-card:
# Display information about IPsec tunnels in aggregation mode.
<Sysname> display ipsec tunnel
total tunnel: 1
------------------------------------------------
connection id: 4
perfect forward secrecy:
SA's SPI:
inbound : 2454606993 (0x924e5491) [ESP]
outbound : 675720232 (0x2846ac28) [ESP]
tunnel :
local address: 44.44.44.44
remote address : 44.44.44.45
flow :
as defined in acl 3001
current Encrypt-card : None
Table 7 Command output

Field | Description |
---|---|
connection id | Connection ID, used to uniquely identify an IPsec tunnel |
perfect forward secrecy | Perfect forward secrecy, indicating which DH group is to be used for fast negotiation mode in IKE phase 2 |
SA's SPI | SPIs of the inbound and outbound SAs |
tunnel | Local and remote addresses of the tunnel |
flow | Data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port and protocol |
as defined in acl 3001 | The IPsec tunnel protects all data flows defined by ACL 3001 |
current Encrypt-card | Encryption card interface used by the current tunnel |
encapsulation-mode
Syntax
encapsulation-mode { transport | tunnel }
undo encapsulation-mode
View
IPsec proposal view
Default level
2: System level
Parameters
transport: Uses transport mode.
tunnel: Uses tunnel mode.
Description
Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.
Use undo encapsulation-mode to restore the default.
By default, a security protocol encapsulates IP packets in tunnel mode.
IPsec for IPv6 routing protocols supports only the transport mode.
Related commands: ipsec proposal.
Examples
# Configure IPsec proposal prop2 to encapsulate IP packets in transport mode.
<Sysname> system-view
[Sysname] ipsec proposal prop2
[Sysname-ipsec-proposal-prop2] encapsulation-mode transport
esp authentication-algorithm
Syntax
esp authentication-algorithm { md5 | sha1 }
undo esp authentication-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
md5: Uses the MD5 algorithm, which uses a 128-bit key.
sha1: Uses the SHA1 algorithm, which uses a 160-bit key.
Description
Use esp authentication-algorithm to specify the authentication algorithm for ESP.
Use undo esp authentication-algorithm to configure ESP not to perform authentication on packets.
By default, the MD5 algorithm is used.
Compared with SHA-1, MD5 is faster but less secure. SHA-1 applies to scenarios with higher security and confidentiality requirements. Use MD5 in common scenarios.
ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. For ESP, you must specify an encryption algorithm, an authentication algorithm, or both. The undo esp authentication-algorithm command takes effect only if an encryption algorithm is specified for ESP.
Related commands: ipsec proposal, esp encryption-algorithm, proposal, and transform.
Examples
# Configure IPsec proposal prop1 to use ESP and specify SHA1 as the authentication algorithm for ESP.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform esp
[Sysname-ipsec-proposal-prop1] esp authentication-algorithm sha1
esp encryption-algorithm
Syntax
esp encryption-algorithm { 3des | aes [ key-length ] | des }
undo esp encryption-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
3des: Uses triple DES (3DES) in cipher block chaining (CBC) mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption.
aes: Uses the advanced encryption standard (AES) in CBC mode as the encryption algorithm. The AES algorithm uses a 128-bit, 192-bit, or 256-bit key for encryption.
key-length: Key length for the AES algorithm, which can be 128, 192, or 256 and defaults to 128. This argument is for AES only.
des: Uses the data encryption standard (DES) in CBC mode as the encryption algorithm. The DES algorithm uses a 56-bit key for encryption.
Description
Use esp encryption-algorithm to specify an encryption algorithm for ESP.
Use undo esp encryption-algorithm to configure ESP not to encrypt packets.
By default, the DES algorithm is used.
3DES provides high confidentiality and security, but it is slow in encryption. For a network that requires moderate confidentiality and security, DES is sufficient.
ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. For ESP, you must specify an encryption algorithm, an authentication algorithm, or both. The undo esp encryption-algorithm command takes effect only if an authentication algorithm is specified for ESP.
Related commands: ipsec proposal, esp authentication-algorithm, proposal, and transform.
Examples
# Configure IPsec proposal prop1 to use ESP and specify 3DES as the encryption algorithm for ESP.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform esp
[Sysname-ipsec-proposal-prop1] esp encryption-algorithm 3des
ipsec policy (system view)
Syntax
ipsec policy policy-name seq-number [ manual ]
undo ipsec policy policy-name [ seq-number ]
View
System view
Default level
2: System level
Parameters
policy-name: Name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No minus sign (-) can be included.
seq-number: Sequence number for the IPsec policy, in the range of 1 to 65535.
manual: Sets up SAs manually.
Description
Use ipsec policy to create an IPsec policy and enter its view.
Use undo ipsec policy to delete the specified IPsec policies.
By default, no IPsec policy exists.
When creating an IPsec policy, you must specify the generation mode; when entering the view of an existing IPsec policy, you do not need to.
You cannot change the generation mode of an existing IPsec policy; you can only delete the policy and then re-create it with the new mode.
IPsec policies with the same name constitute an IPsec policy group. An IPsec policy is identified uniquely by its name and sequence number. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
Using the undo ipsec policy command without the seq-number argument deletes an IPsec policy group.
Related commands: display ipsec policy.
Examples
# Create a manual IPsec policy policy1.
<Sysname> system-view
[Sysname] ipsec policy policy1 101 manual
[Sysname-ipsec-policy-manual-policy1-101]
ipsec proposal
Syntax
ipsec proposal proposal-name
undo ipsec proposal proposal-name
View
System view
Default level
2: System level
Parameters
proposal-name: Name for the proposal, a case-insensitive string of 1 to 32 characters.
Description
Use ipsec proposal to create an IPsec proposal and enter its view.
Use undo ipsec proposal to delete an IPsec proposal.
By default, no IPsec proposal exists.
An IPsec proposal created by using the ipsec proposal command takes the security protocol of ESP, the encryption algorithm of DES, and the authentication algorithm of MD5 by default.
Related commands: display ipsec proposal.
Examples
# Create an IPsec proposal named newprop1.
<Sysname> system-view
[Sysname] ipsec proposal newprop1
proposal (IPsec policy view)
Syntax
proposal proposal-name&<1-6>
undo proposal [ proposal-name ]
View
IPsec policy view
Default level
2: System level
Parameters
proposal-name&<1-6>: Name of the IPsec proposal for the IPsec policy to reference, a string of 1 to 32 characters. &<1-6> means that you can specify the proposal-name argument up to six times.
Description
Use proposal to specify the IPsec proposals for the IPsec policy to reference.
Use undo proposal to remove an IPsec proposal referenced by the IPsec policy.
By default, an IPsec policy references no IPsec proposal.
You can specify only existing IPsec proposals when using this command.
A manual IPsec policy can reference only one IPsec proposal. To replace a referenced IPsec proposal, use the undo proposal command to remove the original proposal binding and then use the proposal command to reconfigure one.
Related commands: ipsec proposal and ipsec policy (system view).
Examples
# Configure IPsec policy policy1 to reference IPsec proposal prop1.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] proposal prop1
reset ipsec sa
Syntax
reset ipsec sa [ policy policy-name [ seq-number ] ]
View
User view
Default level
2: System level
Parameters
policy: Specifies an IPsec policy.
policy-name: Name of the IPsec policy, a case-sensitive string of 1 to 15 alphanumeric characters.
seq-number: Sequence number of the IPsec policy, in the range of 1 to 65535. If no seq-number is specified, all the policies in the IPsec policy group named policy-name are specified.
Description
Use reset ipsec sa to clear specified or all IPsec SAs.
If no parameter is specified, the command clears all SAs.
After an SA set up manually is cleared, the system will automatically set up a new SA based on the parameters in the IPsec policy.
Related commands: display ipsec sa.
Examples
# Clear all SAs.
<Sysname> reset ipsec sa
# Clear the SA of the IPsec policy with the name of policy1 and sequence number of 10.
<Sysname> reset ipsec sa policy policy1 10
reset ipsec statistics
Syntax
reset ipsec statistics
View
User view
Default level
2: System level
Parameters
None
Description
Use reset ipsec statistics to clear IPsec message statistics, and set all the statistics to zero.
Related commands: display ipsec statistics.
Examples
# Clear IPsec message statistics.
<Sysname> reset ipsec statistics
sa authentication-hex
Syntax
sa authentication-hex { inbound | outbound } { ah | esp } hex-key
undo sa authentication-hex { inbound | outbound } { ah | esp }
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
hex-key: Authentication key for the SA, in hexadecimal format. The length of the key is 16 bytes for MD5 and 20 bytes for SHA1.
Description
Use sa authentication-hex to configure an authentication key for an SA.
Use undo sa authentication-hex to remove the configuration.
When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.
The authentication key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the authentication key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.
At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.
Related commands: ipsec policy (system view).
Examples
# Set the authentication keys for the inbound and outbound SAs using AH to 0x112233445566778899aabbccddeeff00 and 0x112233445566778899aabbccddeeff00.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex inbound ah 112233445566778899aabbccddeeff00
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah 112233445566778899aabbccddeeff00
sa encryption-hex
Syntax
sa encryption-hex { inbound | outbound } esp hex-key
undo sa encryption-hex { inbound | outbound } esp
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
esp: Uses ESP.
hex-key: Encryption key for the SA, in hexadecimal format. The length of the key is 8 bytes for DES and 24 bytes for 3DES.
Description
Use sa encryption-hex to configure an encryption key for an SA.
Use undo sa encryption-hex to remove the configuration.
When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs.
The encryption key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the encryption key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.
At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.
Related commands: ipsec policy (system view).
Examples
# Configure the encryption key for the inbound and outbound SAs using ESP as 0x1234567890abcdef and 0x1234567890abcdef respectively.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex inbound esp 1234567890abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex outbound esp 1234567890abcdef
sa spi
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
spi-number: Security parameters index (SPI) in the SA triplet, in the range of 256 to 4294967295.
Description
Use sa spi to configure an SPI for an SA.
Use undo sa spi to remove the configuration.
When configuring a manual IPsec policy, you must configure parameters for both the inbound and outbound SAs.
The SA parameters for the two ends of an IPsec tunnel must match. The inbound SA and outbound SA must share the same SPI at both the local end and the remote end.
The SPIs configured on all devices within a scope must be identical. The scope is determined by the IPv6 routing protocol to be protected. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.
Related commands: ipsec policy (system view).
Examples
# Configure the SPI of the inbound SA to 10000 and that of the outbound SA to 10000.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000
[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 10000
sa string-key
Syntax
sa string-key { inbound | outbound } { ah | esp } string-key
undo sa string-key { inbound | outbound } { ah | esp }
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
string-key: Key string for the SA, consisting of 1 to 255 characters. For different algorithms, enter strings of any length in the specified range. Using this key string, the system automatically generates keys meeting the algorithm requirements. When the protocol is ESP, the system generates the keys for the authentication algorithm and encryption algorithm respectively.
Description
Use sa string-key to set a key string for an SA.
Use undo sa string-key to remove the configuration.
This command applies to only manual IPsec policies.
When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.
The key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.
At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.
When you configure an IPsec policy for an IPv6 protocol, follow these guidelines:
· Within a certain network scope, each router must use the same SPI and keys for its inbound and outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.
· Enter the keys in the same format on all routers. For example, if you enter the keys in hexadecimal format on one router, do so across the defined scope.
Related commands: ipsec policy (system view).
Examples
# Configure the inbound and outbound SAs that use AH to use the keys abcdef and efcdab respectively.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah efcdab
# Configure the inbound and outbound SAs that use AH to use the key abcdef.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah abcdef
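As an added example (not from the command reference or the vendor), the following Python checker applies the rules stated under sa spi, sa authentication-hex, sa encryption-hex and sa string-key to both ends of a manual tunnel: SPI range, hex-key length per algorithm, local-inbound equals remote-outbound and vice versa, one key format throughout, and the shared SPI (and, within an IPv6 routing-protocol scope, shared keys) for the two directions. The ManualSa and ManualPolicy structures, check_pair(), and the AES hex-key lengths are this example's own assumptions; the page lists hex-key lengths only for MD5, SHA1, DES and 3DES.

```python
from dataclasses import dataclass
from typing import List, Optional

# Limits stated by the sa spi, sa authentication-hex and sa encryption-hex commands.
SPI_MIN, SPI_MAX = 256, 4294967295
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}
ENC_KEY_BYTES = {"des": 8, "3des": 24}
# Not listed on the page: AES key bytes assumed from the aes key-length parameter.
AES_KEY_BYTES = {128: 16, 192: 24, 256: 32}

@dataclass
class ManualSa:
    """One manual SA (one direction): proto is 'ah' or 'esp'; keys mirror the sa commands."""
    proto: str
    spi: int
    auth_hex: Optional[str] = None     # sa authentication-hex
    enc_hex: Optional[str] = None      # sa encryption-hex (ESP only)
    string_key: Optional[str] = None   # sa string-key

    def key_format(self) -> str:
        return "string" if self.string_key is not None else "hex"

    def keys(self) -> tuple:
        return (self.auth_hex, self.enc_hex, self.string_key)

@dataclass
class ManualPolicy:
    """Manual IPsec policy: proposal algorithms plus its SAs (one protocol per policy here)."""
    auth_alg: str                # md5 | sha1 (ah/esp authentication-algorithm)
    enc_alg: Optional[str]       # des | 3des | aes | None (esp encryption-algorithm)
    inbound: ManualSa
    outbound: ManualSa
    aes_key_length: int = 128

def _hex_bytes(key: str) -> int:
    try:                         # byte length of a hex key, -1 if not valid hex
        return len(bytes.fromhex(key))
    except ValueError:
        return -1

def check_sa(p: ManualPolicy, sa: ManualSa, label: str) -> List[str]:
    """Per-SA checks: SPI range, string-key length, hex-key lengths for the algorithms."""
    errs = []
    if not SPI_MIN <= sa.spi <= SPI_MAX:
        errs.append(f"{label}: SPI {sa.spi} outside {SPI_MIN}-{SPI_MAX}")
    if sa.string_key is not None and not 1 <= len(sa.string_key) <= 255:
        errs.append(f"{label}: string-key must be 1 to 255 characters")
    if sa.auth_hex is not None:
        want = AUTH_KEY_BYTES[p.auth_alg]
        if _hex_bytes(sa.auth_hex) != want:
            errs.append(f"{label}: {p.auth_alg} authentication-hex key must be {want} bytes")
    if sa.enc_hex is not None:
        if sa.proto != "esp" or p.enc_alg is None:
            errs.append(f"{label}: encryption-hex applies only to ESP with an encryption algorithm")
        else:
            want = AES_KEY_BYTES[p.aes_key_length] if p.enc_alg == "aes" else ENC_KEY_BYTES[p.enc_alg]
            if _hex_bytes(sa.enc_hex) != want:
                errs.append(f"{label}: {p.enc_alg} encryption-hex key must be {want} bytes")
    return errs

def check_pair(local: ManualPolicy, remote: ManualPolicy, ipv6_routing_scope: bool = True) -> List[str]:
    """Check both ends of a manual tunnel; an empty list means the SAs are consistent."""
    errs = []
    for name, p in (("local", local), ("remote", remote)):
        errs += check_sa(p, p.inbound, f"{name} inbound")
        errs += check_sa(p, p.outbound, f"{name} outbound")
    if errs:
        return errs
    # Local inbound must match remote outbound and vice versa (SPI and keys).
    for a, b, lbl in ((local.inbound, remote.outbound, "local inbound / remote outbound"),
                      (local.outbound, remote.inbound, "local outbound / remote inbound")):
        if a.spi != b.spi:
            errs.append(f"{lbl}: SPI mismatch {a.spi} != {b.spi}")
        if a.keys() != b.keys():
            errs.append(f"{lbl}: keys differ")
    # Every SA at both ends must use the same key format (all hex or all string).
    fmts = {sa.key_format() for sa in (local.inbound, local.outbound, remote.inbound, remote.outbound)}
    if len(fmts) > 1:
        errs.append("key format differs between SAs (use hex on all or string on all)")
    # sa spi: inbound and outbound share one SPI; within an IPv6 routing-protocol
    # scope the sa string-key guidelines also require the same keys both ways.
    for name, p in (("local", local), ("remote", remote)):
        if p.inbound.spi != p.outbound.spi:
            errs.append(f"{name}: inbound SPI {p.inbound.spi} != outbound SPI {p.outbound.spi}")
        if ipv6_routing_scope and p.inbound.keys() != p.outbound.keys():
            errs.append(f"{name}: inbound and outbound keys differ within the routing-protocol scope")
    return errs

# Constructed from the page's sa spi / sa authentication-hex examples: AH, MD5, SPI 10000.
KEY = "112233445566778899aabbccddeeff00"
LOCAL = ManualPolicy("md5", None, ManualSa("ah", 10000, auth_hex=KEY), ManualSa("ah", 10000, auth_hex=KEY))
REMOTE = ManualPolicy("md5", None, ManualSa("ah", 10000, auth_hex=KEY), ManualSa("ah", 10000, auth_hex=KEY))
```

check_pair(LOCAL, REMOTE) returns an empty list; changing one SPI, shortening a key below the algorithm's length, or mixing hex and string keys between the two ends each produces a descriptive error.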
transform
Syntax
transform { ah | ah-esp | esp }
undo transform
View
IPsec proposal view
Default level
2: System level
Parameters
ah: Uses the AH protocol.
ah-esp: Uses ESP first and then AH.
esp: Uses the ESP protocol.
Description
Use transform to specify a security protocol for an IPsec proposal.
Use undo transform to restore the default.
By default, the ESP protocol is used.
If ESP is used, the default encryption and authentication algorithms are DES and MD5 respectively.
If AH is used, the default authentication algorithm is MD5.
If both AH and ESP are used, AH uses the MD5 authentication algorithm by default, and ESP uses the DES encryption algorithm but no authentication algorithm by default.
The IPsec proposals at the two ends of an IPsec tunnel must use the same security protocol.
Related commands: ipsec proposal.
Examples
# Configure IPsec proposal prop1 to use AH.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform ah