10-Security Command Reference

07-IPsec Commands

IPsec configuration commands

ah authentication-algorithm

Syntax

ah authentication-algorithm { md5 | sha1 }

undo ah authentication-algorithm

View

IPsec proposal view

Default level

2: System level

Parameters

md5: Uses MD5.

sha1: Uses SHA1.

Description

Use ah authentication-algorithm to specify the authentication algorithm for the authentication header (AH) protocol.

Use undo ah authentication-algorithm to restore the default.

By default, MD5 is used.

You need to use the transform command to specify the security protocol as AH or both AH and ESP before specifying the authentication algorithm for AH.

Related commands: ipsec proposal and transform.

Examples

# Configure IPsec proposal prop1 to use AH and SHA1.

<Sysname> system-view

[Sysname] ipsec proposal prop1

[Sysname-ipsec-proposal-prop1] transform ah

[Sysname-ipsec-proposal-prop1] ah authentication-algorithm sha1

display ipsec policy

Syntax

display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

brief: Displays brief information about all IPsec policies.

name: Displays detailed information about a specified IPsec policy or IPsec policy group.

policy-name: Name of the IPsec policy, a string of 1 to 15 characters.

seq-number: Sequence number of the IPsec policy, in the range of 1 to 65535.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ipsec policy to display information about IPsec policies.

·           If you do not specify any keywords or parameters, the command displays detailed information about all IPsec policies.

·           If you specify the name policy-name option without the seq-number argument, the command displays detailed information about the specified IPsec policy group.

Related commands: ipsec policy (system view).

Examples

# Display brief information about all IPsec policies.

<Sysname> display ipsec policy brief

IPsec-Policy-Name     Mode    acl    ike-peer name    Mapped Template

------------------------------------------------------------------------

policy1-1             manual

policy1-100           manual

policy1-200           manual

 

IPsec-Policy-Name     Mode    acl     Local-Address  Remote-Address

------------------------------------------------------------------------

policy1-1             manual

policy1-100           manual

policy1-200           manual  

Table 1 Command output

  Field              Description
  IPsec-Policy-Name  Name and sequence number of the IPsec policy, separated by a hyphen
  Mode               Negotiation mode of the IPsec policy. On SR8800 routers it can only be manual: you set up and maintain the SAs yourself.
  acl                Access control list (ACL) referenced by the IPsec policy
  ike-peer name      IKE peer name
  Mapped Template    Referenced IPsec policy template
  Local-Address      IP address of the local end
  Remote-Address     IP address of the remote end


# Display detailed information about all IPsec policies.

<Sysname> display ipsec policy

===========================================

IPsec Policy Group: "policy1"

Interface:

===========================================

 

  -----------------------------

  IPsec policy name: "policy1"

  sequence number: 1

  mode: manual

  -----------------------------

    security data flow :

    tunnel local  address:

    tunnel remote address:

    proposal name:

    inbound AH setting:

      AH spi:

      AH string-key:

      AH authentication hex key:

    inbound ESP setting:

      ESP spi:

      ESP string-key:

      ESP encryption hex key:

      ESP authentication hex key:

    outbound AH setting:

      AH spi:

      AH string-key:

      AH authentication hex key:

    outbound ESP setting:

      ESP spi:

      ESP string-key:

      ESP encryption hex key:

      ESP authentication hex key:  

Table 2 Command output

  Field                            Description
  security data flow               ACL referenced by the IPsec policy
  Interface                        Interface to which the IPsec policy is applied
  sequence number                  Sequence number of the IPsec policy
  mode                             Negotiation mode of the IPsec policy. On SR8800 routers it can only be manual: you set up and maintain the SAs yourself.
  proposal name                    Proposal referenced by the IPsec policy
  inbound/outbound AH/ESP setting  AH/ESP settings in the inbound/outbound direction, including the SPI and keys


display ipsec proposal

Syntax

display ipsec proposal [ proposal-name ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

proposal-name: Name of a proposal, a string of 1 to 32 characters.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ipsec proposal to display information about a specified or all IPsec proposals.

Related commands: ipsec proposal.

Examples

# Display information about all IPsec proposals.

<Sysname> display ipsec proposal

  IPsec proposal name: prop1

    encapsulation mode: transport

    transform: esp-new

    ESP protocol: authentication md5-hmac-96, encryption des

Table 3 Command output

  Field                Description
  IPsec proposal name  Name of the IPsec proposal
  encapsulation mode   Encapsulation mode used by the IPsec proposal: transport or tunnel
  transform            Security protocol(s) used by the IPsec proposal: AH, ESP, or both
  AH protocol          Authentication algorithm used by AH
  ESP protocol         Authentication algorithm and encryption algorithm used by ESP


display ipsec sa

Syntax

display ipsec sa [ brief | policy policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

brief: Displays brief information about all SAs.

policy: Displays detailed information about SAs created by using a specified IPsec policy.

policy-name: Name of the IPsec policy, a string of 1 to 15 characters.

seq-number: Sequence number of the IPsec policy, in the range of 1 to 65535.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ipsec sa to display relevant information about SAs.

With no parameter or keyword specified, the command displays information about all SAs.

Related commands: reset ipsec sa.

Examples

# Display brief information about all SAs.

<Sysname> display ipsec sa brief

Src Address  Dst Address  SPI    Protocol     Algorithm

--------------------------------------------------------

--           --           300    ESP          E:DES;

                                              A:HMAC-MD5-96

--           --           300    ESP          E:DES;

                                              A:HMAC-MD5-96

Table 4 Command output

  Field        Description
  Src Address  Local IP address
  Dst Address  Remote IP address
  SPI          Security parameter index
  Protocol     Security protocol used by IPsec
  Algorithm    Authentication and encryption algorithms used by the security protocol: E is the encryption algorithm, A the authentication algorithm. NULL means no algorithm of that type is configured.


# Display detailed information about all SAs.

<Sysname> display ipsec sa

===============================

Protocol: OSPFv3

===============================

 

  -----------------------------

  IPsec policy name: "manual"

  sequence number: 1

  mode: manual

  -----------------------------

    connection id: 2

    encapsulation mode: transport

    perfect forward secrecy:

    tunnel:

    flow :

 

  [inbound AH SAs]

      spi: 1234563 (0x12d683)

      proposal: AH-MD5HMAC96

      No duration limit for this sa

 

  [outbound AH SAs]

      spi: 1234563 (0x12d683)

      proposal: AH-MD5HMAC96

      No duration limit for this sa

Table 5 Command output

  Field                    Description
  Protocol                 Name of the protocol to which the IPsec policy is applied
  IPsec policy name        Name of the IPsec policy used
  sequence number          Sequence number of the IPsec policy
  mode                     IPsec negotiation mode
  connection id            IPsec tunnel identifier
  encapsulation mode       Encapsulation mode: transport or tunnel
  perfect forward secrecy  Whether perfect forward secrecy is enabled
  tunnel                   IPsec tunnel
  flow                     Data flow
  inbound                  Information about the inbound SA
  spi                      Security parameter index
  proposal                 Security protocol and algorithms used by the IPsec proposal
  sa duration              Lifetime of the IPsec SA


display ipsec statistics

Syntax

display ipsec statistics [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

tunnel-id integer: Specifies an IPsec tunnel by its ID, which is in the range of 1 to 2000000000.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ipsec statistics to display IPsec packet statistics.

If you do not specify any argument, the command will display statistics on all IPsec packets.

Related commands: reset ipsec statistics.

Examples

# Display statistics on all IPsec packets.

<Sysname> display ipsec statistics

  the security packet statistics:

    input/output security packets: 47/62

    input/output security bytes: 3948/5208

    input/output dropped security packets: 0/45

    dropped security packet detail:

      not enough memory: 0

      can't find SA: 45

      queue is full: 0

      authentication has failed: 0

      wrong length: 0

      replay packet: 0

      packet too long: 0

      wrong SA: 0

# Display IPsec packet statistics for Tunnel 3.

<Sysname> display ipsec statistics tunnel-id 3

------------------------------------------------

  Connection ID : 3

 ------------------------------------------------

  the security packet statistics:

    input/output security packets: 5124/8231

    input/output security bytes: 52348/64356

    input/output dropped security packets: 0/0

    dropped security packet detail:

      not enough memory: 0

      queue is full: 0

      authentication has failed: 0

      wrong length: 0

      replay packet: 0

      packet too long: 0

      wrong SA: 0

Table 6 Command output

  Field                                  Description
  Connection ID                          ID of the tunnel
  input/output security packets          Counts of inbound and outbound IPsec-protected packets
  input/output security bytes            Counts of inbound and outbound IPsec-protected bytes
  input/output dropped security packets  Counts of inbound and outbound IPsec-protected packets that the device discarded
  dropped security packet detail         Breakdown of the dropped inbound/outbound packets by reason
  not enough memory                      Packets dropped for lack of memory
  can't find SA                          Packets dropped because no matching security association was found
  queue is full                          Packets dropped because a queue was full
  authentication has failed              Packets dropped because authentication (the ICV check) failed
  wrong length                           Packets dropped because the packet length was wrong
  replay packet                          Packets detected as replays and dropped
  packet too long                        Packets dropped because the packet was too long
  wrong SA                               Packets dropped because they matched an improper SA
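The drop counters in this table are the first place to look when a manually keyed tunnel passes no traffic, and the ones that matter for security are not the capacity ones. The Python below is an added example, not part of the H3C documentation: it parses the text of display ipsec statistics and flags the counters that point at key, integrity or replay problems. The sample output is transcribed from this page's display ipsec statistics example (not captured from a live router), and the severity mapping in SECURITY_REASONS is this editor's suggestion, not something the router defines.

```python
"""Parse 'display ipsec statistics' text and flag security-relevant drops.

Added example; SAMPLE_OUTPUT is transcribed from the command reference,
not captured from a router, and SECURITY_REASONS is editorial advice.
"""
import re

SAMPLE_OUTPUT = """\
  the security packet statistics:
    input/output security packets: 47/62
    input/output security bytes: 3948/5208
    input/output dropped security packets: 0/45
    dropped security packet detail:
      not enough memory: 0
      can't find SA: 45
      queue is full: 0
      authentication has failed: 0
      wrong length: 0
      replay packet: 0
      packet too long: 0
      wrong SA: 0
"""

# Drop reasons worth an alert: bad keys, tampering, replay, or traffic on an
# SPI this router does not know. Memory/queue/length drops are capacity issues.
SECURITY_REASONS = {
    "authentication has failed": "ICV mismatch: key/algorithm mismatch or tampered packets",
    "replay packet": "sequence number already seen: possible replay",
    "wrong SA": "packet matched an SA it should not have",
    "can't find SA": "no SA for the SPI: peer keyed differently or policy incomplete",
}

# "input/output <name>: <in>/<out>" lines in the totals block
PAIR_RE = re.compile(r"^\s*input/output (?P<name>[\w ]+): (?P<in>\d+)/(?P<out>\d+)\s*$")
# "<reason>: <count>" lines in the dropped-packet detail block
REASON_RE = re.compile(r"^\s*(?P<reason>[^:]+): (?P<count>\d+)\s*$")


def parse_statistics(text: str) -> dict:
    """Return {'totals': {name: (in, out)}, 'drops': {reason: count}}."""
    totals, drops = {}, {}
    in_detail = False
    for line in text.splitlines():
        if "dropped security packet detail" in line:
            in_detail = True  # everything after this line is a per-reason counter
            continue
        m = PAIR_RE.match(line)
        if m and not in_detail:
            totals[m["name"]] = (int(m["in"]), int(m["out"]))
            continue
        m = REASON_RE.match(line)
        if m and in_detail:
            drops[m["reason"].strip()] = int(m["count"])
    return {"totals": totals, "drops": drops}


def drops_reconciled(stats: dict) -> bool:
    """True if the per-reason counters account for every reported drop."""
    total_in, total_out = stats["totals"].get("dropped security packets", (0, 0))
    return sum(stats["drops"].values()) == total_in + total_out


def security_findings(stats: dict) -> list:
    """Non-zero security-relevant counters as (reason, count, explanation)."""
    return [(reason, stats["drops"][reason], why)
            for reason, why in SECURITY_REASONS.items()
            if stats["drops"].get(reason, 0) > 0]


if __name__ == "__main__":
    parsed = parse_statistics(SAMPLE_OUTPUT)
    for finding in security_findings(parsed):
        print("%s: %d (%s)" % finding)
```

In the page's own sample all 45 drops are outbound and fall under can't find SA, which with manual keying usually means the policy applied locally has no complete outbound SA (missing SPI or key) rather than anything arriving from the peer; a non-zero authentication has failed or replay packet count is the one to escalate, since it means packets that claimed to belong to the SA did not verify.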

 

display ipsec tunnel

Syntax

display ipsec tunnel [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ipsec tunnel to display IPsec tunnel information.

Examples

# Display information about IPsec tunnels.

<Sysname> display ipsec tunnel

    total tunnel : 1

------------------------------------------------

    connection id: 5

    perfect forward secrecy:

    SA's SPI:

        inbound:  12345 (0x3039) [ESP]

        outbound: 12345 (0x3039) [ESP]

    tunnel:

    flow:

    current Encrypt-card:

# Display information about IPsec tunnels in aggregation mode.

<Sysname> display ipsec tunnel

    total tunnel: 1

    ------------------------------------------------

    connection id: 4

    perfect forward secrecy:

    SA's SPI:

        inbound :  2454606993 (0x924e5491) [ESP]

        outbound : 675720232 (0x2846ac28) [ESP]

    tunnel :

        local address:  44.44.44.44

        remote address : 44.44.44.45

    flow :

        as defined in acl 3001

    current Encrypt-card : None

Table 7 Command output

  Field                    Description
  connection id            Connection ID, uniquely identifying an IPsec tunnel
  perfect forward secrecy  Perfect forward secrecy: the DH group used for the fast negotiation mode in IKE phase 2
  SA's SPI                 SPIs of the inbound and outbound SAs
  tunnel                   Local and remote addresses of the tunnel
  flow                     Data flow protected by the IPsec tunnel: source and destination IP address, source and destination port, and protocol
  as defined in acl 3001   The IPsec tunnel protects all data flows defined by ACL 3001
  current Encrypt-card     Encryption card interface used by the tunnel


encapsulation-mode

Syntax

encapsulation-mode { transport | tunnel }

undo encapsulation-mode

View

IPsec proposal view

Default level

2: System level

Parameters

transport: Uses transport mode.

tunnel: Uses tunnel mode.

Description

Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.

Use undo encapsulation-mode to restore the default.

By default, a security protocol encapsulates IP packets in tunnel mode.

IPsec for IPv6 routing protocols supports only the transport mode.

Related commands: ipsec proposal.

Examples

# Configure IPsec proposal prop2 to encapsulate IP packets in transport mode.

<Sysname> system-view

[Sysname] ipsec proposal prop2

[Sysname-ipsec-proposal-prop2] encapsulation-mode transport

esp authentication-algorithm

Syntax

esp authentication-algorithm { md5 | sha1 }

undo esp authentication-algorithm

View

IPsec proposal view

Default level

2: System level

Parameters

md5: Uses the MD5 algorithm, which uses a 128-bit key.

sha1: Uses the SHA1 algorithm, which uses a 160-bit key.

Description

Use esp authentication-algorithm to specify the authentication algorithm for ESP.

Use undo esp authentication-algorithm to configure ESP not to perform authentication on packets.

By default, the MD5 algorithm is used.

MD5 is faster than SHA-1 but weaker. The vendor guidance is to use SHA-1 where security and confidentiality requirements are higher and MD5 in common scenarios. Note that HMAC-MD5-96 and HMAC-SHA1-96 are both legacy constructions and are the only choices this platform offers; where the peer supports it, SHA-1 is the safer default.

ESP supports three IP packet protection schemes: encryption only, authentication only, or both. For ESP you must specify an encryption algorithm, an authentication algorithm, or both, so the undo esp authentication-algorithm command takes effect only if an encryption algorithm is specified for ESP.
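What the md5 and sha1 keywords produce on the wire, as an added illustration that is not part of the H3C documentation: AH and ESP carry HMAC-MD5-96 or HMAC-SHA1-96 (RFC 2403 and RFC 2404), an HMAC over the authenticated bytes truncated to its leftmost 96 bits and keyed with 16 or 20 bytes, the same lengths the sa authentication-hex command requires. The Python below computes and verifies such an ICV and also serves the ah authentication-algorithm command above, which offers the same two choices. The packet bytes are a constructed stand-in, not a real AH or ESP packet; the key is the 16-byte hex key from this page's sa authentication-hex example.

```python
"""HMAC-MD5-96 / HMAC-SHA1-96 integrity check values (ICVs) for AH and ESP.

Added example, not router code. The packet bytes in demo() are constructed.
"""
import hashlib
import hmac

# Router keyword -> (hash function, key length in bytes required by sa authentication-hex)
ALGORITHMS = {
    "md5": (hashlib.md5, 16),
    "sha1": (hashlib.sha1, 20),
}
ICV_LEN = 12  # both "-96" variants keep only the leftmost 96 bits of the HMAC


def valid_key(algorithm: str, key: bytes) -> bool:
    """True if the key has the length the algorithm's hex-key form requires."""
    return algorithm in ALGORITHMS and len(key) == ALGORITHMS[algorithm][1]


def icv(algorithm: str, key: bytes, authenticated_bytes: bytes) -> bytes:
    """The 12-byte ICV that AH or ESP carries for these authenticated bytes."""
    digestmod, key_len = ALGORITHMS[algorithm]  # KeyError for an unknown keyword
    if len(key) != key_len:
        raise ValueError(f"{algorithm}: key must be {key_len} bytes, got {len(key)}")
    return hmac.new(key, authenticated_bytes, digestmod).digest()[:ICV_LEN]


def verify_icv(algorithm: str, key: bytes, authenticated_bytes: bytes, received_icv: bytes) -> bool:
    """Receiver-side check in constant time. A False here is what the router
    counts under 'authentication has failed' in display ipsec statistics."""
    if len(received_icv) != ICV_LEN:
        return False
    return hmac.compare_digest(icv(algorithm, key, authenticated_bytes), received_icv)


def demo():
    """Good packet, tampered packet and wrong key with the 16-byte MD5 key from
    this page's sa authentication-hex example. The packet bytes are constructed."""
    key = bytes.fromhex("112233445566778899aabbccddeeff00")
    packet = b"constructed stand-in for the AH-authenticated bytes"
    tag = icv("md5", key, packet)
    return (
        verify_icv("md5", key, packet, tag),                       # True
        verify_icv("md5", key, packet + b"\x00", tag),             # False: tampered
        verify_icv("md5", bytes.fromhex("00" * 16), packet, tag),  # False: wrong key
    )


if __name__ == "__main__":
    print(demo())
```

The truncation is why a manual AH or ESP SA with mismatched keys fails closed rather than leaking: every packet the peer sends verifies against 12 bytes derived from the full key, and the receiver learns nothing about which key was used. With manual keying, an authentication failure on one side almost always means the inbound key there is not the outbound key on the other.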

Related commands: ipsec proposal, esp encryption-algorithm, proposal, and transform.

Examples

# Configure IPsec proposal prop1 to use ESP and specify SHA1 as the authentication algorithm for ESP.

<Sysname> system-view

[Sysname] ipsec proposal prop1

[Sysname-ipsec-proposal-prop1] transform esp

[Sysname-ipsec-proposal-prop1] esp authentication-algorithm sha1

esp encryption-algorithm

Syntax

esp encryption-algorithm { 3des | aes [ key-length ] | des }

undo esp encryption-algorithm

View

IPsec proposal view

Default level

2: System level

Parameters

3des: Uses triple DES (3DES) in cipher block chaining (CBC) mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption.

aes: Uses the advanced encryption standard (AES) in CBC mode as the encryption algorithm. The AES algorithm uses a 128-bit, 192-bit, or 256-bit key for encryption.

key-length: Key length for the AES algorithm, which can be 128, 192, and 256 and defaults to 128. This argument is for AES only.

des: Uses the data encryption standard (DES) in CBC mode as the encryption algorithm. The DES algorithm uses a 56-bit key for encryption.

Description

Use esp encryption-algorithm to specify an encryption algorithm for ESP.

Use undo esp encryption-algorithm to configure ESP not to encrypt packets.

By default, the DES algorithm is used.

3DES provides higher confidentiality than DES but is slower. The vendor guidance is that DES is sufficient for a network with moderate confidentiality and security requirements; note, however, that DES has a 56-bit key and can be brute-forced with modest resources, so where the peer supports it, prefer AES (also available through this command) over both DES and 3DES.

ESP supports three IP packet protection schemes: encryption only, authentication only, or both. For ESP you must specify an encryption algorithm, an authentication algorithm, or both, so the undo esp encryption-algorithm command takes effect only if an authentication algorithm is specified for ESP.

Related commands: ipsec proposal, esp authentication-algorithm, proposal, and transform.

Examples

# Configure IPsec proposal prop1 to use ESP and specify 3DES as the encryption algorithm for ESP.

<Sysname> system-view

[Sysname] ipsec proposal prop1

[Sysname-ipsec-proposal-prop1] transform esp

[Sysname-ipsec-proposal-prop1] esp encryption-algorithm 3des

ipsec policy (system view)

Syntax

ipsec policy policy-name seq-number [ manual ]

undo ipsec policy policy-name [ seq-number ]

View

System view

Default level

2: System level

Parameters

policy-name: Name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No minus sign (-) can be included.

seq-number: Sequence number for the IPsec policy, in the range of 1 to 65535.

manual: Sets up SAs manually.

Description

Use ipsec policy to create an IPsec policy and enter its view.

Use undo ipsec policy to delete the specified IPsec policies.

By default, no IPsec policy exists.

When creating an IPsec policy, specify the generation mode; when accessing an IPsec policy, however, you do not need to do so.

You cannot change the generation mode of an existing IPsec policy; you can only delete the policy and then re-create it with the new mode.

IPsec policies with the same name constitute an IPsec policy group. An IPsec policy is identified uniquely by its name and sequence number. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.

Using the undo ipsec policy command without the seq-number argument deletes an IPsec policy group.

Related commands: display ipsec policy.

Examples

# Create a manual IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 101 manual

[Sysname-ipsec-policy-manual-policy1-101]

ipsec proposal

Syntax

ipsec proposal proposal-name

undo ipsec proposal proposal-name

View

System view

Default level

2: System level

Parameters

proposal-name: Name for the proposal, a case-insensitive string of 1 to 32 characters.

Description

Use ipsec proposal to create an IPsec proposal and enter its view.

Use undo ipsec proposal to delete an IPsec proposal.

By default, no IPsec proposal exists.

An IPsec proposal created by using the ipsec proposal command takes the security protocol of ESP, the encryption algorithm of DES, and the authentication algorithm of MD5 by default.

Related commands: display ipsec proposal.

Examples

# Create an IPsec proposal named newprop1.

<Sysname> system-view

[Sysname] ipsec proposal newprop1

proposal (IPsec policy view)

Syntax

proposal proposal-name&<1-6>

undo proposal [ proposal-name ]

View

IPsec policy view

Default level

2: System level

Parameters

proposal-name&<1-6>: Name of the IPsec proposal for the IPsec policy to reference, a string of 1 to 32 characters. &<1-6> means that you can specify the proposal-name argument for up to six times.

Description

Use proposal to specify the IPsec proposals for the IPsec policy to reference.

Use undo proposal to remove an IPsec proposal reference by the IPsec policy.

By default, an IPsec policy references no IPsec proposal.

You can specify only existing IPsec proposals when using this command.

A manual IPsec policy can reference only one IPsec proposal. To replace a referenced IPsec proposal, use the undo proposal command to remove the original proposal binding and then use the proposal command to reconfigure one.

Related commands: ipsec proposal and ipsec policy (system view).

Examples

# Configure IPsec policy policy1 to reference IPsec proposal prop1.

<Sysname> system-view

[Sysname] ipsec proposal prop1

[Sysname-ipsec-proposal-prop1] quit

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] proposal prop1

reset ipsec sa

Syntax

reset ipsec sa [ policy policy-name [ seq-number ] ]

View

User view

Default level

2: System level

Parameters

policy: Specifies an IPsec policy.

policy-name: Name of the IPsec policy, a case-sensitive string of 1 to 15 alphanumeric characters.

seq-number: Sequence number of the IPsec policy, in the range of 1 to 65535. If no seq-number is specified, all the policies in the IPsec policy group named policy-name are specified.

Description

Use reset ipsec sa to clear specified or all IPsec SAs.

If no parameter is specified, the command clears all SAs.

After a manually configured SA is cleared, the system automatically re-creates it from the parameters in the IPsec policy.

Related commands: display ipsec sa.

Examples

# Clear all SAs.

<Sysname> reset ipsec sa

# Clear the SA of the IPsec policy with the name of policy1 and sequence number of 10.

<Sysname> reset ipsec sa policy policy1 10

reset ipsec statistics

Syntax

reset ipsec statistics

View

User view

Default level

2: System level

Parameters

None

Description

Use reset ipsec statistics to clear the IPsec packet statistics, resetting all counters to zero.

Related commands: display ipsec statistics.

Examples

# Clear IPsec packet statistics.

<Sysname> reset ipsec statistics

sa authentication-hex

Syntax

sa authentication-hex { inbound | outbound } { ah | esp } hex-key

undo sa authentication-hex { inbound | outbound } { ah | esp }

View

IPsec policy view

Default level

2: System level

Parameters

inbound: Specifies the inbound SA through which IPsec processes the received packets.

outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.

ah: Uses AH.

esp: Uses ESP.

hex-key: Authentication key for the SA, in hexadecimal format. The length of the key is 16 bytes for MD5 and 20 bytes for SHA1.

Description

Use sa authentication-hex to configure an authentication key for an SA.

Use undo sa authentication-hex to remove the configuration.

When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.

The authentication key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the authentication key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.

At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.

Related commands: ipsec policy (system view).

Examples

# Set the authentication keys for the inbound and outbound SAs using AH to 0x112233445566778899aabbccddeeff00 and 0x112233445566778899aabbccddeeff00.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex inbound ah 112233445566778899aabbccddeeff00

[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah 112233445566778899aabbccddeeff00

sa encryption-hex

Syntax

sa encryption-hex { inbound | outbound } esp hex-key

undo sa encryption-hex { inbound | outbound } esp

View

IPsec policy view

Default level

2: System level

Parameters

inbound: Specifies the inbound SA through which IPsec processes the received packets.

outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.

esp: Uses ESP.

hex-key: Encryption key for the SA, in hexadecimal format. The key length must match the encryption algorithm of the referenced proposal: 8 bytes for DES and 24 bytes for 3DES (AES, if configured in the proposal, takes a 16-, 24-, or 32-byte key for the 128-, 192-, or 256-bit key length).

Description

Use sa encryption-hex to configure an encryption key for an SA.

Use undo sa encryption-hex to remove the configuration.

When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs.

The encryption key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the encryption key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.

At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.

Related commands: ipsec policy (system view).

Examples

# Set the encryption key for both the inbound and outbound SAs using ESP to 0x1234567890abcdef.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex inbound esp 1234567890abcdef

[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex outbound esp 1234567890abcdef

sa spi

Syntax

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

View

IPsec policy view

Default level

2: System level

Parameters

inbound: Specifies the inbound SA through which IPsec processes the received packets.

outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.

ah: Uses AH.

esp: Uses ESP.

spi-number: Security parameters index (SPI) in the SA triplet, in the range of 256 to 4294967295.

Description

Use sa spi to configure an SPI for an SA.

Use undo sa spi to remove the configuration.

When configuring a manual IPsec policy, you must configure parameters for both the inbound and outbound SAs.

The SA parameters for the two ends of an IPsec tunnel must match. The inbound SA and outbound SA must share the same SPI at both the local end and the remote end.

The SPIs configured on all devices within a scope must be identical. The scope is determined by the IPv6 routing protocol to be protected. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.

Related commands: ipsec policy (system view).

Examples

# Configure the SPI of the inbound SA to 10000 and that of the outbound SA to 10000.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000

[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 10000

sa string-key

Syntax

sa string-key { inbound | outbound } { ah | esp } string-key

undo sa string-key { inbound | outbound } { ah | esp }

View

IPsec policy view

Default level

2: System level

Parameters

inbound: Specifies the inbound SA through which IPsec processes the received packets.

outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.

ah: Uses AH.

esp: Uses ESP.

string-key: Key string for the SA, 1 to 255 characters. You can enter a string of any length in this range regardless of the algorithm; the system derives keys of the required length from it. When the protocol is ESP, the system derives separate keys for the authentication algorithm and the encryption algorithm.

Description

Use sa string-key to set a key string for an SA.

Use undo sa string-key to remove the configuration.

This command applies to only manual IPsec policies.

When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.

The key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.

At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.

When you configure an IPsec policy for an IPv6 protocol, follow these guidelines:

·           Within a certain network scope, each router must use the same SPI and keys for its inbound and outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.

·           Enter the keys in the same format on all routers. For example, if you enter the keys in hexadecimal format on one router, do so across the defined scope.

Related commands: ipsec policy (system view).
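A pre-deployment check for a pair of manual policies, as an added example that is not taken from the H3C documentation. It encodes only what the sa spi, sa authentication-hex and sa encryption-hex descriptions state (SPI range, hex key length per algorithm, each end's inbound SA equal to the other end's outbound SA, and the same security protocol at both ends) plus the AES key sizes from esp encryption-algorithm. It models the keys of one protocol (AH or ESP) per policy; the policy dictionaries for the two routers and the names A and B are constructed inputs, and the legacy-algorithm warnings are this editor's advice, not a check the router performs.

```python
"""Consistency checks for two manually keyed IPsec policies before they are
typed into two routers. Added example; inputs are constructed."""

SPI_MIN, SPI_MAX = 256, 4294967295       # range accepted by sa spi
AUTH_KEY_LEN = {"md5": 16, "sha1": 20}   # bytes, per sa authentication-hex
ENC_KEY_LEN = {"des": 8, "3des": 24,     # bytes, per sa encryption-hex ...
               "aes-128": 16, "aes-192": 24, "aes-256": 32}  # ... plus AES sizes
# Editor's advice, not a router check: the weak choices available on this platform.
LEGACY = {
    "des": "56-bit key, brute-forceable; use aes",
    "3des": "64-bit block cipher; prefer aes",
    "md5": "deprecated hash; prefer sha1",
}


def _hex_bytes(hex_key: str) -> int:
    """Decoded length of a hex key, or -1 if it is not valid hex."""
    try:
        return len(bytes.fromhex(hex_key))
    except ValueError:
        return -1


def check_policy(name: str, policy: dict) -> list:
    """Check one router's manual policy on its own. Returns problem strings."""
    problems = []
    key_rules = (("auth_key", AUTH_KEY_LEN, policy.get("auth_alg")),
                 ("enc_key", ENC_KEY_LEN, policy.get("enc_alg")))
    for direction in ("inbound", "outbound"):
        sa = policy[direction]
        if not SPI_MIN <= sa["spi"] <= SPI_MAX:
            problems.append(f"{name} {direction}: SPI {sa['spi']} outside {SPI_MIN}..{SPI_MAX}")
        for field, table, alg in key_rules:
            if field in sa:
                want, got = table[alg], _hex_bytes(sa[field])
                if got != want:
                    problems.append(f"{name} {direction}: {field} is {got} bytes, {alg} needs {want}")
    return problems


def check_pair(a_name: str, a: dict, b_name: str, b: dict) -> list:
    """Both routers individually, then the cross-checks between the two ends:
    same protocol and algorithms, and each side's inbound SA (SPI and keys)
    equal to the other side's outbound SA."""
    problems = check_policy(a_name, a) + check_policy(b_name, b)
    for k in ("transform", "auth_alg", "enc_alg"):
        if a.get(k) != b.get(k):
            problems.append(f"{k} differs: {a_name}={a.get(k)} {b_name}={b.get(k)}")
    for field in ("spi", "auth_key", "enc_key"):
        if a["inbound"].get(field) != b["outbound"].get(field):
            problems.append(f"{field}: {a_name} inbound != {b_name} outbound")
        if a["outbound"].get(field) != b["inbound"].get(field):
            problems.append(f"{field}: {a_name} outbound != {b_name} inbound")
    return problems


def legacy_warnings(policy: dict) -> list:
    """Advisory only: algorithms in the policy that are weak by today's standards."""
    return [f"{alg}: {LEGACY[alg]}"
            for alg in (policy.get("auth_alg"), policy.get("enc_alg")) if alg in LEGACY]


# Constructed inputs: ESP with the platform defaults MD5/DES. The A->B keys and
# SPI are the ones used in this page's examples; the B->A values are made up.
ROUTER_A = {
    "transform": "esp", "auth_alg": "md5", "enc_alg": "des",
    "inbound":  {"spi": 10000, "auth_key": "112233445566778899aabbccddeeff00", "enc_key": "1234567890abcdef"},
    "outbound": {"spi": 20000, "auth_key": "00ffeeddccbbaa998877665544332211", "enc_key": "fedcba0987654321"},
}
ROUTER_B = {  # correctly mirrored: B's inbound is A's outbound and vice versa
    "transform": "esp", "auth_alg": "md5", "enc_alg": "des",
    "inbound":  dict(ROUTER_A["outbound"]),
    "outbound": dict(ROUTER_A["inbound"]),
}
ROUTER_B_TYPO = {  # one hex digit dropped from the outbound encryption key
    "transform": "esp", "auth_alg": "md5", "enc_alg": "des",
    "inbound":  dict(ROUTER_A["outbound"]),
    "outbound": {**ROUTER_A["inbound"], "enc_key": "1234567890abcde"},
}

if __name__ == "__main__":
    print(check_pair("A", ROUTER_A, "B", ROUTER_B))       # []
    print(check_pair("A", ROUTER_A, "B", ROUTER_B_TYPO))  # two problems
    print(legacy_warnings(ROUTER_A))
```

Running the check on the typo case reports both the malformed key on B and the resulting mismatch with A's inbound key; on the router the same mistake would show up only as silent drops under can't find SA or authentication has failed in display ipsec statistics, which is why it pays to check the two configurations against each other before applying them.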

Examples

# Configure the inbound and outbound SAs that use AH to use the keys abcdef and efcdab respectively.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah abcdef

[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah efcdab

# Configure the inbound and outbound SAs that use AH to use the key abcdef.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah abcdef

[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah abcdef

transform

Syntax

transform { ah | ah-esp | esp }

undo transform

View

IPsec proposal view

Default level

2: System level

Parameters

ah: Uses the AH protocol.

ah-esp: Uses ESP first and then AH.

esp: Uses the ESP protocol.

Description

Use transform to specify a security protocol for an IPsec proposal.

Use undo transform to restore the default.

By default, the ESP protocol is used.

If ESP is used, the default encryption and authentication algorithms are DES and MD5 respectively.

If AH is used, the default authentication algorithm is MD5.

If both AH and ESP are used, AH uses the MD5 authentication algorithm by default, and ESP uses the DES encryption algorithm but no authentication algorithm by default.

The IPsec proposals at the two ends of an IPsec tunnel must use the same security protocol.

Related commands: ipsec proposal.

Examples

# Configure IPsec proposal prop1 to use AH.

<Sysname> system-view

[Sysname] ipsec proposal prop1

[Sysname-ipsec-proposal-prop1] transform ah

 
