07-IPsec Commands
NOTE: The term “router” in this document refers to both routers and Layer 3 switches.
ah authentication-algorithm
Syntax
ah authentication-algorithm { md5 | sha1 }
undo ah authentication-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
md5: Uses MD5.
sha1: Uses SHA1.
Description
Use the ah authentication-algorithm command to specify the authentication algorithm for the authentication header (AH) protocol.
Use the undo ah authentication-algorithm command to restore the default.
By default, MD5 is used.
Before specifying the authentication algorithm for AH, be sure to use the transform command to specify the security protocol as AH or both AH and ESP.
Related commands: ipsec proposal and transform.
Examples
# Configure IPsec proposal prop1 to use AH and SHA1.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform ah
[Sysname-ipsec-proposal-prop1] ah authentication-algorithm sha1
display ipsec policy
Syntax
display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
brief: Displays brief information about all IPsec policies.
name: Displays detailed information about a specified IPsec policy or IPsec policy group.
policy-name: Name of the IPsec policy, a string of 1 to 15 characters.
seq-number: Sequence number of the IPsec policy, in the range of 1 to 65535.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display ipsec policy command to display information about IPsec policies.
If you do not specify any keywords or parameters, the command displays detailed information about all IPsec policies.
If you specify the name policy-name option but do not specify the seq-number argument, the command displays detailed information about the specified IPsec policy group.
Related commands: ipsec policy (system view).
Examples
# Display brief information about all IPsec policies.
<Sysname> display ipsec policy brief
IPsec-Policy-Name Mode acl ike-peer name Mapped Template
------------------------------------------------------------------------
policy1-1 manual
policy1-100 manual
policy1-200 manual
IPsec-Policy-Name Mode acl Local-Address Remote-Address
------------------------------------------------------------------------
policy1-1 manual
policy1-100 manual
policy1-200 manual
Field | Description |
---|---|
IPsec-Policy-Name | Name and sequence number of the IPsec policy, separated by a hyphen. |
Mode | Negotiation mode of the IPsec policy. manual indicates the manual mode. |
acl | Access control list (ACL) referenced by the IPsec policy. |
ike-peer name | IKE peer name. |
Mapped Template | Referenced IPsec policy template. |
Local-Address | IP address of the local end. |
Remote-Address | IP address of the remote end. |
# Display detailed information about all IPsec policies.
<Sysname> display ipsec policy
===========================================
IPsec Policy Group: "policy1"
Interface:
===========================================
-----------------------------
IPsec policy name: "policy1"
sequence number: 1
mode: manual
-----------------------------
security data flow :
tunnel local address:
tunnel remote address:
proposal name:
inbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
inbound ESP setting:
ESP spi:
ESP string-key:
ESP encryption hex key:
ESP authentication hex key:
outbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
outbound ESP setting:
ESP spi:
ESP string-key:
ESP encryption hex key:
ESP authentication hex key:
Field | Description |
---|---|
security data flow | ACL referenced by the IPsec policy. |
Interface | Interface to which the IPsec policy is applied. |
sequence number | Sequence number of the IPsec policy. |
mode | Negotiation mode of the IPsec policy. manual indicates the manual mode. |
proposal name | Proposal referenced by the IPsec policy. |
inbound/outbound AH/ESP setting | AH/ESP settings in the inbound/outbound direction, including the SPI and keys. |
display ipsec proposal
Syntax
display ipsec proposal [ proposal-name ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
proposal-name: Name of a proposal, a string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display ipsec proposal command to display information about a specified or all IPsec proposals.
Related commands: ipsec proposal.
Examples
# Display information about all IPsec proposals.
<Sysname> display ipsec proposal
encapsulation mode: transport
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
Table 3 Output description
Field | Description |
---|---|
IPsec proposal name | Name of the IPsec proposal. |
encapsulation mode | Encapsulation mode used by the IPsec proposal, transport or tunnel. |
transform | Security protocol(s) used by the IPsec proposal: AH, ESP, or both. If both protocols are configured, IPsec uses ESP before AH. |
AH protocol | Authentication algorithm used by AH. |
ESP protocol | Authentication algorithm and encryption algorithm used by ESP. |
display ipsec sa
Syntax
display ipsec sa [ brief | policy policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
brief: Displays brief information about all SAs.
policy: Displays detailed information about SAs created by using a specified IPsec policy.
policy-name: Name of the IPsec policy, a string of 1 to 15 characters.
seq-number: Sequence number of the IPsec policy, in the range of 1 to 65535.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display ipsec sa command to display relevant information about SAs.
With no parameter or keyword specified, the command displays information about all SAs.
Related commands: reset ipsec sa.
Examples
# Display brief information about all SAs.
<Sysname> display ipsec sa brief
Src Address Dst Address SPI Protocol Algorithm
--------------------------------------------------------
-- -- 300 ESP E:DES; A:HMAC-MD5-96
-- -- 300 ESP E:DES; A:HMAC-MD5-96
Table 4 Output description
Field | Description |
---|---|
Src Address | Local IP address. |
Dst Address | Remote IP address. |
SPI | Security parameter index. |
Protocol | Security protocol used by IPsec. |
Algorithm | Authentication algorithm and encryption algorithm used by the security protocol, where E indicates the encryption algorithm and A indicates the authentication algorithm. A value of NULL means that type of algorithm is not specified. |
# Display detailed information about all SAs.
<Sysname> display ipsec sa
===============================
Protocol: OSPFv3
===============================
-----------------------------
IPsec policy name: "manual"
sequence number: 1
mode: manual
-----------------------------
connection id: 2
encapsulation mode: transport
perfect forward secrecy:
tunnel:
flow :
[inbound AH SAs]
spi: 1234563 (0x12d683)
proposal: AH-MD5HMAC96
No duration limit for this sa
[outbound AH SAs]
spi: 1234563 (0x12d683)
proposal: AH-MD5HMAC96
No duration limit for this sa
Table 5 Output description
Field | Description |
---|---|
Protocol | Name of the protocol to which the IPsec policy is applied |
IPsec policy name | Name of the IPsec policy used |
sequence number | Sequence number of the IPsec policy |
mode | IPsec negotiation mode |
connection id | IPsec tunnel identifier |
encapsulation mode | Encapsulation mode, transport or tunnel |
perfect forward secrecy | Whether the perfect forward secrecy feature is enabled |
tunnel | IPsec tunnel |
flow | Data flow |
inbound | Information about the inbound SA |
spi | Security parameter index |
proposal | Security protocol and algorithms used by the IPsec proposal |
display ipsec statistics
Syntax
display ipsec statistics [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
tunnel-id integer: Specifies an IPsec tunnel by its ID, which is in the range of 1 to 2000000000.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display ipsec statistics command to display IPsec packet statistics.
If you do not specify any argument, the command displays the statistics for all IPsec packets.
Related commands: reset ipsec statistics.
Examples
# Display statistics on all IPsec packets.
<Sysname> display ipsec statistics
the security packet statistics:
input/output security packets: 47/62
input/output security bytes: 3948/5208
input/output dropped security packets: 0/45
dropped security packet detail:
not enough memory: 0
can't find SA: 45
queue is full: 0
authentication has failed: 0
wrong length: 0
replay packet: 0
packet too long: 0
wrong SA: 0
# Display IPsec packet statistics for Tunnel 3.
<Sysname> display ipsec statistics tunnel-id 3
------------------------------------------------
Connection ID : 3
------------------------------------------------
the security packet statistics:
input/output security packets: 5124/8231
input/output security bytes: 52348/64356
input/output dropped security packets: 0/0
dropped security packet detail:
not enough memory: 0
queue is full: 0
authentication has failed: 0
wrong length: 0
replay packet: 0
packet too long: 0
wrong SA: 0
Table 6 Output description
Field | Description |
---|---|
Connection ID | ID of the tunnel |
input/output security packets | Counts of inbound and outbound IPsec protected packets |
input/output security bytes | Counts of inbound and outbound IPsec protected bytes |
input/output dropped security packets | Counts of inbound and outbound IPsec protected packets that are discarded by the device |
dropped security packet detail | Detailed information about inbound/outbound packets that get dropped |
not enough memory | Number of packets dropped due to lack of memory |
can't find SA | Number of packets dropped because no matching security association was found |
queue is full | Number of packets dropped due to full queues |
authentication has failed | Number of packets dropped due to authentication failure |
wrong length | Number of packets dropped due to wrong packet length |
replay packet | Number of packets dropped because they were detected as replays |
packet too long | Number of packets dropped due to excessive packet length |
wrong SA | Number of packets dropped due to an improper SA |
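The drop counters above are what an operator watches to tell a key or SA mismatch (authentication has failed, wrong SA, can't find SA) or a replay condition apart from a resource problem (not enough memory, queue is full). The following Python is an added example and not part of this command reference or the device software: it parses the `display ipsec statistics` output format shown in this section, computes inbound/outbound drop rates, and lists the non-zero security-relevant drop reasons. The sample text is constructed from the two outputs above (it combines the Connection ID header with the general counters), and the grouping of reasons into SECURITY_REASONS is the example's own assumption.

```python
import re

# Constructed sample, modelled on the `display ipsec statistics` output in this reference.
SAMPLE_OUTPUT = """\
------------------------------------------------
Connection ID : 3
------------------------------------------------
the security packet statistics:
input/output security packets: 47/62
input/output security bytes: 3948/5208
input/output dropped security packets: 0/45
dropped security packet detail:
not enough memory: 0
can't find SA: 45
queue is full: 0
authentication has failed: 0
wrong length: 0
replay packet: 0
packet too long: 0
wrong SA: 0
"""

PAIR_RE = re.compile(r"^input/output (?P<name>.+?): (?P<inb>\d+)/(?P<outb>\d+)$")
DETAIL_RE = re.compile(r"^(?P<name>[^:]+): (?P<count>\d+)$")
CONN_RE = re.compile(r"^Connection ID\s*:\s*(?P<id>\d+)$")

# Drop reasons that point at a key/SA problem or replay rather than a resource shortage
# (assumed grouping; the reference only documents what each counter means).
SECURITY_REASONS = ("authentication has failed", "replay packet", "wrong SA", "can't find SA")


def parse_ipsec_statistics(text):
    """Return {'connection_id': int|None, 'pairs': {name: (in, out)}, 'drops': {reason: count}}."""
    stats = {"connection_id": None, "pairs": {}, "drops": {}}
    in_detail = False
    for raw in text.splitlines():
        line = raw.strip()
        m = CONN_RE.match(line)
        if m:
            stats["connection_id"] = int(m.group("id"))
            continue
        m = PAIR_RE.match(line)
        if m:
            stats["pairs"][m.group("name")] = (int(m.group("inb")), int(m.group("outb")))
            continue
        if line == "dropped security packet detail:":
            in_detail = True
            continue
        m = DETAIL_RE.match(line) if in_detail else None
        if m:
            stats["drops"][m.group("name")] = int(m.group("count"))
    return stats


def drop_rates(stats):
    """(inbound, outbound) share of protected packets that were dropped; 0.0 when none were seen."""
    pk_in, pk_out = stats["pairs"].get("security packets", (0, 0))
    dr_in, dr_out = stats["pairs"].get("dropped security packets", (0, 0))
    return (dr_in / pk_in if pk_in else 0.0, dr_out / pk_out if pk_out else 0.0)


def triage(stats):
    """Non-zero security-relevant drop reasons, largest first, as (reason, count) tuples."""
    hits = [(r, stats["drops"].get(r, 0)) for r in SECURITY_REASONS]
    return sorted([h for h in hits if h[1] > 0], key=lambda h: -h[1])


if __name__ == "__main__":
    s = parse_ipsec_statistics(SAMPLE_OUTPUT)
    print("connection", s["connection_id"], "drop rates in/out", drop_rates(s))
    for reason, count in triage(s):
        print(f"{reason}: {count}")
```

In the sample, 45 of 62 outbound packets were dropped because no SA was found, which on a manual policy typically means the SA was cleared or the policy is not applied where the traffic leaves; a non-zero authentication has failed counter would instead point at a key mismatch between the two ends.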
display ipsec tunnel
Syntax
display ipsec tunnel [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display ipsec tunnel command to display IPsec tunnel information.
Examples
# Display information about IPsec tunnels.
<Sysname> display ipsec tunnel
total tunnel : 1
------------------------------------------------
connection id: 5
perfect forward secrecy:
SA's SPI:
inbound: 12345 (0x3039) [ESP]
outbound: 12345 (0x3039) [ESP]
tunnel:
flow:
current Encrypt-card:
# Display information about IPsec tunnels in aggregation mode.
<Sysname> display ipsec tunnel
total tunnel: 1
------------------------------------------------
connection id: 4
perfect forward secrecy:
SA's SPI:
inbound : 2454606993 (0x924e5491) [ESP]
outbound : 675720232 (0x2846ac28) [ESP]
tunnel :
local address: 44.44.44.44
remote address : 44.44.44.45
flow :
as defined in acl 3001
current Encrypt-card : None
Table 7 Output description
Field | Description |
---|---|
connection id | Connection ID, used to uniquely identify an IPsec tunnel |
perfect forward secrecy | Perfect forward secrecy, indicating which DH group is to be used for fast negotiation mode in IKE phase 2 |
SA's SPI | SPIs of the inbound and outbound SAs |
tunnel | Local and remote addresses of the tunnel |
flow | Data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port and protocol |
as defined in acl 3001 | The IPsec tunnel protects all data flows defined by ACL 3001 |
current Encrypt-card | Encryption card interface used by the current tunnel |
encapsulation-mode
Syntax
encapsulation-mode { transport | tunnel }
undo encapsulation-mode
View
IPsec proposal view
Default level
2: System level
Parameters
transport: Uses transport mode.
tunnel: Uses tunnel mode.
Description
Use the encapsulation-mode command to set the encapsulation mode that the security protocol uses to encapsulate IP packets.
Use the undo encapsulation-mode command to restore the default.
By default, a security protocol encapsulates IP packets in tunnel mode.
IPsec for IPv6 routing protocols supports only the transport mode.
Related commands: ipsec proposal.
Examples
# Configure IPsec proposal prop2 to encapsulate IP packets in transport mode.
<Sysname> system-view
[Sysname] ipsec proposal prop2
[Sysname-ipsec-proposal-prop2] encapsulation-mode transport
esp authentication-algorithm
Syntax
esp authentication-algorithm { md5 | sha1 }
undo esp authentication-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
md5: Uses the MD5 algorithm, which uses a 128-bit key.
sha1: Uses the SHA1 algorithm, which uses a 160-bit key.
Description
Use the esp authentication-algorithm command to specify the authentication algorithm for ESP.
Use the undo esp authentication-algorithm command to configure ESP not to perform authentication on packets.
By default, the MD5 algorithm is used.
Related commands: ipsec proposal, esp encryption-algorithm, proposal, and transform.
Examples
# Configure IPsec proposal prop1 to use ESP and specify SHA1 as the authentication algorithm for ESP.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform esp
[Sysname-ipsec-proposal-prop1] esp authentication-algorithm sha1
esp encryption-algorithm
Syntax
esp encryption-algorithm { 3des | aes [ key-length ] | des }
undo esp encryption-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
3des: Uses triple DES (3DES) in cipher block chaining (CBC) mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption.
aes: Uses advanced encryption standard (AES) in CBC mode as the encryption algorithm. The AES algorithm uses a 128-bit, 192-bit, or 256-bit key for encryption.
key-length: Key length for the AES algorithm, which can be 128, 192, or 256 and defaults to 128. This argument is for AES only.
des: Uses data encryption standard (DES) in CBC mode as the encryption algorithm. The DES algorithm uses a 56-bit key for encryption.
Description
Use the esp encryption-algorithm command to specify the encryption algorithm for ESP.
Use the undo esp encryption-algorithm command to configure ESP not to encrypt packets.
By default, the DES algorithm is used.
3DES is well suited for environments with high demand on confidentiality and security, but it is comparatively slow in encryption. DES is enough to satisfy normal security requirements.
ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. Because ESP must provide at least one of the two, the undo esp encryption-algorithm command takes effect only if an authentication algorithm is configured.
Related commands: ipsec proposal, esp authentication-algorithm, proposal, and transform.
Examples
# Configure IPsec proposal prop1 to use ESP and specify 3DES as the encryption algorithm for ESP.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform esp
[Sysname-ipsec-proposal-prop1] esp encryption-algorithm 3des
ipsec policy (system view)
Syntax
ipsec policy policy-name seq-number [ manual ]
undo ipsec policy policy-name [ seq-number ]
View
System view
Default level
2: System level
Parameters
policy-name: Name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No minus sign (-) can be included.
seq-number: Sequence number for the IPsec policy, in the range of 1 to 65535.
manual: Sets up SAs manually.
Description
Use the ipsec policy command to create an IPsec policy and enter its view.
Use the undo ipsec policy command to delete the specified IPsec policies.
By default, no IPsec policy exists.
When creating an IPsec policy, you must specify the generation mode.
You cannot change the generation mode of an existing IPsec policy; you can only delete the policy and then re-create it with the new mode.
IPsec policies with the same name constitute an IPsec policy group. An IPsec policy is identified uniquely by its name and sequence number. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
The undo ipsec policy command without the seq-number argument deletes an IPsec policy group.
Related commands: display ipsec policy.
Examples
# Create an IPsec policy with the name policy1 and specify the manual mode for it.
<Sysname> system-view
[Sysname] ipsec policy policy1 101 manual
[Sysname-ipsec-policy-manual-policy1-101]
ipsec proposal
Syntax
ipsec proposal proposal-name
undo ipsec proposal proposal-name
View
System view
Default level
2: System level
Parameters
proposal-name: Name for the proposal, a case-insensitive string of 1 to 32 characters.
Description
Use the ipsec proposal command to create an IPsec proposal and enter its view.
Use the undo ipsec proposal command to delete an IPsec proposal.
By default, no IPsec proposal exists.
An IPsec proposal created by using the ipsec proposal command takes the security protocol of ESP, the encryption algorithm of DES, and the authentication algorithm of MD5 by default.
Related commands: display ipsec proposal.
Examples
# Create an IPsec proposal named newprop1.
<Sysname> system-view
[Sysname] ipsec proposal newprop1
proposal (IPsec policy view)
Syntax
proposal proposal-name&<1-6>
undo proposal [ proposal-name ]
View
IPsec policy view
Default level
2: System level
Parameters
proposal-name&<1-6>: Name of the IPsec proposal for the IPsec policy to reference, a string of 1 to 32 characters. &<1-6> means that you can specify the proposal-name argument up to six times.
Description
Use the proposal command to specify the IPsec proposals for the IPsec policy to reference.
Use the undo proposal command to remove an IPsec proposal referenced by the IPsec policy.
By default, an IPsec policy references no IPsec proposal.
You can specify only existing IPsec proposals when using this command.
A manual IPsec policy can reference only one IPsec proposal. To replace a referenced IPsec proposal, use the undo proposal command to remove the original proposal binding and then use the proposal command to reconfigure one.
Related commands: ipsec proposal and ipsec policy (system view).
Examples
# Configure IPsec policy policy1 to reference IPsec proposal prop1.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] proposal prop1
reset ipsec sa
Syntax
reset ipsec sa [ policy policy-name [ seq-number ] ]
View
User view
Default level
2: System level
Parameters
policy policy-name: Specifies an IPsec policy by its name, a case-sensitive string of 1 to 15 alphanumeric characters.
seq-number: Sequence number of the IPsec policy, in the range of 1 to 65535. If no seq-number is specified, all the policies in the IPsec policy group named policy-name are specified.
Description
Use the reset ipsec sa command to clear the specified or all IPsec SAs.
If no parameter is specified, the command clears all SAs.
Immediately after a manually set up SA is cleared, the system automatically sets up a new SA based on the parameters of the IPsec policy.
Related commands: display ipsec sa.
Examples
# Clear all SAs.
<Sysname> reset ipsec sa
# Clear the SA of the IPsec policy with the name of policy1 and sequence number of 10.
<Sysname> reset ipsec sa policy policy1 10
reset ipsec statistics
Syntax
reset ipsec statistics
View
User view
Default level
2: System level
Parameters
None
Description
Use the reset ipsec statistics command to clear IPsec packet statistics, setting all the counters to zero.
Related commands: display ipsec statistics.
Examples
# Clear IPsec message statistics.
<Sysname> reset ipsec statistics
sa authentication-hex
Syntax
sa authentication-hex { inbound | outbound } { ah | esp } hex-key
undo sa authentication-hex { inbound | outbound } { ah | esp }
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
hex-key: Authentication key for the SA, in hexadecimal format. The length of the key is 16 bytes for MD5 and 20 bytes for SHA1.
Description
Use the sa authentication-hex command to configure an authentication key for an SA.
Use the undo sa authentication-hex command to remove the configuration.
When configuring a manual IPsec policy, you must configure parameters for both the inbound and outbound SAs.
The authentication key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the authentication key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.
At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.
Related commands: ipsec policy (system view).
Examples
# Configure the authentication keys of the inbound and outbound SAs that use AH as 0x112233445566778899aabbccddeeff00.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex inbound ah 0x112233445566778899aabbccddeeff00
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah 0x112233445566778899aabbccddeeff00
sa encryption-hex
Syntax
sa encryption-hex { inbound | outbound } esp hex-key
undo sa encryption-hex { inbound | outbound } esp
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
esp: Uses ESP.
hex-key: Encryption key for the SA, in hexadecimal format. The length of the key must be 8 bytes for DES-CBC, 24 bytes for 3DES-CBC, 16 bytes for AES128-CBC, 24 bytes for AES192-CBC, and 32 bytes for AES256-CBC.
Description
Use the sa encryption-hex command to configure an encryption key for an SA.
Use the undo sa encryption-hex command to remove the configuration.
When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.
The encryption key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the encryption key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.
At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.
Related commands: ipsec policy (system view).
Examples
# Configure the encryption keys for the inbound and outbound SAs that use ESP as 1234567890abcdef and abcdefabcdef1234 respectively.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex inbound esp 1234567890abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex outbound esp abcdefabcdef1234
sa spi
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
spi-number: Security parameters index (SPI) in the SA triplet, in the range of 256 to 4294967295.
Description
Use the sa spi command to configure an SPI for an SA.
Use the undo sa spi command to remove the configuration.
When configuring a manual IPsec policy, you must configure parameters for both the inbound and outbound SAs.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.
When configuring IPsec for an IPv6 routing protocol, follow these guidelines:
· The inbound and outbound SAs at the local end must use the same SPI.
· Within a certain network scope, each router must use the same SPI and keys for its inbound and outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.
Related commands: ipsec policy (system view).
Examples
# Set both the SPI for the inbound SA and that for the outbound SA to 10000.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000
[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 10000
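The rules stated under sa authentication-hex, sa encryption-hex and sa spi (both directions must be configured, the hex key length is fixed by the algorithm in the proposal, the SPI must be in range, and the local inbound SA must match the remote outbound SA and vice versa) are easy to break when two devices are edited by hand. The following Python is an added example, not part of this command reference or of the device software: it models a manual IPsec policy, checks one end against the key-size and SPI rules documented above, and checks a pair of ends for the cross-wise match. The key sizes and SPI range are the documented ones; the Proposal and ManualPolicy classes, the mirror helper, the sample keys and the wording of the findings are the example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Key sizes in bytes as documented for sa authentication-hex and sa encryption-hex,
# and the SPI range documented for sa spi.
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}
ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes-128": 16, "aes-192": 24, "aes-256": 32}
SPI_MIN, SPI_MAX = 256, 4294967295
DIRECTIONS = ("inbound", "outbound")
Slot = Tuple[str, str]  # (direction, protocol), e.g. ("inbound", "ah")


@dataclass
class Proposal:
    """Algorithms of an IPsec proposal. Defaults are those of `transform esp`; for
    `ah-esp`, pass esp_auth=None, since ESP then uses no authentication by default."""
    transform: str = "esp"              # ah | ah-esp | esp
    ah_auth: str = "md5"
    esp_auth: Optional[str] = "md5"     # None models `undo esp authentication-algorithm`
    esp_enc: Optional[str] = "des"      # None models `undo esp encryption-algorithm`

    def protocols(self) -> List[str]:
        return {"ah": ["ah"], "esp": ["esp"], "ah-esp": ["ah", "esp"]}[self.transform]


@dataclass
class ManualPolicy:
    """One `ipsec policy <name> <seq> manual` with its sa spi and sa *-hex settings.
    Hex keys are stored exactly as typed on the CLI (0x prefix optional)."""
    name: str
    seq: int
    proposal: Proposal
    spi: Dict[Slot, int] = field(default_factory=dict)
    auth_hex: Dict[Slot, str] = field(default_factory=dict)
    enc_hex: Dict[Slot, str] = field(default_factory=dict)


def hex_digits(key: str) -> str:
    """Normalised hex digits of a CLI key, or '' if the key is not valid even-length hex."""
    d = key[2:] if key.lower().startswith("0x") else key
    ok = bool(d) and len(d) % 2 == 0 and all(c in "0123456789abcdef" for c in d.lower())
    return d.lower() if ok else ""


def validate_policy(p: ManualPolicy) -> List[str]:
    """One end: each protocol of the proposal has both directions configured,
    SPIs are in range, and each hex key has the size its algorithm requires."""
    problems = []
    for proto in p.proposal.protocols():
        auth = p.proposal.ah_auth if proto == "ah" else p.proposal.esp_auth
        enc = None if proto == "ah" else p.proposal.esp_enc
        for d in DIRECTIONS:
            spi = p.spi.get((d, proto))
            if spi is None:
                problems.append(f"{d} {proto}: no SPI configured")
            elif not SPI_MIN <= spi <= SPI_MAX:
                problems.append(f"{d} {proto}: SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
            for label, alg, table, sizes in (("auth", auth, p.auth_hex, AUTH_KEY_BYTES),
                                             ("enc", enc, p.enc_hex, ENC_KEY_BYTES)):
                if alg is None:
                    continue
                got = len(hex_digits(table.get((d, proto), ""))) // 2
                if got != sizes[alg]:
                    problems.append(f"{d} {proto}: {alg} {label} key must be {sizes[alg]} bytes, got {got}")
    return problems


def validate_pair(local: ManualPolicy, remote: ManualPolicy) -> List[str]:
    """Both ends: local inbound must equal remote outbound (and vice versa) for SPI and keys."""
    if local.proposal.protocols() != remote.proposal.protocols():
        return ["peers use different transforms"]
    problems = []
    for proto in local.proposal.protocols():
        for ld, rd in (("inbound", "outbound"), ("outbound", "inbound")):
            for label, ltab, rtab in (("SPI", local.spi, remote.spi),
                                      ("auth key", local.auth_hex, remote.auth_hex),
                                      ("enc key", local.enc_hex, remote.enc_hex)):
                lv, rv = ltab.get((ld, proto)), rtab.get((rd, proto))
                if isinstance(lv, str):
                    lv, rv = hex_digits(lv), hex_digits(rv or "")
                if lv != rv:
                    problems.append(f"{proto} {label}: local {ld} differs from remote {rd}")
    return problems


def mirror(p: ManualPolicy, name: Optional[str] = None) -> ManualPolicy:
    """The matching configuration for the other end: every inbound value becomes outbound."""
    swap = {"inbound": "outbound", "outbound": "inbound"}
    flip = lambda t: {(swap[d], proto): v for (d, proto), v in t.items()}
    return ManualPolicy(name or p.name, p.seq, p.proposal, flip(p.spi), flip(p.auth_hex), flip(p.enc_hex))


# Constructed sample: ESP with SHA1 and AES-128, so 20-byte auth keys and 16-byte encryption keys.
LOCAL = ManualPolicy(
    "policy1", 100, Proposal("esp", esp_auth="sha1", esp_enc="aes-128"),
    spi={("inbound", "esp"): 10000, ("outbound", "esp"): 20000},
    auth_hex={("inbound", "esp"): "0x00112233445566778899aabbccddeeff00112233",
              ("outbound", "esp"): "0xffeeddccbbaa99887766554433221100ffeeddcc"},
    enc_hex={("inbound", "esp"): "0123456789abcdef0123456789abcdef",
             ("outbound", "esp"): "fedcba9876543210fedcba9876543210"},
)

if __name__ == "__main__":
    print("local:", validate_policy(LOCAL) or "ok")
    print("pair:", validate_pair(LOCAL, mirror(LOCAL, "policy1-remote")) or "ok")
```

Running validate_policy on each end before applying the configuration catches the cases the device otherwise reports only as authentication has failed or wrong SA drops after the tunnel is up; mirror gives the configuration the remote end should carry, which is the same relationship the examples above establish by hand.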
sa string-key
Syntax
sa string-key { inbound | outbound } { ah | esp } string-key
undo sa string-key { inbound | outbound } { ah | esp }
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
string-key: Key string for the SA, consisting of 1 to 255 characters. For different algorithms, enter strings at any length in the specified range. Using this key string, the system automatically generates keys meeting the algorithm requirements. When the protocol is ESP, the system generates the keys for the authentication algorithm and encryption algorithm respectively.
Description
Use the sa string-key command to set a key string for an SA.
Use the undo sa string-key command to remove the configuration.
This command applies to only manual IPsec policies.
When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.
Enter keys in the same format for the local and remote inbound and outbound SAs. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters.
Follow these guidelines when configuring an IPsec policy for an IPv6 protocol:
· Within a certain network scope, each router must use the same SPI and keys for its inbound and outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.
· Enter the keys in the same format on all routers. For example, if you enter the keys in hexadecimal format on one router, do so across the defined scope.
Related commands: ipsec policy (system view).
Examples
# Configure the keys for the inbound and outbound SAs using AH to abcdef and efcdab respectively.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah efcdab
# For an IPsec policy used to protect an IPv6 routing protocol, configure the keys to abcdef for the inbound and outbound SAs that use AH.
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah abcdef
transform
Syntax
transform { ah | ah-esp | esp }
undo transform
View
IPsec proposal view
Default level
2: System level
Parameters
ah: Uses the AH protocol.
ah-esp: Uses ESP first and then AH.
esp: Uses the ESP protocol.
Description
Use the transform command to specify the security protocol for an IPsec proposal.
Use the undo transform command to restore the default.
By default, the ESP protocol is used.
If ESP is used, the default encryption and authentication algorithms are DES and MD5 respectively.
If AH is used, the default authentication algorithm is MD5.
If both AH and ESP are used, AH takes the authentication algorithm of MD5 by default, while ESP takes the encryption algorithm of DES and uses no authentication algorithm by default.
The IPsec proposals at the two ends of an IPsec tunnel must use the same security protocol.
Related commands: ipsec proposal.
Examples
# Configure IPsec proposal prop1 to use AH.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform ah