sa hex-key encryption
Use sa hex-key encryption to configure a hexadecimal encryption key for a manual IPsec SA.
Use undo sa hex-key encryption to delete the hexadecimal encryption key for a manual IPsec SA.
Syntax
sa hex-key encryption { inbound | outbound } esp { cipher | simple } string
undo sa hex-key encryption { inbound | outbound } esp
Default
No hexadecimal encryption keys are configured for manual IPsec SAs.
Views
IPsec policy view
IPsec profile view
Predefined user roles
network-admin
mdc-admin
Parameters
inbound: Specifies a hexadecimal encryption key for the inbound SA.
outbound: Specifies a hexadecimal encryption key for the outbound SA.
esp: Uses ESP.
cipher: Specifies a key in encrypted form.
simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. Its encrypted form is a case-sensitive string of 1 to 117 characters. Its plaintext form is a case-insensitive hexadecimal string whose length must match the key length of the encryption algorithm in use (two hexadecimal characters per byte).
The following matrix shows the key length for the algorithms:
| Algorithm | Key length (bytes) |
|---|---|
| DES-CBC | 8 |
| 3DES-CBC | 24 |
| AES128-CBC | 16 |
| AES192-CBC | 24 |
| AES256-CBC | 32 |
Usage guidelines
This command applies only to manual IPsec policies and IPsec profiles.
You must set an encryption key for both the inbound and outbound SAs.
The local inbound SA must use the same encryption key as the remote outbound SA, and the local outbound SA must use the same encryption key as the remote inbound SA.
In an IPsec profile to be applied to an IPv6 routing protocol, the local encryption keys of the inbound and outbound SAs must be identical.
The keys for the IPsec SAs at the two tunnel ends must be configured in the same format (either hexadecimal with sa hex-key encryption, or character with sa string-key). Otherwise, the two ends cannot establish an IPsec tunnel.
If you execute this command multiple times for the same direction, the most recent configuration takes effect.
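The cross-matching rule above (local inbound = remote outbound, local outbound = remote inbound) and the per-algorithm key lengths are easy to get wrong when keys are typed by hand on two devices. The following Python script is an added example, not part of this command reference or of any vendor tool: it generates random keys of the correct length for a chosen algorithm from the matrix above, validates a hexadecimal key against that length, emits the sa hex-key encryption lines for both tunnel ends with the inbound/outbound keys swapped, and checks two peers' configurations for a mismatch. The algorithm names are the ones used in the matrix; the single-key mode for an IPv6 routing protocol profile follows the guideline that the local inbound and outbound keys must be identical in that case.

```python
import os
import re

# Key length in bytes per ESP encryption algorithm, taken from the matrix on this page.
KEY_LEN_BYTES = {
    "DES-CBC": 8,
    "3DES-CBC": 24,
    "AES128-CBC": 16,
    "AES192-CBC": 24,
    "AES256-CBC": 32,
}

_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def validate_hex_key(algorithm, hex_key):
    """True if hex_key is a plaintext hexadecimal key of the length algorithm requires.

    The plaintext form is case-insensitive, so both upper- and lower-case digits pass.
    """
    expected_bytes = KEY_LEN_BYTES[algorithm]
    if not _HEX_RE.match(hex_key):
        return False
    return len(hex_key) == 2 * expected_bytes


def generate_hex_key(algorithm):
    """Return a fresh random key of the right length, as lower-case hex (from os.urandom)."""
    return os.urandom(KEY_LEN_BYTES[algorithm]).hex()


def sa_hex_key_commands(inbound_key, outbound_key):
    """The two command lines (plaintext form) for one tunnel end."""
    return [
        f"sa hex-key encryption inbound esp simple {inbound_key}",
        f"sa hex-key encryption outbound esp simple {outbound_key}",
    ]


def peer_configs(algorithm, key_a_to_b=None, key_b_to_a=None):
    """Command lines for peers A and B with keys cross-matched.

    key_a_to_b protects traffic A sends to B: it is A's outbound key and B's inbound key.
    key_b_to_a protects traffic B sends to A: it is B's outbound key and A's inbound key.
    Missing keys are generated randomly; supplied keys are validated for the algorithm.
    """
    if key_a_to_b is None:
        key_a_to_b = generate_hex_key(algorithm)
    if key_b_to_a is None:
        key_b_to_a = generate_hex_key(algorithm)
    for key in (key_a_to_b, key_b_to_a):
        if not validate_hex_key(algorithm, key):
            raise ValueError(f"{key!r} is not a valid {algorithm} hex key")
    return {
        "A": sa_hex_key_commands(inbound_key=key_b_to_a, outbound_key=key_a_to_b),
        "B": sa_hex_key_commands(inbound_key=key_a_to_b, outbound_key=key_b_to_a),
    }


def ipv6_routing_profile_commands(algorithm, key=None):
    """IPsec profile for an IPv6 routing protocol: inbound and outbound keys must be identical."""
    if key is None:
        key = generate_hex_key(algorithm)
    if not validate_hex_key(algorithm, key):
        raise ValueError(f"{key!r} is not a valid {algorithm} hex key")
    return sa_hex_key_commands(inbound_key=key, outbound_key=key)


def _key_of(commands, direction):
    # Command shape: sa hex-key encryption <inbound|outbound> esp simple <KEY>
    for cmd in commands:
        parts = cmd.split()
        if len(parts) == 7 and parts[:3] == ["sa", "hex-key", "encryption"] and parts[3] == direction:
            return parts[6].lower()  # plaintext hex keys are case-insensitive
    return None


def keys_match(local_cmds, remote_cmds):
    """True if local inbound == remote outbound and local outbound == remote inbound."""
    return (_key_of(local_cmds, "inbound") == _key_of(remote_cmds, "outbound")
            and _key_of(local_cmds, "outbound") == _key_of(remote_cmds, "inbound"))


if __name__ == "__main__":
    # Constructed demo: the two 8-byte keys from the page's example (DES-CBC length).
    cfg = peer_configs("DES-CBC", key_a_to_b="1234567890abcdef", key_b_to_a="abcdefabcdef1234")
    for peer, cmds in cfg.items():
        print(f"# Peer {peer}")
        for cmd in cmds:
            print(cmd)
    print("cross-matched:", keys_match(cfg["A"], cfg["B"]))
```

Use generate_hex_key rather than memorable values for real deployments: a manual SA has no key exchange, so the hexadecimal string typed here is the entire secret for that SA until it is reconfigured.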
Examples
# Configure plaintext encryption keys 0x1234567890abcdef and 0xabcdefabcdef1234 (8-byte keys, the DES-CBC length in the matrix above) for the inbound and outbound IPsec SAs that use ESP.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption inbound esp simple 1234567890abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption outbound esp simple abcdefabcdef1234
Related commands
display ipsec sa
sa string-key