sa hex-key encryption

Use sa hex-key encryption to configure an encryption key for a manual IPsec SA.

Use undo sa hex-key encryption to delete an encryption key for a manual IPsec SA.

Syntax

sa hex-key encryption { inbound | outbound } esp { cipher | simple } string

undo sa hex-key encryption { inbound | outbound } esp

Default

No hexadecimal encryption keys are configured for manual IPsec SAs.

Views

IPsec policy view

IPsec profile view

Predefined user roles

network-admin

mdc-admin

Parameters

inbound: Specifies a hexadecimal encryption key for the inbound SA.

outbound: Specifies a hexadecimal encryption key for the outbound SA.

esp: Uses ESP.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its encrypted form is a case-sensitive string of 1 to 117 characters. Its plaintext form is a case-insensitive hexadecimal string and the key length varies by algorithm.

The following matrix shows the key length for the algorithms:

Algorithm       Key length (bytes)
DES-CBC         8
3DES-CBC        24
AES128-CBC      16
AES192-CBC      24
AES256-CBC      32

Usage guidelines

This command applies only to manual IPsec policies and IPsec profiles.

You must set an encryption key for both the inbound and outbound SAs.

The local inbound SA must use the same encryption key as the remote outbound SA, and the local outbound SA must use the same encryption key as the remote inbound SA.

In an IPsec profile to be applied to an IPv6 routing protocol, the local encryption keys of the inbound and outbound SAs must be identical.

The keys for the IPsec SAs at the two tunnel ends must be configured in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.

If you execute this command multiple times for the same direction, the most recent configuration takes effect.
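An added helper, not part of this command reference, that checks a plaintext hex key against the key-length matrix above and the pairing rules in the usage guidelines before the commands are entered on the device; the algorithm names as dictionary keys, the function names and the use of secrets.token_hex for key generation are assumptions of this example.

```python
import re
import secrets

# Key lengths (bytes) from the page's matrix; a plaintext hex key holds
# two hex digits per byte, so DES-CBC needs 16 hex digits, AES256-CBC 64.
KEY_LENGTH_BYTES = {
    "DES-CBC": 8,
    "3DES-CBC": 24,
    "AES128-CBC": 16,
    "AES192-CBC": 24,
    "AES256-CBC": 32,
}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def validate_hex_key(algorithm, key):
    """Return None if key is a valid plaintext hex key for algorithm,
    otherwise a short reason. Plaintext keys are case-insensitive hex
    strings whose length is fixed by the algorithm."""
    if algorithm not in KEY_LENGTH_BYTES:
        return "unknown algorithm %s" % algorithm
    if not HEX_RE.match(key):
        return "key is not a hexadecimal string"
    expected = KEY_LENGTH_BYTES[algorithm] * 2
    if len(key) != expected:
        return "expected %d hex digits for %s, got %d" % (expected, algorithm, len(key))
    return None


def check_peer_keys(local_in, local_out, remote_in, remote_out, ipv6_routing_profile=False):
    """Apply the pairing rules from the usage guidelines: local inbound must
    equal remote outbound, local outbound must equal remote inbound, and a
    profile applied to an IPv6 routing protocol needs identical local keys.
    Returns a list of problems (empty when the keys are consistent)."""
    problems = []
    if local_in.lower() != remote_out.lower():
        problems.append("local inbound key differs from remote outbound key")
    if local_out.lower() != remote_in.lower():
        problems.append("local outbound key differs from remote inbound key")
    if ipv6_routing_profile and local_in.lower() != local_out.lower():
        problems.append("IPv6 routing-protocol profile needs identical inbound and outbound keys")
    return problems


def generate_key(algorithm):
    """Return a random plaintext hex key of the right length for algorithm,
    so the key is not a guessable pattern like the documentation's example."""
    return secrets.token_hex(KEY_LENGTH_BYTES[algorithm])
```

Run validate_hex_key on each key and check_peer_keys on both peers' configuration before pasting the sa hex-key encryption commands; a length mismatch or swapped direction is cheaper to find here than after the tunnel fails to come up.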

Examples

# Configure plaintext encryption keys 0x1234567890abcdef and 0xabcdefabcdef1234 for the inbound and outbound IPsec SAs that use ESP.

<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption inbound esp simple 1234567890abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption outbound esp simple abcdefabcdef1234

Related commands

display ipsec sa

sa string-key