sa string-key

Use sa string-key to set a key string (a key in character format) for manual IPsec SAs.

Use undo sa string-key to remove the key string.

Syntax

sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string

undo sa string-key { inbound | outbound } { ah | esp }

Default

No key string is configured for manual IPsec SAs.

Views

IPsec policy view

IPsec profile view

Predefined user roles

network-admin

mdc-admin

Parameters

inbound: Sets a key string for inbound IPsec SAs.

outbound: Sets a key string for outbound IPsec SAs.

ah: Uses AH.

esp: Uses ESP.

cipher: Specifies a key string in encrypted form.

simple: Specifies a key string in plaintext form. For security purposes, the key string specified in plaintext form will be stored in encrypted form.

string: Specifies the key string. Its encrypted form is a case-sensitive string of 1 to 373 characters. Its plaintext form is a case-sensitive string of 1 to 255 characters. Using the key string, the system automatically generates keys that meet the algorithm requirements. When the protocol is ESP, the system automatically generates keys for the authentication algorithm and encryption algorithm.

Usage guidelines

This command applies only to manual IPsec policies and IPsec profiles.

You must set a key for both inbound and outbound SAs.

The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA must use the same key as the remote inbound SA.

The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, the two ends cannot establish an IPsec tunnel.

When you configure an IPsec profile for an IPv6 routing protocol, follow these guidelines:

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the inbound and outbound SAs that use AH to use plaintext keys abcdef and efcdab, respectively.

<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab

# In an IPsec policy for an IPv6 routing protocol, configure the inbound and outbound SAs that use AH to use plaintext key abcdef.

<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple abcdef
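
The following pre-deployment check is an added example, not part of the original command reference or any vendor code. It reads the intended manual SA key lines for two tunnel ends and reports violations of the usage guidelines above: a missing direction, a string/hex format mismatch, or keys that are not mirrored between the ends. Assumptions: keys are compared only when both are in simple form, sa hex-key lines carry the same direction and protocol keywords, and parse_sa_keys and check_pair are hypothetical names.

```python
import re

# Assumption: "sa hex-key" lines carry the same direction and protocol keywords.
SA_LINE = re.compile(r"(undo )?sa (string|hex)-key\b.*?\b(inbound|outbound)\s+(ah|esp)\b(.*)$")
MIRROR = {"inbound": "outbound", "outbound": "inbound"}

def parse_sa_keys(config):
    """Map (direction, protocol) -> (format, form, key); the most recent command wins."""
    keys = {}
    for line in config.splitlines():
        m = SA_LINE.search(line)
        if not m:
            continue
        undo, fmt, direction, proto, tail = m.groups()
        slot, tok = (direction, proto), tail.split()
        if undo:
            keys = {k: v for k, v in keys.items() if (k, v[0]) != (slot, fmt)}
        elif fmt == "hex":
            keys[slot] = ("hex", None, None)
        elif tok:
            form = tok[0] if len(tok) == 2 and tok[0] in ("cipher", "simple") else None
            keys[slot] = ("string", form, tok[-1])
    return keys

def check_pair(local_cfg, remote_cfg):
    """Return findings for two tunnel ends, following the usage guidelines."""
    local, remote = parse_sa_keys(local_cfg), parse_sa_keys(remote_cfg)
    findings = []
    for proto in sorted({p for _, p in local} | {p for _, p in remote}):
        for name, keys in (("local", local), ("remote", remote)):
            for direction in ("inbound", "outbound"):
                if (direction, proto) not in keys:
                    findings.append(f"{name}: no {direction} {proto} key")
    for (direction, proto), (fmt, form, key) in sorted(local.items()):
        peer = remote.get((MIRROR[direction], proto))
        if peer is None:
            continue  # already reported as missing above
        if peer[0] != fmt:
            findings.append(f"{proto} local {direction}: string/hex format mismatch")
        elif fmt == "hex" or form != "simple" or peer[1] != "simple":
            findings.append(f"{proto} local {direction}: not comparable offline")
        elif peer[2] != key:
            findings.append(f"{proto} local {direction}: differs from remote {MIRROR[direction]}")
    return findings

# Constructed sample: the page's AH example, and a peer that copied it unmirrored.
LOCAL = "sa string-key inbound ah simple abcdef\nsa string-key outbound ah simple efcdab"
PEER = LOCAL
if __name__ == "__main__":
    print(check_pair(LOCAL, PEER))
```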

Related commands

display ipsec sa

sa hex-key