AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
sa encryption-hex

Function

The sa encryption-hex command sets an encryption key for manually created SAs.

The undo sa encryption-hex command cancels the configuration.

By default, no encryption key is set for an SA.

Format

sa encryption-hex { inbound | outbound } esp { simple | cipher } hex-string

undo sa encryption-hex { inbound | outbound } esp

Parameters

Parameter: inbound
Description: Indicates the inbound SA.
Value: -

Parameter: outbound
Description: Indicates the outbound SA.
Value: -

Parameter: esp
Description: Indicates that the SA uses the ESP protocol. If the IPSec proposal referenced by the IPSec policy uses the ESP protocol, use this keyword to set the authentication key of the SA.
Value: -

Parameter: simple
Description: Indicates the encryption key in plain text. The encryption key is displayed in plain text in the configuration file.

NOTICE: If simple is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.

Value: -

Parameter: cipher
Description: Indicates the encryption key in cipher text. You can enter an authentication key in plain text or cipher text. The encryption key is displayed in cipher text in the configuration file.
Value: -

Parameter: hex-string
Description: Specifies the encryption key of the SA.
Value: The value is expressed in hexadecimal notation.

  • When the DES algorithm is used, the encryption key is 8 bytes long. The cipher text password is a string of 16 bytes.

  • When the 3DES algorithm is used, the encryption key is 24 bytes long. The cipher text password is a string of 40 bytes.

  • When the 128-bit AES algorithm is used, the encryption key is 16 bytes long. The cipher text password is a string of 28 bytes.

  • When the 192-bit AES algorithm is used, the encryption key is 24 bytes long. The cipher text password is a string of 40 bytes.

  • When the 256-bit AES algorithm is used, the encryption key is 32 bytes long. The cipher text password is a string of 52 bytes.

  • When the SM1 algorithm is used, the encryption key is 16 bytes long. The cipher text password is a string of 28 bytes.

NOTICE: DES and 3DES are insecure and have potential security risks. You are advised to use AES-128, AES-192, SM1, or AES-256.

Views

Manual IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an encryption algorithm is specified in the IPSec proposal referenced by a manually created IPSec policy, you must configure an encryption key for the inbound/outbound SA. The inbound encryption key on the local end must be the same as the outbound encryption key on the remote end. The outbound encryption key on the local end must be the same as the inbound encryption key on the remote end.

Precautions

The sa encryption-hex command applies to the IPSec policy that uses the manual SA creation mode. You do not need to set the encryption key of the SA established through IKE negotiation.

Follow-up Procedure

When the referenced IPSec proposal specifies both authentication and encryption algorithms, run the sa authentication-hex command to configure an authentication key.

Example

# In an IPSec policy that uses the ESP protocol and AES-192 encryption algorithm, set the SPI of the inbound SA to 10000, the encryption key of the inbound SA to 0x1234567890abcdef1234567890abcdef1234567890abcdef, the SPI of the outbound SA to 20000, and the encryption key of the outbound SA to 0xabcdefabcdef1234abcdefabcdef1234abcdefabcdef1234. The encryption key is displayed in cipher text.

<Huawei> system-view
[Huawei] ipsec proposal prop1
[Huawei-ipsec-proposal-prop1] transform esp
[Huawei-ipsec-proposal-prop1] esp encryption-algorithm aes-192
[Huawei-ipsec-proposal-prop1] quit
[Huawei] ipsec policy policy1 100 manual
[Huawei-ipsec-policy-manual-policy1-100] proposal prop1
[Huawei-ipsec-policy-manual-policy1-100] sa spi inbound esp 10000
[Huawei-ipsec-policy-manual-policy1-100] sa encryption-hex inbound esp cipher 1234567890abcdef1234567890abcdef1234567890abcdef
[Huawei-ipsec-policy-manual-policy1-100] sa spi outbound esp 20000
[Huawei-ipsec-policy-manual-policy1-100] sa encryption-hex outbound esp cipher abcdefabcdef1234abcdefabcdef1234abcdefabcdef1234
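
The key-length rules in the hex-string description and the inbound/outbound mirroring rule under Usage Scenario can be checked before a change is pushed to both peers. The following is an added example, not Huawei code: the function names are hypothetical, the algorithm keyword spellings other than aes-192 are assumptions, and the input is the commands as typed (a saved configuration shows cipher keys in cipher text, which this check cannot measure).

```python
import re
import secrets

# Raw key bytes per algorithm, from the hex-string description on this page.
# Only "aes-192" appears as a CLI keyword here; other spellings are assumed.
KEY_BYTES = {"des": 8, "3des": 24, "aes-128": 16, "aes-192": 24, "aes-256": 32, "sm1": 16}
WEAK = {"des", "3des"}  # called insecure in the NOTICE on this page
SA_RE = re.compile(r"sa encryption-hex (inbound|outbound) esp (simple|cipher) (\S+)")
ALG_RE = re.compile(r"esp encryption-algorithm (\S+)")

# LOCAL is the example from this page. REMOTE is a constructed peer whose
# inbound key was cut to 16 bytes and entered with "simple".
LOCAL = """esp encryption-algorithm aes-192
sa encryption-hex inbound esp cipher 1234567890abcdef1234567890abcdef1234567890abcdef
sa encryption-hex outbound esp cipher abcdefabcdef1234abcdefabcdef1234abcdefabcdef1234"""
REMOTE = """esp encryption-algorithm aes-192
sa encryption-hex outbound esp cipher 1234567890abcdef1234567890abcdef1234567890abcdef
sa encryption-hex inbound esp simple abcdefabcdef1234abcdefabcdef1234"""

def new_key(alg):
    """Random hex key of the length the page lists for alg."""
    return secrets.token_hex(KEY_BYTES[alg])

def parse(config):
    """Return (algorithm, {direction: (mode, key)}) from commands as typed."""
    alg = ALG_RE.search(config)
    keys = {m[1]: (m[2], m[3].lower()) for m in SA_RE.finditer(config)}
    return (alg[1] if alg else None), keys

def lint(local, remote):
    """Check both peers' manual SA keys against the rules on this page."""
    peers = {"local": parse(local), "remote": parse(remote)}
    out = []
    for name, (alg, keys) in peers.items():
        if alg in WEAK:
            out.append(f"{name}: {alg} is insecure")
        for direction, (mode, key) in keys.items():
            if mode == "simple":
                out.append(f"{name} {direction}: key saved in plain text")
            if not re.fullmatch(r"[0-9a-f]+", key):
                out.append(f"{name} {direction}: not plain hex, length unchecked")
            elif alg in KEY_BYTES and len(key) != 2 * KEY_BYTES[alg]:
                out.append(f"{name} {direction}: key is {len(key) // 2} bytes, "
                           f"{alg} needs {KEY_BYTES[alg]}")
    # Each side's inbound key must equal the other side's outbound key.
    for a, b in (("inbound", "outbound"), ("outbound", "inbound")):
        if peers["local"][1].get(a, ("", None))[1] != peers["remote"][1].get(b, ("", ""))[1]:
            out.append(f"local {a} key differs from remote {b} key")
    return out
```

lint(LOCAL, REMOTE) reports the plain-text key, the short key and the resulting mismatch. new_key("aes-256") draws a 64-digit key from the operating system's random source, which avoids patterned values like the documentation keys.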
Updated: 2019-05-29

Document ID: EDOC1000097293
