Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
sa authentication-hex

Function

The sa authentication-hex command sets the authentication key for manually created SAs.

The undo sa authentication-hex command cancels the configuration.

By default, no authentication key is set for an SA.

Format

sa authentication-hex { inbound | outbound } { ah | esp } { simple | cipher } hex-string

undo sa authentication-hex { inbound | outbound } { ah | esp }

Parameters

| Parameter | Description | Value |
|---|---|---|
| inbound | Indicates the inbound SA. | - |
| outbound | Indicates the outbound SA. | - |
| ah | Indicates that the SA uses the AH protocol. If the IPSec proposal referenced by the IPSec policy uses the AH protocol, use this keyword to set the SA authentication key. | - |
| esp | Indicates that the SA uses the ESP protocol. If the IPSec proposal referenced by the IPSec policy uses the ESP protocol, use this keyword to set the SA authentication key. | - |
| simple | Indicates a plain-text authentication key. Enter the authentication key in plain text. The authentication key is displayed in plain text in the configuration file. NOTICE: If simple is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text. | - |
| cipher | Indicates a cipher-text authentication key. You can enter the authentication key in plain text or cipher text. The authentication key is displayed in cipher text in the configuration file. | - |
| hex-string | Specifies the SA authentication key. | Expressed in hexadecimal notation. The length depends on the authentication algorithm, as listed below. |

  • When the MD5 algorithm is used, the authentication key is 16 bytes long. The cipher text password is a string of 28 bytes.

  • When the SHA-1 algorithm is used, the authentication key is 20 bytes long. The cipher text password is a string of 40 bytes.

  • When the SHA-256 algorithm is used, the authentication key is 32 bytes long. The cipher text password is a string of 52 bytes.

  • When the SHA-384 algorithm is used, the authentication key is 48 bytes long. The cipher text password is a string of 76 bytes.

  • When the SHA-512 algorithm is used, the authentication key is 64 bytes long. The cipher text password is a string of 100 characters.

  • When the SM3 algorithm is used, the authentication key is 32 bytes long. The cipher text password is a string of 52 characters.

The MD5 and SHA-1 algorithms are not recommended because they cannot meet your security defense requirements.

Views

Manual IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an authentication algorithm is specified in the IPSec proposal referenced by a manually created IPSec policy, you must configure an authentication key for the inbound/outbound SA. The inbound authentication key on the local end must be the same as the outbound authentication key on the remote end. The outbound authentication key on the local end must be the same as the inbound authentication key on the remote end.

The authentication key can be a hexadecimal number or a character string.

  • The sa authentication-hex command sets the authentication key in hexadecimal notation.

  • The sa string-key command sets the authentication key as a character string.

If you configure the keys in different formats, the most recently configured key takes effect.

Precautions

The sa authentication-hex command applies to the IPSec policy that is used to manually establish an SA. You do not need to set the authentication key of an SA established through IKE negotiation.

When the referenced IPSec proposal specifies both authentication and encryption algorithms, run the sa encryption-hex command to configure an encryption key.

Example

# In an IPSec policy that uses the AH protocol and SHA-256 authentication algorithm, set the SPI of the inbound SA to 10000, the authentication key of the inbound SA to 00112233445566778899aabbccddeeffaabbccdd00112233445566778899aabb, the SPI of the outbound SA to 20000, and the authentication key of the outbound SA to aabbccddeeff001100aabbccddeeff001100aabb00112233445566778899eeff. The authentication key is displayed in cipher text.

<Huawei> system-view
[Huawei] ipsec proposal prop1
[Huawei-ipsec-proposal-prop1] transform ah
[Huawei-ipsec-proposal-prop1] ah authentication-algorithm sha2-256
[Huawei-ipsec-proposal-prop1] quit
[Huawei] ipsec policy policy1 100 manual
[Huawei-ipsec-policy-manual-policy1-100] proposal prop1
[Huawei-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000
[Huawei-ipsec-policy-manual-policy1-100] sa authentication-hex inbound ah cipher 00112233445566778899aabbccddeeffaabbccdd00112233445566778899aabb
[Huawei-ipsec-policy-manual-policy1-100] sa spi outbound ah 20000
[Huawei-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff001100aabb00112233445566778899eeff
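
The check below is an added example, not part of the original documentation. It parses planned sa authentication-hex commands, compares each plain-text hex key with the length given above for the algorithm, flags simple storage, and verifies that the local and remote ends mirror each other. Assumptions: the algorithm labels other than sha2-256 and the REMOTE session are constructed for this example, and keys read back as cipher text from a saved configuration are out of scope.

```python
import re

# Key bytes per algorithm, from the hex-string description. Only "sha2-256" is
# a CLI keyword shown on the page; the other labels are this example's own.
KEY_BYTES = {"md5": 16, "sha1": 20, "sha2-256": 32,
             "sha2-384": 48, "sha2-512": 64, "sm3": 32}
WEAK = {"md5", "sha1"}  # marked "not recommended" on the page
SA_CMD = re.compile(r"sa authentication-hex (inbound|outbound) (ah|esp) "
                    r"(simple|cipher) (\S+)\s*$")
# The two keys from the page's example; REMOTE is constructed with two faults.
K_IN = "00112233445566778899aabbccddeeffaabbccdd00112233445566778899aabb"
K_OUT = "aabbccddeeff001100aabbccddeeff001100aabb00112233445566778899eeff"
LOCAL = (f"sa authentication-hex inbound ah cipher {K_IN}\n"
         f"sa authentication-hex outbound ah cipher {K_OUT}\n")
REMOTE = (f"sa authentication-hex inbound ah simple {K_OUT}\n"
          f"sa authentication-hex outbound ah cipher {K_IN[:-2]}\n")

def parse_sa_keys(session):
    """Return {(direction, protocol): (mode, key)}; the last command wins."""
    keys = {}
    for line in session.splitlines():
        m = SA_CMD.search(line)  # tolerates a leading CLI prompt
        if m:
            keys[(m.group(1), m.group(2))] = (m.group(3), m.group(4).lower())
    return keys

def audit(session, algorithm):
    """Check planned plain-text hex keys against the rules on this page."""
    findings = []
    if algorithm in WEAK:
        findings.append(f"{algorithm}: algorithm not recommended")
    want = KEY_BYTES[algorithm] * 2  # two hex digits per key byte
    for (way, proto), (mode, key) in sorted(parse_sa_keys(session).items()):
        if mode == "simple":
            findings.append(f"{way} {proto}: key stored in plain text (simple)")
        if not re.fullmatch(r"[0-9a-f]+", key):
            findings.append(f"{way} {proto}: key is not hexadecimal")
        elif len(key) != want:
            findings.append(f"{way} {proto}: {len(key)} hex digits, expected {want}")
    return findings

def mirrored(local, remote, proto="ah"):
    """True if local inbound == remote outbound and local outbound == remote inbound."""
    loc, rem = parse_sa_keys(local), parse_sa_keys(remote)
    pairs = [(("inbound", proto), ("outbound", proto)),
             (("outbound", proto), ("inbound", proto))]
    return all(a in loc and b in rem and loc[a][1] == rem[b][1] for a, b in pairs)
```
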
Updated: 2019-02-18

Document ID: EDOC1000097293
