Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
IPSec Configuration Commands

NOTE:

CE6810LI does not support this command.

ah authentication-algorithm

Function

The ah authentication-algorithm command specifies the authentication algorithm used by the Authentication Header (AH) protocol.

The undo ah authentication-algorithm command restores the default setting.

By default, no authentication algorithm is used for AH.

Format

ah authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

undo ah authentication-algorithm

Parameters

Parameter

Description

Value

md5

Specifies MD5 as the authentication algorithm used by the AH protocol.

-

sha1

Specifies SHA-1 as the authentication algorithm used by the AH protocol.

-

sha2-256

Specifies SHA-256 as the authentication algorithm used by the AH protocol.

-

sha2-384

Specifies SHA-384 as the authentication algorithm used by the AH protocol.

-

sha2-512

Specifies SHA-512 as the authentication algorithm used by the AH protocol.

-

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an IPSec proposal uses AH, you must run this command to configure an authentication algorithm used by AH.

The differences between the MD5 and SHA authentication algorithms are as follows:

  • The MD5 algorithm uses a 128-bit key, and the SHA-1 algorithm uses a 160-bit key. The SHA-256, SHA-384, and SHA-512 algorithms use 256-bit, 384-bit, and 512-bit keys respectively.

  • A larger number of key bits indicates a more secure algorithm but a slower calculation speed.

In practice, select an authentication algorithm according to your security and device performance requirements. You are advised not to use MD5 or SHA-1; otherwise, security defense requirements may not be met.

Prerequisites

ah has been specified in the transform command.

Precautions

In the IPSec proposals used by both ends of an IPSec tunnel, the AH protocol must use the same authentication algorithm.

Example

# Configure IPSec proposal prop1 and configure the AH protocol to use the SHA-512 authentication algorithm.

<HUAWEI> system-view
[~HUAWEI] ipsec proposal prop1
[*HUAWEI-ipsec-proposal-prop1] transform ah
[*HUAWEI-ipsec-proposal-prop1] ah authentication-algorithm sha2-512

display ipsec proposal

Function

The display ipsec proposal command displays IPSec proposal information.

Format

display ipsec proposal [ name proposal-name | brief ]

Parameters

Parameter

Description

Value

proposal-name

Specifies the name of an IPSec proposal. If the name of an IPSec proposal is not specified, information about all IPSec proposals is displayed.

The value is an existing IPSec proposal name.

brief

Displays brief information about IPSec proposals.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display information about all IPSec proposals.

<HUAWEI> display ipsec proposal
  Total IPsec proposal number: 2 
                        
  IPsec proposal name: prop1
    encapsulation mode: transport
    transform: ah-new
    AH protocol: authentication SHA2-HMAC-256
                                               
  IPsec proposal name: aa  
    encapsulation mode: tunnel
    transform: esp-new 
    ESP protocol: authentication SHA1-HMAC-96, encryption 256-aes
Table 16-99  Description of the display ipsec proposal command output

Item

Description

Total IPsec proposal number

Number of security proposals created.

IPsec proposal name

Name of an IPSec proposal. To configure an IPSec proposal, run the ipsec proposal command.

encapsulation mode

IPSec encapsulation mode:
  • tunnel
  • transport
To configure an encapsulation mode, run the encapsulation-mode command.
NOTE:

Currently, only the transport mode is supported.

transform

Security protocol:
  • ah-new: AH is used.
  • esp-new: ESP is used.
To configure a security protocol, run the transform command.

ESP protocol

Authentication algorithm and encryption algorithm used by the ESP protocol. To configure an authentication algorithm used by the ESP protocol, run the esp authentication-algorithm command. To configure an encryption algorithm used by the ESP protocol, run the esp encryption-algorithm command.

AH protocol

Authentication algorithm used by the AH protocol. To configure an authentication algorithm used by the AH protocol, run the ah authentication-algorithm command.

display ipsec sa

Function

The display ipsec sa command displays IPSec SA information.

Format

display ipsec sa [ name sa-name ] [ brief ]

Parameters

Parameter

Description

Value

name sa-name

Specifies the SA name.

The value is an existing SA name.

brief

Displays brief information about the specified SA or all SAs.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display configurations of the SA named sa1.

<HUAWEI> display ipsec sa name sa1
  SHA1-HMAC-96
  IP security association name: sa1                                             
  Number of references: 0                                                       
    proposal name: prop1                                                        
    State: InComplete                                                           
    inbound AH setting:                                                         
      AH spi: 1000 (0x3E8)                                                      
      AH string-key: %#%##*+o3{>omV(fzWL,d}7@]$[e%qErP4&,:`X{;qLT%#%#           
      AH authentication hex key:                                                
    inbound ESP setting:                                                        
      ESP spi:                                                                  
      ESP string-key:                                                           
      ESP encryption hex key:                                                   
      ESP authentication hex key:                                               
    outbound AH setting:                                                        
      AH spi: 2200 (0x898)                                                      
      AH string-key:                                                            
      AH authentication hex key:                                                
    outbound ESP setting:                                                       
      ESP spi:                                                                  
      ESP string-key:                                                           
      ESP encryption hex key: %#%#^nu|KC!YX-fWC/C3{h~8OR(u1[Q`B9tHrwD>(un.%#%#  
      ESP authentication hex key:  
Table 16-100  Description of the display ipsec sa command output

Item

Description

IP security association name

SA name. To create an SA, run the ipsec sa command.

Number of references

Number of times the SA is applied.

proposal name

Security proposal applied to the SA. To apply a proposal, run the proposal command.

State

State of an SA.
  • Complete
  • Incomplete

inbound AH setting

SA configurations for incoming AH packets.

AH spi

SPI for AH. To configure it, run the sa spi command.

AH string-key

Authentication key for AH in string format, displayed in cipher text. To configure it, run the sa string-key command.

AH authentication hex key

Authentication key for AH in hexadecimal format, displayed in cipher text. To configure it, run the sa authentication-hex command.

inbound ESP setting

SA configurations for incoming ESP packets.

ESP spi

SPI for ESP. To configure it, run the sa spi command.

ESP string-key

Authentication key for ESP in string format, displayed in cipher text. To configure it, run the sa string-key command.

ESP encryption hex key

Encryption key for ESP in hexadecimal format, displayed in cipher text. To configure it, run the sa encryption-hex command.

ESP authentication hex key

Authentication key for ESP in hexadecimal format, displayed in cipher text. To configure it, run the sa authentication-hex command.

outbound AH setting

SA configurations for outgoing AH packets.

outbound ESP setting

SA configurations for outgoing ESP packets.

display ipsec statistics

Function

The display ipsec statistics command displays statistics about IPSec packets.

Format

display ipsec statistics [ sa-name sa-name ] [ slot slot-number ]

Parameters

Parameter

Description

Value

sa-name sa-name

Specifies the IPSec SA name.

The value is an existing IPSec SA name.

slot slot-number

Specifies the number of the slot on which the IPSec component is running.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display statistics about packets processed by IPSec.

<HUAWEI> display ipsec statistics sa-name sa1 
  IPv6 security packet statistics:
    input/output security packets: 0/0
    input/output security bytes: 0/0
    input/output dropped security packets: 0/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      invalid SA: 0
      policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0
                                                                                 
  IPv4 security packet statistics:                                               
    input/output security packets: 0/7011                                        
    input/output security bytes: 0/224328                                        
    input/output dropped security packets: 0/372                                 
    dropped security packet detail:                                              
      memory process problem: 0                                                  
      can't find SA: 0                                                           
      queue is full: 0                                                           
      authentication is failed: 0                                                
      wrong length: 0                                                            
      replay packet: 0                                                           
      too long packet: 0                                                         
      invalid SA: 372                                                            
      policy deny: 0                                                             
  the normal packet statistics:                                                  
    input/output dropped normal packets: 0/0  
Table 16-101  Description of the display ipsec statistics command output

Item

Description

IPv6 security packet statistics

Number of incoming and outgoing IPv6 IPSec packets.

input/output security packets

Number of received and sent packets.

input/output security bytes

Number of received and sent bytes.

input/output dropped security packets

Number of dropped incoming and outgoing packets.

dropped security packet detail

Detailed information about dropped packets, by drop reason.

memory process problem

Number of packets dropped because of a memory fault.

can't find SA

Number of packets dropped because no matching SA was found.

queue is full

Number of packets dropped because the queue was full.

authentication is failed

Number of packets dropped because authentication failed.

wrong length

Number of packets dropped because of an incorrect packet length.

replay packet

Number of packets dropped because they were replayed (repeated transmission).

too long packet

Number of packets dropped because the packet was too long.

invalid SA

Number of packets dropped because the SA was invalid.

policy deny

Number of packets dropped because of a deny action in the policy.

the normal packet statistics

Statistics about normal packets that are dropped.

input/output dropped normal packets

Number of received/sent normal packets that are dropped.

IPv4 security packet statistics

Number of incoming and outgoing IPv4 IPSec packets.
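The drop counters in this output are what a defender watches. The following Python is an added example, not part of this Huawei document: it parses output in the format shown above (the sample and its counter values are constructed), flags the drop reasons that point to key mismatches, replays or SA problems, and cross-checks the per-reason details against the dropped totals, using only the counter names the page lists.

```python
"""Monitor the drop counters reported by `display ipsec statistics`.

Added example, not Huawei code. It parses output in the format shown on this
page and flags the drop reasons a defender should watch; the sample output and
its counter values are constructed for the example."""
import re

# Constructed sample in the page's output format (two address-family blocks).
SAMPLE_OUTPUT = """\
  IPv6 security packet statistics:
    input/output security packets: 0/0
    input/output security bytes: 0/0
    input/output dropped security packets: 0/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      invalid SA: 0
      policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0

  IPv4 security packet statistics:
    input/output security packets: 1500/7011
    input/output security bytes: 48000/224328
    input/output dropped security packets: 41/372
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 2
      queue is full: 0
      authentication is failed: 27
      wrong length: 0
      replay packet: 12
      too long packet: 0
      invalid SA: 372
      policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0
"""

_FAMILY_RE = re.compile(r"^\s*(IPv[46]) security packet statistics:")
_PAIR_RE = re.compile(r"^\s*(input/output [a-z ]+?):\s*(\d+)/(\d+)\s*$")   # in/out pairs
_SINGLE_RE = re.compile(r"^\s*([A-Za-z' ]+?):\s*(\d+)\s*$")                  # one counter

# Drop reasons worth alerting on, with what each one usually means for the tunnel.
SECURITY_RELEVANT_DROPS = {
    "authentication is failed": "ICV check failed: key mismatch between peers, or tampered/forged packets",
    "replay packet": "sequence number already seen: replayed traffic or heavy reordering",
    "can't find SA": "no SA matches the SPI: peer misconfiguration or unsolicited IPSec traffic",
    "invalid SA": "SA not usable (for example State: InComplete): check proposal, SPI and keys",
    "policy deny": "traffic rejected by policy",
}


def parse_ipsec_statistics(text):
    """Return {family: {counter: value}}; in/out pairs become '<name> in'/'<name> out'."""
    stats, family = {}, None
    for line in text.splitlines():
        m = _FAMILY_RE.match(line)
        if m:
            family = m.group(1)
            stats[family] = {}
            continue
        if family is None:
            continue
        m = _PAIR_RE.match(line)
        if m:
            name, inbound, outbound = m.groups()
            stats[family][name + " in"] = int(inbound)
            stats[family][name + " out"] = int(outbound)
            continue
        m = _SINGLE_RE.match(line)
        if m:
            stats[family][m.group(1)] = int(m.group(2))
    return stats


def suspicious_drops(stats, previous=None):
    """Return [(family, reason, delta, meaning)] for security-relevant counters that
    are non-zero, or that grew since `previous` (an earlier snapshot) when given."""
    findings = []
    for family, counters in stats.items():
        for reason, meaning in SECURITY_RELEVANT_DROPS.items():
            delta = counters.get(reason, 0) - (previous or {}).get(family, {}).get(reason, 0)
            if delta > 0:
                findings.append((family, reason, delta, meaning))
    return findings


def drop_totals_consistent(counters):
    """Sanity check assumed from the page's sample (invalid SA: 372 accounts for the
    0/372 dropped): the per-reason details should sum to the in+out dropped total."""
    detail = sum(counters.get(r, 0) for r in (
        "memory process problem", "can't find SA", "queue is full", "authentication is failed",
        "wrong length", "replay packet", "too long packet", "invalid SA", "policy deny"))
    return detail == (counters.get("input/output dropped security packets in", 0)
                      + counters.get("input/output dropped security packets out", 0))
```

Feeding two snapshots taken a polling interval apart to suspicious_drops() reports only counters that grew, which is what an alert should key on rather than the lifetime totals.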

encapsulation-mode

Function

The encapsulation-mode command configures the encapsulation mode that IPSec uses to encapsulate packets.

The undo encapsulation-mode command restores the default encapsulation mode that IPSec uses to encapsulate packets.

By default, IPSec uses the tunnel mode to encapsulate packets.

Format

encapsulation-mode { transport | tunnel }

undo encapsulation-mode

Parameters

Parameter

Description

Value

transport

Indicates that IPSec uses the transport mode to encapsulate packets.

-

tunnel

Indicates that IPSec uses the tunnel mode to encapsulate packets.

-

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

IPSec encapsulates protocol packets by adding an AH or ESP header and an ESP tail to the original packets for authentication and encryption. Currently, only the transport encapsulation mode is supported.

Precautions

The IPSec proposals referenced by an SA on both IPSec peers must use the same encapsulation mode.

Example

# Configure IPSec proposal newprop1 to use the transport mode to encapsulate packets.

<HUAWEI> system-view
[~HUAWEI] ipsec proposal newprop1
[*HUAWEI-ipsec-proposal-newprop1] encapsulation-mode transport

esp authentication-algorithm

Function

The esp authentication-algorithm command specifies the authentication algorithm used by the Encapsulating Security Payload (ESP) protocol.

The undo esp authentication-algorithm command restores the default setting.

By default, no authentication algorithm is used for ESP.

Format

esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

undo esp authentication-algorithm

Parameters

Parameter

Description

Value

md5

Specifies MD5 as the authentication algorithm used by the ESP protocol.

-

sha1

Specifies SHA-1 as the authentication algorithm used by the ESP protocol.

-

sha2-256

Specifies SHA-256 as the authentication algorithm used by the ESP protocol.

-

sha2-384

Specifies SHA-384 as the authentication algorithm used by the ESP protocol.

-

sha2-512

Specifies SHA-512 as the authentication algorithm used by the ESP protocol.

-

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an IPSec proposal uses ESP, you must run this command to configure an authentication algorithm used by ESP.

The differences between the MD5 and SHA authentication algorithms are as follows:

  • The MD5 algorithm uses a 128-bit key, and the SHA-1 algorithm uses a 160-bit key. The SHA-256, SHA-384, and SHA-512 algorithms use 256-bit, 384-bit, and 512-bit keys respectively.

  • A larger number of key bits indicates a more secure algorithm but a slower calculation speed.

In practice, select an authentication algorithm according to your security and device performance requirements. You are advised not to use MD5 or SHA-1; otherwise, security defense requirements may not be met.

Prerequisites

esp has been specified in the transform command.

Precautions

The IPSec proposals referenced by security policies on two ends of an IPSec tunnel must use the same authentication algorithm.

Example

# Configure the IPSec proposal prop1 to use the ESP protocol, and configure the ESP protocol to use the SHA-512 authentication algorithm.

<HUAWEI> system-view
[~HUAWEI] ipsec proposal prop1
[*HUAWEI-ipsec-proposal-prop1] transform esp 
[*HUAWEI-ipsec-proposal-prop1] esp authentication-algorithm sha2-512 

esp encryption-algorithm

Function

The esp encryption-algorithm command specifies the encryption algorithm used by the ESP protocol.

The undo esp encryption-algorithm command restores the default setting.

By default, no encryption algorithm is used for ESP.

Format

esp encryption-algorithm { 3des | aes { 128 | 192 | 256 } | des | null }

undo esp encryption-algorithm

Parameters

Parameter

Description

Value

3des

Indicates that ESP uses the 168-bit Triple Data Encryption Standard (3DES) encryption algorithm.

-

des

Indicates that ESP uses the 56-bit DES encryption algorithm.

-

aes 128

Indicates that ESP uses the AES encryption algorithm with a 128-bit key.

-

aes 192

Indicates that ESP uses the AES encryption algorithm with a 192-bit key.

-

aes 256

Indicates that ESP uses the AES encryption algorithm with a 256-bit key.

-

null

Indicates that ESP uses the null encryption algorithm.

-

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an IPSec proposal uses ESP, you must run this command to configure an encryption algorithm used by ESP.

The number of bits in the algorithm name is the key length. A longer key indicates a more secure algorithm but a slower calculation speed.

The DES and 3DES algorithms are not recommended because they cannot meet security defense requirements.

ESP can both encrypt and authenticate packets, or only authenticate them. When encryption is not required, run the esp encryption-algorithm null command to disable encryption.

Prerequisites

esp has been specified in the transform command.

Precautions

The IPSec proposals referenced by an SA on both IPSec peers must use the same encryption algorithm.

Example

# Configure the IPSec proposal prop1 to use the ESP protocol and configure the ESP protocol to use the AES–256 encryption algorithm.

<HUAWEI> system-view
[~HUAWEI] ipsec proposal prop1
[*HUAWEI-ipsec-proposal-prop1] transform esp
[*HUAWEI-ipsec-proposal-prop1] esp encryption-algorithm aes 256

ipsec proposal

Function

The ipsec proposal command creates an IPSec proposal and displays the IPSec proposal view.

The undo ipsec proposal command deletes an IPSec proposal.

By default, no IPSec proposal is configured.

Format

ipsec proposal proposal-name

undo ipsec proposal proposal-name

Parameters

Parameter

Description

Value

proposal-name

Specifies the name of an IPSec proposal.

The value is a string of 1 to 15 case-insensitive characters without question marks (?) or spaces. When double quotation marks (") are used around the string, spaces are allowed in the string.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A security proposal defines the security protocol and authentication or encryption algorithm. Therefore, run the ipsec proposal command to create a security proposal before configuring IPsec.

Follow-up Procedure

Configure the security protocol, authentication or encryption algorithm, and encapsulation mode.

Precautions

You cannot delete a security proposal that is applied to a Security Association (SA). The same proposal can, however, be applied to several SAs. To delete such a proposal, first run the undo proposal command to remove it from each SA that references it.

Example

# Create an IPSec proposal newprop1.

<HUAWEI> system-view
[~HUAWEI] ipsec proposal newprop1
[*HUAWEI-ipsec-proposal-newprop1] 

ipsec sa

Function

The ipsec sa command creates an SA and displays the SA view.

The undo ipsec sa command deletes an SA.

By default, no SA is created.

Format

ipsec sa sa-name

undo ipsec sa sa-name

Parameters

Parameter

Description

Value

sa-name

Specifies the name of an SA.

The value is a string of 1 to 15 case-insensitive characters without question marks (?) or spaces. When double quotation marks are used around the string, spaces are allowed in the string.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

IPSec uses an SA to ensure security during data transmission. When configuring IPSec, run the ipsec sa command to create an SA and configure SA parameters.

Follow-up Procedure

Run the proposal command to import a security proposal; run the sa spi command to configure the SPI; run the sa string-key or sa authentication-hex command to configure the authentication key.

Precautions

An SA is unidirectional. Incoming packets and outgoing packets are processed by different SAs.

An SA can be configured with only one security protocol.

Example

# Create an SA.

<HUAWEI> system-view
[~HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1]

proposal

Function

The proposal command references an IPSec proposal.

The undo proposal command deletes the referenced IPSec proposal.

By default, no IPSec proposal is referenced.

Format

proposal proposal-name

undo proposal

Parameters

Parameter

Description

Value

proposal-name

Specifies the name of an IPSec proposal.

The value is an existing IPSec proposal name.

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The proposal command references an IPSec proposal in an SA.

Prerequisites

An IPSec proposal has been created using the ipsec proposal command.

Example

# Create an IPSec proposal prop1 and configure it to use the default parameters. Then reference the IPSec proposal in IPSec SA sa1.

<HUAWEI> system-view
[~HUAWEI] ipsec proposal prop1
[*HUAWEI-ipsec-proposal-prop1] quit
[*HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1] proposal prop1

reset ipsec statistics

Function

The reset ipsec statistics command clears statistics about IPSec packets.

Format

reset ipsec statistics [ sa-name sa-name ] [ slot slot-number ]

Parameters

Parameter

Description

Value

sa-name sa-name

Specifies the IPSec SA name.

The value is an existing IPSec SA name.

slot slot-number

Specifies the number of the slot on which the IPSec component is running.

The value is an integer and must be set according to the device configuration.

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Statistics cannot be restored after being cleared.

Run the display ipsec statistics command to display statistics about IPSec packets.

Example

# Clear statistics about packets processed by IPSec.

<HUAWEI> reset ipsec statistics sa-name sa1

sa authentication-hex

Function

The sa authentication-hex command sets the authentication key for SAs.

The undo sa authentication-hex command cancels the configuration.

By default, no authentication key is set for an SA.

Format

sa authentication-hex { inbound | outbound } { ah | esp } [ cipher ] hex-string

undo sa authentication-hex { inbound | outbound } { ah | esp }

Parameters

Parameter

Description

Value

inbound

Indicates the inbound SA.

-

outbound

Indicates the outbound SA.

-

ah

Indicates that the SA uses the AH protocol. If the IPSec proposal referenced by the SA uses the AH protocol, use this keyword to set the SA authentication key.

-

esp

Indicates that the SA uses the ESP protocol. If the IPSec proposal referenced by the SA uses the ESP protocol, use this keyword to set the SA authentication key.

-

cipher

Indicates that the authentication key is in cipher text. You can enter the authentication key in plain text or cipher text; in either case it is displayed in cipher text in the configuration file.

-

hex-string

Specifies the SA authentication key.

Expressed in hexadecimal notation.

  • When the MD5 algorithm is used, the authentication key is 16 bytes long.

  • When the SHA-1 algorithm is used, the authentication key is 20 bytes long.

  • When the SHA-384 algorithm is used, the authentication key is 48 bytes long.

  • When the SHA-512 algorithm is used, the authentication key is 64 bytes long.

The corresponding cipher-text value is 20 to 432 characters long.

The MD5 and SHA-1 algorithms are not recommended because they cannot meet your security defense requirements.

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an authentication algorithm is specified in the IPSec proposal referenced by an SA, you must configure an authentication key for the inbound/outbound SA. The inbound authentication key on the local end must be the same as the outbound authentication key on the remote end. The outbound authentication key on the local end must be the same as the inbound authentication key on the remote end.

The authentication key can be a hexadecimal number or a character string.

  • The sa authentication-hex command sets the authentication key in hexadecimal notation.

  • The sa string-key command sets the authentication key in the format of character string.

If you configure the keys in different formats, the most recently configured key takes effect.

Precautions

When the referenced IPSec proposal specifies both authentication and encryption algorithms, run the sa encryption-hex command to configure an encryption key.

Example

# In an IPSec SA, set the authentication key of the inbound SA to 112233445566778899aabbccddeeff00, and the authentication key of the outbound SA to aabbccddeeff001100aabbccddeeff00. The authentication key is displayed in cipher text.

<HUAWEI> system-view
[~HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[*HUAWEI-ipsec-sa-sa1] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00

sa encryption-hex

Function

The sa encryption-hex command sets an encryption key for SAs.

The undo sa encryption-hex command cancels the configuration.

By default, no encryption key is set for an SA.

Format

sa encryption-hex { inbound | outbound } esp [ cipher ] hex-string

undo sa encryption-hex { inbound | outbound } esp

Parameters

Parameter

Description

Value

inbound

Indicates the inbound SA.

-

outbound

Indicates the outbound SA.

-

esp

Indicates that the SA uses the ESP protocol. If the IPSec proposal referenced by the SA uses the ESP protocol, use this keyword to set the encryption key of the SA.

-

cipher

Indicates that the encryption key is in cipher text. You can enter the encryption key in plain text or cipher text; in either case it is displayed in cipher text in the configuration file.

-

hex-string

Specifies the encryption key of the SA.

The value is expressed in hexadecimal notation.

  • When the DES algorithm is used, the encryption key is 8 bytes long.

  • When the 3DES algorithm is used, the encryption key is 24 bytes long.

  • When the 128-bit AES algorithm is used, the encryption key is 16 bytes long.

  • When the 192-bit AES algorithm is used, the encryption key is 24 bytes long.

  • When the 256-bit AES algorithm is used, the encryption key is 32 bytes long.

The corresponding cipher-text value is 20 to 432 characters long.

NOTE:

DES and 3DES are insecure and have potential security risks. You are advised to use AES-128, AES-192, or AES-256.

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an encryption algorithm is specified in the IPSec proposal referenced by an SA, you must configure an encryption key for the inbound/outbound SA. The inbound encryption key on the local end must be the same as the outbound encryption key on the remote end. The outbound encryption key on the local end must be the same as the inbound encryption key on the remote end.

Follow-up Procedure

When the referenced IPSec proposal specifies both authentication and encryption algorithms, run the sa authentication-hex command to configure an authentication key as well.

Example

# In an IPSec SA, set the encryption key of the inbound SA to 0x1234567890abcdef, and the encryption key of the outbound SA to 0xabcdefabcdef1234. The encryption key is displayed in cipher text.

<HUAWEI> system-view
[~HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1] sa encryption-hex inbound esp cipher 1234567890abcdef
[*HUAWEI-ipsec-sa-sa1] sa encryption-hex outbound esp cipher abcdefabcdef1234

sa spi

Function

The sa spi command sets the Security Parameter Index (SPI) for the SAs.

The undo sa spi command cancels the configuration.

By default, no SPI is set for an SA.

Format

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

Parameters

Parameter

Description

Value

inbound

Indicates the inbound SA.

-

outbound

Indicates the outbound SA.

-

ah

Indicates that the SA uses the AH protocol. If the IPSec proposal referenced by the IPSec SA uses the AH protocol, use this keyword to set the SPI of the SA.

-

esp

Indicates that the SA uses the ESP protocol. If the IPSec proposal referenced by the IPSec SA uses the ESP protocol, use this keyword to set the SPI of the SA.

-

spi-number

Specifies the SPI of an SA.

The value is an integer that ranges from 256 to 4294967295.

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The SPI uniquely identifies an SA. When an SPI is configured for an SA, it is carried in every protocol packet sent, and the receiver uses it to locate the SA and check the authenticity of the packet. After creating an SA with the ipsec sa sa-name command, run the sa spi command to configure its SPI.

Precautions

Set parameters for both inbound and outbound SAs.

The SPI for incoming protocol packets on the local end must be identical with that for outgoing protocol packets on the peer end and vice versa.

Example

# In an IPSec SA, set the SPI of the inbound SA to 10000 and the SPI of the outbound SA to 20000.

<HUAWEI> system-view
[~HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1] sa spi inbound ah 10000
[*HUAWEI-ipsec-sa-sa1] sa spi outbound ah 20000

sa string-key

Function

The sa string-key command sets the authentication key for SAs.

The undo sa string-key command cancels the configuration.

By default, no authentication key is set for an SA.

Format

sa string-key { inbound | outbound } { ah | esp } [ cipher ] string-key

undo sa string-key { inbound | outbound } { ah | esp }

Parameters

Parameter

Description

Value

inbound

Indicates the inbound SA.

-

outbound

Indicates the outbound SA.

-

ah

Indicates that the SA uses the AH protocol. If the IPSec proposal referenced by the IPSec SA uses the AH protocol, use this keyword to set the SA authentication key.

-

esp

Indicates that the SA uses the ESP protocol. If the IPSec proposal referenced by the IPSec SA uses the ESP protocol, use this keyword to set the SA authentication key.

-

cipher

Indicates that the authentication key is in cipher text. You can enter the authentication key in plain text or cipher text; in either case it is displayed in cipher text in the configuration file.

-

string-key

Specifies the authentication key of the SA.

The value is a string of 1 to 255 case-sensitive characters in plain text or 20 to 432 case-sensitive characters in cipher text without question marks (?) or spaces. When double quotation marks are used around the string, spaces are allowed in the string.

NOTE:

To improve security, it is recommended that the authentication key be at least 6 characters long and contain at least two of the following character types: lowercase letters, uppercase letters, digits, and special characters.

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

When an authentication algorithm is specified in the IPSec proposal referenced by an SA, you must configure an authentication key for the inbound/outbound SA. The inbound authentication key on the local end must be the same as the outbound authentication key on the remote end. The outbound authentication key on the local end must be the same as the inbound authentication key on the remote end.

The authentication key can be a hexadecimal number or a character string.

  • The sa string-key command sets the authentication key in the format of character string.

  • The sa authentication-hex command sets the authentication key in hexadecimal notation.

If you configure the keys in different formats, the last configured key takes effect.

Example

# In an IPSec SA, set the authentication key of the inbound SA to abcdef, and the authentication key of the outbound SA to efcdab. The authentication key is displayed in cipher text.

<HUAWEI> system-view
[~HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1] sa string-key inbound ah cipher abcdef
[*HUAWEI-ipsec-sa-sa1] sa string-key outbound ah cipher efcdab

transform

Function

The transform command specifies a security protocol used by an IPSec proposal.

The undo transform command restores the default security protocol used by an IPSec proposal.

By default, an IPSec proposal uses the ESP protocol.

Format

transform { ah | esp }

undo transform

Parameters

Parameter

Description

Value

ah

Indicates that the IPSec proposal uses the AH protocol.

-

esp

Indicates that the IPSec proposal uses the ESP protocol.

-

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

  • When AH is specified, AH only authenticates packets.

  • When ESP is specified, ESP can authenticate, or encrypt and authenticate packets.

AH prevents data tampering but cannot prevent data interception, so it is suitable only for transmitting non-confidential data. ESP provides a weaker authentication service than AH, but it can encrypt packet payloads.

Precautions

The IPSec proposals configured on both IPSec peers must use the same security protocol.

Example

# Configure an IPSec proposal to use the AH protocol.

<HUAWEI> system-view
[~HUAWEI] ipsec proposal newprop1
[*HUAWEI-ipsec-proposal-newprop1] transform ah
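The matching requirements stated throughout this section (the same proposal parameters at both ends, the inbound SPI and keys on one peer equal to the outbound ones on the other, the SPI value range, and the per-algorithm hex key lengths) can be checked before an SA is brought up. The Python below is an added example and not Huawei code: it parses the commands shown on this page from two constructed peer configurations, assumes hexadecimal rather than string keys, and assumes 32 bytes for sha2-256, which the page's key-length list omits.

```python
"""Peer-consistency check for the manual-keying IPSec commands on this page.
Added example, not Huawei code: it parses the commands shown on this page from
two peers' configurations (no prompts, as in a configuration file) and lists the
stated rules they break (matching proposals, mirrored SPIs and hex keys, SPI range,
key length per algorithm, "not recommended" algorithms). All text below is constructed."""

# Key lengths in bytes from the sa authentication-hex / sa encryption-hex tables.
# sha2-256 is not listed on the page; 32 bytes (its digest size) is assumed here.
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20, "sha2-256": 32, "sha2-384": 48, "sha2-512": 64}
ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes 128": 16, "aes 192": 24, "aes 256": 32}
WEAK = {"md5", "sha1", "des", "3des"}     # marked "not recommended" on this page
SPI_MIN, SPI_MAX = 256, 4294967295        # sa spi value range on this page

def parse_config(text):
    """Return ({proposal_name: params}, {sa_name: params}) from CLI lines."""
    proposals, sas, cur = {}, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            continue
        if words[:2] == ["ipsec", "proposal"]:   # page defaults: esp, tunnel mode
            cur = proposals.setdefault(words[2], {"transform": "esp", "encapsulation-mode": "tunnel"})
        elif words[:2] == ["ipsec", "sa"]:
            cur = sas.setdefault(words[2], {"inbound": {}, "outbound": {}})
        elif words[0] in ("transform", "encapsulation-mode", "proposal"):
            cur[words[0]] = words[1]
        elif words[1:2] == ["authentication-algorithm"]:   # ah|esp authentication-algorithm
            cur["auth"] = words[2]
        elif words[1:2] == ["encryption-algorithm"]:       # esp encryption-algorithm [aes N]
            cur["enc"] = " ".join(words[2:])
        elif words[0] == "sa":   # sa {spi|authentication-hex|encryption-hex} DIR PROTO [cipher] VALUE
            cur[words[2]]["proto"] = words[3]
            cur[words[2]][words[1]] = words[-1]
    return proposals, sas

def check_peers(local_text, remote_text, sa_name):
    """List every rule on this page that SA `sa_name` breaks between the two peers."""
    problems = []
    (lp, ls), (rp, rs) = parse_config(local_text), parse_config(remote_text)
    if sa_name not in ls or sa_name not in rs:
        return [f"SA {sa_name} is not configured on both peers"]
    lsa, rsa = ls[sa_name], rs[sa_name]
    lprop, rprop = lp.get(lsa.get("proposal"), {}), rp.get(rsa.get("proposal"), {})
    # Proposals referenced at both ends must agree on protocol, algorithms and mode.
    for field in ("transform", "encapsulation-mode", "auth", "enc"):
        if lprop.get(field) != rprop.get(field):
            problems.append(f"proposal {field} differs: {lprop.get(field)!r} vs {rprop.get(field)!r}")
    proto, auth, enc = lprop.get("transform"), lprop.get("auth"), lprop.get("enc")
    if auth is None or (proto == "esp" and enc is None):
        problems.append("proposal lacks an algorithm (ESP needs esp encryption-algorithm null for auth-only)")
    problems += [f"{alg} is not recommended" for alg in (auth, enc) if alg in WEAK]
    # Local inbound must mirror remote outbound and vice versa, for SPI and keys.
    for here, there in (("inbound", "outbound"), ("outbound", "inbound")):
        a, b = lsa[here], rsa[there]
        if a.get("proto") != proto:
            problems.append(f"{here} SA keyed for {a.get('proto')} but proposal uses {proto}")
        spi = a.get("spi")
        if spi is None:
            problems.append(f"{here} SPI not set")
        elif not SPI_MIN <= int(spi) <= SPI_MAX:
            problems.append(f"{here} SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
        elif spi != b.get("spi"):
            problems.append(f"local {here} SPI {spi} != remote {there} SPI {b.get('spi')}")
        for kind, alg, table in (("authentication-hex", auth, AUTH_KEY_BYTES),
                                 ("encryption-hex", enc, ENC_KEY_BYTES)):
            if alg is None or alg == "null":
                continue                    # nothing to key for this component
            need, key = table.get(alg), a.get(kind)
            if need is None or key is None:
                problems.append(f"{here} {kind}: missing key or unknown algorithm {alg!r}")
                continue
            if len(key) != 2 * need:
                problems.append(f"{here} {kind} is {len(key) // 2} bytes, {alg} needs {need}")
            if key != b.get(kind):
                problems.append(f"local {here} {kind} != remote {there} {kind}")
    return problems

def mirror(config):
    """Constructed remote peer: the same SA text with inbound and outbound swapped."""
    return config.replace("inbound", "@").replace("outbound", "inbound").replace("@", "outbound")

LOCAL = """\
ipsec proposal prop1
 transform esp
 encapsulation-mode transport
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
ipsec sa sa1
 proposal prop1
 sa spi inbound esp 10000
 sa spi outbound esp 20000
 sa authentication-hex inbound esp 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
 sa authentication-hex outbound esp ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
 sa encryption-hex inbound esp 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
 sa encryption-hex outbound esp fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
"""
REMOTE_OK = mirror(LOCAL)
# Constructed misconfiguration on the remote peer: an SPI typo and a truncated key.
REMOTE_BAD = (REMOTE_OK.replace("esp 10000", "esp 10001")
                       .replace("0123456789abcdef" * 4, "0123456789abcdef" * 2))
```

Run check_peers() in both directions, since key-length problems are only detected on the side whose configuration is given as local.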
Updated: 2019-03-21

Document ID: EDOC1000166501