No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring an SA

Configuring an SA

This section describes how to configure a Security Association (SA) and specify the security protocol, Security Parameter Index (SPI), authentication key, and encryption key.


An SA is unidirectional. Incoming packets and outgoing packets are processed by different SAs. To ensure smooth SA negotiation, configure the same parameters for the SAs that apply to incoming packets and outgoing packets of one data flow, respectively. The parameters are as follows:
  • Security proposal, defines the specific protection include authentication algorithm, encryption algorithm.
  • SPI, Security Parameter Index identifies an SA.
  • Key, the key is used to calculate the message digest and encrypt the packet.


  1. Run system-view

    The system view is displayed.

  2. Run ipsec sa sa-name

    An SA is created and the SA view is displayed.

    By default, no SA is created.

  3. Run proposal proposal-name

    A security proposal is applied to the SA.

    By default, no security proposal is created.


    A security proposal must be configured before it can be associated with data flows.

    One SA can use only one security proposal. If a security proposal has been applied to an SA, the SA can use another security proposal only after the original one is deleted.

  4. Run sa spi { inbound | outbound } { ah | esp } spi-number

    The SPI is configured.

    By default, no SPI is configured.


    The SPI uniquely identifies an SA. The inbound and outbound SPIs are configured, and the outbound SPI on the local end must be the same as the inbound SPI on the peer end.

  5. Either the sa authentication-hex or sa string-key command can be used to configure the authentication key.

    • Run sa authentication-hex { inbound | outbound } { ah | esp } [ cipher ] hex-cipher-key

      An authentication key in hexadecimal format is configured.

      By default, no authentication key is created.

    • Run sa string-key { inbound | outbound } { ah | esp } [ cipher ] string-cipher-key

      An authentication key in string format is configured.

      By default, no authentication key is created.


    The authentication key for outgoing packets on the local end must be identical with that for incoming packets on the peer end.

    If multiple authentication keys are configured, the latest one takes effect.

  6. (Optional) Run sa encryption-hex { inbound | outbound } esp [ cipher ] hex-cipher-key

    An encryption key is configured.

    By default, no encryption key is created.

Follow-up Procedure

After IPSec is configured, you can use IPSec to encrypt OSPFv3 packets. For details, see Table 5-12.

Table 5-12  IPSec applications




(Optional) Configuring OSPFv3 IPSec Authentication

Updated: 2019-08-07

Document ID: EDOC1100033725

Views: 142488

Downloads: 359

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next