NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring an SA

This section describes how to configure a Security Association (SA) and specify the security protocol, Security Parameter Index (SPI), and authentication keys.


An SA is unidirectional. Incoming protocol packets and outgoing protocol packets are processed by different SAs. To ensure smooth SA negotiation, configure the same parameters for the SAs that apply to incoming protocol packets and outgoing protocol packets of one flow, respectively. The parameters are as follows:
  • Security proposal: defines the specific protection, including the authentication algorithm and the encryption algorithm.
  • SPI: the Security Parameter Index identifies an SA.
  • Key: used to calculate the message digest and encrypt the protocol packets.


  1. Run system-view

    The system view is displayed.

  2. Run ipsec sa sa-name

    An SA is created and the SA view is displayed.

  3. Run proposal proposal-name

    A security proposal is applied to the SA.


    A security proposal must be configured before it can be associated with protocol packet flows.

    One SA can use only one security proposal. If a security proposal has been applied to an SA, the SA can use another security proposal only after the original one is deleted.

  4. Run sa spi { inbound | outbound } { ah | esp } spi-number

    The SPI is configured. It ranges from 256 to 4294967295.


    The SPI uniquely identifies an SA. Configure both the inbound and outbound SPIs. The inbound SPI on the local end must be the same as the outbound SPI on the peer end.

  5. Either the sa authentication-hex or sa string-key command can be used to configure the authentication key.
    1. Run sa authentication-hex { inbound | outbound } { ah | esp } [ cipher ] key-cipher-key

      An authentication key in hexadecimal format or cipher text is configured.

    2. Run sa string-key { inbound | outbound } { ah | esp } [ cipher ] string-cipher-key

      An authentication key in string format is configured.


    The authentication key for outgoing protocol packets on the local end must be identical to that for incoming protocol packets on the peer end.

    If multiple authentication keys are configured, the latest one takes effect.

    It is recommended to update keys periodically.

  6. (Optional) Run sa encryption-hex { inbound | outbound } esp [ cipher ] hex-cipher-key

    An encryption key is configured.

  7. Run commit

    The configuration is committed.
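
The mirroring rules in steps 4 to 6 (local inbound equals peer outbound, SPI between 256 and 4294967295) are easy to get wrong when two devices are configured by hand. The following Python check is an added example, not part of the original guide or of Huawei's tooling; it compares the planned sa lines for both ends and reports mismatches without echoing key values. The SA name, proposal name, SPIs and keys are constructed placeholders, and the check assumes the settings are compared as they will be typed, not as the device displays them.

```python
import re

SPI_MIN, SPI_MAX = 256, 4294967295            # range given in step 4
MIRROR = {"inbound": "outbound", "outbound": "inbound"}
SA_LINE = re.compile(
    r"^\s*sa (spi|authentication-hex|string-key|encryption-hex) "
    r"(inbound|outbound) (ah|esp) (?:cipher )?(\S+)\s*$")

def parse_sa(text):
    """Map (command, direction, protocol) -> value; a repeated line overrides."""
    params = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            params[m.group(1, 2, 3)] = m.group(4)
    return params

def check_pair(local_text, peer_text):
    """Return a list of problems; key values are never echoed into it."""
    local, peer = parse_sa(local_text), parse_sa(peer_text)
    problems = []
    for end, cfg in (("local", local), ("peer", peer)):
        for (cmd, direction, proto), value in cfg.items():
            if cmd == "spi" and not (value.isdigit()
                                     and SPI_MIN <= int(value) <= SPI_MAX):
                problems.append(f"{end} {direction} {proto} spi out of range")
    for (cmd, direction, proto), value in local.items():
        if peer.get((cmd, MIRROR[direction], proto)) != value:
            problems.append(f"{cmd}: local {direction} {proto} != peer "
                            f"{MIRROR[direction]} {proto}")
    for (cmd, direction, proto) in peer:
        if (cmd, MIRROR[direction], proto) not in local:
            problems.append(f"{cmd}: peer {direction} {proto} has no local "
                            f"{MIRROR[direction]} {proto}")
    return problems

# Constructed sample settings (placeholder names, SPIs and keys).
LOCAL = """\
ipsec sa sa1
 proposal proposal1
 sa spi inbound esp 1000
 sa spi outbound esp 2000
 sa string-key inbound esp EXAMPLE-KEY-A
 sa string-key outbound esp EXAMPLE-KEY-B
"""
# Peer plan with directions swapped, then a variant with an invalid SPI.
PEER_OK = LOCAL.replace("inbound", "TMP").replace("outbound", "inbound").replace("TMP", "outbound")
PEER_BAD = PEER_OK.replace("esp 1000", "esp 100")
```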

Updated: 2019-01-02

Document ID: EDOC1100055397
