S12700 V200R013C00 Command Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
IPSec Configuration Commands (IPSec Encryption)

Command Support

For details about command support, see the description of each command. If no command support information is provided, all switch models support the command by default.

ah authentication-algorithm

Function

The ah authentication-algorithm command specifies the authentication algorithm used by the Authentication Header (AH) protocol.

The undo ah authentication-algorithm command restores the default authentication algorithm used by the AH protocol.

By default, the AH protocol uses the Secure Hash Algorithm-256 (SHA-256) authentication algorithm.

Format

ah authentication-algorithm { md5 | sha1 | sha2-256 }

undo ah authentication-algorithm

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| md5 | Specifies MD5 as the authentication algorithm used by the AH protocol. | - |
| sha1 | Specifies SHA-1 as the authentication algorithm used by the AH protocol. | - |
| sha2-256 | Specifies SHA-256 as the authentication algorithm used by the AH protocol. | - |

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

AH is used to protect packets against interception or modification and to provide data origin authentication during data transmission. Both the sending and receiving parties apply the hash algorithm and check the data for integrity and authenticity.

AH currently supports the MD5, SHA-1 and SHA2-256 authentication algorithms.

  • MD5: generates a 128-bit message digest for an input message of any length
  • SHA-1: generates a 160-bit message digest for an input message of less than 2^64 bits
  • SHA2-256: generates a 256-bit message digest for an input message of less than 2^64 bits

MD5 is faster than SHA-1, but is less secure.

Prerequisite

The transform command has been configured to select AH before the authentication algorithm for AH is configured.

Precautions

The authentication algorithms on both IPSec peers must be identical.

Example

# Configure IPSec proposal prop1 and configure the AH protocol to use the SHA-256 authentication algorithm.

<HUAWEI> system-view
[HUAWEI] ipsec proposal prop1
[HUAWEI-ipsec-proposal-prop1] transform ah
[HUAWEI-ipsec-proposal-prop1] ah authentication-algorithm sha2-256

display ipsec proposal

Function

The display ipsec proposal command displays IPSec proposal information.

Format

display ipsec proposal [ name proposal-name ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| name proposal-name | Specifies the name of an IPSec proposal. | The value is an existing name of an IPSec proposal. |

Views

All views

Default Level

1: Monitoring Level

Usage Guidelines

Usage Scenario

After IPSec is configured, when valid packets are dropped between IPSec peers, you can run the display ipsec proposal command to check whether the IPSec proposal configurations on both IPSec peers are identical.

IPSec ensures security using the IPSec proposal. You can run the display ipsec proposal command to view the following information:

  • Name of the IPSec proposal

  • Encapsulation mode defined in the IPSec proposal

  • Security protocol defined in the IPSec proposal

  • Authentication and encryption algorithms defined in the IPSec proposal

Example

# Display information about all IPSec proposals.

<HUAWEI> display ipsec proposal
  Total IP security proposal number: 1

  IP security proposal name: proposal1
    encapsulation mode: transport
    transform: esp-new
    ESP protocol: authentication SHA2-HMAC-256, encryption AES-192
Table 10-6  Description of the display ipsec proposal command output

| Item | Description |
| --- | --- |
| Total IP security proposal number | Number of security proposals created. |
| IP security proposal name | Name of an IPSec proposal. To configure an IPSec proposal, run the ipsec proposal command. |
| encapsulation mode | IPSec encapsulation mode: transport or tunnel. To configure an encapsulation mode, run the encapsulation-mode command. NOTE: Currently only transport mode is supported. |
| transform | Security protocol defined in the security proposal: esp-new (Encapsulating Security Payload, ESP) or ah-new (Authentication Header, AH). To configure a security protocol, run the transform command. |
| ESP protocol | ESP configuration: authentication MD5-HMAC-96, SHA1-HMAC-96 or SHA2-HMAC-256, or "not use authentication"; encryption DES, 3DES, AES-128, AES-192 or AES-256, or "not use encryption". NOTICE: The MD5-HMAC-96 and SHA1-HMAC-96 authentication algorithms have security risks; therefore, you are advised to use SHA2-HMAC-256 preferentially. The DES and 3DES encryption algorithms have security risks; therefore, you are advised to use AES-128, AES-192 or AES-256 preferentially. To configure the authentication algorithm used by ESP, run the esp authentication-algorithm command; to configure the encryption algorithm used by ESP, run the esp encryption-algorithm command. |
| AH protocol | AH configuration: MD5-HMAC-96, SHA1-HMAC-96 or SHA2-HMAC-256. NOTICE: The MD5-HMAC-96 and SHA1-HMAC-96 authentication algorithms have security risks; therefore, you are advised to use SHA2-HMAC-256 preferentially. To configure the authentication algorithm used by AH, run the ah authentication-algorithm command. |

display ipsec sa

Function

The display ipsec sa command displays information about a Security Association (SA).

Format

display ipsec sa [ name sa-name ] [ brief ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| name sa-name | Specifies the SA name. | The value is an existing SA name. |
| brief | Displays brief information about the SA, such as the SA name and the Security Parameter Index (SPI) value. | - |

Views

All views

Default Level

1: Monitoring Level

Usage Guidelines

Usage Scenario

You can run the display ipsec sa command to check whether the SA configurations for outgoing packets on the local end are identical with those for incoming packets on the peer end. The display ipsec sa command output displays the following information:

  • SA name

  • Security proposal applied to the SA

  • Number of times the SA is applied

  • SA configurations for incoming Authentication Header (AH) packets

  • SA configurations for outgoing AH packets

  • SA configurations for incoming Encapsulating Security Payload (ESP) packets

  • SA configurations for outgoing ESP packets

Example

# Display configurations of the SA.

<HUAWEI> display ipsec sa
  IP security association name: sa1  
  Number of references: 0  
    proposal name: prop1  
    inbound AH setting:   
      AH spi:      
      AH string-key:  
      AH authentication hex key: %^%#0D_@HS5002;U1AR{t$3W:H188Ghs~N'_r`Y&R<j70V5-,r-NF(z!92N)oSNA%^%#
    inbound ESP setting:  
      ESP spi:   
      ESP string-key:  
      ESP encryption hex key: %^%#A*v9(B!U3U%*HL%Rod;%|G}F;B3[5%q#VMTG#9EP%^%#
      ESP authentication hex key: %^%#w_eeVg;FD3ybX!(2&P2ecMN%'JMGWXm^bR#qcUNKj_3AGrb@#\B4(Vn5cYC%^%#
    outbound AH setting: 
      AH spi:
      AH string-key:
      AH authentication hex key: %^%#jp!o1aA7qD^qMN&yI4M8nG_(~~O.{8;tyqI3%o5M4&L@G]rJw/au]r'm=j^9%^%#
    outbound ESP setting: 
      ESP spi:   
      ESP string-key:
      ESP encryption hex key: %^%#".dAYkLlqV_o-'SI0.":&<M';66l4UGMEjB9Cl\S%^%#
      ESP authentication hex key: %^%#Nkz8Z-sF*Pw3clT]@_F9B4:8>RIwc'r#sCJl0N[;{drLI|%uU5lVUWQkY3p1%^%#
Table 10-7  Description of the display ipsec sa command output

| Item | Description |
| --- | --- |
| IP security association name | SA name |
| Number of references | Number of times the SA is applied |
| proposal name | Security proposal applied to the SA |
| inbound AH setting | SA configurations for incoming AH packets |
| AH spi | SPI for AH |
| AH string-key | Authentication key for AH in the string format, displayed in cipher text |
| AH authentication hex key | Authentication key for AH, displayed in cipher text |
| inbound ESP setting | SA configurations for incoming ESP packets |
| ESP spi | SPI for ESP |
| ESP string-key | Authentication key for ESP in the string format, displayed in cipher text |
| ESP encryption hex key | Encryption key for ESP, displayed in cipher text |
| ESP authentication hex key | Authentication key for ESP, displayed in cipher text |
| outbound AH setting | SA configurations for outgoing AH packets |
| outbound ESP setting | SA configurations for outgoing ESP packets |

display ipsec statistics

Function

The display ipsec statistics command displays the statistics about packets processed by IPSec.

Format

display ipsec statistics [ sa-name sa-name slot slot-number ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| sa-name sa-name | Specifies the IPSec Security Association (SA) name. | The value is an existing SA name. |
| slot slot-number | Displays the IPSec SA statistics of the specified slot. | The value is an integer, and the value range depends on the device configuration. |

Views

All views

Default Level

1: Monitoring Level

Usage Guidelines

Usage Scenario

After configuring IPSec, you can run the display ipsec statistics command to view information about transmitted packets and dropped packets. The details are as follows:
  • Number of received and sent packets

  • Number of received and sent bytes

  • Number of dropped incoming and outgoing packets

  • Detailed information about dropped packets

Example

# Display statistics about packets processed by IPSec.

<HUAWEI> display ipsec statistics
  IPv6 security packet statistics:
    input/output security packets: 0/0
    input/output security bytes: 0/0
    input/output dropped security packets: 0/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      invalid SA: 0
      policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0
  IPv4 security packet statistics:
    input/output security packets: 0/0
    input/output security bytes: 0/0
    input/output dropped security packets: 0/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      invalid SA: 0
      policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0
Table 10-8  Description of the display ipsec statistics command output

| Item | Description |
| --- | --- |
| IPv6 security packet statistics | Statistics on IPv6 security packets. |
| IPv4 security packet statistics | Statistics on IPv4 security packets. |
| input/output security packets | Indicates the number of received and sent packets. |
| input/output security bytes | Indicates the number of received and sent bytes. |
| input/output dropped security packets | Indicates the number of dropped incoming and outgoing packets. |
| dropped security packet detail | Detailed information about dropped packets. |
| memory process problem | Indicates the number of packets that are dropped due to a memory fault. |
| can't find SA | Indicates the number of packets that are dropped because no SA is found. |
| queue is full | Indicates the number of packets that are dropped because the queue is full. |
| authentication is failed | Indicates the number of packets that are dropped due to authentication failure. |
| wrong length | Indicates the number of packets that are dropped due to a packet length fault. |
| replay packet | Indicates the number of packets that are dropped due to repeated transmission. |
| too long packet | Indicates the number of packets that are dropped due to excess packet length. |
| invalid SA | Indicates the number of packets that are dropped due to an invalid SA. |
| policy deny | Indicates the number of packets that are dropped due to a deny action in the policy. |
| the normal packet statistics | Statistics about normal packets. |
| input/output dropped normal packets | Indicates the number of received/sent normal packets that are dropped. |
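The drop counters in this output are the first thing to read when a tunnel silently loses traffic. The following Python is an added example, not part of the Huawei documentation: it parses the display ipsec statistics output format shown above (the sample output is constructed here, with invented non-zero IPv4 counters) and flags the drop reasons that point to a peer mismatch or hostile traffic; the interpretations in SIGNAL_REASONS are this example's assumptions.

```python
"""Parse `display ipsec statistics` output and flag the drop counters that
matter to a defender. Added example; the sample output is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the format shown above; the non-zero IPv4 counters
# are invented for illustration (4 + 21 + 12 = 37 packets dropped on input).
SAMPLE_OUTPUT = """\
  IPv6 security packet statistics:
    input/output security packets: 0/0
    input/output security bytes: 0/0
    input/output dropped security packets: 0/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      invalid SA: 0
      policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0
  IPv4 security packet statistics:
    input/output security packets: 1532/1498
    input/output security bytes: 196096/191744
    input/output dropped security packets: 37/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 4
      queue is full: 0
      authentication is failed: 21
      wrong length: 0
      replay packet: 12
      too long packet: 0
      invalid SA: 0
      policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0
"""

SECTION_RE = re.compile(r"^\s*(IPv4|IPv6) security packet statistics:")
PAIR_RE = re.compile(
    r"^\s*input/output (dropped security packets|security packets|security bytes): (\d+)/(\d+)")
# Per-reason lines are indented six spaces under "dropped security packet detail:"
DETAIL_RE = re.compile(r"^\s{6}([A-Za-z' ]+): (\d+)\s*$")

# Drop reasons that indicate a peer mismatch or hostile traffic rather than a
# local resource problem, with the interpretation a responder would start from
# (assumption of this example, not text from the reference).
SIGNAL_REASONS = {
    "authentication is failed": "key/algorithm mismatch with peer, or tampered packets",
    "replay packet": "duplicate sequence numbers: retransmission or replay",
    "can't find SA": "SPI does not match any configured SA",
    "policy deny": "traffic matched a deny policy",
}


def parse_ipsec_statistics(text: str) -> Dict[str, dict]:
    """Returns {"IPv4": {...}, "IPv6": {...}} with (input, output) tuples for
    the packet/byte counters and a "drops" dict of per-reason counts."""
    stats: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {"drops": {}}
            continue
        if current is None:
            continue
        m = PAIR_RE.match(line)
        if m:
            stats[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        m = DETAIL_RE.match(line)
        if m:
            stats[current]["drops"][m.group(1)] = int(m.group(2))
    return stats


def flag_drops(stats: Dict[str, dict], threshold: int = 0) -> List[Tuple[str, str, int, str]]:
    """Lists (family, reason, count, interpretation) for signal counters above threshold."""
    findings = []
    for family, data in stats.items():
        for reason, count in data["drops"].items():
            if reason in SIGNAL_REASONS and count > threshold:
                findings.append((family, reason, count, SIGNAL_REASONS[reason]))
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_statistics(SAMPLE_OUTPUT)
    for finding in flag_drops(parsed):
        print("%s %-25s %5d  %s" % finding)
```

Run it periodically and compare against the previous snapshot (or after reset ipsec statistics), since the counters are cumulative.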

encapsulation-mode

Function

The encapsulation-mode command sets the encapsulation mode for IP packets.

The undo encapsulation-mode command restores the default encapsulation mode for IP packets.

By default, the encapsulation mode is set to tunnel.

Format

encapsulation-mode { transport | tunnel }

undo encapsulation-mode

NOTE:

Currently only transport mode is supported.

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| transport | Sets the encapsulation mode to transport. | - |
| tunnel | Sets the encapsulation mode to tunnel. | - |

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can configure Authentication Header (AH) or Encapsulating Security Payload (ESP) to protect data. If AH is configured, an AH header is added to the packet; if ESP is configured, an ESP header, an ESP trailer, and an ESP authentication field are added. Two encapsulation modes are available for IPSec: transport and tunnel.

  • The transport mode is applicable to a scenario in which two hosts, or a host and a security gateway, communicate with each other. In transport mode, the two devices that encrypt and decrypt packets must be the original sender and the final receiver of the packets, respectively.
  • The tunnel mode is generally applied to a scenario in which two security gateways communicate with each other. Packets encrypted on the local security gateway can be decrypted only on the peer security gateway. Therefore, the original IP packet is encapsulated in tunnel mode and a new IP header is added. After arriving at the peer security gateway, the IP packet can be decrypted.

Precautions

The encapsulation modes on both IPSec peers must be identical.

Example

# Set the encapsulation mode to transport in the security proposal named prop2.

<HUAWEI> system-view
[HUAWEI] ipsec proposal prop2
[HUAWEI-ipsec-proposal-prop2] encapsulation-mode transport

esp authentication-algorithm

Function

The esp authentication-algorithm command configures the authentication algorithm for Encapsulating Security Payload (ESP).

The undo esp authentication-algorithm command cancels the authentication algorithm for ESP.

By default, the authentication algorithm Secure Hash Algorithm-256 (SHA-256) is used for ESP.

Format

esp authentication-algorithm { md5 | sha1 | sha2-256 }

undo esp authentication-algorithm

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| md5 | Indicates that the authentication algorithm MD5 is used for ESP. | - |
| sha1 | Indicates that the authentication algorithm Secure Hash Algorithm-1 (SHA-1) is used for ESP. | - |
| sha2-256 | Indicates that the authentication algorithm SHA-256 is used for ESP. | - |

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

IPSec can use Authentication Header (AH) or ESP to authenticate packets, preventing packets from being intercepted or modified. When ESP is used, both the authentication and encryption algorithms must be configured. Run the transform command to select AH or ESP; when ESP is selected, run the esp authentication-algorithm command to specify the authentication algorithm for ESP.

ESP currently supports the MD5, SHA-1 and SHA2-256 authentication algorithms.

  • MD5: generates a 128-bit message digest for an input message of any length.
  • SHA-1: generates a 160-bit message digest for an input message of less than 2^64 bits.
  • SHA2-256: generates a 256-bit message digest for an input message of less than 2^64 bits.

MD5 is faster than SHA-1, but is less secure.

NOTE:

The undo esp authentication-algorithm command functions differently from the undo ah authentication-algorithm command. The undo esp authentication-algorithm command configures ESP not to authenticate packets, whereas the undo ah authentication-algorithm command restores the default authentication algorithm for AH.

Prerequisite

IPSec ensures security using AH or ESP. An authentication algorithm can be configured only after AH or ESP is specified. Therefore, you can configure an ESP authentication algorithm only after running the transform command to specify ESP.

Precautions

The encryption algorithm and authentication algorithm cannot be both set to NULL for ESP.

The authentication algorithms on both IPSec peers must be identical.

Example

# Configure the IPSec proposal prop1 to use the ESP protocol, and configure the ESP protocol to use the SHA-256 authentication algorithm.

<HUAWEI> system-view
[HUAWEI] ipsec proposal prop1
[HUAWEI-ipsec-proposal-prop1] transform esp 
[HUAWEI-ipsec-proposal-prop1] esp authentication-algorithm sha2-256 

esp encryption-algorithm

Function

The esp encryption-algorithm command configures the encryption algorithm for Encapsulating Security Payload (ESP).

The undo esp encryption-algorithm command configures ESP not to encrypt packets.

By default, the encryption algorithm Advanced Encryption Standard-256 (AES-256) is used for ESP.

Format

esp encryption-algorithm { des | 3des | aes [ 128 | 192 | 256 ] }

undo esp encryption-algorithm

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| des | Indicates that ESP uses the DES algorithm to encrypt packets. | - |
| 3des | Indicates that ESP uses the 3DES algorithm to encrypt packets. | - |
| aes | Indicates that ESP uses the Advanced Encryption Standard (AES) algorithm to encrypt packets. If none of 128, 192 or 256 is specified, ESP uses AES with a 128-bit key. | - |
| 128 | Indicates that ESP uses AES with a 128-bit key to encrypt packets. | - |
| 192 | Indicates that ESP uses AES with a 192-bit key to encrypt packets. | - |
| 256 | Indicates that ESP uses AES with a 256-bit key to encrypt packets. | - |

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

IPSec uses authentication and encryption algorithms to protect IP packet transmission, preventing packets from being intercepted or modified. Therefore, specify an encryption algorithm before using ESP to ensure security.

  • DES: uses a 56-bit key to encrypt a 64-bit plaintext block.
  • 3DES: uses three 56-bit keys (in effect, a 168-bit key) to encrypt a plaintext packet.
  • AES: uses a 128-, 192- or 256-bit key to encrypt a plaintext packet.

The DES and 3DES algorithms are not recommended because they cannot meet your security defense requirements.

Prerequisite

esp has been specified in the transform command.

Precautions

The undo esp encryption-algorithm command configures ESP not to encrypt packets instead of restoring the default encryption algorithm. This command takes effect only when an encryption algorithm is used.

The ESP encryption algorithm and authentication algorithm cannot be kept blank simultaneously.

The IPSec proposals referenced by an SA on two ends of an IPSec tunnel must use the same encryption algorithm.

Example

# Set the encryption algorithm to AES 128 bits for ESP.

<HUAWEI> system-view
[HUAWEI] ipsec proposal prop1
[HUAWEI-ipsec-proposal-prop1] transform esp
[HUAWEI-ipsec-proposal-prop1] esp encryption-algorithm aes 128

ipsec proposal

Function

The ipsec proposal command creates an IPSec proposal and displays the IPSec proposal view.

The undo ipsec proposal command deletes an IPSec proposal.

By default, no IPSec proposal is configured.

Format

ipsec proposal proposal-name

undo ipsec proposal proposal-name

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| proposal-name | Specifies the name of an IPSec proposal. | The value is a string of 1 to 15 case-insensitive characters without question marks (?) or spaces. When double quotation marks are used around the string, spaces are allowed in the string. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IPSec proposal, part of an IPSec SA, defines security parameters for IPSec SA negotiation, including the security protocol, encryption and authentication algorithms, and encapsulation mode.

Follow-up Procedure

Run the proposal command to reference the IPSec proposal in an IPSec SA.

Precautions

Both ends of an IPSec tunnel must be configured with the same parameters.

You cannot delete a security proposal that is applied to a Security Association (SA). However, you can apply the same proposal to different SAs. To delete such a security proposal, first run the undo proposal command to remove it from the SA.

Example

# Create an IPSec proposal newprop1.

<HUAWEI> system-view
[HUAWEI] ipsec proposal newprop1
[HUAWEI-ipsec-proposal-newprop1] 

ipsec sa

Function

The ipsec sa command creates an SA and displays the SA view.

The undo ipsec sa command deletes an SA.

By default, no SA is created.

Format

ipsec sa sa-name

undo ipsec sa sa-name

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| sa-name | Specifies the name of an SA. | The value is a string of 1 to 15 case-insensitive characters without question marks (?) or spaces. When double quotation marks are used around the string, spaces are allowed in the string. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

IPSec uses an SA to ensure security during data transmission. When configuring IPSec, run the ipsec sa command to create an SA and configure SA parameters.

Follow-up Procedure

Run the proposal command to import a security proposal; run the sa spi command to configure the SPI; run the sa string-key or sa authentication-hex command to configure the authentication key.

Precautions

An SA is unidirectional. Incoming packets and outgoing packets are processed by different SAs.

An SA can be configured with only one security protocol.

Example

# Create an SA.

<HUAWEI> system-view
[HUAWEI] ipsec sa sa1
[HUAWEI-ipsec-sa-sa1]

proposal

Function

The proposal command applies a security proposal to a Security Association (SA).

The undo proposal command removes a security proposal from an SA.

By default, no security proposal is created.

Format

proposal proposal-name

undo proposal

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| proposal-name | Specifies the name of an IPSec proposal. | The value is an existing IPSec proposal name. |

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An SA defines a protection policy, and a security proposal defines a protection method. Data protection can be implemented only after a security proposal is applied to an SA.

Prerequisite

The ipsec proposal command has been run to create a security proposal before the proposal command is run. If no security proposal has been created, an error message will be displayed when the proposal command is run.

Precautions

After the proposal command is run, the security proposal is applied to an SA and cannot be deleted.

Example

# Create an IPSec proposal prop1 and configure it to use the default parameters. Then reference the IPSec proposal in IPSec SA sa1.

<HUAWEI> system-view
[HUAWEI] ipsec proposal prop1
[HUAWEI-ipsec-proposal-prop1] transform ah
[HUAWEI-ipsec-proposal-prop1] encapsulation-mode transport
[HUAWEI-ipsec-proposal-prop1] quit
[HUAWEI] ipsec sa sa1
[HUAWEI-ipsec-sa-sa1] proposal prop1

reset ipsec statistics

Function

The reset ipsec statistics command clears statistics about packets processed by IPSec.

Format

reset ipsec statistics [ sa-name sa-name slot slot-number ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| sa-name sa-name | Specifies the IPSec Security Association (SA) name. | The value is an existing SA name. |
| slot slot-number | Clears the IPSec SA statistics of the specified slot. | The value is an integer, and the value range depends on the device configuration. |

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before collecting statistics about packets processed by IPSec in a specified length of time, you can run the reset ipsec statistics command to clear the original statistics.

Follow-up Procedure

Run the display ipsec statistics command to check statistics about packets processed by IPSec.

Precautions

The statistics cannot be restored after being cleared. Therefore, confirm the action before running this command.

Example

# Clear statistics about packets processed by IPSec.

<HUAWEI> reset ipsec statistics

sa authentication-hex

Function

The sa authentication-hex command sets an authentication key in hexadecimal format or cipher text for Security Associations (SAs).

The undo sa authentication-hex command deletes an authentication key from SAs.

By default, no authentication key is created.

Format

sa authentication-hex { inbound | outbound } { ah | esp } [ cipher ] { hex-plain-key | hex-cipher-key }

undo sa authentication-hex { inbound | outbound } { ah | esp }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| inbound | Specifies SA parameters for incoming packets. | - |
| outbound | Specifies SA parameters for outgoing packets. | - |
| ah | Specifies SA parameters for Authentication Header (AH). If the security proposal applied to an SA uses AH, ah must be configured in the sa authentication-hex command. | - |
| esp | Specifies SA parameters for Encapsulating Security Payload (ESP). If the security proposal applied to an SA uses ESP, esp must be configured in the sa authentication-hex command. | - |
| cipher | Indicates that the key is given in cipher text. | - |
| hex-plain-key | Sets the authentication key in plaintext format. | The value is in hexadecimal notation. If the authentication algorithm is Message Digest 5 (MD5), the key is 16 bytes long; if it is Secure Hash Algorithm-1 (SHA-1), 20 bytes; if it is SHA2-256, 32 bytes. |
| hex-cipher-key | Sets the authentication key in ciphertext format. | The value is a string of case-insensitive characters without spaces. If the authentication algorithm is MD5, the key is 68 characters long; if it is SHA-1, 88 characters; if it is SHA2-256, 108 characters. |

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

AH and ESP can use MD5, SHA-1 or SHA-256, each of which requires an authentication key in string or hexadecimal format. If an authentication key in hexadecimal format is required, run the sa authentication-hex command. The MD5 and SHA-1 algorithms are not recommended because they cannot meet your security defense requirements.

Precautions

Set parameters for both inbound and outbound SAs.

SA parameters on both IPSec peers must be identical. The authentication key for incoming packets on the local end must be identical with that for outgoing packets on the peer end and vice versa.

The authentication key can be in the hexadecimal or string format. To configure an authentication key in the string format, run the sa string-key command. If multiple authentication keys are configured, the latest one takes effect. The formats of authentication keys on both IPSec peers must be identical. If an authentication key in the string format is configured on one end and an authentication key in the hexadecimal format on another end, the two ends cannot communicate.

Example

# In an IPSec SA, set the authentication key of the inbound SA to 112233445566778899aabbccddeeff00, and the authentication key of the outbound SA to aabbccddeeff001100aabbccddeeff00. The authentication key is displayed in cipher text.

<HUAWEI> system-view
[HUAWEI] ipsec sa sa1
[HUAWEI-ipsec-sa-sa1] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[HUAWEI-ipsec-sa-sa1] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00

sa encryption-hex

Function

The sa encryption-hex command configures an encryption key for manual Security Association (SA) in hexadecimal format.

The undo sa encryption-hex command deletes an encryption key for manual SA configured in hexadecimal format.

By default, no encryption key is created.

Format

sa encryption-hex { inbound | outbound } esp [ cipher ] { hex-plain-key | hex-cipher-key }

undo sa encryption-hex { inbound | outbound } esp

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| inbound | Specifies SA parameters for incoming packets. | - |
| outbound | Specifies SA parameters for outgoing packets. | - |
| esp | Specifies SA parameters for Encapsulating Security Payload (ESP). If the security proposal applied to an SA uses ESP, esp must be configured in the sa encryption-hex command. | - |
| cipher | Indicates that the key is given in cipher text. | - |
| hex-plain-key | Sets the encryption key in plaintext format. | The value is in hexadecimal notation. If the encryption algorithm is Data Encryption Standard (DES), the key is 8 bytes long; if it is Triple Data Encryption Standard (3DES), 24 bytes; if it is Advanced Encryption Standard 128 (AES-128), 16 bytes; if it is AES-192, 24 bytes; if it is AES-256, 32 bytes. |
| hex-cipher-key | Sets the encryption key in ciphertext format. | The value is a string of case-insensitive characters without spaces. If the encryption algorithm is DES, the key is 48 characters long; if it is 3DES, 88 characters; if it is AES-128, 68 characters; if it is AES-192, 88 characters; if it is AES-256, 108 characters. |

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

The ESP security protocol supports encryption of IP packets. The algorithm used for encryption and decryption is DES, 3DES or AES, and each of these algorithms needs a key. Run the sa encryption-hex command to configure the encryption key in hexadecimal format.
  • The DES and 3DES algorithms have security risks; therefore, you are advised to use the AES algorithm preferentially.
  • If the sa encryption-hex command is configured, the encryption key configured using the sa string-key command is deleted automatically.

Example

# In an IPSec SA, set the encryption key of the inbound SA to 0x1234567890abcdef, and the encryption key of the outbound SA to 0xabcdefabcdef1234. The encryption key is displayed in cipher text.

<HUAWEI> system-view
[HUAWEI] ipsec sa sa1
[HUAWEI-ipsec-sa-sa1] sa encryption-hex inbound esp cipher 1234567890abcdef
[HUAWEI-ipsec-sa-sa1] sa encryption-hex outbound esp cipher abcdefabcdef1234

sa spi

Function

The sa spi command configures the Security Parameter Index (SPI) for a Security Association (SA).

The undo sa spi command deletes the SPI from an SA.

By default, no SPI is configured.

Format

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

Parameters

Parameter Description Value
inbound Specifies SA parameters for incoming packets. -
outbound Specifies SA parameters for outgoing packets. -
ah Specifies SA parameters for Authentication Header (AH). If the security proposal applied to an SA uses AH, ah must be configured in the sa spi command. -
esp Specifies SA parameters for Encapsulating Security Payload (ESP). If the security proposal applied to an SA uses ESP, esp must be configured in the sa spi command. -
spi-number Specifies the SPI. The value is an integer ranging from 256 to 4294967295.

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An SPI uniquely identifies an SA. When an SPI is configured for an SA, the SPI is carried in each sent packet, and the receiver uses it to check the packet's authenticity. After the ipsec sa sa-name command is used to create an SA, run the sa spi command to configure the SPI.

Precautions

Set parameters for both inbound and outbound SAs.

The SPI for incoming packets on the local end must be identical with that for outgoing packets on the peer end and vice versa.

Example

# In an IPSec SA, set the SPI of the inbound SA to 10000 and the SPI of the outbound SA to 20000.

<HUAWEI> system-view
[HUAWEI] ipsec sa sa1
[HUAWEI-ipsec-sa-sa1] sa spi inbound ah 10000
[HUAWEI-ipsec-sa-sa1] sa spi outbound ah 20000

sa string-key

Function

The sa string-key command configures an authentication key in the string format.

The undo sa string-key command deletes an authentication key from Security Associations (SAs).

By default, no authentication key is created.

Format

sa string-key { inbound | outbound } { ah | esp } [ cipher ] string-cipher-key

undo sa string-key { inbound | outbound } { ah | esp }

Parameters

Parameter Description Value
inbound Specifies SA parameters for incoming packets. -
outbound Specifies SA parameters for outgoing packets. -
ah Specifies SA parameters for Authentication Header (AH). If the security proposal applied to an SA uses AH, ah must be configured in the sa string-key command. -
esp Specifies SA parameters for Encapsulating Security Payload (ESP). If the security proposal applied to an SA uses ESP, esp must be configured in the sa string-key command. -
cipher Indicates the cipher text used for authentication. -
string-cipher-key Specifies the cipher text key.

The value is a case-sensitive string of letters or digits: 1 to 127 characters in plain text, or 20 to 392 characters in encrypted text. The question mark (?) and spaces are not allowed, except that spaces are allowed when the string is enclosed in quotation marks (").

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

AH and ESP can use the Message Digest 5 (MD5), Secure Hash Algorithm 1 (SHA-1), or SHA-256 authentication algorithm, each of which requires an authentication key in string or hexadecimal format. To configure an authentication key in string format, run the sa string-key command. The MD5 and SHA-1 algorithms are not recommended because they cannot meet your security defense requirements.

Precautions

Set parameters for both inbound and outbound SAs.

SA parameters on both IPSec peers must be identical. The authentication key for incoming packets on the local end must be identical with that for outgoing packets on the peer end and vice versa.

The authentication key can be in the hexadecimal or string format. To configure an authentication key in the hexadecimal format, run the sa authentication-hex command. If multiple authentication keys are configured, the latest one takes effect. The formats of authentication keys on both IPSec peers must be identical. If an authentication key in the string format is configured on one end and an authentication key in the hexadecimal format on another end, the two ends cannot communicate.

Example

# In an IPSec SA, set the authentication key of the inbound SA to abcdef, and the authentication key of the outbound SA to efcdab. The authentication key is displayed in cipher text.

<HUAWEI> system-view
[HUAWEI] ipsec sa sa1
[HUAWEI-ipsec-sa-sa1] sa string-key inbound ah cipher abcdef
[HUAWEI-ipsec-sa-sa1] sa string-key outbound ah cipher efcdab

transform

Function

The transform command configures the security protocol in a security proposal.

The undo transform command restores the default security protocol.

By default, the Encapsulating Security Payload (ESP) protocol is used, as defined in RFC 2406.

Format

transform { ah | esp }

undo transform

Parameters

Parameter Description Value
ah Configures Authentication Header (AH) as the security protocol. -
esp Configures ESP as the security protocol. -

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

  • When AH is specified, AH only authenticates packets.

    When AH is specified, by default, AH uses the SHA-256 authentication algorithm.

  • When ESP is specified, ESP can encrypt packets, authenticate packets, or both.

    When ESP is specified, by default, ESP uses the SHA-256 authentication algorithm and the AES-256 encryption algorithm.

AH prevents data tampering but cannot prevent data interception, so it applies only to the transmission of non-confidential data. ESP provides a weaker authentication service than AH, but it can encrypt packet payloads.

Follow-up Procedure

Configure the authentication algorithm for AH when AH is used.

Configure the authentication and encryption algorithms for ESP when ESP is used.

Precautions

When multiple security proposals are configured, the latest configuration takes effect, and the default authentication and encryption algorithms will be restored.

The IPSec proposals configured on both ends of an IPSec tunnel must use the same security protocol.

Example

# Configure AH for the security proposal named prop.

<HUAWEI> system-view
[HUAWEI] ipsec proposal prop
[HUAWEI-ipsec-proposal-prop] transform ah
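The precautions in the sa encryption-hex, sa spi, sa string-key and transform sections all come down to consistency rules that are easy to get wrong when two switches are keyed by hand: both directions must be configured, SPIs must fall in the allowed range, a hexadecimal encryption key must have the length the chosen cipher needs, the local inbound SA must mirror the peer's outbound SA (same SPI, same key, same key format), and both proposals must use the same security protocol. The following script is an added example, not Huawei code: it parses the command lines shown in this section for two peers and reports each violation. It assumes the command names esp encryption-algorithm and sa authentication-hex as referenced in the Follow-up Procedure and Usage Guidelines above, takes the AES key sizes and the ciphertext key lengths from the sa encryption-hex parameter table, and uses the standard 8-byte DES and 24-byte 3DES key sizes. The sample configurations are constructed for illustration.

```python
"""Consistency checks for manually keyed IPSec SAs (added example, not Huawei code)."""
import re
# Plaintext key sizes (bytes) and stored-ciphertext lengths (characters) per ESP cipher, from the
# sa encryption-hex table; DES/3DES use the standard 8- and 24-byte keys (assumed, not on the page).
KEY_BYTES = {"des": 8, "3des": 24, "aes-128": 16, "aes-192": 24, "aes-256": 32}
CIPHER_LEN = {"des": 48, "3des": 88, "aes-128": 68, "aes-192": 88, "aes-256": 108}
WEAK_CIPHERS = {"des", "3des"}
SPI_MIN, SPI_MAX = 256, 4294967295
SA_COMMANDS = {"spi", "string-key", "authentication-hex", "encryption-hex"}

def parse_config(lines):
    """Collect transform, ESP cipher and per-(direction, protocol) SA settings."""
    cfg = {"transform": "esp", "encryption": "aes-256", "sa": {}}  # page defaults
    for raw in lines:
        # Strip a "[HUAWEI-...]" prompt if present; commands not handled here are ignored.
        tokens = (raw.split("]", 1)[1] if raw.startswith("[") else raw).split()
        if tokens[:1] == ["transform"] and len(tokens) == 2:
            cfg["transform"] = tokens[1]
        elif tokens[:2] == ["esp", "encryption-algorithm"] and len(tokens) == 3:  # assumed command
            cfg["encryption"] = tokens[2]
        elif len(tokens) >= 5 and tokens[0] == "sa" and tokens[1] in SA_COMMANDS:
            kind, direction, proto, value = tokens[1], tokens[2], tokens[3], tokens[-1]
            entry = cfg["sa"].setdefault((direction, proto), {})
            if kind == "spi":
                entry["spi"] = int(value)
            elif kind == "encryption-hex":
                entry["enc_key"] = value
            else:  # string-key or authentication-hex: keep the key's format too
                entry["auth_key"] = ("string" if kind == "string-key" else "hex", value)
    return cfg

def _check_enc_key(direction, key, alg):
    """Plaintext hex key must be KEY_BYTES[alg] bytes; stored ciphertext (CIPHER_LEN) is accepted."""
    if key is None:
        return [f"{direction} esp: no encryption key"]
    if len(key) == CIPHER_LEN[alg]:
        return []
    if not re.fullmatch(r"[0-9a-fA-F]+", key) or len(key) != 2 * KEY_BYTES[alg]:
        return [f"{direction} esp: {alg} needs a {KEY_BYTES[alg]}-byte key "
                f"({2 * KEY_BYTES[alg]} hex digits), got {len(key)} characters"]
    return []

def check_device(cfg):
    """One device: both directions set, SPI in range, keys present, protocol matches transform."""
    problems, proto = [], cfg["transform"]
    if proto == "esp" and cfg["encryption"] in WEAK_CIPHERS:
        problems.append(f"{cfg['encryption']} is not recommended; prefer AES")
    for direction in ("inbound", "outbound"):
        entry = cfg["sa"].get((direction, proto))
        if entry is None:
            problems.append(f"no {direction} {proto} SA parameters configured")
            continue
        spi = entry.get("spi")
        if spi is None or not SPI_MIN <= spi <= SPI_MAX:
            problems.append(f"{direction} {proto}: SPI must be {SPI_MIN}..{SPI_MAX}, got {spi}")
        if "auth_key" not in entry:
            problems.append(f"{direction} {proto}: no authentication key")
        if proto == "esp":
            problems += _check_enc_key(direction, entry.get("enc_key"), cfg["encryption"])
    problems += [f"{d} {p} SA parameters do not match transform {proto}"
                 for d, p in cfg["sa"] if p != proto]
    return problems

def check_peers(local, peer):
    """Local inbound must mirror peer outbound (and vice versa): same SPI, same key, same key format."""
    if local["transform"] != peer["transform"]:
        return ["peers use different security protocols"]
    problems, proto = [], local["transform"]
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        a = local["sa"].get((mine, proto), {})
        b = peer["sa"].get((theirs, proto), {})
        if a.get("spi") != b.get("spi"):
            problems.append(f"local {mine} SPI {a.get('spi')} != peer {theirs} SPI {b.get('spi')}")
        ka, kb = a.get("auth_key"), b.get("auth_key")
        if ka and kb and ka[0] != kb[0]:
            problems.append(f"local {mine} key is {ka[0]}, peer {theirs} key is {kb[0]}: formats differ")
        elif ka != kb:
            problems.append(f"local {mine} authentication key does not match peer {theirs}")
        if proto == "esp" and a.get("enc_key") != b.get("enc_key"):
            problems.append(f"local {mine} encryption key does not match peer {theirs}")
    return problems

# Constructed sample input, as it would be typed on each switch.
LOCAL_AH = ["[HUAWEI-ipsec-proposal-prop] transform ah",
            "[HUAWEI-ipsec-sa-sa1] sa spi inbound ah 10000",
            "[HUAWEI-ipsec-sa-sa1] sa spi outbound ah 20000",
            "[HUAWEI-ipsec-sa-sa1] sa string-key inbound ah cipher abcdef",
            "[HUAWEI-ipsec-sa-sa1] sa string-key outbound ah cipher efcdab"]
# The peer mirrors the SPIs but enters its outbound key in hex: the formats differ.
PEER_AH = ["transform ah", "sa spi inbound ah 20000", "sa spi outbound ah 10000",
           "sa string-key inbound ah cipher efcdab",
           "sa authentication-hex outbound ah cipher 0123456789abcdef"]
# ESP with AES-256 but an 8-byte encryption key, and no outbound SA at all.
BAD_ESP = ["transform esp", "esp encryption-algorithm aes-256", "sa spi inbound esp 30000",
           "sa string-key inbound esp cipher abcdef", "sa encryption-hex inbound esp cipher 1234567890abcdef"]

if __name__ == "__main__":
    print(check_device(parse_config(BAD_ESP)))
    print(check_peers(parse_config(LOCAL_AH), parse_config(PEER_AH)))
```

Run it on the constructed input and the peer check reports the string-versus-hex mismatch on the local inbound / peer outbound pair, while the ESP device check reports the short AES-256 key and the missing outbound SA; the AH configurations taken from the examples on this page pass the per-device checks. Keys stored in ciphertext form cannot be compared for equality by a script, so the peer key comparison is only meaningful on the plaintext values entered at configuration time.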
Updated: 2019-04-09

Document ID: EDOC1100065659