Configuring an ike-based ipsec policy – H3C Technologies H3C S12500-X Series Switches User Manual
Page 149
137
Step Command
Remarks
7.
Configure an SPI for the
inbound or outbound
IPsec SA.
•
To configure an SPI for the
inbound IPsec SA:
sa spi inbound { ah | esp }
spi-number
•
To configure an SPI for the
outbound IPsec SA:
sa spi outbound { ah | esp }
spi-number
By default, no SPI is configured for the
inbound or outbound IPsec SA.
8.
Configure keys for the
IPsec SA.
•
Configure an authentication
key in hexadecimal format for
AH:
sa hex-key authentication
{ inbound | outbound } ah
{ cipher | simple } key-value
•
Configure an authentication
key in character format for AH:
sa string-key { inbound |
outbound } ah { cipher |
simple } key-value
•
Configure a key in character
format for ESP:
sa string-key { inbound |
outbound } esp { cipher |
simple } key-value
•
Configure an authentication
key in hexadecimal format for
ESP:
sa hex-key authentication
{ inbound | outbound } esp
{ cipher | simple } key-value
•
Configure an encryption key in
hexadecimal format for ESP:
sa hex-key encryption
{ inbound | outbound } esp
{ cipher | simple } key-value
By default, no keys are configured for the
IPsec SA.
Configure keys correctly for the security
protocol (AH, ESP, or both) you have
specified in the IPsec transform set
referenced by the IPsec policy.
If you configure a key in both the
character and the hexadecimal formats,
only the most recent configuration takes
effect.
If you configure a key in character format
for ESP, the device automatically
generates an authentication key and an
encryption key for ESP.
241B
Configuring an IKE-based IPsec policy
In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE.
To configure an IKE-based IPsec policy, directly configure it by configuring the parameters in IPsec policy
view.
470B
Configuration restrictions and guidelines
The IPsec configurations at the two ends of an IPsec tunnel must meet the following requirements:
•
The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security
protocols, security algorithms, and encapsulation mode.
•
The IPsec policies at the two tunnel ends must have the same IKE profile parameters.