sa authentication-hex

Function

The sa authentication-hex command configures an authentication key for an IPSec SA in hexadecimal notation.

The undo sa authentication-hex command cancels the configuration.

By default, the authentication key is not configured for an IPSec SA.

Format

sa authentication-hex { inbound | outbound } { ah | esp } hex-string

undo sa authentication-hex { inbound | outbound } { ah | esp }

Parameters

| Parameter | Description | Value |
|---|---|---|
| inbound | Sets an authentication key for the inbound IPSec SA. IPSec uses the inbound IPSec SA to process incoming packets. | - |
| outbound | Sets an authentication key for the outbound IPSec SA. IPSec uses the outbound IPSec SA to process outgoing packets. | - |
| ah | Sets an authentication key using the AH protocol. If the IPSec proposal referenced in an IPSec policy uses the AH protocol, the authentication key is set based on the ah keyword. | - |
| esp | Sets an authentication key using the ESP protocol. If the IPSec proposal referenced in an IPSec policy uses the ESP protocol, the authentication key is set based on the esp keyword. | - |
| hex-string | Sets an authentication key for the IPSec SA. | The value is in the hexadecimal format. |

  • If MD5 is used, the key length is 16 bytes.
  • If SHA1 is used, the key length is 20 bytes.
  • If SHA2-256 is used, the key length is 32 bytes.
  • If SHA2-384 is used, the key length is 48 bytes.
  • If SHA2-512 is used, the key length is 64 bytes.
  • If SM3 is used, the key length is 32 bytes.

Views

Manual IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When manually configuring an IPSec policy, you must configure an authentication key for the inbound/outbound IPSec SA. The authentication key can be a hexadecimal number or a character string.

  • The sa authentication-hex command sets an authentication key in hexadecimal notation.

  • The sa string-key command sets a character string as the authentication key.

If two keys in different formats are configured, the key configured later takes effect.

Precautions

The inbound authentication key on the local end must be the same as the outbound authentication key on the remote end. The outbound authentication key on the local end must be the same as the inbound authentication key on the remote end.

The authentication key on both ends of an IPSec tunnel must use the same format. For example, an IPSec SA cannot be established if the authentication key on one end is a character string but that on the other end is a hexadecimal number.

Example

# In IPSec policy policy1 using AH and SHA2-256 on the local device, set the SPI and authentication key of the inbound IPSec SA to 10000 and 0x112233445566778899aabbccddeeff00aabbccddeeff001100aabbccddeeff00; set the SPI and authentication key of the outbound IPSec SA to 20000 and 0xaabbccddeeff001100aabbccddeeff00112233445566778899aabbccddeeff00.

<sysname> system-view
[sysname] ipsec proposal prop1
[sysname-ipsec-proposal-prop1] transform ah
[sysname-ipsec-proposal-prop1] ah authentication-algorithm sha2-256
[sysname-ipsec-proposal-prop1] quit
[sysname] ipsec policy policy1 1 manual
[sysname-ipsec-policy-manual-policy1-1] sa spi inbound ah 10000
[sysname-ipsec-policy-manual-policy1-1] sa authentication-hex inbound ah 112233445566778899aabbccddeeff00aabbccddeeff001100aabbccddeeff00
[sysname-ipsec-policy-manual-policy1-1] sa spi outbound ah 20000
[sysname-ipsec-policy-manual-policy1-1] sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00112233445566778899aabbccddeeff00

# In IPSec policy policy1 using AH and SHA2-256 on the remote device, set the SPI and authentication key of the inbound IPSec SA to 20000 and 0xaabbccddeeff001100aabbccddeeff00112233445566778899aabbccddeeff00; set the SPI and authentication key of the outbound IPSec SA to 10000 and 0x112233445566778899aabbccddeeff00aabbccddeeff001100aabbccddeeff00.

<sysname> system-view
[sysname] ipsec proposal prop1
[sysname-ipsec-proposal-prop1] transform ah
[sysname-ipsec-proposal-prop1] ah authentication-algorithm sha2-256
[sysname-ipsec-proposal-prop1] quit
[sysname] ipsec policy policy1 1 manual
[sysname-ipsec-policy-manual-policy1-1] sa spi inbound ah 20000
[sysname-ipsec-policy-manual-policy1-1] sa authentication-hex inbound ah aabbccddeeff001100aabbccddeeff00112233445566778899aabbccddeeff00
[sysname-ipsec-policy-manual-policy1-1] sa spi outbound ah 10000
[sysname-ipsec-policy-manual-policy1-1] sa authentication-hex outbound ah 112233445566778899aabbccddeeff00aabbccddeeff001100aabbccddeeff00
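
Added example, not part of the Huawei documentation: a Python pre-deployment check that each hex key has the length required by the configured algorithm (the hex-string list above) and that keys and SPIs mirror between the two ends, as the Precautions and the Example require. The function names, the TEMPLATE helper and the trimmed command listings are assumptions made for this illustration.

```python
import re

# Key length in bytes per authentication algorithm (hex-string parameter list above).
KEY_BYTES = {"md5": 16, "sha1": 20, "sha2-256": 32, "sha2-384": 48, "sha2-512": 64, "sm3": 32}
ALG_RE = re.compile(r"authentication-algorithm (\S+)")
SPI_RE = re.compile(r"sa spi (inbound|outbound) (?:ah|esp) (\d+)")
KEY_RE = re.compile(r"sa authentication-hex (inbound|outbound) (?:ah|esp) (\S+)")

def parse(listing):
    """Extract algorithm, SPIs and hex keys from one device's command listing."""
    sa = {"alg": None, "spi": {}, "key": {}}
    for line in listing.splitlines():
        if m := ALG_RE.search(line):
            sa["alg"] = m.group(1).lower()
        for field, rx in (("spi", SPI_RE), ("key", KEY_RE)):
            if m := rx.search(line):
                sa[field][m.group(1)] = m.group(2).lower()
    return sa

def check(local, remote):
    """Return a list of problems (key values are never echoed); empty means consistent."""
    problems = []
    for name, sa in (("local", local), ("remote", remote)):
        want = KEY_BYTES.get(sa["alg"])
        if want is None:
            problems.append(f"{name}: unknown or missing authentication algorithm")
            continue
        for direction in ("inbound", "outbound"):
            key = sa["key"].get(direction, "")
            if not re.fullmatch(r"[0-9a-f]{%d}" % (2 * want), key):
                problems.append(f"{name} {direction}: key is not {want} bytes of hex")
    # The inbound SA on one end must match the outbound SA on the other end.
    for a, b in (("inbound", "outbound"), ("outbound", "inbound")):
        if local["key"].get(a) != remote["key"].get(b):
            problems.append(f"local {a} key differs from remote {b} key")
        if local["spi"].get(a) != remote["spi"].get(b):
            problems.append(f"local {a} SPI differs from remote {b} SPI")
    return problems

# Constructed sample input: the relevant lines of the two listings in the Example above.
K1 = "112233445566778899aabbccddeeff00aabbccddeeff001100aabbccddeeff00"
K2 = "aabbccddeeff001100aabbccddeeff00112233445566778899aabbccddeeff00"
TEMPLATE = ("ah authentication-algorithm sha2-256\n"
            "sa spi inbound ah {0}\nsa authentication-hex inbound ah {1}\n"
            "sa spi outbound ah {2}\nsa authentication-hex outbound ah {3}\n")
LOCAL = TEMPLATE.format(10000, K1, 20000, K2)
REMOTE = TEMPLATE.format(20000, K2, 10000, K1)

if __name__ == "__main__":
    print(check(parse(LOCAL), parse(REMOTE)) or "both ends consistent")
```
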
Copyright © Huawei Technologies Co., Ltd.