sa encryption-hex

Function

The sa encryption-hex command configures an encryption key for an IPSec SA.

The undo sa encryption-hex command cancels the configuration.

By default, the encryption key is not configured for an IPSec SA.

Format

sa encryption-hex { inbound | outbound } esp hex-string

undo sa encryption-hex { inbound | outbound } esp

Parameters

| Parameter | Description | Value |
|---|---|---|
| inbound | Sets an encryption key for the inbound IPSec SA. IPSec uses the inbound IPSec SA to process incoming packets. | - |
| outbound | Sets an encryption key for the outbound IPSec SA. IPSec uses the outbound IPSec SA to process outgoing packets. | - |
| esp | Sets an encryption key using the ESP protocol. If the IPSec proposal referenced in an IPSec policy uses the ESP protocol, the authentication key is set based on the esp keyword. | - |
| hex-string | Sets an encryption key for the IPSec SA. | The value is a hexadecimal number. Key length by algorithm: DES, 8 bytes; 3DES, 24 bytes; AES-128, 16 bytes; AES-192, 24 bytes; AES-256, 32 bytes; SM4, 16 bytes. |

Views

Manual IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The sa encryption-hex command applies to manually created IPSec policies only. You do not need to set an encryption key for an IPSec SA established through IKE negotiation, because IKE peers automatically negotiate the encryption key.

Precautions

When configuring manual IPSec policies, you must set encryption keys for the IPSec SAs in inbound and outbound directions. The inbound encryption key on the local end must be the same as the outbound encryption key on the remote end. The outbound encryption key on the local end must be the same as the inbound encryption key on the remote end.
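
The key lengths listed for hex-string and the mirroring rule in the Precautions can be checked offline before a manual policy is entered on both ends. The Python script below is an added example, not Huawei code: it validates each key against the length table and verifies that each end's inbound key equals the peer's outbound key. The function names and the dictionary layout with inbound and outbound fields are assumptions made for this illustration, and the sample keys are constructed.

```python
import string

# Key lengths in bytes, from the hex-string parameter description on this page.
KEY_BYTES = {"des": 8, "3des": 24, "aes-128": 16,
             "aes-192": 24, "aes-256": 32, "sm4": 16}

# The two keys printed in this page's Example; they are public, so flag any reuse.
DOC_EXAMPLE_KEYS = {
    "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef",
    "abcdefabcdef1234abcdefabcdef1234abcdefabcdef1234abcdefabcdef1234",
}

def check_key(algorithm, hex_string):
    """Return problems found in one hex-string value (empty list means OK)."""
    want = KEY_BYTES.get(algorithm.lower())
    if want is None:
        return [f"unknown algorithm {algorithm!r}"]
    if not hex_string or any(c not in string.hexdigits for c in hex_string):
        return ["not a hexadecimal string"]
    problems = []
    if len(hex_string) != 2 * want:
        problems.append(f"{algorithm} needs {want} bytes ({2 * want} hex digits), "
                        f"got {len(hex_string)} digits")
    if hex_string.lower() in DOC_EXAMPLE_KEYS:
        problems.append("key is a published documentation example")
    return problems

def check_pair(algorithm, local, remote):
    """Check both ends; local/remote are dicts with 'inbound' and 'outbound' keys."""
    problems = [f"{end} {direction}: {p}"
                for end, sa in (("local", local), ("remote", remote))
                for direction in ("inbound", "outbound")
                for p in check_key(algorithm, sa[direction])]
    # Precautions: each end's inbound key must equal the peer's outbound key.
    if local["inbound"].lower() != remote["outbound"].lower():
        problems.append("local inbound key differs from remote outbound key")
    if local["outbound"].lower() != remote["inbound"].lower():
        problems.append("local outbound key differs from remote inbound key")
    return problems

if __name__ == "__main__":
    # Constructed sample: the remote end was given the same directions as the
    # local end instead of the mirrored ones, so both pairing checks fail.
    local = {"inbound": "00112233445566778899aabbccddeeff" * 2,
             "outbound": "ffeeddccbbaa99887766554433221100" * 2}
    remote = dict(local)  # wrong: copied, not mirrored
    for line in check_pair("aes-256", local, remote):
        print(line)
```
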

Example

# In IPSec policy policy1 using ESP and AES-256, set the SPI and encryption key of the inbound IPSec SA to 10000 and 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef; set the SPI and encryption key of the outbound IPSec SA to 20000 and 0xabcdefabcdef1234abcdefabcdef1234abcdefabcdef1234abcdefabcdef1234.

<sysname> system-view
[sysname] ipsec proposal prop1
[sysname-ipsec-proposal-prop1] quit
[sysname] ipsec policy policy1 1 manual
[sysname-ipsec-policy-manual-policy1-1] proposal prop1
[sysname-ipsec-policy-manual-policy1-1] sa spi inbound esp 10000
[sysname-ipsec-policy-manual-policy1-1] sa encryption-hex inbound esp 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
[sysname-ipsec-policy-manual-policy1-1] sa spi outbound esp 20000
[sysname-ipsec-policy-manual-policy1-1] sa encryption-hex outbound esp abcdefabcdef1234abcdefabcdef1234abcdefabcdef1234abcdefabcdef1234
Copyright © Huawei Technologies Co., Ltd.