sa spi

Function

The sa spi command configures a Security Parameter Index (SPI) for an IPSec SA.

The undo sa spi command cancels the configuration.

By default, the SPI of an IPSec SA is not configured.

Format

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| inbound | Sets an SPI for the inbound IPSec SA. | - |
| outbound | Sets an SPI for the outbound IPSec SA. | - |
| ah | Sets an SPI using the AH protocol. If the IPSec proposal referenced in an IPSec policy uses the AH protocol, the authentication key is set based on the ah keyword. | - |
| esp | Sets an SPI using the ESP protocol. If the IPSec proposal referenced in an IPSec policy uses the ESP protocol, the authentication key is set based on the esp keyword. | - |
| spi-number | Sets an SPI for the IPSec SA. | The value is an integer that ranges from 256 to 4294967295. |

Views

Manual IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IPSec SA is uniquely identified by a 3-tuple consisting of the SPI, the destination IP address, and the security protocol number (AH or ESP). The receiver uses the SPI to identify the binding between a data flow and an IPSec SA.

When manually configuring an IPSec policy, you must specify the SPIs for inbound and outbound SAs. The inbound SPI on the local end must be the same as the outbound SPI on the remote end. The outbound SPI on the local end must be the same as the inbound SPI on the remote end.

Precautions

This command applies to manually created IPSec policies only. You do not need to set an SPI for an IPSec SA established through IKE negotiation, because IKE peers automatically negotiate the SPI.

Example

# In IPSec policy policy1 using AH and SHA2-256 on the local device, set the SPI of the inbound IPSec SA to 10000; set the SPI of the outbound IPSec SA to 20000.

<sysname> system-view
[sysname] ipsec proposal prop1
[sysname-ipsec-proposal-prop1] transform ah
[sysname-ipsec-proposal-prop1] ah authentication-algorithm sha2-256
[sysname-ipsec-proposal-prop1] quit
[sysname] ipsec policy policy1 1 manual
[sysname-ipsec-policy-manual-policy1-1] sa spi inbound ah 10000
[sysname-ipsec-policy-manual-policy1-1] sa spi outbound ah 20000

# In IPSec policy policy1 using AH and SHA2-256 on the remote device, set the SPI of the inbound IPSec SA to 20000; set the SPI of the outbound IPSec SA to 10000.

<sysname> system-view
[sysname] ipsec proposal prop1
[sysname-ipsec-proposal-prop1] transform ah
[sysname-ipsec-proposal-prop1] ah authentication-algorithm sha2-256
[sysname-ipsec-proposal-prop1] quit
[sysname] ipsec policy policy1 1 manual
[sysname-ipsec-policy-manual-policy1-1] sa spi inbound ah 20000
[sysname-ipsec-policy-manual-policy1-1] sa spi outbound ah 10000
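
The mirroring rule from Usage Guidelines and the documented spi-number range can be checked before deployment by comparing both peers' configuration text. The following is an added example, not Huawei code; parse_spis and check_peers are hypothetical helper names, and BAD_REMOTE is a constructed faulty input.

```python
import re

# Syntax from this page: sa spi { inbound | outbound } { ah | esp } spi-number
SA_SPI = re.compile(r"\bsa spi (inbound|outbound) (ah|esp) (\d+)\s*$")
SPI_MIN, SPI_MAX = 256, 4294967295  # value range documented for spi-number


def parse_spis(config_text):
    """Return {(direction, protocol): spi} for every 'sa spi' line."""
    spis = {}
    for line in config_text.splitlines():
        m = SA_SPI.search(line)
        if m:
            spis[(m.group(1), m.group(2))] = int(m.group(3))
    return spis


def check_peers(local_cfg, remote_cfg):
    """List the problems that would keep a manual SA pair from matching."""
    local, remote = parse_spis(local_cfg), parse_spis(remote_cfg)
    problems = []
    for name, spis in (("local", local), ("remote", remote)):
        for (direction, proto), spi in sorted(spis.items()):
            if not SPI_MIN <= spi <= SPI_MAX:
                problems.append(f"{name} {direction} {proto} SPI {spi} out of range")
    for proto in ("ah", "esp"):
        if not any(p == proto for spis in (local, remote) for _, p in spis):
            continue  # protocol not configured on either side
        # Local inbound must equal remote outbound, and vice versa.
        for near, far in (("inbound", "outbound"), ("outbound", "inbound")):
            a, b = local.get((near, proto)), remote.get((far, proto))
            if a is None or b is None:
                problems.append(f"{proto}: local {near} / remote {far} SPI missing")
            elif a != b:
                problems.append(f"{proto}: local {near} {a} != remote {far} {b}")
    return problems


# Peer configurations taken from the Example section above.
LOCAL = """[sysname-ipsec-policy-manual-policy1-1] sa spi inbound ah 10000
[sysname-ipsec-policy-manual-policy1-1] sa spi outbound ah 20000"""
REMOTE = """[sysname-ipsec-policy-manual-policy1-1] sa spi inbound ah 20000
[sysname-ipsec-policy-manual-policy1-1] sa spi outbound ah 10000"""
# Constructed faulty peer: SPIs copied unmirrored, one below the minimum.
BAD_REMOTE = "sa spi inbound ah 10000\nsa spi outbound ah 100"

if __name__ == "__main__":
    print(check_peers(LOCAL, REMOTE))      # matching pair
    print(check_peers(LOCAL, BAD_REMOTE))  # mismatches and range error
```
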
Copyright © Huawei Technologies Co., Ltd.