The sa string-key command configures a character string as an authentication key for an IPSec SA.
The undo sa string-key command cancels the configuration.
By default, the authentication key is not configured for an IPSec SA.
sa string-key { inbound | outbound } { ah | esp } string-key
undo sa string-key { inbound | outbound } { ah | esp }
| Parameter | Description | Value |
|---|---|---|
| inbound | Sets an authentication key for the inbound IPSec SA. | - |
| outbound | Sets an authentication key for the outbound IPSec SA. | - |
| ah | Sets an authentication key using the AH protocol. If the IPSec proposal referenced in an IPSec policy uses the AH protocol, the authentication key is set based on the ah keyword. | - |
| esp | Sets an authentication key using the ESP protocol. If the IPSec proposal referenced in an IPSec policy uses the ESP protocol, the authentication key is set based on the esp keyword. | - |
| string-key | Sets an authentication key for the IPSec SA. | The value is a string of case-sensitive characters without question marks (?) and spaces. The value is a string of 1 to 255 characters in plain text or 48 to 348 characters in cipher text. NOTE: To ensure security, the authentication key must meet the minimum complexity requirement. That is, the authentication key must be a combination of three of the following: uppercase letters, lowercase letters, digits, and special characters (such as !, @, #, $, and %). |
Usage Scenario
When an authentication algorithm is specified in the IPSec proposal referenced by a manually created IPSec policy, you must configure an authentication key for the inbound/outbound SA. The inbound authentication key on the local end must be the same as the outbound authentication key on the remote end. The outbound authentication key on the local end must be the same as the inbound authentication key on the remote end.
The authentication key can be a hexadecimal number or a character string.
The sa string-key command sets a character string as the authentication key.
The sa authentication-hex command sets an authentication key in hexadecimal notation.
If two keys in different formats are configured, the key configured later takes effect.
Precautions
The sa string-key command applies to manually created IPSec policies only. You do not need to set an authentication key for an IPSec SA established through IKE negotiation, because IKE peers automatically negotiate the authentication key.
The authentication key on both ends of an IPSec tunnel must use the same format. For example, an IPSec SA cannot be established if the authentication key on one end is a character string but that on the other end is a hexadecimal number.
# In IPSec policy policy1 using AH and SHA2-256 on the local device, set the SPI and authentication key of the inbound IPSec SA to 10000 and Test@123; set the SPI and authentication key of the outbound IPSec SA to 20000 and Test@456.
<sysname> system-view
[sysname] ipsec proposal prop1
[sysname-ipsec-proposal-prop1] transform ah
[sysname-ipsec-proposal-prop1] ah authentication-algorithm sha2-256
[sysname-ipsec-proposal-prop1] quit
[sysname] ipsec policy policy1 1 manual
[sysname-ipsec-policy-manual-policy1-1] sa spi inbound ah 10000
[sysname-ipsec-policy-manual-policy1-1] sa string-key inbound ah Test@123
[sysname-ipsec-policy-manual-policy1-1] sa spi outbound ah 20000
[sysname-ipsec-policy-manual-policy1-1] sa string-key outbound ah Test@456
# In IPSec policy policy1 using AH and SHA2-256 on the remote device, set the SPI and authentication key of the inbound IPSec SA to 20000 and Test@456; set the SPI and authentication key of the outbound IPSec SA to 10000 and Test@123.
<sysname> system-view
[sysname] ipsec proposal prop1
[sysname-ipsec-proposal-prop1] transform ah
[sysname-ipsec-proposal-prop1] ah authentication-algorithm sha2-256
[sysname-ipsec-proposal-prop1] quit
[sysname] ipsec policy policy1 1 manual
[sysname-ipsec-policy-manual-policy1-1] sa spi inbound ah 20000
[sysname-ipsec-policy-manual-policy1-1] sa string-key inbound ah Test@456
[sysname-ipsec-policy-manual-policy1-1] sa spi outbound ah 10000
[sysname-ipsec-policy-manual-policy1-1] sa string-key outbound ah Test@123
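As an added consistency check (not part of the original command reference and not a vendor tool), the following Python script parses the sa string-key / sa authentication-hex lines of the two manual policies above and verifies the rules stated in the Usage Scenario and Precautions: the local inbound key must equal the remote outbound key and vice versa, both ends must use the same key format, a later key line for the same SA overrides an earlier one, and each string key must meet the documented complexity rule. The embedded configurations are constructed from the examples above.

```python
import re
import string

# Constructed sample input: the sa string-key lines of the two examples above, one per device.
LOCAL_CFG = """
 sa string-key inbound ah Test@123
 sa string-key outbound ah Test@456
"""
REMOTE_CFG = """
 sa string-key inbound ah Test@456
 sa string-key outbound ah Test@123
"""
KEY_RE = re.compile(r"^\s*sa (string-key|authentication-hex) (inbound|outbound) (ah|esp) (\S+)\s*$")

def parse_sa_keys(cfg):
    """Return {(direction, protocol): (format, key)}; a later line for the same SA overrides."""
    keys = {}
    for line in cfg.splitlines():
        m = KEY_RE.match(line)
        if m:
            fmt, direction, proto, key = m.groups()
            keys[(direction, proto)] = (fmt, key)
    return keys

def key_complexity_ok(key):
    """Documented rule: 1-255 chars, no '?' or space, at least 3 of 4 character classes."""
    if not 1 <= len(key) <= 255 or "?" in key or " " in key:
        return False
    classes = [any(c.isupper() for c in key), any(c.islower() for c in key),
               any(c.isdigit() for c in key), any(c in string.punctuation for c in key)]
    return sum(classes) >= 3

def check_pair(local_cfg, remote_cfg):
    """Return a list of problems; an empty list means the two ends mirror each other."""
    local, remote = parse_sa_keys(local_cfg), parse_sa_keys(remote_cfg)
    problems = []
    for (direction, proto), (fmt, key) in local.items():
        peer_dir = "outbound" if direction == "inbound" else "inbound"  # keys are mirrored
        peer = remote.get((peer_dir, proto))
        if peer is None:
            problems.append(f"remote has no {peer_dir} {proto} key to match local {direction}")
            continue
        if peer[0] != fmt:  # both ends must use the same key format
            problems.append(f"{direction} {proto}: local uses {fmt}, remote uses {peer[0]}")
        elif peer[1] != key:
            problems.append(f"{direction} {proto}: local {direction} key differs from remote {peer_dir} key")
        if fmt == "string-key" and not key_complexity_ok(key):
            problems.append(f"{direction} {proto}: key does not meet complexity requirement")
    return problems
```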