consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP
peers or a BGP peer group.
The keys for the IPsec SAs at the two tunnel ends must be configured in the same format. For
•
example, if the key at one end is entered as a string of characters, the key on the other end must also
be entered as a string of characters.
To configure a manual IPsec profile:
Step
1.
Enter system view.
2.
Create a manual IPsec
profile and enter its view.
3.
(Optional.) Configure a
description for the IPsec
profile.
4.
Reference an IPsec
transform set for the IPsec
profile.
5.
Configure an SPI for an
SA.
6.
Configure keys for the
IPsec SA.
Command
system-view
ipsec profile profile-name manual
description text
transform-set transform-set-name
sa spi { inbound | outbound } { ah |
esp } spi-number
•
Configure an authentication key in
hexadecimal format for AH:
sa hex-key authentication
{ inbound | outbound } ah { cipher
| simple } key-value
•
Configure an authentication key in
character format for AH:
sa string-key { inbound |
outbound } ah { cipher | simple }
key-value
•
Configure a key in character
format for ESP:
sa string-key { inbound |
outbound } esp [ cipher | simple ]
key-value
•
Configure an authentication key in
hexadecimal format for ESP:
sa hex-key authentication
{ inbound | outbound } esp
{ cipher | simple } key-value
•
Configure an encryption key in
hexadecimal format for ESP:
sa hex-key encryption { inbound |
outbound } esp { cipher | simple }
key-value
239
Remarks
N/A
By default, no IPsec profile exists.
The manual keyword is not needed
if you enter the view of an existing
IPsec profile.
By default, no description is
configured.
By default, no IPsec transform set is
referenced for an IPsec profile.
The referenced IPsec transform set
must use the transport mode.
By default, no SPI is configured for
an SA.
By default, no keys are configured
for the IPsec SA.
Configure a key for the security
protocol (AH, ESP, or both) you
have specified.
If you configure a key in character
format for ESP, the device
automatically generates an
authentication key and an
encryption key for ESP.
If you configure a key in both the
character and hexadecimal
formats, only the most recent
configuration takes effect.