Step
address of the IPsec
tunnel.
7.
Configure an SPI for the
inbound or outbound
IPsec SA.
8.
Configure keys for the
IPsec SA.
Configuring an IKE-based IPsec policy
In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE.
To configure an IKE-based IPsec policy, directly configure it by configuring the parameters in IPsec
policy view.
Configuration restrictions and guidelines
The IPsec configurations at the two ends of an IPsec tunnel must meet the following requirements:
•
The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same
security protocols, security algorithms, and encapsulation mode.
•
The IPsec policies at the two tunnel ends must have the same IKE profile parameters.
Command
•
To configure an SPI for the
inbound IPsec SA:
sa spi inbound { ah | esp }
spi-number
•
To configure an SPI for the
outbound IPsec SA:
sa spi outbound { ah | esp }
spi-number
•
Configure an authentication
key in hexadecimal format for
AH:
sa hex-key authentication
{ inbound | outbound } ah
{ cipher | simple } key-value
•
Configure an authentication
key in character format for
AH:
sa string-key { inbound |
outbound } ah { cipher |
simple } key-value
•
Configure a key in character
format for ESP:
sa string-key { inbound |
outbound } esp { cipher |
simple } key-value
•
Configure an authentication
key in hexadecimal format for
ESP:
sa hex-key authentication
{ inbound | outbound } esp
{ cipher | simple } key-value
•
Configure an encryption key
in hexadecimal format for
ESP:
sa hex-key encryption
{ inbound | outbound } esp
{ cipher | simple } key-value
112
Remarks
IPsec tunnel is not specified.
The local IPv4 address of the IPsec
tunnel is the primary IPv4 address of the
interface to which the IPsec policy is
applied.
By default, no SPI is configured for the
inbound or outbound IPsec SA.
By default, no keys are configured for
the IPsec SA.
Configure keys correctly for the security
protocol (AH, ESP, or both) you have
specified in the IPsec transform set
referenced by the IPsec policy.
If you configure a key in both the
character and the hexadecimal formats,
only the most recent configuration takes
effect.
If you configure a key in character
format for ESP, the device automatically
generates an authentication key and an
encryption key for ESP.