HP FlexFabric 7900 Series Command Reference Manual page 149

undo sa hex-key encryption { inbound | outbound } esp
Default
No encryption key is configured for manual IPsec SAs.
Views
IPsec policy view
Predefined user roles
network-admin
Parameters
inbound: Specifies a hexadecimal encryption key for inbound SAs.
outbound: Specifies a hexadecimal encryption key for outbound SAs.
esp: Uses ESP.
cipher key-value: Sets a ciphertext encryption key, a case-sensitive string of 1 to 1 17 characters.
simple key-value: Sets a plaintext encryption key. The key-value argument is case insensitive and must be
an 8-byte hexadecimal string for DES-CBC, a 24-byte hexadecimal string for 3DES-CBC, a 16-byte
hexadecimal string for AES128-CBC, a 24-byte hexadecimal string for AES192-CBC, and a 32-byte
hexadecimal string for AES256-CBC.
Usage guidelines
This command applies to only manual IPsec policies.
You must set an encryption key for both the inbound and outbound SAs.
The local inbound SA must use the same encryption key as the remote outbound SA, and the local
outbound SA must use the same encryption key as the remote inbound SA.
If you configure a key in different formats (hexadecimal or character format), only the most recent
configuration takes effect.
The keys for the IPsec SAs at the two tunnel ends must be configured in the same format (either in
hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
Examples
# Configure plaintext encryption keys 0x1234567890abcdef and 0xabcdefabcdef1234 for the inbound
and outbound IPsec SAs that use ESP.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption inbound esp simple
1234567890abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption outbound esp simple
abcdefabcdef1234
Related commands
display ipsec sa
•
sa string-key
•
142