H3C SecPath F1800-A Operation Manual page 534

Operation Manual - VPN
H3C SecPath F1800-A Firewall
Table 3-11 Configuring SPI for SA
Configure SPI for SA.
Delete SPI of SA.
When creating the SA, you must set inbound and outbound parameters respectively
for the SA.
SA parameters set on the two ends of the tunnel must fully match each other. That is,
the local inbound SPI must be consistent with the remote outbound SPI and vice
versa.
VII. Configuring Shared Key for SA (in Manual Mode Only)
This configuration task is only used for IPSec policies in manual mode. Using the
following command, you can manually input a shared key for the SA. As for IPSec
policies in isakmp mode, IKE will automatically negotiate a shared key for the SA.
Do as follows in IPSec policy view.
Table 3-12 Configuring shared key for SA
Configure the key for
authentication
hexadecimal format).
Configure the key for
authentication
character string format).
Configure
key for
hexadecimal format).
Delete the parameters of
SA.
Parameters of SA set on the two ends of the tunnel must fully match each other. That
is, the local inbound SPI and shared key must be consistent with the remote outbound
SPI and shared key, and vice versa.
For the character string key and hexadecimal key, the latest one will be adopted. On
both ends of security tunnel, shared key should be input in the same format. If shared
key is input in character string on one end and in hex on the other end, the security
tunnel cannot be correctly created.
Action
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
Action
sa authentication-hex { inbound | outbound } { ah |
(in
esp } hex-key
sa string-key { inbound | outbound } { ah | esp }
(in
string-key
encryption
sa encryption-hex { inbound | outbound } esp
ESP (in
hex-key
undo sa string-key { inbound | outbound } { ah | esp }
undo sa authentication-hex { inbound | outbound }
{ ah | esp }
undo sa encryption-hex { inbound | outbound } esp
Command
Command
7-54
Chapter 3 IPSec Configuration