sa encryption-hex
Syntax
sa encryption-hex { inbound | outbound } esp [ cipher | simple ] hex-key
undo sa encryption-hex { inbound | outbound } esp
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
esp: Uses ESP.
cipher string-key: Sets a ciphertext encryption key.
simple hex-key: Sets a plaintext encryption key.
hex-key: Encryption key for the SA. The hex-key argument is a case-sensitive ciphertext string of 8 to 117 characters when the cipher keyword is specified, or a case-insensitive plaintext hexadecimal string when the simple keyword is specified. The plaintext string must be a 16-byte hexadecimal string for AES128-CBC, a 24-byte hexadecimal string for AES192-CBC, or a 32-byte hexadecimal string for AES256-CBC. If neither cipher nor simple is specified, you set a plaintext encryption key string.
Description
Use the sa encryption-hex command to configure an encryption key for an SA.
Use the undo sa encryption-hex command to remove the configuration.
When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.
The encryption key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the encryption key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.
At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.
Related commands: ipsec policy (system view).
Examples
# Configure the encryption keys for the inbound and outbound SAs that use ESP as 0x1234567890abcdef and 0xabcdefabcdef1234, respectively.
<Sysname> system-view [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex inbound esp 1234567890abcdef [Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex outbound esp abcdefabcdef1234