sa spi

Syntax

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

View

IPsec policy view

Default level

2: System level

Parameters

inbound: Specifies the inbound SA through which IPsec processes the received packets.

outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.

ah: Uses AH.

esp: Uses ESP.

spi-number: Security parameters index (SPI) in the SA triplet, in the range 256 to 4294967295.

Description

Use the sa spi command to configure an SPI for an SA.

Use the undo sa spi command to remove the configuration.

When configuring a manual IPsec policy, you must configure parameters for both inbound and outbound SAs, and make sure that you specify different SPIs for different SAs.

The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.

Related commands: ipsec policy (system view).

Examples

# Set the SPI for the inbound SA to 10000 and that for the outbound SA to 20000 in a manual IPsec policy.

<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000
[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 20000