Configuring a keychain
Enter system view.
system-view
Create a keychain and enter keychain view.
keychain keychain-name mode absolute
(Optional.) Configure TCP authentication.
Set the kind value in the TCP Enhanced Authentication Option.
tcp-kind kind-value
By default, the kind value is 254.
Set an algorithm ID for a TCP authentication algorithm.
tcp-algorithm-id { hmac-md5 | md5 } algorithm-id
By default, the algorithm ID is 3 for the MD5 authentication algorithm, and is 5 for the HMAC-MD5 authentication algorithm.
When the local device uses TCP to communicate with a peer device from another vendor, make sure both devices have the same kind value and algorithm ID settings. If they do not, modify the settings on the local device.
(Optional.) Set a tolerance time for accept keys in the keychain.
accept-tolerance { value | infinite }
By default, no tolerance time is configured for accept keys in a keychain.
If authentication information is changed, a mismatch occurs between the local and peer devices, and the service might be interrupted. Use this command to ensure continuous packet authentication.
Create a key and enter key view.
key key-id
Configure the key.
Specify an authentication algorithm for the key.
authentication-algorithm { hmac-md5 | hmac-sha-256 | md5 }
By default, no authentication algorithm is specified for a key.
Configure a key string for the key.
key-string { cipher | plain } string
By default, no key string is configured.
Set the sending lifetime in UTC mode for the key.
send-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }
By default, the sending lifetime is not configured for a key.
Set the receiving lifetime in UTC mode for the key.
accept-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }
By default, the receiving lifetime is not configured for a key.
(Optional.) Specify the key as the default send key.
default-send-key
You can specify only one key as the default send key in a keychain.
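An added example, not part of the original documentation: a short Python audit that reads keychain commands in the syntax above and reports keys using md5 or hmac-md5, keys left at the default of no send or accept lifetime, and gaps between the send lifetimes of successive keys. The sample configuration, the keychain name kc1, the HH:MM:SS YYYY/MM/DD time format and durations in seconds are assumptions; parse_keys and audit are hypothetical helper names.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. Assumed formats: HH:MM:SS time, YYYY/MM/DD date, duration in seconds.
SAMPLE = """\
keychain kc1 mode absolute
 key 1
  authentication-algorithm hmac-md5
  send-lifetime utc 00:00:00 2024/01/01 to 00:00:00 2024/04/01
  accept-lifetime utc 00:00:00 2024/01/01 to 00:00:00 2024/04/08
 key 2
  authentication-algorithm hmac-sha-256
  send-lifetime utc 00:00:00 2024/04/02 duration infinite
"""
FMT = "%H:%M:%S %Y/%m/%d"
LIFETIME = re.compile(r"(send|accept)-lifetime utc (\S+ \S+) (?:duration (\S+)|to (\S+ \S+))")

def parse_keys(text):
    """Return {key_id: settings} for each 'key key-id' block; end=None means infinite."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = LIFETIME.fullmatch(line)
        if re.fullmatch(r"key \d+", line):
            cur = keys.setdefault(int(line.split()[1]), {})
        elif cur is not None and line.startswith("authentication-algorithm "):
            cur["algorithm"] = line.split()[1]
        elif cur is not None and m:
            start = datetime.strptime(m[2], FMT)
            if m[4]:
                end = datetime.strptime(m[4], FMT)
            else:
                end = None if m[3] == "infinite" else start + timedelta(seconds=int(m[3]))
            cur[m[1]] = (start, end)
    return keys

def audit(text):
    """List MD5-based keys, unset lifetimes, and gaps between send lifetimes."""
    keys, findings = parse_keys(text), []
    for kid, k in sorted(keys.items()):
        if k.get("algorithm") in ("md5", "hmac-md5"):
            findings.append(f"key {kid}: {k['algorithm']} in use; hmac-sha-256 is available")
        findings += [f"key {kid}: no {d}-lifetime configured" for d in ("send", "accept") if d not in k]
    windows = sorted((k["send"] for k in keys.values() if "send" in k), key=lambda w: w[0])
    covered = windows[0][1] if windows else None  # end of send coverage so far
    for start, end in windows[1:]:
        if covered is not None and start > covered:
            findings.append(f"no send key from {covered} to {start}")
        covered = max(covered, end) if None not in (covered, end) else None
    return findings
```

Calling audit(SAMPLE) returns three findings for the constructed configuration; moving the start of key 2's send lifetime to before key 1's end removes the gap finding.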