Configuring a manual IPsec profile

About manual IPsec profiles

A manual IPsec profile specifies the IPsec transform set used for protecting data flows, and the SPIs and keys used by the SAs.

Restrictions and guidelines

When you configure a manual IPsec profile, make sure the IPsec profile configuration at both tunnel ends meets the following requirements:

Procedure

  1. Enter system view.

    system-view

  2. Create a manual IPsec profile and enter its view.

    ipsec profile profile-name manual

    The manual keyword is not needed if you enter the view of an existing IPsec profile.

  3. (Optional.) Configure a description for the IPsec profile.

    description text

    By default, no description is configured.

  4. Specify an IPsec transform set.

    transform-set transform-set-name

    By default, no IPsec transform set is specified in an IPsec profile.

    The specified IPsec transform set must use the transport mode.

  5. Configure an SPI for an SA.

    sa spi { inbound | outbound } { ah | esp } spi-number

    By default, no SPI is configured for an SA.

  6. Configure keys for the IPsec SA.

    • Configure an authentication key in hexadecimal format for AH.

      sa hex-key authentication { inbound | outbound } ah { cipher | simple } string

    • Configure an authentication key in character format for AH.

      sa string-key { inbound | outbound } ah { cipher | simple } string

    • Configure a key in character format for ESP.

      sa string-key { inbound | outbound } esp { cipher | simple } string

    • Configure an authentication key in hexadecimal format for ESP.

      sa hex-key authentication { inbound | outbound } esp { cipher | simple } string

    • Configure an encryption key in hexadecimal format for ESP.

      sa hex-key encryption { inbound | outbound } esp { cipher | simple } string

    By default, no keys are configured for the IPsec SA.

    Configure a key for the security protocol (AH, ESP, or both) you have specified.
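
The following check is an added example, not part of the vendor documentation. It reads configuration text written with the commands from the procedure above and reports, for each manual IPsec profile, a missing transform set and any security protocol that lacks an SPI or a key in either direction. The function name audit_manual_profiles, the sample profiles and keys, and the rule that lines inside the profile view are indented are assumptions; both directions are checked because an SA is unidirectional.

```python
import re

# Command shapes follow the syntax lines in the procedure above.
PROFILE = re.compile(r"^ipsec profile (\S+) manual$")
SPI = re.compile(r"^sa spi (inbound|outbound) (ah|esp) \d+$")
KEY = re.compile(r"^sa (?:string-key|hex-key (?:authentication|encryption)) "
                 r"(inbound|outbound) (ah|esp) (?:cipher|simple) \S+$")

# Constructed sample: one complete profile, one with gaps. Names and keys are made up.
SAMPLE = """\
ipsec profile complete manual
 transform-set ts1
 sa spi inbound esp 1000
 sa spi outbound esp 1000
 sa string-key inbound esp simple ExampleKey1
 sa string-key outbound esp simple ExampleKey1
ipsec profile partial manual
 sa spi inbound ah 2000
 sa spi outbound ah 2000
 sa hex-key authentication inbound ah simple 00112233445566778899aabbccddeeff
"""

def audit_manual_profiles(config_text):
    """Return {profile name: [findings]} for each manual IPsec profile."""
    profiles, cur = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if (m := PROFILE.match(line)):
            cur = profiles.setdefault(m.group(1), {"ts": False, "spi": set(), "key": set()})
        elif cur is None or not raw[:1].isspace():
            cur = None  # assumption: commands inside the profile view are indented
        elif line.startswith("transform-set "):
            cur["ts"] = True
        elif (m := SPI.match(line)):
            cur["spi"].add(m.groups())
        elif (m := KEY.match(line)):
            cur["key"].add(m.groups())
    report = {}
    for name, p in profiles.items():
        findings = [] if p["ts"] else ["no transform-set specified"]
        protocols = sorted({proto for _, proto in p["spi"] | p["key"]})
        if not protocols:
            findings.append("no SPI or key configured")
        for proto in protocols:
            for direction in ("inbound", "outbound"):  # SAs are unidirectional
                for kind in ("spi", "key"):
                    if (direction, proto) not in p[kind]:
                        findings.append(f"{proto} {direction}: {kind} missing")
        report[name] = findings
    return report
```

For ESP, any one of the string-key or hex-key commands counts as a key here; whether both an authentication key and an encryption key are needed depends on the transform set, which this check does not inspect.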