The capwap dtls inter-controller psk command configures a pre-shared key (PSK) for DTLS encryption of an inter-AC tunnel.
The undo capwap dtls inter-controller psk command restores the default PSK used for DTLS encryption of an inter-AC tunnel.
The default PSK for DTLS encryption of an inter-AC tunnel is huawei_seccwp.
Parameter |
Description |
Value |
|---|---|---|
psk-value |
Specifies a PSK for DTLS encryption. |
The value is string of 48 or 68 characters in ciphertext (for example, %^%#u(Oz:BL,QKYZw%-JWC*P8aGC,="C&M'OI*Gmt.V(%^%#) or a string of 6 to 32 characters in plaintext (for example, a1234567). The key must contain at least two types of the following: uppercase letters, lowercase letters, digits, and special characters. |
Usage Scenario
After ACs establish a connection, they start a DTLS session. DTLS supports PSK encryption. When a PSK is used for DTLS encryption, you can use this command to change the value of the PSK on the AC.
Follow-up Procedure
Run the capwap dtls inter-controller control-link encrypt command to enable DTLS encryption for an inter-AC control tunnel.
Precautions
If you modify the PSK after an inter-AC tunnel is set up, the modification takes effect at the next tunnel setup.
DTLS encryption must be enabled on ACs at both ends of the tunnel, and the ACs must have the same PSK.
It is recommended that you configure the same PSK on the ACs at both ends before enabling DTLS encryption. In this way, the ACs have the same PSK. If you enable DTLS encryption first, and the ACs have different PSKs, DTLS negotiation fails. As a result, the tunnel cannot be set up between the two ACs.