The ipsec sa command specifies an IPSec SA globally used for encrypting and authenticating PIM messages sent and received by the device.
The undo ipsec sa command deletes the IPSec SA globally used for encrypting and authenticating PIM messages sent and received by the device.
By default, no IPSec SA is specified for encrypting and authenticating PIM messages.
| Parameter | Description | Value |
|---|---|---|
unicast-message |
Authenticates only PIM unicast messages. If you do not specify this keyword, the device authenticates only PIM multicast messages. |
- |
sa-name |
Specifies the name of the globally used SA. |
The value is an existing SA name. |
Usage Scenario
On an IPv4 multicast network, if multicast devices are attacked by forged PIM messages, multicast data forwarding between multicast devices will be interrupted. To protect multicast devices against such attacks, configure PIM IPSec on the multicast devices to authenticate PIM messages they send and receive.
Prerequisites
IP multicast routing has been enabled using the multicast routing-enable command.
Precautions
If you run both the ipsec sa sa-name command and the hello ipsec sa (IPv4) command in the PIM view, the last configured one takes effect.
This command has the same function as the pim ipsec sa command used in the interface view, except for the effective scope. The configuration in the interface view takes precedence over the configuration in the PIM view. If SAs are specified in both the interface view and PIM view, the specified interface uses the SA configured in the interface view. If no SA is specified on an interface, the interface uses the SA specified in the PIM view.