sa authentication-hex

Function

The sa authentication-hex command sets an authentication key in hexadecimal format or cipher text for Security Associations (SAs).

The undo sa authentication-hex command deletes an authentication key from SAs.

By default, no authentication key is created.

Format

sa authentication-hex { inbound | outbound } { ah | esp } [ cipher ] { hex-plain-key | hex-cipher-key }

undo sa authentication-hex { inbound | outbound } { ah | esp }

Parameters

Parameter Description Value
inbound

Specifies SA parameters for incoming packets.

-

outbound

Specifies SA parameters for outgoing packets.

-

ah

Specifies SA parameters for Authentication Header (AH). If the security proposal applied to an SA uses AH, ah must be configured in the sa authentication-hex command.

-

esp

Specifies SA parameters for Encapsulating Security Payload (ESP). If the security proposal applied to an SA uses ESP, esp must be configured in the sa authentication-hex command.

-

cipher

Indicates the cipher text used for authentication.

-

hex-plain-key

Sets the authentication password to be in plaintext format.

The value is in hexadecimal notation.
  • If authentication algorithm Message Digest 5 (MD5) is used, the length of the key is 16 bytes.
  • If authentication algorithm Secure Hash Algorithm-1 (SHA-1) is used, the length of the key is 20 bytes.
  • If authentication algorithm SHA2-256 is used, the length of the key is 32 bytes.

hex-cipher-key

Sets the authentication password to be in ciphertext format.

The value is a string of case-insensitive characters without spaces.
  • If authentication algorithm MD5 is used, the length of the key is 68.
  • If authentication algorithm SHA-1 is used, the length of the key is 88.
  • If authentication algorithm SHA2-256 is used, the length of the key is 108.

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

AH and ESP can use MD5, SHA-1, or SHA-256, each of which requires an authentication key in string or hexadecimal format. If an authentication key in hexadecimal format is required, run the sa authentication-hex command. The MD5 and SHA-1 algorithms are not recommended because they cannot meet current security defense requirements.

Precautions

Set parameters for both inbound and outbound SAs.

SA parameters on both IPSec peers must be identical. The authentication key for incoming packets on the local end must be identical to the key for outgoing packets on the peer end, and vice versa.

The authentication key can be in the hexadecimal or string format. To configure an authentication key in the string format, run the sa string-key command. If multiple authentication keys are configured, the latest one takes effect. The formats of authentication keys on both IPSec peers must be identical. If an authentication key in the string format is configured on one end and an authentication key in the hexadecimal format on another end, the two ends cannot communicate.
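The key-length rules from the Parameters section and the peer-matching rule above can be checked before a configuration is committed. The following audit script is an added example, not part of the command reference; the two peer configurations are constructed, and it handles only hex-plain-key values (a hex-cipher-key is an opaque encrypted string and cannot be compared across peers this way).

```python
import re
# Required hex-plain-key lengths in bytes, as given in the command reference.
KEY_BYTES = {"md5": 16, "sha1": 20, "sha2-256": 32}

# Constructed sample configuration for two IPSec peers (not from the page).
LOCAL_CONFIG = """\
ipsec sa sa1
 sa authentication-hex inbound ah 112233445566778899aabbccddeeff00
 sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00
"""
PEER_CONFIG = """\
ipsec sa sa1
 sa authentication-hex inbound ah aabbccddeeff001100aabbccddeeff00
 sa authentication-hex outbound ah 112233445566778899aabbccddeeff00
"""

LINE_RE = re.compile(
    r"^\s*sa authentication-hex\s+(inbound|outbound)\s+(ah|esp)\s+(?:cipher\s+)?(\S+)\s*$"
)

def parse_sa_keys(config):
    """Return {(direction, protocol): key} for each sa authentication-hex line."""
    keys = {}
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if m:
            direction, proto, key = m.groups()
            keys[(direction, proto)] = key.lower()
    return keys

def check_key_length(hex_key, algorithm):
    """A hex-plain-key must be valid hex with exactly the algorithm's byte length."""
    if not re.fullmatch(r"[0-9a-fA-F]+", hex_key) or len(hex_key) % 2:
        return False
    return len(hex_key) // 2 == KEY_BYTES[algorithm]

def audit_peers(local_cfg, peer_cfg, algorithm):
    """Return a list of findings; an empty list means the peer pair is consistent."""
    local, peer = parse_sa_keys(local_cfg), parse_sa_keys(peer_cfg)
    findings = []
    for name, cfg in (("local", local), ("peer", peer)):
        for (direction, proto), key in cfg.items():
            if not check_key_length(key, algorithm):
                findings.append(f"{name} {direction} {proto}: bad key length for {algorithm}")
    for proto in {p for _, p in list(local) + list(peer)}:
        # Local inbound must equal peer outbound, and vice versa; a missing
        # direction on either side also surfaces here as a mismatch.
        for a, b in (("inbound", "outbound"), ("outbound", "inbound")):
            if local.get((a, proto)) != peer.get((b, proto)):
                findings.append(f"{proto}: local {a} key != peer {b} key")
    return findings
```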

Example

# In an IPSec SA, set the authentication key of the inbound SA to 112233445566778899aabbccddeeff00, and the authentication key of the outbound SA to aabbccddeeff001100aabbccddeeff00. The authentication key is displayed in cipher text.

<HUAWEI> system-view
[HUAWEI] ipsec sa sa1
[HUAWEI-ipsec-sa-sa1] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00
[HUAWEI-ipsec-sa-sa1] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00
Copyright © Huawei Technologies Co., Ltd.