< Home

sa spi

Function

The sa spi command configures the Security Parameter Index (SPI) for a Security Association (SA).

The undo sa spi command deletes the SPI from an SA.

By default, no SPI is configured.

Format

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

Parameters

Parameter Description Value

inbound

Specifies SA parameters for incoming packets.

-

outbound

Specifies SA parameters for outgoing packets.

-

ah

Specifies SA parameters for Authentication Header (AH). If the security proposal applied to an SA uses AH, ah must be configured in the sa spi command.

-

esp

Specifies SA parameters for Encapsulating Security Payload (ESP). If the security proposal applied to an SA uses ESP, esp must be configured in the sa spi command.

-

spi-number

Specifies the SPI.

The value is an integer ranging from 256 to 4294967295.

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

SPI uniquely identifies an SA. When an SPI is configured for an SA, the SPI is carried in each sent packet. The receiver checks the packet authenticity based on the SPI. When the ipsec sa sa-name command is used to create an SA, run the sa spi command to configure the SPI.

Precautions

Set parameters for both inbound and outbound SAs.

The SPI for incoming packets on the local end must be identical with that for outgoing packets on the peer end and vice versa.

Example

# In an IPSec SA, set the SPI of the inbound SA to 10000 and the SPI of the outbound SA to 20000.

<HUAWEI> system-view
[HUAWEI] ipsec sa sa1
[HUAWEI-ipsec-sa-sa1] sa spi inbound ah 10000
[HUAWEI-ipsec-sa-sa1] sa spi outbound ah 20000
Parent Topic: IPSec Configuration Commands (IPSec Encryption)
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >