The sa string-key command configures an authentication key in the string format.
The undo sa string-key command deletes an authentication key from Security Associations (SAs).
By default, no authentication key is created.
sa string-key { inbound | outbound } { ah | esp } [ cipher ] string-cipher-key
undo sa string-key { inbound | outbound } { ah | esp }
Parameter | Description | Value |
---|---|---|
inbound | Specifies SA parameters for incoming packets. | - |
outbound | Specifies SA parameters for outgoing packets. | - |
ah | Specifies SA parameters for Authentication Header (AH). If the security proposal applied to an SA uses AH, ah must be configured in the sa string-key command. | - |
esp | Specifies SA parameters for Encapsulating Security Payload (ESP). If the security proposal applied to an SA uses ESP, esp must be configured in the sa string-key command. | - |
cipher | Indicates that the authentication key is given in cipher text. | - |
string-cipher-key | Specifies the cipher-text key. | The value is a case-sensitive string of letters or digits: 1 to 127 characters in plain text, or 20 to 392 characters in encrypted text. The question mark (?) and spaces are not allowed, except that spaces are allowed when the string is enclosed in quotation marks ("). |
Usage Scenario
AH and ESP can use Message Digest 5 (MD5), Secure Hash Algorithm 1 (SHA-1), or SHA-256 for authentication; each requires an authentication key in the string or hexadecimal format. To configure an authentication key in the string format, run the sa string-key command. MD5 and SHA-1 are not recommended because they cannot meet security defense requirements.
Precautions
Set parameters for both inbound and outbound SAs.
SA parameters on both IPSec peers must be identical. The authentication key for incoming packets on the local end must be identical to the key for outgoing packets on the peer end, and vice versa.
The authentication key can be in the hexadecimal or string format. To configure an authentication key in the hexadecimal format, run the sa authentication-hex command. If multiple authentication keys are configured, the latest one takes effect. The formats of the authentication keys on both IPSec peers must be identical: if a string-format key is configured on one end and a hexadecimal-format key on the other end, the two ends cannot communicate.
# In an IPSec SA, set the authentication key of the inbound SA to abcdef, and the authentication key of the outbound SA to efcdab. The authentication key is displayed in cipher text.
<HUAWEI> system-view
[HUAWEI] ipsec sa sa1
[HUAWEI-ipsec-sa-sa1] sa string-key inbound ah cipher abcdef
[HUAWEI-ipsec-sa-sa1] sa string-key outbound ah cipher efcdab
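The Precautions above are easy to get wrong when keys are managed by hand, so here is an added pre-deployment check, written for this page and not part of Huawei's documentation or software, that encodes them: it validates a string-cipher-key against the length and character rules in the parameter table, and confirms that two peers set both directions, use the same key format, and mirror their inbound and outbound keys. The SaKeys dictionary layout is an assumption made for this example.

```python
from typing import Dict, List, Optional

# Constructed representation of one IPSec peer's SA keys (not a device data
# structure): direction -> {"format": "string" | "hex", "key": str}
SaKeys = Dict[str, Dict[str, str]]

PLAIN_LEN = (1, 127)    # plain-text string-key length from the reference
CIPHER_LEN = (20, 392)  # encrypted-text string-key length from the reference

def validate_string_key(key: str, encrypted: bool = False) -> Optional[str]:
    """Return None if key satisfies the string-cipher-key rules, else the reason."""
    quoted = len(key) >= 2 and key[0] == '"' and key[-1] == '"'
    body = key[1:-1] if quoted else key
    lo, hi = CIPHER_LEN if encrypted else PLAIN_LEN
    if not lo <= len(body) <= hi:
        return f"length {len(body)} outside {lo}..{hi}"
    if "?" in body:
        return "question mark (?) is not allowed"
    if " " in body and not quoted:
        return "space is only allowed inside a quoted string"
    return None

def check_peers(local: SaKeys, peer: SaKeys) -> List[str]:
    """Apply the Precautions: both directions set, formats match, keys mirror."""
    problems: List[str] = []
    for side, cfg in (("local", local), ("peer", peer)):
        for direction in ("inbound", "outbound"):
            if direction not in cfg:
                problems.append(f"{side}: {direction} SA key not set")
    if problems:
        return problems
    # local inbound must equal peer outbound and vice versa, in the same format
    for l_dir, p_dir in (("inbound", "outbound"), ("outbound", "inbound")):
        l, p = local[l_dir], peer[p_dir]
        if l["format"] != p["format"]:
            problems.append(f"format mismatch: local {l_dir} is {l['format']}, "
                            f"peer {p_dir} is {p['format']}")
        elif l["key"] != p["key"]:
            problems.append(f"key mismatch: local {l_dir} != peer {p_dir}")
    return problems

# Constructed sample: the page's abcdef/efcdab keys, mirrored on the peer.
LOCAL = {"inbound": {"format": "string", "key": "abcdef"},
         "outbound": {"format": "string", "key": "efcdab"}}
PEER = {"inbound": {"format": "string", "key": "efcdab"},
        "outbound": {"format": "string", "key": "abcdef"}}

if __name__ == "__main__":
    print(check_peers(LOCAL, PEER))  # [] when the two ends mirror each other
```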