pim hello ipsec sa

Function

The pim hello ipsec sa command specifies the security association (SA) that an interface uses to authenticate sent and received IPv4 PIM messages, implementing IP Security (IPsec) authentication.

The undo pim hello ipsec sa command restores the default configuration.

By default, no SA is specified for an interface, and the interface does not authenticate sent or received IPv4 PIM messages.

Format

pim hello ipsec sa sa-name

undo pim hello ipsec sa

Parameters

Parameter: sa-name
Description: Specifies the name of an SA.
Value: The value is a string of 1 to 15 case-sensitive characters without spaces. The characters can be letters or numbers; hyphens (-) are not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

100GE sub-interface view, 100GE interface view, 10GE sub-interface view, 10GE interface view, 200GE sub-interface view, 25GE sub-interface view, 25GE interface view, 400GE sub-interface view, 400GE interface view, 40GE sub-interface view, 40GE interface view, 50GE sub-interface view, 50GE interface view, Eth-Trunk sub-interface view, Eth-Trunk interface view, FlexE interface view, GE optical interface view, GE sub-interface view, GE interface view, GE electrical interface view, Global VE sub-interface view, Loopback interface view, PW-VE sub-interface view, Tunnel interface view, VE sub-interface view, VLANIF interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name: pim
Operations: write

Usage Guidelines

Usage Scenario

On a multicast network, forged IPv4 PIM messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks that use forged IPv4 PIM messages, run the pim ipsec sa command to configure an interface to authenticate sent and received IPv4 PIM messages.

To implement communication with a non-Huawei device that can encrypt and authenticate only IPv4 PIM Hello messages, specify the hello parameter in the pim ipsec sa command.

Prerequisites

  • The multicast routing function has been enabled using the multicast routing-enable command.
  • Basic IPsec functions have been configured.

Precautions

If the pim hello ipsec sa command is run more than once, the latest configuration overrides the previous one.

Only GRE tunnel interfaces support this command; other tunnel interfaces do not support it.

Example

# Configure a GRE tunnel interface to authenticate only sent and received IPv4 PIM Hello messages based on the SA named sa1.
<HUAWEI> system-view
[~HUAWEI] multicast routing-enable
[*HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1] quit
[*HUAWEI] interface tunnel 5
[*HUAWEI-Tunnel5] tunnel-protocol gre
[*HUAWEI-Tunnel5] pim hello ipsec sa sa1

# Configure GE 0/1/0 to authenticate sent and received IPv4 PIM messages based on the SA named sa1.
<HUAWEI> system-view
[~HUAWEI] multicast routing-enable
[*HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1] quit
[*HUAWEI] interface GigabitEthernet 0/1/0
[*HUAWEI-GigabitEthernet0/1/0] pim ipsec sa sa1
[*HUAWEI-GigabitEthernet0/1/0] pim hello ipsec sa sa1
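
An added example, not Huawei's own code: a Python audit of a saved configuration for the points this page makes (PIM interfaces left without an SA, sa-name values that break the naming rule, SAs that are referenced but never defined, and SAs bound to tunnel interfaces that are not GRE). The configuration layout, the use of a `pim sm` line to mark a PIM-enabled interface, and the `audit` helper are assumptions made for illustration.

```python
import re

# sa-name rule from the Parameters section: 1 to 15 letters or digits; spaces
# only inside double quotes (assumed here: the limit counts the quoted text).
SA_NAME = re.compile(r'[A-Za-z0-9]{1,15}|"[A-Za-z0-9 ]{1,15}"')
PIM_SA = re.compile(r"pim (hello )?ipsec sa (.+)")

def audit(config):
    """Return sorted (interface, finding) pairs for a saved configuration."""
    defined, blocks, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("ipsec sa "):            # global SA definition
            defined.add(line[len("ipsec sa "):].strip('"'))
        if raw.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif raw.startswith(" ") and current is not None:
            current.append(line)                   # command inside the interface view
        else:
            current = None                         # "#" or any other top-level line
    findings = []
    for name, lines in blocks.items():
        sas = [m.group(2) for m in map(PIM_SA.fullmatch, lines) if m]
        if "pim sm" in lines and not sas:          # assumption: "pim sm" marks PIM
            findings.append((name, "PIM enabled, no SA: messages unauthenticated"))
        for sa in sas:
            if not SA_NAME.fullmatch(sa):
                findings.append((name, "invalid sa-name " + sa))
            elif sa.strip('"') not in defined:
                findings.append((name, "SA not defined: " + sa))
        if sas and name.startswith("Tunnel") and "tunnel-protocol gre" not in lines:
            findings.append((name, "SA on non-GRE tunnel interface"))
    return sorted(findings)

# Constructed sample (not from a real device); one-space indent is assumed.
SAMPLE = """\
ipsec sa sa1
interface GigabitEthernet0/1/0
 pim sm
 pim ipsec sa sa1
interface GigabitEthernet0/1/1
 pim sm
interface Tunnel5
 tunnel-protocol gre
 pim hello ipsec sa sa-2
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```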
Copyright © Huawei Technologies Co., Ltd.