ipsec sa (VPN instance PIM view)

Function

The hello ipsec sa command globally specifies a security association (SA) that interfaces use to authenticate sent and received IPv4 PIM Hello messages, implementing IP Security (IPsec) authentication.

The undo hello ipsec sa command restores the default configuration.

The ipsec sa command globally specifies a security association (SA) that interfaces use to authenticate sent and received IPv6 PIM messages, implementing IPv6 PIM IP Security (IPsec) authentication.

The undo ipsec sa command restores the default configuration.

By default, no SA is specified globally, so a device does not authenticate sent or received IPv6 PIM Hello messages.

By default, no SA is specified globally, so interfaces do not authenticate sent or received IPv6 PIM messages.

Format

hello ipsec sa sa-name

ipsec sa sa-name

undo ipsec sa

undo hello ipsec sa

Parameters

Parameter: sa-name

Description: Specifies the name of an SA.

Value: The value is a string of 1 to 15 case-sensitive characters; spaces are not supported. The characters can be letters or numbers; hyphens (-) are not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

VPN instance PIM view, PIM view of a public network instance

Default Level

2: Configuration level

Task Name and Operations

Task Name: pim

Operations: write

Usage Guidelines

Usage Scenario

On a multicast network, forged IPv6 PIM Hello messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks launched using forged IPv6 PIM Hello messages, run the hello ipsec sa command to configure the device to authenticate sent and received IPv6 PIM Hello messages based on a specified SA.

Some non-Huawei devices can encrypt and authenticate only IPv6 PIM Hello messages. Therefore, the hello ipsec sa command configuration allows a Huawei device to perform IPsec authentication only for IPv6 PIM Hello messages.

Prerequisites

  • The multicast routing function has been enabled using the multicast ipv6 routing-enable command.
  • Basic IPsec functions have been configured.

Configuration Impact

If the hello ipsec sa command is run more than once, the latest configuration overrides the previous one. If the hello ipsec sa and ipsec sa commands are both configured, the command configured later overrides the command configured earlier.

The function of this command is the same as the function of the pim (ipv6) hello ipsec sa command in the interface view. The configuration in the interface view takes precedence over the configuration in the IPv6 PIM view. The configuration in the IPv6 PIM view is used only when the configuration in the interface view is not available.

Precautions

The function of hello ipsec sa is the same as the function of the pim (ipv6) hello ipsec sa command in the interface view. The configuration in the interface view takes precedence over the configuration in the PIM view. The configuration in the PIM view is used only when the configuration in the interface view is not available.
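The precedence and override rules above decide which SA actually protects Hello messages on each interface. The following audit sketch is an added example, not Huawei code: it resolves the effective SA per interface for the public network instance from a constructed configuration dump. The indented dump layout and the interface-view spelling pim [ipv6] hello ipsec sa are assumptions, and the quoted sa-name form that allows spaces is not handled.

```python
import re
SA_NAME = re.compile(r"[A-Za-z0-9]{1,15}")  # unquoted form: 1 to 15 letters or digits
IF_CMD = re.compile(r"pim (?:ipv6 )?hello ipsec sa (\S+)")  # assumed interface-view syntax
PIM_CMD = re.compile(r"(?:hello )?ipsec sa (\S+)")  # both PIM-view forms on this page
# Constructed sample: unindented lines open a view, indented lines belong to it.
SAMPLE = """\
ipsec sa sa1
#
interface GigabitEthernet0/1/0
 pim hello ipsec sa sa2
#
interface GigabitEthernet0/1/1
#
interface GigabitEthernet0/1/2
 pim hello ipsec sa sa-9
#
pim
 ipsec sa sa2
 hello ipsec sa sa1
"""

def audit(config):
    """Interface view wins over PIM view; return ({interface: (sa, source)}, findings)."""
    view, defined, pim_sa, ifaces = "", set(), None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw[0].isspace():  # unindented: a new view starts here
            view = line
            if m := re.fullmatch(r"ipsec sa (\S+)", line):
                defined.add(m.group(1))  # system view: SA definition
            elif line.startswith("interface "):
                ifaces[line.split()[1]] = None
        elif view == "pim" and (m := PIM_CMD.fullmatch(line)):
            pim_sa = m.group(1)  # the later command overrides the earlier one
        elif view.startswith("interface ") and (m := IF_CMD.fullmatch(line)):
            ifaces[view.split()[1]] = m.group(1)
    result, findings = {}, []
    for name, own in ifaces.items():
        sa, source = (own, "interface") if own else (pim_sa, "pim-view" if pim_sa else "none")
        result[name] = (sa, source)
        if sa is None:
            findings.append(f"{name}: Hello messages are not authenticated")
        elif not SA_NAME.fullmatch(sa):
            findings.append(f"{name}: invalid sa-name {sa!r}")
        elif sa not in defined:
            findings.append(f"{name}: SA {sa!r} is not defined")
    return result, findings
```

Calling audit(SAMPLE) shows GigabitEthernet0/1/1 falling back to sa1 from the PIM view, while the other two interfaces keep their own SA and are reported because sa2 is never defined and sa-9 contains a hyphen.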

Example

# Globally configure interfaces to authenticate sent and received IPv4 PIM Hello messages based on the SA named sa1.
<HUAWEI> system-view
[~HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1] quit
[*HUAWEI] multicast routing-enable
[*HUAWEI] pim
[*HUAWEI-pim] hello ipsec sa sa1
Copyright © Huawei Technologies Co., Ltd.