sa authentication-hex inbound ah

Function

The sa authentication-hex command sets an authentication in hexadecimal format or cipher text for Security Associations (SAs).

The undo sa authentication-hex command deletes an authentication key from SAs.

By default, no authentication key is created.

Format

sa authentication-hex { inbound ah [ cipher ] auth-in-ah }

sa authentication-hex inbound ah plain plain-auth-in-ah

undo sa authentication-hex inbound ah

Parameters

Parameter Description Value
inbound

Specifies SA parameters for incoming protocol packets.

-
ah

Specifies SA parameters for Authentication Header (AH). If the security proposal applied to an SA uses AH, ah must be configured in the sa authentication-hex command.

-
cipher

Specifies the ciphertext type.

-
auth-in-ah

Specifies a ciphertext key used for authentication.
The value is in hexadecimal notation.
  • If authentication algorithm SHA2-256 is used, the length of the key is 32 bytes.
    • If authentication algorithm SHA2-384 is used, the length of the key is 48 bytes.
    • If authentication algorithm SHA2-512 is used, the length of the key is 64 bytes

The corresponding cipher data ranges from 20 to 392.
plain plain-auth-in-ah

Specifies a simple text password key used for authentication.
The value is in hexadecimal notation.
  • If authentication algorithm SHA2-256 is used, the length of the key is 32 bytes.
    • If authentication algorithm SHA2-384 is used, the length of the key is 48 bytes.
    • If authentication algorithm SHA2-512 is used, the length of the key is 64 bytes

The corresponding cipher data ranges from 20 to 392.

Views

IPsec SA view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
ipsec write

Usage Guidelines

Usage Scenario

AH and ESP can use MD5, SHA-1, or SHA-2 that require an authentication key in the string or hexadecimal format. To generate a hexadecimal key, run the sa authentication-hex command.

To ensure high security, do not use the MD5 or SHAI algorithm as the authentication algorithm. You are advised to use a more secure authentication algorithm, such as SHA2, if the authentication algorithm is supported by the protocol.

Precautions

Set parameters for both inbound and outbound SAs.

SA parameters on both IPsec peers must be identical. The authentication key for incoming protocol packets on the local end must be identical with that for outgoing protocol packets on the peer end and vice versa.

The authentication key can be in the hexadecimal or string format. To configure an authentication key in the string format, run the sa string-key command. If multiple authentication keys are configured, the latest one takes effect. The formats of authentication keys on both IPsec peers must be identical. If an authentication key in the string format is configured on one end and an authentication key in the hexadecimal format on another end, the two ends cannot communicate.

Updating the key every 90 days is recommended.

Example

# Configure an authentication key in the hexadecimal format for the SA named sa1.
<HUAWEI> system-view
[~HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1] sa authentication-hex inbound ah abcdeF1234567891abcdeF1234567891
Parent Topic: IPSec Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >