sa authentication-hex inbound esp

Function

The sa authentication-hex command sets an authentication key, in hexadecimal format or as ciphertext, for Security Associations (SAs).

The undo sa authentication-hex command deletes an authentication key from SAs.

By default, no authentication key is created.

Format

sa authentication-hex { inbound esp [ cipher ] auth-in-esp }

sa authentication-hex inbound esp plain plain-auth-in-esp

undo sa authentication-hex inbound esp

Parameters

Parameter Description Value
inbound

Specifies SA parameters for incoming protocol packets.

-

esp

Specifies SA parameters for Encapsulating Security Payload (ESP). If the security proposal applied to an SA uses ESP, esp must be configured in the sa authentication-hex command.

-

cipher

Specifies the ciphertext type.

-

auth-in-esp

Specifies a ciphertext key used for authentication.

The value is in hexadecimal notation.
  • If authentication algorithm SHA2-256 is used, the length of the key is 32 bytes.
  • If authentication algorithm SHA2-384 is used, the length of the key is 48 bytes.
  • If authentication algorithm SHA2-512 is used, the length of the key is 64 bytes.

The corresponding cipher data ranges from 20 to 392.

plain plain-auth-in-esp

Specifies a plaintext key used for authentication.

The value is in hexadecimal notation.
  • If authentication algorithm SHA2-256 is used, the length of the key is 32 bytes.
  • If authentication algorithm SHA2-384 is used, the length of the key is 48 bytes.
  • If authentication algorithm SHA2-512 is used, the length of the key is 64 bytes.

The corresponding cipher data ranges from 20 to 392.

Views

IPsec SA view

Default Level

2: Configuration level

Task Name and Operations

Task Name    Operations
ipsec        write

Usage Guidelines

Usage Scenario

AH and ESP can use MD5, SHA-1, or SHA-2, all of which require an authentication key in string or hexadecimal format. To configure a hexadecimal key, run the sa authentication-hex command.

To ensure high security, do not use the MD5 or SHA-1 algorithm as the authentication algorithm. You are advised to use a more secure authentication algorithm, such as SHA2, if the protocol supports it.

Precautions

Set parameters for both inbound and outbound SAs.

SA parameters on both IPsec peers must be identical. The authentication key for incoming protocol packets on the local end must be identical to that for outgoing protocol packets on the peer end, and vice versa.

The authentication key can be in the hexadecimal or string format. To configure an authentication key in the string format, run the sa string-key command. If multiple authentication keys are configured, the latest one takes effect. The formats of authentication keys on both IPsec peers must be identical. If an authentication key in the string format is configured on one end and an authentication key in the hexadecimal format on another end, the two ends cannot communicate.

Updating the key every 90 days is recommended.

Example

# Configure an authentication key in the hexadecimal format for the SA named sa1.
<HUAWEI> system-view
[~HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1] sa authentication-hex inbound esp abcdeF1234567891abcdeF1234567891
Copyright © Huawei Technologies Co., Ltd.