sa encryption-hex inbound esp

Function

The sa encryption-hex command configures an encryption key in hexadecimal format for a manual Security Association (SA).

The undo sa encryption-hex command deletes the hexadecimal encryption key configured for a manual SA.

By default, no encryption key is created.

Format

sa encryption-hex { inbound esp [ cipher ] encry-in-esp }

sa encryption-hex inbound esp plain plain-encry-in-esp

undo sa encryption-hex inbound esp

Parameters

Parameter Description Value
inbound

Specifies SA parameters for incoming protocol packets.

-

esp

Specifies SA parameters for Encapsulating Security Payload (ESP). If the security proposal applied to an SA uses ESP, esp must be configured in the sa encryption-hex command.

-

cipher

Indicates the ciphertext type.

-

encry-in-esp

Specifies a ciphertext key used for encryption.

The value is in hexadecimal notation.

  • If encryption algorithm Data Encryption Standard (DES) is used, the length of the key is 8 bytes.
  • If encryption algorithm Triple Data Encryption Standard (3DES) is used, the length of the key is 24 bytes.
  • If encryption algorithm Advanced Encryption Standard 128 (AES-128) is used, the length of the key is 16 bytes.
  • If encryption algorithm Advanced Encryption Standard 192 (AES-192) is used, the length of the key is 24 bytes.
  • If encryption algorithm Advanced Encryption Standard 256 (AES-256) is used, the length of the key is 32 bytes.

The corresponding cipher data ranges from 20 to 432.

The DES and 3DES encryption algorithms provide low security, which may bring security risks. If the protocols allow, using a more secure encryption algorithm, such as AES, is recommended.

plain plain-encry-in-esp

Specifies a simple text password key used for encryption.

The value is in hexadecimal notation.

  • If encryption algorithm Data Encryption Standard (DES) is used, the length of the key is 8 bytes.
  • If encryption algorithm Triple Data Encryption Standard (3DES) is used, the length of the key is 24 bytes.

Views

IPsec SA view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
ipsec write

Usage Guidelines

Usage Scenario

The ESP security protocol supports encryption of IP protocol packets. The algorithm used for encryption/decryption is DES, 3DES, or AES. These algorithms need a key to operate, and the key can be supplied in hexadecimal format. The hexadecimal key to be used for encryption is configured using the sa encryption-hex command.

If the sa encryption-hex command is configured, the encryption key configured using the sa string-key command is deleted automatically.

Updating the key every 90 days is recommended.

Example

# Configure an encryption key in the hexadecimal format for the SA named sa1.
<HUAWEI> system-view
[~HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1] sa encryption-hex inbound esp abcdABCD1357abcdABCD1357abcdABCD1357abcdABCD1357abcdABCD1357abcd
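
A pre-deployment check for the key passed to sa encryption-hex, as an added example that is not part of the original documentation: it validates the hexadecimal key against the lengths in the parameter table, flags DES/3DES, and detects a repeating pattern such as the one in the sample key above. The function names are hypothetical, and treating the sample key as AES-256 is an assumption based on its 32-byte length.

```python
import secrets

# Key lengths in bytes, as listed in the parameter table on this page.
KEY_BYTES = {"des": 8, "3des": 24, "aes-128": 16, "aes-192": 24, "aes-256": 32}
WEAK = {"des", "3des"}  # described on this page as low security


def smallest_period(data: bytes):
    """Return the shortest repeat period covering the whole key, or None."""
    for p in range(1, len(data) // 2 + 1):
        if all(data[i] == data[i + p] for i in range(len(data) - p)):
            return p
    return None


def check_key(algorithm: str, hex_key: str) -> list:
    """Return a list of findings; an empty list means no issue was found."""
    algorithm = algorithm.lower()
    if algorithm not in KEY_BYTES:
        return [f"unknown algorithm {algorithm!r}"]
    findings = []
    if algorithm in WEAK:
        findings.append(f"{algorithm} is a low-security algorithm; prefer AES")
    try:
        if not hex_key.isalnum():  # rejects empty input and embedded whitespace
            raise ValueError(hex_key)
        key = bytes.fromhex(hex_key)  # rejects non-hex digits and odd length
    except ValueError:
        return findings + ["key is not valid hexadecimal"]
    if len(key) != KEY_BYTES[algorithm]:
        findings.append(f"key is {len(key)} bytes, {algorithm} needs {KEY_BYTES[algorithm]}")
    period = smallest_period(key)
    if period is not None:
        findings.append(f"key repeats every {period} bytes; generate it randomly")
    return findings


def new_key_command(algorithm: str) -> str:
    """Build the inbound ESP command line with a fresh key from the OS CSPRNG."""
    key = secrets.token_hex(KEY_BYTES[algorithm.lower()])
    return f"sa encryption-hex inbound esp {key}"


if __name__ == "__main__":
    page_key = "abcdABCD1357" * 5 + "abcd"  # sample key from the example above
    print(check_key("aes-256", page_key))   # assumption: SA proposal uses AES-256
    print(new_key_command("aes-256"))
```
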
Copyright © Huawei Technologies Co., Ltd.