sa string-key outbound ah

Function

The sa string-key command configures an authentication key in the string format.

The undo sa string-key command deletes an authentication key from Security Associations (SAs).

By default, no authentication key is created.

Format

sa string-key { outbound ah [ cipher ] string-cipher-key }

undo sa string-key outbound ah

Parameters

Parameter: outbound
Description: Specifies SA parameters for outgoing protocol packets.
Value: -

Parameter: ah
Description: Specifies SA parameters for Authentication Header (AH). If the security proposal applied to an SA uses AH, ah must be configured in the sa string-key command.
Value: -

Parameter: cipher
Description: Indicates the ciphertext used for authentication.
Value: -

Parameter: string-cipher-key
Description: Specifies the ciphertext key.
Value: The value is a case-sensitive string of letters or digits. In plain text the key is a string of 1 to 255 characters; in encrypted text it is a string of 20 to 432 characters. The question mark (?) and the space are not allowed, except that spaces are allowed when the password is enclosed in quotation marks (").

Views

IPsec SA view

Default Level

2: Configuration level

Task Name and Operations

Task Name: ipsec
Operations: write

Usage Guidelines

Usage Scenario

AH and ESP can use MD5, SHA-1, or SHA-2, each of which requires an authentication key in the string or hexadecimal format. If an authentication key in the string format is required, run the sa string-key command.

To ensure high security, do not use MD5 or SHA-1 as the authentication algorithm. If the protocols allow it, using a more secure authentication algorithm, such as SHA-2, is recommended.

Precautions

Set parameters for both inbound and outbound SAs.

SA parameters on both IPsec peers must be identical. The authentication key for incoming protocol packets on the local end must be identical with that for outgoing protocol packets on the peer end and vice versa.

The authentication key can be in the hexadecimal or string format. To configure an authentication key in the hexadecimal format, run the sa authentication-hex command. If multiple authentication keys are configured, the latest one takes effect. The formats of authentication keys on both IPsec peers must be identical. If an authentication key in the string format is configured on one end and an authentication key in the hexadecimal format on another end, the two ends cannot communicate.

Updating the key every 90 days is recommended.
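As an added illustration (not Huawei's code), the following Python pre-check encodes the key constraints and peer-mirroring rules stated above, so a manual SA configuration can be validated before it is typed in. The SaKeys structure and the assumption that the length limits apply to the key without its surrounding quotation marks are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

# Length limits from this page: 1..255 plain-text characters, 20..432 encrypted.
PLAIN_RANGE = (1, 255)
CIPHER_RANGE = (20, 432)


def validate_string_key(key: str, cipher: bool = False) -> List[str]:
    """Return the problems found with a string-format AH key; empty list means OK."""
    problems = []
    lo, hi = CIPHER_RANGE if cipher else PLAIN_RANGE
    # Assumption: quotation marks enclose the key and do not count toward its length.
    quoted = len(key) >= 2 and key[0] == '"' and key[-1] == '"'
    body = key[1:-1] if quoted else key
    if not lo <= len(body) <= hi:
        problems.append(f"length {len(body)} outside {lo}..{hi}")
    if "?" in body:
        problems.append("contains '?'")
    if " " in body and not quoted:
        problems.append("contains a space but is not quoted")
    return problems


@dataclass
class SaKeys:
    """Keys configured on one peer for a manual SA (constructed for this example)."""
    inbound: Optional[str]
    outbound: Optional[str]
    fmt: str  # "string" (sa string-key) or "hex" (sa authentication-hex)


def check_peers(local: SaKeys, peer: SaKeys) -> List[str]:
    """Check the rules in Precautions: both directions set, same format, keys mirrored."""
    problems = []
    if local.fmt != peer.fmt:
        problems.append(f"key format mismatch: local {local.fmt}, peer {peer.fmt}")
    for side, sa in (("local", local), ("peer", peer)):
        if sa.inbound is None or sa.outbound is None:
            problems.append(f"{side}: both inbound and outbound keys must be set")
    # Comparison is exact because keys are case-sensitive.
    if local.inbound != peer.outbound:
        problems.append("local inbound key != peer outbound key")
    if local.outbound != peer.inbound:
        problems.append("local outbound key != peer inbound key")
    return problems
```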

Example

# Set an authentication key in the string format for the SA named sa1.
<HUAWEI> system-view
[~HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1] sa string-key inbound ah abcDEF1357
[*HUAWEI-ipsec-sa-sa1] sa string-key outbound ah defABC1357
Copyright © Huawei Technologies Co., Ltd.