ipsec security-association

Create and configure an Internet Protocol Security (IPsec) security association.

Syntax

Command Parameters

auth-algo <AES-XCBC-MAC|MD5|SHA1|SHA2>
Specifies the authentication algorithm as one of the following values:
  • AES-XCBC-MAC

  • MD5

  • SHA1

  • SHA2

The default authentication algorithm name is MD5.
auth-key WORD<1-256> [KeyLength WORD<1-256>]
The parameter auth-key specifies the authentication key. KeyLength specifies the KeyLength value that can be a string of 1 to 256 characters. The default KeyLength is 128. The KeyLength values are as follows:
  • 3DES is 48

  • AES-CBC is 32, 48, or 64

  • AES-CTR is 32

encap-proto <AH|ESP>
Specifies the encapsulation protocol. AH specifies the Authentication Header and ESP specifies the Encapsulating Security Payload. If you configure the encapsulation protocol as AH, you cannot configure the encryption algorithms and other encryption-related attributes. You can only access the encryption algorithm parameters if you configure the encapsulation protocol to ESP. The default value is ESP.
Encrpt-algo <3DES|AES-CBC|AES-CTR|NULL>
Specifies the encryption algorithm value as one of the following:
  • 3DES-CBC

  • AES-CBC

  • AES-CTR

  • NULL

The default encryption algorithm value is AES-CBC. You can only access the encryption algorithm parameters if you configure the encapsulation protocol to ESP.
EncrptKey WORD<1-256> [KeyLength WORD<1-256>]
EncrptKey specifies the encryption key. KeyLength specifies the KeyLength value that can be a string of 1 to 256 characters. The default KeyLength is 128. The KeyLength values are as follows:
  • 3DES is 48

  • AES-CBC is 32, 48, or 64

  • AES-CTR is 32

key-mode <automatic|manual>
Specifies the key-mode as one of the following: automatic or manual. The default is manual.
lifetime <Bytes <1-4294967295>|seconds <1-4294967295>>
Specifies the lifetime value in seconds or kilobytes. The default lifetime value in seconds is 8 hours. The default value in bytes is 4608000 kilobytes.
mode transport

Specifies the mode as transport, which encapsulates the IP payload and provides a secure connection between two end points.

Note

The IPsec implementation on the switch only supports transport mode.

policy WORD<1-32>
Specifies the policy ID.
spi <1-4294967295>
Specifies the security parameters index (SPI) value, which is a unique value. SPI is a tag IPsec adds to the IP header. The tag enables the system that receives the IP packet to determine under which security association to process the received packet. For IPsec to function, both peers must have the same SPI value configured for a particular policy.
WORD<1-32>
Specifies the security association.
WORD<1-32>
Specifies the security association and creates the security association.
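
The parameter rules above (AH excludes the encryption parameters, the listed KeyLength values per algorithm, the SPI range, and the same SPI on both peers) can be checked before a change is applied. The following Python is an added example, not part of the product documentation; the dictionary layout, the "EncrptKey KeyLength" key and the function names are assumptions, and the MD5 and NULL findings are this example's hardening advice rather than rules stated on the page.

```python
# Added example: the dict layout, the "EncrptKey KeyLength" key and the
# function names are assumptions of this sketch, not switch syntax.
DEFAULTS = {"auth-algo": "MD5", "encap-proto": "ESP",
            "Encrpt-algo": "AES-CBC", "key-mode": "manual"}
KEYLENGTHS = {"3DES": {48}, "AES-CBC": {32, 48, 64}, "AES-CTR": {32}}
ENCRYPTION_PARAMS = ("Encrpt-algo", "EncrptKey", "EncrptKey KeyLength")
SPI_MAX = 4294967295


def check_sa(params):
    """Return findings for one security association (empty list = clean)."""
    findings = []
    sa = {**DEFAULTS, **params}  # unset parameters take the documented defaults
    if sa["encap-proto"] == "AH":
        # With AH the encryption parameters cannot be configured at all.
        for name in ENCRYPTION_PARAMS:
            if name in params:
                findings.append(f"{name} is not configurable with encap-proto AH")
    else:
        algo = sa["Encrpt-algo"]
        length = params.get("EncrptKey KeyLength")  # checked only when set
        if length is not None and length not in KEYLENGTHS.get(algo, {length}):
            findings.append(f"KeyLength {length} is not listed for {algo}")
        if algo == "NULL":  # advisory from this example, not a rule on the page
            findings.append("Encrpt-algo NULL: ESP payload is not encrypted")
    if sa["auth-algo"] == "MD5":  # advisory from this example
        source = "explicit" if "auth-algo" in params else "default"
        findings.append(f"auth-algo MD5 ({source}): prefer SHA2")
    if sa.get("mode", "transport") != "transport":
        findings.append("only transport mode is supported")
    spi = sa.get("spi")
    if not (isinstance(spi, int) and 1 <= spi <= SPI_MAX):
        findings.append("spi missing or outside 1-4294967295")
    return findings


def check_peers(local, remote):
    """Both peers must be configured with the same SPI for a policy."""
    if local.get("spi") != remote.get("spi"):
        return [f"SPI mismatch: {local.get('spi')} vs {remote.get('spi')}"]
    return []


# Constructed sample input, not taken from a real device.
PEER_A = {"spi": 1001, "auth-algo": "SHA2", "EncrptKey KeyLength": 64}
PEER_B = {"spi": 1002, "encap-proto": "AH", "Encrpt-algo": "3DES"}

if __name__ == "__main__":
    print(check_sa(PEER_A), check_sa(PEER_B), check_peers(PEER_A, PEER_B))
```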

Default

None

Command Mode

Global Configuration