ipsec security-association

Syntax

• default ipsec security-association WORD<1-32>

• ipsec security-association WORD<1-32>

• ipsec security-association WORD<1-32> auth-algo AES-XCBC-MAC

• ipsec security-association WORD<1-32> auth-algo AES-XCBC-MAC auth-key WORD<1-256> KeyLength <1-256>

• ipsec security-association WORD<1-32> auth-algo MD5

• ipsec security-association WORD<1-32> auth-algo MD5 auth-key WORD<1-256> KeyLength <1-256>

• ipsec security-association WORD<1-32> auth-algo SHA1

• ipsec security-association WORD<1-32> auth-algo SHA1 auth-key WORD<1-256> KeyLength <1-256>

• ipsec security-association WORD<1-32> auth-algo SHA2

• ipsec security-association WORD<1-32> auth-algo SHA2 auth-key WORD<1-256> KeyLength <1-256>

• ipsec security-association WORD<1-32> encap-proto AH

• ipsec security-association WORD<1-32> encap-proto ESP

• ipsec security-association WORD<1-32> Encrpt-algo 3DES

• ipsec security-association WORD<1-32> Encrpt-algo 3DES EncrptKey WORD<1–256> KeyLength <1-256>

• ipsec security-association WORD<1-32> Encrpt-algo AES-CBC

• ipsec security-association WORD<1-32> Encrpt-algo AES-CBC EncrptKey WORD<1–256> KeyLength <1-256>

• ipsec security-association WORD<1-32> Encrpt-algo AES-CTR

• ipsec security-association WORD<1-32> Encrpt-algo AES-CTR EncrptKey WORD<1–256> KeyLength <1-256>

• ipsec security-association WORD<1-32> Encrpt-algo NULL

• ipsec security-association WORD<1-32> Encrpt-algo NULL EncrptKey WORD<1–256> KeyLength <1-256>

• ipsec security-association WORD<1-32> key-mode automatic

• ipsec security-association WORD<1-32> key-mode manual

• ipsec security-association WORD<1-32> lifetime Bytes <1-4294967295>

• ipsec security-association WORD<1-32> lifetime seconds <1-4294967295>

• ipsec security-association WORD<1-32> mode transport

• ipsec security-association WORD<1-32> spi <1-4294967295>

• no ipsec security-association WORD<1-32>

Command Parameters

auth-algo <AES-XCBC-MAC| 32 MD5|SHA1|SHA2>

The authentication algorithm parameter specifies the authorization algorithm, which includes one of the following values:

• AES-XCBC-MAC

• MD5

• SHA1

• SHA2

The default authentication algorithm name is MD5.

auth-key WORD<1-256> [KeyLength WORD<1-256>]

The parameter auth-key specifies the authentication key. KeyLength specifies the KeyLength value that can be a string of 1 to 256 characters. The default KeyLength is 128. The KeyLength values are as follows:

• 3DES is 48

• AES-CBC is 32, 48, or 64

• AES-CTR is 32

encap-proto <AH|ESP>

Specifies the encapsulation protocol. AH specifies the authentication header and ESP specifies the encapsulation security payload. If you configure the encapsulation protocol as AH, you cannot configure the encryption algorithms and other encryption-related attributes. You can only access the encryption algorithm parameters if you configure the encapsulation protocol to ESP. The default value is ESP.

Encrpt-algo <3DES|AES24 CBC|AES-CTR|NULL>

Specifies the encryption algorithm avlue as one of the following:

• 3DES-CBC

• AES-CBC

• AES-CTR

• NULL

The default encryption algorithm value is AES-CBC. You can only access the encryption algorithm parameters if you configure the encapsulation protocol to ESP.

EncrptKey WORD<1-256> [KeyLength WORD<1-256>]

EncrptKey specifies the encryption key. KeyLength specifies the KeyLength value that can be a string of 1 to 256 characters. The default KeyLength is 128. The KeyLength values are as follows:

• 3DES is 48

• AES-CBC is 32, 48, or 64

• AES-CTR is 32

key-mode <automatic|manual>

Specifies the key-mode as one of the following: automatic or manual. The default is manual.

lifetime <Bytes <1-4294967295>|seconds <1-4294967295>

Specifies the lifetime value in seconds or kilobytes.The default lifetime value in seconds is 8 hours. The default value in bytes is 4608000 kilobytes.

mode transport

Specifies the mode as transport, which encapsulates the IP payload and provides a secure connection between two end points.

Note

The IPsec implementation on the switch only supports transport mode.

policy WORD<1-32>

Specifies the policy ID.

spi <1-4294967295>

Specifies the security parameters index (SPI) value,which is a unique value. SPI is a tag IPsec adds to the IP header. The tag enables the system that receives the IP packet to determine under which security association to process the received packet. For IPsec to function, each peer must have the same SPI value configured on both peers for a particular policy.

WORD<1-32>

Specifies the security association.

WORD<1-32>

Specifies the security association and creates the security association.

Default

None

Command Mode

Global Configuration