Create an IPsec Security Association

Use the following procedure to create an IPsec security association. A security association (SA) is a group of algorithms and parameters used to encrypt and authenticate the flow of IP traffic in a particular direction. An SA contains the information IPsec needs to process an IP packet.

About this task

You cannot delete or modify a security association if the security association links to a policy. To modify a parameter in the security association or to delete the security association, you must first unlink the security association from a policy.

You can only unlink a security association from a policy if the policy does not link to an interface. If a policy links to an interface, you must first unlink the policy from the interface, and then unlink the policy from the security association.

Procedure

In the navigation pane, expandConfiguration > Security > Control Path.
Click IPSec.
Click the Security Association tab.
Click Insert.
In the Name field, type a name to identify the SA.
In the SPI field, type the security parameters index.

Note

For IPsec to function, each peer must have the same SPI value configured for a particular policy.
Complete the remaining optional configuration.
Click Insert.

Security Association field descriptions

Use the data in the following table to use the Security Association tab.


Name	Description
Name	Specifies the name of the security association.
Spi	Specifies the security parameters index (SPI) value, which is a unique value. SPI is a tag IPsec adds to the IP header. The tag enables the system that receives the IP packet to determine under which security association to process the received packet. For IPsec to function, each peer must have the same SPI value configured for a particular policy. The default value is 0.
HashAlgorithm	Specifies the authorization algorithm, which includes one of the following values: AESXCBC MD5 SHA1 SHA2 The default authentication algorithm name is MD5.
EncryptAlgorithm	Specifies the encryption algorithm value as one of the following: DES3CBC AES128CBC AESCTR NULL—Only use the NULL parameter to debug. Do not use this parameter in any other circumstance. The default encryption algorithm is AES128CBC. You can only access the encryption algorithm parameters if you configure the encapsulation protocol to ESP.
AuthMethod	Specifies the encapsulation protocol: ah—Specifies authentication header. es—Specifies encapsulation security payload. If you configure the encapsulation protocol as ah, you cannot configure the encryption algorithms and other encryption related attributes. You can only access the encryption algorithm parameters if you configure the encapsulation protocol to es. The default value is es.
Mode	Specifies the mode value as one of the following: transport—Transport mode encapsulates the IP payload and provides a secure connection between two end points. This device only supports transport mode. tunnel—Tunnel mode encapsulates the entire IP packet and provides a secure tunnel. This device does not support tunnel mode. The default is transport mode.
KeyMode	Specifies the key-mode as one of the following: manual auto The default is manual.
EncryptKeyName	Specifies the encryption key.
EncryptKeyLength	Specifies the numbers of bits used in the encryption key. The key length values are as follows: DES3CBC is 48 AES128CBC is 32, 48, 64 AESCTR is 32
HashKeyName	Specifies the authentication key.
HashKeyLength	Specifies the numbers of bits used in the hash key. The key length values are as follows: AESXCBC is 32 MD5 is 32 SHA1 is 40
LifetimeSeconds	Specifies the lifetime value in seconds. The lifetime determines the traffic that can pass between IPsec peers using a security association before that security association expires. The default lifetime value in seconds is 28800.
LifetimeKbytes	Specifies the lifetime value in kilobytes. The lifetime determines the traffic that can pass between IPsec peers using a security association before that security association expires. The default lifetime value in bytes is 4294967295.