
create ipsec saspecification

In document Chapter 49 IP Security (IPsec) (Page 60-63)

Syntax CREate IPSec SASpecification=spec-id KEYmanagement={ISAkmp|MAnual} PROTocol={AH|COmp|ESp}

Description This command creates an SA specification to be used as a template when IPsec SAs are created by IPsec or ISAKMP. An SA specification uses one of the esp (encryption), ah (authentication) or comp (compression) protocols. If manual key management is to be used, inspi, outspi and enckey must be specified for an esp SA, and inspi, outspi and hashkey must be specified for an ah SA. If ISAKMP is to be used, ISAKMP must be enabled and configured; only the algorithms need to be specified, because ISAKMP negotiates suitable SPIs and keys.

This command requires a user with security officer privilege when the switch is in security mode.

Parameter Description

SASpecification The identification number for the SA proposal. An SA specification with the specified identification number must not already exist. The number can range from 0 to 255.

Default: no default

KEYmanagement Whether the keys and SPIs are to be manually entered or negotiated by ISAKMP.

Default: no default

ISAKMP Keys and SPIs are negotiated by ISAKMP. If ISAKMP is to be used, ISAKMP must be enabled and configured. Only the algorithms need to be specified, because ISAKMP negotiates suitable SPIs and keys.

MAnual Keys and SPIs are manually entered. If manual key management is to be used, inspi, outspi, and enckey must be specified for an encryption SA; and inspi, outspi and hashkey must be specified for an authentication SA.

PROTocol The IPsec protocol type negotiated in this proposal.

Default: no default

AH An authentication SA is negotiated.

COmp A compression SA is negotiated.

ESp An encryption SA is negotiated.

ANTIReplayenabled Whether the anti-replay mechanism is enabled for the specified SA.

This parameter is not valid for a compression SA or manual key management.

Default: false

True Anti-replay is enabled.

False Anti-replay is disabled.

IP Security (IPsec) create ipsec saspecification 49-61

COMPalg The compression algorithm to be negotiated in this proposal. This parameter is required if protocol is set to comp.

Default: no default

ENCalg The encryption algorithm used by SAs created from this SA specification. This parameter is required if protocol is set to esp.

Default: no default

3DES2key Triple DES encryption algorithm is used in Outer CBC mode with two keys.

3DESOuter Triple DES Outer encryption algorithm is used.

3DESInner Triple DES Inner encryption algorithm is used.

DES Data Encryption Standard (DES) is used.

NULl No encryption algorithm is set in this proposal. Null can only be set if the protocol selected is esp, and hashalg is not set to null.

ENCKey The identification number of an encryption key used by SAs created from this SA specification. The number identifies an existing key in the ENCO key database, and can range from 0 to 65535. This parameter is required if protocol is set to esp and keymanagement is set to manual.

Default: no default

HASHAlg The hash algorithm used by SAs created from this SA specification.

This parameter is required if protocol is set to ah, or if ESP is to be used with authentication.

Default: no default

DESMac The DES MAC algorithm is used.

MD5 The MD5 algorithm is used.

NULl No hash algorithm is set in this proposal. Null can only be set if the protocol selected is esp, and encalg is not set to null.

SHA The SHA algorithm is used.

HASHKey The identification number of a key used for authentication purposes by SAs created from this SA specification. The number identifies an existing key in the ENCO key database, and can range from 0 to 65535. This parameter is required if protocol is set to ah or esp, and keymanagement is set to manual.

Default: no default

INSPI The Security Parameter Index (SPI) used by SAs created from this SA specification for inbound traffic. An SPI is a number from 256 to 4294967295. This parameter is required if protocol is set to ah or esp, and keymanagement is set to manual.

Default: no default

MODe The mode of operation of the SA to be negotiated, either transport or tunnel mode.

Default: tunnel

OUTSPI The Security Parameter Index (SPI) used for outbound traffic. An SPI is a number from 256 to 4294967295. This parameter is required if

REPLAywindowsize The size of the anti-replay window, in packets. The window size can be set to 32, 64, 128 or 256. This parameter is not valid for a compression SA or manual key management.

Default: 32

Examples To create an SA specification for manual key management for ESP using DES and MD5, use the command:

cre ips sas=1 prot=es key=ma inspi=300 outspi=400 enc=des hashalg=md5 enck=1 hashkey=101

To create an SA specification for manual key management for AH using MD5, use the command:

cre ips sas=2 prot=ah key=ma inspi=300 outspi=400 hasha=md5 hashk=10

To create an SA specification for ISAKMP key management for ESP using 168-bit 3DES and MD5, use the command:

cre ips sas=1 prot=es key=is enc=3desi hasha=md5

To create an SA specification for ISAKMP key management for AH using MD5, use the command:

cre ips sas=5 prot=ah key=is hasha=md5

Related Commands destroy ipsec saspecification
set ipsec saspecification
show ipsec saspecification
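The rules this page spreads across the parameter descriptions (which parameters each protocol and key-management choice requires, the SPI and key-id ranges, the NULL algorithm rule, and the anti-replay restrictions) can be checked before a command is typed into the switch. The following Python script is an added example written for this page; it is not AlliedWare OS code and does not talk to a switch. Field names are the page's full parameter keywords in lower case, and the LEGACY_ALGS set is the example's own review policy rather than anything the page states.

```python
"""Lint a proposed 'create ipsec saspecification' parameter set.

Added example for this reference page, not AlliedWare OS code. It encodes
the rules the page states and renders the result as a full-keyword command.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional

SPI_MIN, SPI_MAX = 256, 4294967295          # documented SPI range
KEY_ID_MIN, KEY_ID_MAX = 0, 65535           # ENCO key database ids
ENC_ALGS = {"3des2key", "3desouter", "3desinner", "des", "null"}
HASH_ALGS = {"desmac", "md5", "null", "sha"}
REPLAY_WINDOWS = {32, 64, 128, 256}
# Algorithms this example flags as legacy: the example's own review policy.
LEGACY_ALGS = {"des", "desmac", "md5"}


@dataclass
class SASpec:
    saspecification: int
    keymanagement: str                        # "isakmp" or "manual"
    protocol: str                             # "ah", "comp" or "esp"
    encalg: Optional[str] = None
    hashalg: Optional[str] = None
    compalg: Optional[str] = None
    enckey: Optional[int] = None
    hashkey: Optional[int] = None
    inspi: Optional[int] = None
    outspi: Optional[int] = None
    mode: Optional[str] = None                # None = switch default (tunnel)
    antireplayenabled: Optional[bool] = None  # None = not given on the command line
    replaywindowsize: Optional[int] = None    # None = not given (switch default 32)


def validate(spec: SASpec) -> List[str]:
    """Return the list of rule violations; an empty list means the spec is acceptable."""
    errors: List[str] = []
    km, proto = spec.keymanagement.lower(), spec.protocol.lower()
    enc = (spec.encalg or "").lower()
    hsh = (spec.hashalg or "").lower()

    if not 0 <= spec.saspecification <= 255:
        errors.append("saspecification must be in the range 0 to 255")
    if km not in ("isakmp", "manual"):
        errors.append("keymanagement must be isakmp or manual")
    if proto not in ("ah", "comp", "esp"):
        errors.append("protocol must be ah, comp or esp")
    if spec.mode is not None and spec.mode.lower() not in ("transport", "tunnel"):
        errors.append("mode must be transport or tunnel")

    # Algorithm requirements per protocol.
    if proto == "comp" and spec.compalg is None:
        errors.append("compalg is required when protocol=comp")
    if proto == "esp" and not enc:
        errors.append("encalg is required when protocol=esp")
    if proto == "ah" and not hsh:
        errors.append("hashalg is required when protocol=ah")
    if enc and enc not in ENC_ALGS:
        errors.append(f"unknown encalg {spec.encalg!r}")
    if hsh and hsh not in HASH_ALGS:
        errors.append(f"unknown hashalg {spec.hashalg!r}")

    # NULL is only allowed for ESP and never for both algorithms at once. An unset
    # hashalg is treated like null here (example's reading): ESP with neither
    # encryption nor authentication protects nothing.
    if enc == "null" and (proto != "esp" or hsh in ("", "null")):
        errors.append("encalg=null needs protocol=esp and a non-null hashalg")
    if hsh == "null" and (proto != "esp" or enc in ("", "null")):
        errors.append("hashalg=null needs protocol=esp and a non-null encalg")

    # Manual keying: SPIs and key ids must be supplied and in range.
    if km == "manual" and proto in ("ah", "esp"):
        for name in ("inspi", "outspi"):
            value = getattr(spec, name)
            if value is None:
                errors.append(f"{name} is required for manual key management")
            elif not SPI_MIN <= value <= SPI_MAX:
                errors.append(f"{name} must be in the range {SPI_MIN} to {SPI_MAX}")
        needs_enckey = proto == "esp" and enc != "null"   # no key for encalg=null
        needs_hashkey = proto == "ah" or (proto == "esp" and hsh not in ("", "null"))
        for name, needed in (("enckey", needs_enckey), ("hashkey", needs_hashkey)):
            value = getattr(spec, name)
            if needed and value is None:
                errors.append(f"{name} is required for manual key management with protocol={proto}")
            elif value is not None and not KEY_ID_MIN <= value <= KEY_ID_MAX:
                errors.append(f"{name} must be in the range {KEY_ID_MIN} to {KEY_ID_MAX}")

    # Anti-replay parameters are not valid for compression SAs or manual keying.
    replay_blocked = proto == "comp" or km == "manual"
    if spec.antireplayenabled is not None and replay_blocked:
        errors.append("antireplayenabled is not valid for a compression SA or manual key management")
    if spec.replaywindowsize is not None:
        if replay_blocked:
            errors.append("replaywindowsize is not valid for a compression SA or manual key management")
        elif spec.replaywindowsize not in REPLAY_WINDOWS:
            errors.append("replaywindowsize must be 32, 64, 128 or 256")
    return errors


def legacy_algorithms(spec: SASpec) -> List[str]:
    """Algorithms in the spec that this example's policy treats as legacy."""
    return sorted(a.lower() for a in (spec.encalg, spec.hashalg) if a and a.lower() in LEGACY_ALGS)


def to_command(spec: SASpec) -> str:
    """Render the spec as a full-keyword command line in the page's syntax."""
    parts = [f"create ipsec saspecification={spec.saspecification}",
             f"keymanagement={spec.keymanagement.lower()}",
             f"protocol={spec.protocol.lower()}"]
    for name in ("antireplayenabled", "compalg", "encalg", "enckey", "hashalg",
                 "hashkey", "inspi", "mode", "outspi", "replaywindowsize"):
        value = getattr(spec, name)
        if value is not None:
            parts.append(f"{name}={str(value).lower()}")
    return " ".join(parts)
```

Running validate() over the page's first example (manual ESP with DES and MD5) returns no errors, while legacy_algorithms() reports both algorithms, which is the kind of flag a configuration review would want to see before the SA is deployed. to_command() prints the full keywords, so the abbreviated forms in the page's examples can be checked against it.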
