Alcatel-Lucent 6850-48 Reference Guide

IPsec commands
OmniSwitch CLI Reference Guide
September 2009
Usage Guidelines
• When using ESP to verify integrity only, use the null option with the encryption parameter.
• If the null option is used with the encryption parameter, specify an integrity algorithm using the 
authentication parameter. 
• To override the default key length for the aes-cbc or aes-ctr encryption algorithm, specify the key
length value after the protocol name. The following key length values are supported:

encryption algorithm    key length (in bits)
aes-cbc                 128 (default), 192, and 256
aes-ctr                 160 (default), 224, and 288

• There are two ways to configure an ESP confidentiality-only SA: use the none option with the
authentication parameter, or simply omit the authentication parameter from the command.
• For an integrity-only SA or an encryption and integrity SA, specify one of the authentication
algorithms (aes-xcbc-mac, hmac-md5, or hmac-sha1).
• For AH SAs, specify one of the authentication algorithms (aes-xcbc-mac, hmac-md5, or hmac-sha1).
• Note that enabling an SA is not allowed if the required encryption and/or authentication keys have not
been configured.
Examples
-> ipsec sa ah_in ah source 3ffe:200:200:4001::99 destination 3ffe:200:200:4001::1 spi 9901 authentication hmac-sha1 description "HMAC SHA1 on traffic from 99 to 1"
-> ipsec sa esp_out esp source 3ffe:200:200:4001::1 destination 3ffe:200:200:4001::1ae7 spi 12901 encryption aes-cbc authentication aes-xcbc-mac description "ESP confidentiality and integrity on traffic from 1 to 1ae7"
-> no ipsec sa ah_in
Release History
Release 6.3.4; command was introduced.
Related Commands
Configures the authentication and encryption keys for a manually 
configured IPsec SA.
Displays information about manually configured IPsec Security 
Associations.
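
Added example (not part of the original guide, and not Alcatel-Lucent code): a small Python check that applies the usage guidelines above to ipsec sa definitions before they are entered on the switch. It assumes a key length override is written as a bare number directly after the algorithm name; the function names and sample definitions are constructed for illustration.

```python
import shlex
KEY_BITS = {"aes-cbc": (128, 192, 256), "aes-ctr": (160, 224, 288)}  # from the guidelines
AUTH_ALGS = {"aes-xcbc-mac", "hmac-md5", "hmac-sha1"}
KEYWORDS = {"source", "destination", "spi", "encryption", "authentication", "description"}

def parse_sa(line):
    """Split one 'ipsec sa <name> <esp|ah> ...' line into keyword -> list of values."""
    tok = shlex.split(line.strip().lstrip("->"))  # drop the CLI prompt, honour quotes
    if len(tok) < 4 or tok[:2] != ["ipsec", "sa"]:
        raise ValueError("not an 'ipsec sa' definition")
    sa, key = {"name": tok[2], "protocol": tok[3]}, None
    for t in tok[4:]:
        if t in KEYWORDS:
            key, sa[t] = t, []
        elif key:
            sa[key].append(t)
    return sa

def check_sa(line):
    """Return findings for one SA definition; an empty list means no rule is broken."""
    sa = parse_sa(line)
    enc, out = sa.get("encryption", []), []
    auth = (sa.get("authentication") or ["none"])[0]
    if auth != "none" and auth not in AUTH_ALGS:
        out.append(f"error: unknown authentication algorithm {auth}")
    if sa["protocol"] == "ah":
        if auth == "none":
            out.append("error: AH SA needs an authentication algorithm")
        return out
    if not enc:  # assumption: an ESP SA always names an encryption option
        out.append("error: ESP SA has no encryption parameter")
    elif enc[0] == "null" and auth == "none":
        out.append("error: null encryption requires an authentication algorithm")
    elif auth == "none":
        out.append("warning: confidentiality-only ESP, no integrity protection")
    if enc and enc[0] in KEY_BITS and len(enc) > 1:
        if not enc[1].isdigit() or int(enc[1]) not in KEY_BITS[enc[0]]:
            out.append(f"error: {enc[0]} does not support key length {enc[1]}")
    return out

# Constructed sample definitions (names, addresses and SPIs are made up).
SAMPLES = [
    "-> ipsec sa s1 esp source 2001:db8::1 destination 2001:db8::2 spi 5001 encryption null",
    "-> ipsec sa s2 esp source 2001:db8::1 destination 2001:db8::2 spi 5002 encryption aes-ctr 256",
    "-> ipsec sa s3 esp spi 5003 encryption aes-cbc 192 authentication hmac-sha1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_sa(s)["name"], check_sa(s) or "ok")
```

The confidentiality-only case is reported as a warning rather than an error because the guide permits it; the SA then carries no integrity check on the traffic.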