To do… / Use the command… / Remarks

Enter system view
  Use the command: system-view
  Remarks: —

Create an IPsec proposal and enter its view
  Use the command: ipsec proposal proposal-name
  Remarks: Required. By default, no IPsec proposal exists.

Specify the security protocol for the proposal
  Use the command: transform { ah | ah-esp | esp }
  Remarks: Optional. ESP by default.

Specify the security algorithms: specify the encryption algorithm for ESP
  Use the command: esp encryption-algorithm { 3des | aes [ key-length ] | des }
  Remarks: Optional. DES by default.

Specify the security algorithms: specify the authentication algorithm for ESP
  Use the command: esp authentication-algorithm { md5 | sha1 }
  Remarks: Optional. MD5 by default.

Specify the security algorithms: specify the authentication algorithm for AH
  Use the command: ah authentication-algorithm { md5 | sha1 }
  Remarks: Optional. MD5 by default.

Specify the IP packet encapsulation mode for the IPsec proposal
  Use the command: encapsulation-mode { transport | tunnel }
  Remarks: Optional. Tunnel mode by default. Transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel. IPsec for IPv6 routing protocols supports only the transport mode.
NOTE:
• Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using the updated parameters.
• Only when a security protocol is selected can you configure security algorithms for it. For example, you can specify the ESP-specific security algorithms only when you select ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication.
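The following session walks through the procedure above end to end. It is an added example, not a listing from the original guide: the proposal name ospfv3-prop, the prompt strings, and the AES key length 128 are assumed values (check the command reference of your switch for the key lengths it accepts). It replaces the DES and MD5 defaults with AES and SHA-1, selects transport mode because that is the only mode supported for IPv6 routing protocols, and finishes with the SA reset the NOTE requires when an existing proposal is changed.

```text
# Added example, not from the original guide. Names, prompts and the AES
# key length are assumed; the commands are those in the table above.
<Switch> system-view
[Switch] ipsec proposal ospfv3-prop
# ESP is the default protocol; it is set explicitly so the intent is recorded.
# ESP is chosen because it can provide both encryption and authentication.
[Switch-ipsec-proposal-ospfv3-prop] transform esp
# Replace the weak DES and MD5 defaults. "aes 128" is an assumed key-length value.
[Switch-ipsec-proposal-ospfv3-prop] esp encryption-algorithm aes 128
[Switch-ipsec-proposal-ospfv3-prop] esp authentication-algorithm sha1
# IPsec for IPv6 routing protocols supports only transport mode.
[Switch-ipsec-proposal-ospfv3-prop] encapsulation-mode transport
[Switch-ipsec-proposal-ospfv3-prop] quit
# Only needed when an existing proposal was changed: clear the current SAs
# so the next negotiation uses the updated parameters.
[Switch] reset ipsec sa
```

Verify the result against the defaults listed in the table: a proposal left at its defaults would run ESP with DES and MD5 in tunnel mode, which is both cryptographically weak and, for IPv6 routing protocols, the wrong encapsulation mode.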
Configuring an IPsec policy
IPsec policies define which IPsec proposals should be used to protect which data flows. An IPsec policy
is uniquely identified by its name and sequence number.
The switch supports only manual IPsec policies. All parameters of a manual IPsec policy, such as the keys and the SPIs, are configured manually.
1. Configuration guidelines
To ensure successful SA negotiations, follow these guidelines when configuring manual IPsec policies:
• Within a certain routed network scope, the IPsec proposals used by the IPsec policies on all routers
must have the same security protocols, security algorithms, and encapsulation mode. For OSPFv3,
the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be