HPE FlexFabric 5940 SERIES User Manual

Command (continued):
camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null } *
• (In FIPS mode.) Specify the encryption algorithm for ESP:
  esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 } *
• (In non-FIPS mode.) Specify the authentication algorithm for ESP:
  esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
• (In FIPS mode.) Specify the authentication algorithm for ESP:
  esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
• (In non-FIPS mode.) Specify the authentication algorithm for AH:
  ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
• (In FIPS mode.) Specify the authentication algorithm for AH:
  ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *

Remarks (continued):
example, you can specify the ESP-specific security algorithms only when you select ESP or AH-ESP as the security protocol.
If you use ESP in FIPS mode, you must specify both the ESP encryption algorithm and the ESP authentication algorithm.
You can specify multiple algorithms by using one command, and the algorithm specified earlier has a higher priority.
The aes-ctr-128, aes-ctr-192, aes-ctr-256, camellia-cbc-128, camellia-cbc-192, camellia-cbc-256, gmac-128, gmac-192, gmac-256, gcm-128, gcm-192, and gcm-256 encryption algorithms and the aes-xcbc-mac authentication algorithm are available only for IKEv2.

Step: 5. Specify the mode in which the security protocol encapsulates IP packets.
Command:
  encapsulation-mode { transport | tunnel }
Remarks:
By default, the security protocol encapsulates IP packets in tunnel mode.
The transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.
IPsec for IPv6 routing protocols supports only the transport mode.

Step: 6. (Optional.) Enable the Perfect Forward Secrecy (PFS) feature.
Command:
• In non-FIPS mode:
  pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 | dh-group20 }
• In FIPS mode:
  pfs { dh-group14 | dh-group19 | dh-group20 }
Remarks:
By default, the PFS feature is not used for SA negotiation.
For more information about PFS, see "Configuring IKE."
The security level of the Diffie-Hellman (DH) group of the initiator must be higher than or equal to that of the responder.
The end without the PFS feature performs SA negotiation according to the PFS requirements of the peer end.
The DH groups 19 and 20 are available only for IKEv2.

Step: 7. (Optional.) Enable the Extended Sequence
Command:
  esn enable [ both ]
Remarks:
By default, the ESN feature is disabled.
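
The restrictions in the table above (FIPS-mode value lists, IKEv2-only values, and the FIPS requirement to set both ESP algorithms) can be checked mechanically before a transform set is deployed. The Python below is an added example, not taken from the HPE manual: the function names, the `fips` and `ikev2` parameters, and the sample lines are constructed for illustration, and ESP use is inferred from the presence of either `esp` command.

```python
def sizes(prefix):
    """Expand a family name into its 128/192/256 variants."""
    return [f"{prefix}-{k}" for k in (128, 192, 256)]

AEAD = sizes("gmac") + sizes("gcm")
SHA = ["sha1", "sha256", "sha384", "sha512"]

# Values each command accepts in FIPS mode, as listed in the table.
FIPS_ALLOWED = {
    "esp encryption-algorithm": set(sizes("aes-cbc") + sizes("aes-ctr") + AEAD),
    "esp authentication-algorithm": set(SHA),
    "ah authentication-algorithm": set(SHA),
    "pfs": {"dh-group14", "dh-group19", "dh-group20"},
}
# Values the remarks mark as available only for IKEv2.
IKEV2_ONLY = set(sizes("aes-ctr") + sizes("camellia-cbc") + AEAD) | {
    "aes-xcbc-mac", "dh-group19", "dh-group20"}

def parse(lines):
    """Map each recognised command to its values, in configured order."""
    cfg = {}
    for line in lines:
        line = line.strip()
        for cmd in FIPS_ALLOWED:
            if line.startswith(cmd + " "):
                cfg[cmd] = line[len(cmd):].split()
    return cfg

def preferred(lines):
    """The value specified earlier has the higher priority."""
    return {cmd: values[0] for cmd, values in parse(lines).items() if values}

def audit(lines, fips, ikev2):
    """Return findings for one transform set (fips/ikev2 are assumed inputs)."""
    cfg, findings = parse(lines), []
    for cmd, values in cfg.items():
        for v in values:
            if fips and v not in FIPS_ALLOWED[cmd]:
                findings.append(f"{cmd}: {v} is not listed for FIPS mode")
            if not ikev2 and v in IKEV2_ONLY:
                findings.append(f"{cmd}: {v} is available only for IKEv2")
    has_enc = "esp encryption-algorithm" in cfg
    has_auth = "esp authentication-algorithm" in cfg
    if fips and has_enc != has_auth:
        findings.append("ESP in FIPS mode: specify both encryption and authentication")
    return findings

# Constructed sample input, not from a real device.
SAMPLE = ["esp encryption-algorithm gcm-256 aes-cbc-256 des-cbc",
          "esp authentication-algorithm sha256 md5",
          "pfs dh-group19"]
```

Running `audit(SAMPLE, fips=True, ikev2=False)` reports `des-cbc` and `md5` as outside the FIPS lists and `gcm-256` and `dh-group19` as IKEv2-only; the same lines pass with `fips=False, ikev2=True`.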

HPE FlexFabric 5940 SERIES Specifications

General
Brand: HPE
Model: FlexFabric 5940 SERIES
Category: Switch
Language: English