authentication algorithm for AH:
• In non-FIPS mode:
  ah authentication-algorithm { md5 | sha1 } *
• In FIPS mode:
  ah authentication-algorithm sha1
(Release 1121 and later.) Specify the authentication algorithm for AH:
• In non-FIPS mode:
  ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
• In FIPS mode:
  ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
5. Specify the mode in which the security protocol encapsulates IP packets.
encapsulation-mode { transport | tunnel }
By default, the security protocol encapsulates IP packets in tunnel mode.
The transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.
IPsec for IPv6 routing protocols supports only the transport mode.
6. (Optional.) Enable the Perfect Forward Secrecy (PFS) feature for the IPsec policy.
• In non-FIPS mode:
  pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 | dh-group24 }
• In FIPS mode:
  pfs { dh-group14 | dh-group24 | dh-group19 | dh-group20 }
By default, the PFS feature is not used for SA negotiation.
For more information about PFS, see "Configuring IKE."
The Diffie-Hellman (DH) group of the initiator must be higher than or equal to that of the responder.
The end without the PFS feature according requirements of the peer end.
The DH groups 19 and 20 are available only for IKEv2.
7. (Optional.) Enable the Extended Sequence Number (ESN) feature.
esn enable [ both ]
By default, the ESN feature is disabled.
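To audit a saved configuration against the FIPS-mode limits of the ah authentication-algorithm and pfs commands above (and the IKEv2-only note for DH groups 19 and 20), here is an added Python example; it is not code from this guide. It assumes the transform-set view is entered with 'ipsec transform-set NAME' and runs over a constructed sample configuration.

```python
"""Audit IPsec transform-set lines against the FIPS-mode limits listed above."""
import re

AH_AUTH_FIPS = {"sha1", "sha256", "sha384", "sha512"}       # FIPS-mode AH set
PFS_FIPS = {"dh-group14", "dh-group19", "dh-group20", "dh-group24"}
IKEV2_ONLY_PFS = {"dh-group19", "dh-group20"}                # per the PFS note

# Constructed sample (not a real device); the 'ipsec transform-set' view
# name is assumed, as the page shows only the per-step commands.
SAMPLE_CONFIG = """\
ipsec transform-set weak
 ah authentication-algorithm md5 sha1
 pfs dh-group2
ipsec transform-set hardened
 ah authentication-algorithm sha256
 pfs dh-group14
"""

def parse_transform_sets(text):
    """Group the command lines under each 'ipsec transform-set NAME' view."""
    sets, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.fullmatch(r"ipsec transform-set (\S+)", line)
        if m:
            current = sets.setdefault(m.group(1), [])
        elif current is not None and line:
            current.append(line)
    return sets

def audit(name, lines, fips_mode=True, ikev2=False):
    """Return findings for one transform set; an empty list means clean."""
    findings, pfs = [], None
    for tok in (line.split() for line in lines):
        if tok[:2] == ["ah", "authentication-algorithm"]:
            for alg in tok[2:]:
                if fips_mode and alg not in AH_AUTH_FIPS:
                    findings.append(f"{name}: AH algorithm {alg} not allowed in FIPS mode")
        elif tok[0] == "pfs":
            pfs = tok[1]
            if fips_mode and pfs not in PFS_FIPS:
                findings.append(f"{name}: PFS group {pfs} not allowed in FIPS mode")
            if pfs in IKEV2_ONLY_PFS and not ikev2:
                findings.append(f"{name}: PFS group {pfs} requires IKEv2")
    if pfs is None:  # default: PFS is not used for SA negotiation
        findings.append(f"{name}: PFS not configured, no forward secrecy for the SA")
    return findings

def audit_config(text, **kw):
    return {n: audit(n, l, **kw) for n, l in parse_transform_sets(text).items()}
```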
Configuring a manual IPsec policy
In a manual IPsec policy, the parameters are configured manually, such as the keys, the SPIs, and
the IP addresses of the two ends in tunnel mode.
Configuration restrictions and guidelines
Make sure the IPsec configuration at the two ends of an IPsec tunnel meets the following
requirements: