Step 3. Specify the security protocol for the IPsec transform set.
  Command: transform { ah | ah-esp | esp }
  Remarks: Optional. ESP by default.
  You can configure security algorithms for a security protocol only after you select the protocol. For example, you can specify the ESP-specific security algorithms only when you select ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication.

Step 4. Specify the security algorithms.
  Commands:
  • Specify the encryption algorithm for ESP:
    esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des } *
  • Specify the authentication algorithm for ESP:
    esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha2-256 } *
  • Specify the authentication algorithm for AH:
    ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha2-256 } *
  Remarks: Configure at least one command.
  You configure security algorithms for a security protocol only after you specify the security protocol. For example, you can specify the ESP-specific security algorithms only after you select ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication.
  DES, 3DES, and MD5 algorithms are not supported in FIPS mode.
  In FIPS mode:
  • ESP uses AES-128 for encryption and SHA-1 for authentication by default.
  • AH uses SHA-1 for authentication by default.
  • You must specify both an encryption algorithm and an authentication algorithm.
  In non-FIPS mode, no encryption or authentication algorithm is specified for ESP or AH by default.

Step 5. Specify the IP packet encapsulation mode for the IPsec transform set.
  Command: encapsulation-mode { transport | tunnel }
  Remarks: Optional. Tunnel mode by default.
  Transport mode applies only when the source and destination IP addresses of the data flows match those of the IPsec tunnel.
  IPsec for IPv6 routing protocols supports only transport mode.

Step 6. Enable the ESN function.
  Command: esn enable
  Remarks: Optional. By default, ESN is disabled.
Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the
changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be
set up using the updated parameters.
To modify an existing IPsec transform set, use the undo ipsec transform-set command to delete it,
and then configure a new one.
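The rules in the Remarks column of steps 3 through 6 (algorithms only for the selected protocol, at least one algorithm, no DES/3DES/MD5 under FIPS, both ESP algorithms required in FIPS mode, tunnel mode and ESN-off defaults) can be checked mechanically before a transform set is pushed to a device. The following is an added example, not HPE/H3C code or device output: a small Python audit that parses transform-set configuration text written in the command syntax of the table. The `ipsec transform-set <name>` view line, the one-space indentation, and the set names `tset-legacy` and `tset-hardened` are constructed assumptions; the `transform`, `esp ...-algorithm`, `ah authentication-algorithm`, `encapsulation-mode`, and `esn enable` commands are the ones listed above.

```python
import re

# Constructed sample configurations in the CLI syntax of the table above.
# The "ipsec transform-set <name>" line and the indentation are assumptions.
LEGACY_CFG = """\
ipsec transform-set tset-legacy
 transform esp
 esp encryption-algorithm des
 esp authentication-algorithm md5
 encapsulation-mode tunnel
"""

HARDENED_CFG = """\
ipsec transform-set tset-hardened
 transform esp
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha2-256
 encapsulation-mode tunnel
 esn enable
"""

# Algorithms the Remarks column says are not supported in FIPS mode.
FIPS_DISALLOWED = {"des", "3des", "md5"}


def parse_transform_set(cfg: str) -> dict:
    """Parse one transform-set view into a dict of its settings.

    Unset fields take the defaults from the Remarks column:
    ESP protocol, tunnel encapsulation, ESN disabled.
    """
    ts = {"name": None, "protocol": "esp", "mode": "tunnel", "esn": False,
          "esp_enc": [], "esp_auth": [], "ah_auth": []}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"ipsec transform-set (\S+)$", line):
            ts["name"] = m.group(1)
        elif m := re.match(r"transform (ah|ah-esp|esp)$", line):
            ts["protocol"] = m.group(1)
        elif m := re.match(r"esp encryption-algorithm (.+)$", line):
            ts["esp_enc"] = m.group(1).split()      # "*" allows several
        elif m := re.match(r"esp authentication-algorithm (.+)$", line):
            ts["esp_auth"] = m.group(1).split()
        elif m := re.match(r"ah authentication-algorithm (.+)$", line):
            ts["ah_auth"] = m.group(1).split()
        elif m := re.match(r"encapsulation-mode (transport|tunnel)$", line):
            ts["mode"] = m.group(1)
        elif line == "esn enable":
            ts["esn"] = True
    return ts


def audit(ts: dict, fips: bool = True) -> list:
    """Return findings for a parsed transform set, applying the table's rules."""
    findings = []
    proto = ts["protocol"]
    # Step 4: algorithms are only meaningful for the selected protocol.
    if proto == "ah" and (ts["esp_enc"] or ts["esp_auth"]):
        findings.append("ESP algorithms configured but protocol is AH")
    if proto == "esp" and ts["ah_auth"]:
        findings.append("AH algorithm configured but protocol is ESP")
    if not (ts["esp_enc"] or ts["esp_auth"] or ts["ah_auth"]):
        findings.append("no security algorithm configured (at least one is required)")
    # FIPS rules from the Remarks column of step 4.
    all_algos = ts["esp_enc"] + ts["esp_auth"] + ts["ah_auth"]
    legacy = sorted({a for a in all_algos if a in FIPS_DISALLOWED})
    if legacy:
        where = "FIPS mode: unsupported" if fips else "not FIPS-supported"
        findings.append(f"{where} algorithm(s): {', '.join(legacy)}")
    if fips and proto in ("esp", "ah-esp") and not (ts["esp_enc"] and ts["esp_auth"]):
        findings.append("FIPS mode: ESP needs both an encryption and an authentication algorithm")
    # Step 6: ESN is off by default; report it so the operator decides explicitly.
    if not ts["esn"]:
        findings.append("ESN disabled (default)")
    return findings


if __name__ == "__main__":
    for cfg in (LEGACY_CFG, HARDENED_CFG):
        ts = parse_transform_set(cfg)
        print(ts["name"], ts["protocol"], ts["mode"], audit(ts) or "OK")
```

Run it against your own `display current-configuration` excerpt by replacing the constructed strings; a transform set that returns no findings satisfies every constraint the table states, and one that returns a FIPS finding will fail to negotiate SAs once FIPS mode is enabled. Remember that, as the note above says, changing the transform set only affects SAs negotiated afterwards, so existing SAs still need `reset ipsec sa`.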