194
Usage guidelines
The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents
the sequence number space from being exhausted when large volumes of data are transmitted at
high speeds over an IPsec SA. If the sequence number space is not exhausted, the IPsec SA does
not need to be renegotiated.
This feature must be enabled at both the initiator and the responder.
Examples
# Enable ESN in the IPsec transform set tran1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esn enable
Related commands
display ipsec transform-set
Modified command: esp authentication-algorithm
Old syntax
In non-FIPS mode:
esp authentication-algorithm { md5 | sha1 | sm3 } *
undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm sha1
undo esp authentication-algorithm
New syntax
In non-FIPS mode:
esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
undo esp authentication-algorithm
Views
IPsec transform set view
Change description
The following keywords were added:
aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm, which uses a 128-bit key.
This keyword is available only for IKEv2.
To Next Page
Loading...
Need help?
General
