R3303-HP HSR6800 Routers Security Command Reference
287
Syntax
esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des }
undo esp encryption-algorithm
Default
In FIPS mode, ESP uses the AES-128 encryption algorithm.
In non-FIPS mode, ESP uses no encryption algorithm.
Views
IPsec transform set view
Default command level
2: System level
Parameters
3des: Uses the triple Data Encryption Standard (3DES) in CBC mode, which uses a 168-bit key. This
keyword is not supported in FIPS mode.
aes-cbc-128: Uses the Advanced Encryption Standard (AES) in CBC mode that uses a 128- bit key.
aes-cbc-192: Uses AES in CBC mode that uses a 192-bit key.
aes-cbc-256: Uses AES in CBC mode that uses a 256-bit key.
des: Uses the DES in cipher block chaining (CBC) mode, which uses a 56-bit key. This keyword is not
supported in FIPS mode.
Usage guidelines
ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption
and authentication. In non-FIPS mode, you must specify an encryption algorithm, an authentication
algorithm, or both for ESP. In FIPS mode, you must specify both an encryption algorithm and an
authentication algorithm for ESP. The undo esp encryption-algorithm command takes effect only if one or
more authentication algorithms are specified for ESP.
Examples
# Configure IPsec transform set prop1 to use ESP and specify 3DES as the encryption algorithm for ESP.
<Sysname> system-view
[Sysname] ipsec transform-set prop1
[Sysname-ipsec-transform-set-prop1] transform esp
[Sysname-ipsec-transform-set-prop1] esp encryption-algorithm 3des
Related commands
• display ipsec transform-set
• esp authentication-algorithm
ike-peer (IPsec policy view/IPsec policy template view/IPsec
profile view)
Use ike-peer to reference an IKE peer in an IPsec policy, IPsec policy template, or IPsec profile configured
through IKE negotiation.
Use undo ike peer to remove the reference.