R3303-HP HSR6800 Routers Security Configuration Guide

Step 4. Specify the security algorithms.

  Commands (configure at least one):
    esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des }
      Specifies the encryption algorithm for ESP.
    esp authentication-algorithm { md5 | sha1 }
      Specifies the authentication algorithm for ESP.
    ah authentication-algorithm { md5 | sha1 }
      Specifies the authentication algorithm for AH.

  Remarks:
    By default, no security algorithm is specified.
    You can configure security algorithms for a security protocol only after you select that protocol. For example, you can specify the ESP-specific security algorithms only when you have selected ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication.
    DES, 3DES, and MD5 are not supported in FIPS mode. DES and MD5 are also cryptographically weak and 3DES is deprecated, so prefer an AES algorithm with SHA-1 even in non-FIPS mode whenever the peer supports it.
    In FIPS mode:
      ESP uses AES-128 for encryption and SHA-1 for authentication by default.
      AH uses SHA-1 for authentication by default.
      You must specify both an encryption algorithm and an authentication algorithm for ESP; the encryption-only and authentication-only schemes are not available.
    In non-FIPS mode:
      ESP uses DES for encryption and MD5 for authentication by default.
      AH uses MD5 for authentication by default.

Step 5. Specify the IP packet encapsulation mode for the IPsec transform set.

  Command:
    encapsulation-mode { transport | tunnel }

  Remarks:
    Optional. Tunnel mode by default.
    Transport mode applies only when the source and destination IP addresses of the data flows match those of the IPsec tunnel endpoints, that is, when the protected traffic originates and terminates on the IPsec peers themselves.
    IPsec for IPv6 routing protocols supports only transport mode.
Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they are re-established with the updated parameters. Clearing the SAs interrupts the protected traffic until the new SAs have been negotiated, so schedule this step accordingly on a tunnel carrying production traffic.
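The following session is an added example, not part of the guide, showing steps 4 and 5 applied to replace the non-FIPS defaults (DES and MD5) with AES-256-CBC and SHA-1 in tunnel mode. The transform set name tran1, the ipsec transform-set and protocol esp commands that create the set and select ESP (they belong to the earlier steps of this procedure, which are not on this page), the Router prompts, and the execution of reset ipsec sa from user view are all assumptions.

```text
# Assumed from the earlier steps of this procedure (not on this page):
# create the transform set and select ESP as the security protocol.
<Router> system-view
[Router] ipsec transform-set tran1
[Router-ipsec-transform-set-tran1] protocol esp
# Step 4: replace the non-FIPS defaults (DES encryption, MD5 authentication).
# These two algorithms are the only ones on the page that FIPS mode also accepts.
[Router-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-256
[Router-ipsec-transform-set-tran1] esp authentication-algorithm sha1
# Step 5: tunnel mode is the default; set it explicitly for a site-to-site tunnel
# whose protected flows do not terminate on the peers themselves.
[Router-ipsec-transform-set-tran1] encapsulation-mode tunnel
[Router-ipsec-transform-set-tran1] quit
[Router] quit
# Existing SAs keep the old parameters until cleared; this briefly drops the tunnel
# while the peers renegotiate with the updated transform set.
<Router> reset ipsec sa
```

The same transform set is usable in FIPS mode, because it already names both an encryption and an authentication algorithm for ESP and avoids DES, 3DES, and MD5.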
Configuring an IPsec policy
IPsec policies define which IPsec transform sets should be used to protect which data flows. An IPsec
policy is uniquely identified by its name and sequence number.