F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Command Reference-6PW100
81
Syntax
esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des } *
undo esp encryption-algorithm
Default
In non-FIPS mode, the default algorithm is DES. In FIPS mode, DES and 3DES are not supported and
AES-128 is default algorithm.
Views
IPsec transform set view
Default command level
2: System level
Parameters
3des: Uses the triple Data Encryption Standard (3DES) in CBC mode, which uses a 168-bit key.
aes-cbc-128: Uses the Advanced Encryption Standard (AES) in CBC mode that uses a 128- bit key.
aes-cbc-192: Uses AES in CBC mode that uses a 192-bit key.
aes-cbc-256: Uses AES in CBC mode that uses a 256-bit key.
des: Uses the DES in cipher block chaining (CBC) mode, which uses a 56-bit key.
Usage guidelines
ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption
and authentication.
In non-FIPS mode, you must specify an encryption algorithm, an authentication algorithm, or both.
In FIPS mode, you must specify both an encryption algorithm and an authentication algorithm. Deleting
the encryption algorithm and the authentication algorithm will restore the default algorithms in FIPS
mode.
Examples
# Configure IPsec transform set prop1 to use ESP and specify 3DES as the encryption algorithm for ESP.
<Sysname> system-view
[Sysname] ipsec transform-set prop1
[Sysname-ipsec-transform-set-prop1] transform esp
[Sysname-ipsec-transform-set-prop1] esp encryption-algorithm 3des
Related commands
• display ipsec transform-set
• esp authentication-algorithm
ike-peer (IPsec policy view/IPsec policy template view/IPsec
profile view)
Use ike-peer to reference an IKE peer in an IPsec policy, IPsec policy template, or IPsec profile configured
through IKE negotiation.
Use undo ike peer to remove the reference.
This command applies only to IKE negotiation mode.