R2511-HP MSR Router Series Security Configuration Guide(V5)

161
| Step | Command | Remarks |
|---|---|---|
| 2. Create an IPsec transform set and enter its view. | `ipsec transform-set transform-set-name` | By default, no IPsec transform set exists. You can configure up to 10000 IPsec transform sets in the system. |
| 3. Specify the security protocol for the IPsec transform set. | `transform { ah \| ah-esp \| esp }` | Optional. ESP by default. You can configure security algorithms for a security protocol only after you select the protocol. For example, you can specify the ESP-specific security algorithms only when you select ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. |
| 4. Specify the security algorithms. | Specify the encryption algorithm for ESP:<br>`esp encryption-algorithm { 3des \| aes-cbc-128 \| aes-cbc-192 \| aes-cbc-256 \| aes-ctr-128 \| aes-ctr-192 \| aes-ctr-256 \| camellia-cbc-128 \| camellia-cbc-192 \| camellia-cbc-256 \| des } *`<br>Specify the authentication algorithm for ESP:<br>`esp authentication-algorithm { aes-xcbc-mac \| md5 \| sha1 \| sha2-256 } *`<br>Specify the authentication algorithm for AH:<br>`ah authentication-algorithm { aes-xcbc-mac \| md5 \| sha1 \| sha2-256 } *` | Configure at least one of these commands. You can configure security algorithms for a security protocol only after you specify the security protocol. For example, you can specify the ESP-specific security algorithms only after you select ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. DES, 3DES, and MD5 algorithms are not supported in FIPS mode. In FIPS mode, ESP uses AES-128 for encryption and SHA-1 for authentication by default, AH uses SHA-1 for authentication by default, and you must specify both an encryption algorithm and an authentication algorithm. In non-FIPS mode, no encryption or authentication algorithm is specified for ESP and AH by default. |
| 5. Specify the IP packet encapsulation mode for the IPsec transform set. | `encapsulation-mode { transport \| tunnel }` | Optional. Tunnel mode by default. Transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel. IPsec for IPv6 routing protocols supports only the transport mode. |
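The algorithm rules from steps 3 and 4 (DES/3DES/MD5 rejected in FIPS mode, both ESP algorithms required in FIPS mode, at least one algorithm otherwise) applied as an audit over a saved configuration, as an added example that is not part of the guide or HP's software. The sample configuration text, the function names and the handling of `#` as a view separator are assumptions made for the example.

```python
import re
# Constructed sample in the style of a Comware V5 configuration dump (not taken from the guide).
SAMPLE_CONFIG = """\
ipsec transform-set tran-weak
 esp encryption-algorithm 3des
 esp authentication-algorithm md5
#
ipsec transform-set tran-strong
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha2-256
#
ipsec transform-set tran-ah-esp
 transform ah-esp
 esp encryption-algorithm aes-cbc-128
#
"""
FIPS_BANNED = {"des", "3des", "md5"}  # not supported in FIPS mode, per the guide
ALG_KEYS = {("esp", "encryption-algorithm"): "esp_enc", ("esp", "authentication-algorithm"): "esp_auth",
            ("ah", "authentication-algorithm"): "ah_auth"}

def parse_transform_sets(config):  # protocol and algorithm lists for each transform-set block
    sets, cur = {}, None
    for line in (ln.strip() for ln in config.splitlines()):
        m = re.match(r"ipsec transform-set (\S+)$", line)
        if m:  # guide defaults: protocol ESP, no algorithms configured (non-FIPS)
            cur = sets[m.group(1)] = {"transform": "esp", "esp_enc": [], "esp_auth": [], "ah_auth": []}
        elif line == "#":  # assumed: '#' closes the current view in the dump
            cur = None
        elif cur is not None and line:
            w = line.split()
            if w[0] == "transform":
                cur["transform"] = w[1]
            elif tuple(w[:2]) in ALG_KEYS:
                cur[ALG_KEYS[tuple(w[:2])]] += w[2:]
    return sets

def audit(sets, fips=False):  # (set name, finding) pairs for settings the guide rejects or leaves incomplete
    findings = []
    for name, s in sets.items():
        for alg in s["esp_enc"] + s["esp_auth"] + s["ah_auth"]:
            if alg in FIPS_BANNED:
                findings.append((name, f"{alg} is not supported in FIPS mode"))
        esp_ok = (s["esp_enc"] and s["esp_auth"]) if fips else (s["esp_enc"] or s["esp_auth"])
        if s["transform"] != "ah" and not esp_ok:
            findings.append((name, "ESP needs " + ("both algorithms in FIPS mode" if fips else "an algorithm")))
        if s["transform"] != "esp" and not fips and not s["ah_auth"]:  # FIPS mode defaults AH to SHA-1
            findings.append((name, "AH selected but no AH authentication algorithm configured"))
    return findings
```

Running `audit(parse_transform_sets(SAMPLE_CONFIG), fips=True)` flags `tran-weak` twice (3DES and MD5) and `tran-ah-esp` once (no ESP authentication algorithm), while `tran-strong` produces no findings.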