HP MSR2000/3000/4000 Router Series Security Command Reference
217
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key.
Usage guidelines
In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and
the algorithm specified earlier has a higher priority.
• For a manual IPsec policy, the first specified ESP authentication algorithm takes effect. To make sure
an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the
tunnel must have the same first ESP authentication algorithm.
• For an IKE-based IPsec policy, the initiator sends all ESP authentication algorithms specified in the
IPsec transform set to the peer end during the negotiation phase, and the responder matches the
received algorithms against its local algorithms starting from the first one until a match is found. To
ensure a successful IKE negotiation, the IPsec transform sets specified at both ends of the tunnel must
have at least one same ESP authentication algorithm.
Examples
# Configure the IPsec transform set tran1 to use HMAC-SHA1 algorithm as the ESP authentication
algorithm.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1
Related commands
ipsec transform-set
esp encryption-algorithm
Use esp encryption-algorithm to specify encryption algorithms for ESP.
Use undo esp encryption-algorithm to remove all encryption algorithms specified for ESP.
Syntax
In non-FIPS mode:
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } *
undo encryption-algorithm
In FIPS mode:
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }*
undo encryption-algorithm
Default
ESP does not use any encryption algorithms.