R0106-HP MSR Router Series Security Configuration Guide(V7)

To configure an IPsec transform set:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IPsec transform set and enter its view.
  Command: ipsec transform-set transform-set-name
  Remarks: By default, no IPsec transform set exists.

Step 3. Specify the security protocol for the IPsec transform set.
  Command: protocol { ah | ah-esp | esp }
  Remarks: Optional. By default, the IPsec transform set uses ESP as the security protocol.

Step 4. Specify the security algorithms.
  Commands (use at least one):
    (Low encryption.) Specify the encryption algorithm for ESP:
      esp encryption-algorithm des-cbc
    (High encryption in non-FIPS mode.) Specify the encryption algorithm for ESP:
      esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } *
    (In FIPS mode.) Specify the encryption algorithm for ESP:
      esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } *
    (In non-FIPS mode.) Specify the authentication algorithm for ESP:
      esp authentication-algorithm { md5 | sha1 } *
    (In FIPS mode.) Specify the authentication algorithm for ESP:
      esp authentication-algorithm sha1
    (In non-FIPS mode.) Specify the authentication algorithm for AH:
      ah authentication-algorithm { md5 | sha1 } *
    (In FIPS mode.) Specify the authentication algorithm for AH:
      ah authentication-algorithm sha1
  Remarks:
    Configure at least one command. By default, no security algorithm is specified.
    You can specify security algorithms for a security protocol only when the security protocol is used by the transform set. For example, you can specify the ESP-specific security algorithms only when you select ESP or AH-ESP as the security protocol.
    If you use ESP in FIPS mode, you must specify both the ESP encryption algorithm and the ESP authentication algorithm.
    You can specify multiple algorithms by using one command; the algorithm specified earlier has a higher priority.

Step 5. Specify the mode in which the security protocol encapsulates IP packets.
  Command: encapsulation-mode { transport | tunnel }
  Remarks:
    By default, the security protocol encapsulates IP packets in tunnel mode.
    The transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.
    IPsec for IPv6 routing protocols supports only the transport mode.
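The constraints in the remarks of steps 4 and 5 can be checked mechanically before a transform set is deployed. The script below is an added example, not part of this guide or of HP's software: it parses the transform-set commands in the syntax shown above from a constructed configuration snippet, applies the stated rules (at least one algorithm command, ESP/AH algorithms only with a matching protocol, both ESP algorithms required in FIPS mode, FIPS algorithm restrictions, earlier-listed algorithm preferred) and additionally flags the algorithms a reviewer would treat as weak (des-cbc, 3des-cbc, null, md5). The `fips` flag, the function names and the sample transform-set names are assumptions made for the example.

```python
"""Lint an IPsec transform-set snippet written in the CLI syntax of the
configuration table above.  Hypothetical checker (not vendor code); it
understands only the commands that the table lists."""

# Algorithms the table allows in FIPS mode.
FIPS_ESP_ENC = {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256"}
FIPS_AUTH = {"sha1"}
# Algorithms a reviewer would flag even where the CLI accepts them.
WEAK = {"des-cbc", "3des-cbc", "null", "md5"}


def parse_transform_set(text):
    """Return the settings of one transform set, with the table's defaults
    (ESP protocol, tunnel mode, no algorithms) applied where a command is absent."""
    ts = {"name": None, "protocol": "esp", "esp_enc": [],
          "esp_auth": [], "ah_auth": [], "mode": "tunnel"}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0] == "#":
            continue
        if parts[:2] == ["ipsec", "transform-set"] and len(parts) == 3:
            ts["name"] = parts[2]
        elif parts[0] == "protocol" and len(parts) == 2:
            ts["protocol"] = parts[1]
        elif parts[:2] == ["esp", "encryption-algorithm"]:
            ts["esp_enc"] = parts[2:]          # order = priority
        elif parts[:2] == ["esp", "authentication-algorithm"]:
            ts["esp_auth"] = parts[2:]
        elif parts[:2] == ["ah", "authentication-algorithm"]:
            ts["ah_auth"] = parts[2:]
        elif parts[0] == "encapsulation-mode" and len(parts) == 2:
            ts["mode"] = parts[1]
    return ts


def lint(ts, fips=False):
    """Return a list of findings; an empty list means the set passes."""
    findings = []
    proto = ts["protocol"]
    uses_esp = proto in ("esp", "ah-esp")
    uses_ah = proto in ("ah", "ah-esp")
    esp_algs = ts["esp_enc"] + ts["esp_auth"]

    if not (esp_algs or ts["ah_auth"]):
        findings.append("no security algorithm specified (at least one command is required)")
    if esp_algs and not uses_esp:
        findings.append("ESP algorithms configured but protocol is %s" % proto)
    if ts["ah_auth"] and not uses_ah:
        findings.append("AH algorithm configured but protocol is %s" % proto)
    if fips and uses_esp and not (ts["esp_enc"] and ts["esp_auth"]):
        findings.append("FIPS mode: ESP requires both an encryption and an authentication algorithm")
    if fips:
        for alg in ts["esp_enc"]:
            if alg not in FIPS_ESP_ENC:
                findings.append("FIPS mode: ESP encryption algorithm %s not permitted" % alg)
        for alg in ts["esp_auth"] + ts["ah_auth"]:
            if alg not in FIPS_AUTH:
                findings.append("FIPS mode: authentication algorithm %s not permitted" % alg)

    # Weak algorithms, and the case where a weak one is listed before a
    # stronger one and therefore wins the negotiation.
    for label, algs in (("ESP encryption", ts["esp_enc"]),
                        ("ESP authentication", ts["esp_auth"]),
                        ("AH authentication", ts["ah_auth"])):
        for i, alg in enumerate(algs):
            if alg in WEAK:
                findings.append("weak algorithm %s configured for %s" % (alg, label))
                stronger = [a for a in algs[i + 1:] if a not in WEAK]
                if stronger:
                    findings.append("%s: %s is preferred over %s (earlier entry has higher priority)"
                                    % (label, alg, stronger[0]))
    if ts["mode"] == "transport":
        findings.append("transport mode: confirm flow addresses match the tunnel endpoints")
    return findings


# Constructed sample snippet in the table's CLI syntax (not from a real device).
SAMPLE_WEAK = """\
ipsec transform-set ts-weak
 protocol esp
 esp encryption-algorithm des-cbc aes-cbc-256
 esp authentication-algorithm md5
 encapsulation-mode tunnel
"""

SAMPLE_FIPS = """\
ipsec transform-set ts-fips
 protocol esp
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha1
"""

if __name__ == "__main__":
    for snippet in (SAMPLE_WEAK, SAMPLE_FIPS):
        ts = parse_transform_set(snippet)
        print(ts["name"], lint(ts, fips=True) or ["OK"])
```

Run the script to see the weak set rejected on every FIPS rule it breaks and the AES/SHA-1 set pass; to lint a non-FIPS device, call `lint(ts)` without the flag and only the weak-algorithm and priority findings remain.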