HP VPN Firewall Appliances VPN Configuration Guide
167
Step / Command / Remarks

Step 4: Specify the security algorithms.
  Commands:
  • Specify the encryption algorithm for ESP:
    esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des } *
    Remarks: In non-FIPS mode, the default is DES. In FIPS mode, 3DES and DES are not supported and AES-128 is the default encryption algorithm.
  • Specify the authentication algorithm for ESP:
    esp authentication-algorithm { md5 | sha1 } *
    Remarks: In non-FIPS mode, the default is MD5. In FIPS mode, MD5 is not supported and the default authentication algorithm is SHA1.
  • Specify the authentication algorithm for AH:
    ah authentication-algorithm { md5 | sha1 } *
    Remarks: In non-FIPS mode, the default is MD5. In FIPS mode, MD5 is not supported and the default authentication algorithm is SHA1.
  Remarks for this step: Configure at least one command. In FIPS mode, you must specify both an authentication algorithm and an encryption algorithm.

Step 5: Specify the IP packet encapsulation mode for the IPsec transform set.
  Command: encapsulation-mode { transport | tunnel }
  Remarks: Optional. Tunnel mode by default. Transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel. IPsec for IPv6 routing protocols supports only the transport mode.
Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to
existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using the
updated parameters.
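The defaults and FIPS restrictions in steps 4 and 5 are easy to get wrong when auditing a transform set, because an omitted command silently becomes DES or MD5 in non-FIPS mode. The following Python script is an added example, not HP code and not part of this guide: it parses the four commands from the table, applies the documented defaults for the given mode, rejects what the table says the device rejects, and flags DES and MD5 as weak. Two assumptions are labelled in the code: that ESP is in use whenever either esp command appears (the protocol-selection command itself is not on this page), and that the FIPS "both algorithms" rule is satisfied by an ESP encryption algorithm plus either an ESP or an AH authentication algorithm. The sample configurations are constructed.

```python
"""Effective-algorithm check for an IPsec transform set, modelled on the
rules in the configuration table above. Constructed example, not HP code."""

# Algorithms the table says are unsupported in FIPS mode.
FIPS_BANNED = {"des", "3des", "md5"}
# Accepted in non-FIPS mode, but worth a warning in an audit.
WEAK = {"des", "md5"}
# Defaults from the table, keyed by FIPS mode.
DEFAULTS = {
    False: {"esp_enc": "des", "esp_auth": "md5", "ah_auth": "md5"},
    True: {"esp_enc": "aes-cbc-128", "esp_auth": "sha1", "ah_auth": "sha1"},
}


def parse_transform_set(lines):
    """Parse the four commands shown in the table into a dict.

    Anything else raises ValueError so an unexpected line is never
    silently ignored during an audit.
    """
    cfg = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[:2] == ["esp", "encryption-algorithm"]:
            cfg["esp_enc"] = tokens[2]
        elif tokens[:2] == ["esp", "authentication-algorithm"]:
            cfg["esp_auth"] = tokens[2]
        elif tokens[:2] == ["ah", "authentication-algorithm"]:
            cfg["ah_auth"] = tokens[2]
        elif tokens[:1] == ["encapsulation-mode"]:
            cfg["mode"] = tokens[1]
        else:
            raise ValueError(f"unrecognised transform-set line: {line!r}")
    return cfg


def effective_transform_set(cfg, fips):
    """Apply the table's defaults and FIPS rules.

    Returns (effective_cfg, warnings); raises ValueError for a
    configuration the table says is not accepted.
    """
    algos = {k: cfg[k] for k in ("esp_enc", "esp_auth", "ah_auth") if k in cfg}
    if not algos:
        raise ValueError("configure at least one security algorithm command")
    if fips:
        banned = {k: v for k, v in algos.items() if v in FIPS_BANNED}
        if banned:
            raise ValueError(f"not supported in FIPS mode: {banned}")
        # Assumption: "both an authentication algorithm and an encryption
        # algorithm" = ESP encryption plus ESP or AH authentication.
        has_auth = "esp_auth" in algos or "ah_auth" in algos
        if not ("esp_enc" in algos and has_auth):
            raise ValueError("FIPS mode requires both an authentication "
                             "algorithm and an encryption algorithm")
    eff = dict(algos)
    # Assumption: ESP is in use whenever either esp command is present, so
    # the other ESP field takes the documented default for this mode.
    if "esp_enc" in eff or "esp_auth" in eff:
        eff.setdefault("esp_enc", DEFAULTS[fips]["esp_enc"])
        eff.setdefault("esp_auth", DEFAULTS[fips]["esp_auth"])
    eff["mode"] = cfg.get("mode", "tunnel")  # tunnel mode by default
    warnings = [f"{k} uses weak algorithm {v}" for k, v in eff.items() if v in WEAK]
    return eff, warnings


def transport_mode_ok(eff, flow, tunnel):
    """Transport mode is valid only when the data flow's source and
    destination addresses are the IPsec tunnel's own endpoints."""
    if eff["mode"] != "transport":
        return True
    return set(flow) == set(tunnel)


def check(lines, fips):
    """Parse and evaluate a transform set; returns a plain dict result."""
    try:
        eff, warns = effective_transform_set(parse_transform_set(lines), fips)
        return {"ok": True, "effective": eff, "warnings": warns}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}


# Constructed sample: relies on the non-FIPS ESP authentication default.
LEGACY = ["esp encryption-algorithm 3des"]
# Constructed sample: explicit algorithms that satisfy both FIPS requirements.
FIPS_OK = ["esp encryption-algorithm aes-cbc-256",
           "esp authentication-algorithm sha1",
           "encapsulation-mode tunnel"]

if __name__ == "__main__":
    for name, lines in (("LEGACY", LEGACY), ("FIPS_OK", FIPS_OK)):
        for fips in (False, True):
            print(name, "fips" if fips else "non-fips", check(lines, fips))
```

Running the script shows the point of the exercise: the legacy set is accepted in non-FIPS mode but its ESP authentication silently becomes MD5, and the same set is rejected outright in FIPS mode because of 3DES. Remember that, per the note above, a corrected transform set only takes effect for SAs negotiated afterwards unless the existing SAs are cleared.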
Configuring an IPsec policy
IPsec policies define which IPsec transform sets should be used to protect which data flows. An IPsec
policy is uniquely identified by its name and sequence number.
IPsec policies include the following categories:
• Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the
IP addresses of the two ends in tunnel mode.