Configuring An Ipsec Transform Set - HPE FlexFabric 7900 Series Security Configuration Manual


Configuring an IPsec transform set

An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA
negotiation, including the security protocol, encryption algorithms, and authentication algorithms.
Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the
changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be
set up by using the updated parameters.
To configure an IPsec transform set:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IPsec transform set and enter its view.
  Command: ipsec transform-set transform-set-name
  Remarks: By default, no IPsec transform set exists.

Step 3. Specify the security protocol for the IPsec transform set.
  Command: protocol { ah | ah-esp | esp }
  Remarks: Optional. By default, the IPsec transform set uses ESP as the security protocol.

Step 4. Specify the security algorithms.
  Commands (configure at least one):
    (In non-FIPS mode.) Specify the encryption algorithm for ESP:
      esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } *
    (In FIPS mode.) Specify the encryption algorithm for ESP:
      esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } *
    (In non-FIPS mode.) Specify the authentication algorithm for ESP:
      esp authentication-algorithm { md5 | sha1 } *
    (In FIPS mode.) Specify the authentication algorithm for ESP:
      esp authentication-algorithm sha1
    (In non-FIPS mode.) Specify the authentication algorithm for AH:
      ah authentication-algorithm { md5 | sha1 } *
    (In FIPS mode.) Specify the authentication algorithm for AH:
      ah authentication-algorithm sha1
  Remarks: By default, no security algorithm is specified.
    You can specify security algorithms for a security protocol only when the security protocol is used by the transform set. For example, you can specify the ESP-specific security algorithms only when you select ESP or AH-ESP as the security protocol.
    If you use ESP in FIPS mode, you must specify both the ESP encryption algorithm and the ESP authentication algorithm.
    You can specify multiple algorithms by using one command, and the algorithm specified earlier has a higher priority.

Step 5. Specify the mode in which the security protocol encapsulates IP packets.
  Command: encapsulation-mode { transport | tunnel }
  Remarks: By default, the security protocol encapsulates IP packets in tunnel mode.
    The transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.

Step 6. (Optional.) Enable the Perfect Forward Secrecy (PFS) feature for the IPsec policy.
  Command:
    In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }
    In FIPS mode:
  Remarks: By default, the PFS feature is not used for SA negotiation.
    For more information about PFS, see "Configuring IKE."
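As an added illustration of the rules in the Remarks column (editor's example, not HPE code, and it does not run on the switch), the following Python parses a transform-set view block typed the way the procedure shows and checks it against those rules: ESP algorithms only with esp or ah-esp, the AH algorithm only with ah or ah-esp, at least one algorithm configured, the FIPS-mode algorithm restrictions, and the listed order being the proposal priority. The two sample configurations and the set of keywords flagged as weak are the editor's own assumptions, and the FIPS-mode PFS groups are not checked because this page does not list them.

```python
"""Parse and sanity-check an IPsec transform-set configuration block.

Added example for this manual page; it is not HPE code and models only the
rules stated in the procedure's Remarks column.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Keyword sets taken from the command syntax in the procedure.
NON_FIPS_ESP_ENC = {"3des-cbc", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256", "des-cbc", "null"}
FIPS_ESP_ENC = {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256"}
NON_FIPS_AUTH = {"md5", "sha1"}
FIPS_AUTH = {"sha1"}
NON_FIPS_PFS = {"dh-group1", "dh-group2", "dh-group5", "dh-group14", "dh-group24"}
# Editor's assumption, not a manual statement: keywords a reviewer would flag
# (null/DES encryption, MD5 authentication, the 768- and 1024-bit DH groups).
WEAK = {"null", "des-cbc", "md5", "dh-group1", "dh-group2"}


@dataclass
class TransformSet:
    name: str
    protocol: str = "esp"          # manual default
    esp_enc: List[str] = field(default_factory=list)   # order = priority
    esp_auth: List[str] = field(default_factory=list)
    ah_auth: List[str] = field(default_factory=list)
    mode: str = "tunnel"           # manual default
    pfs: Optional[str] = None      # manual default: PFS not used


def parse_transform_set(text: str) -> TransformSet:
    """Parse one 'ipsec transform-set' view as typed from system view."""
    ts: Optional[TransformSet] = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            continue
        if words[:2] == ["ipsec", "transform-set"] and len(words) == 3:
            ts = TransformSet(name=words[2])
            continue
        if ts is None:
            raise ValueError("expected 'ipsec transform-set <name>' first")
        if words[0] == "protocol" and len(words) == 2:
            ts.protocol = words[1]
        elif words[:2] == ["esp", "encryption-algorithm"] and len(words) > 2:
            ts.esp_enc = words[2:]
        elif words[:2] == ["esp", "authentication-algorithm"] and len(words) > 2:
            ts.esp_auth = words[2:]
        elif words[:2] == ["ah", "authentication-algorithm"] and len(words) > 2:
            ts.ah_auth = words[2:]
        elif words[0] == "encapsulation-mode" and len(words) == 2:
            ts.mode = words[1]
        elif words[0] == "pfs" and len(words) == 2:
            ts.pfs = words[1]
        else:
            raise ValueError(f"unrecognised line: {raw.strip()}")
    if ts is None:
        raise ValueError("no transform set found")
    return ts


def validate(ts: TransformSet, fips: bool = False) -> Tuple[List[str], List[str]]:
    """Return (problems, warnings): problems are combinations the manual rules
    out; warnings are legal choices a security reviewer should look at."""
    problems: List[str] = []
    warnings: List[str] = []
    uses_esp = ts.protocol in {"esp", "ah-esp"}
    uses_ah = ts.protocol in {"ah", "ah-esp"}
    enc_ok = FIPS_ESP_ENC if fips else NON_FIPS_ESP_ENC
    auth_ok = FIPS_AUTH if fips else NON_FIPS_AUTH

    if ts.protocol not in {"ah", "ah-esp", "esp"}:
        problems.append(f"unknown protocol {ts.protocol}")
    if (ts.esp_enc or ts.esp_auth) and not uses_esp:
        problems.append("ESP algorithms set but the transform set does not use ESP")
    if ts.ah_auth and not uses_ah:
        problems.append("AH algorithm set but the transform set does not use AH")
    if not (ts.esp_enc or ts.esp_auth or ts.ah_auth):
        problems.append("no security algorithm specified; configure at least one")
    if fips and uses_esp and not (ts.esp_enc and ts.esp_auth):
        problems.append("FIPS mode: ESP needs both an encryption and an authentication algorithm")
    for alg in ts.esp_enc:
        if alg not in enc_ok:
            problems.append(f"ESP encryption algorithm {alg} not available in this mode")
    for alg in ts.esp_auth + ts.ah_auth:
        if alg not in auth_ok:
            problems.append(f"authentication algorithm {alg} not available in this mode")
    if ts.mode not in {"transport", "tunnel"}:
        problems.append(f"unknown encapsulation mode {ts.mode}")
    # The page lists PFS groups for non-FIPS mode only, so FIPS is not checked.
    if ts.pfs is not None and not fips and ts.pfs not in NON_FIPS_PFS:
        problems.append(f"unknown PFS group {ts.pfs}")

    for alg in ts.esp_enc + ts.esp_auth + ts.ah_auth + ([ts.pfs] if ts.pfs else []):
        if alg in WEAK:
            warnings.append(f"weak choice: {alg}")
    if ts.pfs is None:
        warnings.append("PFS not enabled (manual default)")
    return problems, warnings


# Constructed sample configurations (editor's own, not from the manual).
STRONG_CONFIG = """
ipsec transform-set branch-to-hq
 protocol esp
 esp encryption-algorithm aes-cbc-256 aes-cbc-128
 esp authentication-algorithm sha1
 encapsulation-mode tunnel
 pfs dh-group14
"""
LEGACY_CONFIG = """
ipsec transform-set legacy
 protocol ah-esp
 esp encryption-algorithm des-cbc
 esp authentication-algorithm md5
 ah authentication-algorithm md5
 encapsulation-mode transport
"""

if __name__ == "__main__":
    for cfg in (STRONG_CONFIG, LEGACY_CONFIG):
        ts = parse_transform_set(cfg)
        for fips in (False, True):
            print(ts.name, "fips" if fips else "non-fips", validate(ts, fips))
```

Remember that, as the page states, a changed transform set only affects SAs negotiated afterwards; after tightening a set, existing SAs must be cleared with reset ipsec sa before the new algorithms are actually in use.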
