Configuring An Ipsec Proposal - HP 5500 HI Series Configuration Manual

Security

NOTE:
To use IPsec in combination with QoS, make sure the ACL classification rules used by IPsec match the QoS classification rules. If the rules do not match, QoS may put the packets of one IPsec SA into different queues, so that packets are sent out of order. When the anti-replay function is enabled, IPsec discards inbound packets that fall outside the anti-replay window, resulting in packet loss. For more information about QoS classification rules, see ACL and QoS Configuration Guide.

Configuring an IPsec proposal

An IPsec proposal, part of an IPsec policy or an IPsec profile, defines the security parameters for IPsec SA
negotiation, including the security protocol, the encryption and authentication algorithms, and the
encapsulation mode.
To configure an IPsec proposal:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IPsec proposal and enter its view.
  Command: ipsec proposal proposal-name
  Remarks: By default, no IPsec proposal exists.

Step 3. Specify the security protocol for the proposal.
  Command: transform { ah | ah-esp | esp }
  Remarks: Optional. ESP by default.

Step 4. Specify the security algorithms.
  Commands:
    Specify the encryption algorithm for ESP:
      In non-FIPS mode: esp encryption-algorithm { 3des | aes [ key-length ] | des }
      In FIPS mode: esp encryption-algorithm aes [ key-length ]
    Specify the authentication algorithm for ESP:
      In non-FIPS mode: esp authentication-algorithm { md5 | sha1 }
      In FIPS mode: esp authentication-algorithm sha1
    Specify the authentication algorithm for AH:
      In non-FIPS mode: ah authentication-algorithm { md5 | sha1 }
      In FIPS mode: ah authentication-algorithm sha1
  Remarks: Optional. For ESP, the default encryption algorithm is DES in non-FIPS mode and AES-128 in FIPS mode. For ESP and AH, the default authentication algorithm is MD5 in non-FIPS mode and SHA1 in FIPS mode.
  Note that in non-FIPS mode the defaults are the weakest options offered: a proposal with no algorithm lines silently negotiates single DES (56-bit key) with HMAC-MD5. Set the algorithms explicitly (AES with SHA1) rather than relying on the defaults.

Step 5. Specify the IP packet encapsulation mode for the IPsec proposal.
  Command: encapsulation-mode { transport | tunnel }
  Remarks: Optional. Tunnel mode by default. Transport mode applies only when the source and destination IP addresses of the data flows match those of the IPsec tunnel. IPsec for IPv6 routing protocols supports only transport mode.
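The script below is an added editorial example, not code from the HP manual or from HP. It audits the IPsec proposal blocks of a saved configuration against the command syntax and defaults listed in the steps above, and flags proposals that end up on DES or MD5, including proposals that get there only by omitting the algorithm lines. The running-config layout it assumes (a top-level `ipsec proposal` line, indented sub-commands, `#` section separators) and the sample configuration embedded in it are both constructed for the example.

```python
"""Audit IPsec proposals in a Comware-style configuration dump for weak algorithms."""
import re

# Defaults from the Remarks column above. A proposal inherits these for any
# algorithm line that is not explicitly configured.
DEFAULTS_NON_FIPS = {
    "transform": "esp",
    "esp_encryption": "des",
    "esp_authentication": "md5",
    "ah_authentication": "md5",
    "encapsulation_mode": "tunnel",
}
DEFAULTS_FIPS = dict(DEFAULTS_NON_FIPS,
                     esp_encryption="aes 128",
                     esp_authentication="sha1",
                     ah_authentication="sha1")

WEAK_ENCRYPTION = {"des"}   # single DES: 56-bit key
WEAK_AUTH = {"md5"}         # HMAC-MD5; SHA1 is the only stronger option on this platform

# Sub-command prefix -> field name, following the command syntax in steps 3 to 5.
FIELD_BY_COMMAND = {
    "transform": "transform",
    "esp encryption-algorithm": "esp_encryption",
    "esp authentication-algorithm": "esp_authentication",
    "ah authentication-algorithm": "ah_authentication",
    "encapsulation-mode": "encapsulation_mode",
}

# Constructed sample: layout assumed, not copied from a real device.
SAMPLE_CONFIG = """\
#
ipsec proposal legacy
#
ipsec proposal strong
 transform esp
 esp encryption-algorithm aes 256
 esp authentication-algorithm sha1
 encapsulation-mode tunnel
#
ipsec proposal ah-only
 transform ah
 encapsulation-mode transport
#
"""


def parse_proposals(config_text, fips_mode=False):
    """Return {name: {"settings": {...}, "explicit": set(fields)}} for each proposal.

    'explicit' records which fields were actually configured, so the audit can
    tell a deliberately weak choice from an inherited default.
    """
    defaults = DEFAULTS_FIPS if fips_mode else DEFAULTS_NON_FIPS
    proposals = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):            # section separator ends the current block
            current = None
            continue
        m = re.match(r"ipsec proposal (\S+)$", line)
        if m:
            current = {"settings": dict(defaults), "explicit": set()}
            proposals[m.group(1)] = current
            continue
        if current is None:
            continue
        for prefix, field in FIELD_BY_COMMAND.items():
            if line.startswith(prefix + " "):
                # e.g. "esp encryption-algorithm aes 256" -> "aes 256"
                current["settings"][field] = " ".join(line[len(prefix):].split())
                current["explicit"].add(field)
                break
    return proposals


def audit(proposals):
    """Return {name: [finding, ...]}; an empty list means no weak algorithm is in use."""
    report = {}
    for name, prop in proposals.items():
        settings, explicit = prop["settings"], prop["explicit"]
        findings = []

        def check(field, weak_set, label):
            alg = settings[field].split()[0]      # drop the AES key length
            if alg in weak_set:
                how = "configured" if field in explicit else "implicit default"
                findings.append(f"{label} uses {alg.upper()} ({how})")

        # Only the algorithms that the selected security protocol actually uses matter.
        if settings["transform"] in ("esp", "ah-esp"):
            check("esp_encryption", WEAK_ENCRYPTION, "ESP encryption")
            check("esp_authentication", WEAK_AUTH, "ESP authentication")
        if settings["transform"] in ("ah", "ah-esp"):
            check("ah_authentication", WEAK_AUTH, "AH authentication")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(parse_proposals(SAMPLE_CONFIG)).items():
        print(name, "->", findings or "ok")
```

Run it against a real `display current-configuration` dump by passing the text to `parse_proposals`; pass `fips_mode=True` for a device operating in FIPS mode, where the empty `legacy` proposal inherits AES-128 and SHA1 instead and produces no findings.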
