HPE Moonshot 45Gc Security Configuration Manual page 278

Switch module
Step 2. Create an IPsec transform set and enter its view.
    Command: ipsec transform-set transform-set-name
    Remarks: By default, no IPsec transform set exists.

Step 3. Specify the security protocol for the IPsec transform set.
    Command: protocol { ah | ah-esp | esp }
    Remarks: Optional. By default, the IPsec transform set uses ESP as the security protocol.

Step 4. Specify the security algorithms.
    Commands (configure at least one):
      (In non-FIPS mode.) Specify the encryption algorithm for ESP:
        esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null } *
      (In FIPS mode.) Specify the encryption algorithm for ESP:
        esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 } *
      (In non-FIPS mode.) Specify the authentication algorithm for ESP:
        esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
      (In FIPS mode.) Specify the authentication algorithm for ESP:
        esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
      (In non-FIPS mode.) Specify the authentication algorithm for AH:
        ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
      (In FIPS mode.) Specify the authentication algorithm for AH:
        ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
    Remarks:
      By default, no security algorithm is specified.
      You can specify algorithms for a security protocol only when the transform set uses that protocol. For example, the ESP-specific algorithms can be specified only when the security protocol is esp or ah-esp.
      If you use ESP in FIPS mode, you must specify both the ESP encryption algorithm and the ESP authentication algorithm.
      You can specify multiple algorithms in one command; an algorithm listed earlier has a higher priority in negotiation than one listed later.
      The aes-ctr-128, aes-ctr-192, aes-ctr-256, camellia-cbc-128, camellia-cbc-192, camellia-cbc-256, gmac-128, gmac-192, gmac-256, gcm-128, gcm-192, and gcm-256 encryption algorithms and the aes-xcbc-mac, sha256, sha384, and sha512 authentication algorithms are available only for IKEv2.

Step 5. Specify the mode in which the security protocol encapsulates IP packets.
    Command: encapsulation-mode { transport | tunnel }
    Remarks:
      By default, the security protocol encapsulates IP packets in tunnel mode.
      Transport mode applies only when the source and destination IP addresses of the data flows match those of the IPsec tunnel endpoints.
      IPsec for IPv6 routing protocols supports only transport mode.

Step 6. (Optional.) Enable the Perfect Forward Secrecy (PFS) feature.
    Command (in non-FIPS mode): pfs { dh-group1 | dh-group2 |
    Remarks: By default, the PFS feature is not used for SA negotiation.
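The constraints in Step 4 are easy to get wrong by hand, in particular the FIPS-mode rule that ESP needs both an encryption and an authentication algorithm, and the list of algorithms that only IKEv2 can negotiate. As an added example, not code from the HPE manual or from the switch itself, the following Python script parses a Comware-style transform-set view and checks it against the rules in the table above. The two sample views (names `legacy` and `tran1`, and the algorithm choices in them) are constructed for illustration; the script only reads text and never talks to a device.

```python
"""Lint an IPsec transform-set view against the constraints in the table above.
Added example, not part of the HPE manual: parses a Comware-style CLI fragment and
applies the protocol, FIPS/non-FIPS, 'both algorithms in FIPS mode' and IKEv2-only rules."""

# Algorithm sets exactly as listed in the table (FIPS sets derived from the non-FIPS ones).
ESP_ENC_NON_FIPS = {
    "3des-cbc", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256",
    "aes-ctr-128", "aes-ctr-192", "aes-ctr-256",
    "camellia-cbc-128", "camellia-cbc-192", "camellia-cbc-256", "des-cbc",
    "gmac-128", "gmac-192", "gmac-256", "gcm-128", "gcm-192", "gcm-256", "null",
}
ESP_ENC_FIPS = ESP_ENC_NON_FIPS - {"3des-cbc", "camellia-cbc-128", "camellia-cbc-192",
                                   "camellia-cbc-256", "des-cbc", "null"}
AUTH_NON_FIPS = {"aes-xcbc-mac", "md5", "sha1", "sha256", "sha384", "sha512"}
AUTH_FIPS = AUTH_NON_FIPS - {"aes-xcbc-mac", "md5"}
# Everything except 3des-cbc, aes-cbc-*, des-cbc and null is IKEv2-only, plus these MACs.
IKEV2_ONLY = (ESP_ENC_NON_FIPS - {"3des-cbc", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256",
                                  "des-cbc", "null"}) | {"aes-xcbc-mac", "sha256", "sha384", "sha512"}


def parse_transform_set(text):
    """Parse one transform-set view into a dict, applying the table's defaults."""
    ts = {"name": None, "protocol": "esp", "esp_enc": [], "esp_auth": [],
          "ah_auth": [], "mode": "tunnel", "pfs": None}
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            continue
        if words[:2] == ["ipsec", "transform-set"] and len(words) == 3:
            ts["name"] = words[2]
        elif words[0] == "protocol" and len(words) == 2:
            ts["protocol"] = words[1]
        elif words[:2] == ["esp", "encryption-algorithm"]:
            ts["esp_enc"] = words[2:]          # list order is negotiation priority
        elif words[:2] == ["esp", "authentication-algorithm"]:
            ts["esp_auth"] = words[2:]
        elif words[:2] == ["ah", "authentication-algorithm"]:
            ts["ah_auth"] = words[2:]
        elif words[0] == "encapsulation-mode" and len(words) == 2:
            ts["mode"] = words[1]
        elif words[0] == "pfs" and len(words) == 2:
            ts["pfs"] = words[1]
        else:
            raise ValueError(f"unrecognised line in transform-set view: {raw!r}")
    return ts


def lint_transform_set(ts, fips=False, ikev2=True):
    """Return the list of violations of the table's rules (empty list = clean)."""
    findings = []
    proto = ts["protocol"]
    if proto not in {"ah", "esp", "ah-esp"}:
        return [f"unknown protocol {proto!r}"]
    uses_esp, uses_ah = proto in {"esp", "ah-esp"}, proto in {"ah", "ah-esp"}
    label = "FIPS" if fips else "non-FIPS"
    enc_ok = ESP_ENC_FIPS if fips else ESP_ENC_NON_FIPS
    auth_ok = AUTH_FIPS if fips else AUTH_NON_FIPS

    # Algorithms may be set only for a protocol the transform set actually uses.
    if (ts["esp_enc"] or ts["esp_auth"]) and not uses_esp:
        findings.append("ESP algorithms configured but protocol is ah")
    if ts["ah_auth"] and not uses_ah:
        findings.append("AH algorithm configured but protocol is esp")
    # Step 4: at least one algorithm command is required.
    if not (ts["esp_enc"] or ts["esp_auth"] or ts["ah_auth"]):
        findings.append("no security algorithm specified")
    # In FIPS mode, ESP needs both an encryption and an authentication algorithm.
    if fips and uses_esp and not (ts["esp_enc"] and ts["esp_auth"]):
        findings.append("FIPS mode: ESP requires both encryption and authentication algorithms")
    for field, cmd, allowed in (("esp_enc", "esp encryption-algorithm", enc_ok),
                                ("esp_auth", "esp authentication-algorithm", auth_ok),
                                ("ah_auth", "ah authentication-algorithm", auth_ok)):
        for alg in ts[field]:
            if alg not in allowed:
                findings.append(f"{alg} is not a valid '{cmd}' choice in {label} mode")
            elif alg in IKEV2_ONLY and not ikev2:
                findings.append(f"{alg} is available only for IKEv2")
    return findings


def preferred_algorithms(ts):
    """The first algorithm in each list is the one offered with the highest priority."""
    return {k: ts[k][0] for k in ("esp_enc", "esp_auth", "ah_auth") if ts[k]}


# Constructed sample views (assumed names and algorithm choices, not taken from the manual).
LEGACY_VIEW = """
ipsec transform-set legacy
 esp encryption-algorithm des-cbc 3des-cbc
 esp authentication-algorithm md5
"""
HARDENED_VIEW = """
ipsec transform-set tran1
 protocol esp
 esp encryption-algorithm aes-cbc-256 aes-cbc-128
 esp authentication-algorithm sha256
 encapsulation-mode tunnel
"""

if __name__ == "__main__":
    for view in (LEGACY_VIEW, HARDENED_VIEW):
        ts = parse_transform_set(view)
        for fips in (False, True):
            problems = lint_transform_set(ts, fips=fips, ikev2=False)
            print(f"{ts['name']} ({'FIPS' if fips else 'non-FIPS'}, IKEv1): {problems or 'OK'}")
        print("  preference:", preferred_algorithms(ts))
```

Two results are worth noticing. The `legacy` view (des-cbc, 3des-cbc, md5) passes cleanly in non-FIPS mode because the table permits those algorithms there; only FIPS mode rules them out, so the lint is a floor set by the device, not a statement that the non-FIPS choices are sound. And the `tran1` view is rejected under IKEv1 solely because sha256 is listed as IKEv2-only, which is exactly the kind of mismatch that otherwise shows up as a failed SA negotiation rather than a configuration error.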