esp encryption-algorithm
Syntax
In non-FIPS mode:
esp encryption-algorithm { 3des | aes [ key-length ] | des }
undo esp encryption-algorithm
In FIPS mode:
esp encryption-algorithm aes [ key-length ]
undo esp encryption-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
3des: Uses triple DES (3DES) in cipher block chaining (CBC) mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption. The FIPS mode does not support this algorithm.
aes: Uses the Advanced Encryption Standard (AES) in CBC mode as the encryption algorithm. The AES algorithm uses a 128-bit, 192-bit, or 256-bit key for encryption.
key-length: Key length for the AES algorithm, which can be 128, 192, or 256 and defaults to 128. This argument is for AES only.
des: Uses the Data Encryption Standard (DES) in CBC mode as the encryption algorithm. The DES algorithm uses a 56-bit key for encryption. This keyword is not available for FIPS mode.
Description
Use the esp encryption-algorithm command to specify an encryption algorithm for ESP.
Use the undo esp encryption-algorithm command to configure ESP not to encrypt packets.
By default, DES is used in non-FIPS mode and AES-128 is used in FIPS mode.
3DES provides high confidentiality and security, but it encrypts slowly. For a network that requires moderate confidentiality and security, DES is sufficient.
ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. In FIPS mode, you must use both ESP authentication and encryption.
For ESP, you must specify an encryption algorithm, an authentication algorithm, or both. The undo esp encryption-algorithm command takes effect only if one authentication algorithm is specified for ESP.
Related commands: ipsec proposal, esp authentication-algorithm, proposal, and transform.
Examples
# Configure IPsec proposal prop1 to use ESP and specify AES as the encryption algorithm for ESP.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform esp
[Sysname-ipsec-proposal-prop1] esp encryption-algorithm aes
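Because a proposal with no esp encryption-algorithm line falls back to DES in non-FIPS mode, and aes without a key length means AES-128, a configuration review has to resolve the effective cipher rather than search for keywords. The following is an added example, not part of the original reference or the vendor's tooling. Assumptions: the saved-configuration layout (section header at column 0, indented commands, "#" separators), that undo esp encryption-algorithm appears as a line in the proposal, the AES-only policy, the function names, and the constructed sample.

```python
import re

# Constructed sample in the style of a saved configuration (layout assumed:
# section header at column 0, its commands indented, "#" between sections).
SAMPLE = """\
#
ipsec proposal prop1
 esp encryption-algorithm aes
#
ipsec proposal legacy
 esp authentication-algorithm sha1
#
ipsec proposal branch
 esp encryption-algorithm 3des
#
ipsec proposal authonly
 esp authentication-algorithm sha1
 undo esp encryption-algorithm
#
"""

FIXED_BITS = {"des": 56, "3des": 168}               # key sizes stated in the reference
DEFAULT = {False: ("des", 56), True: ("aes", 128)}  # default cipher, keyed by FIPS mode
CMD = re.compile(r"esp encryption-algorithm (3des|des|aes)(?: (128|192|256))?")

def effective_esp_ciphers(config, fips=False):
    """Map each proposal to (algorithm, key_bits); (None, 0) means no ESP encryption."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):              # column 0: a new section starts
            m = re.fullmatch(r"ipsec proposal (\S+)", line)
            current = m.group(1) if m else None
            if current:
                result[current] = DEFAULT[fips]  # applies until overridden below
        elif current and line == "undo esp encryption-algorithm":
            result[current] = (None, 0)
        elif current and (m := CMD.fullmatch(line)):
            alg = m.group(1)
            bits = int(m.group(2) or 128) if alg == "aes" else FIXED_BITS[alg]
            result[current] = (alg, bits)
    return result

def audit(config, fips=False):
    """Return proposals whose effective cipher is not AES (assumed local policy)."""
    return [(name, alg or "none", bits)
            for name, (alg, bits) in effective_esp_ciphers(config, fips).items()
            if alg != "aes"]

if __name__ == "__main__":
    for name, alg, bits in audit(SAMPLE):
        print(f"{name}: esp encryption {alg} ({bits}-bit)")
```

The proposal named legacy is reported even though its section never mentions DES, which is the case a keyword search misses.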