transform
Syntax
transform { ah | ah-esp | esp }
undo transform
View
IPsec proposal view
Default level
2: System level
Parameters
ah: Uses the AH protocol.
ah-esp: Uses ESP first and then AH.
esp: Uses the ESP protocol.
Description
Use the transform command to specify a security protocol for an IPsec proposal.
Use the undo transform command to restore the default.
By default, the ESP protocol is used.
In non-FIPS mode:
If AH is used, the default authentication algorithm is MD5.
If ESP is used, the default encryption and authentication algorithms are DES and MD5, respectively.
If both AH and ESP are used, AH uses the MD5 authentication algorithm by default, and ESP uses the DES encryption algorithm but no authentication algorithm by default.
In FIPS mode:
If AH is used, the default authentication algorithm is SHA1.
If ESP is used, the default encryption and authentication algorithms are AES-128 and SHA1, respectively.
If both AH and ESP are used, AH uses the SHA1 authentication algorithm by default, and ESP uses the AES-128 encryption algorithm and the SHA1 authentication algorithm by default.
The IPsec proposals at the two ends of an IPsec tunnel must use the same security protocol.
Related commands: ipsec proposal.
Examples
# Configure IPsec proposal prop1 to use AH.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform ah
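The following audit script is an added example, not part of the original command reference. It resolves which default algorithms each IPsec proposal falls back to, using the non-FIPS and FIPS defaults listed in the Description, and reports proposals whose security protocol differs between the two tunnel ends. The configuration excerpts, the function names, and the choice to flag MD5 and DES as weak are assumptions of this example; explicitly configured algorithms are not modelled.

```python
import re

# Defaults from the Description above: (AH auth, ESP encryption, ESP auth).
DEFAULTS = {
    False: {"ah": ("MD5", None, None), "esp": (None, "DES", "MD5"),
            "ah-esp": ("MD5", "DES", None)},
    True: {"ah": ("SHA1", None, None), "esp": (None, "AES-128", "SHA1"),
           "ah-esp": ("SHA1", "AES-128", "SHA1")},
}
WEAK = {"MD5", "DES"}  # assumption: the audit policy of this example

def parse_proposals(config):
    """Return {proposal name: transform}; no transform line means esp (the default)."""
    proposals, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ipsec proposal (\S+)\s*$", line)
        if m:
            current = m.group(1)
            proposals[current] = "esp"
        elif not line.startswith(" "):
            current = None  # an unindented line ends the proposal view
        elif current:
            t = re.match(r"\s+transform (ah-esp|ah|esp)\s*$", line)
            if t:
                proposals[current] = t.group(1)
    return proposals

def audit(config, fips=False):
    """Return {name: (transform, issues)} based on the defaults for the given mode."""
    findings = {}
    for name, transform in parse_proposals(config).items():
        issues = sorted(a for a in DEFAULTS[fips][transform] if a in WEAK)
        if transform == "ah":
            issues.append("no encryption")  # AH authenticates but does not encrypt
        findings[name] = (transform, issues)
    return findings

def peer_mismatches(local, remote):
    """Proposals present on both ends whose security protocol differs."""
    a, b = parse_proposals(local), parse_proposals(remote)
    return {n: (a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n]}

# Constructed sample configuration excerpts (not taken from a real device).
LOCAL = ("#\nipsec proposal prop1\n transform ah\n#\nipsec proposal prop2\n#\n"
         "ipsec proposal prop3\n transform ah-esp\n#\n")
REMOTE = "#\nipsec proposal prop1\n transform esp\n#\nipsec proposal prop2\n#\n"

if __name__ == "__main__":
    print(audit(LOCAL, fips=False))
    print(peer_mismatches(LOCAL, REMOTE))
```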