Configuring an IPsec proposal
An IPsec proposal, part of an IPsec policy or an IPsec profile, defines the security parameters for IPsec SA negotiation, including the security protocol, the encryption and authentication algorithms, and the encapsulation mode.
To configure an IPsec proposal:
Step | Command | Remarks
---|---|---
1. Enter system view | system-view | N/A
2. Create an IPsec proposal and enter its view | ipsec proposal proposal-name | By default, no IPsec proposal exists.
3. Specify the security protocol for the proposal | transform { ah \| ah-esp \| esp } | Optional. ESP by default.
4. Specify the security algorithms | | Optional. For ESP, the default encryption algorithm is DES in non-FIPS mode and AES-128 in FIPS mode. For ESP and AH, the default authentication algorithm is MD5 in non-FIPS mode and SHA1 in FIPS mode.
5. Specify the IP packet encapsulation mode for the IPsec proposal | encapsulation-mode { transport \| tunnel } | Optional. Tunnel mode by default. Transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.
NOTE: Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they are re-established with the updated parameters. You can configure security algorithms only for the security protocol that is selected. For example, you can specify the ESP-specific security algorithms only when you select ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. In FIPS mode, you must use both ESP encryption and authentication.
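Because a proposal that sets only `transform esp` silently negotiates DES/MD5 in non-FIPS mode, it is worth auditing configuration dumps for proposals that rely on those defaults. The following Python script is an added example, not H3C/HP code: the `ipsec proposal` and `transform` commands are from the page, while the `esp encryption-algorithm`, `esp authentication-algorithm` and `ah authentication-algorithm` command forms for step 4 and the sample configuration are assumptions.

```python
import re

# Algorithm defaults the page states when no algorithm command is configured.
DEFAULTS = {False: {"esp-enc": "des", "esp-auth": "md5", "ah-auth": "md5"},      # non-FIPS
            True: {"esp-enc": "aes-128", "esp-auth": "sha1", "ah-auth": "sha1"}}  # FIPS
WEAK = {"des", "md5"}
# 'transform' is from the page; the three algorithm commands for step 4 are
# assumed Comware forms, and the keyword after the command name is the algorithm.
CMDS = {"transform": "transform",
        "esp encryption-algorithm": "esp-enc",
        "esp authentication-algorithm": "esp-auth",
        "ah authentication-algorithm": "ah-auth"}
# Only the algorithms of the selected security protocol are negotiated.
PROTO_KEYS = {"esp": ["esp-enc", "esp-auth"], "ah": ["ah-auth"],
              "ah-esp": ["esp-enc", "esp-auth", "ah-auth"]}

def parse_proposals(config):
    """Return {proposal name: settings} from the 'ipsec proposal' blocks."""
    proposals, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"ipsec proposal (\S+)", line):
            cur = proposals.setdefault(m.group(1), {"transform": "esp"})  # ESP by default
        elif line in ("quit", "#"):
            cur = None                                  # left the proposal view
        elif cur is not None:
            for cmd, key in CMDS.items():
                if line.startswith(cmd + " "):
                    cur[key] = line[len(cmd):].strip()
    return proposals

def audit_config(config, fips=False):
    """Map each proposal to the weak algorithms it would negotiate, explicit or default."""
    report, defaults = {}, DEFAULTS[fips]
    for name, s in parse_proposals(config).items():
        findings = []
        for key in PROTO_KEYS.get(s["transform"], []):
            alg = s.get(key, defaults[key])
            if alg in WEAK:
                findings.append(f"{key}={alg} ({'explicit' if key in s else 'default'})")
        report[name] = findings
    return report

# Constructed sample configuration (not taken from the page).
SAMPLE_CONFIG = """ipsec proposal weak-default
 transform esp
#
ipsec proposal strong
 esp encryption-algorithm aes
 esp authentication-algorithm sha1
#"""
```

Running `audit_config(SAMPLE_CONFIG)` reports the `weak-default` proposal as negotiating DES and MD5 by default, while the same proposal audited with `fips=True` is clean because the FIPS defaults are AES-128 and SHA1.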