Configuring an IPsec proposal

An IPsec proposal, part of an IPsec policy or an IPsec profile, defines the security parameters for IPsec SA negotiation, including the security protocol, the encryption and authentication algorithms, and the encapsulation mode.

To configure an IPsec proposal:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Create an IPsec proposal and enter its view.
  Command: ipsec proposal proposal-name
  Remarks: By default, no IPsec proposal exists.

Step 3: Specify the security protocol for the proposal.
  Command: transform { ah | ah-esp | esp }
  Remarks: Optional. ESP by default.

Step 4: Specify the security algorithms.
  Commands:
  • Specify the encryption algorithm for ESP:
    • In non-FIPS mode: esp encryption-algorithm { 3des | aes [ key-length ] | des }
    • In FIPS mode: esp encryption-algorithm aes [ key-length ]
  • Specify the authentication algorithm for ESP:
    • In non-FIPS mode: esp authentication-algorithm { md5 | sha1 }
    • In FIPS mode: esp authentication-algorithm sha1
  • Specify the authentication algorithm for AH:
    • In non-FIPS mode: ah authentication-algorithm { md5 | sha1 }
    • In FIPS mode: ah authentication-algorithm sha1
  Remarks: Optional.
  For ESP, the default encryption algorithm is DES in non-FIPS mode and AES-128 in FIPS mode.
  For ESP and AH, the default authentication algorithm is MD5 in non-FIPS mode and SHA1 in FIPS mode.

Step 5: Specify the IP packet encapsulation mode for the IPsec proposal.
  Command: encapsulation-mode { transport | tunnel }
  Remarks: Optional. Tunnel mode by default.
  Transport mode applies only when the source and destination IP addresses of the data flows match those of the IPsec tunnel endpoints.


NOTE:

  • Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using the updated parameters.

  • You can configure the security algorithms for a security protocol only after you have selected that protocol. For example, you can specify the ESP-specific security algorithms only when you select ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. In FIPS mode, you must use both ESP encryption and authentication.
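The following CLI session is an added example that walks through the five steps above in order; it is not taken from the original document. It assumes a device named Sysname and a proposal named tran1 (both placeholder names), and it deliberately replaces the non-FIPS defaults of DES and MD5, both of which are no longer considered adequate, with AES using a 256-bit key and SHA1, so that the proposal is usable in both FIPS and non-FIPS mode. The display ipsec proposal command is assumed to be available for verifying the result; the reset ipsec sa command is the one named in the note above.

```console
<Sysname> system-view
[Sysname] ipsec proposal tran1
[Sysname-ipsec-proposal-tran1] transform esp
[Sysname-ipsec-proposal-tran1] esp encryption-algorithm aes 256
[Sysname-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Sysname-ipsec-proposal-tran1] encapsulation-mode tunnel
[Sysname-ipsec-proposal-tran1] quit
[Sysname] display ipsec proposal tran1
[Sysname] reset ipsec sa
```

Because the protocol must be selected before its algorithms can be set, transform esp comes before the two esp commands; if the proposal used transform ah instead, only ah authentication-algorithm would be accepted and the esp commands would be rejected. Tunnel mode is the default and is shown explicitly only for clarity; choose transport mode only when the data flows' endpoints are the tunnel endpoints themselves. The final reset ipsec sa is needed only if SAs negotiated with the old parameters already exist, since the changed proposal otherwise applies only to SAs negotiated afterwards.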