Configuring an IPsec transform set

An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms.

Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up by using the updated parameters.

To configure an IPsec transform set:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IPsec transform set and enter its view.	ipsec transform-set transform-set-name	By default, no IPsec transform set exists.
3. Specify the security protocol for the IPsec transform set.	protocol { ah \| ah-esp \| esp }	Optional. By default, the IPsec transform set uses ESP as the security protocol.
4. Specify the security algorithms.	(Release 1111.) Specify the encryption algorithm for ESP: In non-FIPS mode:esp encryption-algorithm { 3des-cbc \| aes-cbc-128 \| aes-cbc-192 \| aes-cbc-256 \| des-cbc \| null } * In FIPS mode:esp encryption-algorithm { aes-cbc-128 \| aes-cbc-192 \| aes-cbc-256 } * (Release 1121 and later.) Specify the encryption algorithm for ESP: In non-FIPS mode:esp encryption-algorithm { 3des-cbc \| aes-cbc-128 \| aes-cbc-192 \| aes-cbc-256 \| aes-ctr-128 \| aes-ctr-192 \| aes-ctr-256 \| camellia-cbc-128 \| camellia-cbc-192 \| camellia-cbc-256 \| des-cbc \| gmac-128 \| gmac-192 \| gmac-256 \| gcm-128 \| gcm-192 \| gcm-256 \| null } * In FIPS mode:esp encryption-algorithm { aes-cbc-128 \| aes-cbc-192 \| aes-cbc-256 \| aes-ctr-128 \| aes-ctr-192 \| aes-ctr-256 \| gmac-128 \| gmac-192 \| gmac-256 \| gcm-128 \| gcm-192 \| gcm-256 } * (Release 1111.) Specify the authentication algorithm for ESP: In non-FIPS mode:esp authentication-algorithm { md5 \| sha1 } * In FIPS mode:esp authentication-algorithm sha1 (Release 1121 and later.) Specify the authentication algorithm for ESP: In non-FIPS mode:esp authentication-algorithm { aes-xcbc-mac \| md5 \| sha1 \| sha256 \| sha384 \| sha512 } * In FIPS mode:esp authentication-algorithm { sha1 \| sha256 \| sha384 \| sha512 } * (Release 1111.) Specify the authentication algorithm for AH: In non-FIPS mode:ah authentication-algorithm { md5 \| sha1 } * In FIPS mode:ah authentication-algorithm sha1 (Release 1121 and later.) Specify the authentication algorithm for AH: In non-FIPS mode:ah authentication-algorithm { aes-xcbc-mac \| md5 \| sha1 \| sha256 \| sha384 \| sha512 } * In FIPS mode:ah authentication-algorithm { sha1 \| sha256 \| sha384 \| sha512 } *	Configure at least one command. By default, no security algorithm is specified. You can specify security algorithms for a security protocol only when the security protocol is used by the transform set. For example, you can specify the ESP-specific security algorithms only when you select ESP or AH-ESP as the security protocol. If you use ESP in FIPS mode, you must specify both the ESP encryption algorithm and the ESP authentication algorithm. You can specify multiple algorithms by using one command, and the algorithm specified earlier has a higher priority. The aes-ctr-128, aes-ctr-192, aes-ctr-256, camellia-cbc-128, camellia-cbc-192, camellia-cbc-256, gmac-128, gmac-192, gmac-256, gcm-128, gcm-192, and gcm-256 encryption algorithms and the aes-xcbc-mac, sha256, sha384, and sha512 authentication algorithms are available only for IKEv2.
5. Specify the mode in which the security protocol encapsulates IP packets.	encapsulation-mode { transport \| tunnel }	By default, the security protocol encapsulates IP packets in tunnel mode. The transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel. IPsec for IPv6 routing protocols supports only the transport mode.
6. (Optional.) Enable the Perfect Forward Secrecy (PFS) feature for the IPsec policy.	In non-FIPS mode:pfs { dh-group1 \| dh-group2 \| dh-group5 \| dh-group14 \| dh-group19 \| dh-group20 \| dh-group24 } In FIPS mode:pfs { dh-group14 \| dh-group24 \| dh-group19 \| dh-group20 }	By default, the PFS feature is not used for SA negotiation. For more information about PFS, see "Configuring IKE." The security level of the Diffie-Hellman (DH) group of the initiator must be higher than or equal to that of the responder. The end without the PFS feature performs SA negotiation according to the PFS requirements of the peer end. The DH groups 19 and 20 are available only for IKEv2.
7. (Optional.) Enable the Extended Sequence Number (ESN) feature.	esn enable [ both ]	By default, the ESN feature is disabled.

prev	up	next
Configuring an ACL	home	Configuring a manual IPsec policy