Configuring an IPsec transform set
An IPsec transform set, part of an IPsec policy or an IPsec profile, defines the security parameters for IPsec SA negotiation, including the security protocol, the encryption and authentication algorithms, and the encapsulation mode.
To configure an IPsec transform set:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an IPsec transform set and enter its view. | ipsec transform-set transform-set-name | By default, no IPsec transform set exists. |
3. Specify the security protocol for the transform set. | transform { ah | ah-esp | esp } | Optional. ESP by default. |
4. Specify the security algorithms. |
| Optional. For ESP, the default encryption algorithm is DES in non-FIPS mode and is AES-128 in FIPS mode. For ESP and AH, the default authentication algorithm is MD5 in non-FIPS mode and is SHA1 in FIPS mode. |
5. Specify the IP packet encapsulation mode for the IPsec transform set. | encapsulation-mode { transport | tunnel } | Optional. Tunnel mode by default. Transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel. IPsec for IPv6 routing protocols supports only the transport mode. |
![[NOTE: ]](images/note.png) | NOTE: Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using the updated parameters. Only when a security protocol is selected, can you configure security algorithms for it. For example, you can specify the ESP-specific security algorithms only when you select ESP as the security protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. In FIPS mode, you must use both ESP encryption and authentication. | |