Configuring an IPsec transform set
About IPsec transform set
An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms.
Restrictions and guidelines
Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up by using the updated parameters.
In FIPS mode, you must specify both the ESP encryption algorithm and the ESP authentication algorithm for an IPsec transform set that uses the ESP security protocol.
When you set the packet encapsulation mode (tunnel or transport) for an IPsec transform set, follow these guidelines:
The transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.
IPsec for IPv6 routing protocols supports only the transport mode.
When you configure the Perfect Forward Secrecy (PFS) feature in an IPsec transform set, follow these guidelines:
In IKEv1, the security level of the DH group of the initiator must be higher than or equal to that of the responder. This restriction does not apply to IKEv2.
The end without the PFS feature performs SA negotiation according to the PFS requirements of the peer end.
You can specify multiple authentication or encryption algorithms for the same security protocol. The algorithm specified earlier has a higher priority.
Some algorithms are available only for IKEv2. See Table 27.
Table 27: Algorithms available only for IKEv2
Type | Algorithms |
---|---|
Encryption algorithm | aes-ctr-128, aes-ctr-192, aes-ctr-256, camellia-cbc-128, camellia-cbc-192, camellia-cbc-256, gmac-128, gmac-192, gmac-256, gcm-128, gcm-192, gcm-256 |
Authentication algorithm | aes-xcbc-mac |
PFS algorithm | dh-group19, dh-group20 |
Procedure
Enter system view.
system-view
Create an IPsec transform set and enter its view.
ipsec transform-set transform-set-name
Specify the security protocol for the IPsec transform set.
protocol { ah | ah-esp | esp }
By default, the ESP security protocol is used.
Specify the encryption algorithms for ESP. Skip this step if the protocol ah command is configured.
In non-FIPS mode:
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null } *
By default, no encryption algorithm is specified for ESP.
In FIPS mode:
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 } *
By default, no encryption algorithm is specified for ESP.
Specify the authentication algorithms for ESP. Skip this step if the protocol ah command is configured.
In non-FIPS mode:
esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
By default, no authentication algorithm is specified for ESP.
The aes-xcbc-mac algorithm is available only for IKEv2.
In FIPS mode:
esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
By default, no authentication algorithm is specified for ESP.
Specify the authentication algorithms for AH. Skip this step if the protocol esp command is configured.
In non-FIPS mode:
ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
By default, no authentication algorithm is specified for AH.
The aes-xcbc-mac algorithm is available only for IKEv2.
In FIPS mode:
ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
By default, no authentication algorithm is specified for AH.
Specify the packet encapsulation mode.
encapsulation-mode { transport | tunnel }
By default, the security protocol encapsulates IP packets in tunnel mode.
(Optional.) Enable the PFS feature.
In non-FIPS mode:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 | dh-group20 }
In FIPS mode:
pfs { dh-group14 | dh-group19 | dh-group20 }
By default, the PFS feature is disabled.
For more information about PFS, see "Configuring IKE."
(Optional.) Enable the Extended Sequence Number (ESN) feature.
esn enable [ both ]
By default, the ESN feature is disabled.
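The procedure above is easy to get wrong when a transform set is written for FIPS mode or for an IKEv1 peer, because the algorithm lists differ and the IKEv2-only algorithms in Table 27 are silently unusable with IKEv1. The following Python script is an added example, not code from the manual or from the device vendor: it turns a small description of a transform set into the exact command sequence from the procedure (system-view, ipsec transform-set, protocol, esp/ah algorithms, encapsulation-mode, pfs, esn enable) and first checks it against the restrictions and guidelines stated on this page. The command names and algorithm keywords are the ones the page lists; the TransformSet fields, the check() and render() functions, and the fips and ike_version parameters are this example's own assumptions.

```python
"""Build and sanity-check an IPsec transform-set CLI snippet (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Algorithm keywords as listed in the procedure; FIPS lists are the narrower ones.
ESP_ENC_NONFIPS = {"3des-cbc", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256",
                   "aes-ctr-128", "aes-ctr-192", "aes-ctr-256", "camellia-cbc-128",
                   "camellia-cbc-192", "camellia-cbc-256", "des-cbc", "gmac-128",
                   "gmac-192", "gmac-256", "gcm-128", "gcm-192", "gcm-256", "null"}
ESP_ENC_FIPS = {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256", "aes-ctr-128",
                "aes-ctr-192", "aes-ctr-256", "gmac-128", "gmac-192", "gmac-256",
                "gcm-128", "gcm-192", "gcm-256"}
AUTH_NONFIPS = {"aes-xcbc-mac", "md5", "sha1", "sha256", "sha384", "sha512"}  # ESP and AH
AUTH_FIPS = {"sha1", "sha256", "sha384", "sha512"}
PFS_NONFIPS = {"dh-group1", "dh-group2", "dh-group5", "dh-group14", "dh-group24",
               "dh-group19", "dh-group20"}
PFS_FIPS = {"dh-group14", "dh-group19", "dh-group20"}
# Table 27: available only for IKEv2.
IKEV2_ONLY_ENC = {"aes-ctr-128", "aes-ctr-192", "aes-ctr-256", "camellia-cbc-128",
                  "camellia-cbc-192", "camellia-cbc-256", "gmac-128", "gmac-192",
                  "gmac-256", "gcm-128", "gcm-192", "gcm-256"}
IKEV2_ONLY_AUTH = {"aes-xcbc-mac"}
IKEV2_ONLY_PFS = {"dh-group19", "dh-group20"}


@dataclass
class TransformSet:
    """Hypothetical description of one transform set (field names are this example's)."""
    name: str
    protocol: str = "esp"            # ah | ah-esp | esp (page default: esp)
    esp_enc: List[str] = field(default_factory=list)   # order = priority
    esp_auth: List[str] = field(default_factory=list)
    ah_auth: List[str] = field(default_factory=list)
    mode: str = "tunnel"             # transport | tunnel (page default: tunnel)
    pfs: Optional[str] = None        # None = PFS disabled (page default)
    esn: bool = False                # esn enable
    esn_both: bool = False           # esn enable both


def check(ts: TransformSet, fips: bool = False, ike_version: int = 1) -> List[str]:
    """Return a list of guideline violations; an empty list means the set is acceptable."""
    problems = []
    if ts.protocol not in ("ah", "ah-esp", "esp"):
        return [f"unknown protocol {ts.protocol!r}"]
    uses_esp = ts.protocol in ("esp", "ah-esp")
    uses_ah = ts.protocol in ("ah", "ah-esp")
    enc_ok = ESP_ENC_FIPS if fips else ESP_ENC_NONFIPS
    auth_ok = AUTH_FIPS if fips else AUTH_NONFIPS
    pfs_ok = PFS_FIPS if fips else PFS_NONFIPS

    # The esp commands are skipped under protocol ah, and ah under protocol esp.
    if not uses_esp and (ts.esp_enc or ts.esp_auth):
        problems.append("ESP algorithms given, but protocol ah does not use ESP")
    if not uses_ah and ts.ah_auth:
        problems.append("AH algorithm given, but protocol esp does not use AH")
    for alg in ts.esp_enc:
        if alg not in enc_ok:
            problems.append(f"ESP encryption algorithm {alg} not available in this mode")
    for alg in ts.esp_auth + ts.ah_auth:
        if alg not in auth_ok:
            problems.append(f"authentication algorithm {alg} not available in this mode")
    # FIPS mode: both ESP encryption and ESP authentication must be specified.
    if fips and uses_esp and not (ts.esp_enc and ts.esp_auth):
        problems.append("FIPS mode requires both an ESP encryption and an ESP authentication algorithm")
    if ts.mode not in ("transport", "tunnel"):
        problems.append(f"unknown encapsulation mode {ts.mode!r}")
    if ts.pfs is not None and ts.pfs not in pfs_ok:
        problems.append(f"PFS group {ts.pfs} not available in this mode")
    if ike_version == 1:  # Table 27 algorithms cannot be negotiated by IKEv1
        for alg in ts.esp_enc:
            if alg in IKEV2_ONLY_ENC:
                problems.append(f"{alg} is available only for IKEv2")
        for alg in ts.esp_auth + ts.ah_auth:
            if alg in IKEV2_ONLY_AUTH:
                problems.append(f"{alg} is available only for IKEv2")
        if ts.pfs in IKEV2_ONLY_PFS:
            problems.append(f"{ts.pfs} is available only for IKEv2")
    return problems


def render(ts: TransformSet, fips: bool = False, ike_version: int = 1) -> List[str]:
    """Return the command lines of the procedure, or raise if a guideline is violated."""
    problems = check(ts, fips, ike_version)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["system-view", f"ipsec transform-set {ts.name}", f"protocol {ts.protocol}"]
    if ts.protocol != "ah":
        if ts.esp_enc:
            lines.append("esp encryption-algorithm " + " ".join(ts.esp_enc))
        if ts.esp_auth:
            lines.append("esp authentication-algorithm " + " ".join(ts.esp_auth))
    if ts.protocol != "esp" and ts.ah_auth:
        lines.append("ah authentication-algorithm " + " ".join(ts.ah_auth))
    lines.append(f"encapsulation-mode {ts.mode}")
    if ts.pfs:
        lines.append(f"pfs {ts.pfs}")
    if ts.esn:
        lines.append("esn enable both" if ts.esn_both else "esn enable")
    return lines


if __name__ == "__main__":
    # Constructed sample: AES-CBC-256 preferred over AES-CBC-128, SHA-256, PFS group 14.
    sample = TransformSet("tran1", esp_enc=["aes-cbc-256", "aes-cbc-128"],
                          esp_auth=["sha256"], pfs="dh-group14")
    print("\n".join(render(sample)))
```

Because the algorithms are emitted in the order given, the first entry of each list becomes the highest-priority proposal, exactly as the guideline on algorithm order describes. Running check() with fips=True or ike_version=1 against an existing design is a cheap way to find a transform set that the peer can never negotiate before it is committed and existing SAs are reset.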