H3C S12500-X Series Switches User Manual (page 135): Configuring an IPsec transform set (continued), Configuring a manual IPsec policy
Step / Command / Remarks

4. Specify the security algorithms.

   Commands (configure at least one; the trailing asterisk means that several algorithms can be given in one command):

   (Non-FIPS mode) Specify the encryption algorithm for ESP:
     esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } *
   (FIPS mode) Specify the encryption algorithm for ESP:
     esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } *
   (Non-FIPS mode) Specify the authentication algorithm for ESP:
     esp authentication-algorithm { md5 | sha1 } *
   (FIPS mode) Specify the authentication algorithm for ESP:
     esp authentication-algorithm sha1
   (Non-FIPS mode) Specify the authentication algorithm for AH:
     ah authentication-algorithm { md5 | sha1 } *
   (FIPS mode) Specify the authentication algorithm for AH:
     ah authentication-algorithm sha1

   Remarks:
   By default, no security algorithm is specified.
   You can specify algorithms for a security protocol only when the transform set uses that protocol. For example, the ESP-specific algorithms can be specified only when the security protocol is ESP or AH-ESP.
   If you use ESP in FIPS mode, you must specify both the ESP encryption algorithm and the ESP authentication algorithm.
   You can specify multiple algorithms in one command. The algorithm listed first has the highest priority during negotiation, so list the strongest algorithm first.
   des-cbc, null (no encryption) and md5 remain available in non-FIPS mode only for interoperability with legacy peers; the FIPS-mode set (aes-cbc-* with sha1) is the appropriate choice for new deployments.

5. Specify the mode in which the security protocol encapsulates IP packets.

   Command:
     encapsulation-mode { transport | tunnel }

   Remarks:
   By default, the security protocol encapsulates IP packets in tunnel mode.
   Transport mode applies only when the source and destination IP addresses of the data flows are the same as the IP addresses of the IPsec tunnel endpoints.

6. (Optional.) Enable the Perfect Forward Secrecy (PFS) feature for the IPsec policy.

   Command:
     (Non-FIPS mode) pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }
     (FIPS mode) pfs dh-group14

   Remarks:
   By default, the PFS feature is not used for SA negotiation.
   For more information about PFS, see "Configuring IKE."
   The security level of the Diffie-Hellman (DH) group of the initiator must be higher than or equal to that of the responder.
   An end without the PFS feature performs SA negotiation according to the PFS requirements of the peer end.
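The rules in steps 4 through 6 are easy to get wrong in a running configuration: a weak algorithm listed first wins the negotiation, ESP algorithms set on an AH-only transform set are never used, and in FIPS mode an ESP transform set needs both its algorithms. The following audit script is an added example and not code from the H3C manual. It parses the transform-set commands shown above from Comware-style configuration text and reports those problems. The `ipsec transform-set` and `protocol` lines are assumed from the earlier steps of the procedure (not on this page), and the sample configuration is constructed for illustration.

```python
"""Audit IPsec transform-set configuration text for: weak or null algorithms,
a weak algorithm listed first (the first listed algorithm has the highest
priority), algorithms set for a protocol the transform set does not use, and,
in FIPS mode, values outside the FIPS set or an ESP transform set that lacks
its encryption or authentication algorithm.

Added example, not code from the H3C manual. The 'ipsec transform-set' and
'protocol' lines are assumed from earlier steps of the procedure; the sample
configuration at the bottom is constructed, not taken from a real device.
"""
from dataclasses import dataclass, field

# Strength classes a practitioner would assign to the values the page lists.
WEAK = {"des-cbc", "null", "md5", "dh-group1", "dh-group2"}
LEGACY = {"3des-cbc", "dh-group5"}

# Values the page allows in FIPS mode, per command.
FIPS_ALLOWED = {
    "esp encryption-algorithm": {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256"},
    "esp authentication-algorithm": {"sha1"},
    "ah authentication-algorithm": {"sha1"},
    "pfs": {"dh-group14"},
}

# Security protocols under which each algorithm command is usable.
PROTOCOL_OF = {"esp": {"esp", "ah-esp"}, "ah": {"ah", "ah-esp"}}


@dataclass
class TransformSet:
    name: str
    protocol: str = "esp"   # assumed default; the page names esp, ah and ah-esp
    mode: str = "tunnel"    # the page states tunnel mode is the default
    # command -> algorithms in the order given (first = highest priority)
    algorithms: dict = field(default_factory=dict)


def parse(config: str) -> list[TransformSet]:
    """Parse transform-set commands from Comware-style configuration text."""
    sets, cur = [], None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            continue
        if words[:2] == ["ipsec", "transform-set"]:
            cur = TransformSet(name=words[2])
            sets.append(cur)
        elif cur is None:
            continue
        elif words[0] == "protocol":
            cur.protocol = words[1]
        elif words[0] == "encapsulation-mode":
            cur.mode = words[1]
        elif words[0] == "pfs":
            cur.algorithms["pfs"] = words[1:]
        elif words[0] in PROTOCOL_OF and words[1].endswith("-algorithm"):
            cur.algorithms[f"{words[0]} {words[1]}"] = words[2:]
    return sets


def audit(ts: TransformSet, fips: bool = False) -> list[str]:
    """Return human-readable findings for one transform set."""
    findings = []
    for cmd, algs in ts.algorithms.items():
        proto = cmd.split()[0]
        if proto in PROTOCOL_OF and ts.protocol not in PROTOCOL_OF[proto]:
            findings.append(f"{ts.name}: {cmd} configured but protocol is {ts.protocol}")
        for alg in algs:
            if alg in WEAK:
                findings.append(f"{ts.name}: {cmd} uses weak algorithm {alg}")
            elif alg in LEGACY:
                findings.append(f"{ts.name}: {cmd} uses legacy algorithm {alg}")
        # Ordering: the first algorithm is preferred in negotiation.
        strong_later = [a for a in algs[1:] if a not in WEAK | LEGACY]
        if algs and algs[0] in WEAK | LEGACY and strong_later:
            findings.append(f"{ts.name}: {cmd} lists {algs[0]} first, so it is "
                            f"preferred over {', '.join(strong_later)}")
        if fips:
            for alg in algs:
                if alg not in FIPS_ALLOWED.get(cmd, set()):
                    findings.append(f"{ts.name}: {cmd} {alg} is not allowed in FIPS mode")
    if not any(c != "pfs" for c in ts.algorithms):
        findings.append(f"{ts.name}: no security algorithm specified")
    if fips and ts.protocol in PROTOCOL_OF["esp"]:
        for cmd in ("esp encryption-algorithm", "esp authentication-algorithm"):
            if cmd not in ts.algorithms:
                findings.append(f"{ts.name}: FIPS mode requires {cmd} for ESP")
    return findings


def audit_config(config: str, fips: bool = False) -> dict[str, list[str]]:
    return {ts.name: audit(ts, fips) for ts in parse(config)}


# Constructed sample configuration (hypothetical transform-set names).
SAMPLE_CONFIG = """\
#
ipsec transform-set legacy-peer
 protocol esp
 esp encryption-algorithm des-cbc aes-cbc-256
 esp authentication-algorithm md5 sha1
 encapsulation-mode transport
#
ipsec transform-set esp-enc-only
 protocol esp
 esp encryption-algorithm aes-cbc-128
#
ipsec transform-set hardened
 protocol esp
 esp encryption-algorithm aes-cbc-256 aes-cbc-128
 esp authentication-algorithm sha1
 encapsulation-mode tunnel
 pfs dh-group14
#
"""

if __name__ == "__main__":
    for fips in (False, True):
        print(f"--- FIPS mode: {fips}")
        for name, items in audit_config(SAMPLE_CONFIG, fips).items():
            print(name, "OK" if not items else "")
            for item in items:
                print("  ", item)
```

Run against the sample, `hardened` passes in both modes, `legacy-peer` is flagged for des-cbc and md5 and for listing them ahead of aes-cbc-256 and sha1, and `esp-enc-only` is valid in non-FIPS mode but fails the FIPS-mode requirement for an ESP authentication algorithm.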
Configuring a manual IPsec policy
In a manual IPsec policy, you configure the parameters manually, including the keys, the SPIs, and, in tunnel mode, the IP addresses of the two tunnel ends.