Configuring an IPsec transform set – H3C Technologies H3C S6300 Series Switches User Manual
Configuring an IPsec transform set

An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms.

Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up by using the updated parameters.
To configure an IPsec transform set:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IPsec transform set and enter its view.
    Command: ipsec transform-set transform-set-name
    Remarks: By default, no IPsec transform set exists.

Step 3. Specify the security protocol for the IPsec transform set.
    Command: protocol { ah | ah-esp | esp }
    Remarks: Optional. By default, the IPsec transform set uses ESP as the security protocol.

Step 4. Specify the security algorithms.
    Commands:
    (In non-FIPS mode.) Specify the encryption algorithm for ESP:
        esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } *
    (In FIPS mode.) Specify the encryption algorithm for ESP:
        esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } *
    (In non-FIPS mode.) Specify the authentication algorithm for ESP:
        esp authentication-algorithm { md5 | sha1 } *
    (In FIPS mode.) Specify the authentication algorithm for ESP:
        esp authentication-algorithm sha1
    (In non-FIPS mode.) Specify the authentication algorithm for AH:
        ah authentication-algorithm { md5 | sha1 } *
    (In FIPS mode.) Specify the authentication algorithm for AH:
        ah authentication-algorithm sha1
    Remarks:
    Configure at least one command. By default, no security algorithm is specified.
    You can specify security algorithms for a security protocol only when the security protocol is used by the transform set. For example, you can specify the ESP-specific security algorithms only when you select ESP or AH-ESP as the security protocol.
    If you use ESP in FIPS mode, you must specify both the ESP encryption algorithm and the ESP authentication algorithm.
    You can specify multiple algorithms by using one command, and the algorithm specified earlier has a higher priority.
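The following configuration session is an added example and is not taken from the H3C manual. It uses only the commands from the table above plus the standard Comware quit command (assumed) to leave a view; the transform-set names are made up. It places a transform set built from the weakest non-FIPS choices next to one built from the strongest choices the table offers, and shows an AH-ESP set where both the AH and ESP algorithm commands are permitted.

```text
# Added example (not from the manual). Names are illustrative; "quit" is assumed.
system-view

# Weak set: des-cbc and md5 are accepted only in non-FIPS mode and are obsolete.
# Keep such a set only while a legacy peer is being migrated, then remove it.
ipsec transform-set legacy-weak
protocol esp
esp encryption-algorithm des-cbc
esp authentication-algorithm md5
quit

# Hardened ESP set: the algorithm listed first has the higher priority, so
# aes-cbc-256 is offered first and aes-cbc-128 only as a fallback.
# This set is also valid in FIPS mode, where both ESP commands are mandatory.
ipsec transform-set hardened-esp
protocol esp
esp encryption-algorithm aes-cbc-256 aes-cbc-128
esp authentication-algorithm sha1
quit

# AH-ESP set: "ah authentication-algorithm" is accepted here because AH is
# part of the selected protocol; with "protocol esp" it would not be.
ipsec transform-set ah-plus-esp
protocol ah-esp
ah authentication-algorithm sha1
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha1
quit
```

Two points from the table apply when reviewing a set like this. In FIPS mode the device rejects 3des-cbc, des-cbc, null and md5 outright, so a set that only works in non-FIPS mode is a sign that the algorithm choice should be revisited. And because edits to a transform set affect only SAs negotiated afterwards, tightening an existing set does not secure current tunnels until reset ipsec sa has cleared the SAs built with the old parameters.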