beautypg.com

Mirror image acls, Protection modes, Configuring an ipsec proposal – H3C Technologies H3C SecPath F1000-E User Manual

Page 187: Configuration guidelines, Configuration procedure

background image

175

Mirror image ACLs

See "

Mirror image ACLs

."

Protection modes

See "

Protection modes

."

Configuring an IPsec proposal

An IPsec proposal, part of an IPsec policy or an IPsec profile, defines the security parameters for IPsec SA
negotiation, including the security protocol, the encryption and authentication algorithms, and the

encapsulation mode.

Configuration guidelines

Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes

to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using
the updated parameters.

Only when a security protocol is selected, can you configure security algorithms for it. For example,
you can specify the ESP-specific security algorithms only when you select ESP as the security

protocol. ESP supports three IP packet protection schemes: encryption only, authentication only, or

both encryption and authentication.

You can configure up to 10000 IPsec proposals.

Configuration procedure

To configure an IPsec proposal:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Create an IPsec proposal

and enter its view.

ipsec proposal proposal-name

By default, no IPsec proposal exists.

3.

Specify the security
protocol for the

proposal.

transform { ah | ah-esp | esp }

Optional.
ESP by default.

4.

Specify the security
algorithms.

Specify the encryption

algorithm for ESP:

esp encryption-algorithm
{ 3des | aes [ key-length ] |

des }

Specify the authentication

algorithm for ESP:

esp authentication-algorithm

{ md5 | sha1 }

Specify the authentication

algorithm for AH:

ah authentication-algorithm
{ md5 | sha1 }

Optional.
By default, the encryption algorithm for
ESP is DES, the authentication algorithm

for ESP is MD5, and the authentication
algorithm for AH is MD5.
In FIPS mode, the firewall does not
support DES, 3DES, or MD5, and the

default encryption algorithm for ESP is
AES-128, the default authentication

algorithm for ESP is SHA1, and the

default authentication algorithm for AH
is SHA1.
In FIPS mode, if you use ESP, you must
specify both an encryption algorithm

and an authentication algorithm for ESP.

This manual is related to the following products:
See also other documents in the category H3C Technologies Safety: