R21xx-HP FlexFabric 11900 Security Command Reference

For an IKE-based IPsec policy, the initiator sends all ESP authentication algorithms specified in its
IPsec transform set to the peer during the negotiation phase, and the responder checks the
received algorithms, starting from the first one, against its local algorithms until it finds a match. For
IKE negotiation to succeed, the IPsec transform sets at both ends of the tunnel must share at least
one ESP authentication algorithm.
In FIPS mode, you can configure only one ESP authentication algorithm for an IPsec transform set.
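The following is an added example, not part of the HP command reference: it models the selection rule described above (the responder walks the initiator's list in the order it was sent and stops at the first algorithm it also has configured) together with the FIPS-mode restriction to a single ESP authentication algorithm per transform set. The algorithm keywords used as sample input (sha1, md5) are constructed for illustration; the functions and their names are assumptions made for this example.

```python
"""Added example (not from the HP command reference): ESP authentication
algorithm selection during IKE negotiation, plus the FIPS-mode single-algorithm
rule. Sample keywords (sha1, md5) are constructed for illustration."""
from typing import Optional, Sequence


def select_esp_auth(initiator: Sequence[str], responder: Sequence[str]) -> Optional[str]:
    """Return the ESP authentication algorithm the responder accepts.

    The initiator sends every algorithm in its transform set, in configured
    order; the responder walks that received list from the first entry and
    stops at the first one it also has configured. The responder's own
    ordering does not influence the choice. None means no match, so the
    IKE negotiation fails."""
    local = set(responder)
    for alg in initiator:
        if alg in local:
            return alg
    return None


def validate_transform_set(algs: Sequence[str], fips: bool) -> list[str]:
    """Return configuration problems for one side's ESP authentication list."""
    errors = []
    if not algs:
        errors.append("no ESP authentication algorithm to offer")
    if fips and len(algs) > 1:
        errors.append("FIPS mode allows only one ESP authentication algorithm")
    if len(set(algs)) != len(algs):
        errors.append("duplicate algorithm keyword")
    return errors


def negotiation_outcome(initiator: Sequence[str], responder: Sequence[str],
                        fips: bool = False) -> dict:
    """Combine the per-side checks with the match rule into one report.

    'selected' stays None when either side is misconfigured or when the two
    transform sets share no ESP authentication algorithm."""
    report = {
        "initiator_errors": validate_transform_set(initiator, fips),
        "responder_errors": validate_transform_set(responder, fips),
        "selected": None,
    }
    if not report["initiator_errors"] and not report["responder_errors"]:
        report["selected"] = select_esp_auth(initiator, responder)
    return report


if __name__ == "__main__":
    # Constructed samples: same two algorithms in opposite order on each side,
    # then disjoint lists, then a FIPS-mode transform set with two algorithms.
    print(negotiation_outcome(["sha1", "md5"], ["md5", "sha1"]))
    print(negotiation_outcome(["md5"], ["sha1"]))
    print(negotiation_outcome(["sha1", "md5"], ["sha1"], fips=True))
```

The first sample shows the point the paragraph makes implicitly: both peers support both algorithms, but the result is the initiator's first entry (sha1), not the responder's (md5), because the responder scans the received list in the order it arrived.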
Examples
# Configure the IPsec transform set tran1 to use the HMAC-SHA1 algorithm as the ESP authentication
algorithm.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1
Related commands
ipsec transform-set
esp encryption-algorithm
Use esp encryption-algorithm to specify encryption algorithms for ESP.
Use undo esp encryption-algorithm to remove all encryption algorithms specified for ESP.
Syntax
In non-FIPS mode:
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } *
undo esp encryption-algorithm
In FIPS mode:
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } *
undo esp encryption-algorithm
Default
ESP does not use any encryption algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
3des-cbc: Uses the 3DES algorithm in CBC mode, which uses a 168-bit key.
aes-cbc-128: Uses the AES algorithm in CBC mode, which uses a 128-bit key.
aes-cbc-192: Uses the AES algorithm in CBC mode, which uses a 192-bit key.
aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key.
des-cbc: Uses the DES algorithm in CBC mode, which uses a 64-bit key.
null: Uses the NULL algorithm, which means encryption is not performed.
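The following is an added example, not part of the HP command reference: a small audit that reads esp encryption-algorithm lines from a transform-set view, checks the keywords against the table above (key lengths as listed there), applies the FIPS-mode syntax restriction, and flags the default of no encryption as well as the null and des-cbc choices. The configuration lines it processes are constructed sample input; the function names and the handling of repeated or undone commands are assumptions made for this example.

```python
"""Added example (not from the HP command reference): audit the ESP encryption
algorithms of an IPsec transform set against the esp encryption-algorithm
keyword table and the FIPS-mode form of the command. Config lines used as
input are constructed samples."""

# Keyword -> (description, key length in bits), as listed for the command.
ESP_ENCRYPTION = {
    "3des-cbc": ("3DES in CBC mode", 168),
    "aes-cbc-128": ("AES in CBC mode", 128),
    "aes-cbc-192": ("AES in CBC mode", 192),
    "aes-cbc-256": ("AES in CBC mode", 256),
    "des-cbc": ("DES in CBC mode", 64),
    "null": ("NULL, encryption not performed", 0),
}
# The FIPS-mode syntax accepts only these keywords.
FIPS_ESP_ENCRYPTION = {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256"}


def _command_tokens(line: str) -> list[str]:
    """Split a CLI line, dropping a leading view prompt such as
    '[Sysname-ipsec-transform-set-tran1]'."""
    tokens = line.split()
    if tokens and tokens[0].startswith("["):
        tokens = tokens[1:]
    return tokens


def parse_esp_encryption(line: str) -> list[str]:
    """Return the keyword list from an 'esp encryption-algorithm ...' line.
    Unknown keywords raise ValueError, as the CLI would reject them."""
    tokens = _command_tokens(line)
    if tokens[:2] != ["esp", "encryption-algorithm"]:
        raise ValueError(f"not an esp encryption-algorithm command: {line!r}")
    keywords = tokens[2:]
    unknown = [k for k in keywords if k not in ESP_ENCRYPTION]
    if unknown:
        raise ValueError(f"unknown keyword(s): {unknown}")
    return keywords


def audit_esp_encryption(keywords: list[str], fips: bool) -> list[str]:
    """Return findings for the configured keywords; empty means nothing to flag.

    Covers the command default (no encryption when nothing is configured),
    the FIPS-mode keyword restriction, and the two choices that give no
    usable confidentiality: null, and single DES with its 64-bit key."""
    findings = []
    if not keywords:
        findings.append("default in effect: ESP does not encrypt")
    for k in keywords:
        description, bits = ESP_ENCRYPTION[k]
        if fips and k not in FIPS_ESP_ENCRYPTION:
            findings.append(f"{k}: not accepted in FIPS mode")
        if k == "null":
            findings.append(f"{k}: {description}, payload is sent in the clear")
        elif k == "des-cbc":
            findings.append(f"{k}: {description} with a {bits}-bit key is obsolete")
    return findings


def audit_transform_set(config_lines: list[str], fips: bool) -> list[str]:
    """Audit one transform-set view. Keywords from each esp encryption-algorithm
    line are accumulated (an assumption of this example); the undo form clears
    them, matching its documented effect of removing all ESP encryption algorithms."""
    keywords: list[str] = []
    for line in config_lines:
        tokens = _command_tokens(line)
        if tokens[:3] == ["undo", "esp", "encryption-algorithm"]:
            keywords = []
        elif tokens[:2] == ["esp", "encryption-algorithm"]:
            keywords.extend(parse_esp_encryption(line))
    return audit_esp_encryption(keywords, fips)


if __name__ == "__main__":
    # Constructed sample configuration in the form the Examples sections use.
    sample = [
        "[Sysname] ipsec transform-set tran1",
        "[Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-256 des-cbc",
    ]
    for finding in audit_transform_set(sample, fips=False):
        print(finding)
```

Run against the sample with fips=True to see the FIPS check fire for des-cbc; run with an empty list of keywords to see the default-of-no-encryption finding, which is the state a transform set is in before this command is entered.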