Configuring an IPsec transform set

An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms.

Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up by using the updated parameters.

To configure an IPsec transform set:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create an IPsec transform set and enter its view.
Command: ipsec transform-set transform-set-name
Remarks: By default, no IPsec transform sets exist.

Step 3. (Optional.) Specify the security protocol for the IPsec transform set.
Command: protocol { ah | ah-esp | esp }
Remarks: By default, the IPsec transform set uses ESP as the security protocol.

Step 4. Specify the security algorithms.
Commands:
  • (In non-FIPS mode.) Specify the encryption algorithm for ESP:
    esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null } *
  • (In FIPS mode.) Specify the encryption algorithm for ESP:
    esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 } *
  • (In non-FIPS mode.) Specify the authentication algorithm for ESP:
    esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
  • (In FIPS mode.) Specify the authentication algorithm for ESP:
    esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
  • (In non-FIPS mode.) Specify the authentication algorithm for AH:
    ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
  • (In FIPS mode.) Specify the authentication algorithm for AH:
    ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
Remarks:
Configure at least one command.

By default, no security algorithm is specified.

You can specify security algorithms for a security protocol only when the security protocol is used by the transform set. For example, you can specify the ESP-specific security algorithms only when you select ESP or AH-ESP as the security protocol.

If you use ESP in FIPS mode, you must specify both the ESP encryption algorithm and the ESP authentication algorithm.

You can specify multiple algorithms in one command; an algorithm specified earlier has a higher priority.

The aes-ctr-128, aes-ctr-192, aes-ctr-256, camellia-cbc-128, camellia-cbc-192, camellia-cbc-256, gmac-128, gmac-192, gmac-256, gcm-128, gcm-192, and gcm-256 encryption algorithms and the aes-xcbc-mac authentication algorithm are available only for IKEv2.

Step 5. (Optional.) Specify the mode in which the security protocol encapsulates IP packets.
Command: encapsulation-mode { transport | tunnel }
Remarks:
By default, the security protocol encapsulates IP packets in tunnel mode.

The transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.

IPsec for IPv6 routing protocols supports only the transport mode.

IPsec for ADVPN and IPsec tunnel interfaces supports only the tunnel mode.

Step 6. (Optional.) Enable the Perfect Forward Secrecy (PFS) feature for the IPsec policy.
Commands:
  • In non-FIPS mode:
    pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 | dh-group20 }
  • In FIPS mode:
    pfs { dh-group14 | dh-group19 | dh-group20 }
Remarks:
By default, the PFS feature is not used for SA negotiation.

For more information about PFS, see "Configuring IKE."

The security level of the Diffie-Hellman (DH) group of the initiator must be higher than or equal to that of the responder.

The end without the PFS feature performs SA negotiation according to the PFS requirements of the peer end.

The DH groups 19 and 20 are available only for IKEv2.

Step 7. (Optional.) Enable the Extended Sequence Number (ESN) feature for the IPsec policy.
Command: esn enable [ both ]
Remarks: By default, the ESN feature is disabled.
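As an added example (not Comware's own tooling or part of this document), the following Python checker parses the commands from this procedure and applies the constraints it states: algorithm commands only for the selected protocol, both algorithm kinds for ESP in FIPS mode, and the IKEv2-only algorithms and DH groups. The NON_FIPS set is derived by comparing the non-FIPS and FIPS lists above, and the sample transform set is constructed.

```python
"""Offline checker for the transform-set commands in this procedure (an added
example, not Comware's own tooling). It applies the constraints the procedure
states; algorithm order within a command is kept because earlier means higher priority."""
IKEV2_ONLY = {"aes-ctr-128", "aes-ctr-192", "aes-ctr-256", "camellia-cbc-128",
              "camellia-cbc-192", "camellia-cbc-256", "gmac-128", "gmac-192",
              "gmac-256", "gcm-128", "gcm-192", "gcm-256", "aes-xcbc-mac",
              "dh-group19", "dh-group20"}
# Options present in the non-FIPS command lists but absent from the FIPS-mode lists.
NON_FIPS = {"3des-cbc", "des-cbc", "null", "md5", "aes-xcbc-mac",
            "camellia-cbc-128", "camellia-cbc-192", "camellia-cbc-256"}
LIST_FIELDS = {("esp", "encryption-algorithm"): "esp_enc",
               ("esp", "authentication-algorithm"): "esp_auth",
               ("ah", "authentication-algorithm"): "ah_auth"}
SCALAR_FIELDS = {"protocol": "protocol", "encapsulation-mode": "mode", "pfs": "pfs"}

def parse_transform_set(lines):
    """Parse the commands of one transform set; defaults follow the procedure."""
    ts = {"protocol": "esp", "mode": "tunnel", "pfs": None, "esn": False,
          "esp_enc": [], "esp_auth": [], "ah_auth": []}
    for tok in (line.split() for line in lines):
        if tuple(tok[:2]) in LIST_FIELDS:
            ts[LIST_FIELDS[tuple(tok[:2])]] += tok[2:]   # earlier = higher priority
        elif tok[:1] and tok[0] in SCALAR_FIELDS:
            ts[SCALAR_FIELDS[tok[0]]] = tok[1]
        elif tok[:2] == ["esn", "enable"]:
            ts["esn"] = True
    return ts

def check_transform_set(ts, fips=False, ikev2=False):
    """Return the list of problems found; an empty list means the set is consistent."""
    uses_esp = ts["protocol"] in ("esp", "ah-esp")
    uses_ah = ts["protocol"] in ("ah", "ah-esp")
    checks = [
        ((ts["esp_enc"] or ts["esp_auth"]) and not uses_esp, "ESP algorithms but no ESP"),
        (ts["ah_auth"] and not uses_ah, "AH algorithm but no AH"),
        (not (ts["esp_enc"] or ts["esp_auth"] or ts["ah_auth"]), "no algorithm specified"),
        (fips and uses_esp and not (ts["esp_enc"] and ts["esp_auth"]),
         "FIPS mode: ESP needs both an encryption and an authentication algorithm"),
    ]
    issues = [msg for cond, msg in checks if cond]
    for alg in ts["esp_enc"] + ts["esp_auth"] + ts["ah_auth"] + [ts["pfs"]]:
        if alg in IKEV2_ONLY and not ikev2:
            issues.append(f"{alg} is available only for IKEv2")
        if alg in NON_FIPS:
            issues.append(f"{alg} is absent from the FIPS-mode lists; review its use")
    return issues

# Constructed sample: a transform set that passes every check in non-FIPS mode.
SAMPLE = ["ipsec transform-set tran1", " protocol esp",
          " esp encryption-algorithm aes-cbc-256 aes-cbc-128",
          " esp authentication-algorithm sha256", " encapsulation-mode tunnel",
          " pfs dh-group14", " esn enable"]
```

Run it against a transform set before pushing it to a device, or against a saved configuration exported from one, to see which options would be rejected under IKEv1 or in FIPS mode.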