esp encryption-algorithm
Use esp encryption-algorithm to specify encryption algorithms for ESP.
Use undo esp encryption-algorithm to restore the default.
Syntax
In non-FIPS mode:
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null } *
undo esp encryption-algorithm
In FIPS mode:
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 } *
undo esp encryption-algorithm
Default
ESP does not use any encryption algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.
aes-cbc-128: Specifies the AES algorithm in CBC mode, which uses a 128-bit key.
aes-cbc-192: Specifies the AES algorithm in CBC mode, which uses a 192-bit key.
aes-cbc-256: Specifies the AES algorithm in CBC mode, which uses a 256-bit key.
aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key. This keyword is available only for IKEv2.
aes-ctr-192: Specifies the AES algorithm in CTR mode, which uses a 192-bit key. This keyword is available only for IKEv2.
aes-ctr-256: Specifies the AES algorithm in CTR mode, which uses a 256-bit key. This keyword is available only for IKEv2.
camellia-cbc-128: Specifies the Camellia algorithm in CBC mode, which uses a 128-bit key. This keyword is available only for IKEv2.
camellia-cbc-192: Specifies the Camellia algorithm in CBC mode, which uses a 192-bit key. This keyword is available only for IKEv2.
camellia-cbc-256: Specifies the Camellia algorithm in CBC mode, which uses a 256-bit key. This keyword is available only for IKEv2.
des-cbc: Specifies the DES algorithm in CBC mode, which uses a 64-bit key.
gmac-128: Specifies the GMAC algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.
gmac-192: Specifies the GMAC algorithm, which uses a 192-bit key. This keyword is available only for IKEv2.
gmac-256: Specifies the GMAC algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.
gcm-128: Specifies the GCM algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.
gcm-192: Specifies the GCM algorithm, which uses a 192-bit key. This keyword is available only for IKEv2.
gcm-256: Specifies the GCM algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.
null: Specifies the NULL algorithm, which means encryption is not performed.
Usage guidelines
You can specify multiple ESP encryption algorithms for one IPsec transform set. An algorithm specified earlier has a higher priority than one specified later.
For a manual or IKEv1-based IPsec policy, the first specified ESP encryption algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP encryption algorithm.
GCM and GMAC algorithms are combined mode algorithms. GCM algorithms provide both encryption and authentication. GMAC algorithms provide only authentication. Combined mode algorithms can be used only when ESP is used alone, without AH, and cannot be used together with ordinary ESP authentication algorithms.
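The following audit script is an added example, not vendor code from this reference. It parses the esp encryption-algorithm lines of several transform sets from a constructed configuration excerpt and checks them against the rules stated in the parameter list and usage guidelines: keyword availability in FIPS and non-FIPS mode, IKEv2-only keywords, the first-algorithm rule for manual and IKEv1 policies, and the restriction that combined mode algorithms (GCM, GMAC) need ESP alone with no ordinary ESP authentication algorithm. The line formats esp authentication-algorithm and protocol, used to detect ESP authentication and AH, are assumptions of this example, and the classification of des-cbc, 3des-cbc and null as legacy or no-encryption choices is the example's own, not a statement of the reference.

```python
"""Audit ESP encryption algorithm settings of IPsec transform sets.

Added example; not H3C/HPE code. Keyword sets are taken from the
esp encryption-algorithm syntax. The 'esp authentication-algorithm'
and 'protocol' line formats are assumed for this example.
"""
import re
from dataclasses import dataclass, field

# Keywords accepted in non-FIPS mode (from the command syntax).
NON_FIPS_KEYWORDS = {
    "3des-cbc", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256",
    "aes-ctr-128", "aes-ctr-192", "aes-ctr-256",
    "camellia-cbc-128", "camellia-cbc-192", "camellia-cbc-256",
    "des-cbc", "gmac-128", "gmac-192", "gmac-256",
    "gcm-128", "gcm-192", "gcm-256", "null",
}
# Keywords accepted in FIPS mode (from the command syntax).
FIPS_KEYWORDS = {
    "aes-cbc-128", "aes-cbc-192", "aes-cbc-256",
    "aes-ctr-128", "aes-ctr-192", "aes-ctr-256",
    "gmac-128", "gmac-192", "gmac-256",
    "gcm-128", "gcm-192", "gcm-256",
}
# Keywords the parameter list marks as available only for IKEv2.
IKEV2_ONLY = {k for k in NON_FIPS_KEYWORDS
              if k.startswith(("aes-ctr", "camellia", "gmac", "gcm"))}
# Combined mode algorithms per the usage guidelines.
COMBINED_MODE = {k for k in NON_FIPS_KEYWORDS if k.startswith(("gmac", "gcm"))}
# Classification chosen by this example: little or no confidentiality.
LEGACY_OR_NO_ENCRYPTION = {"des-cbc", "3des-cbc", "null"}


@dataclass
class TransformSet:
    name: str
    esp_encryption: list = field(default_factory=list)
    esp_authentication: list = field(default_factory=list)  # assumed line format
    protocol: str = "esp"  # assumed line format: "esp", "ah" or "ah-esp"


def parse_transform_sets(config_text):
    """Collect transform sets from an 'ipsec transform-set' config excerpt."""
    sets, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^ipsec transform-set (\S+)$", line)
        if m:
            current = TransformSet(m.group(1))
            sets[current.name] = current
            continue
        if current is None:
            continue
        if line.startswith("esp encryption-algorithm "):
            current.esp_encryption = line.split()[2:]
        elif line.startswith("esp authentication-algorithm "):  # assumed format
            current.esp_authentication = line.split()[2:]
        elif line.startswith("protocol "):  # assumed format
            current.protocol = line.split()[1]
    return sets


def audit_transform_set(ts, fips=False, policy="ikev2"):
    """Return a list of findings; policy is 'manual', 'ikev1' or 'ikev2'."""
    findings = []
    mode = "FIPS" if fips else "non-FIPS"
    allowed = FIPS_KEYWORDS if fips else NON_FIPS_KEYWORDS
    if not ts.esp_encryption:
        findings.append(f"{ts.name}: no ESP encryption algorithm set (default: ESP does not encrypt)")
        return findings
    for kw in ts.esp_encryption:
        if kw not in allowed:
            findings.append(f"{ts.name}: {kw} is not accepted in {mode} mode")
        elif kw in IKEV2_ONLY and policy != "ikev2":
            findings.append(f"{ts.name}: {kw} is available only for IKEv2, but the policy is {policy}")
    first = ts.esp_encryption[0]
    if policy != "ikev2" and len(ts.esp_encryption) > 1:
        findings.append(f"{ts.name}: only the first algorithm ({first}) takes effect for a {policy} "
                        f"policy; the peer must list {first} first as well")
    for kw in ts.esp_encryption:
        if kw in LEGACY_OR_NO_ENCRYPTION:
            findings.append(f"{ts.name}: {kw} gives little or no confidentiality and can be selected")
    combined = [kw for kw in ts.esp_encryption if kw in COMBINED_MODE]
    if combined:
        if "ah" in ts.protocol:
            findings.append(f"{ts.name}: combined mode {combined} requires ESP alone, protocol is {ts.protocol}")
        if ts.esp_authentication:
            findings.append(f"{ts.name}: combined mode {combined} cannot be used with ESP "
                            f"authentication algorithms {ts.esp_authentication}")
    return findings


# Constructed configuration excerpt for the example (not from a real device).
SAMPLE_CONFIG = """\
ipsec transform-set tran1
 esp encryption-algorithm aes-cbc-128
ipsec transform-set tran2
 esp encryption-algorithm gcm-256 aes-cbc-256
 esp authentication-algorithm sha1
ipsec transform-set tran3
 esp encryption-algorithm des-cbc aes-cbc-128
"""

if __name__ == "__main__":
    for name, ts in parse_transform_sets(SAMPLE_CONFIG).items():
        for finding in audit_transform_set(ts, policy="ikev1") or [f"{name}: ok"]:
            print(finding)
```

Run it against a saved configuration by replacing SAMPLE_CONFIG with the file contents; pass fips=True to check a device that runs in FIPS mode, and policy="manual" or "ikev1" for policies where only the first listed algorithm takes effect.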
Examples
# Configure IPsec transform set tran1 to use the AES-CBC-128 algorithm as the ESP encryption algorithm.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
Related commands
ipsec transform-set