# esp encryption-algorithm

Use esp encryption-algorithm to specify encryption algorithms for ESP.

Use undo esp encryption-algorithm to restore the default.

## Syntax

In non-FIPS mode:

esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null } *

undo esp encryption-algorithm

In FIPS mode:

esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 }*

undo esp encryption-algorithm

## Default

ESP does not use any encryption algorithms.

## Views

IPsec transform set view

## Predefined user roles

network-admin

mdc-admin

## Parameters

3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.

aes-cbc-128: Specifies the AES algorithm in CBC mode, which uses a 128-bit key.

aes-cbc-192: Specifies the AES algorithm in CBC mode, which uses a 192-bit key.

aes-cbc-256: Specifies the AES algorithm in CBC mode, which uses a 256-bit key.

aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key. This keyword is available only for IKEv2.

aes-ctr-192: Specifies the AES algorithm in CTR mode, which uses a 192-bit key. This keyword is available only for IKEv2.

aes-ctr-256: Specifies the AES algorithm in CTR mode, which uses a 256-bit key. This keyword is available only for IKEv2.

camellia-cbc-128: Specifies the Camellia algorithm in CBC mode, which uses a 128-bit key. This keyword is available only for IKEv2.

camellia-cbc-192: Specifies the Camellia algorithm in CBC mode, which uses a 192-bit key. This keyword is available only for IKEv2.

camellia-cbc-256: Specifies the Camellia algorithm in CBC mode, which uses a 256-bit key. This keyword is available only for IKEv2.

des-cbc: Specifies the DES algorithm in CBC mode, which uses a 64-bit key.

gmac-128: Specifies the GMAC algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

gmac-192: Specifies the GMAC algorithm, which uses a 192-bit key. This keyword is available only for IKEv2.

gmac-256: Specifies the GMAC algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.

gcm-128: Specifies the GCM algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

gcm-192: Specifies the GCM algorithm, which uses a 192-bit key. This keyword is available only for IKEv2.

gcm-256: Specifies the GCM algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.

null: Specifies the NULL algorithm, which means encryption is not performed.

## Usage guidelines

You can specify multiple ESP encryption algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.

For a manual or IKEv1-based IPsec policy, the first specified ESP encryption algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP encryption algorithm.

GCM and GMAC algorithms are combined mode algorithms. GCM algorithms provide encryption and authentication services. GMAC algorithms only provide authentication service. Combined mode algorithms can be used only when ESP is used alone without AH. Combined mode algorithms cannot be used together with ordinary ESP authentication algorithms.

## Examples

# Configure IPsec transform set **tran1** to use the AES-CBC-128 algorithm as the ESP encryption algorithm.

<Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

## Related commands

**ipsec ****transform-set**