Configuring an IPsec Proposal

Procedure

1. Run system-view

   The system view is displayed.

2. Run ipsec proposal proposal-name

   An IPsec proposal is created, and the IPsec proposal view is displayed.

3. Run transform { ah | ah-esp | esp }

   A security protocol for data transmission is configured.

   AH and ESP must be used independently. The rules for using them are as follows:

   • AH provides data source authentication, data integrity check, and the anti-replay function for the protected data.

   • ESP provides encryption, in addition to data source authentication, data integrity check, and anti-replay function, for the protected data.

4. Configure the authentication and encryption algorithms that are used by the security protocol.
   • If AH is used as a security protocol, you only need to configure the authentication algorithm of AH.

     • Run ah authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

       An authentication algorithm used by AH is configured.

       

       To help improve system security, do not use the MD5 or SHA1 authentication algorithm for the AH protocol.

   • If ESP is used as a security protocol, you need to configure the authentication and encryption algorithms of ESP.

     • Run esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

       An authentication algorithm used by ESP is configured.

       

       To help improve system security, do not use the MD5 or SHA1 authentication algorithm for the ESP protocol.

     • Run esp encryption-algorithm { des | 3des | aes { 128 | 192 | 256 } | aes-gcm-128 { 128 | 192 | 256 } }

       An encryption algorithm used by ESP is configured.

       

       To help improve system security, do not use the DES or 3DES encryption algorithm for the ESP protocol.

5. Run encapsulation-mode { transport | tunnel }

   A packet encapsulation mode is configured.

6. Run commit

   The configuration is committed.