Configuring IPSec 567
The default mode is tunnel-encapsulation mode.
Select Security Protocol
After the encapsulation mode (transport or tunnel) is defined, the security protocol to use with it must be selected. The security protocols available at present are AH and ESP, which can also be used together. Both ends of the security tunnel must select the same security protocol.
The data encapsulation forms of the security protocols in transport and tunnel mode are shown in the following figure:
Figure 173 Data encapsulation form of the security protocol
Please configure the following in IPSec Proposal view (or proposal view of the crypto card).
Table 637 Select Security Protocol
The security protocol esp-new, defined in RFC 2406, is used by default.
Selecting the Encryption and Authentication Algorithm
The AH protocol authenticates packets but cannot encrypt them. ESP in the IPSec software supports five encryption algorithms: 3des, des, blowfish, cast and skipjack. ESP on the crypto card supports seven encryption algorithms: 3des, des, blowfish, cast, skipjack, aes and qc5.
The authentication algorithms currently available are MD5 (Message Digest 5) and SHA (Secure Hash Algorithm), both used as HMAC variants. HMAC is a keyed hash algorithm that can authenticate data. The md5 algorithm uses a 128-bit key and the sha1 algorithm uses a 160-bit key; md5 is faster to compute, while sha1 is more secure.
Both ends of the security tunnel must select the same encryption algorithm and authentication algorithm.
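The rules above (same protocol, mode and algorithms on both ends; AH authenticates only; aes and qc5 only on the crypto card) and the header orders of Figure 173, modelled in an added Python example that is not part of the manual. The Proposal class, its field names and the ESP-T meaning "ESP trailer" are assumptions made for the example.

```python
# Added example (not from the manual): model an IPSec proposal as described on
# this page and check that two tunnel endpoints can actually interoperate.
from dataclasses import dataclass
from typing import Optional

# ESP encryption algorithms listed on the page: IPSec software vs crypto card.
ESP_ENC_SOFTWARE = {"3des", "des", "blowfish", "cast", "skipjack"}
ESP_ENC_CRYPTO_CARD = ESP_ENC_SOFTWARE | {"aes", "qc5"}
AUTH_ALGS = {"md5", "sha1"}  # both HMAC variants; sha1 is the stronger one

@dataclass(frozen=True)
class Proposal:               # hypothetical model, not a device data structure
    transform: str            # ah-new | esp-new | ah-esp-new
    mode: str = "tunnel"      # transport | tunnel (tunnel is the default)
    encryption: Optional[str] = None  # only meaningful when ESP is in use
    auth: str = "md5"
    crypto_card: bool = False

def encapsulation_layout(transform: str, mode: str) -> list:
    """Header order from Figure 173. Tunnel mode wraps the whole original packet
    (IP + data) behind a new outer IP header; transport mode keeps the original
    header in front. ESP-T is assumed to denote the ESP trailer."""
    if transform not in {"ah-new", "esp-new", "ah-esp-new"}:
        raise ValueError(f"unknown security protocol: {transform}")
    if mode not in {"transport", "tunnel"}:
        raise ValueError(f"unknown encapsulation mode: {mode}")
    headers = (["AH"] if "ah" in transform else []) + (["ESP"] if "esp" in transform else [])
    payload = ["IP", "data"] if mode == "tunnel" else ["data"]
    trailer = ["ESP-T"] if "esp" in transform else []
    return ["IP"] + headers + payload + trailer

def validate(p: Proposal) -> list:
    """Problems with a single proposal (empty list if it is usable)."""
    problems = []
    try:
        encapsulation_layout(p.transform, p.mode)
    except ValueError as e:
        problems.append(str(e))
    if p.auth not in AUTH_ALGS:
        problems.append(f"unknown authentication algorithm: {p.auth}")
    if "esp" in p.transform:
        allowed = ESP_ENC_CRYPTO_CARD if p.crypto_card else ESP_ENC_SOFTWARE
        if p.encryption not in allowed:
            platform = "crypto card" if p.crypto_card else "IPSec software"
            problems.append(f"encryption {p.encryption} not supported by {platform}")
    elif p.encryption is not None:
        problems.append("AH cannot encrypt; drop the encryption algorithm")
    return problems

def peers_agree(local: Proposal, remote: Proposal) -> list:
    """Both ends must select the same protocol, mode and algorithms."""
    fields = ("transform", "mode", "encryption", "auth")
    mismatches = [f"{f} differs between peers" for f in fields
                  if getattr(local, f) != getattr(remote, f)]
    return validate(local) + validate(remote) + mismatches
```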
(final row of the preceding encapsulation-mode table)
Restore the default message encapsulating mode (applicable to IPSec software and crypto card)    undo encapsulation-mode

Operation    Command
Set security protocol used for IPSec proposal (applicable to IPSec software and crypto card)    transform { ah-new | esp-new | ah-esp-new }
Restore the default security protocol (applicable to IPSec software and crypto card)    undo transform
Encryption protocol    Transmission mode: transport         Transmission mode: tunnel
ah-new                 IP | AH | data                       IP | AH | IP | data
esp-new                IP | ESP | data | ESP-T              IP | ESP | IP | data | ESP-T
ah-esp-new             IP | AH | ESP | data | ESP-T         IP | AH | ESP | IP | data | ESP-T