The encryption-algorithm command configures an encryption algorithm for IKE negotiation.
The undo encryption-algorithm command restores the default configuration.
By default, the AES-256 encryption algorithm is used for IKE negotiation.
encryption-algorithm { des | 3des | aes-128 | aes-192 | aes-256 | sm4 } *
undo encryption-algorithm
| Parameter | Description | Value |
|---|---|---|
| des | Configures the 56-bit Data Encryption Standard (DES) algorithm in Cipher Block Chaining (CBC) mode. | - |
| 3des | Configures the 168-bit Triple Data Encryption Standard (3DES) algorithm in CBC mode. | - |
| aes-128 | Configures the 128-bit AES algorithm in CBC mode. | - |
| aes-192 | Configures the 192-bit AES algorithm in CBC mode. | - |
| aes-256 | Configures the 256-bit AES algorithm in CBC mode. | - |
| sm4 | Configures SM4, which is an authentication algorithm defined by China's National Password Administration. It uses a 128-bit key. | - |
To improve the success rate of IKE negotiation, a device supports multiple encryption algorithms. During IKE negotiation, the algorithms are tried in descending order of security level. The following encryption algorithms used in IKE proposals are listed in descending order of security level: sm4 > aes-256 > aes-192 > aes-128 > 3des > des.
SM4 meets high confidentiality and security requirements, but it takes a comparatively long time to process. The 3des and des algorithms provide low security and are therefore not recommended. By default, the device does not support the 3des and des algorithms. To use them, install the weak security algorithm component package (product_version_WEAKEA.mod). For details, see Dynamic Loading.
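The following audit script is an added example, not part of the original command reference. It applies the security ranking above to exported configuration text and reports, per proposal, the order in which the algorithms are tried and any weak ones configured. It assumes each proposal block opens with a top-level `ike proposal <id>` line followed by indented sub-commands; the sample configuration is constructed, and `aes-512` is a deliberately invalid token.

```python
# Security ranking as stated on this page (strongest first).
RANK = ["sm4", "aes-256", "aes-192", "aes-128", "3des", "des"]
WEAK = {"3des", "des"}   # not recommended; need the weak-algorithm package
DEFAULT = ["aes-256"]    # default, also restored by "undo encryption-algorithm"


def _entry(algs):
    """Classify configured tokens; 'order' is strongest-first, as negotiated."""
    known = [a for a in algs if a in RANK]
    return {"order": sorted(known, key=RANK.index),
            "weak": [a for a in known if a in WEAK],
            "unknown": [a for a in algs if a not in RANK]}


def audit(config_text):
    """Return {proposal_id: {"order": [...], "weak": [...], "unknown": [...]}}."""
    results, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():
            # A top-level line closes the previous block (assumed layout).
            current = None
            if words[:2] == ["ike", "proposal"] and len(words) == 3:
                current = words[2]
                results[current] = _entry(DEFAULT)
        elif current and words == ["undo", "encryption-algorithm"]:
            results[current] = _entry(DEFAULT)
        elif current and words[0] == "encryption-algorithm":
            # Several algorithms may be listed; drop duplicates, keep order.
            results[current] = _entry(dict.fromkeys(words[1:]))
    return results


# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
ike proposal 10
 encryption-algorithm aes-128 3des aes-256
ike proposal 20
ike proposal 30
 encryption-algorithm des aes-512
"""

if __name__ == "__main__":
    for pid, r in audit(SAMPLE).items():
        status = "WEAK" if r["weak"] else "ok"
        print(f"proposal {pid}: {status} order={r['order']} "
              f"weak={r['weak']} unknown={r['unknown']}")
```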