The esp encryption-algorithm command configures the ESP encryption algorithm.
The undo esp encryption-algorithm command sets the ESP encryption algorithm to blank (non-encryption).
By default, the ESP encryption algorithm is the 256-bit Advanced Encryption Standard (AES-256) algorithm.
esp encryption-algorithm { des | 3des | aes-128 | aes-192 | aes-256 | sm4 | aes-128-gcm-128 | aes-192-gcm-128 | aes-256-gcm-128 | aes-128-gmac | aes-192-gmac | aes-256-gmac } *
undo esp encryption-algorithm
| Parameter | Description | Value |
|---|---|---|
| des | Configures the 56-bit Data Encryption Standard (DES) algorithm in Cipher Block Chaining (CBC) mode. | - |
| 3des | Configures the 168-bit Triple Data Encryption Standard (3DES) algorithm in CBC mode. | - |
| aes-128 | Configures the 128-bit AES algorithm in CBC mode. | - |
| aes-192 | Configures the 192-bit AES algorithm in CBC mode. | - |
| aes-256 | Configures the 256-bit AES algorithm in CBC mode. | - |
| sm4 | Configures the SM4 encryption algorithm defined by China's National Password Administration. It uses a 128-bit key. | - |
| aes-128-gcm-128 | Configures the 128-bit AES encryption algorithm in 128-bit Galois/Counter Mode (GCM). | - |
| aes-192-gcm-128 | Configures the 192-bit AES encryption algorithm in 128-bit GCM. | - |
| aes-256-gcm-128 | Configures the 256-bit AES encryption algorithm in 128-bit GCM. | - |
| aes-128-gmac | Configures the 128-bit AES encryption algorithm in Galois Message Authentication Code (GMAC) mode. | - |
| aes-192-gmac | Configures the 192-bit AES encryption algorithm in GMAC mode. | - |
| aes-256-gmac | Configures the 256-bit AES encryption algorithm in GMAC mode. | - |
Usage Scenario
ESP can authenticate and encrypt packets at the same time, or only authenticate or only encrypt them. The ESP authentication and encryption algorithms cannot both be blank.
Prerequisites
esp or ah-esp has been specified in the transform command.
Precautions
ESP encryption algorithms in the IPSec proposals referenced in the IPSec policies configured at both ends of an IPSec tunnel must be the same.
The undo esp encryption-algorithm command sets the ESP encryption algorithm to blank (non-encryption); it takes effect only when an ESP encryption algorithm has already been specified.
To improve the success rate of IKE negotiation, the device can have multiple encryption algorithms configured. During IKE negotiation, the algorithms are tried in descending order of security level. The following encryption algorithms are listed in descending order of security level: sm4 > aes-256-gcm-128 > aes-192-gcm-128 > aes-128-gcm-128 > aes-256-gmac > aes-192-gmac > aes-128-gmac > aes-256 > aes-192 > aes-128 > 3des > des.
When a GCM or GMAC algorithm is used, the esp authentication-algorithm command configuration does not take effect, because these modes already include authentication.
SM4 meets high confidentiality and security requirements, but it takes comparatively long to process. The aes-256, aes-192, aes-128, aes-256-gcm-128, aes-192-gcm-128, aes-128-gcm-128, aes-256-gmac, aes-192-gmac, and aes-128-gmac algorithms are recommended for security purposes. The 3des and des algorithms are not recommended. By default, the device does not support 3des and des; to use them, install the weak security algorithm component package (product_version_WEAKEA.mod). For details, see Dynamic Loading.
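The following is an added example, not Huawei device code: a small model of the rules in the Usage Scenario and Precautions sections (the documented security ordering, the "not both blank" rule, the weak-algorithm package requirement, and the GCM/GMAC note), usable to sanity-check a planned proposal before both tunnel ends are configured. It assumes that negotiation settles on the highest-security algorithm both ends have configured, and "sha2-256" below is only an example authentication-algorithm name.

```python
# Added example (not Huawei device code): model of the documented ESP proposal rules.
# The ordering and constraints come from the page; the choice of the highest-security
# shared algorithm during negotiation is an assumption of this example.

# Descending security order, as documented: sm4 highest, des lowest.
SECURITY_ORDER = [
    "sm4", "aes-256-gcm-128", "aes-192-gcm-128", "aes-128-gcm-128",
    "aes-256-gmac", "aes-192-gmac", "aes-128-gmac",
    "aes-256", "aes-192", "aes-128", "3des", "des",
]
WEAK = {"3des", "des"}  # unsupported unless the weak security algorithm package is loaded
# GCM and GMAC modes carry their own authentication, so esp authentication-algorithm is ignored.
COMBINED_MODES = {a for a in SECURITY_ORDER if "gcm" in a or "gmac" in a}


def check_proposal(enc, auth, weak_package_installed=False):
    """Validate one end's ESP settings.

    enc:  list of ESP encryption algorithms (empty list = blank / non-encryption)
    auth: ESP authentication algorithm name, or None for blank
    Returns {"errors": [...], "warnings": [...]}; empty lists mean the proposal is usable.
    """
    errors, warnings = [], []
    unknown = [a for a in enc if a not in SECURITY_ORDER]
    if unknown:
        errors.append(f"unknown ESP encryption algorithm(s): {unknown}")
    if not enc and auth is None:
        errors.append("ESP encryption and authentication algorithms cannot both be blank")
    if not weak_package_installed and WEAK & set(enc):
        errors.append("3des/des require the weak security algorithm component package")
    if auth is not None and COMBINED_MODES & set(enc):
        warnings.append("esp authentication-algorithm does not take effect with GCM/GMAC")
    return {"errors": errors, "warnings": warnings}


def negotiate(local, peer):
    """Pick the ESP encryption algorithm for a tunnel between two ends.

    Both ends must share at least one algorithm; among the shared ones the
    highest-security entry wins (assumed equivalent to trying them in
    descending order). Returns None when the proposals share nothing.
    """
    common = [a for a in SECURITY_ORDER if a in local and a in peer]
    return common[0] if common else None


if __name__ == "__main__":
    print(check_proposal(["aes-256-gcm-128", "aes-256"], "sha2-256"))
    print(negotiate(["aes-256-gcm-128", "aes-256", "3des"], ["aes-256", "aes-128"]))
```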