< Home

transform

Function

The transform command specifies a security protocol used in an IPSec proposal.

The undo transform command restores the default configuration.

By default, an IPSec proposal uses the ESP protocol.

Format

transform { ah | ah-esp | esp }

undo transform

Parameters

Parameter Description Value
ah

Indicates that the IPSec proposal uses the Authentication Header (AH) protocol.

 -
ah-esp

Indicates that the IPSec proposal encapsulates packets through ESP, then through AH.

 -
esp

Indicates that the IPSec proposal uses the ESP protocol.

 -

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Three security modes are available and their differences are as follows:
  • In the AH mode, devices only authenticate packets.
  • In the ESP mode, devices provide packet authentication, encryption, or both functions.
  • In the AH-ESP mode, devices use the AH protocol to authenticate packets and the ESP protocol to encrypt packets. During IPSec encapsulation, devices encapsulate packets using ESP and then AH. During IPSec decapsulation, devices decapsulate packets using AH and then ESP.

AH prevents data tampering but cannot prevent data from being listened to, so it applies only to the transmission of non-confidential data. ESP provides authentication service inferior to that of AH, but it can encrypt packet payloads.

Precautions

The IPSec proposals configured on both ends of an IPSec tunnel must use the same security protocol.

Example

# Set the security protocol used in IPSec proposal newprop1 to AH.

<sysname> system-view
[sysname] ipsec proposal newprop1
[sysname-ipsec-proposal-newprop1] transform ah
Parent Topic: IPSec Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >