HP 12500 Series Configuration Manual page 183

Step
3. Specify the security protocol
for the IPsec proposal.
4. Specify the security
algorithms.
Specify the IP packet
5.
encapsulation mode for the
IPsec proposal.
Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes to
existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using the
updated parameters.
Command
transform { ah | ah-esp | esp }
•
Specify the encryption
algorithm for ESP:
esp encryption-algorithm
{ 3des | aes [ key-length ] |
des }
•
Specify the authentication
algorithm for ESP:
esp authentication-algorithm
{ md5 | sha1 }
•
Specify the authentication
algorithm for AH:
ah authentication-algorithm
{ md5 | sha1 }
encapsulation-mode { transport |
tunnel }
173
Remarks
Optional.
ESP by default.
You can configure security
algorithms for a security protocol
only after you select the protocol.
For example, you can specify the
ESP-specific security algorithms
only when you select ESP as the
security protocol.
In non-FIPS mode, ESP supports
three IP packet protection schemes:
encryption only, authentication
only, or both encryption and
authentication.
In FIPS mode, ESP must use both
the authentication and encryption
algorithms.
Configure at least one command.
By default, ESP uses the DES
encryption algorithm and the MD5
authentication algorithm in
non-FIPS mode, and it uses the
AES-128 encryption algorithm and
the SHA1 authentication algorithm
in FIPS mode.
By default, AH uses the MD5
authentication algorithm in
non-FIPS mode and uses the SHA1
authentication algorithm in FIPS
mode.
The 3des, des, and md5 keywords
are not available for ESP in FIPS
mode.
The md5 keyword is not available
for AH in FIPS mode.
Optional.
Tunnel mode by default.
Transport mode applies only when
the source and destination IP
addresses of data flows match
those of the IPsec tunnel.
IPsec for IPv6 routing protocols
supports only the transport mode.