Step 3. Specify the security protocol for the IPsec proposal.

  Command:
    transform { ah | ah-esp | esp }

  Remarks:
    Optional.
    ESP by default.
    You can configure security algorithms for a security protocol only after you select the protocol. For example, you can specify the ESP-specific security algorithms only when you select ESP as the security protocol.
    In non-FIPS mode, ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication.
    In FIPS mode, ESP must use both the authentication and encryption algorithms.

Step 4. Specify the security algorithms.

  Command:
    • Specify the encryption algorithm for ESP:
      esp encryption-algorithm { 3des | aes [ key-length ] | des }
    • Specify the authentication algorithm for ESP:
      esp authentication-algorithm { md5 | sha1 }
    • Specify the authentication algorithm for AH:
      ah authentication-algorithm { md5 | sha1 }

  Remarks:
    Configure at least one command.
    By default, ESP uses the DES encryption algorithm and the MD5 authentication algorithm in non-FIPS mode, and it uses the AES-128 encryption algorithm and the SHA1 authentication algorithm in FIPS mode.
    By default, AH uses the MD5 authentication algorithm in non-FIPS mode and uses the SHA1 authentication algorithm in FIPS mode.
    The 3des, des, and md5 keywords are not available for ESP in FIPS mode.
    The md5 keyword is not available for AH in FIPS mode.

Step 5. Specify the IP packet encapsulation mode for the IPsec proposal.

  Command:
    encapsulation-mode { transport | tunnel }

  Remarks:
    Optional.
    Tunnel mode by default.
    Transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.
    IPsec for IPv6 routing protocols supports only the transport mode.

Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using the updated parameters.
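Because the non-FIPS defaults are DES and MD5, a proposal that omits an algorithm command still ends up with one of them. The following added example (not part of the original manual) resolves the effective settings of one proposal from its configured commands and reports every algorithm keyword that the table lists as unavailable in FIPS mode. The function names effective_proposal and findings, the internal setting names, and the sample command lines are hypothetical and constructed for illustration.

```python
# Keywords the table lists as unavailable in FIPS mode.
NOT_IN_FIPS = {"des", "3des", "md5"}
# Defaults stated in the table; "aes 128" stands for the AES-128 FIPS default.
DEFAULTS = {
    False: {"transform": "esp", "esp_enc": "des", "esp_auth": "md5",
            "ah_auth": "md5", "mode": "tunnel"},
    True: {"transform": "esp", "esp_enc": "aes 128", "esp_auth": "sha1",
           "ah_auth": "sha1", "mode": "tunnel"},
}
# Command prefixes from steps 3 to 5, mapped to the setting they control.
COMMANDS = {
    "transform": "transform",
    "esp encryption-algorithm": "esp_enc",
    "esp authentication-algorithm": "esp_auth",
    "ah authentication-algorithm": "ah_auth",
    "encapsulation-mode": "mode",
}

def effective_proposal(lines, fips=False):
    """Return (settings, configured_keys) after applying the defaults."""
    eff, configured = dict(DEFAULTS[fips]), set()
    for raw in lines:
        line = " ".join(raw.split())  # normalise whitespace
        for prefix, key in COMMANDS.items():
            if line.startswith(prefix + " "):
                eff[key] = line[len(prefix) + 1:]
                configured.add(key)
    # Algorithms only apply to the protocol(s) selected by "transform".
    unused = {"ah": ("esp_enc", "esp_auth"), "esp": ("ah_auth",)}
    for key in unused.get(eff["transform"], ()):
        eff.pop(key)
    return eff, configured

def findings(lines, fips=False):
    """List (setting, value, origin) for algorithms not allowed in FIPS mode."""
    eff, configured = effective_proposal(lines, fips)
    return [(k, eff[k], "configured" if k in configured else "default")
            for k in ("esp_enc", "esp_auth", "ah_auth")
            if k in eff and eff[k].split()[0] in NOT_IN_FIPS]

if __name__ == "__main__":
    # Constructed sample: AES is set for ESP, both authentication algorithms are left at default.
    sample = ["transform ah-esp", "esp encryption-algorithm aes 256"]
    for finding in findings(sample):
        print(finding)
```

A finding whose origin is "default" marks a setting that needs an explicit command in the proposal, followed by reset ipsec sa so that existing SAs are renegotiated with the new parameters.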