Configures the encryption algorithm and key length used to protect the
IKEv2 IKE Security Association (IKE_SA). aes-cbc-128 is the default.
Privilege:
Security Administrator,
Administrator
Syntax
encryption { 3des-cbc | aes-cbc-128 | aes-cbc-256 | des-cbc | null }
default encryption
Restores the default setting, aes-cbc-128.
3des-cbc
Data Encryption Standard
Cipher Block Chaining applied to the message three times using three
different cipher keys (triple DES, 64-bit blocks).
aes-cbc-128
Advanced Encryption
Standard Cipher Block Chaining with a key length of 128 bits.
aes-cbc-256
Advanced Encryption
Standard Cipher Block Chaining with a key length of 256 bits.
des-cbc
Data Encryption Standard
Cipher Block Chaining with a 56-bit key. Insecure: a 56-bit key is
within reach of brute-force search.
null
Configures no encryption for the IKEv2 IKE Security Association. IKE
messages after IKE_SA_INIT, including the IKE_AUTH exchange that carries
peer identities and authentication data and the CREATE_CHILD_SA exchanges
that negotiate IPsec Child Security Associations, are sent in the clear.
Note:
USE OF THIS ALGORITHM FOR IKE_SA ENCRYPTION IS A VIOLATION OF
RFC 4306. THIS ALGORITHM SHOULD ONLY BE USED FOR TESTING PURPOSES.
Usage:
IKEv2 requires a confidentiality
algorithm to be applied in order to work.
A block cipher operates on fixed-size blocks of plaintext, usually
64 or 128 bits long. In cipher block chaining (CBC) each ciphertext
block is XORed into the next plaintext block before that block is
encrypted. A randomly generated initialization vector (IV) takes the
place of the previous ciphertext block for the first plaintext block.
CBC provides confidentiality, but not message integrity: a modified
ciphertext decrypts without error, and a bit flipped in one ciphertext
block flips the same bit in the next plaintext block.
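The chaining, the role of the IV, and the missing integrity described above, as an added example that is not part of this reference page or of the product's own code. Because the example must run offline, the 128-bit block cipher is a stand-in: a 4-round Feistel network whose round function is SHA-256 keyed by the round index (an invertible permutation, chosen for self-containment, not AES or 3DES and not for deployment). The key and IV values, and the sample message, are constructed test data.

```python
"""CBC chaining with a stand-in 128-bit block cipher (added example).

The block cipher is a Feistel network built on SHA-256; it is assumed
here only so the chaining can be shown without a crypto library.
"""
import hashlib
import os

BLOCK = 16      # 128-bit blocks, as with aes-cbc-128 / aes-cbc-256
HALF = BLOCK // 2
ROUNDS = 4

# Constructed test values; a real IV must be fresh and unpredictable per message.
KEY = b"constructed-key!"          # 16 bytes, arbitrary
IV = bytes(range(16))              # fixed only so the results are reproducible


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed SHA-256 truncated to half a block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block (stand-in permutation, not AES)."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: run the rounds backwards."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _pad(data: bytes) -> bytes:
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block
    (the IV for the first block) before it goes through the block cipher."""
    data, prev, out = _pad(plaintext), iv, []
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CBC decryption: decrypt each block, then XOR with the previous
    ciphertext block. Nothing here can detect a modified ciphertext."""
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, block), prev))
        prev = block
    return _unpad(b"".join(out))


def repeated_blocks_differ(key: bytes, iv: bytes) -> bool:
    """Chaining hides repetition: two equal plaintext blocks encrypt differently."""
    ct = cbc_encrypt(key, iv, b"A" * 32)
    return ct[:BLOCK] != ct[BLOCK:2 * BLOCK]


def bit_flip_effect(key: bytes, iv: bytes) -> tuple:
    """No integrity: flip one bit of ciphertext block 0 and the receiver gets
    a garbled block 0, block 1 with exactly that bit flipped, and no error."""
    pt = b"A" * 32
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[0] ^= 0x01
    out = cbc_decrypt(key, iv, bytes(ct))
    block0_garbled = out[:BLOCK] != pt[:BLOCK]
    block1_one_bit = out[BLOCK:2 * BLOCK] == bytes([pt[BLOCK] ^ 0x01]) + pt[BLOCK + 1:2 * BLOCK]
    return block0_garbled, block1_one_bit, len(out)


if __name__ == "__main__":
    msg = b"IKE_AUTH payload bytes (constructed)"
    iv = os.urandom(BLOCK)   # a randomly generated IV, as the text describes
    assert cbc_decrypt(KEY, iv, cbc_encrypt(KEY, iv, msg)) == msg
    print("repeated blocks differ:", repeated_blocks_differ(KEY, iv))
    print("bit flip -> (garbled, one-bit shift, length):", bit_flip_effect(KEY, iv))
```

The tampered ciphertext in bit_flip_effect decrypts cleanly because CBC alone carries no check; this is why IKEv2 always pairs the IKE_SA encryption algorithm with a separate integrity algorithm, and why the integrity check, not the cipher, is what rejects modified IKE messages.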
RFC 4307 specifies the cryptographic algorithms that IKEv2
implementations must support so that they interoperate. The encryption
algorithm configured here must appear in the peer's IKE_SA proposal;
otherwise there is no acceptable match during the IKE_SA_INIT exchange
and the negotiation fails. The IKE_SA algorithm is negotiated separately
from the algorithms that protect IPsec Child SA traffic. null is not a
viable option for a production IKE_SA (see the Note above); it is
available for testing only.
Example:
The following command
configures the encryption to be aes-cbc-128:
encryption aes-cbc-128