## encryption

Configures the appropriate IPSec ESP encryption algorithm and encryption key length. AES-CBC-128 is the default.

### Product

ePDG

PDIF

SCM

### Privilege

Security Administrator, Administrator

### Mode

Exec > Global Configuration > Context Configuration > IPSec Transform Set Configuration

configure > context `context_name` > ipsec transform-set `set_name`

Entering the above command sequence results in the following prompt:

`[context_name]host_name(config-context-vrf)#`

### Syntax

```
encryption { 3des-cbc | aes-128-gcm-128 | aes-cbc-128 | aes-128-gcm-64 | aes-128-gcm-96 | aes-256-gcm-128 | aes-256-gcm-64 | aes-256-gcm-96 | aes-cbc-256 | des-cbc | null }
default encryption
```

### 3des-cbc

Data Encryption Standard Cipher Block Chaining encryption applied to the message three times using three different cipher keys (triple DES).

### aes-128-gcm-128

IKEv2 Child Security Association IPsec ESP Algorithm is AES-GCM-128 with 128-bit ICV (Integrity Check Value). HMAC algorithm with this encryption algorithm should be None.

### aes-128-gcm-64

IKEv2 Child SA (Security Association) IPsec ESP Algorithm is AES-GCM-128 with 64-bit ICV. HMAC algorithm with this encryption algorithm should be None.

### aes-128-gcm-96

IKEv2 Child SA IPsec ESP Algorithm is AES-GCM-128 with 96-bit ICV. HMAC algorithm with this encryption algorithm should be None.

### aes-256-gcm-128

IKEv2 Child SA IPsec ESP Algorithm is AES-GCM-256 with 128-bit ICV. HMAC algorithm with this encryption algorithm should be None.

### aes-256-gcm-64

IKEv2 Child SA IPsec ESP Algorithm is AES-GCM-256 with 64-bit ICV. HMAC algorithm with this encryption algorithm should be None.

### aes-256-gcm-96

IKEv2 Child SA IPsec ESP Algorithm is AES-GCM-256 with 96-bit ICV. HMAC algorithm with this encryption algorithm should be None.

### aes-cbc-128

Advanced Encryption Standard Cipher Block Chaining with a key length of 128 bits. This is the default setting for this command.

### aes-cbc-256

Advanced Encryption Standard Cipher Block Chaining with a key length of 256 bits.

### des-cbc

Data Encryption Standard Cipher Block Chaining, using a 56-bit key. Relatively insecure.

### null

The NULL encryption algorithm represents the option of applying no encryption within ESP. ESP can then be used to provide authentication and integrity without confidentiality.

### default

Sets the default IPSec ESP algorithm to AES-CBC-128.

### Usage Guidelines

AES-GCM (Advanced Encryption Standard-Galois Counter Mode) is a block cipher mode of operation that uses universal hashing over a binary Galois field to provide authenticated encryption (RFC 5288). It uses mechanisms that are supported by a well-understood theoretical foundation, and its security follows from a single reasonable assumption about the security of the block cipher. StarOS supports these AEAD (Authenticated Encryption with Associated Data) algorithms for improved IPsec performance when using OpenSSL to process ESP packets.

Important: The AEAD algorithms are only supported on virtualized platforms. They are

In block cipher cryptography, the plaintext is broken into blocks, usually 64 or 128 bits in length. In cipher block chaining (CBC), each encrypted block is chained into the next block of plaintext to be encrypted. A randomly generated initialization vector is applied to the first block of plaintext in lieu of an encrypted block. CBC provides confidentiality, but not message integrity.

Because RFC 4307 calls for interoperability between IPSec and IKEv2, the IKEv2 confidentiality algorithms must be the same as those configured for IPsec in order for there to be an acceptable match during the IKE message exchange. In IKEv2, there is no NULL option.
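The following is an added example, not StarOS code: it parses the `encryption` keywords listed on this page into cipher, key length and ICV size, then checks the pairing rules the usage guidelines describe (AEAD entries need HMAC None, CBC gives no integrity on its own, des-cbc is weak, IKEv2 has no NULL option and must match the IPsec algorithm). The `hmac` string and the `ikev2_encryption` keyword are assumptions of the example, not StarOS syntax.

```python
# Added example (not StarOS code): derive cipher/key/ICV from the
# `encryption` keywords on this page and check the pairing rules the
# usage guidelines state.
import re

# AES-GCM keywords carry the key size and ICV (tag) length in bits.
_GCM = re.compile(r"^aes-(128|256)-gcm-(64|96|128)$")
# Non-AEAD keywords -> (cipher, key bits). 3DES is three 56-bit keys.
_CBC = {"aes-cbc-128": ("AES-CBC", 128), "aes-cbc-256": ("AES-CBC", 256),
        "3des-cbc": ("3DES-CBC", 168), "des-cbc": ("DES-CBC", 56),
        "null": ("NULL", 0)}

def parse_encryption(keyword):
    """Return dict(cipher, key_bits, icv_bits, aead) for one keyword."""
    m = _GCM.match(keyword)
    if m:
        return {"cipher": "AES-GCM", "key_bits": int(m.group(1)),
                "icv_bits": int(m.group(2)), "aead": True}
    if keyword in _CBC:
        cipher, bits = _CBC[keyword]
        return {"cipher": cipher, "key_bits": bits, "icv_bits": None,
                "aead": False}
    raise ValueError("unknown encryption keyword: %s" % keyword)

def check_transform_set(encryption, hmac, ikev2_encryption):
    """Return a list of findings; an empty list means the trio is consistent.

    hmac: integrity algorithm configured next to `encryption` ("none" when
    no HMAC is set). ikev2_encryption: the IKEv2 confidentiality keyword.
    Both inputs are assumptions of this example, not StarOS syntax.
    """
    esp = parse_encryption(encryption)
    findings = []
    if esp["aead"] and hmac.lower() != "none":
        findings.append("%s is AEAD and already authenticates; HMAC must be None" % encryption)
    if not esp["aead"] and esp["cipher"] != "NULL" and hmac.lower() == "none":
        findings.append("%s is CBC: confidentiality only, no integrity; pair it with an HMAC" % encryption)
    if esp["cipher"] == "DES-CBC":
        findings.append("des-cbc uses a 56-bit key and is relatively insecure")
    if ikev2_encryption == "null":
        findings.append("IKEv2 has no NULL option")
    if esp["cipher"] != "NULL" and ikev2_encryption != encryption:
        findings.append("IKEv2 %s does not match IPsec %s; IKE exchange will not agree"
                        % (ikev2_encryption, encryption))
    return findings
```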

### Example

`default encryption`