Configures the appropriate
encryption algorithm and encryption key length for the IKEv2 IKE
security association. AES-CBC-128 is the default.
Privilege
Security Administrator,
Administrator
Mode
Exec > Global Configuration
> Context Configuration > IKEv2 Security Association Configuration
configure > context context_name > ikev2-ikesa transform-set set_name
Entering the above
command sequence results in the following prompt:
[context_name]host_name(cfg-ctx-ikev2ikesa-tran-set)#
Syntax
encryption { 3des-cbc | aes-cbc-128 | aes-cbc-256 | des-cbc | null }
default encryption
3des-cbc
Data Encryption Standard
Cipher Block Chaining encryption applied to the message three times
using three different cypher keys (triple DES).
aes-cbc-128
Advanced Encryption
Standard Cipher Block Chaining with a key length of 128 bits.
aes-cbc-256
Advanced Encryption
Standard Cipher Block Chaining with a key length of 256 bits.
des-cbc
Data Encryption Standard
Cipher Block Chaining. Encryption using a 56-bit key size. Relatively
insecure.
null
Configures no IKEv2
IKE Security Association Encryption Algorithm. All IKEv2 IPsec Child
Security Association protected traffic will be sent in the clear.
Note |
USE OF THIS ALGORITHM
FOR IKE_SA ENCRYPTION IS A VIOLATION OF RFC 4306. THIS
ALGORITHM SHOULD ONLY BE USED FOR TESTING PURPOSES.
|
Usage Guidelines
IKEv2 requires a confidentiality
algorithm to be applied in order to work.
In cipher block cryptography,
the plaintext is broken into blocks usually of 64 or 128 bits in
length. In cipher block chaining (CBC) each encrypted block is chained
into the next block of plaintext to be encrypted. A randomly-generated
vector is applied to the first block of plaintext in lieu of an
encrypted block. CBC provides confidentiality, but not message integrity.
Because RFC 4307 calls
for interoperability between IPSec and IKEv2, the IKEv2 confidentiality
algorithms must be the same as those configured for IPSec in order
for there to be an acceptable match during the IKE message exchange.
Because of RFC4307, in IKEv2, there is no viable NULL option, it
is available for testing only.
Examples
The following command
configures the encryption to be aes-cbc-128:encryption aes-cbc-128