Cisco Packet Data Gateway (PDG) Troubleshooting Guide
IPSec Transform Set Configuration Mode Commands
Cisco ASR 5000 Series Command Line Interface Reference
OL-22947-02
encryption
Configures the appropriate IPsec ESP encryption algorithm and encryption key length. AES-CBC-128 is the default.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
Data Encryption Standard Cipher Block Chaining encryption applied to the message three times using three
different cypher keys (triple DES).
Advanced Encryption Standard Cipher Block Chaining with a key length of 128 bits. This is the default
setting for this command.
Advanced Encryption Standard Cipher Block Chaining with a key length of 256 bits.
Data Encryption Standard Cipher Block Chaining. Encryption using a 56-bit key size. Relatively insecure.
The NULL encryption algorithm makes the use of encryption within ESP optional. ESP can then
be used to provide authentication and integrity without confidentiality.
Usage
In cipher block cryptography, the plaintext is broken into blocks usually of 64 or 128 bits in length. In cipher
block chaining (CBC) each encrypted block is chained into the next block of plaintext to be encrypted. A
randomly generated vector is applied to the first block of plaintext in lieu of an encrypted block. CBC
provides confidentiality, but not message integrity.
Because RFC 4307 calls for interoperability between IPsec and IKEv2, the IKEv2 confidentiality algorithms
must be the same as those configured for IPsec in order for there to be an acceptable match during the IKE
message exchange. In IKEv2, there is no NULL option.
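
The CBC behaviour described under Usage, as an added Python example that is not part of the Cisco reference: it chains blocks starting from a random vector and shows that a ciphertext changed in transit still decrypts without error, which is why ESP pairs CBC with an integrity check. The `toy_block` Feistel cipher is a hypothetical stand-in for AES (not secure), padding is omitted, and HMAC-SHA-256 over the vector and ciphertext is an assumed integrity algorithm.

```python
import hashlib, hmac, os

BLOCK = 16  # bytes; same block size as AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """4-round Feistel permutation standing in for AES (illustration only, not secure)."""
    l, r = block[:8], block[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:8]
        l, r = r, _xor(l, f)
    return r + l  # final swap: decryption is the same loop with rounds reversed

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    if len(pt) % BLOCK:
        raise ValueError("plaintext must be a multiple of the block size (padding omitted)")
    prev, out = iv, b""
    for i in range(0, len(pt), BLOCK):
        # each plaintext block is XORed with the previous ciphertext block (the vector for the first)
        prev = toy_block(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(toy_block(key, blk, decrypt=True), prev)
        prev = blk
    return out

def tag(mac_key: bytes, iv: bytes, ct: bytes) -> bytes:
    # integrity value computed over vector and ciphertext (encrypt-then-MAC; assumed algorithm)
    return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def demo() -> dict:
    enc_key, mac_key, iv = os.urandom(16), os.urandom(32), os.urandom(BLOCK)
    pt = b"SAME-BLOCK-16-B!" * 2 + b"last block here."  # constructed sample, 3 blocks
    ct = cbc_encrypt(enc_key, iv, pt)
    icv = tag(mac_key, iv, ct)
    damaged = bytes([ct[0] ^ 0x01]) + ct[1:]  # one bit changed in transit
    return {
        "roundtrip_ok": cbc_decrypt(enc_key, iv, ct) == pt,
        "equal_plaintext_blocks_differ": ct[:BLOCK] != ct[BLOCK:2 * BLOCK],
        "silent_plaintext_change": cbc_decrypt(enc_key, iv, damaged) != pt,
        "mac_detects_change": not hmac.compare_digest(icv, tag(mac_key, iv, damaged)),
    }

if __name__ == "__main__":
    print(demo())
```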
Example
The following command configures the encryption to be the default aes-cbc-128: