Configure an ESP group on WEST
Encapsulated Security Payload (ESP) is the IPsec protocol that protects IP packets: it authenticates them (origin and integrity) and also encrypts their payload.
For each session, ESP uses a unique identifier called the Security Parameter Index (SPI) to distinguish the connection. It also starts a numbering sequence for the packets and negotiates the hashing algorithm that authenticates them.
The vRouter allows you to pre-define multiple ESP configurations. Each configuration is known as an ESP group. An ESP group includes the Phase 2 proposals, which contain the parameters that are needed to negotiate an IPsec security association:
- Cipher to encrypt user data across the IPsec tunnel
- Hashing function to authenticate packets in the IPsec tunnel
- Lifetime of the IPsec security association
This task creates ESP group ESP-1W on vRouter WEST. This ESP group contains two proposals:
- Proposal 1 uses AES-256 as the encryption cipher and SHA-1 as the hash algorithm
- Proposal 2 uses Triple-DES as the encryption cipher and MD5 as the hash algorithm
The lifetime of a proposal from this ESP group is set to 1800 seconds.
To create this ESP group, perform the following steps on WEST in configuration mode.
| Step | Command |
|---|---|
| Create the configuration node for proposal 1 of ESP group ESP-1W. | |
| Set the encryption cipher for proposal 1. | |
| Set the hash algorithm for proposal 1. | |
| Set the encryption cipher for proposal 2. This also creates the configuration node for proposal 2 of ESP group ESP-1W. | |
| Set the hash algorithm for proposal 2. | |
| Set the lifetime for the whole ESP group. | |
| View the configuration for the ESP group. Don't commit yet. | |
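The following session carries the steps above through as one sequence. It is an added example, not the page's own command table: it assumes the Vyatta-family `set security vpn ipsec esp-group` configuration syntax and a configuration-mode prompt of `vyatta@WEST#`; the keyword values `aes256`, `sha1`, `3des` and `md5` are the assumed spellings of the ciphers and hashes named in the task.

```text
vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 1 encryption aes256
vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 1 hash sha1
vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 2 encryption 3des
vyatta@WEST# set security vpn ipsec esp-group ESP-1W proposal 2 hash md5
vyatta@WEST# set security vpn ipsec esp-group ESP-1W lifetime 1800
vyatta@WEST# show security vpn ipsec esp-group ESP-1W
```

The first `set` for each proposal number creates that proposal's configuration node, so no separate "create" command is needed. The `show` command displays the uncommitted candidate configuration; nothing takes effect until `commit` is issued in a later task. Note that proposal 2 pairs Triple-DES with MD5, both of which are legacy algorithms kept here only for compatibility with older peers; when the peer supports it, proposal 1 (AES-256) is the one that should be negotiated, and Phase 2 proposals are tried in the order the two sides agree on, so keep the stronger proposal first.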