Configuring an IPsec proposal

IPsec proposal configuration sets encryption parameters for IPsec. An IPsec proposal is activated by attaching it to an IPsec profile.

When IPsec is initialized, a default IPsec proposal (def-ipsec-prop) is created with the following settings:
  • Transform type: ESP
  • Encapsulation mode: Tunnel
  • Encryption algorithm: AES-GCM-256 (Both authentication and encryption are performed by this algorithm.)
  • Extended sequence numbers: Disabled
When the default proposal is not acceptable, perform the following task to configure an IPsec proposal.
  1. From privileged EXEC mode, enter global configuration mode.
    
    device# configure terminal
    
  2. Create an IPsec proposal and enter configuration mode for the proposal.
    
    device(config)# ipsec proposal prop_blue
    
  3. (Optional) Specify the encapsulation mode for the proposal.
    Note: By default, the encapsulation mode is set to tunnel. Because tunnel is the only mode currently available, this step is not required.
    
    device(config-ipsec-proposal-prop_blue)# encapsulation-mode tunnel
    
  4. (Optional) Specify the transform type for the proposal.
    Note: By default, the transform type is set to ESP. Because ESP is the only transform type currently available, this step is not required.
    
    device(config-ipsec-proposal-prop_blue)# transform esp
    
  5. Specify an encryption algorithm for the proposal.
    
    device(config-ipsec-proposal-prop_blue)# encryption-algorithm aes-gcm-128
    
    This step adds the AES-GCM-128 algorithm to the encryption algorithms configured for prop_blue. Because the AES-GCM-256 algorithm is configured by default, after executing this step both the AES-GCM-256 and AES-GCM-128 algorithms are configured for prop_blue. Configuration of multiple encryption algorithms is allowed.

    When you want to configure only the AES-CBC-128 algorithm for the proposal, you must first add the AES-CBC-128 algorithm and then remove the default algorithm (AES-GCM-256) by using the no encryption-algorithm aes-gcm-256 command.

    For an IPsec tunnel to come up successfully, IPsec peer devices must be configured with a common encryption algorithm.

  6. (Optional) Enable extended sequence number (ESN) as needed.
    Note: ESN is disabled by default. ESN must be enabled for use with replay protection. Replay protection is configured as part of the IPsec profile.

    Replay protection prevents replay attacks by assigning a 64-bit sequence number to each encrypted packet. Processed packets are tracked by their sequence number at the receiving IPsec endpoint and verified against a sliding window of valid sequence numbers.

    Note: Clear IPsec security associations (SAs) for extended sequence numbering to go into effect.
    
    device(config-ipsec-proposal-prop_blue)# esn-enable
    
  7. Return to privileged EXEC mode.
    
    device(config-ipsec-proposal-prop_blue)# end
    
  8. Verify the IPsec proposal configuration.
    
    device# show ipsec proposal prop_blue
    
    =========================================================================
    Name                : prop_blue
    Protocol            : ESP
    Encryption          : aes-gcm-256,aes-gcm-128
    Authentication      : NULL
    ESN                 : Enable
    Mode                : Tunnel
    Ref Count           : 0
    

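The following script is an added example, not part of the product documentation. It models the receiver-side mechanism that step 6 describes: each ESP packet carries a sequence number, the receiving endpoint tracks accepted numbers in a sliding window and rejects anything already seen or older than the window, and with ESN the 64-bit number is reconstructed from the 32 low-order bits that travel on the wire (the scheme in RFC 4303, Appendix A). The window width of 64 packets and the packet sequences are constructed for illustration; the vendor's actual window size is not stated on this page.

```python
"""Anti-replay sliding window with extended sequence numbers (ESN).

Added example; it is not the vendor's implementation. The window width and
all sequence numbers below are constructed for illustration.
"""

from dataclasses import dataclass

MASK32 = (1 << 32) - 1


@dataclass
class ReplayWindow:
    size: int = 64      # assumed window width in packets
    top: int = 0        # highest accepted 64-bit sequence number (0 = none yet)
    bitmap: int = 0     # bit i set => sequence number (top - i) was already accepted

    def reconstruct_esn(self, seq_lo: int) -> int:
        """Infer the full 64-bit sequence number from the 32 bits on the wire."""
        top_hi, top_lo = self.top >> 32, self.top & MASK32
        bottom_lo = (top_lo - self.size + 1) & MASK32
        if top_lo >= self.size - 1:
            # Window lies within one 2^32 span: a low part below the window
            # bottom can only be a packet from the next span.
            seq_hi = top_hi if seq_lo >= bottom_lo else top_hi + 1
        else:
            # Window straddles a 32-bit wrap: large low parts belong to the
            # previous span, small ones to the current span.
            seq_hi = top_hi - 1 if seq_lo >= bottom_lo else top_hi
        return (seq_hi << 32) | seq_lo

    def check(self, seq: int) -> tuple[bool, str]:
        """Accept or reject a 64-bit sequence number and update the window."""
        if seq == 0:
            return False, "rejected: sequence number 0 is never valid"
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1      # everything seen so far fell out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True, "accepted: window advanced"
        offset = self.top - seq
        if offset >= self.size:
            return False, "rejected: older than the window"
        if self.bitmap & (1 << offset):
            return False, "rejected: replay"
        self.bitmap |= 1 << offset
        return True, "accepted: inside window"

    def receive(self, seq_lo: int) -> tuple[int, str]:
        """Process a packet as it arrives: 32-bit wire value -> 64-bit check."""
        seq = self.reconstruct_esn(seq_lo)
        return seq, self.check(seq)[1]


def run_sequence(seqs, size=64):
    """Feed constructed 64-bit sequence numbers through one window."""
    win = ReplayWindow(size=size)
    return [(s, win.check(s)[1]) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order packets, a replay of 2, a jump to 100,
    # a late packet inside the window (40), two that are too old (35, 36).
    for seq, verdict in run_sequence([1, 2, 3, 2, 100, 40, 35, 36, 500]):
        print(f"seq {seq:>4}: {verdict}")
    # ESN: the receiver is just below a 32-bit wrap; the wire carries only 5.
    win = ReplayWindow(top=(1 << 32) - 10, bitmap=1)
    print(win.receive(5))               # reconstructed as 2^32 + 5, accepted
    print(win.receive(MASK32 - 4))      # 2^32 - 5: late but inside the window
    print(win.receive(MASK32 - 4))      # same packet again: replay
```

The reconstruction step is why the documentation requires clearing the security associations before ESN takes effect: sender and receiver must agree on the high-order 32 bits from the first packet of an SA, and an SA established without ESN has no such state to carry forward.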
The following example creates and configures an IPsec proposal named prop_blue.

device# configure terminal
device(config)# ipsec proposal prop_blue
device(config-ipsec-proposal-prop_blue)# encapsulation-mode tunnel
device(config-ipsec-proposal-prop_blue)# transform esp
device(config-ipsec-proposal-prop_blue)# encryption-algorithm aes-gcm-128
device(config-ipsec-proposal-prop_blue)# esn-enable
device(config-ipsec-proposal-prop_blue)# end

To use the IPsec proposal to encrypt data in an IPsec tunnel, attach it to an IPsec profile by using the proposal command in IPsec profile configuration mode.
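Step 5 notes that the tunnel only comes up when both peers share an encryption algorithm. The script below is an added example, not part of the product documentation: it parses the "show ipsec proposal" output format from step 8 for the local and the remote device and reports whether the two proposals can agree. The local output is the one shown in step 8; the remote output, its proposal name prop_remote and its algorithm list are constructed for illustration.

```python
"""Compare two peers' 'show ipsec proposal' output for a common encryption algorithm.

Added example; the remote peer's output is constructed, not captured from a device.
"""

# Local output, as shown in step 8 of the procedure.
LOCAL = """\
=========================================================================
Name                : prop_blue
Protocol            : ESP
Encryption          : aes-gcm-256,aes-gcm-128
Authentication      : NULL
ESN                 : Enable
Mode                : Tunnel
Ref Count           : 0
"""

# Constructed output for a hypothetical remote peer that kept only AES-GCM-128
# and left ESN at its default.
REMOTE = """\
=========================================================================
Name                : prop_remote
Protocol            : ESP
Encryption          : aes-gcm-128
Authentication      : NULL
ESN                 : Disable
Mode                : Tunnel
Ref Count           : 1
"""


def parse_proposal(text: str) -> dict:
    """Turn 'Key : Value' lines into a dict; Encryption becomes a list of algorithms."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("=") or ":" not in line:
            continue                      # separator line or unrelated output
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    fields["Encryption"] = [a for a in fields.get("Encryption", "").split(",") if a]
    return fields


def compare_proposals(local: dict, remote: dict) -> dict:
    """Report the shared algorithms, hard mismatches and settings worth a second look."""
    common = [a for a in local["Encryption"] if a in remote["Encryption"]]
    issues, warnings = [], []
    if not common:
        issues.append("no common encryption algorithm")
    for key in ("Protocol", "Mode"):
        if local.get(key) != remote.get(key):
            issues.append(f"{key} mismatch: {local.get(key)} vs {remote.get(key)}")
    # ESN is negotiated per SA; a one-sided setting is flagged so the operator
    # can confirm both peers offer a matching value.
    if local.get("ESN") != remote.get("ESN"):
        warnings.append(f"ESN mismatch: {local.get('ESN')} vs {remote.get('ESN')}")
    return {
        "common_encryption": common,
        "issues": issues,
        "warnings": warnings,
        "compatible": not issues,
    }


if __name__ == "__main__":
    report = compare_proposals(parse_proposal(LOCAL), parse_proposal(REMOTE))
    for key, value in report.items():
        print(f"{key:>18}: {value}")
```

With the constructed remote output the proposals agree on aes-gcm-128, so the check passes; had the remote peer removed AES-GCM-128 as well, the intersection would be empty and the report would list "no common encryption algorithm", which is the condition step 5 warns about.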