Warning

If you are operating in the FIPS-140-3 mode, refer to FIPS Mode Security Restrictions to see the complete list of restrictions applicable for the upgrade from any pre-10.1.3 SBC version.

This profile specifies an encryption cipher, the maximum time a security association between the peers is maintained (the SA "lifetime"), and an anti-replay policy. The three profiles are prioritized from one to three for use with the SPD entry.

Command Syntax

% set profiles security ipsecProtectionProfile <profile name> 
	espAlgorithms 
		encryption <_3DesCbc | aesCbc128 | null> 
		integrity <hmacMd5 | hmacSha1> 
	saLifetimeByte <10000-4294967295 (in bytes), or unlimited> 
	saLifetimeTime <1200-1000000 (in seconds)>   
% show profiles security ipsecProtectionProfile <profile name> 
	displaylevel <displaylevel> 
	espAlgorithms 
		encryption 
		integrity 
	saLifetimeByte 
	saLifetimeTime   
% delete profiles security ipsecProtectionProfile <profile name> 

Command Parameters

The IPsec Protection Profile Parameters are as shown below:

Parameter (Length/Range): Description

ipsecProtectionProfile (1-23):
  The name of the IPsec Protection Profile. This profile establishes the encryption algorithm, the maximum SA lifetime, and the replay rules for an SPD entry. The SBC uses these properties when it forms an IPsec Security Association with a peer.

espAlgorithms (N/A):
  The ESP protocol cipher configuration of the IPsec Protection Profile.
  • encryption – The IPsec Protection Profile Encryption Cipher.
    • _3DesCbc
    • aesCbc128 (default)
    • null
  • integrity – The IPsec Protection Profile Integrity Cipher.
    • hmacMd5
    • hmacSha1 (default)

  Note: _3DesCbc and hmacMd5 are not supported when FIPS-140-3 mode is enabled.

saLifetimeByte (10000-4294967295):
  The SA Lifetime setting, in bytes. (default = unlimited)

saLifetimeTime (1200-1000000):
  The SA Lifetime setting, in seconds. This is the maximum interval that any one Security Association is maintained before possible re-keying. This parameter applies to the IKE SA when it appears in the IKE Protection Profile and to the IPsec SA when it appears in the IPsec Protection Profile. (default = 28800, which corresponds to 8 hours)

displaylevel (1-64):
  The level of detail shown in the output of show commands.

Command Example

% show profiles security ipsecProtectionProfile 
 AesSha1IpsecProfile 
	{ 
	saLifetimeTime 28800; 
	saLifetimeByte unlimited; 
	espAlgorithms 
	{ 
		encryption null,_3DesCbc,aesCbc128; 
		integrity hmacSha1; 
	} 
	}
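As an added illustration, not Ribbon's code and not part of this page, the following Python script parses a show output block in the format above and checks the result against the ranges and cipher names in the parameter table, including the FIPS-140-3 note. The two sample profiles (a copy of the page's output and a constructed "WeakProfile") and the extra warning about the null encryption cipher are assumptions made for this example; the parser only understands the single-profile layout shown on this page.

```python
import re

# Constraints taken from the parameter table on this page.
ENCRYPTION_CIPHERS = {"_3DesCbc", "aesCbc128", "null"}
INTEGRITY_CIPHERS = {"hmacMd5", "hmacSha1"}
FIPS_DISALLOWED = {"_3DesCbc", "hmacMd5"}       # per the table's FIPS-140-3 note
SA_LIFETIME_BYTE_RANGE = (10000, 4294967295)    # or "unlimited"
SA_LIFETIME_TIME_RANGE = (1200, 1000000)        # seconds

# Constructed copy of the page's "show" output, used as sample input.
SAMPLE_PAGE_PROFILE = """\
% show profiles security ipsecProtectionProfile
 AesSha1IpsecProfile
    {
    saLifetimeTime 28800;
    saLifetimeByte unlimited;
    espAlgorithms
    {
        encryption null,_3DesCbc,aesCbc128;
        integrity hmacSha1;
    }
    }
"""

# Constructed profile with out-of-range lifetimes and a FIPS-disallowed integrity cipher.
SAMPLE_BAD_PROFILE = """\
 WeakProfile
    {
    saLifetimeTime 600;
    saLifetimeByte 5000;
    espAlgorithms
    {
        encryption aesCbc128;
        integrity hmacMd5;
    }
    }
"""

LEAF_RE = re.compile(r"^(\w+)\s+(.+?)\s*;$")   # "key value;" lines


def parse_profile(text):
    """Parse one ipsecProtectionProfile block into (name, dict).

    Cipher values under espAlgorithms become lists (the CLI prints them
    comma-separated); the lifetime values stay as the strings the CLI printed.
    """
    name, in_esp = None, False
    profile = {"espAlgorithms": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%") or line == "{":
            continue
        if line == "}":
            in_esp = False          # closes espAlgorithms or the outer block
            continue
        if name is None:
            name = line             # first bare line is the profile name
            continue
        if line == "espAlgorithms":
            in_esp = True
            continue
        m = LEAF_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {raw!r}")
        key, value = m.groups()
        if in_esp:
            profile["espAlgorithms"][key] = [v.strip() for v in value.split(",")]
        else:
            profile[key] = value
    if name is None:
        raise ValueError("no profile name found")
    return name, profile


def _in_range(value, lo, hi):
    return value.isdigit() and lo <= int(value) <= hi


def validate_profile(profile, fips_mode=False):
    """Return findings ('error: ...' / 'warning: ...') for a parsed profile."""
    findings = []
    esp = profile.get("espAlgorithms", {})
    enc = esp.get("encryption", ["aesCbc128"])   # table defaults
    integ = esp.get("integrity", ["hmacSha1"])
    for cipher in enc:
        if cipher not in ENCRYPTION_CIPHERS:
            findings.append(f"error: unknown encryption cipher {cipher}")
    for cipher in integ:
        if cipher not in INTEGRITY_CIPHERS:
            findings.append(f"error: unknown integrity cipher {cipher}")
    if fips_mode:
        for cipher in sorted(FIPS_DISALLOWED & (set(enc) | set(integ))):
            findings.append(f"error: {cipher} is not supported when FIPS-140-3 mode is enabled")
    if "null" in enc:
        # Check added for this example: null is a valid table value but gives ESP no confidentiality.
        findings.append("warning: null encryption is offered, so ESP traffic may be sent unencrypted")
    lifetime = profile.get("saLifetimeTime", "28800")
    lo, hi = SA_LIFETIME_TIME_RANGE
    if not _in_range(lifetime, lo, hi):
        findings.append(f"error: saLifetimeTime {lifetime} outside {lo}-{hi} seconds")
    byte_limit = profile.get("saLifetimeByte", "unlimited")
    lo, hi = SA_LIFETIME_BYTE_RANGE
    if byte_limit != "unlimited" and not _in_range(byte_limit, lo, hi):
        findings.append(f"error: saLifetimeByte {byte_limit} outside {lo}-{hi} bytes or 'unlimited'")
    return findings


def audit(text, fips_mode=False):
    """Parse and validate one profile; returns (name, findings)."""
    name, profile = parse_profile(text)
    return name, validate_profile(profile, fips_mode)


if __name__ == "__main__":
    for sample in (SAMPLE_PAGE_PROFILE, SAMPLE_BAD_PROFILE):
        for fips in (False, True):
            name, findings = audit(sample, fips)
            print(f"{name} (fips={fips}): {findings or ['ok']}")
```

Run with the page's own output and the script reports only the null-encryption warning; with fips_mode=True it additionally flags _3DesCbc, which matches the restriction stated in the table's note. The constructed WeakProfile shows how the range checks on saLifetimeTime and saLifetimeByte surface values the CLI would reject.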