Related commands
ipsec transform-set
esp authentication-algorithm
Use esp authentication-algorithm to specify an authentication algorithm for ESP.
Use undo esp authentication-algorithm to remove all authentication algorithms specified for ESP.
Syntax
In non-FIPS mode:
esp authentication-algorithm { md5 | sha1 } *
undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm sha1
undo esp authentication-algorithm
Default
ESP does not use any authentication algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key.
Usage guidelines
You can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm
specified earlier has a higher priority.
• For a manual IPsec policy, the first specified ESP authentication algorithm takes effect. To make sure
an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the
tunnel must have the same first ESP authentication algorithm.
• For an IKE-based IPsec policy, the initiator sends all ESP authentication algorithms specified in the
IPsec transform set to the peer end during the negotiation phase, and the responder matches the
received algorithms against its local algorithms starting from the first one until a match is found. To
ensure a successful IKE negotiation, the IPsec transform sets specified at both ends of the tunnel must
have at least one same ESP authentication algorithm.
In FIPS mode, you can configure only one ESP authentication algorithm for an IPsec transform set.
333
To Next Page
Loading...
Need help?
General
