esp authentication-algorithm
Syntax
In non-FIPS mode:
esp authentication-algorithm { md5 | sha1 }
undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm sha1
undo esp authentication-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
md5: Uses the MD5 algorithm, which uses a 128-bit key. FIPS mode does not support MD5.
sha1: Uses the SHA1 algorithm, which uses a 160-bit key.
Description
Use the esp authentication-algorithm command to specify an authentication algorithm for ESP.
Use the undo esp authentication-algorithm command to configure ESP not to perform authentication on packets.
By default, MD5 is used in non-FIPS mode and SHA-1 is used in FIPS mode.
Compared with SHA-1, MD5 is faster but less secure. MD5 is sufficient for most networks. To deploy a highly secure network, use SHA-1.
ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. In FIPS mode, you must use both ESP authentication and encryption.
For ESP, you must specify an encryption algorithm, an authentication algorithm, or both. The undo esp authentication-algorithm command takes effect only if an encryption algorithm has been specified for ESP.
Related commands: ipsec proposal, esp encryption-algorithm, proposal, and transform.
Examples
# Configure IPsec proposal prop1 to use ESP and specify SHA1 as the authentication algorithm for ESP.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform esp
[Sysname-ipsec-proposal-prop1] esp authentication-algorithm sha1
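As an added example (not HP/H3C code), the following Python script audits proposal blocks written in the form of the configuration above, without the CLI prompts, against the ESP rules stated in the description: at least one of encryption or authentication must be set, the undo command has no effect without an encryption algorithm, and FIPS mode requires both encryption and sha1. The sample configuration is constructed, the `aes-cbc-128` keyword is an assumed value for esp encryption-algorithm, and an unspecified encryption algorithm is treated as absent (no platform default is assumed).

```python
# Added example (not HP/H3C code): audits Comware-style IPsec proposal text against
# the ESP rules in this description. Config is constructed; "aes-cbc-128" is assumed.
import re
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
ipsec proposal prop1
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
ipsec proposal prop2
 esp authentication-algorithm md5
ipsec proposal prop3
 undo esp authentication-algorithm
"""

def parse_proposals(config: str, fips: bool) -> Dict[str, Dict[str, Optional[str]]]:
    """auth starts at the documented default (md5 non-FIPS, sha1 FIPS) and becomes
    None after undo; enc stays None unless set (assumed: no platform default)."""
    proposals: Dict[str, Dict[str, Optional[str]]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := re.fullmatch(r"ipsec proposal (\S+)", line)):
            current = {"auth": "sha1" if fips else "md5", "enc": None}
            proposals[m.group(1)] = current
        elif current is None:
            continue
        elif line == "undo esp authentication-algorithm":
            current["auth"] = None
        elif (m := re.fullmatch(r"esp authentication-algorithm (\S+)", line)):
            current["auth"] = m.group(1)
        elif (m := re.fullmatch(r"esp encryption-algorithm (\S+)", line)):
            current["enc"] = m.group(1)
    return proposals

def audit(config: str, fips: bool = False) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {}  # proposal name -> finding codes ([] = compliant)
    for name, p in parse_proposals(config, fips).items():
        issues = []
        if p["auth"] is None and p["enc"] is None:
            issues.append("NO_AUTH_NO_ENC")  # ESP needs enc, auth or both; undo ineffective
        if fips:
            if p["auth"] != "sha1":
                issues.append("FIPS_AUTH_NOT_SHA1")  # FIPS mode permits only sha1
            if p["enc"] is None:
                issues.append("FIPS_NO_ENC")  # FIPS mode requires encryption as well
        elif p["auth"] == "md5":
            issues.append("WEAK_MD5")  # documented as faster but less secure
        findings[name] = issues
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports prop2 for MD5 and prop3 for having neither algorithm; `audit(SAMPLE_CONFIG, fips=True)` additionally flags every proposal that lacks encryption or does not use sha1.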