integrity-algorithm

Function

The integrity-algorithm command sets the integrity algorithm to be used in an IKE proposal.

The undo integrity-algorithm command restores the default setting.

By default, the integrity algorithm to be used in an IKE proposal is HMAC-SHA2-256.

This command is supported only on the NetEngine 8000 F1A.

Format

integrity-algorithm { aes-xcbc-96 | hmac-md5-96 | hmac-sha1-96 | hmac-sha2-256 | hmac-sha2-384 | hmac-sha2-512 }

undo integrity-algorithm

Parameters

Parameter	Description	Value
aes-xcbc-96	Indicates that the integrity algorithm is AES-XCBC-96. To improve the system security, using the AES-XCBC-96 integrity algorithm for the IKEv2 negotiation is not recommended.	-
hmac-md5-96	Indicates that the integrity algorithm is HMAC-MD5-96. To improve the system security, using the HMAC-MD5-96 integrity algorithm for the IKEv2 negotiation is not recommended.	-
hmac-sha1-96	Indicates that the integrity algorithm is HMAC-SHA1-96. To improve the system security, using the HMAC-SHA1-96 integrity algorithm for the IKEv2 negotiation is not recommended.	-
hmac-sha2-256	Indicates that the integrity algorithm is HMAC-SHA2-256.	-
hmac-sha2-384	Indicates that the integrity algorithm is HMAC-SHA2-384.	-
hmac-sha2-512	Indicates that the integrity algorithm is HMAC-SHA2-512.	-

Views

IKE proposal view

Default Level

2: Configuration level

Task Name and Operations

Task Name	Operations
ike	write

Usage Guidelines

The security of hmac-md5-96, hmac-sha1-96, aes-xcbc-96 , hmac-sha2-256, hmac-sha2-384 and hmac-sha2-512 ascends gradually, and thus the calculation time increases accordingly.

The configuration is valid only for IKEv2 protocol.

To improve the system security, using the AES-XCBC-96, HMAC-MD5-96 and HMAC-SHA1-96 integrity algorithms for the IKEv2 negotiation is not recommended.

Example

# Set the integrity algorithm to be used in IKE proposal 20 to HMAC-SHA2-256.

<HUAWEI> system-view
[~HUAWEI] ike proposal 20
[*HUAWEI-ike-proposal-20] integrity-algorithm hmac-sha2-256