esp authentication-algorithm

Function

The esp authentication-algorithm command configures the authentication algorithm for Encapsulating Security Payload (ESP).

The undo esp authentication-algorithm command cancels the ESP authentication algorithm and applies NULL authentication, so ESP does not authenticate packets. This configuration is insecure.

By default, the authentication algorithm for ESP is SHA2-256.

Format

esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

undo esp authentication-algorithm

Parameters

Parameter   Description                                                                  Value
md5         Indicates that the MD5 authentication algorithm is used for ESP.            -
            To ensure high security, do not use the MD5 algorithm as the ESP
            authentication algorithm.
sha1        Indicates that the Secure Hash Algorithm-1 (SHA-1) authentication           -
            algorithm is used for ESP.
            To ensure high security, do not use the SHA-1 algorithm as the ESP
            authentication algorithm.
sha2-256    Indicates that the SHA-2 256 authentication algorithm is used for ESP.      -
sha2-384    Indicates that the SHA-2 384 authentication algorithm is used for ESP.      -
sha2-512    Indicates that the SHA-2 512 authentication algorithm is used for ESP.      -

Views

IPsec proposal view

Default Level

2: Configuration level

Task Name and Operations

Task Name   Operations
ipsec       write

Usage Guidelines

Usage Scenario

IPsec can use Authentication Header (AH) or ESP to authenticate protocol packets, preventing protocol packets from being intercepted or modified. When ESP is used, the authentication and encryption algorithms must be configured. You can run the transform command to configure AH or ESP. When ESP is used, you can run the esp authentication-algorithm command to specify an authentication algorithm for ESP.

MD5 is faster than SHA, but is less secure.

The undo esp authentication-algorithm command functions differently from the undo ah authentication-algorithm command. The undo esp authentication-algorithm command configures ESP not to authenticate protocol packets, whereas the undo ah authentication-algorithm command restores the default authentication algorithm for AH.

Prerequisites

IPsec ensures security using AH or ESP. An authentication algorithm can be configured only after AH or ESP is specified. Therefore, you can configure an ESP authentication algorithm only after running the transform command to specify ESP.

Precautions

The encryption algorithm and authentication algorithm cannot be both set to NULL for ESP.

The authentication algorithms on both IPsec peers must be identical.
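As an added check (not Huawei's own tooling or code from this page), the following Python audits ipsec proposal blocks in CLI-style configuration text against the prerequisite and precautions above: an ESP authentication algorithm set without transform esp, NULL authentication combined with NULL encryption, a weak MD5/SHA-1 choice, and peers whose algorithms differ. The undo esp encryption-algorithm line, the ah-esp transform keyword and the sample configurations are assumptions constructed for this example.

```python
import re

WEAK_AUTH = {"md5", "sha1"}   # page: do not use these as the ESP authentication algorithm
DEFAULT_AUTH = "sha2-256"     # page: default ESP authentication algorithm

def parse_proposals(text):
    # Return {proposal name: state} from 'ipsec proposal' blocks in CLI-style text.
    proposals, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"ipsec proposal (\S+)$", line)
        if m:
            cur = proposals.setdefault(m.group(1), {"transform": None,
                  "esp_auth": DEFAULT_AUTH, "esp_enc": "default", "explicit": False})
        elif cur is None:
            continue
        elif line.startswith("transform "):
            cur["transform"] = line.split()[1]
        elif line == "undo esp authentication-algorithm":   # page: undo applies NULL auth
            cur["esp_auth"], cur["explicit"] = "null", True
        elif line.startswith("esp authentication-algorithm "):
            cur["esp_auth"], cur["explicit"] = line.split()[-1], True
        elif line == "undo esp encryption-algorithm":       # assumed name for NULL encryption
            cur["esp_enc"] = "null"
    return proposals

def audit(proposals):
    # Findings (proposal, message) for the prerequisite and precautions on the page.
    out = []
    for name, p in sorted(proposals.items()):
        if p["explicit"] and p["transform"] not in ("esp", "ah-esp"):
            out.append((name, "esp authentication-algorithm needs 'transform esp' first"))
        if p["esp_auth"] == "null" and p["esp_enc"] == "null":
            out.append((name, "ESP encryption and authentication cannot both be NULL"))
        if p["esp_auth"] in WEAK_AUTH:
            out.append((name, "weak ESP authentication algorithm " + p["esp_auth"]))
    return out

def peers_match(local, remote, name):
    # page: the authentication algorithms on both IPsec peers must be identical
    return local[name]["esp_auth"] == remote[name]["esp_auth"]

# Constructed sample configurations for two peers (not taken from a real device).
LOCAL = """ipsec proposal prop1
 transform esp
 esp authentication-algorithm sha2-256
ipsec proposal broken
 transform esp
 undo esp authentication-algorithm
 undo esp encryption-algorithm
"""
REMOTE = LOCAL.replace("sha2-256", "sha2-512")   # remote peer differs on prop1
```

Running audit(parse_proposals(LOCAL)) flags only the broken proposal, and peers_match(...) on prop1 returns False because the two peers disagree on the algorithm.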

Example

# Set the authentication algorithm to SHA-2 256 for ESP.
<HUAWEI> system-view
[~HUAWEI] ipsec proposal prop1
[*HUAWEI-ipsec-proposal-prop1] transform esp
[*HUAWEI-ipsec-proposal-prop1] esp authentication-algorithm sha2-256
Copyright © Huawei Technologies Co., Ltd.