The ah authentication-algorithm command configures the AH authentication algorithm.
The undo ah authentication-algorithm command restores the default AH authentication algorithm.
By default, the AH authentication algorithm is SHA2-256.
ah authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 | sm3 } *
undo ah authentication-algorithm
| Parameter | Description | Value |
|---|---|---|
| md5 | Uses the message digest algorithm 5 (MD5) authentication algorithm. | - |
| sha1 | Uses the Secure Hash Algorithm 1 (SHA-1) authentication algorithm. | - |
| sha2-256 | Uses the SHA2-256 authentication algorithm. | - |
| sha2-384 | Uses the SHA2-384 authentication algorithm. | - |
| sha2-512 | Uses the SHA2-512 authentication algorithm. | - |
| sm3 | Uses the SM3 authentication algorithm. | - |
Usage Scenario
The AH protocol only authenticates packets; it does not encrypt them.
To improve the IKE negotiation success rate, the device supports multiple authentication algorithms. During IKE negotiation, the system tries the algorithms in descending order of security level. Authentication algorithms that can be used in an IPSec proposal include the following (listed in descending order of security level): sm3 > sha2-512 > sha2-384 > sha2-256 > sha1 > md5.
Prerequisites
ah or ah-esp has been specified in the transform command.
Precautions
Both ends of an IPSec tunnel must use the same authentication algorithm.
SM3 can meet high confidentiality and security requirements, but it takes a comparatively long time to process. The sha2-256, sha2-384, and sha2-512 authentication algorithms are recommended for security purposes. md5 and sha1 are not recommended. By default, the device does not support the md5 and sha1 algorithms. To use these algorithms, install the weak security algorithm component package (product_version_WEAKEA.mod). For details, see Dynamic Loading.
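An added example (not Huawei's code) that audits two endpoints' proposals against the rules above: the ah/ah-esp prerequisite, the SHA2-256 default, the md5/sha1 entries that are not recommended, and the strongest algorithm both ends offer. The `ipsec proposal` section header, the proposal names and both sample configurations are constructed, and picking the strongest common algorithm is an assumed model of the negotiation order described under Usage Scenario.

```python
import re

# Descending security level, as listed on this page.
ORDER = ["sm3", "sha2-512", "sha2-384", "sha2-256", "sha1", "md5"]
WEAK = {"md5", "sha1"}   # not recommended; need the weak-algorithm package
DEFAULT = ["sha2-256"]   # device default when the command is not configured

def parse_proposals(config):
    """Map proposal name -> {'transform': str|None, 'algs': list|None}."""
    proposals, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ipsec proposal (\S+)", line):
            cur = proposals.setdefault(m.group(1), {"transform": None, "algs": None})
        elif line in ("", "#"):
            cur = None  # end of the proposal section
        elif cur is not None and (m := re.fullmatch(r"transform (\S+)", line)):
            cur["transform"] = m.group(1)
        elif cur is not None and (m := re.fullmatch(r"ah authentication-algorithm (.+)", line)):
            cur["algs"] = m.group(1).split()
    return proposals

def effective_algs(p):
    """AH algorithms a proposal offers, strongest first; [] if AH is not in use."""
    if p["transform"] not in ("ah", "ah-esp"):
        return []
    return sorted(p["algs"] or DEFAULT, key=ORDER.index)

def audit(name, p):
    """Findings for one proposal: unmet prerequisite and weak algorithms."""
    findings = []
    if p["algs"] and p["transform"] not in ("ah", "ah-esp"):
        findings.append(f"{name}: AH algorithm set but transform is not ah/ah-esp")
    findings += [f"{name}: weak algorithm {a}" for a in effective_algs(p) if a in WEAK]
    return findings

def common_alg(local, peer):
    """Strongest algorithm offered by both ends, or None (no match possible)."""
    return next((a for a in effective_algs(local) if a in effective_algs(peer)), None)

# Constructed sample configurations for the two tunnel endpoints.
SITE_A = "ipsec proposal branch\n transform ah\n ah authentication-algorithm sha1 sha2-512\n#\n"
SITE_B = "ipsec proposal hq\n transform ah-esp\n ah authentication-algorithm sha2-256 sha1\n#\n"
```

With these samples both ends list sha1 as a fallback, so `common_alg` returns sha1 even though each end also offers a SHA-2 algorithm. Dropping the weak entries from both proposals turns that silent match on sha1 into a visible mismatch that has to be fixed with a shared SHA-2 or SM3 setting.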