The esp authentication-algorithm command configures the Encapsulating Security Payload (ESP) authentication algorithm.
The undo esp authentication-algorithm command configures ESP not to authenticate packets.
By default, the ESP authentication algorithm is Secure Hash Algorithm SHA2-256.
esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 | sm3 } *
undo esp authentication-algorithm
| Parameter | Description | Value |
|---|---|---|
| md5 | Specifies MD5 as the ESP authentication algorithm. | - |
| sha1 | Specifies SHA1 as the ESP authentication algorithm. | - |
| sha2-256 | Specifies SHA2-256 as the ESP authentication algorithm. | - |
| sha2-384 | Specifies SHA2-384 as the ESP authentication algorithm. | - |
| sha2-512 | Specifies SHA2-512 as the ESP authentication algorithm. | - |
| sm3 | Specifies SM3 as the ESP authentication algorithm. | - |
Usage Scenario
ESP can both authenticate and encrypt packets, or only authenticate them, or only encrypt them. The ESP authentication algorithm and the ESP encryption algorithm cannot both be blank at the same time.
Prerequisites
esp or ah-esp has been specified in the transform command.
Precautions
ESP authentication algorithms in the IPSec proposals referenced in the IPSec policies configured at both ends of an IPSec tunnel must be the same.
The undo esp authentication-algorithm command sets the ESP authentication algorithm to blank (no authentication). It takes effect only if an ESP authentication algorithm has already been specified.
To improve the success rate of IKE negotiation, the device can have multiple authentication algorithms configured. The algorithms are tried in descending order of security level. The following algorithms are listed in descending order of security level: sm3 > sha2-512 > sha2-384 > sha2-256 > sha1 > md5.
SM3 meets high confidentiality and security requirements, but its processing time is comparatively long.
The sha2-256, sha2-384, and sha2-512 algorithms are recommended for security purposes. The md5 and sha1 algorithms are not recommended. By default, the device does not support the md5 and sha1 algorithms. To use these algorithms, install the weak security algorithm component package (product_version_WEAKEA.mod). For details, see Dynamic Loading.
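The rules above (authentication and encryption cannot both be blank, both ends must share an algorithm, algorithms are tried from sm3 down to md5, and md5/sha1 need the weak security algorithm component package) are easy to get wrong when proposals are written by hand for two ends of a tunnel. The following is an added example, not Huawei code and not part of this reference page: a small Python model of those rules that can be run against a planned configuration before it is pushed to the devices. The functions, the `weak_package_installed` flag, and the sample `aes-256` encryption keyword are assumptions made for this example; the security ordering is the one stated on this page.

```python
# Added example (not Huawei code): a model of the ESP authentication-algorithm
# rules stated on this reference page, for checking proposals before they are
# configured at both ends of an IPsec tunnel. The real device enforces these
# rules in its own CLI; everything below is an assumption built from the text.

# Descending security order, exactly as the page lists it (highest first).
ESP_AUTH_ORDER = ["sm3", "sha2-512", "sha2-384", "sha2-256", "sha1", "md5"]

# Algorithms the page marks as not recommended and disabled by default.
WEAK_ESP_AUTH = {"md5", "sha1"}


def by_security_level(algs):
    """Deduplicate and order configured keywords from strongest to weakest,
    which is the order the page says the device tries them in negotiation.
    Unknown keywords are dropped here; proposal_errors() reports them."""
    return sorted({a for a in algs if a in ESP_AUTH_ORDER}, key=ESP_AUTH_ORDER.index)


def proposal_errors(esp_auth, esp_encrypt, weak_package_installed=False):
    """Return the list of rule violations for one IPsec proposal (empty = valid).

    esp_auth / esp_encrypt: lists of configured keywords; an empty list models
    the 'blank' state left by the undo command.
    weak_package_installed: hypothetical flag for this model, meaning the weak
    security algorithm component package from the page has been loaded."""
    errors = []
    unknown = sorted(set(esp_auth) - set(ESP_AUTH_ORDER))
    if unknown:
        errors.append("unknown ESP authentication algorithm(s): " + ", ".join(unknown))
    # Page rule: the authentication and encryption algorithms cannot both be blank.
    if not esp_auth and not esp_encrypt:
        errors.append("ESP authentication and encryption algorithms cannot both be blank")
    # Page rule: md5/sha1 are unsupported unless the weak-algorithm package is installed.
    weak = [a for a in by_security_level(esp_auth) if a in WEAK_ESP_AUTH]
    if weak and not weak_package_installed:
        errors.append(", ".join(weak) + ": requires the weak security algorithm component package")
    return errors


def undo_esp_authentication(esp_auth):
    """Model the undo command: returns (new_auth_list, took_effect).
    Per the page it only takes effect when an algorithm has been specified."""
    if not esp_auth:
        return [], False
    return [], True


def negotiate_auth(local_auth, peer_auth):
    """Simplified IKE negotiation for the ESP authentication algorithm: the local
    end offers its algorithms from strongest to weakest and the first one the
    peer also has configured is chosen. None means there is no common
    algorithm, i.e. the proposals at the two ends do not match and negotiation
    fails. This is an assumption about negotiation, not the device's exact logic."""
    peer = set(by_security_level(peer_auth))
    for alg in by_security_level(local_auth):
        if alg in peer:
            return alg
    return None


def recommendations(esp_auth):
    """Advisory notes mirroring the page: prefer sha2-256/384/512 over md5/sha1."""
    return [f"{a} is not recommended; use sha2-256, sha2-384 or sha2-512"
            for a in by_security_level(esp_auth) if a in WEAK_ESP_AUTH]


if __name__ == "__main__":
    # Constructed sample: the hub offers three algorithms, the branch only two.
    # "aes-256" is just a placeholder encryption keyword for the blank-check.
    hub = {"auth": ["sha2-256", "sm3", "sha2-512"], "enc": ["aes-256"]}
    branch = {"auth": ["sha1", "sha2-256"], "enc": ["aes-256"]}
    for name, end in (("hub", hub), ("branch", branch)):
        print(name, "tries in order:", by_security_level(end["auth"]))
        for e in proposal_errors(end["auth"], end["enc"]):
            print(name, "ERROR:", e)
        for r in recommendations(end["auth"]):
            print(name, "NOTE:", r)
    print("negotiated ESP authentication algorithm:", negotiate_auth(hub["auth"], branch["auth"]))
```

Running the script flags the branch proposal for sha1 (unsupported without the weak-algorithm package and not recommended) and reports sha2-256 as the only algorithm common to both ends, which is the one a mismatch review should confirm before the tunnel is brought up.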