The prf command configures the pseudo-random function (PRF) algorithm used in IKEv2 negotiation.
The undo prf command restores the default configuration.
By default, the HMAC-SHA2-256 PRF algorithm is used in IKEv2 negotiation.
prf { aes-xcbc-128 | hmac-md5 | hmac-sha1 | hmac-sha2-256 | hmac-sha2-384 | hmac-sha2-512 } *
undo prf
| Parameter | Description | Value |
|---|---|---|
| aes-xcbc-128 | Indicates that the PRF algorithm is AES-XCBC-128. This algorithm applies only to IKEv2 negotiation. | - |
| hmac-md5 | Indicates that the PRF algorithm is HMAC-MD5. | - |
| hmac-sha1 | Indicates that the PRF algorithm is HMAC-SHA1. | - |
| hmac-sha2-256 | Indicates that the PRF algorithm is HMAC-SHA2-256. | - |
| hmac-sha2-384 | Indicates that the PRF algorithm is HMAC-SHA2-384. | - |
| hmac-sha2-512 | Indicates that the PRF algorithm is HMAC-SHA2-512. | - |
A PRF algorithm is required in IKEv2 negotiation. From the highest security level to the lowest, the PRF algorithms rank as follows: hmac-sha2-512 > hmac-sha2-384 > hmac-sha2-256 > aes-xcbc-128 > hmac-sha1 > hmac-md5. If multiple PRF algorithms are configured, the device selects among them in the following sequence: aes-xcbc-128 > hmac-sha2-512 > hmac-sha2-384 > hmac-sha2-256 > hmac-sha1 > hmac-md5. The two orders differ: aes-xcbc-128 is selected first even though it ranks below the three HMAC-SHA2 algorithms, so configure it alongside them only if that preference is intended.
If you run the prf command multiple times, only the latest configuration takes effect.
By default, the device does not support the hmac-md5 and hmac-sha1 parameters. To use these parameters, install the weak security algorithm component package (product_version_WEAKEA.mod). For details, see Dynamic Loading. hmac-md5 and hmac-sha1 are not recommended due to their low security.
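The following added example (not part of the original documentation or any vendor tool) audits a sequence of prf and undo prf lines against the two orderings and the default described above, reporting which algorithm the device prefers, whether it is the strongest one configured, and which entries need the weak security algorithm component package. The function names and the sample lines are constructed for illustration, and the peer's side of the negotiation is not modelled.

```python
# Added example: audits prf lines using the two orderings stated on this page.
STRENGTH = ["hmac-sha2-512", "hmac-sha2-384", "hmac-sha2-256",
            "aes-xcbc-128", "hmac-sha1", "hmac-md5"]      # highest -> lowest
SELECTION = ["aes-xcbc-128", "hmac-sha2-512", "hmac-sha2-384",
             "hmac-sha2-256", "hmac-sha1", "hmac-md5"]    # device preference
WEAK = {"hmac-sha1", "hmac-md5"}     # need the weak algorithm package
DEFAULT = ["hmac-sha2-256"]


def effective_prf(lines):
    """Return the PRF list left in effect after applying commands in order."""
    current = list(DEFAULT)
    for raw in lines:
        tokens = raw.split()
        if tokens[:2] == ["undo", "prf"]:
            current = list(DEFAULT)          # undo restores the default
        elif tokens[:1] == ["prf"]:
            algs = tokens[1:]
            unknown = [a for a in algs if a not in STRENGTH]
            if unknown or not algs:
                raise ValueError(f"invalid prf line: {raw!r}")
            current = list(dict.fromkeys(algs))   # latest prf replaces earlier ones
    return current


def audit(lines):
    """Summarise which PRF is selected and whether it is the strongest configured."""
    configured = effective_prf(lines)
    selected = min(configured, key=SELECTION.index)
    strongest = min(configured, key=STRENGTH.index)
    return {
        "configured": sorted(configured, key=STRENGTH.index),
        "selected": selected,
        "strongest": strongest,
        "selected_is_strongest": selected == strongest,
        "weak": sorted(WEAK & set(configured)),
    }


# Constructed sample configuration lines (not taken from a real device).
SAMPLE = [
    "prf hmac-sha1",
    "prf aes-xcbc-128 hmac-sha2-512 hmac-md5",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

For the sample, the earlier `prf hmac-sha1` line is discarded, aes-xcbc-128 is preferred over the stronger hmac-sha2-512, and hmac-md5 is flagged as weak.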