The ikev2 authentication sign-hash command configures the hash algorithm that IKEv2 uses when generating and verifying the certificate-based signature (the sign-hash) during authentication.
The undo ikev2 authentication sign-hash command restores the default configuration.
By default, the certificate signature algorithm used by IKEv2 is SHA2-256.
ikev2 authentication sign-hash { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }
undo ikev2 authentication sign-hash
| Parameter | Description | Value |
|---|---|---|
| md5 | Specifies the certificate signature algorithm as MD5. | - |
| sha1 | Specifies the certificate signature algorithm as SHA1. | - |
| sha2-256 | Specifies the certificate signature algorithm as SHA2-256. | - |
| sha2-384 | Specifies the certificate signature algorithm as SHA2-384. | - |
| sha2-512 | Specifies the certificate signature algorithm as SHA2-512. | - |
Usage Scenario
In an IKEv2 certificate authentication scenario, the role of the device determines how this algorithm is used. When the device is the sender, it signs its authentication payload with the configured hash algorithm. If the receiver verifies the signature with a different hash algorithm, the verification fails and IKEv2 negotiation between the two ends fails. When the device is the receiver, it searches for an algorithm that verifies the peer's signature, trying the algorithms in the following order: sha2-256, then the configured algorithm, and then the remaining supported algorithms. If none of them verifies the signature, the verification fails and IKEv2 negotiation between the two ends fails. To prevent negotiation failures, configure the same certificate signature algorithm on both ends.
Precautions
The following certificate signature algorithms are listed in descending order of security level: sha2-512, sha2-384, sha2-256, sha1, and md5. MD5 and SHA1 have publicly known collision attacks and are no longer considered secure for digital signatures; select them only when a legacy peer cannot negotiate anything stronger, and prefer sha2-256 or stronger otherwise.
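The Usage Scenario requires both ends to use the same algorithm, and the Precautions rank the algorithms by strength. The following script is an added example, not part of the original page or the vendor's software: it reads the sign-hash setting out of two peers' configuration text (honoring the undo form, which restores the sha2-256 default), flags a mismatch or a weak algorithm, and emits the command needed to align the weaker side. The two configuration snippets are constructed for this example, and the view they would sit under on a real device is omitted; the regular expressions only look for the command lines documented above.

```python
"""Audit the IKEv2 sign-hash setting across two peers (added example)."""
import re

# Strongest first, as listed under Precautions on this page.
STRENGTH_ORDER = ["sha2-512", "sha2-384", "sha2-256", "sha1", "md5"]
WEAK = {"sha1", "md5"}
DEFAULT_ALGORITHM = "sha2-256"

SET_RE = re.compile(r"^ikev2 authentication sign-hash (md5|sha1|sha2-256|sha2-384|sha2-512)$")
UNDO_RE = re.compile(r"^undo ikev2 authentication sign-hash$")


def configured_sign_hash(config_text):
    """Walk a config dump in order; the last set/undo wins, default is sha2-256."""
    algorithm = DEFAULT_ALGORITHM
    for raw in config_text.splitlines():
        line = raw.strip()
        if UNDO_RE.match(line):
            algorithm = DEFAULT_ALGORITHM
            continue
        m = SET_RE.match(line)
        if m:
            algorithm = m.group(1)
    return algorithm


def strongest(*algorithms):
    """Return the strongest algorithm among the arguments per STRENGTH_ORDER."""
    return min(algorithms, key=STRENGTH_ORDER.index)


def audit_pair(local_config, peer_config):
    """Compare both ends and return findings plus a remediation target."""
    local = configured_sign_hash(local_config)
    peer = configured_sign_hash(peer_config)
    findings = []
    if local != peer:
        findings.append(
            f"mismatch: local uses {local}, peer uses {peer}; IKEv2 negotiation will fail"
        )
    for side, alg in (("local", local), ("peer", peer)):
        if alg in WEAK:
            findings.append(f"{side} uses {alg}, which has known collision attacks")
    # Align on the stronger of the two, but never settle below the default.
    target = strongest(local, peer)
    if target in WEAK:
        target = DEFAULT_ALGORITHM
    commands = {}
    for side, alg in (("local", local), ("peer", peer)):
        if alg != target:
            commands[side] = f"ikev2 authentication sign-hash {target}"
    return {"local": local, "peer": peer, "target": target,
            "findings": findings, "commands": commands}


# Constructed sample configurations (not real device output).
LOCAL_CONFIG = """\
ikev2 authentication sign-hash sha1
undo ikev2 authentication sign-hash
ikev2 authentication sign-hash sha2-512
"""
PEER_CONFIG = """\
ikev2 authentication sign-hash sha1
"""

if __name__ == "__main__":
    report = audit_pair(LOCAL_CONFIG, PEER_CONFIG)
    for finding in report["findings"]:
        print("FINDING:", finding)
    for side, cmd in report["commands"].items():
        print(f"apply on {side}: {cmd}")
```

Running it on the constructed snippets reports the mismatch (sha2-512 versus sha1), flags the peer's sha1 as weak, and proposes `ikev2 authentication sign-hash sha2-512` for the peer so that both ends negotiate with the stronger algorithm.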