R3721-F3210-F3171-HP High-End Firewalls VPN Command Reference-6PW101

Examples
# Configure IPsec proposal prop2 to encapsulate IP packets in transport mode.
<Sysname> system-view
[Sysname] ipsec proposal prop2
[Sysname-ipsec-proposal-prop2] encapsulation-mode transport
esp authentication-algorithm
Syntax
esp authentication-algorithm { md5 | sha1 }
undo esp authentication-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
md5: Uses the MD5 algorithm, which uses a 128-bit key. This keyword is not available for FIPS mode.
sha1: Uses the SHA1 algorithm, which uses a 160-bit key.
Description
Use esp authentication-algorithm to specify an authentication algorithm for ESP.
Use undo esp authentication-algorithm to configure ESP not to perform authentication on packets.
The default authentication algorithm for ESP is MD5.
In FIPS mode, MD5 is not supported, the default authentication algorithm for ESP is SHA1, and you must specify both an authentication algorithm and an encryption algorithm for ESP.
Compared with SHA-1, MD5 is faster but less secure. SHA-1 applies to scenarios with higher security and confidentiality requirements. Use MD5 in common scenarios.
ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. For ESP, you must specify an encryption algorithm, an authentication algorithm, or both. The undo esp authentication-algorithm command takes effect only if an encryption algorithm is specified for ESP. In FIPS mode, ESP must use both encryption and authentication algorithms. If you disable ESP authentication, the default authentication algorithm is used.
Related commands: ipsec proposal, esp encryption-algorithm, proposal, and transform.
Examples
# Configure IPsec proposal prop1 to use ESP and specify SHA1 as the authentication algorithm for ESP.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform esp
[Sysname-ipsec-proposal-prop1] esp authentication-algorithm sha1
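The constraints in the description above (MD5 as the default, undo taking effect only when an encryption algorithm is set, FIPS requiring both algorithms) can be checked offline against a saved configuration. The following audit script is an added example, not vendor code: it parses ipsec proposal blocks from a constructed config excerpt (encryption keyword values are illustrative) and reports proposals that end up on MD5 authentication or that would not pass in FIPS mode.

```python
import re

# Constructed sample config excerpt (not a real device dump); encryption keyword values are illustrative.
SAMPLE_CONFIG = """\
ipsec proposal prop1
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-cbc-128
ipsec proposal prop2
 esp encryption-algorithm 3des
 undo esp authentication-algorithm
ipsec proposal prop3
 undo esp authentication-algorithm
"""

def parse_proposals(text):
    """Map proposal name -> {'auth', 'enc', 'undo_auth'} from the config text."""
    proposals, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"ipsec proposal (\S+)$", line)
        if m:
            cur = proposals.setdefault(m.group(1), {"auth": None, "enc": None, "undo_auth": False})
        elif cur is None:
            continue
        elif line == "undo esp authentication-algorithm":
            cur["undo_auth"], cur["auth"] = True, None
        elif line.startswith("esp authentication-algorithm "):
            cur["auth"], cur["undo_auth"] = line.split()[-1], False
        elif line.startswith("esp encryption-algorithm "):
            cur["enc"] = line.split()[-1]
    return proposals

def audit(text, fips=False):
    """Return {name: [findings]} per the rules in this command's description."""
    report = {}
    for name, p in parse_proposals(text).items():
        findings, auth = [], p["auth"]
        if p["undo_auth"] and p["enc"] is None:
            # undo takes effect only with an encryption algorithm set; otherwise default MD5 stays
            findings.append("undo esp authentication-algorithm has no effect without an encryption algorithm; default MD5 applies")
            auth = "md5"
        elif not p["undo_auth"] and auth is None:
            auth = "md5"  # default ESP authentication algorithm
        if auth == "md5":
            findings.append("ESP authentication uses MD5 (less secure than SHA-1; not available in FIPS mode)")
        if fips and (auth != "sha1" or p["enc"] is None):
            findings.append("FIPS mode requires both an encryption algorithm and SHA1 authentication for ESP")
        report[name] = findings
    return report
```

Run audit(SAMPLE_CONFIG) for a non-FIPS device and audit(SAMPLE_CONFIG, fips=True) for a FIPS-mode device; prop2 (encryption only) is acceptable outside FIPS mode but is flagged under it.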