R2511-HP MSR Router Series Security Command Reference(V5)

Usage guidelines
The anti-replay function works based on sequence numbers. The ESN function extends the size of the
sequence number from 32 bits to 64 bits. When a great quantity of traffic needs IPsec protection, this
extension can help prevent the sequence number resource from being depleted due to frequent rekeying.
The ESN function takes effect only when it is enabled on both the initiator and responder.
Examples
# Enable ESN for IPsec transform set prop1.
<Sysname> system-view
[Sysname] ipsec transform-set prop1
[Sysname-ipsec-transform-set-prop1] esn enable
Related commands
ipsec transform-set
esp authentication-algorithm
Use esp authentication-algorithm to specify authentication algorithms for ESP.
Use undo esp authentication-algorithm to restore the default.
Syntax
esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha2-256 } *
undo esp authentication-algorithm
Default
In FIPS mode, MD5 is not supported, and ESP uses SHA-1 for authentication.
In non-FIPS mode, no authentication algorithm is specified.
Views
IPsec transform set view
Default command level
2: System level
Parameters
aes-xcbc-mac: Uses the AES-XCBC-MAC algorithm.
md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key.
sha2-256: Uses the SHA2-256 algorithm.
Usage guidelines
Compared with SHA1, MD5 is faster but less secure. MD5 is sufficient for most networks. To deploy a
highly secure network, use SHA1.
In non-FIPS mode, you can configure ESP authentication, encryption, or both authentication and
encryption. In FIPS mode, you must configure both ESP authentication and encryption.
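The following is an added illustration, not vendor code or router output. It models in pure Python the two mechanisms this reference describes: the 64-bit extended sequence number of the esn enable command, whose high 32 bits never appear on the wire and are reconstructed by the receiver (the inference rules of RFC 4303 Appendix A), and ESP authentication with HMAC-SHA1, whose ICV is the HMAC truncated to 96 bits (HMAC-SHA-1-96, RFC 2404). The SPI, key and payloads are constructed sample values, and the receiver's start_top parameter exists only so the demonstration can start just below the 32-bit wrap instead of sending four billion packets. The ICV is computed with the high ESN bits appended to the authenticated data, so a wrongly inferred high half fails authentication rather than slipping through the window.

```python
"""ESP anti-replay window with ESN plus an HMAC-SHA1-96 ICV (added example)."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFF_FFFF
ICV_LEN = 12                        # HMAC-SHA1-96: 160-bit MAC truncated to 96 bits


def esp_icv(key, spi, seq64, payload):
    """ICV over SPI || low 32 bits of seq || payload, with the high 32 bits of the
    ESN appended to the authenticated data (RFC 4303) but never transmitted."""
    seqh, seql = seq64 >> 32, seq64 & MASK32
    data = struct.pack("!II", spi, seql) + payload + struct.pack("!I", seqh)
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


class EspSender:
    def __init__(self, key, spi):
        self.key, self.spi, self.seq = key, spi, 0

    def send(self, payload):
        self.seq += 1               # 64-bit counter; only its low 32 bits go on the wire
        header = struct.pack("!II", self.spi, self.seq & MASK32)
        return header + payload + esp_icv(self.key, self.spi, self.seq, payload)


class EspReceiver:
    """Receiver with a sliding anti-replay window of `window` sequence numbers."""

    def __init__(self, key, spi, window=64, start_top=0):
        self.key, self.spi, self.w = key, spi, window
        self.top = start_top        # highest 64-bit seq accepted (start_top != 0 is for demos only)
        self.bitmap = 1             # bit i set: sequence number top - i has been accepted

    def infer_seq64(self, seql):
        """Reconstruct the 64-bit sequence number from the 32 transmitted bits."""
        th, tl = self.top >> 32, self.top & MASK32
        if tl >= self.w - 1:        # window lies inside a single 2^32 subspace
            seqh = th if seql >= tl - self.w + 1 else th + 1
        else:                       # window straddles a subspace boundary
            bottom = (tl - self.w + 1) & MASK32
            seqh = th - 1 if seql >= bottom else th
        return (seqh << 32) | seql

    def receive(self, packet):
        """Return (accepted, reason, seq64) and update the window only on success."""
        spi, seql = struct.unpack("!II", packet[:8])
        payload, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        seq = self.infer_seq64(seql)
        if spi != self.spi or seq < 0:
            return False, "bad-spi-or-seq", seq
        if seq <= self.top:         # cheap replay check first, ICV afterwards
            diff = self.top - seq
            if diff >= self.w:
                return False, "below-window", seq
            if self.bitmap & (1 << diff):
                return False, "replay", seq
        if not hmac.compare_digest(icv, esp_icv(self.key, spi, seq, payload)):
            return False, "bad-icv", seq
        if seq > self.top:          # slide the window forward
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.w else ((self.bitmap << shift) | 1) & ((1 << self.w) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return True, "ok", seq


def demo():
    """Drive the pair across the 32-bit wrap, then replay and tamper."""
    key, spi = b"constructed-sample-key-not-real!", 0x1234_5678   # constructed values
    tx = EspSender(key, spi)
    tx.seq = 0xFFFF_FFFD            # counter just below the 32-bit boundary
    rx = EspReceiver(key, spi, start_top=0xFFFF_FFFD)
    pkts = [tx.send(b"a"), tx.send(b"b"), tx.send(b"c"), tx.send(b"d")]  # ..FFFE, ..FFFF, 2^32, 2^32+1
    results = [rx.receive(p) for p in pkts]
    results.append(rx.receive(pkts[1]))                  # replay of seq 0xFFFF_FFFF
    fresh = tx.send(b"e")                                # seq 2^32 + 2
    results.append(rx.receive(fresh[:8] + b"X" + fresh[9:]))  # payload altered: ICV fails
    return results


if __name__ == "__main__":
    for accepted, reason, seq in demo():
        print(f"{accepted!s:5} {reason:14} seq64=0x{seq:X}")
```

The third packet carries a transmitted sequence number of 0, which a 32-bit-only window would treat as far below the window; with ESN the receiver infers 2^32, so the SA keeps running without the rekey that the reference says ESN exists to avoid. The replayed packet is rejected by the window before any MAC work, and the tampered packet is rejected by the ICV without disturbing the window state.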
Examples
# Configure IPsec transform set prop1 to use ESP and specify SHA1 as the authentication algorithm for
ESP.