ah authentication-algorithm
Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
Use undo ah authentication-algorithm to restore the default.
Syntax
In non-FIPS mode:
ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
undo ah authentication-algorithm
In FIPS mode:
ah authentication-algorithm { sha1| sha256 | sha384 | sha512 } *
undo ah authentication-algorithm
Default
AH does not use any authentication algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
aes-xcbc-mac: Specifies the HMAC-AES-XCBC-96 algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.
md5: Specifies the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Specifies the HMAC-SHA1 algorithm, which uses a 160-bit key.
sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key.
sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key.
sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key.
Usage guidelines
In non-FIPS mode, you can specify multiple AH authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
For a manual or IKEv1-based IPsec policy, the first specified AH authentication algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first AH authentication algorithm.
Examples
# Specify HMAC-SHA1 as the AH authentication algorithm for IPsec transform set tran1.
<Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1