esp authentication-algorithm

Use esp authentication-algorithm to specify authentication algorithms for ESP.

Use undo esp authentication-algorithm to restore the default.


In non-FIPS mode:

esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

undo esp authentication-algorithm

In FIPS mode:

esp authentication-algorithm { sha1| sha256 | sha384 | sha512 } *

undo esp authentication-algorithm


ESP does not use any authentication algorithms.


IPsec transform set view

Predefined user roles




aes-xcbc-mac: Specifies the HMAC-AES-XCBC-96 algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

md5: Specifies the HMAC-MD5 algorithm, which uses a 128-bit key.

sha1: Specifies the HMAC-SHA1 algorithm, which uses a 160-bit key.

sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key.

sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key.

sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key.

Usage guidelines

In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.

For a manual or IKEv1-based IPsec policy, the first specified ESP authentication algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP authentication algorithm.


# Configure IPsec transform set tran1 to use the HMAC-SHA1 algorithm as the ESP authentication algorithm.

<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1

Related commands

ipsec transform-set