IPsec commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about
FIPS mode, see Security Configuration Guide.
The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces
and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port
link-mode route command (see Layer 2—LAN Switching Configuration Guide).
ah authentication-algorithm
Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
Use undo ah authentication-algorithm to remove all specified authentication algorithms for the AH
protocol.
Syntax
In non-FIPS mode:
ah authentication-algorithm { md5 | sha1 } *
undo ah authentication-algorithm
In FIPS mode:
ah authentication-algorithm sha1
undo ah authentication-algorithm
Default
AH does not use any authentication algorithm.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key.
Usage guidelines
In non-FIPS mode, you can specify multiple AH authentication algorithms for one IPsec transform set. The
algorithms are prioritized in the order you specify them: the first algorithm has the highest priority.
HMAC-MD5 is a legacy algorithm that is not available in FIPS mode. Specify sha1 unless you must
interoperate with a peer that supports only md5.
• For a manual IPsec policy, only the first specified AH authentication algorithm takes effect. To make sure
an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the
tunnel must have the same first AH authentication algorithm.
• For an IKE-based IPsec policy, the initiator sends the first AH authentication algorithm specified in
the IPsec transform set to the peer end during the negotiation phase, and the responder matches the
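The following CLI session is an added example and is not taken from the command reference. It shows the
manual-policy caveat above: two ends of a manual IPsec tunnel whose transform sets list the same algorithms
in a different order, followed by the corrected configuration. The device names, the transform-set name tran1,
and the pairing of the two devices as tunnel peers are assumptions; only the ipsec transform-set, protocol,
ah authentication-algorithm and undo ah authentication-algorithm commands are taken from this guide.

```text
# Device A (non-FIPS mode): md5 is listed first, so for a manual policy
# HMAC-MD5 is the only AH algorithm that takes effect.
<DeviceA> system-view
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] protocol ah
[DeviceA-ipsec-transform-set-tran1] ah authentication-algorithm md5 sha1

# Device B (non-FIPS mode): sha1 is listed first, so HMAC-SHA1 takes effect.
# The first algorithms differ, so a manual tunnel built from these two
# transform sets cannot be established.
<DeviceB> system-view
[DeviceB] ipsec transform-set tran1
[DeviceB-ipsec-transform-set-tran1] protocol ah
[DeviceB-ipsec-transform-set-tran1] ah authentication-algorithm sha1 md5

# Corrected configuration: clear the lists and specify the same single
# algorithm on both ends. sha1 is chosen because md5 is a legacy algorithm
# and is the only option not available in FIPS mode.
[DeviceA-ipsec-transform-set-tran1] undo ah authentication-algorithm
[DeviceA-ipsec-transform-set-tran1] ah authentication-algorithm sha1

[DeviceB-ipsec-transform-set-tran1] undo ah authentication-algorithm
[DeviceB-ipsec-transform-set-tran1] ah authentication-algorithm sha1
```

Specifying a single algorithm on both ends also removes the ordering dependency for IKE-based policies,
because the initiator then has only one algorithm to propose.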