No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
esp authentication-algorithm

esp authentication-algorithm


The esp authentication-algorithm command specifies the authentication algorithm used by the Encapsulating Security Payload (ESP) protocol.

The undo esp authentication-algorithm command configures the system not to authenticate packets using the ESP protocol.

By default, ESP uses the SHA-256 authentication algorithm.


esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

undo esp authentication-algorithm






Specifies MD5 as the authentication algorithm used by the ESP protocol.



Specifies SHA-1 as the authentication algorithm used by the ESP protocol.



Specifies SHA-256 as the authentication algorithm used by the ESP protocol.



Specifies SHA-384 as the authentication algorithm used by the ESP protocol.



Specifies SHA-512 as the authentication algorithm used by the ESP protocol.



AR500 series do not support SHA2-384 and SHA2-512 authentication algorithms.


IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The differences between the MD5 and SHA authentication algorithms are as follows:

  • The MD5 algorithm uses a 128-bit key, and the SHA-1 algorithm uses a 160-bit key. The SHA-256, SHA-384, and SHA-512 algorithms use 256-bit, 384-bit, and 512-bit keys respectively.

  • A larger number of key bits indicate a more secure algorithm but a slower calculation speed. The MD5 and SHA-1 algorithms are not recommended because they cannot meet your security defense requirements.

In practice, select an authentication algorithm according to the requirement for security and device performance. You are advised not to use MD5 or SHA-1; otherwise, security defense requirements may be not met.

ESP supports the following encryption and authentication modes: both, encryption-only, authentication-only, and none. In the efficient VPN scenario, do not configure encryption or authentication algorithm for ESP when the remote device does not support IPSec encryption or authentication.


esp or ah-esp has been specified in the transform command.


The undo esp authentication-algorithm command configures ESP not to authenticate packets instead of restoring the default authentication algorithm. This command takes effect only when an authentication algorithm is used.

The ESP encryption algorithm and authentication algorithm cannot be kept blank simultaneously.

The IPSec proposals referenced by security policies on two ends of an IPSec tunnel must use the same authentication algorithm.


# Configure the IPSec proposal prop1 to use the ESP protocol, and configure the ESP protocol to use the SHA-512 authentication algorithm.

<Huawei> system-view
[Huawei] ipsec proposal prop1
[Huawei-ipsec-proposal-prop1] transform esp 
[Huawei-ipsec-proposal-prop1] esp authentication-algorithm sha2-512 
Updated: 2019-05-29

Document ID: EDOC1000097293

Views: 90157

Downloads: 124

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next