Supported message digest algorithms for IPsec VPNs
Message digest algorithms are used to guarantee the integrity of data (that the packets have not been changed in transit). These algorithms are often also referred to using the MAC or HMAC abbreviations (keyed-hash message authentication code).
Algorithm | Description |
---|---|
AES-XCBC-MAC |
128-bit hash algorithm. Available only for checking the integrity of IPsec traffic. Many IPsec-compatible VPN devices do not support this algorithm, but support is becoming increasingly common. Reference: RFC 3566. |
MD5 |
Message-Digest algorithm 5 A 128-bit hash algorithm (also referred to as HMACMD5). Available for checking the integrity of the IKE negotiations and IPsec traffic. Most IPsec-compliant VPN devices still support this algorithm, but it is not considered secure and should not be used unless required for compatibility with legacy devices. Reference: RFC 2403. |
SHA-1 |
Secure Hash Algorithm Has a 160-bit hash (sometimes referred to as HMAC-SHA-1). Available for checking the integrity of the IKE negotiations and IPsec traffic. All VPN devices must support this algorithm to be fully IPsec-compliant. Reference: RFC 2404. |
SHA-2 |
Secure Hash Algorithm Has 256-bit, 384-bit, and 512-bit hashes (includes SHA- 224, SHA-256, SHA-384, and SHA-512). Available for checking the integrity of the IKE negotiations and IPsec traffic. All VPN devices must support this algorithm to be fully IPsec-compliant. Reference: RFC 4868. |