security ipsec authentication-type—Configure the type of authentication to use on IPsec tunnel connections between vEdge routers (on vEdge routers only).
- Authentication Type
Type of authentication to use on IPsec tunnel connections. You can configure multiple authentication types; configure each type with a separate security ipsec authentication-type command. The order in which these commands appear in the configuration does not matter. Each vEdge router advertises its configured authentication types in its TLOC properties, and the two routers at the ends of an IPsec tunnel connection then negotiate the type to use on that tunnel: they select the strongest type that is configured on both routers. For example, if vEdge-1 advertises AH-SHA1 HMAC, ESP HMAC-SHA1, and none, and vEdge-2 advertises ESP HMAC-SHA1 and none, the two routers negotiate to use ESP HMAC-SHA1 as the integrity method between them.
type can be one of the following options, which are listed in order from strongest to weakest:
• ah-sha1-hmac enables AH-SHA1 HMAC and ESP HMAC-SHA1. With this authentication type, ESP encrypts the inner header, packet payload, ESP trailer, and MPLS label (if applicable), and AH authenticates these fields, as well as the non-mutable fields in the outer header. AH creates an HMAC-SHA1 hash and places it in the last field of the data packet.
• ah-no-id enables a modified version of AH-SHA1 HMAC and ESP HMAC-SHA1 that ignores the ID field in the packet's outer IP header. This option accommodates some non-Viptela devices, including the Apple AirPort Express NAT, that have a bug that causes the ID field in the IP header, a non-mutable field, to be modified in transit. Include ah-no-id in the list of authentication types to have the Viptela software ignore the ID field in the outer IP header when it computes and verifies the AH authentication, so that it can interoperate with these devices.
• sha1-hmac enables ESP HMAC-SHA1. With this authentication type, ESP encrypts the inner header, packet payload, ESP trailer, and MPLS label (if applicable). ESP then creates an HMAC-SHA1 hash and places it in the last field of the data packet.
• none maps to no authentication. With this authentication type, ESP encrypts the inner header, packet payload, ESP trailer, and MPLS label (if applicable), but no HMAC-SHA1 hash is calculated. You can choose this option in situations where data plane authentication and integrity are not a concern. Because the two routers use the strongest type configured on both of them, including none in the list allows a peer that advertises only none to bring up a tunnel with no integrity protection at all.
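The negotiation described above, written out as an added example (this is illustration code, not Viptela or Cisco software). The strength ranking is the list order on this page; the function names, the parser's handling of the two command forms, and the sample peer advertisements are assumptions constructed for the example:

```python
# Added illustration of how the authentication-type negotiation on this page
# works. Not Viptela/Cisco code; names and sample inputs are constructed.

# Keywords accepted by "security ipsec authentication-type", strongest first
# (the page's own ordering).
STRENGTH_ORDER = ("ah-sha1-hmac", "ah-no-id", "sha1-hmac", "none")

# The page's stated default configuration.
DEFAULT_TYPES = frozenset({"ah-sha1-hmac", "sha1-hmac"})


def parse_authentication_types(config_lines):
    """Collect the authentication types from vEdge configuration lines.

    Accepts both the full form "security ipsec authentication-type X" and the
    short form "authentication-type X" typed inside config-ipsec mode (lines
    without the CLI prompt). Order does not matter, so the result is a set.
    Lines that are not authentication-type commands are ignored; an
    authentication-type line with an unknown keyword raises ValueError.
    """
    types = set()
    for line in config_lines:
        tokens = line.split()
        if tokens[:3] == ["security", "ipsec", "authentication-type"]:
            keyword = tokens[3:]
        elif tokens[:1] == ["authentication-type"]:
            keyword = tokens[1:]
        else:
            continue
        if len(keyword) != 1 or keyword[0] not in STRENGTH_ORDER:
            raise ValueError("unknown authentication type in: %r" % line)
        types.add(keyword[0])
    return types


def negotiate(local_types, remote_types):
    """Return the strongest authentication type both routers advertise.

    Each router advertises its configured types in its TLOC properties and the
    pair settles on the strongest type present on both sides. The page does
    not say what happens when the two lists share no type, so this example
    returns None in that case rather than guessing.
    """
    common = set(local_types) & set(remote_types)
    for candidate in STRENGTH_ORDER:
        if candidate in common:
            return candidate
    return None


def is_unauthenticated(negotiated):
    """True when the negotiated result gives no data plane integrity."""
    return negotiated == "none"


if __name__ == "__main__":
    # Worked example from the page: vEdge-1 vs vEdge-2.
    vedge1 = {"ah-sha1-hmac", "sha1-hmac", "none"}
    vedge2 = {"sha1-hmac", "none"}
    print("page example:", negotiate(vedge1, vedge2))  # sha1-hmac

    # The configuration shown at the end of the page, as constructed lines.
    cfg = parse_authentication_types([
        "security ipsec authentication-type sha1-hmac",
        "authentication-type ah-sha1-hmac",
        "authentication-type none",
    ])
    # A constructed peer that advertises only "none": accepted, no integrity.
    result = negotiate(cfg, {"none"})
    print("peer with only none:", result, "unauthenticated:", is_unauthenticated(result))

    # With the page's default (no "none" configured) the same peer shares no type.
    print("default vs none-only peer:", negotiate(DEFAULT_TYPES, {"none"}))
```

The last two calls are the practical point: a router whose list includes none will settle on none against a peer that offers nothing stronger, whereas the default list has no common type with such a peer.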
For information about which data packet fields are affected by these authentication types, see the "Data Plane Integrity" section in the Data Plane Security Overview article for your software release.
For Releases 16.2 and later, the encryption algorithm on IPsec tunnel connections is either AES-256-GCM or AES-256-CBC. For unicast traffic, if the remote side supports AES-256-GCM, that encryption algorithm is used. Otherwise, AES-256-CBC is used. For multicast traffic, the encryption algorithm is AES-256-CBC. For Releases 16.1 and earlier, the encryption algorithm on IPsec tunnel connections is AES-256-CBC. You cannot modify the encryption algorithm choice made by the software.
When you change the IPsec authentication type, the AES key used for the data path is regenerated.
Default: ah-sha1-hmac and sha1-hmac
Have the vEdge router negotiate the IPsec tunnel authentication type among AH-SHA1, ESP SHA1-HMAC, and none:
vEdge# config
Entering configuration mode terminal
vm6(config)# security ipsec authentication-type sha1-hmac
vm6(config-ipsec)# authentication-type ah-sha1-hmac
vm6(config-ipsec)# authentication-type none
Command introduced in Viptela Software Release 14.2.