integrity
To specify the ESP integrity algorithm in an IKEv2 security association (SA) for AnyConnect IPsec connections, use the integrity command in IKEv2 policy configuration mode. To remove the command and use the default setting, use the no form of this command:
integrity { md5 | sha | sha256 | sha384 | sha512 | null }
no integrity { md5 | sha | sha256 | sha384 | sha512 | null }
Syntax Description

| Keyword | Description |
|---|---|
| md5 | Specifies the MD5 algorithm for ESP integrity protection. |
| null | Allows an administrator to choose null as the IKEv2 integrity algorithm when AES-GCM is specified as the encryption algorithm. |
| sha | (Default) Specifies the Secure Hash Algorithm SHA-1, defined in the U.S. Federal Information Processing Standard (FIPS), for ESP integrity protection. |
| sha256 | Specifies the Secure Hash Algorithm SHA-2 with a 256-bit digest. |
| sha384 | Specifies the Secure Hash Algorithm SHA-2 with a 384-bit digest. |
| sha512 | Specifies the Secure Hash Algorithm SHA-2 with a 512-bit digest. |
Command Default
The default is sha (the SHA-1 algorithm).
Usage Guidelines
An IKEv2 SA is the phase 1 security association that lets IKEv2 peers communicate securely while they negotiate phase 2. After entering the crypto ikev2 policy command, use the integrity command to set the integrity algorithm for the ESP protocol.
Command Modes
The following table shows the modes in which you can enter the command (• = supported, — = not supported):

| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Global Configuration | • | — | • | — | — |
Command History

| Release | Modification |
|---|---|
| 8.4(1) | This command was added. |
| 8.4(2) | The sha256, sha384, and sha512 keywords were added for SHA-2 support. |
| 9.0(1) | The null option as an IKEv2 integrity algorithm was added. |
Examples
The following example enters IKEv2 policy configuration mode and sets the integrity algorithm to MD5:

```
ciscoasa(config)# crypto ikev2 policy 1
ciscoasa(config-ikev2-policy)# integrity md5
```
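As an added example (not part of the Cisco reference), the following Python script audits the crypto ikev2 policy blocks of a running-config for the weak keywords in the table above (md5 and the sha default) and for null integrity used without AES-GCM encryption. The sample configuration is constructed, and the rule that every listed encryption algorithm must be AES-GCM before null is acceptable is this script's own assumption.

```python
import re

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity md5
 group 14
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 19
crypto ikev2 policy 20
 encryption aes-256 aes-192
 integrity null sha256
 group 14
crypto ikev2 policy 30
 encryption aes-256
 group 14
"""

WEAK = {"md5": "MD5", "sha": "SHA-1"}


def parse_policies(config):
    """Return {policy_number: {"encryption": [...], "integrity": [...], "explicit": bool}}."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev2 policy (\d+)\s*$", line)
        if m:
            # Per the command reference, an omitted integrity line means the default, sha.
            current = policies.setdefault(
                int(m.group(1)), {"encryption": [], "integrity": ["sha"], "explicit": False})
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the policy sub-mode
            continue
        words = line.split()
        if words[0] == "integrity":
            current["integrity"], current["explicit"] = words[1:], True
        elif words[0] == "encryption":
            current["encryption"] = words[1:]
    return policies


def audit(config):
    """Map each policy number to a list of findings (an empty list means nothing flagged)."""
    findings = {}
    for num, pol in sorted(parse_policies(config).items()):
        notes = []
        for alg in pol["integrity"]:
            if alg in WEAK:
                suffix = "" if pol["explicit"] else " (implicit default)"
                notes.append(f"weak integrity {alg} ({WEAK[alg]}){suffix}")
        # Assumption: null is only acceptable when every listed cipher is AES-GCM.
        if "null" in pol["integrity"] and not all(
                e.startswith("aes-gcm") for e in pol["encryption"]):
            notes.append("null integrity with a non-AES-GCM encryption algorithm")
        findings[num] = notes
    return findings
```

Run it against the output of show running-config to list policies whose integrity setting still relies on MD5 or SHA-1, or on null without an AEAD cipher.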