Supported message digest algorithms for IPsec VPNs

Message digest algorithms are used to guarantee the integrity of data (that the packets have not been changed in transit). Because IPsec applies them as keyed hashes, these algorithms are often also referred to using the MAC or HMAC abbreviations (keyed-hash message authentication code).

Table 1. Supported message digest algorithms

AES-XCBC-MAC
    128-bit hash algorithm.
    Available only for checking the integrity of IPsec traffic.
    Many IPsec-compatible VPN devices do not support this algorithm, but support is becoming increasingly common.
    Reference: RFC 3566.

MD5 (Message-Digest algorithm 5)
    A 128-bit hash algorithm (also referred to as HMAC-MD5).
    Available for checking the integrity of the IKE negotiations and IPsec traffic.
    Most IPsec-compliant VPN devices still support this algorithm, but support might become less common in the future.
    Reference: RFC 2403.

SHA-1 (Secure Hash Algorithm)
    Has a 160-bit hash (sometimes referred to as HMAC-SHA-1).
    Available for checking the integrity of the IKE negotiations and IPsec traffic.
    All VPN devices must support this algorithm to be fully IPsec-compliant.
    Reference: RFC 2404.

SHA-2 (Secure Hash Algorithm)
    Has 256-bit, 384-bit, and 512-bit hashes (includes SHA-224, SHA-256, SHA-384, and SHA-512).
    Available for checking the integrity of the IKE negotiations and IPsec traffic.
    Most IPsec-compliant VPN devices support this method.
    Reference: RFC 4868.
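The RFCs cited in the table do not use the full HMAC output as the ESP/AH integrity check value (ICV); each one truncates it (HMAC-MD5-96 and HMAC-SHA-1-96 keep 96 bits, RFC 4868 keeps 128, 192 or 256 bits for SHA-256, SHA-384 and SHA-512). The following added example, written for this page and not code from the product documented here, builds a constructed ESP-like packet, appends the truncated ICV, and verifies it in constant time; the key, SPI and payload are constructed values, and AES-XCBC-MAC is omitted because the Python standard library has no AES primitive.

```python
import hashlib
import hmac
import struct

# ICV length in bytes after truncation, per the RFCs cited in the table:
# RFC 2403 (HMAC-MD5-96), RFC 2404 (HMAC-SHA-1-96),
# RFC 4868 (HMAC-SHA-256-128, HMAC-SHA-384-192, HMAC-SHA-512-256).
ICV_LEN = {"md5": 12, "sha1": 12, "sha256": 16, "sha384": 24, "sha512": 32}

ESP_HEADER_LEN = 8  # SPI (4 bytes) + Sequence Number (4 bytes)


def esp_icv(algo: str, key: bytes, authenticated: bytes) -> bytes:
    """Full HMAC over the authenticated bytes, truncated to the RFC ICV length."""
    mac = hmac.new(key, authenticated, getattr(hashlib, algo)).digest()
    return mac[: ICV_LEN[algo]]


def build_esp_packet(algo: str, key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Constructed ESP-like packet: header + payload (stands in for the already
    encrypted data and ESP trailer) + ICV. The ICV covers everything before it."""
    body = struct.pack("!II", spi, seq) + payload
    return body + esp_icv(algo, key, body)


def verify_esp_packet(algo: str, key: bytes, packet: bytes) -> bool:
    """Split off the trailing ICV and compare it in constant time, so that a
    forged or modified packet is rejected without leaking timing information."""
    n = ICV_LEN[algo]
    if len(packet) < ESP_HEADER_LEN + n:
        return False  # too short to carry a header and an ICV
    body, icv = packet[:-n], packet[-n:]
    return hmac.compare_digest(esp_icv(algo, key, body), icv)


def demo(algo: str = "sha256") -> tuple:
    """Returns (valid_packet_accepted, tampered_packet_rejected)."""
    key = bytes(range(32))  # constructed key, not a real SA key
    pkt = build_esp_packet(algo, key, spi=0x1000, seq=1, payload=b"\x00" * 16)
    tampered = bytearray(pkt)
    tampered[ESP_HEADER_LEN] ^= 0x01  # flip one bit of the payload
    return verify_esp_packet(algo, key, pkt), not verify_esp_packet(algo, key, bytes(tampered))


if __name__ == "__main__":
    print(demo())  # (True, True)
```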

Note: The restricted (-R) product version has no strong encryption algorithms.