Supported message digest algorithms for IPsec VPNs

Message digest algorithms are used to guarantee the integrity of data (that the packets have not been changed in transit). These algorithms are often also referred to using the MAC or HMAC abbreviations (keyed-hash message authentication code).

Table 1. Supported message digest algorithms
Algorithm Description
AES-XCBC-MAC

128-bit hash algorithm.

Available only for checking the integrity of IPsec traffic.

Many IPsec-compatible VPN devices do not support this algorithm, but support is becoming increasingly common.

Reference: RFC 3566.

MD5

Message-Digest algorithm 5

A 128-bit hash algorithm (also referred to as HMACMD5).

Available for checking the integrity of the IKE negotiations and IPsec traffic.

Most IPsec-compliant VPN devices still support this algorithm, but it is not considered secure and should not be used unless required for compatibility with legacy devices.

Reference: RFC 2403.

SHA-1

Secure Hash Algorithm

Has a 160-bit hash (sometimes referred to as HMAC-SHA-1).

Available for checking the integrity of the IKE negotiations and IPsec traffic.

All VPN devices must support this algorithm to be fully IPsec-compliant.

Reference: RFC 2404.

SHA-2

Secure Hash Algorithm

Has 256-bit, 384-bit, and 512-bit hashes (includes SHA- 224, SHA-256, SHA-384, and SHA-512).

Available for checking the integrity of the IKE negotiations and IPsec traffic.

All VPN devices must support this algorithm to be fully IPsec-compliant.

Reference: RFC 4868.