prf-algorithm
Syntax
prf-algorithm (prf-hmac-sha1 | prf-hmac-sha256 | prf-hmac-sha384 | prf-hmac-sha512);
Hierarchy Level
[edit logical-systems name security ike proposal], [edit logical-systems name tenants name security ike proposal], [edit security ike proposal], [edit tenants name security ike proposal]
Description
Defines a pseudorandom function (PRF) algorithm that explicitly associates a PRF with an Internet Key Exchange version 2 (IKEv2) proposal for IPsec VPN service with the iked process. The IKE handshake succeeds only when both peers use the same PRF algorithm. The following points describe PRF algorithm behavior and operational considerations for IKE proposals:
- IKEv1 doesn't support PRF algorithm negotiation.
- If the two peers use different PRF algorithms, the IKE handshake fails.
- Avoid configuring a PRF in an IKE proposal that uses Authenticated Encryption with Associated Data (AEAD) ciphers, such as AES-GCM and ChaCha20-Poly1305. The commit fails because AEAD ciphers implicitly define the PRF behavior. For example, AES-GCM variants, such as the aes-256-gcm authenticated-encryption algorithm, are internally associated with PRF-384 and cannot use PRF-256. The commit check rejects such inconsistent combinations before they cause negotiation failures.
- If you don't configure a PRF, the iked process preserves the previous behavior and uses the PRF implicitly derived from the configured authentication algorithm.
- If you configure a PRF, existing SAs remain unchanged when the configured PRF matches the previously derived value. If the configured PRF differs, the iked process deletes the SAs.
- To view the PRF algorithm used during the IKEv2 handshake, use the show security ike sa detail command.
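The following Python implementation of the IKEv2 prf and prf+ functions from RFC 7296 is an added example, not Juniper code and not anything the iked process exposes. It shows what the negotiated PRF is actually used for (deriving SKEYSEED and the IKE SA key set) and why two peers configured with different prf-algorithm values cannot arrive at the same keys, which is the mechanism behind the "handshake fails" point above. It goes slightly beyond the page by also modelling the AEAD case, where the integrity keys SK_ai and SK_ar are empty. The nonces, SPIs and shared secret are constructed sample values, and the derive_ike_sa_keys and peers_agree names are this example's own.

```python
import hashlib
import hmac

# Junos prf-algorithm keyword -> underlying hash for the HMAC-based PRF.
PRF_ALGORITHMS = {
    "prf-hmac-sha1": hashlib.sha1,
    "prf-hmac-sha256": hashlib.sha256,
    "prf-hmac-sha384": hashlib.sha384,
    "prf-hmac-sha512": hashlib.sha512,
}


def prf(algorithm: str, key: bytes, data: bytes) -> bytes:
    """prf(K, S) as used by IKEv2: an HMAC keyed with K over S."""
    return hmac.new(key, data, PRF_ALGORITHMS[algorithm]).digest()


def prf_plus(algorithm: str, key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13.

    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n); output = T1 | T2 | ...
    truncated to `length` bytes. The counter is one octet, so at most 255 blocks.
    """
    output = b""
    previous = b""
    counter = 1
    while len(output) < length:
        if counter > 255:
            raise ValueError("prf+ cannot produce more than 255 blocks")
        previous = prf(algorithm, key, previous + seed + bytes([counter]))
        output += previous
        counter += 1
    return output[:length]


def derive_ike_sa_keys(algorithm, shared_secret, ni, nr, spi_i, spi_r,
                       enc_key_len, integ_key_len):
    """Derive the IKE SA keys per RFC 7296 section 2.14 (name is this example's own).

    SKEYSEED = prf(Ni | Nr, g^ir)
    {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr}
        = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)

    SK_d, SK_pi and SK_pr have the PRF output length; SK_ai/SK_ar have the
    integrity key length (zero for AEAD ciphers such as AES-GCM, which carry
    no separate integrity key); SK_ei/SK_er have the cipher key length.
    """
    prf_len = PRF_ALGORITHMS[algorithm]().digest_size
    skeyseed = prf(algorithm, ni + nr, shared_secret)
    layout = [("SK_d", prf_len), ("SK_ai", integ_key_len), ("SK_ar", integ_key_len),
              ("SK_ei", enc_key_len), ("SK_er", enc_key_len),
              ("SK_pi", prf_len), ("SK_pr", prf_len)]
    material = prf_plus(algorithm, skeyseed, ni + nr + spi_i + spi_r,
                        sum(size for _, size in layout))
    keys = {}
    offset = 0
    for name, size in layout:
        keys[name] = material[offset:offset + size]
        offset += size
    return keys


# Constructed sample inputs (not captured from a real exchange): fixed nonces,
# SPIs and a placeholder standing in for the Diffie-Hellman shared secret g^ir.
SAMPLE_SECRET = bytes(range(32))
SAMPLE_NI = b"\x11" * 32
SAMPLE_NR = b"\x22" * 32
SAMPLE_SPI_I = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SAMPLE_SPI_R = b"\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"


def peers_agree(initiator_prf: str, responder_prf: str, aead: bool = True) -> bool:
    """True when both peers derive identical SK_ei/SK_er from the same exchange.

    With aead=True the integrity keys are empty, as for an AES-GCM proposal.
    """
    integ = 0 if aead else 32
    a = derive_ike_sa_keys(initiator_prf, SAMPLE_SECRET, SAMPLE_NI, SAMPLE_NR,
                           SAMPLE_SPI_I, SAMPLE_SPI_R, 32, integ)
    b = derive_ike_sa_keys(responder_prf, SAMPLE_SECRET, SAMPLE_NI, SAMPLE_NR,
                           SAMPLE_SPI_I, SAMPLE_SPI_R, 32, integ)
    return a["SK_ei"] == b["SK_ei"] and a["SK_er"] == b["SK_er"]


if __name__ == "__main__":
    print("same PRF on both sides:", peers_agree("prf-hmac-sha256", "prf-hmac-sha256"))  # True
    print("sha256 vs sha384:", peers_agree("prf-hmac-sha256", "prf-hmac-sha384"))  # False
```

The keys on the two sides are identical only when every input to prf+ matches, and the PRF choice is one of those inputs: even with the same nonces, SPIs and shared secret, an initiator deriving with prf-hmac-sha256 and a responder deriving with prf-hmac-sha384 end up with unrelated SK_ei/SK_er, so neither can decrypt the other's IKE_AUTH traffic.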
Options
| Option | Description |
|---|---|
| prf-hmac-sha1 | Specify the HMAC-SHA1 pseudorandom function algorithm. |
| prf-hmac-sha256 | Specify the HMAC-SHA256 pseudorandom function algorithm. |
| prf-hmac-sha384 | Specify the HMAC-SHA384 pseudorandom function algorithm. |
| prf-hmac-sha512 | Specify the HMAC-SHA512 pseudorandom function algorithm. |
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 26.2R1.