prf-algorithm

Syntax

Hierarchy Level

Description

Defines a pseudorandom function (PRF) algorithm that explicitly associates a PRF with an Internet Key Exchange version 2 (IKEv2) proposal for IPsec VPN service with the iked process. The IKE handshake succeeds only when both peers use the same PRF algorithm. The following points describe PRF algorithm behavior and operational considerations for IKE proposals:

  • IKEv1 doesn't support PRF algorithm negotiation.

  • If the two peers use different PRF algorithms, the IKE handshake fails.

  • Avoid configuring a PRF in an IKE proposal that uses Authenticated Encryption with Associated Data (AEAD) ciphers, such as AES-GCM and ChaCha20-Poly1305. The commit fails because AEAD ciphers implicitly define the PRF behavior. For example, AES-GCM variants, such as the aes-256-gcm authenticated-encryption algorithm, are internally associated with PRF-384 and cannot use PRF-256. The configuration rejects such inconsistent combinations before they cause negotiation failures.

  • If you don't configure a PRF, the iked process preserves the previous behavior and uses the PRF implicitly derived from the configured authentication algorithm.

  • If you configure a PRF, existing SAs remain unchanged when the configured PRF matches the previously derived value. If the configured PRF differs, the iked process deletes the SAs.

  • To view the PRF algorithm used during the IKEv2 handshake, use the command show security ike sa detail.
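
The rules above, modelled as a pre-change impact check (an added example, not Juniper code or Junos syntax). The dictionary keys, the finding labels, the authentication-to-PRF mapping and the AEAD name matching are assumptions made for illustration; the sample proposals are constructed.

```python
# Added example: models the prf-algorithm rules listed above. Not Junos code.
# ASSUMED: authentication-algorithm -> implicitly derived PRF mapping.
DERIVED_PRF = {
    "sha1": "prf-hmac-sha1",
    "sha-256": "prf-hmac-sha256",
    "sha-384": "prf-hmac-sha384",
    "sha-512": "prf-hmac-sha512",
}

def is_aead(enc):
    # ASSUMED name matching for AES-GCM and ChaCha20-Poly1305 ciphers.
    return "gcm" in enc or "chacha20-poly1305" in enc

def effective_prf(proposal):
    """Explicit PRF if configured, else the one derived from the auth algorithm."""
    return proposal.get("prf") or DERIVED_PRF.get(proposal.get("auth"))

def assess_change(old, new, peer):
    """Return findings for replacing proposal `old` with `new` against `peer`."""
    # An explicit PRF combined with an AEAD cipher is rejected at commit time.
    if new.get("prf") and is_aead(new["enc"]):
        return ["commit-fails"]
    findings = []
    # SAs survive only if the configured PRF equals the previously derived one.
    if new.get("prf") and effective_prf(new) != effective_prf(old):
        findings.append("sas-deleted")
    # Both peers must end up with the same PRF or the IKEv2 handshake fails.
    mine, theirs = effective_prf(new), effective_prf(peer)
    if mine and theirs and mine != theirs:
        findings.append("handshake-fails")
    return findings

# Constructed sample proposals (hypothetical values).
CURRENT = {"enc": "aes-256-cbc", "auth": "sha-256"}
PEER = {"enc": "aes-256-cbc", "auth": "sha-256"}
SAME = dict(CURRENT, prf="prf-hmac-sha256")
DIFFERENT = dict(CURRENT, prf="prf-hmac-sha384")
AEAD = {"enc": "aes-256-gcm", "prf": "prf-hmac-sha256"}

if __name__ == "__main__":
    for name, new in [("same", SAME), ("different", DIFFERENT), ("aead", AEAD)]:
        print(name, assess_change(CURRENT, new, PEER))
```

Running the check before a maintenance window shows whether an explicit PRF leaves existing SAs in place or forces them to be deleted and renegotiated.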

Options

prf-hmac-sha1

Specify the HMAC-SHA1 pseudorandom function algorithm.

prf-hmac-sha256

Specify the HMAC-SHA256 pseudorandom function algorithm.

prf-hmac-sha384

Specify the HMAC-SHA384 pseudorandom function algorithm.

prf-hmac-sha512

Specify the HMAC-SHA512 pseudorandom function algorithm.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 26.2R1.