hash [sha|md5]
Specifies the hash algorithm (SHA or MD5) used for authentication in ISAKMP Phase 1 proposals to ensure data integrity and peer authentication.
hash [sha|md5]
When to Use This Command
- Configuring a VPN between two branch offices requiring SHA-1 for stronger security.
- Setting up a remote-access VPN with legacy devices that only support MD5.
- Aligning the hash algorithm with a peer that uses SHA-256 (only SHA-1 and MD5 are available, so this command sets the base).
- Creating multiple ISAKMP policies with different hash algorithms for different peers.
Command Examples
Setting SHA as the hash algorithm
hash sha
No output is displayed; the command configures the hash algorithm silently. Use 'do show crypto isakmp policy' to verify.
Setting MD5 as the hash algorithm
hash md5
No output is displayed; the command configures the hash algorithm silently. Use 'do show crypto isakmp policy' to verify.
Understanding the Output
This command does not produce any output when executed. To verify the configured hash algorithm, use 'show crypto isakmp policy'. In the output, look for the 'hash' field under the policy details. For example: 'hash : sha' or 'hash : md5'. A correct configuration shows the desired algorithm. A mismatch with the peer will cause Phase 1 failures. Ensure both ends use the same hash algorithm.
CCNA Exam Tips
CCNA exam tip: The default hash algorithm is SHA-1; MD5 is considered weaker and less secure.
CCNA exam tip: The hash command is configured under ISAKMP policy config mode; you must first create a policy with 'crypto isakmp policy <priority>'.
CCNA exam tip: Both peers must have matching hash algorithms (and other parameters) for IKE Phase 1 to succeed.
CCNA exam tip: The exam may test that SHA is more secure than MD5; MD5 is still supported for backward compatibility.
Common Mistakes
Mistake 1: Forgetting to enter ISAKMP policy configuration mode before using the hash command, resulting in '% Invalid input detected'.
Mistake 2: Using 'hash sha256' or other unsupported algorithms; only 'sha' and 'md5' are valid.
Mistake 3: Configuring hash on one peer but not the other, causing IKE negotiation to fail.
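The matching requirement and the SHA default described above can be checked offline before a tunnel is brought up. The script below is an added example, not part of the original page or of any Cisco tooling: it reads the 'crypto isakmp policy' blocks from two saved configurations, reports whether the peers share a hash algorithm, and lists the policies that still use MD5. The function names and sample configurations are constructed for illustration, and it assumes a policy with no hash line is using the default.

```python
import re

DEFAULT_HASH = "sha"  # per the page, SHA-1 is the default; assumed absent from the config when unchanged

# Constructed sample configurations (not taken from real devices).
SITE_A = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""
SITE_B = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""
SITE_C = "crypto isakmp policy 10\n encr aes\n authentication pre-share\n group 2\n"

def parse_isakmp_hashes(config_text):
    """Return {priority: hash} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config_text.splitlines():
        start = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if start:
            current = int(start.group(1))
            policies[current] = DEFAULT_HASH  # stays unless a hash line follows
        elif current is not None and line.startswith(" "):
            found = re.match(r"\s+hash (sha|md5)\s*$", line)
            if found:
                policies[current] = found.group(1)
        else:
            current = None  # an unindented line closes the policy block
    return policies

def audit_hash(local_cfg, peer_cfg):
    """Compare only the hash setting; other Phase 1 parameters are out of scope."""
    local, peer = parse_isakmp_hashes(local_cfg), parse_isakmp_hashes(peer_cfg)
    common = sorted(set(local.values()) & set(peer.values()))
    weak = lambda pol: sorted(p for p, h in pol.items() if h == "md5")
    return {"common_hashes": common, "hash_mismatch": not common,
            "md5_policies": {"local": weak(local), "peer": weak(peer)}}

if __name__ == "__main__":
    print(audit_hash(SITE_A, SITE_B))  # peers share only md5
    print(audit_hash(SITE_B, SITE_C))  # no common hash
```

A result whose only common hash is md5 means the peers can agree on nothing stronger, which is worth fixing on both ends rather than leaving for backward compatibility.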