3Com 3C13618 Command Reference Manual page 733

3com 3c13618: reference guide

Security
ensure the uniqueness of an SA, it is necessary to specify different SPI values for
different SAs.
hex-key: Specifies the secret key for the SA, entered in hex format. If MD5 is used,
enter a 16-byte secret key; if SHA1 is used, enter a 20-byte secret key; if the
hardware encryption algorithm is used, enter a 16-byte secret key. For ESP, the
authentication-hex keyword sets the authentication key for the authentication
algorithm, and the encryption-hex keyword sets the encryption key for the
encryption algorithm.
string-key: Specifies the secret key for the SA, entered as a character string
composed of a-z and 0-9 (case insensitive), with a length of 1 to 150 characters.
For different algorithms, you can input character strings of any length, and the
system automatically generates secret keys that meet the algorithm requirements
from the input string. For ESP, the system automatically generates the secret key
for the authentication algorithm and the secret key for the encryption algorithm
at the same time.
Description
Using the sa inbound/outbound command, you can configure the SA parameters.
Using the undo sa inbound/outbound command, you can cancel the SA parameters
already set.
This command applies to the IPSec module of the operating system and crypto
card.
This command is used for an IPSec policy in manual mode. It sets the SA
parameters manually and creates an SA manually.
For an IPSec policy in isakmp negotiation mode, it is unnecessary to set the SA
parameters manually, and this command is invalid. IKE automatically negotiates the
SA parameters and creates an SA.
The SA parameters set at both ends of the security tunnel must match fully.
The SPI and secret key of the inbound SA at the local end must be the same as those
of the outbound SA at the peer. The SPI and secret key of the outbound SA at the
local end must be the same as those of the inbound SA at the peer.
There are two methods for entering the secret key: hex and character string. A secret
key entered as a character string takes precedence. If a secret key is entered by
both methods, the key entered as a character string is used.
At both ends of a security tunnel, the secret key must be entered by the same method.
If it is entered as a character string at one end and in hex at the other end, the
security tunnel cannot be set up correctly.
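
The matching rules above can be checked offline before a manual-mode tunnel is brought up. The following Python code is an added example, not part of the 3Com manual: the dictionary layout, field names and sample values are constructed for illustration and are not device syntax, and it checks only the authentication key (MD5 and SHA1 lengths).

```python
# Lint two peers' manual-mode SA settings against the rules described above.
# Assumption: each SA is a dict with "spi", "auth" and "hex_key" or "string_key".
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}  # hex-key lengths stated in the manual


def effective_key(sa):
    """Return (method, key); a string key takes precedence over a hex key."""
    if sa.get("string_key"):
        return "string", sa["string_key"].lower()  # string keys are case insensitive
    return "hex", sa.get("hex_key", "").lower()


def check_sa(name, sa):
    """Check one SA's own key against the length and character-set rules."""
    method, key = effective_key(sa)
    if method == "string":
        ok = 1 <= len(key) <= 150 and key.isascii() and key.isalnum()
        return [] if ok else [f"{name}: string key must be 1-150 chars of a-z, 0-9"]
    try:
        n = len(bytes.fromhex(key))
    except ValueError:
        return [f"{name}: hex key is not valid hex"]
    want = AUTH_KEY_BYTES[sa["auth"]]
    return [] if n == want else [f"{name}: {sa['auth']} needs {want} bytes, got {n}"]


def check_tunnel(local, peer):
    """Compare each direction: local inbound vs peer outbound, and the reverse."""
    problems = []
    for a, b in (("inbound", "outbound"), ("outbound", "inbound")):
        la, pb = local[a], peer[b]
        problems += check_sa(f"local {a}", la) + check_sa(f"peer {b}", pb)
        if la["spi"] != pb["spi"]:
            problems.append(f"SPI mismatch: local {a} vs peer {b}")
        (lm, lk), (pm, pk) = effective_key(la), effective_key(pb)
        if lm != pm:
            problems.append(f"key input method differs: local {a} vs peer {b}")
        elif lk != pk:
            problems.append(f"key mismatch: local {a} vs peer {b}")
    return problems


KEY = "00112233445566778899aabbccddeeff"  # constructed 16-byte (MD5) sample key
HEX_IN = {"spi": 1001, "auth": "md5", "hex_key": KEY}
HEX_OUT = {"spi": 2002, "auth": "md5", "hex_key": KEY}
SITE_A = {"inbound": HEX_IN, "outbound": HEX_OUT}
# Constructed fault: site B enters its outbound key as a string, site A uses hex.
SITE_B = {"inbound": HEX_OUT,
          "outbound": {"spi": 1001, "auth": "md5", "string_key": "tunnelkey1"}}
```

Calling check_tunnel(SITE_A, SITE_B) reports the mixed input methods on the A-inbound/B-outbound direction, the case in which the manual says the tunnel cannot be set up correctly.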