H3C MSR Series Command Reference Manual page 554

Comware 7 security

undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
undo esp authentication-algorithm
Default
ESP does not use any authentication algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
aes-xcbc-mac: Uses the HMAC-AES-XCBC-96 algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.
md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key.
sha256: Uses the HMAC-SHA256 algorithm, which uses a 256-bit key.
sha384: Uses the HMAC-SHA384 algorithm, which uses a 384-bit key.
sha512: Uses the HMAC-SHA512 algorithm, which uses a 512-bit key.
sm3: Uses the HMAC-SM3 algorithm, which uses a 256-bit key. This keyword is available only for IKEv1.
The following matrix shows the sm3 keyword and hardware compatibility:

Hardware | Keyword compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | Yes
MSR2600-10-X1 | No
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Usage guidelines
In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
For a manual or IKEv1-based IPsec policy, the first specified ESP authentication algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP authentication algorithm.
Examples
# Configure the IPsec transform set tran1 to use the HMAC-SHA1 algorithm as the ESP authentication algorithm.
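
Under the usage guidelines above, two tunnel ends that list the same algorithms in a different order do not satisfy the first-algorithm rule. The following Python check is an added example, not part of the H3C manual: it reads the esp authentication-algorithm lines from two configurations and reports keyword and ordering problems. The "ipsec transform-set <name>" line that opens each view and the two sample configurations are assumptions constructed for illustration.

```python
import re

# Keywords from the Parameters list; FIPS set from the "In FIPS mode" syntax line.
ALL_ALGS = {"aes-xcbc-mac", "md5", "sha1", "sha256", "sha384", "sha512", "sm3"}
FIPS_ALGS = {"sha1", "sha256", "sha384", "sha512"}
ONLY_FOR = {"aes-xcbc-mac": "IKEv2", "sm3": "IKEv1"}

def parse_transform_sets(config_text):
    """Return {transform set name: [ESP auth algorithms in configured order]}."""
    sets, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        head = re.fullmatch(r"ipsec transform-set (\S+)", line)  # assumed view line
        auth = re.fullmatch(r"esp authentication-algorithm (.+)", line)
        if head:
            current = head.group(1)
            sets.setdefault(current, [])
        elif auth and current is not None:
            sets[current] = auth.group(1).split()
        elif not raw.startswith(" "):
            current = None  # any other unindented line leaves the view
    return sets

def audit_pair(local, peer, policy="IKEv1", fips=False):
    """policy is 'manual', 'IKEv1' or 'IKEv2'. Returns a list of findings."""
    findings = []
    for side, algs in (("local", local), ("peer", peer)):
        if not algs:
            findings.append(f"{side}: no ESP authentication algorithm (the default)")
        for alg in algs:
            if alg not in ALL_ALGS:
                findings.append(f"{side}: unknown keyword {alg}")
            elif fips and alg not in FIPS_ALGS:
                findings.append(f"{side}: {alg} is not available in FIPS mode")
            elif alg in ONLY_FOR and ONLY_FOR[alg] != policy:
                findings.append(f"{side}: {alg} is available only for {ONLY_FOR[alg]}")
    # The page states the first-algorithm rule for manual and IKEv1-based policies.
    if policy in ("manual", "IKEv1") and local and peer and local[0] != peer[0]:
        findings.append(f"first algorithm differs: local {local[0]}, peer {peer[0]}")
    return findings

# Constructed sample configurations: same algorithms at both ends, different order.
LOCAL_CFG = "#\nipsec transform-set tran1\n esp authentication-algorithm sha256 sha1\n#\n"
PEER_CFG = "#\nipsec transform-set tran1\n esp authentication-algorithm sha1 sha256\n#\n"

if __name__ == "__main__":
    local = parse_transform_sets(LOCAL_CFG)["tran1"]
    peer = parse_transform_sets(PEER_CFG)["tran1"]
    for finding in audit_pair(local, peer, policy="IKEv1"):
        print(finding)
```
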