IPSec Capability Comparison

Table 2-10 IPSec capability comparison

| IPSec Function | HUAWEI Firewalls | H3C Firewalls |
|---|---|---|
| ISAKMP mode | √ | √ |
| Policy template mode | √ | √ |
| Virtual tunnel interface mode | √ | × |
| NAT traversal | √ | √ |
| GRE over IPSec | √ | √ |
| Service mode | × | √ |
| Manual mode | √ | √ |
Comparison of Major Processes for Configuring the IPSec Service
Figure 2-12 shows the major processes of IPSec service configuration on HUAWEI firewalls and H3C firewalls.
Figure 2-12 Process for configuring IPSec services on HUAWEI firewalls and H3C firewalls
As shown in the figure, the IKEv2 policy, IKE keychain, and IKE profile configurations are additional steps on the H3C firewalls; the other configuration steps are similar on the two firewalls.
The following table lists the precautions for each configuration step and how the steps on the two firewalls correspond.
Table 2-11 Precautions and configuration association between HUAWEI firewalls and H3C firewalls

| HUAWEI Firewalls | H3C Firewalls |
|---|---|
| Complete basic configurations. | Corresponding to the basic configuration on the HUAWEI firewalls, the H3C configuration also includes the interface, security policy, and route configuration, and the methods are basically the same.<br>Different from the HUAWEI firewalls, the tunnel protocol of a tunnel interface cannot be set to IPSec on the H3C firewalls, so an IPSec tunnel cannot be established in virtual tunnel interface (routing) mode. |
| Configure an ACL. | Basically the same as the ACL configuration on the HUAWEI firewalls. |
| Configure an IKE proposal.<br>Run the ike proposal command to enter the IKE proposal view and configure the IKE encryption algorithm, authentication algorithm, and DH group. | IKEv1: configure an IKE proposal. Run the ike proposal command to enter the IKE proposal view and configure the IKE encryption algorithm, authentication algorithm, DH group, and authentication method (dsa-signature, pre-share, or rsa-signature).<br>IKEv2: configure an IKEv2 proposal and an IKEv2 policy. Run the ikev2 proposal command to enter the IKEv2 proposal view and configure the encryption algorithm, integrity algorithm, and DH group. Then run the ikev2 policy command to enter the IKEv2 policy view and reference the IKEv2 proposal. The IKEv2 policy is required only when IKEv2 is used. |
| Configure IKE peers.<br>Run the ike peer command to enter the IKE peer view and configure the IKE negotiation mode, IKE version, pre-shared key, peer IP address, and referenced IKE proposal.<br>Each IKE peer can be configured with only one pre-shared key. | Configure the IKE keychain and IKE profile. Each IKE keychain can hold multiple pre-shared keys, each bound to a peer identity, so that every peer can use a different pre-shared key.<br>IKEv1: run the ike keychain command to enter the IKE keychain view and specify the pre-shared key used for negotiation with a peer. Run the ike profile command to enter the IKE profile view and configure the IKE negotiation mode, peer identity, referenced IKE keychain, and IKE proposal.<br>IKEv2: run the ikev2 keychain command to enter the IKEv2 keychain view and specify the pre-shared key used for negotiation with a peer. Run the ikev2 profile command to enter the IKEv2 profile view and configure the local and peer identities, authentication method (dsa-signature, pre-share, or rsa-signature), and referenced IKEv2 keychain. |
| Configure an IPSec proposal. | Basically the same as the IPSec proposal configuration on the HUAWEI firewalls. |
| Configure an IPSec policy or template. | Basically the same as the IPSec policy or template configuration on the HUAWEI firewalls. |
| Apply the policy to an interface. | Basically the same as the configuration for applying the policy to an interface on the HUAWEI firewalls. |
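The following constructed example lays the two configuration sequences from the table side by side for an IKEv2, pre-shared-key, ISAKMP-mode tunnel. It is added by the editor and is not taken from either vendor's documentation: the interface names, object names, addresses (HUAWEI end 203.0.113.1 protecting 10.2.2.0/24, H3C end 198.51.100.1 protecting 10.1.1.0/24) and the pre-shared key are placeholders, the basic interface, security-policy and route configuration is omitted, and the command syntax is assumed to follow the H3C Comware 7 and HUAWEI USG IKEv2 command families, so check it against the command reference for the exact software version in use. Every algorithm is set explicitly rather than left at its default.

```text
# ---- H3C firewall (Comware) ----
# The IKEv2 policy, keychain and profile have no separate counterpart on the HUAWEI side.
acl advanced 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
#
ikev2 proposal PROP1
 encryption aes-cbc-256
 integrity sha256
 prf sha256
 dh group14
#
# Additional on H3C: the IKEv2 policy only references the proposal.
ikev2 policy POL1
 proposal PROP1
#
# Additional on H3C: one keychain may hold a different pre-shared key per peer identity.
ikev2 keychain KC1
 peer HUB
  address 203.0.113.1 255.255.255.255
  identity address 203.0.113.1
  pre-shared-key plaintext Example-PSK-change-me
#
# Additional on H3C: the profile ties identities, authentication method and keychain together.
ikev2 profile PROF1
 authentication-method local pre-share
 authentication-method remote pre-share
 keychain KC1
 identity local address 198.51.100.1
 match remote identity address 203.0.113.1 255.255.255.255
#
# Transform set = HUAWEI "ipsec proposal"; both ESP algorithms are set explicitly.
ipsec transform-set TS1
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
#
ipsec policy MAP1 10 isakmp
 transform-set TS1
 security acl 3000
 remote-address 203.0.113.1
 ikev2-profile PROF1
#
interface GigabitEthernet1/0/1
 ip address 198.51.100.1 255.255.255.0
 ipsec apply policy MAP1

# ---- HUAWEI firewall (USG) ----
# A single ike peer carries version, pre-shared key, peer address and proposal reference,
# i.e. what the H3C keychain + profile + policy express as three objects.
acl 3000
 rule 5 permit ip source 10.2.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 10
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
 dh group14
#
ike peer SPOKE
 version 2
 pre-shared-key Example-PSK-change-me
 ike-proposal 10
 remote-address 198.51.100.1
#
ipsec proposal PROP1
 esp encryption-algorithm aes-256
 esp authentication-algorithm sha2-256
#
ipsec policy MAP1 10 isakmp
 security acl 3000
 ike-peer SPOKE
 proposal PROP1
#
interface GigabitEthernet1/0/1
 ip address 203.0.113.1 255.255.255.0
 ipsec policy MAP1
```

The two ACLs are mirror images of each other, both ends select IKEv2 (the H3C side through the IKEv2 profile, the HUAWEI side through version 2 in the IKE peer), and the proposal, transform-set and IKE algorithm choices match on both sides; if any of these differ, the negotiation fails before any traffic is protected.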
Comparison Between IPSec Default Values
Table 2-12 Comparison between the default IPSec values of HUAWEI firewalls and H3C firewalls

| Configuration Item | HUAWEI Firewalls | H3C Firewalls (IKEv1) | H3C Firewalls (IKEv2) |
|---|---|---|---|
| IKE proposal | Encryption algorithm: AES-128<br>Authentication algorithm: SHA2-256<br>Integrity algorithm: HMAC-SHA2-256<br>DH: group2<br>Authentication method: pre-share | Encryption algorithm: DES-CBC<br>Authentication algorithm: SHA1<br>Authentication method: pre-share<br>DH: group1 | Encryption algorithms: AES-CBC-128 and 3DES<br>Integrity algorithms: SHA1 and MD5<br>DH: group5 and group2 |
| IKE profile (IKE peer) | The IKE phase 1 negotiation mode is main mode.<br>IKEv1 and IKEv2 are both enabled. | The IKE phase 1 negotiation mode is main mode.<br>No keychain is referenced. | No authentication method is set.<br>The local and peer identities are not configured.<br>No keychain is referenced. |
| IPSec proposal | Security protocol: ESP<br>ESP encryption algorithm: AES-128<br>ESP authentication algorithm: SHA2-256<br>IP packets are encapsulated in tunnel mode. | Security protocol: ESP<br>ESP uses no encryption algorithm.<br>ESP uses no authentication algorithm.<br>IP packets are encapsulated in tunnel mode. | Same as for IKEv1 (the IPSec proposal does not depend on the IKE version). |
| IKEv2 policy | - | - | No IKEv2 proposal is referenced. |
| IKE keychain | - | By default, no IKE keychain exists. | By default, no IKEv2 keychain exists. |

The H3C defaults are not safe to rely on: the IKEv1 proposal defaults to DES-CBC with DH group1, and the IPSec proposal defaults to ESP with neither an encryption nor an authentication algorithm, so a configuration that omits these commands negotiates a tunnel that protects nothing. On both firewalls, set the IKE and ESP algorithms and the DH group explicitly and verify them with the display commands after the tunnel is up.