No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S12700 V200R011C10 Configuration Guide - VPN

This document describes the VPN configuration procedures and provides configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring an IPSec Session for Encryption

Configuring an IPSec Session for Encryption

Context

Internet Protocol Security (IPSec) can be configured to prevent data theft and spoofing during data transmission in a network.

A security association (SA) must be established so that IPSec can protect transmitted data. An SA is a unidirectional logical connection set up for security purpose and specifies the elements used by two IPSec peers (two parties that use the IPSec protocol to protect data transmitted between them). The elements of an SA include the following:

  • Security protocol
  • Authentication or encryption algorithm supported by the security protocol
  • Data encapsulation mode
  • Security parameter index (SPI) of the SA
  • Authentication key or encryption key of the SA

The first three elements are specified in an IPSec proposal. To configure IPSec functions, first configure an IPSec proposal on the IPSec peers, and then configure an SA.

Procedure

  1. Configure an IPSec proposal.
    1. Run system-view

      The system view is displayed.

    2. Run ipsec proposal proposal-name

      An IPSec proposal is created and the IPSec proposal view is displayed.

    3. Run transform { ah | esp }

      A security protocol is specified for the IPSec proposal.

      By default, the security protocol used by an IPSec proposal is the Encapsulation Security Protocol (ESP).

    4. An authentication or encryption algorithm is configured.

      • If AH is used, you can only configure the AH-specific authentication algorithm because AH only authenticates packets.

        Run the ah authentication-algorithm { md5 | sha1 | sha2-256 } command to specify the authentication algorithm for the AH protocol.

        By default, the AH protocol uses the Secure Hash Algorithm-256 (SHA2-256) authentication algorithm.

      • When ESP is specified, ESP can encrypt/authenticate, or encrypt and authenticate packets. Configure the ESP-specific authentication or encryption algorithm.
        • Run the esp authentication-algorithm { md5 | sha1 | sha2-256 } command to specify the authentication algorithm for the ESP protocol.

          By default, the authentication algorithm Secure Hash Algorithm-256 (SHA-256) is used for ESP.

        • Run the esp encryption-algorithm { des | 3des | aes [ 128 | 192 | 256 ] } command to specify the encryption algorithm for the ESP protocol.

          By default, the encryption algorithm Advanced Encryption Standard-256 (AES-256) is used for ESP.

      The MD5, SHA-1, DES, and 3DES algorithms are not recommended because they cannot meet your security defense requirements.

    5. Run encapsulation-mode { transport | tunnel }

      A data encapsulation mode is specified for the security protocol.

      By default, the data encapsulation mode is tunnel.

      NOTE:

      In transport mode, the packet encryption device and decryption device must be the originator and receiver of packets.

    6. Run quit

      Return to the system view.

  2. Configure an IPSec SA.
    1. Run ipsec sa sa-name

      An IPSec SA is created and the IPSec SA view is displayed.

      By default, no IPSec SA exists in the system.

    2. Run proposal proposal-name

      The IPSec proposal is bound to the IPSec SA.

      By default, an IPSec policy does not reference any IPSec proposal.

      NOTE:

      An IPSec can use only one IPSec proposal. To bind a new IPSec proposal to the IPSec SA, delete the original IPSec proposal.

    3. Run sa spi { inbound | outbound } { ah | esp } spi-number

      An SPI is configured for the SA.

      NOTE:
      • An SPI uniquely identifies an SA. Each SA must be configured with an inbound SPI and an outbound SPI. The outbound SPI on the local end must be the same as the inbound SPI on the remote end.
      • The security protocol (AH or ESP) you select when configuring the SPI must be the same as that used in the IPSec proposal bound to the SA.

    4. Configure a key according to the security protocol used in the IPSec proposal bound to the SA.

      • If the AH protocol is used, you can configure an authentication key that is a hexadecimal number or a character string.
        • Run the sa authentication-hex { inbound | outbound } ah [ cipher ] hex-cipher-key command to configure a hexadecimal authentication key.

        • Run the sa string-key { inbound | outbound } ah [ cipher ] string-cipher-key command to configure a character string as the authentication key.

      • If the ESP protocol is used, you can run one of the following commands to configure the authentication key or the encryption key. You can also configure both the authentication key and encryption key. If the two keys are configured at the same time, they can only be hexadecimal keys.
        • Run the sa authentication-hex { inbound | outbound } esp [ cipher ] hex-cipher-key command to configure a hexadecimal authentication key.

        • Run the sa string-key { inbound | outbound } esp [ cipher ] string-cipher-key command to configure a character string as the authentication key.

        • Run the sa encryption-hex { inbound | outbound } esp [ cipher ] hex-cipher-key command to configure a hexadecimal encryption key.

      NOTE:
      • The security protocol (AH or ESP) you select when configuring the key must be the same as that used in the IPSec proposal bound to the SA.
      • The outbound key on the local end must be the same as the inbound key on the remote end.
      • The IPSec peers must use the authentication or encryption key in the same format. For example, if the key on one end is a character string but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be set up.
      • If you configure multiple keys in different formats, the last configured key takes effect.

  3. Verify the configuration.
    1. Run the display ipsec sa [ name sa-name ] [ brief ] command to check information about the SA.
    2. Run the display ipsec proposal [ name proposal-name ] command to check information about the security proposal.
    3. Run the display ipsec statistics [ sa-name sa-name slot slot-number ] command to check statistics about packets processed by IPSec.
Translation
Download
Updated: 2019-04-01

Document ID: EDOC1000178118

Views: 158804

Downloads: 159

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next