CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Configuring an IPSec Proposal


An IPSec proposal, as part of an IPSec policy or an IPSec profile, defines the security parameters used in IPSec SA negotiation: the security protocol (AH, ESP, or both), the authentication and encryption algorithms, and the encapsulation mode. Both ends of an IPSec tunnel must be configured with the same parameters; otherwise, SA negotiation fails.


  1. Run system-view

    The system view is displayed.

  2. Run ipsec proposal proposal-name

    An IPSec proposal is created and the IPSec proposal view is displayed.

  3. Run transform { ah | esp | ah-esp }

    A security protocol is configured.

    By default, an IPSec proposal uses ESP.

  4. Configure an authentication or encryption algorithm according to the security protocol selected in step 3.

    • If AH is used, you can only configure the AH-specific authentication algorithm because AH only authenticates packets.

      Run ah authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

      An AH-specific authentication algorithm is configured.

      By default, the AH authentication algorithm is SHA2-256.

    • When ESP is used, ESP can authenticate packets, encrypt packets, or both. Configure the ESP authentication algorithm, the ESP encryption algorithm, or both.

      • Run esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

        An ESP-specific authentication algorithm is configured.

        By default, the ESP authentication algorithm is SHA2-256.

      • Run esp encryption-algorithm { 3des | des | aes-128 | aes-192 | aes-256 }

        An ESP-specific encryption algorithm is configured.

        By default, the ESP encryption algorithm is AES-256.

    • When both AH and ESP are used, AH authenticates packets, and ESP can encrypt and authenticate packets. You can configure an AH authentication algorithm, ESP authentication and encryption algorithms, or both. The device first adds the ESP header and then the AH header to packets.

    • Authentication algorithms SHA2-256, SHA2-384, and SHA2-512 are recommended to improve packet transmission security; authentication algorithms MD5 and SHA1 are not recommended.
    • Encryption algorithms AES-128, AES-192, and AES-256 are recommended to improve packet transmission security; encryption algorithms DES and 3DES are not recommended.

  5. Run encapsulation-mode { transport | tunnel }

    An IP packet encapsulation mode is configured.

    By default, IPSec uses the tunnel mode to encapsulate IP packets.

    When IKEv2 is used, the encapsulation modes in all the IPSec proposals configured on the IKE initiator must be the same; otherwise, IKE negotiation fails.


    When L2TP over IPSec or GRE over IPSec is configured, a public IP header is already added to packets during L2TP or GRE encapsulation. Compared with the transport mode, the tunnel mode adds a second public IP header, so packets are longer and more likely to be fragmented. The transport mode is therefore recommended in these scenarios.

  6. Run quit

    Exit the IPSec proposal view.

  7. (Optional) Run ipsec authentication sha2 compatible enable

    SHA-2 compatibility with earlier software versions is enabled.

    By default, SHA-2 compatibility with earlier software versions is disabled.

    When IPSec uses a SHA-2 authentication algorithm and the devices at the two ends of the IPSec tunnel are from different vendors or run different software versions, they may implement the SHA-2 algorithm differently. Packets then fail authentication, and traffic between the devices is interrupted.

    To solve this problem, enable SHA-2 compatibility with earlier versions.
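The complete procedure above, as an added example that is not part of this guide and is not Huawei code: the `ipsec proposal` blocks in the constructed configuration text are assumed to have been typed in as steps 2 to 6 describe, and a small parser then fills in the documented defaults (ESP, SHA2-256, AES-256, tunnel mode) for anything that was not set explicitly and checks the three things this procedure warns about: MD5/SHA1/DES/3DES in the protocol actually selected by `transform`, mixed encapsulation modes across an IKEv2 initiator's proposals, and a peer whose proposal does not match. The parser, the sample configuration, the peer proposal and the function names are all assumptions made for this example.

```python
"""Audit VRP-style 'ipsec proposal' blocks against this procedure's defaults
and recommendations.  Added example, not Huawei code: the parser, the sample
configuration below and the function names are assumptions made here."""
import re

# Defaults stated in steps 3 to 5.
DEFAULTS = {
    "transform": "esp",
    "ah_auth": "sha2-256",
    "esp_auth": "sha2-256",
    "esp_enc": "aes-256",
    "encap": "tunnel",
}
WEAK_AUTH = {"md5", "sha1"}      # step 4: not recommended
WEAK_ENC = {"des", "3des"}       # step 4: not recommended

# Constructed sample: two proposals on the local router, one of them using
# legacy algorithms and transport mode, and the peer's copy of 'strong'.
LOCAL_CONFIG = """\
#
ipsec proposal legacy
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
 encapsulation-mode transport
#
ipsec proposal strong
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
#
"""
PEER_CONFIG = """\
#
ipsec proposal strong
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
 encapsulation-mode transport
#
"""

COMMANDS = (
    (r"transform (ah|esp|ah-esp)$", "transform"),
    (r"ah authentication-algorithm (\S+)$", "ah_auth"),
    (r"esp authentication-algorithm (\S+)$", "esp_auth"),
    (r"esp encryption-algorithm (\S+)$", "esp_enc"),
    (r"encapsulation-mode (transport|tunnel)$", "encap"),
)


def parse_proposals(config):
    """Return {name: settings}; unset parameters take the documented defaults."""
    proposals, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                 # block separator in VRP configuration output
            current = None
            continue
        m = re.match(r"ipsec proposal (\S+)$", line)
        if m:
            current = proposals[m.group(1)] = dict(DEFAULTS)
            continue
        if current is None:
            continue
        for pattern, key in COMMANDS:
            m = re.match(pattern, line)
            if m:
                current[key] = m.group(1)
                break
    return proposals


def audit(settings):
    """Flag weak algorithms, but only for the protocol the proposal really uses."""
    findings = []
    transform = settings["transform"]
    if transform in ("ah", "ah-esp") and settings["ah_auth"] in WEAK_AUTH:
        findings.append(f"ah authentication-algorithm {settings['ah_auth']} is not recommended")
    if transform in ("esp", "ah-esp"):
        if settings["esp_auth"] in WEAK_AUTH:
            findings.append(f"esp authentication-algorithm {settings['esp_auth']} is not recommended")
        if settings["esp_enc"] in WEAK_ENC:
            findings.append(f"esp encryption-algorithm {settings['esp_enc']} is not recommended")
    return findings


def ikev2_encap_consistent(proposals):
    """Step 5 rule: an IKEv2 initiator's proposals must share one encapsulation mode."""
    return len({p["encap"] for p in proposals.values()}) <= 1


def peer_mismatches(local, peer):
    """Parameters on which the two tunnel ends disagree.  Proposal names are not
    negotiated, so the caller passes the proposal each end binds to the tunnel."""
    return [k for k in DEFAULTS if local[k] != peer[k]]


if __name__ == "__main__":
    local = parse_proposals(LOCAL_CONFIG)
    peer = parse_proposals(PEER_CONFIG)
    for name, settings in local.items():
        for finding in audit(settings):
            print(f"{name}: {finding}")
    if not ikev2_encap_consistent(local):
        print("IKEv2: proposals use different encapsulation modes; negotiation will fail")
    for key in peer_mismatches(local["strong"], peer["strong"]):
        print(f"strong: {key} differs from peer ({local['strong'][key]} vs {peer['strong'][key]})")
```

Run against `display current-configuration` output pasted into `LOCAL_CONFIG` and `PEER_CONFIG`; the `legacy` proposal is reported for SHA1 and 3DES, the mixed transport/tunnel modes trip the IKEv2 check, and the `strong` proposal is reported as differing from the peer only in encapsulation mode, which is exactly the mismatch that makes SA negotiation fail even though every algorithm agrees.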

Updated: 2019-08-07

Document ID: EDOC1100033725
