AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010 Web-based Configuration Guide
IPSec VPN
Overview
Concepts
IPSec
IPSec is a protocol suite defined by the Internet Engineering Task Force (IETF) for securing IP communication by authenticating and encrypting each IP packet of a communication session. Two communicating parties can encrypt data and authenticate the data origin at the IP layer to ensure data confidentiality and integrity and prevent replay of data packets.
IPSec uses two security protocols: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. Key exchange and SA establishment in IPSec are implemented by the IKE protocol, which simplifies the use and management of IPSec.
IPSec Security Protocol
AH defines the authentication method and checks data integrity and data origin. ESP defines the encryption and authentication methods and ensures data reliability.
- AH: provides data origin authentication, data integrity check, and the anti-replay service. The sender performs hash calculation on the IP payload and all header fields of an IP packet except for variable fields to generate a message digest. The receiver calculates a message digest according to the received IP packet and compares the two message digests to determine whether the IP packet has been modified during transmission. AH does not encrypt the IP payload.
- ESP: encrypts the IP payload in addition to providing all the functions of AH. ESP can encrypt and authenticate the IP payload but does not authenticate the IP packet header.
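The difference between the two protocols above (AH hashes the outer IP header except its mutable fields, ESP never covers the outer header) is easiest to see in code. The following is an added example, not code from the configuration guide or the device: it builds a constructed IPv4 packet, computes an AH-style and an ESP-style integrity check value (ICV) with HMAC-SHA-256 truncated to 128 bits, and shows which in-transit changes each one tolerates or detects. Keys, addresses and payloads are made up, and the AH header itself is left out of the hashed data for brevity.

```python
import hmac
import hashlib
import struct

# Added example, not from the configuration guide. Constructed packet, constructed key.
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
ICV_LEN = 16   # HMAC-SHA-256 truncated to 128 bits, as RFC 4868 specifies for IPsec


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(header: bytes) -> bytes:
    return header[:10] + struct.pack("!H", ip_checksum(header[:10] + b"\x00\x00" + header[12:])) + header[12:]


def build_ipv4_header(src: bytes, dst: bytes, payload_len: int, ttl: int = 64, proto: int = 51) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum. proto 51 = AH."""
    return _with_checksum(IPV4_HDR.pack(0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0, src, dst))


def immutable_view(header: bytes) -> bytes:
    """Zero the mutable IPv4 fields (TOS, flags/fragment offset, TTL, checksum) the way AH does
    before computing the ICV, so routers on the path may still change them."""
    fields = list(IPV4_HDR.unpack(header))
    fields[1] = 0   # TOS (DSCP/ECN)
    fields[4] = 0   # flags + fragment offset
    fields[5] = 0   # TTL
    fields[7] = 0   # header checksum
    return IPV4_HDR.pack(*fields)


def ah_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    """AH-style ICV: covers the immutable header fields plus the whole payload."""
    return hmac.new(key, immutable_view(header) + payload, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(key: bytes, payload: bytes) -> bytes:
    """ESP-style ICV: covers only the ESP-encapsulated payload, never the outer IP header."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:ICV_LEN]


def ah_verify(key: bytes, header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, header, payload), icv)


def esp_verify(key: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(esp_icv(key, payload), icv)


def decrement_ttl(header: bytes) -> bytes:
    """What every router on the path does: TTL-1 and a recomputed checksum."""
    fields = list(IPV4_HDR.unpack(header))
    fields[5] -= 1
    return _with_checksum(IPV4_HDR.pack(*fields))


def rewrite_dst(header: bytes, new_dst: bytes) -> bytes:
    """A header change that must be detected: the destination address is an immutable field."""
    fields = list(IPV4_HDR.unpack(header))
    fields[9] = new_dst
    return _with_checksum(IPV4_HDR.pack(*fields))


def demo() -> dict:
    key = b"constructed-demo-key"
    payload = b"constructed payload"
    hdr = build_ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", len(payload))
    ah = ah_icv(key, hdr, payload)
    esp = esp_icv(key, payload)
    tampered = payload[:-1] + b"!"
    return {
        "ah_after_ttl_hop": ah_verify(key, decrement_ttl(hdr), payload, ah),          # tolerated
        "ah_after_dst_rewrite": ah_verify(key, rewrite_dst(hdr, b"\x0a\x00\x00\x09"), payload, ah),
        "ah_after_payload_tamper": ah_verify(key, hdr, tampered, ah),
        "esp_after_dst_rewrite": esp_verify(key, payload, esp),   # ESP never looked at the header
        "esp_after_payload_tamper": esp_verify(key, tampered, esp),
    }
```

The dictionary returned by demo() is the point of the example: AH survives a TTL decrement but rejects a rewritten destination address, while ESP cannot tell that the outer header was changed at all. This is also why AH, unlike ESP, does not pass through NAT.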
IPSec Peer
IPSec provides secure IP communication between two endpoints. The two endpoints are called IPSec peers.
Security Association (SA)
A security association (SA) is a set of algorithms such as the encryption algorithm and parameters such as keys for secure data transmission between IPSec peers.
Transport mode: inserts an IPSec header between the IP header and the header of the upper-layer protocol (AH or ESP). In this mode, the protocol type field in the IP header is changed to AH or ESP, and the checksum in the IP header is recalculated. The transport mode applies to communication between two hosts or between a host and a security gateway.
Tunnel mode: encapsulates an IPSec header (AH or ESP) on the original IP header and adds a new IP header. In this mode, the original IP packet is transmitted as the payload of the packet and is protected by IPSec. The tunnel mode applies to communication between two security gateways. Packets encrypted by one security gateway must be decrypted by the other security gateway.
- IPSec uses the Message Digest 5 (MD5) algorithm, Secure Hash Algorithm 1 (SHA-1), or Secure Hash Algorithm 2 (SHA-2) for authentication. The MD5 algorithm computes faster than the SHA-1 algorithm, but the SHA-1 algorithm is more secure than the MD5 algorithm. SHA-2 produces a longer digest and is more secure than SHA-1.
- IPSec uses the DES, Triple Data Encryption Standard (3DES), or Advanced Encryption Standard (AES) algorithm for encryption. The AES algorithm encrypts plain text by using a key of 128 bits, 192 bits, or 256 bits.
Establishing an IPSec Tunnel Using IKE Negotiation
IKE
IKE builds upon the Internet Security Association and Key Management Protocol (ISAKMP) and provides the key negotiation, identity authentication, and SA establishment functions to simplify IPSec use and management.
IKE Version
- IKEv1: defines two phases for IPSec key negotiation. IKEv1 phase 1 operates in either main mode or aggressive mode. The aggressive mode allows two IPSec peers to establish an IKE SA more quickly than in main mode. In main mode, only IP addresses can be used to identify IPSec peers. In aggressive mode, both IP addresses and names can be used to identify IPSec peers.
- IKEv2: defines three types of exchanges and enables two IPSec peers to establish an IKE SA more quickly than IKEv1.
- Diffie-Hellman (DH) algorithm: DH algorithm is a public key algorithm. The two communicating parties do not transmit a key but exchange data to calculate a shared key. They use the calculated shared key to encrypt data and exchange the encrypted data. IKE-enabled devices never directly transmit a key on an insecure network. Instead, the devices calculate a shared key by exchanging data. Even though a third party (such as a hacker) intercepts all exchanged data for key calculation, it cannot calculate the actual key.
- Perfect Forward Secrecy (PFS): PFS is a property that prevents other keys from being compromised when one key is compromised. Without PFS, the key used in IPSec phase 2 is derived from the key used in phase 1, so an attacker who obtains the phase 1 key may collect enough information to calculate the phase 2 key. PFS adds an additional DH key exchange in phase 2 so that the phase 2 key does not depend on the phase 1 key alone.
- Identity authentication: authenticates the identities of the two communicating parties, using either pre-shared key authentication or digital certificate authentication. In pre-shared key authentication, the two communicating parties use a shared key to calculate a digest for a received packet and compare it with the digest field in the packet. If the calculated digest is the same as that in the packet, authentication succeeds; otherwise, authentication fails. In digital certificate authentication, the two communicating parties use an agreed algorithm to calculate the digest for a packet. The sender uses its own private key to encrypt the digest field, generating a digital signature. The receiver uses the sender's public key to decrypt the digital signature and compares the calculated digest with the original digest field. If the calculated digest is the same as the original digest of the packet, authentication succeeds; otherwise, authentication fails.
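The three items above (DH key agreement, PFS, and pre-shared key authentication) fit together in one short exchange. The following is an added example, not code from the configuration guide or the device, and it is a miniature of the IKE ideas rather than the IKE protocol itself: the DH parameters are a constructed toy group (not one of the IKE DH groups), the PRF is HMAC-SHA-256, and the message layout is invented. It shows both peers arriving at the same phase 1 key, the responder accepting or rejecting the initiator's PSK-keyed digest, and why a phase 2 key derived with PFS cannot be recomputed from the phase 1 key and the values seen on the wire.

```python
import hashlib
import hmac
import secrets

# Added example, not from the configuration guide. Toy modular DH parameters: P is prime,
# but this is NOT an IKE DH group (Group2, Group14, ...).
P = 2**255 - 19
G = 2


def dh_keypair() -> tuple:
    """Private value x and public value g^x mod p. Only the public value is sent."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """Both sides reach the same value from their own private and the peer's public value."""
    return pow(peer_pub, priv, P).to_bytes(32, "big")


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudo-random function (HMAC-SHA-256, one of the PRFs the guide lists)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def psk_auth(psk: bytes, transcript: bytes, identity: bytes) -> bytes:
    """Pre-shared key authentication: a digest over the exchange, keyed with the PSK."""
    return prf(psk, transcript + identity)


def psk_verify(psk: bytes, transcript: bytes, identity: bytes, auth: bytes) -> bool:
    """The receiver recomputes the digest with its own PSK and compares in constant time."""
    return hmac.compare_digest(psk_auth(psk, transcript, identity), auth)


def phase1(psk_initiator: bytes, psk_responder: bytes, id_i: bytes = b"branch") -> tuple:
    """Phase 1 in miniature: DH exchange, nonces, then PSK authentication of the transcript."""
    priv_i, pub_i = dh_keypair()
    priv_r, pub_r = dh_keypair()
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    transcript = pub_i.to_bytes(32, "big") + pub_r.to_bytes(32, "big") + n_i + n_r
    key_i = prf(dh_shared(priv_i, pub_r), n_i + n_r)    # initiator's phase 1 key
    key_r = prf(dh_shared(priv_r, pub_i), n_i + n_r)    # responder's phase 1 key
    auth_i = psk_auth(psk_initiator, transcript, id_i)  # sent by the initiator
    authenticated = psk_verify(psk_responder, transcript, id_i, auth_i)  # checked by the responder
    return key_i, key_r, authenticated


def phase2_key(phase1_key: bytes, n2_i: bytes, n2_r: bytes, pfs_secret: bytes = b"") -> bytes:
    """Phase 2 (IPSec SA) key. Without PFS it depends only on the phase 1 key and public nonces;
    with PFS a fresh DH shared secret is mixed in."""
    return prf(phase1_key, b"phase2" + n2_i + n2_r + pfs_secret)


def demo() -> dict:
    psk = b"constructed-psk"
    key_i, key_r, ok = phase1(psk, psk)
    _, _, bad = phase1(psk, b"wrong-psk")
    n2_i, n2_r = secrets.token_bytes(16), secrets.token_bytes(16)

    # Without PFS: the phase 1 key plus the public nonces determine the phase 2 key completely.
    no_pfs = phase2_key(key_i, n2_i, n2_r)
    from_key1_and_wire = phase2_key(key_i, n2_i, n2_r)

    # With PFS: a fresh DH exchange runs in phase 2; its private values never leave either peer,
    # so the phase 1 key plus everything visible on the wire no longer yields the phase 2 key.
    p_i, pub2_i = dh_keypair()
    p_r, pub2_r = dh_keypair()
    with_pfs_i = phase2_key(key_i, n2_i, n2_r, dh_shared(p_i, pub2_r))
    with_pfs_r = phase2_key(key_r, n2_i, n2_r, dh_shared(p_r, pub2_i))

    return {
        "phase1_keys_match": key_i == key_r,
        "psk_auth_ok": ok,
        "psk_auth_wrong_key": bad,
        "no_pfs_key_from_key1_and_wire": no_pfs == from_key1_and_wire,
        "pfs_key_from_key1_and_wire": with_pfs_i == from_key1_and_wire,
        "pfs_peers_agree": with_pfs_i == with_pfs_r,
    }
```

Certificate authentication replaces psk_auth with a signature over the same transcript, made with the sender's private key and checked with the public key from its certificate; the transcript binding is what stops a captured digest being replayed against a different exchange.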
Establishing an IPSec Tunnel Using an IPSec Virtual Tunnel Interface
An IPSec virtual tunnel interface is a Layer 3 logical interface supporting dynamic routing protocols. All packets passing through the IPSec virtual tunnel interface are protected by IPSec.
After an IPSec tunnel is established using an IPSec virtual tunnel interface, data flows routed to the IPSec virtual tunnel interface are protected by IPSec. Compared to using an ACL to determine data flows to be protected, using routing to determine the flows to be protected simplifies the IPSec policy deployment and prevents IPSec configuration from being affected by the network plan. This enhances network scalability and reduces network maintenance costs.
Establishing an IPSec Tunnel Using An Efficient VPN Policy
Efficient VPN
IPSec Efficient VPN has high security, reliability, and flexibility and has become the first choice for enterprises to establish VPNs. When establishing an IPSec tunnel between a branch and headquarters, an enterprise must configure IPSec and other network resources on the branch. If the network has hundreds of sites, IPSec configurations are complex and network maintenance is difficult.
The Efficient VPN solution integrates IPSec and other configurations on the Efficient VPN server. When basic parameters for establishing an SA are configured on the remote device, the remote device initiates a negotiation with the server and establishes an IPSec tunnel. After the IPSec tunnel is established, the server allocates other IPSec attributes and network resources to the remote device. Efficient VPN simplifies configurations and maintenance of IPSec and network resources for the branches.
- Client mode: A remote device configured with IPSec Efficient VPN connects to the headquarters and automatically applies to the server for an IP address and other network resources such as DNS domain, DNS server address, WINS server address, and delivered ACL resources. The remote device allocates these resources to PCs at the remote end using DHCP. The remote device automatically enables NAT. When receiving a packet from a PC on the remote subnet, the remote device translates the source IP address of the packet matching the pushed ACL resources and sends the packet to the server through an IPSec tunnel. Packets that do not match the pushed ACL resources are not translated by NAT and are not allowed to pass through the IPSec tunnel. These packets are forwarded to the Internet.
- Network mode: Unlike the client mode, IP addresses of branches and headquarters are configured beforehand in network mode. The remote device does not apply to the server for an IP address or enable NAT.
- Network-plus mode: The network-plus mode is a combination of the network mode and client mode. IP addresses of branches and headquarters are configured beforehand. The remote device applies to the server for an IP address. The server uses the IP address to perform ping, Telnet mode, or other management and maintenance operations. NAT is not performed on packets to be protected.
Efficient VPN License
The AR100&AR120 series can use the Efficient VPN feature without a license.
AR150&AR160&AR200 series: AR150&160&200 Value-Added Security Package
AR1200 series: AR1200 Value-Added Security Package
AR2200 series: AR2200 Value-Added Security Package
AR3200 series: AR3200 Value-Added Security Package
AR3600 series: AR3600 Value-Added Security Package
IPSec Policy Management
Context
Authentication and encryption parameters in an IPSec policy must be consistent on the two devices.
For details about basic IPSec concepts, see Overview.
Procedure
- Creating an IPSec policy
Table 2-160 IPSec policy parameters
Parameter
Description
IPSec policy parameter setting
IPSec connection name
Name of an IPSec policy.
The IPSec policy name cannot be changed after an IPSec policy is configured.
Interface name
Name of the interface where an IPSec policy is applied.
Click the icon next to the field, select an interface in the interface list, and click OK.
If a tunnel interface is selected, instead of ACLs, a virtual tunnel interface is used to establish an IPSec tunnel to protect data flows. For details about the tunnel interface configuration, see Logical Interface.
The interface cannot be changed after an IPSec policy is configured.
Networking mode
Networking mode of a router:
- Branch site: The router functions as the enterprise branch gateway and establishes IPSec tunnels between a branch and the headquarters or among different branches.
A branch site can be configured as an Efficient VPN remote end.
- Headquarters site: The router functions as the headquarters gateway and establishes IPSec tunnels with a branch after receiving an IPSec connection request from the branch.
A headquarters site can be configured as an Efficient VPN server.
The networking mode cannot be changed after an IPSec policy is configured.
Efficient VPN
Whether to enable Efficient VPN for a branch site.
The Efficient VPN configuration cannot be changed after an IPSec policy is configured.
Connection ID
ID of an IPSec policy.
The IPSec connection name and Connection ID parameters identify an IPSec policy. Multiple IPSec policies with the same IPSec connection name constitute an IPSec policy group. An IPSec policy group contains a maximum of 16 IPSec policies, and an IPSec policy with the smallest ID has the highest priority. After an IPSec policy group is applied to an interface, all IPSec policies in the group are applied to the interface to protect different data flows.
IKE parameter setting
IKE version
ID of an IKE version, including IKEv1 or IKEv2.
Negotiation mode
IKEv1 negotiation mode:
- Main mode: The main mode separates the key exchange information from identity authentication information. This provides higher security.
- Aggressive mode: The aggressive mode does not provide identity authentication but can meet special network requirements. This mode can be used to establish an IKE SA more quickly when the IP address of the SA initiator is unknown or keeps changing, and both ends need to use pre-shared key authentication to establish the IKE SA.
Mode
Efficient VPN mode when the device is configured as an Efficient VPN remote end. The Efficient VPN modes are as follows:
- Client
- Network
- Network-plus
Remote address (IP/Domain name)
IP address or domain name of the remote IKE peer.
Authentication mode
Authentication method used by IKE:
- Pre-shared Key
- RSA certificate
By default, the IKE uses pre-shared key authentication.
Pre-shared Key
Pre-shared key used by IKE for authentication. The value is a string of characters. A plain text key contains 1 to 128 characters, and a cipher text password contains 48 to 188 characters. If the character string contains question mark (?) or space, you need to put the key in double quotation marks ("). The local and remote ends of IKE negotiation must be configured with the same authenticator.
PKI Domain
Configured public key infrastructure (PKI) domain. When IKE uses the Rivest-Shamir-Adleman Algorithm (RSA) certificate for authentication, set this parameter. For details about the PKI domain configuration, see PKI Domain.
OCSP
Whether to enable Online Certificate Status Protocol (OCSP)
Authentication algorithm
Authentication algorithm used by the IKE:
- MD5: specifies HMAC-MD5 as the authentication algorithm.
- SHA1: specifies HMAC-SHA-1 as the authentication algorithm.
- AES-XCBC-MAC-96: specifies AES-XCBC-MAC-96 as the authentication algorithm.
NOTE:
The AES-XCBC-MAC-96 algorithm is supported only in IKEv2.
The AES-XCBC-MAC-96 algorithm is not supported in V200R010C10 and later versions.
- SHA2-256: specifies SHA-256 as the authentication algorithm.
- SHA2-384: specifies SHA-384 as the authentication algorithm.
- SHA2-512: specifies SHA-512 as the authentication algorithm.
- SM3: specifies SM3 as the authentication algorithm.
NOTE:
The SM3 algorithm is supported only in IKEv1.
The MD5 algorithm uses a 128-bit key, and the SHA-1 algorithm uses a 160-bit key. The SHA-256, SHA-384, and SHA-512 algorithms use 256-bit, 384-bit, and 512-bit keys respectively. A larger number of key bits indicates a more secure algorithm but a slower calculation speed. Only IKEv2 supports the AES-XCBC-MAC-96 algorithm.
By default, the IKE uses the SHA2-256 algorithm.
Note that MD5 and SHA1 authentication algorithms cannot ensure security. You are advised to use another authentication algorithm.
Encryption algorithm
Encryption algorithm used by the IKE:
- 3DES: indicates that the IKE uses the 168-bit Triple Data Encryption Standard (3DES) encryption algorithm in CBC mode.
- AES-128: indicates that the IKE uses the 128-bit Advanced Encryption Standard (AES) encryption algorithm.
- AES-192: indicates that the IKE uses the 192-bit AES algorithm encryption.
- AES-256: indicates that the IKE uses the 256-bit AES algorithm encryption.
- DES: indicates that the IKE uses the DES-CBC encryption algorithm.
- SM1: indicates that the IKE uses the SM1 encryption algorithm.
- SM4: indicates that the IKE uses the SM4 encryption algorithm.
By default, the IKE uses the AES-256 encryption algorithm.
Note that 3DES and DES encryption algorithms cannot ensure security. You are advised to use another encryption algorithm.
DH group number
Diffie-Hellman group used for key negotiation in IKE:
- Group1: uses the 768-bit Diffie-Hellman group.
- Group2: uses the 1024-bit Diffie-Hellman group.
- Group5: uses the 1536-bit Diffie-Hellman group.
- Group14: uses the 2048-bit Diffie-Hellman group.
- Group19: uses the 256-bit ECP Diffie-Hellman group.
- Group20: uses the 384-bit ECP Diffie-Hellman group.
- Group21: uses the 521-bit ECP Diffie-Hellman group.
Group1 provides the weakest protection, while Group14 provides the strongest.
By default, the Group14 is used in IKE negotiation.
IPSec parameter setting
Security protocol
Security protocol used by IPSec:
- AH: indicates that IPSec uses the AH protocol defined by RFC 2402. The AH protocol authenticates the data source, verifies data integrity, and prevents packet replay. This protocol uses the MD5 authentication algorithm by default and does not support encryption.
- AH-ESP: indicates that the IPSec proposal encapsulates packets through ESP first and then through AH.
- ESP: indicates that IPSec uses the ESP protocol defined by RFC 2406. The ESP protocol uses the DES encryption algorithm and the MD5 authentication algorithm by default.
By default, the IPSec uses the ESP protocol.
AH authentication algorithm
Authentication algorithm used by AH in IPSec:
- MD5
- SHA1
- SHA2-256
- SHA2-384
- SHA2-512
- SM3
NOTE:
The SM3 algorithm is supported only in IKEv1.
By default, AH uses the SHA2-256 authentication algorithm.
Note that MD5 and SHA1 authentication algorithms cannot ensure security. You are advised to use another authentication algorithm.
NOTE:AR100&AR120 series, AR161, AR161W, AR161EW, AR161EW-M1, AR161G-L, AR161G-Lc, AR161G-U, AR169, AR169G-L, AR169CVW, AR169CVW-4B4S, AR169W, AR169W-P-M9, AR169RW-P-M9, AR169EW, AR169EGW-L, AR1220C, AR1220-8GE, AR2204-27GE, AR2204E-D-27GE, AR2204-24GE, AR2204-27GE-P, AR2204-48GE-P, AR2204-51GE, AR2204-51GE-P, AR2204-51GE-R, AR2204E, AR2204E-D, AR2204XE, and AR2204XE-DC do not support SHA2-384 and SHA2-512 authentication algorithms.
ESP authentication algorithm
Authentication algorithm used by ESP in IPSec:
- Non-authentication
- MD5
- SHA1
- SHA2-256
- SHA2-384
- SHA2-512
- SM3
NOTE:
- The SM3 algorithm is supported only in IKEv1.
- When the SM3 algorithm is configured, the ESP encryption algorithm must be SM1, SM4, or Non-encryption.
The authentication algorithm and encryption algorithm of ESP cannot be kept blank simultaneously.
By default, ESP uses the SHA2-256 authentication algorithm.
Note that MD5 and SHA1 authentication algorithms cannot ensure security. You are advised to use another authentication algorithm.
NOTE:AR100&AR120 series, AR161, AR161W, AR161EW, AR161EW-M1, AR161G-L, AR161G-Lc, AR161G-U, AR169, AR169G-L, AR169CVW, AR169CVW-4B4S, AR169W, AR169W-P-M9, AR169RW-P-M9, AR169EW, AR169EGW-L, AR1220C, AR1220-8GE, AR2204-27GE, AR2204E-D-27GE, AR2204-24GE, AR2204-27GE-P, AR2204-48GE-P, AR2204-51GE, AR2204-51GE-P, AR2204-51GE-R, AR2204E, AR2204E-D, AR2204XE, and AR2204XE-DC do not support SHA2-384 and SHA2-512 authentication algorithms.
ESP encryption algorithm
Encryption algorithm used by ESP in IPSec:
- Non-encryption
- DES: indicates that ESP uses the DES-CBC encryption algorithm.
- 3DES: indicates that ESP uses the 168-bit 3DES encryption algorithm in CBC mode.
- AES-128: indicates that ESP uses the 128-bit AES encryption algorithm.
- AES-192: indicates that ESP uses the 192-bit AES encryption algorithm.
- AES-256: indicates that ESP uses the 256-bit AES encryption algorithm.
- SM1: indicates that ESP uses the SM1 encryption algorithm.
- SM4: indicates that ESP uses the SM4 encryption algorithm.
NOTE:
- The SM1 and SM4 algorithms are supported only in IKEv1.
- When SM1 or SM4 is configured, the ESP authentication algorithm must be SHA1, SM3, or Non-authentication.
By default, ESP uses the AES-256 encryption algorithm.
Note that 3DES and DES encryption algorithms cannot ensure security. You are advised to use another encryption algorithm.
Encapsulation mode
Encapsulation mode that IPSec uses to encapsulate IP packets:
- Tunnel mode
- Transport mode
ACL parameter setting
ACL name
Name of a configured ACL that IPSec uses to protect data flows. When the router functions as the headquarters site, you can configure no ACL to protect all data flows on the interface.
For details about the ACL configuration, see Advanced ACL Setting. IPSec supports ACL rules based on the source IP address, destination IP address, destination port number, and protocol number to protect data flows.
Advanced
IKE negotiation
Mode in which IKE SAs are triggered:
- Auto: After an IPSec policy is applied, the system completes IKE negotiation and establishes an IPSec tunnel.
- Traffic-based: When an interface receives packets, the system completes IKE negotiation and establishes an IPSec tunnel.
By default, the IKE negotiation uses auto mode.
Local identity type
Type of the local ID used in IKE negotiation:
- IP address: The interface IP address is used as the local ID. When performing IKE negotiation with the peer, the local device exchanges identity information with the peer.
- Name: A string of characters is used as the local ID. You can set Device local name in IPSec Global Setting to identify the local device. When Device local name is left blank, the device name is used.
By default, the IP address of the local end is used as the local ID.
Local ID
ID of the local end in IKE negotiation.
Peer identity type
Type of the remote ID used in IKE negotiation:
- IP address: value of Peer address (IP/Domain name).
- Name: value of Peer name.
By default, the IP address of the remote end is used as the remote ID.
Remote ID
ID of the peer in IKE negotiation. The value must be the local ID configured on the peer.
Re-authentication interval (seconds)
Interval at which IKEv2 re-authentication is performed.
By default, IKEv2 re-authentication is not performed.
DPD(Dead Peer Detection)
Whether to enable the dead peer detection (DPD) function.
IKE peers send DPD packets to check whether the other party is alive.
By default, DPD is disabled.
DPD type
DPD mode:
- on-demand: indicates the on-demand DPD mode. If the local end does not receive any packets from the remote peer within the specified period, it sends a DPD packet to check whether the remote peer is available.
- periodic: indicates the periodic DPD mode. If the local end does not receive any packets from the remote peer for a long time, it sends DPD packets at specific intervals to check whether the remote peer is available.
The sequence of the payload in DPD packets
Sequence of the payload in DPD packets:
- seq-hash-notify: indicates that the payload of DPD packets is in the sequence of hash-notify.
- seq-notify-hash: indicates that the payload of DPD packets is in the sequence of notify-hash.
Idle time for DPD detection (seconds)
Idle time for sending DPD packets.
The default idle time for DPD is 30 seconds.
DPD packet retransmission interval (seconds)
Interval for retransmitting DPD packets.
The default interval for retransmitting DPD packets is 15 seconds.
DPD packet retransmission count
Maximum number of times DPD packets are retransmitted.
The default maximum number of times DPD packets are retransmitted is 3.
PRF algorithm
Algorithm used to generate the pseudo random number:
- PRF-HMAC-MD5: indicates the HMAC-MD5 algorithm.
- PRF-HMAC-SHA: indicates the HMAC-SHA-1 algorithm.
- PRF-AES-XCBC-128: indicates the AES-XCBC-128 algorithm.
- PRF-HMAC-SHA2-256: indicates the HMAC-SHA-256 algorithm.
- PRF-HMAC-SHA2-384: indicates the HMAC-SHA-384 algorithm.
- PRF-HMAC-SHA2-512: indicates the HMAC-SHA-512 algorithm.
By default, the PRF-HMAC-SHA2-256 algorithm is used.
PFS
Perfect Forward Secrecy (PFS) makes IPSec perform an additional round of key exchange in phase 2 of IKE negotiation to improve communication security:
- none: the PFS feature is disabled.
- Group1: indicates the 768-bit Diffie-Hellman group.
- Group2: indicates the 1024-bit Diffie-Hellman group.
- Group5: indicates the 1536-bit Diffie-Hellman group.
- Group14: indicates the 2048-bit Diffie-Hellman group.
- Group19: uses the 256-bit ECP Diffie-Hellman group.
- Group20: uses the 384-bit ECP Diffie-Hellman group.
- Group21: uses the 521-bit ECP Diffie-Hellman group.
By default, the PFS feature is disabled.
IKE SA lifetime (seconds)
Lifetime of IKE SAs. Both ends negotiate a new SA before the old one times out. The old SA is still used prior to the establishment of the new SA.
By default, the lifetime of an IKE SA is 86400 seconds.
IPSec SA aging mode
SA lifetime in an IPSec policy. In IPSec negotiation, the SA uses the shorter lifetime between the lifetime set on the local end and that set on the remote end.
The SA lifetime can be measured by time or by traffic:
- Time-based (s): indicates the period of time an SA can exist after being established.
- Traffic-based (KB): indicates the maximum traffic volume that an SA can process.
By default, the time-based SA lifetime is 3600 seconds and the traffic-based SA lifetime is 1843200 Kbytes.
When the specified time or traffic volume is reached, the SA becomes invalid. When the SA is about to expire, IPSec negotiates a new SA.
By default, when no IPSec SA lifetime is set for the IPSec policy, the global IPSec SA lifetime is used. The global IPSec SA lifetime is set by the parameter IPSec SA aging management in IPSec Global Setting. If IPSec SA aging management is not set, the default value is used.
Local IP address
Whether to set the IP address of the local end.
By default, the local end address is the IP address of the interface bound to the IPSec policy.
Address mode
Type of the local IP address:
- Interface: The local end address is the IP address of the interface bound to the IPSec policy.
- IP address: When the outbound interface has a primary address and a secondary address, enter an IP address in the IP address text box.
IP address
IP address of the local end in IKE negotiation.
Route import
Whether to enable the route import function.
Route import type
Route import mode:
- Static: The route of the IPSec peer is added to the local routing table upon device startup and remains unchanged.
- Dynamic: Route reachability is determined based on IPSec tunnel status. If the IPSec tunnel is Up, the route of the IPSec peer is added to the local routing table and advertised on the network. If the IPSec tunnel is Down, the route of the IPSec peer is deleted and withdrawn.
Route priority
Priority of an injection route.
By default, the priority is 60.
Pre-extraction of original IP packets
Whether to enable pre-extraction of original IP packets.
By default, pre-extraction of original IP packets is disabled.
In tunnel mode, QoS parameters such as the packet header and protocol type in original packets are hidden after IP packets are encapsulated through IPSec. Although IPSec uses the DSCP field in original packets as the DSCP field in the IP packet header, some QoS solutions require quintuple information. The encryption device can pre-extract quintuple information including the source address, destination address, protocol type, source port number, and destination port number to facilitate refined QoS management on IPSec packets.
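The Connection ID and ACL name rows above together define how the device picks a policy for a flow: the policies sharing one IPSec connection name form a group of at most 16, the smallest ID wins when several match, and matching uses ACL rules on source address, destination address, destination port, and protocol. The following is an added example, not code from the configuration guide or the device: a small policy-group model with those rules, run over constructed flows. The policy IDs, subnets and descriptions are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not from the configuration guide.
MAX_POLICIES_PER_GROUP = 16   # limit stated in the guide


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: int                 # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class AclRule:
    """Advanced ACL rule limited to the fields the guide says IPSec uses for flow selection."""
    src: str                      # CIDR, e.g. "10.1.0.0/16"
    dst: str
    protocol: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.protocol is not None and flow.protocol != self.protocol:
            return False
        if self.dst_port is not None and flow.dst_port != self.dst_port:
            return False
        return True


@dataclass(frozen=True)
class IpsecPolicy:
    connection_id: int
    description: str
    rules: tuple


class IpsecPolicyGroup:
    """Policies sharing one IPSec connection name; applied together to one interface."""

    def __init__(self, connection_name: str):
        self.connection_name = connection_name
        self._policies = {}

    def add(self, policy: IpsecPolicy) -> None:
        if policy.connection_id in self._policies:
            raise ValueError(f"connection ID {policy.connection_id} already used in {self.connection_name}")
        if len(self._policies) >= MAX_POLICIES_PER_GROUP:
            raise ValueError(f"{self.connection_name} already holds {MAX_POLICIES_PER_GROUP} policies")
        self._policies[policy.connection_id] = policy

    def select(self, flow: Flow) -> Optional[IpsecPolicy]:
        """Smallest connection ID has the highest priority; the first policy with a matching rule wins."""
        for cid in sorted(self._policies):
            policy = self._policies[cid]
            if any(rule.matches(flow) for rule in policy.rules):
                return policy
        return None   # no policy matched: the flow leaves the interface unprotected


def build_demo_group() -> IpsecPolicyGroup:
    """Constructed example: a branch gateway with two policies towards headquarters."""
    group = IpsecPolicyGroup("to-hq")
    # ID 10: everything from the branch LAN to the HQ LAN.
    group.add(IpsecPolicy(10, "branch LAN to HQ LAN",
                          (AclRule("10.1.0.0/16", "10.2.0.0/16"),)))
    # ID 5: SSH to the HQ management host in its own SA. It overlaps ID 10 and wins because 5 < 10.
    group.add(IpsecPolicy(5, "management SSH to HQ",
                          (AclRule("10.1.0.0/16", "10.2.0.10/32", protocol=6, dst_port=22),)))
    return group


def classify(group: IpsecPolicyGroup, flow: Flow) -> Optional[int]:
    """Connection ID of the policy that protects the flow, or None if nothing matches."""
    policy = group.select(flow)
    return policy.connection_id if policy else None
```

A flow that matches no policy is the case to watch when reviewing a configuration: on a branch site it is forwarded in clear, so the ACLs should be checked against the full list of subnets that are meant to be protected.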
- Modifying an IPSec policy
If an IPSec policy configured by a command is not applied to a specified interface, the policy is not displayed on the IPSec policy management page.
- Choose .
- Select the IPSec policy to modify in the IPSec Policy Management area and click the edit icon.
- In Modify IPSec Policy dialog box that is displayed, modify parameters listed in Table 2-160 based on the site requirements.
- Click OK.
- Deleting an IPSec policy
- Viewing IKE SA information
This function is supported only in the V200R010C10 and later versions.
You can refresh and view information about the SA set up using IKE negotiation through the IKE SA Information window.
- Viewing tunnel failure information.
This function is supported only in the V200R010C10 and later versions.
In Tunnel Down Reason, click Refresh to refresh and view tunnel failure information.
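The DPD parameters in Table 2-160 (idle time, retransmission interval, retransmission count) determine how long a silent peer stays in the SA before the tunnel is torn down, which is worth knowing when reading the Tunnel Down Reason view above. The following is an added example, not code from the configuration guide or the device: a small model of on-demand DPD driven by a constructed timeline. The defaults (30 s, 15 s, 3) are the guide's; the rule that the peer is declared dead after the first probe plus all retransmissions go unanswered, and the exact timer bookkeeping, are this model's assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the configuration guide.


@dataclass(frozen=True)
class DpdConfig:
    idle_s: float = 30.0          # default idle time from the guide
    retransmit_s: float = 15.0    # default retransmission interval from the guide
    retransmit_count: int = 3     # default retransmission count from the guide


@dataclass
class DpdPeer:
    """On-demand DPD state for one IKE peer. Times are seconds on one constructed clock."""
    cfg: DpdConfig
    last_rx: float                        # last time any packet arrived from the peer
    probes_sent: int = 0
    last_probe_at: Optional[float] = None
    dead: bool = False

    def on_receive(self, now: float) -> None:
        """Any packet from the peer (DPD reply or protected traffic) proves liveness and resets probing."""
        self.last_rx = now
        self.probes_sent = 0
        self.last_probe_at = None

    def on_demand(self, now: float) -> str:
        """Called when the local end has traffic to send. Returns the action taken."""
        if self.dead:
            return "dead"
        if now - self.last_rx < self.cfg.idle_s:
            return "alive"                    # heard from the peer recently: no probe needed
        if self.probes_sent == 0:
            self.probes_sent, self.last_probe_at = 1, now
            return "probe"                    # idle time reached: send the first DPD request
        if now - self.last_probe_at < self.cfg.retransmit_s:
            return "waiting"                  # retransmission interval not elapsed yet
        if self.probes_sent > self.cfg.retransmit_count:
            self.dead = True                  # first probe plus every retransmission unanswered
            return "dead"
        self.probes_sent += 1
        self.last_probe_at = now
        return "retransmit"


def worst_case_detection_s(cfg: DpdConfig) -> float:
    """Idle time, then the first probe and each retransmission must each time out (model assumption)."""
    return cfg.idle_s + (1 + cfg.retransmit_count) * cfg.retransmit_s


def simulate(cfg: DpdConfig, events: List[Tuple[str, float]]) -> List[Tuple[float, str]]:
    """events: ('rx', t) = packet from the peer, ('tx', t) = local end wants to send. Returns decisions."""
    peer = DpdPeer(cfg, last_rx=0.0)
    out = []
    for kind, t in events:
        if kind == "rx":
            peer.on_receive(t)
        else:
            out.append((t, peer.on_demand(t)))
    return out


# Constructed timelines. SILENT_PEER: nothing arrives after t=0 while the local end keeps trying to send.
SILENT_PEER = [("tx", 10.0), ("tx", 40.0), ("tx", 50.0), ("tx", 55.0),
               ("tx", 70.0), ("tx", 85.0), ("tx", 100.0)]
# RECOVERING_PEER: a packet arrives after the first probe, so probing stops.
RECOVERING_PEER = [("tx", 40.0), ("rx", 45.0), ("tx", 50.0)]
```

With the defaults, simulate(DpdConfig(), SILENT_PEER) shows the first probe at the first send attempt after 30 s of silence, three retransmissions 15 s apart, and "dead" at the next attempt. Shortening the idle time tears a tunnel down sooner after a peer failure, at the cost of more DPD traffic on links that are quiet but healthy.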
IPSec Global Settings
Procedure
- Setting global IPSec parameters
Table 2-161 Global IPSec parameters
Parameter
Description
Device local name
Local host name used in IKE negotiation, which is case-insensitive.
You can configure IPSec policies on the IPSec Policy Management tab page. You need to set Device local name only when Local identity type is set to Name. The value of Device local name must be the same as the value of Peer name set on the peer device.
By default, no local host name is configured for IKE negotiation. The device name is used as the local name. To view or change the device name, see device information in Device Information.
IPSec SA aging management
Global SA lifetime in an IPSec policy. In IPSec negotiation, the SA uses the shorter lifetime between the lifetime set on the local end and that set on the remote end.
The SA lifetime can be measured by time or by traffic:
- Time-based (s): indicates the period of time an SA can exist after being established.
- Traffic-based (KB): indicates the maximum traffic volume that an SA can process.
When the specified time or traffic volume is reached, the SA becomes invalid. When the SA is about to expire, IPSec negotiates a new SA.
If SA aging mode is set on the IPSec Policy Management tab page, the global SA lifetime does not take effect.
By default, the time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is 1843200 KB.
IKE heartbeat interval (s)
Interval for sending heartbeat packets.
If no heartbeat packet is received during the duration specified by IKE heartbeat timeout, the IPSec SA is deleted. Therefore, the timeout duration of heartbeat packets must be set longer than the interval for sending heartbeat packets.
IKE heartbeat timeout (s)
Timeout interval during which an IKE SA waits for a heartbeat packet.
On a network, packet loss rarely occurs more than three consecutive times. Therefore, the timeout interval of heartbeat packets on one end can be set to three times the interval for sending heartbeat packets on the other end.
NAT saving interval (s)
Interval for sending NAT keepalive packets.
If the IPSec tunnel with NAT traversal enabled is established and no packet passes through the NAT gateway in a long period, NAT session entries are aged and deleted on the NAT gateway. In this case, data cannot be transmitted through the IPSec tunnel. Therefore, to retain NAT session entries, configure the device to send NAT keepalive packets periodically.
By default, the interval for sending NAT keepalive packets is 20 seconds.
Anti-replay
Whether to enable the anti-replay function.
After the anti-replay function is enabled, the system discards replayed packets and does not encapsulate them, saving system resources.
By default, the anti-replay function is enabled.
DF bit setting
Don't fragment (DF) flag bit:
- clear: If the DF flag bit is 0, IP packets can be fragmented.
- set: If the DF flag bit is 1, no IP packet is fragmented.
- copy: Specifies the flag bit of original packets.
By default, the DF flag bit on an IPSec tunnel is the flag bit of original packets.
Fragment packets before encryption
Whether to enable packet fragment before encryption when the DF flag bit is 0.
Before IP packets are encapsulated with the IPSec header, the system calculates the predicted length of the encapsulated IP packets. If the predicted length of the encapsulated IP packets exceeds the MTU of the outbound interface, the router fragments the IP packets before encryption. The IKE peer of the router decrypts and assembles IPSec fragments. This reduces the CPU usage of the router.
By default, IP packets are fragmented after being encrypted on an IPSec tunnel.
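The SA lifetime rows of Table 2-160 (IPSec SA aging mode) and Table 2-161 (IPSec SA aging management) describe three rules: the policy-level lifetime overrides the global one, which in turn overrides the defaults of 3600 seconds and 1843200 KB; the negotiated SA uses the shorter of the two ends' values; and a new SA is negotiated when the current one is about to expire. The following is an added example, not code from the configuration guide or the device, that puts those rules in one place and runs a constructed traffic trace against them. The 90% soft limit at which renegotiation starts is an assumption of this example, not a value from the guide.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the configuration guide. Defaults below are the guide's.
DEFAULT_TIME_S = 3600
DEFAULT_TRAFFIC_KB = 1843200


@dataclass(frozen=True)
class SaLifetime:
    time_s: int
    traffic_kb: int


def local_lifetime(policy: Optional[SaLifetime], global_setting: Optional[SaLifetime]) -> SaLifetime:
    """Policy-level lifetime wins; otherwise the global IPSec SA aging setting; otherwise the defaults."""
    if policy is not None:
        return policy
    if global_setting is not None:
        return global_setting
    return SaLifetime(DEFAULT_TIME_S, DEFAULT_TRAFFIC_KB)


def negotiate_lifetime(local: SaLifetime, remote: SaLifetime) -> SaLifetime:
    """The SA uses the shorter of the two ends' lifetimes, for each measure independently."""
    return SaLifetime(min(local.time_s, remote.time_s), min(local.traffic_kb, remote.traffic_kb))


@dataclass
class IpsecSa:
    lifetime: SaLifetime
    established_at: float            # seconds; a monotonic clock in practice
    bytes_processed: int = 0
    # Assumption for this example: start renegotiating at 90% of either limit.
    soft_fraction: float = 0.9

    def time_used(self, now: float) -> float:
        return now - self.established_at

    def kb_used(self) -> float:
        return self.bytes_processed / 1024

    def expired(self, now: float) -> bool:
        """Hard limit: the SA is invalid once either the time or the traffic limit is reached."""
        return (self.time_used(now) >= self.lifetime.time_s
                or self.kb_used() >= self.lifetime.traffic_kb)

    def should_rekey(self, now: float) -> bool:
        """Soft limit: negotiate the replacement SA while this one still works."""
        return (self.time_used(now) >= self.soft_fraction * self.lifetime.time_s
                or self.kb_used() >= self.soft_fraction * self.lifetime.traffic_kb)


def demo_timeline() -> List[Tuple[int, bool, bool]]:
    """Constructed trace of (elapsed s, total bytes) against an SA negotiated down to 1000 s / 100 KB."""
    negotiated = negotiate_lifetime(SaLifetime(1000, 100), SaLifetime(DEFAULT_TIME_S, DEFAULT_TRAFFIC_KB))
    sa = IpsecSa(negotiated, established_at=0.0)
    out = []
    for elapsed, total_bytes in [(100, 10 * 1024), (500, 50 * 1024), (600, 95 * 1024), (700, 100 * 1024)]:
        sa.bytes_processed = total_bytes
        out.append((elapsed, sa.should_rekey(elapsed), sa.expired(elapsed)))
    return out
```

The trace shows the traffic limit, not the time limit, driving the rekey in this case: at 600 s the SA has carried 95 KB, so renegotiation starts well before the 1000 s time limit, and at 100 KB the old SA becomes invalid. When comparing the two ends' settings, remember that each measure is negotiated separately, so a short time limit on one side and a short traffic limit on the other both apply.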
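The DF bit and Fragment packets before encryption rows above describe a decision the router makes per packet: predict the length after IPSec encapsulation, and if it exceeds the outbound MTU, either drop (DF set), fragment before encryption, or encrypt first and fragment the outer packet. The following is an added example, not code from the configuration guide or the device: it computes that prediction for ESP in tunnel mode and returns the resulting plan. The overhead figures assume AES-CBC with HMAC-SHA2-256 (128-bit ICV per RFC 4868); the device's actual overhead accounting is not documented on this page, so treat the numbers as an illustration of the rule, not as the router's values.

```python
import math
from dataclasses import dataclass

# Added example, not from the configuration guide.


@dataclass(frozen=True)
class EspTunnelOverhead:
    """Per-packet ESP tunnel-mode overhead. Assumes AES-CBC + HMAC-SHA2-256 (128-bit ICV, RFC 4868);
    other proposals change iv, block and icv."""
    outer_ip: int = 20    # new IPv4 header added in tunnel mode
    spi_seq: int = 8      # ESP SPI + sequence number
    iv: int = 16          # AES-CBC IV
    block: int = 16       # inner packet + trailer is padded up to the cipher block size
    trailer: int = 2      # pad length + next header
    icv: int = 16


def predicted_length(inner_len: int, ov: EspTunnelOverhead = EspTunnelOverhead()) -> int:
    """Length of the packet after IPSec encapsulation, predicted before encrypting."""
    body = math.ceil((inner_len + ov.trailer) / ov.block) * ov.block
    return ov.outer_ip + ov.spi_seq + ov.iv + body + ov.icv


def max_inner_length(mtu: int, ov: EspTunnelOverhead = EspTunnelOverhead()) -> int:
    """Largest inner packet whose encapsulated form still fits the outbound MTU."""
    body = (mtu - ov.outer_ip - ov.spi_seq - ov.iv - ov.icv) // ov.block * ov.block
    return body - ov.trailer


def _ipv4_fragments(total_len: int, max_len: int) -> int:
    """Number of IPv4 fragments: each carries a 20-byte header and a data part that is a multiple of 8."""
    data_per_fragment = (max_len - 20) // 8 * 8
    return math.ceil((total_len - 20) / data_per_fragment)


def fragment_plan(inner_len: int, mtu: int, df_set: bool, pre_fragment: bool,
                  ov: EspTunnelOverhead = EspTunnelOverhead()) -> dict:
    """Decide how a packet of inner_len bytes leaves an interface with the given MTU.
    df_set is the effective DF bit after the DF bit setting ('set', or 'copy' with DF=1 in the original)."""
    predicted = predicted_length(inner_len, ov)
    if predicted <= mtu:
        return {"mode": "none", "fragments": 1, "predicted": predicted}
    if df_set:
        return {"mode": "drop", "fragments": 0, "predicted": predicted}   # DF=1: nothing may be fragmented
    if pre_fragment:
        # Fragment before encryption: each fragment is encapsulated on its own and fits the MTU,
        # so the peer decrypts fragments independently instead of reassembling ciphertext first.
        n = _ipv4_fragments(inner_len, max_inner_length(mtu, ov))
        return {"mode": "before-encryption", "fragments": n, "predicted": predicted}
    # Default behaviour: encrypt the whole packet, then fragment the outer packet.
    n = _ipv4_fragments(predicted, mtu)
    return {"mode": "after-encryption", "fragments": n, "predicted": predicted}
```

For a full-size 1500-byte packet on a 1500-byte MTU the prediction is 1564 bytes, so some fragmentation is unavoidable; the practical alternative to either fragmentation mode is to lower the MTU or TCP MSS on the inner interfaces so that inner packets stay at or below max_inner_length(mtu).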