CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
PKI Application in IPSec VPN

On the network shown in Figure 16-10, the firewalls function as egress gateways of network A and network B. The internal users of the two networks communicate through the Internet. To ensure data security over the Internet, the firewalls have IPSec configured to set up an IPSec tunnel. Generally, IPSec can use a pre-shared key to negotiate the IPSec tunnel. However, using pre-shared keys on a large network is insecure and time-consuming. To address this problem, the devices can use PKI certificates to authenticate each other during IPSec tunnel setup.

Figure 16-10  PKI application in IPSec VPN

After PKI is configured, the communicating parties authenticate each other during IKE negotiation, which ensures the security of the key exchange. In addition, certificates provide centralized key management for IPSec and enhance the scalability of the entire IPSec network. On an IPSec network with PKI configured, each device has a local certificate issued by the PKI certificate authority (CA). When a new device is deployed, it can securely communicate with the other devices by applying for a certificate, and the configurations on the other devices do not need to be modified. This greatly reduces the configuration workload.

Updated: 2019-08-07

Document ID: EDOC1100034077
