
CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Configuring an IPSec Proposal

Context

An IPSec proposal, as part of an IPSec policy or an IPSec profile, defines security parameters for IPSec SA negotiation, including the security protocol, encryption and authentication algorithms, and encapsulation mode. Both ends of an IPSec tunnel must be configured with the same parameters.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec proposal proposal-name

    An IPSec proposal is created and the IPSec proposal view is displayed.

  3. Run transform { ah | esp | ah-esp }

    A security protocol is configured.

    By default, an IPSec proposal uses ESP.

  4. An authentication or encryption algorithm is configured.

    • If AH is used, you can only configure the AH-specific authentication algorithm because AH only authenticates packets.

      Run ah authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

      An AH-specific authentication algorithm is configured.

      By default, AH uses the SHA2-256 authentication algorithm.

    • If ESP is used, ESP can encrypt packets, authenticate packets, or do both. Configure the ESP-specific authentication algorithm, encryption algorithm, or both.

      • Run esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

        An ESP-specific authentication algorithm is configured.

        By default, ESP uses the SHA2-256 authentication algorithm.

      • Run esp encryption-algorithm { 3des | des | aes-128 | aes-192 | aes-256 }

        An ESP-specific encryption algorithm is configured.

        By default, ESP uses the AES-256 encryption algorithm.

    • If both AH and ESP are used (ah-esp), AH authenticates packets, and ESP can encrypt and authenticate packets. You can configure an AH-specific authentication algorithm, ESP-specific authentication and encryption algorithms, or both. The device first adds the ESP header to a packet and then the AH header.

    NOTE:
    • The authentication algorithms SHA2-256, SHA2-384, and SHA2-512 are recommended to improve packet transmission security; the authentication algorithms MD5 and SHA1 are not recommended.
    • The encryption algorithms AES-128, AES-192, and AES-256 are recommended to improve packet transmission security; the encryption algorithms DES and 3DES are not recommended.

  5. Run encapsulation-mode { transport | tunnel }

    An IP packet encapsulation mode is configured.

    By default, IPSec uses the tunnel mode to encapsulate IP packets.

    When IKEv2 is used, the encapsulation modes in all the IPSec proposals configured on the IKE initiator must be the same; otherwise, IKE negotiation fails.

  6. Run quit

    Exit the IPSec proposal view.

  7. (Optional) Run ipsec authentication sha2 compatible enable

    SHA-2 compatibility with earlier software versions is enabled.

    By default, SHA-2 is not compatible with earlier software versions.

    When IPSec uses SHA-2 and the devices at the two ends of the IPSec tunnel are from different vendors or run different software versions, they may use different encryption and decryption methods, and traffic between them is interrupted.

    To solve this problem, enable SHA-2 compatibility with earlier versions.
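As an added check (example code written for this guide, not part of the Huawei documentation or device software), the Python script below parses the proposal commands from steps 2 to 5 out of a saved configuration, fills in the defaults the procedure states, flags the algorithms the note marks as not recommended, applies the IKEv2 rule from step 5 that all proposals must share one encapsulation mode, and lists parameters that differ between the two tunnel ends. The dictionary key names and the sample configuration are constructed for the example.

```python
import re
# Defaults the guide gives when a command is omitted (key names are this example's own).
DEFAULTS = {"transform": "esp", "ah-auth": "sha2-256", "esp-auth": "sha2-256",
            "esp-enc": "aes-256", "mode": "tunnel"}
KEYS = {"transform": "transform", "ah authentication-algorithm": "ah-auth",
        "esp authentication-algorithm": "esp-auth",
        "esp encryption-algorithm": "esp-enc", "encapsulation-mode": "mode"}
WEAK = {"ah-auth": {"md5", "sha1"}, "esp-auth": {"md5", "sha1"}, "esp-enc": {"des", "3des"}}

def parse_proposals(config):
    """Parse each 'ipsec proposal' view into a dict, filling in the defaults."""
    proposals, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"ipsec proposal (\S+)$", line)
        if m:
            cur = proposals.setdefault(m.group(1), dict(DEFAULTS))
        elif line in ("quit", "#"):  # leaves the proposal view
            cur = None
        elif cur is not None:
            for prefix, key in KEYS.items():
                if line.startswith(prefix + " "):
                    cur[key] = line[len(prefix):].strip()
    return proposals

def relevant_keys(p):
    """Parameters that apply for the chosen protocol: AH, ESP or both (ah-esp)."""
    ah, esp = p["transform"] != "esp", p["transform"] != "ah"
    return ({"transform", "mode"} | ({"ah-auth"} if ah else set())
            | ({"esp-auth", "esp-enc"} if esp else set()))

def audit(proposals, ikev2=False):
    """Flag not-recommended algorithms; under IKEv2 also differing encapsulation modes."""
    findings = [f"{name}: {k} {p[k]} is not recommended"
                for name, p in proposals.items()
                for k in sorted(relevant_keys(p) & set(WEAK)) if p[k] in WEAK[k]]
    if ikev2 and len({p["mode"] for p in proposals.values()}) > 1:
        findings.append("IKEv2: encapsulation modes differ across proposals")
    return findings

def mismatches(local, peer):
    """Both tunnel ends must use the same parameters; list those that differ."""
    return sorted(k for k in relevant_keys(local) | relevant_keys(peer) if local[k] != peer[k])

# Constructed sample: a legacy proposal beside one that follows the guide's advice.
SAMPLE = """ipsec proposal legacy
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
 encapsulation-mode transport
quit
ipsec proposal hardened
 esp authentication-algorithm sha2-384
quit"""
```

Feed each end's configuration to parse_proposals and compare the matching proposals with mismatches before bringing the tunnel up.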

Updated: 2019-04-12

Document ID: EDOC1100041799

Views: 34772

Downloads: 48

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next