No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Overview of IPSec

Overview of IPSec

Definition

Internet Protocol Security (IPSec), defined by the Internet Engineering Task Force (IETF), is a series of open network security protocols and services provided on an IP network. Figure 4-1 shows the IPSec protocol framework.

Figure 4-1  IPSec protocol framework

IPSec protects IP packets using two security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP).
  • AH provides data origin authentication, data integrity check, and anti-replay, but does not provide encryption.
  • ESP provides encryption, data origin authentication, data integrity check, and anti-replay.

Security functions provided by the AH and ESP protocols depend on authentication and encryption algorithms.

  • Both AH and ESP can provide data origin authentication and data integrity check using authentication algorithms Message Digest 5 (MD5), Secure Hash Algorithm 1 (SHA1), Secure Hash Algorithm 2 (SHA2)-256, SHA2-384, and SHA2-512.

  • ESP can also encrypt IP packets using symmetric encryption algorithms, including Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES).

NOTE:
  • The MD5 and SHA1 authentication algorithms have security risks. The SHA2 algorithm is recommended.

  • The DES and 3DES encryption algorithms have security risks. The AES algorithm is recommended.

The keys used in IPSec encryption and authentication algorithms can be manually configured or dynamically negotiated through the Internet Key Exchange (IKE) protocol. IKE works in the Internet Security Association and Key Management Protocol (ISAKMP) framework. It uses the Diffie-Hellman (DH) algorithm to securely deliver keys and authenticate identities over an insecure network, ensuring data transmission security. IKE improves key security and simplifies IPSec management.

Purpose

On the Internet, most data is transmitted in plain text, causing security risks. For example, bank accounts and passwords face risks of eavesdropping or tampering, user identities may be counterfeited, or bank networks may be attacked. IPSec can protect IP packets transmitted over an insecure network to reduce the risk of information leaks.

Benefits

Taking advantage of encryption and authentication, IPSec ensures secure service data transmission over the Internet in terms of:
  • Data origin authentication: The receiver checks validity of the sender.
  • Data encryption: The sender encrypts data packets and transmits them in cipher text on the Internet. The receiver decrypts or directly forwards the received data packets.
  • Data integrity check: The receiver validates received data to check whether the data has been tampered with.
  • Anti-replay: The receiver rejects old or duplicate packets to prevent attacks that malicious users initiate by re-sending obtained packets.
Download
Updated: 2019-04-12

Document ID: EDOC1100041799

Views: 31386

Downloads: 43

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next