Web-based Configuration Guide

AR650, AR1600, and AR6100 V300R003

This document describes how to configure and maintain your routers using the web platform.
IPSec Policy Management

Context

Authentication and encryption parameters in an IPSec policy must be consistent on the two devices at both ends of the tunnel.

For details about basic IPSec concepts, see Overview.

Procedure

  • Creating an IPSec policy
    1. Choose VPN > IPSec VPN > IPSec Policy Management.

      Figure 16-1  IPSec Policy Management

    2. Click Create and set IPSec connection name and Interface name in the Create IPSec Policy dialog box that is displayed, and click OK.

      Figure 16-2  Create IPSec Policy

    3. Set other parameters listed in Table 16-1 based on the site requirements.
    4. Click OK.

      The created IPSec policy is displayed in the IPSec Policy Management area.

    Table 16-1  IPSec policy parameters

    Parameter

    Description

    IPSec policy parameter setting

    IPSec connection name

    Name of an IPSec policy.

    The IPSec policy name cannot be changed after an IPSec policy is configured.

    Interface name

    Name of the interface where an IPSec policy is applied.

    Click , select an interface in the interface list, and click OK.

    If a tunnel interface is selected, instead of ACLs, a virtual tunnel interface is used to establish an IPSec tunnel to protect data flows. For details about the tunnel interface configuration, see Logical Interface.

    The interface cannot be changed after an IPSec policy is configured.

    Networking mode

    Networking mode of a router:
    • Branch site: The router functions as the enterprise branch gateway and establishes IPSec tunnels between a branch and the headquarters or among different branches.

      A branch site can be configured as an Efficient VPN remote end.

    • Headquarters site: The router functions as the headquarters gateway and establishes IPSec tunnels with a branch after receiving an IPSec connection request from the branch.

      A headquarters site can be configured as an Efficient VPN server.

    The networking mode cannot be changed after an IPSec policy is configured.

    Connection ID

    ID of an IPSec policy.

    The IPSec connection name and Connection ID parameters identify an IPSec policy. Multiple IPSec policies with the same IPSec connection name constitute an IPSec policy group. An IPSec policy group contains a maximum of 16 IPSec policies, and an IPSec policy with the smallest ID has the highest priority. After an IPSec policy group is applied to an interface, all IPSec policies in the group are applied to the interface to protect different data flows.

    IKE parameter setting

    IKE version

    IKE version used for negotiation: IKEv1 or IKEv2.

    Negotiation mode

    IKEv1 negotiation mode.
    • Main mode: The main mode separates the key exchange information from identity authentication information. This provides higher security.

    • Aggressive mode: The aggressive mode does not provide identity authentication but can meet special network requirements. This mode can be used to establish an IKE SA more quickly when the IP address of the SA initiator is unknown or keeps changing, and both ends need to use the pre-shared key authentication to establish the IKE SA.

    Remote address

    IP address or domain name of the remote IKE peer.

    Authentication mode

    Authentication method used by IKE:
    • Pre-shared Key
    • RSA certificate

    By default, the IKE uses pre-shared key authentication.

    Pre-shared Key

    Pre-shared key used by IKE for authentication. The value is a string of characters. A plaintext key contains 1 to 128 characters, and a ciphertext key contains 48 to 188 characters. If the string contains a question mark (?) or a space, enclose the key in double quotation marks ("). The local and remote ends of IKE negotiation must be configured with the same pre-shared key.

    PKI Domain

    Configured public key infrastructure (PKI) domain. Set this parameter when IKE uses the Rivest-Shamir-Adleman (RSA) certificate for authentication. For details about the PKI domain configuration, see PKI Domain.

    Authentication algorithm

    Authentication algorithm used by IKE:
    • MD5: specifies HMAC-MD5 as the authentication algorithm.
    • SHA1: specifies HMAC-SHA-1 as the authentication algorithm.
    • AES-XCBC-MAC-96: specifies AES-XCBC-MAC-96 as the authentication algorithm.
      NOTE:

      The AES-XCBC-MAC-96 algorithm is supported only in IKEv2.

    • SHA2-256: SHA-256 as the authentication algorithm.
    • SHA2-384: SHA-384 as the authentication algorithm.
    • SHA2-512: SHA-512 as the authentication algorithm.
    • SM3: SM3 as the authentication algorithm.
      NOTE:

      The SM3 algorithm is supported only in IKEv1.

    The MD5 algorithm uses a 128-bit key, and the SHA-1 algorithm uses a 160-bit key. The SHA-256, SHA-384, and SHA-512 algorithms use 256-bit, 384-bit, and 512-bit keys respectively. A larger number of key bits indicates a more secure algorithm but a slower calculation speed. Only IKEv2 supports the AES-XCBC-MAC-96 algorithm.

    By default, the IKE uses the SHA2-256 algorithm.

    Note that MD5 and SHA1 authentication algorithms cannot ensure security. You are advised to use another authentication algorithm.

    Encryption algorithm

    Encryption algorithm used by IKE:
    • 3DES: indicates that the IKE uses the 168-bit Triple Data Encryption Standard (3DES) encryption algorithm in CBC mode.
    • AES-128: indicates that the IKE uses the 128-bit Advanced Encryption Standard (AES) encryption algorithm.
    • AES-192: indicates that the IKE uses the 192-bit AES algorithm encryption.
    • AES-256: indicates that the IKE uses the 256-bit AES algorithm encryption.
    • DES: indicates that the IKE uses the DES-CBC encryption algorithm.
    • SM1: indicates that the IKE uses the SM1 encryption algorithm.
    • SM4: indicates that the IKE uses the SM4 encryption algorithm.

    By default, the IKE uses the AES-256 encryption algorithm.

    Note that 3DES and DES encryption algorithms cannot ensure security. You are advised to use another encryption algorithm.

    DH group number

    Diffie-Hellman group used for key negotiation in IKE:
    • Group1: uses the 768-bit Diffie-Hellman group.
    • Group2: uses the 1024-bit Diffie-Hellman group.
    • Group5: uses the 1536-bit Diffie-Hellman group.
    • Group14: uses the 2048-bit Diffie-Hellman group.
    • Group19: uses the 256-bit ECP Diffie-Hellman group.
    • Group20: uses the 384-bit ECP Diffie-Hellman group.
    • Group21: uses the 521-bit ECP Diffie-Hellman group.

    Group1 provides the lowest security, while Group14 provides the strongest security.

    By default, Group14 is used in IKE negotiation.

    IPSec parameter setting

    Security protocol

    Security protocol used by an IPSec:
    • AH: indicates that the IPSec uses the AH protocol defined by RFC 2402. The AH protocol authenticates the data source, verifies the data integrity, and prevents packet replay. This protocol uses the MD5 authentication algorithm by default and does not support encryption.
    • AH-ESP: indicates that the IPSec proposal encapsulates packets through ESP, then through AH.
    • ESP: indicates that the IPSec uses the ESP protocol defined by RFC 2406. By default, the ESP protocol uses the DES encryption algorithm and the MD5 authentication algorithm.

    By default, the IPSec uses the ESP protocol.

    AH authentication algorithm

    Authentication algorithm used by AH in the IPSec:
    • MD5
    • SHA1
    • SHA2-256
    • SHA2-384
    • SHA2-512
    • SM3
      NOTE:

      The SM3 algorithm is supported only in IKEv1.

    By default, AH uses the SHA2-256 authentication algorithm.

    Note that MD5 and SHA1 authentication algorithms cannot ensure security. You are advised to use another authentication algorithm.

    ESP authentication algorithm

    Authentication algorithm used by ESP in the IPSec:
    • Non-authentication
    • MD5
    • SHA1
    • SHA2-256
    • SHA2-384
    • SHA2-512
    • SM3
      NOTE:
      1. The SM3 algorithm is supported only in IKEv1.
      2. When the SM3 algorithm is configured, the ESP encryption algorithm must be SM1, SM4, or Non-encryption.

    The authentication algorithm and encryption algorithm of ESP cannot be kept blank simultaneously.

    By default, ESP uses the SHA2-256 authentication algorithm.

    Note that MD5 and SHA1 authentication algorithms cannot ensure security. You are advised to use another authentication algorithm.

    ESP encryption algorithm

    Encryption algorithm used by ESP in the IPSec:
    • Non-encryption
    • DES: indicates that ESP uses the DES-CBC encryption algorithm.
    • 3DES: indicates that ESP uses the 168-bit 3DES encryption algorithm in CBC mode.
    • AES-128: indicates that ESP uses the 128-bit AES encryption algorithm.
    • AES-192: indicates that ESP uses the 192-bit AES encryption algorithm.
    • AES-256: indicates that ESP uses the 256-bit AES encryption algorithm.
    • SM1: indicates that ESP uses the SM1 encryption algorithm.
    • SM4: indicates that ESP uses the SM4 encryption algorithm.
      NOTE:
      1. The SM1 and SM4 algorithms are supported only in IKEv1.
      2. When the SM1 or SM4 algorithm is configured, the ESP authentication algorithm must be SHA1, SM3, or Non-authentication.

    By default, ESP uses the AES-256 encryption algorithm.

    Note that 3DES and DES encryption algorithms cannot ensure security. You are advised to use another encryption algorithm.

    Encapsulation mode

    Encapsulation mode that IPSec uses to encapsulate IP packets:
    • Tunnel mode
    • Transport mode

    ACL parameter setting

    ACL name

    Name of a configured ACL that IPSec uses to protect data flows. When the router functions as the headquarters site, you can configure no ACL to protect all data flows on the interface.

    For details about the ACL configuration, see Advanced ACL Setting. IPSec supports ACL rules based on the source IP address, destination IP address, destination port number, and protocol number to protect data flows.

    Advanced

    IKE negotiation

    Mode in which IKE SAs are triggered:
    • Auto: After an IPSec policy is applied, the system completes IKE negotiation and establishes an IPSec tunnel.
    • Traffic-based: When an interface receives packets, the system completes IKE negotiation and establishes an IPSec tunnel.

    By default, the IKE negotiation uses auto mode.

    Local identity type

    Type of the local ID used in IKE negotiation:
    • IP address: The interface IP address is used as the local ID. When performing IKE negotiation with the peer, the local device exchanges identity information with the peer.
    • Name: A string of characters is used as the local ID. You can set Device local name in IPSec Global Setting to identify the local device. When Device local name is left blank, the device name is used.

    By default, the IP address of the local end is used as the local ID.

    Remote ID

    ID of the peer in IKE negotiation. The value must be the local ID configured on the peer.

    DPD(Dead Peer Detection)

    Whether to enable the dead peer detection (DPD) function.

    IKE peers send DPD packets to check whether the other party is alive.

    By default, DPD is disabled.

    DPD type

    DPD mode:
    • on-demand: indicates the on-demand DPD mode. If the local end does not receive any packets from the remote peer within the specified period, it sends a DPD packet to check whether the remote peer is available.
    • periodic: indicates the periodic DPD mode. If the local end does not receive any packets from the remote peer for a long time, it sends DPD packets at specific intervals to check whether the remote peer is available.

    The sequence of the payload in DPD packets

    Sequence of the payload in DPD packets:
    • seq-hash-notify: indicates that the payload of DPD packets is in the sequence of hash-notify.
    • seq-notify-hash: indicates that the payload of DPD packets is in the sequence of notify-hash.

    By default, the payload in DPD packets is in the sequence of notify-hash.

    Idle time for DPD detection (seconds)

    Idle time for sending DPD packets.

    The default idle time for DPD is 30 seconds.

    DPD packet retransmission interval (seconds)

    Interval for retransmitting DPD packets.

    The default interval for retransmitting DPD packets is 15 seconds.

    DPD packet retransmission count

    Maximum number of times DPD packets are retransmitted.

    The default maximum number of times DPD packets are retransmitted is 3.

    PFS

    The Perfect Forward Secrecy (PFS) enables IPSec to perform an additional round of key exchange in phase 2 of IKE negotiation to improve communication security:
    • none: the PFS feature is disabled.
    • Group1: uses the 768-bit Diffie-Hellman group.
    • Group2: uses the 1024-bit Diffie-Hellman group.
    • Group5: uses the 1536-bit Diffie-Hellman group.
    • Group14: uses the 2048-bit Diffie-Hellman group.
    • Group19: uses the 256-bit ECP Diffie-Hellman group.
    • Group20: uses the 384-bit ECP Diffie-Hellman group.
    • Group21: uses the 521-bit ECP Diffie-Hellman group.

    By default, the PFS feature is disabled.

    IKE SA lifetime (seconds)

    Lifetime of IKE SAs. Both ends negotiate a new SA before the old one times out. The old SA is still used prior to the establishment of the new SA.

    By default, the lifetime of an IKE SA is 86400 seconds.

    IPSec SA aging mode

    SA lifetime in an IPSec policy. In IPSec negotiation, the SA uses the shorter lifetime between the lifetime set on the local end and that set on the remote end.

    The SA lifetime can be measured by time or by traffic:
    • Time-based (s): indicates the period of time an SA can exist after being established.
    • Traffic-based (KB): indicates the maximum traffic volume that an SA can process.

    When the specified time or traffic volume is reached, the SA becomes invalid. When the SA is about to expire, IPSec negotiates a new SA.

    By default, when no IPSec SA lifetime is set for the IPSec policy, the global IPSec SA lifetime is used. The global IPSec SA lifetime is set by the parameter IPSec SA aging management in IPSec Global Setting. If IPSec SA aging management is not set, the default value is used.

    Local IP address

    Whether to set the IP address of the local end.

    By default, the local end address is the IP address of the interface bound to the IPSec policy.

    Address mode

    Type of the local IP address.
    • Interface: The local end address is the IP address of the interface bound to the IPSec policy.
    • IP address: When the outbound interface has a primary address and a secondary address, enter an IP address in the IP address text box.

    IP address

    IP address of the local end in IKE negotiation.

    Route import

    Whether to enable the route import function.

    Route import type

    Route import mode:
    • Static: The route of the IPSec peer is added to the local routing table upon device startup and remains unchanged.
    • Dynamic: Route reachability is determined based on IPSec tunnel status. If the IPSec tunnel is Up, the route of the IPSec peer is added to the local routing table and advertised on the network. If the IPSec tunnel is Down, the route of the IPSec peer is deleted and withdrawn.

    Route priority

    Priority of an injection route.

    By default, the priority is 60.

    Pre-extraction of original IP packets

    Whether to enable pre-extraction of original IP packets.

    By default, pre-extraction of original IP packets is disabled.

    In tunnel mode, QoS-relevant fields such as the packet header and protocol type of the original packet are hidden once the IP packet is encapsulated by IPSec. Although IPSec copies the DSCP field of the original packet into the outer IP packet header, some QoS solutions require quintuple information. The encryption device can pre-extract the quintuple (source address, destination address, protocol type, source port number, and destination port number) before encapsulation to allow refined QoS management of IPSec packets.

  • Modifying an IPSec policy

    NOTE:

    If an IPSec policy configured by a command is not applied to a specified interface, the policy is not displayed on the IPSec policy management page.

    1. Choose VPN > IPSec VPN > IPSec Policy Management.
    2. Select the IPSec policy to modify in the IPSec Policy Management area and click .
    3. In the Modify IPSec Policy dialog box that is displayed, modify the parameters listed in Table 16-1 based on the site requirements.
    4. Click OK.
  • Deleting an IPSec policy
    1. Choose VPN > IPSec VPN > IPSec Policy Management.
    2. Select the IPSec policy to delete in the IPSec Policy Management area and click Delete.

      The selected IPSec policy is no longer displayed in the IPSec Policy Management area.
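As an added example (not Huawei's code or part of this guide), the following Python checker applies the constraints and weak-algorithm advisories stated in Table 16-1 to a policy written as a dictionary keyed by the table's parameter names; the dictionary keys, the assumed defaults (SHA2-256 and AES-256 for ESP, IKEv1 when no version is given) and the sample policies are constructed assumptions.

```python
# Added example, not Huawei code: lint an IPSec policy expressed with the
# Table 16-1 parameter names, enforcing the notes and advisories in the table.
WEAK_AUTH = {"MD5", "SHA1"}      # "cannot ensure security" per the guide
WEAK_ENC = {"DES", "3DES"}       # "cannot ensure security" per the guide
SM_ENC = {"SM1", "SM4"}


def lint_policy(p):
    """Return a list of problems; an empty list means the policy passes."""
    problems = []
    ike = p.get("IKE version", "IKEv1")  # assumed default when unset
    # Version restrictions from the NOTE entries in Table 16-1
    if p.get("Authentication algorithm") == "AES-XCBC-MAC-96" and ike != "IKEv2":
        problems.append("AES-XCBC-MAC-96 is supported only in IKEv2")
    sm_used = {p.get("Authentication algorithm"), p.get("AH authentication algorithm"),
               p.get("ESP authentication algorithm"), p.get("Encryption algorithm"),
               p.get("ESP encryption algorithm")} & ({"SM3"} | SM_ENC)
    if sm_used and ike != "IKEv1":
        problems.append("SM algorithms are supported only in IKEv1")
    # ESP pairing rules (assumed defaults SHA2-256 / AES-256 as the table states)
    esp_auth = p.get("ESP authentication algorithm", "SHA2-256")
    esp_enc = p.get("ESP encryption algorithm", "AES-256")
    if esp_auth == "Non-authentication" and esp_enc == "Non-encryption":
        problems.append("ESP authentication and encryption cannot both be blank")
    if esp_auth == "SM3" and esp_enc not in SM_ENC | {"Non-encryption"}:
        problems.append("SM3 requires ESP encryption SM1, SM4 or Non-encryption")
    if esp_enc in SM_ENC and esp_auth not in {"SHA1", "SM3", "Non-authentication"}:
        problems.append("SM1/SM4 require ESP authentication SHA1, SM3 or Non-authentication")
    # Weak-algorithm advisories repeated for every algorithm field in the table
    for key in ("Authentication algorithm", "AH authentication algorithm",
                "ESP authentication algorithm"):
        if p.get(key) in WEAK_AUTH:
            problems.append(f"{key}: {p[key]} cannot ensure security")
    for key in ("Encryption algorithm", "ESP encryption algorithm"):
        if p.get(key) in WEAK_ENC:
            problems.append(f"{key}: {p[key]} cannot ensure security")
    return problems


# Constructed sample policies: one the GUI would accept but the guide advises
# against, and one using the defaults the guide recommends plus PFS.
LEGACY = {"IKE version": "IKEv1", "Negotiation mode": "Main mode",
          "Authentication algorithm": "SHA1", "Encryption algorithm": "3DES",
          "ESP authentication algorithm": "MD5", "ESP encryption algorithm": "DES"}
HARDENED = {"IKE version": "IKEv2", "Authentication algorithm": "SHA2-256",
            "Encryption algorithm": "AES-256", "ESP authentication algorithm": "SHA2-256",
            "ESP encryption algorithm": "AES-256", "PFS": "Group14"}

if __name__ == "__main__":
    for name, pol in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, lint_policy(pol) or "OK")
```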

Updated: 2019-04-12

Document ID: EDOC1100041803
