Web-based Configuration Guide

AR650, AR1600, and AR6100 V300R003

This document describes how to configure and maintain your routers using the web platform.
IPSec VPN Configuration Wizard

Procedure

  1. Select a usage scenario.

    1. Choose Configuration Wizard > IPSec VPN Configuration Wizard.

      Figure 10-9  IPSec VPN Configuration Wizard

    2. Select one from the usage scenarios listed as follows:
      • Site-to-Site

        Select Site-to-Site when both the local device and the peer device can function as the initiator. Parameters on the local and peer devices must be the same.

      • Central Site

        Select Central Site when the peer device has no fixed IP address or its IP address is unknown. In this scenario, the local device functions as the responder and answers negotiation requests initiated by the peer device.

      • Branch Site

        Select Branch Site when the local device actively sets up an IPSec tunnel with the Central Site. In this scenario, the local device functions as the initiator.

    3. Click Next.

  2. Configure the network.

    Figure 10-10  Configure the network

    1. Configure the interface where the IPSec policy is applied and determine the outbound interface for data flows protected by IPSec.

    2. Configure the IP address or domain name for the peer device and click Ping to test network connectivity.

      NOTE:

      This step is not required when you select Central Site.

    3. Click Next.

  3. Define the protected data flow.

    Figure 10-11  Define the protected data flow

    NOTE:

    This step is optional when you select Central Site.

    1. Enter the source IP address, destination IP address, and the wildcards of the source and destination IP addresses of a protected data flow. If no data flow is specified, all traffic is treated as the protected data flow.

      Configurations on the local and peer devices must mirror each other.

      NOTE:

      You can define multiple data flows that are protected by IPSec.

    2. Click Next.

  4. Configure encryption and authentication.

    Figure 10-12  Configure encryption and authentication

    To ensure successful IPSec negotiation, the following parameters must be configured identically on the local and peer devices.
    1. Configure the pre-shared key. The value is a string of characters. A plaintext key contains 1 to 128 characters, and a ciphertext key contains 48 to 188 characters. If the string contains a question mark (?) or a space, enclose the key in double quotation marks ("). The local and remote ends of IKE negotiation must be configured with the same pre-shared key.
    2. Configure IKE parameters shown in Table 10-9.

      Internet Key Exchange (IKE) provides the functions of key negotiation and SA establishment to simplify IPSec usage and management. After IPSec peers establish an IKE SA and complete identity authentication and key exchange, they negotiate a pair of IPSec SAs based on security parameters such as AH or ESP. Then data exchanged between the IPSec peers is encrypted and transmitted over the IPSec tunnel.

      Table 10-9  IKE parameter settings

      Negotiation mode: the negotiation mode for IKEv1 phase 1 (IKEv2 has no such setting).
      • Main mode: Identity information is encrypted, which improves security, but negotiation takes more round trips.
      • Aggressive mode: Establishes an IKE SA more quickly than main mode, but identity information is sent unencrypted.

      Authentication algorithm: the integrity (hash) algorithm used by IKE.
      • SHA1: The SHA-1 algorithm produces a 160-bit digest.
      • MD5: The MD5 algorithm produces a 128-bit digest.
      • AES-XCBC-MAC-96: The AES-XCBC-MAC-96 algorithm uses a 128-bit key.
        NOTE:

        AES-XCBC-MAC-96 is supported only with IKEv2.

      • SHA2-256: The SHA2-256 algorithm produces a 256-bit digest.
      • SHA2-384: The SHA2-384 algorithm produces a 384-bit digest.
      • SHA2-512: The SHA2-512 algorithm produces a 512-bit digest.
      • SM3: The SM3 algorithm produces a 256-bit digest.
        NOTE:

        SM3 is supported only with IKEv1.

      For ESP, the authentication algorithm and the encryption algorithm cannot both be left blank.

      Note that MD5 and SHA1 cannot ensure security. You are advised to use another authentication algorithm.

      Encryption algorithm: the encryption algorithm used by IKE.
      • 3DES: The 3DES algorithm uses a 168-bit key.
      • AES-128: The AES-128 algorithm uses a 128-bit key.
      • AES-192: The AES-192 algorithm uses a 192-bit key.
      • AES-256: The AES-256 algorithm uses a 256-bit key.
      • DES: The DES algorithm uses a 56-bit key.
      • SM1: The SM1 block cipher (128-bit key).
      • SM4: The SM4 block cipher (128-bit key).

      Note that 3DES and DES cannot ensure security. You are advised to use another encryption algorithm.

      DH group number: the Diffie-Hellman group used in IKE negotiation.
      • Group1: 768-bit MODP Diffie-Hellman group.
      • Group2: 1024-bit MODP Diffie-Hellman group.
      • Group5: 1536-bit MODP Diffie-Hellman group.
      • Group14: 2048-bit MODP Diffie-Hellman group.
      • Group19: 256-bit ECP Diffie-Hellman group.
      • Group20: 384-bit ECP Diffie-Hellman group.
      • Group21: 521-bit ECP Diffie-Hellman group.

      Note that Group1 and Group2 no longer provide adequate strength. You are advised to use Group14 or an ECP group (Group19 to Group21).
    3. Configure IPSec parameters shown in Table 10-10.

      Table 10-10  IPSec parameter settings

      Security protocol: the security protocol used by IPSec.
      • AH: Authentication Header (AH) only authenticates packets; it provides no confidentiality.
      • ESP: Encapsulating Security Payload (ESP) can encrypt packets, authenticate them, or both.
      • AH-ESP: AH authenticates packets, and ESP encrypts and authenticates them.

      AH authentication algorithm: AH provides data origin authentication and an integrity check.
      • MD5: The MD5 algorithm produces a 128-bit digest.
      • SHA1: The SHA1 algorithm produces a 160-bit digest.
      • SHA2-256: The SHA2-256 algorithm produces a 256-bit digest.
      • SHA2-384: The SHA2-384 algorithm produces a 384-bit digest.
      • SHA2-512: The SHA2-512 algorithm produces a 512-bit digest.
      • SM3: The SM3 algorithm produces a 256-bit digest.
        NOTE:
        SM3 is supported only with IKEv1.

      Note that MD5 and SHA1 cannot ensure security. You are advised to use another authentication algorithm.

      ESP authentication algorithm: ESP provides data origin authentication and an integrity check.
      • Non-authentication
      • MD5: The MD5 algorithm produces a 128-bit digest.
      • SHA1: The SHA1 algorithm produces a 160-bit digest.
      • SHA2-256: The SHA2-256 algorithm produces a 256-bit digest.
      • SHA2-384: The SHA2-384 algorithm produces a 384-bit digest.
      • SHA2-512: The SHA2-512 algorithm produces a 512-bit digest.
      • SM3: The SM3 algorithm produces a 256-bit digest.
        NOTE:
        1. SM3 is supported only with IKEv1.
        2. When SM3 is configured, the ESP encryption algorithm must be SM1, SM4, or Non-encryption.

      Note that MD5 and SHA1 cannot ensure security. You are advised to use another authentication algorithm.

      ESP encryption algorithm: ESP encrypts the packet payload.
      • Non-encryption
      • DES: The DES algorithm uses a 56-bit key.
      • 3DES: The 3DES algorithm uses a 168-bit key.
      • AES-128: The AES-128 algorithm uses a 128-bit key.
      • AES-192: The AES-192 algorithm uses a 192-bit key.
      • AES-256: The AES-256 algorithm uses a 256-bit key.
      • SM1: The SM1 block cipher (128-bit key).
      • SM4: The SM4 block cipher (128-bit key).
      NOTE:
      1. SM1 and SM4 are supported only with IKEv1.
      2. When SM1 or SM4 is configured, the ESP authentication algorithm must be SHA1, SM3, or Non-authentication.

      Note that 3DES and DES cannot ensure security. You are advised to use another encryption algorithm. Also note that selecting Non-encryption together with an authentication algorithm gives integrity protection only; the payload travels in cleartext.

      Encapsulation mode: IPSec encapsulates IP packets by adding an AH or ESP header (and, for ESP, a trailer) to the original packet for authentication and encryption.
      • Tunnel mode: An AH or ESP header is inserted before the original IP header, and a new IP header (carrying the IP address of the local device) is placed before the AH or ESP header.

        Tunnel mode hides the internal host IP addresses and protects the entire original packet end to end. It is generally used between forwarding devices (gateways).

      • Transport mode: An AH or ESP header is inserted between the original IP header and the transport-layer protocol header.

        Transport mode protects only the original packet payload; the original IP header stays visible. It is used between hosts, or between a host and a gateway.

    4. Click Next.

  5. Confirm settings.

    Figure 10-13  Confirm settings

    Check the IPSec VPN configuration details, and click Finish.
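The wizard only tells you at Finish whether each side's parameters are valid; whether the two sides will actually negotiate depends on the rules spread over the steps above (identical IKE/IPSec parameters on both peers, mirrored data flows, the SM and AES-XCBC-MAC-96 version restrictions, ESP not left fully blank, and the weak-algorithm warnings). The following is an added example, not Huawei code or part of the web UI, that encodes those rules as a pre-flight check you can run against the values you intend to type into both wizards. Field names, the `Flow`/`Proposal` classes and the sample proposals are this example's own assumptions; wildcard bits follow the usual ACL convention where a 1 bit means "don't care".

```python
"""Pre-flight check for the IKE/IPSec wizard parameters (added example, not
Huawei code). It encodes the constraints stated in the procedure: matching
parameters on both peers, mirrored protected data flows, weak-algorithm
warnings, IKE-version restrictions and the SM/ESP pairing rules."""
from dataclasses import dataclass
from ipaddress import IPv4Address

WEAK_AUTH = {"MD5", "SHA1"}
WEAK_ENC = {"DES", "3DES"}
WEAK_DH = {"Group1", "Group2"}           # 768- and 1024-bit MODP
SM_ALGS = {"SM1", "SM3", "SM4"}
NEGOTIATED = ("ike_version", "ike_mode", "ike_auth", "ike_enc", "dh_group",
              "protocol", "ah_auth", "esp_auth", "esp_enc", "encap_mode")


@dataclass(frozen=True)
class Flow:
    """One protected data flow: address and wildcard for source and destination."""
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    @staticmethod
    def _norm(addr, wc):
        a, w = int(IPv4Address(addr)), int(IPv4Address(wc))
        return (a & ~w, w)              # clear the "don't care" bits, keep the mask

    def key(self):
        return (self._norm(self.src, self.src_wc), self._norm(self.dst, self.dst_wc))

    def mirror(self):
        """The flow as the peer must define it: source and destination swapped."""
        return Flow(self.dst, self.dst_wc, self.src, self.src_wc)


@dataclass(frozen=True)
class Proposal:
    ike_version: str                    # "IKEv1" or "IKEv2"
    ike_mode: str                       # "main"/"aggressive" for IKEv1, "" for IKEv2
    ike_auth: str
    ike_enc: str
    dh_group: str
    protocol: str                       # "AH", "ESP" or "AH-ESP"
    ah_auth: str = ""
    esp_auth: str = ""                  # "" means Non-authentication
    esp_enc: str = ""                   # "" means Non-encryption
    encap_mode: str = "tunnel"
    flows: tuple = ()                   # () means "any data flow"


def check_proposal(p):
    """Return (errors, warnings): errors block negotiation, warnings flag weak choices."""
    errors, warnings = [], []
    if p.ike_version == "IKEv1" and p.ike_mode == "aggressive":
        warnings.append("aggressive mode sends identity information unencrypted")
    if p.ike_auth in WEAK_AUTH:
        warnings.append(f"IKE authentication {p.ike_auth} is weak")
    if p.ike_enc in WEAK_ENC:
        warnings.append(f"IKE encryption {p.ike_enc} is weak")
    if p.dh_group in WEAK_DH:
        warnings.append(f"DH {p.dh_group} is too small; use Group14 or an ECP group")
    if p.ike_auth == "AES-XCBC-MAC-96" and p.ike_version != "IKEv2":
        errors.append("AES-XCBC-MAC-96 is supported only with IKEv2")
    used = {p.ike_auth, p.ike_enc, p.ah_auth, p.esp_auth, p.esp_enc} & SM_ALGS
    if used and p.ike_version != "IKEv1":
        errors.append(f"{sorted(used)} are supported only with IKEv1")
    if "AH" in p.protocol and p.ah_auth in WEAK_AUTH:
        warnings.append(f"AH authentication {p.ah_auth} is weak")
    if "ESP" in p.protocol:
        if not p.esp_auth and not p.esp_enc:
            errors.append("ESP authentication and encryption cannot both be blank")
        if p.esp_auth == "SM3" and p.esp_enc not in {"SM1", "SM4", ""}:
            errors.append("SM3 requires ESP encryption SM1, SM4 or Non-encryption")
        if p.esp_enc in {"SM1", "SM4"} and p.esp_auth not in {"SHA1", "SM3", ""}:
            errors.append("SM1/SM4 require ESP authentication SHA1, SM3 or Non-authentication")
        if p.esp_auth in WEAK_AUTH:
            warnings.append(f"ESP authentication {p.esp_auth} is weak")
        if p.esp_enc in WEAK_ENC:
            warnings.append(f"ESP encryption {p.esp_enc} is weak")
    return errors, warnings


def check_pair(local, peer):
    """Return the mismatches between two peers that would make negotiation fail."""
    mismatches = [f"{f}: local={getattr(local, f)!r} peer={getattr(peer, f)!r}"
                  for f in NEGOTIATED if getattr(local, f) != getattr(peer, f)]
    # Only compare flows when both sides define them; an empty tuple means "any".
    if local.flows and peer.flows:
        if {f.key() for f in local.flows} != {f.mirror().key() for f in peer.flows}:
            mismatches.append("protected data flows do not mirror each other")
    return mismatches


# Constructed sample proposals (not taken from a real device).
LAN_A = Flow("192.168.1.0", "0.0.0.255", "10.0.0.0", "0.0.0.255")
LEGACY = Proposal("IKEv1", "aggressive", "MD5", "3DES", "Group2", "ESP",
                  esp_auth="SHA1", esp_enc="DES", flows=(LAN_A,))
HARDENED = Proposal("IKEv2", "", "SHA2-256", "AES-256", "Group14", "ESP",
                    esp_auth="SHA2-256", esp_enc="AES-256", flows=(LAN_A,))
HARDENED_PEER = Proposal("IKEv2", "", "SHA2-256", "AES-256", "Group14", "ESP",
                         esp_auth="SHA2-256", esp_enc="AES-256", flows=(LAN_A.mirror(),))

if __name__ == "__main__":
    for name, prop in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, *check_proposal(prop))
    print("peer mismatches:", check_pair(HARDENED, HARDENED_PEER))
```

Running the module prints six weakness warnings for the legacy proposal (aggressive mode, MD5, 3DES, Group2, SHA1, DES) and none for the hardened one, and reports no mismatches between the hardened local and peer proposals. Feeding the same (unmirrored) proposal in as both local and peer is the common copy-paste mistake from step 3: the parameters match, but the check reports that the data flows do not mirror each other, which is exactly the case where the tunnel negotiates and then carries no traffic.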

Updated: 2019-04-12

Document ID: EDOC1100041803