Web-based Configuration Guide

AR650, AR1600, and AR6100 V300R003

This document describes how to configure and maintain your routers using the web platform.




IPSec is a protocol suite defined by the Internet Engineering Task Force (IETF) for securing IP communication by authenticating and encrypting each IP packet of a communication session. Two communicating parties can encrypt data and authenticate the data origin at the IP layer to ensure data confidentiality and integrity and prevent replay of data packets.

IPSec uses two security protocols: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. Key exchange and SA establishment in IPSec are implemented by the IKE protocol, which simplifies the use and management of IPSec.

IPSec Security Protocol

AH defines the authentication method and checks data integrity and data origin. ESP defines the encryption and authentication methods and ensures data reliability.

  • AH: provides data origin authentication, data integrity check, and the anti-replay service. The sender performs hash calculation on the IP payload and all header fields of an IP packet except for variable fields to generate a message digest. The receiver calculates a message digest according to the received IP packet and compares the two message digests to determine whether the IP packet has been modified during transmission. AH does not encrypt the IP payload.
  • ESP: encrypts the IP payload in addition to providing all the functions of AH. ESP can encrypt and authenticate the IP payload but does not authenticate the IP packet header.
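The AH integrity check described above, as an added Python example (not part of the original guide or of any device software). It assumes HMAC-SHA-256 truncated to 128 bits as the digest, a 20-byte IPv4 header without options, and constructed keys, addresses and SPI; the variable fields excluded from the digest are TOS, flags/fragment offset, TTL and header checksum.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # assumption: HMAC-SHA-256 truncated to 128 bits

def zero_mutable(ip_header: bytes) -> bytes:
    """Copy of a 20-byte IPv4 header with the fields routers may change set to zero."""
    h = bytearray(ip_header)
    h[1] = 0                 # DSCP/ECN (TOS)
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def icv(key: bytes, packet: bytes) -> bytes:
    """Digest over IP header (mutable fields zeroed), AH (ICV zeroed) and payload."""
    ip, ah, payload = packet[:20], packet[20:32], packet[32 + ICV_LEN:]
    data = zero_mutable(ip) + ah + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_protect(key, src, dst, payload, spi, seq, next_header=17, ttl=64):
    """Sender side: build IPv4 + AH + payload (transport mode) and fill in the ICV."""
    ah_len = (12 + ICV_LEN) // 4 - 2  # AH length in 32-bit words, minus 2
    ah = struct.pack("!BBHII", next_header, ah_len, 0, spi, seq)
    total = 20 + len(ah) + ICV_LEN + len(payload)
    # Header checksum is left at 0 here; it is excluded from the digest anyway.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, 51, 0, src, dst)
    return ip + ah + icv(key, ip + ah + bytes(ICV_LEN) + payload) + payload

def ah_verify(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the digest and compare it in constant time."""
    return hmac.compare_digest(packet[32:32 + ICV_LEN], icv(key, packet))

def modify(packet: bytes, offset: int, new: bytes) -> bytes:
    p = bytearray(packet)
    p[offset:offset + len(new)] = new
    return bytes(p)

# Constructed sample values, not taken from any real deployment.
KEY = b"constructed-demo-key-32-bytes!!!"
PKT = ah_protect(KEY, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), b"hello", 0x1000, 1)
ROUTED = modify(modify(PKT, 8, b"\x3f"), 10, b"\xbe\xef")   # TTL and checksum changed
TAMPERED = modify(PKT, len(PKT) - 1, b"O")                   # payload changed
SPOOFED = modify(PKT, 12, bytes([10, 0, 0, 99]))             # source address changed

if __name__ == "__main__":
    for name, p in [("original", PKT), ("routed", ROUTED),
                    ("tampered", TAMPERED), ("spoofed", SPOOFED)]:
        print(name, ah_verify(KEY, p))
```

The spoofed-source case fails because AH covers the IP header; ESP authentication, as the text notes, does not.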

IPSec Peer

IPSec provides secure IP communication between two endpoints. The two endpoints are called IPSec peers.

Security Association (SA)

A security association (SA) is a set of algorithms such as the encryption algorithm and parameters such as keys for secure data transmission between IPSec peers.

Encapsulation Mode
  • Transport mode: inserts an IPSec header (AH or ESP) between the IP header and the header of the upper-layer protocol. In this mode, the protocol type field in the IP header is changed to AH or ESP, and the checksum in the IP header is recalculated. The transport mode applies to communication between two hosts or between a host and a security gateway.

  • Tunnel mode: adds an IPSec header (AH or ESP) in front of the original IP header and then adds a new IP header in front of the IPSec header. In this mode, the original IP packet is transmitted as the payload of the new packet and is protected by IPSec. The tunnel mode applies to communication between two security gateways. Packets encrypted by one security gateway must be decrypted by the other security gateway.
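The two encapsulation modes as byte layouts, in an added Python example (not part of the original guide). It uses AH with a zero-filled 16-byte ICV placeholder so that only the header changes are shown; the addresses, ports and SPI are constructed sample values.

```python
import struct

AH, IPIP, UDP = 51, 4, 17  # IP protocol numbers

def checksum(header: bytes) -> int:
    """IPv4 header checksum: ones' complement of the 16-bit ones' complement sum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src, dst)
    return h[:10] + struct.pack("!H", checksum(h)) + h[12:]

def ah_header(next_header: int, spi: int, seq: int) -> bytes:
    # 12 fixed bytes plus a 16-byte ICV placeholder (zeros in this layout example).
    return struct.pack("!BBHII", next_header, 5, 0, spi, seq) + bytes(16)

def transport_mode(packet: bytes, spi: int, seq: int) -> bytes:
    """Keep the original IP header, insert AH after it, fix protocol, length, checksum."""
    body = ah_header(packet[9], spi, seq) + packet[20:]
    h = bytearray(packet[:20])
    h[2:4] = struct.pack("!H", 20 + len(body))
    h[9] = AH                      # protocol field now says AH
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", checksum(bytes(h)))
    return bytes(h) + body

def tunnel_mode(packet: bytes, gw_src: bytes, gw_dst: bytes, spi: int, seq: int) -> bytes:
    """New outer IP header between the gateways; the whole original packet is payload."""
    body = ah_header(IPIP, spi, seq) + packet
    return ipv4(gw_src, gw_dst, AH, len(body)) + body

# Constructed sample: a UDP datagram between two hosts behind two gateways.
HOST_A, HOST_B = bytes([192, 168, 1, 10]), bytes([192, 168, 2, 20])
GW_A, GW_B = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])
UDP_DATA = struct.pack("!HHHH", 5000, 5001, 12, 0) + b"data"
ORIGINAL = ipv4(HOST_A, HOST_B, UDP, len(UDP_DATA)) + UDP_DATA

if __name__ == "__main__":
    t = transport_mode(ORIGINAL, 0x1000, 1)
    u = tunnel_mode(ORIGINAL, GW_A, GW_B, 0x1000, 1)
    print("transport:", len(t), "bytes, IP proto", t[9], "AH next header", t[20])
    print("tunnel:   ", len(u), "bytes, IP proto", u[9], "AH next header", u[20])
```

In tunnel mode the host addresses appear only inside the protected payload, while the outer header carries the gateway addresses.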

Authentication Algorithm and Encryption Algorithm
  • IPSec uses the Message Digest 5 (MD5) algorithm, Secure Hash Algorithm 1 (SHA-1), or Secure Hash Algorithm 2 (SHA-2) for authentication. The MD5 algorithm computes faster than the SHA-1 algorithm, but the SHA-1 algorithm is more secure than the MD5 algorithm. SHA-2 produces longer digests than SHA-1 and is more secure than SHA-1.
  • IPSec uses the DES, Triple Data Encryption Standard (3DES), or Advanced Encryption Standard (AES) algorithm for encryption. The AES algorithm encrypts plain text by using a key of 128 bits, 192 bits, or 256 bits.

Establishing an IPSec Tunnel Using IKE Negotiation


IKE builds upon the Internet Security Association and Key Management Protocol (ISAKMP) and provides the key negotiation, identity authentication, and SA establishment functions to simplify IPSec use and management.

IKE Version

IKE supports IKEv1 and IKEv2 versions.
  • IKEv1: defines two phases for IPSec key negotiation. IKEv1 phase 1 operates in either main mode or aggressive mode. The aggressive mode allows two IPSec peers to establish an IKE SA more quickly than in main mode. In main mode, only IP addresses can be used to identify IPSec peers. In aggressive mode, both IP addresses and names can be used to identify IPSec peers.
  • IKEv2: defines three types of exchanges and enables two IPSec peers to establish an IKE SA more quickly than IKEv1.
IKE Security Mechanism
  • Diffie-Hellman (DH) algorithm: The DH algorithm is a public key algorithm. The two communicating parties do not transmit a key but exchange data from which each calculates the same shared key. They use the calculated shared key to encrypt data and exchange the encrypted data. IKE-enabled devices therefore never directly transmit a key on an insecure network. Even if a third party (such as a hacker) intercepts all the data exchanged for key calculation, it cannot calculate the actual key.
  • Perfect Forward Secrecy (PFS): PFS is a property that prevents other keys from being compromised when one key is compromised. The key used in IKE phase 2 is derived from the key used in IKE phase 1. After obtaining the key used in phase 1, an attacker may collect enough information to calculate the key to be used in phase 2. PFS provides an additional DH key exchange to secure the key used in phase 2.
  • Identity authentication: authenticates the identities of the two communicating parties. Two methods are available: pre-shared key authentication and digital certificate authentication. In pre-shared key authentication, the two communicating parties use a shared key to calculate a digest for a received packet and compare the digest with the digest field in the packet. If the calculated digest is the same as that in the packet, authentication succeeds; otherwise, authentication fails. In digital certificate authentication, the two communicating parties use an agreed algorithm to calculate the digest for a packet. The sender uses its own private key to encrypt the digest field and generates a digital signature. The receiver uses the sender's public key to decrypt the digital signature and compares the calculated digest with the original digest field. If the calculated digest is the same as the original digest of the packet, authentication succeeds; otherwise, authentication fails.
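The DH exchange and the effect of PFS on phase 2 keys, as an added Python example (not part of the original guide). It assumes a toy 127-bit DH group, HMAC-SHA-256 as the pseudo-random function, a simplified stand-in for the phase 1 derivation key (SKEYID_d), and the IKEv1 quick-mode key material formula from RFC 2409.

```python
import hashlib
import hmac
import secrets

# Toy DH group for illustration only (constructed); real IKE uses standardized groups.
P = 2**127 - 1
G = 3
ESP = 50  # IP protocol number placed in the key material input

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)       # only the second value is ever transmitted

def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, g_xy: bytes = b"") -> bytes:
    """Phase 2 key material: prf(SKEYID_d, [g^xy |] protocol | SPI | Ni | Nr)."""
    return prf(skeyid_d, g_xy + bytes([ESP]) + spi + ni + nr)

def negotiate(pfs: bool):
    """Return (key the peers use, key derivable from the phase 1 key alone)."""
    # Phase 1: both peers compute the same secret from exchanged public values.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    assert dh_shared(a_priv, b_pub) == dh_shared(b_priv, a_pub)
    skeyid_d = prf(b"phase1", dh_shared(a_priv, b_pub))  # simplified stand-in
    # Phase 2: SPI and nonces travel protected only by phase 1 keys.
    spi, ni, nr = (secrets.token_bytes(n) for n in (4, 16, 16))
    g_xy = b""
    if pfs:  # the additional DH exchange; its private values never leave the peers
        qa_priv, _ = dh_keypair()
        _, qb_pub = dh_keypair()
        g_xy = dh_shared(qa_priv, qb_pub)
    in_use = keymat(skeyid_d, spi, ni, nr, g_xy)
    from_phase1_only = keymat(skeyid_d, spi, ni, nr)
    return in_use, from_phase1_only

if __name__ == "__main__":
    for pfs in (False, True):
        in_use, derivable = negotiate(pfs)
        print("PFS", pfs, "-> phase 2 key follows from phase 1 key:", in_use == derivable)
```

Without PFS, every input to the phase 2 key is covered by the phase 1 key; with PFS, the key also depends on a fresh DH secret that was never transmitted.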

Establishing an IPSec Tunnel Using an IPSec Virtual Tunnel Interface

An IPSec virtual tunnel interface is a Layer 3 logical interface supporting dynamic routing protocols. All packets passing through the IPSec virtual tunnel interface are protected by IPSec.

After an IPSec tunnel is established using an IPSec virtual tunnel interface, data flows routed to the IPSec virtual tunnel interface are protected by IPSec. Compared to using an ACL to determine data flows to be protected, using routing to determine the flows to be protected simplifies the IPSec policy deployment and prevents IPSec configuration from being affected by the network plan. This enhances network scalability and reduces network maintenance costs.

Updated: 2019-04-12

Document ID: EDOC1100041803
