NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring the IKE Peer

An IKE peer defines the attributes used in IKE negotiation, including the IKE proposal it references, the negotiation mode, NAT traversal, and the IKE version.

Context

During the configuration of an IKE peer, note the following:

  • When IPSec is deployed, the path from the local to the peer and its return path can be the same or different. If they are different, they must work in load balancing mode.

  • If the pre-shared key authentication mode is adopted, you need to configure the same authentication key for both ends of the IPSec tunnel.

  • If the peer end of the IPSec negotiation does not support IKEv2, you need to disable IKEv2; otherwise, the negotiation may fail.

IKEv2 has no negotiation modes. In IKEv1, the phase 1 negotiation uses either main mode or aggressive mode.

The aggressive mode does not provide identity protection, and is less secure than the main mode. The aggressive mode, however, can meet certain specific network requirements. For example:

  • During remote access, if the responder (server) cannot predict the address of the initiator (terminal user), or that address keeps changing, and both parties want to use pre-shared key authentication to create an IKE SA, aggressive mode can be used.

    NOTE:
    If the NE20E adopts the pre-shared key authentication mode, and the proxy IP address of the egress gateway can be obtained, the proxy IP address can be specified in main mode.
  • If the initiator knows the responder's policies, or has a general understanding of them, aggressive mode can be used to create an IKE SA more quickly.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ike peer peer-name

    The IKE peer is created and the IKE peer view is displayed.

  3. (Optional) Run version version

    The IKE version number is configured.

    It is recommended that IKEv2 be disabled on the local end when the peer end of an IPsec tunnel does not support IKEv2. Otherwise, the peer end successfully initiates the IKE negotiation (using IKEv1) but the local end fails to initiate the IKE negotiation (using IKEv2).

    If the digital-envelope authentication method is used, only IKEv1 can be configured.

  4. (Optional) Run exchange-mode { main | aggressive }

    The negotiation mode is configured.

    This configuration applies only to IKEv1.

    If the digital-envelope authentication method is used, only the main mode (main) can be configured.

  5. Run ike-proposal proposal-number

    The IKE proposal is applied in the IKE peer.

    In aggressive mode, the first configured IKE proposal is used in the negotiation. In main mode, all the configured IKE proposals are used in the negotiation.

  6. Run local-id-type { ip | fqdn | dn | user-fqdn [ user-fqdn ] }

    The IKE peer ID type is configured.

  7. (Optional) Run ike local-name local-name

    The local end name used for IKE negotiation is configured.

  8. Configure the ID of the IKE peer.

    • Run the following if the ID type is configured as the IP address format:

      Run remote-address [ authentication-address | vpn-instance vpn-instance-name ] remote-low-address [ remote-high-address ]

      The IP address or IP address segment of the peer end is specified.

      NOTE:

      If the IKE peer is referenced by an IPSec policy template, the IP address of the peer end can also be specified as an IP address segment.

    • Run the following if the ID type is configured as fqdn:

      • Run remote-id remote-id

        The ID of the peer is specified.

      • Run remote-address [ authentication-address | vpn-instance vpn-instance-name ] remote-low-address [ remote-high-address ]

        The IP address or IP address segment of the peer end is specified.

        authentication-address indicates the authentication address of the peer end.

        NOTE:

        If the IKE peer is referenced by an IPSec policy, the IP address of the peer end must be specified, and cannot be specified as an IP address segment.

        If the IKE peer is referenced by an IPSec policy template, the IP address of the peer end can be left unspecified or can be specified as an IP address segment. If it is not specified, the peer end can have any IP address.

    NOTE:

    If a local device corresponds to multiple IKE peers and two IKE peers are allocated the same IP address, the system prompts an address conflict, regardless of whether one is a private IP address and the other is a public IP address. If an IKE peer is allocated an IP address and another IKE peer is allocated an IP address segment that contains the IP address, the system does not prompt an address conflict.

  9. (Optional) Run sa binding vpn-instance vpn-instance-name

    A VPN instance is associated with an SA.

  10. Perform either of the following operations to configure the authentication mode for the peer.

    • The authentication mode is set to pre-shared key (pre-share).

      Run the pre-shared-key [ cipher ] key command to configure the pre-shared key.

      If the pre-shared key authentication mode is employed, you must configure the pre-shared key.

    • The authentication mode is set to certificate (rsa-sig).

      Run the certificate local-filename filename command to configure the name of the certificate used by the local end.

      The digital certificate must be configured in advance. For details, see Configuring the PKI Certificate or Configuring Certificate Management in CMP Mode.

    • The authentication mode is set to digital envelope (digital-envelope).
      1. Obtain the certificates used by the digital envelope and import them.
        1. Run the pki import sm2-key-pair keypair-name der key-filename or pki import sm2-key-pair keypair-name pem key-filename password password command to manually import the SM2 key pair into memory.

        2. Run the pki import-certificate ca filename file-name, pki import-certificate local filename file-name, and pki import-certificate peer filename file-name commands to import the CA certificate, local certificate, and peer certificate.

      2. Run the undo version 2 command to disable IKEv2.

        Currently, only the main mode of IKEv1 supports the digital envelope authentication mode. Therefore, IKEv2 must be disabled.

      3. Run the certificate local-filename filename command to configure the name of the certificate used by the local end.

      4. Run the certificate remote-filename filename command to configure the name of the certificate used by the remote end.

  11. Run commit

    The configuration is committed.

Example

Configure IKE peers on both ends of a tunnel and use the digital envelope for authentication. Assume that the CA certificate ca.cer, the local certificate local.cer, and the peer certificate remote.cer have been obtained. The following shows the configuration on one end of the tunnel.

#
pki import sm2-key-pair keypair1 der keyfile1   //Import the SM2 key pair whose private key file is in plaintext (DER format).
pki import sm2-key-pair keypair2 pem keyfile2 password Huawei-13579   //Import the SM2 key pair whose private key file is encrypted (PEM format), supplying the private key file password.
pki import-certificate ca filename ca.cer   //Import the root (CA) certificate.
pki import-certificate local filename local.cer   //Import the local certificate.
pki import-certificate peer filename remote.cer   //Import the peer certificate.
#
ike peer peer1
 undo version 2   //Disable IKEv2.
 ike-proposal 1   //Reference the IKE proposal. The IKE proposal must use the SM3 authentication algorithm and the SM4 encryption algorithm.
 certificate local-filename local.cer   //Specify the certificate used on the local end.
 certificate remote-filename remote.cer   //Specify the certificate used on the peer end.

The default exchange-mode and ike local-name command configurations can be used.
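The cross-end consistency rules in this procedure (the same pre-shared key on both ends, each end's remote-id naming the other end's ike local-name, IKEv1 main mode only for the digital envelope, and aggressive mode giving up identity protection) can be checked before a negotiation is attempted. The Python script below is an added example, not Huawei code or command output: it parses ike peer blocks written in the command syntax of this procedure and audits the two ends of a tunnel against those rules. The peer names, addresses and keys are constructed sample data. It assumes that both IKE versions are enabled until undo version 2 removes IKEv2, that main mode applies when exchange-mode is omitted, and that pre-shared keys are compared as typed (a saved ciphertext would not compare).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# command -> IkePeer attribute, for '<cmd> <value>' and '<cmd> <sub> <value>' forms
ONE_WORD = {"exchange-mode": "exchange_mode", "local-id-type": "id_type", "remote-id": "remote_id"}
TWO_WORD = {("ike", "local-name"): "local_name", ("certificate", "local-filename"): "local_cert",
            ("certificate", "remote-filename"): "remote_cert"}


@dataclass
class IkePeer:
    name: str
    versions: Set[int] = field(default_factory=lambda: {1, 2})  # assumption: both enabled by default
    exchange_mode: str = "main"                                  # assumption: main when omitted
    id_type: str = "ip"
    local_name: Optional[str] = None
    remote_id: Optional[str] = None
    remote_addresses: List[str] = field(default_factory=list)
    psk: Optional[str] = None
    local_cert: Optional[str] = None
    remote_cert: Optional[str] = None

    @property
    def auth_mode(self) -> str:
        # Per the procedure: digital envelope names local and remote certificates,
        # rsa-sig only the local one, pre-share a pre-shared key.
        if self.remote_cert:
            return "digital-envelope"
        if self.local_cert:
            return "rsa-sig"
        return "pre-share" if self.psk is not None else "none"


def parse_ike_peers(config: str) -> Dict[str, IkePeer]:
    """Return {peer-name: IkePeer} for every 'ike peer' block in the text."""
    peers, cur = {}, None
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].strip()          # drop trailing // comments
        if not line or line == "#":                   # '#' separates configuration blocks
            cur = None if line == "#" else cur
            continue
        tok = line.split()
        if tok[:2] == ["ike", "peer"]:
            cur = peers.setdefault(tok[2], IkePeer(tok[2]))
        elif cur is None:
            continue
        elif tok[:2] == ["undo", "version"]:
            cur.versions.discard(int(tok[2]))
        elif tok[0] == "version":
            cur.versions.add(int(tok[1]))
        elif tok[0] in ONE_WORD:
            setattr(cur, ONE_WORD[tok[0]], tok[1])
        elif tuple(tok[:2]) in TWO_WORD:
            setattr(cur, TWO_WORD[tuple(tok[:2])], tok[2])
        elif tok[0] == "remote-address":              # one address, or low/high of a segment
            cur.remote_addresses = [t for t in tok[1:] if IPV4.fullmatch(t)]
        elif tok[0] == "pre-shared-key":              # key as typed; a saved ciphertext would not compare
            cur.psk = tok[-1]
    return peers


def audit_tunnel(a: IkePeer, b: IkePeer) -> List[str]:
    """Check two peer definitions that describe the two ends of one tunnel."""
    out: List[str] = []
    for end in (a, b):
        if end.exchange_mode == "aggressive" and end.auth_mode == "pre-share":
            out.append(f"{end.name}: aggressive mode with a pre-shared key sends identities unprotected")
        if end.auth_mode == "digital-envelope" and (2 in end.versions or end.exchange_mode != "main"):
            out.append(f"{end.name}: digital envelope needs IKEv1 main mode; run 'undo version 2'")
        if len(end.remote_addresses) == 2:
            out.append(f"{end.name}: remote-address segment is only valid under an IPSec policy template")
    if a.auth_mode != b.auth_mode:
        out.append(f"authentication modes differ: {a.name}={a.auth_mode}, {b.name}={b.auth_mode}")
    elif a.auth_mode == "pre-share" and a.psk != b.psk:
        out.append("pre-shared keys differ between the two ends")
    if not (a.versions & b.versions):
        out.append("no IKE version in common; negotiation will fail")
    for local, remote in ((a, b), (b, a)):      # each end's remote-id must name the other's local-name
        if local.id_type == "fqdn" and remote.remote_id and remote.remote_id != local.local_name:
            out.append(f"{remote.name}: remote-id {remote.remote_id} does not match "
                       f"{local.name}'s ike local-name {local.local_name}")
    return out


def peer_config(name: str, local: str, remote: str, addr: str, key: str) -> str:
    """Constructed sample 'ike peer' block (fqdn IDs, pre-shared key) in the procedure's syntax."""
    return (f"ike peer {name}\n ike-proposal 1   //proposal 1 assumed to exist\n local-id-type fqdn\n"
            f" ike local-name {local}\n remote-id {remote}\n remote-address {addr}\n"
            f" pre-shared-key cipher {key}\n")


HQ_CONFIG = peer_config("to-branch", "hq-gw", "branch-gw", "192.0.2.20", "Example-PSK-1")
BRANCH_CONFIG = peer_config("to-hq", "branch-gw", "hq-gw", "198.51.100.10", "Example-PSK-1")
# Same branch end with three defects: a typo in remote-id, a different key, aggressive mode.
BRANCH_WEAK_CONFIG = (peer_config("to-hq", "branch-gw", "hq-gateway", "198.51.100.10", "Example-PSK-2")
                      + " exchange-mode aggressive\n")

if __name__ == "__main__":
    hq, good, weak = (next(iter(parse_ike_peers(c).values()))
                      for c in (HQ_CONFIG, BRANCH_CONFIG, BRANCH_WEAK_CONFIG))
    print("matching pair:", audit_tunnel(hq, good) or "no findings")
    for finding in audit_tunnel(hq, weak):
        print("weak pair:", finding)
```

Running the file reports no findings for the matching pair and three for the weakened branch end. The same parse_ike_peers function accepts the digital envelope configuration shown in the example above, where the audit confirms that IKEv2 has been disabled.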

Updated: 2019-01-02

Document ID: EDOC1100055397
