NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring an IPsec Proposal


An IPSec proposal is the combination of security protocol, algorithms, and packet encapsulation mode used to implement IPSec protection. An IPSec policy determines which security protocols, algorithms, and packet encapsulation modes it uses by referencing an IPSec proposal.

Context

During the configuration of an IPSec proposal, the same security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode must be configured at both ends of the tunnel.

IPSec provides high-quality, cryptography-based security for IP packets through the AH and ESP security protocols.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec proposal proposal-name

    An IPSec proposal is created and the IPSec proposal view is displayed.

  3. Run transform { ah | ah-esp | esp }

    The security protocol for data transmission is configured.

    AH and ESP are used independently. The principles for using them are as follows:

    • AH provides data source authentication, data integrity check, and anti-replay functions for the protected data. If data integrity check is performed using AH, the device checks the entire IP packet.

    • ESP provides encryption in addition to data source authentication, data integrity check, and anti-replay functions for the protected data. If data integrity check is performed using ESP, the device checks all fields in the IP packet except the header.

  4. Configure the authentication algorithm and encryption algorithm that are adopted by the security protocol.

    • If AH is adopted as the security protocol, you only need to configure the authentication algorithm of AH.
      • Run ah authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 | sm3 }

        The authentication algorithm adopted by AH is configured.

        NOTE:

        To improve system security, using the MD5 or SHA1 authentication algorithm for the AH protocol is not recommended.

    • If ESP is adopted as the security protocol, you need to configure the authentication algorithm and encryption algorithm of ESP.
      • Run esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 | sm3 }

        The authentication algorithm adopted by ESP is configured.

        NOTE:

        To improve system security, using the MD5 or SHA1 authentication algorithm for the ESP protocol is not recommended.

      • Run esp encryption-algorithm { des | 3des | aes { 128 | 192 | 256 } | sm4 }

        The encryption algorithm adopted by ESP is configured.

        NOTE:

        To improve system security, using the DES or 3DES encryption algorithm for the ESP protocol is not recommended.

  5. Run encapsulation-mode { transport | tunnel }

    The packet encapsulation mode is configured.

  6. Run commit

    The configuration is committed.
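
The following check is an added example, not part of the original guide and not Huawei code. It parses the proposal commands from the procedure above, reports algorithms that the NOTEs advise against, and lists settings that differ between the two tunnel ends. The proposal names and both sample configurations are constructed, and treating "#" as a section separator is an assumption.

```python
import re

# Algorithms that the NOTEs in the procedure advise against.
WEAK = {
    "ah authentication-algorithm": {"md5", "sha1"},
    "esp authentication-algorithm": {"md5", "sha1"},
    "esp encryption-algorithm": {"des", "3des"},
}
# Settings that must be identical at both ends of the tunnel.
KEYS = ("transform", "encapsulation-mode", *WEAK)

# Constructed sample configurations; the proposal names are hypothetical.
LOCAL = """ipsec proposal prop-a
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
 encapsulation-mode tunnel
"""
PEER = """ipsec proposal prop-b
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
 encapsulation-mode tunnel
"""

def parse_proposals(config):
    """Return {proposal-name: {setting: value}} from configuration text."""
    proposals, current = {}, None
    for line in map(str.strip, config.splitlines()):
        match = re.fullmatch(r"ipsec proposal (\S+)", line)
        if match:
            current = proposals.setdefault(match.group(1), {})
        elif line == "#":  # assumption: "#" closes a configuration section
            current = None
        elif current is not None:
            for key in KEYS:
                if line.startswith(key + " "):
                    current[key] = line[len(key):].strip()
    return proposals

def audit(proposal):
    """List the configured algorithms that are not recommended."""
    return [f"{k} {proposal[k]} is not recommended"
            for k, weak in WEAK.items() if proposal.get(k) in weak]

def mismatches(local, peer):
    """Map each setting that differs to its (local, peer) values."""
    return {k: (local.get(k), peer.get(k))
            for k in KEYS if local.get(k) != peer.get(k)}
```

For the samples, audit() on the prop-b settings reports sha1 and 3des, and mismatches() reports the two ESP algorithm settings, which is the condition under which the two ends do not satisfy the matching requirement stated in Context.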

Updated: 2019-01-02

Document ID: EDOC1100055397
