HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.


  • IPSec configuration
    • The tunnel address and service address of the eNodeB must be different.

    • If site redundancy is not implemented, IPSec reverse route injection is not mandatory when you configure the tunnel route to the eNodeB on the FW; static routes can be used instead.

  • Networking

    In the current LTE IPSec solution, most FWs are deployed in hot standby in off-path mode; very few are deployed in in-path mode. Off-path deployment is preferred because it has less impact on the existing network topology.

  • MTU
    IPSec encapsulation increases the packet length. Therefore, after the IPSec gateway is deployed you must adjust the MTU along the entire path so that the encrypted packets are not fragmented. There are two MTU adjustment schemes:
    • Reduce the MTU on the EPC side and the eNodeB side without changing it on other nodes. The strength of this scheme is that it involves only a small number of devices.
    • Increase the MTU on the intermediate IPCore, IPRAN, and transmission nodes. This scheme allows larger inner packets, so the IPSec overhead is a smaller fraction of each packet and the transmission efficiency is higher.
    Transmission efficiency = 1 - IPSec overhead/packet length. The IPSec overhead is fixed (apart from the padding range), so a greater packet length means a higher transmission efficiency. Which scheme to select depends on the live network environment.

    The following calculation gives the per-packet overhead of IPSec tunnel-mode (ESP) encapsulation.

    AES + SHA2-256: 20 (new IP header) + 4 (SPI) + 4 (sequence number) + 16 (IV) + 16 (ESP Auth) + 2 to 17 (0 to 15 bytes of padding plus the 2-byte ESP trailer: Pad Length and Next Header) = 62 to 77 bytes

    The ESP Auth (ICV) length varies with the integrity algorithm; the preceding calculation uses SHA2-256, which is the recommended integrity algorithm. The ESP Auth lengths for the supported algorithms are MD5 = 12, SHA1 = 12, SHA2-256 = 16, SHA2-384 = 24, and SHA2-512 = 32 bytes. SHA2-384 and SHA2-512 are not recommended because a device running the current version may be unable to interwork properly with third-party devices when they are used.

    Packets carry two layers of MPLS labels (4 bytes each, 8 bytes in all) when transmitted over the IP-RAN. Therefore, after packets encrypted by the IPSec gateway enter the IP-RAN, the total added overhead grows to 70 to 85 bytes (calculated based on SHA2-256).

    For a new IP-RAN or IPCore project, you are advised to reserve at least 100 bytes of MTU headroom in the design. If an IPSec gateway is deployed later, you then do not need to adjust the MTU configuration of the IP-RAN and IPCore devices.
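The overhead arithmetic above, carried through for any of the listed integrity algorithms, any inner packet length and any MPLS label depth, as an added Python example that is not part of the original Huawei document. It assumes (the page does not say) AES-CBC with a 16-byte block and a 16-byte IV, IPv4 outer headers without options, and 4-byte MPLS labels. It also computes the exact eNodeB/EPC-side MTU for a given transport MTU (scheme 1) and the transport MTU needed to carry a given inner MTU unfragmented (scheme 2), which is tighter than simply subtracting or adding the worst-case overhead.

```python
# Added worked example for the MTU discussion; not code from the Huawei document.
# Header sizes follow the document. Assumptions not stated on the page: AES-CBC
# (16-byte block and IV), IPv4 outer header without options, 4-byte MPLS labels.

OUTER_IPV4_HEADER = 20   # new IP header added in tunnel mode
ESP_SPI = 4
ESP_SEQ = 4
AES_CBC_IV = 16          # assumption: AES-CBC, IV equals the 16-byte block
AES_BLOCK = 16           # padding aligns inner packet + trailer to this block
ESP_TRAILER = 2          # Pad Length (1 byte) + Next Header (1 byte)
MPLS_LABEL = 4           # assumption: one MPLS label stack entry is 4 bytes

# ESP Auth (ICV) lengths in bytes, as listed in the document.
ICV_LENGTH = {
    "MD5": 12,
    "SHA1": 12,
    "SHA2-256": 16,
    "SHA2-384": 24,
    "SHA2-512": 32,
}


def _fixed_overhead(integrity: str, mpls_labels: int) -> int:
    """Overhead independent of the inner length: everything except padding and trailer."""
    return (OUTER_IPV4_HEADER + ESP_SPI + ESP_SEQ + AES_CBC_IV
            + ICV_LENGTH[integrity] + mpls_labels * MPLS_LABEL)


def esp_padding(inner_len: int) -> int:
    """Pad bytes (0..15) so that inner packet + padding + 2-byte trailer fills whole AES blocks."""
    return (-(inner_len + ESP_TRAILER)) % AES_BLOCK


def esp_tunnel_overhead(inner_len: int, integrity: str = "SHA2-256", mpls_labels: int = 0) -> int:
    """Exact number of bytes added to one inner packet of the given length."""
    return _fixed_overhead(integrity, mpls_labels) + esp_padding(inner_len) + ESP_TRAILER


def overhead_range(integrity: str = "SHA2-256", mpls_labels: int = 0) -> tuple[int, int]:
    """Minimum and maximum overhead over all inner lengths (padding 0 and 15 bytes)."""
    low = _fixed_overhead(integrity, mpls_labels) + ESP_TRAILER
    return low, low + AES_BLOCK - 1


def transmission_efficiency(inner_len: int, integrity: str = "SHA2-256", mpls_labels: int = 0) -> float:
    """The document's formula, 1 - overhead / packet length, with exact padding for this inner length."""
    overhead = esp_tunnel_overhead(inner_len, integrity, mpls_labels)
    return 1 - overhead / (inner_len + overhead)


def max_inner_mtu(path_mtu: int, integrity: str = "SHA2-256", mpls_labels: int = 0) -> int:
    """Scheme 1: largest eNodeB/EPC-side MTU whose encapsulated packet never exceeds path_mtu.

    The encapsulated length is fixed overhead + a whole number of AES blocks, so take the
    largest block count that fits and the inner length that needs zero padding for it.
    path_mtu - max_overhead is also safe, but wastes up to 15 bytes per packet.
    """
    blocks = (path_mtu - _fixed_overhead(integrity, mpls_labels)) // AES_BLOCK
    return blocks * AES_BLOCK - ESP_TRAILER


def required_transport_mtu(inner_mtu: int, integrity: str = "SHA2-256", mpls_labels: int = 0) -> int:
    """Scheme 2: smallest IP-RAN/IPCore MTU that carries every inner packet up to inner_mtu unfragmented."""
    padded = inner_mtu + ESP_TRAILER + esp_padding(inner_mtu)
    return _fixed_overhead(integrity, mpls_labels) + padded


if __name__ == "__main__":
    print("overhead range, SHA2-256, no MPLS:", overhead_range())                      # (62, 77)
    print("overhead range, SHA2-256, 2 MPLS labels:", overhead_range(mpls_labels=2))   # (70, 85)
    # Scheme 1: transport stays at 1500 bytes, shrink the eNodeB/EPC MTU.
    print("inner MTU for 1500-byte transport, 2 labels:", max_inner_mtu(1500, mpls_labels=2))
    # Scheme 2: keep 1500 bytes inside, raise the IP-RAN/IPCore MTU.
    print("transport MTU for 1500-byte inner, 2 labels:", required_transport_mtu(1500, mpls_labels=2))
    for size in (100, 576, 1438):
        print(f"{size:5d}-byte inner packet: efficiency {transmission_efficiency(size):.3f}")
```

For a 1500-byte transport path without MPLS, max_inner_mtu returns 1438 (exactly 1500 bytes after encapsulation with zero padding), while the conservative figure 1500 - 77 = 1423 leaves 15 bytes unused on every full-size packet. The efficiency loop reproduces the document's point: a 100-byte inner packet spends about 42 percent of the wire on overhead, a full-size one about 4 percent.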

  • QoS

    In the end-to-end LTE solution, when uplink packets are decrypted at the IPSec tunnel endpoint, the DSCP of the outer IP header is mapped to the IP header of the decrypted inner packet. When downlink packets arrive at the IPSec gateway and are encapsulated with an IPSec header, the DSCP of the inner packet is mapped to the outer IP header. Therefore, the IPSec gateway does not need to change the QoS marking of the packets.

Updated: 2019-01-26

Document ID: EDOC1100062972
