No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Configuration Guide - VPN

S7700 and S9700 V200R013C00

This document describes the configurations of VPN, including GRE, IPSec, BGP/MPLS IP VPN, BGP/MPLS IPv6 VPN, VLL, PWE3, VPLS, L2VPN Access to L3VPN.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Overview of IPSec

Overview of IPSec


Internet Protocol Security (IPSec), defined by the Internet Engineering Task Force (IETF), is a series of open network security protocols and services provided on an IP network. Figure 2-1 shows the IPSec protocol framework.

Figure 2-1  IPSec protocol framework

IPSec protects IP packets using two security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP).
  • AH provides data origin authentication, data integrity check, and anti-replay, but does not provide encryption.
  • ESP provides encryption, data origin authentication, data integrity check, and anti-replay.

Security functions provided by the AH and ESP protocols depend on authentication and encryption algorithms.

  • Both AH and ESP can provide data origin authentication and data integrity check using authentication algorithms Message Digest 5 (MD5), Secure Hash Algorithm 1 (SHA1), Secure Hash Algorithm 2 (SHA2)-256, SHA2-384, and SHA2-512.

  • ESP can also encrypt IP packets using symmetric encryption algorithms, including Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES).

  • The MD5 and SHA1 authentication algorithms have security risks. The SHA2 algorithm is recommended.

  • The DES and 3DES encryption algorithms have security risks. The AES algorithm is recommended.

The keys used in IPSec encryption and authentication algorithms can be manually configured or dynamically negotiated through the Internet Key Exchange (IKE) protocol. IKE works in the Internet Security Association and Key Management Protocol (ISAKMP) framework. It uses the Diffie-Hellman (DH) algorithm to securely deliver keys and authenticate identities over an insecure network, ensuring data transmission security. IKE improves key security and simplifies IPSec management.


On the Internet, most data is transmitted in plain text, causing security risks. For example, bank accounts and passwords face risks of eavesdropping or tampering, user identities may be counterfeited, or bank networks may be attacked. IPSec can protect IP packets transmitted over an insecure network to reduce the risk of information leaks.


Taking advantage of encryption and authentication, IPSec ensures secure service data transmission over the Internet in terms of:
  • Data origin authentication: The receiver checks validity of the sender.
  • Data encryption: The sender encrypts data packets and transmits them in cipher text on the Internet. The receiver decrypts or directly forwards the received data packets.
  • Data integrity check: The receiver validates received data to check whether the data has been tampered with.
  • Anti-replay: The receiver rejects old or duplicate packets to prevent attacks that malicious users initiate by re-sending obtained packets.
Updated: 2019-04-08

Document ID: EDOC1100065751

Views: 35116

Downloads: 50

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next