Configuration Guide - IP Unicast Routing

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of IP Unicast Routing, including IP Routing, Static Route, RIP, RIPng, OSPF, OSPFv3, IPv4 IS-IS, IPv6 IS-IS, BGP, Routing Policy, and PBR.

Configuring Basic IPSec Functions

Context

IPSec can be configured to prevent protocol packets from being intercepted or forged on a simple network.

A security association (SA) must be established so that IPSec can protect protocol packets. An SA is a unidirectional logical connection set up for security purposes, and it specifies the elements used by two IPSec peers (the two parties that use the IPSec protocol to protect protocol packets between them). The elements of an SA include the following:

  • Security protocol
  • Authentication or encryption algorithm supported by the security protocol
  • Protocol packet encapsulation mode
  • Security parameter index (SPI) of the SA
  • Authentication key or encryption key of the SA

The first three elements are specified in an IPSec proposal. To configure IPSec functions, first configure an IPSec proposal on the IPSec peers, and then configure an SA.

Procedure

  1. Configure an IPSec proposal.
    1. Run system-view

      The system view is displayed.

    2. Run ipsec proposal proposal-name

      An IPSec proposal is created and the IPSec proposal view is displayed.

    3. Run transform { ah | esp }

      A security protocol is specified for the IPSec proposal.

      By default, the security protocol used by an IPSec proposal is the Encapsulating Security Payload (ESP).

    4. Configure an authentication or encryption algorithm.

      • If AH is used, you can only configure the AH-specific authentication algorithm because AH only authenticates packets.

        Run the ah authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 } command to specify the authentication algorithm for the AH protocol.

        By default, no authentication algorithm is used for AH.

      • When ESP is specified, ESP can authenticate, or encrypt and authenticate packets. Configure the ESP-specific authentication or encryption algorithm.
        • Run the esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 } command to specify the authentication algorithm for the ESP protocol.

          By default, no authentication algorithm is used for ESP.

        • Run the esp encryption-algorithm { 3des | aes { 128 | 192 | 256 } | des | null } command to specify the encryption algorithm for the ESP protocol.

          By default, no encryption algorithm is used for ESP. If encryption is not required, specify null.

    5. Run encapsulation-mode transport

      A packet encapsulation mode is specified for the security protocol.

      By default, the packet encapsulation mode is tunnel.

      NOTE:

      Currently, only the transport mode is supported on the device.

      In transport mode, the packet encryption device and decryption device must be the originator and receiver of packets.

      The MD5, SHA-1, DES and 3DES algorithms are not recommended because they cannot meet your security defense requirements.

    6. Run quit

      Return to the system view.

    7. Run commit

      The configuration is committed.

  2. Configure an IPSec SA.
    1. Run ipsec sa sa-name

      An IPSec SA is created and the IPSec SA view is displayed.

      By default, no IPSec SA exists in the system.

    2. Run proposal proposal-name

      The IPSec proposal is bound to the IPSec SA.

      By default, an IPSec policy does not reference any IPSec proposal.

      NOTE:

      An IPSec SA can use only one IPSec proposal. To bind a new IPSec proposal to the IPSec SA, delete the original IPSec proposal.

    3. Run sa spi { inbound | outbound } { ah | esp } spi-number

      An SPI is configured for the SA.

      NOTE:
      • An SPI uniquely identifies an SA. Each SA must be configured with an inbound SPI and an outbound SPI. The outbound SPI on the local end must be the same as the inbound SPI on the remote end.
      • The security protocol (AH or ESP) you select when configuring the SPI must be the same as that used in the IPSec proposal bound to the SA.

    4. Configure a key according to the security protocol used in the IPSec proposal bound to the SA.

      • If the AH protocol is used, you can configure an authentication key that is a hexadecimal number or a character string.
        • Run the sa authentication-hex { inbound | outbound } ah [ cipher ] hex-string command to configure a hexadecimal authentication key.

        • Run the sa string-key { inbound | outbound } ah [ cipher ] string-key command to configure a character string as the authentication key.

      • If the ESP protocol is used, you can run one of the following commands to configure the authentication key or the encryption key. You can also configure both the authentication key and encryption key. If the two keys are configured at the same time, they can only be hexadecimal keys.
        • Run the sa authentication-hex { inbound | outbound } esp [ cipher ] hex-string command to configure a hexadecimal authentication key.

        • Run the sa string-key { inbound | outbound } esp [ cipher ] string-key command to configure a character string as the authentication key.

        • Run the sa encryption-hex { inbound | outbound } esp [ cipher ] hex-string command to configure a hexadecimal encryption key.

      NOTE:
      • The security protocol (AH or ESP) you select when configuring the key must be the same as that used in the IPSec proposal bound to the SA.
      • The outbound key on the local end must be the same as the inbound key on the remote end.
      • The IPSec peers must use the authentication or encryption key in the same format. For example, if the key on one end is a character string but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be set up.
      • If you configure multiple keys in different formats, the last configured key takes effect.

    5. Run quit

      Return to the system view.

    6. Run commit

      The configuration is committed.
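
The NOTEs above require the two peers' manually keyed SAs to mirror each other. The following pre-deployment check is an added example, not Huawei code: it reads two planned command lists written in the command syntax shown in this procedure and reports weak algorithms, protocol mismatches, and SPI or key pairs that do not mirror. Assumptions: the function names are hypothetical; the names prop1 and sa1, the SPIs and the keys are constructed sample values; key lengths are not validated; and the input is the planned plaintext commands, not a saved device configuration.

```python
WEAK = {"md5", "sha1", "des", "3des"}  # "not recommended" in the page's NOTE
KEY_CMDS = ("authentication-hex", "string-key", "encryption-hex")
# Constructed plan for peer A: names, SPIs and keys are made-up sample values.
PEER_A = """ipsec proposal prop1
transform esp
esp authentication-algorithm sha2-256
esp encryption-algorithm aes 128
encapsulation-mode transport
ipsec sa sa1
proposal prop1
sa spi inbound esp 1001
sa spi outbound esp 2002
sa authentication-hex inbound esp cipher 0a0b0c0d
sa authentication-hex outbound esp cipher 1a1b1c1d"""

def mirror(cfg):
    """Derive the peer's plan by swapping every inbound/outbound keyword."""
    swap = {"inbound": "outbound", "outbound": "inbound"}
    return "\n".join(" ".join(swap.get(w, w) for w in l.split()) for l in cfg.splitlines())

def parse(cfg):
    """Collect transform, algorithms, SPIs and keys from one peer's commands."""
    p = {"transform": "esp", "algs": set(), "spi": {}, "key": {}}  # ESP is the default
    for t in (line.split() for line in cfg.splitlines()):
        if t[:1] == ["transform"]:
            p["transform"] = t[1]
        elif len(t) > 2 and t[1].endswith("-algorithm"):
            p["algs"].add(t[2])
        elif t[:2] == ["sa", "spi"]:
            p["spi"][t[2]] = (t[3], int(t[4]))  # direction -> (protocol, SPI)
        elif t[:1] == ["sa"] and len(t) > 4 and t[1] in KEY_CMDS:
            p["key"][(t[1], t[2])] = (t[3], t[-1])  # (command, direction) -> (protocol, key)
    return p

def audit(name, local, remote):
    """Findings for `local`, comparing its outbound side with `remote`'s inbound side."""
    out = [f"{name}: weak algorithm {a}" for a in sorted(local["algs"] & WEAK)]
    if any(v[0] != local["transform"] for v in [*local["spi"].values(), *local["key"].values()]):
        out.append(f"{name}: SPI/key protocol differs from proposal transform")
    spi_out = local["spi"].get("outbound")
    if spi_out is None or spi_out != remote["spi"].get("inbound"):
        out.append(f"{name}: outbound SPI missing or != peer inbound SPI")
    for (cmd, direction), val in local["key"].items():
        if direction == "outbound" and remote["key"].get((cmd, "inbound")) != val:
            out.append(f"{name}: outbound {cmd} key/format != peer inbound")
    return out

def check_pair(cfg_a, cfg_b):
    a, b = parse(cfg_a), parse(cfg_b)
    return audit("A", a, b) + audit("B", b, a)
```

`check_pair(PEER_A, mirror(PEER_A))` returns an empty list. Changing an SPI, a key format or an algorithm on one side produces one finding per violated rule.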

Updated: 2019-04-20

Document ID: EDOC1100074760
