NetEngine AR600, AR6100, AR6200, and AR6300 V300R019 CLI-based Configuration Guide - VPN
Licensing Requirements and Limitations for IPSec
Involved Network Elements
None
Licensing Requirements
To support the SM1 algorithm in the IPSec protocol specifications described by the State Cryptography Administration of China, a Network Data Encryption (NDE) card must be installed in the SIC slot of the device. Efficient VPN, however, does not support the IPSec protocol specifications described by the State Cryptography Administration of China.
In most scenarios, IPSec is not under license control.
- If a branch server needs to provide services for external users through NAT, the nat static command must be used on the remote device.
- When a remote device requests an IP address from the Efficient VPN server, a loopback interface is dynamically created on the remote device. Other services cannot be configured on the loopback interface.
This function is not under license control on the AR611W, AR611W-LTE4CN, AR617VW, AR617VW-LTE4, AR617VW-LTE4EA, and AR651F-Lite.
This function is not under license control on the AR6121-S, AR6121C-S, and AR6120-S.
- AR650 series: AR650 Value-Added Security Package
- AR1600 series: AR1600 Value-Added Security Package
- AR6100 series: AR6100 Value-Added Security Package
- AR6200 series: AR6200 Value-Added Security Package
- AR6300 series: AR6300 Value-Added Security Package
Impact on Performance
- The DH group value affects IKE negotiation performance (for example, the tunnel setup rate). The higher the DH group, the greater the impact; with a high DH group the tunnel setup rate drops sharply.
- When the number of IPSec tunnels exceeds 50% of the maximum, high CPU usage alarms may be generated for a short period after the undo ipsec policy or undo ipsec profile command is run. Once all the SAs have been cleared, CPU usage returns to the normal range.
Hardware Requirements
This section is applicable to all models. For details about differences for specific models, see the description in the corresponding section.
Restrictions on the Use of IPSec
- SM1, SM3, and SM4 can be used only in IKEv1 negotiation.
- The RSA digital envelope authentication method is defined by the State Cryptography Administration of China. It applies only to the IKEv1 main mode negotiation.
- The security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode on both tunnel endpoints must be the same when you configure a security proposal. Otherwise, tunnel negotiation will fail. If the PFS algorithm is configured, ensure that the two ends use the same PFS algorithm. Otherwise, tunnel negotiation will fail.
- In L2TP over IPSec scenarios, the function by which the responder accepts the initiator's security proposal is normally used together with L2TP. Using this function on its own reduces network security and is therefore not recommended.
- Before referencing an ACL in an IPSec policy, ensure that the ACL view contains at least one rule and no more than 256 rules. Otherwise, the ACL cannot be referenced by the IPSec policy.
- When configuring the data flows to be encrypted by IPSec, define refined ACL rules based on the services involved, so that loose ACL rules do not draw unintended data flows into the encryption tunnel and interrupt services.
- Setting the MTU to a value less than 256 bytes is not recommended for the interface to which an IPSec policy group applies. As IP packets become longer after IPSec processing, a small MTU makes the interface divide a large IP packet into multiple fragments. The peer device may not properly receive or process such fragmented packets.
- When a NAT device is deployed between IPSec peers, NAT traversal must be enabled and the security protocol must be ESP.
- In AH encapsulation mode, the DF flag bit of the inner packet is inherited by the outer packet, and the Router combines it with the DF flag bit of the outer layer when calculating the packet checksum. If the peer end of the tunnel removes the DF flag bit from the outer packet before calculating the checksum, the checksums at the two ends of the tunnel differ and the interconnection fails. To prevent this, run the ipsec df-bit clear command so that the checksums at both ends of the tunnel are consistent.
- When the IPSec protocol on the AR router and on the device it connects to both use the SHA-2 algorithm, an IPSec tunnel can be established but traffic cannot be transmitted if the SHA-2 encryption and decryption modes on the two devices differ. In this case, you are advised to run the ipsec authentication sha2 compatible enable command on the AR router to set its SHA-2 encryption and decryption modes to match those of the other device.
- The routers support packets of at most 1800 bytes, both before and after IPSec encryption.
- Deploying IPSec on both physical interfaces and tunnel interfaces is not recommended. If IPSec is deployed on both, the device acting as the negotiation responder first attempts tunnel negotiation through the IPSec configuration of a tunnel interface; if the negotiation does not match the IPSec access requirements of the tunnel interface, the device then attempts tunnel negotiation through the IPSec configuration of a physical interface.
- In transport mode, the flow information after IPSec negotiation must be consistent with the IPSec tunnel address, which is a 32-bit host address.
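Three of the restrictions above (proposal parameters and PFS must be identical on both tunnel endpoints, a referenced ACL needs between 1 and 256 rules, and an MTU below 256 bytes on the interface carrying the policy is not recommended) can be checked before negotiation is attempted. The following script is an added example, not code from the guide or from Huawei: it parses a saved configuration in the column-0 / one-space-indented layout that VRP displays and reports violations. The sample configurations, interface names and addresses are constructed, and the exact command syntax they use is an assumption modelled on the command names this page quotes.

```python
"""Lint VRP-style IPSec config text against three restrictions on this page:
proposal parameters and PFS must match on both ends, an ACL referenced by an
IPSec policy needs 1 to 256 rules, and an MTU under 256 bytes on the IPSec
interface is not recommended. Added example; configs and syntax are assumed."""

ACL_RULE_LIMIT = 256  # page: an ACL with more than 256 rules cannot be referenced
MIN_IPSEC_MTU = 256   # page: an MTU below 256 bytes is not recommended

def parse_sections(config_text):
    """{header: [body lines]}: column-0 line opens a section, one-space indented lines belong to it."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":          # skip blank lines and '#' separators
            continue
        if not raw.startswith(" "):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def find_section(sections, prefix):
    """Body of the first section whose header is prefix or starts with 'prefix '."""
    return next((b for h, b in sections.items() if h == prefix or h.startswith(prefix + " ")), [])

def setting(body, keyword):
    """Value after '<keyword> ' on the first matching line of a view body, else None."""
    return next((x[len(keyword) + 1:].strip() for x in body if x.startswith(keyword + " ")), None)

def proposal_settings(sections, name):
    """Map each '<keyword ...> <value>' line of 'ipsec proposal <name>' to its value."""
    values = {}
    for line in find_section(sections, f"ipsec proposal {name}"):
        tokens = line.split()
        values[" ".join(tokens[:-1])] = tokens[-1]
    return values

def check_endpoint(cfg_text, policy_name):
    """Per-device checks: rule count of the referenced ACL, MTU of the IPSec interface."""
    findings, sections = [], parse_sections(cfg_text)
    policy = find_section(sections, f"ipsec policy {policy_name}")
    acl = setting(policy, "security acl")
    if acl is not None:
        rules = [r for r in find_section(sections, f"acl number {acl}") if r.startswith("rule ")]
        if not rules:
            findings.append(("ACL_EMPTY", f"acl {acl} has no rules"))
        elif len(rules) > ACL_RULE_LIMIT:
            findings.append(("ACL_TOO_LARGE", f"acl {acl} has {len(rules)} rules"))
    for header, body in sections.items():
        if header.startswith("interface ") and f"ipsec policy {policy_name}" in body:
            mtu = setting(body, "mtu")
            if mtu is not None and int(mtu) < MIN_IPSEC_MTU:
                findings.append(("MTU_TOO_SMALL", f"{header}: mtu {mtu}"))
    return findings

def compare_endpoints(local_cfg, local_policy, remote_cfg, remote_policy):
    """Cross-check proposal lines and PFS; a line set on one end only (device default on the other) is flagged."""
    findings = []
    lsec, rsec = parse_sections(local_cfg), parse_sections(remote_cfg)
    lpol = find_section(lsec, f"ipsec policy {local_policy}")
    rpol = find_section(rsec, f"ipsec policy {remote_policy}")
    lval = proposal_settings(lsec, setting(lpol, "proposal"))
    rval = proposal_settings(rsec, setting(rpol, "proposal"))
    for key in sorted(lval.keys() | rval.keys()):
        if lval.get(key) != rval.get(key):
            findings.append(("PROPOSAL_MISMATCH", f"{key}: {lval.get(key)} vs {rval.get(key)}"))
    if setting(lpol, "pfs") != setting(rpol, "pfs"):
        findings.append(("PFS_MISMATCH", f"{setting(lpol, 'pfs')} vs {setting(rpol, 'pfs')}"))
    return findings

# Constructed sample configs (hypothetical names and addresses) in assumed VRP syntax.
LOCAL_CFG = """\
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
ipsec proposal prop1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ipsec policy policy1 10 isakmp
 security acl 3001
 proposal prop1
 pfs dh-group14
interface GigabitEthernet0/0/1
 ipsec policy policy1
"""

REMOTE_CFG = """\
acl number 3001
 rule 5 permit ip source 10.2.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec proposal prop1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ipsec policy policy1 10 isakmp
 security acl 3001
 proposal prop1
interface GigabitEthernet0/0/1
 mtu 200
 ipsec policy policy1
"""
```

Running `check_endpoint(REMOTE_CFG, "policy1")` reports the 200-byte MTU, and `compare_endpoints(LOCAL_CFG, "policy1", REMOTE_CFG, "policy1")` reports both the encryption-algorithm mismatch and the PFS mismatch (PFS configured on one end only), which are exactly the conditions the page says make tunnel negotiation fail. The comparison is deliberately conservative: a parameter configured explicitly on one end and left at the device default on the other is flagged, because the defaults are not stated on this page.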
Restrictions on the Use with NAT
- If the interface implements IPSec but not NAT, the action in the ACL rule referenced by NAT needs to be set to deny, and the destination IP address in the rule needs to be set to that in the ACL rule referenced by the IPSec policy.
- If the interface implements NAT but not IPSec, the destination IP address in the ACL rule referenced by the IPSec policy cannot be a NATed IP address.
- If the interface implements both NAT and IPSec, the destination IP address in the ACL rule referenced by the IPSec policy must be a NATed IP address.