Ipsec Features Supported By The Ar1200 - Huawei AR1200 series Configuration Manual

Huawei AR1200 Series Enterprise Routers
Configuration Guide - VPN
Figure 5-2 Packet format in tunnel mode
Protocol AH, mode tunnel: new IP Header | AH | raw IP Header | TCP Header | data
Protocol ESP, mode tunnel: new IP Header | ESP Header | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
Protocol AH-ESP, mode tunnel: new IP Header | AH | ESP Header | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data

5.2 IPSec Features Supported by the AR1200

The AR1200 supports IPSec tunnels established manually, through IKE negotiation, through an IPSec tunnel interface, or through an Efficient VPN policy.
The AR1200 implements IPSec tunnel setup as follows:
• Authentication algorithm and encryption algorithm
– IPSec uses the Message Digest 5 (MD5) algorithm, Secure Hash Algorithm 1 (SHA-1), or Secure Hash Algorithm 2 (SHA-2) for authentication. MD5 computes faster than SHA-1, but SHA-1 is more secure than MD5. SHA-2 produces a longer digest (more bits) and is more secure than SHA-1.
– IPSec uses the Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES) algorithm for encryption. AES encrypts plain text using a key of 128, 192, or 256 bits.
• Negotiation mode
IPSec uses two negotiation modes to establish SAs: manual mode (manual) and IKE negotiation mode (isakmp).
In either mode, the IPSec tunnel is established based on ACLs, so IPSec peers can apply different protection measures (authentication, encryption, or both) to different data flows.
The general process of establishing an IPSec tunnel in manual mode or IKE negotiation mode is as follows:
1. Define an ACL to specify the data flows to be protected.
2. Configure an IPSec proposal to specify the security protocol, authentication algorithm, encryption algorithm, and encapsulation mode.
3. Configure an IPSec policy or an IPSec policy group to specify the association between data flows and the IPSec proposal (protection measures for the data flows), the SA negotiation mode, the peer IP address (start and end points of the protection path), the required key, and the SA lifetime.
4. Apply the IPSec policy to an interface of the router.
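The four steps above carried through end to end, together with the algorithm choices from the first bullet, as an added configuration example that is not taken from this Huawei manual. It uses IKE negotiation mode (isakmp) and selects SHA-2 (sha2-256) and AES-256 in the proposal rather than MD5 or DES. The ACL number, the names prop1/branch/policy1, the addresses, and the pre-shared key are placeholders I constructed; the command keywords follow the AR series VRP syntax as I know it, and the exact keyword forms (in particular the algorithm names) vary between software releases, so treat them as assumptions to check against the command reference for your version. Lines beginning with "# " are explanatory comments, not commands.

```text
# Step 1: ACL selecting the data flows to protect (constructed private subnets)
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
# Step 2: IPSec proposal - ESP, SHA2-256 integrity, AES-256 encryption, tunnel mode
ipsec proposal prop1
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
 encapsulation-mode tunnel
#
# IKE proposal and IKE peer used by the isakmp policy (placeholder key and peer address)
ike proposal 10
 encryption-algorithm aes-cbc-256
 authentication-algorithm sha2-256
 dh group14
#
ike peer branch v1
 pre-shared-key cipher REPLACE-WITH-STRONG-KEY
 ike-proposal 10
 remote-address 203.0.113.2
#
# Step 3: IPSec policy binding the ACL, the proposal, the IKE peer and the SA lifetime
ipsec policy policy1 10 isakmp
 security acl 3001
 proposal prop1
 ike-peer branch
 sa duration time-based 3600
 sa duration traffic-based 1843200
#
# Step 4: apply the policy on the WAN-facing interface (constructed address)
interface GigabitEthernet0/0/1
 ip address 203.0.113.1 255.255.255.0
 ipsec policy policy1
#
```

Once both ends are configured, traffic matching ACL 3001 triggers IKE negotiation with the peer and is then carried in ESP tunnel mode; the SA is renegotiated when the time-based or traffic-based lifetime expires.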
In addition, IPSec supports MPLS VPN access. You can implement this function by:
– Associating a VPN instance with an SA
5 IPSec Configuration
Issue 01 (2012-04-20) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. 285