Operation Manual - VPN
H3C SecPath F1800-A Firewall
Through IPSec, data streams between peers (here, the firewall and its peer)
can be protected by means of authentication, encryption, or both.
Data streams are distinguished by ACL.
IPSec defines the following security protection elements:
Security protocol
Authentication algorithm
Encryption algorithm
Operation mode
The following are defined in an IPSec policy:
The association between a data stream and an IPSec proposal (that is, which
protection is applied to which data stream)
SA negotiation mode
Peer IP address (that is, the start and end points of the protection path)
The keys
The SA lifetime
Finally, IPSec policies are applied to interfaces. This is the IPSec configuration
process. The following details the procedure.
1) Defining the data streams to be protected
A data stream is a set of traffic identified by:
Source address/mask
Destination address/mask
IP protocol number
Source port number
Destination port number
An ACL rule defines a data stream: traffic that matches one ACL rule is logically one
data stream. A data stream can be a single TCP connection between two hosts or all
traffic between two subnets. IPSec can apply different security protections to
different data streams, so the first step in IPSec configuration is to define the data streams.
2) Defining an IPSec proposal
An IPSec proposal defines the following for the data stream to be protected:
Security protocol
Authentication or encryption algorithm
Operation mode (namely, the packet encapsulation mode)
The SecPath F1800-A supports AH and ESP, which can be used either separately or
together. AH supports the MD5 and SHA-1 authentication algorithms.
ESP supports the MD5 and SHA-1 authentication algorithms as well as the DES and 3DES
encryption algorithms. Of these, DES and MD5 are weak by current standards: prefer
3DES for encryption and SHA-1 for authentication unless the peer cannot negotiate them.
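The two steps above, carried through as a complete configuration listing (an added example, not taken from the manual). The command syntax is assumed to follow the Comware-style CLI of the SecPath series (acl number, ipsec proposal, ipsec policy, interface) and should be checked against the device's command reference; the addresses, ACL number 3000, proposal name tran1, policy name policy1 and interface Ethernet 0/0 are placeholders chosen for illustration.

```text
# Step 1: the data streams to protect.
# Rule 0: all IP traffic from 10.1.1.0/24 to 10.1.2.0/24 (one data stream).
# Rule 1: only TCP from 10.1.1.0/24 to the single host 10.1.2.10, port 1433
#         (a second, narrower data stream matched by protocol and port).
# 0.0.0.255 is a wildcard (inverse) mask, not a subnet mask.
acl number 3000
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
quit
acl number 3001
 rule 0 permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.10 0 destination-port eq 1433
quit

# Step 2: IPSec proposals. tran1 uses ESP alone in tunnel mode with the strongest
# algorithms the platform lists (SHA-1 authentication, 3DES encryption).
ipsec proposal tran1
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
 encapsulation-mode tunnel
quit
# tran2 uses AH and ESP together: AH authenticates the whole packet, ESP encrypts.
ipsec proposal tran2
 transform ah-esp
 ah authentication-algorithm sha1
 esp encryption-algorithm 3des
 encapsulation-mode tunnel
quit

# Bind each data stream to its proposal in one IPSec policy (two entries, IKE-negotiated
# SAs) and apply the policy on the interface facing the peer at 203.0.113.2.
ipsec policy policy1 10 isakmp
 security acl 3000
 proposal tran1
 tunnel remote 203.0.113.2
quit
ipsec policy policy1 20 isakmp
 security acl 3001
 proposal tran2
 tunnel remote 203.0.113.2
quit
interface Ethernet 0/0
 ipsec policy policy1
quit
```

Policy entries are evaluated in sequence-number order, so the narrower stream (ACL 3001, port 1433) should carry a lower sequence number than the catch-all if the two overlap; here 3001 is a subset of 3000, so as written all traffic to 10.1.2.10:1433 would match entry 10 first and get tran1. Swap the sequence numbers if the port-specific stream must receive the AH+ESP protection. The IKE configuration that an isakmp policy also needs (peer address, pre-shared key or certificate) is outside this excerpt.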
Chapter 3 IPSec Configuration