Huawei AR1200 Series - IPSec Features Supported by the AR1200

Figure 5-2 Packet format in tunnel mode
[Figure: tunnel-mode packet layouts for the AH, ESP, and AH-ESP protocols, built from the fields new IP Header, AH, ESP, raw IP Header, TCP Header, data, ESP Tail, and ESP Auth data.]
• Authentication algorithm and encryption algorithm
  – IPSec uses the Message Digest 5 (MD5) algorithm, Secure Hash Algorithm 1 (SHA-1),
    or Secure Hash Algorithm 2 (SHA-2) for authentication. The MD5 algorithm computes
    faster than the SHA-1 algorithm, but the SHA-1 algorithm is more secure than the MD5
    algorithm. SHA-2 produces a longer digest than SHA-1 and is more secure than
    SHA-1.
  – IPSec uses the Data Encryption Standard (DES), Triple Data Encryption Standard
    (3DES), or Advanced Encryption Standard (AES) algorithm for encryption. The AES
    algorithm encrypts plain text by using a key of 128 bits, 192 bits, or 256 bits.
• Negotiation mode
  IPSec uses two negotiation modes to establish SAs: manual mode (manual) and IKE
  negotiation mode (isakmp).
5.2 IPSec Features Supported by the AR1200
The AR1200 supports IPSec tunnels established manually, through IKE negotiation, through an
IPSec tunnel interface, or through an Efficient VPN policy.
The AR1200 implements IPSec tunnel setup as follows:
• In manual mode or IKE negotiation mode, an IPSec tunnel is established based on ACLs.
IPSec peers can use various security protection measures (authentication, encryption, or
both) on different data flows.
The general process of establishing an IPSec tunnel in manual mode or IKE negotiation
mode is as follows:
1. Define an ACL to specify the data flows to be protected.
2. Configure an IPSec proposal to specify the security protocol, authentication algorithm,
encryption algorithm, and encapsulation mode.
3. Configure an IPSec policy or an IPSec policy group to specify the association between
data flows and the IPSec proposal (protection measures for the data flows), SA
negotiation mode, peer IP address (start and end points of the protection path), required
key, and SA lifetime.
4. Apply the IPSec policy on an interface of the router.
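An added example (not from the Huawei guide) that audits a configuration built with the four steps above: it follows each interface to its applied IPSec policy and on to the referenced proposal, and reports proposals in use that select MD5, SHA-1, DES, or 3DES. The VRP-style command keywords, the names, and the sample configuration are assumptions constructed for illustration.

```python
import re

WEAK = {"authentication": {"md5", "sha1"}, "encryption": {"des", "3des"}}

# Constructed sample; the VRP-style keywords are assumptions, not from the page.
SAMPLE_CONFIG = """\
ipsec proposal legacy
 esp authentication-algorithm md5
 esp encryption-algorithm des
#
ipsec proposal strong
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ipsec policy map1 10 isakmp
 security acl 3101
 proposal legacy
#
interface GigabitEthernet1/0/0
 ipsec policy map1
"""

def parse_sections(config):
    """Group indented lines under the unindented command that opens them."""
    sections, current = {}, []
    for line in config.splitlines():
        if line.startswith(" "):
            current.append(line.strip())
        elif line.strip() not in ("", "#"):
            current = sections.setdefault(line.strip(), [])
    return sections

def weak_algorithms(body):
    """Weak picks in one proposal: MD5/SHA-1 (ranked below SHA-2), DES/3DES."""
    pat = re.compile(r"(?:esp|ah) (authentication|encryption)-algorithm (\S+)")
    return [m[2] for m in map(pat.fullmatch, body) if m and m[2] in WEAK[m[1]]]

def audit(config):
    """Follow interface -> policy -> proposal; report weak algorithms in use."""
    s = parse_sections(config)
    weak = {h.split()[2]: weak_algorithms(b) for h, b in s.items()
            if h.startswith("ipsec proposal ")}
    findings = []
    for intf, body in s.items():
        applied = {c.split()[2] for c in body if c.startswith("ipsec policy ")}
        for pol, pbody in s.items():
            if pol.startswith("ipsec policy ") and pol.split()[2] in applied:
                findings += [(intf.split()[1], pol.split()[2], c.split()[1], weak[c.split()[1]])
                             for c in pbody if c.startswith("proposal ") and weak.get(c.split()[1])]
    return findings
```

Each finding is a tuple of interface, policy, proposal, and the weak algorithms it selects; a weak proposal that no applied policy references is not reported.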
In addition, IPSec supports MPLS VPN access. You can implement this function by:
– Associating a VPN instance with an SA
Huawei AR1200 Series Enterprise Routers
Configuration Guide - VPN 5 IPSec Configuration
Issue 01 (2012-04-20) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.