Configuring an IPSec Policy in Site-to-Site VPN

Configuring an IPSec Policy

1. Choose Network > IPSec > IPSec.
2. Click Add to add an IPSec policy.
3. Select Site-to-site in Scenario.
4. Set Virtual System to Public.
   

   If Public is selected, the IPSec security policy protects the traffic to the root system. If a virtual system is selected, traffic of the virtual system is forwarded using the public IP address of the root system, and the IPSec security policy protects the traffic to the virtual system.

5. Configure the basic parameters of the IPSec policy.

   Parameter	Description
   Policy Name	Specify a name for the IPSec policy.
   Local Interface	Select an interface from the drop-down list on which the IPSec policy is to be applied. This interface can be a physical interface or a tunnel interface. The physical interface must be the interface the connects the local end to the peer gateway, and it is usually the WAN interface of the device. The local end uses this interface to establish a tunnel to the peer gateway.
   Local Address	Select an IP address for the local gateway to establish a tunnel to the peer gateway. If the Local Interface has several local IP addresses, select an IP address accessible from the peer gateway. In a hot standby network, select a virtual IP address for the local interface.
   Peer Address	Specify the IP address or domain name of the peer gateway, for example, 1.1.1.1 or test1.com. In common practices, the IP address or domain name must be specified to restrict the access from other gateways. Leave this parameter unspecified if the peer gateway does not have a fixed IP address or domain name. In this case, the local gateway cannot initiate negotiations.

   

   The link to [Add Security Policy] is provided on the web UI. You can click the link to access the Add Security Policy page and rapidly create a security policy based on the configured IPSec policy to permit tunnel negotiation packets. In addition, the Add Security Policy page support Switch Source and Destination and OK and Copy for configuring security policies for forward and return traffic.

6. Configure tunnel authentication.

   There are three IPSec tunnel authentication modes, and some of their parameter values are different.

   • Pre-shared key

     Parameter	Description
     Authentication Type	Pre-shared key
     Pre-shared key	Specify the character string negotiated with the administrator of the peer gateway.
     Local ID	The local ID identifies the local gateway for authentication by the peer gateway. The type and value must be the same as those of the Peer ID of the peer device. If you select Pre-shared key in Authentication Type, this parameter has the following options: IP Address: If this option is selected, the IP address specified in Local Address is used as the local ID. Name: If this option is selected, the local gateway name is used as the default ID. You can specify another name. User-FQDN: If this option is selected, the local gateway name is used as the default ID. You can specify another name. ESN: If this option is selected, the local gateway ESN is used as the local ID. You cannot specify another name.
     Peer ID	The peer ID identifies the peer device. Obtain this parameter value from the administrator of the peer device. The type and value must be the same as those of the local ID specified on the peer device. Select Any if no authentication is required. If only string match is required, select Any Type. NOTE: When the peer ID type is IP address, the device uses Peer Address configured in step 5 as the peer ID for consistency check with the local ID configured on the peer device.

   • RSA signature

     Parameter	Description
     Authentication Type	RSA signature
     Certificate	This parameter is available only when you select RSA signature in Authentication Type. Select the public key certificate when this parameter is available. Certain information in the certificate is to be sent to the peer gateway for authentication. For details about certificate uploading, see Local Certificate.
     Local ID	After the certificate is loaded, select the local ID type. The system automatically extracts the corresponding file value from the certificate as the local ID. The local ID can be one of the following items (corresponding to the specific fields in the certificate): IP Address: The IP Address field value serves as the local ID. DN: The Subject field value serves as the local ID. Name: The Commonname field value serves as the local ID. User-FQDN: The Email field value serves as the local ID.
     Peer ID	The peer ID identifies the peer device. Obtain this parameter value from the administrator of the peer device. The type and value must be the same as those of the local ID specified on the peer device. Select Any if no authentication is required. If only string match is required, select Any Type. NOTE: When the peer ID type is IP address, the device uses Peer Address configured in step 5 as the peer ID for consistency check with the local ID configured on the peer device.

   • RSA digital envelope

     Parameter	Description
     Authentication Type	RSA digital envelope
     Local Certificate	To set this parameter, select the local certificate requested from the CA for the device. Some information in the local certificate is sent to the peer for authentication during tunnel establishment.
     Peer Certificate	To set this parameter, specify the certificate used by the peer device. During tunnel establishment, the local device compares the specified peer certificate with the certificate information sent by the peer to authenticate the peer.

   • SM2 digital envelope

     Parameter	Description
     Authentication Type	SM2 digital envelope
     Encryption Realm	Select the PKI realm of the encryption certificate requested and imported from the SM2 server.
     Signature Realm	Select the PKI realm of the signature certificate requested and imported from the SM2 server. In addition, the CA certificates used by the devices at both ends need to be imported to this signature realm.

7. Configure the data flows to be encrypted through the IPSec tunnel.

   In common cases, only a bunch of data flows need to be encrypted before they are sent to the peer, and the rests are sent directly through the Internet. To avoid those data flows to be transmitted directly through the Internet entering the tunnel, you need to configure certain rules to restrict the them.

   • You can configure multiple rules in a list. Data flows match the rules from top to bottom. If a match is found, data flows are processed according to the specified action, and the matching process ends.

   Under Data Flow to Encrypted, select IPv4 or IPv6 for Address Type and click Add.

   Parameter	Description
   Source Address/Address-set	Specify the source address from which the data flows to be encrypted through the tunnel are originated. In common practices, the source address is usually the address of the intranet subnet to be protected. You can enter an IP address (such as 192.168.1.1), network segment (such as 192.168.1.0/24 or 192.168.1.0/255.255.255.0), or address group. Address groups are usually used when an intranet has multiple network segments, so as to reduce encrypted data flow configuration and increase configuration efficiency. Members cannot be address groups with consecutive IP address segments. Address-set is not supported, when Address Type is set to IPv6.
   Destination Address/Address-set	Specify the destination address for which the data flows to be encrypted through the tunnel are destined. In common practices, the destination address is usually the address of the requested subnet on the peer intranet. You can enter an IP address (such as 10.1.1.1), network segment (such as 10.1.1.0/24 or 10.1.1.0/255.255.255.0), or address group. Address groups are usually used when an intranet has multiple network segments, so as to reduce encrypted data flow configuration and increase configuration efficiency. Members cannot be address groups with consecutive IP address segments. Address-set is not supported, when Address Type is set to IPv6.
   Protocol	Specify the protocol through which the data flows are transmitted, and then the TCP or UDP port for encrypting traffic of specific service. For example, you can specify TCP port 80 to encrypt HTTP traffic, or UDP port 69 to encrypt TFTP traffic. If you do not know the protocol and port or there is no need to perform protocol-based restriction, leave this parameter unspecified or set it to any.
   Source Port	This parameter is available if you select TCP, SCTP or UDP in Protocol. Specify the source port number from which the data flows to be encrypted through the tunnel are originated.
   Destination Port	This parameter is available if you select TCP, SCTP or UDP in Protocol. Specify the destination port number for which the data flows to be encrypted through the tunnel are destined.
   Action	Specify the action for data flows that match the preceding conditions. Encrypt indicates that the data flows are allowed to be encrypted through the tunnel. Do Not Encrypt indicates that the data flows are not allowed to be encrypted through the tunnel. The Do Not Encrypt action is used to exempt traffic of some clients from encryption. For example, to encrypt the traffic from all hosts on subnet 192.168.1.0/24 except a host at 192.168.1.2, configure a rule for exempting traffic of the host at 192.168.1.2 from encryption and a rule for encrypting traffic of hosts on subnet 192.168.1.0/24.

   

   The link to [Add Security Policy] is provided on the web UI. You can click the link to access the Add Security Policy page and rapidly create a security policy based on the configured data flows to be encrypted to permit encrypted traffic. In addition, the Add Security Policy page support Switch Source and Destination and OK and Copy for configuring security policies for forward and return traffic.

   You can select Reverse Route Injection if necessary. If Reverse Route Injection is selected, the device automatically installs the routes pointed to the peer network. This function is usually configured on the HQ gateway connected to multiple branches.

   You can set the Priority if necessary. For example, if other routes to the same destination exist on the device, you can specify the same priority for them to implement load balancing, or different priorities to implement route backup.

8. Configure advanced parameters in security proposals.

   Click Advanced to check the pre-defined sets of security proposal parameters. Modify the parameters in Advanced if the pre-defined sets cannot meet the requirement. All parameters except the SA timeout period must be set to the same values at both ends.

   You can select multiple algorithms for the security proposal. Then the tunnel peers will preferentially use the algorithm with the highest security for the IKE negotiation. On the web UI, the algorithms are ranked in descending order of their priorities from left to right.

   Parameter	Description
   IKE Parameters
   IKE Version	Select v1 or v2 to specify the version of the IKE protocol used in negotiations with the peer gateway. For details on IKE versions. If both versions are selected, the local end can respond to both IKEv1 and IKEv2 requests but initiate only IKEv2 requests.
   Negotiation Mode	Select the IKEv1 negotiation mode. Automatic: Both the main mode and aggressive mode are acceptable in the response to IKE requests, but only the main mode is acceptable in the initiation of IKE requests. Main Mode: Only the main mode is acceptable in the negotiation. Aggressive Mode: Only the aggressive mode is acceptable in the negotiation.
   Encryption	Select an encryption algorithm as required. The AES algorithm has higher security than DES and 3DES and delivers more complicated calculation than 3DES. Compared with DES, 3DES provides higher security but lower encryption speed.
   Authentication	This parameter is available only after you select v1 in IKE Version. Select the algorithm used in data source authentication. NOTE: Only IKEv1 supports this parameter. In the case of interconnection with a device running V100R001, if the peer device uses IKEv1 for negotiation, ensure that Authentication on the local device is the same as Authentication on the peer device.
   Integrity Hash	This parameter is available only after you select v2 in IKE Version. Specify the algorithm for data integrity checks if IKEv2 is used in the negotiation.
   PRF	This parameter is available only after you select v2 in IKE Version. Select the algorithm used in data source authentication. NOTE: Only IKEv2 supports this parameter. In the case of interconnection with a device running V100R001, if the peer device uses IKEv2 for negotiation, ensure that PRF on the local device is the same as Authentication on the peer device.
   DH Group	Select the key exchange methods.
   SA Timeout	Set the IKE SA lifetime. When the lifetime is about to expire, the FW will negotiate a new SA. The new SA will immediately replace the old SA once it is established. Specify the timeout period, in seconds.
   IPSec Parameters
   Encapsulation Mode	Select an IPSec encryption mode. Automatic: Both the transport mode and tunnel mode can be used to respond to negotiation requests, but only the tunnel mode can be used to initiate negotiation requests. Tunnel: It is usually used in establishing tunnels between the VPN gateways. Transport: It is used in establishing tunnels between mobile devices and the VPN gateway.
   Security Protocol	Select an IPSec protocol. Encapsulating Security Payload (ESP): Encrypts and authenticates the packet payload. Authentication Header (AH): Authenticates the entire packet, but does not encrypt the packet. AH-ESP: Encrypts and authenticates the entire packet.
   ESP Encryption	This parameter is available if you select ESP or AH-ESP in Security Protocol. Select the algorithm used in data encryption. NOTE: During IKEv2 negotiation, do not select only Chinese cryptographic algorithms. Otherwise, the negotiation fails.
   ESP Authentication	This parameter is available if you select ESP or AH-ESP in Security Protocol. Select the algorithm used in data source authentication. NOTE: During IKEv2 negotiation, do not select only Chinese cryptographic algorithms. Otherwise, the negotiation fails.
   AH Authentication	This parameter is available if you select AH or AH-ESP in Security Protocol. Select the algorithm used in data source authentication. This parameter is available if you select ESP or AH-ESP in Security Protocol. Select the algorithm used in data source authentication. NOTE: During IKEv2 negotiation, do not select only Chinese cryptographic algorithms. Otherwise, the negotiation fails.
   PFS	Select the key exchange methods. A greater group ID indicates a longer key and higher security. None indicates no extra key exchanges are to be performed.
   SA Timeout	The IPSec tunnel is renegotiated to ensure security when the establishment time or transmitted traffic volume reaches the specified threshold. Specify the idle period for SA renegotiation in Based on Time. Specify the traffic volume threshold in Based on Traffic. When either of the preceding conditions are met after an IPSec tunnel is established, IPSec SA renegotiates the tunnel. The renegotiation does not disconnect the currently available tunnel.
   Dead Peer Detection (DPD)
   Detection Mode	After Dead Peer Detection (DPD) is enabled, the local end sends DPD packets to detect whether the peer gateway is still alive. Available detection methods are as follows: Periodic: The local end resends DPD packets if no packet is received from the peer device within the period specified in Detection Interval. On-demand: The local end sends DPD packets only when the communication is required and no packet is received from the peer device within the period specified in Detection Interval. Enable or disable this function on both ends at the same time. A detection failure is logged if no response is received within the period specified in Retry Interval after the local end sends a DPD packet. After five consecutive detection failures, the peer is regarded to be down and the tunnel is automatically removed.
   Detection Interval	Specify a period in Detection Interval, in seconds.
   Retry Interval	Specify a period in Retry Interval, in seconds. This parameter is applicable only when the tunnel uses IKEv1.

9. Click Apply. The newly configured IPSec policy is displayed in the policy list.

Cloning an IPSec Policy

Select an existing IPSec policy in IPSec Policy List and click Copy to create an IPSec policy using the selected policy as a template. On the configuration page of the newly created IPSec policy, some parameters (such as the scenario, authentication mode, and security proposal) have been configured. You only need to set the remaining parameters (such as pre-shared key, and data flow to be encrypted).

In V600R007C20SPC500 and later versions, IPSec policy whose Policy Type is profile can be viewed in the IPSec policy list, but cannot be copied.

Viewing and Exporting Recommended Settings for the Peer Device