< Home

Configuring an IPSec Proposal

Context

An IPSec proposal, as part of an IPSec policy or an IPSec profile, defines security parameters for IPSec SA negotiation, including the security protocol, encryption and authentication algorithms, and encapsulation mode. Both ends of an IPSec tunnel must be configured with the same parameters.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec proposal proposal-name

    An IPSec proposal is created and the IPSec proposal view is displayed.

  3. Run transform { ah | esp | ah-esp }

    A security protocol is configured.

    By default, an IPSec proposal uses ESP.

  4. An authentication or encryption algorithm is configured.

    • If AH is used, you can only configure the AH-specific authentication algorithm because AH only authenticates packets.

      Run ah authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 | sm3 } *

      An AH-specific authentication algorithm is configured.

      By default, the AH authentication algorithm is SHA2-256.

    • When ESP is specified, ESP can encrypt/authenticate, or encrypt and authenticate packets. Configure the ESP-specific authentication or encryption algorithm.

      • Run esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 | sm3 } *

        An ESP-specific authentication algorithm is configured.

        By default, the ESP authentication algorithm is SHA2-256.

      • Run esp encryption-algorithm { des | 3des | aes-128 | aes-192 | aes-256 | sm4 | aes-128-gcm-128 | aes-192-gcm-128 | aes-256-gcm-128 | aes-128-gmac | aes-192-gmac | aes-256-gmac } *

        An ESP-specific encryption algorithm is configured.

        By default, the ESP encryption algorithm is AES-256.

    • When both AH and ESP are used, AH authenticates packets, and ESP can encrypt and authenticate packets. You can choose to configure an AH-specific authentication algorithm, or ESP-specific authentication and encryption algorithms. The device first encapsulates the ESP header, and then the AH header to packets.

    • SM3 can meet the high confidentiality and security requirements, but it takes a comparatively long time for processing. Authentication algorithms SHA2-256, SHA2-384, and SHA2-512 are recommended to improve packet transmission security, whereas authentication algorithms MD5 and SHA1 are not recommended.
    • SM4 can meet the high confidentiality and security requirements, but it takes a comparatively long time for processing. Encryption algorithms AES-128, AES-192, AES-256, AES-256-GCM-128, AES-192-GCM-128, AES-128-GCM-128, AES-256-GMAC, AES-192-GMAC, and AES-128-GMAC are recommended to improve packet transmission security, whereas encryption algorithm DES and 3DES are not recommended.

  5. Run encapsulation-mode { transport | tunnel | auto }

    An IP packet encapsulation mode is configured.

    By default, IPSec uses the tunnel mode to encapsulate IP packets.

    Auto-sensing mode: The tunnel mode is used if the device serves as the IKE negotiation initiator. If the device serves as the responder, both the tunnel mode and transport mode can be used.

    When IKEv2 is used, the encapsulation modes in all the IPSec proposals configured on the IKE initiator must be the same; otherwise, IKE negotiation fails.

    When L2TP over IPSec or GRE over IPSec is configured, a public IP header is added to packets during L2TP or GRE encapsulation. Compared with the transport mode, the tunnel mode adds another public IP header. In tunnel mode, the packet length is longer and packets are more likely to be fragmented. The transport mode is therefore recommended.

  6. Run quit

    Exit the IPSec proposal view.

Parent Topic: Using an ACL to Establish an IPSec Tunnel-CLI
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >