Professional Documents
Culture Documents
NetEngine AR600 AR6000 Series Routers IPSec VPN Delivery Guide
NetEngine AR600 AR6000 Series Routers IPSec VPN Delivery Guide
NetEngine AR600,
AR6000 Series Router
IPSec VPN Delivery Guide
www.huawei.com
IPSec Background
IPSec Overview
AH&ESP
IKE
Application layer
Transport layer
Network layer
Encrypted IP packet
Transport mode
IP Header AH Data
Tunnel mode
New IP Header AH Raw IP Header Data
0 8 16 31
AH header Next Payload Reserved
Header
SPI
Sequence Number
Authentication data
IP Header ESP header Encrypted data ESP Tail ESP Auth Data
New IP Header ESP header Raw IP Header Data ESP Tail ESP Auth Data
ESP packet 0 8 16 24
SPI
Sequence Number
Data (variable)
Authentication Data
Data Confidentiality
Data Integrity
Data Authentication
Anti-Replay
IPSec peers use the same key to encrypt and decrypt data. IPSec
uses the following encryption algorithms:
Data Encryption Standard (DES): encrypts a 64-bit plain text by using a 56-bit key.
Triple Data Encryption Standard (3DES): encrypts a plain text by using three 56-bit
DES keys (a 168-bit key).
Advanced Encryption Standard (AES): encrypts a plain text by using a key of 128
bits, 192 bits, or 256 bits.
IPSec proposal
IPSec policy
SA lifetime
SA SA
TCP UDP TCP UDP
IPSec IPSec
IP
Encrypted IP packet
IP SEC + IKE
Enterprise
branch Internet
POP
Configuration points:
(1) Define an ACL and ensure that encrypted data is reachable.
(2) Define an IKE proposal, IKE peer, IPSec proposal, and IPSec policy.
(3) Note that an IPSec policy needs to reference the IPSec proposal and IKE peer.
(4) Bind the IPSec policy to an outbound interface.
IPSec tunnel
GRE tunnel
The IPSec tunnel interface first adds a GRE header to packets, and then adds
an IPSec header to the packets.
When an IPSec policy is applied to a physical interface and then GRE is configured on the interface,
the interface first adds a GRE header to packets, and then adds an AH or ESP header to the packets.
The receiver first decrypts the IPSec header, and then decapsulates the GRE header.
GRE over IPSec applies to scenarios all traffic between two sites needs to be
protected by IPSec. It effectively reduces ACL configuration.
AnACL is configured to to match the GRE tunnel interface but not the original
subnet.
The encapsulation mode in the IPSec proposal must be transport.
The source and destination IP addresses of the GRE tunnel interface must be
the same as the local and remote addresses of the IPSec interface.
The subnet traffic needs to be imported to the GRE tunnel.
To protect traffic on a GRE tunnel, configure GRE on a physical interface bound
to an IPSec policy or bind an IPSec profile to the GRE tunnel.
Ensure that RTA and RTB can communicate through the NATER.
The local names need to be configured on both RTA and RTB.
The aggressive mode must be used.
The local ID type must be set to name.
The remote names need to be configured on both RTA and RTB.
The remote address need to be specified on RTB because RTB is located on
the private network.
RTA and RTB need to have NAT traversal enabled.
Configure Router A.
ike local-name rta //Configure the local name in IKE negotiation.
acl number 3000 //Configure an ACL.
rule 0 permit ip source 1.0.0.0 0.0.0.255 destination 2.0.0.0 0.0.0.255
ipsec proposal rtb //Create an IPSec proposal.
ike proposal 1 //Create an IKE proposal.
ip route-static 2.0.0.0 255.255.255.0 1.2.0.2 //Configure a static route to the network segment
2.0.0.0.
ip route-static 192.168.0.0 255.255.255.0 1.2.0.2 //// Configure a static route to the network
segment 192.168.0.0.
Step 2
Check whether the IPSec tunnel is successfully set up.
(a) Run the display ike sa[v2] command to view the IKE SA in phase 1.
Notice the flag in the red pane. The flag value indicates that negotiation is successful. ST
indicates the initiator, and RD indicates the receiver.
(a) Run the display ipsec sa command to view the IPSec SA in phase 2.
(c) If the IKE SA and IPSec SA exist, the IPSec tunnel is successfully set up.
(c) If statistics on packets increase, packets are forwarded over the IPSec tunnel.
Step 4
If the value of the Outpacket count field does not increase, perform the following
operations:
(a) Check routing information. Check whether traffic is imported to the IPSec
tunnel through a route. That is, check whether the next hop in the route points to
the interface where the IPSec tunnel is set up.
(b) During the ping operation, check whether the ACL rule is matched. If the
source address in the ACL rule and the address of the tunnel interface on the local
device are on different network segments, specify the source address.
(c) Check whether NAT is configured on the interface where an IPSec policy is
applied. If NAT is configured on the interface, the device first performs NAT, and
then performs IPSec processing. The ACL rule must match the address translated
by NAT.
Note: If the translated address is variable and ACL rules for NAT and IPSec
conflict, configure a deny clause in the ACL rule for NAT. Then addresses of traffic
passing the IPSec tunnel are not translated by NAT.
Step 5
If the value of the Outpacket count field increases but the value of the Inpacket
count does not, packets are sent out from the local end, and may not reach the
peer end or the peer end receives the packets but does not respond to the
packets. Check information about the peer device.
(a) Check routing information of the peer device, and check whether traffic is
imported to the IPSec tunnel through a route.
(b) Check the IPSec tunnel status of the peer device (check the IKE/IPSec SA). If
the SA of the peer device works properly, proceed to the next step.
© Check whether SPIs at both ends match.
IPSec Implementation