
Security Level: Internal

NetEngine AR600,
AR6000 Series Router
IPSec VPN Delivery Guide

www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD. HUAWEI Confidential


Internet Protocol Security (IPSec) provides
secure transmission of IP packets. It defines
how to add fields to IP packets to ensure
integrity, privacy, and authenticity of the IP
packets, and how to encrypt data packets.
IPSec allows data to be securely transmitted
on the public network.



Upon completing this course, you will be able to:
- Understand IPSec and relevant protocols.
- Learn about IPSec implementation.
- Understand IPSec application scenarios and configuration.
- Learn about IPSec troubleshooting.


Chapter 1 Introduction to IPSec

Chapter 2 IPSec Configuration

Chapter 3 Typical IPSec Troubleshooting


Chapter 1 Introduction to IPSec
- IPSec Background
- IPSec Overview
- AH and ESP
- IKE
- IPSec and IKE


IPSec Background
- IPv4 has the following disadvantages:
  - Cannot verify the authenticity of the communicating parties.
  - Cannot protect the integrity and confidentiality of transmitted data.
  - Cannot defend against replayed packets.
  - Is prone to attacks including interception of service flows, IP spoofing, information leaks, and data modification.

[Figure: protocol stack (application layer, transport layer, network layer). IPSec provides secure and reliable transmission for network-layer data.]


IPSec Overview
- IPSec is a security protocol suite defined by the Internet Engineering Task Force (IETF). IPSec secures data transmission on the Internet.
- IPSec uses the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols.
- IPSec works in tunnel and transport modes.


IPSec Architecture
[Figure: IKE performs SA negotiation between the two peers; AH/ESP then carry the encrypted IP packets.]
- IPSec involves one key exchange protocol and two security protocols:
  - Internet Key Exchange (IKE)
  - Authentication Header (AH)
  - Encapsulating Security Payload (ESP)


IPSec Authentication Protocols
- IPSec provides two security protocols:
  - Authentication Header (AH)
    - Message Digest 5 (MD5)
    - Secure Hash Algorithm 1 (SHA-1)
  - Encapsulating Security Payload (ESP)
    - Data Encryption Standard (DES)
    - 3DES
    - Other encryption algorithms: Blowfish, CAST, and so on


AH
Original packet:  IP Header | Data
Transport mode:   IP Header | AH | Data
Tunnel mode:      New IP Header | AH | Raw IP Header | Data

AH header format (bit offsets 0, 8, 16, 31):
  Next Header | Payload Length | Reserved
  SPI
  Sequence Number
  Authentication Data


ESP
Original packet:  IP Header | Data
Transport mode:   IP Header | ESP Header | [Data | ESP Tail] (encrypted) | ESP Auth Data
Tunnel mode:      New IP Header | ESP Header | [Raw IP Header | Data | ESP Tail] (encrypted) | ESP Auth Data

ESP packet format (bit offsets 0, 8, 16, 24):
  SPI
  Sequence Number
  Data (variable)
  Padding (0-255 bytes)
  Padding Length | Next Header
  Authentication Data


IPSec Characteristics
- Data Confidentiality
- Data Integrity
- Data Authentication
- Anti-Replay


Data Confidentiality
- IPSec peers use the same key to encrypt and decrypt data. IPSec uses the following encryption algorithms:
  - Data Encryption Standard (DES): encrypts 64-bit plaintext blocks using a 56-bit key.
  - Triple Data Encryption Standard (3DES): encrypts plaintext using three 56-bit DES keys (a 168-bit key).
  - Advanced Encryption Standard (AES): encrypts plaintext using a key of 128, 192, or 256 bits.
- The preceding encryption algorithms are listed in ascending order of security. A more secure algorithm computes more slowly because its implementation is more complex.


Data Integrity and Data Authentication
- A hash function processes a variable-length message into a fixed-length output called a message digest. Both AH and ESP calculate a message digest over the IP packet content. If the message digest produced by the sender is the same as the one the receiver calculates over the packet content, the IP packet has not been tampered with and the data source is reliable.
- IPSec has two authentication algorithms:
  - Message Digest 5 (MD5): processes a variable-length message into a fixed-length output of 128 bits.
  - Secure Hash Algorithm 1 (SHA-1): processes a message of less than 2^64 bits into a 160-bit message digest. SHA-2 generates a message digest of 256, 384, or 512 bits.


Anti-Replay
IPSec uses a sliding window mechanism to detect replayed packets. Each IPSec packet header carries a sequence number that increases monotonically. When an SA is created on the sender, the sequence number is initialized to 1, and it increases by 1 with every IPSec packet the sender transmits. The receiver maintains a receive window. When the receiver gets a packet whose sequence number is smaller than the minimum sequence number of the receive window, it considers the packet already processed and discards it. If the sequence number falls within the receive window and has not been used yet, the receiver treats the packet as new. If the sequence number is larger than the maximum sequence number of the receive window, the receiver adjusts the receive window. The sliding window size is 32 or a multiple of 32.
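The sliding-window check above, implemented as an added example (not code from this deck or from the AR router software): the window is a bitmap whose right edge is the highest authenticated sequence number, the window size is a multiple of 32 as the deck states, and the window only moves after a packet's integrity check has passed. The sequence-number stream fed through it is constructed for illustration.

```python
class AntiReplayWindow:
    """Receive-side sliding window for IPSec sequence numbers.

    top    : highest sequence number accepted so far (0 = nothing yet; the
             sender starts at 1, as the deck describes)
    bitmap : bit i set means sequence number (top - i) was already accepted,
             so the window covers top-size+1 .. top
    """

    def __init__(self, size=32):
        # The deck states the window size is 32 or a multiple of 32.
        if size <= 0 or size % 32 != 0:
            raise ValueError("window size must be a positive multiple of 32")
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq):
        """Classify an incoming sequence number without changing the window."""
        if seq == 0:
            return "stale"          # 0 is never a valid sequence number
        if seq > self.top:
            return "new"            # right of the window: the window will slide
        if seq <= self.top - self.size:
            return "stale"          # left of the window: treated as already processed
        if (self.bitmap >> (self.top - seq)) & 1:
            return "replay"         # inside the window but already seen
        return "new"

    def accept(self, seq):
        """Update the window for a packet whose integrity check passed.

        Only call this after authentication succeeded: sliding the window on
        unauthenticated packets would let forged sequence numbers push
        legitimate traffic out of the window.
        """
        verdict = self.check(seq)
        if verdict != "new":
            return verdict
        if seq > self.top:
            shift = min(seq - self.top, self.size)   # a huge jump just clears the bitmap
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "new"


def replay_verdicts(seqs, size=32):
    """Feed a sequence-number stream through one window and collect verdicts."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: in order, a duplicate, a late arrival, a far jump.
    stream = [1, 1, 5, 3, 3, 40, 8, 9]
    for seq, verdict in zip(stream, replay_verdicts(stream)):
        print(f"seq {seq:>3}: {verdict}")
```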



IPSec Parameters
- Security Association (SA)
- IPSec proposal
- IPSec policy
- Security parameter index (SPI)
- SA lifetime
- Perfect Forward Secrecy (PFS)
- Transport mode


IPSec Tunnel Mode
- In tunnel mode, two IPSec peers establish an IPSec tunnel to transmit IPSec packets. A new IP header is added in front of the original IP header, and the AH or ESP header is inserted between the new IP header and the original IP header. Tunnel mode applies to secure communication between gateways.


IPSec Transport Mode
- In transport mode, no new IP header is added; the AH or ESP header is inserted between the IP header and the transport-layer protocol header. Transport mode applies to secure communication between hosts and gateways.
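An added example, not taken from this deck or from Huawei's implementation, that builds and verifies the ESP frame shown earlier (SPI, sequence number, data, padding, padding length, next header, authentication data) and shows that transport mode and tunnel mode differ only in what gets wrapped and in the next-header value. It assumes HMAC-SHA1-96 for the authentication data (the deck's SHA-1) and substitutes a toy XOR keystream for DES/3DES so that it runs with the Python standard library alone; the byte strings standing in for IP headers are constructed.

```python
import hashlib
import hmac
import struct

# Field sizes from the ESP layout in the deck.
ESP_HEADER = struct.Struct("!II")   # SPI, sequence number
ICV_LEN = 12                        # HMAC-SHA1-96: first 96 bits of HMAC-SHA1
NH_IPV4 = 4                         # tunnel mode: inner payload is a whole IP packet
NH_TCP = 6                          # transport mode: inner payload is a TCP segment
BLOCK = 8                           # block size of DES/3DES used in the deck's scenario


def toy_cipher(key, data):
    """Stand-in for DES/3DES-CBC: XOR with a SHA-256-derived keystream.

    Symmetric and dependency-free; it is NOT a real cipher and only marks
    where encryption sits in the ESP frame.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def esp_encapsulate(spi, seq, payload, next_header, auth_key, enc_key):
    """ESP header | encrypt(payload | padding | pad length | next header) | ICV."""
    pad_len = (-(len(payload) + 2)) % BLOCK        # align the trailer to the cipher block
    padding = bytes(range(1, pad_len + 1))         # 1, 2, 3, ... (RFC 4303 default padding)
    header = ESP_HEADER.pack(spi, seq)
    body = toy_cipher(enc_key, payload + padding + bytes([pad_len, next_header]))
    icv = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv


def esp_decapsulate(packet, auth_key, enc_key):
    """Verify the ICV first, then decrypt. Returns (spi, seq, next_header, payload)."""
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP authentication failed: packet modified or wrong key")
    spi, seq = ESP_HEADER.unpack(header)
    plain = toy_cipher(enc_key, body)
    pad_len, next_header = plain[-2], plain[-1]
    return spi, seq, next_header, plain[:-(pad_len + 2)]


def transport_mode(ip_header, tcp_segment, spi, seq, auth_key, enc_key):
    """Keep the original IP header; ESP wraps only the transport-layer data."""
    return ip_header + esp_encapsulate(spi, seq, tcp_segment, NH_TCP, auth_key, enc_key)


def tunnel_mode(new_ip_header, original_packet, spi, seq, auth_key, enc_key):
    """Prepend a new outer IP header; ESP wraps the whole original IP packet."""
    return new_ip_header + esp_encapsulate(spi, seq, original_packet, NH_IPV4, auth_key, enc_key)
```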



IKE in IPSec
- Simplifies IPSec configuration.
- Updates SAs periodically.
- Updates keys periodically.
- Allows IPSec to provide anti-replay services.
- Allows dynamic authentication.


IPSec and IKE
[Figure: on each peer, IKE runs over UDP to negotiate the IKE SA and the IPSec SAs; IPSec then sits at the IP layer beneath TCP/UDP and exchanges encrypted IP packets with the peer.]




Chapter 2 IPSec Configuration
- IPSec Networking
- IPSec + IKE
- GRE over IPSec
- IPSec over NAT


IPSec Application Scenarios
[Figure: enterprise headquarters connected through POPs over the Internet to an enterprise branch, a partner, SOHO employees, and mobile office employees.]
- Intranet VPN: communication between the enterprise headquarters and branches.
- Extranet VPN: communication between the enterprise and partners.
- Remote access VPN: remote dialup access by employees (SOHO and mobile office) or small-scale branches.


IPSec+IKE Scenario
- Network topology
An IPSec tunnel is established between RouterA and RouterB to protect data flows between the subnet of PC1 (10.1.1.x) and the subnet of PC2 (10.1.2.x). The security protocol, encryption algorithm, and authentication algorithm used for the tunnel are Encapsulating Security Payload (ESP), Data Encryption Standard (DES), and Secure Hash Algorithm 1 (SHA-1), respectively.


IPSec+IKE Scenario
- Configuration points:
(1) Define an ACL and ensure that the data to be encrypted is reachable.
(2) Define an IKE proposal, an IKE peer, an IPSec proposal, and an IPSec policy.
(3) Note that the IPSec policy must reference the IPSec proposal and the IKE peer.
(4) Bind the IPSec policy to the outbound interface.


IPSec+IKE Scenario
- Configure Router A.
acl number 3101 //Configure an ACL.
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ipsec proposal tran1 //Configure an IPSec proposal.
 transform {ah | esp | ah-esp}
 ah authentication-algorithm {md5|sha1|sha2} //Not used when the transform is ESP.
 esp authentication-algorithm {md5|sha1|sha2}
 esp encryption-algorithm {des|3des|aes}
 encapsulation-mode {transport|tunnel}
ike proposal 1 //Configure an IKE proposal.
 encryption-algorithm {des-cbc|3des-cbc|aes-cbc-128|aes-cbc-256}
 authentication-algorithm {md5|sha1|aes-xcbc-mac-96}
 authentication-method {pre-share|rsa-signature}


IPSec+IKE Scenario
ike peer spub v1 //Configure an IKE peer.
 exchange-mode {main|aggressive} //Main mode is used here.
 pre-shared-key huawei
 ike-proposal 1 //Reference the IKE proposal.
 local-id-type name //In main mode, the local ID type can only be set to the local IP address.
 remote-name huawei02
 local-address 202.138.163.1
 remote-address 202.138.162.1
ipsec policy map1 10 isakmp //Configure an IPSec policy.
 security acl 3101 //Bind the ACL.
 ike-peer spub //Bind the IKE peer.
 proposal tran1 //Bind the IPSec proposal.
ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
ip route-static 202.138.161.1 255.255.255.0 202.138.163.2


IPSec+IKE Scenario
interface Ethernet1/0/0 //Configure the external network interface.
 ip address 202.138.163.1 255.255.255.0
 ipsec policy map1 //Apply the IPSec policy to the interface.
interface Ethernet2/0/0 //Configure the internal network interface.
 ip address 10.1.1.1 255.255.255.0

The configurations of Router B and Router A mirror each other.



GRE over IPSec
[Figure: protected traffic of 172.16.1.64/26 and 172.16.1.128/26 carried in a GRE tunnel that runs inside an IPSec tunnel. Encapsulation, outer to inner: GRE IP Header | AH | GRE Header | Original IP Header | Original Data Packet.]
- The IPSec tunnel interface first adds a GRE header to packets and then adds an IPSec header. When an IPSec policy is applied to a physical interface and GRE is then configured on that interface, the interface first adds a GRE header to packets and then adds an AH or ESP header. The receiver first processes the IPSec header (decrypting and verifying the packet) and then decapsulates the GRE header.
- GRE over IPSec applies to scenarios in which all traffic between two sites needs to be protected by IPSec. It substantially reduces the ACL configuration required.


GRE over IPSec Configuration
- Network topology
PC2 is the multicast source. Multicast data is transmitted between RouterA and RouterC and needs to be encrypted by IPSec. Because IPSec cannot be applied directly to multicast data, a GRE header is added to the multicast data first, and an IPSec header is then added on top of it.


Configuration Points
- An ACL is configured to match the GRE tunnel interface, not the original subnet.
- The encapsulation mode in the IPSec proposal must be transport.
- The source and destination IP addresses of the GRE tunnel interface must be the same as the local and remote addresses of the IPSec interface.
- The subnet traffic needs to be imported into the GRE tunnel.
- To protect traffic on a GRE tunnel, configure GRE on a physical interface bound to an IPSec policy, or bind an IPSec profile to the GRE tunnel.


GRE over IPSec Configuration
- Configure Router A.
ike local-name rta
acl number 3000
 rule 5 permit ip source 20.1.1.1 0.0.0.0 destination 30.1.1.2 0.0.0.0 //Match the GRE tunnel endpoints, not the subnets.
ike peer routerc v1
 exchange-mode aggressive
 pre-shared-key simple 12345
 local-id-type name
 remote-name rtc
 remote-address 30.1.1.2
ipsec proposal p1 //The encapsulation mode must be transport (see the configuration points).
ipsec policy policy1 1 isakmp
 security acl 3000
 ike-peer routerc
 proposal p1


GRE over IPSec Configuration
interface GigabitEthernet1/0/0
 ip address 20.1.1.1 255.255.255.0
 ipsec policy policy1
interface GigabitEthernet2/0/0
 ip address 10.1.1.2 255.255.255.0
interface Tunnel0/0/1
 ip address 40.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 20.1.1.1 //Same as the local address used by IPSec.
 destination 30.1.1.2 //Same as the remote address used by IPSec.
ospf 1
 area 0.0.0.0
  network 20.1.1.1 0.0.0.0
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1 //Import the subnet traffic into the GRE tunnel.

The configurations of Router C and Router A mirror each other.


IPSec NAT Traversal
- Network topology
When a NAT gateway is deployed between the two devices at the ends of an IPSec tunnel, both devices must support NAT traversal. RouterA and RouterB translate addresses through the NATER and establish an IPSec tunnel in aggressive mode with NAT traversal enabled.


Configuration Points
- Ensure that RTA and RTB can communicate through the NATER.
- Local names need to be configured on both RTA and RTB.
- Aggressive mode must be used.
- The local ID type must be set to name.
- Remote names need to be configured on both RTA and RTB.
- The remote address needs to be specified on RTB because RTB is located on the private network.
- NAT traversal must be enabled on both RTA and RTB.


NAT Configuration
- Configure the NATER so that Router A can communicate with Router B through the NATER.
acl number 3000 //Configure an ACL.
 rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 1.2.0.0 0.0.0.255
nat address-group 0 1.2.0.0 1.2.0.5 //Configure an address pool.
interface Ethernet1/0/0
 ip address 1.2.0.2 255.255.255.0
 nat outbound 3000 //Configure outbound NAT on the interface.
interface Ethernet2/0/0
 ip address 192.168.0.1 255.255.255.0

- Configure Router A.
ike local-name rta //Configure the local name used in IKE negotiation.
acl number 3000 //Configure an ACL.
 rule 0 permit ip source 1.0.0.0 0.0.0.255 destination 2.0.0.0 0.0.0.255
ipsec proposal rtb //Create an IPSec proposal.
ike proposal 1 //Create an IKE proposal.


NAT Traversal Configuration
ike peer rtb v1 //Configure an IKE peer.
 exchange-mode aggressive //Use aggressive mode.
 pre-shared-key 123 //Configure the pre-shared key.
 remote-name rtb //Configure the name of the remote IKE peer.
 remote-address 192.168.0.2 //Address of the remote IKE peer (its tunnel outbound interface address).
 nat traversal //Enable NAT traversal.
ipsec policy rtb 1 isakmp //Configure an IPSec policy.
 security acl 3000
 ike-peer rtb
 proposal rtb
interface Ethernet1/0/0
 ip address 1.2.0.1 255.255.255.0
 ipsec policy rtb
interface Ethernet2/0/0
 ip address 1.0.0.1 255.255.255.0


NAT Traversal Configuration
ip route-static 2.0.0.0 255.255.255.0 1.2.0.2 //Static route to the network segment 2.0.0.0.
ip route-static 192.168.0.0 255.255.255.0 1.2.0.2 //Static route to the network segment 192.168.0.0.

- Configure Router B. (The IPSec policy template is used on this IPSec peer.)
ipsec policy-template rta_temp 1 //Create an IPSec policy template.
 ike-peer rta
 proposal rta
ipsec policy rta 1 isakmp template rta_temp //Establish the SA using the IPSec policy template.
Other configurations of Router B mirror those of Router A.




Chapter 3 Typical IPSec Troubleshooting
- The local device cannot ping the peer device.


Local Device Cannot Ping the Peer Device
[Flowchart: the troubleshooting sequence below; each box corresponds to one of the steps that follow.]
1. Check whether the peer device can be pinged when ping packets do not pass through the IPSec tunnel.
2. Check whether the IPSec tunnel is successfully set up.
3. Check whether packets are encapsulated and forwarded over the IPSec tunnel.
4. Check whether the local end sends packets that the peer end does not receive, or whether the local end does not send packets at all.
5. Check whether a NAT-enabled device exists between both devices. If a NAT-enabled device exists, enable NAT traversal.
6. Manually trigger IPSec tunnel re-negotiation.


Local Device Cannot Ping the Peer Device
- Step 1
Check whether the peer device can be pinged when ping packets do not pass through the IPSec tunnel. If the peer device cannot be pinged, check the link and routing information. If the peer device can be pinged, proceed to the next step.

- Step 2
Check whether the IPSec tunnel is successfully set up.
(a) Run the display ike sa [v2] command to view the IKE SA of phase 1. Note the flag highlighted in the red box: its value indicates that negotiation succeeded. ST indicates the initiator, and RD indicates the receiver.
(b) Run the display ipsec sa command to view the IPSec SA of phase 2.
(c) If both the IKE SA and the IPSec SA exist, the IPSec tunnel is successfully set up.


Local Device Cannot Ping the Peer Device
- Step 3
Check the value of the Outpacket count field.
(a) Run the display ipsec sa command to check the encapsulation protocol.
(b) Check the statistics on IPSec packets passing through the IPSec tunnel:
  Inpacket count: number of IPSec-encapsulated packets received by the local end from the remote end.
  Outpacket count: number of IPSec-encapsulated packets sent by the local end to the remote end.
(c) If the packet statistics increase, packets are being forwarded over the IPSec tunnel.


Local Device Cannot Ping the Peer Device

 Step 4
If the value of the Outpacket count field does not increase, perform the following
operations:
(a) Check routing information. Check whether traffic is imported to the IPSec
tunnel through a route. That is, check whether the next hop in the route points to
the interface where the IPSec tunnel is set up.
(b) During the ping operation, check whether the ACL rule is matched. If the
source address in the ACL rule and the address of the tunnel interface on the local
device are on different network segments, specify the source address.
(c) Check whether NAT is configured on the interface where an IPSec policy is
applied. If NAT is configured on the interface, the device first performs NAT, and
then performs IPSec processing. The ACL rule must match the address translated
by NAT.
Note: If the translated address is variable and ACL rules for NAT and IPSec
conflict, configure a deny clause in the ACL rule for NAT. Then addresses of traffic
passing the IPSec tunnel are not translated by NAT.



Local Device Cannot Ping the Peer Device
- Step 5
If the value of the Outpacket count field increases but the value of the Inpacket count field does not, packets leave the local end but either do not reach the peer end, or the peer end receives them and does not respond. Check the peer device:
(a) Check the routing information of the peer device, and check whether traffic is imported into the IPSec tunnel through a route.
(b) Check the IPSec tunnel status of the peer device (check the IKE/IPSec SA). If the SA of the peer device works properly, proceed to the next step.
(c) Check whether the SPIs at both ends match.


[Figure: display ipsec sa output on both ends with the SPIs highlighted. The local outbound SPI must be the same as the peer end's inbound SPI, and the local inbound SPI must be the same as the peer end's outbound SPI.]


Local Device Cannot Ping the Peer Device
- Step 6
Check whether a NAT-enabled device exists between both devices. If a NAT-enabled device exists, enable NAT traversal. Then check the IPSec SA information.
[Figure: display ipsec sa output with the NAT traversal flag highlighted.]


Summary
- IPSec Implementation
- IPSec VPN Application and Configuration
- IPSec VPN Troubleshooting


Thank you
www.huawei.com
