Configuring an IPSec Session for Encryption

Context

Internet Protocol Security (IPSec) can be configured to prevent data theft and spoofing during data transmission in a network.

A security association (SA) must be established before IPSec can protect transmitted data. An SA is a unidirectional logical connection set up for security purposes; it specifies the elements used by two IPSec peers (two parties that use the IPSec protocol to protect the data transmitted between them). The elements of an SA include the following:

  • Security protocol
  • Authentication or encryption algorithm supported by the security protocol
  • Data encapsulation mode
  • Security parameter index (SPI) of the SA
  • Authentication key or encryption key of the SA

The first three elements are specified in an IPSec proposal. To configure IPSec functions, first configure an IPSec proposal on the IPSec peers, and then configure an SA.

Procedure

  1. Configure an IPSec proposal.
    1. Run system-view

      The system view is displayed.

    2. Run ipsec proposal proposal-name

      An IPSec proposal is created and the IPSec proposal view is displayed.

    3. Run transform { ah | esp }

      A security protocol is specified for the IPSec proposal.

      By default, the security protocol used by an IPSec proposal is the Encapsulation Security Protocol (ESP).

    4. Configure an authentication or encryption algorithm.

      • If AH is used, you can only configure the AH-specific authentication algorithm because AH only authenticates packets.

        Run the ah authentication-algorithm { sha1 | sha2-256 } command to specify the authentication algorithm for the AH protocol.

        By default, the AH protocol uses the Secure Hash Algorithm-256 (SHA2-256) authentication algorithm.

      • If ESP is used, ESP can encrypt packets, authenticate packets, or do both. Configure the ESP-specific authentication or encryption algorithm.
        • Run the esp authentication-algorithm { sha1 | sha2-256 } command to specify the authentication algorithm for the ESP protocol.

          By default, the ESP protocol uses the Secure Hash Algorithm-256 (SHA2-256) authentication algorithm.

        • Run the esp encryption-algorithm { 3des | aes [ 128 | 192 | 256 ] } command to specify the encryption algorithm for the ESP protocol.

          By default, the ESP protocol uses the Advanced Encryption Standard-256 (AES-256) encryption algorithm.

      The SHA-1 and 3DES algorithms are not recommended because they cannot meet security defense requirements.

    5. Run encapsulation-mode { transport | tunnel }

      A data encapsulation mode is specified for the security protocol.

      By default, the data encapsulation mode is tunnel.

      In transport mode, the devices that encrypt and decrypt packets must be the originator and the receiver of those packets.

    6. Run quit

      Return to the system view.

  2. Configure an IPSec SA.
    1. Run ipsec sa sa-name

      An IPSec SA is created and the IPSec SA view is displayed.

      By default, no IPSec SA exists in the system.

    2. Run proposal proposal-name

      The IPSec proposal is bound to the IPSec SA.

      By default, an IPSec SA does not reference any IPSec proposal.

      An IPSec SA can use only one IPSec proposal. To bind a new IPSec proposal to the IPSec SA, delete the original IPSec proposal binding first.

    3. Run sa spi { inbound | outbound } { ah | esp } spi-number

      An SPI is configured for the SA.

      • An SPI uniquely identifies an SA. Each SA must be configured with an inbound SPI and an outbound SPI. The outbound SPI on the local end must be the same as the inbound SPI on the remote end.
      • The security protocol (AH or ESP) you select when configuring the SPI must be the same as that used in the IPSec proposal bound to the SA.

    4. Configure a key according to the security protocol used in the IPSec proposal bound to the SA.

      • If the AH protocol is used, you can configure an authentication key that is a hexadecimal number or a character string.
        • Run the sa authentication-hex { inbound | outbound } ah [ cipher ] hex-cipher-key command to configure a hexadecimal authentication key.

        • Run the sa string-key { inbound | outbound } ah [ cipher ] string-cipher-key command to configure a character string as the authentication key.

      • If the ESP protocol is used, run one of the following commands to configure the authentication key or the encryption key. You can also configure both the authentication key and the encryption key; in that case, both keys must be hexadecimal keys.
        • Run the sa authentication-hex { inbound | outbound } esp [ cipher ] hex-cipher-key command to configure a hexadecimal authentication key.

        • Run the sa string-key { inbound | outbound } esp [ cipher ] string-cipher-key command to configure a character string as the authentication key.

        • Run the sa encryption-hex { inbound | outbound } esp [ cipher ] hex-cipher-key command to configure a hexadecimal encryption key.

      • The security protocol (AH or ESP) you select when configuring the key must be the same as that used in the IPSec proposal bound to the SA.
      • The outbound key on the local end must be the same as the inbound key on the remote end.
      • The IPSec peers must use the authentication or encryption key in the same format. For example, if the key on one end is a character string but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be set up.
      • If you configure multiple keys in different formats, the last configured key takes effect.

  3. Verify the configuration.
    1. Run the display ipsec sa [ name sa-name ] [ brief ] command to check information about the SA.
    2. Run the display ipsec proposal [ name proposal-name ] command to check information about the security proposal.
    3. Run the display ipsec statistics [ sa-name sa-name slot slot-number ] command to check statistics about packets processed by IPSec.
Copyright © Huawei Technologies Co., Ltd.