
(Optional) Configuring CAPWAP Tunnel Encryption

Context

The parent and an AS transmit management packets through a CAPWAP tunnel. To ensure tunnel confidentiality and security, you can use Datagram Transport Layer Security (DTLS) to encrypt packets transmitted in the CAPWAP tunnel.

The parent and AS encrypt packets transmitted in the CAPWAP tunnel using the pre-shared key. That is, a key is pre-configured on the parent and AS. When the pre-shared keys of the parent and AS are the same, the parent and AS can negotiate successfully and set up a CAPWAP tunnel.

After DTLS is enabled for CAPWAP tunnel encryption, the CPUs of the parent and AS perform the DTLS encryption, which degrades AS login performance. To limit this impact, use DTLS only in scenarios that require high confidentiality.

Procedure

  • Configure a pre-shared key on the parent.
    1. Run system-view

      The system view is displayed.

    2. Run capwap dtls psk psk-value

      A pre-shared key is configured on the parent.

      The default pre-shared key for DTLS encryption is huawei_seccwp.

    3. (Optional) Run capwap dtls psk-mandatory-match enable

      An AS is not allowed to establish a DTLS session with the parent using the default pre-shared key.

      By default, an AS uses the default pre-shared key to establish a DTLS session with the parent.

      When an AS is allowed to establish a DTLS session with the parent using the default pre-shared key, the AS first tries the pre-shared key configured with the as access dtls psk psk-value command. If that DTLS session cannot be established, the AS falls back to the default pre-shared key, and the parent likewise uses the default pre-shared key for the session.

    4. Run capwap dtls control-link encrypt

      CAPWAP tunnel DTLS encryption is enabled.

      By default, CAPWAP tunnel DTLS encryption is disabled.

    5. (Optional) Run capwap sensitive-info psk psk-value

      The pre-shared key (PSK) for encrypting sensitive information is modified.

      By default, the default PSK is used for encrypting sensitive information.

    6. (Optional) Run capwap message-integrity psk psk-value

      A pre-shared key (PSK) for checking integrity of CAPWAP packets is configured.

      By default, no PSK is configured for checking integrity of CAPWAP packets.

      • The parent and an AS cannot support the HA and CAPWAP tunnel DTLS encryption functions simultaneously. If the two functions are enabled simultaneously, the AS waits until the original CAPWAP tunnel ages before it can re-establish a CAPWAP tunnel when an active/standby switchover occurs on the parent, causing service interruption. When an active/standby switchover occurs on the AS, the AS needs to re-establish a link and go online again, causing service interruption.

      • When the status of DTLS encryption and the shared key for encrypting sensitive information change on the parent or a PSK for checking integrity of CAPWAP packets is configured on the parent, ASs connected to the parent will restart.

      • While an AS is being upgraded, you cannot change the status of DTLS encryption or the shared key for encrypting sensitive information, and you cannot configure a PSK for checking the integrity of CAPWAP packets on the parent.

  • Configure a pre-shared key on an AS.
    1. Run as access dtls psk psk-value

      A pre-shared key is configured on an AS.

      The default pre-shared key for DTLS encryption is huawei_seccwp.

      When CAPWAP tunnel DTLS encryption is enabled on the parent and an AS has connected to the parent, the pre-shared key is automatically delivered to the AS if the pre-shared key is modified on the parent. You are advised not to repeatedly modify the pre-shared key in 10 minutes.
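The two procedures above leave the parent in one of several states that matter for security: DTLS encryption on or off, the default pre-shared key huawei_seccwp in use or replaced, and default-key fallback allowed or blocked by psk-mandatory-match. The following Python script is an added example, not part of this documentation or of any Huawei tool. It does two things: it models the key-selection rule described in step 3 (the AS tries its configured key first and falls back to the default key only when the parent permits that), and it audits a parent configuration dump for the settings that the procedure changes. The sample configuration text, the key value Example-Psk-2024 and the function names are constructed for the example; the script assumes commands appear in the plain form shown in the procedure, whereas a real device may display the key as cipher text.

```python
import re

# Default DTLS pre-shared key named in the procedure.
DEFAULT_PSK = "huawei_seccwp"


def negotiate_dtls(parent_psk, parent_mandatory_match, as_psk):
    """Model of the key-selection rule from step 3 of the parent procedure.

    Returns (established, key_used). The AS first tries its configured
    key; if that fails and the parent has not enabled
    psk-mandatory-match, both sides fall back to the default key.
    """
    if as_psk == parent_psk:
        return True, as_psk
    if not parent_mandatory_match:
        # Fallback: AS and parent both use the default pre-shared key.
        return True, DEFAULT_PSK
    return False, None


def parse_parent_config(config_text):
    """Collect the CAPWAP DTLS settings from a parent configuration dump.

    Assumption for this example: each command appears on its own line in
    the same form as in the procedure. Defaults follow the procedure text.
    """
    settings = {
        "psk": DEFAULT_PSK,
        "mandatory_match": False,
        "control_link_encrypt": False,
        "sensitive_info_psk_set": False,
        "message_integrity_psk_set": False,
    }
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"capwap dtls psk (\S+)", line)
        if m:
            settings["psk"] = m.group(1)
        elif line == "capwap dtls psk-mandatory-match enable":
            settings["mandatory_match"] = True
        elif line == "capwap dtls control-link encrypt":
            settings["control_link_encrypt"] = True
        elif re.fullmatch(r"capwap sensitive-info psk \S+", line):
            settings["sensitive_info_psk_set"] = True
        elif re.fullmatch(r"capwap message-integrity psk \S+", line):
            settings["message_integrity_psk_set"] = True
    return settings


def audit_parent(settings):
    """Return a list of findings; an empty list means all steps were applied."""
    findings = []
    if not settings["control_link_encrypt"]:
        findings.append("CAPWAP tunnel DTLS encryption is disabled (default)")
    if settings["psk"] == DEFAULT_PSK:
        findings.append("parent uses the default DTLS pre-shared key")
    if not settings["mandatory_match"]:
        findings.append("ASs may establish DTLS sessions with the default key")
    if not settings["sensitive_info_psk_set"]:
        findings.append("sensitive-information PSK is still the default")
    if not settings["message_integrity_psk_set"]:
        findings.append("no PSK configured for CAPWAP message integrity")
    return findings


# Constructed sample dumps: only step 4 applied, versus all steps applied.
WEAK_CONFIG = """\
capwap dtls control-link encrypt
"""

HARDENED_CONFIG = """\
capwap dtls psk Example-Psk-2024
capwap dtls psk-mandatory-match enable
capwap dtls control-link encrypt
capwap sensitive-info psk Example-Psk-2024
capwap message-integrity psk Example-Psk-2024
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_parent(parse_parent_config(text)))
    # An AS left on the default key still gets a session unless
    # psk-mandatory-match is enabled on the parent.
    print(negotiate_dtls("Example-Psk-2024", False, DEFAULT_PSK))
    print(negotiate_dtls("Example-Psk-2024", True, DEFAULT_PSK))
```

Running the script shows the point of step 3: with a non-default key on the parent but psk-mandatory-match disabled, an AS that was never given the new key still negotiates a tunnel, protected only by the published default key; enabling psk-mandatory-match turns that case into a negotiation failure, which is the behaviour you want once every AS has received the configured key.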

Copyright © Huawei Technologies Co., Ltd.