IPsec can help prevent data theft and spoofing during data transmission on a network.
The first three elements are specified in an IPsec proposal. An IPsec proposal must be configured on the IPsec peers before an SA is configured.
Configure an IPsec proposal.
<HUAWEI> system-view
[HUAWEI] ipsec proposal newprop1  //Create an IPsec proposal named newprop1.
[HUAWEI-ipsec-proposal-newprop1] transform esp  //Set the security protocol for newprop1 to ESP.
[HUAWEI-ipsec-proposal-newprop1] esp authentication-algorithm sha2-256  //Set the ESP authentication algorithm to SHA-256.
[HUAWEI-ipsec-proposal-newprop1] esp encryption-algorithm aes 256  //Set the ESP encryption algorithm to AES-256.
[HUAWEI-ipsec-proposal-newprop1] encapsulation-mode transport  //Set the data encapsulation mode for the security protocol to transport.
[HUAWEI-ipsec-proposal-newprop1] quit
Configure an IPsec SA.
[HUAWEI] ipsec sa sa1  //Create an SA named sa1.
[HUAWEI-ipsec-sa-sa1] proposal newprop1  //Configure sa1 to use the IPsec proposal newprop1.
[HUAWEI-ipsec-sa-sa1] sa spi inbound esp 10000  //Set the SPI of the inbound SA to 10000.
[HUAWEI-ipsec-sa-sa1] sa spi outbound esp 20000  //Set the SPI of the outbound SA to 20000.
[HUAWEI-ipsec-sa-sa1] sa authentication-hex inbound esp cipher 112233445566778899aabbccddeeff00  //Set the authentication key of the inbound SA to 112233445566778899aabbccddeeff00.
[HUAWEI-ipsec-sa-sa1] sa authentication-hex outbound esp cipher aabbccddeeff001100aabbccddeeff00  //Set the authentication key of the outbound SA to aabbccddeeff001100aabbccddeeff00.
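With a manually keyed SA, each inbound SPI and key on one device has to equal the outbound SPI and key on its peer. The following Python check is an added example, not part of the original page or of Huawei's tooling: it parses the sa lines shown above from two devices and reports any value that is not mirrored. The peer configuration and the function names are constructed for illustration.

```python
import re

# Matches the manual-SA lines used on this page, with or without a CLI prompt, e.g.
#   sa spi inbound esp 10000
#   sa authentication-hex outbound esp cipher aabbcc...
SA_LINE = re.compile(
    r"sa\s+(spi|authentication-hex)\s+(inbound|outbound)\s+esp\s+(?:cipher\s+)?(\S+)"
)

def parse_manual_sa(config):
    """Return {(field, direction): value} for one device's SA lines."""
    params = {}
    for line in config.splitlines():
        line = line.split("//", 1)[0]  # drop trailing // comments
        match = SA_LINE.search(line)
        if match:
            field, direction, value = match.groups()
            params[(field, direction)] = value.lower()
    return params

def mirror_mismatches(local, peer):
    """List fields where a local direction does not equal the peer's opposite one."""
    a, b = parse_manual_sa(local), parse_manual_sa(peer)
    problems = []
    for field in ("spi", "authentication-hex"):
        for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
            value = a.get((field, mine))
            if value is None or value != b.get((field, theirs)):
                # Report the field only, never the key material itself.
                problems.append(f"{field}: local {mine} != peer {theirs}")
    return problems

# Device A: the SA values from this page.
DEVICE_A = """
[HUAWEI-ipsec-sa-sa1] sa spi inbound esp 10000
[HUAWEI-ipsec-sa-sa1] sa spi outbound esp 20000
[HUAWEI-ipsec-sa-sa1] sa authentication-hex inbound esp cipher 112233445566778899aabbccddeeff00
[HUAWEI-ipsec-sa-sa1] sa authentication-hex outbound esp cipher aabbccddeeff001100aabbccddeeff00
"""
# Device B: constructed peer with inbound and outbound values swapped.
DEVICE_B = """
sa spi inbound esp 20000
sa spi outbound esp 10000
sa authentication-hex inbound esp cipher aabbccddeeff001100aabbccddeeff00
sa authentication-hex outbound esp cipher 112233445566778899aabbccddeeff00
"""

if __name__ == "__main__":
    print("A vs B:", mirror_mismatches(DEVICE_A, DEVICE_B) or "mirrored")
    print("A vs copy of A:", mirror_mismatches(DEVICE_A, DEVICE_A))
```

Pasting the same SA block onto both peers, a common mistake, fails all four checks.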