IPsec Configuration

IPsec encrypts and authenticates IP traffic between peers. Configure it to provide more secure network services for users.

IPsec is only supported on NetEngine 8000 F1A.

IKEv1 is delivered as a separately installable module. To use IKEv1, obtain and install the IKEv1 module (MOD) file and then enable IKEv1; the IKEv1 principles and configuration method are described in the documentation that accompanies the module file. To obtain both, log in to the HUAWEI Technical Support Website, choose Software Download or Software Directory, select the product, and open its Version or Patch page, where the MOD file for IKEv1 is listed.

The maximum transmission unit (MTU) of an Ethernet interface is the largest IP packet, headers included, that the interface can send without fragmentation. The interface discards a packet whose size exceeds the configured interface MTU. The TCP maximum segment size (MSS) is the largest TCP payload that can be carried in one segment without fragmentation. For a TCP packet without IP or TCP options, the packet size is the MSS plus the 20-byte TCP header plus the 20-byte IP header (TCP MSS + 40 bytes), so the largest segment that fits an interface has an MSS of MTU minus 40 bytes (1460 bytes on a 1500-byte interface).

Before a packet enters an IPsec tunnel, the encryption and authentication fields are added to it. In transport mode, these fields are inserted between the IP header and the TCP header (with ESP, the trailer and integrity check value are appended after the payload). In tunnel mode, the original IP packet is kept whole and a new outer IP header plus the encryption and authentication fields are added in front of it. In either case, the sum of the TCP MSS, the 40 bytes of TCP and IP headers, and the added fields may exceed the interface MTU, and the oversized encapsulated packet is dropped, so traffic is lost.

Therefore, when deploying IPsec, run the tcp max-mss command to lower the TCP MSS so that, after IPsec encapsulation, the IP packet is no larger than the MTU of the interfaces along the tunnel, including the peer interface. Work out the IPsec overhead for the configured mode and algorithms, subtract it together with the 40 bytes of IP and TCP headers from the MTU, and use the result as the MSS.

Copyright © Huawei Technologies Co., Ltd.