Enhanced IPsec Functions

IPsec Whitelist

An IPsec gateway uses a certificate-attribute access control policy to authenticate the certificates of IKE peers. This function is similar to the whitelist function, but has the following disadvantages:
  1. Requires heavy workloads and faces management difficulties.
  2. Does not support exact match of certificates' common names (CNs).

The IPsec whitelist function can effectively resolve the preceding problems. IPsec whitelists can be defined by users and then imported to a device, and can also support exact match for certificates' CNs.

The implementation of the IPsec whitelist function is as follows: When IKE negotiation is implemented before an IPsec tunnel is set up, the system checks whether the whitelist check function is enabled. If the whitelist check function is enabled, the system checks whether the CN of the peer end's certificate is whitelisted.
  • If the CN of the peer end's certificate is whitelisted, the peer end passes the check, and IKE negotiation is allowed for IPsec tunnel establishment.
  • If the CN of the peer end's certificate is not whitelisted, the peer end fails the check, and IKE negotiation is not allowed. As a result, the IPsec tunnel fails to be set up.
In this manner, only whitelisted devices are allowed to access the network, hardening network security.
Whitelist files are typically .xml files in the following format:
<SerialnumberList>
    <Serialnumber>CN-on-Certificate_of-RBS-1</Serialnumber>
    <Serialnumber>CN-on-Certificate_of-RBS-2</Serialnumber>
    ...
    <Serialnumber>CN-on-Certificate_of-RBS-n</Serialnumber>
</SerialnumberList>
The character string between <Serialnumber></Serialnumber> is the CN field of the certificate on the device interconnected with the IPsec gateway.
To help users update the whitelist as required, the following functions are available:
  • Imports a whitelist. If importing a whitelist fails, the system rolls back to the state where the whitelist is not imported.
  • Deletes a whitelist.
  • Incrementally adds information to a whitelist.
  • Queries a whitelist.

As shown in Figure 1, an IPsec tunnel is established between the eNodeB and IPsec gateway to secure communication. To prevent unauthorized devices from establishing IPsec tunnels with the IPsec gateway, you can configure the whitelist feature on the IPsec gateway in advance to ensure that only devices in the whitelist can access the network.

Figure 1 IPsec whitelist application

Automatic IPsec Service Route Generation

When a security policy is used to establish IPsec tunnels, IPsec service route information on the remote end (such as the IP address and interface of the remote end) may not be available. Therefore, static routes cannot be configured manually. In this case, you can enable automatic IPsec service route generation.

When IPsec tunnels are established using a security policy, IPsec service routes will be generated during IPsec negotiation. If you want to configure static routes as IPsec service routes based on your network plan, you need to disable automatic IPsec service route generation.

Parent Topic: IPsec Description
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >