Working mechanism of IPSec on AR series routers


Huawei AR series routers support IPSec. Most data is transmitted in plain text on the Internet, which carries many risks: for example, bank account numbers and passwords may be intercepted or tampered with, user identities may be impersonated, and malicious attacks may follow. After IPSec is deployed on the network, the IP data in transit is protected, reducing the risk of information leakage. IPSec is a security protocol suite defined by the Internet Engineering Task Force (IETF). It secures data transmission on the Internet through data origin authentication, data encryption, data integrity checking, and anti-replay protection.
For details, see Configuration Guide-VPN.

Other related questions:
Mechanism of IPSec phase 2 on the USG2160
IKEv1 phase 2 negotiation aims to set up the IPSec SAs that are used for data transmission. IKEv1 phase 2 negotiation is completed in quick mode. In quick mode, SKEYID_a, generated during IKEv1 phase 1 negotiation, is used for integrity checking and identity authentication of ISAKMP messages, and SKEYID_e is used to encrypt ISAKMP messages, ensuring the security of the exchange. In quick mode, the two peers negotiate the IPSec SA parameters and generate the keys used for data transmission.

What is NQA association mechanism of the AR router
NQA association mechanism: association means that NQA performs detection and notifies the associated module of the detection result; the associated module then processes services based on that result. NQA can be associated with VRRP, static routes, backup interfaces, IGMP proxy, IP address pools, DNS servers, and PBR. Take a static route as an example: a static route with the next hop address 192.168.0.88 is configured. If 192.168.0.88 is reachable, the static route is valid; if it is unreachable, the static route is invalid. After association is configured, the validity of the static route can be determined in real time: if NQA detects that the next hop address 192.168.0.88 is unreachable, it notifies the static route module, which then marks the static route as invalid.
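The following Python is an added model of the association described above; it is not Huawei VRP code, and the names NqaTestInstance, StaticRoute and RoutingTable are hypothetical. It assumes that a test cycle reports the target as unreachable only when every probe in the cycle fails, and that a static route bound to an NQA instance is valid only while the tracked next hop is reachable. The scenario tracks a primary default route via 192.168.0.88 and keeps an untracked backup with a worse preference, so the NQA notification is what drives the failover and recovery.

```python
"""Model of NQA association with a tracked static route (constructed example)."""


class NqaTestInstance:
    """One NQA test instance that probes a destination and notifies bound modules."""

    def __init__(self, admin, name, destination, probe_count=3):
        self.admin, self.name = admin, name      # identifies the instance, like 'admin test1'
        self.destination = destination          # next hop to probe, e.g. 192.168.0.88
        self.probe_count = probe_count
        self.reachable = None                   # unknown until the first test cycle
        self._bound = []                        # modules associated with this instance

    def bind(self, module):
        self._bound.append(module)

    def run_test(self, probe_results):
        """Run one test cycle. probe_results holds one boolean per probe (constructed
        here instead of sending ICMP echo requests). Bound modules are notified only
        when the reachability state actually changes."""
        if len(probe_results) != self.probe_count:
            raise ValueError("expected one result per probe")
        reachable = any(probe_results)          # assumption: down only if all probes fail
        if reachable != self.reachable:
            self.reachable = reachable
            for module in self._bound:
                module.on_nqa_result(self, reachable)
        return reachable


class StaticRoute:
    """A static route; valid unless an associated NQA instance reports the next hop down."""

    def __init__(self, prefix, next_hop, preference=60):
        self.prefix, self.next_hop, self.preference = prefix, next_hop, preference
        self.valid = True                       # without association a static route is always valid

    def on_nqa_result(self, instance, reachable):
        # Called by the NQA module: the route follows the next hop's reachability.
        self.valid = reachable


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add_static(self, prefix, next_hop, preference=60, track=None):
        route = StaticRoute(prefix, next_hop, preference)
        if track is not None:
            track.bind(route)                   # this binding is the association itself
        self.routes.append(route)
        return route

    def best(self, prefix):
        """Next hop of the valid route with the lowest preference for prefix, or None."""
        candidates = [r for r in self.routes if r.prefix == prefix and r.valid]
        if not candidates:
            return None
        return min(candidates, key=lambda r: r.preference).next_hop


def scenario():
    """Primary default route tracked by NQA, untracked backup with a worse preference.
    Returns the selected next hop after each of three constructed test cycles."""
    nqa = NqaTestInstance("admin", "test1", "192.168.0.88")
    table = RoutingTable()
    table.add_static("0.0.0.0/0", "192.168.0.88", preference=60, track=nqa)
    table.add_static("0.0.0.0/0", "192.168.1.1", preference=100)   # constructed backup
    selected = []
    for cycle in ([True, True, True],      # next hop answers every probe
                  [False, False, False],   # next hop is down: tracked route becomes invalid
                  [False, True, False]):   # one reply is enough to recover
        nqa.run_test(cycle)
        selected.append(table.best("0.0.0.0/0"))
    return selected


if __name__ == "__main__":
    print(scenario())
```

The routing table never probes anything itself; it only reacts to the notification, which is the point of the association: detection lives in NQA, and the static route module just consumes the result.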

CE series switch ACL resources
For more information, see CloudEngine Series Switches ACL Working Mechanism.

Firewall IPSec mechanism
USG IPSec mechanism. What is IPSec?
1. Designed by the Internet Engineering Task Force (IETF), IPSec is an open network-layer framework protocol. It is not a single protocol but a collection of protocols and services that provide security for IP networks, including the security protocols Authentication Header (AH) and Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and the algorithms used for authentication and encryption.
2. IPSec provides the following security services for IP packets, mainly through encryption and authentication:
a. User data encryption: IPSec encrypts user data to ensure data confidentiality.
b. Data integrity verification: IPSec verifies data integrity to ensure that data is not tampered with during transmission.
c. Data origin authentication: IPSec authenticates the data origin to ensure that data comes from the real sender.
d. Anti-replay: IPSec prevents malicious users from resending captured packets; that is, the receiver discards duplicate packets.
3. Application scenarios
a. Connection of LANs through VPN
1) Site-to-site VPN: also called LAN-to-LAN VPN or gateway-to-gateway VPN; IPSec tunnels are established between the enterprise headquarters and branches.
2) L2TP over IPSec: packets are encapsulated by L2TP and then by IPSec. L2TP authenticates users and assigns IP addresses; IPSec ensures security.
3) GRE over IPSec: IPSec cannot encapsulate multicast, broadcast, or non-IP packets. To transmit such packets over an IPSec VPN, they are first encapsulated as IP packets using GRE and then encapsulated as IPSec packets.
4) Hub-Spoke VPN: in practice, the Hub-Spoke IPSec VPN is commonly used for interworking between the headquarters network and branch networks.
b. Access by mobile devices whose IP addresses are not fixed
To avoid attacks from insecure network devices, an IPSec tunnel must be established between a mobile device and the headquarters gateway. The mobile devices can access the headquarters network only after being authenticated by the gateway. In L2TP over IPSec, mobile devices can use the Windows dial-up software, dial-up software supporting IKEv2, or other dial-up software.
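The anti-replay service listed above (and in the overview at the top of the page) depends on the receiver remembering which sequence numbers it has already accepted. The following Python is an added example, not Huawei's or the USG's code: it implements the sliding receive window described in RFC 4303 Appendix A and pairs it with a truncated HMAC integrity check in the order the RFC prescribes (replay pre-check, ICV verification, then window update, so a forged or corrupted packet can never advance the window). The packet layout, the key and ICV_LEN are constructed for the demo and omit the SPI, padding and encryption of real ESP; the integrity key stands in for the authentication key derived for the SA.

```python
import hashlib
import hmac
import struct


class AntiReplayWindow:
    """Sliding receive window (RFC 4303 Appendix A style).
    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has been accepted."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq):
        """Preliminary check with no state change: True if seq could still be accepted."""
        if seq == 0:                       # ESP sequence numbers start at 1
            return False
        if seq > self.top:                 # to the right of the window: new
            return True
        diff = self.top - seq
        if diff >= self.size:              # to the left of the window: too old
            return False
        return not (self.bitmap >> diff) & 1   # inside the window: reject duplicates

    def update(self, seq):
        """Record seq as accepted. Call only after the packet's ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1            # jumped past the whole window
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


ICV_LEN = 12   # constructed: truncated HMAC, like the 96-bit ICVs ESP commonly uses


def build_packet(auth_key, seq, payload):
    """Constructed ESP-like packet: seq || payload || ICV (no SPI, no encryption)."""
    body = struct.pack(">I", seq) + payload
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def receive(auth_key, window, packet):
    """Returns 'ok', 'replay' or 'bad-icv'. A failed ICV never touches the window."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    seq = struct.unpack(">I", body[:4])[0]
    if not window.check(seq):
        return "replay"
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "bad-icv"
    window.update(seq)
    return "ok"


def filter_sequence(seqs, size=64):
    """Accept/drop decision for a bare list of sequence numbers (no ICV involved)."""
    window = AntiReplayWindow(size)
    decisions = []
    for seq in seqs:
        ok = window.check(seq)
        if ok:
            window.update(seq)
        decisions.append(ok)
    return decisions


def demo():
    key = b"constructed-demo-auth-key"     # stands in for the SA's authentication key
    window = AntiReplayWindow(size=64)
    p1 = build_packet(key, 1, b"hello")
    p2 = build_packet(key, 2, b"world")
    results = [receive(key, window, p1), receive(key, window, p2)]
    results.append(receive(key, window, p1))                 # replayed packet: dropped
    tampered = bytearray(build_packet(key, 3, b"!!!!!"))
    tampered[5] ^= 0xFF                                      # flip a payload byte
    results.append(receive(key, window, bytes(tampered)))    # ICV mismatch: dropped
    results.append(receive(key, window, build_packet(key, 3, b"!!!!!")))  # genuine 3 still fine
    return results


if __name__ == "__main__":
    print(demo())
    print(filter_sequence([1, 2, 3, 2, 5, 4, 20, 3, 19, 12, 13, 20], size=8))
```

Because the tampered packet fails verification before update(), its sequence number 3 stays unused and the genuine packet 3 is still accepted; reversing the order would let an attacker burn sequence numbers with garbage. The window size chosen on a device is a trade-off: too small and legitimately reordered packets are dropped as "too old".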

IPSec support by AR series routers
Huawei AR series routers support IPSec. Of these, the AR502EG-L, AR502EGW-L, and AR550C-2C6GE do not support Efficient VPN. To support the IPSec protocol standard regulated by the State Cryptography Administration, the AR must have a Network Data Encryption (NDE) card or a high-performance NDE card installed in a SIC slot. Efficient VPN does not support the IPSec protocol standard regulated by the State Cryptography Administration. The AR510 does not support IPSec tunnels established using an ACL or a virtual tunnel interface; it supports only IPSec tunnels established using Efficient VPN, and only as a remote device.
The Efficient VPN function requires a license. To use it, apply for and purchase the following license from the Huawei local office:
- AR150&AR160&AR200&AR150-S&AR160-S&AR200-S: AR150&160&200 value-added service package for security services
- AR1200&AR1200-S: AR1200 value-added service package for security services
- AR2200&AR2200-S: AR2200 value-added service package for security services
- AR3200&AR3200-S: AR3200 value-added service package for security services
- AR3600: AR3600 value-added service package for security services
- AR531-2C-H and AR531-F2C-H: AR530 value-added router package
- AR550: AR550 value-added service package for routing services
Note: The IPSec function can be used without a license on the AR120, AR503, AR509, and AR510 series, the AR531GPe-U-H, AR531GR-U-H, and AR531G-U-D-H, the AR100-S, AR110-S, and AR120-S series, and the AR2500 series. In V200R007C00, the AR150-S, AR160-S, AR200-S, and AR1200-S do not require a license. In V200R008 and later versions, the AR150-S series, AR160-S series, AR200-S series, and AR1200-S series do not require a license. For details on how to apply for a license, see the License Request guide.
