Method used to modify the IKE algorithm on AR series routers


Huawei AR series routers can be configured with the IKE authentication and encryption algorithms. The configuration procedure is as follows:
1. Run the ike proposal proposal-number command to create an IKE proposal and enter the IKE proposal view.
2. Run the authentication-algorithm { aes-xcbc-mac-96 | md5 | sha1 | sha2-256 | sha2-384 | sha2-512 | sm3 } command to configure an authentication algorithm for the IKE proposal. Starting from V200R002C00, the AR supports aes-xcbc-mac-96. Starting from V200R005C10, the AR supports SHA2-256, SHA2-384, and SHA2-512. Starting from V200R005C00, the AR supports SM3, but the NE16EX series do not support SM3.
MD5 and SHA-1 are not recommended: they no longer meet security requirements.
3. Run the encryption-algorithm { des-cbc | 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | sm4 } command to configure an encryption algorithm for the IKE proposal. Starting from V200R005C90, the AR supports SM4.
DES-CBC and 3DES-CBC are not recommended: they no longer meet security requirements.

Other related questions:
Default IKE algorithm on AR series routers
Huawei AR series routers can be configured with the IKE authentication algorithm and encryption algorithm. In V200R005C90 and earlier versions, the IKE authentication algorithm SHA-1 and the IKE encryption algorithm DES-CBC are used by default. In later versions, SHA-256 and AES-CBC-256 are used by default. Because the old defaults are exactly the algorithms the previous answer advises against, an IKE proposal that does not set its algorithms explicitly is weak by default on the older versions. Configure both algorithms explicitly in every proposal and verify the result with display ike proposal.
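The following script is an added example, not Huawei code, serving both the IKE proposal procedure and the default-algorithm answer above. It parses the ike proposal blocks of a configuration dump (the same layout display current-configuration prints), flags MD5, SHA-1, DES-CBC and 3DES-CBC where they are set explicitly, and, when told the router runs a legacy version, also flags proposals that set no algorithm and therefore inherit the SHA-1 / DES-CBC defaults. The configuration text, the proposal numbers and the peer name are constructed for the example.

```python
"""Audit IKE proposals in a Huawei AR configuration dump for weak algorithms.

Added example, not Huawei code. It parses the `ike proposal` blocks of a
`display current-configuration` style text and flags MD5/SHA-1/DES/3DES,
plus proposals that set no algorithm and so inherit the legacy defaults.
"""
import re

# Constructed sample input for this example (not captured from a real router).
SAMPLE_CONFIG = """\
#
ike proposal 10
 encryption-algorithm aes-cbc-256
 authentication-algorithm sha2-256
#
ike proposal 20
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
#
ike proposal 30
#
ike peer branch
 ike-proposal 20
#
"""

WEAK_AUTH = {"md5", "sha1"}
WEAK_ENC = {"des-cbc", "3des-cbc"}

# Defaults on V200R005C90 and earlier, per the page above.
LEGACY_DEFAULT_AUTH = "sha1"
LEGACY_DEFAULT_ENC = "des-cbc"


def parse_ike_proposals(config: str) -> dict:
    """Return {proposal_number: {"auth": alg or None, "enc": alg or None}}."""
    proposals = {}
    current = None
    for line in config.splitlines():
        head = re.match(r"^ike proposal (\d+)\s*$", line)
        if head:
            current = int(head.group(1))
            proposals[current] = {"auth": None, "enc": None}
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            # A non-indented line ('#' or another top-level command) ends the proposal view.
            current = None
            continue
        alg = re.match(r"^\s+(authentication|encryption)-algorithm\s+(\S+)", line)
        if alg:
            key = "auth" if alg.group(1) == "authentication" else "enc"
            proposals[current][key] = alg.group(2).lower()
    return proposals


def audit_ike_proposals(proposals: dict, legacy_defaults: bool = True) -> list:
    """Return (proposal, field, algorithm, reason) tuples for every weak setting.

    legacy_defaults=True models a V200R005C90-or-earlier router, where an
    unset algorithm silently means SHA-1 / DES-CBC.
    """
    findings = []
    checks = (
        ("auth", "authentication", WEAK_AUTH, LEGACY_DEFAULT_AUTH),
        ("enc", "encryption", WEAK_ENC, LEGACY_DEFAULT_ENC),
    )
    for number in sorted(proposals):
        for key, field, weak_set, legacy_default in checks:
            alg = proposals[number][key]
            if alg is None:
                if legacy_defaults:
                    findings.append((number, field, legacy_default, "implicit legacy default"))
            elif alg in weak_set:
                findings.append((number, field, alg, "explicitly configured"))
    return findings


def weak_proposal_numbers(config: str, legacy_defaults: bool = True) -> set:
    """Convenience wrapper: the set of proposal numbers that need attention."""
    return {f[0] for f in audit_ike_proposals(parse_ike_proposals(config), legacy_defaults)}


if __name__ == "__main__":
    for number, field, alg, reason in audit_ike_proposals(parse_ike_proposals(SAMPLE_CONFIG)):
        print(f"ike proposal {number}: {field}-algorithm {alg} ({reason})")
```

Run against the sample, proposal 10 is clean, proposal 20 is flagged for both explicit weak algorithms, and proposal 30 is flagged only when legacy defaults apply. Feed it the output of display current-configuration from a real router to get the list of proposals to fix; proposal 30 is the case to look for, since nothing in the configuration text itself shows that it is weak.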

Method used to configure the DDNS clients on AR series routers
A Huawei AR (except for the AR 550) supports the DDNS client function. When the IP address mapped to a domain name changes, the DDNS client notifies the DNS server to update the mapping between the domain name and the IP address, so that users can still reach the servers on the network by domain name. The AR used as a DDNS client supports two update modes:
DDNS update as defined in RFC 2136: the AR directly updates the mapping between domain names and IP addresses on the DNS server. This function has been available since V200R005C10.
Update through a DDNS server: the AR sends the mapping between domain names and IP addresses to the DDNS server at the specified URL, and the DDNS server then notifies the DNS server to dynamically update the mapping. The AR can connect to the DDNS servers of the DDNS service providers www.3322.org, www.dyndns.com, and www.oray.cn, to the Siemens DDNS server, and to common DDNS servers that use HTTP.
The DDNS configuration is the same across AR models and versions. For details about the configuration process, see Configuration Guide - IP Service - DNS.
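To show what the RFC 2136 mode above actually sends on the wire, the following added example (not Huawei code, and not taken from the AR implementation) builds the standard "replace the A record" UPDATE message a DDNS client sends to a DNS server: a header with opcode 5, a zone section naming the zone, and an update section that first deletes every existing A record of the host and then adds the new one. The zone, host name, address and message ID are made up for the example. The message carries no TSIG signature; the page does not say whether the AR signs its updates, and a server that accepts unsigned updates from any source lets anyone on the network rewrite the record, so restrict updates by TSIG key or at least by source address on the server side.

```python
"""Build an RFC 2136 DNS UPDATE message of the kind a DDNS client sends.

Added example, not Huawei code: it constructs, on the wire, the update an
RFC 2136 client sends to replace the A record of a host. Names, zone and
address are made up for the example.
"""
import socket
import struct

TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5          # RFC 2136 opcode, carried in bits 11-14 of the flags field


def encode_name(name: str) -> bytes:
    """DNS wire format: each label prefixed by its length, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_a_update(zone: str, host: str, new_ip: str, ttl: int = 60, msg_id: int = 0x1234) -> bytes:
    """UPDATE that deletes all A RRs of `host` and adds `host A new_ip` in `zone`."""
    # Header: ID, flags (QR=0, OPCODE=5), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=2, ADCOUNT=0.
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    # Zone section: the zone's name with ZTYPE=SOA, ZCLASS=IN.
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # Update RR 1: "delete an RRset" is CLASS=ANY, TTL=0, empty RDATA (RFC 2136 section 2.5.2).
    delete_rrset = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    # Update RR 2: "add to an RRset" is an ordinary RR with CLASS=IN.
    rdata = socket.inet_aton(new_ip)
    add_rr = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + delete_rrset + add_rr


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header so a message or reply can be sanity-checked."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad,
    }


def send_update(msg: bytes, server: str, timeout: float = 3.0) -> dict:
    """Send over UDP/53 and return the parsed reply header (rcode 0 = NOERROR, accepted)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        reply, _ = s.recvfrom(512)
    return parse_header(reply)


if __name__ == "__main__":
    update = build_a_update("example.com", "branch.example.com", "203.0.113.10")
    print(parse_header(update))
    print(update.hex())
```

send_update is provided for use against a lab server; the rest runs offline. A rcode of 5 (REFUSED) in the reply is what a correctly restricted server returns to an unsigned or unauthorised update.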

Method used to configure the public domain name for AR series routers
Huawei AR series routers support DNS client, DNS proxy or relay, and DDNS client, but do not support the DNS server. Public domain names need to be purchased and bound to the IP addresses on the DNS servers of carriers.

Method used to configure a DNS resolution policy on AR series routers
In V200R005C90 and V200R006C10, a Huawei AR supports the DNS resolution policy, that is, access control for some sites based on the domain name. The DNS resolution policy is supported only when the AR functions as a DNS proxy or relay agent. DNS resolution policy rules are configured using the rule rule-id [ if-match name hostname ] { deny | permit | spoofing ip-address } command: the domain name hostname is resolved (permit), not resolved (deny), or answered with a spoofed response carrying ip-address (spoofing). rule-id specifies the DNS resolution rule ID; a smaller value indicates a higher priority. If the specified rule ID already exists, the new rule overwrites the existing rule. The configuration procedure is as follows:
[Huawei] dns proxy enable //Enable the DNS proxy function, or run the dns relay enable command to enable the DNS relay function.
[Huawei] dns resolve //Enable dynamic domain name resolution.
[Huawei] dns server 10.3.1.2 //Configure the IP address of the DNS server.
[Huawei] dns resolve policy a //Create DNS resolution policy a and enter its view.
[Huawei-dns-resolve-policy-a] rule 0 if-match name www.huawei.com permit //Rule 0: queries for www.huawei.com are resolved.
[Huawei-dns-resolve-policy-a] rule 1 spoofing 192.168.1.1 //Rule 1: for all other domain names, a spoofed response with the address 192.168.1.1 is returned.
Rule 1 has no if-match clause, so it catches every name that rule 0 does not; add the permit rules for all names that must still resolve before the catch-all, with smaller rule IDs.
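The following added example (not Huawei code) models the rule semantics described above so a policy can be dry-run before it is configured: rules are kept by rule ID, the smallest matching ID wins, and re-using an ID replaces the earlier rule. Two details the page does not specify are assumed here and labelled in the code: if-match name is treated as an exact, case-insensitive match, and a query that matches no rule is resolved normally.

```python
"""Model of the AR DNS resolution policy rule semantics described above.

Added example, not Huawei code. It reproduces the rule table behaviour the
page states (smaller rule-id wins, re-used rule-id overwrites) so a policy can
be dry-run before configuration. Assumptions, labelled: `if-match name` is
treated as an exact, case-insensitive match, and a query matching no rule is
resolved normally.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: int
    hostname: Optional[str]      # None: no if-match clause, matches every query
    action: str                  # "permit", "deny" or "spoofing"
    spoof_ip: Optional[str] = None


class DnsResolvePolicy:
    """One 'dns resolve policy <name>' view and its rules."""

    def __init__(self, name: str):
        self.name = name
        self._rules = {}

    def rule(self, rule_id: int, action: str, hostname: Optional[str] = None,
             spoof_ip: Optional[str] = None) -> None:
        """rule <rule_id> [if-match name <hostname>] {deny | permit | spoofing <spoof_ip>}"""
        if action not in ("permit", "deny", "spoofing"):
            raise ValueError(f"unknown action {action!r}")
        if action == "spoofing" and spoof_ip is None:
            raise ValueError("spoofing needs an address")
        # Same rule-id: the new rule replaces the old one, as on the AR.
        self._rules[rule_id] = Rule(rule_id, hostname, action, spoof_ip)

    def evaluate(self, qname: str) -> Tuple[str, Optional[str]]:
        """Return (action, spoof_ip) for a query; the lowest rule-id that matches wins."""
        q = qname.rstrip(".").lower()
        for rule_id in sorted(self._rules):
            r = self._rules[rule_id]
            # Assumption for this model: exact, case-insensitive name match.
            if r.hostname is None or r.hostname.rstrip(".").lower() == q:
                return (r.action, r.spoof_ip)
        # Assumption for this model: no matching rule means normal resolution.
        return ("permit", None)

    def dump(self) -> list:
        """Render the rules as the CLI lines that would configure them."""
        lines = []
        for rule_id in sorted(self._rules):
            r = self._rules[rule_id]
            cmd = f"rule {rule_id}"
            if r.hostname is not None:
                cmd += f" if-match name {r.hostname}"
            cmd += f" {r.action}" + (f" {r.spoof_ip}" if r.action == "spoofing" else "")
            lines.append(cmd)
        return lines


def page_example_policy() -> DnsResolvePolicy:
    """The two-rule policy from the configuration procedure above."""
    p = DnsResolvePolicy("a")
    p.rule(0, "permit", hostname="www.huawei.com")
    p.rule(1, "spoofing", spoof_ip="192.168.1.1")
    return p


if __name__ == "__main__":
    policy = page_example_policy()
    for line in policy.dump():
        print(line)
    for name in ("www.huawei.com", "www.example.net"):
        print(name, "->", policy.evaluate(name))
```

The model makes the two ordering pitfalls visible: a permit added later with a larger rule ID does nothing for a name the catch-all already spoofs, and re-using rule ID 1 silently discards the spoofing rule.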

Method used to view the IKE peer information on USG firewalls
The common IPSec maintenance command used on USG firewalls is as follows: display ike peer //Display the configuration of the IKE peer.
