Firewall IPSec mechanism
USG IPSec mechanism
What is IPSec?
1. Designed by the Internet Engineering Task Force (IETF), IPSec is an open network-layer security framework. It is not a single protocol but a collection of protocols and services that secure IP traffic: the security protocols Authentication Header (AH) and Encapsulating Security Payload (ESP), the Internet Key Exchange (IKE) protocol that negotiates keys and security associations, and the algorithms used for authentication and encryption.
2. IPSec provides the following security services for IP packets, mainly through encryption and authentication:
a. User data encryption: IPSec encrypts user data to ensure confidentiality (ESP only; AH authenticates but does not encrypt).
b. Data integrity verification: an integrity check value lets the receiver detect any tampering with the data in transit.
c. Data origin authentication: IPSec authenticates the origin of the data so that the receiver can confirm it comes from the real sender.
d. Anti-replay: IPSec prevents an attacker from capturing packets and sending them again. Each packet carries a sequence number, and the receiver discards any packet it has already accepted or that falls outside its replay window.
3. Application Scenario
a. Connection of LANs Through VPN
1) Site-to-Site VPN
Site-to-site VPN is also called LAN-to-LAN VPN or Gateway to Gateway VPN, in which IPSec tunnels are established between the enterprise headquarters and branches.
2) L2TP over IPSec
In L2TP over IPSec, packets are first encapsulated by L2TP and then protected by IPSec. L2TP handles user authentication and IP address assignment; IPSec provides the encryption and integrity protection that L2TP itself does not offer.
3) GRE over IPSec
IPSec cannot encapsulate multicast, broadcast, or non-IP packets. To carry such traffic (for example, dynamic routing protocol packets) over an IPSec VPN, the packets are first encapsulated in GRE, which turns them into unicast IP packets, and the resulting GRE packets are then encapsulated by IPSec.
4) Hub-Spoke VPN
In actual networking, the Hub-Spoke IPSec VPN is commonly used for the interworking between the headquarters network and branch networks.
b. Remote access by mobile users. The IP addresses of mobile devices are not fixed, so an IPSec tunnel is established between each mobile device and the headquarters gateway to protect its traffic from the untrusted networks along the path. A mobile device can access the headquarters network only after the gateway has authenticated it. For L2TP over IPSec, the mobile device can use the Windows built-in dial-up client, a client that supports IKEv2, or other dial-up software.
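The receiver-side check behind service 2.d (anti-replay), as an added example that is not part of this page or of the USG implementation: a Python model of the ESP anti-replay sliding window described in RFC 4303 section 3.4.3. The window size (64) and the arrival order in SAMPLE_ARRIVALS are constructed assumptions; 32-bit sequence numbers only, extended sequence numbers are not modelled.

```python
# Added example (not USG code): ESP anti-replay sliding window, after RFC 4303
# section 3.4.3. The window size and the packet sequence below are assumptions.

class AntiReplayWindow:
    """Receiver-side replay check for 32-bit ESP sequence numbers.

    Bit i of `bitmap` is set when sequence number (top - i) has been accepted,
    so bit 0 always corresponds to `top`, the highest number accepted so far.
    """

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # which of the last `size` numbers were accepted

    def check(self, seq: int) -> bool:
        """Return True if `seq` is fresh and record it; False if it must be dropped."""
        if seq <= 0 or seq > 0xFFFFFFFF:
            return False                     # 0 is never a valid ESP sequence number
        if seq > self.top:
            # New high-water mark: slide the window right by the gap and mark `seq`.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1              # everything previously seen is now too old
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                     # left of the window: too old to judge, drop
        if self.bitmap & (1 << offset):
            return False                     # already accepted once: a replay
        self.bitmap |= 1 << offset           # late but first-time packet: accept
        return True


def replay_verdicts(seqs, size: int = 64):
    """Run ESP sequence numbers through one window; return (seq, accepted) pairs."""
    window = AntiReplayWindow(size)
    return [(s, window.check(s)) for s in seqs]


# Constructed arrival order: in-order packets, a replayed 2, reordering (5 before 4),
# replays of 3 and 1, a jump far ahead, then one packet too old and one still inside.
SAMPLE_ARRIVALS = [1, 2, 3, 2, 5, 4, 3, 1, 100, 36, 37, 37]

if __name__ == "__main__":
    for seq, ok in replay_verdicts(SAMPLE_ARRIVALS):
        print(f"seq {seq:>3}: {'accept' if ok else 'drop'}")
```

Two practical consequences fall out of the model: a packet that arrives out of order is still accepted as long as it is inside the window and has not been seen, but a legitimate packet delayed by more than the window size (here 64 packets) is dropped exactly like a replay. Heavy reordering by QoS or multipath between the peers therefore shows up as anti-replay drops on the receiver, which is the usual reason to enlarge the window rather than disable the check.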

Other related questions:

Working mechanism of IPSec on AR series routers
Huawei AR series routers support IPSec. Most data on the Internet is transmitted in plain text, which carries many risks: bank account numbers and passwords may be intercepted or tampered with, user identities may be impersonated, and other malicious attacks may follow. After IPSec is deployed, transmitted IP data is protected and the risk of information leakage is reduced. IPSec is a security protocol suite defined by the Internet Engineering Task Force (IETF) that secures data transmission over the Internet through data origin authentication, data encryption, data integrity checking, and anti-replay protection. For details, see Configuration Guide-VPN.

Firewall NAT traversal
NAT traversal on the USG
What is IPSec NAT traversal?
When a NAT device is deployed between IPSec peers, NAT traversal must be enabled at both ends.
Authentication Header (AH) computes its integrity check over the entire IP packet, including the source and destination addresses in the IP header. If NAT rewrites an address, the value recomputed by the receiver no longer matches and authentication fails. An IPSec tunnel that uses AH therefore cannot traverse a NAT gateway.
Encapsulating Security Payload (ESP) computes its integrity check over the ESP header and payload only, so an address change in the outer IP header does not affect ESP authentication. ESP is, however, a Layer 3 protocol (IP protocol 50) with no port numbers, so it cannot pass through a Network Address Port Translation (NAPT) device, which needs a port to distinguish the sessions it multiplexes.
NAT traversal solves this by adding a UDP header to the ESP packet. In transport mode, a standard UDP header is inserted between the original IP header and the ESP header. In tunnel mode, it is inserted between the new (outer) IP header and the ESP header. When the packet crosses the NAT device, the device translates the outer IP address and the UDP port; the IPSec peer strips the UDP header and processes what remains as an ordinary IPSec packet. Reply packets carry the same UDP header between the IP header and the ESP header.
The UDP port used for this encapsulation is 4500 (RFC 3948). IKE also moves from UDP 500 to UDP 4500 once the peers detect a NAT in the path, and the peer behind the NAT sends periodic NAT keepalive packets so that the translation entry does not age out while the tunnel is idle. When troubleshooting, confirm that UDP 500 and UDP 4500 are permitted through every filtering device on the path; permitting IP protocol 50 alone is not enough once NAT traversal is in use.
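The encapsulation described above, as an added example that is not part of this page or of the USG code: a Python model of the UDP header that NAT traversal wraps around ESP (RFC 3948), of what a NAPT device can and cannot rewrite, and of how the receiving peer demultiplexes a UDP/4500 datagram into ESP, IKE (four-byte non-ESP marker) or NAT keepalive. The SPI, sequence number, ports and payload bytes are constructed; the IKE header fields follow RFC 7296 (version byte 0x20 and exchange type 34 mean an IKEv2 IKE_SA_INIT).

```python
# Added example (not USG code): the UDP encapsulation that NAT traversal adds to
# ESP (RFC 3948), seen from the receiving peer. All packet values are constructed.
import struct

NAT_T_PORT = 4500                     # IKE and UDP-encapsulated ESP both use this port after NAT detection
NON_ESP_MARKER = b"\x00" * 4          # precedes an IKE header on port 4500; SPI 0 is reserved, so no clash with ESP
NAT_KEEPALIVE = b"\xff"               # one-byte payload sent by the peer behind the NAT to keep its mapping alive
UDP_HDR = struct.Struct("!HHHH")      # src port, dst port, length, checksum
ESP_HDR = struct.Struct("!II")        # SPI, sequence number
IKE_HDR = struct.Struct("!QQBBBBII")  # SPIi, SPIr, next payload, version, exchange type, flags, msg id, length


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    # Checksum 0: RFC 3948 lets the sender omit it, since NAT would invalidate it anyway.
    return UDP_HDR.pack(src_port, dst_port, UDP_HDR.size + len(payload), 0) + payload


def encapsulate_esp(spi: int, seq: int, esp_rest: bytes,
                    src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    """[UDP][ESP header][encrypted payload ...]; transport and tunnel mode differ only below the ESP header."""
    return build_udp(src_port, dst_port, ESP_HDR.pack(spi, seq) + esp_rest)


def encapsulate_ike(ike_message: bytes,
                    src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    """IKE on port 4500 is prefixed with the non-ESP marker so the peer can tell it from ESP."""
    return build_udp(src_port, dst_port, NON_ESP_MARKER + ike_message)


def napt_rewrite(datagram: bytes, new_src_port: int) -> bytes:
    """Model a NAPT device: it rewrites the UDP source port (and the outer IP address,
    not shown here) but cannot touch anything inside the ESP header or payload."""
    src, dst, length, csum = UDP_HDR.unpack_from(datagram)
    return UDP_HDR.pack(new_src_port, dst, length, csum) + datagram[UDP_HDR.size:]


def parse_nat_t(datagram: bytes) -> dict:
    """Demultiplex a UDP/4500 datagram the way the IPSec peer does."""
    if len(datagram) < UDP_HDR.size:
        raise ValueError("truncated UDP header")
    src, dst, length, _csum = UDP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram size")
    body = datagram[UDP_HDR.size:]
    info = {"src_port": src, "dst_port": dst}
    if body == NAT_KEEPALIVE:
        info["kind"] = "nat-keepalive"
    elif body[:4] == NON_ESP_MARKER:
        if len(body) < 4 + IKE_HDR.size:
            raise ValueError("truncated IKE header")
        _spi_i, _spi_r, _np, version, exch, flags, msg_id, ike_len = IKE_HDR.unpack_from(body, 4)
        info.update(kind="ike", ike_version=(version >> 4, version & 0x0F),
                    exchange_type=exch, initiator=bool(flags & 0x08),
                    message_id=msg_id, ike_length=ike_len)
    else:
        if len(body) < ESP_HDR.size:
            raise ValueError("truncated ESP header")
        spi, seq = ESP_HDR.unpack_from(body)
        info.update(kind="esp", spi=spi, seq=seq, esp_payload=body[ESP_HDR.size:])
    return info


if __name__ == "__main__":
    sent = encapsulate_esp(0x1000ABCD, 7, b"\x11" * 16)   # constructed ESP packet
    after_nat = napt_rewrite(sent, 40001)                  # NAPT picked a new source port
    print(parse_nat_t(sent))
    print(parse_nat_t(after_nat))
```

Running the block shows the point of the section: the NAPT device changes only the UDP source port, while the SPI, sequence number and payload reach the peer unchanged, so the ESP integrity check still passes. The same demultiplexing is why a filter that permits only IP protocol 50 breaks a NAT-T tunnel: every packet, IKE and ESP alike, arrives as UDP on port 4500.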

Configuring link groups on the firewall
Mechanism of the HA link group on the firewall
1. In a hot standby environment, add the upstream and downstream service interfaces to the same link group. When one interface fails and goes Down, the status of all interfaces in the group is set to Down, which forces fast route convergence on the upstream and downstream routers.
2. The link-group function binds the status of several interfaces into one logical group. If any interface in the link group fails, the system sets all the other interfaces in the group to Down. Only after every interface in the group has recovered does the system set them back to Up. Because the upstream and downstream interfaces always share the same status, an active/standby switchover cannot leave the upstream and downstream paths on different firewalls. You are advised not to add interfaces on the 18FE+2SFP, 16GE+4SFP, 5FSW, and 8FE+2GE interface cards to a link group; use interfaces on other cards first.
3. Configure or delete the interfaces of a link group through the web UI:
a. Choose System > High Availability > Link Group.
b. In Link Group, select the link group to be configured and modify it.
c. Add interfaces to or remove them from the link group. To add interfaces, select one or more interfaces in the Available group box, or double-click an interface; to add all interfaces, click All. Added interfaces are then displayed in the Selected group box. To remove interfaces, select one or more interfaces in the Selected group box, or double-click an interface; to remove all interfaces, click Clear. Removed interfaces are then displayed in the Available group box.
d. Click Apply.
4. CLI configuration method:
Run the system-view command to enter the system view.
Run the interface interface-type interface-number command to enter the interface view.
Run the link-group link-group-id command to add the interface to the link group.
Run the undo link-group command to remove the interface from the link group.

When does the firewall clear an IPSec SA in normal cases
Both IKE SAs and IPSec SAs have lifetimes, and each lifetime has a hard and a soft value; the soft lifetime is about 9/10 of the hard lifetime. When the soft lifetime of an IKE SA expires, a new IKE SA is negotiated to replace it, so that the replacement is ready before the original expires. When the hard lifetime of the original IKE SA expires, the original IKE SA is deleted whether or not the replacement has been established, and any IPSec SA established under it is deleted with it. When the hard lifetime of an IPSec SA expires, both the IKE SA and the IPSec SA are deleted. In addition, if IKE SA keepalive or DPD is enabled, the IKE SA and IPSec SA are deleted when the keepalive or DPD packets time out. If an SA is deleted at hard-lifetime expiry before its replacement is up (for example, because the rekey negotiation failed), traffic through the tunnel is interrupted until a new negotiation succeeds.
