Mechanism of IPSec phase 2 on the USG2160


IKEv1 phase 2 negotiation sets up the IPSec SAs that protect data transmission.
IKEv1 phase 2 negotiation is completed through quick mode. In quick mode, SKEYID_a, generated during IKEv1 phase 1 negotiation, is used for integrity checking and authentication of the ISAKMP messages, and SKEYID_e is used to encrypt the ISAKMP messages, so the exchange itself is protected.
In quick mode, the two peers negotiate the IPSec SA parameters and generate the keys used for data transmission.
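The derivation behind these two keys, worked through in Python as an added example (this is not code from the article or from the USG2160; it follows RFC 2409 with SHA-1 as the prf and pre-shared-key authentication, and all nonces, cookies, the Diffie-Hellman secret and the SA payload are constructed sample values). It shows how SKEYID_a lets the responder detect a quick mode message altered in transit, and how SKEYID_d seeds separate key material for each ESP SA:

```python
import hashlib
import hmac

# Constructed sample values; a real negotiation takes these from the exchanged payloads.
PSK = b"constructed-pre-shared-key"
NI_B = bytes.fromhex("00112233445566778899aabbccddeeff")  # initiator nonce body
NR_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # responder nonce body
GXY = bytes(range(32))                                     # stand-in for the phase 1 Diffie-Hellman secret
CKY_I = bytes.fromhex("0102030405060708")                 # initiator cookie
CKY_R = bytes.fromhex("0807060504030201")                 # responder cookie
PROTO_ESP = b"\x03"                                        # IPSec DOI protocol id for ESP


def prf(key: bytes, data: bytes) -> bytes:
    """The RFC 2409 prf: HMAC keyed with `key` over the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_keys(psk=PSK, ni_b=NI_B, nr_b=NR_B, gxy=GXY, cky_i=CKY_I, cky_r=CKY_R):
    """Pre-shared-key derivation from RFC 2409 section 5.
    SKEYID_d seeds the IPSec keys, SKEYID_a authenticates ISAKMP messages, SKEYID_e encrypts them."""
    skeyid = prf(psk, ni_b + nr_b)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def quick_mode_hash1(skeyid_a: bytes, message_id: bytes, sa_payload: bytes, ni_b: bytes) -> bytes:
    """HASH(1) = prf(SKEYID_a, M-ID | SA | Ni) for the first quick mode message (no PFS, no identities)."""
    return prf(skeyid_a, message_id + sa_payload + ni_b)


def verify_hash1(skeyid_a, message_id, sa_payload, ni_b, received_hash) -> bool:
    """Responder-side check: recompute HASH(1) and compare in constant time."""
    expected = quick_mode_hash1(skeyid_a, message_id, sa_payload, ni_b)
    return hmac.compare_digest(expected, received_hash)


def ipsec_keymat(skeyid_d: bytes, protocol: bytes, spi: bytes, ni_b: bytes, nr_b: bytes, length: int) -> bytes:
    """KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), chained as K2 = prf(SKEYID_d, K1 | ...)
    until `length` bytes are available (RFC 2409 section 5.5, without PFS)."""
    seed = protocol + spi + ni_b + nr_b
    blocks = [prf(skeyid_d, seed)]
    while sum(map(len, blocks)) < length:
        blocks.append(prf(skeyid_d, blocks[-1] + seed))
    return b"".join(blocks)[:length]


def demo():
    """One constructed quick mode run: authenticate message 1, then derive the two ESP SA keys."""
    skeyid_d, skeyid_a, _skeyid_e = phase1_keys()
    message_id = bytes.fromhex("deadbeef")            # constructed quick mode M-ID
    sa_payload = b"constructed-SA-proposal-payload"  # the SA payload body as carried in the message
    h1 = quick_mode_hash1(skeyid_a, message_id, sa_payload, NI_B)
    ok = verify_hash1(skeyid_a, message_id, sa_payload, NI_B, h1)
    # A proposal altered in transit no longer matches: SKEYID_a is what makes the change detectable.
    tampered = verify_hash1(skeyid_a, message_id, sa_payload.replace(b"proposal", b"PROPOSAL"), NI_B, h1)
    # Each direction has its own SPI, so the inbound and outbound SAs get independent key material
    # (32 bytes of cipher key plus 20 bytes of integrity key requested here, for illustration).
    k_in = ipsec_keymat(skeyid_d, PROTO_ESP, bytes.fromhex("11111111"), NI_B, NR_B, 32 + 20)
    k_out = ipsec_keymat(skeyid_d, PROTO_ESP, bytes.fromhex("22222222"), NI_B, NR_B, 32 + 20)
    return {"hash1_ok": ok, "tampered_detected": not tampered, "keymat_in": k_in, "keymat_out": k_out}
```

Because SKEYID_a and SKEYID_e both descend from the phase 1 Diffie-Hellman secret and the pre-shared key, an observer of the phase 2 exchange sees only ciphertext and cannot forge HASH(1); this is why the strength of phase 1 bounds the strength of every IPSec SA it later produces.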

Other related questions:
Working mechanism of IPSec on AR series routers
Huawei AR series routers support IPSec. Most data is transmitted in plain text on the Internet. This transmission mode has many potential risks. For example, bank account and password data may be intercepted or tampered, and user identities are used, and malicious attacks occur. After IPSec is deployed on the network, transmitted IP data is protected to reduce risks of information leakage. IPSec is a security protocol suite defined by the Internet Engineering Task Force (IETF). IPSec secures data transmission on the Internet through data origin authentication, data encryption, data integrity check, and anti-replay functions. For details, see Configuration Guide-VPN.

Firewall IPSec mechanism
USG IPSec mechanism

What is IPSec?
1. Designed by the Internet Engineering Task Force (IETF), IPSec is an open network-layer framework protocol. It is not a single protocol but a collection of protocols and services that provide security for IP networks, including the security protocols Authentication Header (AH) and Encapsulating Security Payload (ESP), the Internet Key Exchange (IKE), and the algorithms used for authentication and encryption.
2. IPSec provides the following security services for IP packets, mainly through encryption and authentication:
a. User data encryption: IPSec encrypts user data to ensure confidentiality.
b. Data integrity verification: IPSec verifies integrity to ensure that data is not tampered with in transit.
c. Data origin authentication: IPSec authenticates the data origin to ensure that data comes from the real sender.
d. Anti-replay: IPSec prevents malicious users from replaying captured packets; the receiver discards duplicate packets.
3. Application scenarios
a. Connection of LANs through VPN
1) Site-to-Site VPN: also called LAN-to-LAN VPN or gateway-to-gateway VPN, in which IPSec tunnels are established between the enterprise headquarters and its branches.
2) L2TP over IPSec: packets are encapsulated first by L2TP and then by IPSec. L2TP authenticates users and assigns IP addresses; IPSec provides security.
3) GRE over IPSec: IPSec cannot encapsulate multicast, broadcast, or non-IP packets. To carry such traffic over an IPSec VPN, the packets are first encapsulated in IP packets by GRE and then protected by IPSec.
4) Hub-Spoke VPN: in real networks, the Hub-Spoke IPSec VPN is commonly used for interworking between the headquarters network and branch networks.
b. Mobile access: the IP addresses of mobile devices are not fixed. To avoid attacks from insecure network devices, an IPSec tunnel must be established between a mobile device and the headquarters gateway, and the mobile device can access the headquarters network only after the gateway authenticates it. In L2TP over IPSec, mobile devices can use the Windows dial-up software, dial-up software supporting IKEv2, or other dial-up software.

Relationship between IPSec and NAT on the USG2160
During IPSec VPN deployment, the initiator on a private network may need to establish an IPSec tunnel with the responder on a public network. To ensure that an IPSec tunnel can be established when a network address translation (NAT) device exists, NAT traversal is required. In a non-NAT traversal scenario, the gateway uses port 500 to negotiate the IPSec tunnel. In a NAT traversal scenario, the gateway uses port 4500 to negotiate the IPSec tunnel. NAT traversal enables the NAT gateway between the two ends to be discovered during IKE negotiation so that ESP packets can properly traverse the NAT gateway.
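How a peer actually discovers the NAT during IKE negotiation, and how a receiver tells IKE from ESP once both share port 4500, as an added Python example (not code from the article or the USG2160; it follows the NAT-D payload rule of RFC 3947 and the non-ESP marker of RFC 3948, with SHA-1 as the hash, and the cookies, addresses and ports are a constructed scenario using documentation address ranges):

```python
import hashlib
import hmac
import ipaddress
import struct

IKE_PORT = 500                        # plain ISAKMP, used when no NAT is detected
NAT_T_PORT = 4500                     # ISAKMP and UDP-encapsulated ESP after NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: four zero bytes precede an ISAKMP header on port 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload content from RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port), SHA-1 here."""
    return hashlib.sha1(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)).digest()


def detect_nat(cky_i, cky_r, nat_d_payloads, my_ip, my_port, seen_src_ip, seen_src_port):
    """Receiver-side evaluation of the peer's NAT-D payloads.
    The first payload hashes the address the peer sent TO; the remaining ones hash the peer's own
    source address(es). A mismatch with what we observe on the wire means a NAT rewrote that side."""
    dst_hash, src_hashes = nat_d_payloads[0], nat_d_payloads[1:]
    local_nat = not hmac.compare_digest(dst_hash, nat_d_hash(cky_i, cky_r, my_ip, my_port))
    observed = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    peer_nat = not any(hmac.compare_digest(observed, h) for h in src_hashes)
    return {"local_behind_nat": local_nat, "peer_behind_nat": peer_nat}


def classify_udp_payload(dst_port: int, payload: bytes) -> str:
    """Tell ISAKMP from UDP-encapsulated ESP on the two IPSec ports."""
    if dst_port == IKE_PORT:
        return "isakmp"
    if dst_port == NAT_T_PORT:
        if len(payload) < 4:
            return "malformed"
        # A real ESP SPI is never zero, so an all-zero first word can only be the non-ESP marker.
        return "isakmp-nat-t" if payload[:4] == NON_ESP_MARKER else "udp-encapsulated-esp"
    return "not-ipsec"


def demo():
    """Constructed scenario: the initiator sits at 10.1.1.2:500 behind a NAT that presents it to the
    responder 198.51.100.1:500 as 203.0.113.7:41000 (documentation addresses, not a real deployment)."""
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("0807060504030201")
    # What the initiator puts in its NAT-D payloads: the responder's address first, then its own.
    payloads = [nat_d_hash(cky_i, cky_r, "198.51.100.1", 500),
                nat_d_hash(cky_i, cky_r, "10.1.1.2", 500)]
    result = detect_nat(cky_i, cky_r, payloads, "198.51.100.1", 500, "203.0.113.7", 41000)
    # Traffic seen by the responder before and after the switch to port 4500.
    result["first_message"] = classify_udp_payload(500, b"\x01\x02\x03\x04\x05\x06\x07\x08")
    result["after_nat_t_ike"] = classify_udp_payload(4500, NON_ESP_MARKER + b"\x01\x02")
    result["after_nat_t_esp"] = classify_udp_payload(4500, bytes.fromhex("0000100c") + b"\x00\x00\x00\x01")
    return result
```

For a firewall operator the practical consequence is that both UDP 500 and UDP 4500 must be permitted between the peers, and that a capture on port 4500 mixes two protocols distinguished only by the first four bytes of the UDP payload.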

When does the firewall clear an IPSec SA in normal cases
Both IKE SAs and IPSec SAs have lifetimes. SA lifetimes include a hard lifetime and a soft lifetime; the soft lifetime is about 9/10 of the hard lifetime. When the IKE SA soft lifetime expires, a new IKE SA is negotiated to replace the original IKE SA. When the hard lifetime of the original IKE SA expires, the original IKE SA is deleted, regardless of whether the replacement IKE SA has been established. If the IPSec SA is established, the IPSec SA is also deleted. If the IPSec SA hard lifetime expires, both the IKE SA and the IPSec SA are deleted. In addition, if the IKE SA keepalive or DPD function is enabled, the IKE SA and IPSec SA are deleted when the keepalive packets or DPD packets time out.

Layer 2 transparent transmission mechanism for 802.1x protocol packets on S series switches
For S series switches (except the S1700), the Layer 2 transparent transmission mechanism for 802.1x protocol packets is as follows:
1. When an 802.1x protocol packet reaches the ingress node, the switch changes the multicast destination MAC address of the packet to a specified multicast MAC address.
2. After the destination MAC address has been changed, the switch does not send the packet to the CPU for processing but forwards it directly on the Layer 2 network according to the configuration.
3. When the 802.1x protocol packet reaches the egress node, the switch restores the standard multicast destination MAC address, based on the mapping between the specified multicast destination MAC address and the 802.1x protocol configured on the switch.
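The three steps above, replayed on a constructed EAPOL frame in Python as an added example (not code from the article or from an S series switch). The standard 802.1x destination MAC 01-80-C2-00-00-03 and EtherType 0x888E are the IEEE values; the "specified multicast MAC" 01-00-00-00-E1-E1 is a constructed placeholder for whatever the switch is configured with, and the supplicant MAC is also constructed:

```python
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # standard 802.1X destination MAC (IEEE PAE group address)
# Constructed placeholder for the switch's configured "specified multicast MAC" for 802.1x.
TUNNEL_MAC = bytes.fromhex("01000000e1e1")
MAC_MAP = {"dot1x": (PAE_GROUP_MAC, TUNNEL_MAC)}                # protocol -> (standard MAC, specified MAC)
REVERSE_MAP = {tunnel: std for std, tunnel in MAC_MAP.values()}  # specified MAC -> standard MAC


def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype, payload) for an untagged Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return frame[:6], frame[6:12], ethertype, frame[14:]


def is_dot1x(frame: bytes) -> bool:
    """A frame the local 802.1x process would handle: standard group MAC plus EAPOL EtherType.
    Step 2 follows from this: a frame whose destination was rewritten no longer matches and is
    forwarded at Layer 2 instead of being sent to the CPU."""
    dst, _src, ethertype, _ = parse_ethernet(frame)
    return dst == PAE_GROUP_MAC and ethertype == EAPOL_ETHERTYPE


def ingress_rewrite(frame: bytes) -> bytes:
    """Step 1: at the ingress node, replace the standard destination MAC with the specified one.
    Frames that are not 802.1x pass through untouched."""
    if not is_dot1x(frame):
        return frame
    return TUNNEL_MAC + frame[6:]


def egress_restore(frame: bytes) -> bytes:
    """Step 3: at the egress node, map the specified MAC back to the standard destination MAC."""
    dst, _src, ethertype, _ = parse_ethernet(frame)
    if ethertype == EAPOL_ETHERTYPE and dst in REVERSE_MAP:
        return REVERSE_MAP[dst] + frame[6:]
    return frame


def demo():
    """Walk a constructed EAPOL-Start (version 1, type 1, body length 0) across the Layer 2 domain."""
    supplicant = bytes.fromhex("02aabbccddee")  # constructed locally administered unicast MAC
    frame = PAE_GROUP_MAC + supplicant + struct.pack("!H", EAPOL_ETHERTYPE) + bytes([1, 1, 0, 0])
    in_transit = ingress_rewrite(frame)   # what the intermediate switches see
    delivered = egress_restore(in_transit)  # what the authenticator receives
    return {"frame": frame, "in_transit": in_transit, "delivered": delivered,
            "transit_punts_to_cpu": is_dot1x(in_transit), "edge_punts_to_cpu": is_dot1x(delivered)}
```

The point to check in a real deployment is the mapping table: if an intermediate switch has 802.1x authentication enabled on the transit ports or uses a different specified MAC, the frame is either consumed by the wrong node or never restored at the egress, and supplicants behind the domain fail to authenticate.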
