USG firewall security association

What is security association (SA)?
The IPSec SA is a unidirectional logical connection created for security purposes. Because the protected traffic flows in both directions, an IPSec SA is required in each direction. The number of SAs depends on the security protocol. If either AH or ESP is used to protect traffic between peers, two SAs, one in each direction, exist between the peers. If both AH and ESP are used, four SAs, two in each direction (one for AH and one for ESP), exist between the peers. Therefore, an IPSec SA is not equivalent to a connection.
The IPSec SA is uniquely identified by a triplet. The triplet includes the following elements:
Security Parameter Index (SPI)
Destination IP address
Security protocol number (AH or ESP)
The SPI is a 32-bit value that is generated to uniquely identify an SA and is carried in the AH and ESP headers. Taken together, the SPI, destination IP address, and security protocol number uniquely identify an IPSec SA.
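As an added illustration (not from the page and not Huawei's implementation), the following Python sketch extracts the SPI, destination address and protocol number from a constructed AH or ESP packet and uses that triplet to select an entry in a small security association database modelled on the USG_A/USG_B tunnel described later on this page. The SAD entries, SPI values and packet contents are constructed for the example; it also shows why the SPI alone is not enough, since each receiver chooses its own SPI per protocol.

```python
import ipaddress
import struct
from typing import NamedTuple

PROTO_ESP = 50   # IP protocol number of ESP
PROTO_AH = 51    # IP protocol number of AH

class SaKey(NamedTuple):
    spi: int
    dst: str
    proto: int

def sa_key_from_packet(pkt: bytes) -> SaKey:
    """Return the (SPI, destination IP, protocol) triplet that selects the inbound SA."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = pkt[9]
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    hdr = pkt[ihl:ihl + 8]
    if proto == PROTO_ESP:
        spi = struct.unpack("!I", hdr[:4])[0]        # ESP header begins with the SPI
    elif proto == PROTO_AH:
        spi = struct.unpack("!I", hdr[4:8])[0]       # AH: next hdr, len, reserved, then SPI
    else:
        raise ValueError(f"protocol {proto} is neither AH nor ESP")
    return SaKey(spi, dst, proto)

def make_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (checksum left zero) around a constructed payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

# Constructed SAD for the USG_A (202.38.163.1) <-> USG_B (202.38.169.1) tunnel with both AH and
# ESP in use: four unidirectional SAs. SPI values are made up; the same SPI recurs on purpose.
SAD = {
    SaKey(0x1001, "202.38.169.1", PROTO_ESP): "ESP USG_A->USG_B",
    SaKey(0x1001, "202.38.163.1", PROTO_ESP): "ESP USG_B->USG_A",
    SaKey(0x1001, "202.38.169.1", PROTO_AH):  "AH USG_A->USG_B",
    SaKey(0x2002, "202.38.163.1", PROTO_AH):  "AH USG_B->USG_A",
}

def lookup_sa(pkt: bytes) -> str:
    return SAD[sa_key_from_packet(pkt)]   # KeyError on a miss: no SA, the packet is dropped

# Constructed packets: ESP from USG_A to USG_B (SPI, sequence number) and AH from USG_B to
# USG_A (next header, payload length, reserved, SPI, then sequence number and ICV bytes).
ESP_PKT = make_ipv4("202.38.163.1", "202.38.169.1", PROTO_ESP, struct.pack("!II", 0x1001, 1))
AH_PKT = make_ipv4("202.38.169.1", "202.38.163.1", PROTO_AH,
                   struct.pack("!BBHI", 4, 4, 0, 0x2002) + bytes(12))
```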
Creation mode
The IPSec SA is classified into two types: SA that is manually created and SA that is created by means of IKE automatic negotiation (isakmp). Major differences between the two types of SAs are as follows:
Different key generation modes
In manual mode, all parameters required by the IPSec SA, including encryption and verification keys, are manually configured or manually updated.
In IKE mode, encryption and verification keys required by the IPSec SA are generated by the DH algorithm and can be dynamically updated. The key management cost is low and the security is high.
Different IPSec SA lifetime
In manual mode, once an IPSec SA is created, it permanently exists.
In IKE mode, the IPSec SA establishment is triggered by the data flow, and the SA lifetime is controlled by lifetime parameters configured on both ends.

Other related questions:
Configuration of the security association on the USG firewalls
Create an IPSec SA in IKE negotiation mode.
1. The communication between network A and network B requires an IPSec tunnel, established between USG_A and USG_B, to encrypt and transmit data. The internal network segment of network A is 10.1.1.0/24, and the public IP address of USG_A is 202.38.163.1/24. The internal network segment of network B is 10.1.2.0/24, and the public IP address of USG_B is 202.38.169.1/24.
Network A---USG_A----INTERNET----USG_B---Network B
2. The configuration procedure is as follows:
[USG_A] acl 3000 //Configure ACL rules used to match the sensitive traffic.
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-acl-adv-3000] quit
[USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2 //Configure the route.
[USG_A] ipsec proposal tran1 //Configure the IPSec security proposal.
[USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_A-ipsec-proposal-tran1] transform esp
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ipsec-proposal-tran1] quit
[USG_A] ike proposal 10 //Configure the IKE security proposal.
[USG_A-ike-proposal-10] authentication-method pre-share
[USG_A-ike-proposal-10] authentication-algorithm sha1
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_A-ike-proposal-10] quit
[USG_A] ike peer b //Configure the IKE peer.
[USG_A-ike-peer-b] ike-proposal 10
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_A-ike-peer-b] quit
[USG_A] ipsec policy map1 10 isakmp //Configure IPSec security policies.
[USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG_A-ipsec-policy-isakmp-map1-10] quit
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ipsec policy map1 //Apply the security policies to the interface.
[USG_B] acl 3000 //Configure ACL rules used to match the sensitive traffic.
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-acl-adv-3000] quit
[USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2 //Configure the route.
[USG_B] ipsec proposal tran1 //Configure the IPSec security proposal.
[USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_B-ipsec-proposal-tran1] transform esp
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_B-ipsec-proposal-tran1] quit
[USG_B] ike proposal 10 //Configure the IKE security proposal.
[USG_B-ike-proposal-10] authentication-method pre-share
[USG_B-ike-proposal-10] authentication-algorithm sha1
[USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_B-ike-proposal-10] quit
[USG_B] ike peer a //Configure the IKE peer.
[USG_B-ike-peer-a] ike-proposal 10
[USG_B-ike-peer-a] remote-address 202.38.163.1
[USG_B-ike-peer-a] pre-shared-key abcde
[USG_B-ike-peer-a] quit
[USG_B] ipsec policy map1 10 isakmp //Configure IPSec security policies.
[USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_B-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
[USG_B-ipsec-policy-isakmp-map1-10] quit
[USG_B] interface GigabitEthernet 0/0/2
[USG_B-GigabitEthernet0/0/2] ipsec policy map1 //Apply the security policies to the interface.

Method used to view the security association information on USG firewalls
The common IPSec maintenance command used on USG firewalls is as follows: display ipsec sa //Display the security association configuration.

Method used to configure the life cycle of the IPSec security association on USG firewalls
You can configure the lifetime of the IPSec VPN security association (SA) on USG firewalls as follows:
1. Configure the IKE SA hard lifetime. The lifetime can be modified per SA instead of globally.
system-view //Enter the system view.
ike proposal proposal-number //Enter the IKE security proposal view.
sa duration seconds //Configure the IKE SA hard lifetime.
Pay attention to the following aspects when configuring the IKE SA lifetime:
a) When the hard lifetime expires, the SA is automatically updated. The IKE negotiation needs to perform the DH calculation, which takes a long time. It is recommended that the lifetime be longer than 600s so that the SA update does not disturb secure communication.
b) Before the soft lifetime expires, a new SA is negotiated to replace the old SA. Until the new SA negotiation is complete, the old SA is used. After the new SA is established, it immediately takes effect, and the old SA is automatically cleared when its lifetime expires. By default, the hard lifetime of the IKE SA is 86400s (1 day).
2. Configure the IKE SA soft lifetime.
system-view //Enter the system view.
ike peer peer-name //Enter the IKE peer view.
sa soft-duration time-based buffer seconds //Configure the soft lifetime of the IKE SA. This configuration is valid only for the IKEv1 protocol.
a) By default, the soft lifetime is 9/10 of the hard lifetime. That is, a new SA to replace the old SA is negotiated when 9/10 of the SA lifetime has elapsed.
b) After the buffer time is configured, if the difference between the hard lifetime and the buffer time is longer than 10s, that difference is used as the soft lifetime. Otherwise, the default value (9/10 of the hard lifetime) is used as the soft lifetime.
display ike proposal //View the hard lifetime of the IKE SA.
[USG] display ike proposal
priority  authentication  authentication  encryption  Diffie-Hellman  duration
          method          algorithm       algorithm   group           (seconds)
-------------------------------------------------------------------------------
10        PRE_SHARED      MD5             DES_CBC     MODP_768        5000
default   PRE_SHARED      SHA1            AES_CBC     MODP_1024       86400
display ike peer [ brief | name peer-name ] //View the soft lifetime of the IKE SA.
[USG] display ike peer name b
-------------------------------------------------------------------------------
IKE peer: b
Exchange mode: main on phase 1
Pre-shared key: %$%$biLQ*117FHI`Qe&-VY`>l%yp%$%$
Local certificate file name:
Proposal: 10
Local ID type: IP
Peer IP address: 202.38.169.1
VPN instance:
Authentic IP address:
IP address pool:
Peer name:
Peer domain name:
VPN instance bound to the SA:
NAT traversal: enable
SA soft timeout buffer time: 22 seconds
OCSP check: disable
OCSP server URL:
Applied to 1 policy:
ppp1-1-isakmp
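The hard/soft lifetime rules above, modelled as an added Python example (not Huawei code): soft_lifetime applies the 9/10 default and the 10s buffer rule the page describes, lifetime_warnings flags the two configuration pitfalls the page names, and IkeSa is the editor's simplified state model of an SA that keeps carrying traffic while its replacement is negotiated and is cleared at the hard lifetime. The values used in the checks (86400s default, 5000s proposal, 22s buffer) are the ones shown in the display output above.

```python
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_HARD_LIFETIME = 86400   # IKE SA hard lifetime default on the page (1 day)
MIN_RECOMMENDED = 600           # the page recommends a hard lifetime longer than 600 s
BUFFER_THRESHOLD = 10           # hard - buffer must exceed 10 s for the buffer to apply

def soft_lifetime(hard: int, buffer: Optional[int] = None) -> int:
    """IKEv1 soft lifetime as the page describes it: hard - buffer when a buffer is
    configured and that difference exceeds 10 s, otherwise 9/10 of the hard lifetime."""
    if buffer is not None and hard - buffer > BUFFER_THRESHOLD:
        return hard - buffer
    return hard * 9 // 10

def lifetime_warnings(hard: int, buffer: Optional[int] = None) -> List[str]:
    """Checks a reviewer would apply before committing 'sa duration' and the buffer."""
    issues = []
    if hard <= MIN_RECOMMENDED:
        issues.append(f"hard lifetime {hard}s is not longer than {MIN_RECOMMENDED}s; "
                      "frequent DH rekeys will disturb traffic")
    if buffer is not None and hard - buffer <= BUFFER_THRESHOLD:
        issues.append(f"buffer {buffer}s leaves at most {BUFFER_THRESHOLD}s before hard "
                      "expiry; the device falls back to 9/10 of the hard lifetime")
    return issues

@dataclass
class IkeSa:
    established_at: int              # seconds since an arbitrary epoch
    hard: int = DEFAULT_HARD_LIFETIME
    buffer: Optional[int] = None

    def state(self, now: int) -> str:
        """'active': carries traffic; 'rekeying': soft lifetime passed, a new SA is being
        negotiated while this one still carries traffic; 'expired': cleared at hard lifetime."""
        age = now - self.established_at
        if age >= self.hard:
            return "expired"
        if age >= soft_lifetime(self.hard, self.buffer):
            return "rekeying"
        return "active"
```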

Method used to view the IPSec security proposal information on USG firewalls
The common IPSec maintenance command used on USG firewalls is as follows: display ipsec proposal //Display the configuration of IPSec security proposal.

Method used to view the IKE security proposal information on USG firewalls
The common IPSec maintenance command used on USG firewalls is as follows: display ike proposal //Display the configuration of IKE security proposal.
