Hi, everyone! Today I'm going to introduce what IPsec VPN is and how it works, episode 1 (reprint).
Authorized reprint by author zhushigeng (Vinsoney)
1. Technical Background
The preceding figure shows the network of a large company. In addition to the central site, there are multiple branches or offices across the country and employees on business trips, and all of these nodes need to communicate with one another. The simplest and most economical method is to use the Internet for mutual data access. However, the Internet is a shared network environment with many security threats, and it is risky to transmit confidential data over it directly. Traditionally, such a company leases private lines. A private line is a dedicated link: more secure, but more expensive, and it cannot support mobile employees. IPsec VPN solves both problems by protecting the traffic that crosses the Internet, so no leased line is needed.
IPsec VPN is a widely used and mature VPN technology. It can carry confidential data over a public network because IPsec provides confidentiality (encryption), data integrity, data-origin (peer) authentication, and anti-replay protection. IPsec VPN networking is flexible: in addition to the typical site-to-site networking, remote-access (client-to-site) networking is supported.
2. IPsec VPN Implementation
As shown in the preceding figure, data transmitted directly over the Internet is exposed to many security risks, and IPsec VPN can protect it. The figure illustrates a typical site-to-site (LAN-to-LAN) IPsec VPN scenario: the two sites communicate across the Internet, IPsec VPN is deployed on the firewall at each site to protect the traffic exchanged between them, and an IPsec VPN tunnel is established between the two firewalls.
In this process, the two ends first negotiate the encryption algorithm and the hash (integrity) algorithm used to protect the negotiation traffic itself. Once they agree on a policy, the two ends exchange Diffie-Hellman public values; each side combines the peer's public value with its own private value and arrives at the same shared secret, from which matching encryption and integrity keys are derived, without the secret itself ever crossing the wire. Then peer identity authentication is performed to verify that the two firewalls are who they claim to be (for example, with a pre-shared key or certificates). The packets exchanged for identity authentication are already protected by the negotiated encryption and hash algorithms.
After that, the two parties negotiate the security policies (IPsec proposals) for protecting the traffic between the internal networks at the two sites. These policies include the security protocol (AH or ESP), the encryption algorithm, and the hash algorithm. Once this negotiation completes, the IPsec VPN tunnel is established.
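The negotiation described above, modelled end to end as an added example (this is not code from the original article, and it follows the shape of IKE rather than its exact wire format): proposal matching, the Diffie-Hellman exchange of "common values" producing identical keys on both sides, pre-shared-key authentication of each peer, and finally the IPsec proposal whose keys are derived from the control-channel secret. The gateway names, pre-shared keys and proposal lists are constructed for illustration.

```python
"""Model of the tunnel setup described above: proposal negotiation,
Diffie-Hellman key agreement, pre-shared-key authentication, then the
IPsec (child SA) proposal. Added example, not code from the original
article; it follows the shape of IKE, not its exact wire format."""
import hashlib
import hmac
import secrets

# Diffie-Hellman group for the "exchange of common values": a 2048-bit MODP
# prime with generator 2, as transcribed here from IKE group 14 (RFC 3526).
# Verify the constant against the RFC before reusing it anywhere real.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
DH_BYTES = 256


def prf(key: bytes, data: bytes) -> bytes:
    """Pseudo-random function: HMAC-SHA256 (the negotiated hash algorithm)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2-style prf+ expansion: T1 = prf(K, S|1), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out, n = out + t, n + 1
    return out[:length]


def negotiate(offered: list, accepted: list):
    """Responder picks the first proposal in the initiator's list it also supports."""
    for proposal in offered:
        if proposal in accepted:
            return proposal
    return None


def psk_auth(psk: bytes, identity: bytes, dh_pub: int, peer_nonce: bytes) -> bytes:
    """Proof of identity bound to this exchange. Simplified from IKEv2's
    AUTH payload: prf(prf(PSK, pad), ID | own DH value | peer's nonce)."""
    key = prf(psk, b"Key Pad for IKEv2")
    return prf(key, identity + dh_pub.to_bytes(DH_BYTES, "big") + peer_nonce)


class Gateway:
    """One site firewall. Proposals are (encryption, hash, DH group) tuples for
    the control channel and (protocol, encryption, hash) for the IPsec SA."""

    def __init__(self, name: str, psk: bytes, ike_proposals: list, ipsec_proposals: list):
        self.name, self.psk = name.encode(), psk
        self.ike_proposals, self.ipsec_proposals = ike_proposals, ipsec_proposals
        self.priv = secrets.randbelow(P - 2) + 1   # never leaves this gateway
        self.pub = pow(G, self.priv, P)            # the "common value" sent to the peer
        self.nonce = secrets.token_bytes(32)

    def derive_keys(self, peer_pub: int, ni: bytes, nr: bytes) -> dict:
        """Shared secret g^xy, then SKEYSEED = prf(Ni|Nr, g^xy), expanded into
        keys. Simplified to one key per purpose; IKE derives one per direction."""
        shared = pow(peer_pub, self.priv, P).to_bytes(DH_BYTES, "big")
        km = prf_plus(prf(ni + nr, shared), ni + nr, 96)
        return {"sk_d": km[:32], "sk_a": km[32:64], "sk_e": km[64:96]}


def establish_tunnel(init: Gateway, resp: Gateway) -> dict:
    """Run the steps described above; raise ValueError wherever a real
    gateway would abort the negotiation."""
    ike = negotiate(init.ike_proposals, resp.ike_proposals)
    if ike is None:
        raise ValueError("no common IKE proposal")
    # Both sides exchange (pub, nonce) in the clear and derive identical keys.
    ki = init.derive_keys(resp.pub, init.nonce, resp.nonce)
    kr = resp.derive_keys(init.pub, init.nonce, resp.nonce)
    if ki != kr:
        raise ValueError("key derivation mismatch")
    # Identity authentication; in the real protocol these payloads travel
    # encrypted under sk_e and integrity-protected under sk_a.
    auth_i = psk_auth(init.psk, init.name, init.pub, resp.nonce)
    if not hmac.compare_digest(auth_i, psk_auth(resp.psk, init.name, init.pub, resp.nonce)):
        raise ValueError("initiator authentication failed")
    auth_r = psk_auth(resp.psk, resp.name, resp.pub, init.nonce)
    if not hmac.compare_digest(auth_r, psk_auth(init.psk, resp.name, resp.pub, init.nonce)):
        raise ValueError("responder authentication failed")
    # IPsec proposal for the traffic between the two internal networks; its
    # keys come from sk_d and the nonces, so no second DH exchange is needed.
    ipsec = negotiate(init.ipsec_proposals, resp.ipsec_proposals)
    if ipsec is None:
        raise ValueError("no common IPsec proposal")
    child = prf_plus(ki["sk_d"], init.nonce + resp.nonce, 64)
    return {"ike": ike, "ipsec": ipsec,
            "esp_enc_key": child[:32], "esp_auth_key": child[32:]}
```

Calling `establish_tunnel(site1, site2)` with two `Gateway` objects that share a pre-shared key returns the agreed proposals and the ESP keys; a peer with a different key, or with no overlapping proposal, causes a `ValueError` at the corresponding step, which is the point where a real firewall would log a negotiation failure.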
This means a protected, logically separate communication channel now exists across the Internet. Protected traffic (IPsec VPN traffic) between site 1 and site 2 is transmitted through the tunnel and encrypted in transit, which ensures confidentiality, and an integrity check detects whether the data was tampered with during transmission. As shown in the preceding figure, user data that is to be protected arrives at the site firewall, which identifies it as traffic to be processed by IPsec VPN. The firewall encrypts the data, computes the integrity value, and prepends a security protocol header (for example, an ESP header). To allow the packet to be routed across the Internet to the other site's firewall, a new IP header, the tunnel header, is added in front.
The preceding figure illustrates an example of data transmission in an IPsec VPN environment. A host on the 192.168.1.0/24 segment at site 1 wants to access site 2 and simply uses the destination's private address, 192.168.2.x. This works because IPsec tunneling lets the two sites communicate using their real internal addresses: the original packet is carried unchanged inside the protected payload.
After a plaintext data packet reaches the egress firewall at site 1, the firewall finds that the traffic matches the configured IPsec VPN policy. It therefore encrypts the packet with the negotiated encryption algorithm and key, and then computes the hash (integrity check value) over the encrypted data. The processed packet is encapsulated behind a security protocol header, and a new IP header, the tunnel header, is added with source address 100.1.1.1 and destination address 200.2.2.2. Note that these are the public IP addresses of the firewalls' external interfaces. The packet is then forwarded across the Internet to the firewall at the peer site.
On the way, the packet can still be captured, but its contents cannot be read, and any modification is detected and the packet discarded. After the packet arrives at the firewall at site 2, the tunnel header is removed. The firewall reads the security protocol header (the SPI in the ESP header identifies the security association), looks up the locally stored security policy and keys, checks the sequence number against its anti-replay window, verifies the integrity check value, and only then decrypts the packet. The recovered plaintext packet is forwarded to the destination network 192.168.2.0/24.
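The encapsulation and decapsulation just described, worked through in code as an added example (not code from the original article) with the article's addresses: site 1 wraps an inner 192.168.1.x to 192.168.2.x packet in ESP behind a 100.1.1.1 to 200.2.2.2 tunnel header, and site 2 strips the tunnel header, runs the anti-replay check, verifies the integrity value and decrypts. The cipher is an HMAC-based keystream standing in for the negotiated cipher (real ESP uses AES-CBC or AES-GCM), the ICV is HMAC-SHA-256 truncated to 128 bits, and the SPI, keys and inner packet are constructed for illustration; a real gateway takes them from the SA negotiated earlier.

```python
"""Tunnel-mode ESP encapsulation and decapsulation for the packet flow
described above, using the article's addresses. Added example, not code
from the original article. The cipher is an HMAC-SHA256 keystream XOR
standing in for the negotiated cipher (real ESP uses AES-CBC or AES-GCM);
the ICV is HMAC-SHA-256 truncated to 128 bits as in RFC 4868."""
import hashlib
import hmac
import ipaddress
import secrets
import struct

ESP_PROTO = 50
ESP_HDR = struct.Struct("!II")   # SPI, sequence number
IV_LEN, ICV_LEN = 16, 16


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header (no options, TTL 64) with a correct checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                                proto, 0, ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum >> 16) + (csum & 0xFFFF)
    struct.pack_into("!H", hdr, 10, ~(csum + (csum >> 16)) & 0xFFFF)
    return bytes(hdr)


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy counter-mode cipher: XOR with HMAC(key, iv|offset) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, iv + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class EspTunnelSA:
    """One direction of the tunnel: the negotiated keys, the SPI that names
    this SA on the wire, and the endpoints' public addresses."""

    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes, local: str, remote: str, window: int = 64):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.local, self.remote = local, remote
        self.seq = 0                      # outbound sequence counter
        self.window = window              # inbound anti-replay window (RFC 4303)
        self.highest, self.seen = 0, 0    # highest seq received, bitmap below it

    def encapsulate(self, inner: bytes) -> bytes:
        """Site-1 egress: encrypt, add ESP header and ICV, then the tunnel header."""
        self.seq += 1
        iv = secrets.token_bytes(IV_LEN)
        pad_len = (-(len(inner) + 2)) % 4   # payload + trailer must be 4-byte aligned
        plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # next hdr 4 = IPv4
        esp = ESP_HDR.pack(self.spi, self.seq) + iv + keystream_xor(self.enc_key, iv, plaintext)
        esp += hmac.new(self.auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
        return ipv4_header(self.local, self.remote, ESP_PROTO, len(esp)) + esp

    def decapsulate(self, packet: bytes) -> bytes:
        """Site-2 ingress: strip tunnel header, replay check, verify ICV, decrypt."""
        outer, esp = packet[:20], packet[20:]
        if outer[9] != ESP_PROTO or outer[16:20] != ipaddress.IPv4Address(self.local).packed:
            raise ValueError("not ESP for this gateway")
        spi, seq = ESP_HDR.unpack_from(esp)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        self._check_replay(seq)                  # cheap check before the ICV
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed")
        self._mark_seen(seq)                     # only after the ICV verifies
        pt = keystream_xor(self.enc_key, body[8:8 + IV_LEN], body[8 + IV_LEN:])
        pad_len, next_hdr = pt[-2], pt[-1]
        if next_hdr != 4:
            raise ValueError("not a tunnel-mode IPv4 payload")
        return pt[:len(pt) - pad_len - 2]

    def _check_replay(self, seq: int) -> None:
        if seq == 0:
            raise ValueError("invalid sequence number")
        diff = self.highest - seq
        if seq <= self.highest and (diff >= self.window or (self.seen >> diff) & 1):
            raise ValueError("replayed packet")

    def _mark_seen(self, seq: int) -> None:
        if seq > self.highest:
            self.seen = (self.seen << (seq - self.highest)) | 1
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)
        self.seen &= (1 << self.window) - 1
```

Two `EspTunnelSA` objects with the same SPI and keys, one per site, model the outbound SA at site 1 and the matching inbound SA at site 2. Feeding the same wire packet to `decapsulate` twice is rejected as a replay, a packet with a flipped ciphertext byte is rejected by the integrity check before it is decrypted, and because the sequence number is only recorded after the ICV verifies, the tampered copy does not cause the genuine packet with the same sequence number to be dropped.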
Learn more: what IPsec VPN is and how it works, episode 2 (reprint)
If you have any problems, please post them in our Community. We are happy to solve them for you!


