IPSec

Date: 2017-12-20
1. Basic Introduction
IPSec (Internet Protocol Security) is a suite of protocols that authenticates and encrypts IP packets at the network layer. It is the most widely used standard for building VPNs and appears in many network security solutions; it offers a broad set of mechanisms (authentication, encryption, integrity protection, key exchange) and strong security when configured correctly.

2. Application
181.png
Dynamic routing protocols such as OSPF and RIP announce reachability with multicast or broadcast packets, while an IPSec tunnel is negotiated between two unicast endpoints and its policy selectors match only the unicast traffic configured for it, so routing updates cannot pass through a plain IPSec tunnel. Our company's solution is to combine GRE with IPSec: GRE wraps the routing traffic (multicast included) in unicast packets between the two tunnel endpoints, IPSec then encrypts those GRE packets, and the routing protocol simply treats the GRE tunnel as a point-to-point link, which keeps the configuration simple.
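The following is an added worked example, not code from the original page or the vendor's product. It constructs a multicast routing hello and two IPSec policy selectors, shows that the hello matches neither a LAN-to-LAN policy nor an endpoint-to-endpoint GRE policy, then wraps it in GRE and shows that the wrapped packet does match the GRE policy while the inner multicast destination is preserved. All addresses, the policies and the hello payload are constructed for illustration, and the IPv4/GRE encoding is done by hand with struct rather than by any network stack.

```python
"""GRE over IPSec: why a routing hello needs GRE before it can match an IPSec policy.

Added example, not code from the original page or the vendor's device. It builds
packets with struct/ipaddress only; every address below is constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IPPROTO_GRE = 47
IPPROTO_OSPF = 89
OSPF_ALL_ROUTERS = "224.0.0.5"  # multicast group OSPF hellos are sent to

# Constructed addresses in the roles of the page's GRE parameters
# (Local IP / Remote IP / Local tunnel IP / LAN segments).
LOCAL_WAN, REMOTE_WAN = "203.0.113.1", "198.51.100.1"
LOCAL_TUNNEL = "10.0.0.1"
LOCAL_LAN, REMOTE_LAN = "192.168.1.0/24", "192.168.2.0/24"


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> Tuple[str, str, int, bytes]:
    """Return (src, dst, protocol, payload); rejects options and bad checksums."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl != 0x45 or _checksum(pkt[:20]) != 0:
        raise ValueError("not a plain IPv4 header with a valid checksum")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, pkt[20:total_len])


def gre_encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Wrap an IPv4 packet in a plain GRE header (RFC 2784) and a unicast outer IPv4 header."""
    gre = struct.pack("!HH", 0, 0x0800)  # no checksum/key/sequence; protocol type IPv4
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(pkt: bytes) -> bytes:
    """Strip the outer IPv4 and GRE headers and return the original inner packet."""
    _, _, proto, payload = parse_ipv4(pkt)
    flags_ver, ptype = struct.unpack("!HH", payload[:4])
    if proto != IPPROTO_GRE or flags_ver != 0 or ptype != 0x0800:
        raise ValueError("not a plain GRE-in-IPv4 packet")
    return payload[4:]


@dataclass(frozen=True)
class Selector:
    """IPSec policy selector: source range, destination range, optional IP protocol."""
    local_net: str
    remote_net: str
    proto: Optional[int] = None  # None means any protocol

    def matches(self, pkt: bytes) -> bool:
        src, dst, proto, _ = parse_ipv4(pkt)
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.local_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote_net)
                and (self.proto is None or proto == self.proto))


def demo() -> dict:
    """A multicast hello fails the LAN-to-LAN policy; GRE-wrapped it matches the GRE policy."""
    hello_body = b"\x02\x01" + b"\x00" * 42  # constructed stand-in for an OSPFv2 Hello
    hello = ipv4_header(LOCAL_TUNNEL, OSPF_ALL_ROUTERS, IPPROTO_OSPF, len(hello_body), ttl=1) + hello_body
    lan_to_lan = Selector(LOCAL_LAN, REMOTE_LAN)                               # plain site-to-site policy
    gre_policy = Selector(LOCAL_WAN + "/32", REMOTE_WAN + "/32", IPPROTO_GRE)  # policy protecting the GRE tunnel
    wrapped = gre_encapsulate(LOCAL_WAN, REMOTE_WAN, hello)
    return {
        "hello_matches_lan_policy": lan_to_lan.matches(hello),      # 224.0.0.5 is in no remote LAN
        "hello_matches_gre_policy": gre_policy.matches(hello),      # not GRE between the WAN addresses
        "wrapped_matches_gre_policy": gre_policy.matches(wrapped),  # outer header is unicast GRE
        "inner_dst_after_decap": parse_ipv4(gre_decapsulate(wrapped))[1],  # multicast address preserved
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The LAN-to-LAN selector is what a plain Site-to-Site IPSec connection installs; the /32-to-/32, protocol 47 selector is what a GRE-over-IPSec connection needs, and the routing protocol runs over the tunnel interface addresses (10.0.0.1 here) rather than the WAN addresses, so its multicast packets always arrive at the IPSec policy already wrapped in unicast GRE.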

GRE configuration of the device:

Device 1
182.png

Device 2
183.png
VPN Enable: Enable VPN and select GRE.
GRE tunnel name: Name of the GRE tunnel.
Remote IP: Endpoint address of the peer device (its WAN IP), i.e. the outer destination of the GRE packets.
Local IP: Endpoint address of the local device (its WAN IP), i.e. the outer source of the GRE packets.
Local tunnel IP: IP address of the local end of the GRE tunnel interface.
Remote tunnel IP: IP address of the peer's end of the GRE tunnel interface.
Remote destination: The destination network segment reachable through the tunnel.

IPSec configuration
184.png
IPSec Connection: Select an existing IPSec connection by name, or create a new one.
Connection name: Name of the IPSec connection.
IPSec enable: Enable IPSec on this connection.
Interface: Select the connection type (interface) that the IPSec connection uses.
IPSec Networking Type: Choose the networking mode: Site-to-Site or Remote Access.
Authentication Type: Only the pre-shared key option is available here.
PSK: The pre-shared key. It must be identical on both peers; because it is the only thing authenticating them, use a long random value rather than a short password.
Local ID Type: Choose Default, FQDN or ID as the local identity type.
Local WAN IP Address/FQDN: The WAN address (or FQDN) of the local device.
Remote ID Type: Choose Default, FQDN or ID as the remote identity type.
Remote WAN IP Address/FQDN: The WAN address (or FQDN) of the remote device that terminates the tunnel with the local device.
Local LAN IP Address/Subnet Mask Length: The local LAN network address and its subnet mask length (prefix length).
Remote LAN IP Address/Subnet Mask Length: The peer's LAN network address and its subnet mask length (prefix length).
Policy Protocol: The protocol the policy applies to: any or L2TP.
Encapsulated Mode: IPSec has two encapsulation modes, tunnel mode and transport mode. Transport mode keeps the original IP header and protects only the payload, so it secures end-to-end communication between the two IPSec endpoints themselves. Tunnel mode encrypts the whole original packet and adds a new IP header, so it protects some or all traffic between two sites whose gateways are the IPSec endpoints. Choose the mode according to the actual need; for GRE over IPSec, transport mode is sufficient when the GRE endpoints are the same devices as the IPSec endpoints, since GRE already supplies the outer header.
NAT Enable: Enable or disable NAT traversal for this connection; needed when a NAT device sits between the two IPSec endpoints.

The First Phase
Mode: Main mode or Aggressive mode. Aggressive mode finishes in three messages instead of six, but it sends the identities in the clear and, with a pre-shared key, exposes a hash of the PSK that can be attacked offline. Prefer Main mode unless the peer requires Aggressive mode (for example a dynamic-IP peer identified by FQDN).
Encryption Algorithm: Choose the encryption algorithm you need; if the list offers AES, prefer it over DES or 3DES.
Integrity Algorithm: SHA-1 or MD5. Of the two, choose SHA-1; MD5 is the weaker.
Diffie-Hellman (DH) Group: Choose one of the three DH groups offered. The group determines the strength of the key exchange; choose the largest group both peers support.
SA Lifetime of Phase 1: Lifetime of the Phase 1 (IKE) SA in seconds; 10800 (3 hours) by default and adjustable.
DPD: Enable or disable Dead Peer Detection; disabled by default. Enable it so that a tunnel whose peer has gone away is torn down and renegotiated instead of silently dropping traffic.

The Second Phase
Encryption Algorithm: Choose the encryption algorithm you need.
Integrity Algorithm: As in the first phase, SHA-1 or MD5.
SA Lifetime of Phase 2: Lifetime of the Phase 2 (IPSec) SA in seconds; 10800 by default and adjustable.
PFS: Enable or disable Perfect Forward Secrecy; enabled by default. With PFS a fresh Diffie-Hellman exchange is run for each Phase 2 SA, so compromise of the Phase 1 keys does not expose the keys of earlier Phase 2 SAs.
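As an added example (not code from the page or the vendor's product), the check below takes both peers' Phase 1 and Phase 2 settings in the shape of the table above, reports the mismatches that would stop the tunnel from coming up (including the PSK, compared in constant time), and flags the weak choices among the options the table lists: a short PSK, Aggressive mode with a PSK, MD5, DES/3DES, a small DH group, PFS off and DPD off. The field names, the finding codes and every configuration value are constructed assumptions for the illustration.

```python
"""Phase 1 / Phase 2 settings: will two peers negotiate, and are the choices weak?

Added example, not code from the original page or the vendor's device; the field
names mirror the page's parameter table and all values below are constructed.
"""
import hmac
from dataclasses import asdict, dataclass, replace
from typing import List


@dataclass(frozen=True)
class IpsecPeer:
    name: str
    psk: str
    p1_mode: str        # "main" or "aggressive"
    p1_encryption: str  # e.g. "des", "3des", "aes128", "aes256"
    p1_integrity: str   # "sha1" or "md5" on this device
    p1_dh_group: int    # IANA DH group number
    p1_lifetime: int    # seconds; page default 10800
    p2_encryption: str
    p2_integrity: str
    p2_lifetime: int    # seconds; page default 10800
    pfs: bool
    dpd: bool


# Settings both sides must set identically, or IKE proposal matching fails.
MUST_MATCH = ("p1_mode", "p1_encryption", "p1_integrity", "p1_dh_group",
              "p2_encryption", "p2_integrity", "pfs")


def negotiation_errors(a: IpsecPeer, b: IpsecPeer) -> List[str]:
    """Return the mismatches that would stop these two peers from bringing the tunnel up."""
    errors = []
    # Constant-time comparison so a check like this never leaks how much of a PSK matched.
    if not hmac.compare_digest(a.psk.encode(), b.psk.encode()):
        errors.append("PSK_MISMATCH")
    da, db = asdict(a), asdict(b)
    for field in MUST_MATCH:
        if da[field] != db[field]:
            errors.append(f"MISMATCH:{field}={da[field]!r}/{db[field]!r}")
    # Lifetimes need not be equal: the SA is simply rekeyed at the shorter of the two.
    return errors


def weaknesses(p: IpsecPeer) -> List[str]:
    """Flag choices among the page's options that a reviewer would push back on."""
    found = []
    if len(p.psk) < 20:
        found.append("SHORT_PSK")                   # the PSK is the only peer authentication
    if p.p1_mode == "aggressive":
        found.append("AGGRESSIVE_MODE_PSK")         # identity in the clear, PSK hash crackable offline
    for phase, alg in (("p1", p.p1_integrity), ("p2", p.p2_integrity)):
        if alg == "md5":
            found.append(f"MD5_INTEGRITY_{phase}")  # of SHA-1 and MD5, MD5 is the weaker
    for phase, alg in (("p1", p.p1_encryption), ("p2", p.p2_encryption)):
        if alg in ("des", "3des"):
            found.append(f"WEAK_CIPHER_{phase}")
    if p.p1_dh_group < 14:
        found.append("WEAK_DH_GROUP")               # below 2048-bit MODP; pick the largest offered
    if not p.pfs:
        found.append("PFS_DISABLED")                # Phase 1 key compromise would expose Phase 2 keys
    if not p.dpd:
        found.append("DPD_DISABLED")                # a dead peer leaves a blackholed tunnel up
    return found


# Constructed configurations: a hardened pair, a weak one, and a pair with a PSK typo.
HARDENED_A = IpsecPeer("device1", "k9Vq3zXp7mL2nRt8wYb4Hs6Fd1Gj5Ca0", "main", "aes256", "sha1", 14,
                       10800, "aes256", "sha1", 3600, pfs=True, dpd=True)
HARDENED_B = replace(HARDENED_A, name="device2")
WEAK = IpsecPeer("device1", "abc123", "aggressive", "3des", "md5", 2,
                 10800, "3des", "md5", 10800, pfs=False, dpd=False)
TYPO_B = replace(HARDENED_B, psk=HARDENED_A.psk[:-1] + "1")


def demo() -> dict:
    return {
        "hardened_pair_errors": negotiation_errors(HARDENED_A, HARDENED_B),  # []
        "hardened_weaknesses": weaknesses(HARDENED_A),                        # []
        "typo_pair_errors": negotiation_errors(HARDENED_A, TYPO_B),          # ["PSK_MISMATCH"]
        "weak_findings": weaknesses(WEAK),
        "mixed_pair_errors": negotiation_errors(HARDENED_A, replace(HARDENED_B, p1_dh_group=5)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it before bringing a new tunnel up: a mismatch list tells you which dropdown on which device differs (the device UI usually reports only that Phase 1 or Phase 2 failed), and the weakness list is the review checklist for the choices the table leaves to the operator.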