Ipsec sa setup modes, Ipsec tunnel, Ipsec stateful failover – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Authentication algorithms and encryption algorithms

1. Authentication algorithms

IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. The IPsec peers each calculate a message digest for every packet. If the resulting digests are identical, the packet is considered intact.

IPsec supports the following hash algorithms for authentication:
• MD5, which takes a message of arbitrary length as input and produces a 128-bit message digest.
• SHA-1, which takes a message whose length is less than 2^64 bits as input and produces a 160-bit message digest.
Compared with SHA-1, MD5 is faster but less secure.
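The per-packet integrity check described above, as an added Python example that is not part of the H3C manual. IPsec applies these hashes in keyed form, as HMAC-MD5-96 and HMAC-SHA-1-96 (RFC 2403 and RFC 2404), and carries only the leftmost 96 bits of the digest as the Integrity Check Value; the authentication key and packet bytes below are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac

# Constructed sample values (not real IPsec keying material or traffic).
AUTH_KEY = bytes.fromhex("0b" * 20)                 # SA authentication key shared by both peers
PACKET = b"constructed ESP payload: sample packet bytes"

# HMAC-MD5-96 and HMAC-SHA-1-96 keep only the leftmost 96 bits (12 bytes)
# of the keyed digest as the Integrity Check Value carried in the packet.
ICV_LEN = 12


def full_digest(algorithm: str, key: bytes, data: bytes) -> bytes:
    """Keyed digest over the packet: 16 bytes for MD5, 20 bytes for SHA-1."""
    return hmac.new(key, data, getattr(hashlib, algorithm)).digest()


def compute_icv(algorithm: str, key: bytes, data: bytes) -> bytes:
    """Sender side: digest the packet and truncate to the 96-bit ICV."""
    return full_digest(algorithm, key, data)[:ICV_LEN]


def verify_icv(algorithm: str, key: bytes, data: bytes, icv: bytes) -> bool:
    """Receiver side: recompute the ICV and compare it in constant time."""
    return hmac.compare_digest(compute_icv(algorithm, key, data), icv)


def demo() -> dict:
    """Show the digest sizes and that any change to the packet or key is detected."""
    results = {}
    for algorithm in ("md5", "sha1"):
        icv = compute_icv(algorithm, AUTH_KEY, PACKET)
        tampered = PACKET[:-1] + bytes([PACKET[-1] ^ 0x01])   # flip one bit of the payload
        results[algorithm] = {
            "digest_bits": len(full_digest(algorithm, AUTH_KEY, PACKET)) * 8,
            "intact_ok": verify_icv(algorithm, AUTH_KEY, PACKET, icv),
            "tampered_ok": verify_icv(algorithm, AUTH_KEY, tampered, icv),
            "wrong_key_ok": verify_icv(algorithm, b"\x00" * 20, PACKET, icv),
        }
    return results


if __name__ == "__main__":
    for algorithm, outcome in demo().items():
        print(algorithm, outcome)
```

Both peers must hold the same key for the digests to match, which is why the comparison also rejects a packet authenticated under a different key; `hmac.compare_digest` avoids leaking how many leading ICV bytes matched.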
2. Encryption algorithms

IPsec mainly uses symmetric encryption algorithms, which encrypt and decrypt data with the same key. The following encryption algorithms are available for IPsec on the device:
• Data Encryption Standard (DES), which encrypts a 64-bit plaintext block with a 56-bit key. DES is the least secure but the fastest algorithm. It is sufficient for general security requirements.
• Triple DES (3DES), which encrypts plaintext data with three 56-bit DES keys. The key length totals 168 bits. It provides moderate security strength and is slower than DES.
• Advanced Encryption Standard (AES), which encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength and is slower than 3DES.
IPsec SA setup modes
There are two IPsec SA setup modes:
• Manual mode. In this mode, you manually configure and maintain all SA settings. Advanced features such as periodic key update are not available. However, this mode implements IPsec independently of IKE.
• ISAKMP mode. In this mode, IKE automatically negotiates and maintains the IPsec SAs.
The WX series access controllers support only the ISAKMP mode, in which SAs are set up through IKE.
IPsec tunnel
An IPsec tunnel is a bidirectional channel created between two peers. An IPsec tunnel comprises one or more pairs of SAs.
IPsec stateful failover
The IPsec stateful failover function enables hot backup of IPsec service data between two devices. It is usually deployed on two redundant gateways at the headquarters to improve the availability of the IPsec service.
The IPsec stateful failover function must work with the stateful failover feature and the Virtual Router Redundancy Protocol (VRRP).
The two devices in IPsec stateful failover must join the same VRRP group to act as a single virtual device. They use the virtual IP address of the virtual device to communicate with remote devices.
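A simplified model of the two ideas above, the IPsec tunnel as pairs of unidirectional SAs and the hot backup of SA state between the two VRRP gateways, as an added Python example that is not H3C's implementation. It assumes the remote peer rejects repeated sequence numbers (the standard ESP/AH anti-replay check, which the manual does not describe), and uses constructed addresses and SPIs; the class and function names are this example's own. Running `simulate(True)` against `simulate(False)` shows why the backup must hold the master's IPsec service data before it takes over the virtual IP address.

```python
import copy
from dataclasses import dataclass, field

REPLAY_WINDOW = 64   # assumed anti-replay window size for this model


@dataclass
class SecurityAssociation:
    """One unidirectional SA, identified by its SPI."""
    spi: int
    direction: str                         # "out" or "in"
    seq: int = 0                           # out: last seq sent; in: highest seq accepted
    seen: set = field(default_factory=set)  # in: sequence numbers already accepted


@dataclass
class IPsecTunnel:
    """A bidirectional tunnel between two peers: one or more pairs of SAs."""
    local: str
    remote: str
    sas: dict = field(default_factory=dict)   # spi -> SecurityAssociation

    def add_sa_pair(self, out_spi: int, in_spi: int) -> None:
        self.sas[out_spi] = SecurityAssociation(out_spi, "out")
        self.sas[in_spi] = SecurityAssociation(in_spi, "in")

    def send(self, out_spi: int) -> tuple:
        """Emit a packet on the outbound SA; returns (spi, seq) as the peer sees it."""
        sa = self.sas[out_spi]
        sa.seq += 1
        return (out_spi, sa.seq)

    def receive(self, spi: int, seq: int) -> bool:
        """Accept a packet unless it is a replay or falls behind the window."""
        sa = self.sas[spi]
        if seq in sa.seen or seq <= sa.seq - REPLAY_WINDOW:
            return False
        sa.seen.add(seq)
        sa.seq = max(sa.seq, seq)
        return True


class Gateway:
    """One of the two redundant gateways in the VRRP group."""

    def __init__(self, name: str, tunnel: IPsecTunnel):
        self.name = name
        self.tunnel = tunnel

    def sync_from(self, master: "Gateway") -> None:
        # Hot backup: take a copy of the master's IPsec service data (SA state).
        self.tunnel = copy.deepcopy(master.tunnel)


def simulate(sync_state: bool) -> dict:
    """Pass traffic through the master, fail over, and count what the peer accepts."""
    virtual_ip = "203.0.113.1"    # constructed: VRRP virtual address shared by both gateways
    peer_ip = "198.51.100.7"      # constructed: the remote IPsec peer
    gw_out_spi, gw_in_spi = 0x1001, 0x2001   # constructed SPIs for the one SA pair

    peer = IPsecTunnel(local=peer_ip, remote=virtual_ip)
    peer.add_sa_pair(out_spi=gw_in_spi, in_spi=gw_out_spi)
    master = Gateway("master", IPsecTunnel(local=virtual_ip, remote=peer_ip))
    backup = Gateway("backup", IPsecTunnel(local=virtual_ip, remote=peer_ip))
    for gateway in (master, backup):
        gateway.tunnel.add_sa_pair(out_spi=gw_out_spi, in_spi=gw_in_spi)

    # Master forwards five packets; the peer accepts them and records the sequence numbers.
    before = sum(peer.receive(*master.tunnel.send(gw_out_spi)) for _ in range(5))
    if sync_state:
        backup.sync_from(master)   # what IPsec stateful failover provides

    # Master fails; the backup takes over the virtual IP and keeps forwarding.
    after = sum(peer.receive(*backup.tunnel.send(gw_out_spi)) for _ in range(3))
    return {"accepted_before_failover": before, "accepted_after_failover": after}


if __name__ == "__main__":
    print("with state sync:   ", simulate(True))
    print("without state sync:", simulate(False))
```

Without the synchronized SA state, the backup restarts its outbound sequence counter, so the peer sees sequence numbers it has already accepted and discards the traffic even though the virtual IP address and the SA pair are unchanged.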
The IPsec stateful failover function can work only in standard VRRP mode. In this mode, the master processes and forwards IPsec traffic, and the backup device only synchronizes IPsec service data with the master. When the master fails, the backup immediately takes over to forward IPsec traffic. This switchover