Ipsec sa setup modes, Ipsec tunnel, Ipsec stateful failover – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

349

Authentication algorithms and encryption algorithms

1.

Authentication algorithms
IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length
digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each
packet. If the resulting digests are identical, the packet is considered intact.
IPsec supports the following hash algorithms for authentication:

{

MD5, which takes a message of arbitrary length as input and produces a 128-bit message
digest.

{

SHA-1, which takes a message of a maximum length less than the 64th power of 2 in bits as
input and produces a 160-bit message digest.

Compared with SHA-1, MD5 is faster but less secure.

2.

Encryption algorithms
IPsec mainly uses symmetric encryption algorithms, which encrypt and decrypt data by using the
same keys. The following encryption algorithms are available for IPsec on the device:

{

Data Encryption Standard (DES), which encrypts a 64-bit plain text block with a 56-bit key.
DES is the least secure but the fastest algorithm. It is sufficient for general security requirements.

{

Triple DES (3DES), which encrypts plain text data with three 56-bit DES keys. The key length
totals up to 168 bits. It provides moderate security strength and is slower than DES.

{

Advanced Encryption Standard (AES), which encrypts plain text data with a 128-bit, 192-bit, or
256-bit key. AES provides the highest security strength and is slower than 3DES.

IPsec SA setup modes

There are two IPsec SA setup modes:

•

Manual mode. In this mode, you manually configure and maintain all SA settings. Advanced
features like periodical key update are not available. However, this mode implements IPsec

independently of IKE.

•

ISAKMP mode. In this mode, IKE automatically negotiates and maintains IPsec SAs for IPsec.

The WX series access controllers support only the ISAKMP mode—setting up SAs through IKE.

IPsec tunnel

An IPsec tunnel is a bidirectional channel created between two peers. An IPsec tunnel comprises one or
more pairs of SAs.

IPsec stateful failover

The IPsec stateful failover function enables hot backup of IPsec service data between two devices and is
usually deployed on two redundant gateways at the headquarters to improve the availability of IPsec

service.
The IPsec stateful failover function must work with the stateful failover feature and the Virtual Router

Redundancy Protocol (VRRP).
The two devices in IPsec stateful failover must join the same VRRP group to act as a single virtual device.

They use the virtual IP address of the virtual device to communicate with remote devices.
The IPsec stateful failover function can work only in standard VRRP mode. In this mode, the master

processes and forwards IPsec traffic, and the backup device only synchronizes IPsec service data with the
master. When the master fails, the backup immediately takes over to forward IPsec traffic. This switchover