Ipsec sa setup modes, Ipsec tunnel, Ipsec rri – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length
digest for an arbitrary-length message. IPsec peers calculate message digests for each packet. If
the resulting digests are identical, the packet is considered intact.
IPsec supports the following hash algorithms for authentication:
• MD5—Takes a message of arbitrary length as input and produces a 128-bit message digest.
• SHA-1—Takes a message of fewer than 2^64 bits as input and produces a 160-bit message digest.
Compared with SHA-1, MD5 is faster but less secure.
• Encryption algorithms
IPsec mainly uses symmetric encryption algorithms, which encrypt and decrypt data by using the
same keys. The following encryption algorithms are available for IPsec on the device:
• DES—Encrypts a 64-bit plain text block with a 56-bit key. DES is the least secure but the fastest algorithm. It is sufficient for general security requirements.
• 3DES—Encrypts plain text data with three 56-bit DES keys. The key length totals up to 168 bits. It provides moderate security strength and is slower than DES.
• AES—Encrypts plain text data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength and is slower than 3DES.
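The integrity check described above, worked through as an added example (not code from the H3C manual or device): IPsec applies MD5 and SHA-1 in keyed HMAC form and carries only the leading 96 bits of the result as the packet's Integrity Check Value (HMAC-MD5-96 and HMAC-SHA-1-96, RFC 2403/2404). The key, packet bytes and tampered variant below are constructed for the illustration; in a real deployment the key comes from manual configuration or IKE negotiation.

```python
import hashlib
import hmac
import os

# Constructed sample inputs: a shared authentication key and a pretend ESP payload.
SAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")
SAMPLE_PACKET = b"constructed ESP payload: src=10.0.0.1 dst=192.168.2.10 data=hello"

# Digest lengths the manual gives for each hash algorithm, in bits.
DIGEST_BITS = {"md5": 128, "sha1": 160}

# IPsec truncates the HMAC to 96 bits before attaching it as the ICV.
ICV_BITS = 96


def compute_icv(algorithm: str, key: bytes, packet: bytes) -> bytes:
    """Return the 96-bit ICV the sending peer attaches to a packet."""
    full_digest = hmac.new(key, packet, getattr(hashlib, algorithm)).digest()
    assert len(full_digest) * 8 == DIGEST_BITS[algorithm]
    return full_digest[: ICV_BITS // 8]


def verify_icv(algorithm: str, key: bytes, packet: bytes, received_icv: bytes) -> bool:
    """Receiving peer recomputes the ICV and compares it in constant time,
    so an attacker cannot learn the correct value byte by byte from timing."""
    expected = compute_icv(algorithm, key, packet)
    return hmac.compare_digest(expected, received_icv)


def demo(algorithm: str) -> dict:
    """Show that an intact packet passes while a modified packet or a wrong key fails."""
    icv = compute_icv(algorithm, SAMPLE_KEY, SAMPLE_PACKET)
    # Constructed tampering: the destination host inside the payload is changed in transit.
    tampered = SAMPLE_PACKET.replace(b"192.168.2.10", b"192.168.2.99")
    return {
        "digest_bits": DIGEST_BITS[algorithm],
        "icv_bytes": len(icv),
        "intact_accepted": verify_icv(algorithm, SAMPLE_KEY, SAMPLE_PACKET, icv),
        "tampered_accepted": verify_icv(algorithm, SAMPLE_KEY, tampered, icv),
        "wrong_key_accepted": verify_icv(algorithm, os.urandom(20), SAMPLE_PACKET, icv),
    }


if __name__ == "__main__":
    for alg in DIGEST_BITS:
        print(alg, demo(alg))
```

Both algorithms yield the same 12-byte ICV on the wire; the difference the manual points to is in the strength of the underlying hash, not in the size of what is transmitted.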
IPsec SA setup modes
There are two IPsec SA setup modes:
• Manual mode—In this mode, you must manually configure and maintain all SA settings. Advanced features like periodical key update are not available. However, this mode implements IPsec independently of IKE.
• ISAKMP mode—In this mode, IKE negotiates and maintains IPsec SAs for IPsec automatically.
If the number of IPsec tunnels in your network is small, use the manual mode. If the number of IPsec
tunnels is large, use the ISAKMP mode.
The Web interface supports only the ISAKMP mode.
IPsec tunnel
An IPsec tunnel is a bidirectional channel created between two peers. An IPsec tunnel comprises one or
more pairs of SAs.
IPsec RRI
With IPsec Reverse Route Inject (RRI), an IPsec tunnel gateway can automatically add static routes
destined for its peer IPsec tunnel gateways to a routing table.
IPsec RRI frees you from the tedious work of manually configuring and maintaining static routes for IPsec
tunnels. For example, if you enable RRI on Device A in
, Device A can automatically create a
static route to branch network 192.168.2.0/24 for the IPsec protected traffic from the headquarters to the
branch. You do not need to add the route manually.
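A model of the RRI behaviour described above, added here as an example and not taken from the H3C device or manual. The branch subnet 192.168.2.0/24 is the one in the text; the gateway addresses and the rule that a route stays until the last SA pair for that prefix is gone are assumptions made for the illustration (the manual says only that a tunnel comprises one or more SA pairs).

```python
import ipaddress
from collections import defaultdict

# Constructed addresses for the illustration; only the branch subnet is from the manual.
HQ_GATEWAY = "203.0.113.1"
BRANCH_GATEWAY = "203.0.113.2"
BRANCH_SUBNET = "192.168.2.0/24"


class RriGateway:
    """Model of an IPsec tunnel gateway that injects reverse routes.

    routes maps a destination prefix to the peer gateway used as next hop.
    sa_count records how many active SAs justify each route: one IPsec
    tunnel may consist of several SA pairs, so the route is withdrawn only
    when none of them remains (an assumption of this model).
    """

    def __init__(self, name: str):
        self.name = name
        self.routes = {}
        self.sa_count = defaultdict(int)

    def sa_up(self, peer_gateway: str, protected_subnet: str) -> bool:
        """Called when an SA protecting traffic to protected_subnet comes up.
        Returns True if a new static route was injected."""
        prefix = ipaddress.ip_network(protected_subnet)
        self.sa_count[prefix] += 1
        if prefix in self.routes:
            return False
        self.routes[prefix] = peer_gateway
        return True

    def sa_down(self, peer_gateway: str, protected_subnet: str) -> bool:
        """Called when an SA is deleted. Returns True if the route was withdrawn."""
        prefix = ipaddress.ip_network(protected_subnet)
        if self.sa_count[prefix] == 0 or self.routes.get(prefix) != peer_gateway:
            return False
        self.sa_count[prefix] -= 1
        if self.sa_count[prefix] == 0:
            del self.routes[prefix]
            return True
        return False

    def next_hop(self, dst: str):
        """Longest-prefix match over the injected static routes; None if no route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, gateway in self.routes.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, gateway)
        return best[1] if best else None


def demo() -> list:
    """Walk the SA lifecycle on Device A and record the route to a branch host at each step."""
    device_a = RriGateway("Device A")
    trace = [device_a.next_hop("192.168.2.10")]       # no SA yet: no route
    device_a.sa_up(BRANCH_GATEWAY, BRANCH_SUBNET)     # first SA pair: route injected
    device_a.sa_up(BRANCH_GATEWAY, BRANCH_SUBNET)     # second SA pair, same prefix: route reused
    trace.append(device_a.next_hop("192.168.2.10"))   # via the branch gateway
    device_a.sa_down(BRANCH_GATEWAY, BRANCH_SUBNET)   # one SA pair remains: route stays
    trace.append(device_a.next_hop("192.168.2.10"))
    device_a.sa_down(BRANCH_GATEWAY, BRANCH_SUBNET)   # last SA pair gone: route withdrawn
    trace.append(device_a.next_hop("192.168.2.10"))
    return trace


if __name__ == "__main__":
    print(demo())
```

The point of tying injection and withdrawal to SA state is that a route to the branch never outlives the SA that protects traffic to it, which is what removes the manual route maintenance the manual describes.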