Negotiation modes, Ipsec tunnel, Ipsec tunnel interface – H3C Technologies H3C SecPath F1000-E User Manual

Negotiation modes
There are two negotiation modes for setting up an SA:
• Manual mode: In this mode, all information that an SA needs must be configured manually. The configuration is relatively complex and some advanced features like periodical key update are not supported. However, this mode implements IPsec independently of IKE.
• IKE negotiation mode (ISAKMP): In this mode, the configuration is much easier because SAs can be set up and maintained through IKE negotiation as long as the information for IKE negotiation is configured properly.
Manual mode applies to scenarios with a small number of peer devices and few changes. For medium-
to large-sized environments, IKE negotiation mode is recommended.
IPsec tunnel
An IPsec tunnel is a bidirectional channel created between two peers. An IPsec tunnel consists of one or
more pairs of SAs.
IPsec Tunnel Interface
IPsec tunnel interface overview
An IPsec tunnel interface is a Layer 3 logical interface. It supports dynamic routing. All packets including
multicast packets that are routed to an IPsec tunnel interface will be IPsec protected.
Implementing an IPsec tunnel with IPsec tunnel interfaces features the following advantages:
• Simplified configuration: This mode is easier to configure than the much more complex ACL mode, which uses ACLs to define the flows to be protected. This mode makes the IPsec configuration flexible, improves network scalability, and reduces the maintenance cost.
• Reduced payload: Compared with the tunnel mode of IPsec over GRE and IPsec over L2TP, in which a GRE header or L2TP header is added to each packet, the IPsec over IPv4 tunnel mode requires less protocol overhead and consumes less bandwidth.
• Flexible feature application: Owing to IPsec tunnel interfaces, two distinct phases exist: the pre-encryption phase and the post-encryption phase. This separation allows you to apply features such as NAT and QoS in the proper phase as required. For example, if you want to apply QoS to packets before IPsec encapsulation, apply the QoS policy to the IPsec tunnel interface; if you want to apply QoS to IPsec packets, apply the QoS policy to the physical interface.
Operation of the IPsec tunnel interface
IPsec encapsulation and de-encapsulation occur on IPsec tunnel interfaces. shows how a cleartext packet arriving at a router is forwarded to the IPsec tunnel interface, encapsulated, and forwarded out.
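The following is an added model, not H3C code or configuration from this manual, of the packet path described in the "Flexible feature application" advantage and in the operation section above: a cleartext packet routed to the tunnel interface is ESP-encapsulated there (pre-encryption phase) and then leaves through the physical interface (post-encryption phase). It shows why a port-based QoS policy attached to the tunnel interface can classify the flow while the same policy attached to the physical interface sees only the outer ESP packet, and it compares the per-packet overhead of the IPv4 tunnel against IPsec over GRE. The tunnel endpoint addresses, the VoIP port, the packet sizes and the ESP header/trailer sizes are constructed assumptions (no IV or padding is modelled).

```python
"""Model of the IPsec tunnel interface packet path (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

IP_HDR = 20   # IPv4 header, bytes
GRE_HDR = 4   # minimal GRE header, bytes (constructed: no key/sequence fields)
ESP_HDR = 8   # ESP SPI + sequence number
ESP_TRL = 14  # pad length + next header + 12-byte ICV (constructed SA parameters)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "udp", "tcp", "esp"
    dscp: int = 0
    sport: Optional[int] = None
    dport: Optional[int] = None
    length: int = IP_HDR            # total packet length in bytes
    inner: Optional[Packet] = None  # present only after ESP encapsulation


def esp_encapsulate(pkt: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """Tunnel interface step: wrap the whole cleartext packet in ESP tunnel mode.

    The inner header (and so the ports) becomes encrypted payload; only the
    outer IP header and the ESP SPI/sequence remain visible. DSCP is copied to
    the outer header in this model.
    """
    return Packet(src=tunnel_src, dst=tunnel_dst, proto="esp", dscp=pkt.dscp,
                  length=IP_HDR + ESP_HDR + pkt.length + ESP_TRL, inner=pkt)


def ipsec_over_gre_length(pkt: Packet) -> int:
    """Same packet carried as IPsec over GRE: a GRE header and its delivery IP
    header are added before ESP encapsulation, on top of the IPsec overhead."""
    return IP_HDR + ESP_HDR + (IP_HDR + GRE_HDR + pkt.length) + ESP_TRL


def qos_queue(pkt: Packet) -> str:
    """A port-based QoS classifier: SIP signalling (UDP 5060, constructed
    choice) goes to the priority queue, everything else is best effort."""
    if pkt.proto == "udp" and pkt.dport == 5060:
        return "priority"
    return "best-effort"


def forward(pkt: Packet, qos_phase: str) -> tuple[Packet, list[tuple[str, str]]]:
    """Walk a cleartext packet through both phases.

    qos_phase selects where the QoS policy is attached: "tunnel" applies it on
    the IPsec tunnel interface before encapsulation, "physical" applies it on
    the physical interface after encapsulation. Returns the outgoing ESP packet
    and a trace of (interface, queue) decisions.
    """
    trace: list[tuple[str, str]] = []
    if qos_phase == "tunnel":
        trace.append(("tunnel-interface", qos_queue(pkt)))     # pre-encryption phase
    outer = esp_encapsulate(pkt, "203.0.113.1", "203.0.113.2")  # constructed endpoints
    if qos_phase == "physical":
        trace.append(("physical-interface", qos_queue(outer)))  # post-encryption phase
    return outer, trace


if __name__ == "__main__":
    voip = Packet(src="10.1.1.10", dst="10.2.2.20", proto="udp", dscp=46,
                  sport=5060, dport=5060, length=188)
    for phase in ("tunnel", "physical"):
        outer, trace = forward(voip, phase)
        print(phase, trace, "outer length:", outer.length)
    print("extra bytes for IPsec over GRE:", ipsec_over_gre_length(voip) - outer.length)
```

Running the block shows the policy on the tunnel interface placing the SIP packet in the priority queue, while the same policy on the physical interface falls back to best effort because the ESP packet exposes no ports; the GRE variant costs an additional IP-plus-GRE header per packet.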