Huawei firewall IPsec VPN configuration between headquarters and branches

Key points: IPsec VPN core technologies; IPsec VPN application
I. IPsec VPN core technologies:
1. Encryption:
1) IPsec is a framework that applies to both IPv4 and IPv6 and can be used to build a VPN (virtual private network);
2) Before IPsec sends a packet, the sender first transforms it with an encryption algorithm and an encryption key; this is called encryption. The receiver uses the same encryption algorithm and the same encryption key to restore the packet to its original form; this is called decryption. (The data path uses symmetric encryption.)
3) Symmetric encryption algorithms: DES, 3DES, AES. (DES and 3DES are obsolete and should not be selected for new deployments; use AES.)
2. Authentication (integrity check):
1) Before IPsec sends a packet, the sender processes it with an authentication algorithm and an authentication key to obtain a signature (a keyed hash, the integrity check value), and sends the signature together with the packet. The receiver processes the received packet with the same authentication algorithm and authentication key (the hash), obtains its own signature, and compares it with the signature carried in the packet; if they are the same, the packet has not been tampered with in transit.
2) Authentication algorithms: MD5, SHA1, SHA2. (MD5 and SHA1 are deprecated; prefer SHA2.)
3. IPsec security protocols: AH provides authentication only and cannot encrypt; ESP provides both encryption and authentication. AH and ESP can be used alone or together.
4. The two IPsec encapsulation modes:
1) Tunnel mode: the AH or ESP header is inserted in front of the original IP header, and a new IP header is generated in front of the AH/ESP header, so the whole original packet is encapsulated as payload. The source and destination addresses of the new IP header are the public addresses of the two tunnel endpoints. This mode is suitable for establishing an IPsec tunnel between two gateways and is the commonly used encapsulation mode.
2) Transport mode: the AH or ESP header is inserted between the IP header and the transport-layer protocol header; the source and destination addresses of the IP header are not changed, so the tunnel endpoints are the final source and destination of the communication. It can only protect the packet itself, not a network behind a gateway, and therefore only applies to communication between two hosts.
5. Security Association: SA
1) The secure connection established between two IPsec peers is called an SA: both sides use the same encapsulation mode, encryption algorithm, encryption key, authentication algorithm and authentication key. An SA is a unidirectional logical connection, so to protect traffic in both directions an SA must be established in each direction. Every SA is identified by a unique SPI (Security Parameter Index; strictly, the SPI together with the destination address and the security protocol, AH or ESP).
2) SA direction: outbound and inbound. The outbound SA of one end is the inbound SA of the other end.
6. IKE and ISAKMP: key management
1) ISAKMP (Internet Security Association and Key Management Protocol) defines the process of establishing the main association (the IKE SA) between IKE peers;
2) The core of the Oakley and SKEME protocols is the DH (Diffie-Hellman) algorithm, which is used on the Internet to distribute keys securely and to authenticate peers so that data is transmitted securely;
3) The DH algorithm provides the encryption keys and authentication keys needed by the IKE SA and the IPsec SAs, and refreshes them dynamically;
4) The ultimate goal of IKE is to dynamically negotiate IPsec SAs between headquarters and branches and to maintain those IPsec SAs in real time;
5) IKE (Internet Key Exchange) comes in two versions, v1 and v2;
6) IPsec security protocol framework:
security protocols: ESP (encryption + authentication), AH (authentication)
encryption: DES, 3DES, AES (symmetric encryption algorithms)
authentication: MD5, SHA (hash algorithms)
key exchange: IKE (ISAKMP, DH)
II. IPsec VPN application:
1. IPsec coexisting with NAT on the firewall:
1) Problem: IPsec requires the protected packet to stay intact (the addresses it matched and authenticated must not change), while NAT must rewrite the source or destination address; the two conflict when source NAT is applied to traffic that should enter the tunnel.
2) Solution: configure a NAT policy that performs no address translation (no-nat) for the IPsec traffic, give it higher priority than the other NAT policies, and make the traffic range it defines a subset of the range matched by the other policies.
3) IPsec coexisting with nat server: specify the no-reverse parameter when configuring nat server, so that no reverse entry is generated in the server-map and the server's traffic towards the branch is not translated.
2. Approach to configuring the IPsec security policy:
1) Set the default packet-filter action to permit: firewall packet-filter default permit all
2) Configure IPsec, initiate traffic, analyze the session table, and write the security policy rules from the sessions it shows;
3) Set the default packet-filter action back to deny: firewall packet-filter default deny all
(While step 1 is in effect every inter-zone flow is allowed, so do this in a change window and return to deny as soon as the rules are written.)
3. Common IPsec scenarios:
1) Mobile users remote access with L2TP over IPsec: configure L2TP -> ACL -> IPsec -> client dial-in;
2) Site-to-site IPsec VPN between headquarters and branches: configure IP addresses, routing and security zones -> configure NAT and NAT/IPsec coexistence -> IPsec VPN phase 1: create an IKE proposal, create an IKE peer -> IPsec VPN phase 2: create an IPsec proposal, create an ACL that defines the interesting traffic, create an IPsec policy, apply the IPsec policy on the external (public-facing) interface -> configure the inter-zone security policies.
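An added, end-to-end example (not from the original post) that puts the site-to-site procedure above together with the NAT coexistence rule and the security-policy method from sections 1 and 2, for the headquarters side on a USG6000-series firewall with the V1R1-style `security-policy` / `nat-policy` CLI. All addresses, interface and zone memberships, object names and the pre-shared key are assumed for illustration; lines beginning with `#` followed by text are annotations, not commands, and must be removed before pasting. The `firewall packet-filter default ...` commands quoted on this page belong to the older USG2000/5000 CLI; on the USG6000 the equivalent is `default action` under `security-policy`, which is what is used here. Exact keywords differ between software versions, so check them against the release your device runs.

```text
# Topology (assumed): HQ LAN 10.1.0.0/16 in zone trust; GE1/0/1 198.51.100.1/24
# in zone untrust, next hop 198.51.100.254; branch public address 203.0.113.2,
# branch LAN 10.2.0.0/16.

# --- Phase 1: IKE proposal and IKE peer (strong algorithms, not DES/3DES/MD5) ---
ike proposal 10
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
 dh group14
 authentication-method pre-share
#
ike peer branch1
 ike-proposal 10
 pre-shared-key Example-PSK-change-me
 remote-address 203.0.113.2
#
# --- Phase 2: IPsec proposal, interesting traffic (ACL), IPsec policy ---
ipsec proposal prop1
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
acl number 3000
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.2.0.0 0.0.255.255
#
ipsec policy hq_map 10 isakmp
 security acl 3000
 ike-peer branch1
 proposal prop1
#
# --- Apply the policy on the external interface; route the branch LAN out of it ---
interface GigabitEthernet1/0/1
 ip address 198.51.100.1 255.255.255.0
 ipsec policy hq_map
#
ip route-static 10.2.0.0 255.255.0.0 198.51.100.254
#
# --- NAT coexistence: the no-nat rule is listed first so it is matched first,
#     and its source/destination range is a subset of the general source-NAT rule ---
nat-policy
 rule name no_nat_to_branch1
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address 10.2.0.0 mask 255.255.0.0
  action no-nat
 rule name snat_internet
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.0.0
  action source-nat easy-ip
#
# --- Security policy, written from the session table and then closed with deny:
#     local<->untrust for the IKE/ESP negotiation between the two gateways,
#     trust<->untrust for the LAN-to-LAN traffic carried inside the tunnel ---
security-policy
 rule name ike_esp_in
  source-zone untrust
  destination-zone local
  source-address 203.0.113.2 mask 255.255.255.255
  destination-address 198.51.100.1 mask 255.255.255.255
  action permit
 rule name ike_esp_out
  source-zone local
  destination-zone untrust
  source-address 198.51.100.1 mask 255.255.255.255
  destination-address 203.0.113.2 mask 255.255.255.255
  action permit
 rule name hq_to_branch1
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address 10.2.0.0 mask 255.255.0.0
  action permit
 rule name branch1_to_hq
  source-zone untrust
  destination-zone trust
  source-address 10.2.0.0 mask 255.255.0.0
  destination-address 10.1.0.0 mask 255.255.0.0
  action permit
 default action deny
#
# --- Checks after sending traffic from the HQ LAN to the branch LAN ---
display ike sa
display ipsec sa
display firewall session table
```

The branch side mirrors this with the addresses swapped (its ACL permits 10.2.0.0/16 to 10.1.0.0/16 and its IKE peer points at 198.51.100.1). `display ike sa` should show the IKE SA and `display ipsec sa` one inbound and one outbound SA per direction with distinct SPIs, which is the unidirectional-SA point from section 5; if the session table shows the tunnel traffic leaving with a translated source address, the no-nat rule is either below the source-NAT rule or does not cover the ACL range. The two gateway rules can be narrowed further to UDP 500/4500 and ESP once the session table confirms those are the only flows between the peers.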

Origin blog.51cto.com/14381205/2406354