Huawei v200r001 5.2 Configuring IKE

User Manual - Configuration Guide (Volume 3)

Versatile Routing Platform Chapter 5

Configuration of IKE

5-2

5.2 Configuring IKE

5.2.1 IKE Configuration Task List

IKE configuration task list is as follows:

z Create IKE security policy

z Select encryption algorithm

z Select authentication algorithm

z Configure pre-shared key

z Select hashing algorithm

z Select DH group ID

z Set IKE negotiation SA lifetime

5.2.2 Creating IKE Security Policy

I. Why these policies should be created?

IKE negotiation must be protected, so each IKE negotiation begins when each terminal

comes to the public (shared) IKE policy, which describes which security parameter to

use to protect subsequent IKE negotiation.

When two terminals come to a policy, the security parameters of this policy are

identified by SA established by each terminal, and these SAs appl y to all s ubsequ ent

IKE communication during negotiation. Multiple policies with prior ity must be cr eated

on each terminal so as to ensure that at least one policy can match that of the rem ote

terminal.

II. Parameters to be defined in policy

z Encryption algorithm: at present, it includes only 56-bit DES-CBC (DES-Ci pher

Block Chaining)

z Hashing algorithm: SHA-1(HMAC anamorphosis) or MD5 (HMAC anamor phosis)

algorithm

z Authentication method: RSA signature or RSA real-time encryption

z Diffie-Hellman group ID

z SA lifetime

III. How to form matched policy

When IKE negotiation begins, IKE looks for a kind of IKE policy, which is consistent at

both terminals. The terminal that originates negotiation sends all its policies to the

remote terminal, and the latter will try to find a matched policy by comparing its policies

with highest priorities with those received from the former. When the policies from the

two terminals include the same encryption, hashing, authentication a nd Diffie-Hellman

parameters and when the specified lifetime of the policy from the remote terminal is

shorter than or equal to the compared policy lifetime, the m atching selection is made (if

no lifetime is specified, the shorter one of the remote terminal policy will be used). If no

acceptable matched policy is found, IKE refuses to negotiate and will not establish

IPSec. If a matched policy is found, IKE will complete negotiation then create IPSec

security tunnel.

IV. Create IKE policy

The following should be clear before IKE configuration:

Contents

Main HUAWEI VRP User Manual Configuration Guide Copyright 2001 by Huawei Technologies Co., Ltd. All Rights Reserved Trademarks Notice Huawei Technologies Co., Ltd. About This Manual Contents Target Readers Conventions Used in the Document Keyboard operation Mouse operation Symbol Page Chapter 5 Configuration of IKE 5.1 Brief Introduction to IKE Protocol I. IKE II. IKE features 5.2 Configuring IKE 5.2.1 IKE Configuration Task List 5.2.2 Creating IKE Security Policy I. Why these policies should be created? II. Parameters to be defined in policy 5.2.3 Select Encryption Algorithm 5.2.4 Select Authentication Algorithm 5.2.5 Set Pre-shared Key 5.2.6 Select Hashing Algorithm 5.2.7 Select DH Group ID 5.2.8 Set Lifetime of IKE Association SA 5.3 Monitoring and Maintenance of IKE 5.4 Typical Configuration of IKE 5.5 IKE Fault Diagnosis and Troubleshooting Page Page Page Chapter 1 VPN Overview 1.1 VPN features 1.2 Classification of IP VPN I. According to operation mode II. According to the layer where the tunnel is III. According to service purpose IV. According to networking model Chapter 2 Configuration of L2TP 2.1 Brief Introduction to L2TP Protocol 2.1.1 Overview of VPDN I. Brief induction to VPDN II. Operation principle of VPDN 2.1.2 L2TP Protocol I. Tunnel and session II. Control message and data message III. Two typical L2TP tunnel modes Figure VPN-2-2 Two typical L2TP tunnel modes IV. Call setup flow of L2TP tunnel Call setup flow of L2TP channel is shown in the following: V. Features of L2TP protocol 2.2 Configuring L2TP 2.2.1 L2TP Configuration Task List I. Configuration at LAC side II. Configuration at LNS side III. Optional configuration II. Create VPDN group III. Set user name and password and configure user au thentication IV. Set the connection request to originate L2TP channel. 2.2.3 Configuring at LNS Side I. Enable/disable VPDN II. Create VPDN group III. Create/delete virtual interface template IV. Set receiving the connection request to originate L2TP channel 2.2.4 Optional configuration I. Set local name of channel II. Start channel authentication and set authentication password III. Force local end to perform CHAP authentication IV. LNS forces LCP to renegotiate V. Set domain name delimiter and search sequence VI. Set the size of receiving window of channel flow control. VII. Enable/disable hiding AV pairs VIII. Force to disconnect tunnel 2.3 Monitoring and Maintenance of L2TP 2.4 Typical Configuration of L2TP 2.4.1 NAS-Initialized VPN Page 2.4.2 Client-Initialized VPN 2.4.3 Single User Interconnects Headquarters via Router Page 2.5 Fault Diagnosis of L2TP Chapter 3 Configuration of GRE 3.1 Brief Introduction to GRE Protocol I. Brief introduction to the protocol II. Applicable range 3.2 Configuring GRE 3.2.1 GRE Configuration Task List 3.2.2 Creating Virtual Tunnel Interface 3.2.3 Setting the Source Address of Tunnel Interface 3.2.4 Setting the Destination Address of Tunnel Interface 3.2.5 Setting the Network Address of Tunnel Interface 3.2.6 Setting the Encapsulation Mode of Tunnel Interface Message 3.2.7 Setting the Identification Key Word of Tunnel Interface 3.2.8 Setting Tunnel Interface to Check with Check Sum 3.2.9 Setting Tunnel Interface to Synchronize Datagram Serial Number 3.3 Monitoring and Maintenance of GRE 3.4 Typical Configuration of GRE Page 3.5 Troubleshooting GRE Page Page Chapter 1 Configuration of Backup Center 1.1 Backup Center Overview 1.2 Configuring the Backup Center 1.2.1 Configuration Task List 1.2.2 Entering the Configuration Mode of the Main Interface to be Backed Up 1.2.3 Specifying Backup Interface and Priority Used by the Main Interface 1.2.4 Setting Delay Time for Switchover Between Main and Backup Interface 1.2.5 Setting State-Judging Conditions for Logic-Channel Main Interface 1.2.6 Setting State-Judging Conditions for Logic-Channel Backup Interface 1.2.7 Configuring Routes for Main and Backup Interfaces 1.3 Monitoring and Maintaining of Backup Center 1.4 Typical Configuration of Backup Center 1.4.1 An example of Backup Between Interfaces 1.4.2 An Example of Multiple Backup Interfaces 1.4.3 An Example of Logical Channel Backup Interface 1.4.4 An Example of Multiple Backup Interfaces with a Logical Channel Page Chapter 2 Configuration of HSRP 2.1 HSRP Overview 2.2 Configuring HSRP 2.2.1 Configuration Task List 2.2.2 Starting HSRP Function 2.2.3 Setting Routers Priority in HSRP Hot Standby Group 2.2.4 Setting Routers Preemption Mode in HSRP Standby Group 2.2.5 Setting HSRP Authorization Word 2.2.6 Setting HSRP Timer 2.2.7 Monitoring the Specified Interface 2.2.8 Using Actual Interface MAC Address 2.2.9 Modifying Virtual MAC Address 2.3 Monitoring and Maintaining HSRP Quidway# 2.4 Typical Configurations of HSRP 2.4.1 An example for single hot standby group configuration Page 2.4.2 An example for setting HSRP to monitor a specified interface 2.4.3 An example for multiple hot standby groups configuration 2.5 Fault Diagnosis and Troubleshooting of HSRP Page Page Chapter 1 QoS Overview 1.1 About QoS 1.2 Three service types of QoS I. Best-effort Service II. Integrated Service 1.3 Functions of QoS Page Chapter 2 Traffic Classification and Policing 2.1 Traffic Classification and Policing 2.1.1 Introduction to Traffic Classification I. IP Precedence II. CAR (Committed Access Rate) 2.1.2 Introduction to Traffic Policing I. Features of Token Bucket Forward Classify Packet to be transmitted Drop Put Token into Token Bucket at specified speed 2.1.3 Introduction to CAR 2.2 CAR Configuration 2.2.1 CAR Configuration Task List 2.2.2 Specify CAR rules 2.2.3 Apply the CAR Rule on the Interface 2.2.4 Monitoring and Maintenance of CAR Quidway# Quidway 2.3 CAR Configuration Example 2.3.1 Applying CAR Rules to All Packets II. Networking diagram II. Configuration 2.3.2 Apply CAR Rules to Packets Which is Matched the ACL 2.3.3 Configure CAR Rules Based on the Priority Level II. Networking diagram 2.3.4 Configure CAR Rules Based on the MAC Address Page Chapter 3 Congestion Management 3.1 Congestion and Congestion Management 3.1.1 About Congestion 3.1.2 Congestion Management Policy I. FIFO Queuing II. PQ (Priority Queuing) III. CQ (Custom Queuing) IV. WFQ (Weighted Fair Queuing) 3.1.3 Selecting Congestion Management Policy Table QC-3-1 Comparison table of congestion management policies 3.1.4 Working Principle of Congestion Management Policy I. FIFO II. PQ III. CQ IV. WFQ 3.2 Configuration of Congestion Management 3.2.1 Configuring PQ I. PQ Configuration task list II. Configuring priority queue Page III. Applying priority queue to the interface IV. Maintaining and monitoring the priority queue 3.2.2 Configuring CQ I. CQ configuration task list II. Configuring the custom queue Page III. Applying custom queue to the interface IV. Maintaining and monitoring the custom queue 3.2.3 Configuring WFQ I. WFQ configuration task list II. Configuring the weighted fair queue III. Maintenance and monitoring of the weighted fair queue Quidway 3.3 Configuration Example of Congestion Management 3.3.1 PQ Configuration Example 3.3.2 CQ Configuration Example Page Page 3.4 Troubleshooting of Congestion Management Page Page Page Chapter 1 DDR Configuration 1.1 Brief Introduction to Dial Configuration z Legacy DDR (Legacy DDR): a DDR configuration mode as compared with the 1.2 Introduction to DDR Technology 1.3 Preparing DDR Configuration 1.4 Configuring DDR 1.4.1 Configuring Legacy DDR I. The configuration tasks of Legacy DDR include: II. Configure an interface to send calls Page Page III. Configure an interface to receive calls IV. Configure an interface to send and receive calls V. Set the attribute parameters of Legacy DDR Page Page 1.4.2 Configuring Dialer Profile I. Introduction to Dialer Profile II. Configuration task list of Dialer Profile III. Configure a logic dial interface IV. Set the attribute parameters of a dial interface V. Bind physical interfaces for a dialer pool 1.4.3 Configuring Callback I. The significance of callback II. Terms and abbreviations III. Functions implemented by callback IV. Configure ISDN calling line identification callback V. Configure PPP callback Page Table DC-1-28 Client end using Legacy DDR to configure PPP Table DC-1-30 Client end using Dialer Profile to configure PPP callback 1.4.4 Configuring DDR Special Functions I. Configure ISDN dedicated line II. Configure autodial III. Configure cyclic use of dialer map 1.5 Monitoring and Maintenance of DDR 1.6 DDR Typical Configuration Example 1.6.1 Legacy DDR I. Network requirements Page 1.6.2 Dialer Profile Page 1.6.3 Point-to-Point DDR Page Page 1.6.4 Point-to-Multipoint DDR Page Page 1.6.5 Multipoint-to-Multipoint DDR Page Page Page Page Page 1.6.6 DDR Bearing IPX Page Page Page 1.6.7 DDR Bearing IP and IPX at the Same Time Page Page Page 1.6.8 Flow Control of Dialer Profile (MP over Dialer Profile)-Case 1 Page 1.6.9 B Channels for Dial-up and Connection to the Remote End - Case 2 Page 1.6.10 Two Serial Ports for Dial-up and Remote Dial Connection Case 3 1.6.11 One Serial Port for Dial-up and Remote Dial Connection Case 4 Page 1.6.12 DDR for Access Service Page Page Page Page 1.6.13 DDR for Inter-Router Callback Page 1.6.14 DDR in Which the Router Calls Back PC Page 1.6.15 DDR for Autodial 1.6.16 DDR Using Dialer Map Cyclically 1.6.17 DDR Using Dialer Map as Backup Page 1.7 Precautions for DDR Configuration 1.7.1 Configuring Dialer-group 1.7.2 Configuring Synchronous/Asynchronous Serial Port Using DDR 1.7.3 Configuring Network Layer Address 1.7.4 Configuring PPP In Dialer Profile Configuration Mode I. Apply PAP authentication Page II. Apply CHAP authentication Page 1.7.5 Configuring PPP In Legacy DDR Configuration Mode I. Apply PAP authentication Page II. Apply CHAP authentication Page 1.7.6 Configure Dialer-list 1.8 Troubleshooting DDR 1.8.1 DDR Fault Diagnosis I. Whether modem is normal II. Check whether network layer address is configured at relevant interface III. Check whether dialer-group is configured IV. Check whether dialer-list is configured correctly V. Check whether the configuration for PPP authentication is correct Page 1.8.2 DDR Fault Elimination 1.8.3 Troubleshooting with DDR Debugging Information I. How to acquire DDR debugging information II. The debugging information displayed when DDR can interwork with the opposite end Page Page Chapter 2 Configuration of Modem Management 2.1 Modem Management Functions Provided by VRP1.4 2.2 Modem Script 2.2.1 Function 2.2.2 Syntax Page 2.3 Configuring Modem Management 2.3.1 Modem Management Configuration Task List 2.3.2 Configuring Modem Call-In and Call-Out Authorities 2.3.3 Configuring Modem Script 2.3.4 Executing Modem Script Manually 2.3.5 Specifying the Event to Trigger Modem Script 2.3.6 Configuring Modem Answer Mode 2.4 Typical Configuration of Modem Management 2.4.1 Managing Modem with Modem Script 2.4.2 Remote Configuration Using Modem and Through Asynchronous Interface 2.4.3 Router Initialization with Initialization Script I. Configuration requirements 2.4.4 Direct Dial with Script 2.4.5 Interactively Connect Cisco Router Through Modem Page Page Page Page Chapter 1 VoIP Configuration 1.1 VoIP Overview 1.1.1 VoIP Principle I. Basic composition II. H.323 protocol stack III. A typical telephone call processing by VoIP 1.1.2 IP Voice Implementation over VRP 1.1.3 IP Voice Feature over VRP Page 1.2 VoIP Configuration 1.2.1 VoIP Configuration Task List 1.2.2 Configuring Dial-peer I. POTS dial-peer configuration II. VoIP dial-peer configuration 1.2.3 Configuring Dial Terminator 1.2.4 Configuring Abbreviated Dialing 1.2.5 Configuring Voice Port Page 1.2.6 Configuring Global Number Match Policy 1.2.7 Configuring the Recovery Method of Voice Board 1.3 VoIP Monitoring and Maintenance Page User Manual - Configuration Guide (Volume 3) Versatile Routing Platform Chapter 1 VoIP Configuration 1-14 Page 1.4 Typical VoIP Configuration Examples 1.4.1 Configuring Router FXS Port for Interconnection Page 1.4.2 Configuring Router FXO and E&M Trunk Ports for Interconnection Page 1.4.3 Configuring the Interconnection of Router FXO Port in PLAR Mode 1.4.4 Configuring Interconnection with Refiner for Large Network Solution I. Network requirements III. Configuration description 1.5 VoIP Troubleshooting Chapter 2 IP Fax Configuration 2.1 Overview to IP Fax 2.2 Configuring IP Fax 2.2.1 Task List of IP Fax Configuration 2.2.2 Checking If Configuring Fax to Use ECM Mode 2.2.3 Configuring Fax Rate 2.2.4 Configuring Fax Train Mode 2.2.5 Configuring Fax Local-train Threshold Value 2.2.6 Configuring Gateway Carrier Transmit Energy Level 2.2.7 Configuring Sending Redundancy Packet Number of T38 Fax Protocol 2.2.8 Configuring the Fax Protocol Intercommunicating with Cisco Equipment 2.2.9 Configuring the Intercommunication Method with Other Equipment 2.3 Monitoring and Maintenance of IP Fax 2.4 Typical Configuration of IP Fax Internet Router 0101002 port2 1.1.1.2 Beijing Router 1.1.1.1 port1 07551001 Shenzhen Page Chapter 3 E1 Voice Configuration 3.1 Overview of E1 Voice Configuration 3.1.1 Function of E1 Voice 3.1.2 Usage of cE1/PRI Interface I. Interface not divided into TSs logically 3.1.3 Features of E1 Voice I. Signaling modes supported II. Protocols and standards supported III. Support single stage dialing and two-stage dialing IV. Integrated transmission of voice and data 3.2 E1 Voice Configuration 3.2.1 Configuration Task List of E1 Voice 3.2.2 Configuring POTS dial-peer 3.2.3 Configuring VoIP dial-peer 3.2.4 Configuring the Basic Parameters of E1 Interface 3.2.5 Configuring Voice Port (E1 Interface) 3.2.6 Configuring E1 Voice R2 Signaling I. Configuring DS0 group II. Configuring Related Parameters of R2 Signaling Page 3.2.7 Configuring the Basic Parameters of ISDN PRI Interface 3.2.8 Configuring Voice Port (ISDN PRI Interface) 3.3 Monitoring and Maintenance of E1 Voice I. Maintaining the MFC Channel and Circuit of the Specified TS II. show Command Related to E1 Voice Page III. debug Commands Related to E1 Voice 3.4 Typical Configuration Examples of E1 Voice 3.4.1 Router Connected to PBX through E1 Voice Port Page 3.4.2 Router Connected to PBX in ISDN PRI Mode 3.4.3 Two-stage Dialing Configuration II. Netwoking diagram 3.4.4 Transmission of Data and Voice Simultaneously 3.5 Fault Diagnosis and Troubleshooting of E1 Voice Chapter 4 GK Client Configuration 4.1 Overview of GK Client 4.2 Configuration of GK Client 4.2.1 Configuration Task List of GK Client 4.2.2 Configuring One Interface as H.323 Gateway Interface 4.2.3 Activating or Deactivate GK Client Function 4.2.4 Configuring Gateway Alias 4.2.5 Configure the GK Server Name and Address 4.2.6 Configuring Tech-Prefix 4.2.7 Configuring GK Interworking Mode 4.3 Typical Configuration Examples of GK Client Page 4.4 Fault Diagnosis and Troubleshooting of GK Client Chapter 5 IPHC Configuration 5.1 Overview of IPHC 5.2 IPHC Configuration 5.2.1 Configuration Task List of IPHC 5.2.2 Enable/disable RTP header compression 5.2.3. Configure the Max. Connection Number of RTP Header Compressions 5.2.4 Configure the Max. Connection Number of TCP Header Compressions 5.2.5 Configure the Cisco-compatible RTP header compression 5.2.6 Configure the deleting of udp_chk field from UDP header 5.3 Monitoring and Maintenance of IPHC How Are We Doing