H3C SecPath Security Products FAQ(V7)-6W100


14-IPsec FAQ

IPsec FAQ

Q.     Does IPsec using AH support NAT traversal?

A.     No. IPsec using AH (and the combined AH-ESP mode) does not support NAT traversal; ESP does.

AH computes its integrity check value (ICV) over the payload and the IP header, including the source and destination addresses; only mutable fields such as TTL, TOS and the header checksum are excluded. When a NAT gateway rewrites an address in transit, the ICV no longer matches and the receiving end discards the packet, so neither AH nor AH-ESP can traverse NAT. ESP authenticates only the ESP header, payload and trailer, not the outer IP header, so address rewriting does not break its integrity check and ESP packets can traverse NAT.
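The behaviour described above, as an added illustration that is not part of the original FAQ or of H3C's software: the script below builds a minimal AH packet and a minimal ESP packet (encryption omitted, because only integrity coverage matters here) with constructed addresses and a constructed HMAC-SHA1-96 key, rewrites the source address the way a NAT gateway would, and shows that the AH check fails while the ESP check still passes.

```python
"""Why AH fails behind NAT while ESP survives it (added example, constructed data)."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-integrity-key"   # constructed shared secret for this demo
SPI = 0x1000
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17
IP_HLEN = 20
AH_HLEN = 12 + 12      # fixed AH fields + 96-bit ICV (HMAC-SHA1-96)
ESP_HLEN = 8           # SPI + sequence number
ICV_LEN = 12


def _ipv4_header(src, dst, proto, total_len):
    # ver/IHL, TOS, total length, ID, flags/frag, TTL, protocol, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def _icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def _ah_icv_input(ip_hdr, ah_hdr, payload):
    # RFC 4302: mutable IP fields (TOS, flags/fragment offset, TTL, checksum) and the
    # ICV field itself are zeroed; everything else in the IP header, including the
    # source and destination addresses, is covered by the ICV.
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    a = bytearray(ah_hdr)
    a[12:24] = bytes(ICV_LEN)
    return bytes(h) + bytes(a) + payload


def ah_protect(src, dst, payload, seq=1):
    total = IP_HLEN + AH_HLEN + len(payload)
    ip_hdr = _ipv4_header(src, dst, PROTO_AH, total)
    # next header, payload length (AH length in 32-bit words minus 2 = 4), reserved, SPI, seq
    ah_hdr = struct.pack("!BBHII", PROTO_UDP, 4, 0, SPI, seq) + bytes(ICV_LEN)
    icv = _icv(_ah_icv_input(ip_hdr, ah_hdr, payload))
    return ip_hdr + ah_hdr[:12] + icv + payload


def ah_verify(pkt):
    ip_hdr = pkt[:IP_HLEN]
    ah_hdr = pkt[IP_HLEN:IP_HLEN + AH_HLEN]
    payload = pkt[IP_HLEN + AH_HLEN:]
    expected = _icv(_ah_icv_input(ip_hdr, ah_hdr, payload))
    return hmac.compare_digest(expected, ah_hdr[12:24])


def esp_protect(src, dst, payload, seq=1):
    # ESP's ICV covers only the ESP header, payload and trailer, never the outer IP header.
    esp_hdr = struct.pack("!II", SPI, seq)
    icv = _icv(esp_hdr + payload)
    total = IP_HLEN + ESP_HLEN + len(payload) + ICV_LEN
    return _ipv4_header(src, dst, PROTO_ESP, total) + esp_hdr + payload + icv


def esp_verify(pkt):
    body = pkt[IP_HLEN:]
    return hmac.compare_digest(_icv(body[:-ICV_LEN]), body[-ICV_LEN:])


def nat_rewrite_src(pkt, new_src):
    # A NAT gateway rewrites the source address (and the IP checksum, which AH
    # already excludes as a mutable field); the rest of the packet is untouched.
    return pkt[:12] + IPv4Address(new_src).packed + pkt[16:]


if __name__ == "__main__":
    inner, peer, nat_public = "192.168.1.10", "198.51.100.1", "203.0.113.5"
    ah = ah_protect(inner, peer, b"constructed payload")
    esp = esp_protect(inner, peer, b"constructed payload")
    print("AH  before NAT:", ah_verify(ah), " after NAT:", ah_verify(nat_rewrite_src(ah, nat_public)))
    print("ESP before NAT:", esp_verify(esp), " after NAT:", esp_verify(nat_rewrite_src(esp, nat_public)))
```

Real NAT traversal additionally encapsulates ESP in UDP port 4500 after IKE detects the NAT, but that does not change the point shown here: the ESP ICV never covers the outer addresses, so rewriting them is harmless, whereas any change to an AH-protected address invalidates the packet.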

Q.     Does the ACL in an IPsec policy support using object groups?

A.     The ACL in an IPsec policy does not support specifying object groups.

Q.     Does the peer address of an IPsec policy support the use of a domain name?

A.     The peer address of an IPsec policy supports the use of a domain name, which must be a DNS-resolvable domain name.

Q.     Is the hostname in an IKE keychain a DNS domain name?

A.     No. The hostname configured in an IKE keychain is a FQDN identity, matched as a string against the FQDN identity the peer presents during IKE negotiation. It is not resolved through DNS and does not need to be a resolvable name.

Q.     Does a short IPsec lifetime have any impact?

A.     Yes. At present, the minimum time-based lifetime of an IPsec SA is 180 seconds and the minimum traffic-based lifetime is 2560 kilobytes. With heavy traffic and many IPsec tunnels, configuring the minimum lifetime means that each SA expires shortly after it is established: the time-based limit is reached quickly, and at even moderate throughput the 2560 KB traffic-based limit is exhausted within seconds. The resulting constant renegotiation raises the CPU usage of the device, and under that load IKE negotiation packets may be lost, causing negotiation failures. Set an appropriate IPsec lifetime according to your network conditions rather than the minimum.

Q.     How to match multiple keychains configured in an IKE profile on the initiator?

A.     The keychains are matched according to the configuration order.

Q.     What is the reason for incomplete display of an IPsec transform set?

A.     If ESP is selected in the transform set, an encryption algorithm must be configured in addition to the authentication algorithm. A transform set that specifies ESP with only an authentication algorithm is incomplete, and its display reflects that.

Q.     When the initiator has multiple transform sets, some of which are enabled with PFS, how does the responder negotiate?

A.     The responder negotiates against the initiator's first configured transform set:

·     If the first configured transform set of the initiator has PFS, the responder must have the corresponding PFS configured for the negotiation to succeed.

·     If the first configured transform set of the initiator does not have PFS, the responder must not have PFS configured for the negotiation to succeed. The responder will not fall back to the initiator's other transform sets that have PFS enabled.

Q.     How should the initiator and responder configure the PFS feature if IPsec security policies initiate IKE negotiations?

A.     The PFS strength (DH group) configured on the initiator must be greater than or equal to the PFS strength configured on the responder; otherwise the IKE negotiation fails.

Q.     When an IPsec policy has VPN instance configuration, do the ACL rules need to have a VPN instance configured?

A.     No VPN instance configuration is required in ACL rules.

Q.     How does the initiator send proposals to the responder?

A.     As the initiator, if no proposals are configured in the IKE profile, the initiator sends all its proposals to the peer (the responder) for it to select. If proposals are configured in the IKE profile, only the proposals configured in the IKE profile will be sent to the peer.

Q.     Is there any requirement on the NAT keepalive interval setting in NAT traversal network scenarios?

A.     Yes. The NAT keepalive interval on both sides must be shorter than the session aging time of the intermediate NAT device. If the keepalive interval is longer than the NAT session aging time, the NAT session ages out before the next keepalive is sent. Subsequent data traffic then fails, either because no NAT session exists or because a new session is created with a port mapping that no longer matches the records on the two IPsec peers.

Q.     Is the anti-replay function applicable to scenarios with severe packet reordering?

A.     IPsec anti-replay uses a sliding window to detect packets that are duplicates or that have expired. Under severe reordering, a legitimate packet whose sequence number falls below the lower edge of the receiver's anti-replay window (to its left) is discarded. As a best practice in such an environment, set the anti-replay window to the maximum; disable the anti-replay function only if the maximum window is still insufficient, because disabling it also removes protection against replayed packets.
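An added illustration of the sliding-window check described above, not taken from the original FAQ or from the device software: the class below implements the bitmap window algorithm from RFC 4303, and a constructed arrival sequence in which two packets are delayed by about 95 positions is classified under a 64-packet window and under a 256-packet window. The small window drops the delayed packets as stale (left of the window), the larger one accepts them, and a true replay is caught in both cases.

```python
"""RFC 4303 anti-replay sliding window under packet reordering (added example)."""
from collections import Counter


class AntiReplayWindow:
    """Bitmap sliding window: bit i of `bitmap` is set when top - i was received."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit 0 corresponds to `top`
        self._mask = (1 << size) - 1

    def check_and_update(self, seq):
        """Return 'accept', 'replay' (already seen) or 'stale' (left of the window)."""
        if seq == 0:
            return "replay"   # sequence number 0 is never valid
        if seq > self.top:
            shift = seq - self.top
            # Slide the window right; a jump larger than the window clears it.
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self._mask
            self.top = seq
            return "accept"
        diff = self.top - seq
        if diff >= self.size:
            return "stale"    # too far behind: discarded even if legitimate
        if self.bitmap & (1 << diff):
            return "replay"   # inside the window but already received
        self.bitmap |= 1 << diff
        return "accept"


def simulate(arrivals, window_size):
    """Classify each arrival in order and return counts per verdict."""
    w = AntiReplayWindow(window_size)
    return dict(Counter(w.check_and_update(s) for s in arrivals))


# Constructed arrival order: packets 1..100 with 5 and 6 delayed until after 100,
# followed by a genuine duplicate of packet 99.
ARRIVALS = [s for s in range(1, 101) if s not in (5, 6)] + [5, 6, 99]

if __name__ == "__main__":
    for size in (64, 256):
        print(f"window {size}: {simulate(ARRIVALS, size)}")
```

Enlarging the window only costs a little receiver memory, so it is the safer first step; each verdict of "stale" in the 64-packet run above is a legitimate packet lost purely to reordering, which is what the FAQ answer is warning about.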

 

Specifications vary slightly between models; for details, contact your sales representative or the 400 hotline. H3C reserves the right to modify this content without notice.