Note: The main mode requires a total of 6 messages in three steps to complete the first phase of negotiation, and finally establishes an IKE SA: these three steps are mode negotiation, Diffle-Hellman exchange and nonce exchange, and the identity of both parties. verification. Features of the main mode include identity protection and full utilization of ISAKMP negotiation capabilities. Among them, identity protection is particularly important when the other party wants to hide their identity. Before the messages 1, 2 are sent, the negotiation initiator and the responder must calculate and generate their own cookies, which are used to uniquely identify each individual negotiation exchange. The cookie uses the source/destination IP address, random number, date, and time to perform the MD5 operation. And put into the ISAKMP of Message 1 to identify a separate negotiated exchange. In the first exchange, the two parties need to exchange the cookie and the SA payload. The SA load carries the parameters of the IKE SA to be negotiated, including the IKE hash type, the encryption algorithm, the authentication algorithm, and the negotiation time of the IKE SA. Limits, etc. Before the second exchange after the first exchange, the communicating parties need to generate a DH value for generating a Diffle-Hellman shared key. The generation method is that each party generates a random number, and the random number is processed by the DH algorithm to obtain a DH value Xa (initiator ' s DH value) and Xb (responder ' s DH value), and then both sides calculate according to the DH algorithm. A temporary value of Ni and Nr is given. For the second exchange, the two parties exchange their respective key exchange payloads (Diffle-

Hellman exchange, including Xa and Xb) and temporary value payloads (nonce exchanges containing Ni and Nr). After the two parties exchange the temporary value loads Ni and Nr, the pre-shared key is pre-prepared, and then a pseudo-random function operation can generate a key SKEYID, which is the basis of all subsequent key generation. Then, by calculating the DH value calculated by itself, the DH value obtained by the exchange, and the SKEYID, a shared key SKEYID_d that only the two parties know is generated. This shared key is not transmitted, only the DH value and the temporary value are transmitted, so even if the third party gets these materials, the shared key cannot be calculated. After the second exchange is completed, the calculation materials required by both parties have been exchanged. At this time, both parties can calculate all the keys and use the key to provide security for subsequent IKE messages. These keys include DKEYID_a and DKEYID_e. DKEYID_a is used to provide security services such as integrity and data source authentication for IKE messages. DKEYID_e is used to encrypt IKE messages. The third exchange is the exchange of the identification load and the hash load. The identifier payload contains the identifier information, IP address or host name of the initiator; the hash payload contains the values ​​obtained by HASH operation of the three sets of keys generated in the previous process. These two payloads are encrypted by DKEYID_e. If the payloads of both parties are the same, the authentication is successful. The IKE first-stage master mode pre-shared key exchange is complete.

Note: IKE DPD needs to be enabled on both the master device and the tunnel peer device. After the switch is enabled, the peer device can quickly detect the tunnel and negotiate with the standby device. If the interval parameter is specified, the DPD works in the polling mode. If there is no traffic in the tunnel during the DPD detection interval, the DPD packet is sent periodically. Second, if the on-demand parameter is specified, it means that the DPD works in the traffic trigger mode. Since the last traffic end time, if there is no traffic in the tunnel during the DPD detection interval, the DPD report will be sent only when there is traffic. And the DPD detection time is recalculated from zero. Otherwise there will be no DPD messages in the tunnel. Third, if no interval or on-demand parameters are specified, DPD works in traffic trigger mode by default.

Note: In Huawei firewalls, the usage of the ping command is somewhat different, as follows:

1. Introduction to ping: It is mainly used to check the network connection and whether the host is reachable. Based on the ICMP protocol, after the source sends an ICMP echo request (ECHO-REQUEST) message to the destination, it determines whether the destination is reachable based on whether the destination end ICMP echo reply (ECHO-REPLY) packet is received. .

-a: Sets the source IP address for sending ECHO-REQUEST packets, which is usually used when testing VPN.

-c: Number of times the ECHO-REQUEST packet is sent. The default is 5.

-f: Sets the sent packet to be fragmented. If the MTU value is smaller than the packet size, the packet will be discarded.

-t: The timeout period for waiting for a response after the ECHO-REQUEST is sent. The default is 2s, that is, the response is not reachable within 2s.

-s: Set the message size (excluding IP and ICMP headers);