CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Example for Configuring PKI in IPSec

Networking Requirements

Users in Group 1 communicate with users in Group 2 through a public network, as shown in Figure 15-7. RouterA and RouterB are the egress gateways of Group 1 and Group 2 respectively. The public network is untrusted, so traffic between Group 1 and Group 2 is exposed; for example, it may be intercepted in transit.

Figure 15-7  Configuring PKI in IPSec

Configuration Roadmap

To ensure data security, the administrator can establish an IPSec tunnel between the two gateways to protect the data flows transmitted between Group 1 and Group 2. The security tunnel can be set up using Internet Key Exchange (IKE) negotiation; during IKE negotiation, PKI certificates are used for identity authentication instead of pre-shared keys.

The configuration roadmap is as follows:

  1. Configure a PKI entity to identify a certificate applicant.
  2. Configure a PKI domain and specify the identity information required for certificate enrollment in the PKI domain.
  3. Configure IKE to use a digital signature for identity authentication.
  4. Configure IPSec to protect data flows between two subnets.
  5. Request a certificate and download it for IKE negotiation.

Procedure

  1. Configure a PKI entity.

    # Configure RouterA.

    <Huawei> system-view
    [Huawei] pki entity routera
    [Huawei-pki-entity-routera] common-name helloa
    [Huawei-pki-entity-routera] country cn
    [Huawei-pki-entity-routera] state jiangsu
    [Huawei-pki-entity-routera] organization huawei
    [Huawei-pki-entity-routera] organization-unit info
    [Huawei-pki-entity-routera] quit
    

    # Configure RouterB.

    <Huawei> system-view
    [Huawei] pki entity routerb
    [Huawei-pki-entity-routerb] common-name hellob
    [Huawei-pki-entity-routerb] country cn
    [Huawei-pki-entity-routerb] state jiangsu
    [Huawei-pki-entity-routerb] organization huawei
    [Huawei-pki-entity-routerb] organization-unit marketing
    [Huawei-pki-entity-routerb] quit
    

  2. Configure a PKI domain.

    # Configure RouterA.

    [Huawei] pki realm abca
    [Huawei-pki-realm-abca] ca id ca_root
    [Huawei-pki-realm-abca] entity routera
    [Huawei-pki-realm-abca] enrollment-url http://3.1.1.1:8080/certsrv/mscep/mscep.dll ra
    [Huawei-pki-realm-abca] fingerprint sha2 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF7A34D94624B1C1BCBF6D763C
    [Huawei-pki-realm-abca] certificate-check none
    [Huawei-pki-realm-abca] quit

    # Configure RouterB.

    [Huawei] pki realm abcb
    [Huawei-pki-realm-abcb] ca id ca_root
    [Huawei-pki-realm-abcb] entity routerb
    [Huawei-pki-realm-abcb] enrollment-url http://3.1.1.1:8080/certsrv/mscep/mscep.dll ra
    [Huawei-pki-realm-abcb] fingerprint sha2 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF7A34D94624B1C1BCBF6D763C
    [Huawei-pki-realm-abcb] certificate-check none
    [Huawei-pki-realm-abcb] quit

  3. Configure IKE to use a digital signature for identity authentication.

    # Configure RouterA.

    [Huawei] ike proposal 1  
    [Huawei-ike-proposal-1] encryption-algorithm aes-cbc-256 
    [Huawei-ike-proposal-1] authentication-method rsa-signature       
    [Huawei-ike-proposal-1] authentication-algorithm sha2-512  
    [Huawei-ike-proposal-1] quit  
    [Huawei] ike peer routera v2 
    [Huawei-ike-peer-routera] ike-proposal 1   
    [Huawei-ike-peer-routera] local-address 1.1.1.1  
    [Huawei-ike-peer-routera] remote-address 2.2.2.1   
    [Huawei-ike-peer-routera] pki realm abca   
    

    # Configure RouterB.

    [Huawei] ike proposal 1  
    [Huawei-ike-proposal-1] encryption-algorithm aes-cbc-256 
    [Huawei-ike-proposal-1] authentication-method rsa-signature       
    [Huawei-ike-proposal-1] authentication-algorithm sha2-512  
    [Huawei-ike-proposal-1] quit  
    [Huawei] ike peer routerb v2 
    [Huawei-ike-peer-routerb] ike-proposal 1   
    [Huawei-ike-peer-routerb] local-address 2.2.2.1   
    [Huawei-ike-peer-routerb] remote-address 1.1.1.1   
    [Huawei-ike-peer-routerb] pki realm abcb   
     

  4. Configure access control lists (ACLs) and define the data flows to be protected in the ACLs.

    # Configure RouterA.

    [Huawei] acl 3000
    [Huawei-acl-adv-3000] rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0             
    [Huawei-acl-adv-3000] rule 15 permit ip source 10.1.1.1 0 destination 10.2.1.1 0 
    [Huawei-acl-adv-3000] quit     

    # Configure RouterB.

    [Huawei] acl 3000
    [Huawei-acl-adv-3000] rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0 
    [Huawei-acl-adv-3000] rule 10 permit ip source 10.2.1.1 0 destination 10.1.1.1 0 
    [Huawei-acl-adv-3000] quit     

  5. Configure IPSec to protect data flows between two subnets.

    # Configure RouterA.

    [Huawei] ipsec proposal routera   
    [Huawei-ipsec-proposal-routera] transform esp       
    [Huawei-ipsec-proposal-routera] esp authentication-algorithm sha2-512    
    [Huawei-ipsec-proposal-routera] esp encryption-algorithm aes-256   
    [Huawei-ipsec-proposal-routera] quit   
    [Huawei] ipsec policy routera 1 isakmp 
    [Huawei-ipsec-policy-isakmp-routera-1] security acl 3000  
    [Huawei-ipsec-policy-isakmp-routera-1] ike-peer routera    
    [Huawei-ipsec-policy-isakmp-routera-1] proposal routera    
    [Huawei-ipsec-policy-isakmp-routera-1] quit                 

    # Configure RouterB.

    [Huawei] ipsec proposal routerb   
    [Huawei-ipsec-proposal-routerb] transform esp       
    [Huawei-ipsec-proposal-routerb] esp authentication-algorithm sha2-512    
    [Huawei-ipsec-proposal-routerb] esp encryption-algorithm aes-256
    [Huawei-ipsec-proposal-routerb] quit     
    [Huawei] ipsec policy routerb 1 isakmp 
    [Huawei-ipsec-policy-isakmp-routerb-1] security acl 3000  
    [Huawei-ipsec-policy-isakmp-routerb-1] ike-peer routerb    
    [Huawei-ipsec-policy-isakmp-routerb-1] proposal routerb                                          
    [Huawei-ipsec-policy-isakmp-routerb-1] quit                   

  6. Configure IP addresses for the interfaces and bind the IPSec policies to the interfaces.

    # Configure RouterA.

    [Huawei] interface ethernet 0/0/1 
    [Huawei-Ethernet0/0/1] ip address 1.1.1.1 24 
    [Huawei-Ethernet0/0/1] undo portswitch
    [Huawei-Ethernet0/0/1] ipsec policy routera
    [Huawei-Ethernet0/0/1] quit

    # Configure RouterB.

    [Huawei] interface ethernet 0/0/1 
    [Huawei-Ethernet0/0/1] ip address 2.2.2.1 24 
    [Huawei-Ethernet0/0/1] undo portswitch
    [Huawei-Ethernet0/0/1] ipsec policy routerb
    [Huawei-Ethernet0/0/1] quit

  7. Configure devices to request a certificate and download it for IKE negotiation.

    # Configure RouterA.

    [Huawei] pki enroll-certificate abca
     Create a challenge password. You will need to verbally provide this password to
     the CA Administrator in order to revoke your certificate.
     For security reasons your password will not be saved in the configuration. Plea
    se make a note of it.
     Choice no password ,please enter the enter-key.
     Please enter Password:
     Start certificate enrollment ...
     Certificate is enrolling now,It will take a few minutes or more.  
     Please waiting...
     The certificate enroll successful.
    

    # Configure RouterB.

    [Huawei] pki enroll-certificate abcb
     Create a challenge password. You will need to verbally provide this password to
     the CA Administrator in order to revoke your certificate.
     For security reasons your password will not be saved in the configuration. Plea
    se make a note of it.
     Choice no password ,please enter the enter-key.
     Please enter Password:
     Start certificate enrollment ...
     Certificate is enrolling now,It will take a few minutes or more.
     Please waiting...
     The certificate enroll successful.
    

  8. Verify the configuration.

    # Run the display ike sa v2 command on RouterA and RouterB to view IKE SA information. The command output shows that RouterA and RouterB have established an IKE SA and can ping each other successfully.

    The display on RouterA is as follows.

    [Huawei] display ike sa v2                                                
        Conn-ID  Peer            VPN   Flag(s)                Phase                 
      ---------------------------------------------------------------               
          898    2.2.2.1         0     RD|ST                  2                     
          895    2.2.2.1         0     RD|ST                  1                     
                                                                                    
      Flag Description:                                                             
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
     

    The display on RouterB is as follows.

    [Huawei] display ike sa v2                                                
        Conn-ID  Peer            VPN   Flag(s)                Phase                 
      ---------------------------------------------------------------               
          874    1.1.1.1         0     RD                     2                     
          873    1.1.1.1         0     RD                     1                     
                                                                                    
      Flag Description:                                                             
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP              

    # Ping RouterB from RouterA. RouterA can ping RouterB successfully.

    [Huawei] ping 2.2.2.1                                                     
      PING 2.2.2.1: 56  data bytes, press CTRL_C to break                           
        Reply from 2.2.2.1: bytes=56 Sequence=1 ttl=255 time=3 ms                   
        Reply from 2.2.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms                   
        Reply from 2.2.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms                   
        Reply from 2.2.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms                   
        Reply from 2.2.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms                   
                                                                                    
      --- 2.2.2.1 ping statistics ---                                               
        5 packet(s) transmitted                                                     
        5 packet(s) received                                                        
        0.00% packet loss                                                           
        round-trip min/avg/max = 2/2/3 ms                                                                   
    NOTE:

    During IKE negotiation, if RouterA and RouterB have not obtained the CA certificate and their local certificates, IKE negotiation fails.

Configuration Files

  • Configuration file of RouterA

    #
    acl number 3000
     rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0
     rule 15 permit ip source 10.1.1.1 0 destination 10.2.1.1 0
    #
    ipsec proposal routera
     esp authentication-algorithm sha2-512
     esp encryption-algorithm aes-256
    #
    ike proposal 1
     encryption-algorithm aes-cbc-256
     authentication-method rsa-signature
    #
    ike peer routera v2
     ike-proposal 1
     local-address 1.1.1.1
     remote-address 2.2.2.1
     pki realm abca
    #
    ipsec policy routera 1 isakmp
     security acl 3000
     ike-peer routera
     proposal routera
    #
    interface Ethernet0/0/1
     ip address 1.1.1.1 255.255.255.0
     undo portswitch
     ipsec policy routera
    #
    pki entity routera
     country CN
     state jiangsu
     organization huawei
     organization-unit info
     common-name helloa
    #
    pki realm abca
     ca id ca_root
     enrollment-url http://3.1.1.1:8080/certsrv/mscep/mscep.dll ra
     entity routera
     fingerprint sha2 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf7a34d94624b1c1bcbf6d763c
     certificate-check none
    #
    return
    
  • Configuration file of RouterB

    #
    acl number 3000
     rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
     rule 10 permit ip source 10.2.1.1 0 destination 10.1.1.1 0
    #
    ipsec proposal routerb
     esp authentication-algorithm sha2-512
     esp encryption-algorithm aes-256
    #
    ike proposal 1
     encryption-algorithm aes-cbc-256
     authentication-method rsa-signature
    #
    ike peer routerb v2
     ike-proposal 1
     local-address 2.2.2.1
     remote-address 1.1.1.1
     pki realm abcb
    #
    ipsec policy routerb 1 isakmp
     security acl 3000
     ike-peer routerb
     proposal routerb
    #
    interface Ethernet0/0/1
     ip address 2.2.2.1 255.255.255.0
     undo portswitch
     ipsec policy routerb
    #
    pki entity routerb
     country CN
     state jiangsu
     organization huawei
     organization-unit marketing
     common-name hellob
    #
    pki realm abcb
     ca id ca_root
     enrollment-url http://3.1.1.1:8080/certsrv/mscep/mscep.dll ra
     entity routerb
     fingerprint sha2 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf7a34d94624b1c1bcbf6d763c
     certificate-check none
    #
    return
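The configuration files above pin the CA by its SHA-256 fingerprint and set `certificate-check none`. As an added example that is not part of the Huawei document, the following Python audit script (an assumed helper, not a Huawei tool) reads such a configuration file, compares the pinned `fingerprint sha2` value with the hash of a CA certificate (the constructed `FAKE_CA_DER` bytes stand in for a real DER-encoded CA certificate), flags disabled revocation checking, and verifies that the two peers' ACL 3000 rules mirror each other.

```python
import hashlib
import re

# Constructed sample: the ACL and pki realm blocks from RouterA's configuration file
# on this page, and the ACL block from RouterB's configuration file.
ROUTER_A_CFG = """\
acl number 3000
 rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0
 rule 15 permit ip source 10.1.1.1 0 destination 10.2.1.1 0
#
pki realm abca
 ca id ca_root
 enrollment-url http://3.1.1.1:8080/certsrv/mscep/mscep.dll ra
 entity routera
 fingerprint sha2 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf7a34d94624b1c1bcbf6d763c
 certificate-check none
#
"""
ROUTER_B_CFG = """\
acl number 3000
 rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
 rule 10 permit ip source 10.2.1.1 0 destination 10.1.1.1 0
#
"""
# Constructed placeholder for the CA certificate's DER bytes (not a real certificate).
FAKE_CA_DER = b"constructed-ca-certificate-der-bytes"
PAGE_FINGERPRINT = "7a34d94624b1c1bcbf6d763c4a67035d5b578eaf7a34d94624b1c1bcbf6d763c"

RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def ca_fingerprint(der, algo="sha2"):
    """Hex fingerprint of a DER certificate; 'sha2' on this platform means SHA-256."""
    return (hashlib.sha1 if algo == "sha1" else hashlib.sha256)(der).hexdigest()

def acl_flows(cfg):
    """Set of (src, src_wildcard, dst, dst_wildcard) tuples permitted by the ACL."""
    return set(RULE_RE.findall(cfg))

def unmirrored_flows(cfg_a, cfg_b):
    """Flows protected on A that B does not protect in the reverse direction."""
    b_flows = acl_flows(cfg_b)
    return {f for f in acl_flows(cfg_a) if (f[2], f[3], f[0], f[1]) not in b_flows}

def audit_realm(cfg, ca_der):
    """Findings for the pki realm: unpinned or mismatched CA, revocation checks off."""
    findings = []
    m = re.search(r"fingerprint (sha1|sha2) ([0-9A-Fa-f]+)", cfg)
    if not m:
        findings.append("no CA fingerprint pinned; enrollment would trust any CA")
    elif ca_fingerprint(ca_der, m.group(1)) != m.group(2).lower():
        findings.append("pinned fingerprint does not match the CA certificate")
    if re.search(r"^\s*certificate-check none", cfg, re.M):
        findings.append("certificate-check none: CRL/OCSP revocation checking disabled")
    return findings
```

The fingerprint comparison is case-insensitive because the CLI accepts the value in uppercase while the saved configuration file stores it in lowercase.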
    
Updated: 2019-05-25

Document ID: EDOC1000097287
