Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides typical configuration examples for NE series routers.

Example for Configuring Encrypted Tunnels for an International Access from a Financial Enterprise's Branches

This section provides an example of how to configure encrypted tunnels (OSPF over GRE over IPsec) over the international access network of a financial enterprise. The encrypted tunnels can carry OSPF packets transmitted between the international branch offices and the national HQ network. This improves the reliability and security of data transmission between the branches and HQ.

Applicable Products and Versions

This configuration applies to NE40E series products running V800R010C00 or later.

Networking Requirements

A financial enterprise in this example wants an international access network to be deployed to connect the enterprise's international branches to the national HQ network. This network is shown in Figure 1-6. To meet user requirements for high reliability and security, the OSPF over GRE over IPsec function can be deployed between the two groups of routers:
  • Egress routers (Device A, Device B, Device C, and Device D) of the network where the international branches reside
  • Aggregation routers (AGG A, AGG B, AGG C, and AGG D) of the national HQ network
The deployment process is as follows:
  • IPsec is deployed between the egress routers and the aggregation routers to encrypt communication packets. However, some OSPF packets are sent using multicast addresses, and IPsec cannot protect multicast packets. Therefore, two GRE tunnels must be configured between an egress router and aggregation router, with a tunnel interface configured on each router. Additionally, OSPF must be deployed on the GRE tunnels, forming OSPF over GRE over IPsec tunnels. This allows IPsec to encrypt OSPF packets encapsulated in the GRE tunnels.

  • OSPF is deployed on the egress routers and aggregation routers. After specific route costs are set for different paths, traffic can be quickly switched to a sub-optimal path if the primary path fails. This ensures network reliability. The paths in descending order of priority are as follows:
    1. AGG A-Device A GRE over IPsec tunnel or AGG B-Device C GRE over IPsec tunnel

    2. AGG A-Device A plaintext (unencrypted) link or AGG B-Device C plaintext (unencrypted) link

    3. AGG C-Device B GRE over IPsec tunnel

    4. AGG C-Device B plaintext (unencrypted) link

    5. GRE over IPsec tunnel between AGG D and Device D of different VPNs

Figure 1-6  International branch access

Table 1-2  Data Preparation

| Device Name | Parameter | Data |
|---|---|---|
| AGG A | IP address of Loopback 1 | 192.168.1.1/32 |
| AGG A | IP address of Tunnel 1 (GRE) | 10.1.1.1/24 |
| AGG A | IP address of Tunnel 2 (IPsec) | 192.168.11.1/32 |
| AGG A | IP address of GE 0/1/0 connected to Device C | 10.1.2.1/24 |
| AGG B | IP address of Loopback 1 | 192.168.2.2/32 |
| AGG B | IP address of Tunnel 1 (GRE) | 10.2.1.1/24 |
| AGG B | IP address of Tunnel 2 (IPsec) | 192.168.22.2/32 |
| AGG B | IP address of GE 0/1/0 connected to Device C | 10.2.2.1/24 |
| AGG C | IP address of Loopback 1 | 192.168.3.3/32 |
| AGG C | IP address of Tunnel 1 (GRE) | 10.3.1.1/24 |
| AGG C | IP address of Tunnel 2 (IPsec) | 192.168.33.3/32 |
| AGG C | IP address of GE 0/1/0 connected to Device C | 10.3.2.1/24 |
| AGG D | IP address of Loopback 1 | 192.168.4.4/32 |
| AGG D | IP address of Tunnel 1 (GRE) | 10.4.1.1/24 |
| AGG D | IP address of Tunnel 2 (IPsec) | 192.168.44.4/32 |
| AGG D | IP address of GE 0/1/0 connected to Device C | 10.4.2.1/24 |
| Device A | IP address of Loopback 1 | 192.168.1.9/32 |
| Device A | IP address of Tunnel 1 (GRE) | 10.1.1.2/24 |
| Device A | IP address of Tunnel 2 (IPsec) | 192.168.11.9/32 |
| Device A | IP address of GE 0/1/0 connected to Device C | 10.1.2.2/24 |
| Device B | IP address of Loopback 1 | 192.168.2.9/32 |
| Device B | IP address of Tunnel 1 (GRE) | 10.3.1.2/24 |
| Device B | IP address of Tunnel 2 (IPsec) | 192.168.22.9/32 |
| Device B | IP address of GE 0/1/0 connected to Device C | 10.3.2.2/24 |
| Device C | IP address of Loopback 1 | 192.168.3.9/32 |
| Device C | IP address of Tunnel 1 (GRE) | 10.2.1.2/24 |
| Device C | IP address of Tunnel 2 (IPsec) | 192.168.33.9/32 |
| Device C | IP address of GE 0/1/0 connected to Device C | 10.2.2.2/24 |
| Device D | IP address of Loopback 1 | 192.168.4.9/32 |
| Device D | IP address of Tunnel 1 (GRE) | 10.4.1.2/24 |
| Device D | IP address of Tunnel 2 (IPsec) | 192.168.44.9/32 |
| Device D | IP address of GE 0/1/0 connected to Device C | 10.4.2.2/24 |

Configuration Roadmap

  1. Configure IP addresses and OSPF on the egress routers and aggregation routers.

  2. Configure GRE tunnels between the egress routers and the aggregation routers, enable OSPF on the network segment in which the tunnel interfaces reside, and set specific costs.

  3. Configure IPsec on the egress routers and aggregation routers.

Procedure

  1. Configure IP addresses and OSPF on the egress routers and aggregation routers.

    # Configure AGG A.

    #
    sysname AGG A
    #
    interface GigabitEthernet 0/1/0
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
    #
    interface LoopBack1
     ip address 192.168.1.1 255.255.255.255
    #
    ospf 100      //Configure OSPF.
     area 0.0.0.1
      network 192.168.1.1 0.0.0.0
      network 10.1.2.0 0.0.0.255
    #
    return
    

    # Configure AGG B.

    #
    sysname AGG B
    #
    interface GigabitEthernet 0/1/0
     undo shutdown
     ip address 10.2.2.1 255.255.255.0
    #
    interface LoopBack1
     ip address 192.168.2.2 255.255.255.255
    #
    ospf 100
     area 0.0.0.2
      network 192.168.2.2 0.0.0.0
      network 10.2.2.0 0.0.0.255
    #
    return
    

    # Configure AGG C.

    #
    sysname AGG C
    #
    interface GigabitEthernet 0/1/0
     undo shutdown
     ip address 10.3.2.1 255.255.255.0
    #
    interface LoopBack1
     ip address 192.168.3.3 255.255.255.255
    #
    ospf 100
     area 0.0.0.3
      network 192.168.3.3 0.0.0.0
      network 10.3.2.0 0.0.0.255
    #
    return
    

    # Configure AGG D.

    #
    sysname AGG D
    #
    interface GigabitEthernet 0/1/0
     undo shutdown
     ip address 10.4.2.1 255.255.255.0
    #
    interface LoopBack1
     ip address 192.168.4.4 255.255.255.255
    #
    ospf 100
     area 0.0.0.4
      network 192.168.4.4 0.0.0.0
      network 10.4.2.0 0.0.0.255
    #
    return
    

    # Configure Device A.

    #
    sysname Device A
    #
    interface GigabitEthernet 0/1/0
     undo shutdown
     ip address 10.1.2.2 255.255.255.0
    #
    interface LoopBack1
     ip address 192.168.1.9 255.255.255.255
    #
    ospf 100
     area 0.0.0.1
      network 192.168.1.9 0.0.0.0
      network 10.1.2.0 0.0.0.255
    #
    return
    

    # Configure Device B.

    #
    sysname Device B
    #
    interface GigabitEthernet 0/1/0
     undo shutdown
     ip address 10.3.2.2 255.255.255.0
    #
    interface LoopBack1
     ip address 192.168.2.9 255.255.255.255
    #
    ospf 100
     area 0.0.0.3      //Same area as AGG C, the OSPF neighbor on network segment 10.3.2.0/24.
      network 192.168.2.9 0.0.0.0
      network 10.3.2.0 0.0.0.255
    #
    return
    

    # Configure Device C.

    #
    sysname Device C
    #
    interface GigabitEthernet 0/1/0
     undo shutdown
     ip address 10.2.2.2 255.255.255.0
    #
    interface LoopBack1
     ip address 192.168.3.9 255.255.255.255
    #
    ospf 100
     area 0.0.0.2      //Same area as AGG B, the OSPF neighbor on network segment 10.2.2.0/24.
      network 192.168.3.9 0.0.0.0
      network 10.2.2.0 0.0.0.255
    #
    return
    

    # Configure Device D.

    #
    sysname Device D
    #
    interface GigabitEthernet 0/1/0
     undo shutdown
     ip address 10.4.2.2 255.255.255.0
    #
    interface LoopBack1
     ip address 192.168.4.9 255.255.255.255
    #
    ospf 100
     area 0.0.0.4      //Same area as AGG D, the OSPF neighbor on network segment 10.4.2.0/24.
      network 192.168.4.9 0.0.0.0
      network 10.4.2.0 0.0.0.255
    #
    return
    

  2. Configure GRE tunnels between the egress routers and the aggregation routers, enable OSPF on the network segment in which the tunnel interfaces reside, and set specific costs.

    # Configure AGG A.

    #
    interface GigabitEthernet 0/1/0
     ospf cost 1000      //Set an OSPF cost value for the physical link.
    #
    interface LoopBack1      //Configure the IP address of the loopback interface as the source address of the GRE tunnel, configure the mapping from the tunnel source interface to the tunnel service board, and bind GRE to the source interface.
     binding tunnel gre
    #
    interface Tunnel1      //Configure the GRE tunnel interface, protocol address, and source and destination addresses of the GRE tunnel. Enable the keepalive function for the GRE tunnel. By default, keepalive packets are sent at an interval of 5 seconds and are retransmitted three times.
     ip address 10.1.1.1 255.255.255.0
     tunnel-protocol gre
     keepalive
     source 192.168.1.1
     destination 192.168.1.9
     ospf cost 990      //Set an OSPF cost for the tunnel interface.
    #
    ospf 100
     area 0.0.0.1
      network 10.1.1.0 0.0.0.255      //Enable OSPF on the network segment in which the GRE tunnel interface resides.
    #
    return
    

    # Configure AGG B.

    #
    interface GigabitEthernet 0/1/0
     ospf cost 1000
    #
    interface LoopBack1
     binding tunnel gre
    #
    interface Tunnel1
     ip address 10.2.1.1 255.255.255.0
     tunnel-protocol gre
     keepalive
     source 192.168.2.2
     destination 192.168.3.9
     ospf cost 990 
    #
    ospf 100
     area 0.0.0.2
      network 10.2.1.0 0.0.0.255
    #
    return
    

    # Configure AGG C.

    #
    interface GigabitEthernet 0/1/0
     ospf cost 1020
    #
    interface LoopBack1
     binding tunnel gre
    #
    interface Tunnel1
     ip address 10.3.1.1 255.255.255.0
     tunnel-protocol gre
     keepalive
     source 192.168.3.3
     destination 192.168.2.9
     ospf cost 1010 
    #
    ospf 100
     area 0.0.0.3
      network 10.3.1.0 0.0.0.255
    #
    return
    

    # Configure AGG D.

    #
    interface LoopBack1
     binding tunnel gre
    #
    interface Tunnel1
     ip address 10.4.1.1 255.255.255.0
     tunnel-protocol gre
     keepalive
     source 192.168.4.4
     destination 192.168.4.9
     ospf cost 1030 
    #
    ospf 100
     area 0.0.0.4
      network 10.4.1.0 0.0.0.255
    #
    return
    

    # Configure Device A.

    #
    interface GigabitEthernet 0/1/0
     ospf cost 550
    #
    interface LoopBack1
     binding tunnel gre
    #
    interface Tunnel1
     ip address 10.1.1.2 255.255.255.0
     tunnel-protocol gre
     keepalive
     source 192.168.1.9
     destination 192.168.1.1
     ospf cost 500 
    #
    ospf 100
     area 0.0.0.1
      network 10.1.1.0 0.0.0.255
    #
    return
    

    # Configure Device B.

    #
    interface GigabitEthernet 0/1/0
     ospf cost 650
    #
    interface LoopBack1
     binding tunnel gre
    #
    interface Tunnel1
     ip address 10.3.1.2 255.255.255.0
     tunnel-protocol gre
     keepalive
     source 192.168.2.9
     destination 192.168.3.3
     ospf cost 600 
    #
    ospf 100
     area 0.0.0.3
      network 10.3.1.0 0.0.0.255
    #
    return
    

    # Configure Device C.

    #
    interface GigabitEthernet 0/1/0
     ospf cost 550
    #
    interface LoopBack1
     binding tunnel gre
    #
    interface Tunnel1
     ip address 10.2.1.2 255.255.255.0
     tunnel-protocol gre
     keepalive
     source 192.168.3.9
     destination 192.168.2.2
     ospf cost 500 
    #
    ospf 100
     area 0.0.0.2
      network 10.2.1.0 0.0.0.255      //Network segment of Tunnel1 on Device C (10.2.1.2/24).
    #
    return
    

    # Configure Device D.

    #
    interface LoopBack1
     binding tunnel gre
    #
    interface Tunnel1
     ip address 10.4.1.2 255.255.255.0
     tunnel-protocol gre
     keepalive
     source 192.168.4.9
     destination 192.168.4.4
     ospf cost 700 
    #
    ospf 100
     area 0.0.0.4
      network 10.4.1.0 0.0.0.255
    #
    return
    

  3. Configure IPsec on the egress routers and aggregation routers.

    # Configure AGG A.

    #
    ike dpd interval 30 15      //Enable periodic DPD detection at both local and remote ends. The default idle time is 30s. DPD packets are sent at an interval of 15s, and three consecutive detections are performed within a period.
    #
    ipsec sa global anti-replay disable      //Disable the IPsec anti-replay function. The receiver then stops checking ESP sequence numbers, so replayed packets are no longer dropped.
    ipsec global df-bit clear      //Clear the non-fragmentation flag to prevent the UDP packets with the non-fragmentation flag from being discarded due to GRE over IPsec encapsulation. This encapsulation adds about 100 bytes to the original packets and causes the packet length to exceed the MTU of the interface.
    #
    service-location 1      //Configure an IPsec service engine and perform encryption on the specified engine.
     location slot 1 engine 0
    #
    service-instance-group 1
     service-location 1
    #
    acl number 3000       //Set the characteristics of the IPsec protection flow in the ACL rule. Set the source to the source address of the GRE tunnel and destination to the destination address of the GRE tunnel, which are the loopback addresses of AGG A and Device A, respectively.
     rule 10 permit ip source 192.168.1.1 0 destination 192.168.1.9 0
    #
    ike proposal 1      //Configure an IKE proposal with the SM3 authentication algorithm and the SM4 encryption algorithm. The default authentication mode is pre-shared key.
     encryption-algorithm sm4-cbc
     dh group14
     authentication-algorithm sm3
     integrity-algorithm hmac-sha2-256
    #
    ike peer 1      //Configure an IKE peer and configure the shared key. Bind the IKE proposal.
     pre-shared-key cipher %^%#9<6Gkk6%LpCr0\.>+.ya+\LUTGeZZBxW!-Aw0>DY%^%#
     ike-proposal 1
     undo version 2
     remote-address 10.1.1.2      //The peer address is the IP address of the GRE tunnel interface between Device A and AGG A.
     ipsec sm4 version draft-standard
    #
    ipsec proposal 1      //Configure an IPsec proposal with the SM3 authentication algorithm and the SM4 encryption algorithm.
     esp authentication-algorithm sm3
     esp encryption-algorithm sm4
    #
    license
     active ipsec slot 1      //Enable the IPsec function on the service board in slot 1.
    #
    ipsec policy 1 10 isakmp      //Configure an IPsec policy. Bind the IPsec protection flow, the IKE peer, and the IPsec proposal.
     security acl 3000
     ike-peer 1
     proposal 1
    #
    interface Tunnel2      //Apply the IPsec policy to the IPsec interface.
     ip address 192.168.11.1 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy 1 service-instance-group 1
    #
    ip route-static 192.168.1.9 255.255.255.255 Tunnel2 10.1.1.2
    #
    return

    # Configure AGG B.

    #
    ike dpd interval 30 15
    #
    ipsec sa global anti-replay disable
    ipsec global df-bit clear
    #
    service-location 1
     location slot 1 engine 0
    #
    service-instance-group 1
     service-location 1
    #
    acl number 3000
     rule 10 permit ip source 192.168.2.2 0 destination 192.168.3.9 0
    #
    ike proposal 1
     encryption-algorithm sm4-cbc
     dh group14
     authentication-algorithm sm3
     integrity-algorithm hmac-sha2-256
    #
    ike peer 1
     pre-shared-key cipher %^%#ZZBxW!-Aw0>9<6GkkY6%LpCr0\.>+.ya+\LUTDGe%^%#
     ike-proposal 1
     undo version 2
     remote-address 10.2.1.2
     ipsec sm4 version draft-standard
    #
    ipsec proposal 1
     esp authentication-algorithm sm3
     esp encryption-algorithm sm4
    #
    license
     active ipsec slot 1
    #
    ipsec policy 1 10 isakmp
     security acl 3000
     ike-peer 1
     proposal 1
    #
    interface Tunnel2
     ip address 192.168.22.2 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy 1 service-instance-group 1
    #
    ip route-static 192.168.3.9 255.255.255.255 Tunnel2 10.2.1.2
    #
    return

    # Configure AGG C.

    #
    ike dpd interval 30 15
    #
    ipsec sa global anti-replay disable
    ipsec global df-bit clear
    #
    service-location 1
     location slot 1 engine 0
    #
    service-instance-group 1
     service-location 1
    #
    acl number 3000
     rule 10 permit ip source 192.168.3.3 0 destination 192.168.2.9 0
    #
    ike proposal 1
     encryption-algorithm sm4-cbc
     dh group14
     authentication-algorithm sm3
     integrity-algorithm hmac-sha2-256
    #
    ike peer 1
     pre-shared-key cipher %^%#W!-Aw0>9<6GkkYZZBx6%LpCr0\.>+.ya+\LUTDGe%^%#
     ike-proposal 1
     undo version 2
     remote-address 10.3.1.2
     ipsec sm4 version draft-standard
    #
    ipsec proposal 1
     esp authentication-algorithm sm3
     esp encryption-algorithm sm4
    #
    license
     active ipsec slot 1
    #
    ipsec policy 1 10 isakmp
     security acl 3000
     ike-peer 1
     proposal 1
    #
    interface Tunnel2
     ip address 192.168.33.3 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy 1 service-instance-group 1
    #
    ip route-static 192.168.2.9 255.255.255.255 Tunnel2 10.3.1.2
    #
    return

    # Configure AGG D.

    #
    ike dpd interval 30 15
    #
    ipsec sa global anti-replay disable
    ipsec global df-bit clear
    #
    service-location 1
     location slot 1 engine 0
    #
    service-instance-group 1
     service-location 1
    #
    acl number 3000
     rule 10 permit ip source 192.168.4.4 0 destination 192.168.4.9 0
    #
    ike proposal 1
     encryption-algorithm sm4-cbc
     dh group14
     authentication-algorithm sm3
     integrity-algorithm hmac-sha2-256
    #
    ike peer 1
     pre-shared-key cipher %^%#W!-Aw0>9<6GkkYZZBx6%LpCr0\.>+.ya+\LUTDGe%^%#
     ike-proposal 1
     undo version 2
     remote-address 10.4.1.2
     ipsec sm4 version draft-standard
    #
    ipsec proposal 1
     esp authentication-algorithm sm3
     esp encryption-algorithm sm4
    #
    license
     active ipsec slot 1
    #
    ipsec policy 1 10 isakmp
     security acl 3000
     ike-peer 1
     proposal 1
    #
    interface Tunnel2
     ip address 192.168.44.4 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy 1 service-instance-group 1
    #
    ip route-static 192.168.4.9 255.255.255.255 Tunnel2 10.4.1.2
    #
    return

    # Configure Device A.

    #
    ike dpd interval 30 15
    #
    ipsec sa global anti-replay disable
    ipsec global df-bit clear
    #
    service-location 1
     location slot 1 engine 0
    #
    service-instance-group 1
     service-location 1
    #
    acl number 3000
     rule 5 permit ip source 192.168.1.9 0 destination 192.168.1.1 0
    #
    ike proposal 1
     encryption-algorithm sm4-cbc
     dh group14
     authentication-algorithm sm3
     integrity-algorithm hmac-sha2-256
    #
    ike peer 1
     pre-shared-key cipher %^%#+Nh`gy]AG+3#',z0d(SCIE*Ia{9(j1HTY%x9{.G-%^%#
     ike-proposal 1
     undo version 2
     remote-address 10.1.1.1
     ipsec sm4 version draft-standard
    #
    ipsec proposal 1
     esp authentication-algorithm sm3
     esp encryption-algorithm sm4
    #
    license
     active ipsec slot 1
    #
    ipsec policy 1 10 isakmp
     security acl 3000
     ike-peer 1
     proposal 1
    #
    interface Tunnel2
     ip address 192.168.11.9 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy 1 service-instance-group 1
    #
    ip route-static 192.168.1.1 255.255.255.255 Tunnel2 10.1.1.1
    #
    return

    # Configure Device B.

    #
    ike dpd interval 30 15
    #
    ipsec sa global anti-replay disable
    ipsec global df-bit clear
    #
    service-location 1
     location slot 1 engine 0
    #
    service-instance-group 1
     service-location 1
    #
    acl number 3000
     rule 5 permit ip source 192.168.2.9 0 destination 192.168.3.3 0
    #
    ike proposal 1
     encryption-algorithm sm4-cbc
     dh group14
     authentication-algorithm sm3
     integrity-algorithm hmac-sha2-256
    #
    ike peer 1
     pre-shared-key cipher %^%#+Nh`gy]AG+3#',z0d(SCIE*Ia{9(j1HTY%x9{.G-%^%#
     ike-proposal 1
     undo version 2
     remote-address 10.3.1.1
     ipsec sm4 version draft-standard
    #
    ipsec proposal 1
     esp authentication-algorithm sm3
     esp encryption-algorithm sm4
    #
    license
     active ipsec slot 1
    #
    ipsec policy 1 10 isakmp
     security acl 3000
     ike-peer 1
     proposal 1
    #
    interface Tunnel2
     ip address 192.168.22.9 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy 1 service-instance-group 1
    #
    ip route-static 192.168.3.3 255.255.255.255 Tunnel2 10.3.1.1
    #
    return

    # Configure Device C.

    #
    ike dpd interval 30 15
    #
    ipsec sa global anti-replay disable
    ipsec global df-bit clear
    #
    service-location 1
     location slot 1 engine 0
    #
    service-instance-group 1
     service-location 1
    #
    acl number 3000
     rule 5 permit ip source 192.168.3.9 0 destination 192.168.2.2 0
    #
    ike proposal 1
     encryption-algorithm sm4-cbc
     dh group14
     authentication-algorithm sm3
     integrity-algorithm hmac-sha2-256
    #
    ike peer 1
     pre-shared-key cipher %^%#+Nh`gy]AG+3#',z0d(SCIE*Ia{9(j1HTY%x9{.G-%^%#
     ike-proposal 1
     undo version 2
     remote-address 10.2.1.1
     ipsec sm4 version draft-standard
    #
    ipsec proposal 1
     esp authentication-algorithm sm3
     esp encryption-algorithm sm4
    #
    license
     active ipsec slot 1
    #
    ipsec policy 1 10 isakmp
     security acl 3000
     ike-peer 1
     proposal 1
    #
    interface Tunnel2
     ip address 192.168.33.9 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy 1 service-instance-group 1
    #
    ip route-static 192.168.2.2 255.255.255.255 Tunnel2 10.2.1.1
    #
    return

    # Configure Device D.

    #
    ike dpd interval 30 15
    #
    ipsec sa global anti-replay disable
    ipsec global df-bit clear
    #
    service-location 1
     location slot 1 engine 0
    #
    service-instance-group 1
     service-location 1
    #
    acl number 3000
     rule 5 permit ip source 192.168.4.9 0 destination 192.168.4.4 0
    #
    ike proposal 1
     encryption-algorithm sm4-cbc
     dh group14
     authentication-algorithm sm3
     integrity-algorithm hmac-sha2-256
    #
    ike peer 1
     pre-shared-key cipher %^%#0d(SCIE*Ia{9+Nh`gy]AG+3#',z(j1HTY%x9{.G-%^%#
     ike-proposal 1
     undo version 2
     remote-address 10.4.1.1
     ipsec sm4 version draft-standard
    #
    ipsec proposal 1
     esp authentication-algorithm sm3
     esp encryption-algorithm sm4
    #
    license
     active ipsec slot 1
    #
    ipsec policy 1 10 isakmp
     security acl 3000
     ike-peer 1
     proposal 1
    #
    interface Tunnel2
     ip address 192.168.44.9 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy 1 service-instance-group 1
    #
    ip route-static 192.168.4.4 255.255.255.255 Tunnel2 10.4.1.1
    #
    return

  4. Verify the configuration.

    Run the display ip routing-table command on an egress router or aggregation router. The command output shows the OSPF routes to the peer device on the tunnel interface.

    Run the ping command on the device to ping the remote device. Run the display interface tunnel command to check the working status of the tunnel interface. The command output shows information about the packets sent and received by the tunnel interface.

    Run the display ipsec statistics command on the device to check for changes in the encrypted data. The command output indicates whether data transmission is encrypted. Due to encryption, the size of output packets is larger than that of the input packets.
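
An offline consistency check for one tunnel pair, as an added example that is not part of Huawei's document: it parses two VRP-style configurations and checks that the GRE endpoints mirror each other, that ACL 3000 matches the GRE outer header, that OSPF is enabled on the Tunnel1 subnet in the same area at both ends, and reports the disabled anti-replay setting. The function names, the template and the sample values (including the deliberately wrong network statement) are constructed for this illustration.

```python
from ipaddress import ip_address

# Constructed VRP-style sample, filled in with this page's AGG B / Device C addressing.
TEMPLATE = """\
ipsec sa global anti-replay disable
#
acl number 3000
 rule 10 permit ip source {src} 0 destination {dst} 0
#
interface Tunnel1
 ip address {tun_ip} 255.255.255.0
 source {src}
 destination {dst}
#
ospf 100
 area 0.0.0.2
  network {net} 0.0.0.255
"""
AGG = TEMPLATE.format(src="192.168.2.2", dst="192.168.3.9", tun_ip="10.2.1.1", net="10.2.1.0")
# Constructed fault: this network statement misses the device's own tunnel subnet.
EDGE = TEMPLATE.format(src="192.168.3.9", dst="192.168.2.2", tun_ip="10.2.1.2", net="10.1.1.0")

def parse_vrp(text):
    """Return {section header: [body lines]}; an unindented line opens a section."""
    sections, header = {}, None
    for raw in text.splitlines():
        line = raw.split("//")[0].rstrip()       # drop trailing // annotations
        if line.strip() in ("", "#", "return"):
            continue
        if line[0] != " ":
            header = line
            sections.setdefault(header, [])
        elif header:
            sections[header].append(line.strip())
    return sections

def field(body, key):
    """Text after `key` on the first body line that starts with it, else None."""
    return next((ln[len(key):].strip() for ln in body if ln.startswith(key + " ")), None)

def ospf_area(sections, ip):
    """OSPF area whose network/wildcard statement covers `ip`, else None."""
    area, addr = None, int(ip_address(ip))
    for line in sections.get("ospf 100", []):
        kind, *args = line.split()
        area = args[0] if kind == "area" else area
        if kind == "network":
            net, wild = (int(ip_address(a)) for a in args[:2])
            if addr | wild == net | wild:        # wildcard bits are "don't care"
                return area

def audit_pair(configs):
    """Findings for {device name: config text} holding both ends of one tunnel."""
    parsed = {name: parse_vrp(text) for name, text in configs.items()}
    tun = {n: p["interface Tunnel1"] for n, p in parsed.items()}
    area = {n: ospf_area(p, field(tun[n], "ip address").split()[0]) for n, p in parsed.items()}
    names, findings = list(parsed), []
    for me, peer in (names, names[::-1]):
        src, dst = field(tun[me], "source"), field(tun[me], "destination")
        if dst != field(tun[peer], "source"):
            findings.append(f"{me}: GRE destination is not the peer's GRE source")
        acl = " ".join(parsed[me].get("acl number 3000", []))
        if f"source {src} 0 destination {dst} 0" not in acl:
            findings.append(f"{me}: ACL 3000 does not match the GRE endpoints")
        if area[me] is None:
            findings.append(f"{me}: no OSPF network statement covers Tunnel1")
        elif area[peer] and area[me] != area[peer]:
            findings.append(f"{me}: OSPF area differs from the peer's")
        if "ipsec sa global anti-replay disable" in parsed[me]:
            findings.append(f"{me}: IPsec anti-replay is disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_pair({"AGG B": AGG, "Device C": EDGE})))
```

Running it before deployment catches mismatches that would otherwise show up only as a missing OSPF neighbor or as GRE traffic leaving the router unencrypted.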

Updated: 2019-05-16

Document ID: EDOC1000120969
