Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides typical configuration examples for NE series routers.
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
IPSec

Example for Setting Up an IPsec Tunnel in IKE Negotiation Mode (Without Peer Keepalive Detection)

Applicable Products and Versions

This configuration example applies to NE20E-S series products running V800R010C00 or later, with NSP-A/NSP-B support.

Networking Requirements

On the network shown in Figure 1-61, an IPsec tunnel needs to be set up between Device A and Device B to protect the data flows between the subnet 10.1.1.0/24, where PC A resides, and the subnet 10.1.2.0/24, where PC B resides. In the configuration that follows, the security protocol is Encapsulating Security Payload (ESP) with SHA2-256 as the ESP authentication algorithm, and the IKE proposal uses AES-CBC with a 256-bit key for encryption and SHA2-256 for authentication. Note that the IPsec proposal in this example does not set an ESP encryption algorithm explicitly, so the device default applies; in a real deployment set it explicitly (for example, esp encryption-algorithm aes 256, as the later examples in this section do), and do not select DES or SHA-1, which are deprecated.

Figure 1-61  Setting up an IPsec tunnel in IKE negotiation mode
NOTE:

Interface 1 and interface 2 in this example stand for GE 0/1/0 and GE 0/2/0, respectively.



Procedure

  1. Configure Device A.

    #
    service-location 1
     location slot 3
    #
    service-instance-group 1
     service-location 1
    #
    acl number 3101  //Configure an ACL that defines the traffic to protect.
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    #
    ipsec proposal tran1  //Configure an IPsec proposal.
     esp authentication-algorithm sha2-256
    #
    ike proposal 1  //Configure an IKE proposal.
     encryption-algorithm aes-cbc 256
     authentication-algorithm sha2-256
    #
    ike local-name huawei01  //Configure the local IKE name, which Device B checks as its remote-id.
    #
    ike peer spub  //Configure an IKE peer.
     version 1
     exchange-mode aggressive
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#  //The PSK huawei in ciphertext. This is a demonstration value; use a long random PSK in production, especially with aggressive mode.
     ike-proposal 1
     remote-id huawei02  //Configure the name of the IKE peer.
     remote-address 10.5.5.2
    #
    ipsec policy map1 10 isakmp  //Configure an IPsec policy.
     security acl 3101
     ike-peer spub
     proposal tran1
    #
    interface Tunnel0/1/3
     ip address 10.5.5.1 255.255.255.0
     tunnel-protocol ipsec
     ipsec policy map1 service-instance-group 1
    #
    ip route-static 10.1.2.0 255.255.255.0 Tunnel0/1/3 10.5.5.2  //Route the remote protected subnet into the tunnel.
    ip route-static 10.5.5.2 255.255.255.255 192.168.163.2  //Route the tunnel peer address via the public next hop.
    #
    interface GigabitEthernet0/1/0  //Configure a public network interface.
     ip address 192.168.163.1 255.255.255.0
    #
    interface GigabitEthernet0/2/0  //Configure a private network interface.
     ip address 10.1.1.1 255.255.255.0
    #
    return

  2. Configure Device B.

    #
    service-location 1
     location slot 3
    #
    service-instance-group 1
     service-location 1
    #
    acl number 3101  //Configure an ACL that mirrors ACL 3101 on Device A.
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    ipsec proposal tran1  //Configure an IPsec proposal.
     esp authentication-algorithm sha2-256
    #
    ike proposal 1  //Configure an IKE proposal.
     encryption-algorithm aes-cbc 256
     authentication-algorithm sha2-256
    #
    ike local-name huawei02  //Configure the local IKE name, which Device A checks as its remote-id.
    #
    ike peer spua  //Configure an IKE peer.
     version 1
     exchange-mode aggressive
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#  //The same PSK huawei in ciphertext; the ciphertext differs per device even for the same key.
     ike-proposal 1
     remote-id huawei01  //Configure the name of the IKE peer.
     remote-address 10.5.5.1
    #
    ipsec policy use1 10 isakmp  //Configure an IPsec policy.
     security acl 3101
     ike-peer spua
     proposal tran1
    #
    interface Tunnel0/1/3
     ip address 10.5.5.2 24
     tunnel-protocol ipsec
     ipsec policy use1 service-instance-group 1
    #
    ip route-static 10.1.1.0 255.255.255.0 Tunnel0/1/3 10.5.5.1  //Route the remote protected subnet into the tunnel.
    ip route-static 10.5.5.1 255.255.255.255 192.168.162.2  //Route the tunnel peer address via the public next hop.
    #
    interface GigabitEthernet0/1/0  //Configure a public network interface.
     ip address 192.168.162.1 255.255.255.0
    #
    interface GigabitEthernet0/2/0  //Configure a private network interface.
     ip address 10.1.2.1 255.255.255.0
    #
    return

Precautions
  • The security ACLs on the two ends must mirror each other: the source and destination of each rule on one device are the destination and source of the corresponding rule on the other. A flow that matches on one end but not on the other fails IKE phase 2 negotiation.
  • The public-network addresses of the two devices (the tunnel endpoints) must be reachable from each other before IKE negotiation can start.
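The two precautions above, together with the dangling-reference mistakes that are easy to make when one peer's configuration is cloned from the other, can be checked mechanically before a configuration is committed. The following script is an added example and is not part of this Huawei document or of the router software; the function names (parse_vrp, lint_device, lint_pair) are the author's own. It parses VRP-style configuration text, verifies that the two peers' security ACLs mirror each other, verifies that every ipsec policy and tunnel references an ike peer, proposal, policy and service-instance-group that actually exist, and flags deprecated algorithm keywords. The sample configurations are constructed from the Device A example above; Device B is derived from it with three deliberate mistakes.

```python
import re
from collections import defaultdict

WEAK_ALGS = {"des", "3des", "md5", "sha1"}  # deprecated algorithm keywords to flag

def parse_vrp(text):
    """Group indented sub-lines under the preceding command; a '#' line ends a section."""
    sections, header = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.split("//")[0].rstrip()  # drop trailing // comments
        if not line.strip():
            continue
        if line.strip() == "#":
            header = None
        elif line[0].isspace() and header is not None:
            sections[header].append(line.strip())
        else:
            header = line.strip()
            sections[header]  # register the section even if it has no sub-lines
    return sections

def _names(cfg, prefix, field):
    return {h.split()[field] for h in cfg if h.startswith(prefix)}

def acl_rules(cfg, number):
    """Set of (src, src-wildcard, dst, dst-wildcard) tuples in 'acl number N'."""
    pat = r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)"
    return {m.groups() for m in (re.match(pat, l) for l in cfg.get(f"acl number {number}", [])) if m}

def lint_device(cfg):
    """Findings for one device: dangling references and deprecated algorithms."""
    known = {"ike-peer": _names(cfg, "ike peer ", 2), "proposal": _names(cfg, "ipsec proposal ", 2),
             "ipsec policy": _names(cfg, "ipsec policy ", 2),
             "service-instance-group": _names(cfg, "service-instance-group ", 1)}
    findings = []
    for hdr, body in cfg.items():
        refs = []  # (keyword, referenced name) pairs that must resolve
        if hdr.startswith("ipsec policy "):
            kv = dict(l.split(None, 1) for l in body if " " in l)
            refs = [(k, kv.get(k)) for k in ("ike-peer", "proposal")]  # None if the line is missing
        elif hdr.startswith("interface Tunnel"):
            for m in (re.match(r"ipsec policy (\S+) service-instance-group (\S+)", l) for l in body):
                if m:
                    refs += [("ipsec policy", m.group(1)), ("service-instance-group", m.group(2))]
        elif hdr.startswith(("ike proposal ", "ipsec proposal ", "ike peer ")):
            for l in body:
                weak = WEAK_ALGS & set(l.split())
                if weak:
                    findings.append(f"{hdr}: deprecated algorithm {sorted(weak)} in '{l}'")
        findings += [f"{hdr}: {k} {n!r} is not defined" for k, n in refs if n not in known[k]]
    return findings

def lint_pair(cfg_a, cfg_b):
    """Both devices' findings plus the ACL-mirroring check between them."""
    findings = [f"A: {f}" for f in lint_device(cfg_a)] + [f"B: {f}" for f in lint_device(cfg_b)]
    acl_a, acl_b = (next((l.split()[2] for b in c.values() for l in b if l.startswith("security acl ")), None)
                    for c in (cfg_a, cfg_b))
    swapped = {(d, dw, s, sw) for s, sw, d, dw in acl_rules(cfg_a, acl_a)}
    if swapped != acl_rules(cfg_b, acl_b):
        findings.append(f"ACL {acl_a} on A and ACL {acl_b} on B do not mirror each other")
    return findings

# Constructed sample: Device A from the example above, trimmed to the relevant sections.
DEVICE_A = """\
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#
ike peer spub
 remote-address 10.5.5.2
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
 proposal tran1
#
service-instance-group 1
 service-location 1
#
interface Tunnel0/1/3
 tunnel-protocol ipsec
 ipsec policy map1 service-instance-group 1
"""

# Device B is derived from A with the ACL correctly mirrored, plus three deliberate
# mistakes of the kind that copy-and-paste between peers produces.
DEVICE_B = (DEVICE_A
    .replace("source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255",
             "source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255")
    .replace("remote-address 10.5.5.2", "remote-address 10.5.5.1")
    .replace("ike-peer spub", "ike-peer spua")  # the peer is still named spub
    .replace("esp authentication-algorithm sha2-256", "esp authentication-algorithm sha1")
    .replace("\nservice-instance-group 1\n", "\nservice-instance-group group1\n"))

for finding in lint_pair(parse_vrp(DEVICE_A), parse_vrp(DEVICE_B)):
    print(finding)
```

Run against a pair of exported configurations, the script reports three findings for Device B (an ike-peer that is not defined, a service-instance-group bound on the tunnel that is not defined, and the SHA-1 keyword) and none for the ACL mirroring, because the rule on B is the rule on A with source and destination swapped. Feeding the same configuration for both sides is the quickest way to see the mirroring check fire.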

Example for Setting Up an IPsec Tunnel in IKE Negotiation Mode (with Peer Keepalive Detection)

Applicable Products and Versions

This configuration example applies to NE20E-S series products running V800R010C00 or later, with NSP-A/NSP-B support.

Networking Requirements

An IPsec tunnel is set up between the headquarters and the branch, and dead peer detection (DPD) is configured so that each end can detect whether its IPsec peer is still alive. Without DPD, if the IPsec SA for the branch is deleted abnormally on the headquarters while the branch keeps sending encrypted data, the headquarters cannot decrypt that data and communication is interrupted until the SA is rebuilt. With DPD, the branch detects that the peer no longer answers, deletes its stale SA, and renegotiates the tunnel.

Figure 1-62  Setting up an IPsec tunnel in IKE negotiation mode
NOTE:

Interface 1 and interface 2 in this example stand for GE 0/1/0 and GE 0/2/0, respectively.



Procedure

  1. Configure the headquarters.

    #
     sysname Headquarters
    #
    service-location 1
     location slot 3
    #
    service-instance-group 1
     service-location 1
    #
    ike dpd on-demand 100  //Configure on-demand DPD.
    #
    acl number 3000  //Configure ACL 3000.
     rule 0 permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
    #
    ipsec proposal def  //Configure an IPsec proposal.
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 192
    #
    ike peer Center  //Configure an IKE peer. No IKE proposal is bound, so the default IKE proposal is used.
     version 1
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#  //Configure the PSK as huawei in ciphertext.
     remote-address 10.5.5.2  //Configure the peer IP address.
    #
    ipsec policy center 1 isakmp  //Configure an IPsec policy.
     security acl 3000
     ike-peer Center
     proposal def
    #
    interface Tunnel0/1/3
     ip address 10.5.5.1 24
     tunnel-protocol ipsec
     ipsec policy center service-instance-group 1
    #
    interface GigabitEthernet0/1/0
     ip address 192.168.1.1 255.255.255.0
    #
    interface GigabitEthernet0/2/0
     ip address 10.1.0.1 255.255.255.0
    #
    ip route-static 10.5.5.2 255.255.255.255 192.168.1.2  //Configure a static route to the external egress of the branch.
    ip route-static 10.2.0.0 255.255.255.0 Tunnel0/1/3 10.5.5.2  //Configure a static route to the internal network of the branch.
    #
    return

  2. Configure the branch.

    #
     sysname Branch
    #
    service-location 1
     location slot 3
    #
    service-instance-group 1  //Required: the tunnel interface below binds this group.
     service-location 1
    #
    ike dpd on-demand 100  //Configure on-demand DPD.
    #
    acl number 3000  //Configure ACL 3000, mirroring ACL 3000 on the headquarters.
     rule 0 permit ip source 10.2.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
    #
    ipsec proposal def  //Configure an IPsec proposal.
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 192
    #
    ike peer Center  //Configure an IKE peer (the headquarters).
     version 1
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#  //Configure the PSK as huawei in ciphertext.
     remote-address 10.5.5.1  //Configure the peer IP address.
    #
    ipsec policy branch 1 isakmp  //Configure an IPsec policy.
     security acl 3000
     ike-peer Center  //Reference the IKE peer defined above.
     proposal def
    #
    interface GigabitEthernet0/1/0
     ip address 192.168.2.1 255.255.255.0
    #
    interface Tunnel0/1/3
     ip address 10.5.5.2 24
     tunnel-protocol ipsec
     ipsec policy branch service-instance-group 1
    #
    interface GigabitEthernet0/2/0
     ip address 10.2.0.1 255.255.255.0
    #
    ip route-static 10.5.5.1 255.255.255.255 192.168.2.2  //Configure a static route to the external egress of the headquarters.
    ip route-static 10.1.0.0 255.255.255.0 Tunnel0/1/3 10.5.5.1  //Configure a static route to the internal network of the headquarters.
    #
    return

  3. Verify the configuration.

    1. Run the display ike sa and display ipsec sa commands on the headquarters. The command output displays the IKE SA and IPsec SA of the tunnel.
    2. Disconnect the link on the branch side, then ping a branch address (for example, 10.2.0.1) from the headquarters. Because DPD is in on-demand mode, the headquarters sends a DPD request only when it has traffic to send and has received nothing from the branch within the DPD idle interval; the ping supplies that traffic. When the DPD retries go unanswered, the headquarters deletes the IKE SA and IPsec SA, which display ipsec sa then no longer shows.
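The behaviour the verification step relies on is the on-demand DPD logic of RFC 3706: a peer sends a DPD request (R-U-THERE) only when it has traffic to send and has received nothing from the other side within the idle interval, retransmits a few times, and deletes the SAs if no R-U-THERE-ACK ever arrives. The simulation below is an added example, not Huawei code; it assumes that the 100 in ike dpd on-demand 100 is the idle interval in seconds, and the retry interval (10 s) and retry count (3) are assumptions chosen for the simulation rather than the device's values.

```python
from dataclasses import dataclass, field


@dataclass
class DpdEndpoint:
    """One IKE peer running on-demand DPD (RFC 3706). Times are in seconds."""
    idle: int = 100            # idle interval; assumed meaning of the 100 in `ike dpd on-demand 100`
    retry_interval: int = 10   # assumption: gap between R-U-THERE retransmissions
    max_retries: int = 3       # assumption: unanswered probes before the peer is declared dead
    last_rx: int = 0           # time of the last packet received from the peer
    outstanding: int = 0       # R-U-THERE probes sent without an R-U-THERE-ACK
    next_probe_at: int = -1    # -1 means no probe pending
    sa_alive: bool = True
    log: list = field(default_factory=list)

    def receive(self, now, what):
        """Any packet from the peer under the IKE/IPsec SA proves it is alive."""
        self.last_rx, self.outstanding, self.next_probe_at = now, 0, -1
        self.log.append(f"{now}s rx {what}")

    def send_data(self, now):
        """Outbound traffic (the ping in the verification step). On-demand DPD probes
        only when there is something to send and the peer has been silent >= idle."""
        if not self.sa_alive:
            self.log.append(f"{now}s drop: SA deleted, renegotiation needed")
            return False
        self.log.append(f"{now}s tx ESP data")
        if now - self.last_rx >= self.idle and self.outstanding == 0:
            self._probe(now)
        return True

    def tick(self, now):
        """Retransmit a pending probe; after max_retries unanswered, declare the peer dead."""
        if self.next_probe_at != -1 and now >= self.next_probe_at:
            if self.outstanding >= self.max_retries:
                self.sa_alive, self.next_probe_at = False, -1
                self.log.append(f"{now}s peer dead: delete IKE SA and IPsec SA")
            else:
                self._probe(now)

    def _probe(self, now):
        self.outstanding += 1
        self.next_probe_at = now + self.retry_interval
        self.log.append(f"{now}s tx R-U-THERE #{self.outstanding}")


def simulate(peer_dies_at, peer_talks=True, data_every=20, end=200):
    """Drive one endpoint: it sends data every data_every seconds; the peer answers data
    (if peer_talks) and answers probes until time peer_dies_at, after which it is silent.
    peer_dies_at models the headquarters whose SA was deleted abnormally."""
    ep = DpdEndpoint()
    for now in range(end + 1):
        ep.tick(now)
        if now and now % data_every == 0 and ep.send_data(now) and peer_talks and now < peer_dies_at:
            ep.receive(now, "ESP data")
        if ep.log[-1:] == [f"{now}s tx R-U-THERE #{ep.outstanding}"] and now < peer_dies_at:
            ep.receive(now, "R-U-THERE-ACK")
    return ep


def probes_sent(ep):
    return sum(1 for e in ep.log if "tx R-U-THERE #" in e)
```

Three runs show the three cases that matter: with a live, two-way peer no probe is ever sent; with a live peer that only receives (one-way traffic) a probe goes out once per idle interval and is acknowledged, so the SA survives; with a peer that went silent at 50 s the first probe is sent only at the next outbound packet after the idle interval has elapsed (140 s), is retransmitted twice, and the SAs are deleted at 170 s, after which the endpoint drops traffic until it renegotiates.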

Example for Configuring IPsec NAT Traversal

Applicable Products and Versions

This configuration example applies to NE20E-S series products running V800R010C00 or later.

Networking Requirements

When a NAT gateway sits between the local and remote devices, the IPsec peers must negotiate NAT traversal (NAT-T) during IKE so that each side learns whether its address was translated and can encapsulate ESP in UDP. Both the local and remote devices must therefore support NAT traversal.

On the network shown in Figure 1-63, the headquarters egress gateway Device A and the branch egress gateway Device B are separated by the NAT device NATER, which translates the addresses between them. They establish an IPsec tunnel that supports NAT traversal, using IKE aggressive mode.

Figure 1-63  Configuring IPsec NAT traversal
NOTE:

Interface 1 and interface 2 in this example stand for GE 0/1/1 and GE 0/1/2, respectively.



Precautions
  • Configure the NATER so that Device A and Device B can reach each other's tunnel addresses through the translated addresses.
  • Device A, the responder of the IPsec negotiation, must use an IPsec policy template, because the translated address of Device B is not known in advance and a policy with a fixed remote-address would not match it.
  • NAT traversal must be enabled on both Device A and Device B.
  • Only the tunnel encapsulation mode is supported with NAT traversal.
  • IKE negotiation in main mode does not support IPsec NAT traversal on these products; use aggressive mode.
  • Configure DPD so that a peer whose SA or NAT mapping has disappeared is detected and the tunnel is renegotiated.
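How the two peers discover the NATER during IKE, and hence why both must support NAT traversal, is worth seeing concretely. The following Python code is an added example, not Huawei code and not part of this document: it implements the NAT discovery of RFC 3947, in which each side sends NAT-D payloads carrying HASH(CKY-I | CKY-R | IP | port) for the address it believes the peer has and for its own address, and the receiver recomputes the hashes from the addresses actually present in the IP/UDP headers. The IKE cookies, the translated address 10.34.160.101 (from the NATER pool above) and the translated port 1025 are constructed values, and SHA-1 is assumed as the negotiated IKE hash.

```python
import hashlib
import ipaddress
import struct


def nat_d(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.
    The hash is the one negotiated for the IKE SA; SHA-1 is assumed here."""
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(struct.pack("!H", port))
    return h.digest()


def nat_d_payloads(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """Payloads a sender puts in its message: first the destination (the peer as the
    sender knows it), then one per source address the sender itself has."""
    return [nat_d(cky_i, cky_r, peer_ip, peer_port), nat_d(cky_i, cky_r, my_ip, my_port)]


def detect_nat(cky_i, cky_r, received_payloads, local_ip, local_port, src_ip, src_port):
    """Recompute the hashes from the addresses actually seen in the IP/UDP headers of
    the received packet and compare them with what the sender claimed."""
    local_natted = nat_d(cky_i, cky_r, local_ip, local_port) != received_payloads[0]
    peer_natted = nat_d(cky_i, cky_r, src_ip, src_port) not in received_payloads[1:]
    return {"local_behind_nat": local_natted, "peer_behind_nat": peer_natted,
            "udp_encapsulation": local_natted or peer_natted}  # move to UDP 4500 if any NAT


# Constructed values: IKE cookies from the ISAKMP header, and the public address/port
# the NATER is assumed to allocate to Device B from its pool 10.34.160.101-105.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
DEVICE_A = ("1.2.0.1", 500)                # Device A tunnel address, not translated
DEVICE_B = ("192.168.0.2", 500)            # Device B tunnel address before NAT
DEVICE_B_PUBLIC = ("10.34.160.101", 1025)  # what Device A actually sees after NAT


def device_a_view():
    """Device A receives Device B's NAT-D payloads; B hashed its own private address."""
    sent = nat_d_payloads(CKY_I, CKY_R, *DEVICE_B, *DEVICE_A)
    return detect_nat(CKY_I, CKY_R, sent, *DEVICE_A, *DEVICE_B_PUBLIC)


def device_b_view():
    """Device B receives Device A's payloads; A hashed the translated address it saw for B."""
    sent = nat_d_payloads(CKY_I, CKY_R, *DEVICE_A, *DEVICE_B_PUBLIC)
    return detect_nat(CKY_I, CKY_R, sent, *DEVICE_B, *DEVICE_A)


def no_nat_view():
    """Control case: the same exchange with no NAT in the path."""
    sent = nat_d_payloads(CKY_I, CKY_R, *DEVICE_B, *DEVICE_A)
    return detect_nat(CKY_I, CKY_R, sent, *DEVICE_A, *DEVICE_B)
```

Device A concludes that its own address is intact and that the peer is behind a NAT; Device B concludes the reverse; with no NAT in the path neither flag is set. Because the hash commits to the address and port the sender actually used, the NAT's rewrite is detected even though the rewritten fields are never sent in the clear. Once either flag is set, both sides move IKE and ESP to UDP port 4500 (UDP-encapsulated ESP), which is why the precaution above requires NAT traversal on both devices. Tunnel mode hides the original inner addresses entirely inside ESP, avoiding the transport-mode problem that inner TCP/UDP checksums cover the addresses the NAT rewrote.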

Procedure

  1. Configure Device A.

    #
     sysname DeviceA  //Configure the host name of the device.
    #
    service-location 1
     location follow-forwarding-mode  //Use this in NSP 1:1 protection mode.
     location slot 2  //Use this in non-NSP 1:1 protection mode. Configure only one of the two location commands.
    #
    service-instance-group group1
     service-location 1
    #
    ike dpd interval 10 10  //Deploying DPD is recommended.
    #
    acl number 3000  //Configure an ACL.
     rule 0 permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
    #
    ipsec proposal rta  //Configure an IPsec proposal.
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ike proposal 1  //Configure an IKE proposal.
     dh group14
    #
    ike peer rta  //Configure an IKE peer. No remote-address is set because the translated address of Device B is not known in advance.
     ike-proposal 1
     exchange-mode aggressive  //Configure the IKE negotiation mode as aggressive.
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#  //Configure the PSK as huawei in ciphertext.
     local-id-type ip  //Configure the IKE ID in the IP format.
     nat traversal  //Enable NAT traversal.
    #
    ipsec policy-template rta_temp 1  //Configure an IPsec policy template.
     ike-peer rta
     proposal rta
     security acl 3000
    #
    ipsec policy rta 1 isakmp template rta_temp  //Create an IPsec policy from the template.
    #
    interface Tunnel1
     ip address 1.2.0.1 24
     tunnel-protocol ipsec
     ipsec policy rta service-instance-group group1  //Bind the service-instance-group defined above (group1).
    #
    interface gigabitethernet0/1/1
     ip address 1.2.1.1 255.255.255.0
    #
    interface gigabitethernet0/1/2
     ip address 10.1.0.1 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 1.2.1.0 0.0.0.255
    #
    return

  2. Configure Device B.

    #
     sysname DeviceB  //Configure the host name of the device.
    #
    service-location 1
     location follow-forwarding-mode  //Use this in NSP 1:1 protection mode.
     location slot 2  //Use this in non-NSP 1:1 protection mode. Configure only one of the two location commands.
    #
    service-instance-group group1
     service-location 1
    #
    ike dpd interval 10 10  //Deploying DPD is recommended.
    #
    acl number 3000  //Configure an ACL that mirrors ACL 3000 on Device A.
     rule 0 permit ip source 10.2.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
    #
    ipsec proposal rtb  //Configure an IPsec proposal.
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ike proposal 1  //Configure an IKE proposal.
     dh group14
    #
    ike peer rtb  //Configure an IKE peer.
     ike-proposal 1
     exchange-mode aggressive  //Configure the IKE negotiation mode as aggressive.
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#  //Configure the PSK as huawei in ciphertext.
     local-id-type ip  //Configure the IKE ID in the IP format.
     remote-address 1.2.0.1  //Configure the IP address of the IKE peer.
     nat traversal  //Enable NAT traversal.
    #
    ipsec policy rtb 1 isakmp  //Configure an IPsec policy.
     security acl 3000
     ike-peer rtb
     proposal rtb
    #
    interface Tunnel1
     ip address 192.168.0.2 24
     tunnel-protocol ipsec
     ipsec policy rtb service-instance-group group1  //Bind the service-instance-group defined above (group1).
    #
    interface gigabitethernet0/1/1
     ip address 192.168.1.2 255.255.255.0
    #
    interface gigabitethernet0/1/2
     ip address 10.2.0.1 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 192.168.1.0 0.0.0.255
    #
    ip route-static 10.1.0.0 255.255.255.0 Tunnel1 1.2.0.1  //Configure a static route to the network segment 10.1.0.0/24 through the tunnel.
    ip route-static 1.2.0.1 255.255.255.255 192.168.1.1  //Configure a static route to the Device A tunnel interface via the NATER.
    #
    return

  3. Configure NATER.

    #
     sysname NATER  //Configure the host name of the device.
    #
    service-location 1
     location follow-forwarding-mode  //Use this in NSP 1:1 protection mode.
     location slot 2  //Use this in non-NSP 1:1 protection mode. Configure only one of the two location commands.
    #
    service-instance-group group1
     service-location 1
    #
    nat instance nat1 id 1
     service-instance-group group1  //Bind the service-instance-group defined above (group1).
     nat address-group address-group1 group-id 1 10.34.160.101 10.34.160.105
    #
    acl number 3000  //Configure ACL 3000 to match the traffic to translate: Device B tunnel address to Device A tunnel address.
     rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 1.2.0.0 0.0.0.255
    #
    interface gigabitethernet0/1/1
     ip address 1.2.1.2 255.255.255.0
     nat bind acl 3000 instance nat1  //Bind the NAT instance to the traffic matching ACL 3000 on the outbound interface.
    #
    interface gigabitethernet0/1/2
     ip address 192.168.1.1 255.255.255.0
    #
    ospf 1
     import-route unr  //Advertise the NAT address pool routes so that Device A can reach the translated addresses.
     area 0.0.0.0
      network 1.2.1.0 0.0.0.255
      network 192.168.1.0 0.0.0.255
    #
    ip route-static 1.2.0.1 32 1.2.1.1  //Configure a static route to the Device A tunnel interface.
    ip route-static 192.168.0.2 32 192.168.1.2  //Configure a static route to the Device B tunnel interface.
    #
    return

  4. Verify the configuration.

    After a ping from a host in 10.2.0.0/24 to a host in 10.1.0.0/24 has triggered IPsec negotiation, run the display ike sa verbose remote ip-address and display ipsec sa commands on Device A, where ip-address is the translated address of Device B as seen by Device A. The command output displays the IKE SA and IPsec SA of the tunnel and should indicate that NAT traversal was negotiated.

Example for Configuring Encrypted Tunnels for Access of Financial Enterprise's Branches

This section provides an example for configuring an IPsec encrypted tunnel that is used to transmit service packets between an HQ network and branches, which improves the reliability and security of data transmission between the branches and HQ.

Applicable Products and Versions

This configuration example applies to NE40E series products running V800R010C00 or later.

Networking Requirements

In Figure 1-64, a financial enterprise wants to deploy an access network to connect its branches to the HQ network and provide high reliability and security for the access network. To meet the customer requirements, IPsec can be configured on egress routers (Device A and Device B) of the branch network and aggregation routers (Device C and Device D) of the HQ network.

Redundant links exist between devices. An IPsec tunnel can be established over each link to provide protection. The customer also wants to divert services of multiple business departments so that each link is efficiently used and no traffic congestion occurs.

Figure 1-64  Financial enterprise branch access networking
NOTE:

Interfaces 1 through 3 stand for GE 0/1/0, GE 0/1/1, and GE 0/1/2, respectively.



Table 1-41 describes interface addresses and masks of IPsec tunnels.
Table 1-41  Interface addresses and masks of IPsec tunnels

Tunnel Type      Tunnel Link          Interface Address and Mask
Primary tunnel   Device A-Device C    Device A: 10.1.1.2/32; Device C: 10.1.1.1/32
Backup tunnel    Device A-Device C    Device A: 10.1.4.2/32; Device C: 10.1.4.1/32
Primary tunnel   Device B-Device D    Device B: 10.1.5.2/32; Device D: 10.1.5.1/32
Backup tunnel    Device B-Device D    Device B: 10.1.8.2/32; Device D: 10.1.8.1/32

Configuration Roadmap
  1. Configure the primary and backup IPsec tunnels between Device A and Device C and between Device B and Device D. Use an IPsec policy template on Device C and Device D, the responding HQ side, so that they accept negotiation over either link without a fixed remote address.

  2. Configure BFD to monitor physical links between Device A and Device C, which helps control the primary/backup IPsec tunnel switchover between Device A and Device C. Configure BFD to monitor physical links between Device B and Device D, which helps control the primary/backup IPsec tunnel switchover between Device B and Device D.

  3. Configure BFD to monitor the loopback interfaces of Device A and Device C and bind BFD to a VRRP backup group, which helps control the IPsec tunnel switchover between Device A and Device C and between Device B and Device D.

Procedure

  1. Configure device names and IP addresses for interfaces.

    For configuration details, see Configuration Files in this section.

  2. Configure the primary and backup IPsec tunnels between Device A and Device C.

    # Configure Device A.

    [*DeviceA] acl 3000
    [*DeviceA-acl-adv-3000] rule permit ip 
    [*DeviceA-acl-adv-3000] quit
    [*DeviceA] acl 3001
    [*DeviceA-acl-adv-3001] rule permit ip 
    [*DeviceA-acl-adv-3001] quit
    [*DeviceA] commit
    [~DeviceA] ipsec proposal p1
    [*DeviceA-ipsec-proposal-p1] encapsulation-mode tunnel
    [*DeviceA-ipsec-proposal-p1] transform esp
    [*DeviceA-ipsec-proposal-p1] esp authentication-algorithm sha2-256
    [*DeviceA-ipsec-proposal-p1] esp encryption-algorithm aes 256
    [*DeviceA-ipsec-proposal-p1] quit
    [*DeviceA] ike proposal 10
    [*DeviceA-ike-proposal-10] authentication-method pre-share
    [*DeviceA-ike-proposal-10] encryption-algorithm aes-cbc 256
    [*DeviceA-ike-proposal-10] authentication-algorithm sha2-256
    [*DeviceA-ike-proposal-10] integrity-algorithm hmac-sha2-256
    [*DeviceA-ike-proposal-10] dh group14
    [*DeviceA-ike-proposal-10] quit
    [*DeviceA] ike peer c1
    [*DeviceA-ike-peer-c1] ike-proposal 10
    [*DeviceA-ike-peer-c1] remote-address 10.1.1.1
    [*DeviceA-ike-peer-c1] pre-shared-key cipher Huawei@123
    [*DeviceA-ike-peer-c1] quit
    [*DeviceA] ike peer c2
    [*DeviceA-ike-peer-c2] ike-proposal 10
    [*DeviceA-ike-peer-c2] remote-address 10.1.4.1
    [*DeviceA-ike-peer-c2] pre-shared-key cipher Huawei@123
    [*DeviceA-ike-peer-c2] quit
    [*DeviceA] ike dpd interval 10 10
    [*DeviceA] ipsec policy map1 10 isakmp
    [*DeviceA-ipsec-policy-isakmp-map1-10] security acl 3000
    [*DeviceA-ipsec-policy-isakmp-map1-10] proposal p1
    [*DeviceA-ipsec-policy-isakmp-map1-10] ike-peer c1
    [*DeviceA-ipsec-policy-isakmp-map1-10] quit
    [*DeviceA] ipsec policy map2 10 isakmp
    [*DeviceA-ipsec-policy-isakmp-map2-10] security acl 3001
    [*DeviceA-ipsec-policy-isakmp-map2-10] proposal p1
    [*DeviceA-ipsec-policy-isakmp-map2-10] ike-peer c2
    [*DeviceA-ipsec-policy-isakmp-map2-10] quit
    [*DeviceA] service-location 1
    [*DeviceA-service-location-1] location slot 1
    [*DeviceA-service-location-1] quit
    [*DeviceA] service-instance-group group1
    [*DeviceA-service-instance-group-group1] service-location 1
    [*DeviceA-service-instance-group-group1] quit
    [*DeviceA] interface Tunnel 10
    [*DeviceA-Tunnel10] mtu 1400
    [*DeviceA-Tunnel10] tunnel-protocol ipsec
    [*DeviceA-Tunnel10] ip address 10.1.1.2 32
    [*DeviceA-Tunnel10] ipsec policy map1 service-instance-group group1
    [*DeviceA-Tunnel10] quit
    [*DeviceA] interface Tunnel 20
    [*DeviceA-Tunnel20] mtu 1400
    [*DeviceA-Tunnel20] tunnel-protocol ipsec
    [*DeviceA-Tunnel20] ip address 10.1.4.2 32
    [*DeviceA-Tunnel20] ipsec policy map2 service-instance-group group1
    [*DeviceA-Tunnel20] quit
    [*DeviceA] commit

    # Configure Device C.

    [*DeviceC] acl 3000
    [*DeviceC-acl-adv-3000] rule permit ip 
    [*DeviceC-acl-adv-3000] quit
    [*DeviceC] acl 3001
    [*DeviceC-acl-adv-3001] rule permit ip 
    [*DeviceC-acl-adv-3001] quit
    [*DeviceC] commit
    [~DeviceC] ipsec proposal p1
    [*DeviceC-ipsec-proposal-p1] encapsulation-mode tunnel
    [*DeviceC-ipsec-proposal-p1] transform esp
    [*DeviceC-ipsec-proposal-p1] esp authentication-algorithm sha2-256
    [*DeviceC-ipsec-proposal-p1] esp encryption-algorithm aes 256
    [*DeviceC-ipsec-proposal-p1] quit
    [*DeviceC] ike proposal 10
    [*DeviceC-ike-proposal-10] authentication-method pre-share
    [*DeviceC-ike-proposal-10] encryption-algorithm aes-cbc 256
    [*DeviceC-ike-proposal-10] authentication-algorithm sha2-256
    [*DeviceC-ike-proposal-10] integrity-algorithm hmac-sha2-256
    [*DeviceC-ike-proposal-10] dh group14
    [*DeviceC-ike-proposal-10] quit
    [*DeviceC] ike peer a1
    [*DeviceC-ike-peer-a1] ike-proposal 10
    [*DeviceC-ike-peer-a1] pre-shared-key cipher Huawei@123
    [*DeviceC-ike-peer-a1] quit
    [*DeviceC] ike peer a2
    [*DeviceC-ike-peer-a2] ike-proposal 10
    [*DeviceC-ike-peer-a2] pre-shared-key cipher Huawei@123
    [*DeviceC-ike-peer-a2] quit
    [*DeviceC] ike dpd interval 10 10
    [*DeviceC] ipsec policy-template t1 10 isakmp
    [*DeviceC-ipsec-policy-template-isakmp-t1-10] security acl 3000
    [*DeviceC-ipsec-policy-template-isakmp-t1-10] proposal p1
    [*DeviceC-ipsec-policy-template-isakmp-t1-10] ike-peer a1
    [*DeviceC-ipsec-policy-template-isakmp-t1-10] quit
    [*DeviceC] ipsec policy-template t2 10 isakmp
    [*DeviceC-ipsec-policy-template-isakmp-t2-10] security acl 3001
    [*DeviceC-ipsec-policy-template-isakmp-t2-10] proposal p1
    [*DeviceC-ipsec-policy-template-isakmp-t2-10] ike-peer a2
    [*DeviceC-ipsec-policy-template-isakmp-t2-10] quit
    [*DeviceC] ipsec policy map1 10 isakmp template t1
    [*DeviceC] ipsec policy map2 10 isakmp template t2
    [*DeviceC] service-location 1
    [*DeviceC-service-location-1] location slot 1
    [*DeviceC-service-location-1] quit
    [*DeviceC] service-instance-group group1
    [*DeviceC-service-instance-group-group1] service-location 1
    [*DeviceC-service-instance-group-group1] quit
    [*DeviceC] interface Tunnel 10
    [*DeviceC-Tunnel10] mtu 1400
    [*DeviceC-Tunnel10] tunnel-protocol ipsec
    [*DeviceC-Tunnel10] ip address 10.1.1.1 32
    [*DeviceC-Tunnel10] ipsec policy map1 service-instance-group group1
    [*DeviceC-Tunnel10] quit
    [*DeviceC] interface Tunnel 20
    [*DeviceC-Tunnel20] mtu 1400
    [*DeviceC-Tunnel20] tunnel-protocol ipsec
    [*DeviceC-Tunnel20] ip address 10.1.4.1 32
    [*DeviceC-Tunnel20] ipsec policy map2 service-instance-group group1
    [*DeviceC-Tunnel20] quit
    [*DeviceC] commit

  3. Configure the primary and backup IPsec tunnels between Device B and Device D.

    # Configure Device B.

    [*DeviceB] acl 3000
    [*DeviceB-acl-adv-3000] rule permit ip 
    [*DeviceB-acl-adv-3000] quit
    [*DeviceB] acl 3001
    [*DeviceB-acl-adv-3001] rule permit ip 
    [*DeviceB-acl-adv-3001] quit
    [*DeviceB] commit
    [~DeviceB] ipsec proposal p1
    [*DeviceB-ipsec-proposal-p1] encapsulation-mode tunnel
    [*DeviceB-ipsec-proposal-p1] transform esp
    [*DeviceB-ipsec-proposal-p1] esp authentication-algorithm sha2-256
    [*DeviceB-ipsec-proposal-p1] esp encryption-algorithm aes 256
    [*DeviceB-ipsec-proposal-p1] quit
    [*DeviceB] ike proposal 10
    [*DeviceB-ike-proposal-10] authentication-method pre-share
    [*DeviceB-ike-proposal-10] encryption-algorithm aes-cbc 256
    [*DeviceB-ike-proposal-10] authentication-algorithm sha2-256
    [*DeviceB-ike-proposal-10] integrity-algorithm hmac-sha2-256
    [*DeviceB-ike-proposal-10] dh group14
    [*DeviceB-ike-proposal-10] quit
    [*DeviceB] ike peer d1
    [*DeviceB-ike-peer-d1] ike-proposal 10
    [*DeviceB-ike-peer-d1] remote-address 10.1.5.1
    [*DeviceB-ike-peer-d1] pre-shared-key cipher Huawei@123
    [*DeviceB-ike-peer-d1] quit
    [*DeviceB] ike peer d2
    [*DeviceB-ike-peer-d2] ike-proposal 10
    [*DeviceB-ike-peer-d2] remote-address 10.1.8.1
    [*DeviceB-ike-peer-d2] pre-shared-key cipher Huawei@123
    [*DeviceB-ike-peer-d2] quit
    [*DeviceB] ike dpd interval 10 10
    [*DeviceB] ipsec policy map1 10 isakmp
    [*DeviceB-ipsec-policy-isakmp-map1-10] security acl 3000
    [*DeviceB-ipsec-policy-isakmp-map1-10] proposal p1
    [*DeviceB-ipsec-policy-isakmp-map1-10] ike-peer d1
    [*DeviceB-ipsec-policy-isakmp-map1-10] quit
    [*DeviceB] ipsec policy map2 10 isakmp
    [*DeviceB-ipsec-policy-isakmp-map2-10] security acl 3001
    [*DeviceB-ipsec-policy-isakmp-map2-10] proposal p1
    [*DeviceB-ipsec-policy-isakmp-map2-10] ike-peer d2
    [*DeviceB-ipsec-policy-isakmp-map2-10] quit
    [*DeviceB] service-location 1
    [*DeviceB-service-location-1] location slot 1
    [*DeviceB-service-location-1] quit
    [*DeviceB] service-instance-group group1
    [*DeviceB-service-instance-group-group1] service-location 1
    [*DeviceB-service-instance-group-group1] quit
    [*DeviceB] interface Tunnel 10
    [*DeviceB-Tunnel10] mtu 1400
    [*DeviceB-Tunnel10] tunnel-protocol ipsec
    [*DeviceB-Tunnel10] ip address 10.1.5.2 32
    [*DeviceB-Tunnel10] ipsec policy map1 service-instance-group group1
    [*DeviceB-Tunnel10] quit
    [*DeviceB] interface Tunnel 20
    [*DeviceB-Tunnel20] mtu 1400
    [*DeviceB-Tunnel20] tunnel-protocol ipsec
    [*DeviceB-Tunnel20] ip address 10.1.8.2 32
    [*DeviceB-Tunnel20] ipsec policy map2 service-instance-group group1
    [*DeviceB-Tunnel20] quit
    [*DeviceB] commit

    # Configure Device D.

    [*DeviceD] acl 3000
    [*DeviceD-acl-adv-3000] rule permit ip 
    [*DeviceD-acl-adv-3000] quit
    [*DeviceD] acl 3001
    [*DeviceD-acl-adv-3001] rule permit ip 
    [*DeviceD-acl-adv-3001] quit
    [*DeviceD] commit
    [~DeviceD] ipsec proposal p1
    [*DeviceD-ipsec-proposal-p1] encapsulation-mode tunnel
    [*DeviceD-ipsec-proposal-p1] transform esp
    [*DeviceD-ipsec-proposal-p1] esp authentication-algorithm sha2-256
    [*DeviceD-ipsec-proposal-p1] esp encryption-algorithm aes 256
    [*DeviceD-ipsec-proposal-p1] quit
    [*DeviceD] ike proposal 10
    [*DeviceD-ike-proposal-10] authentication-method pre-share
    [*DeviceD-ike-proposal-10] encryption-algorithm aes-cbc 256
    [*DeviceD-ike-proposal-10] authentication-algorithm sha2-256
    [*DeviceD-ike-proposal-10] integrity-algorithm hmac-sha2-256
    [*DeviceD-ike-proposal-10] dh group14
    [*DeviceD-ike-proposal-10] quit
    [*DeviceD] ike peer b1
    [*DeviceD-ike-peer-b1] ike-proposal 10
    [*DeviceD-ike-peer-b1] pre-shared-key cipher Huawei@123
    [*DeviceD-ike-peer-b1] quit
    [*DeviceD] ike peer b2
    [*DeviceD-ike-peer-b2] ike-proposal 10
    [*DeviceD-ike-peer-b2] pre-shared-key cipher Huawei@123
    [*DeviceD-ike-peer-b2] quit
    [*DeviceD] ike dpd interval 10 10
    [*DeviceD] ipsec policy-template t1 10 isakmp
    [*DeviceD-ipsec-policy-template-isakmp-t1-10] security acl 3000
    [*DeviceD-ipsec-policy-template-isakmp-t1-10] proposal p1
    [*DeviceD-ipsec-policy-template-isakmp-t1-10] ike-peer b1
    [*DeviceD-ipsec-policy-template-isakmp-t1-10] quit
    [*DeviceD] ipsec policy-template t2 10 isakmp
    [*DeviceD-ipsec-policy-template-isakmp-t2-10] security acl 3001
    [*DeviceD-ipsec-policy-template-isakmp-t2-10] proposal p1
    [*DeviceD-ipsec-policy-template-isakmp-t2-10] ike-peer b2
    [*DeviceD-ipsec-policy-template-isakmp-t2-10] quit
    [*DeviceD] ipsec policy map1 10 isakmp template t1
    [*DeviceD] ipsec policy map2 10 isakmp template t2
    [*DeviceD] service-location 1
    [*DeviceD-service-location-1] location slot 1
    [*DeviceD-service-location-1] quit
    [*DeviceD] service-instance-group group1
    [*DeviceD-service-instance-group-group1] service-location 1
    [*DeviceD-service-instance-group-group1] quit
    [*DeviceD] interface Tunnel 10
    [*DeviceD-Tunnel10] mtu 1400
    [*DeviceD-Tunnel10] tunnel-protocol ipsec
    [*DeviceD-Tunnel10] ip address 10.1.5.1 32
    [*DeviceD-Tunnel10] ipsec policy map1 service-instance-group group1
    [*DeviceD-Tunnel10] quit
    [*DeviceD] interface Tunnel 20
    [*DeviceD-Tunnel20] mtu 1400
    [*DeviceD-Tunnel20] tunnel-protocol ipsec
    [*DeviceD-Tunnel20] ip address 10.1.8.1 32
    [*DeviceD-Tunnel20] ipsec policy map2 service-instance-group group1
    [*DeviceD-Tunnel20] quit
    [*DeviceD] commit

  4. Configure BFD to monitor physical links between Device A and Device C.

    Configure a BFD session on the physical link between Device A and Device C; the static routes track this session, so its state controls the primary/backup IPsec tunnel switchover between Device A and Device C. Also configure a BFD session between the loopback interfaces of Device A and Device C and have the VRRP backup group track it, so that when the session goes down the VRRP priority is reduced and traffic is switched from the Device A/Device C pair to the Device B/Device D pair.

    # Configure Device A.

    [~DeviceA] bfd acipsecmain bind peer-ip 10.1.2.1 source-ip 10.1.2.2
    [~DeviceA-bfd-session-acipsecmain] discriminator local 200
    [~DeviceA-bfd-session-acipsecmain] discriminator remote 100
    [~DeviceA-bfd-session-acipsecmain] min-tx-interval 10
    [~DeviceA-bfd-session-acipsecmain] min-rx-interval 10
    [~DeviceA] bfd acipsecloopback bind peer-ip 3.3.3.9 source-ip 1.1.1.9
    [~DeviceA-bfd-session-acipsecloopback] discriminator local 112
    [~DeviceA-bfd-session-acipsecloopback] discriminator remote 111
    [~DeviceA-bfd-session-acipsecloopback] min-tx-interval 100
    [~DeviceA-bfd-session-acipsecloopback] min-rx-interval 100

    # Configure Device C.

    [~DeviceC] bfd acipsecmain bind peer-ip 10.1.2.2 source-ip 10.1.2.1
    [~DeviceC-bfd-session-acipsecmain] discriminator local 100
    [~DeviceC-bfd-session-acipsecmain] discriminator remote 200
    [~DeviceC-bfd-session-acipsecmain] min-tx-interval 10
    [~DeviceC-bfd-session-acipsecmain] min-rx-interval 10
    [~DeviceC] bfd acipsecloopback bind peer-ip 1.1.1.9 source-ip 3.3.3.9
    [~DeviceC-bfd-session-acipsecloopback] discriminator local 111
    [~DeviceC-bfd-session-acipsecloopback] discriminator remote 112
    [~DeviceC-bfd-session-acipsecloopback] min-tx-interval 100
    [~DeviceC-bfd-session-acipsecloopback] min-rx-interval 100

  5. Configure BFD to monitor physical links between Device B and Device D.

    Configure BFD to monitor physical links between Device B and Device D, which helps control the primary/backup IPsec tunnel switchover between Device B and Device D.

    # Configure Device B.

    [~DeviceB] bfd bdipsecmain bind peer-ip 10.1.6.1 source-ip 10.1.6.2
    [~DeviceB-bfd-session-bdipsecmain] discriminator local 200
    [~DeviceB-bfd-session-bdipsecmain] discriminator remote 100
    [~DeviceB-bfd-session-bdipsecmain] min-tx-interval 10
    [~DeviceB-bfd-session-bdipsecmain] min-rx-interval 10
    [~DeviceB] bfd bdipsecloopback bind peer-ip 4.4.4.9 source-ip 2.2.2.9
    [~DeviceB-bfd-session-bdipsecloopback] discriminator local 112
    [~DeviceB-bfd-session-bdipsecloopback] discriminator remote 111
    [~DeviceB-bfd-session-bdipsecloopback] min-tx-interval 100
    [~DeviceB-bfd-session-bdipsecloopback] min-rx-interval 100

    # Configure Device D.

    [~DeviceD] bfd bdipsecmain bind peer-ip 10.1.6.2 source-ip 10.1.6.1
    [~DeviceD-bfd-session-bdipsecmain] discriminator local 100
    [~DeviceD-bfd-session-bdipsecmain] discriminator remote 200
    [~DeviceD-bfd-session-bdipsecmain] min-tx-interval 10
    [~DeviceD-bfd-session-bdipsecmain] min-rx-interval 10
    [~DeviceD] bfd bdipsecloopback bind peer-ip 2.2.2.9 source-ip 4.4.4.9
    [~DeviceD-bfd-session-bdipsecloopback] discriminator local 111
    [~DeviceD-bfd-session-bdipsecloopback] discriminator remote 112
    [~DeviceD-bfd-session-bdipsecloopback] min-tx-interval 100
    [~DeviceD-bfd-session-bdipsecloopback] min-rx-interval 100

  6. Configure a VRRP backup group on Device A and Device B.

    # Configure Device A.

    [~DeviceA] interface gigabitethernet0/1/2.1
    [~DeviceA-GigabitEthernet0/1/2.1] dot1q termination vid 10
    [~DeviceA-GigabitEthernet0/1/2.1] ip address 172.16.1.101 24
    [~DeviceA-GigabitEthernet0/1/2.1] vrrp vrid 1 virtual-ip 172.16.1.1
    [~DeviceA-GigabitEthernet0/1/2.1] vrrp vrid 1 priority 150
    [~DeviceA-GigabitEthernet0/1/2.1] vrrp vrid 1 preempt-mode timer delay 20
    [~DeviceA-GigabitEthernet0/1/2.1] vrrp vrid 1 track bfd-session acipsecloopback reduced 60
    [~DeviceA] interface gigabitethernet0/1/2.2
    [~DeviceA-GigabitEthernet0/1/2.2] dot1q termination vid 20
    [~DeviceA-GigabitEthernet0/1/2.2] ip address 172.16.3.101 24
    [~DeviceA-GigabitEthernet0/1/2.2] vrrp vrid 2 virtual-ip 172.16.3.1

    # Configure Device B.

    [~DeviceB] interface gigabitethernet0/1/2.1
    [~DeviceB-GigabitEthernet0/1/2.1] dot1q termination vid 10
    [~DeviceB-GigabitEthernet0/1/2.1] ip address 172.16.1.102 24
    [~DeviceB-GigabitEthernet0/1/2.1] vrrp vrid 1 virtual-ip 172.16.1.1
    [~DeviceB] interface gigabitethernet0/1/2.2
    [~DeviceB-GigabitEthernet0/1/2.2] dot1q termination vid 20
    [~DeviceB-GigabitEthernet0/1/2.2] ip address 172.16.3.102 24
    [~DeviceB-GigabitEthernet0/1/2.2] vrrp vrid 2 virtual-ip 172.16.3.1
    [~DeviceB-GigabitEthernet0/1/2.2] vrrp vrid 2 priority 150
    [~DeviceB-GigabitEthernet0/1/2.2] vrrp vrid 2 preempt-mode timer delay 20
    [~DeviceB-GigabitEthernet0/1/2.2] vrrp vrid 2 track bfd-session bdipsecloopback reduced 60

  7. Configure a VRRP backup group on Device C and Device D.

    # Configure Device C.

    [~DeviceC] interface gigabitethernet0/1/2.1
    [~DeviceC-GigabitEthernet0/1/2.1] vlan-type dot1q 10
    [~DeviceC-GigabitEthernet0/1/2.1] ip address 172.16.2.101 24
    [~DeviceC-GigabitEthernet0/1/2.1] vrrp vrid 1 virtual-ip 172.16.2.1
    [~DeviceC-GigabitEthernet0/1/2.1] vrrp vrid 1 priority 150
    [~DeviceC-GigabitEthernet0/1/2.1] vrrp vrid 1 preempt-mode timer delay 20
    [~DeviceC-GigabitEthernet0/1/2.1] vrrp vrid 1 track bfd-session acipsecloopback reduced 60
    [~DeviceC] interface gigabitethernet0/1/2.2
    [~DeviceC-GigabitEthernet0/1/2.2] vlan-type dot1q 20
    [~DeviceC-GigabitEthernet0/1/2.2] ip address 172.16.4.101 24
    [~DeviceC-GigabitEthernet0/1/2.2] vrrp vrid 2 virtual-ip 172.16.4.1

    # Configure Device D.

    [~DeviceD] interface gigabitethernet0/1/2.1
    [~DeviceD-GigabitEthernet0/1/2.1] vlan-type dot1q 10
    [~DeviceD-GigabitEthernet0/1/2.1] ip address 172.16.2.102 24
    [~DeviceD-GigabitEthernet0/1/2.1] vrrp vrid 1 virtual-ip 172.16.2.1
    [~DeviceD] interface gigabitethernet0/1/2.2
    [~DeviceD-GigabitEthernet0/1/2.2] vlan-type dot1q 20
    [~DeviceD-GigabitEthernet0/1/2.2] ip address 172.16.4.102 24
    [~DeviceD-GigabitEthernet0/1/2.2] vrrp vrid 2 virtual-ip 172.16.4.1
    [~DeviceD-GigabitEthernet0/1/2.2] vrrp vrid 2 priority 150
    [~DeviceD-GigabitEthernet0/1/2.2] vrrp vrid 2 preempt-mode timer delay 20
    [~DeviceD-GigabitEthernet0/1/2.2] vrrp vrid 2 track bfd-session bdipsecloopback reduced 60

  8. Configure a static route to divert traffic to IPsec tunnels.

    # Configure Device A.

    [~DeviceA] ip route-static 0.0.0.0 0.0.0.0 10.1.2.1 preference 50 track bfd-session acipsecmain
    [~DeviceA] ip route-static 0.0.0.0 0.0.0.0 10.1.3.1
    [~DeviceA] ip route-static 3.3.3.9 255.255.255.255 10.1.1.1 preference 50 track bfd-session acipsecmain
    [~DeviceA] ip route-static 3.3.3.9 255.255.255.255 10.1.4.1
    [~DeviceA] ip route-static 172.16.2.0 255.255.255.0 10.1.1.1 preference 50 track bfd-session acipsecmain
    [~DeviceA] ip route-static 172.16.2.0 255.255.255.0 10.1.4.1

    # Configure Device B.

    [~DeviceB] ip route-static 0.0.0.0 0.0.0.0 10.1.6.1 preference 50 track bfd-session bdipsecmain
    [~DeviceB] ip route-static 0.0.0.0 0.0.0.0 10.1.7.1
    [~DeviceB] ip route-static 4.4.4.9 255.255.255.255 10.1.5.1 preference 50 track bfd-session bdipsecmain
    [~DeviceB] ip route-static 4.4.4.9 255.255.255.255 10.1.8.1
    [~DeviceB] ip route-static 172.16.4.0 255.255.255.0 10.1.5.1 preference 50 track bfd-session bdipsecmain
    [~DeviceB] ip route-static 172.16.4.0 255.255.255.0 10.1.8.1

    # Configure Device C.

    [~DeviceC] ip route-static 172.16.1.0 255.255.255.0 Tunnel10 10.1.2.2 preference 10 track bfd-session acipsecmain
    [~DeviceC] ip route-static 172.16.1.0 255.255.255.0 Tunnel20 10.1.3.2
    [~DeviceC] ip route-static 1.1.1.9 255.255.255.255 Tunnel10 10.1.2.2 preference 10 track bfd-session acipsecmain
    [~DeviceC] ip route-static 1.1.1.9 255.255.255.255 Tunnel20 10.1.3.2

    # Configure Device D.

    [~DeviceD] ip route-static 172.16.3.0 255.255.255.0 Tunnel10 10.1.6.2 preference 10 track bfd-session bdipsecmain
    [~DeviceD] ip route-static 172.16.3.0 255.255.255.0 Tunnel20 10.1.7.2
    [~DeviceD] ip route-static 2.2.2.9 255.255.255.255 Tunnel10 10.1.6.2 preference 10 track bfd-session bdipsecmain
    [~DeviceD] ip route-static 2.2.2.9 255.255.255.255 Tunnel20 10.1.7.2

  9. Verify the configuration.

    Run the display ipsec sa remote remote-ip command. The IPsec SA status is displayed.

    Run the display ike peer [ name peer-name | brief ] command. The IKE peer configurations are displayed.

    Run the display ike sa remote remote-ip command. The IKE SA status is displayed.

    Run the ping command to ping a remote device. Then run the display interface tunnel command to view the working status of a tunnel interface. Statistics about packets sent and received by the tunnel interface are displayed.

    Run the display ipsec statistics command to view changes in encrypted packets. The data transmission is encrypted. Due to encryption, the size of output packets is larger than that of the input packets.

Configuration Files
  • Device A configuration file

    #
     sysname DeviceA
    #
    ike dpd interval 10 10
    #
    acl 3000
     rule permit ip 
    acl 3001
     rule permit ip 
    #
    ipsec proposal p1
     encapsulation-mode tunnel
     transform esp
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ike proposal 10
     authentication-method pre-share
     encryption-algorithm aes-cbc 256
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
     dh group14
    #
    ike peer c1
     ike-proposal 10
     remote-address 10.1.1.1
     pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
    #
    ike peer c2
     ike-proposal 10
     remote-address 10.1.4.1
     pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     proposal p1
     ike-peer c1
    #
    ipsec policy map2 10 isakmp
     security acl 3001
     proposal p1
     ike-peer c2
    #
    service-location 1
     location slot 1
    #
    service-instance-group group1
     service-location 1
    # 
    interface LoopBack1 
     ip address 1.1.1.9 255.255.255.255
    # 
    interface GigabitEthernet0/1/0 
     undo shutdown
     ip address 10.1.2.2 255.255.255.0 
    # 
    interface GigabitEthernet0/1/1 
     undo shutdown
     ip address 10.1.3.2 255.255.255.0 
    # 
    interface GigabitEthernet0/1/2  
     undo shutdown
    #
    interface GigabitEthernet0/1/2.1
     dot1q termination vid 10
     ip address 172.16.1.101 24
     vrrp vrid 1 virtual-ip 172.16.1.1
     vrrp vrid 1 priority 150
     vrrp vrid 1 preempt-mode timer delay 20
     vrrp vrid 1 track bfd-session acipsecloopback reduced 60
    #
    interface GigabitEthernet0/1/2.2
     dot1q termination vid 20
     ip address 172.16.3.101 24
     vrrp vrid 2 virtual-ip 172.16.3.1
    #
    interface Tunnel 10
     mtu 1400
     tunnel-protocol ipsec
     ip address 10.1.1.2 32
     ipsec policy map1 service-instance-group group1
    #
    interface Tunnel 20
     mtu 1400
     tunnel-protocol ipsec
     ip address 10.1.4.2 32
     ipsec policy map2 service-instance-group group1
    #
    ip route-static 0.0.0.0 0.0.0.0 10.1.2.1 preference 50 track bfd-session acipsecmain
    ip route-static 0.0.0.0 0.0.0.0 10.1.3.1
    ip route-static 3.3.3.9 255.255.255.255 10.1.1.1 preference 50 track bfd-session acipsecmain
    ip route-static 3.3.3.9 255.255.255.255 10.1.4.1
    ip route-static 172.16.2.0 255.255.255.0 10.1.1.1 preference 50 track bfd-session acipsecmain
    ip route-static 172.16.2.0 255.255.255.0 10.1.4.1
    #
    bfd acipsecmain bind peer-ip 10.1.2.1 source-ip 10.1.2.2
     discriminator local 200
     discriminator remote 100
     min-tx-interval 10
     min-rx-interval 10
    #
    bfd acipsecloopback bind peer-ip 3.3.3.9 source-ip 1.1.1.9
     discriminator local 112
     discriminator remote 111
     min-tx-interval 100
     min-rx-interval 100
    #
    return
  • Device B configuration file

    #
     sysname DeviceB
    #
    ike dpd interval 10 10
    #
    acl 3000
     rule permit ip 
    acl 3001
     rule permit ip 
    #
    ipsec proposal p1
     encapsulation-mode tunnel
     transform esp
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ike proposal 10
     authentication-method pre-share
     encryption-algorithm aes-cbc 256
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
     dh group14
    #
    ike peer d1
     ike-proposal 10
     remote-address 10.1.5.1
     pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
    #
    ike peer d2
     ike-proposal 10
     remote-address 10.1.8.1
     pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     proposal p1
     ike-peer d1
    #
    ipsec policy map2 10 isakmp
     security acl 3001
     proposal p1
     ike-peer d2
    #
    service-location 1
     location slot 1
    #
    service-instance-group group1
     service-location 1
    # 
    interface LoopBack1 
     ip address 2.2.2.9 255.255.255.255
    #
    interface GigabitEthernet0/1/0 
     undo shutdown
     ip address 10.1.6.2 255.255.255.0
    #
    interface GigabitEthernet0/1/1 
     undo shutdown
     ip address 10.1.7.2 255.255.255.0
    #
    interface GigabitEthernet0/1/2 
     undo shutdown
    #
    interface GigabitEthernet0/1/2.1
     dot1q termination vid 10
     ip address 172.16.1.102 24
     vrrp vrid 1 virtual-ip 172.16.1.1
    #
    interface GigabitEthernet0/1/2.2
     dot1q termination vid 20
     ip address 172.16.3.102 24
     vrrp vrid 2 virtual-ip 172.16.3.1
     vrrp vrid 2 priority 150
     vrrp vrid 2 preempt-mode timer delay 20
     vrrp vrid 2 track bfd-session bdipsecloopback reduced 60
    #
    interface Tunnel 10
     mtu 1400
     tunnel-protocol ipsec
     ip address 10.1.5.2 32
     ipsec policy map1 service-instance-group group1
    #
    interface Tunnel 20
     mtu 1400
     tunnel-protocol ipsec
     ip address 10.1.8.2 32
     ipsec policy map2 service-instance-group group1
    #
    ip route-static 0.0.0.0 0.0.0.0 10.1.6.1 preference 50 track bfd-session bdipsecmain
    ip route-static 0.0.0.0 0.0.0.0 10.1.7.1
    ip route-static 4.4.4.9 255.255.255.255 10.1.5.1 preference 50 track bfd-session bdipsecmain
    ip route-static 4.4.4.9 255.255.255.255 10.1.8.1
    ip route-static 172.16.4.0 255.255.255.0 10.1.5.1 preference 50 track bfd-session bdipsecmain
    ip route-static 172.16.4.0 255.255.255.0 10.1.8.1
    #
    bfd bdipsecmain bind peer-ip 10.1.6.1 source-ip 10.1.6.2
     discriminator local 200
     discriminator remote 100
     min-tx-interval 10
     min-rx-interval 10
    #
    bfd bdipsecloopback bind peer-ip 4.4.4.9 source-ip 2.2.2.9
     discriminator local 112
     discriminator remote 111
     min-tx-interval 100
     min-rx-interval 100
    #
    return
  • Device C configuration file

    #
     sysname DeviceC
    #
    ike dpd interval 10 10
    #
    acl 3000
     rule permit ip 
    #
    acl 3001
     rule permit ip 
    #
    ipsec proposal p1
     encapsulation-mode tunnel
     transform esp
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ike proposal 10
     authentication-method pre-share
     encryption-algorithm aes-cbc 256
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
     dh group14
    #
    ike peer a1
     ike-proposal 10
     pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
    #
    ike peer a2
     ike-proposal 10
     pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
    #
    ipsec policy-template t1 10 isakmp
     security acl 3000
     proposal p1
     ike-peer a1
    #
    ipsec policy-template t2 10 isakmp
     security acl 3001
     proposal p1
     ike-peer a2
    #
    ipsec policy map1 10 isakmp template t1
    ipsec policy map2 10 isakmp template t2
    #
    service-location 1
     location slot 1
    #
    service-instance-group group1
     service-location 1
    # 
    interface LoopBack1 
     ip address 3.3.3.9 255.255.255.255
    #
    interface GigabitEthernet0/1/0 
     undo shutdown
     ip address 10.1.2.1 255.255.255.0  
    #
    interface GigabitEthernet0/1/1 
     undo shutdown
     ip address 10.1.3.1 255.255.255.0                                                
    #    
    interface GigabitEthernet0/1/2 
     undo shutdown
    #
    interface GigabitEthernet0/1/2.1
     vlan-type dot1q 10
     ip address 172.16.2.101 24
     vrrp vrid 1 virtual-ip 172.16.2.1
     vrrp vrid 1 priority 150
     vrrp vrid 1 preempt-mode timer delay 20
     vrrp vrid 1 track bfd-session acipsecloopback reduced 60
    #
    interface GigabitEthernet0/1/2.2
     vlan-type dot1q 20
     ip address 172.16.4.101 24
     vrrp vrid 2 virtual-ip 172.16.4.1
    #
    interface Tunnel 10
     mtu 1400
     tunnel-protocol ipsec
     ip address 10.1.1.1 32
     ipsec policy map1 service-instance-group group1
    #
    interface Tunnel 20
     mtu 1400
     tunnel-protocol ipsec
     ip address 10.1.4.1 32
     ipsec policy map2 service-instance-group group1
    #
    ip route-static 172.16.1.0 255.255.255.0 Tunnel10 10.1.2.2 preference 10 track bfd-session acipsecmain
    ip route-static 172.16.1.0 255.255.255.0 Tunnel20 10.1.3.2
    ip route-static 1.1.1.9 255.255.255.255 Tunnel10 10.1.2.2 preference 10 track bfd-session acipsecmain
    ip route-static 1.1.1.9 255.255.255.255 Tunnel20 10.1.3.2
    #
    bfd acipsecmain bind peer-ip 10.1.2.2 source-ip 10.1.2.1
     discriminator local 100
     discriminator remote 200
     min-tx-interval 10
     min-rx-interval 10
    #
    bfd acipsecloopback bind peer-ip 1.1.1.9 source-ip 3.3.3.9
     discriminator local 111
     discriminator remote 112
     min-tx-interval 100
     min-rx-interval 100
    #
    return
  • Device D configuration file

    #
     sysname DeviceD
    #
    ike dpd interval 10 10
    #
    acl 3000
     rule permit ip 
    #
    acl 3001
     rule permit ip 
    #
    ipsec proposal p1
     encapsulation-mode tunnel
     transform esp
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ike proposal 10
     authentication-method pre-share
     encryption-algorithm aes-cbc 256
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
     dh group14
    #
    ike peer b1
     ike-proposal 10
     pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
    #
    ike peer b2
     ike-proposal 10
     pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
    #
    ipsec policy-template t1 10 isakmp
     security acl 3000
     proposal p1
     ike-peer b1
    #
    ipsec policy-template t2 10 isakmp
     security acl 3001
     proposal p1
     ike-peer b2
    #
    ipsec policy map1 10 isakmp template t1
    ipsec policy map2 10 isakmp template t2
    #
    service-location 1
     location slot 1
    #
    service-instance-group group1
     service-location 1
    #
    interface LoopBack1 
     ip address 4.4.4.9 255.255.255.255
    #
    interface GigabitEthernet0/1/0 
     undo shutdown
     ip address 10.1.6.1 255.255.255.0  
    #
    interface GigabitEthernet0/1/1 
     undo shutdown
     ip address 10.1.7.1 255.255.255.0                                                
    #    
    interface GigabitEthernet0/1/2 
     undo shutdown
    #
    interface GigabitEthernet0/1/2.1
     vlan-type dot1q 10
     ip address 172.16.2.102 24
     vrrp vrid 1 virtual-ip 172.16.2.1
    #
    interface GigabitEthernet0/1/2.2
     vlan-type dot1q 20
     ip address 172.16.4.102 24
     vrrp vrid 2 virtual-ip 172.16.4.1
     vrrp vrid 2 priority 150
     vrrp vrid 2 preempt-mode timer delay 20
     vrrp vrid 2 track bfd-session bdipsecloopback reduced 60
    #
    interface Tunnel 10
     mtu 1400
     tunnel-protocol ipsec
     ip address 10.1.5.1 32
     ipsec policy map1 service-instance-group group1
    #
    interface Tunnel 20
     mtu 1400
     tunnel-protocol ipsec
     ip address 10.1.8.1 32
     ipsec policy map2 service-instance-group group1
    #
    ip route-static 172.16.3.0 255.255.255.0 Tunnel10 10.1.6.2 preference 10 track bfd-session bdipsecmain
    ip route-static 172.16.3.0 255.255.255.0 Tunnel20 10.1.7.2
    ip route-static 2.2.2.9 255.255.255.255 Tunnel10 10.1.6.2 preference 10 track bfd-session bdipsecmain
    ip route-static 2.2.2.9 255.255.255.255 Tunnel20 10.1.7.2
    #
    bfd bdipsecmain bind peer-ip 10.1.6.2 source-ip 10.1.6.1
     discriminator local 100
     discriminator remote 200
     min-tx-interval 10
     min-rx-interval 10
    #
    bfd bdipsecloopback bind peer-ip 2.2.2.9 source-ip 4.4.4.9
     discriminator local 111
     discriminator remote 112
     min-tx-interval 100
     min-rx-interval 100
    # 
    return
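The display commands in step 9 verify the tunnels on the live devices. Before commit, it is also worth cross-checking the two peers' configuration files offline, because the failure modes in this design are quiet: an IKE or IPsec proposal whose algorithm name differs on one side never negotiates, and a static route or VRRP group that tracks a BFD session name which was never defined silently loses its failover trigger. The following Python checker is an added example and is not part of the Huawei document or any Huawei tool. It parses the `#`-separated stanza format of the configuration files above and, for a pair of peers, reports tracked-but-undefined BFD sessions, BFD discriminators or bind addresses that are not mirrored, and same-named proposals whose algorithm lines differ. The two embedded configuration fragments are constructed for the example (modelled on Device B and Device D, not copied verbatim) and deliberately contain a typo'd hash name and a route tracking an undefined session.

```python
import re

# Constructed fragments modelled on the Device B / Device D files (not copied
# verbatim). Two deliberate defects for the checker to find: a typo'd hash name
# on Device D, and routes tracking a BFD session name neither device defines.
DEVICE_B = """\
ipsec proposal p1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#
ike proposal 10
 encryption-algorithm aes-cbc 256
 authentication-algorithm sha2-256
#
ip route-static 0.0.0.0 0.0.0.0 10.1.6.1 preference 50 track bfd-session bdipsecmain
#
bfd acipsecmain bind peer-ip 10.1.6.1 source-ip 10.1.6.2
 discriminator local 200
 discriminator remote 100
#
bfd bdipsecloopback bind peer-ip 4.4.4.9 source-ip 2.2.2.9
 discriminator local 112
 discriminator remote 111
#
"""
DEVICE_D = """\
ipsec proposal p1
 esp authentication-algorithm shb2-256
 esp encryption-algorithm aes 256
#
ike proposal 10
 encryption-algorithm aes-cbc 256
 authentication-algorithm sha2-256
#
ip route-static 172.16.3.0 255.255.255.0 Tunnel10 10.1.6.2 preference 10 track bfd-session bdipsecmain
#
bfd acipsecmain bind peer-ip 10.1.6.2 source-ip 10.1.6.1
 discriminator local 100
 discriminator remote 200
#
bfd bdipsecloopback bind peer-ip 2.2.2.9 source-ip 4.4.4.9
 discriminator local 111
 discriminator remote 112
#
"""

BFD_HEAD = re.compile(r"^bfd (\S+) bind peer-ip (\S+) source-ip (\S+)")


def parse_config(text: str) -> dict:
    """Model the parts of a '#'-separated config that the checks need."""
    model: dict = {"bfd": {}, "ike": {}, "ipsec": {}}
    stanza: list = []
    for raw in text.splitlines() + ["#"]:          # trailing '#' flushes the last stanza
        line = raw.strip()
        if line and line not in ("#", "return"):
            stanza.append(line)
            continue
        if line == "#" and stanza:
            head, body = stanza[0], stanza[1:]
            m = BFD_HEAD.match(head)
            if m:
                disc = dict(re.findall(r"discriminator (local|remote) (\d+)", "\n".join(body)))
                model["bfd"][m.group(1)] = {"peer": m.group(2), "source": m.group(3),
                                            "local": disc.get("local"), "remote": disc.get("remote")}
            elif head.startswith(("ike proposal ", "ipsec proposal ")):
                model[head.split()[0]][head.split()[2]] = frozenset(body)
            stanza = []
    # 'track bfd-session' appears on static routes and on VRRP track lines alike.
    model["tracked"] = set(re.findall(r"track bfd-session (\S+)", text))
    return model


def check_peer(local: dict, remote: dict, lname: str, rname: str) -> list:
    """Findings from lname's side when paired with rname."""
    out = []
    for name in sorted(local["tracked"] - set(local["bfd"])):
        out.append(f"{lname}: 'track bfd-session {name}' refers to an undefined BFD session")
    for name, s in local["bfd"].items():
        p = remote["bfd"].get(name)
        if p is None:
            out.append(f"{lname}: BFD session {name} has no counterpart on {rname}")
        # local/remote discriminators and peer/source addresses must be swapped on the peer
        elif (s["local"], s["remote"], s["peer"], s["source"]) != (p["remote"], p["local"], p["source"], p["peer"]):
            out.append(f"{name}: discriminators or addresses are not mirrored between {lname} and {rname}")
    for kind in ("ike", "ipsec"):
        for pname, algos in local[kind].items():
            theirs = remote[kind].get(pname, frozenset())
            if algos != theirs:
                out.append(f"{lname}: {kind} proposal {pname} differs from {rname}: {sorted(algos ^ theirs)}")
    return out


def audit(text_a: str, name_a: str, text_b: str, name_b: str) -> list:
    """Run every check in both directions; an empty list means the pair is consistent."""
    a, b = parse_config(text_a), parse_config(text_b)
    return check_peer(a, b, name_a, name_b) + check_peer(b, a, name_b, name_a)


if __name__ == "__main__":
    print("\n".join(audit(DEVICE_B, "DeviceB", DEVICE_D, "DeviceD")))
```

Run against the two constructed fragments, `audit` reports four findings: each device tracks the undefined session `bdipsecmain`, and the `ipsec proposal p1` algorithm sets differ because of the `shb2-256` typo. Renaming the session to `bdipsecmain` on both sides and correcting the hash name empties the list. Proposals are compared as sets of whole lines on purpose: IKE needs every algorithm line to agree, so a diff of the raw lines is both simpler and stricter than parsing each algorithm keyword.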
Updated: 2019-05-16

Document ID: EDOC1000120969
