eSight V300R009C00 Operation Guide 10

Typical Configuration Examples

This section describes typical configuration examples in typical application scenarios, helping users complete various operations based on the actual scenarios.

Monitoring and Diagnosing IPSec VPN Services in the Headquarters and Branch Offices in a Centralized Manner

When the headquarters and branch offices are connected in hub-spoke architecture, the branch offices set up IPSec tunnels to the headquarters. This section provides an example for configuring eSight to monitor and diagnose IPSec VPN services in the headquarters and branch offices in a centralized manner.

Networking Requirements

As shown in Figure 12-60, the headquarters is connected to two branches (Branch A and Branch B). The networking requirements are as follows:

  • The USG5500_74, USG5500–75, and USG5500–79 firewalls connect the headquarters and the branch offices to the Internet.
  • IPSec tunnels are set up between the headquarters and Branch A and between the headquarters and Branch B, using IKE security policies.

eSight has been installed at the headquarters. The administrator must perform the following operations:

  • Monitor IPSec VPN services of the headquarters and branch offices in a centralized manner.
  • If a fault occurs in the IPSec VPN services of the headquarters and branch offices, locate and rectify the fault.

    If onsite support is required, initiate work orders to send engineers to the site.

    Fault rectification information can be displayed on the eSight.

Figure 12-60 IPSec VPNs between the headquarters and branch offices

Data Planning

The public IP addresses in this data plan are examples only and must not be used as-is. The network administrator needs to plan the data based on site requirements.

Item               USG5500_74                               USG5500–79                               USG5500–75
-----------------  ---------------------------------------  ---------------------------------------  ---------------------------------------
Outside interface  Interface name: GigabitEthernet 0/0/0    Interface name: GigabitEthernet 0/0/0    Interface name: GigabitEthernet 0/0/0
                   IP address: 128.18.102.74/24             IP address: 128.18.102.79/24             IP address: 128.18.102.75/24
Inside interface   Interface name: GigabitEthernet 0/0/1    Interface name: GigabitEthernet 0/0/1    Interface name: GigabitEthernet 0/0/1
                   IP address: 10.1.1.1/24                  IP address: 10.1.2.1/24                  IP address: 10.1.3.1/24

Configuration Roadmap

  1. Add USG5500_74, USG5500–75, and USG5500–79 to the eSight.
  2. Discover the IPSec VPN services of USG5500_74, USG5500–75, and USG5500–79 on the eSight.
  3. View the IPSec VPN service status and alarm status of the headquarters and branch offices.
  4. If an anomaly occurs, diagnose abnormal IPSec VPN services and locate and rectify the fault.
  5. Re-discover IPSec VPN services and check whether the services are restored.

Procedure

  1. Add USG5500_74, USG5500–75, and USG5500–79 to the eSight.

    1. Choose Resource > Network > Equipment > Network Device from the main menu.

    2. Click , enter the IP address (128.18.102.74) of USG5500_74, and click OK.
    3. Repeat the previous steps to add USG5500–75 and USG5500–79 to the eSight.

  2. Discover the IPSec VPN services of USG5500_74, USG5500–75, and USG5500–79 on the eSight.

    1. Choose Resource > Network > Security Business > IPSec VPN Management from the main menu.

    2. Choose Service Management > Service Group from the navigation tree on the left.
    3. Click Discover Service.
    4. Click Add > Undiscovered Device. In the Select Device dialog box that is displayed, select USG5500_74, USG5500–75, and USG5500–79.
    5. Complete the service discovery by following the instructions in the wizard.

      After the discovery succeeds, the services between the headquarters and the branch offices are added to the Automatic Discovery-USG5500_74 service group.

  3. View the IPSec VPN service status and alarm status of the headquarters and branch offices.

    1. Click Automatic Discovery-USG5500_74 to access the service group.
    2. In the service list, check the Service Status and Alarm Status values. You find that Service Status of service USG5500_74:GE0/0/0–USG5500–79:GE0/0/0 is Inactive. This indicates a possible anomaly in the IPSec VPN services between the headquarters and Branch A, so further diagnosis is required.
    NOTE:

    If Service Status is Inactive, no tunnel has been established: either the IPSec VPN service is faulty, or no traffic has yet triggered tunnel setup.

  4. Select the check box for service USG5500_74:GE0/0/0–USG5500–79:GE0/0/0, click , and run the diagnosis. The diagnosis result shows that the fault is an IPSec negotiation failure.

  5. Rectify the fault based on the cause displayed on the diagnosis page and service configurations.

    1. In the service list, click USG5500_74:GE0/0/0–USG5500–79:GE0/0/0 to check the configurations of the local and remote ends. You find that the networks to be protected configured on the local and remote ends do not match each other.

    2. Choose Resource > Network > Equipment > Network Device from the main menu.
    3. Click USG5500_74 to access the basic device information page.
    4. Remotely log in to USG5500_74, and reset the network to be protected on USG5500_74 (traffic from the headquarters network 10.1.1.0/24 to the Branch A network 10.1.2.0/24).
      <USG5500-74> system-view 
      [USG5500-74] acl 3001 
      [USG5500-74-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    5. Remotely log in to USG5500–79 and reset the network to be protected on USG5500–79 (the mirror image of the USG5500_74 rule: from 10.1.2.0/24 to 10.1.1.0/24).
      <USG5500-79> system-view 
      [USG5500-79] acl 3001 
      [USG5500-79-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

  6. Re-discover IPSec VPN services of USG5500_74 and USG5500–79 and re-diagnose the services.
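The fault rectified in the procedure above is a mismatch between the networks to be protected on the two tunnel ends. The following added example (not part of the eSight guide or Huawei's software) parses the advanced ACL rules of both ends and reports any flow that the other end does not protect in the reverse direction; the "before" ACL for USG5500_74 is a constructed, hypothetical value, while the corrected rules are the ones shown in step 5.

```python
"""Check that the IPSec 'networks to be protected' (advanced ACL rules) on two
tunnel ends mirror each other, which is the mismatch diagnosed in this section."""
import ipaddress
import re

# Huawei advanced ACL syntax: rule [id] permit ip source A WILDCARD destination B WILDCARD
RULE_RE = re.compile(
    r"rule(?:\s+\d+)?\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)

def wildcard_to_network(addr, wildcard):
    """Convert address + Huawei wildcard mask (0 bits must match) to a prefix."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_protected_flows(acl_text):
    """Return the set of (source, destination) prefixes an ACL protects."""
    flows = set()
    for line in acl_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            src = wildcard_to_network(m.group(1), m.group(2))
            dst = wildcard_to_network(m.group(3), m.group(4))
            flows.add((str(src), str(dst)))
    return flows

def mirror_mismatches(local_acl, remote_acl):
    """List flows that the other end does not protect in the reverse direction.
    An empty list means the traffic selectors agree on both ends."""
    local = parse_protected_flows(local_acl)
    remote = parse_protected_flows(remote_acl)
    problems = []
    for src, dst in sorted(local):
        if (dst, src) not in remote:
            problems.append(f"local protects {src}->{dst}, remote lacks {dst}->{src}")
    for src, dst in sorted(remote):
        if (dst, src) not in local:
            problems.append(f"remote protects {src}->{dst}, local lacks {dst}->{src}")
    return problems

# Corrected ACL rules from step 5 of this section (USG5500_74 and USG5500-79).
USG74_ACL_FIXED = "rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255"
USG79_ACL_FIXED = "rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"
# Constructed 'before' state (hypothetical, not from the guide): USG5500_74 pointed at
# Branch B's network 10.1.3.0/24 instead of Branch A's 10.1.2.0/24.
USG74_ACL_BROKEN = "rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255"
```

Feed `mirror_mismatches()` the ACL output captured from each firewall; a non-empty result identifies exactly which selector to reset before re-discovering the service.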

Configuration Verification

Ping PC2 on the Branch A network from the server on which the eSight is installed and check Service Status of service USG5500_74:GE0/0/0–USG5500–79:GE0/0/0 in the service list.

If PC2 can be pinged and Service Status of service USG5500_74:GE0/0/0–USG5500–79:GE0/0/0 becomes Active, services are restored.

Updated: 2019-09-07

Document ID: EDOC1100011877