CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Establishing an IPSec Tunnel Through NAT Traversal

Networking Requirements

As shown in Figure 5-47, RouterA and RouterB communicate through the NAT gateway. RouterA is located on the subnet at 10.1.0.2/24, and RouterB is located on the subnet at 10.2.0.2/24.

The enterprise wants to protect traffic exchanged between RouterA and RouterB.

Figure 5-47  Establishing an IPSec tunnel providing NAT traversal

Configuration Roadmap

RouterA and RouterB communicate through the NAT gateway, so NAT traversal must be enabled for establishing an IPSec tunnel. Because the NAT gateway translates RouterA's address, RouterB cannot know the initiator's address in advance; RouterB therefore uses an IPSec policy template and only responds, while RouterA, which knows RouterB's address, initiates the negotiation. The configuration roadmap is as follows:

  1. Configure IP addresses and static routes for interfaces on RouterA and RouterB so that routes between RouterA and RouterB are reachable.

  2. Configure an ACL on RouterA to define data flows to be protected.

  3. Configure IPSec proposals to define the method used to protect IPSec traffic.

  4. Configure IKE peers to define IKE negotiation attributes.

  5. Configure IPSec policies on RouterA and RouterB. RouterB uses an IPSec policy template to create an IPSec policy.

  6. Apply IPSec policy groups to interfaces.
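The roadmap states that NAT traversal must be enabled but not what the nat traversal command does on the wire. The following Python is an added example, not part of the Huawei guide: it implements the NAT detection of RFC 3947 section 3.2 that the command turns on, run over the guide's topology. The ISAKMP cookies are constructed values, and the NAT gateway's public address (1.2.0.2) is an assumption; the guide shows that address only as RouterB's next hop.

```python
import hashlib
import socket
import struct

# Added example, not from the Huawei guide: the NAT detection that "nat traversal" turns on,
# as specified in RFC 3947 section 3.2. Each peer sends NAT-D payloads containing
# HASH(CKY-I | CKY-R | IP | Port), first for the packet's destination and then for its
# source as the sender sees them. The receiver hashes the addresses it actually observes;
# a mismatch proves a NAT rewrote that address, and both peers then move IKE and ESP to
# UDP/4500 (the port visible in the guide's "display ike sa" output).
HASH_ALGO = "sha256"  # RFC 3947 uses the negotiated phase-1 hash; the guide's IKE proposal picks sha2-256


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """One NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), address and port in network order."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    return hashlib.new(HASH_ALGO, cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def build_nat_d(cky_i, cky_r, local, remote):
    """The sender's NAT-D list: destination (remote) hash first, then its own source hash."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, received, observed_src, own_addr):
    """Receiver side. received: the peer's NAT-D list; observed_src: (ip, port) the packet
    really came from; own_addr: the receiver's own (ip, port).
    Returns (peer_behind_nat, self_behind_nat)."""
    dst_hash, src_hashes = received[0], received[1:]
    # The peer hashed the address it sent to; if that is not us, our own address is being translated.
    self_nated = dst_hash != nat_d_hash(cky_i, cky_r, *own_addr)
    # None of the peer's claimed sources hashes to what we saw: the peer's source was translated.
    peer_nated = nat_d_hash(cky_i, cky_r, *observed_src) not in src_hashes
    return peer_nated, self_nated


def guide_scenario(nat_gateway_public_ip="1.2.0.2"):
    """Constructed run of the guide's topology: RouterA (192.168.0.2) behind the NAT gateway
    initiates to RouterB (1.2.0.1). The gateway's public address is an assumption; the guide
    shows 1.2.0.2 only as RouterB's next hop. Cookies are constructed values."""
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
    router_a, router_b = ("192.168.0.2", 500), ("1.2.0.1", 500)
    on_wire = build_nat_d(cky_i, cky_r, local=router_a, remote=router_b)
    # The NAT gateway rewrites RouterA's source address before RouterB receives the packet.
    return detect_nat(cky_i, cky_r, on_wire, observed_src=(nat_gateway_public_ip, 500), own_addr=router_b)


if __name__ == "__main__":
    peer_nated, self_nated = guide_scenario()
    print(f"RouterB sees RouterA behind NAT: {peer_nated}; RouterB itself behind NAT: {self_nated}")
```

RouterB finds that RouterA's claimed source does not hash to the source it observed, so it knows a NAT sits in the path and switches to UDP/4500 encapsulation; its own address hashes correctly, so RouterB knows it is not translated. Passing RouterA's real address as the "gateway" reproduces the no-NAT case, in which both checks pass and the peers stay on UDP/500.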

Procedure

  1. Configure IP addresses and static routes for interfaces on RouterA and RouterB.

    # Assign an IP address to an interface on RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip address 192.168.0.2 255.255.255.0
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] ip address 10.1.0.1 255.255.255.0
    [RouterA-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the peer on RouterA. This example assumes that the next hop address in the route to RouterB is 192.168.0.1.

    [RouterA] ip route-static 0.0.0.0 0.0.0.0 192.168.0.1

    # Assign an IP address to an interface on RouterB.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 1/0/0 
    [RouterB-GigabitEthernet1/0/0] ip address 1.2.0.1 255.255.255.0
    [RouterB-GigabitEthernet1/0/0] quit
    [RouterB] interface gigabitethernet 2/0/0
    [RouterB-GigabitEthernet2/0/0] ip address 10.2.0.1 255.255.255.0
    [RouterB-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the peer on RouterB. This example assumes that the next hop address in the route to RouterA is 1.2.0.2.

    [RouterB] ip route-static 10.1.0.0 255.255.255.0 1.2.0.2
    [RouterB] ip route-static 192.168.0.0 255.255.255.0 1.2.0.2

  2. Configure an ACL on RouterA to define data flows sent from 10.1.0.0/24 to 10.2.0.0/24.

    [RouterA] acl number 3101
    [RouterA-acl-adv-3101] rule permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
    [RouterA-acl-adv-3101] quit

  3. Create IPSec proposals on RouterA and RouterB.

    # Create an IPSec proposal on RouterA.

    [RouterA] ipsec proposal tran1
    [RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128 
    [RouterA-ipsec-proposal-tran1] quit

    # Create an IPSec proposal on RouterB.

    [RouterB] ipsec proposal tran1
    [RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterB-ipsec-proposal-tran1] esp encryption-algorithm aes-128 
    [RouterB-ipsec-proposal-tran1] quit

  4. Set the local ID type to name on RouterA and RouterB.

    # Set the local ID type to name on RouterA.

    [RouterA] ike local-name rta
    

    # Set the local ID type to name on RouterB.

    [RouterB] ike local-name rtb
    

  5. Configure IKE peers on RouterA and RouterB.

    # Create an IKE proposal on RouterA.

    [RouterA] ike proposal 5
    [RouterA-ike-proposal-5] encryption-algorithm aes-128
    [RouterA-ike-proposal-5] authentication-algorithm sha2-256
    [RouterA-ike-proposal-5] dh group14
    [RouterA-ike-proposal-5] quit

    # Configure an IKE peer on RouterA.

    [RouterA] ike peer rta
    [RouterA-ike-peer-rta] undo version 2
    [RouterA-ike-peer-rta] exchange-mode aggressive 
    [RouterA-ike-peer-rta] ike-proposal 5
    [RouterA-ike-peer-rta] pre-shared-key cipher huawei@123
    [RouterA-ike-peer-rta] local-id-type fqdn
    [RouterA-ike-peer-rta] remote-address 1.2.0.1
    [RouterA-ike-peer-rta] remote-id rtb
    [RouterA-ike-peer-rta] nat traversal
    [RouterA-ike-peer-rta] quit

    # Create an IKE proposal on RouterB.

    [RouterB] ike proposal 5
    [RouterB-ike-proposal-5] encryption-algorithm aes-128
    [RouterB-ike-proposal-5] authentication-algorithm sha2-256
    [RouterB-ike-proposal-5] dh group14
    [RouterB-ike-proposal-5] quit

    # Configure an IKE peer on RouterB.

    [RouterB] ike peer rtb
    [RouterB-ike-peer-rtb] undo version 2
    [RouterB-ike-peer-rtb] exchange-mode aggressive 
    [RouterB-ike-peer-rtb] ike-proposal 5
    [RouterB-ike-peer-rtb] pre-shared-key cipher huawei@123
    [RouterB-ike-peer-rtb] local-id-type fqdn
    [RouterB-ike-peer-rtb] remote-id rta
    [RouterB-ike-peer-rtb] nat traversal
    [RouterB-ike-peer-rtb] quit

  6. Create IPSec policies on RouterA and RouterB.

    # Create an IPSec policy in IKE negotiation mode on RouterA.

    [RouterA] ipsec policy policy1 10 isakmp
    [RouterA-ipsec-policy-isakmp-policy1-10] security acl 3101
    [RouterA-ipsec-policy-isakmp-policy1-10] ike-peer rta
    [RouterA-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterA-ipsec-policy-isakmp-policy1-10] quit

    # Create an IPSec policy on RouterB by using the policy template temp1.

    [RouterB] ipsec policy-template temp1 10
    [RouterB-ipsec-policy-templet-temp1-10] ike-peer rtb
    [RouterB-ipsec-policy-templet-temp1-10] proposal tran1
    [RouterB-ipsec-policy-templet-temp1-10] quit
    [RouterB] ipsec policy policy1 10 isakmp template temp1
    

    Run the display ipsec policy command on RouterA and RouterB to view the configurations of the IPSec policies.

  7. Apply IPSec policy groups to interfaces on RouterA and RouterB.

    # Apply the IPSec policy group to the interface of RouterA.

    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ipsec policy policy1
    [RouterA-GigabitEthernet1/0/0] quit

    # Apply the IPSec policy group to the interface of RouterB.

    [RouterB] interface gigabitethernet 1/0/0
    [RouterB-GigabitEthernet1/0/0] ipsec policy policy1
    [RouterB-GigabitEthernet1/0/0] quit

  8. Verify the configuration.

    # After the configurations are complete, PC A can ping PC B successfully. Data exchanged between PC A and PC B is encrypted. You can run the display ipsec statistics command to view packet statistics.

    # Run the display ike sa command on RouterA. The following information is displayed:

    [RouterA] display ike sa
    IKE SA information :
      Conn-ID  Peer            VPN   Flag(s)   Phase   RemoteType  RemoteID
      ---------------------------------------------------------------------------
         15    1.2.0.1:4500          RD|ST     v1:2    FQDN        rtb
         14    1.2.0.1:4500          RD|ST     v1:1    FQDN        rtb
                                       
      Number of IKE SA : 2 
      ---------------------------------------------------------------------------
                                                               
      Flag Description:           
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   
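The display ike sa output above is what an operator reads by eye: two SAs (phase 1 and phase 2) in READY state, negotiated with the FQDN rtb, and carried on peer port 4500, which is the UDP port IKE and ESP move to once a NAT has been detected (RFC 3947/3948). The following Python is an added example, not part of the Huawei guide: it parses that output (embedded below as a constructed copy of the guide's sample) and checks those properties so the verification can be automated.

```python
# Added example, not from the Huawei guide: a checker for "display ike sa" output.
# The sample below is a constructed copy of the output the guide shows on RouterA.
DISPLAY_IKE_SA = """\
IKE SA information :
  Conn-ID  Peer            VPN   Flag(s)   Phase   RemoteType  RemoteID
  ---------------------------------------------------------------------------
     15    1.2.0.1:4500          RD|ST     v1:2    FQDN        rtb
     14    1.2.0.1:4500          RD|ST     v1:1    FQDN        rtb

  Number of IKE SA : 2
"""

NAT_T_PORT = 4500  # RFC 3947/3948: IKE and UDP-encapsulated ESP move here once a NAT is detected


def parse_ike_sa(output):
    """Return one dict per SA row; header, separator and summary lines are skipped."""
    rows = []
    for line in output.splitlines():
        f = line.split()
        # A row has 6 fields when the VPN column is empty (as here) or 7 when it is set.
        if len(f) not in (6, 7) or not f[0].isdigit() or ":" not in f[1]:
            continue
        ip, port = f[1].rsplit(":", 1)
        flags, phase, id_type, remote_id = f[-4:]
        rows.append({"conn_id": int(f[0]), "peer_ip": ip, "peer_port": int(port),
                     "vpn": f[2] if len(f) == 7 else "", "flags": set(flags.split("|")),
                     "phase": phase, "id_type": id_type, "remote_id": remote_id})
    return rows


def check_tunnel(output, peer_ip, remote_id, expect_nat_t=True):
    """Verify what step 8 of the guide verifies by eye: an IKE SA (phase 1) and an IPSec SA
    (phase 2) both READY, negotiated with the configured peer address and remote-id, and,
    when NAT traversal is expected, carried on UDP/4500 rather than UDP/500."""
    rows = parse_ike_sa(output)
    problems = []
    for want in ("1", "2"):
        if not any(r["phase"].endswith(":" + want) for r in rows):
            problems.append(f"no phase {want} SA")
    for r in rows:
        tag = f"SA {r['conn_id']}"
        if "RD" not in r["flags"]:
            problems.append(f"{tag} not READY (flags {'|'.join(sorted(r['flags']))})")
        if r["peer_ip"] != peer_ip or r["remote_id"] != remote_id:
            problems.append(f"{tag} negotiated with {r['peer_ip']} id {r['remote_id']}, "
                            f"expected {peer_ip} id {remote_id}")
        if expect_nat_t and r["peer_port"] != NAT_T_PORT:
            problems.append(f"{tag} on UDP/{r['peer_port']}: NAT-T encapsulation is not in use")
    return {"ok": not problems, "sa_count": len(rows), "problems": problems}


if __name__ == "__main__":
    print(check_tunnel(DISPLAY_IKE_SA, peer_ip="1.2.0.1", remote_id="rtb"))
```

A peer port of 500 on a tunnel that is supposed to cross a NAT is the most useful finding here: it means the peers never detected the NAT (typically because nat traversal is missing on one side), and ESP will be dropped or mangled by the gateway even though IKE appears to complete.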

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #
    ike local-name rta
    #
    acl number 3101
     rule 5 permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rta
     undo version 2 
     exchange-mode aggressive
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     ike-proposal 5
     local-id-type fqdn
     remote-id rtb
     remote-address 1.2.0.1
    #
    ipsec policy policy1 10 isakmp
     security acl 3101
     ike-peer rta
     proposal tran1
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.0.2 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.0.1 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 192.168.0.1
    #
    return                                                                               
  • Configuration file of RouterB

    #
     sysname RouterB
    #
    ike local-name rtb
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rtb
     undo version 2 
     exchange-mode aggressive
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
     ike-proposal 5
     local-id-type fqdn
     remote-id rta
    #
    ipsec policy-template temp1 10
     ike-peer rtb
     proposal tran1
    #
    ipsec policy policy1 10 isakmp template temp1
    #
    interface GigabitEthernet1/0/0
     ip address 1.2.0.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet2/0/0
     ip address 10.2.0.1 255.255.255.0
    #
    ip route-static 10.1.0.0 255.255.255.0 1.2.0.2
    ip route-static 192.168.0.0 255.255.255.0 1.2.0.2
    #
    return                                                                               
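The two configuration files above must mirror each other in several places (remote-id against the peer's ike local-name, identical IKE and IPSec proposals, the responder's policy template, RouterA's remote-address pointing at the RouterB interface that carries the policy) or negotiation fails with little to go on. The following Python is an added example, not part of the Huawei guide: a cross-check of both files. ROUTER_A and ROUTER_B are trimmed copies of the guide's configuration files (the "#" separators, ACL, static routes, second interface and the encrypted pre-shared keys are left out); the parser and checks are this example's own.

```python
# Added example, not from the Huawei guide: a cross-check of the two configuration files
# above. IKE negotiates only when the peer-side values mirror each other, so this catches
# the usual slips (wrong remote-id, mismatched proposal, policy not applied) before anyone
# reads debug output. ROUTER_A and ROUTER_B are trimmed copies of the guide's files; the
# encrypted pre-shared keys are left out because ciphertexts cannot be compared.
ROUTER_A = """\
ike local-name rta
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
ike peer rta
 ike-proposal 5
 local-id-type fqdn
 remote-id rtb
 remote-address 1.2.0.1
ipsec policy policy1 10 isakmp
 ike-peer rta
 proposal tran1
interface GigabitEthernet1/0/0
 ip address 192.168.0.2 255.255.255.0
 ipsec policy policy1
"""
ROUTER_B = """\
ike local-name rtb
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
ike peer rtb
 ike-proposal 5
 local-id-type fqdn
 remote-id rta
ipsec policy-template temp1 10
 ike-peer rtb
 proposal tran1
ipsec policy policy1 10 isakmp template temp1
interface GigabitEthernet1/0/0
 ip address 1.2.0.1 255.255.255.0
 ipsec policy policy1
"""


def views(text):
    """Split a VRP file into (header words, {subcommand prefix: last word}) per view."""
    out, body = [], {}
    for line in text.splitlines():
        if not line.strip() or line.strip() in ("#", "return"):
            continue
        if line[0] != " ":  # a line at column 0 opens a view; indented lines belong to it
            body = {}
            out.append((line.split(), body))
        else:
            body[" ".join(line.split()[:-1])] = line.split()[-1]
    return out


def model(text):
    m = {"peers": {}, "ike": {}, "ipsec": {}, "policies": {}, "tmpl": {}, "ifaces": {}}
    for head, body in views(text):
        kind = " ".join(head[:2])
        if kind == "ike local-name": m["local_name"] = head[2]
        elif kind == "ike peer": m["peers"][head[2]] = body
        elif kind == "ike proposal": m["ike"][head[2]] = body
        elif kind == "ipsec proposal": m["ipsec"][head[2]] = body
        elif kind == "ipsec policy-template": m["tmpl"][head[2]] = body
        elif kind == "ipsec policy":  # a template-based policy takes its settings from the template
            m["policies"][head[2]] = dict(m["tmpl"][head[-1]], template=head[-1]) if "template" in head else body
        elif head[0] == "interface":
            ip = next((k.split()[2] for k in body if k.startswith("ip address ")), None)
            m["ifaces"][head[1]] = {"ip": ip, "policy": body.get("ipsec policy")}
    return m


def check_pair(initiator_cfg, responder_cfg):
    """Cross-check the initiator (RouterA, behind the NAT) against the responder; return problems."""
    a, b = model(initiator_cfg), model(responder_cfg)
    pol_a, pol_b = next(iter(a["policies"].values())), next(iter(b["policies"].values()))
    pa, pb = a["peers"][pol_a["ike-peer"]], b["peers"][pol_b["ike-peer"]]
    problems = []
    if pa.get("remote-id") != b.get("local_name") or pb.get("remote-id") != a.get("local_name"):
        problems.append("remote-id does not match the peer's ike local-name")
    if (pa.get("local-id-type"), pb.get("local-id-type")) != ("fqdn", "fqdn"):
        problems.append("local-id-type fqdn is needed on both sides when peers are identified by name")
    if a["ike"][pa["ike-proposal"]] != b["ike"][pb["ike-proposal"]]:
        problems.append("IKE proposals differ (encryption, authentication or DH group)")
    if a["ipsec"][pol_a["proposal"]] != b["ipsec"][pol_b["proposal"]]:
        problems.append("IPSec proposals differ (ESP algorithms)")
    if "template" not in pol_b:
        problems.append("responder needs a policy template: the NATed initiator's address is not known in advance")
    if pa.get("remote-address") not in [i["ip"] for i in b["ifaces"].values() if i["policy"] in b["policies"]]:
        problems.append("initiator remote-address is not a responder interface with the IPSec policy applied")
    return problems


if __name__ == "__main__":
    print(check_pair(ROUTER_A, ROUTER_B) or "RouterA and RouterB configurations are consistent")
```

The check is deliberately asymmetric: RouterA must carry remote-address because it initiates, and RouterB must use a template because the address RouterA appears from after translation is not known when the configuration is written. Altering a single algorithm on one side, as the accompanying checks do, surfaces both the IKE and IPSec proposal mismatch at once.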
Updated: 2019-08-07

Document ID: EDOC1100033725