CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring L2TPv3 over IPSec to Implement Secure Communication Between Branches

Networking Requirements

In Figure 2-6, enterprise A has two branches that connect to the IP network through LCCE1 and LCCE2 respectively. Branch 1 deploys a local area network (LAN) and uses LCCE1 as the gateway. Branch 2 deploys a LAN and uses LCCE2 as the gateway.

The enterprise wants to protect the services transmitted through the L2TPv3 tunnel against interception and tampering. To encrypt and protect the services, L2TPv3 over IPSec can be used.

Figure 2-6  Configuring L2TPv3 over IPSec for secure communication between branches

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a route to ensure communication between LCCE1 and LCCE2.

  2. Enable the L2TPv3 function globally.

  3. Establish a tunnel and configure the L2TPv3 tunnel parameters.

  4. Configure the link bridge function to bind an AC interface to a tunnel interface.

  5. Configure an ACL to define the data flows to be protected by IPSec.

  6. Configure an IPSec proposal and define the traffic protection method.

  7. Configure an IKE peer and define the attributes used for IKE negotiation.

  8. Configure an IPSec policy, and apply the ACL, IPSec proposal, and IKE peer to the IPSec policy to define the data flows to be protected and protection method.

  9. Apply the IPSec policy group to an interface so that the interface can protect traffic.

Procedure

  1. Configure IP addresses and a static route for the PW interfaces on LCCE1 and LCCE2 respectively.

    # Configure an IP address for the PW interface on LCCE1.

    <Huawei> system-view
    [Huawei] sysname LCCE1
    [LCCE1] interface gigabitethernet 0/0/1
    [LCCE1-GigabitEthernet0/0/1] ip address 10.1.1.2 24
    [LCCE1-GigabitEthernet0/0/1] quit

    # Configure a static route to LCCE2 on LCCE1. This example assumes that the next hop address in the route is 10.1.1.3.

    [LCCE1] ip route-static 10.1.2.0 255.255.255.0 10.1.1.3

    # Configure an IP address for the PW interface on LCCE2.

    <Huawei> system-view
    [Huawei] sysname LCCE2
    [LCCE2] interface gigabitethernet 0/0/1
    [LCCE2-GigabitEthernet0/0/1] ip address 10.1.2.2 24
    [LCCE2-GigabitEthernet0/0/1] quit

    # Configure a static route to LCCE1 on LCCE2. This example assumes that the next hop address in the route is 10.1.2.3.

    [LCCE2] ip route-static 10.1.1.0 255.255.255.0 10.1.2.3

  2. Enable the L2TPv3 function globally.

    # Enable the L2TPv3 function on LCCE1.

    [LCCE1] l2tpv3 enable
    

    # Enable the L2TPv3 function on LCCE2.

    [LCCE2] l2tpv3 enable
    

  3. Configure L2TPv3 parameters for tunnel interfaces.

    # Create a tunnel on LCCE1 and configure parameters for the tunnel.

    [LCCE1] interface tunnel 0/0/1
    [LCCE1-Tunnel0/0/1] tunnel-protocol svpn
    [LCCE1-Tunnel0/0/1] encapsulation l2tpv3 static
    [LCCE1-Tunnel0/0/1] l2tpv3 local session-id 1
    [LCCE1-Tunnel0/0/1] l2tpv3 remote session-id 4
    [LCCE1-Tunnel0/0/1] l2tpv3 local cookie length 4 plain lower-value 11
    [LCCE1-Tunnel0/0/1] l2tpv3 remote cookie length 4 plain lower-value 22
    [LCCE1-Tunnel0/0/1] tunnel-source 10.1.1.2
    [LCCE1-Tunnel0/0/1] tunnel-destination 10.1.2.2
    [LCCE1-Tunnel0/0/1] quit
    

    # Create a tunnel on LCCE2 and configure parameters for the tunnel.

    [LCCE2] interface tunnel 0/0/1
    [LCCE2-Tunnel0/0/1] tunnel-protocol svpn
    [LCCE2-Tunnel0/0/1] encapsulation l2tpv3 static
    [LCCE2-Tunnel0/0/1] l2tpv3 local session-id 4
    [LCCE2-Tunnel0/0/1] l2tpv3 remote session-id 1
    [LCCE2-Tunnel0/0/1] l2tpv3 local cookie length 4 plain lower-value 22
    [LCCE2-Tunnel0/0/1] l2tpv3 remote cookie length 4 plain lower-value 11
    [LCCE2-Tunnel0/0/1] tunnel-source 10.1.2.2
    [LCCE2-Tunnel0/0/1] tunnel-destination 10.1.1.2
    [LCCE2-Tunnel0/0/1] quit
    

  4. Configure the link bridge function.

    # Configure the link bridge function on LCCE1 and bind an AC interface to a tunnel interface.

    [LCCE1] interface GigabitEthernet 0/0/2 
    [LCCE1-GigabitEthernet0/0/2] link-bridge tunnel0/0/1 tagged

    # Configure the link bridge function on LCCE2 and bind an AC interface to a tunnel interface.

    [LCCE2] interface GigabitEthernet 0/0/2 
    [LCCE2-GigabitEthernet0/0/2] link-bridge tunnel0/0/1 tagged

  5. Configure an ACL to define the data flows to be protected.

    NOTE:

    The tunnel encapsulation protocol is IP (the protocol number is 115). UDP is not supported.

    # Configure ACL on LCCE1.

    [LCCE1] acl number 3000 
    [LCCE1-acl-adv-3000] rule permit 115 source 10.1.1.2 0 destination 10.1.2.2 0 
    [LCCE1-acl-adv-3000] quit

    # Configure ACL on LCCE2.

    [LCCE2] acl number 3000 
    [LCCE2-acl-adv-3000] rule permit 115 source 10.1.2.2 0 destination 10.1.1.2 0 
    [LCCE2-acl-adv-3000] quit

  6. Create an IPSec proposal.

    # Create an IPSec proposal on LCCE1.

    [LCCE1] ipsec proposal rtb
    [LCCE1-ipsec-proposal-rtb] esp authentication-algorithm sha2-256
    [LCCE1-ipsec-proposal-rtb] esp encryption-algorithm aes-192
    [LCCE1-ipsec-proposal-rtb] quit

    # Create an IPSec proposal on LCCE2.

    [LCCE2] ipsec proposal rta
    [LCCE2-ipsec-proposal-rta] esp authentication-algorithm sha2-256
    [LCCE2-ipsec-proposal-rta] esp encryption-algorithm aes-192
    [LCCE2-ipsec-proposal-rta] quit

  7. Configure an IKE peer.

    # Configure an IKE proposal on LCCE1.

    [LCCE1] ike proposal 1
    [LCCE1-ike-proposal-1] encryption-algorithm aes-256
    [LCCE1-ike-proposal-1] authentication-algorithm sha2-256
    [LCCE1-ike-proposal-1] quit

    # Configure an IKE peer on LCCE1 and configure the pre-shared key and the remote ID of the IKE peer.

    [LCCE1] ike peer rtb
    [LCCE1-ike-peer-rtb] ike-proposal 1
    [LCCE1-ike-peer-rtb] pre-shared-key cipher huawei@123
    [LCCE1-ike-peer-rtb] remote-address 10.1.2.2
    [LCCE1-ike-peer-rtb] quit

    # Configure an IKE proposal on LCCE2.

    [LCCE2] ike proposal 1
    [LCCE2-ike-proposal-1] encryption-algorithm aes-256
    [LCCE2-ike-proposal-1] authentication-algorithm sha2-256
    [LCCE2-ike-proposal-1] quit

    # Configure an IKE peer on LCCE2 and configure the pre-shared key and the remote ID of the IKE peer.

    [LCCE2] ike peer rta
    [LCCE2-ike-peer-rta] ike-proposal 1
    [LCCE2-ike-peer-rta] pre-shared-key cipher huawei@123
    [LCCE2-ike-peer-rta] remote-address 10.1.1.2
    [LCCE2-ike-peer-rta] quit

  8. Create an IPSec policy.

    # Configure an IPSec policy in IKE negotiation mode on LCCE1.

    [LCCE1] ipsec policy rtb 1 isakmp
    [LCCE1-ipsec-policy-isakmp-rtb-1] ike-peer rtb
    [LCCE1-ipsec-policy-isakmp-rtb-1] proposal rtb
    [LCCE1-ipsec-policy-isakmp-rtb-1] security acl 3000
    [LCCE1-ipsec-policy-isakmp-rtb-1] quit

    # Configure an IPSec policy in IKE negotiation mode on LCCE2.

    [LCCE2] ipsec policy rta 1 isakmp
    [LCCE2-ipsec-policy-isakmp-rta-1] ike-peer rta
    [LCCE2-ipsec-policy-isakmp-rta-1] proposal rta
    [LCCE2-ipsec-policy-isakmp-rta-1] security acl 3000
    [LCCE2-ipsec-policy-isakmp-rta-1] quit

  9. Apply the IPSec policy group to an interface so that the interface can protect traffic.

    # Apply the IPSec policy group to the PW interface of LCCE1.

    [LCCE1] interface gigabitethernet0/0/1
    [LCCE1-GigabitEthernet0/0/1] ipsec policy rtb
    [LCCE1-GigabitEthernet0/0/1] quit

    # Apply the IPSec policy group to the PW interface of LCCE2.

    [LCCE2] interface gigabitethernet0/0/1
    [LCCE2-GigabitEthernet0/0/1] ipsec policy rta
    [LCCE2-GigabitEthernet0/0/1] quit

  10. Verify the configuration.

    After the configurations are complete, PC1 can ping PC2 successfully. The data transmitted between PC1 and PC2 is encrypted.

    # Run the display ipsec sa command on LCCE1 and LCCE2 to view the IPSec configuration. The command output on LCCE1 is used as an example.

    [LCCE1] display ipsec sa

    ipsec sa information:

    ===============================
    Interface: GigabitEthernet0/0/1
    ===============================

      -----------------------------
      IPSec policy name: "rtb"
      Sequence number  : 1
      Acl group        : 3000
      Acl rule         : 5
      Mode             : ISAKMP
      -----------------------------
        Connection ID     : 9
        Encapsulation mode: Tunnel
        Tunnel local      : 10.1.1.2
        Tunnel remote     : 10.1.2.2
        Flow source       : 10.1.1.2/255.255.255.255 0/0
        Flow destination  : 10.1.2.2/255.255.255.255 0/0

        [Outbound ESP SAs]
          SPI: 1380002640 (0x52412b50)
          Proposal: ESP-ENCRYPT-AES-192 ESP-AUTH-SHA2-256-128
          SA remaining key duration (kilobytes/sec): 1532270/3514
          Outpacket count       : 2686500
          Outpacket encap count : 2686495
          Outpacket drop count  : 0
          Max sent sequence-number: 2686293
          UDP encapsulation used for NAT traversal: N

        [Inbound ESP SAs]
          SPI: 2595661893 (0x9ab6a845)
          Proposal: ESP-ENCRYPT-AES-192 ESP-AUTH-SHA2-256-128
          SA remaining key duration (kilobytes/sec): 1490295/3514
          Inpacket count        : 3068764
          Inpacket decap count  : 3068761
          Inpacket drop count   : 0
          Max received sequence-number: 3068590
          UDP encapsulation used for NAT traversal: N
          Anti-replay : Enable
          Anti-replay window size: 1024

    # Run the display interface brief command on LCCE1 and LCCE2 to view brief interface and IP information, including the IP addresses, subnet masks, physical and protocol status (Up or Down), and the number of interfaces in each state. The command output on LCCE1 is used as an example.

    [LCCE1] display interface brief
    PHY: Physical
    *down: administratively down
    (l): loopback
    (s): spoofing
    (b): BFD down
    ^down: standby
    (e): ETHOAM down
    InUti/OutUti: input utility/output utility
    Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
    Atm8/0/0                    down  down         0%     0%          0          0
    Atm8/0/1                    down  down         0%     0%          0          0
    Atm8/0/2                    down  down         0%     0%          0          0
    Atm8/0/3                    down  down         0%     0%          0          0
    Cellular0/0/0               down  down         0%     0%          0          0
    Cellular0/0/1               down  down         0%     0%          0          0
    Ethernet1/0/0               up    up           0%     0%          0          0
    Ethernet1/0/1               up    down      0.01%     0%          0          0
    Ethernet2/0/0               down  down         0%     0%          0          0
    GigabitEthernet0/0/0        up    up        0.01%  0.01%          0          0
    GigabitEthernet0/0/1        up    up        0.01%     0%          0          0
    GigabitEthernet0/0/2        up    up        0.01%     0%          0          0
    GigabitEthernet0/0/3        up    down      0.01%     0%          0          0
    GigabitEthernet3/0/0        down  down         0%     0%          0          0
    MFR0/0/1                    down  down         0%     0%          0          0
    Mp-group0/0/1               down  down         0%     0%          0          0
    NULL0                       up    up(s)        0%     0%          0          0
    Serial4/0/0                 up    up        0.05%  0.05%          0          0
    Serial6/0/0                 down  down         0%     0%          0          0
    Serial6/0/1                 down  down         0%     0%          0          0
    Serial6/0/2                 down  down         0%     0%          0          0
    Serial6/0/3                 down  down         0%     0%          0          0
    Serial6/0/4                 down  down         0%     0%          0          0
    Serial6/0/5                 down  down         0%     0%          0          0
    Serial6/0/6                 down  down         0%     0%          0          0
    Serial6/0/7                 down  down         0%     0%          0          0
    Tunnel0/0/1                 up    up(s)        0%     0%          0          0
    Virtual-Template1           up    down         0%     0%          0          0

    # Run the display interface tunnel 0/0/1 command on LCCE1 and LCCE2 to view the tunnel interface status. You can find that the status is Up (spoofing). The command output on LCCE1 is used as an example.

    [LCCE1] display interface tunnel 0/0/1
    Tunnel0/0/1 current state : UP
    Line protocol current state : UP (spoofing)
    Description:HUAWEI, AR Series, Tunnel0/0/1 Interface
    Route Port,The Maximum Transmit Unit is 1500
    Internet protocol processing : disabled
    Encapsulation is TUNNEL, loopback not set
    Tunnel protocol/transport SVPN/IP
    Current system time: 2016-02-25 17:10:48
        300 seconds input rate 0 bits/sec, 0 packets/sec
        300 seconds output rate 0 bits/sec, 0 packets/sec
        99 seconds input rate 0 bits/sec, 0 packets/sec
        99 seconds output rate 0 bits/sec, 0 packets/sec
        0 packets input,  0 bytes
        0 input error
        0 packets output,  0 bytes
        0 output error
        Input bandwidth utilization  :    0%
        Output bandwidth utilization :    0%

Configuration Files

  • LCCE1 configuration file

    #
     sysname LCCE1
    #
     l2tpv3 enable
    #
    acl number 3000  
     rule 5 permit 115 source 10.1.1.2 0 destination 10.1.2.2 0 
    #
    ipsec proposal rtb
     esp authentication-algorithm sha2-256 
     esp encryption-algorithm aes-192
    #
    ike proposal 1
     encryption-algorithm aes-256
     authentication-algorithm sha2-256
    #
    ike peer rtb
     pre-shared-key cipher %^%#`KJ{)J4dRTcJ2eLBf[3SEp3hQbWrGA;#K()Bw*h1%^%#
     ike-proposal 1
     remote-address 10.1.2.2
    #
    ipsec policy rtb 1 isakmp
     security acl 3000
     ike-peer rtb
     proposal rtb
    #
    interface GigabitEthernet0/0/1
     ip address 10.1.1.2 255.255.255.0
     ipsec policy rtb
    #
    interface GigabitEthernet0/0/2
     link-bridge Tunnel0/0/1 tagged
    #
    interface Tunnel0/0/1
     tunnel-protocol svpn
     encapsulation l2tpv3 
     l2tpv3 local session-id 1
     l2tpv3 remote session-id 4
     l2tpv3 local cookie length 4 plain lower-value 11
     l2tpv3 remote cookie length 4 plain lower-value 22
     tunnel-source 10.1.1.2
     tunnel-destination 10.1.2.2
    #
    ip route-static 10.1.2.0 255.255.255.0 10.1.1.3
    #
    return
  • LCCE2 configuration file

    #
     sysname LCCE2
    #
     l2tpv3 enable
    #
    acl number 3000 
     rule 5 permit 115 source 10.1.2.2 0 destination 10.1.1.2 0 
    #
    ipsec proposal rta
     esp authentication-algorithm sha2-256 
     esp encryption-algorithm aes-192
    #
    ike proposal 1
     encryption-algorithm aes-256
     authentication-algorithm sha2-256
    #
    ike peer rta
     pre-shared-key cipher %^%#`KJ{)J4dRTcJ2eLBf[3SEp3hQbWrGA;#K()Bw*h1%^%#
     ike-proposal 1
     remote-address 10.1.1.2
    #
    ipsec policy rta 1 isakmp
     security acl 3000
     ike-peer rta
     proposal rta
    #
    interface GigabitEthernet0/0/1
     ip address 10.1.2.2 255.255.255.0
     ipsec policy rta 
    #
    interface GigabitEthernet0/0/2
     link-bridge Tunnel0/0/1 tagged
    #
    interface Tunnel0/0/1
     tunnel-protocol svpn
     encapsulation l2tpv3 
     l2tpv3 local session-id 4
     l2tpv3 remote session-id 1
     l2tpv3 local cookie length 4 plain lower-value 22
     l2tpv3 remote cookie length 4 plain lower-value 11
     tunnel-source 10.1.2.2
     tunnel-destination 10.1.1.2
    #
    ip route-static 10.1.1.0 255.255.255.0 10.1.2.3
    #
    return
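The two configuration files above must mirror each other exactly (session IDs, cookies, tunnel endpoints) and each device's ACL, IKE peer and IPSec policy must line up with its own tunnel. The following Python checker is an added example, not part of the Huawei document: `lcce_cfg` and `TEMPLATE` are hypothetical helpers that reproduce only the checked lines of the two files, and the checks encode the relationships this example relies on (IP protocol 115 in the ACL, policy on the interface that owns tunnel-source).

```python
import re

# Constructed from this example's configuration files (checked lines only); one template yields both LCCEs.
TEMPLATE = """\
acl number 3000
 rule 5 permit {proto} source {local} 0 destination {remote} 0
ike peer {pol}
 remote-address {remote}
interface GigabitEthernet0/0/1
 ip address {local} 255.255.255.0
 ipsec policy {pol}
interface Tunnel0/0/1
 l2tpv3 local session-id {lsid}
 l2tpv3 remote session-id {rsid}
 l2tpv3 local cookie length 4 plain lower-value {lck}
 l2tpv3 remote cookie length 4 plain lower-value {rck}
 tunnel-source {local}
 tunnel-destination {remote}
"""

def lcce_cfg(local, remote, lsid, rsid, lck, rck, pol, proto=115):
    return TEMPLATE.format(local=local, remote=remote, lsid=lsid, rsid=rsid,
                           lck=lck, rck=rck, pol=pol, proto=proto)

LCCE1 = lcce_cfg("10.1.1.2", "10.1.2.2", 1, 4, 11, 22, "rtb")
LCCE2 = lcce_cfg("10.1.2.2", "10.1.1.2", 4, 1, 22, 11, "rta")
PATTERNS = {
    "lsid": r"^ l2tpv3 local session-id (\d+)",
    "rsid": r"^ l2tpv3 remote session-id (\d+)",
    "lck": r"^ l2tpv3 local cookie (.+)$",
    "rck": r"^ l2tpv3 remote cookie (.+)$",
    "src": r"^ tunnel-source (\S+)",
    "dst": r"^ tunnel-destination (\S+)",
    "acl": r"^ rule \d+ permit (\S+) source (\S+) 0 destination (\S+) 0",
    "ike_remote": r"^ remote-address (\S+)",
    "policy_if": r"^ ip address (\S+) \S+\n ipsec policy (\S+)",
}

def facts(cfg):
    # Extract each checked value from one config; None marks a missing line.
    found = {k: re.search(p, cfg, re.M) for k, p in PATTERNS.items()}
    return {k: m and (m.group(1) if m.re.groups == 1 else m.groups()) for k, m in found.items()}

def check_device(cfg):
    """One LCCE: ACL selects its own IP-115 tunnel traffic, IKE peer is the far end, policy sits on tunnel-source."""
    f = facts(cfg)
    if None in f.values():
        return ["missing configuration line(s): " + ", ".join(k for k, v in f.items() if v is None)]
    problems = []
    if f["acl"][0] != "115":
        problems.append("ACL protocol is %s; static L2TPv3 is IP protocol 115" % f["acl"][0])
    if f["acl"][1:] != (f["src"], f["dst"]):
        problems.append("ACL endpoints differ from tunnel-source/destination")
    if f["ike_remote"] != f["dst"]:
        problems.append("IKE peer remote-address is not the tunnel-destination")
    if f["policy_if"][0] != f["src"]:
        problems.append("IPSec policy is not on the interface owning tunnel-source")
    return problems

def check_pair(cfg_a, cfg_b):
    # Both LCCEs: local/remote session IDs, cookies and endpoints must mirror each other.
    fa, fb, problems = facts(cfg_a), facts(cfg_b), check_device(cfg_a) + check_device(cfg_b)
    for mine, theirs, what in (("lsid", "rsid", "session-id"), ("lck", "rck", "cookie"), ("src", "dst", "endpoint")):
        if fa[mine] != fb[theirs] or fa[theirs] != fb[mine]:
            problems.append("%s values are not mirrored between the peers" % what)
    return problems
```

`check_pair(LCCE1, LCCE2)` returns an empty list for the files as shown; feeding it a copy with `proto="udp"` or a mismatched cookie returns the corresponding finding.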
Updated: 2019-08-07

Document ID: EDOC1100033725