CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Establishing an IPSec Tunnel Using an Efficient VPN Policy in Client Mode

Networking Requirements

As shown in Figure 5-57, RouterA (remote small-scale branch gateway) and RouterB (headquarters gateway) communicate through the Internet. The headquarters and branch networks were not planned as one address space: the branch subnet is 10.1.1.0/24 and the headquarters subnet is 10.1.2.0/24. The DHCP server is located on the headquarters network and allocates an IP address to the branch gateway.

The enterprise requires that traffic between the headquarters and branch networks be transmitted securely, and that the headquarters gateway manage the branch gateway centrally with minimal configuration on the branch side. An Efficient VPN policy in client mode can be used to establish an IPSec tunnel that protects this traffic, which simplifies IPSec tunnel establishment and maintenance.

In client mode, RouterA requests an IP address from RouterB to establish an IPSec tunnel, and requests the DNS domain name, DNS server IP addresses, and WINS server IP addresses for the branch subnet.

Figure 5-57  Establishing an IPSec tunnel using an Efficient VPN policy in client mode

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses and static routes for interfaces on RouterA and RouterB so that routes between RouterA and RouterB are reachable.

  2. Configure the DHCP server address on RouterB so that IP addresses can be dynamically allocated through DHCP.

  3. Configure RouterB as the responder to use an IPSec policy template to establish an IPSec tunnel with RouterA.

  4. Configure an Efficient VPN policy in client mode on RouterA. RouterA as the initiator establishes an IPSec tunnel with RouterB.

Procedure

  1. Configure IP addresses and static routes for interfaces on RouterA and RouterB.

    # Assign an IP address to an interface on RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip address 60.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the peer on RouterA. This example assumes that the next hop address in the route to RouterB is 60.1.1.2.

    [RouterA] ip route-static 60.1.2.0 255.255.255.0 60.1.1.2
    [RouterA] ip route-static 10.1.2.0 255.255.255.0 60.1.1.2

    # Assign an IP address to an interface on RouterB. The IP address of GigabitEthernet4/0/0 must be on the same network segment as the IP address assigned by the DHCP server.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 1/0/0
    [RouterB-GigabitEthernet1/0/0] ip address 60.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet1/0/0] quit
    [RouterB] interface gigabitethernet 2/0/0
    [RouterB-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet2/0/0] quit
    [RouterB] interface gigabitethernet 3/0/0
    [RouterB-GigabitEthernet3/0/0] ip address 10.1.3.1 255.255.255.0
    [RouterB-GigabitEthernet3/0/0] quit
    [RouterB] interface gigabitethernet 4/0/0
    [RouterB-GigabitEthernet4/0/0] ip address 100.1.1.3 255.255.255.0
    [RouterB-GigabitEthernet4/0/0] quit
    

    # Configure a static route to the peer on RouterB. This example assumes that the next hop address in the route to RouterA is 60.1.2.2.

    [RouterB] ip route-static 60.1.1.0 255.255.255.0 60.1.2.2
    [RouterB] ip route-static 10.1.1.0 255.255.255.0 60.1.2.2
    [RouterB] ip route-static 100.1.1.0 255.255.255.0 60.1.2.2

  2. Configure the DHCP server address on RouterB so that IP addresses can be dynamically allocated through DHCP.

    # Enable DHCP, create a DHCP server group, and add DHCP servers to the DHCP server group.

    [RouterB] dhcp enable
    [RouterB] dhcp server group dhcp-ser1
    [RouterB-dhcp-server-group-dhcp-ser1] dhcp-server 10.1.3.2
    [RouterB-dhcp-server-group-dhcp-ser1] gateway 100.1.1.3
    [RouterB-dhcp-server-group-dhcp-ser1] quit

  3. Configure RouterB as the responder to use an IPSec policy template to establish an IPSec tunnel with RouterA.

    # In the service scheme view, configure the resources to be allocated, including the IP address, DNS domain name, DNS server IP addresses, and WINS server IP addresses.

    [RouterB] aaa
    [RouterB-aaa] service-scheme schemetest 
    [RouterB-aaa-service-schemetest] dhcp-server group dhcp-ser1
    [RouterB-aaa-service-schemetest] dns-name mydomain.com.cn
    [RouterB-aaa-service-schemetest] dns 2.2.2.2
    [RouterB-aaa-service-schemetest] dns 2.2.2.3 secondary
    [RouterB-aaa-service-schemetest] wins 3.3.3.2
    [RouterB-aaa-service-schemetest] wins 3.3.3.3 secondary
    [RouterB-aaa-service-schemetest] quit
    [RouterB-aaa] quit

    # Configure an IKE proposal and an IKE peer, and bind the service scheme to the IKE peer.

    [RouterB] ike proposal 5
    [RouterB-ike-proposal-5] dh group14
    [RouterB-ike-proposal-5] authentication-algorithm sha2-256
    [RouterB-ike-proposal-5] encryption-algorithm aes-128
    [RouterB-ike-proposal-5] quit
    [RouterB] ike peer rut3
    [RouterB-ike-peer-rut3] undo version 2
    [RouterB-ike-peer-rut3] pre-shared-key cipher huawei
    [RouterB-ike-peer-rut3] ike-proposal 5
    [RouterB-ike-peer-rut3] service-scheme schemetest
    [RouterB-ike-peer-rut3] quit
    

    # Configure an IPSec proposal and establish an IPSec policy using an IPSec policy template.

    [RouterB] ipsec proposal prop1
    [RouterB-ipsec-proposal-prop1] esp authentication-algorithm sha2-256
    [RouterB-ipsec-proposal-prop1] esp encryption-algorithm aes-128
    [RouterB-ipsec-proposal-prop1] quit
    [RouterB] ipsec policy-template temp1 10
    [RouterB-ipsec-policy-templet-temp1-10] ike-peer rut3
    [RouterB-ipsec-policy-templet-temp1-10] proposal prop1
    [RouterB-ipsec-policy-templet-temp1-10] quit
    [RouterB] ipsec policy policy1 10 isakmp template temp1
    

    # Apply the IPSec policy to an interface.

    [RouterB] interface gigabitethernet 1/0/0
    [RouterB-GigabitEthernet1/0/0] ipsec policy policy1
    [RouterB-GigabitEthernet1/0/0] quit

  4. Configure an Efficient VPN policy in client mode on RouterA to establish an IPSec tunnel.

    # Configure an Efficient VPN policy in client mode and specify the remote address and pre-shared key.

    [RouterA] ipsec efficient-vpn evpn mode client
    [RouterA-ipsec-efficient-vpn-evpn] remote-address 60.1.2.1 v1
    [RouterA-ipsec-efficient-vpn-evpn] pre-shared-key cipher huawei
    [RouterA-ipsec-efficient-vpn-evpn] dh group14
    [RouterA-ipsec-efficient-vpn-evpn] quit
    

    # Apply the Efficient VPN policy to the interface.

    [RouterA] interface gigabitethernet 1/0/0 
    [RouterA-GigabitEthernet1/0/0] ipsec efficient-vpn evpn
    [RouterA-GigabitEthernet1/0/0] quit

  5. Verify the configuration.

    # After the configurations are complete, PC A can ping PC B successfully. You can run the display ipsec statistics command to view packet statistics.

    # Run the display ike sa command on RouterA. The following information is displayed:

    [RouterA] display ike sa
    IKE SA information :
        Conn-ID  Peer            VPN   Flag(s)   Phase   RemoteType  RemoteID
      -----------------------------------------------------------------------------
        26       60.1.2.1:500          RD|ST     v1:2    IP          60.1.2.1
        25       60.1.2.1:500          RD|ST     v1:1    IP          60.1.2.1
                                       
      Number of IKE SA : 2 
      -----------------------------------------------------------------------------
                                                               
      Flag Description:           
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   
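The verification step above checks the tunnel by eye. The following Python script, added here as an example and not part of the Huawei document, parses the display ike sa output shown above and reports whether both the phase 1 (IKE) and phase 2 (IPSec) SAs to the expected peer are in the READY state, so the check can be run automatically over a collected CLI capture. The first sample output is constructed from the page; the second, showing a tunnel that is still negotiating, is hypothetical.

```python
import re
from typing import Dict, List

# Constructed from the "display ike sa" output the page shows on RouterA.
SAMPLE_IKE_SA = """\
IKE SA information :
    Conn-ID  Peer            VPN   Flag(s)   Phase   RemoteType  RemoteID
  -----------------------------------------------------------------------------
    26       60.1.2.1:500          RD|ST     v1:2    IP          60.1.2.1
    25       60.1.2.1:500          RD|ST     v1:1    IP          60.1.2.1

  Number of IKE SA : 2
  -----------------------------------------------------------------------------

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING
"""

# Hypothetical output (not from the page) for a tunnel that is still negotiating:
# only the phase 1 SA exists and it is not READY.
SAMPLE_NEGOTIATING = """\
IKE SA information :
    Conn-ID  Peer            VPN   Flag(s)   Phase   RemoteType  RemoteID
  -----------------------------------------------------------------------------
    27       60.1.2.1:500          NEG       v1:1    IP          60.1.2.1

  Number of IKE SA : 1
"""

# One SA row; the VPN column is blank on the page, so it is optional here.
SA_ROW = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<peer>\S+)\s+(?:(?P<vpn>\S+)\s+)?(?P<flags>[A-Z|]+)\s+"
    r"(?P<phase>v[12]:[12])\s+(?P<rtype>\S+)\s+(?P<rid>\S+)\s*$"
)
SA_COUNT = re.compile(r"Number of IKE SA\s*:\s*(\d+)")


def parse_ike_sa(text: str) -> List[Dict[str, str]]:
    """Return one dict per SA row (conn, peer, vpn, flags, phase, rtype, rid).

    Raises ValueError when the 'Number of IKE SA' summary disagrees with the
    rows parsed, which usually means the captured output was truncated."""
    rows = [m.groupdict() for m in map(SA_ROW.match, text.splitlines()) if m]
    count = SA_COUNT.search(text)
    if count and int(count.group(1)) != len(rows):
        raise ValueError(f"summary says {count.group(1)} SAs, parsed {len(rows)}")
    return rows


def tunnel_is_up(text: str, peer_ip: str) -> bool:
    """True when both the phase 1 (IKE) and phase 2 (IPSec) SAs to peer_ip are READY.

    A phase 1 SA alone means IKE negotiated but no IPSec SA protects traffic yet;
    an SA still NEGOTIATING, FADING or in TIMEOUT does not count as established."""
    ready = set()
    for row in parse_ike_sa(text):
        flags = set(row["flags"].split("|"))
        if row["rid"] == peer_ip and "RD" in flags and not flags & {"NEG", "FD", "TO"}:
            ready.add(row["phase"].split(":")[1])
    return ready == {"1", "2"}


if __name__ == "__main__":
    for sa in parse_ike_sa(SAMPLE_IKE_SA):
        print(f"conn {sa['conn']}: phase {sa['phase']} flags {sa['flags']} peer {sa['rid']}")
    print("tunnel to 60.1.2.1 up:", tunnel_is_up(SAMPLE_IKE_SA, "60.1.2.1"))
```

Requiring both phases is deliberate: after an IKEv1 rekey or a policy mismatch on the responder it is common to see only the v1:1 entry, and treating that as "up" would hide exactly the condition in which traffic between PC A and PC B is not being protected.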

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #
    ipsec efficient-vpn evpn mode client
     remote-address 60.1.2.1 v1
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     dh group14
    #
    interface GigabitEthernet1/0/0
     ip address 60.1.1.1 255.255.255.0
     ipsec efficient-vpn evpn
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    ip route-static 60.1.2.0 255.255.255.0 60.1.1.2
    ip route-static 10.1.2.0 255.255.255.0 60.1.1.2
    #
    return
    
  • Configuration file of RouterB

    #
     sysname RouterB
    #
    dhcp enable
    #
    ipsec proposal prop1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rut3
     undo version 2
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
     ike-proposal 5
     service-scheme schemetest
    #
    ipsec policy-template temp1 10
     ike-peer rut3
     proposal prop1
    #
    ipsec policy policy1 10 isakmp template temp1
    #
    dhcp server group dhcp-ser1
     dhcp-server 10.1.3.2 0
     gateway 100.1.1.3
    #
    aaa
     service-scheme schemetest
      dns 2.2.2.2
      dns 2.2.2.3 secondary
      dhcp-server group dhcp-ser1
      wins 3.3.3.2
      wins 3.3.3.3 secondary
      dns-name mydomain.com.cn
    #
    interface GigabitEthernet1/0/0
     ip address 60.1.2.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet3/0/0
     ip address 10.1.3.1 255.255.255.0
    #
    interface GigabitEthernet4/0/0
     ip address 100.1.1.3 255.255.255.0
    #
    ip route-static 60.1.1.0 255.255.255.0 60.1.2.2
    ip route-static 10.1.1.0 255.255.255.0 60.1.2.2
    ip route-static 100.1.1.0 255.255.255.0 60.1.2.2
    #
    return
    
Updated: 2019-08-07

Document ID: EDOC1100033725