CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Example for Configuring the Headquarters and Branch to Communicate Using VXLAN over IPSec Tunnels

Networking Requirements

In Figure 13-21, Router1 and Router2 are the branch and headquarters gateways of an enterprise. VXLAN tunnels are established to enable communication between the headquarters and branch.

The enterprise requires that services transmitted over VXLAN tunnels be protected by IPSec to prevent eavesdropping and tampering. To meet this requirement, VXLAN over IPSec can be configured to encrypt service packets transmitted between the headquarters and branch.

Figure 13-21  Configuring the headquarters and branch to communicate using VXLAN over IPSec tunnels

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a routing protocol on Router1, Router2, and Router3 to ensure Layer 3 network connectivity.
  2. Configure a deployment mode for the VXLAN access service on Router1 and Router2.
  3. Configure information for VXLAN tunnel establishment on Router1, Router2, and Router3.
  4. Configure a Layer 3 gateway on Router3.
  5. Configure ACLs on Router1, Router2, and Router3 to define the data flows to be protected by IPSec.
  6. Configure an IPSec proposal on Router1, Router2, and Router3 to define the traffic protection method.
  7. Configure an IKE peer on Router1, Router2, and Router3 and define the attributes used for IKE negotiation.
  8. Configure IPSec policies on Router1, Router2, and Router3 and apply the ACLs, IPSec proposal, and IKE peer to define the data flows to be protected and protection method.
  9. Apply the IPSec policy groups to the interfaces on Router1, Router2, and Router3 to enable the IPSec protection function on the interfaces.

Procedure

  1. Configure a routing protocol.

    # Configure Router1. The configurations of Router2 and Router3 are similar to that of Router1 and are not shown here. When OSPF is used, the 32-bit loopback address of each router must be advertised.

    <Huawei> system-view
    [Huawei] sysname Router1
    [Router1] interface loopback 1
    [Router1-LoopBack1] ip address 10.1.1.2 32
    [Router1-LoopBack1] quit
    [Router1] interface ethernet 2/0/0
    [Router1-Ethernet2/0/0] undo portswitch
    [Router1-Ethernet2/0/0] ip address 192.168.2.1 24
    [Router1-Ethernet2/0/0] quit
    [Router1] ospf
    [Router1-ospf-1] area 0
    [Router1-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.0
    [Router1-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
    [Router1-ospf-1-area-0.0.0.0] quit
    [Router1-ospf-1] quit
    

    # After OSPF is configured, the routers can learn the loopback interface address of each other and successfully ping each other. The following shows the ping result from Router1 to Router3.

    [Router1] ping 10.3.3.2
      PING 10.3.3.2: 56  data bytes, press CTRL_C to break                           
        Reply from 10.3.3.2: bytes=56 Sequence=1 ttl=255 time=1 ms                   
        Reply from 10.3.3.2: bytes=56 Sequence=2 ttl=255 time=1 ms                   
        Reply from 10.3.3.2: bytes=56 Sequence=3 ttl=255 time=2 ms                   
        Reply from 10.3.3.2: bytes=56 Sequence=4 ttl=255 time=1 ms                   
        Reply from 10.3.3.2: bytes=56 Sequence=5 ttl=255 time=44 ms                  
                                                                                    
      --- 10.3.3.2 ping statistics ---                                               
        5 packet(s) transmitted                                                     
        5 packet(s) received                                                        
        0.00% packet loss                                                           
        round-trip min/avg/max = 1/9/44 ms                                          
                                                 

  2. Configure a service access point on Router1.

    # Configure a service access point on Router1. The configuration on Router2 is similar to that on Router1 and is not shown here.

    [Router1] bridge-domain 10
    [Router1-bd10] quit
    [Router1] interface ethernet 2/0/1.1 mode l2
    [Router1-Ethernet2/0/1.1] encapsulation dot1q vid 10
    [Router1-Ethernet2/0/1.1] bridge-domain 10
    [Router1-Ethernet2/0/1.1] quit
    

  3. Configure information for VXLAN tunnel establishment on Router1, Router2, and Router3.

    # Configure Router1.

    [Router1] bridge-domain 10
    [Router1-bd10] vxlan vni 2010
    [Router1-bd10] quit
    [Router1] interface nve 1
    [Router1-Nve1] source 10.1.1.2
    [Router1-Nve1] vni 2010 head-end peer-list 10.3.3.2
    [Router1-Nve1] quit
    

    # Configure Router2.

    [Router2] bridge-domain 20
    [Router2-bd20] vxlan vni 2020
    [Router2-bd20] quit
    [Router2] interface nve 1
    [Router2-Nve1] source 10.2.2.2
    [Router2-Nve1] vni 2020 head-end peer-list 10.3.3.2
    [Router2-Nve1] quit
    

    # Configure Router3.

    [Router3] bridge-domain 10
    [Router3-bd10] vxlan vni 2010
    [Router3-bd10] quit
    [Router3] interface nve 1
    [Router3-Nve1] source 10.3.3.2
    [Router3-Nve1] vni 2010 head-end peer-list 10.1.1.2
    [Router3-Nve1] quit
    [Router3] bridge-domain 20
    [Router3-bd20] vxlan vni 2020
    [Router3-bd20] quit
    [Router3] interface nve 1
    [Router3-Nve1] source 10.3.3.2
    [Router3-Nve1] vni 2020 head-end peer-list 10.2.2.2
    [Router3-Nve1] quit
    

  4. Configure a Layer 3 VXLAN gateway on Router3.

    [Router3] interface vbdif 10
    [Router3-Vbdif10] ip address 192.168.10.10 24
    [Router3-Vbdif10] quit
    [Router3] interface vbdif 20
    [Router3-Vbdif20] ip address 192.168.20.10 24
    [Router3-Vbdif20] quit
    

  5. Configure ACLs on Router1, Router2, and Router3 to define the data flows to be protected by IPSec. The ACLs match traffic between the loopback addresses that the NVE interfaces use as VXLAN tunnel sources, so every VXLAN packet exchanged between the VTEPs is encrypted by IPSec.

    # Configure an ACL on Router1.

    [Router1] acl number 3000
    [Router1-acl-adv-3000] rule permit ip source 10.1.1.2 0.0.0.0 destination 10.3.3.2 0.0.0.0
    [Router1-acl-adv-3000] quit
    

    # Configure an ACL on Router2.

    [Router2] acl number 3001
    [Router2-acl-adv-3001] rule permit ip source 10.2.2.2 0.0.0.0 destination 10.3.3.2 0.0.0.0
    [Router2-acl-adv-3001] quit
    

    # Configure two ACLs on Router3.

    [Router3] acl number 3000
    [Router3-acl-adv-3000] rule permit ip source 10.3.3.2 0.0.0.0 destination 10.1.1.2 0.0.0.0
    [Router3-acl-adv-3000] quit
    [Router3] acl number 3001
    [Router3-acl-adv-3001] rule permit ip source 10.3.3.2 0.0.0.0 destination 10.2.2.2 0.0.0.0
    [Router3-acl-adv-3001] quit
    

  6. Configure an IPSec proposal on Router1, Router2, and Router3.

    # Configure an IPSec proposal on Router1.

    [Router1] ipsec proposal s1
    [Router1-ipsec-proposal-s1] esp authentication-algorithm sha2-256
    [Router1-ipsec-proposal-s1] esp encryption-algorithm aes-256
    [Router1-ipsec-proposal-s1] quit
    

    # Configure an IPSec proposal on Router2.

    [Router2] ipsec proposal s1
    [Router2-ipsec-proposal-s1] esp authentication-algorithm sha2-256
    [Router2-ipsec-proposal-s1] esp encryption-algorithm aes-256
    [Router2-ipsec-proposal-s1] quit
    

    # Configure an IPSec proposal on Router3.

    [Router3] ipsec proposal s1
    [Router3-ipsec-proposal-s1] esp authentication-algorithm sha2-256
    [Router3-ipsec-proposal-s1] esp encryption-algorithm aes-256
    [Router3-ipsec-proposal-s1] quit
    

  7. Create an IKE peer on Router1, Router2, and Router3.

    # Configure an IKE proposal on Router1.

    [Router1] ike proposal 1
    [Router1-ike-proposal-1] encryption-algorithm aes-256
    [Router1-ike-proposal-1] authentication-algorithm sha2-256
    [Router1-ike-proposal-1] dh group2
    [Router1-ike-proposal-1] quit
    

    # Create an IKE peer on Router1 and configure the pre-shared key and the remote address; the remote ID keeps its default settings.

    [Router1] ike peer 23
    [Router1-ike-peer-23] ike-proposal 1
    [Router1-ike-peer-23] pre-shared-key cipher Huawei@123
    [Router1-ike-peer-23] remote-address 192.168.2.2
    [Router1-ike-peer-23] quit
    

    # Configure an IKE proposal on Router2.

    [Router2] ike proposal 1
    [Router2-ike-proposal-1] encryption-algorithm aes-256
    [Router2-ike-proposal-1] authentication-algorithm sha2-256
    [Router2-ike-proposal-1] dh group2
    [Router2-ike-proposal-1] quit
    

    # Create an IKE peer on Router2 and configure the pre-shared key and the remote address; the remote ID keeps its default settings.

    [Router2] ike peer 24
    [Router2-ike-peer-24] ike-proposal 1
    [Router2-ike-peer-24] pre-shared-key cipher Huawei@123
    [Router2-ike-peer-24] remote-address 192.168.3.2
    [Router2-ike-peer-24] quit
    

    # Configure an IKE proposal on Router3.

    [Router3] ike proposal 1
    [Router3-ike-proposal-1] encryption-algorithm aes-256
    [Router3-ike-proposal-1] authentication-algorithm sha2-256
    [Router3-ike-proposal-1] dh group2
    [Router3-ike-proposal-1] quit
    

    # Create two IKE peers on Router3 and configure the pre-shared key and the remote address for each; the remote ID keeps its default settings.

    [Router3] ike peer 21
    [Router3-ike-peer-21] ike-proposal 1
    [Router3-ike-peer-21] pre-shared-key cipher Huawei@123
    [Router3-ike-peer-21] remote-address 192.168.2.1
    [Router3-ike-peer-21] quit
    [Router3] ike peer 22
    [Router3-ike-peer-22] ike-proposal 1
    [Router3-ike-peer-22] pre-shared-key cipher Huawei@123
    [Router3-ike-peer-22] remote-address 192.168.3.1
    [Router3-ike-peer-22] quit
    

  8. Create IPSec policies on Router1, Router2, and Router3.

    # Create an IPSec policy on Router1.

    [Router1] ipsec policy map1 2 isakmp
    [Router1-ipsec-policy-isakmp-map1-2] ike-peer 23
    [Router1-ipsec-policy-isakmp-map1-2] proposal s1
    [Router1-ipsec-policy-isakmp-map1-2] security acl 3000
    [Router1-ipsec-policy-isakmp-map1-2] quit
    

    # Create an IPSec policy on Router2.

    [Router2] ipsec policy user1 2 isakmp
    [Router2-ipsec-policy-isakmp-user1-2] ike-peer 24
    [Router2-ipsec-policy-isakmp-user1-2] proposal s1
    [Router2-ipsec-policy-isakmp-user1-2] security acl 3001
    [Router2-ipsec-policy-isakmp-user1-2] quit
    

    # Create an IPSec policy on Router3.

    [Router3] ipsec policy map1 2 isakmp
    [Router3-ipsec-policy-isakmp-map1-2] ike-peer 21
    [Router3-ipsec-policy-isakmp-map1-2] proposal s1
    [Router3-ipsec-policy-isakmp-map1-2] security acl 3000
    [Router3-ipsec-policy-isakmp-map1-2] quit
    [Router3] ipsec policy user1 2 isakmp
    [Router3-ipsec-policy-isakmp-user1-2] ike-peer 22
    [Router3-ipsec-policy-isakmp-user1-2] proposal s1
    [Router3-ipsec-policy-isakmp-user1-2] security acl 3001
    [Router3-ipsec-policy-isakmp-user1-2] quit
    

  9. Apply the IPSec policy groups to the interfaces on Router1, Router2, and Router3.

    # Apply the IPSec policy to an interface on Router1.

    [Router1] interface ethernet 2/0/0
    [Router1-Ethernet2/0/0] ipsec policy map1
    [Router1-Ethernet2/0/0] quit
    

    # Apply the IPSec policy to an interface on Router2.

    [Router2] interface ethernet 2/0/0
    [Router2-Ethernet2/0/0] ipsec policy user1
    [Router2-Ethernet2/0/0] quit
    

    # Apply the IPSec policies to the interfaces on Router3.

    [Router3] interface ethernet 2/0/1
    [Router3-Ethernet2/0/1] ipsec policy map1
    [Router3-Ethernet2/0/1] quit
    [Router3] interface ethernet 2/0/2
    [Router3-Ethernet2/0/2] ipsec policy user1
    [Router3-Ethernet2/0/2] quit
    

  10. Verify the configuration.

    # After the preceding configuration, PC_1 can still ping PC_2 and the data transmitted between them is encrypted.

    # Run the display ike sa command on Router3. The output shows the established IKE SAs.

    [Router3] display ike sa
       Conn-ID    Peer                  VPN         Flag(s)         Phase           
      ------------------------------------------------------------------------------
       2189       192.168.2.1:500                   RD|A            v2:2            
       2188       192.168.2.1:500                   RD|A            v2:1            
       2183       192.168.3.1:500                   RD|A            v2:2            
       2178       192.168.3.1:500                   RD|A            v2:1            
                                                                                    
      Number of IKE SA : 4                                                          
      ------------------------------------------------------------------------------
                                                                                    
      Flag Description:                                                             
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING                           
                                                                    
    

    # Run the display vxlan vni and display vxlan tunnel commands on Router1, Router2, and Router3. The output shows that the VNI status is up and lists the VXLAN tunnel information. The command output on Router3 is used as an example.

    [Router3] display vxlan vni
     VNI               BD-ID             State                                      
     -----------------------------------------                                      
     2010              10                up                                         
     2020              20                up                                         
     -----------------------------------------                                      
     Number of vxlan vni bound to BD is : 2                                         
                                                                                    
     VNI               VRF-ID                                                       
     -----------------------------------------                                      
     -----------------------------------------                                      
     Number of vxlan vni bound to VPN is : 0                                        
                                              
    [Router3] display vxlan tunnel
     Tunnel ID       Source              Destination         State     Type         
     ----------------------------------------------------------------------------   
     4026531842      10.3.3.2             10.1.1.2             up        static       
     4026531841      10.3.3.2             10.2.2.2             up        static       
     ----------------------------------------------------------------------------   
     Number of vxlan tunnel : 2  
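The verification step above leaves it to the reader to compare the command output against the intended topology. The following Python script is an added example, not part of the Huawei document: it parses display ike sa and display vxlan tunnel output (the sample text below is constructed from the Router3 output above) and confirms that each expected peer has READY IKE SAs in both phases and an up VXLAN tunnel to its VTEP. The peer-to-VTEP mapping in EXPECTED_PEERS and all function names are assumptions of this example.

```python
import re

# Constructed sample output, copied in shape from the Router3 "display ike sa"
# and "display vxlan tunnel" output shown above.
IKE_SA_OUTPUT = """\
   Conn-ID    Peer                  VPN         Flag(s)         Phase
  ------------------------------------------------------------------------------
   2189       192.168.2.1:500                   RD|A            v2:2
   2188       192.168.2.1:500                   RD|A            v2:1
   2183       192.168.3.1:500                   RD|A            v2:2
   2178       192.168.3.1:500                   RD|A            v2:1

  Number of IKE SA : 4
"""

VXLAN_TUNNEL_OUTPUT = """\
 Tunnel ID       Source              Destination         State     Type
 ----------------------------------------------------------------------------
 4026531842      10.3.3.2             10.1.1.2             up        static
 4026531841      10.3.3.2             10.2.2.2             up        static
 ----------------------------------------------------------------------------
 Number of vxlan tunnel : 2
"""

# Router3's view of the topology (assumption of this example): the address of
# each IKE peer mapped to that peer's VTEP, i.e. its NVE source (loopback) address.
EXPECTED_PEERS = {"192.168.2.1": "10.1.1.2", "192.168.3.1": "10.2.2.2"}


def parse_ike_sa(text):
    """Return one dict per IKE SA row: conn id, peer address, vpn, flag set, phase."""
    sas = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header, separator, blank and summary lines
        # The VPN column is blank unless the SA belongs to a VPN instance.
        vpn = parts[2] if len(parts) == 5 else ""
        sas.append({"conn": int(parts[0]), "peer": parts[1].split(":")[0],
                    "vpn": vpn, "flags": set(parts[-2].split("|")), "phase": parts[-1]})
    return sas


def parse_vxlan_tunnels(text):
    """Return one dict per VXLAN tunnel row: id, source, destination, state, type."""
    tunnels = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        tid, src, dst, state, ttype = parts
        tunnels.append({"id": int(tid), "source": src, "destination": dst,
                        "state": state.lower(), "type": ttype})
    return tunnels


def declared_count(text, label):
    """Return the count the device prints after '<label> :', or None if absent."""
    m = re.search(re.escape(label) + r"\s*:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def check_tunnels(ike_text, tunnel_text, expected):
    """Verify every expected peer has READY IKE SAs in both phases and an up
    VXLAN tunnel to its VTEP. Returns a list of problems; empty means healthy."""
    sas, tunnels = parse_ike_sa(ike_text), parse_vxlan_tunnels(tunnel_text)
    problems = []
    declared = declared_count(ike_text, "Number of IKE SA")
    if declared is not None and declared != len(sas):
        problems.append(f"parsed {len(sas)} IKE SAs but output declares {declared}")
    for ike_peer, vtep in expected.items():
        ready = {sa["phase"] for sa in sas if sa["peer"] == ike_peer and "RD" in sa["flags"]}
        for phase in ("v2:1", "v2:2"):  # IKEv2 SA and its child (IPSec) SA
            if phase not in ready:
                problems.append(f"{ike_peer}: no READY IKE SA for phase {phase}")
        states = [t["state"] for t in tunnels if t["destination"] == vtep]
        if not states:
            problems.append(f"{vtep}: no VXLAN tunnel")
        elif any(s != "up" for s in states):
            problems.append(f"{vtep}: VXLAN tunnel is not up")
    return problems


if __name__ == "__main__":
    for p in check_tunnels(IKE_SA_OUTPUT, VXLAN_TUNNEL_OUTPUT, EXPECTED_PEERS) or ["all peers healthy"]:
        print(p)
```

Both parsers split on whitespace rather than on column positions, so they tolerate the column widths changing between software versions. A peer that is missing its v2:2 entry has no IPSec SA even though IKE itself negotiated, which is the case a quick glance at the output most easily misses.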

Configuration Files

  • Router1 configuration file

    #
    sysname Router1
    #                                                                               
    acl number 3000                                                                 
     rule 5 permit ip source 10.1.1.2 0 destination 10.3.3.2 0        
    #                                                                               
    ipsec proposal s1                                                               
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256  
    #                                                                               
    ike proposal 1                                                                  
     encryption-algorithm aes-256                                                   
     dh group2                                                                      
     authentication-algorithm sha2-256                                              
     authentication-method pre-share                                                
     integrity-algorithm hmac-sha2-256                                              
     prf hmac-sha2-256                         
    #                                                                               
    ike peer 23                                                                     
     pre-shared-key cipher %^%#I:TE+I3nvA"|a6GX){:*][TI2!r-EJ&,Ck*+)N{N%^%#         
     ike-proposal 1                                                                 
     remote-address 192.168.2.2   
    #                                                                               
    ipsec policy map1 2 isakmp                                                      
     security acl 3000                                                              
     ike-peer 23                                                                    
     proposal s1   
    #
    bridge-domain 10                                                                
     vxlan vni 2010
    #                                                                               
    interface Ethernet2/0/0                                                         
     undo portswitch                                                                
     ip address 192.168.2.1 255.255.255.0                                           
     ipsec policy map1     
    #                                                                               
    interface Ethernet2/0/1.1 mode l2                                               
     encapsulation dot1q vid 10                                                     
     bridge-domain 10
    #                                                                               
    interface LoopBack1                                                             
     ip address 10.1.1.2 255.255.255.255  
    #                                                                               
    interface Nve1                                                                  
     source 10.1.1.2                                                                 
     vni 2010 head-end peer-list 10.3.3.2                                            
    #  
    ospf 1                                                                          
     area 0.0.0.0                                                                   
      network 10.1.1.2 0.0.0.0                                                       
      network 192.168.2.0 0.0.0.255 
    #                                                                               
    return 
    
  • Router2 configuration file

    #
    sysname Router2
    #                                                                               
    acl number 3001                                                                 
     rule 5 permit ip source 10.2.2.2 0 destination 10.3.3.2 0       
    #                                                                               
    ipsec proposal s1                                                               
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256    
    #                                                                               
    ike proposal 1                                                                  
     encryption-algorithm aes-256                                                   
     dh group2                                                                      
     authentication-algorithm sha2-256                                              
     authentication-method pre-share                                                
     integrity-algorithm hmac-sha2-256                                              
     prf hmac-sha2-256   
    #                                                                               
    ike peer 24                                                                     
     pre-shared-key cipher %^%#%40zAxZ^A~Q}]@EPm$41CLh8A{AdV*Gl6\)G=GiM%^%#         
     ike-proposal 1                                                                 
     remote-address 192.168.3.2    
    #                                                                               
    ipsec policy user1 2 isakmp                                                     
     security acl 3001                                                              
     ike-peer 24                                                                    
     proposal s1  
    #
    bridge-domain 20                                                                
     vxlan vni 2020
    #                                                                               
    interface Ethernet2/0/0                                                         
     undo portswitch                                                                
     ip address 192.168.3.1 255.255.255.0                                           
     ipsec policy user1  
    #                                                                               
    interface Ethernet2/0/1.1 mode l2                                               
     encapsulation dot1q vid 20                                                     
     bridge-domain 20
    #                                                                               
    interface LoopBack1                                                             
     ip address 10.2.2.2 255.255.255.255  
    #                                                                               
    interface Nve1                                                                  
     source 10.2.2.2                                                                 
     vni 2020 head-end peer-list 10.3.3.2                                            
    #  
    ospf 1                                                                          
     area 0.0.0.0                                                                   
      network 10.2.2.2 0.0.0.0                                                       
      network 192.168.3.0 0.0.0.255 
    #                                                                               
    return 
  • Router3 configuration file

    #
    sysname Router3
    #                                                                               
    acl number 3000   
     rule 5 permit ip source 10.3.3.2 0 destination 10.1.1.2 0       
    acl number 3001   
     rule 5 permit ip source 10.3.3.2 0 destination 10.2.2.2 0        
    #     
    ipsec proposal s1                                                               
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256   
    #                                                                               
    ike proposal 1                                                                  
     encryption-algorithm aes-256                                                   
     dh group2                                                                      
     authentication-algorithm sha2-256                                              
     authentication-method pre-share                                                
     integrity-algorithm hmac-sha2-256                                              
     prf hmac-sha2-256     
    #                                                                               
    ike peer 21                                                                     
     pre-shared-key cipher %^%#T*hBB(Pci9Xmp=+|}(.@/2ki4h1G6N$`@`Ldj`+S%^%#         
     ike-proposal 1                                                                 
     remote-address 192.168.2.1                                                     
    ike peer 22                                                                     
     pre-shared-key cipher %^%#$giTMpBP{PPF^c%!K.^>`!z4Tw>qFX>kX`(\|xhI%^%#         
     ike-proposal 1                                                                 
     remote-address 192.168.3.1                                                     
    #                                                                               
    ipsec policy map1 2 isakmp                                                      
     security acl 3000                                                              
     ike-peer 21                                                                    
     proposal s1   
    ipsec policy user1 2 isakmp                                                     
     security acl 3001                                                              
     ike-peer 22                                                                    
     proposal s1    
    #                                                                               
    bridge-domain 10                                                                
     vxlan vni 2010  
    bridge-domain 20                                                                
     vxlan vni 2020  
    #                                                                               
    interface Ethernet2/0/1                                                         
     undo portswitch                                                                
     ip address 192.168.2.2 255.255.255.0                                           
     ipsec policy map1                                                              
    #                                                                               
    interface Ethernet2/0/2                                                         
     undo portswitch                                                                
     ip address 192.168.3.2 255.255.255.0                                           
     ipsec policy user1  
    #                                                                               
    interface LoopBack1                                                             
     ip address 10.3.3.2 255.255.255.255  
    #                                                                               
    interface Vbdif10                                                               
     ip address 192.168.10.10 255.255.255.0                                         
    #                  
    interface Vbdif20                                                               
     ip address 192.168.20.10 255.255.255.0 
    #                                                                               
    interface Nve1                                                                  
     source 10.3.3.2                                                                 
     vni 2010 head-end peer-list 10.1.1.2                                            
     vni 2020 head-end peer-list 10.2.2.2                                            
    #  
    ospf 1                                                                          
     area 0.0.0.0                                                                   
      network 10.3.3.2 0.0.0.0                                                       
      network 192.168.2.0 0.0.0.255 
      network 192.168.3.0 0.0.0.255 
    #                                                                               
    return 
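Steps 5 to 9 of the procedure and the configuration files above have to agree across routers: the ACL on one side must be the mirror image of the ACL on the other, the IKE remote address must be the IPSec-enabled interface of the peer, the policy must reference an ACL and IKE peer that exist, and the VXLAN head-end peer lists must point at each other. The following Python script is an added example, not part of the Huawei document, that checks those relations between two configuration files. It assumes the VRP text layout shown above (section headers at column 0, settings indented by one space, "#" separators) and works on excerpts constructed from the Router1 and Router3 files, reduced to the Router1/Router3 tunnel; the check is pairwise, so the Router2 side of Router3 is left out of the constructed excerpts. Function names and the ROUTER1_CFG/ROUTER3_CFG constants are assumptions of this example.

```python
# Constructed excerpts of the Router1 and Router3 configuration files above,
# reduced to the Router1/Router3 tunnel and to the lines the checks read.
ROUTER1_CFG = """\
sysname Router1
acl number 3000
 rule 5 permit ip source 10.1.1.2 0 destination 10.3.3.2 0
ike peer 23
 remote-address 192.168.2.2
ipsec policy map1 2 isakmp
 security acl 3000
 ike-peer 23
interface Ethernet2/0/0
 ip address 192.168.2.1 255.255.255.0
 ipsec policy map1
interface Nve1
 source 10.1.1.2
 vni 2010 head-end peer-list 10.3.3.2
"""
ROUTER3_CFG = """\
sysname Router3
acl number 3000
 rule 5 permit ip source 10.3.3.2 0 destination 10.1.1.2 0
ike peer 21
 remote-address 192.168.2.1
ipsec policy map1 2 isakmp
 security acl 3000
 ike-peer 21
interface Ethernet2/0/1
 ip address 192.168.2.2 255.255.255.0
 ipsec policy map1
interface Nve1
 source 10.3.3.2
 vni 2010 head-end peer-list 10.1.1.2
"""

def parse_vrp(text):
    """Split a VRP configuration into {section header: [indented body lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and "#" separators carry no settings
        if not line.startswith(" "):
            current = line.strip()
            sections[current] = []
        else:
            sections[current].append(line.strip())
    return sections

def extract(sections):
    """Collect ACL rules, IKE peers, IPSec policies, interface addresses and the
    NVE (VTEP) source address and per-VNI peer list from parsed sections."""
    m = {"name": "", "acl": {}, "peer": {}, "policy": {}, "iface": {}, "vtep": "", "vni": {}}
    for header, body in sections.items():
        kw = header.split()
        kv = {w[0]: w[1:] for w in (l.split() for l in body)}
        if kw[0] == "sysname":
            m["name"] = kw[1]
        elif kw[:2] == ["acl", "number"]:  # rule <n> permit ip source S 0 destination D 0
            m["acl"][kw[2]] = [(l.split()[5], l.split()[8]) for l in body if l.startswith("rule")]
        elif kw[:2] == ["ike", "peer"]:
            m["peer"][kw[2]] = kv["remote-address"][0]
        elif kw[:2] == ["ipsec", "policy"]:
            m["policy"][kw[2]] = {"acl": kv["security"][1], "peer": kv["ike-peer"][0]}
        elif kw[0] == "interface" and kw[1].startswith("Nve"):
            m["vtep"] = kv["source"][0]
            m["vni"] = {l.split()[1]: l.split()[4] for l in body if l.startswith("vni ")}
        elif kw[0] == "interface":
            m["iface"][kw[1]] = {"ip": kv["ip"][1], "policy": kv.get("ipsec", [None, None])[1]}
    return m

def check_pair(cfg_a, cfg_b):
    """Check that the IPSec and VXLAN settings of two routers mirror each other.
    Returns a list of findings; an empty list means the pair is consistent."""
    a, b = extract(parse_vrp(cfg_a)), extract(parse_vrp(cfg_b))
    findings = []
    for x, y in ((a, b), (b, a)):
        for iface, info in x["iface"].items():
            pol = info["policy"]
            if pol is None:
                continue
            p = x["policy"].get(pol)
            if p is None or p["peer"] not in x["peer"] or p["acl"] not in x["acl"]:
                findings.append(f"{x['name']} {iface}: policy {pol}, its IKE peer or its ACL is undefined")
                continue
            remote = x["peer"][p["peer"]]
            # The IKE remote address must be an IPSec-enabled interface on the other
            # router whose own IKE peer points back at this interface.
            back = [i for i in y["iface"].values() if i["ip"] == remote and i["policy"] in y["policy"]
                    and y["peer"].get(y["policy"][i["policy"]]["peer"]) == info["ip"]]
            if not back:
                findings.append(f"{x['name']} {iface}: {y['name']} has no IKE peer pointing back at {info['ip']}")
            # Every protected flow must appear reversed in the other router's ACLs.
            mirror = {(d, s) for rules in y["acl"].values() for s, d in rules}
            for s, d in x["acl"][p["acl"]]:
                if (s, d) not in mirror:
                    findings.append(f"{x['name']} acl {p['acl']}: flow {s}->{d} is not mirrored on {y['name']}")
        # VXLAN head-end peer lists pointing at the other router must be symmetric per VNI.
        for vni, peer in x["vni"].items():
            if peer == y["vtep"] and y["vni"].get(vni) != x["vtep"]:
                findings.append(f"{x['name']} vni {vni}: {y['name']} does not list {x['vtep']} for this VNI")
    return findings
```

Calling check_pair(ROUTER1_CFG, ROUTER3_CFG) returns an empty list for the configuration above. An ACL rule with no mirror on the peer, or a policy that references an ACL number that was never defined, shows up in the field as failed SA negotiation, so the mismatch is cheaper to catch in the text before deployment; the script also flags a policy applied to an interface without a corresponding IKE peer on the far side.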
Updated: 2019-08-07

Document ID: EDOC1100033725