CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring Automatic Upgrade of the Efficient VPN Remote Device

Networking Requirements

As shown in Figure 5-61, RouterA (remote small-sized branch gateway) and RouterB (headquarters gateway) communicate through the Internet. The branch subnet is 10.1.1.0/24 and the headquarters subnet is 10.1.2.0/24. The branch gateway can download upgrade files from the FTP server. The branch gateway and headquarters gateway establish an IPSec tunnel to protect data flows using an Efficient VPN policy in client mode. Efficient VPN facilitates IPSec tunnel establishment and maintenance.

The enterprise requires that RouterA obtain the FTP server IP address and network resources from RouterB through the IPSec tunnel so that the branch gateway upgrades automatically and the headquarters can manage the branch in a centralized manner. This also simplifies network deployment and maintenance.

Figure 5-61  Configuring automatic upgrade of the Efficient VPN remote device

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses and static routes for interfaces on RouterA and RouterB so that routes between RouterA and RouterB are reachable.

  2. Prepare the *.ini file on the FTP server. This file provides guidance for the upgrade of the branch gateway.

  3. Configure an Efficient VPN policy in client mode on RouterA. RouterA as the initiator establishes an IPSec tunnel with RouterB.

  4. Configure RouterB as the responder to use an IPSec policy template to establish an IPSec tunnel with RouterA.

After the device is upgraded, its original configuration is deleted. Save the original configuration before the upgrade, or include the required configuration in the configuration file delivered for the upgrade.

Procedure

  1. Prepare the huawei.ini file on the FTP server. This file provides guidance for the upgrade of the branch gateway.

    Format of the huawei.ini file:

    MAC=5489-9874-ce3b;vrpfile=devicesoft_nocounter.cc;vrpver=V200R003C00B160;patchfile=patch.pat;cfgfile=cfg_1.cfg;restartflag=Y;location=nanjing;

    The parameters are described as follows:
    • MAC: MAC address of the branch device interface to which an Efficient VPN policy is applied. The branch device downloads the version file, patch file, and configuration file from the entry whose MAC address matches its own.
    • vrpfile: path and file name of the version file. The file name extension of the version file is *.cc.
    • vrpver: version number of the version file on the server.
    • patchfile: path and file name of the patch file. The file name extension of the patch file is *.pat.
    • cfgfile: path and file name of the configuration file on the server. The file name extension of the configuration file can be *.cfg or *.zip.
    • restartflag: whether the device needs to restart. Y indicates that the device needs to restart. If hot patch files are used, the device does not need to restart. If cold patch files or files of other types are used, the device needs to restart; otherwise, the device upgrade fails.
    • location: device location.
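    The following parser is an added example and is not part of Huawei's documentation or software. It reads a huawei.ini file in the format described above, normalizes MAC addresses to the xxxx-xxxx-xxxx form used in the file, selects the entry for a given branch device, and applies the file-extension and restartflag rules from the parameter list. The sample file content, the function names, and the rule that a delivered version file (*.cc) requires restartflag=Y are this example's own assumptions.

```python
"""Parser for the huawei.ini upgrade-guidance file (added example, not Huawei's code).

Parses the semicolon-separated key=value lines, picks the entry whose MAC field
matches the branch device, and checks the file-name rules from the parameter list.
"""
import re

# Constructed sample file with two entries, one per branch device.
SAMPLE_INI = (
    "MAC=5489-9874-ce3b;vrpfile=devicesoft_nocounter.cc;vrpver=V200R003C00B160;"
    "patchfile=patch.pat;cfgfile=cfg_1.cfg;restartflag=Y;location=nanjing;\n"
    "MAC=5489-9874-ce3c;patchfile=hotpatch.pat;cfgfile=cfg_2.zip;"
    "restartflag=N;location=shanghai;\n"
)

# Assumption for this example: only MAC and restartflag are mandatory in every entry.
REQUIRED = ("MAC", "restartflag")
# File-name extension rules taken from the parameter descriptions above.
EXT_RULES = {"vrpfile": (".cc",), "patchfile": (".pat",), "cfgfile": (".cfg", ".zip")}


def normalize_mac(mac):
    """Return a MAC in Huawei's lowercase xxxx-xxxx-xxxx form, or None if malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        return None
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_entry(line):
    """Parse one 'key=value;key=value;' line into a dict; raise on a field without '='."""
    entry = {}
    for field in line.strip().split(";"):
        if not field:
            continue  # trailing ';' leaves an empty field
        if "=" not in field:
            raise ValueError("field without '=': %r" % field)
        key, value = field.split("=", 1)
        entry[key.strip()] = value.strip()
    return entry


def validate_entry(entry):
    """Return a list of problems with an entry; an empty list means it is usable."""
    problems = []
    for key in REQUIRED:
        if key not in entry:
            problems.append("missing %s" % key)
    if normalize_mac(entry.get("MAC", "")) is None:
        problems.append("bad MAC")
    for key, exts in EXT_RULES.items():
        if key in entry and not entry[key].lower().endswith(exts):
            problems.append("%s must end in %s" % (key, "/".join(exts)))
    if entry.get("restartflag") not in ("Y", "N"):
        problems.append("restartflag must be Y or N")
    # Assumption: a new version file replaces the running system software, which is
    # a "file of another type" in the restartflag description, so a restart is needed.
    if "vrpfile" in entry and entry.get("restartflag") != "Y":
        problems.append("restartflag must be Y when a version file is delivered")
    return problems


def parse_ini(text):
    """Parse the whole file into a list of entry dicts, skipping blank lines."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def select_for_device(text, device_mac):
    """Return the validated entry for device_mac, or None if there is no usable match."""
    wanted = normalize_mac(device_mac)
    for entry in parse_ini(text):
        if normalize_mac(entry.get("MAC", "")) == wanted and not validate_entry(entry):
            return entry
    return None


if __name__ == "__main__":
    chosen = select_for_device(SAMPLE_INI, "54:89:98:74:CE:3B")
    print(chosen)
```

    Running the file prints the first sample entry, because the colon-separated MAC normalizes to the same value as the file's MAC field. An entry that fails validation is never selected, so a malformed line for one device cannot be picked up by another.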

  2. Configure IP addresses and static routes for interfaces on RouterA and RouterB.

    # Assign an IP address to an interface on RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip address 60.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the peer on RouterA. This example assumes that the next hop address in the route to RouterB is 60.1.1.2.

    [RouterA] ip route-static 60.1.2.0 255.255.255.0 60.1.1.2
    [RouterA] ip route-static 10.1.2.0 255.255.255.0 60.1.1.2
    [RouterA] ip route-static 70.1.1.0 255.255.255.0 60.1.1.2

    # Assign an IP address to an interface on RouterB.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 1/0/0 
    [RouterB-GigabitEthernet1/0/0] ip address 60.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet1/0/0] quit
    [RouterB] interface gigabitethernet 2/0/0
    [RouterB-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the peer on RouterB. This example assumes that the next hop address in the route to RouterA is 60.1.2.2.

    [RouterB] ip route-static 60.1.1.0 255.255.255.0 60.1.2.2
    [RouterB] ip route-static 10.1.1.0 255.255.255.0 60.1.2.2

  3. Configure an Efficient VPN policy in client mode on RouterA. RouterA as the initiator establishes an IPSec tunnel with RouterB.

    # Configure an Efficient VPN policy in client mode and specify the remote address and pre-shared key.

    [RouterA] ipsec efficient-vpn evpn mode client
    [RouterA-ipsec-efficient-vpn-evpn] remote-address 60.1.2.1 v1
    [RouterA-ipsec-efficient-vpn-evpn] pre-shared-key cipher Huawei@1234
    [RouterA-ipsec-efficient-vpn-evpn] dh group14
    [RouterA-ipsec-efficient-vpn-evpn] quit

    # Apply the Efficient VPN policy to the interface.

    [RouterA] interface gigabitethernet 1/0/0 
    [RouterA-GigabitEthernet1/0/0] ipsec efficient-vpn evpn
    [RouterA-GigabitEthernet1/0/0] quit

  4. Configure RouterB as the responder to use an IPSec policy template to establish an IPSec tunnel with RouterA.

    # Configure the URL and version number to be delivered in the service scheme view so that the IKE peer can reference them.

    [RouterB] ip pool poo1test
    [RouterB-ip-pool-poo1test] network 100.1.1.0 mask 255.255.255.0
    [RouterB-ip-pool-poo1test] gateway-list 100.1.1.2
    [RouterB-ip-pool-poo1test] quit
    [RouterB] aaa
    [RouterB-aaa] service-scheme schemetest
    [RouterB-aaa-service-schemetest] ip-pool poo1test
    [RouterB-aaa-service-schemetest] auto-update url ftp://username:userpassword@70.1.1.1/huawei.ini version 1
    [RouterB-aaa-service-schemetest] quit
    [RouterB-aaa] quit
    
    NOTE:

    The branch gateway determines whether to perform the upgrade according to the version number in the auto-update url command. The upgrade is performed only when the version to be delivered is later than the current version of the branch gateway.

    # Configure an IKE proposal and an IKE peer.

    [RouterB] ike proposal 5
    [RouterB-ike-proposal-5] dh group14
    [RouterB-ike-proposal-5] encryption-algorithm aes-256
    [RouterB-ike-proposal-5] quit
    [RouterB] ike peer rut
    [RouterB-ike-peer-rut] undo version 2 
    [RouterB-ike-peer-rut] exchange-mode aggressive
    [RouterB-ike-peer-rut] pre-shared-key cipher Huawei@1234
    [RouterB-ike-peer-rut] ike-proposal 5
    [RouterB-ike-peer-rut] service-scheme schemetest
    [RouterB-ike-peer-rut] quit
    

    # Configure an IPSec proposal and establish an IPSec policy using an IPSec policy template.

    [RouterB] ipsec proposal prop1
    [RouterB-ipsec-proposal-prop1] esp authentication-algorithm sha2-256
    [RouterB-ipsec-proposal-prop1] esp encryption-algorithm aes-128
    [RouterB-ipsec-proposal-prop1] quit
    [RouterB] ipsec policy-template temp1 10
    [RouterB-ipsec-policy-templet-temp1-10] ike-peer rut
    [RouterB-ipsec-policy-templet-temp1-10] proposal prop1
    [RouterB-ipsec-policy-templet-temp1-10] quit
    [RouterB] ipsec policy policy1 10 isakmp template temp1
    

    # Apply the IPSec policy to an interface.

    [RouterB] interface gigabitethernet 1/0/0
    [RouterB-GigabitEthernet1/0/0] ipsec policy policy1
    [RouterB-GigabitEthernet1/0/0] quit

  5. Verify the configuration.

    # After the configurations are complete, PC A can ping PC B successfully. You can run the display ipsec statistics command to view packet statistics.

    # Run the display ike sa command on RouterA and RouterB to view the IKE SA configuration. The display on RouterA is used as an example.

    [RouterA] display ike sa
    IKE SA information :
      Conn-ID  Peer           VPN   Flag(s)   Phase   RemoteType  RemoteID
      --------------------------------------------------------------------------
      117      60.1.2.1:500         RD|ST     V1:2    IP          60.1.2.1
      116      60.1.2.1:500         RD|ST     V1:1    IP          60.1.2.1
                                       
      Number of IKE SA : 2 
      --------------------------------------------------------------------------
                                                               
      Flag Description:           
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   
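    The following parser is an added example and is not part of Huawei's documentation or software. It turns the display ike sa output above into records so that a monitoring script can confirm that both the phase 1 and phase 2 SAs toward a peer carry the RD (READY) flag. The sample output is the RouterA output shown above; the function and field names, and the assumption that a data row is one whose first token is a numeric Conn-ID, are this example's own.

```python
"""Parser for the 'display ike sa' table (added example, not Huawei's code)."""
import re

# Copied from the RouterA output in this document.
SAMPLE_OUTPUT = """\
IKE SA information :
  Conn-ID  Peer           VPN   Flag(s)   Phase   RemoteType  RemoteID
  --------------------------------------------------------------------------
  117      60.1.2.1:500         RD|ST     V1:2    IP          60.1.2.1
  116      60.1.2.1:500         RD|ST     V1:1    IP          60.1.2.1

  Number of IKE SA : 2
  --------------------------------------------------------------------------

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING
"""

PHASE_RE = re.compile(r"^V(\d):(\d)$")


def parse_ike_sa(output):
    """Return one dict per SA row with conn_id, peer, vpn, flags, version, phase,
    remote_type and remote_id."""
    sas = []
    for line in output.splitlines():
        tokens = line.split()
        # Assumption: a data row starts with a numeric Conn-ID and carries a Vx:y token.
        if not tokens or not tokens[0].isdigit():
            continue
        phase_idx = next((i for i, t in enumerate(tokens) if PHASE_RE.match(t)), None)
        if phase_idx is None or phase_idx < 3 or len(tokens) < phase_idx + 3:
            continue  # not a well-formed SA row
        match = PHASE_RE.match(tokens[phase_idx])
        # The VPN column is blank for the public instance, so a VPN name is present
        # only when there is an extra token between Peer and Flag(s).
        vpn = tokens[2] if phase_idx == 4 else ""
        sas.append({
            "conn_id": int(tokens[0]),
            "peer": tokens[1],
            "vpn": vpn,
            "flags": set(tokens[phase_idx - 1].split("|")),
            "version": int(match.group(1)),
            "phase": int(match.group(2)),
            "remote_type": tokens[phase_idx + 1],
            "remote_id": tokens[phase_idx + 2],
        })
    return sas


def tunnel_ready(sas, remote_id):
    """True when the peer has an SA flagged RD (READY) for both phase 1 and phase 2."""
    ready_phases = {sa["phase"] for sa in sas
                    if sa["remote_id"] == remote_id and "RD" in sa["flags"]}
    return {1, 2} <= ready_phases


if __name__ == "__main__":
    records = parse_ike_sa(SAMPLE_OUTPUT)
    for record in records:
        print(record)
    print("tunnel to 60.1.2.1 ready:", tunnel_ready(records, "60.1.2.1"))
```

    A peer that shows only a phase 1 SA, or whose flags lack RD, is reported as not ready, which is the condition worth alerting on after the branch gateway has been upgraded and restarted.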

    # Run the display ipsec efficient-vpn command on RouterA to view information about the Efficient VPN policy. In the command output, Auto-update url and Auto-update version indicate that the URL and version number are delivered to RouterA.

    [RouterA] display ipsec efficient-vpn
    ===========================================
    IPSec efficient-vpn name: evpn
    Using interface         : GigabitEthernet1/0/0
    ===========================================
     IPSec Efficient-vpn Name  : evpn
     IPSec Efficient-vpn Mode  : 1 (1:Client 2:Network 3:Network-plus 4:Network-auto-cfg)
     ACL Number                :
     Auth Method               : 8 (8:PSK 9:RSA)
     VPN name                  :
     Local ID Type             : 1 (1:IP 2:Name 3:User-fqdn 9:DN 11:Key-id)
     IKE Version               : 1 (1:IKEv1 2:IKEv2)
     Remote Address            : 60.1.2.1  (selected)
     Pre Shared Key Cipher     : %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     PFS Type                  : 0 (0:Disable 1:Group1 2:Group2 5:Group5 14:Group14 15:Group15 16:Group16)
     Remote Name               :
     PKI Object                :
     Anti-replay window size   : 32
     Qos pre-classify          : 0 (0:Disable 1:Enable)
     Qos group                 : - 
     Service-scheme name       :    
     DPD Msg Type              : seq-notify-hash
     Sim-based-username Type   :  
     Interface loopback        : LoopBack100
     Interface loopback IP     : 100.1.1.254/24
     Dns server IP             :
     Wins server IP            :
     Dns default domain name   :
     Auto-update url           : ftp://70.1.1.1/huawei.ini
     Auto-update version       : 1
     IP pool                   :  
    

    # Run the display ipsec efficient-vpn remote command on RouterB to view running information about the remote device, including its MAC address, version information, and whether the last upgrade succeeded.

    # After the IPSec SA is established, RouterA downloads the version file, patch file, and configuration file and then restarts. Run the display startup command to check that the software version, configuration file, and patch file are the target ones.

    [RouterA] display startup
    MainBoard:
      Startup system software:                   sd1:/devicesoft_nocounter.cc
      Next startup system software:              sd1:/devicesoft_nocounter.cc
      Backup system software for next startup:   null
      Startup saved-configuration file:          sd1:/cfg_1.cfg
      Next startup saved-configuration file:     sd1:/cfg_1.cfg
      Startup license file:                      null
      Next startup license file:                 null
      Startup patch package:                     sd1:/patch.pat
      Next startup patch package:                sd1:/patch.pat
      Startup voice-files:                       null
      Next startup voice-files:                  null                               

    # Run the display patch-information command on RouterA to view the patch file version.

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #
    ipsec efficient-vpn evpn mode client
     remote-address 60.1.2.1 v1
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     dh group14
    #
    interface GigabitEthernet1/0/0
     ip address 60.1.1.1 255.255.255.0
     ipsec efficient-vpn evpn
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    ip route-static 60.1.2.0 255.255.255.0 60.1.1.2
    ip route-static 10.1.2.0 255.255.255.0 60.1.1.2
    ip route-static 70.1.1.0 255.255.255.0 60.1.1.2
    #
    return
    
  • Configuration file of RouterB

    #
     sysname RouterB
    #
    ipsec proposal prop1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-256                                                   
     dh group14                                                                      
     authentication-algorithm sha2-256                                              
     authentication-method pre-share                                                
     integrity-algorithm hmac-sha2-256                                              
     prf hmac-sha2-256  
    #
    ike peer rut
     undo version 2
     exchange-mode aggressive
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
     ike-proposal 5
     service-scheme schemetest
    #
    ipsec policy-template temp1 10
     ike-peer rut
     proposal prop1
    #
    ipsec policy policy1 10 isakmp template temp1
    #
    ip pool poo1test
     gateway-list 100.1.1.2
     network 100.1.1.0 mask 255.255.255.0
    #
    aaa
     service-scheme schemetest
      ip-pool poo1test
      auto-update url ftp://username:%#%#[HXY>~%M:~$uaIE@=Q.'gp=*B5]QO%zr>MIy+QuK%#%#@70.1.1.1/huawei.ini version 1
    #
    interface GigabitEthernet1/0/0
     ip address 60.1.2.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    ip route-static 60.1.1.0 255.255.255.0 60.1.2.2
    ip route-static 10.1.1.0 255.255.255.0 60.1.2.2
    #
    return
    
Updated: 2019-08-07

Document ID: EDOC1100033725