CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Establishing an IPSec Tunnel Through Negotiation Initiated by the Branch User That Dynamically Obtains an IP Address

Networking Requirements

As shown in Figure 5-49, RouterA (branch gateway) and RouterB (headquarters gateway) communicate through the Internet. The branch subnet IP addresses are allocated by the branch gateway through DHCP, and the headquarters subnet is located on 10.1.2.0/24. The branch gateway connects to the Internet using PPPoE, and obtains an IP address from the PPPoE_server.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the two gateways communicate over the Internet, an IPSec tunnel can be set up between the branch gateway and the headquarters gateway. The branch gateway functions as the PPPoE client and obtains its IP address dynamically, so the headquarters gateway cannot know the branch gateway's IP address in advance and can only respond to IPSec negotiation requests sent by the branch gateway.

Figure 5-49  Establishing an IPSec tunnel through negotiation initiated by the branch user that dynamically obtains an IP address

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the PPPoE client on RouterA so that RouterA can obtain an IP address from the PPPoE server.
  2. Enable DHCP on RouterA so that IP addresses can be dynamically allocated through DHCP.
  3. Configure an IPSec tunnel that is set up through IKE negotiation. RouterB functions as the responder and accepts the IPSec negotiation requests initiated by RouterA.

Procedure

  1. Configure the PPPoE client on RouterA so that RouterA can obtain an IP address from the PPPoE server.

    # Configure a dialer access group to permit all IPv4 packets to pass through.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] dialer-rule
    [RouterA-dialer-rule] dialer-rule 1 ip permit
    [RouterA-dialer-rule] quit
    

    # Create a dialer interface and set parameters of the dialer interface.

    [RouterA] interface dialer 1
    [RouterA-Dialer1] link-protocol ppp
    [RouterA-Dialer1] ppp chap user user@huawei.com
    [RouterA-Dialer1] ppp chap password cipher Huawei@1234
    [RouterA-Dialer1] ip address ppp-negotiate
    [RouterA-Dialer1] dialer user huawei
    [RouterA-Dialer1] dialer bundle 1
    [RouterA-Dialer1] dialer-group 1
    [RouterA-Dialer1] quit

    # Bind the dialer interface to a physical interface and establish a PPPoE session.

    [RouterA] interface gigabitethernet1/0/0
    [RouterA-GigabitEthernet1/0/0] pppoe-client dial-bundle-number 1
    [RouterA-GigabitEthernet1/0/0] quit

    # On RouterA, configure static routes to RouterB's public network and to the headquarters subnet where PC B resides. Both routes use Dialer1 as the outbound interface.

    [RouterA] ip route-static 6.6.6.0 24 dialer1
    [RouterA] ip route-static 10.1.2.0 24 dialer1

  2. Enable DHCP on RouterA so that IP addresses can be dynamically allocated through DHCP.

    # Enable DHCP and configure a global address pool.

    [RouterA] dhcp enable
    [RouterA] ip pool pooltest
    [RouterA-ip-pool-pooltest] network 10.1.1.0 mask 255.255.255.0
    [RouterA-ip-pool-pooltest] quit

    # Configure RouterA to assign IP addresses from a global address pool on an interface.

    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] dhcp select global
    [RouterA-GigabitEthernet2/0/0] quit

  3. On RouterA, set parameters for establishing an IPSec tunnel in IKE negotiation mode.

    # Configure an ACL to define data flows destined for 10.1.2.0/24.

    [RouterA] acl number 3003
    [RouterA-acl-adv-3003] rule permit ip destination 10.1.2.0 0.0.0.255
    [RouterA-acl-adv-3003] quit

    # Configure an IPSec proposal.

    [RouterA] ipsec proposal prop1
    [RouterA-ipsec-proposal-prop1] esp authentication-algorithm sha2-256
    [RouterA-ipsec-proposal-prop1] esp encryption-algorithm aes-128
    [RouterA-ipsec-proposal-prop1] quit

    # Configure an IKE proposal.

    [RouterA] ike proposal 5
    [RouterA-ike-proposal-5] encryption-algorithm aes-128
    [RouterA-ike-proposal-5] authentication-algorithm sha2-256
    [RouterA-ike-proposal-5] dh group14
    [RouterA-ike-proposal-5] quit

    # Configure an IKE peer.

    [RouterA] ike peer rut1
    [RouterA-ike-peer-rut1] undo version 2
    [RouterA-ike-peer-rut1] pre-shared-key cipher Huawei@1234
    [RouterA-ike-peer-rut1] ike-proposal 5
    [RouterA-ike-peer-rut1] remote-address 6.6.6.6
    [RouterA-ike-peer-rut1] quit

    # Configure an IPSec policy.

    [RouterA] ipsec policy policy1 10 isakmp
    [RouterA-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterA-ipsec-policy-isakmp-policy1-10] proposal prop1
    [RouterA-ipsec-policy-isakmp-policy1-10] security acl 3003 dynamic-source
    [RouterA-ipsec-policy-isakmp-policy1-10] quit

    # Apply the IPSec policy group to the dialer interface.

    [RouterA] interface dialer 1
    [RouterA-Dialer1] ipsec policy policy1
    [RouterA-Dialer1] quit
    

  4. On RouterB, which functions as the responder, set parameters for establishing an IPSec tunnel in IKE negotiation mode.

    # Configure an IP address for an interface and a static route to the peer.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 1/0/0 
    [RouterB-GigabitEthernet1/0/0] ip address 6.6.6.6 255.255.255.0
    [RouterB-GigabitEthernet1/0/0] quit
    [RouterB] interface gigabitethernet 2/0/0 
    [RouterB-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the peer. This example assumes that the next hop address of the route is 6.6.6.1.

    [RouterB] ip route-static 10.1.1.0 255.255.255.0 6.6.6.1

    # Configure an IPSec proposal.

    [RouterB] ipsec proposal prop1
    [RouterB-ipsec-proposal-prop1] esp authentication-algorithm sha2-256
    [RouterB-ipsec-proposal-prop1] esp encryption-algorithm aes-128
    [RouterB-ipsec-proposal-prop1] quit

    # Configure an IKE proposal.

    [RouterB] ike proposal 5
    [RouterB-ike-proposal-5] encryption-algorithm aes-128
    [RouterB-ike-proposal-5] authentication-algorithm sha2-256
    [RouterB-ike-proposal-5] dh group14
    [RouterB-ike-proposal-5] quit

    # Configure an IKE peer.

    Because RouterB, as the responder, uses an IPSec policy template to configure its IPSec policy, you do not need to specify the remote IP address for the IKE peer.

    [RouterB] ike peer rut1
    [RouterB-ike-peer-rut1] undo version 2
    [RouterB-ike-peer-rut1] pre-shared-key cipher Huawei@1234
    [RouterB-ike-peer-rut1] ike-proposal 5
    [RouterB-ike-peer-rut1] quit

    # Configure an IPSec policy template.

    [RouterB] ipsec policy-template temp1 10
    [RouterB-ipsec-policy-templet-temp1-10] ike-peer rut1
    [RouterB-ipsec-policy-templet-temp1-10] proposal prop1
    [RouterB-ipsec-policy-templet-temp1-10] quit

    # Reference the IPSec policy template in the IPSec policy.

    [RouterB] ipsec policy policy1 10 isakmp template temp1

    # Apply the IPSec policy group to an interface.

    [RouterB] interface gigabitethernet 1/0/0 
    [RouterB-GigabitEthernet1/0/0] ipsec policy policy1
    [RouterB-GigabitEthernet1/0/0] quit

  5. Verify the configuration.

    # After the configurations are complete, PC A can ping PC B successfully. Data exchanged between PC A and PC B is encrypted. You can run the display ipsec statistics command to view packet statistics.

    # Run the display ike sa command on RouterA. The following information is displayed:

    [RouterA] display ike sa
    IKE SA information :
      Conn-ID  Peer          VPN   Flag(s)   Phase   RemoteType  RemoteID
      -------------------------------------------------------------------------
        246    6.6.6.6:500         RD|ST     v1:2    IP          6.6.6.6
        245    6.6.6.6:500         RD|ST     v1:1    IP          6.6.6.6

       Number of IKE SA : 2
      -------------------------------------------------------------------------

      Flag Description:
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING
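The readiness check from step 5 is easy to automate. The following Python is an added example and not part of the Huawei guide: it parses output in the display ike sa format shown above, confirms that both the phase 1 (v1:1) and phase 2 (v1:2) SAs to the expected peer are READY, and lists any peer that is not on an allow-list, which matters on a responder such as RouterB because its policy template does not pin a remote address. The sample output and the allow-list are constructed inputs.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the "display ike sa" format shown on this page (not captured
# from a device); the VPN column is empty because no VPN instance is configured.
SAMPLE_IKE_SA = """\
IKE SA information :
  Conn-ID  Peer          VPN   Flag(s)   Phase   RemoteType  RemoteID
  -------------------------------------------------------------------------
    246    6.6.6.6:500         RD|ST     v1:2    IP          6.6.6.6
    245    6.6.6.6:500         RD|ST     v1:1    IP          6.6.6.6

   Number of IKE SA : 2
  -------------------------------------------------------------------------

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
"""

# One SA row: Conn-ID, Peer:port, optional VPN instance, flags, phase, RemoteType, RemoteID.
ROW_RE = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<peer>[\d.]+):(?P<port>\d+)\s+(?:(?P<vpn>\S+)\s+)?"
    r"(?P<flags>[A-Z|]+)\s+(?P<phase>v\d:\d)\s+(?P<rtype>\S+)\s+(?P<rid>\S+)\s*$"
)


def parse_ike_sa(output: str) -> List[dict]:
    """Return one dict per SA row; a flag string such as RD|ST becomes a list."""
    sas = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["flags"] = row["flags"].split("|")
            sas.append(row)
    return sas


def tunnel_ready(sas: List[dict], peer: str) -> bool:
    """True only when both the IKE SA (v1:1) and the IPSec SA (v1:2) to peer are READY (RD)."""
    ready = {sa["phase"] for sa in sas if sa["peer"] == peer and "RD" in sa["flags"]}
    return {"v1:1", "v1:2"} <= ready


def unexpected_peers(sas: List[dict], allowed: Set[str]) -> Set[str]:
    """Peers holding an SA that are not on the allow-list (empty set means all are expected)."""
    return {sa["peer"] for sa in sas} - allowed
```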

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #
    acl number 3003
     rule 5 permit ip destination 10.1.2.0 0.0.0.255
    #
    ipsec proposal prop1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     ike-proposal 5
     remote-address 6.6.6.6
    #
    ipsec policy policy1 10 isakmp
     security acl 3003 dynamic-source
     ike-peer rut1
     proposal prop1
    #
    interface Dialer1
     link-protocol ppp
     ppp chap user user@huawei.com
     ppp chap password cipher %@%@^_PfANXK0(,Jr-(3p]"R,eOL%@%@
     ip address ppp-negotiate
     dialer user huawei
     dialer bundle 1
     dialer-group 1
     ipsec policy policy1
    #
    interface GigabitEthernet1/0/0
     pppoe-client dial-bundle-number 1
    #
    interface GigabitEthernet2/0/0
     dhcp select global
    #
    dialer-rule
     dialer-rule 1 ip permit
    #
    ip route-static 6.6.6.0 255.255.255.0 Dialer1
    ip route-static 10.1.2.0 255.255.255.0 Dialer1
    #
    return
    
  • Configuration file of RouterB

    #
     sysname RouterB
    #
    ipsec proposal prop1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
     ike-proposal 5
    #
    ipsec policy-template temp1 10
     ike-peer rut1
     proposal prop1
    #
    ipsec policy policy1 10 isakmp template temp1
    #
    interface GigabitEthernet1/0/0
     ip address 6.6.6.6 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    ip route-static 10.1.1.0 255.255.255.0 6.6.6.1
    #
    return
Updated: 2019-08-07

Document ID: EDOC1100033725
