CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Establishing an IPSec Tunnel Between the Enterprise Headquarters and Branch Using an IPSec Policy Template

Networking Requirements

In Figure 5-41, RouterA and RouterB are enterprise branch gateways. RouterA uses a fixed IP address to access the public network, whereas RouterB uses a dynamic IP address to access the public network. RouterC is the enterprise headquarters gateway. Branches and the headquarters communicate through the public network.

The enterprise wants to protect the data flows between the branch subnets and the headquarters subnet, and wants the headquarters gateway to accept tunnels only from branch gateways whose identity meets criteria it defines.

Because the gateways communicate over the Internet, an IPSec tunnel is set up between each branch gateway and the headquarters gateway to protect this traffic.

Figure 5-41  Establishing an IPSec tunnel between the enterprise headquarters and branch using an IPSec policy template

Configuration Roadmap

The headquarters gateway cannot know the branch gateways' IP addresses in advance (RouterB's address is assigned dynamically), so it can only respond to IKE negotiations initiated by the branch gateways. An IPSec policy template is configured on RouterC and referenced in an IPSec policy so that RouterC can accept negotiation requests from multiple branch gateways and set up one IPSec tunnel per branch.

  1. Configure IP addresses and static routes for interfaces so that routes among the three gateways are reachable.

  2. Configure ACLs to define the data flows to be protected.

  3. Configure IPSec proposals to define the method used to protect IPSec traffic.

  4. Configure IKE peers to define IKE negotiation attributes.

    • Configure RouterA to use its IP address for authentication with RouterC because RouterA uses a fixed IP address for access.
    • Configure RouterB to use its name for authentication with RouterC because RouterB uses a dynamic IP address for access.
  5. Configure an identity filter set on RouterC that admits only RouterA and RouterB, so that other initiators cannot establish an IPSec tunnel with RouterC even if they can reach it:
    • RouterA is matched by its IP address.
    • RouterB is matched by its name (FQDN).
    The filter set restricts which identities the policy template accepts; authentication itself still rests on the pre-shared key, which in this example is the same on all three gateways, so use a strong key in a real deployment.
  6. Configure IPSec policies on RouterA, RouterB, and RouterC. RouterC uses an IPSec policy template to create an IPSec policy.

  7. Apply IPSec policy groups to interfaces.

Procedure

  1. Configure IP addresses and static routes for interfaces on RouterA, RouterB, and RouterC so that routes among them are reachable.

    # Assign an IP address to each interface on RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ip address 60.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet0/0/1] quit
    [RouterA] interface gigabitethernet 0/0/2
    [RouterA-GigabitEthernet0/0/2] ip address 192.168.1.2 255.255.255.0
    [RouterA-GigabitEthernet0/0/2] quit
    

    # Configure a static route to the peer on RouterA. This example assumes that the next-hop address of the route to RouterC is 60.1.1.2.

    [RouterA] ip route-static 60.1.3.0 255.255.255.0 60.1.1.2
    [RouterA] ip route-static 192.168.3.0 255.255.255.0 60.1.1.2

    # Assign an IP address to each interface on RouterB.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 0/0/1 
    [RouterB-GigabitEthernet0/0/1] ip address dhcp-alloc
    [RouterB-GigabitEthernet0/0/1] quit
    [RouterB] interface gigabitethernet 0/0/2
    [RouterB-GigabitEthernet0/0/2] ip address 192.168.2.2 255.255.255.0
    [RouterB-GigabitEthernet0/0/2] quit
    

    # Configure a static route to the peer on RouterB. This example assumes that the outbound interface of the route to the headquarters is GE0/0/1.

    [RouterB] ip route-static 60.1.3.0 255.255.255.0 gigabitethernet 0/0/1
    [RouterB] ip route-static 192.168.3.0 255.255.255.0 gigabitethernet 0/0/1

    # Assign an IP address to each interface on RouterC.

    <Huawei> system-view
    [Huawei] sysname RouterC
    [RouterC] interface gigabitethernet 0/0/1 
    [RouterC-GigabitEthernet0/0/1] ip address 60.1.3.1 255.255.255.0
    [RouterC-GigabitEthernet0/0/1] quit
    [RouterC] interface gigabitethernet 0/0/2
    [RouterC-GigabitEthernet0/0/2] ip address 192.168.3.2 255.255.255.0
    [RouterC-GigabitEthernet0/0/2] quit
    

    # Configure a static route to the peer on RouterC. This example assumes that the next-hop address of the route to RouterA and RouterB is 60.1.3.2.

    [RouterC] ip route-static 0.0.0.0 0.0.0.0 60.1.3.2
    

  2. Configure ACLs on RouterA and RouterB to define the data flows to be protected.

    NOTE:

    Referencing an ACL is optional on RouterC because it uses an IPSec policy template to create its IPSec policy. If you do configure an ACL on RouterC, specify the destination address in its rules.

    # Configure an ACL on RouterA to define the data flows sent from 192.168.1.0/24 to 192.168.3.0/24.

    [RouterA] acl number 3002
    [RouterA-acl-adv-3002] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    [RouterA-acl-adv-3002] quit

    # Configure an ACL on RouterB to define the data flows sent from 192.168.2.0/24 to 192.168.3.0/24.

    [RouterB] acl number 3002
    [RouterB-acl-adv-3002] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    [RouterB-acl-adv-3002] quit

  3. Create IPSec proposals on RouterA, RouterB, and RouterC.

    # Create an IPSec proposal on RouterA.

    [RouterA] ipsec proposal tran1
    [RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterA-ipsec-proposal-tran1] quit

    # Create an IPSec proposal on RouterB.

    [RouterB] ipsec proposal tran1
    [RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterB-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterB-ipsec-proposal-tran1] quit

    # Create an IPSec proposal on RouterC.

    [RouterC] ipsec proposal tran1
    [RouterC-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterC-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterC-ipsec-proposal-tran1] quit

  4. Configure IKE peers on RouterA, RouterB, and RouterC.

    # Create an IKE proposal on RouterA.

    [RouterA] ike proposal 5
    [RouterA-ike-proposal-5] encryption-algorithm aes-128
    [RouterA-ike-proposal-5] authentication-algorithm sha2-256
    [RouterA-ike-proposal-5] dh group14
    [RouterA-ike-proposal-5] quit

    # Configure an IKE peer on RouterA.

    [RouterA] ike peer rut1
    [RouterA-ike-peer-rut1] undo version 2
    [RouterA-ike-peer-rut1] ike-proposal 5
    [RouterA-ike-peer-rut1] pre-shared-key cipher huawei@123
    [RouterA-ike-peer-rut1] remote-address 60.1.3.1
    [RouterA-ike-peer-rut1] quit

    # Create an IKE proposal on RouterB.

    [RouterB] ike proposal 5
    [RouterB-ike-proposal-5] encryption-algorithm aes-128
    [RouterB-ike-proposal-5] authentication-algorithm sha2-256
    [RouterB-ike-proposal-5] dh group14
    [RouterB-ike-proposal-5] quit

    # Configure an IKE peer on RouterB.

    NOTE:

    Configure the local name as huaweirt1 and the local ID type as FQDN for IKE negotiation because RouterB uses a dynamic IP address for access.

    [RouterB] ike local-name huaweirt1
    [RouterB] ike peer rut1
    [RouterB-ike-peer-rut1] undo version 2
    [RouterB-ike-peer-rut1] ike-proposal 5
    [RouterB-ike-peer-rut1] pre-shared-key cipher huawei@123
    [RouterB-ike-peer-rut1] local-id-type fqdn
    [RouterB-ike-peer-rut1] remote-address 60.1.3.1
    [RouterB-ike-peer-rut1] quit

    # Create an IKE peer on RouterC.

    [RouterC] ike proposal 5
    [RouterC-ike-proposal-5] encryption-algorithm aes-128
    [RouterC-ike-proposal-5] authentication-algorithm sha2-256
    [RouterC-ike-proposal-5] dh group14
    [RouterC-ike-proposal-5] quit

    # Configure an IKE peer on RouterC.

    NOTE:

    RouterC functions as the IKE responder and uses an IPSec policy template to create an IPSec policy, so the remote-address command does not need to be used.

    [RouterC] ike peer rut1
    [RouterC-ike-peer-rut1] undo version 2
    [RouterC-ike-peer-rut1] ike-proposal 5
    [RouterC-ike-peer-rut1] pre-shared-key cipher huawei@123
    [RouterC-ike-peer-rut1] quit

  5. Configure an identity filter set on RouterC. The IP address entry is saved as the 60.1.1.0/24 network (see the configuration file of RouterC), so any initiator in that subnet passes the filter; use a longer mask if only RouterA's address should be admitted. The FQDN entry admits RouterB's local name.

    [RouterC] ike identity identity1
    [RouterC-ike-identity-identity1] ip address 60.1.1.1 24
    [RouterC-ike-identity-identity1] fqdn huaweirt1
    [RouterC-ike-identity-identity1] quit
    

  6. Configure IPSec policies on RouterA, RouterB, and RouterC. RouterC uses an IPSec policy template to create an IPSec policy.

    # Create an IPSec policy on RouterA.

    [RouterA] ipsec policy policy1 10 isakmp
    [RouterA-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterA-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterA-ipsec-policy-isakmp-policy1-10] security acl 3002
    [RouterA-ipsec-policy-isakmp-policy1-10] quit

    # Create an IPSec policy on RouterB.

    [RouterB] ipsec policy policy1 10 isakmp
    [RouterB-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterB-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterB-ipsec-policy-isakmp-policy1-10] security acl 3002
    [RouterB-ipsec-policy-isakmp-policy1-10] quit

    # Configure an IPSec policy template on RouterC and reference the IPSec policy template in the IPSec policy.

    [RouterC] ipsec policy-template use1 10
    [RouterC-ipsec-policy-templet-use1-10] ike-peer rut1
    [RouterC-ipsec-policy-templet-use1-10] proposal tran1
    [RouterC-ipsec-policy-templet-use1-10] match ike-identity identity1
    [RouterC-ipsec-policy-templet-use1-10] quit
    [RouterC] ipsec policy policy1 10 isakmp template use1

  7. Apply IPSec policy groups to interfaces on RouterA, RouterB, and RouterC.

    # Apply an IPSec policy group to the interface of RouterA.

    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterA-GigabitEthernet0/0/1] quit

    # Apply an IPSec policy group to the interface of RouterB.

    [RouterB] interface gigabitethernet 0/0/1
    [RouterB-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterB-GigabitEthernet0/0/1] quit

    # Apply an IPSec policy group to the interface of RouterC.

    [RouterC] interface gigabitethernet 0/0/1
    [RouterC-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterC-GigabitEthernet0/0/1] quit

  8. Verify the configuration.

    # After the configurations are complete, PC A and PC B can ping PC C successfully. The data transmitted between PC A, PC B, and PC C is encrypted.

    # Run the display ike sa command on RouterA and RouterB to view the IKE SAs (phase 1 and phase 2). The display on RouterA is used as an example.

    [RouterA] display ike sa
    IKE SA information :
      Conn-ID  Peer          VPN   Flag(s)   Phase   RemoteType  RemoteID
      ---------------------------------------------------------------------------
      24366    60.1.3.1:500        RD|ST     v1:2    IP          60.1.3.1
      24274    60.1.3.1:500        RD|ST     v1:1    IP          60.1.3.1
                                       
      Number of IKE SA : 2     
      ---------------------------------------------------------------------------
    
      Flag Description:           
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   

    # Run the display ike sa command on RouterC. Two pairs of IKE SAs are displayed: one with RouterA, identified by IP address 60.1.1.1, and one with RouterB, identified by FQDN huaweirt1 (the Peer column shows RouterB's dynamically assigned address, 60.1.2.1 in this example):

    [RouterC] display ike sa
    IKE SA information :
      Conn-ID  Peer           VPN   Flag(s)   Phase   RemoteType  RemoteID
      --------------------------------------------------------------------------
       961    60.1.2.1:500          RD        v1:2    FQDN        huaweirt1
       933    60.1.2.1:500          RD        v1:1    FQDN        huaweirt1
       937    60.1.1.1:500          RD        v1:2    IP          60.1.1.1
       936    60.1.1.1:500          RD        v1:1    IP          60.1.1.1
                                       
      Number of IKE SA : 4     
      --------------------------------------------------------------------------
                                                               
      Flag Description:           
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   
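The procedure above hinges on one control: the identity filter set referenced by RouterC's policy template decides which initiators may use the template at all. The following Python script is an added example, not Huawei's code and not part of the original page. It parses constructed excerpts of the three configuration files shown below (in the same "#"-separated, indented block style), derives the IKE identity each branch presents (its interface address for RouterA, the local name huaweirt1 for RouterB because of local-id-type fqdn), and checks those identities against RouterC's ike identity identity1 entries. The parser, the exact-match rule assumed for FQDN entries, and the function names are this example's own assumptions.

```python
"""Check that RouterC's identity filter set admits exactly the branch identities.
Added example, not Huawei's code. Parses VRP-style configuration excerpts
('#' separators, indented body lines) and audits the policy-template setup."""
import ipaddress
import re

def parse_blocks(cfg):
    """Split VRP-style configuration text into (header, [body lines]) pairs."""
    blocks, header, body = [], None, []
    for raw in cfg.splitlines():
        if not raw.strip():
            continue
        if raw.strip() == "#" or not raw.startswith(" ") or header is None:
            if header is not None:
                blocks.append((header, body))
            header, body = (None if raw.strip() == "#" else raw.strip()), []
        else:
            body.append(raw.strip())
    if header is not None:
        blocks.append((header, body))
    return blocks

def block(cfg, header):
    """Body lines of the block whose header is exactly `header`, else []."""
    return next((body for h, body in parse_blocks(cfg) if h == header), [])

def params(body):
    """'local-id-type fqdn' -> {'local-id-type': 'fqdn'} (key = all but last token)."""
    return dict(line.rpartition(" ")[::2] for line in body)

def identity_filter(cfg, name):
    """Entries of 'ike identity NAME' as ('ip', network) or ('fqdn', name)."""
    entries = []
    for line in block(cfg, f"ike identity {name}"):
        if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            # Accepts '60.1.1.1 24' as typed and '60.1.1.0 255.255.255.0' as saved.
            entries.append(("ip", ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)))
        elif m := re.fullmatch(r"fqdn (\S+)", line):
            entries.append(("fqdn", m[1]))
    return entries

def identity_matches(entries, ident):
    """True if a presented ID such as ('ip', '60.1.1.1') or ('fqdn', 'x') passes.
    Assumption of this example: an FQDN entry must equal the presented name."""
    kind, value = ident
    if value is None:
        return False
    return any(ekind == kind and (value == evalue if kind == "fqdn"
                                  else ipaddress.ip_address(value) in evalue)
               for ekind, evalue in entries)

def presented_identity(cfg, peer="rut1"):
    """The IKE ID a branch sends, as its own configuration determines it."""
    if params(block(cfg, f"ike peer {peer}")).get("local-id-type") == "fqdn":
        names = [h.split()[-1] for h, _ in parse_blocks(cfg)
                 if h.startswith("ike local-name ")]
        return ("fqdn", names[0] if names else None)
    # Default ID type: address of the interface carrying the IPSec policy.
    # 'ip address dhcp-alloc' yields None because the config does not know it.
    for h, body in parse_blocks(cfg):
        if h.startswith("interface ") and any(l.startswith("ipsec policy ") for l in body):
            for l in body:
                if m := re.fullmatch(r"ip address (\d+(?:\.\d+){3}) \S+", l):
                    return ("ip", m[1])
    return ("ip", None)

def audit(branches, hq_cfg, template="use1 10", peer="rut1"):
    """Findings for the headquarters template and each branch; [] means consistent."""
    findings = []
    tmpl = params(block(hq_cfg, f"ipsec policy-template {template}"))
    if "match ike-identity" not in tmpl:
        findings.append("template has no 'match ike-identity': any initiator holding the PSK is accepted")
    entries = identity_filter(hq_cfg, tmpl.get("match ike-identity", ""))
    for name, cfg in branches.items():
        ident = presented_identity(cfg, peer)
        if not identity_matches(entries, ident):
            findings.append(f"{name}: presents {ident}, which the filter set does not admit")
    return findings

# Constructed inputs: the relevant blocks of the three configuration files.
ROUTER_A = """\
ike peer rut1
 remote-address 60.1.3.1
#
interface GigabitEthernet0/0/1
 ip address 60.1.1.1 255.255.255.0
 ipsec policy policy1
"""
ROUTER_B = """\
ike local-name huaweirt1
#
ike peer rut1
 local-id-type fqdn
 remote-address 60.1.3.1
#
interface GigabitEthernet0/0/1
 ip address dhcp-alloc
 ipsec policy policy1
"""
ROUTER_C = """\
ike identity identity1
 fqdn huaweirt1
 ip address 60.1.1.0 255.255.255.0
#
ipsec policy-template use1 10
 ike-peer rut1
 proposal tran1
 match ike-identity identity1
"""

if __name__ == "__main__":
    print(audit({"RouterA": ROUTER_A, "RouterB": ROUTER_B}, ROUTER_C) or ["ok"])
```

Run as a script, the audit prints ["ok"] for the configurations on this page. Changing RouterB's local name, or deleting the match ike-identity line from the template, produces a finding; the latter is the case a practitioner most wants to catch, because a template without an identity match accepts any initiator that holds the pre-shared key.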

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #
    acl number 3002
     rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256  
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     ike-proposal 5
     remote-address 60.1.3.1
    #
    ipsec policy policy1 10 isakmp
     security acl 3002
     ike-peer rut1
     proposal tran1
    #
    interface GigabitEthernet0/0/1
     ip address 60.1.1.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.1.2 255.255.255.0
    #
    ip route-static 60.1.3.0 255.255.255.0 60.1.1.2
    ip route-static 192.168.3.0 255.255.255.0 60.1.1.2
    #
    return
    
  • Configuration file of RouterB

    #
     sysname RouterB
    #
     ike local-name huaweirt1
    #
    acl number 3002
     rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256  
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
     ike-proposal 5
     local-id-type fqdn
     remote-address 60.1.3.1
    #
    ipsec policy policy1 10 isakmp
     security acl 3002
     ike-peer rut1
     proposal tran1
    #
    interface GigabitEthernet0/0/1
     ip address dhcp-alloc
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.2.2 255.255.255.0
    #
    ip route-static 60.1.3.0 255.255.255.0 GigabitEthernet0/0/1
    ip route-static 192.168.3.0 255.255.255.0 GigabitEthernet0/0/1
    #
    return
    
  • Configuration file of RouterC

    #
     sysname RouterC
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256  
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%#
     ike-proposal 5
    #
    ike identity identity1
     fqdn huaweirt1
     ip address 60.1.1.0 255.255.255.0
    #
    ipsec policy-template use1 10
     ike-peer rut1
     proposal tran1
     match ike-identity identity1
    #
    ipsec policy policy1 10 isakmp template use1
    #
    interface GigabitEthernet0/0/1
     ip address 60.1.3.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.3.2 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 60.1.3.2
    #
    return
    
Updated: 2019-08-07

Document ID: EDOC1100033725