CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring Efficient VPN in Network-auto-cfg Mode to Establish an IPSec Tunnel

Networking Requirements

As shown in Figure 5-60, Router_1 is a remote enterprise branch gateway and Router_2 is the enterprise headquarters gateway. The branch connects to the headquarters over the LTE network. The headquarters and branch networks are planned beforehand.

The enterprise requires that traffic transmitted between the branch and the headquarters be protected. The headquarters gateway must also manage and maintain the branch gateway centrally, with minimal configuration, using ping and Telnet. Because the branch and headquarters communicate over the LTE network, an IPSec tunnel can be established between them using Efficient VPN in Network-auto-cfg mode to provide security protection. This mode simplifies establishment, management, and maintenance of the IPSec tunnel.

In Efficient VPN Network-auto-cfg mode, Router_1 requests authorization information from the RADIUS server located in the headquarters. The authorization information includes an IP address for establishing the IPSec tunnel, an IP address pool for allocating addresses to users, a DNS domain name, DNS server addresses, and WINS server addresses used by the branch users. The headquarters uses this IP address for ping, Telnet, and other management and maintenance operations.

Figure 5-60  Configuring Efficient VPN in Network-auto-cfg mode to establish an IPSec tunnel

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a Cellular interface on Router_1 to connect it to the LTE network.

  2. Configure static routes to ensure that the devices are reachable from each other over the LTE network.

  3. Configure a RADIUS server template on Router_2.

  4. Configure Router_2 as the responder to establish an IPSec tunnel with Router_1 in policy template mode.

  5. Configure Efficient VPN in Network-auto-cfg mode on Router_1 to initiate an IPSec tunnel establishment request to Router_2.

Procedure

  1. Configure a Cellular interface and an APN profile.

    # Configure Router_1.

    <Huawei> system-view
    [Huawei] sysname Router_1
    [Router_1] dialer-rule
    [Router_1-dialer-rule] dialer-rule 1 ip permit
    [Router_1-dialer-rule] quit
    [Router_1] interface cellular 0/0/0
    [Router_1-Cellular0/0/0] dialer enable-circular
    [Router_1-Cellular0/0/0] ip address negotiate
    [Router_1-Cellular0/0/0] dialer-group 1
    [Router_1-Cellular0/0/0] dialer number *99#
    [Router_1-Cellular0/0/0] mode lte auto
    [Router_1-Cellular0/0/0] quit
    [Router_1] apn profile lteprofile
    [Router_1-apn-profile-lteprofile] apn LTENET
    [Router_1-apn-profile-lteprofile] quit
    [Router_1] interface cellular 0/0/0
    [Router_1-Cellular0/0/0] apn-profile lteprofile
    [Router_1-Cellular0/0/0] shutdown
    [Router_1-Cellular0/0/0] undo shutdown
    [Router_1-Cellular0/0/0] quit

    After Cellular0/0/0 dials up successfully, it obtains the IP address 2.1.10.1/24.

  2. Configure IP addresses for the interfaces of Router_2.

    <Huawei> system-view
    [Huawei] sysname Router_2
    [Router_2] interface gigabitethernet 1/0/0
    [Router_2-GigabitEthernet1/0/0] ip address 2.1.1.2 255.255.255.0
    [Router_2-GigabitEthernet1/0/0] quit
    [Router_2] interface gigabitethernet 2/0/0
    [Router_2-GigabitEthernet2/0/0] ip address 192.168.2.1 255.255.255.0
    [Router_2-GigabitEthernet2/0/0] quit

  3. Configure static routes to ensure that the devices are reachable from each other over the LTE network.

    # Configure Router_1.

    [Router_1] ip route-static 0.0.0.0 0 cellular 0/0/0

    # Configure Router_2.

    [Router_2] ip route-static 0.0.0.0 0 2.1.1.1

  4. Configure a RADIUS server template on Router_2.

    [Router_2] radius-server template shiva
    [Router_2-radius-shiva] radius-server authentication 192.168.10.1 1812
    [Router_2-radius-shiva] radius-server accounting 192.168.10.1 1813
    [Router_2-radius-shiva] radius-server shared-key cipher hello
    [Router_2-radius-shiva] quit
    [Router_2] aaa
    [Router_2-aaa] authentication-scheme rds
    [Router_2-aaa-authen-rds] authentication-mode radius
    [Router_2-aaa-authen-rds] quit
    [Router_2-aaa] domain rds
    [Router_2-aaa-domain-rds] authentication-scheme rds
    [Router_2-aaa-domain-rds] radius-server shiva
    [Router_2-aaa-domain-rds] quit
    [Router_2-aaa] quit

  5. Configure Router_2 as the responder to establish an IPSec tunnel with Router_1 in policy template mode.

    # Configure an IKE proposal and an IKE peer.

    [Router_2] ike proposal 1
    [Router_2-ike-proposal-1] encryption-algorithm aes-256
    [Router_2-ike-proposal-1] dh group14
    [Router_2-ike-proposal-1] quit
    [Router_2] ike peer rut1
    [Router_2-ike-peer-rut1] undo version 2
    [Router_2-ike-peer-rut1] exchange-mode aggressive
    [Router_2-ike-peer-rut1] pre-shared-key cipher Huawei@1234
    [Router_2-ike-peer-rut1] ike-proposal 1
    [Router_2-ike-peer-rut1] aaa authorization domain rds
    [Router_2-ike-peer-rut1] quit

    # Configure an IPSec proposal and an IPSec policy using the policy template.

    [Router_2] ipsec proposal prop1
    [Router_2-ipsec-proposal-prop1] undo esp authentication-algorithm
    [Router_2-ipsec-proposal-prop1] undo esp encryption-algorithm
    [Router_2-ipsec-proposal-prop1] quit
    [Router_2] ipsec policy-template temp1 10
    [Router_2-ipsec-policy-templet-temp1-10] ike-peer rut1
    [Router_2-ipsec-policy-templet-temp1-10] proposal prop1
    [Router_2-ipsec-policy-templet-temp1-10] quit
    [Router_2] ipsec policy policy1 10 isakmp template temp1
    

    # Apply the IPSec policy group to the interface.

    [Router_2] interface gigabitethernet 1/0/0
    [Router_2-GigabitEthernet1/0/0] ipsec policy policy1
    [Router_2-GigabitEthernet1/0/0] quit
    

  6. Configure Efficient VPN in Network-auto-cfg mode on Router_1 to establish an IPSec tunnel.

    # Set the Efficient VPN mode to Network-auto-cfg, and specify the remote address and pre-shared key for IKE negotiation in the Network-auto-cfg mode view.

    [Router_1] ipsec efficient-vpn evpn mode network-auto-cfg
    [Router_1-ipsec-efficient-vpn-evpn] remote-address 2.1.1.2 v1
    [Router_1-ipsec-efficient-vpn-evpn] pre-shared-key cipher Huawei@1234
    [Router_1-ipsec-efficient-vpn-evpn] sim-based-username type imsi password huawei@123
    [Router_1-ipsec-efficient-vpn-evpn] dh group14
    [Router_1-ipsec-efficient-vpn-evpn] quit
    

    # Apply Efficient VPN to the interface.

    [Router_1] interface cellular 0/0/0
    [Router_1-Cellular0/0/0] ipsec efficient-vpn evpn
    [Router_1-Cellular0/0/0] quit

  7. Verify the configuration.

    # After the configurations are complete, ping Router_2 from Router_1. The ping still succeeds once the IPSec tunnel is in place.

    [Router_1] ping 2.1.1.2
      PING 2.1.1.2: 56  data bytes, press CTRL_C to break                          
        Reply from 2.1.1.2: bytes=56 Sequence=1 ttl=255 time=4 ms                  
        Reply from 2.1.1.2: bytes=56 Sequence=2 ttl=255 time=2 ms                  
        Reply from 2.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms                  
        Reply from 2.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms                  
        Reply from 2.1.1.2: bytes=56 Sequence=5 ttl=255 time=2 ms                  
                                                                                    
      --- 2.1.1.2 ping statistics ---                                              
        5 packet(s) transmitted                                                     
        5 packet(s) received                                                        
        0.00% packet loss                                                           
        round-trip min/avg/max = 1/2/4 ms   

    # Run the display ipsec sa brief command on Router_1 and Router_2 respectively to check whether an IPSec SA is successfully negotiated. The command output on Router_1 is used as an example.

    [Router_1] display ipsec sa brief
       Src address     Dst address        SPI    VPN  Protocol     Algorithm       
    ------------------------------------------------------------------------------- 
          2.1.10.1       2.1.1.2 2622706230      0    ESP                        
          2.1.10.1       2.1.1.2 3375760671      0    ESP                        
           2.1.1.2      2.1.10.1  645145990      0    ESP                        
           2.1.1.2      2.1.10.1 3429582856      0    ESP     
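    The verification step above relies on reading the display ipsec sa brief output by eye. The following Python script is an added example, not part of the original guide or of Huawei's software: it parses that output format (the Router_1 listing above is embedded as a constructed sample) and checks that a complete ESP tunnel, with at least one SA in each direction and unique SPIs, exists between the branch address 2.1.10.1 and the headquarters address 2.1.1.2. The column layout assumed is the one shown above (Src address, Dst address, SPI, VPN, Protocol, Algorithm).

```python
import re
from collections import namedtuple

# Constructed sample: the Router_1 "display ipsec sa brief" output from the
# verification step, embedded so the parser can run offline.
SAMPLE_OUTPUT = """\
   Src address     Dst address        SPI    VPN  Protocol     Algorithm
-------------------------------------------------------------------------------
      2.1.10.1       2.1.1.2 2622706230      0    ESP
      2.1.10.1       2.1.1.2 3375760671      0    ESP
       2.1.1.2      2.1.10.1  645145990      0    ESP
       2.1.1.2      2.1.10.1 3429582856      0    ESP
"""

Sa = namedtuple("Sa", "src dst spi vpn proto")

# One data row: source, destination, numeric SPI, VPN instance index, protocol.
# The Algorithm column is empty in the sample, so it is not captured here.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(ESP|AH)\b")


def parse_sa_brief(text):
    """Return one Sa per data row of a 'display ipsec sa brief' listing.

    Header and separator lines do not match ROW (their third field is not
    numeric), so they are skipped without special casing.
    """
    sas = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sas.append(Sa(m.group(1), m.group(2), int(m.group(3)),
                          int(m.group(4)), m.group(5)))
    return sas


def check_tunnel(sas, local, remote):
    """Return a list of problems with the tunnel between local and remote.

    IPSec SAs are unidirectional, so a usable tunnel needs at least one
    outbound and one inbound SA. Every SA should be ESP (AH provides no
    confidentiality), and SPIs must be unique per SA table. An empty list
    means the tunnel is fully negotiated.
    """
    problems = []
    if not [s for s in sas if s.src == local and s.dst == remote]:
        problems.append(f"no outbound SA {local} -> {remote}")
    if not [s for s in sas if s.src == remote and s.dst == local]:
        problems.append(f"no inbound SA {remote} -> {local}")
    for s in sas:
        if s.proto != "ESP":
            problems.append(f"SA {s.src} -> {s.dst} uses {s.proto}, not ESP")
    spis = [s.spi for s in sas]
    if len(spis) != len(set(spis)):
        problems.append("duplicate SPI values in SA table")
    return problems
```

Running check_tunnel(parse_sa_brief(SAMPLE_OUTPUT), "2.1.10.1", "2.1.1.2") on the sample returns an empty list; feeding it only the first two rows reports the missing inbound SA.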

Configuration Files

  • Configuration file of Router_1

    #
     sysname Router_1
    #
    ipsec efficient-vpn evpn mode network-auto-cfg
     remote-address 2.1.1.2 v1
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     sim-based-username type imsi password %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     dh group14
    #
    interface Cellular0/0/0
     dialer enable-circular
     dialer-group 1
     apn-profile lteprofile
     dialer timer autodial 10
     dialer number *99#
     ipsec efficient-vpn evpn
     ip address negotiate
     mode lte auto
    #
    ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0
    #
    dialer-rule
     dialer-rule 1 ip permit
    #
    apn profile lteprofile
     apn LTENET
    # 
    return
    
  • Configuration file of Router_2

    #
     sysname Router_2
    #
    radius-server template shiva
     radius-server shared-key cipher %#%#R,T#A1Imu&K9;*-wF=/2x{Ib*(^v><;=s*)mBup9%#%
     radius-server authentication 192.168.10.1 1812 weight 80
     radius-server accounting 192.168.10.1 1813 weight 80
    #
    ipsec proposal prop1
     undo esp authentication-algorithm
     undo esp encryption-algorithm
    #
    ike proposal 1
     encryption-algorithm aes-256                                                   
     dh group14                                                                      
     authentication-algorithm sha2-256                                              
     authentication-method pre-share                                                
     integrity-algorithm hmac-sha2-256                                              
     prf hmac-sha2-256 
    #
    ike peer rut1
     undo version 2
     exchange-mode aggressive
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
     ike-proposal 1 
     aaa authorization domain rds
    #
    ipsec policy-template temp1 10
     ike-peer rut1
     proposal prop1
    #
    ipsec policy policy1 10 isakmp template temp1
    #
    aaa
     authentication-scheme rds
      authentication-mode radius
     domain rds
      authentication-scheme rds
      radius-server shiva
    #
    interface GigabitEthernet1/0/0
     ip address 2.1.1.2 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet2/0/0
     ip address 192.168.2.1 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 2.1.1.1 
    #
    return
    
Updated: 2019-08-07

Document ID: EDOC1100033725