CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring a DSVPN Based on the LTE Dialup Status

Networking Requirements

As shown in Figure 4-25, an enterprise headquarters (Hub_1 as the primary device and Hub_2 as the secondary device) and a branch (Spoke) are located in different areas. The branch connects to the headquarters through an LTE network (LTE network 1 in the figure). The enterprise requires that the branch communicate with the headquarters through a VPN and that data transmitted between them be encrypted.

To ensure that enterprise users can still reach the headquarters when the primary SIM card (SIM card 1) or LTE network 1 fails, the enterprise leases another LTE network (LTE network 2 in the figure) and sets up a backup link through the secondary SIM card (SIM card 2) for temporary service transmission.

Figure 4-25  Configuring a DSVPN based on the LTE dialup status

Configuration Roadmap

The branch address is not fixed because it connects to the headquarters through an LTE network; therefore, the branch and headquarters must be connected through a VPN.

To ensure reliable data transmission, two SIM cards working in redundancy mode need to be configured in the branch, each connecting to a different LTE network. A tunnel can be established between the headquarters and branch based on the association between the LTE dialup status and DSVPN, so that data transmission is not interrupted.

The configuration roadmap is as follows:
  1. Configure a cellular interface and APN profile, so that the branch can connect to the LTE network.

  2. Use the non-shortcut DSVPN scenario because the enterprise has only a few branches. Use RIP to advertise private network routes between the headquarters and branch, and associate NHRP peer information with the APN profile. When the APN profile is in use, the associated NHRP peer information takes effect, so a tunnel can be established between the headquarters and branch.

  3. Configure the NQA function to implement switching between the primary and secondary SIM cards.

  4. Install a primary and a secondary SIM card on the cellular interface to ensure reliable data transmission.

  5. Bind IPSec policies to the cellular interface on the branch device and the public network interfaces on the headquarters devices, so that data transmitted between them can be encrypted.

Procedure

  1. Configure IP addresses for interfaces.

    Configure an IP address for each interface on Hub_1 and Hub_2 according to Figure 4-25.

    # Configure an IP address for each interface on Hub_1.

    <Huawei> system-view
    [Huawei] sysname Hub_1
    [Hub_1] interface GigabitEthernet 1/0/0
    [Hub_1-GigabitEthernet1/0/0] ip address 1.10.1.2 255.255.255.252
    [Hub_1-GigabitEthernet1/0/0] quit
    [Hub_1] interface gigabitethernet 2/0/0
    [Hub_1-GigabitEthernet2/0/0] ip address 1.10.1.6 255.255.255.252
    [Hub_1-GigabitEthernet2/0/0] quit
    [Hub_1] interface gigabitethernet 3/0/0
    [Hub_1-GigabitEthernet3/0/0] ip address 192.168.1.1 255.255.255.0
    [Hub_1-GigabitEthernet3/0/0] quit
    [Hub_1] interface tunnel 0/0/1
    [Hub_1-Tunnel0/0/1] ip address 172.16.1.1 255.255.255.0
    [Hub_1-Tunnel0/0/1] quit
    [Hub_1] interface tunnel 0/0/3
    [Hub_1-Tunnel0/0/3] ip address 172.16.3.1 255.255.255.0
    [Hub_1-Tunnel0/0/3] quit
    

    The configurations of Hub_2 and the Spoke are similar to that of Hub_1 and are not described here.

  2. Configure a cellular interface and APN profile.

    # Configure the Spoke.

    [Spoke] dialer-rule
    [Spoke-dialer-rule] dialer-rule 1 ip permit
    [Spoke-dialer-rule] quit
    [Spoke] interface cellular 0/0/0
    [Spoke-Cellular0/0/0] ip address negotiate
    [Spoke-Cellular0/0/0] dialer enable-circular
    [Spoke-Cellular0/0/0] dialer-group 1
    [Spoke-Cellular0/0/0] dialer timer autodial 15
    [Spoke-Cellular0/0/0] dialer timer probe-interval 15
    [Spoke-Cellular0/0/0] dialer number *99# autodial
    [Spoke-Cellular0/0/0] mode lte auto
    [Spoke-Cellular0/0/0] quit
    [Spoke] apn profile ltenet
    [Spoke-apn-profile-ltenet] sim-id 1
    [Spoke-apn-profile-ltenet] apn LTENET1
    [Spoke-apn-profile-ltenet] quit
    [Spoke] apn profile ltewap
    [Spoke-apn-profile-ltewap] sim-id 2
    [Spoke-apn-profile-ltewap] apn LTENET2
    [Spoke-apn-profile-ltewap] quit

  3. Configure reachable public network routes between the devices.

    Configure static routes on each device to ensure that the public network routes between the devices are reachable.

    # Configure Hub_1.

    [Hub_1] ip route-static 0.0.0.0 0 1.10.1.1
    [Hub_1] ip route-static 0.0.0.0 0 1.10.1.5
    

    # Configure Hub_2.

    [Hub_2] ip route-static 0.0.0.0 0 1.10.1.9
    [Hub_2] ip route-static 0.0.0.0 0 1.10.1.13
    

    # Configure the Spoke.

    [Spoke] ip route-static 0.0.0.0 0 cellular 0/0/0
    

  4. Configure the DSVPN function.

    Configure tunnel interfaces on the Hubs and Spoke, and associate NHRP peer information with the APN profile. Configure RIP to advertise private network routes, and configure the Spoke to add different metric values to the routes sent or received on different tunnel interfaces, so that the headquarters and branch communicate over the preferred tunnel.

    # Configure Hub_1.
    [Hub_1] interface tunnel 0/0/1
    [Hub_1-Tunnel0/0/1] tunnel-protocol gre p2mp
    [Hub_1-Tunnel0/0/1] source GigabitEthernet 1/0/0
    [Hub_1-Tunnel0/0/1] nhrp registration no-unique
    [Hub_1-Tunnel0/0/1] nhrp entry multicast dynamic
    [Hub_1-Tunnel0/0/1] gre key 111
    [Hub_1-Tunnel0/0/1] nhrp authentication cipher Huawei@1
    [Hub_1-Tunnel0/0/1] nhrp entry holdtime seconds 60
    [Hub_1-Tunnel0/0/1] quit
    [Hub_1] interface tunnel 0/0/3
    [Hub_1-Tunnel0/0/3] tunnel-protocol gre p2mp
    [Hub_1-Tunnel0/0/3] source gigabitethernet 2/0/0
    [Hub_1-Tunnel0/0/3] nhrp registration no-unique
    [Hub_1-Tunnel0/0/3] nhrp entry multicast dynamic
    [Hub_1-Tunnel0/0/3] gre key 333
    [Hub_1-Tunnel0/0/3] nhrp authentication cipher Huawei@3
    [Hub_1-Tunnel0/0/3] nhrp entry holdtime seconds 60
    [Hub_1-Tunnel0/0/3] quit
    [Hub_1] rip 1
    [Hub_1-rip-1] version 2
    [Hub_1-rip-1] undo summary
    [Hub_1-rip-1] network 172.16.0.0
    [Hub_1-rip-1] network 192.168.1.0
    [Hub_1-rip-1] quit
    
    # Configure Hub_2.
    [Hub_2] interface tunnel 0/0/2
    [Hub_2-Tunnel0/0/2] tunnel-protocol gre p2mp
    [Hub_2-Tunnel0/0/2] source gigabitethernet 2/0/0
    [Hub_2-Tunnel0/0/2] nhrp registration no-unique
    [Hub_2-Tunnel0/0/2] nhrp entry multicast dynamic
    [Hub_2-Tunnel0/0/2] gre key 222
    [Hub_2-Tunnel0/0/2] nhrp authentication cipher Huawei@2
    [Hub_2-Tunnel0/0/2] nhrp entry holdtime seconds 60
    [Hub_2-Tunnel0/0/2] quit
    [Hub_2] interface tunnel 0/0/4
    [Hub_2-Tunnel0/0/4] tunnel-protocol gre p2mp
    [Hub_2-Tunnel0/0/4] source GigabitEthernet 1/0/0
    [Hub_2-Tunnel0/0/4] nhrp registration no-unique
    [Hub_2-Tunnel0/0/4] nhrp entry multicast dynamic
    [Hub_2-Tunnel0/0/4] gre key 444
    [Hub_2-Tunnel0/0/4] nhrp authentication cipher Huawei@4
    [Hub_2-Tunnel0/0/4] nhrp entry holdtime seconds 60
    [Hub_2-Tunnel0/0/4] quit
    [Hub_2] rip 1
    [Hub_2-rip-1] version 2
    [Hub_2-rip-1] undo summary
    [Hub_2-rip-1] network 172.16.0.0
    [Hub_2-rip-1] network 192.168.1.0
    [Hub_2-rip-1] quit
    
    # Associate NHRP peer information with the APN profile on the Spoke and configure the Spoke to add different metric values to the routes when different tunnel interfaces send or receive RIP packets.
    [Spoke] rip 1
    [Spoke-rip-1] version 2
    [Spoke-rip-1] network 172.16.0.0
    [Spoke-rip-1] network 192.168.3.0
    [Spoke-rip-1] quit
    [Spoke] interface tunnel 0/0/1
    [Spoke-Tunnel0/0/1] tunnel-protocol gre p2mp
    [Spoke-Tunnel0/0/1] source cellular 0/0/0
    [Spoke-Tunnel0/0/1] gre key 111
    [Spoke-Tunnel0/0/1] nhrp authentication cipher Huawei@1
    [Spoke-Tunnel0/0/1] nhrp registration interval 20
    [Spoke-Tunnel0/0/1] nhrp entry 172.16.1.1 1.10.1.2 register track apn ltenet
    [Spoke-Tunnel0/0/1] rip metricin 1
    [Spoke-Tunnel0/0/1] quit
    [Spoke] interface tunnel 0/0/2
    [Spoke-Tunnel0/0/2] tunnel-protocol gre p2mp
    [Spoke-Tunnel0/0/2] source cellular 0/0/0
    [Spoke-Tunnel0/0/2] gre key 222
    [Spoke-Tunnel0/0/2] nhrp authentication cipher Huawei@2
    [Spoke-Tunnel0/0/2] nhrp registration interval 20
    [Spoke-Tunnel0/0/2] nhrp entry 172.16.2.1 1.10.1.10 register track apn ltenet
    [Spoke-Tunnel0/0/2] rip metricin 7
    [Spoke-Tunnel0/0/2] rip metricout 7
    [Spoke-Tunnel0/0/2] quit
    [Spoke] interface tunnel 0/0/3
    [Spoke-Tunnel0/0/3] tunnel-protocol gre p2mp
    [Spoke-Tunnel0/0/3] source cellular 0/0/0
    [Spoke-Tunnel0/0/3] gre key 333
    [Spoke-Tunnel0/0/3] nhrp authentication cipher Huawei@3
    [Spoke-Tunnel0/0/3] nhrp registration interval 20
    [Spoke-Tunnel0/0/3] nhrp entry 172.16.3.1 1.10.1.6 register track apn ltewap
    [Spoke-Tunnel0/0/3] rip metricin 4
    [Spoke-Tunnel0/0/3] rip metricout 4
    [Spoke-Tunnel0/0/3] quit
    [Spoke] interface tunnel 0/0/4
    [Spoke-Tunnel0/0/4] tunnel-protocol gre p2mp
    [Spoke-Tunnel0/0/4] source cellular 0/0/0
    [Spoke-Tunnel0/0/4] gre key 444
    [Spoke-Tunnel0/0/4] nhrp authentication cipher Huawei@4
    [Spoke-Tunnel0/0/4] nhrp registration interval 20
    [Spoke-Tunnel0/0/4] nhrp entry 172.16.4.1 1.10.1.14 register track apn ltewap
    [Spoke-Tunnel0/0/4] rip metricin 10
    [Spoke-Tunnel0/0/4] rip metricout 10
    [Spoke-Tunnel0/0/4] quit
    

  5. Configure the NQA function.

    Decide whether to perform a primary/secondary SIM card switchover based on the NQA detection results on the tunnel interfaces and the LTE dialup status.

    # Configure the Spoke.

    [Spoke] nqa test-instance admin Tunnel0/0/1
    [Spoke-nqa-admin-Tunnel0/0/1] test-type icmp
    [Spoke-nqa-admin-Tunnel0/0/1] destination-address ipv4 172.16.1.1
    [Spoke-nqa-admin-Tunnel0/0/1] source-address ipv4 172.16.1.2
    [Spoke-nqa-admin-Tunnel0/0/1] frequency 15
    [Spoke-nqa-admin-Tunnel0/0/1] source-interface tunnel 0/0/1
    [Spoke-nqa-admin-Tunnel0/0/1] start now
    [Spoke-nqa-admin-Tunnel0/0/1] quit
    [Spoke] nqa test-instance admin Tunnel0/0/2
    [Spoke-nqa-admin-Tunnel0/0/2] test-type icmp
    [Spoke-nqa-admin-Tunnel0/0/2] destination-address ipv4 172.16.2.1
    [Spoke-nqa-admin-Tunnel0/0/2] source-address ipv4 172.16.2.2
    [Spoke-nqa-admin-Tunnel0/0/2] frequency 15
    [Spoke-nqa-admin-Tunnel0/0/2] source-interface tunnel 0/0/2
    [Spoke-nqa-admin-Tunnel0/0/2] start now
    [Spoke-nqa-admin-Tunnel0/0/2] quit
    [Spoke] nqa test-instance admin Tunnel0/0/3
    [Spoke-nqa-admin-Tunnel0/0/3] test-type icmp
    [Spoke-nqa-admin-Tunnel0/0/3] destination-address ipv4 172.16.3.1
    [Spoke-nqa-admin-Tunnel0/0/3] source-address ipv4 172.16.3.2
    [Spoke-nqa-admin-Tunnel0/0/3] frequency 15
    [Spoke-nqa-admin-Tunnel0/0/3] source-interface tunnel 0/0/3
    [Spoke-nqa-admin-Tunnel0/0/3] start now
    [Spoke-nqa-admin-Tunnel0/0/3] quit
    [Spoke] nqa test-instance admin Tunnel0/0/4
    [Spoke-nqa-admin-Tunnel0/0/4] test-type icmp
    [Spoke-nqa-admin-Tunnel0/0/4] destination-address ipv4 172.16.4.1
    [Spoke-nqa-admin-Tunnel0/0/4] source-address ipv4 172.16.4.2
    [Spoke-nqa-admin-Tunnel0/0/4] frequency 15
    [Spoke-nqa-admin-Tunnel0/0/4] source-interface tunnel 0/0/4
    [Spoke-nqa-admin-Tunnel0/0/4] start now
    [Spoke-nqa-admin-Tunnel0/0/4] quit
    

  6. Install a primary and a secondary SIM card on the Spoke.

    # Configure the Spoke.

    [Spoke] interface cellular 0/0/0
    [Spoke-Cellular0/0/0] apn-profile ltenet priority 200 track nqa admin Tunnel0/0/1 admin Tunnel0/0/2
    [Spoke-Cellular0/0/0] apn-profile ltewap priority 150 track nqa admin Tunnel0/0/3 admin Tunnel0/0/4
    [Spoke-Cellular0/0/0] shutdown
    [Spoke-Cellular0/0/0] undo shutdown
    [Spoke-Cellular0/0/0] quit
    

  7. Configure the IPSec function to protect data transmitted between the headquarters and branch.

    # Configure Hub_1.

    [Hub_1] acl number 3001
    [Hub_1-acl-adv-3001] rule 5 permit ip source 1.10.1.2 0
    [Hub_1-acl-adv-3001] quit
    [Hub_1] acl number 3003
    [Hub_1-acl-adv-3003] rule 5 permit ip source 1.10.1.6 0
    [Hub_1-acl-adv-3003] quit
    [Hub_1] ipsec proposal 1
    [Hub_1-ipsec-proposal-1] esp authentication-algorithm sha2-256
    [Hub_1-ipsec-proposal-1] esp encryption-algorithm aes-192
    [Hub_1-ipsec-proposal-1] quit
    [Hub_1] ipsec proposal 3
    [Hub_1-ipsec-proposal-3] esp authentication-algorithm sha2-256
    [Hub_1-ipsec-proposal-3] esp encryption-algorithm aes-192
    [Hub_1-ipsec-proposal-3] quit
    [Hub_1] ike proposal 1
    [Hub_1-ike-proposal-1] authentication-method pre-share
    [Hub_1-ike-proposal-1] dh group14
    [Hub_1-ike-proposal-1] encryption-algorithm aes-256
    [Hub_1-ike-proposal-1] authentication-algorithm sha2-256
    [Hub_1-ike-proposal-1] quit
    [Hub_1] ike peer 1
    [Hub_1-ike-peer-1] undo version 2
    [Hub_1-ike-peer-1] ike-proposal 1
    [Hub_1-ike-peer-1] pre-shared-key cipher Huawei@1234
    [Hub_1-ike-peer-1] quit
    [Hub_1] ike peer 3
    [Hub_1-ike-peer-3] undo version 2
    [Hub_1-ike-peer-3] ike-proposal 1
    [Hub_1-ike-peer-3] pre-shared-key cipher Huawei@1234
    [Hub_1-ike-peer-3] quit
    [Hub_1] ipsec policy-template use1 10
    [Hub_1-ipsec-policy-templet-use1-10] ike-peer 1
    [Hub_1-ipsec-policy-templet-use1-10] proposal 1
    [Hub_1-ipsec-policy-templet-use1-10] security acl 3001
    [Hub_1-ipsec-policy-templet-use1-10] quit
    [Hub_1] ipsec policy policy1 10 isakmp template use1
    [Hub_1] ipsec policy-template use3 10
    [Hub_1-ipsec-policy-templet-use3-10] ike-peer 3
    [Hub_1-ipsec-policy-templet-use3-10] proposal 3
    [Hub_1-ipsec-policy-templet-use3-10] security acl 3003
    [Hub_1-ipsec-policy-templet-use3-10] quit
    [Hub_1] ipsec policy policy3 10 isakmp template use3
    [Hub_1] interface GigabitEthernet 1/0/0
    [Hub_1-GigabitEthernet1/0/0] ipsec policy policy1
    [Hub_1-GigabitEthernet1/0/0] quit
    [Hub_1] interface gigabitethernet 2/0/0
    [Hub_1-GigabitEthernet2/0/0] ipsec policy policy3
    [Hub_1-GigabitEthernet2/0/0] quit
    

    # Configure Hub_2.

    [Hub_2] acl number 3002
    [Hub_2-acl-adv-3002] rule 5 permit ip source 1.10.1.10 0
    [Hub_2-acl-adv-3002] quit
    [Hub_2] acl number 3004
    [Hub_2-acl-adv-3004] rule 5 permit ip source 1.10.1.14 0
    [Hub_2-acl-adv-3004] quit
    [Hub_2] ipsec proposal 2
    [Hub_2-ipsec-proposal-2] esp authentication-algorithm sha2-256
    [Hub_2-ipsec-proposal-2] esp encryption-algorithm aes-192
    [Hub_2-ipsec-proposal-2] quit
    [Hub_2] ipsec proposal 4
    [Hub_2-ipsec-proposal-4] esp authentication-algorithm sha2-256
    [Hub_2-ipsec-proposal-4] esp encryption-algorithm aes-192
    [Hub_2-ipsec-proposal-4] quit
    [Hub_2] ike proposal 1
    [Hub_2-ike-proposal-1] authentication-method pre-share
    [Hub_2-ike-proposal-1] dh group14
    [Hub_2-ike-proposal-1] encryption-algorithm aes-256
    [Hub_2-ike-proposal-1] authentication-algorithm sha2-256
    [Hub_2-ike-proposal-1] quit
    [Hub_2] ike peer 2
    [Hub_2-ike-peer-2] undo version 2
    [Hub_2-ike-peer-2] ike-proposal 1
    [Hub_2-ike-peer-2] pre-shared-key cipher Huawei@1234
    [Hub_2-ike-peer-2] quit
    [Hub_2] ike peer 4
    [Hub_2-ike-peer-4] undo version 2
    [Hub_2-ike-peer-4] ike-proposal 1
    [Hub_2-ike-peer-4] pre-shared-key cipher Huawei@1234
    [Hub_2-ike-peer-4] quit
    [Hub_2] ipsec policy-template use2 10
    [Hub_2-ipsec-policy-templet-use2-10] ike-peer 2
    [Hub_2-ipsec-policy-templet-use2-10] proposal 2
    [Hub_2-ipsec-policy-templet-use2-10] security acl 3002
    [Hub_2-ipsec-policy-templet-use2-10] quit
    [Hub_2] ipsec policy policy2 10 isakmp template use2
    [Hub_2] ipsec policy-template use4 10
    [Hub_2-ipsec-policy-templet-use4-10] ike-peer 4
    [Hub_2-ipsec-policy-templet-use4-10] proposal 4
    [Hub_2-ipsec-policy-templet-use4-10] security acl 3004
    [Hub_2-ipsec-policy-templet-use4-10] quit
    [Hub_2] ipsec policy policy4 10 isakmp template use4
    [Hub_2] interface GigabitEthernet 1/0/0
    [Hub_2-GigabitEthernet1/0/0] ipsec policy policy4
    [Hub_2-GigabitEthernet1/0/0] quit
    [Hub_2] interface gigabitethernet 2/0/0
    [Hub_2-GigabitEthernet2/0/0] ipsec policy policy2
    [Hub_2-GigabitEthernet2/0/0] quit
    

    # Configure the Spoke.

    [Spoke] acl number 3001
    [Spoke-acl-adv-3001] rule 5 permit ip destination 1.10.1.2 0
    [Spoke-acl-adv-3001] quit
    [Spoke] acl number 3002
    [Spoke-acl-adv-3002] rule 5 permit ip destination 1.10.1.10 0
    [Spoke-acl-adv-3002] quit
    [Spoke] acl number 3003
    [Spoke-acl-adv-3003] rule 5 permit ip destination 1.10.1.6 0
    [Spoke-acl-adv-3003] quit
    [Spoke] acl number 3004
    [Spoke-acl-adv-3004] rule 5 permit ip destination 1.10.1.14 0
    [Spoke-acl-adv-3004] quit
    [Spoke] ipsec proposal 1
    [Spoke-ipsec-proposal-1] esp authentication-algorithm sha2-256
    [Spoke-ipsec-proposal-1] esp encryption-algorithm aes-192
    [Spoke-ipsec-proposal-1] quit
    [Spoke] ipsec proposal 2
    [Spoke-ipsec-proposal-2] esp authentication-algorithm sha2-256
    [Spoke-ipsec-proposal-2] esp encryption-algorithm aes-192
    [Spoke-ipsec-proposal-2] quit
    [Spoke] ipsec proposal 3
    [Spoke-ipsec-proposal-3] esp authentication-algorithm sha2-256
    [Spoke-ipsec-proposal-3] esp encryption-algorithm aes-192
    [Spoke-ipsec-proposal-3] quit
    [Spoke] ipsec proposal 4
    [Spoke-ipsec-proposal-4] esp authentication-algorithm sha2-256
    [Spoke-ipsec-proposal-4] esp encryption-algorithm aes-192
    [Spoke-ipsec-proposal-4] quit
    [Spoke] ike proposal 1
    [Spoke-ike-proposal-1] authentication-method pre-share
    [Spoke-ike-proposal-1] dh group14
    [Spoke-ike-proposal-1] encryption-algorithm aes-256
    [Spoke-ike-proposal-1] authentication-algorithm sha2-256
    [Spoke-ike-proposal-1] quit
    [Spoke] ike peer 1
    [Spoke-ike-peer-1] undo version 2
    [Spoke-ike-peer-1] ike-proposal 1
    [Spoke-ike-peer-1] pre-shared-key cipher Huawei@1234
    [Spoke-ike-peer-1] remote-address 1.10.1.2
    [Spoke-ike-peer-1] quit
    [Spoke] ike peer 2
    [Spoke-ike-peer-2] undo version 2
    [Spoke-ike-peer-2] ike-proposal 1
    [Spoke-ike-peer-2] pre-shared-key cipher Huawei@1234
    [Spoke-ike-peer-2] remote-address 1.10.1.10
    [Spoke-ike-peer-2] quit
    [Spoke] ike peer 3
    [Spoke-ike-peer-3] undo version 2
    [Spoke-ike-peer-3] ike-proposal 1
    [Spoke-ike-peer-3] pre-shared-key cipher Huawei@1234
    [Spoke-ike-peer-3] remote-address 1.10.1.6
    [Spoke-ike-peer-3] quit
    [Spoke] ike peer 4
    [Spoke-ike-peer-4] undo version 2
    [Spoke-ike-peer-4] ike-proposal 1
    [Spoke-ike-peer-4] pre-shared-key cipher Huawei@1234
    [Spoke-ike-peer-4] remote-address 1.10.1.14
    [Spoke-ike-peer-4] quit
    [Spoke] ipsec policy policy1 10 isakmp
    [Spoke-ipsec-policy-isakmp-policy1-10] ike-peer 1
    [Spoke-ipsec-policy-isakmp-policy1-10] proposal 1
    [Spoke-ipsec-policy-isakmp-policy1-10] security acl 3001
    [Spoke-ipsec-policy-isakmp-policy1-10] quit
    [Spoke] ipsec policy policy1 20 isakmp
    [Spoke-ipsec-policy-isakmp-policy1-20] ike-peer 2
    [Spoke-ipsec-policy-isakmp-policy1-20] proposal 2
    [Spoke-ipsec-policy-isakmp-policy1-20] security acl 3002
    [Spoke-ipsec-policy-isakmp-policy1-20] quit
    [Spoke] ipsec policy policy1 30 isakmp
    [Spoke-ipsec-policy-isakmp-policy1-30] ike-peer 3
    [Spoke-ipsec-policy-isakmp-policy1-30] proposal 3
    [Spoke-ipsec-policy-isakmp-policy1-30] security acl 3003
    [Spoke-ipsec-policy-isakmp-policy1-30] quit
    [Spoke] ipsec policy policy1 40 isakmp
    [Spoke-ipsec-policy-isakmp-policy1-40] ike-peer 4
    [Spoke-ipsec-policy-isakmp-policy1-40] proposal 4
    [Spoke-ipsec-policy-isakmp-policy1-40] security acl 3004
    [Spoke-ipsec-policy-isakmp-policy1-40] quit
    [Spoke] interface cellular 0/0/0
    [Spoke-Cellular0/0/0] ipsec policy policy1
    [Spoke-Cellular0/0/0] quit
    

  8. Verify the configuration.

    After the configuration is complete, run the display nhrp peer all command on Hub_1 and Hub_2 to check the registration information of the Spoke. The display on Hub_1 is used as an example:

    [Hub_1] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.1.2      32    1.10.10.10      172.16.1.2      registered   up|unique
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/1
    Created time    : 00:02:59
    Expire time     : 01:57:01
    

    The branch can ping the headquarters successfully and data transmitted between them is encrypted.

    Run the display ipsec sa command on the Spoke. You can see that the Spoke has set up an IPSec tunnel with Hub_1.

    # Shut down GE1/0/0 on Hub_1 and GE2/0/0 on Hub_2 to simulate a fault on LTE network 1.

    [Hub_1] interface GigabitEthernet 1/0/0
    [Hub_1-GigabitEthernet1/0/0] shutdown
    [Hub_1-GigabitEthernet1/0/0] quit
    
    [Hub_2] interface gigabitethernet 2/0/0
    [Hub_2-GigabitEthernet2/0/0] shutdown
    [Hub_2-GigabitEthernet2/0/0] quit
    

    Run the display nhrp peer all command on Hub_1 and Hub_2. You can see that the Spoke now registers with the headquarters through LTE network 2. The display on Hub_1 is used as an example:

    [Hub_1] display nhrp peer all
    -------------------------------------------------------------------------------
    Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
    -------------------------------------------------------------------------------
    172.16.3.2      32    1.11.11.11      172.16.3.2      registered   up|unique
    -------------------------------------------------------------------------------
    Tunnel interface: Tunnel0/0/3
    Created time    : 00:02:59
    Expire time     : 01:57:01
    

    The branch can ping the headquarters successfully and data transmitted between them is encrypted.

    [Spoke] ping -a 192.168.3.1 192.168.1.1
      PING 192.168.1.1: 56  data bytes, press CTRL_C to break
        Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms
        Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms
        Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=2 ms
        Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms
        Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=2 ms
    
      --- 192.168.1.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 2/2/3 ms
    
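The failover chain this procedure builds (NQA results feeding the APN profile priority, NHRP entries that track the profile in use, and RIP metricin picking the hub), as an added Python model together with a parser for the display nhrp peer all output shown in step 8. This is example code written for this page, not Huawei's; the switchover semantics it assumes (a profile is abandoned only when every NQA test it tracks fails) are stated in the code, and it relies on the hub and Spoke tunnel numbering being identical, as it is in this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Spoke configuration from this example, transcribed as data: APN profiles with their
# SIM, priority and tracked NQA test instances (step 6), and the NHRP entries with the
# profile they track, the hub they register to, and the tunnel's RIP metricin (step 4).
APN_PROFILES = {
    # profile: (sim-id, priority, tracked NQA test instances)
    "ltenet": (1, 200, ("Tunnel0/0/1", "Tunnel0/0/2")),
    "ltewap": (2, 150, ("Tunnel0/0/3", "Tunnel0/0/4")),
}


@dataclass(frozen=True)
class NhrpEntry:
    profile: str        # APN profile named in "register track apn"
    hub: str            # hub that owns the protocol address
    protocol_addr: str  # hub tunnel address
    nbma_addr: str      # hub public address
    metric_in: int      # "rip metricin" on the Spoke tunnel (RIP default is 1)


NHRP_ENTRIES = {
    "Tunnel0/0/1": NhrpEntry("ltenet", "Hub_1", "172.16.1.1", "1.10.1.2", 1),
    "Tunnel0/0/2": NhrpEntry("ltenet", "Hub_2", "172.16.2.1", "1.10.1.10", 7),
    "Tunnel0/0/3": NhrpEntry("ltewap", "Hub_1", "172.16.3.1", "1.10.1.6", 4),
    "Tunnel0/0/4": NhrpEntry("ltewap", "Hub_2", "172.16.4.1", "1.10.1.14", 10),
}


def select_apn_profile(nqa_up: dict) -> Optional[str]:
    """APN profile in use, given NQA results keyed by test-instance name (True/False).

    Assumed switchover semantics (a model, not the device's code): a profile is given
    up only when every NQA test it tracks reports failure; a test with no result yet,
    because the SIM it runs over is not dialed, does not count as a failure. Among the
    profiles still usable, the highest priority wins.
    """
    usable = [(prio, name) for name, (_sim, prio, tests) in APN_PROFILES.items()
              if not all(nqa_up.get(t) is False for t in tests)]
    return max(usable)[1] if usable else None


def active_tunnels(nqa_up: dict) -> list:
    """Tunnels whose NHRP entry is in effect (it tracks the profile in use) and whose
    NQA probe to the hub succeeds, i.e. the tunnels over which registration works."""
    profile = select_apn_profile(nqa_up)
    return [t for t, e in NHRP_ENTRIES.items()
            if e.profile == profile and nqa_up.get(t) is True]


def preferred_hub(nqa_up: dict) -> Optional[tuple]:
    """(hub, tunnel) that carries branch traffic: RIP adds metricin to the routes learned
    over each tunnel, so the lowest metricin among the active tunnels wins."""
    tunnels = active_tunnels(nqa_up)
    if not tunnels:
        return None
    best = min(tunnels, key=lambda t: NHRP_ENTRIES[t].metric_in)
    return NHRP_ENTRIES[best].hub, best


_PEER_ROW = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_nhrp_peers(output: str) -> list:
    """Parse 'display nhrp peer all' output (format as in step 8) into peer records."""
    peers, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = _PEER_ROW.match(line)
        if m:
            current = {"protocol_addr": m.group(1), "mask": int(m.group(2)),
                       "nbma_addr": m.group(3), "next_hop": m.group(4),
                       "type": m.group(5), "flags": m.group(6).split("|")}
            peers.append(current)
        elif current is not None and line.startswith("Tunnel interface"):
            current["tunnel"] = line.split(":", 1)[1].strip()
    return peers


def registered_sim(hub_output: str) -> Optional[int]:
    """Spoke SIM (1 or 2) behind the hub-side registration, derived from the tunnel
    interface in the display output; None if no registered peer is up."""
    for peer in parse_nhrp_peers(hub_output):
        entry = NHRP_ENTRIES.get(peer.get("tunnel", ""))
        if entry and peer["type"] == "registered" and "up" in peer["flags"]:
            return APN_PROFILES[entry.profile][0]
    return None


# Hub_1 output from step 8, before and after LTE network 1 is taken down (from this page).
DISPLAY_BEFORE = """
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
172.16.1.2      32    1.10.10.10      172.16.1.2      registered   up|unique
Tunnel interface: Tunnel0/0/1
"""
DISPLAY_AFTER = """
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
172.16.3.2      32    1.11.11.11      172.16.3.2      registered   up|unique
Tunnel interface: Tunnel0/0/3
"""

if __name__ == "__main__":
    normal = {"Tunnel0/0/1": True, "Tunnel0/0/2": True}
    hub1_down = {"Tunnel0/0/1": False, "Tunnel0/0/2": True}   # only Hub_1 GE1/0/0 shut
    lte1_down = {"Tunnel0/0/1": False, "Tunnel0/0/2": False}  # step 8 fault
    after_switch = {**lte1_down, "Tunnel0/0/3": True, "Tunnel0/0/4": True}
    print("normal:", select_apn_profile(normal), preferred_hub(normal))
    print("Hub_1 GE1/0/0 down:", select_apn_profile(hub1_down), preferred_hub(hub1_down))
    print("LTE network 1 down:", select_apn_profile(lte1_down), preferred_hub(after_switch))
    print("registered over SIM", registered_sim(DISPLAY_BEFORE), "then", registered_sim(DISPLAY_AFTER))
```

The second scenario shows the point the roadmap leaves implicit: a single hub failure on LTE network 1 does not trigger a SIM switchover, because Tunnel0/0/2 still answers, and RIP simply moves traffic to Hub_2 over the higher-metric tunnel.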

Configuration Files

  • Hub_1 configuration file

    #
    sysname Hub_1
    #
    acl number 3001                                                                 
     rule 5 permit ip source 1.10.1.2 0                                           
    acl number 3003                                                                 
     rule 5 permit ip source 1.10.1.6 0 
    #
    ipsec proposal 1
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-192  
    ipsec proposal 3
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-192                                                                  
    #
    ike proposal 1                                                                  
     encryption-algorithm aes-256                                               
     dh group14                                                                      
     authentication-algorithm sha2-256                                              
     authentication-method pre-share
    #                                                                               
    ike peer 1
     undo version 2
     pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
     ike-proposal 1 
    ike peer 3
     undo version 2
     pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
     ike-proposal 1
    #                                                                               
    ipsec policy-template use1 10                                                   
     security acl 3001                                                              
     ike-peer 1                                                                     
     proposal 1                                                                     
    ipsec policy-template use3 10                                                   
     security acl 3003                                                              
     ike-peer 3                                                                     
     proposal 3                                                                     
    #                                                                               
    ipsec policy policy1 10 isakmp template use1                                    
    ipsec policy policy3 10 isakmp template use3                                    
    # 
    interface GigabitEthernet1/0/0
     ip address 1.10.1.2 255.255.255.252                                          
     ipsec policy policy1
    # 
    interface GigabitEthernet2/0/0
     ip address 1.10.1.6 255.255.255.252                                          
     ipsec policy policy3
    # 
    interface GigabitEthernet3/0/0
     ip address 192.168.1.1 255.255.255.0
    # 
    interface Tunnel0/0/1                                                           
     ip address 172.16.1.1 255.255.255.0                                            
     tunnel-protocol gre p2mp                                                       
     source GigabitEthernet1/0/0                                                           
     gre key cipher %^%#3isY%"^lX6F&N'Us)3x+\m@F0A2(SQ&=2|;K8abO%^%#
     nhrp authentication cipher %^%#1"<9Jp7D_'(SE-N.oVH5B5wZ=WO^KClOL|-UOIQ$%^%#
     nhrp registration no-unique                                                    
     nhrp entry multicast dynamic                                                   
     nhrp entry holdtime seconds 60                                                 
    #                                                                               
    interface Tunnel0/0/3                                                           
     ip address 172.16.3.1 255.255.255.0                                            
     tunnel-protocol gre p2mp                                                       
     source GigabitEthernet2/0/0                                                           
     gre key cipher %^%#=SXc*PbQgMQ|6<1H|8_W!PU!XFrjE7}LVC(ycs38%^%#
     nhrp authentication cipher %^%#EjU:.Y]}.8YZ8JK07')Qw\rTXJ|;LFAFfIH:C]W=%^%#
     nhrp registration no-unique                                                    
     nhrp entry multicast dynamic                                                   
     nhrp entry holdtime seconds 60                                                 
    #                                                                               
    rip 1                                                                           
     undo summary                                                                   
     version 2                                                                      
     network 172.16.0.0                                                             
     network 192.168.1.0                                                            
    #
    ip route-static 0.0.0.0 0.0.0.0 1.10.1.1                                      
    ip route-static 0.0.0.0 0.0.0.0 1.10.1.5
    #
    return
    
  • Hub_2 configuration file

    #
    sysname Hub_2
    #
    acl number 3002                                                                 
     rule 5 permit ip source 1.10.1.10 0                                           
    acl number 3004                                                                 
     rule 5 permit ip source 1.10.1.14 0 
    #
    ipsec proposal 2                                                     
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-192            
    ipsec proposal 4 
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-192  
    #                                                                               
    ike proposal 1                                                                  
     encryption-algorithm aes-256                                               
     dh group14                                                    
     authentication-algorithm sha2-256                                              
     authentication-method pre-share
    #                                                                               
    ike peer 2    
     undo version 2                                         
     pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
     ike-proposal 1
    ike peer 4 
     undo version 2                                  
     pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
     ike-proposal 1
    #                                                                               
    ipsec policy-template use2 10                                                   
     security acl 3002                                                              
     ike-peer 2                                                                     
     proposal 2                                                                     
    ipsec policy-template use4 10                                                   
     security acl 3004                                                              
     ike-peer 4                                                                     
     proposal 4                                                                     
    #                                                                               
    ipsec policy policy2 10 isakmp template use2                                    
    ipsec policy policy4 10 isakmp template use4                                    
    # 
    interface GigabitEthernet1/0/0
     ip address 1.10.1.14 255.255.255.252                                          
     ipsec policy policy4
    # 
    interface GigabitEthernet2/0/0
     ip address 1.10.1.10 255.255.255.252                                          
     ipsec policy policy2
    # 
    interface GigabitEthernet3/0/0
     ip address 192.168.1.2 255.255.255.0
    # 
    interface Tunnel0/0/2                                                           
     ip address 172.16.2.1 255.255.255.0                                            
     tunnel-protocol gre p2mp                                                       
     source GigabitEthernet2/0/0                                                  
     gre key cipher %^%#9gxVF{"ZQT;-D<%Gm2I1OQd5(uV!2>(3#q2%V3R#%^%#                              
     nhrp authentication cipher %^%#g9*MEwPqQOCw:@Jt2WS9:,LNDn[|8If>@9&!2zQQ%^%#                    
     nhrp registration no-unique                                                    
     nhrp entry multicast dynamic                                                   
     nhrp entry holdtime seconds 60                                                 
    #                                                                               
    interface Tunnel0/0/4                                                           
     ip address 172.16.4.1 255.255.255.0                                            
     tunnel-protocol gre p2mp                                                       
     source GigabitEthernet1/0/0                                               
     gre key cipher %^%#Y4YfQCCO%Of+{(KpezQ9b!nWTt:6I9wR)o#:Kr,!%^%#
     nhrp authentication cipher %^%#BChE#]PR%Z'[<-&:Eq/GM@z=L%^%#
     nhrp registration no-unique                                                    
     nhrp entry multicast dynamic                                                   
     nhrp entry holdtime seconds 60                                                 
    # 
    rip 1                                                                           
     undo summary                                                                   
     version 2                                                                      
     network 172.16.0.0                                                             
     network 192.168.1.0                                                            
    #
    ip route-static 0.0.0.0 0.0.0.0 1.10.1.9                                      
    ip route-static 0.0.0.0 0.0.0.0 1.10.1.13
    #
    return
    
  • Spoke configuration file

    #
    sysname Spoke
    #
    acl number 3001                                                                 
     rule 5 permit ip destination 1.10.1.2 0                                      
    acl number 3002                                                                 
     rule 5 permit ip destination 1.10.1.10 0                                     
    acl number 3003                                                                 
     rule 5 permit ip destination 1.10.1.6 0                                      
    acl number 3004                                                                 
     rule 5 permit ip destination 1.10.1.14 0                                     
    # 
    ipsec proposal 1
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-192                                                                  
    ipsec proposal 2     
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-192                                                             
    ipsec proposal 3  
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-192                                                                
    ipsec proposal 4   
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-192 
    #                                                                               
    ike proposal 1                                                                  
     encryption-algorithm aes-256                                               
     dh group14                                                                  
     authentication-algorithm sha2-256                                              
     authentication-method pre-share                                                              
    #                                                                         
    ike peer 1 
     undo version 2 
     pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
     ike-proposal 1  
     remote-address 1.10.1.2 
    ike peer 2   
     undo version 2 
     pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
     ike-proposal 1  
     remote-address 1.10.1.10 
    ike peer 3                                                                    
     undo version 2 
     pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
     ike-proposal 1  
     remote-address 1.10.1.6 
    ike peer 4                                                                  
     undo version 2 
     pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
     ike-proposal 1  
     remote-address 1.10.1.14
    #                                                                               
    ipsec policy policy1 10 isakmp                                                  
     security acl 3001                                                              
     ike-peer 1                                                                     
     proposal 1                                                                     
    ipsec policy policy1 20 isakmp                                                  
     security acl 3002                                                              
     ike-peer 2                                                                     
     proposal 2                                                                     
    ipsec policy policy1 30 isakmp                                                  
     security acl 3003                                                              
     ike-peer 3                                                                     
     proposal 3                                                                     
    ipsec policy policy1 40 isakmp                                                  
     security acl 3004                                                              
     ike-peer 4                                                                     
     proposal 4                                                                     
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.3.1 255.255.255.0
    #
    interface Cellular0/0/0                                                         
     dialer enable-circular                                                         
     dialer-group 1                                                                 
     dialer timer autodial 15                                                       
     dialer timer probe-interval 15                                                 
     dialer number *99# autodial                                                    
     apn-profile ltenet priority 200 track nqa admin Tunnel0/0/1 admin Tunnel0/0/2
     apn-profile ltewap priority 150 track nqa admin Tunnel0/0/3 admin Tunnel0/0/4
     ip address negotiate   
     ipsec policy policy1   
    #
    interface Tunnel0/0/1                                                           
     ip address 172.16.1.2 255.255.255.0                                            
     rip metricin 1                                                                 
     tunnel-protocol gre p2mp                                                       
     source Cellular0/0/0                                                           
     gre key cipher %^%#3isY%"^lX6F&N'Us)3x+\m@F0A2(SQ&=2|;K8abO%^%#
     nhrp authentication cipher %^%#1"<9Jp7D_'(SE-N.oVH5B5wZ=WO^KClOL|-UOIQ$%^%#
     nhrp registration interval 20                                                  
     nhrp entry 172.16.1.1 1.10.1.2 register track apn ltenet                      
    #                                                                               
    interface Tunnel0/0/2                                                           
     ip address 172.16.2.2 255.255.255.0                                            
     rip metricin 7                                                                 
     rip metricout 7                                                                
     tunnel-protocol gre p2mp                                                       
     source Cellular0/0/0                                                           
     gre key cipher %^%#9gxVF{"ZQT;-D<%Gm2I1OQd5(uV!2>(3#q2%V3R#%^%#
     nhrp authentication cipher %^%#g9*MEwPqQOCw:@Jt2WS9:,LNDn[|8If>@9&!2zQQ%^%#
     nhrp registration interval 20                                                  
     nhrp entry 172.16.2.1 1.10.1.10 register track apn ltenet                     
    #                                                                               
    interface Tunnel0/0/3                                                           
     ip address 172.16.3.2 255.255.255.0                                            
     rip metricin 4                                                                 
     rip metricout 4                                                                
     tunnel-protocol gre p2mp                                                       
     source Cellular0/0/0                                                           
     gre key cipher %^%#=SXc*PbQgMQ|6<1H|8_W!PU!XFrjE7}LVC(ycs38%^%#
     nhrp authentication cipher %^%#EjU:.Y]}.8YZ8JK07')Qw\rTXJ|;LFAFfIH:C]W=%^%#                    
     nhrp registration interval 20                                                  
     nhrp entry 172.16.3.1 1.10.1.6 register track apn ltewap                      
    #                                                                               
    interface Tunnel0/0/4                                                           
     ip address 172.16.4.2 255.255.255.0                                            
     rip metricin 10                                                                
     rip metricout 10                                                               
     tunnel-protocol gre p2mp                                                       
     source Cellular0/0/0                                                           
     gre key cipher %^%#Y4YfQCCO%Of+{(KpezQ9b!nWTt:6I9wR)o#:Kr,!%^%#
     nhrp authentication cipher %^%#BChE#]PR%Z'[<-&:Eq/GM@z=L%^%#
     nhrp registration interval 20                                                  
     nhrp entry 172.16.4.1 1.10.1.14 register track apn ltewap                     
    #                                                                               
    dialer-rule                                                                     
     dialer-rule 1 ip permit                                                        
    #                                                                               
    apn profile ltenet                                                               
     apn LTENET1 
     sim-id 1
    apn profile ltewap                                                               
     apn LTENET2
     sim-id 2
    #                                                                               
    rip 1                                                                           
     version 2                                                                      
     network 172.16.0.0                                                             
     network 192.168.3.0                                                            
    #
    ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0  
    #
    nqa test-instance admin Tunnel0/0/1                                             
     test-type icmp                                                                 
     destination-address ipv4 172.16.1.1                                            
     source-address ipv4 172.16.1.2                                                 
     frequency 15                                                                   
     source-interface Tunnel0/0/1                                                   
     start now                                                                      
    nqa test-instance admin Tunnel0/0/2                                             
     test-type icmp                                                                 
     destination-address ipv4 172.16.2.1                                            
     source-address ipv4 172.16.2.2                                                 
     frequency 15                                                                   
     source-interface Tunnel0/0/2                                                   
     start now                                                                      
    nqa test-instance admin Tunnel0/0/3                                             
     test-type icmp                                                                 
     destination-address ipv4 172.16.3.1                                            
     source-address ipv4 172.16.3.2                                                 
     frequency 15                                                                   
     source-interface Tunnel0/0/3                                                   
     start now                                                                      
    nqa test-instance admin Tunnel0/0/4                                             
     test-type icmp                                                                 
     destination-address ipv4 172.16.4.1                                            
     source-address ipv4 172.16.4.2                                                 
     frequency 15                                                                   
     source-interface Tunnel0/0/4                                                   
     start now                                                                      
    #
    return 
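Each of the Spoke's four hub links is tied together by four objects that must agree: an ACL whose destination is the hub's LTE-facing (NBMA) address, an IKE peer whose remote-address is that same address, an ipsec policy policy1 entry that binds the two, and an nhrp entry on the tunnel interface that registers to that NBMA address and is tracked on the APN profile that reaches it. Nothing in the syntax links them, so a typo in one of them is easy to miss in review, and a GRE/NHRP packet to an NBMA address that no ACL selects is not matched by policy1 on Cellular0/0/0 and leaves the LTE interface unencrypted. The following script is an added example, not part of the Huawei document: it parses a configuration in the display format used on this page, checks those cross-references, and reports two facts a reviewer looks for, whether each IKE peer has IKEv2 disabled (undo version 2) and whether several peers share the same pre-shared-key ciphertext. The embedded configuration is a constructed two-link excerpt of the Spoke file; its PSK ciphertexts are placeholders and its second nhrp entry is deliberately pointed at 1.10.1.99, a made-up address, so that the check fires.

```python
"""Cross-reference check for a Spoke DSVPN/IPsec config (added example, not Huawei's)."""
import re
import textwrap
from collections import defaultdict

# Constructed two-link excerpt of the Spoke file above: PSK ciphertexts are placeholders,
# and the nhrp entry on Tunnel0/0/2 deliberately points at the made-up 1.10.1.99.
SAMPLE_CONFIG = """\
acl number 3001
 rule 5 permit ip destination 1.10.1.2 0
acl number 3002
 rule 5 permit ip destination 1.10.1.10 0
ike peer 1
 undo version 2
 pre-shared-key cipher %^%#PLACEHOLDER%^%#
 remote-address 1.10.1.2
ike peer 2
 undo version 2
 pre-shared-key cipher %^%#PLACEHOLDER%^%#
 remote-address 1.10.1.10
ipsec policy policy1 10 isakmp
 security acl 3001
 ike-peer 1
ipsec policy policy1 20 isakmp
 security acl 3002
 ike-peer 2
interface Tunnel0/0/1
 nhrp entry 172.16.1.1 1.10.1.2 register track apn ltenet
interface Tunnel0/0/2
 nhrp entry 172.16.2.1 1.10.1.99 register track apn ltenet
"""

def blocks(text):
    """Yield (header words, sub-commands); '#' and 'return' only separate blocks."""
    header, body = None, []
    for line in textwrap.dedent(text).splitlines():   # drops the page's 4-space indent
        line = line.rstrip()
        if not line or line in ("#", "return"):
            continue
        if line.startswith(" "):   # one-space indent: sub-command of the current block
            body.append(line.strip())
        else:
            if header:
                yield header, body
            header, body = line.split(), []
    if header:
        yield header, body

def arg(body, prefix):
    """Last word of the first sub-command that starts with prefix, else None."""
    return next((c.split()[-1] for c in body if c.startswith(prefix)), None)

def build_model(text):
    """Collect, per object type, the fields that must agree for each hub link."""
    acls, peers, policies, nhrp = {}, {}, [], []
    for words, body in blocks(text):
        name = words[-1]
        if words[:2] == ["acl", "number"]:
            for cmd in body:
                m = re.search(r"destination (\S+) 0$", cmd)   # host rule (wildcard 0)
                if m:
                    acls[name] = m.group(1)
        elif words[:2] == ["ike", "peer"]:   # 'undo version 2' disables IKEv2, IKEv1 stays
            peers[name] = {"psk": arg(body, "pre-shared-key "), "remote": arg(body, "remote-address "),
                           "ikev1_only": "undo version 2" in body}
        elif words[:2] == ["ipsec", "policy"] and name == "isakmp":
            policies.append({"id": f"{words[2]} {words[3]}", "acl": arg(body, "security acl "),
                             "peer": arg(body, "ike-peer ")})
        elif words[0] == "interface" and name.startswith("Tunnel"):
            for cmd in body:
                m = re.match(r"nhrp entry \S+ (\S+) register track apn (\S+)", cmd)
                if m:
                    nhrp.append({"if": name, "nbma": m.group(1), "apn": m.group(2)})
    return acls, peers, policies, nhrp

def audit(text):
    """Group findings by kind; all lists empty means the objects agree for every link."""
    acls, peers, policies, nhrp = build_model(text)
    out = {"mismatch": [], "unprotected": [], "ikev1_only": [], "psk_reuse": []}
    covered = set()   # hub NBMA addresses that some IPsec policy entry encrypts to
    for e in policies:
        dst, remote = acls.get(e["acl"]), peers.get(e["peer"], {}).get("remote")
        if dst is None or dst != remote:
            out["mismatch"].append(f"{e['id']}: acl {e['acl']} -> {dst}, ike-peer {e['peer']} -> {remote}")
        else:
            covered.add(dst)
    for n in nhrp:
        # A GRE/NHRP packet to an NBMA address no ACL selects does not match the
        # policy on Cellular0/0/0 and leaves the LTE interface unencrypted.
        if n["nbma"] not in covered:
            out["unprotected"].append(f"{n['if']} -> {n['nbma']} (apn {n['apn']})")
    out["ikev1_only"] = [p for p, v in peers.items() if v["ikev1_only"]]
    by_psk = defaultdict(list)
    for p, v in peers.items():
        by_psk[v["psk"]].append(p)
    out["psk_reuse"] = [group for group in by_psk.values() if len(group) > 1]
    return out

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_CONFIG).items():
        print(kind, items)
```

Run as-is, it reports one unprotected mapping (Tunnel0/0/2 to 1.10.1.99), both peers under ikev1_only and one psk_reuse group. Pasted over the complete Spoke file above (the page's 4-space indent is removed by dedent), it reports no mismatch and no unprotected mapping, since all four links agree (ACL 3001 to 3004, peers 1 to 4 and Tunnel0/0/1 to Tunnel0/0/4 all line up on 1.10.1.2, 1.10.1.10, 1.10.1.6 and 1.10.1.14), and lists peers 1 to 4 as IKEv1-only and as a single psk_reuse group; the script only reports those two facts, it does not judge them.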
Updated: 2019-08-07

Document ID: EDOC1100033725