CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring IPSec for OSPFv3

On an OSPFv3 network, you can configure OSPFv3 IPSec on the interfaces that set up OSPFv3 neighbor relationships, so that the devices are protected against forged OSPFv3 protocol packets.

Networking Requirements

As shown in Figure 5-67, RouterA and RouterB run OSPFv3 and can reach each other. If no authentication mechanism is configured, IP packets on the path between RouterA and RouterB may be modified or forged, causing the neighbor relationship between RouterA and RouterB to be interrupted or incorrect routes to be imported.

To prevent such attacks, IPSec can be configured between RouterA and RouterB to protect OSPFv3 packets during transmission. Encapsulating Security Payload (ESP) is configured as the security protocol, and Secure Hash Algorithm 1 (SHA-1) is configured as the authentication algorithm.

Figure 5-67  Configuring IPSec

Configuration Roadmap

The IPSec for OSPFv3 configuration roadmap is as follows:

  1. Configure basic OSPFv3 functions on RouterA and RouterB.

  2. Configure a security proposal and select the required security protocol and authentication algorithm.

  3. Configure Security Association (SA) parameters.

  4. Apply the SA to the OSPFv3 process to protect OSPFv3 packets between RouterA and RouterB.

Procedure

  1. Configure OSPFv3 on RouterA and RouterB.

    # Configure RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] ospfv3 1
    [RouterA-ospfv3-1] router-id 1.1.1.1
    [RouterA-ospfv3-1] area 1
    [RouterA-ospfv3-1-area-0.0.0.1] quit
    [RouterA-ospfv3-1] quit
    

    # Configure RouterB.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] ospfv3 1
    [RouterB-ospfv3-1] router-id 2.2.2.2
    [RouterB-ospfv3-1] area 1
    [RouterB-ospfv3-1-area-0.0.0.1] quit
    [RouterB-ospfv3-1] quit
    

  2. Configure IPv6 addresses and enable OSPFv3 on interfaces.

    # Configure RouterA.

    [RouterA] ipv6
    [RouterA] interface gigabitethernet1/0/1
    [RouterA-GigabitEthernet1/0/1] ipv6 enable
    [RouterA-GigabitEthernet1/0/1] ipv6 address 2001:DB8:100::1 64
    [RouterA-GigabitEthernet1/0/1] ospfv3 1 area 1
    [RouterA-GigabitEthernet1/0/1] quit
    

    # Configure RouterB.

    [RouterB] ipv6
    [RouterB] interface gigabitethernet1/0/1
    [RouterB-GigabitEthernet1/0/1] ipv6 enable
    [RouterB-GigabitEthernet1/0/1] ipv6 address 2001:DB8:100::2 64
    [RouterB-GigabitEthernet1/0/1] ospfv3 1 area 1
    [RouterB-GigabitEthernet1/0/1] quit
    

  3. Configure security proposals on RouterA and RouterB.

    # Configure a security proposal on RouterA.

    [RouterA] ipsec proto-protect proposal proposal1
    [RouterA-ipsec-proto-protect-proposal-proposal1] encapsulation-mode transport
    [RouterA-ipsec-proto-protect-proposal-proposal1] transform esp
    [RouterA-ipsec-proto-protect-proposal-proposal1] undo esp encryption-algorithm
    [RouterA-ipsec-proto-protect-proposal-proposal1] esp authentication-algorithm sha1
    [RouterA-ipsec-proto-protect-proposal-proposal1] quit
    

    # Configure a security proposal on RouterB.

    [RouterB] ipsec proto-protect proposal proposal2
    [RouterB-ipsec-proto-protect-proposal-proposal2] encapsulation-mode transport
    [RouterB-ipsec-proto-protect-proposal-proposal2] transform esp
    [RouterB-ipsec-proto-protect-proposal-proposal2] undo esp encryption-algorithm
    [RouterB-ipsec-proto-protect-proposal-proposal2] esp authentication-algorithm sha1
    [RouterB-ipsec-proto-protect-proposal-proposal2] quit
    

    # Run the display ipsec proto-protect proposal command on RouterA and RouterB to view configurations. Use the display on RouterA as an example.

    [RouterA] display ipsec proto-protect proposal
    Total IP security proposal number: 1
    IP security proposal name: proposal1
    encapsulation mode: transport
    transform: esp-new
    ESP protocol: authentication SHA1-HMAC-96, not use encryption

  4. Configure SAs and apply them to RouterA and RouterB.

    # Configure an SA and apply it to RouterA.

    [RouterA] ipsec sa sa1
    [RouterA-ipsec-sa-sa1] proposal proposal1
    [RouterA-ipsec-sa-sa1] quit
    

    # Configure an SA and apply it to RouterB.

    [RouterB] ipsec sa sa2
    [RouterB-ipsec-sa-sa2] proposal proposal2
    [RouterB-ipsec-sa-sa2] quit
    

  5. Configure Security Parameter Indexes (SPIs) and authentication keys in the string format on RouterA and RouterB.

    # Configure SPIs and authentication keys in the string format on RouterA.

    [RouterA] ipsec sa sa1
    [RouterA-ipsec-sa-sa1] sa spi inbound esp 12345
    [RouterA-ipsec-sa-sa1] sa spi outbound esp 12345
    [RouterA-ipsec-sa-sa1] sa string-key inbound esp Huawei-123
    [RouterA-ipsec-sa-sa1] sa string-key outbound esp Huawei-123
    [RouterA-ipsec-sa-sa1] quit
    

    # Configure SPIs and authentication keys in the string format on RouterB.

    [RouterB] ipsec sa sa2
    [RouterB-ipsec-sa-sa2] sa spi outbound esp 12345
    [RouterB-ipsec-sa-sa2] sa spi inbound esp 12345
    [RouterB-ipsec-sa-sa2] sa string-key outbound esp Huawei-123
    [RouterB-ipsec-sa-sa2] sa string-key inbound esp Huawei-123
    [RouterB-ipsec-sa-sa2] quit
    

  6. Configure SAs for OSPFv3 processes.

    # Configure an IPSec SA for the OSPFv3 process on RouterA.

    [RouterA] ospfv3 1
    [RouterA-ospfv3-1] ipsec sa sa1
    [RouterA-ospfv3-1] quit
    

    # Configure an IPSec SA for the OSPFv3 process on RouterB.

    [RouterB] ospfv3 1
    [RouterB-ospfv3-1] ipsec sa sa2
    [RouterB-ospfv3-1] quit
    

  7. Verify the configuration.

    # Run the display ipsec proto-protect sa command on RouterA and RouterB to view configurations. Use the display on RouterA as an example.

    [RouterA] display ipsec proto-protect sa
      IP security association name: sa1
      Number of references: 1
        proposal name: proposal1
        inbound AH setting: 
          AH spi: 
          AH string-key: 
          AH authentication hex key: 
        inbound ESP setting:
          ESP spi: 12345 (0x3039)
          ESP string-key: %^%#b{br9\zi%X+/Y@:Y>Lw(L\v#%^%#
          ESP encryption hex key: 
          ESP authentication hex key:
        outbound AH setting: 
          AH spi: 
          AH string-key:
          AH authentication hex key: 
        outbound ESP setting:
          ESP spi: 12345 (0x3039)
          ESP string-key: %^%#D0>GQf"}w2@X,k6.E\Z,z\{#%^%#
          ESP encryption hex key: 
          ESP authentication hex key: 
    

    # Run the display ipsec proto-protect statistics command to view statistics about incoming and outgoing packets processed by IPSec and detailed information about dropped packets. Use the display on RouterA as an example.

    [RouterA] display ipsec proto-protect statistics
      IPv6 security packet statistics:
        input/output security packets: 184/19
        input/output security bytes: 13216/1312
        input/output dropped security packets: 0/0
        dropped security packet detail:
          memory process problem: 0
          can't find SA: 0
          queue is full: 0
          authentication is failed: 0
          wrong length: 0
          replay packet: 0
          too long packet: 0
          invalid SA: 0
          policy deny: 0
      the normal packet statistics:
        input/output dropped normal packets: 0/0
      IPv4 security packet statistics:
        input/output security packets: 0/0
        input/output security bytes: 0/0
        input/output dropped security packets: 0/0
        dropped security packet detail:
          memory process problem: 0
          can't find SA: 0
          queue is full: 0
          authentication is failed: 0
          wrong length: 0
          replay packet: 0
          too long packet: 0
          invalid SA: 0
          policy deny: 0
      the normal packet statistics:
        input/output dropped normal packets: 0/0
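
    The drop counters in this output are where a failed or attacked IPSec protection becomes visible. The following Python program is an added example, not Huawei device code and not part of this document: it builds ESP packets with the profile the proposal selects (transport mode, no encryption, HMAC-SHA1-96 integrity per RFC 2404, SPI 12345 and the example's string key) and feeds them to a small receiver that keeps an inbound SA table and an RFC 4303 anti-replay window. The receiver's counters mirror the "can't find SA", "authentication is failed", "replay packet" and "wrong length" lines above, so you can see which scenario from the networking requirements lands in which counter. The OSPFv3 Hello header, the 64-entry window, the EspReceiver class and the "wrong-key" forgery are constructed for this example.

    ```python
    import hashlib
    import hmac
    import struct

    OSPF_NEXT_HEADER = 89               # IPv6 Next Header value for OSPFv3, carried in the ESP trailer
    ICV_LEN = 12                        # HMAC-SHA1-96: the 20-byte SHA-1 MAC truncated to 96 bits (RFC 2404)
    ESP_HEADER = struct.Struct("!II")   # SPI and sequence number, network byte order


    def build_esp(spi, seq, payload, key, next_header=OSPF_NEXT_HEADER):
        """Build an ESP packet with NULL encryption and HMAC-SHA1-96 integrity (RFC 4303 layout)."""
        # Payload + padding + the 2-byte trailer (pad length, next header) must align to 4 bytes.
        pad_len = (-(len(payload) + 2)) % 4
        padding = bytes(range(1, pad_len + 1))            # RFC 4303 default padding 1, 2, 3, ...
        authenticated = ESP_HEADER.pack(spi, seq) + payload + padding + bytes([pad_len, next_header])
        icv = hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
        return authenticated + icv


    class EspReceiver:
        """Constructed inbound side: SA table, anti-replay window and device-style drop counters."""

        def __init__(self, window=64):
            self.window = window
            self.sas = {}        # spi -> [key, highest seq seen, bitmap of seqs received in the window]
            self.counters = {"accepted": 0, "can't find SA": 0, "wrong length": 0,
                             "authentication is failed": 0, "replay packet": 0}

        def add_sa(self, spi, key):
            self.sas[spi] = [key, 0, 0]

        def _is_replay(self, sa, seq):
            high, bitmap = sa[1], sa[2]
            if seq > high:
                return False                                # newer than anything seen: always allowed
            if high - seq >= self.window:
                return True                                 # older than the window: treated as replay
            return bool(bitmap & (1 << (high - seq)))      # bit set means this seq was already accepted

        def _mark_received(self, sa, seq):
            high = sa[1]
            if seq > high:                                  # slide the window forward to the new high
                sa[2] = ((sa[2] << (seq - high)) | 1) & ((1 << self.window) - 1)
                sa[1] = seq
            else:
                sa[2] |= 1 << (high - seq)

        def receive(self, packet):
            """Return (next_header, payload) for an accepted packet, None for a dropped one."""
            if len(packet) < ESP_HEADER.size + 2 + ICV_LEN:
                self.counters["wrong length"] += 1
                return None
            spi, seq = ESP_HEADER.unpack_from(packet)
            sa = self.sas.get(spi)
            if sa is None:                                  # no inbound SA for this SPI
                self.counters["can't find SA"] += 1
                return None
            if self._is_replay(sa, seq):                    # RFC 4303 preliminary check, before the ICV
                self.counters["replay packet"] += 1
                return None
            body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
            expected = hmac.new(sa[0], body, hashlib.sha1).digest()[:ICV_LEN]
            if not hmac.compare_digest(icv, expected):      # constant-time comparison
                self.counters["authentication is failed"] += 1
                return None
            self._mark_received(sa, seq)                    # window only advances on authenticated packets
            pad_len, next_header = body[-2], body[-1]
            payload = body[ESP_HEADER.size:len(body) - 2 - pad_len]
            self.counters["accepted"] += 1
            return next_header, payload


    def demo():
        """Run the scenarios from the networking requirements; returns the receiver's counters."""
        key = b"Huawei-123"                                 # the string key from the example configuration
        spi = 12345
        # Constructed OSPFv3 Hello header: version 3, type 1, length 16, router-id 1.1.1.1, area 1.
        hello = struct.pack("!BBHIIHBB", 3, 1, 16, 0x01010101, 1, 0, 0, 0)
        router_b = EspReceiver()
        router_b.add_sa(spi, key)
        router_b.receive(build_esp(spi, 1, hello, key))             # genuine packet from RouterA: accepted
        tampered = bytearray(build_esp(spi, 2, hello, key))
        tampered[ESP_HEADER.size + 4] ^= 0xFF                       # router-id modified in flight
        router_b.receive(bytes(tampered))                           # -> authentication is failed
        router_b.receive(build_esp(spi, 2, hello, key))             # the unmodified seq 2 is still accepted
        router_b.receive(build_esp(spi, 1, hello, key))             # seq 1 seen again -> replay packet
        router_b.receive(build_esp(spi, 3, hello, b"wrong-key"))    # forged without the key -> auth failed
        router_b.receive(build_esp(99999, 1, hello, key))           # unknown SPI -> can't find SA
        return router_b.counters


    if __name__ == "__main__":
        print(demo())
    ```

    Two details are worth noting when reading the device counters against this model: a tampered packet is rejected before it can advance the anti-replay window, which is why the genuine sequence number 2 is still accepted afterwards, and a packet whose SPI matches no inbound SA is counted separately from an authentication failure, so a persistent "can't find SA" on one peer usually means the SPIs in the two SA definitions do not mirror each other.
    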
    

Configuration Files

  • Configuration file of RouterA

    #
    sysname RouterA
    #
    ipsec proto-protect proposal proposal1
     encapsulation-mode transport
     esp authentication-algorithm sha1
     undo esp encryption-algorithm
    #
    ipsec sa sa1
     proposal proposal1
     sa spi inbound esp 12345
     sa string-key inbound esp cipher %^%#b{br9\zi%X+/Y@:Y>Lw(L\v#%^%#
     sa spi outbound esp 12345
     sa string-key outbound esp cipher %^%#D0>GQf"}w2@X,k6.E\Z,z\{#%^%#
    #
    ospfv3 1
     router-id 1.1.1.1
     ipsec sa sa1
    #
    ipv6
    #
    interface GigabitEthernet1/0/1
     ipv6 enable
     ipv6 address 2001:DB8:100::1/64
     ospfv3 1 area 0.0.0.1
    #
  • Configuration file of RouterB

    #
    sysname RouterB
    #
    ipsec proto-protect proposal proposal2
     encapsulation-mode transport
     esp authentication-algorithm sha1
     undo esp encryption-algorithm
    #
    ipsec sa sa2
     proposal proposal2
     sa spi inbound esp 12345
     sa string-key inbound esp cipher %^%#VlrZ=1vTW":z9:%F`[a=o[t#%^%#
     sa spi outbound esp 12345
     sa string-key outbound esp cipher %^%#)YTP%@nFE7bL^B&WSBiQ1[p#%^%#
    #
    ospfv3 1
     router-id 2.2.2.2
     ipsec sa sa2
    #
    ipv6
    #
    interface GigabitEthernet1/0/1
     ipv6 enable
     ipv6 address 2001:DB8:100::2/64
     ospfv3 1 area 0.0.0.1
    #
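
    The two configuration files above are what an operator would compare by hand before bringing up the adjacency: the proposals must agree, and each side's inbound ESP SPI must equal the peer's outbound SPI. The following Python checker is an added example, not part of this document and not a Huawei tool: it parses the relevant sections of both files (copied from the configuration files above into constructed strings), follows the ospfv3 process to its SA and proposal, and reports any mismatch that would leave the peer counting "can't find SA" or an unprotected adjacency. The functions parse_blocks, field, peer_view and check_peers and the 54321 mismatch used in the run are this example's own.

    ```python
    import textwrap

    # Relevant sections of the RouterA and RouterB configuration files (constructed copies).
    ROUTER_A = textwrap.dedent(r"""
        sysname RouterA
        #
        ipsec proto-protect proposal proposal1
         encapsulation-mode transport
         esp authentication-algorithm sha1
         undo esp encryption-algorithm
        #
        ipsec sa sa1
         proposal proposal1
         sa spi inbound esp 12345
         sa string-key inbound esp cipher %^%#b{br9\zi%X+/Y@:Y>Lw(L\v#%^%#
         sa spi outbound esp 12345
         sa string-key outbound esp cipher %^%#D0>GQf"}w2@X,k6.E\Z,z\{#%^%#
        #
        ospfv3 1
         router-id 1.1.1.1
         ipsec sa sa1
        """)
    ROUTER_B = textwrap.dedent(r"""
        sysname RouterB
        #
        ipsec proto-protect proposal proposal2
         encapsulation-mode transport
         esp authentication-algorithm sha1
         undo esp encryption-algorithm
        #
        ipsec sa sa2
         proposal proposal2
         sa spi inbound esp 12345
         sa string-key inbound esp cipher %^%#VlrZ=1vTW":z9:%F`[a=o[t#%^%#
         sa spi outbound esp 12345
         sa string-key outbound esp cipher %^%#)YTP%@nFE7bL^B&WSBiQ1[p#%^%#
        #
        ospfv3 1
         router-id 2.2.2.2
         ipsec sa sa2
        """)


    def parse_blocks(text):
        """Map each top-level command to the indented lines of its view; '#' separators are skipped."""
        blocks, head = {}, None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line == "#":
                continue
            if raw.startswith(" ") and head is not None:
                blocks[head].append(line)
            else:
                head = line
                blocks[head] = []
        return blocks


    def field(lines, *prefix):
        """Token following the given leading words in the first matching line ("" if none), else None."""
        for line in lines:
            w = line.split()
            if w[:len(prefix)] == list(prefix):
                return w[len(prefix)] if len(w) > len(prefix) else ""
        return None


    def peer_view(text, process="1"):
        """Follow ospfv3 <process> -> ipsec sa -> proposal and collect the fields the peers must agree on."""
        blocks = parse_blocks(text)
        view = {"name": next((h.split()[1] for h in blocks if h.startswith("sysname ")), "?"),
                "sa": None, "spi": {}, "keyed": {}, "mode": None, "auth": None, "encrypt": "default"}
        sa_name = field(blocks.get(f"ospfv3 {process}", []), "ipsec", "sa")
        sa = blocks.get(f"ipsec sa {sa_name}") if sa_name else None
        if sa is None:
            return view                                   # no SA bound, or bound SA not defined
        view["sa"] = sa_name
        for d in ("inbound", "outbound"):
            spi = field(sa, "sa", "spi", d, "esp")
            view["spi"][d] = int(spi) if spi else None
            view["keyed"][d] = field(sa, "sa", "string-key", d, "esp") is not None
        prop = blocks.get(f"ipsec proto-protect proposal {field(sa, 'proposal')}", [])
        view["mode"] = field(prop, "encapsulation-mode")
        view["auth"] = field(prop, "esp", "authentication-algorithm")
        if field(prop, "undo", "esp", "encryption-algorithm") is not None:
            view["encrypt"] = None                        # authentication-only ESP, as in this example
        return view


    def check_peers(a, b):
        """Findings that would surface as 'can't find SA' drops or an unprotected OSPFv3 adjacency."""
        findings = []
        for v in (a, b):
            if v["sa"] is None:
                findings.append(f"{v['name']}: no usable ipsec sa bound to the OSPFv3 process")
            if v["auth"] is None:
                findings.append(f"{v['name']}: proposal provides no ESP authentication algorithm")
            for d in ("inbound", "outbound"):
                if v["spi"].get(d) is None or not v["keyed"].get(d):
                    findings.append(f"{v['name']}: {d} ESP SPI or string-key missing on sa {v['sa']}")
        for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
            if a["spi"].get(mine) != b["spi"].get(theirs):
                findings.append(f"SPI mismatch: {a['name']} {mine} {a['spi'].get(mine)} "
                                f"vs {b['name']} {theirs} {b['spi'].get(theirs)}")
        for f in ("mode", "auth", "encrypt"):
            if a[f] != b[f]:
                findings.append(f"proposal {f} differs: {a['name']}={a[f]} {b['name']}={b[f]}")
        return findings


    if __name__ == "__main__":
        print(check_peers(peer_view(ROUTER_A), peer_view(ROUTER_B)) or ["peers consistent"])
        broken = ROUTER_B.replace("sa spi outbound esp 12345", "sa spi outbound esp 54321")
        print(check_peers(peer_view(ROUTER_A), peer_view(broken)))
    ```

    The checker verifies that a string key is configured in both directions but cannot compare the keys themselves: the configuration file stores them in the device's cipher form, which differs per device even for the same plaintext. A key mismatch therefore does not show up here; it shows up on the device as "authentication is failed" in display ipsec proto-protect statistics.
    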
Updated: 2019-08-07

Document ID: EDOC1100033725