
CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring Services to be Protected by A2A VPN Between a Branch and the Headquarters

Networking Requirements

A large enterprise has many widely distributed branches with a large number of multicast services. As shown in Figure 6-9, GM_1 is the enterprise branch gateway (only one branch in this example) and GM_2 is the enterprise headquarters gateway. The branch communicates with the headquarters through the public network.

To protect services between the branch and headquarters, you can deploy A2A VPN between them.

Figure 6-9  Networking for configuring services to be protected by A2A VPN between the branch and headquarters

NOTE:

When the KS connects to a GM, you need to confirm the signature hash algorithm supported by the GM. For example, the GM running a software version earlier than V200R010C00 supports only the SHA1 algorithm.

When the DH algorithm is group2, run the packet-type ipsec-ike rate-limit command in the KS attack defense policy view to set the rate limit of IKE packets sent to the CPU to 75 or lower; when the DH algorithm is group14, run the same command to set the limit to 20 or lower. Otherwise, the CPU usage of the KS becomes high.

Configuration Roadmap

  1. Configure an IP address and static routes on each interface of the GMs and KS to implement communication between them.

  2. Configure an ACL on the KS to define the data flows to be protected by the A2A VPN.

  3. Configure IKE on the GMs and KS to define the attributes of IKE negotiation.

  4. Configure an IPSec proposal on the KS to define the protection method used for the A2A VPN.

  5. Configure a GDOI policy on each GM and apply the policy to the interfaces. Configure a GDOI group on the KS and define group policies to be pushed to the GMs.

Procedure

  1. Configure the KS.
    1. Configure the interface IP address and static routes to the peers.

      # Configure the interface IP address and enable the multicast function.

      <Huawei> system-view
      [Huawei] sysname KS
      [KS] multicast routing-enable
      [KS] interface gigabitethernet 1/0/0
      [KS-GigabitEthernet1/0/0] ip address 3.1.1.1 255.255.255.0
      [KS-GigabitEthernet1/0/0] pim dm
      [KS-GigabitEthernet1/0/0] igmp static-group 239.0.1.2
      [KS-GigabitEthernet1/0/0] quit
      

      # Configure static routes to the peers. The following sample assumes that the next-hop IP address is 3.1.1.2.

      [KS] ip route-static 1.1.1.0 255.255.255.0 3.1.1.2
      [KS] ip route-static 2.1.1.0 255.255.255.0 3.1.1.2
      

    2. Define the data flows to be protected by the A2A VPN.

      [KS] acl 3001
      [KS-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
      [KS-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [KS-acl-adv-3001] quit
      

    3. Configure an IKE proposal.

      [KS] ike proposal 5
      [KS-ike-proposal-5] authentication-method pre-share
      [KS-ike-proposal-5] encryption-algorithm aes-128
      [KS-ike-proposal-5] authentication-algorithm sha2-256
      [KS-ike-proposal-5] dh group14
      [KS-ike-proposal-5] quit
      

    4. Configure an IPSec proposal.

      [KS] ipsec proposal tran1
      [KS-ipsec-proposal-tran1] encapsulation-mode tunnel
      [KS-ipsec-proposal-tran1] transform esp
      [KS-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [KS-ipsec-proposal-tran1] esp encryption-algorithm aes-128
      [KS-ipsec-proposal-tran1] quit
      

    5. Configure a GDOI group.

      # Configure the pre-shared keys for the GMs in the IKE user table.

      [KS] ike user-table 10
      [KS-ike-user-table-10] user gm1
      [KS-ike-user-table-10-gm1] id-type ip 1.1.1.1
      [KS-ike-user-table-10-gm1] pre-shared-key Huawei@123
      [KS-ike-user-table-10-gm1] quit
      [KS-ike-user-table-10] user gm2
      [KS-ike-user-table-10-gm2] id-type ip 2.1.1.1
      [KS-ike-user-table-10-gm2] pre-shared-key Huawei@123
      [KS-ike-user-table-10-gm2] quit
      [KS-ike-user-table-10] quit
      

      # Configure an RSA key pair.

      [KS] pki rsa local-key-pair create keytest modulus 2048 exportable
       Info: The name of the new key-pair will be: keytest
       Generating key-pairs...
      .+++
      ......+++
      

      # Configure GDOI group policies.

      [KS] gdoi ks group test
      [KS-gdoi-group-test] group identity number 10
      [KS-gdoi-group-test] source address 3.1.1.1
      [KS-gdoi-group-test] user-table 10
      [KS-gdoi-group-test] rekey transport-type multicast
      [KS-gdoi-group-test] rekey destination address 239.0.1.2
      [KS-gdoi-group-test] rekey encryption-algorithm aes-128
      [KS-gdoi-group-test] rekey sig-hash-algorithm sha2-512
      [KS-gdoi-group-test] rekey authentication public-key rsa keytest
      [KS-gdoi-group-test] ipsec 5
      [KS-gdoi-group-test-ipsec-5] proposal tran1
      [KS-gdoi-group-test-ipsec-5] security acl 3001
      [KS-gdoi-group-test-ipsec-5] quit
      [KS-gdoi-group-test] quit
      

  2. Configure GM_1. The configuration of GM_2 is similar to that of GM_1 and is not described here.
    1. Configure the interface IP addresses and static routes to the peers.

      # Configure the interface IP addresses.

      <Huawei> system-view
      [Huawei] sysname GM_1
      [GM_1] interface gigabitethernet 1/0/0 
      [GM_1-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
      [GM_1-GigabitEthernet1/0/0] quit
      [GM_1] interface gigabitethernet 2/0/0
      [GM_1-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
      [GM_1-GigabitEthernet2/0/0] quit
      

      # Configure static routes to the peers. The following sample assumes that the next-hop IP address is 1.1.1.2.

      [GM_1] ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
      [GM_1] ip route-static 3.1.1.0 255.255.255.0 1.1.1.2
      [GM_1] ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
      

    2. Configure an IKE peer. The IKE negotiation parameters must be the same as those on the KS.

      # Configure an IKE proposal.

      [GM_1] ike proposal 5
      [GM_1-ike-proposal-5] authentication-method pre-share
      [GM_1-ike-proposal-5] encryption-algorithm aes-128
      [GM_1-ike-proposal-5] authentication-algorithm sha2-256
      [GM_1-ike-proposal-5] dh group14
      [GM_1-ike-proposal-5] quit
      

      # Configure an IKE peer.

      [GM_1] ike peer spub
      [GM_1-ike-peer-spub] undo version 2
      [GM_1-ike-peer-spub] ike-proposal 5
      [GM_1-ike-peer-spub] pre-shared-key cipher Huawei@123
      [GM_1-ike-peer-spub] remote-address 3.1.1.1
      [GM_1-ike-peer-spub] quit

    3. Configure a GDOI policy. The group ID of the GM must be the same as that of the KS.

      [GM_1] ipsec policy map1 10 gdoi
      [GM_1-ipsec-policy-gdoi-map1-10] group identity number 10
      [GM_1-ipsec-policy-gdoi-map1-10] ike-peer spub
      [GM_1-ipsec-policy-gdoi-map1-10] quit
      

    4. Configure an IP address for multicast rekey messages. The IP address must be the same as that configured on the KS.

      [GM_1] multicast routing-enable
      [GM_1] ipsec gdoi multicast-rekey ip 239.0.1.2
      [GM_1] interface gigabitethernet 1/0/0
      [GM_1-GigabitEthernet1/0/0] pim dm
      [GM_1-GigabitEthernet1/0/0] igmp static-group 239.0.1.2
      [GM_1-GigabitEthernet1/0/0] quit
      

    5. Apply the GDOI policy group to the interface.

      [GM_1] interface gigabitethernet 1/0/0
      [GM_1-GigabitEthernet1/0/0] ipsec policy map1
      [GM_1-GigabitEthernet1/0/0] quit
      

  3. Verify the configuration.

    # After the configuration is complete, run the display ike sa command on the devices to view information about the IKE SAs. The command output shows that the IKE SAs between the KS and GM_1/GM_2 are successfully established. The following uses the KS as an example:

    [KS] display ike sa
     Conn-ID    Peer            VPN         Flag(s)     Phase  RemoteType  RemoteID
    --------------------------------------------------------------------------------
     628        1.1.1.1:848                 RD|A        v1:1   IP          1.1.1.1
     602        2.1.1.1:848                 RD|A        v1:1   IP          2.1.1.1
    
      Number of IKE SA : 2
    --------------------------------------------------------------------------------
    
     Flag Description:
     RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
     HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
     M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

    # Run the display gdoi ks sa command on the KS. If information about the TEK SA and KEK SA is displayed, the KS has successfully pushed the security policies to the GMs.

    [KS] display gdoi ks sa
    ===============================================
    GDOI group: test
    ===============================================
       KEK SA
        SPI : 0x2ad569a935d15b75174446fbb0feaf5b
        Rekey transport type        : multicast
        Encrypt algorithm           : AES-128
        Encrypt iv length (bits)    : 128
        Encrypt key length (bits)   : 128
        Signature hash algorithm    : SHA2-512
        Signature key length (bits) : 2160
        Signature algorithm         : SIG_ALG_RSA
        Rekey current sequence      : 3
        Rekey next sequence         : 4
        SA lifetime (secs)          : 86400
        SA remaining lifetime (secs): 85886
        Next rekey time (secs)      : 85816
    
       TEK SA
        SPI          : 770043396 (0x2de5ee04)
        Security acl : 3001
        Proposal     : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
        Encrypt key length (bits)   : 128
        Auth key length (bits)      : 256
        Anti-replay (time-based)    : disable
        SA lifetime (secs)          : 3600
        SA remaining lifetime (secs): 1613
        Next rekey time (secs)      : 0
    
       TEK SA
        SPI          : 3948200379 (0xeb54c1bb)
        Security acl : 3001
        Proposal     : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
        Encrypt key length (bits)   : 128
        Auth key length (bits)      : 256
        Anti-replay (time-based)    : disable
        SA lifetime (secs)          : 3600
        SA remaining lifetime (secs): 3477
        Next rekey time (secs)      : 3347

    # Run the display ipsec gdoi-sa command on each GM to display information about the GDOI SA. The following uses GM_1 as an example:

    [GM_1] display ipsec gdoi-sa
    ===============================
    Interface: GigabitEthernet1/0/0
     Path MTU: 0
    ===============================
      ---------------------------------
      Gdoi policy name         : "map1"
      Sequence number          : 10
      ---------------------------------
        [TEK SA]
        Protected vrf : 0
        Protocol: 0/permit
        Flow source      : 10.1.1.0/255.255.255.0/0
        Flow destination : 10.1.2.0/255.255.255.0/0
    
        Protocol: 0/permit
        Flow source      : 10.1.2.0/255.255.255.0/0
        Flow destination : 10.1.1.0/255.255.255.0/0
    
        Inpacket count            : 0
        Inpacket decap count      : 0
        Outpacket count           : 0
        Outpacket encap count     : 0
        Inpacket drop count       : 0
        Outpacket drop count      : 0
        Anti-replay drop count    : 0
    
        SA mode : normal
        SPI: 3777428122 (0xe126fa9a)
        Proposal : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
        SA remaining lifetime (secs) : 3199
        Anti-replay (time based) : disable
    
        [KEK POLICY]
        Rekey transport type        : multicast
        SPI: 0x928fd244e99fd837ee252ee3b428eed2
        Received rekey seqno        : 52
        Lifetime (secs)             : 40894
        Encrypt algorithm           : AES
        Encrypt key size            : 128
        Signature hash algorithm    : HMAC_AUTH_SHA2_512
        Signature key length (bits) : 2160
        Signature algorithm         : SIG_ALG_RSA

    # Run the ping -a source-ip-address host command on each GM to ping the private IP address at the remote end. If the ping succeeds, services between the two ends can be forwarded normally. The following uses GM_1 as an example:

    [GM_1] ping -a 10.1.1.1 10.1.2.2
      PING 10.1.2.2: 56  data bytes, press CTRL_C to break
        Reply from 10.1.2.2: bytes=56 Sequence=1 ttl=255 time=89 ms
        Reply from 10.1.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms
        Reply from 10.1.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms
        Reply from 10.1.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms
        Reply from 10.1.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms
    
      --- 10.1.2.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/18/89 ms

Configuration Files

  • KS configuration file

    #
     sysname KS
    #
    multicast routing-enable
    # 
    acl number 3001
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
     rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
    #
    ike user-table 10
     user gm2
      id-type ip 2.1.1.1
      pre-shared-key %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
     user gm1
      id-type ip 1.1.1.1
      pre-shared-key %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
    #
    gdoi ks group test
     group identity number 10
     rekey destination address 239.0.1.2
     rekey sig-hash-algorithm sha2-512
     rekey encryption-algorithm aes-128
     user-table 10
     rekey authentication public-key rsa keytest
     ipsec 5
      proposal tran1
      security acl 3001
     source address 3.1.1.1
    #
    interface GigabitEthernet1/0/0
     ip address 3.1.1.1 255.255.255.0
     pim dm
     igmp static-group 239.0.1.2
    #
    ip route-static 1.1.1.0 255.255.255.0 3.1.1.2
    ip route-static 2.1.1.0 255.255.255.0 3.1.1.2
    #
    return
    
  • GM_1 configuration file

    #
     sysname GM_1
    #
    multicast routing-enable
    # 
    ipsec gdoi multicast-rekey ip 239.0.1.2
    #  
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
    #
    ike peer spub
     undo version 2
     pre-shared-key cipher %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
     ike-proposal 5
     remote-address 3.1.1.1
    #
    ipsec policy map1 10 gdoi
     group identity number 10
     ike-peer spub
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.1.1 255.255.255.0
     pim dm
     igmp static-group 239.0.1.2
     ipsec policy map1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
    ip route-static 3.1.1.0 255.255.255.0 1.1.1.2
    ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
    #
    return
    
  • GM_2 configuration file

    #
     sysname GM_2
    #
    multicast routing-enable
    # 
    ipsec gdoi multicast-rekey ip 239.0.1.2
    #  
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
    #
    ike peer spub
     undo version 2
     pre-shared-key cipher %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
     ike-proposal 5
     remote-address 3.1.1.1
    #
    ipsec policy map1 10 gdoi
     group identity number 10
     ike-peer spub
    #
    interface GigabitEthernet1/0/0
     ip address 2.1.1.1 255.255.255.0
     pim dm
     igmp static-group 239.0.1.2
     ipsec policy map1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
    ip route-static 3.1.1.0 255.255.255.0 2.1.1.2
    ip route-static 10.1.1.0 255.255.255.0 2.1.1.2
    #
    return
    
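The procedure states three values that must agree between the KS and each GM: the IKE negotiation parameters, the group ID, and the multicast rekey address. The following Python script, added here and not part of the Huawei document, parses trimmed copies of the KS and GM_1 configuration files (constructed from the files above) and reports any mismatch; its parser assumes only the '#'-delimited block layout those files show.

```python
import re

# Constructed from the KS and GM_1 configuration files on this page, trimmed to the
# blocks the checks read; GM1_BAD is GM_1 with a deliberately wrong group ID.
IKE_PROPOSAL = """ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
"""
KS_CFG = IKE_PROPOSAL + """gdoi ks group test
 group identity number 10
 rekey destination address 239.0.1.2
#
"""
GM1_CFG = "ipsec gdoi multicast-rekey ip 239.0.1.2\n#\n" + IKE_PROPOSAL + """ike peer spub
 ike-proposal 5
 remote-address 3.1.1.1
#
ipsec policy map1 10 gdoi
 group identity number 10
 ike-peer spub
#
"""
GM1_BAD = GM1_CFG.replace("group identity number 10", "group identity number 11")

def block(cfg, prefix):
    """Stripped lines of the first '#'-delimited block whose header starts with prefix."""
    for chunk in re.split(r"^#\s*$", cfg, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines and lines[0].startswith(prefix):
            return lines
    return []

def field(lines, prefix):
    """Value after prefix on the first matching line, or None if the line is absent."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)

def check_gm_against_ks(ks_cfg, gm_cfg):
    """Return the KS/GM mismatches this page says must not exist (empty list = consistent)."""
    ks_grp, peer = block(ks_cfg, "gdoi ks group"), block(gm_cfg, "ike peer ")
    num, problems = field(peer, "ike-proposal"), []
    # IKE negotiation parameters must be identical on GM and KS (line order is irrelevant)
    if set(block(ks_cfg, f"ike proposal {num}")[1:]) != set(block(gm_cfg, f"ike proposal {num}")[1:]):
        problems.append(f"ike proposal {num} differs from KS")
    # The GM's GDOI policy must name the same group ID the KS defines
    if field(block(gm_cfg, "ipsec policy "), "group identity number") != field(ks_grp, "group identity number"):
        problems.append("group identity number differs from KS")
    # The GM's multicast rekey address must equal the KS rekey destination address
    gm_rekey = field(block(gm_cfg, "ipsec gdoi multicast-rekey ip"), "ipsec gdoi multicast-rekey ip")
    if gm_rekey != field(ks_grp, "rekey destination address"):
        problems.append("multicast rekey address differs from KS")
    return problems
```

Feed the full configuration files in place of the trimmed strings to check GM_2 the same way; a non-empty result points at the exact parameter to correct before the GM can register with the KS.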
Updated: 2019-08-07

Document ID: EDOC1100033725