Example for Configuring Services to be Protected by A2A VPN Between a Branch and the Headquarters
Networking Requirements
A large enterprise has many widely distributed branches with a large number of multicast services. As shown in Figure 6-9, GM_1 is the enterprise branch gateway (only one branch in this example) and GM_2 is the enterprise headquarters gateway. The branch communicates with the headquarters through the public network.
To protect services between the branch and headquarters, you can deploy A2A VPN between them.
Before connecting a GM to the KS, confirm which signature hash algorithm the GM supports, because the rekey sig-hash-algorithm configured on the KS must be one every GM in the group can verify. For example, a GM running a software version earlier than V200R010C00 supports only SHA1.
When the DH group in the IKE proposal is group2, run the packet-type ipsec-ike rate-limit command in the attack defense policy view of the KS to limit the rate of IKE packets sent to the CPU to at most 75; when the DH group is group14, limit it to at most 20. Without this limit, IKE negotiations with the GMs can drive the CPU usage of the KS high; group14 costs more CPU per negotiation than group2, hence the lower limit.
Configuration Roadmap
Configure an IP address and static routes on each interface of the GMs and KS to implement communication between them.
Configure an ACL on the KS to define the data flows to be protected by the A2A VPN.
Configure IKE on the GMs and KS to define the attributes of IKE negotiation.
Configure an IPSec proposal on the KS to define the protection method used for the A2A VPN.
Configure a GDOI policy on each GM and apply the policy to the interfaces. Configure a GDOI group on the KS and define group policies to be pushed to the GMs.
Procedure
- Configure the KS.
- Configure GM_1. The configuration of GM_2 is similar to that of GM_1 and is not mentioned here.
- Verify the configuration.
# After the configuration is complete, run the display ike sa command on the devices to view information about the IKE SAs. The command output shows that the IKE SAs between the KS and GM_1/GM_2 are successfully established. The following uses the KS as an example:
[KS] display ike sa
    Conn-ID  Peer            VPN   Flag(s)    Phase   RemoteType   RemoteID
  --------------------------------------------------------------------------------
    628      1.1.1.1:848           RD|A       v1:1    IP           1.1.1.1
    602      2.1.1.1:848           RD|A       v1:1    IP           2.1.1.1

  Number of IKE SA : 2
  --------------------------------------------------------------------------------

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
# Run the display gdoi ks sa command on the KS. If information about the KEK SA and TEK SA is displayed, the KS has generated the group keys and pushed the security policies to the GMs. Two TEK SAs are listed because the group is in a rekey window: the new TEK has already been generated and a rekey for it is scheduled, while the previous TEK (Next rekey time 0) stays valid until its remaining lifetime ends.
[KS] display gdoi ks sa
  ===============================================
  GDOI group: test
  ===============================================
  KEK SA
    SPI                         : 0x2ad569a935d15b75174446fbb0feaf5b
    Rekey transport type        : multicast
    Encrypt algorithm           : AES-128
    Encrypt iv length (bits)    : 128
    Encrypt key length (bits)   : 128
    Signature hash algorithm    : SHA2-512
    Signature key length (bits) : 2160
    Signature algorithm         : SIG_ALG_RSA
    Rekey current sequence      : 3
    Rekey next sequence         : 4
    SA lifetime (secs)          : 86400
    SA remaining lifetime (secs): 85886
    Next rekey time (secs)      : 85816

  TEK SA
    SPI                         : 770043396 (0x2de5ee04)
    Security acl                : 3001
    Proposal                    : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
    Encrypt key length (bits)   : 128
    Auth key length (bits)      : 256
    Anti-replay (time-based)    : disable
    SA lifetime (secs)          : 3600
    SA remaining lifetime (secs): 1613
    Next rekey time (secs)      : 0

  TEK SA
    SPI                         : 3948200379 (0xeb54c1bb)
    Security acl                : 3001
    Proposal                    : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
    Encrypt key length (bits)   : 128
    Auth key length (bits)      : 256
    Anti-replay (time-based)    : disable
    SA lifetime (secs)          : 3600
    SA remaining lifetime (secs): 3477
    Next rekey time (secs)      : 3347
# Run the display ipsec gdoi-sa command on each GM to display the GDOI SA it received from the KS. The flows under [TEK SA] must match ACL 3001 on the KS, and the SPI and proposal must match one of the TEK SAs shown on the KS. Note that Anti-replay (time based) is disable in this example: because every GM in a group shares the same TEK, per-peer counter-based anti-replay cannot be used for GDOI SAs, so if replay protection is required, enable time-based anti-replay for the group on the KS, which pushes the setting to all GMs. The following uses GM_1 as an example:
[GM_1] display ipsec gdoi-sa
  ===============================
  Interface: GigabitEthernet1/0/0
  Path MTU: 0
  ===============================
  ---------------------------------
  Gdoi policy name : "map1"
  Sequence number  : 10
  ---------------------------------
  [TEK SA]
    Protected vrf : 0
    Protocol: 0/permit
      Flow source      : 10.1.1.0/255.255.255.0/0
      Flow destination : 10.1.2.0/255.255.255.0/0
    Protocol: 0/permit
      Flow source      : 10.1.2.0/255.255.255.0/0
      Flow destination : 10.1.1.0/255.255.255.0/0
    Inpacket count         : 0
    Inpacket decap count   : 0
    Outpacket count        : 0
    Outpacket encap count  : 0
    Inpacket drop count    : 0
    Outpacket drop count   : 0
    Anti-replay drop count : 0
    SA mode : normal
    SPI: 3777428122 (0xe126fa9a)
    Proposal : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
    SA remaining lifetime (secs) : 3199
    Anti-replay (time based) : disable
  [KEK POLICY]
    Rekey transport type : multicast
    SPI: 0x928fd244e99fd837ee252ee3b428eed2
    Received rekey seqno : 52
    Lifetime (secs) : 40894
    Encrypt algorithm : AES
    Encrypt key size : 128
    Signature hash algorithm : HMAC_AUTH_SHA2_512
    Signature key length (bits) : 2160
    Signature algorithm : SIG_ALG_RSA
# Run the ping -a source-ip-address host command on each GM, using the local private address as the source, to ping a private address on the other end. If the ping succeeds, the protected flow is forwarded correctly through the A2A VPN in both directions. The following uses GM_1 as an example:
[GM_1] ping -a 10.1.1.1 10.1.2.2
  PING 10.1.2.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.2.2: bytes=56 Sequence=1 ttl=255 time=89 ms
    Reply from 10.1.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.1.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.1.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.1.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 10.1.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/18/89 ms
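The verification steps above are normally read by eye. The following added example, which is not part of the original page or of the device software, parses the text that display ike sa and display gdoi ks sa print on the KS and applies the same checks automatically: every expected GM has a READY IKEv1 SA on UDP 848, the KEK rekey signature hash and the TEK proposal are on an approved list (so a SHA1-only GM forcing a weak hash is caught), a TEK rekey is scheduled, and time-based anti-replay is enabled. The sample outputs are constructed from the values shown in this example; the function names, the approved-algorithm list and the FAIL/WARN labels are this example's own assumptions.

```python
"""Audit the KS-side verification output of the A2A VPN example (added example)."""

# Constructed sample: the two KS outputs as shown on the page, reduced to the
# fields the checks use. Real output has more fields; the parsers ignore them.
IKE_SA_OUTPUT = """\
    Conn-ID  Peer            VPN   Flag(s)    Phase   RemoteType   RemoteID
  --------------------------------------------------------------------------------
    628      1.1.1.1:848           RD|A       v1:1    IP           1.1.1.1
    602      2.1.1.1:848           RD|A       v1:1    IP           2.1.1.1

  Number of IKE SA : 2
"""

GDOI_KS_SA_OUTPUT = """\
GDOI group: test
KEK SA
  SPI                         : 0x2ad569a935d15b75174446fbb0feaf5b
  Encrypt algorithm           : AES-128
  Signature hash algorithm    : SHA2-512
  Signature algorithm         : SIG_ALG_RSA
  SA remaining lifetime (secs): 85886
  Next rekey time (secs)      : 85816
TEK SA
  SPI                         : 770043396 (0x2de5ee04)
  Proposal                    : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
  Anti-replay (time-based)    : disable
  SA remaining lifetime (secs): 1613
  Next rekey time (secs)      : 0
TEK SA
  SPI                         : 3948200379 (0xeb54c1bb)
  Proposal                    : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
  Anti-replay (time-based)    : disable
  SA remaining lifetime (secs): 3477
  Next rekey time (secs)      : 3347
"""

# Policy assumed by this example: SHA-2 only for rekey signatures, and no
# SHA1/MD5/DES/3DES anywhere in the TEK proposal.
APPROVED_HASHES = {"SHA2-256", "SHA2-384", "SHA2-512"}
WEAK_PROPOSAL_TOKENS = ("SHA1", "MD5", "-DES", "3DES")


def parse_ike_sa(text):
    """Rows of `display ike sa` as dicts. The VPN column may be empty."""
    sas = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue                      # header, separator and summary lines
        if len(parts) == 7:
            del parts[2]                  # drop the VPN instance name if present
        if len(parts) != 6:
            continue
        conn, peer, flags, phase, rtype, rid = parts
        addr, _, port = peer.rpartition(":")
        sas.append({"conn_id": int(conn), "peer": addr, "port": int(port),
                    "flags": set(flags.split("|")), "phase": phase,
                    "remote_type": rtype, "remote_id": rid})
    return sas


def parse_gdoi_ks_sa(text):
    """{'group': name, 'kek': [..], 'tek': [..]}; each SA is a field->value dict."""
    state = {"group": None, "kek": [], "tek": []}
    current = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("GDOI group:"):
            state["group"] = s.split(":", 1)[1].strip()
        elif s in ("KEK SA", "TEK SA"):
            current = {}
            state[s[:3].lower()].append(current)
        elif ":" in s and current is not None:
            key, value = s.split(":", 1)
            current[key.strip()] = value.strip()
    return state


def audit_ks(ike_text, gdoi_text, expected_gms):
    """Return 'FAIL: ...' / 'WARN: ...' strings; an empty list means all checks passed."""
    findings = []
    # GDOI registration is IKEv1 phase 1 on UDP 848; RD means the SA is ready.
    ready = {sa["peer"] for sa in parse_ike_sa(ike_text)
             if "RD" in sa["flags"] and sa["phase"].startswith("v1") and sa["port"] == 848}
    for gm in expected_gms:
        if gm not in ready:
            findings.append(f"FAIL: no READY IKEv1 SA on UDP 848 with GM {gm}")
    state = parse_gdoi_ks_sa(gdoi_text)
    for kek in state["kek"]:
        h = kek.get("Signature hash algorithm", "")
        if h not in APPROVED_HASHES:
            findings.append(f"FAIL: KEK rekey signature hash {h or 'missing'} is not approved")
    teks = state["tek"]
    if not teks:
        findings.append("FAIL: no TEK SA generated for the group")
    elif not any(int(t.get("Next rekey time (secs)", 0)) > 0 for t in teks):
        findings.append("FAIL: no TEK rekey scheduled; traffic stops when the last TEK expires")
    for t in teks:
        proposal, spi = t.get("Proposal", ""), t.get("SPI", "?")
        if any(tok in proposal for tok in WEAK_PROPOSAL_TOKENS):
            findings.append(f"FAIL: TEK {spi} uses a weak proposal: {proposal}")
        if t.get("Anti-replay (time-based)") != "enable":
            findings.append(f"WARN: TEK {spi} has time-based anti-replay disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_ks(IKE_SA_OUTPUT, GDOI_KS_SA_OUTPUT, ["1.1.1.1", "2.1.1.1"]):
        print(finding)
```

Run against the outputs shown in this example, the audit reports only the two anti-replay warnings; remove a GM from the IKE SA table, or change the KEK signature hash to SHA1, and it reports a FAIL naming the GM or the hash.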
Configuration Files
KS configuration file
#
 sysname KS
#
 multicast routing-enable
#
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike user-table 10
 user gm2 id-type ip 2.1.1.1
  pre-shared-key %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
 user gm1 id-type ip 1.1.1.1
  pre-shared-key %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
#
gdoi ks group test
 group identity number 10
 rekey destination address 239.0.1.2
 rekey sig-hash-algorithm sha2-512
 rekey encryption-algorithm aes-128
 user-table 10
 rekey authentication public-key rsa keytest
 ipsec 5
  proposal tran1
  security acl 3001
 source address 3.1.1.1
#
interface GigabitEthernet1/0/0
 ip address 3.1.1.1 255.255.255.0
 pim dm
 igmp static-group 239.0.1.2
#
ip route-static 1.1.1.0 255.255.255.0 3.1.1.2
ip route-static 2.1.1.0 255.255.255.0 3.1.1.2
#
return
GM_1 configuration file
#
 sysname GM_1
#
 multicast routing-enable
#
ipsec gdoi multicast-rekey ip 239.0.1.2
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike peer spub
 undo version 2
 pre-shared-key cipher %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
 ike-proposal 5
 remote-address 3.1.1.1
#
ipsec policy map1 10 gdoi
 group identity number 10
 ike-peer spub
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
 pim dm
 igmp static-group 239.0.1.2
 ipsec policy map1
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
ip route-static 3.1.1.0 255.255.255.0 1.1.1.2
ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
#
return
GM_2 configuration file
#
 sysname GM_2
#
 multicast routing-enable
#
ipsec gdoi multicast-rekey ip 239.0.1.2
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike peer spub
 undo version 2
 pre-shared-key cipher %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
 ike-proposal 5
 remote-address 3.1.1.1
#
ipsec policy map1 10 gdoi
 group identity number 10
 ike-peer spub
#
interface GigabitEthernet1/0/0
 ip address 2.1.1.1 255.255.255.0
 pim dm
 igmp static-group 239.0.1.2
 ipsec policy map1
#
interface GigabitEthernet2/0/0
 ip address 10.1.2.1 255.255.255.0
#
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
ip route-static 3.1.1.0 255.255.255.0 2.1.1.2
ip route-static 10.1.1.0 255.255.255.0 2.1.1.2
#
return
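The configuration files above cover one branch. The networking requirements describe many branches, and by hand each new branch means another user-table entry on the KS, two more ACL rules, and a GM file whose routes and addresses must all agree. The following added example, which is not part of the original page or of any vendor tool, generalizes the roadmap to any number of branches: it derives the KS ACL rules for every branch-to-headquarters flow from the branch subnets, writes one ike user-table entry per GM with a distinct pre-shared key (the page reuses one key for both GMs, which lets a compromised branch register with the KS as any other branch), and renders the GM configuration file. The Gateway record, the function names, the /24 assumption for the public-side networks, and the use of the first host address of each LAN on the GM are this example's own assumptions; the CLI keywords are those used in the configuration files above.

```python
"""Derive per-branch GM and KS configuration for N branches (added example)."""
import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Gateway:
    name: str      # sysname, e.g. GM_1
    wan_ip: str    # public address; also the IKE identity the KS user-table checks
    next_hop: str  # public-side next hop for the GM's static routes
    lan: str       # private subnet behind this GM, CIDR notation
    # A distinct random key per GM (assumption of this example; the page
    # reuses one key) so that one compromised branch cannot impersonate another.
    psk: str = field(default_factory=lambda: secrets.token_urlsafe(24))


HQ = Gateway("GM_2", "2.1.1.1", "2.1.1.2", "10.1.2.0/24")   # headquarters, as on the page
KS_IP = "3.1.1.1"
REKEY_GROUP = "239.0.1.2"
GROUP_ID = 10


def wildcard(cidr):
    """'10.1.1.0/24' -> '10.1.1.0 0.0.0.255' (network plus wildcard mask, ACL syntax)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.hostmask}"


def ks_acl_rules(branches, hq=HQ, start=5, step=5):
    """Permit rules for both directions of every branch<->HQ flow.

    The KS pushes this one ACL to every GM, so it must list all flows; for the
    single branch on the page it yields exactly rules 5 and 10 of ACL 3001.
    """
    rules, num = [], start
    for gm in branches:
        for src, dst in ((gm.lan, hq.lan), (hq.lan, gm.lan)):
            rules.append(f" rule {num} permit ip source {wildcard(src)} destination {wildcard(dst)}")
            num += step
    return rules


def ks_user_table(gateways, table=10):
    """ike user-table block: one user per GM, keyed by its public IP identity."""
    lines = [f"ike user-table {table}"]
    for gm in gateways:
        lines.append(f" user {gm.name.lower().replace('_', '')} id-type ip {gm.wan_ip}")
        lines.append(f"  pre-shared-key cipher {gm.psk}")   # entered in clear, stored encrypted
    return lines


def gm_config(gm, peers, ks_ip=KS_IP):
    """Configuration file for one GM; `peers` are the other GMs it must reach."""
    def route(cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        return f"ip route-static {net.network_address} {net.netmask} {gm.next_hop}"

    # Assumption: public-side networks are /24, as in the example topology.
    routes = ([route(f"{p.wan_ip}/24") for p in peers] + [route(f"{ks_ip}/24")]
              + [route(p.lan) for p in peers])
    lan = ipaddress.ip_network(gm.lan)
    lan_ip = next(lan.hosts())            # GM takes the first host address (10.1.1.1 on the page)
    return "\n".join([
        "#", f" sysname {gm.name}", "#", " multicast routing-enable", "#",
        f"ipsec gdoi multicast-rekey ip {REKEY_GROUP}", "#",
        "ike proposal 5", " encryption-algorithm aes-128", " dh group14",
        " authentication-algorithm sha2-256", " authentication-method pre-share", "#",
        "ike peer spub", " undo version 2", f" pre-shared-key cipher {gm.psk}",
        " ike-proposal 5", f" remote-address {ks_ip}", "#",
        "ipsec policy map1 10 gdoi", f" group identity number {GROUP_ID}", " ike-peer spub", "#",
        "interface GigabitEthernet1/0/0", f" ip address {gm.wan_ip} 255.255.255.0",
        " pim dm", f" igmp static-group {REKEY_GROUP}", " ipsec policy map1", "#",
        "interface GigabitEthernet2/0/0", f" ip address {lan_ip} {lan.netmask}", "#",
        *routes, "#", "return",
    ])


if __name__ == "__main__":
    branches = [Gateway("GM_1", "1.1.1.1", "1.1.1.2", "10.1.1.0/24"),
                Gateway("GM_3", "4.1.1.1", "4.1.1.2", "10.1.3.0/24")]
    print("\n".join(["acl number 3001", *ks_acl_rules(branches)]))
    print("\n".join(ks_user_table(branches + [HQ])))
    print(gm_config(branches[0], [HQ]))
```

With the single branch from this example the generator reproduces ACL 3001 and the GM_1 file shown above (apart from the key); adding a branch adds two ACL rules, one user-table entry, and one file, and nothing else on the KS changes.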