Example for Configuring Services to be Protected by A2A VPN Between a Branch and the Headquarters

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010 CLI-based Configuration Guide - VPN

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Example for Configuring Services to be Protected by A2A VPN Between a Branch and the Headquarters

Networking Requirements

A large enterprise has many widely distributed branches with a large number of multicast services. As shown in Figure 6-9, GM_1 is the enterprise branch gateway (only one branch in this example) and GM_2 is the enterprise headquarters gateway. The branch communicates with the headquarters through the public network.

To protect services between the branch and headquarters, you can deploy A2A VPN between them.

Figure 6-9 Networking for configuring services to be protected by A2A VPN between the branch and headquarters

When the KS connects to a GM, you need to confirm the signature hash algorithm supported by the GM. For example, the GM running a software version earlier than V200R010C00 supports only the SHA1 algorithm.

When the DH algorithm is group2, run the packet-type ipsec-ike rate-limit command in the KS attack defense policy view to set the rate limit of IKE packets sent to the CPU to be less than or equal to 75. Otherwise, the CPU usage of the KS becomes high. When the DH algorithm is group14, run the packet-type ipsec-ike rate-limit command in the KS attack defense policy view to set the rate limit of IKE packets sent to the CPU to be less than or equal to 20. Otherwise, the CPU usage of the KS becomes high.

Configuration Roadmap

Configure an IP address and static routes on each interface of the GMs and KS to implement communication between them.
Configure an ACL on the KS to define the data flows to be protected by the A2A VPN.
Configure IKE on the GMs and KS to define the attributes of IKE negotiation.
Configure an IPSec proposal on the KS to define the protection method used for the A2A VPN.
Configure a GDOI policy on each GM and apply the policy to the interfaces. Configure a GDOI group on the KS and define group policies to be pushed to the GMs.

Procedure

Configure the KS.

Configure the interface IP address and static routes to the peers.

# Configure the interface IP address and enable the multicast function.

<Huawei> system-view
[Huawei] sysname KS
[KS] multicast routing-enable
[KS] interface gigabitethernet 1/0/0
[KS-GigabitEthernet1/0/0] ip address 3.1.1.1 255.255.255.0
[KS-GigabitEthernet1/0/0] pim dm
[KS-GigabitEthernet1/0/0] igmp static-group 239.0.1.2
[KS-GigabitEthernet1/0/0] quit

# Configure static routes to the peers. The following sample assumes that the next-hop IP address is 3.1.1.2.

[KS] ip route-static 1.1.1.0 255.255.255.0 3.1.1.2
[KS] ip route-static 2.1.1.0 255.255.255.0 3.1.1.2

Define the data flows to be protected by the A2A VPN.

[KS] acl 3001
[KS-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[KS-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[KS-acl-adv-3001] quit

Configure an IKE proposal.

[KS] ike proposal 5
[KS-ike-proposal-5] authentication-method pre-share
[KS-ike-proposal-5] encryption-algorithm aes-128
[KS-ike-proposal-5] authentication-algorithm sha2-256
[KS-ike-proposal-5] dh group14
[KS-ike-proposal-5] quit

Configure an IPSec proposal.

[KS] ipsec proposal tran1
[KS-ipsec-proposal-tran1] encapsulation-mode tunnel
[KS-ipsec-proposal-tran1] transform esp
[KS-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[KS-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[KS-ipsec-proposal-tran1] quit

Configure a GDOI group.

# Configure the pre-shared keys for the GMs in the IKE user table.

[KS] ike user-table 10
[KS-ike-user-table-10] user gm1
[KS-ike-user-table-10-gm1] id-type ip 1.1.1.1
[KS-ike-user-table-10-gm1] pre-shared-key Huawei@123
[KS-ike-user-table-10-gm1] quit
[KS-ike-user-table-10] user gm2
[KS-ike-user-table-10-gm2] id-type ip 2.1.1.1
[KS-ike-user-table-10-gm2] pre-shared-key Huawei@123
[KS-ike-user-table-10-gm2] quit
[KS-ike-user-table-10] quit

# Configure an RSA key pair.

[KS] pki rsa local-key-pair create keytest modulus 2048 exportable
 Info: The name of the new key-pair will be: keytest
 Generating key-pairs...
.+++
......+++

# Configure GDOI group policies.

[KS] gdoi ks group test
[KS-gdoi-group-test] group identity number 10
[KS-gdoi-group-test] source address 3.1.1.1
[KS-gdoi-group-test] user-table 10
[KS-gdoi-group-test] rekey transport-type multicast
[KS-gdoi-group-test] rekey destination address 239.0.1.2
[KS-gdoi-group-test] rekey encryption-algorithm aes-128
[KS-gdoi-group-test] rekey sig-hash-algorithm sha2-512
[KS-gdoi-group-test] rekey authentication public-key rsa keytest
[KS-gdoi-group-test] ipsec 5
[KS-gdoi-group-test-ipsec-5] proposal tran1
[KS-gdoi-group-test-ipsec-5] security acl 3001
[KS-gdoi-group-test-ipsec-5] quit
[KS-gdoi-group-test] quit

Configure GM_1. The configuration of GM_2 is similar to that of GM_1 and is not mentioned here.

Configure the interface IP addresses and static routes to the peers.

# Configure the interface IP addresses.

<Huawei> system-view
[Huawei] sysname GM_1
[GM_1] interface gigabitethernet 1/0/0 
[GM_1-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
[GM_1-GigabitEthernet1/0/0] quit
[GM_1] interface gigabitethernet 2/0/0
[GM_1-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
[GM_1-GigabitEthernet2/0/0] quit

# Configure static routes to the peers. The following sample assumes that the next-hop IP address is 1.1.1.2.

[GM_1] ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
[GM_1] ip route-static 3.1.1.0 255.255.255.0 1.1.1.2
[GM_1] ip route-static 10.1.2.0 255.255.255.0 1.1.1.2

Configure an IKE peer. The IKE negotiation parameters must be the same as those on the KS.

# Configure an IKE proposal.

[GM_1] ike proposal 5
[GM_1-ike-proposal-5] authentication-method pre-share
[GM_1-ike-proposal-5] encryption-algorithm aes-128
[GM_1-ike-proposal-5] authentication-algorithm sha2-256
[GM_1-ike-proposal-5] dh group14
[GM_1-ike-proposal-5] quit

# Configure an IKE peer.

[GM_1] ike peer spub
[GM_1-ike-peer-spub] undo version 2
[GM_1-ike-peer-spub] ike-proposal 5
[GM_1-ike-peer-spub] pre-shared-key cipher Huawei@123
[GM_1-ike-peer-spub] remote-address 3.1.1.1
[GM_1-ike-peer-spub] quit

Configure a GDOI policy. The group ID of the GM must be the same as that of the KS.

[GM_1] ipsec policy map1 10 gdoi
[GM_1-ipsec-policy-gdoi-map1-10] group identity number 10
[GM_1-ipsec-policy-gdoi-map1-10] ike-peer spub
[GM_1-ipsec-policy-gdoi-map1-10] quit

Configure an IP address for multicast rekey messages. The IP address must be the same as that configured on the KS.

[GM_1] multicast routing-enable
[GM_1] ipsec gdoi multicast-rekey ip 239.0.1.2
[GM_1] interface gigabitethernet 1/0/0
[GM_1-GigabitEthernet1/0/0] pim dm
[GM_1-GigabitEthernet1/0/0] igmp static-group 239.0.1.2
[GM_1-GigabitEthernet1/0/0] quit

Apply the GDOI policy group to the interface.

[GM_1] interface gigabitethernet 1/0/0
[GM_1-GigabitEthernet1/0/0] ipsec policy map1
[GM_1-GigabitEthernet1/0/0] quit

Verify the configuration.

# After the configuration is complete, run the display ike sa command on the devices to view information about the IKE SAs. The command output shows that the IKE SAs between the KS and GM_1/GM_2 are successfully established. The following uses the KS as an example:

[KS] display ike sa
 Conn-ID    Peer            VPN         Flag(s)     Phase  RemoteType  RemoteID
--------------------------------------------------------------------------------
 628        1.1.1.1:848                 RD|A        v1:1   IP          1.1.1.1
 602        2.1.1.1:848                 RD|A        v1:1   IP          2.1.1.1

  Number of IKE SA : 2
--------------------------------------------------------------------------------

 Flag Description:
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
 HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
 M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

# Run the display gdoi ks sa command on the KS. If information about the TEK SA and KEK SA is displayed, the KS has successfully pushed the security policies to the GMs.

[KS] display gdoi ks sa
===============================================
GDOI group: test
===============================================
   KEK SA
    SPI : 0x2ad569a935d15b75174446fbb0feaf5b
    Rekey transport type        : multicast
    Encrypt algorithm           : AES-128
    Encrypt iv length (bits)    : 128
    Encrypt key length (bits)   : 128
    Signature hash algorithm    : SHA2-512
    Signature key length (bits) : 2160
    Signature algorithm         : SIG_ALG_RSA
    Rekey current sequence      : 3
    Rekey next sequence         : 4
    SA lifetime (secs)          : 86400
    SA remaining lifetime (secs): 85886
    Next rekey time (secs)      : 85816

   TEK SA
    SPI          : 770043396 (0x2de5ee04)
    Security acl : 3001
    Proposal     : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
    Encrypt key length (bits)   : 128
    Auth key length (bits)      : 256
    Anti-replay (time-based)    : disable
    SA lifetime (secs)          : 3600
    SA remaining lifetime (secs): 1613
    Next rekey time (secs)      : 0

   TEK SA
    SPI          : 3948200379 (0xeb54c1bb)
    Security acl : 3001
    Proposal     : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
    Encrypt key length (bits)   : 128
    Auth key length (bits)      : 256
    Anti-replay (time-based)    : disable
    SA lifetime (secs)          : 3600
    SA remaining lifetime (secs): 3477
    Next rekey time (secs)      : 3347

# Run the display ipsec gdoi-sa command on each GM to display information about the GDOI SA. The following uses GM_1 as an example:

[GM_1] display ipsec gdoi-sa
===============================
Interface: GigabitEthernet1/0/0
 Path MTU: 0
===============================
  ---------------------------------
  Gdoi policy name         : "map1"
  Sequence number          : 10
  ---------------------------------
    [TEK SA]
    Protected vrf : 0
    Protocol: 0/permit
    Flow source      : 10.1.1.0/255.255.255.0/0
    Flow destination : 10.1.2.0/255.255.255.0/0

    Protocol: 0/permit
    Flow source      : 10.1.2.0/255.255.255.0/0
    Flow destination : 10.1.1.0/255.255.255.0/0

    Inpacket count            : 0
    Inpacket decap count      : 0
    Outpacket count           : 0
    Outpacket encap count     : 0
    Inpacket drop count       : 0
    Outpacket drop count      : 0
    Anti-replay drop count    : 0

    SA mode : normal
    SPI: 3777428122 (0xe126fa9a)
    Proposal : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
    SA remaining lifetime (secs) : 3199
    Anti-replay (time based) : disable

    [KEK POLICY]
    Rekey transport type        : multicast
    SPI: 0x928fd244e99fd837ee252ee3b428eed2
    Received rekey seqno        : 52
    Lifetime (secs)             : 40894
    Encrypt algorithm           : AES
    Encrypt key size            : 128
    Signature hash algorithm    : HMAC_AUTH_SHA2_512
    Signature key length (bits) : 2160
    Signature algorithm         : SIG_ALG_RSA

# Run the ping -a source-ip-address host command on each GM to ping the private IP address. If the ping operation succeeds, services on both ends can be forwarded normally. The following uses GM_1 as an example:

[GM_1] ping -a 10.1.1.1 10.1.2.2
  PING 10.1.2.2: 56  data bytes, press CTRL_C to break
    Reply from 10.1.2.2: bytes=56 Sequence=1 ttl=255 time=89 ms
    Reply from 10.1.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.1.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.1.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.1.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 10.1.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/18/89 ms

Configuration Files

KS configuration file

#
 sysname KS
#
multicast routing-enable
# 
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike user-table 10
 user gm2
  id-type ip 2.1.1.1
  pre-shared-key %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
 user gm1
  id-type ip 1.1.1.1
  pre-shared-key %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
#
gdoi ks group test
 group identity number 10
 rekey destination address 239.0.1.2
 rekey sig-hash-algorithm sha2-512
 rekey encryption-algorithm aes-128
 user-table 10
 rekey authentication public-key rsa keytest
 ipsec 5
  proposal tran1
  security acl 3001
 source address 3.1.1.1
#
interface GigabitEthernet1/0/0
 ip address 3.1.1.1 255.255.255.0
 pim dm
 igmp static-group 239.0.1.2
#
ip route-static 1.1.1.0 255.255.255.0 3.1.1.2
ip route-static 2.1.1.0 255.255.255.0 3.1.1.2
#
return

GM_1 configuration file

#
 sysname GM_1
#
multicast routing-enable
# 
ipsec gdoi multicast-rekey ip 239.0.1.2
#  
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike peer spub
 undo version 2
 pre-shared-key cipher %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
 ike-proposal 5
 remote-address 3.1.1.1
#
ipsec policy map1 10 gdoi
 group identity number 10
 ike-peer spub
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
 pim dm
 igmp static-group 239.0.1.2
 ipsec policy map1
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
ip route-static 3.1.1.0 255.255.255.0 1.1.1.2
ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
#
return

GM_2 configuration file

#
 sysname GM_2
#
multicast routing-enable
# 
ipsec gdoi multicast-rekey ip 239.0.1.2
#  
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike peer spub
 undo version 2
 pre-shared-key cipher %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
 ike-proposal 5
 remote-address 3.1.1.1
#
ipsec policy map1 10 gdoi
 group identity number 10
 ike-peer spub
#
interface GigabitEthernet1/0/0
 ip address 2.1.1.1 255.255.255.0
 pim dm
 igmp static-group 239.0.1.2
 ipsec policy map1
#
interface GigabitEthernet2/0/0
 ip address 10.1.2.1 255.255.255.0
#
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
ip route-static 3.1.1.0 255.255.255.0 2.1.1.2
ip route-static 10.1.1.0 255.255.255.0 2.1.1.2
#
return

Translation

简体中文

Download

Updated: 2022-05-16

Document ID: EDOC1100033725

Downloads: 1010

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode