CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring IPSec Gateway Redundancy Control

Networking Requirements

In Figure 5-64, the branch communicates with the headquarters over the Internet. To improve reliability, the branch connects to the headquarters gateway RouterC through two branch gateways RouterA and RouterB, and the two branch gateways form a VRRP group to implement gateway redundancy.

The enterprise wants traffic transmitted between the branch and headquarters to be protected. If the master device RouterA is faulty, the backup device RouterB takes over as the master device. After RouterA recovers from the failure, it becomes the master device again to act as the gateway.

Figure 5-64  Configuring IPSec gateway redundancy control

Configuration Roadmap

An IPSec tunnel can be established between the headquarters gateway and branch gateway to protect traffic transmitted between the headquarters and branch over the Internet. The configuration roadmap is as follows:

  1. Configure IP addresses for interfaces and configure static routes to the remote end to ensure that there are reachable routes between two ends.

  2. Configure a VRRP group on RouterA and RouterB to implement gateway redundancy.

  3. Configure an ACL on RouterA and RouterB to define IPSec-protected data flows.

  4. Configure an IPSec proposal to define the traffic protection method.

  5. Configure an IKE peer.

  6. Configure an IPSec policy to protect data flows.

    • Configure RouterA and RouterB to control IPSec tunnel setup or teardown according to the VRRP status. This configuration ensures that traffic can be switched to the other gateway for transmission after one gateway is faulty.
    • Configure an IPSec policy using an IPSec policy template on RouterC to respond to the branch gateway access request.
  7. Apply the IPSec policy to interfaces to enable IPSec protection.
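The following is an added example, not part of the Huawei guide: a small Python model of the redundancy control described in step 6, where the IPSec policy tracks the VRRP state (connect on master, disconnect on backup). It uses the priorities (120/80) and the 20 s preemption delay from this example and replays the failover and switch-back of the verification section; the class and function names are my own, and VRRP timers are simplified to a per-second tick.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class BranchGateway:
    name: str
    priority: int                      # VRRP priority (RouterA 120, RouterB 80)
    preempt_delay: int = 0             # preemption delay in seconds (RouterA 20)
    link_up: bool = True               # state of the VRRP interface GE0/0/2
    vrrp_state: str = "Backup"         # Master / Backup / Initialize
    tunnel_up: bool = False            # IPSec tunnel to RouterC established?
    preempt_at: Optional[int] = None   # time at which a pending preemption fires

def vrrp_tick(gws: List[BranchGateway], now: int) -> None:
    """Recompute VRRP roles at time `now` and apply the IPSec tracking rules."""
    for g in gws:
        if not g.link_up:              # tracked interface down: leave the group
            g.vrrp_state, g.preempt_at = "Initialize", None
    live = [g for g in gws if g.link_up]
    master = next((g for g in live if g.vrrp_state == "Master"), None)
    if master is None and live:
        # no master (the old one failed): the highest priority takes over at once
        # (the real protocol waits Master_Down_Interval first; simplified here)
        master = max(live, key=lambda g: g.priority)
        master.vrrp_state = "Master"
    for g in live:
        if g is master:
            continue
        g.vrrp_state = "Backup"
        if g.priority > master.priority:
            # higher-priority router is back: it preempts only after its delay
            if g.preempt_at is None:
                g.preempt_at = now + g.preempt_delay
            if now >= g.preempt_at:
                master.vrrp_state = "Backup"
                g.vrrp_state, g.preempt_at = "Master", None
                master = g
        else:
            g.preempt_at = None
    # Redundancy control from step 6: "connect track ... master" brings the
    # tunnel up on the master, "disconnect track ... backup" tears it down elsewhere.
    for g in gws:
        g.tunnel_up = g.vrrp_state == "Master"

def active_gateway(gws: List[BranchGateway]) -> str:
    """Name of the one branch gateway whose tunnel is up (RouterC's 'Tunnel remote')."""
    up = [g.name for g in gws if g.tunnel_up]
    if len(up) != 1:
        raise RuntimeError(f"expected exactly one active tunnel, got {up}")
    return up[0]

def run_scenario() -> List[tuple]:
    """Replay verification steps 8.1 to 8.3; returns (time, active gateway) per event."""
    a = BranchGateway("RouterA", priority=120, preempt_delay=20)
    b = BranchGateway("RouterB", priority=80)
    gws, log = [a, b], []
    def at(t):
        vrrp_tick(gws, t)
        log.append((t, active_gateway(gws)))
    at(0)                          # both up: RouterA (120) is master and holds the tunnel
    a.link_up = False; at(1)       # step 8.2: shutdown GE0/0/2 on RouterA -> RouterB takes over
    a.link_up = True;  at(2)       # step 8.3: undo shutdown; RouterA waits 20 s
    at(21)                         # still inside the preemption delay
    at(22)                         # 20 s elapsed: RouterA preempts, tunnel moves back
    return log
```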

Procedure

  1. Configure IP addresses for interfaces and configure static routes to the remote end to ensure that there are reachable routes between RouterA, RouterB, and RouterC.

    # On RouterA, configure IP addresses for interfaces and configure a static route to the remote end. This example assumes that the next-hop address of the static route to the headquarters gateway is 1.1.1.2.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ip address 1.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet0/0/1] quit
    [RouterA] interface gigabitethernet 0/0/2
    [RouterA-GigabitEthernet0/0/2] ip address 10.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet0/0/2] quit
    [RouterA] ip route-static 0.0.0.0 0 1.1.1.2
    

    # On RouterB, configure IP addresses for interfaces and configure a static route to the remote end. This example assumes that the next-hop address of the static route to the headquarters gateway is 1.1.2.2.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 0/0/1 
    [RouterB-GigabitEthernet0/0/1] ip address 1.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet0/0/1] quit
    [RouterB] interface gigabitethernet 0/0/2
    [RouterB-GigabitEthernet0/0/2] ip address 10.1.1.2 255.255.255.0
    [RouterB-GigabitEthernet0/0/2] quit
    [RouterB] ip route-static 0.0.0.0 0 1.1.2.2
    

    # On RouterC, configure IP addresses for interfaces and configure a static route to the remote end. This example assumes that the next-hop address of the static route to the branch gateway is 2.1.1.2.

    <Huawei> system-view
    [Huawei] sysname RouterC
    [RouterC] interface gigabitethernet 0/0/1 
    [RouterC-GigabitEthernet0/0/1] ip address 2.1.1.1 255.255.255.0
    [RouterC-GigabitEthernet0/0/1] quit
    [RouterC] interface gigabitethernet 0/0/2
    [RouterC-GigabitEthernet0/0/2] ip address 10.2.1.1 255.255.255.0
    [RouterC-GigabitEthernet0/0/2] quit
    [RouterC] ip route-static 0.0.0.0 0 2.1.1.2
    

  2. Configure a VRRP group on RouterA and RouterB.

    # Configure VRRP group 1 on RouterA, and set the VRRP priority of RouterA to 120 and the preemption delay to 20s.

    [RouterA] interface gigabitethernet 0/0/2
    [RouterA-GigabitEthernet0/0/2] vrrp vrid 1 virtual-ip 10.1.1.11
    [RouterA-GigabitEthernet0/0/2] vrrp vrid 1 priority 120
    [RouterA-GigabitEthernet0/0/2] vrrp vrid 1 preempt-mode timer delay 20
    [RouterA-GigabitEthernet0/0/2] quit
    

    # Configure VRRP group 1 on RouterB, and set the VRRP priority of RouterB to 80.

    [RouterB] interface gigabitethernet 0/0/2
    [RouterB-GigabitEthernet0/0/2] vrrp vrid 1 virtual-ip 10.1.1.11
    [RouterB-GigabitEthernet0/0/2] vrrp vrid 1 priority 80
    [RouterB-GigabitEthernet0/0/2] quit
    

  3. Configure an ACL on RouterA and RouterB to define the data flows to be protected.

    # Configure RouterA.

    [RouterA] acl number 3002
    [RouterA-acl-adv-3002] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
    [RouterA-acl-adv-3002] quit

    # Configure RouterB.

    [RouterB] acl number 3002
    [RouterB-acl-adv-3002] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
    [RouterB-acl-adv-3002] quit

  4. Configure an IPSec proposal.

    # Configure RouterA.

    [RouterA] ipsec proposal tran1
    [RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-256
    [RouterA-ipsec-proposal-tran1] quit

    # Configure RouterB.

    [RouterB] ipsec proposal tran1
    [RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterB-ipsec-proposal-tran1] esp encryption-algorithm aes-256
    [RouterB-ipsec-proposal-tran1] quit

    # Configure RouterC.

    [RouterC] ipsec proposal tran1
    [RouterC-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterC-ipsec-proposal-tran1] esp encryption-algorithm aes-256
    [RouterC-ipsec-proposal-tran1] quit

  5. Configure an IKE proposal and an IKE peer.

    # Configure RouterA.

    [RouterA] ike proposal 5
    [RouterA-ike-proposal-5] encryption-algorithm aes-256
    [RouterA-ike-proposal-5] authentication-algorithm sha2-256
    [RouterA-ike-proposal-5] dh group14
    [RouterA-ike-proposal-5] quit
    [RouterA] ike peer rut1
    [RouterA-ike-peer-rut1] undo version 2
    [RouterA-ike-peer-rut1] ike-proposal 5
    [RouterA-ike-peer-rut1] pre-shared-key cipher Huawei@123
    [RouterA-ike-peer-rut1] remote-address 2.1.1.1
    [RouterA-ike-peer-rut1] quit

    # Configure RouterB.

    [RouterB] ike proposal 5
    [RouterB-ike-proposal-5] encryption-algorithm aes-256
    [RouterB-ike-proposal-5] authentication-algorithm sha2-256
    [RouterB-ike-proposal-5] dh group14
    [RouterB-ike-proposal-5] quit
    [RouterB] ike peer rut1
    [RouterB-ike-peer-rut1] undo version 2
    [RouterB-ike-peer-rut1] ike-proposal 5
    [RouterB-ike-peer-rut1] pre-shared-key cipher Huawei@123
    [RouterB-ike-peer-rut1] remote-address 2.1.1.1
    [RouterB-ike-peer-rut1] quit

    # Configure RouterC.

    [RouterC] ike proposal 5
    [RouterC-ike-proposal-5] encryption-algorithm aes-256
    [RouterC-ike-proposal-5] authentication-algorithm sha2-256
    [RouterC-ike-proposal-5] dh group14
    [RouterC-ike-proposal-5] quit
    [RouterC] ike peer rut1
    [RouterC-ike-peer-rut1] undo version 2
    [RouterC-ike-peer-rut1] ike-proposal 5
    [RouterC-ike-peer-rut1] pre-shared-key cipher Huawei@123
    [RouterC-ike-peer-rut1] quit

  6. Configure an IPSec policy.

    # Configure an IPSec policy in ISAKMP mode on RouterA.

    [RouterA] ipsec policy policy1 10 isakmp
    [RouterA-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterA-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterA-ipsec-policy-isakmp-policy1-10] security acl 3002
    [RouterA-ipsec-policy-isakmp-policy1-10] connect track vrrp 1 interface gigabitethernet 0/0/2 master
    [RouterA-ipsec-policy-isakmp-policy1-10] disconnect track vrrp 1 interface gigabitethernet 0/0/2 backup
    [RouterA-ipsec-policy-isakmp-policy1-10] quit
    

    # Configure an IPSec policy in ISAKMP mode on RouterB.

    [RouterB] ipsec policy policy1 10 isakmp
    [RouterB-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterB-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterB-ipsec-policy-isakmp-policy1-10] security acl 3002
    [RouterB-ipsec-policy-isakmp-policy1-10] connect track vrrp 1 interface gigabitethernet 0/0/2 master
    [RouterB-ipsec-policy-isakmp-policy1-10] disconnect track vrrp 1 interface gigabitethernet 0/0/2 backup
    [RouterB-ipsec-policy-isakmp-policy1-10] quit
    

    # Configure an IPSec policy using an IPSec policy template on RouterC.

    [RouterC] ipsec policy-template temp1 10
    [RouterC-ipsec-policy-templet-temp1-10] ike-peer rut1
    [RouterC-ipsec-policy-templet-temp1-10] proposal tran1
    [RouterC-ipsec-policy-templet-temp1-10] quit
    [RouterC] ipsec policy policy1 10 isakmp template temp1

  7. Apply the IPSec policy to interfaces to enable IPSec protection.

    # Apply the IPSec policy to an interface on RouterA.

    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterA-GigabitEthernet0/0/1] quit

    # Apply the IPSec policy to an interface on RouterB.

    [RouterB] interface gigabitethernet 0/0/1
    [RouterB-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterB-GigabitEthernet0/0/1] quit

    # Apply the IPSec policy to an interface on RouterC.

    [RouterC] interface gigabitethernet 0/0/1
    [RouterC-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterC-GigabitEthernet0/0/1] quit
    

  8. Verify the configuration.

    1. PC_1 can ping PC_2 successfully, and data transmitted between them is encrypted.

      # Run the display ipsec sa command on RouterC to check the configuration.

      [RouterC] display ipsec sa
      ipsec sa information:
      
      ===============================
      Interface: GigabitEthernet0/0/1
      ===============================
      
        -----------------------------
        IPSec policy name: "policy1"
        Sequence number  : 1
        Acl group        : 3002
        Acl rule         : 5
        Mode             : ISAKMP
        -----------------------------
          Connection ID     : 2
          Encapsulation mode: Tunnel
          Holding time      : 0d 0h 26m 12s
          Tunnel local      : 2.1.1.1:500
          Tunnel remote     : 1.1.1.1:500
          Flow source       : 10.2.1.0/255.255.255.0 0/0
          Flow destination  : 10.1.1.0/255.255.255.0 0/0
      
          [Outbound ESP SAs]
            SPI: 184667519 (0xb01cd7f)
            Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
            SA remaining key duration (kilobytes/sec): 1843197/2030
            Outpacket count       : 40
            Outpacket encap count : 40
            Outpacket drop count  : 0
            Slice Failure: 0
            Max sent sequence-number: 40
            UDP encapsulation used for NAT traversal: N
      
          [Inbound ESP SAs]
            SPI: 4822111 (0x49945f)
            Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
            SA remaining key duration (kilobytes/sec): 1843145/2030
            Inpacket count        : 40
            Inpacket decap count  : 40
            Inpacket drop count   : 0
            Authentication Failure: 0
            Replay Failure: 0
            Decrypt Check Failure:  0
            Max received sequence-number: 40
            UDP encapsulation used for NAT traversal: N
            Anti-replay : Enable
            Anti-replay window size: 1024

      The preceding command output shows that traffic from PC_1 to PC_2 is transmitted by RouterA.

    2. Traffic is switched to RouterB for transmission after GE0/0/2 of RouterA is shut down.

      # Run the shutdown command on GE0/0/2 of RouterA, and then run the display ipsec sa command on RouterC to check the configuration.

      [RouterC] display ipsec sa
      ipsec sa information:
      
      ===============================
      Interface: GigabitEthernet0/0/1
      ===============================
      
        -----------------------------
        IPSec policy name: "policy1"
        Sequence number  : 1
        Acl group        : 3002
        Acl rule         : 5
        Mode             : ISAKMP
        -----------------------------
          Connection ID     : 2
          Encapsulation mode: Tunnel
          Holding time      : 0d 0h 26m 12s
          Tunnel local      : 2.1.1.1:500
          Tunnel remote     : 1.1.2.1:500
          Flow source       : 10.2.1.0/255.255.255.0 0/0
          Flow destination  : 10.1.1.0/255.255.255.0 0/0
      
          [Outbound ESP SAs]
            SPI: 184667519 (0xb01cd7f)
            Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
            SA remaining key duration (kilobytes/sec): 1843197/2030
            Outpacket count       : 40
            Outpacket encap count : 40
            Outpacket drop count  : 0
            Slice Failure: 0
            Max sent sequence-number: 40
            UDP encapsulation used for NAT traversal: N
      
          [Inbound ESP SAs]
            SPI: 4822111 (0x49945f)
            Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
            SA remaining key duration (kilobytes/sec): 1843145/2030
            Inpacket count        : 40
            Inpacket decap count  : 40
            Inpacket drop count   : 0
            Authentication Failure: 0
            Replay Failure: 0
            Decrypt Check Failure:  0
            Max received sequence-number: 40
            UDP encapsulation used for NAT traversal: N
            Anti-replay : Enable
            Anti-replay window size: 1024

      The preceding command output shows that traffic is transmitted by RouterB.

    3. Traffic is switched back to RouterA for transmission 20s after GE0/0/2 of RouterA is enabled again.

      # Run the undo shutdown command on GE0/0/2 of RouterA, and then run the display ipsec sa command on RouterC to check the configuration.

      [RouterC] display ipsec sa
      ipsec sa information:
      
      ===============================
      Interface: GigabitEthernet0/0/1
      ===============================
      
        -----------------------------
        IPSec policy name: "policy1"
        Sequence number  : 1
        Acl group        : 3002
        Acl rule         : 5
        Mode             : ISAKMP
        -----------------------------
          Connection ID     : 2
          Encapsulation mode: Tunnel
          Holding time      : 0d 0h 26m 12s
          Tunnel local      : 2.1.1.1:500
          Tunnel remote     : 1.1.1.1:500
          Flow source       : 10.2.1.0/255.255.255.0 0/0
          Flow destination  : 10.1.1.0/255.255.255.0 0/0
      
          [Outbound ESP SAs]
            SPI: 184667519 (0xb01cd7f)
            Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
            SA remaining key duration (kilobytes/sec): 1843197/2030
            Outpacket count       : 40
            Outpacket encap count : 40
            Outpacket drop count  : 0
            Slice Failure: 0
            Max sent sequence-number: 40
            UDP encapsulation used for NAT traversal: N
      
          [Inbound ESP SAs]
            SPI: 4822111 (0x49945f)
            Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
            SA remaining key duration (kilobytes/sec): 1843145/2030
            Inpacket count        : 40
            Inpacket decap count  : 40
            Inpacket drop count   : 0
            Authentication Failure: 0
            Replay Failure: 0
            Decrypt Check Failure:  0
            Max received sequence-number: 40
            UDP encapsulation used for NAT traversal: N
            Anti-replay : Enable
            Anti-replay window size: 1024

      The preceding command output shows that traffic is transmitted by RouterA. This indicates that the configurations are successful.
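As an added example (my own code, not from the Huawei guide), the three manual checks above can be scripted: the function below parses display ipsec sa output from RouterC, maps Tunnel remote to the branch gateway addresses from step 1, and flags non-zero drop, authentication or replay counters. The sample output is a constructed excerpt in the same layout as the page; the function and constant names are assumptions.

```python
import re

# Branch gateway public addresses from step 1 of the example
BRANCH_GATEWAYS = {"1.1.1.1": "RouterA", "1.1.2.1": "RouterB"}
EXPECTED_PROPOSAL = "ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128"

# Constructed excerpt of "display ipsec sa" on RouterC after the failover in
# step 8.2 (same layout as the page, fields not needed for the check omitted)
SAMPLE_AFTER_FAILOVER = """\
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/1
===============================
  IPSec policy name: "policy1"
  Mode             : ISAKMP
    Tunnel local      : 2.1.1.1:500
    Tunnel remote     : 1.1.2.1:500
    Flow source       : 10.2.1.0/255.255.255.0 0/0
    Flow destination  : 10.1.1.0/255.255.255.0 0/0
    [Outbound ESP SAs]
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      Outpacket drop count  : 0
    [Inbound ESP SAs]
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      Inpacket drop count   : 0
      Authentication Failure: 0
      Replay Failure: 0
      Anti-replay : Enable
"""

def parse_ipsec_sa(text):
    """Return the remote tunnel address and the key/value fields of each ESP SA."""
    info = {"remote": None, "outbound": {}, "inbound": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[Outbound ESP SAs]"):
            section = "outbound"
        elif line.startswith("[Inbound ESP SAs]"):
            section = "inbound"
        elif (m := re.match(r"Tunnel remote\s*:\s*([\d.]+):\d+", line)):
            info["remote"] = m.group(1)          # peer address, port dropped
        elif section and ":" in line:
            key, _, value = line.partition(":")  # "Replay Failure: 0" -> ("Replay Failure", "0")
            info[section][key.strip()] = value.strip()
    return info

def check_failover(text, expected_gateway):
    """Return (branch gateway holding the tunnel, findings); an empty list means healthy."""
    info = parse_ipsec_sa(text)
    gateway = BRANCH_GATEWAYS.get(info["remote"], f"unknown peer {info['remote']}")
    findings = []
    if gateway != expected_gateway:
        findings.append(f"tunnel terminates on {gateway}, expected {expected_gateway}")
    watched = {"outbound": ["Outpacket drop count"],
               "inbound": ["Inpacket drop count", "Authentication Failure", "Replay Failure"]}
    for direction, counters in watched.items():
        fields = info[direction]
        if fields.get("Proposal") != EXPECTED_PROPOSAL:   # negotiated algorithms must match tran1
            findings.append(f"{direction} proposal is {fields.get('Proposal')!r}")
        for name in counters:
            if fields.get(name, "0") != "0":
                findings.append(f"{direction} {name} = {fields[name]}")
    if info["inbound"].get("Anti-replay") != "Enable":
        findings.append("anti-replay is not enabled on the inbound SA")
    return gateway, findings
```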

Configuration Files

  • RouterA configuration file

    #
     sysname RouterA
    #
    acl number 3002
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 5
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %^%#oDRPE$1Da37|xCPSm+/5/-!{P3CaO/cdZ4EX"Sf"%^%# 
     ike-proposal 5
     remote-address 2.1.1.1
    #
    ipsec policy policy1 10 isakmp
     security acl 3002
     ike-peer rut1
     proposal tran1
     connect track vrrp 1 interface GigabitEthernet0/0/2 master 
     disconnect track vrrp 1 interface GigabitEthernet0/0/2 backup 
    #
    interface GigabitEthernet0/0/1
     ip address 1.1.1.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 10.1.1.1 255.255.255.0
     vrrp vrid 1 virtual-ip 10.1.1.11
     vrrp vrid 1 priority 120
     vrrp vrid 1 preempt-mode timer delay 20
    #
    ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
    #
    return
  • RouterB configuration file

    #
     sysname RouterB
    #
    acl number 3002
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 5
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %^%#oDRPE$1Da37|xCPSm+/5/-!{P3CaO/cdZ4EX"Sf"%^%# 
     ike-proposal 5
     remote-address 2.1.1.1
    #
    ipsec policy policy1 10 isakmp
     security acl 3002
     ike-peer rut1
     proposal tran1
     connect track vrrp 1 interface GigabitEthernet0/0/2 master 
     disconnect track vrrp 1 interface GigabitEthernet0/0/2 backup 
    #
    interface GigabitEthernet0/0/1
     ip address 1.1.2.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 10.1.1.2 255.255.255.0
     vrrp vrid 1 virtual-ip 10.1.1.11
     vrrp vrid 1 priority 80
    #
    ip route-static 0.0.0.0 0.0.0.0 1.1.2.2
    #
    return
  • RouterC configuration file

    #
     sysname RouterC
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 5
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %^%#oDRPE$1Da37|xCPSm+/5/-!{P3CaO/cdZ4EX"Sf"%^%# 
     ike-proposal 5
    #
    ipsec policy-template temp1 10
     ike-peer rut1
     proposal tran1
    #
    ipsec policy policy1 10 isakmp template temp1
    #
    interface GigabitEthernet0/0/1
     ip address 2.1.1.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 10.2.1.1 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 2.1.1.2
    #
    return
Updated: 2019-08-07

Document ID: EDOC1100033725
