CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring Rapid Switchover and Revertive Switching

Networking Requirements

As shown in Figure 5-62, the branch communicates with the headquarters over the public network. To improve reliability, the headquarters uses two gateways, RouterA and RouterB, to connect to the branch gateway RouterC.

The enterprise wants to protect the traffic exchanged between the headquarters and the branch and has the following requirements: under normal conditions, the branch communicates with the headquarters through RouterA. Traffic must be switched to RouterB when RouterA becomes faulty and switched back to RouterA when RouterA recovers.

Figure 5-62  Networking diagram for configuring rapid switchover and revertive switching

Configuration Roadmap

Since the branch and headquarters communicate over the public network, you can set up an IPSec tunnel between them to provide security protection. The configuration roadmap is as follows:

  1. Configure an IP address on each interface and static routes to the peer so that the interfaces can communicate with each other.

  2. Configure an NQA test instance to monitor the link between the branch gateway and headquarters gateway A.

  3. Configure ACLs to define the data flows to be protected by the IPSec tunnel.

  4. Configure IPSec proposals to define the traffic protection methods.

  5. Create IKE peers and configure the device to determine the validity of the peer address according to the NQA test instance status, so that traffic can be rapidly switched from gateway A to gateway B when gateway A fails. Enable revertive switching of the IKE peer to ensure that traffic can be switched back to gateway A when gateway A recovers.

  6. Configure IPSec policies to define the data protection methods.

  7. Apply the IPSec policies to interfaces so that the interfaces can protect traffic.

Procedure

  1. Configure an IP address for each interface and static routes to the peer on RouterA, RouterB, and RouterC to ensure that there are reachable routes among them.

    # Configure an IP address for each interface and static routes to the peer on RouterA. This example assumes that the next hop address in the route to the branch gateway is 60.1.1.2.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ip address 60.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet0/0/1] quit
    [RouterA] interface gigabitethernet 0/0/2
    [RouterA-GigabitEthernet0/0/2] ip address 192.168.1.2 255.255.255.0
    [RouterA-GigabitEthernet0/0/2] quit
    [RouterA] ip route-static 70.1.1.0 255.255.255.0 60.1.1.2
    [RouterA] ip route-static 192.168.2.0 255.255.255.0 60.1.1.2

    # Configure an IP address for each interface and static routes to the peer on RouterB. This example assumes that the next hop address in the route to the branch gateway is 60.1.2.2.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 0/0/1 
    [RouterB-GigabitEthernet0/0/1] ip address 60.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet0/0/1] quit
    [RouterB] interface gigabitethernet 0/0/2
    [RouterB-GigabitEthernet0/0/2] ip address 192.168.1.2 255.255.255.0
    [RouterB-GigabitEthernet0/0/2] quit
    [RouterB] ip route-static 70.1.1.0 255.255.255.0 60.1.2.2
    [RouterB] ip route-static 192.168.2.0 255.255.255.0 60.1.2.2

    # Configure an IP address for each interface and a static route to the peer on RouterC. This example assumes that the next hop addresses in the route to the headquarters gateways A and B are both 70.1.1.2.

    <Huawei> system-view
    [Huawei] sysname RouterC
    [RouterC] interface gigabitethernet 0/0/1 
    [RouterC-GigabitEthernet0/0/1] ip address 70.1.1.1 255.255.255.0
    [RouterC-GigabitEthernet0/0/1] quit
    [RouterC] interface gigabitethernet 0/0/2
    [RouterC-GigabitEthernet0/0/2] ip address 192.168.2.2 255.255.255.0
    [RouterC-GigabitEthernet0/0/2] quit
    [RouterC] ip route-static 0.0.0.0 0.0.0.0 70.1.1.2

  2. Configure an NQA test instance on RouterC.

    # Configure an NQA test instance of ICMP type (administrator name admin and instance name test) on RouterC to detect faults on the link 70.1.1.1/24 -> 60.1.1.1/24.

    [RouterC] nqa test-instance admin test
    [RouterC-nqa-admin-test] test-type icmp
    [RouterC-nqa-admin-test] destination-address ipv4 60.1.1.1
    [RouterC-nqa-admin-test] frequency 10
    [RouterC-nqa-admin-test] probe-count 2
    [RouterC-nqa-admin-test] start now
    [RouterC-nqa-admin-test] quit

  3. Configure an ACL on RouterA, RouterB, and RouterC respectively to define the data flows to be protected.

    # Configure an ACL on RouterA to define the data flows from subnet 192.168.1.0/24 to subnet 192.168.2.0/24. The configuration of RouterB is similar to that of RouterA, and is not provided here.

    [RouterA] acl number 3002
    [RouterA-acl-adv-3002] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    [RouterA-acl-adv-3002] quit

    # Configure an ACL on RouterC to define the data flows from subnet 192.168.2.0/24 to subnet 192.168.1.0/24.

    [RouterC] acl number 3002
    [RouterC-acl-adv-3002] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    [RouterC-acl-adv-3002] quit

  4. Create an IPSec proposal on RouterA, RouterB, and RouterC respectively.

    # Create an IPSec proposal on RouterA. The configurations of RouterB and RouterC are similar to that of RouterA, and are not provided here.

    [RouterA] ipsec proposal tran1
    [RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterA-ipsec-proposal-tran1] quit

  5. Configure an IKE proposal and an IKE peer on RouterA, RouterB, and RouterC respectively.

    # Configure an IKE proposal and an IKE peer on RouterA.

    [RouterA] ike proposal 5
    [RouterA-ike-proposal-5] encryption-algorithm aes-128
    [RouterA-ike-proposal-5] authentication-algorithm sha2-256
    [RouterA-ike-proposal-5] dh group14
    [RouterA-ike-proposal-5] quit
    [RouterA] ike peer rut1
    [RouterA-ike-peer-rut1] undo version 2
    [RouterA-ike-peer-rut1] ike-proposal 5
    [RouterA-ike-peer-rut1] pre-shared-key cipher Huawei@123
    [RouterA-ike-peer-rut1] quit

    # Configure an IKE proposal and an IKE peer on RouterB.

    [RouterB] ike proposal 5
    [RouterB-ike-proposal-5] encryption-algorithm aes-128
    [RouterB-ike-proposal-5] authentication-algorithm sha2-256
    [RouterB-ike-proposal-5] dh group14
    [RouterB-ike-proposal-5] quit
    [RouterB] ike peer rut1
    [RouterB-ike-peer-rut1] undo version 2
    [RouterB-ike-peer-rut1] ike-proposal 5
    [RouterB-ike-peer-rut1] pre-shared-key cipher Huawei@123
    [RouterB-ike-peer-rut1] quit

    # Configure an IKE proposal and IKE peer rut1 on RouterC, and set the address 60.1.1.1 to take effect when the status of the NQA test instance is Up and the address 60.1.2.1 to take effect when the status of the NQA test instance is Down.

    [RouterC] ike proposal 5
    [RouterC-ike-proposal-5] encryption-algorithm aes-128
    [RouterC-ike-proposal-5] authentication-algorithm sha2-256
    [RouterC-ike-proposal-5] dh group14
    [RouterC-ike-proposal-5] quit
    [RouterC] ike peer rut1
    [RouterC-ike-peer-rut1] undo version 2
    [RouterC-ike-peer-rut1] ike-proposal 5
    [RouterC-ike-peer-rut1] pre-shared-key cipher Huawei@123
    [RouterC-ike-peer-rut1] remote-address 60.1.1.1 track nqa admin test up
    [RouterC-ike-peer-rut1] remote-address 60.1.2.1 track nqa admin test down
    [RouterC-ike-peer-rut1] switch-back enable
    [RouterC-ike-peer-rut1] quit

  6. Configure an IPSec policy on RouterA, RouterB, and RouterC respectively.

    # Configure an IPSec policy using an IPSec policy template on RouterA.

    [RouterA] ipsec policy-template temp1 10
    [RouterA-ipsec-policy-templet-temp1-10] ike-peer rut1
    [RouterA-ipsec-policy-templet-temp1-10] proposal tran1
    [RouterA-ipsec-policy-templet-temp1-10] quit
    [RouterA] ipsec policy policy1 10 isakmp template temp1

    # Configure an IPSec policy using an IPSec policy template on RouterB.

    [RouterB] ipsec policy-template temp1 10
    [RouterB-ipsec-policy-templet-temp1-10] ike-peer rut1
    [RouterB-ipsec-policy-templet-temp1-10] proposal tran1
    [RouterB-ipsec-policy-templet-temp1-10] quit
    [RouterB] ipsec policy policy1 10 isakmp template temp1

    # Create an IPSec policy in ISAKMP mode on RouterC.

    [RouterC] ipsec policy policy1 10 isakmp
    [RouterC-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterC-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterC-ipsec-policy-isakmp-policy1-10] security acl 3002
    [RouterC-ipsec-policy-isakmp-policy1-10] quit

  7. Apply the IPSec policies to the corresponding interfaces on RouterA, RouterB, and RouterC so that the interfaces can protect traffic.

    # Apply the IPSec policy to the interface of RouterA.

    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterA-GigabitEthernet0/0/1] quit

    # Apply the IPSec policy to the interface of RouterB.

    [RouterB] interface gigabitethernet 0/0/1
    [RouterB-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterB-GigabitEthernet0/0/1] quit

    # Apply the IPSec policy to the interface of RouterC.

    [RouterC] interface gigabitethernet 0/0/1
    [RouterC-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterC-GigabitEthernet0/0/1] quit

  8. Verify the configuration.

    After completing the configuration:

    1. PC_1 can ping PC_2 successfully and data transmitted between them is encrypted.

      # Run the display ike sa command on RouterA and RouterB to view IKE SA information. The command output on RouterA is used as an example.

      [RouterA] display ike sa
      IKE SA information :
        Conn-ID  Peer          VPN   Flag(s)   Phase   RemoteType  RemoteID
        ---------------------------------------------------------------------------
        24366    70.1.1.1:500         RD        v1:2    IP          70.1.1.1
        24274    70.1.1.1:500         RD        v1:1    IP          70.1.1.1

        Number of IKE SA : 2
        ---------------------------------------------------------------------------

        Flag Description:
        RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
        HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
        M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

      # Run the display ike sa command on RouterC. The command output is as follows:

      [RouterC] display ike sa
      IKE SA information :
        Conn-ID  Peer          VPN   Flag(s)   Phase   RemoteType  RemoteID
        --------------------------------------------------------------------------
         937    60.1.1.1:500         RD|ST     v1:2    IP          60.1.1.1
         936    60.1.1.1:500         RD|ST     v1:1    IP          60.1.1.1
                                         
        Number of IKE SA : 2
        --------------------------------------------------------------------------
                                                                 
        Flag Description:           
        RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
        HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
        M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   

      The command output shows that an IKE SA is successfully established between the branch gateway and headquarters gateway A.

    2. Disconnect the link from the Internet to the headquarters gateway A. The IKE peer address changes to that of RouterB.

      # After you disconnect the link from the Internet to the headquarters gateway A, run the display nqa results test-instance admin test command on RouterC. The command output is as follows:

      [RouterC] display nqa results test-instance admin test

       NQA entry(admin, test) :testflag is active ,testtype is icmp
        1 . Test 26 result   The test is finished
         Send operation times: 2              Receive response times: 0
         Completion:failed                   RTD OverThresholds number: 0
         Attempts number:1                    Drop operation number:0
         Disconnect operation number:0        Operation timeout number:2
         System busy operation number:0       Connection fail number:0
         Operation sequence errors number:0   RTT Status errors number:0
         Destination ip address:60.1.1.1
         Min/Max/Average Completion Time: 0/0/0
         Sum/Square-Sum  Completion Time: 0/0
         Last Good Probe Time: 0000-00-00 00:00:00.0
         Lost packet ratio: 100 %
         ......

      The command output shows that the NQA test toward gateway A failed (Completion:failed, lost packet ratio 100%), so the status of the NQA test instance is Down.

      # Run the display ike sa command on RouterC. The command output is as follows:

      [RouterC] display ike sa
      IKE SA information :
        Conn-ID  Peer          VPN   Flag(s)   Phase   RemoteType  RemoteID
        --------------------------------------------------------------------------
        21576   60.1.2.1:500       RD        v1:2    IP          60.1.2.1
        21575   60.1.2.1:500       RD        v1:1    IP          60.1.2.1
                                         
        Number of IKE SA : 2
        --------------------------------------------------------------------------
                                                                 
        Flag Description:           
        RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
        HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
        M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   

      The command output shows that the IKE peer address is 60.1.2.1, indicating that traffic is switched to gateway B.

    3. Recover the link from the Internet to the headquarters gateway A. The IKE peer address changes back to that of RouterA.

      # After you recover the link from the Internet to the headquarters gateway A, run the display nqa results test-instance admin test command on RouterC. The command output is as follows:

      [RouterC] display nqa results test-instance admin test

       NQA entry(admin, test) :testflag is active ,testtype is icmp
        1 . Test 17 result   The test is finished
         Send operation times: 2              Receive response times: 2
         Completion:success                  RTD OverThresholds number: 0
         Attempts number:1                    Drop operation number:0
         Disconnect operation number:0        Operation timeout number:0
         System busy operation number:0       Connection fail number:0
         Operation sequence errors number:0   RTT Status errors number:0
         Destination ip address:60.1.1.1
         Min/Max/Average Completion Time: 3/4/3
         Sum/Square-Sum  Completion Time: 7/25
         Last Good Probe Time: 2014-09-26 16:38:07.3
         Lost packet ratio: 0 %
         ......

      The command output shows that the NQA test toward gateway A succeeded (Completion:success, lost packet ratio 0%), so the status of the NQA test instance is Up.

      # Run the display ike sa command on RouterC. The command output is as follows:

      [RouterC] display ike sa
      IKE SA information :
        Conn-ID  Peer          VPN   Flag(s)   Phase   RemoteType  RemoteID
        --------------------------------------------------------------------------
        21578   60.1.1.1:500       RD|ST     v1:2    IP          60.1.1.1
        21577   60.1.1.1:500       RD|ST     v1:1    IP          60.1.1.1
                                         
        Number of IKE SA : 2
        --------------------------------------------------------------------------
                                                                 
        Flag Description:           
        RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
        HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
        M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   

      The command output shows that the IKE peer address is 60.1.1.1, indicating that traffic is switched back to gateway A. Rapid switchover and revertive switching are successfully configured.
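
      The two verification outputs above can also be checked mechanically rather than by eye, which is useful when the switchover is exercised repeatedly during acceptance testing. The following Python script is an added example, not part of this guide and not Huawei software: it parses the display ike sa and display nqa results test-instance output shown in steps 2 and 3, derives the NQA instance status, and checks that the IKE peer RouterC is actually using is the gateway that the remote-address ... track nqa admin test up/down configuration should select. It assumes that the column layout of both commands is exactly as printed on this page (in particular, the VPN column of display ike sa is blank) and that a test whose Completion is anything other than success drives the instance to Down. The function names, the PRIMARY and BACKUP constants and the trimmed sample outputs are constructed for this example from the addresses and output on the page.

```python
"""Added example (not Huawei's code): check RouterC's IKE peer against its NQA status.

Assumptions not stated by the guide: the output layout of `display ike sa` and
`display nqa results test-instance` is exactly as printed in this example (the
VPN column of `display ike sa` is blank), and any Completion other than
"success" means the tracked instance is Down."""
import re
from typing import Dict, List, Optional

PRIMARY = "60.1.1.1"  # RouterA: remote-address 60.1.1.1 track nqa admin test up
BACKUP = "60.1.2.1"   # RouterB: remote-address 60.1.2.1 track nqa admin test down


def parse_ike_sa(output: str) -> List[Dict[str, object]]:
    """One dict per SA row of `display ike sa`; header and flag legend are skipped."""
    sas: List[Dict[str, object]] = []
    for line in output.splitlines():
        tokens = line.split()
        # Data rows start with a numeric Conn-ID followed by peer:port.
        if len(tokens) < 6 or not tokens[0].isdigit() or ":" not in tokens[1]:
            continue
        peer, _, port = tokens[1].partition(":")
        vpn = tokens[2] if len(tokens) == 7 else ""  # VPN column is blank on this page
        flags, phase, rtype, rid = tokens[-4:]
        sas.append({"conn_id": int(tokens[0]), "peer": peer, "port": int(port),
                    "vpn": vpn, "flags": set(flags.split("|")), "phase": phase,
                    "remote_type": rtype, "remote_id": rid})
    return sas


def active_peer(sas: List[Dict[str, object]]) -> Optional[str]:
    """Peer of a READY (RD) phase-2 SA, i.e. the gateway currently carrying traffic."""
    for sa in sas:
        if "RD" in sa["flags"] and str(sa["phase"]).endswith(":2"):
            return str(sa["peer"])
    return None


NQA_FIELDS = {
    "completion": re.compile(r"Completion:\s*(\w+)"),
    "sent": re.compile(r"Send operation times:\s*(\d+)"),
    "received": re.compile(r"Receive response times:\s*(\d+)"),
    "destination": re.compile(r"Destination ip address:\s*(\S+)"),
    "lost_pct": re.compile(r"Lost packet ratio:\s*(\d+)\s*%"),
}


def parse_nqa(output: str) -> Dict[str, object]:
    """Fields of `display nqa results` that decide the tracked Up/Down status."""
    result: Dict[str, object] = {}
    for key, pattern in NQA_FIELDS.items():
        m = pattern.search(output)
        if m:
            result[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    # Assumption: only a successful completion keeps the instance Up.
    result["status"] = "up" if result.get("completion") == "success" else "down"
    return result


def expected_peer(nqa_status: str) -> str:
    """Remote address the `track nqa admin test up/down` pair selects."""
    return PRIMARY if nqa_status == "up" else BACKUP


def check_failover(ike_output: str, nqa_output: str) -> Dict[str, object]:
    """Compare the live IKE peer with the one the NQA status should select."""
    nqa = parse_nqa(nqa_output)
    active = active_peer(parse_ike_sa(ike_output))
    expected = expected_peer(str(nqa["status"]))
    return {"nqa_status": nqa["status"], "destination": nqa.get("destination"),
            "active_peer": active, "expected_peer": expected,
            "consistent": active == expected}


# Constructed samples, trimmed from the outputs printed in verification steps 2 and 3.
IKE_SA_AFTER_FAILURE = """\
IKE SA information :
  Conn-ID  Peer          VPN   Flag(s)   Phase   RemoteType  RemoteID
  --------------------------------------------------------------------------
  21576   60.1.2.1:500       RD        v1:2    IP          60.1.2.1
  21575   60.1.2.1:500       RD        v1:1    IP          60.1.2.1
  Number of IKE SA : 2
"""
NQA_AFTER_FAILURE = """\
 NQA entry(admin, test) :testflag is active ,testtype is icmp
   Send operation times: 2              Receive response times: 0
   Completion:failed                   RTD OverThresholds number: 0
   Destination ip address:60.1.1.1
   Lost packet ratio: 100 %
"""
IKE_SA_AFTER_RECOVERY = """\
  21578   60.1.1.1:500       RD|ST     v1:2    IP          60.1.1.1
  21577   60.1.1.1:500       RD|ST     v1:1    IP          60.1.1.1
"""
NQA_AFTER_RECOVERY = """\
   Send operation times: 2              Receive response times: 2
   Completion:success                  RTD OverThresholds number: 0
   Destination ip address:60.1.1.1
   Lost packet ratio: 0 %
"""

if __name__ == "__main__":
    for label, ike, nqa in (("after failure", IKE_SA_AFTER_FAILURE, NQA_AFTER_FAILURE),
                            ("after recovery", IKE_SA_AFTER_RECOVERY, NQA_AFTER_RECOVERY)):
        print(label, check_failover(ike, nqa))
```

      In practice the two outputs are captured from RouterC over a management session and fed to check_failover; a result with consistent set to False right after an NQA status change is expected for at most one test cycle (frequency 10 seconds in this example), and a persistent mismatch points at the track configuration or at an IKE SA that was not re-negotiated.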

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #
    acl number 3002
     rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128         
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256  
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %#%#u;3RGfy.^D2'oEC%wwnU](q"Y2O&b'L=,NI`-qWE%#%#
     ike-proposal 5
    #
    ipsec policy-template temp1 10
     ike-peer rut1
     proposal tran1
    #
    ipsec policy policy1 10 isakmp template temp1
    #
    interface GigabitEthernet0/0/1
     ip address 60.1.1.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.1.2 255.255.255.0
    #
    ip route-static 70.1.1.0 255.255.255.0 60.1.1.2
    ip route-static 192.168.2.0 255.255.255.0 60.1.1.2
    #
    return
    
  • Configuration file of RouterB

    #
     sysname RouterB
    #
    acl number 3002
     rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128         
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256  
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %#%#u;3RGfy.^D2'oEC%wwnU](q"Y2O&b'L=,NI`-qWE%#%#
     ike-proposal 5
    #
    ipsec policy-template temp1 10
     ike-peer rut1
     proposal tran1
    #
    ipsec policy policy1 10 isakmp template temp1
    #
    interface GigabitEthernet0/0/1
     ip address 60.1.2.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.1.2 255.255.255.0
    #
    ip route-static 70.1.1.0 255.255.255.0 60.1.2.2
    ip route-static 192.168.2.0 255.255.255.0 60.1.2.2
    #
    return
    
  • Configuration file of RouterC

    #
     sysname RouterC
    #
    acl number 3002
     rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128         
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256  
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %#%#u;3RGfy.^D2'oEC%wwnU](q"Y2O&b'L=,NI`-qWE%#%#
     ike-proposal 5
     remote-address 60.1.1.1 track nqa admin test up
     remote-address 60.1.2.1 track nqa admin test down
     switch-back enable
    #
    ipsec policy policy1 10 isakmp
     security acl 3002
     ike-peer rut1
     proposal tran1
    #
    interface GigabitEthernet0/0/1
     ip address 70.1.1.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.2.2 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 70.1.1.2
    #                                                                               
    nqa test-instance admin test                                                   
     test-type icmp                                                                 
     destination-address ipv4 60.1.1.1                                              
     frequency 10                                                                   
     probe-count 2                                                                  
     start now
    #
    return
    
Updated: 2019-08-07

Document ID: EDOC1100033725