CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring GM Link Redundancy

Networking Requirements

A large enterprise has many widely distributed branches with a large number of multicast services. As shown in Figure 6-11, GM_1 is the enterprise branch gateway and GM_2 is the enterprise headquarters gateway. (The enterprise has only one branch in this example.) GM_1 uses two egress links in backup or load balancing mode to communicate with the headquarters over the public network.

It is required that traffic between the branch and headquarters be protected, and that services continue to be transmitted securely when an active/standby switchover occurs or one egress link becomes faulty.

An A2A VPN can be deployed between the branch and headquarters to ensure secure communication within the enterprise. In addition, GM link redundancy can be used to allow the two outbound interfaces on GM_1 to register with the KS and download the same group SA. GM_1 selects an appropriate outbound interface based on routing information to forward services. If either egress link fails, traffic is switched to the other link by route convergence, and the SA between the group members does not change.

Figure 6-11  Networking for configuring GM link redundancy

NOTE:

When the KS connects to a GM, you need to confirm the signature hash algorithm supported by the GM. For example, the GM running a software version earlier than V200R010C00 supports only the SHA1 algorithm.

When the DH algorithm is group2, run the packet-type ipsec-ike rate-limit command in the KS attack defense policy view to set the rate limit of IKE packets sent to the CPU to 75 or less; when the DH algorithm is group14, set it to 20 or less. Otherwise, the CPU usage of the KS becomes high.

In the GM link load balancing scenario, when the KS sends a large volume of rekey packets, the multicast rekey packets are fragmented as devices on the network transmit them. Because the GM links work in load balancing mode, multiple interfaces on a GM receive multicast rekey fragments that may share the same characteristics, and duplicate fragments are dropped when the GM reassembles them. As a result, some links cannot receive complete multicast rekey packets. In this case, it is recommended that the KS use the unicast rekey mode.

You can run the ipsec policy shared command on GM_1 to configure the multi-link sharing function. GM_1 then registers with the KS through a loopback interface, removing the need to register with the KS through two GE interfaces. This reduces the load on the KS. In addition, only one shared KEK SA is negotiated between the two ends. When traffic is switched between the active and standby links, a smooth KEK SA switchover can be implemented. For details, see Example for Establishing an IPSec Tunnel Between the Enterprise Headquarters and Branch Using a Multi-Link Shared IPSec Policy Group.

Configuration Roadmap

  1. Configure an IP address and OSPF routes on each interface of the GMs and KS to implement communication between them.

  2. Configure an ACL on the KS to define the data flows to be protected by the A2A VPN.

  3. Configure IKE on the GMs and KS to define the attributes of IKE negotiation.

  4. Configure an IPSec proposal on the KS to define the protection method used for the A2A VPN.

  5. Configure a GDOI policy on each GM and apply the GDOI policy group to the interfaces. Configure a GDOI group on the KS and define group policies to be pushed to the GMs.

    Configure two GDOI policies on GM_1 and apply them to the two outbound interfaces separately, so that both interfaces join the same group.

Procedure

  1. Configure the KS.
    1. Configure the interface IP address and OSPF route to the peers.

      # Configure the interface IP address and enable the multicast function.

      <Huawei> system-view
      [Huawei] sysname KS
      [KS] multicast routing-enable
      [KS] interface gigabitethernet 1/0/0
      [KS-GigabitEthernet1/0/0] ip address 3.1.1.1 255.255.255.0
      [KS-GigabitEthernet1/0/0] pim dm
      [KS-GigabitEthernet1/0/0] igmp static-group 239.0.1.2
      [KS-GigabitEthernet1/0/0] quit
      

      # Configure an OSPF route.

      [KS] ospf 2 router-id 3.1.1.1 
      [KS-ospf-2] area 0
      [KS-ospf-2-area-0.0.0.0] network 3.1.1.0 0.0.0.255
      [KS-ospf-2-area-0.0.0.0] quit
      [KS-ospf-2] quit
      

    2. Define the data flows to be protected by the A2A VPN.

      [KS] acl 3001
      [KS-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
      [KS-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [KS-acl-adv-3001] quit
      

    3. Configure an IKE proposal.

      [KS] ike proposal 5
      [KS-ike-proposal-5] authentication-method pre-share
      [KS-ike-proposal-5] encryption-algorithm aes-128
      [KS-ike-proposal-5] authentication-algorithm sha2-256
      [KS-ike-proposal-5] dh group14
      [KS-ike-proposal-5] quit
      

    4. Configure an IPSec proposal.

      [KS] ipsec proposal tran1
      [KS-ipsec-proposal-tran1] encapsulation-mode tunnel
      [KS-ipsec-proposal-tran1] transform esp
      [KS-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [KS-ipsec-proposal-tran1] esp encryption-algorithm aes-128
      [KS-ipsec-proposal-tran1] quit
      

    5. Configure a GDOI group.

      # Configure the pre-shared keys for the GMs in the IKE user table.

      [KS] ike user-table 10
      [KS-ike-user-table-10] user gm1
      [KS-ike-user-table-10-gm1] id-type ip 1.1.1.1
      [KS-ike-user-table-10-gm1] pre-shared-key Huawei@123
      [KS-ike-user-table-10-gm1] quit
      [KS-ike-user-table-10] user gm2
      [KS-ike-user-table-10-gm2] id-type ip 2.1.1.1
      [KS-ike-user-table-10-gm2] pre-shared-key Huawei@123
      [KS-ike-user-table-10-gm2] quit
      [KS-ike-user-table-10] user gm22
      [KS-ike-user-table-10-gm22] id-type ip 4.1.1.1
      [KS-ike-user-table-10-gm22] pre-shared-key Huawei@123
      [KS-ike-user-table-10-gm22] quit
      [KS-ike-user-table-10] quit
      

      # Configure an RSA key pair.

      [KS] pki rsa local-key-pair create keytest modulus 2048 exportable
       Info: The name of the new key-pair will be: keytest
       Generating key-pairs...
      .+++
      ......+++
      

      # Configure GDOI group policies.

      [KS] gdoi ks group test
      [KS-gdoi-group-test] group identity number 10
      [KS-gdoi-group-test] source address 3.1.1.1
      [KS-gdoi-group-test] user-table 10
      [KS-gdoi-group-test] rekey transport-type multicast
      [KS-gdoi-group-test] rekey destination address 239.0.1.2
      [KS-gdoi-group-test] rekey encryption-algorithm aes-128
      [KS-gdoi-group-test] rekey sig-hash-algorithm sha2-512
      [KS-gdoi-group-test] rekey authentication public-key rsa keytest
      [KS-gdoi-group-test] ipsec 5
      [KS-gdoi-group-test-ipsec-5] proposal tran1
      [KS-gdoi-group-test-ipsec-5] security acl 3001
      [KS-gdoi-group-test-ipsec-5] quit
      [KS-gdoi-group-test] quit
      

  2. Configure GM_1. The configuration of GM_2 is similar to that of GM_1 and is not described here.
    1. Configure the interface IP addresses and OSPF routes.

      # Configure the interface IP addresses.

      <Huawei> system-view
      [Huawei] sysname GM_1
      [GM_1] interface gigabitethernet 1/0/0 
      [GM_1-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
      [GM_1-GigabitEthernet1/0/0] quit
      [GM_1] interface gigabitethernet 2/0/0
      [GM_1-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
      [GM_1-GigabitEthernet2/0/0] quit
      [GM_1] interface gigabitethernet 3/0/0
      [GM_1-GigabitEthernet3/0/0] ip address 4.1.1.1 255.255.255.0
      [GM_1-GigabitEthernet3/0/0] ospf cost 20
      [GM_1-GigabitEthernet3/0/0] ospf dr-priority 255
      [GM_1-GigabitEthernet3/0/0] quit
      

      # Configure OSPF routes.

      [GM_1] ospf 1 router-id 10.1.1.1
      [GM_1-ospf-1] area 0
      [GM_1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
      [GM_1-ospf-1-area-0.0.0.0] quit
      [GM_1-ospf-1] quit
      [GM_1] ospf 2 router-id 1.1.1.1
      [GM_1-ospf-2] import-route ospf 1
      [GM_1-ospf-2] area 0
      [GM_1-ospf-2-area-0.0.0.0] network 1.1.1.0 0.0.0.255
      [GM_1-ospf-2-area-0.0.0.0] network 4.1.1.0 0.0.0.255
      [GM_1-ospf-2-area-0.0.0.0] quit
      [GM_1-ospf-2] quit

    2. Configure an IKE peer. The IKE negotiation parameters must be the same as those on the KS.

      # Configure an IKE proposal.
      [GM_1] ike proposal 5
      [GM_1-ike-proposal-5] authentication-method pre-share
      [GM_1-ike-proposal-5] encryption-algorithm aes-128
      [GM_1-ike-proposal-5] authentication-algorithm sha2-256
      [GM_1-ike-proposal-5] dh group14
      [GM_1-ike-proposal-5] quit
      

      # Configure an IKE peer.

      [GM_1] ike peer spub
      [GM_1-ike-peer-spub] undo version 2
      [GM_1-ike-peer-spub] ike-proposal 5
      [GM_1-ike-peer-spub] pre-shared-key cipher Huawei@123
      [GM_1-ike-peer-spub] remote-address 3.1.1.1
      [GM_1-ike-peer-spub] quit

    3. Configure a GDOI policy. The group ID of the GM must be the same as that of the KS.

      [GM_1] ipsec policy map1 10 gdoi
      [GM_1-ipsec-policy-gdoi-map1-10] group identity number 10
      [GM_1-ipsec-policy-gdoi-map1-10] ike-peer spub
      [GM_1-ipsec-policy-gdoi-map1-10] tunnel local applied-interface
      [GM_1-ipsec-policy-gdoi-map1-10] quit
      [GM_1] ipsec policy map2 10 gdoi
      [GM_1-ipsec-policy-gdoi-map2-10] group identity number 10
      [GM_1-ipsec-policy-gdoi-map2-10] ike-peer spub
      [GM_1-ipsec-policy-gdoi-map2-10] tunnel local applied-interface
      [GM_1-ipsec-policy-gdoi-map2-10] quit
      

    4. Configure an IP address for multicast rekey messages. The IP address must be the same as that configured on the KS.

      [GM_1] multicast routing-enable
      [GM_1] ipsec gdoi multicast-rekey ip 239.0.1.2
      [GM_1] interface gigabitethernet 1/0/0
      [GM_1-GigabitEthernet1/0/0] pim dm
      [GM_1-GigabitEthernet1/0/0] igmp static-group 239.0.1.2
      [GM_1-GigabitEthernet1/0/0] quit
      [GM_1] interface gigabitethernet 3/0/0
      [GM_1-GigabitEthernet3/0/0] pim dm
      [GM_1-GigabitEthernet3/0/0] igmp static-group 239.0.1.2
      [GM_1-GigabitEthernet3/0/0] quit
      

    5. Apply the GDOI policy group to the interfaces.

      [GM_1] interface gigabitethernet 1/0/0
      [GM_1-GigabitEthernet1/0/0] ipsec policy map1
      [GM_1-GigabitEthernet1/0/0] quit
      [GM_1] interface gigabitethernet 3/0/0
      [GM_1-GigabitEthernet3/0/0] ipsec policy map2
      [GM_1-GigabitEthernet3/0/0] quit
      

  3. Verify the configuration.

    # After the configuration is complete, run the display ike sa command on the devices to view information about the IKE SAs. The command output shows that the IKE SAs between the KS and GM_1/GM_2 are successfully established. The following uses the KS as an example:

    [KS] display ike sa
     Conn-ID    Peer           VPN         Flag(s)        Phase  RemoteType  RemoteID
    ----------------------------------------------------------------------------------
     1828       4.1.1.1:848                RD|A           v1:1   IP          4.1.1.1
     1804       1.1.1.1:848                RD|A           v1:1   IP          1.1.1.1
     1808       2.1.1.1:848                RD|A           v1:1   IP          2.1.1.1
    
      Number of IKE SA : 3
    -----------------------------------------------------------------------------------
    
     Flag Description:
     RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
     HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
     M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

    The command output shows that both interfaces of GM_1 establish an IKE SA with the KS.

    # Run the display ipsec gdoi-sa command on each GM to display information about the GDOI SA. The following uses GM_1 as an example:

    [GM_1] display ipsec gdoi-sa
    ===============================
    Interface: GigabitEthernet1/0/0
     Path MTU: 0
    ===============================
      ---------------------------------
      Gdoi policy name         : "map1"
      Sequence number          : 10
      ---------------------------------
        [TEK SA]
        Protected vrf : 0
        Inpacket count            : 0
        Inpacket decap count      : 0
        Outpacket count           : 0
        Outpacket encap count     : 0
        Inpacket drop count       : 0
        Outpacket drop count      : 0
        Anti-replay drop count    : 0
    
        SA mode : normal
        SPI: 3149628814 (0xbbbb858e)
        Proposal : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
        SA remaining lifetime (secs) : 15
        Anti-replay (time based) : disable
    
        [TEK SA]
        Protected vrf : 0
        Protocol: 0/permit
        Flow source      : 10.1.1.0/255.255.255.0/0
        Flow destination : 10.1.2.0/255.255.255.0/0
    
        Protocol: 0/permit
        Flow source      : 10.1.2.0/255.255.255.0/0
        Flow destination : 10.1.1.0/255.255.255.0/0
    
        Inpacket count            : 0
        Inpacket decap count      : 0
        Outpacket count           : 0
        Outpacket encap count     : 0
        Inpacket drop count       : 0
        Outpacket drop count      : 0
        Anti-replay drop count    : 0
    
        SA mode : normal
        SPI: 1196964601 (0x47583af9)
        Proposal : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
        SA remaining lifetime (secs) : 3484
        Anti-replay (time based) : disable
    
        [KEK POLICY]
        Rekey transport type        : multicast
        SPI: 0x2ad569a935d15b75174446fbb0feaf5b
        Received rekey seqno        : 40
        Lifetime (secs)             : 59954
        Encrypt algorithm           : AES
        Encrypt key size            : 128
        Signature hash algorithm    : HMAC_AUTH_SHA2_512
        Signature key length (bits) : 2160
        Signature algorithm         : SIG_ALG_RSA
    
    
    ===============================
    Interface: GigabitEthernet3/0/0
     Path MTU: 0
    ===============================
      ---------------------------------
      Gdoi policy name         : "map2"
      Sequence number          : 10
      ---------------------------------
        [TEK SA]
        Protected vrf : 0
        Inpacket count            : 0
        Inpacket decap count      : 0
        Outpacket count           : 0
        Outpacket encap count     : 0
        Inpacket drop count       : 0
        Outpacket drop count      : 0
        Anti-replay drop count    : 0
    
        SA mode : normal
        SPI: 3149628814 (0xbbbb858e)
        Proposal : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
        SA remaining lifetime (secs) : 14
        Anti-replay (time based) : disable
    
        [TEK SA]
        Protected vrf : 0
        Protocol: 0/permit
        Flow source      : 10.1.1.0/255.255.255.0/0
        Flow destination : 10.1.2.0/255.255.255.0/0
    
        Protocol: 0/permit
        Flow source      : 10.1.2.0/255.255.255.0/0
        Flow destination : 10.1.1.0/255.255.255.0/0
    
        Inpacket count            : 0
        Inpacket decap count      : 0
        Outpacket count           : 0
        Outpacket encap count     : 0
        Inpacket drop count       : 0
        Outpacket drop count      : 0
        Anti-replay drop count    : 0
    
        SA mode : normal
        SPI: 1196964601 (0x47583af9)
        Proposal : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
        SA remaining lifetime (secs) : 3483
        Anti-replay (time based) : disable
    
        [KEK POLICY]
        Rekey transport type        : multicast
        SPI: 0x2ad569a935d15b75174446fbb0feaf5b
        Received rekey seqno        : 40
        Lifetime (secs)             : 59953
        Encrypt algorithm           : AES
        Encrypt key size            : 128
        Signature hash algorithm    : HMAC_AUTH_SHA2_512
        Signature key length (bits) : 2160
        Signature algorithm         : SIG_ALG_RSA

    The command output shows that the two interfaces of GM_1 have successfully registered with the KS and that TEK SAs are successfully established between the GMs.
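    As a check on the claim above, the following is an added example (not code from the Huawei document) that parses display ipsec gdoi-sa output and confirms that every interface on the GM holds the same TEK SPIs and the same KEK SPI, which is what lets a link failover leave the group SA unchanged. The sample output is constructed from the output shown on this page, and the line patterns the parser matches are assumed to be those shown here.

```python
"""Parse `display ipsec gdoi-sa` output and check that every interface of a
GM with link redundancy holds the same group SAs (same TEK and KEK SPIs).
Added example, not from the Huawei document; the regexes assume the
"Interface:", "Gdoi policy name", "[TEK SA]", "[KEK POLICY]" and "SPI:" lines shown here."""
import re

# Constructed sample: the two GM_1 interface sections from this page, trimmed
# to the lines the parser needs.
SAMPLE_OUTPUT = """\
===============================
Interface: GigabitEthernet1/0/0
===============================
  Gdoi policy name         : "map1"
    [TEK SA]
    SPI: 3149628814 (0xbbbb858e)
    [TEK SA]
    SPI: 1196964601 (0x47583af9)
    [KEK POLICY]
    SPI: 0x2ad569a935d15b75174446fbb0feaf5b
===============================
Interface: GigabitEthernet3/0/0
===============================
  Gdoi policy name         : "map2"
    [TEK SA]
    SPI: 3149628814 (0xbbbb858e)
    [TEK SA]
    SPI: 1196964601 (0x47583af9)
    [KEK POLICY]
    SPI: 0x2ad569a935d15b75174446fbb0feaf5b
"""

def parse_gdoi_sa(output):
    """Return {interface: {"policy": name, "tek": [spi, ...], "kek": spi}}."""
    result = {}
    iface = None
    section = None  # "tek" or "kek", set by the bracketed headers
    for line in output.splitlines():
        s = line.strip()
        m = re.match(r"Interface:\s*(\S+)", s)
        if m:
            iface = m.group(1)
            result[iface] = {"policy": None, "tek": [], "kek": None}
            section = None
            continue
        if iface is None:
            continue
        m = re.match(r'Gdoi policy name\s*:\s*"([^"]+)"', s)
        if m:
            result[iface]["policy"] = m.group(1)
        elif s == "[TEK SA]":
            section = "tek"
        elif s == "[KEK POLICY]":
            section = "kek"
        elif s.startswith("SPI:"):
            # TEK SPIs print as "decimal (0xhex)", the KEK SPI as bare hex;
            # keep the hex form for both so they compare cleanly.
            hexes = re.findall(r"0x[0-9a-fA-F]+", s)
            spi = hexes[0].lower() if hexes else s.split(":", 1)[1].strip()
            if section == "tek":
                result[iface]["tek"].append(spi)
            elif section == "kek":
                result[iface]["kek"] = spi
    return result

def shares_group_sa(parsed):
    """True when all interfaces hold the same TEK SPI set and the same KEK
    SPI, so a link failover leaves the group SA unchanged."""
    views = [(sorted(v["tek"]), v["kek"]) for v in parsed.values()]
    return len(views) >= 2 and all(v == views[0] for v in views[1:])
```

    Feed the function the captured output of display ipsec gdoi-sa from the GM; a False result means the interfaces registered into different SAs and a failover would not be seamless.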

    # Run the ping -a source-ip-address host command on each GM to ping the private IP address. If the ping operation succeeds, services on both ends can be forwarded normally. The following uses GM_1 as an example:

    [GM_1] ping -a 10.1.1.1 10.1.2.2
      PING 10.1.2.2: 56  data bytes, press CTRL_C to break
        Reply from 10.1.2.2: bytes=56 Sequence=1 ttl=255 time=89 ms
        Reply from 10.1.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms
        Reply from 10.1.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms
        Reply from 10.1.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms
        Reply from 10.1.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms
    
      --- 10.1.2.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/18/89 ms

    # Run the display ip routing-table protocol ospf command on GM_1 to check the routing information. The command output shows that the outbound interface is GE1/0/0.

    [GM_1] display ip routing-table protocol ospf
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Public routing table : OSPF
             Destinations : 3        Routes : 3
    
    OSPF routing table status : <Active>
             Destinations : 2        Routes : 2
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
            2.1.1.0/24  OSPF    10   2           D   1.1.1.2         GigabitEthernet1/0/0
            3.1.1.0/24  OSPF    10   2           D   1.1.1.2         GigabitEthernet1/0/0
           10.1.2.0/24  O_ASE   150  1           D   1.1.1.2         GigabitEthernet1/0/0
    OSPF routing table status : <Inactive>
             Destinations : 0        Routes : 0
    

    Shut down GE1/0/0 of GM_1, and then run the ping -a source-ip-address host command again. The ping still succeeds, and traffic now leaves through GE3/0/0, so services continue without interruption.

    [GM_1] ping -a 10.1.1.1 10.1.2.2
      PING 10.1.2.2: 56  data bytes, press CTRL_C to break
        Reply from 10.1.2.2: bytes=56 Sequence=1 ttl=255 time=89 ms
        Reply from 10.1.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms
        Reply from 10.1.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms
        Reply from 10.1.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms
        Reply from 10.1.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms
    
      --- 10.1.2.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/18/89 ms
    [GM_1] display ip routing-table protocol ospf
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Public routing table : OSPF
             Destinations : 3        Routes : 3
    
    OSPF routing table status : <Active>
             Destinations : 3        Routes : 3
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
            2.1.1.0/24  OSPF    10   21          D   4.1.1.2         GigabitEthernet3/0/0
            3.1.1.0/24  OSPF    10   21          D   4.1.1.2         GigabitEthernet3/0/0
           10.1.2.0/24  O_ASE   150  1           D   4.1.1.2         GigabitEthernet3/0/0
    
    OSPF routing table status : <Inactive>
             Destinations : 0        Routes : 0

Configuration Files

  • KS configuration file

    #
     sysname KS
    #
    multicast routing-enable
    # 
    acl number 3001
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
     rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
    #
    ike user-table 10
     user gm2
      id-type ip 2.1.1.1
      pre-shared-key %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
     user gm22
      id-type ip 4.1.1.1
      pre-shared-key %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
     user gm1
      id-type ip 1.1.1.1
      pre-shared-key %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
    #
    gdoi ks group test
     group identity number 10
     rekey destination address 239.0.1.2
     rekey sig-hash-algorithm sha2-512
     rekey encryption-algorithm aes-128
     user-table 10
     rekey authentication public-key rsa keytest
     ipsec 5
      proposal tran1
      security acl 3001
     source address 3.1.1.1
    #
    interface GigabitEthernet1/0/0
     ip address 3.1.1.1 255.255.255.0
     pim dm
     igmp static-group 239.0.1.2
    #
    ospf 2 router-id 3.1.1.1
     area 0.0.0.0
      network 3.1.1.0 0.0.0.255
    #
    return
    
  • GM_1 configuration file

    #
     sysname GM_1
    #
    multicast routing-enable
    # 
    ipsec gdoi multicast-rekey ip 239.0.1.2
    #  
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
    #
    ike peer spub
     undo version 2
     pre-shared-key cipher %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
     ike-proposal 5
     remote-address 3.1.1.1
    #
    ipsec policy map1 10 gdoi
     group identity number 10
     ike-peer spub
     tunnel local applied-interface
    ipsec policy map2 10 gdoi
     group identity number 10
     ike-peer spub
     tunnel local applied-interface
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.1.1 255.255.255.0
     pim dm
     igmp static-group 239.0.1.2
     ipsec policy map1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet3/0/0
     ip address 4.1.1.1 255.255.255.0
     pim dm
     igmp static-group 239.0.1.2
     ospf cost 20
     ospf dr-priority 255
     ipsec policy map2
    #
    ospf 1 router-id 10.1.1.1
     area 0.0.0.0
      network 10.1.1.0 0.0.0.255
    #
    ospf 2 router-id 1.1.1.1
     import-route ospf 1
     area 0.0.0.0
      network 1.1.1.0 0.0.0.255
      network 4.1.1.0 0.0.0.255
    #
    return
    
  • GM_2 configuration file

    #
     sysname GM_2
    #
    multicast routing-enable
    # 
    ipsec gdoi multicast-rekey ip 239.0.1.2
    #  
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
    #
    ike peer spub
     undo version 2
     pre-shared-key cipher %^%#5FM@~#qRB6!z"YT[gn;6~aCG:K}f(B'wpjJ0!:xO%^%#
     ike-proposal 5
     remote-address 3.1.1.1
    #
    ipsec policy map1 10 gdoi
     group identity number 10
     ike-peer spub
    #
    interface GigabitEthernet1/0/0
     ip address 2.1.1.1 255.255.255.0
     pim dm
     igmp static-group 239.0.1.2
     ipsec policy map1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    ospf 1 router-id 10.1.2.1
     area 0.0.0.0
      network 10.1.2.0 0.0.0.255
    #
    ospf 2 router-id 2.1.1.1
     import-route ospf 1
     area 0.0.0.0
      network 2.1.1.0 0.0.0.255
    #
    return
    
Updated: 2019-08-07

Document ID: EDOC1100033725