
CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring a Tunnel Template Interface for IPSec Tunnel Setup

Networking Requirements

As shown in Figure 5-56, an enterprise's branch and headquarters communicate over the public network, and the topologies of both the headquarters and branch networks change frequently. The enterprise requires that traffic between the branch and headquarters be protected while it crosses the public network, and that the IPSec configuration not need to change every time a network topology changes.

  1. The branch gateway RouterA and the headquarters gateway RouterB set up an IPSec tunnel over the public network to protect the traffic between them.
  2. Because the topologies change frequently, the IPSec tunnel is set up between tunnel interfaces rather than through ACL-based IPSec policies. Each gateway configures only its own protected subnet and tunnel interface address locally and sends them to the peer during IKE negotiation, so the peer learns the corresponding route automatically and its IPSec configuration does not have to change when a subnet changes.
Figure 5-56  Configuring a virtual tunnel template interface for IPSec Tunnel setup

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses and static routes on the interfaces to implement communication between them.

  2. Configure ACLs to define the subnet that the local device needs to protect.

  3. Configure AAA service schemes that reference the ACL and the tunnel interface address, to define the subnet route and interface address that the local device sends to its peer.

  4. Configure IPSec proposals to define the data flow protection method.

  5. Configure IKE peers and define the attributes used for IKE negotiation.

  6. Configure IPSec profiles and apply the IPSec proposal and IKE peer to each profile, to define how traffic entering the tunnel interface is protected.

  7. Apply the IPSec profiles to the tunnel interface on RouterA and the tunnel template interface on RouterB to enable IPSec protection on those interfaces.

Procedure

  1. Configure IP addresses and static routes on the interfaces of RouterA and RouterB.

    # Configure an IP address for each interface of RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0 
    [RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet2/0/0] quit
    

    # Configure a static route from RouterA to RouterB. This example assumes that the next hop address of the route is 1.1.1.2.

    [RouterA] ip route-static 2.1.1.0 255.255.255.0 1.1.1.2

    # Configure an IP address for each interface of RouterB.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 1/0/0 
    [RouterB-GigabitEthernet1/0/0] ip address 2.1.1.1 255.255.255.0
    [RouterB-GigabitEthernet1/0/0] quit
    [RouterB] interface gigabitethernet 2/0/0
    [RouterB-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet2/0/0] quit

    # Configure a static route from RouterB to RouterA. This example assumes that the next hop address of the route is 2.1.1.2.

    [RouterB] ip route-static 1.1.1.0 255.255.255.0 2.1.1.2

  2. Configure ACLs to define the subnet that the local device needs to protect.

    # Configure an ACL on RouterA that matches the local subnet 10.1.1.0/24. In this scenario the ACL does not select traffic on its own; the service scheme configured later references it to derive the subnet route that RouterA sends to RouterB.

    [RouterA] acl number 3001
    [RouterA-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255
    [RouterA-acl-adv-3001] quit
    

    # Configure an ACL on RouterB that matches the local subnet 10.1.2.0/24. As on RouterA, the service scheme references this ACL to derive the subnet route that RouterB sends to RouterA.

    [RouterB] acl number 3001
    [RouterB-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255
    [RouterB-acl-adv-3001] quit
    

  3. Configure AAA service schemes to define the subnet route (derived from the ACL) and the tunnel interface address that the local device sends to its peer.

    # Configure an AAA service scheme on RouterA.

    [RouterA] aaa
    [RouterA-aaa] service-scheme schemetest 
    [RouterA-aaa-service-schemetest] route set acl 3001
    [RouterA-aaa-service-schemetest] route set interface
    [RouterA-aaa-service-schemetest] quit
    [RouterA-aaa] quit
    

    # Configure an AAA service scheme on RouterB.

    [RouterB] aaa
    [RouterB-aaa] service-scheme schemetest
    [RouterB-aaa-service-schemetest] route set acl 3001
    [RouterB-aaa-service-schemetest] route set interface
    [RouterB-aaa-service-schemetest] quit
    [RouterB-aaa] quit
    

  4. Create IPSec proposals on RouterA and RouterB.

    # Create an IPSec proposal on RouterA.

    [RouterA] ipsec proposal prop1
    [RouterA-ipsec-proposal-prop1] esp authentication-algorithm sha2-256
    [RouterA-ipsec-proposal-prop1] esp encryption-algorithm aes-128
    [RouterA-ipsec-proposal-prop1] quit

    # Create an IPSec proposal on RouterB.

    [RouterB] ipsec proposal prop1
    [RouterB-ipsec-proposal-prop1] esp authentication-algorithm sha2-256
    [RouterB-ipsec-proposal-prop1] esp encryption-algorithm aes-128
    [RouterB-ipsec-proposal-prop1] quit

    Run the display ipsec proposal command on RouterA and RouterB to view the configuration of the IPSec proposal.

  5. Create IKE proposals and IKE peers on RouterA and RouterB.

    # Create an IKE proposal on RouterA.

    [RouterA] ike proposal 5
    [RouterA-ike-proposal-5] authentication-algorithm sha2-256
    [RouterA-ike-proposal-5] encryption-algorithm aes-128
    [RouterA-ike-proposal-5] dh group14
    [RouterA-ike-proposal-5] quit

    # Create an IKE peer on RouterA. The undo version 2 command disables IKEv2, so only IKEv1 is negotiated (the verification output later shows the phases as v1:1 and v1:2). RouterA, which initiates the tunnel, sends the configuration exchange request; both peers accept and send route information, and route accept installs the routes received from the peer. The pre-shared key must be identical on both routers; Huawei@1234 is an example value and must be replaced with a strong key in a real deployment.

    [RouterA] ike peer peer2
    [RouterA-ike-peer-peer2] undo version 2
    [RouterA-ike-peer-peer2] ike-proposal 5
    [RouterA-ike-peer-peer2] pre-shared-key cipher Huawei@1234
    [RouterA-ike-peer-peer2] service-scheme schemetest
    [RouterA-ike-peer-peer2] config-exchange request
    [RouterA-ike-peer-peer2] config-exchange set accept
    [RouterA-ike-peer-peer2] config-exchange set send
    [RouterA-ike-peer-peer2] route accept
    [RouterA-ike-peer-peer2] quit

    # Create an IKE proposal on RouterB.

    [RouterB] ike proposal 5
    [RouterB-ike-proposal-5] authentication-algorithm sha2-256
    [RouterB-ike-proposal-5] encryption-algorithm aes-128
    [RouterB-ike-proposal-5] dh group14
    [RouterB-ike-proposal-5] quit

    # Create an IKE peer on RouterB. RouterB, whose tunnel template interface has no fixed destination and therefore waits for RouterA to initiate, accepts and answers the configuration exchange but does not send a request of its own.

    [RouterB] ike peer peer2
    [RouterB-ike-peer-peer2] undo version 2
    [RouterB-ike-peer-peer2] ike-proposal 5
    [RouterB-ike-peer-peer2] pre-shared-key cipher Huawei@1234
    [RouterB-ike-peer-peer2] service-scheme schemetest
    [RouterB-ike-peer-peer2] config-exchange set accept
    [RouterB-ike-peer-peer2] config-exchange set send
    [RouterB-ike-peer-peer2] route accept
    [RouterB-ike-peer-peer2] quit

  6. Create IPSec profiles on RouterA and RouterB respectively.

    # Create an IPSec profile on RouterA.

    [RouterA] ipsec profile profile1
    [RouterA-ipsec-profile-profile1] proposal prop1
    [RouterA-ipsec-profile-profile1] ike-peer peer2
    [RouterA-ipsec-profile-profile1] quit

    # Create an IPSec profile on RouterB.

    [RouterB] ipsec profile profile1
    [RouterB-ipsec-profile-profile1] proposal prop1
    [RouterB-ipsec-profile-profile1] ike-peer peer2
    [RouterB-ipsec-profile-profile1] quit

  7. Apply the IPSec profile to the tunnel interface of RouterA and to the tunnel template interface of RouterB.

    # Apply the IPSec profile to the tunnel interface of RouterA. The tunnel is sourced from the public interface and points at RouterB's public address 2.1.1.1.

    [RouterA] interface tunnel 0/0/0
    [RouterA-Tunnel0/0/0] ip address 192.168.1.1 255.255.255.0
    [RouterA-Tunnel0/0/0] tunnel-protocol ipsec
    [RouterA-Tunnel0/0/0] source gigabitethernet1/0/0
    [RouterA-Tunnel0/0/0] destination 2.1.1.1
    [RouterA-Tunnel0/0/0] ipsec profile profile1
    [RouterA-Tunnel0/0/0] quit 

    # Apply the IPSec profile to the tunnel template interface of RouterB. The template interface borrows its address from LoopBack0 and has no destination configured, so it accepts tunnels from any peer that passes IKE authentication; this is what keeps RouterB's configuration unchanged when branch addresses or subnets change.

    [RouterB] interface loopback0
    [RouterB-LoopBack0] ip address 192.168.1.2 255.255.255.255
    [RouterB-LoopBack0] quit
    [RouterB] interface tunnel-template 0
    [RouterB-Tunnel-Template0] ip address unnumbered interface loopback0
    [RouterB-Tunnel-Template0] tunnel-protocol ipsec
    [RouterB-Tunnel-Template0] source gigabitethernet1/0/0
    [RouterB-Tunnel-Template0] ipsec profile profile1
    [RouterB-Tunnel-Template0] quit 

    # Run the display ipsec profile command on RouterA and RouterB to view the IPSec profile configuration.

  8. Verify the configuration.

    # Run the display ike sa command on RouterA and RouterB to view the IKE SAs. The display on RouterA is used as an example: one phase-1 (v1:1) and one phase-2 (v1:2) SA with peer 2.1.1.1 are in the RD (READY) state.

    [RouterA] display ike sa
    IKE SA information :
       Conn-ID   Peer                VPN   Flag(s)   Phase   RemoteType  RemoteID
      --------------------------------------------------------------------------------
       16        2.1.1.1:500               RD|ST     v1:2    IP          2.1.1.1
       14        2.1.1.1:500               RD|ST     v1:1    IP          2.1.1.1
                                                   
       Number of IKE SA : 2
      --------------------------------------------------------------------------------
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   

    # Run the display ip routing-table command on RouterA and RouterB to view route information. Only the subnet route each router received from its peer through the configuration exchange is shown; it points out of the tunnel interface, so traffic to the peer's subnet is sent through the IPSec tunnel.

    [RouterA] display ip routing-table
    Route Flags: R - relay, D - download to fib                                     
    ------------------------------------------------------------------------------  
    Routing Tables: Public                                                          
             Destinations : 16       Routes : 16                                    
                                                                                    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface      
                                                                                    
           10.1.2.0/24  Unr     0    0           D   192.168.1.2   Tunnel0/0/0    
    
    [RouterB] display ip routing-table
    Route Flags: R - relay, D - download to fib                                     
    ------------------------------------------------------------------------------  
    Routing Tables: Public                                                          
             Destinations : 16       Routes : 16                                    
                                                                                    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface      
                                                                                    
           10.1.1.0/24  Unr     62   0          RD   192.168.1.1   Tunnel-Template0
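
    Anyone automating the verification step wants the same two checks done by a script rather than by eye. The following Python is an added example, not part of the Huawei document and not a Huawei tool. It parses the display ike sa and display ip routing-table outputs shown above (embedded here as constructed copies of RouterA's output) and reports why the tunnel is not fully up: no READY phase-1 or phase-2 SA with the peer, the peer's subnet missing from the routing table (not pushed, or route accept missing on this side), or the route leaving through an interface other than the tunnel, in which case traffic to the peer subnet would travel unprotected. The column layout it parses is the one on this page; other software versions may print different columns.

```python
"""Post-deployment check of an IPSec tunnel from Huawei VRP CLI output.

Added example: not part of the Huawei document and not a Huawei tool. The
two outputs below are constructed copies of what this page shows on RouterA;
the pass/fail logic is this script's own.
"""
import re
from typing import Dict, List

IKE_SA_OUTPUT = """\
IKE SA information :
   Conn-ID   Peer                VPN   Flag(s)   Phase   RemoteType  RemoteID
  --------------------------------------------------------------------------------
   16        2.1.1.1:500               RD|ST     v1:2    IP          2.1.1.1
   14        2.1.1.1:500               RD|ST     v1:1    IP          2.1.1.1

   Number of IKE SA : 2
  --------------------------------------------------------------------------------
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
"""

ROUTE_OUTPUT = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.2.0/24  Unr     0    0           D   192.168.1.2   Tunnel0/0/0
"""

# One 'display ike sa' row: conn-id, peer, optional VPN instance, flags,
# version:phase, remote ID type, remote ID. Header and legend lines do not match.
SA_ROW = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<peer>\S+)\s+(?:(?P<vpn>\S+)\s+)?(?P<flags>\S+)\s+"
    r"(?P<ver>v[12]):(?P<phase>[12])\s+(?P<rtype>\S+)\s+(?P<rid>\S+)\s*$")
# One routing-table row: prefix/len, proto, preference, cost, flags, next hop, interface.
ROUTE_ROW = re.compile(
    r"^\s*(?P<dest>\S+/\d+)\s+(?P<proto>\S+)\s+(?P<pre>\d+)\s+(?P<cost>\d+)\s+"
    r"(?P<flags>\S+)\s+(?P<nexthop>\S+)\s+(?P<iface>\S+)\s*$")


def parse_ike_sa(text: str) -> List[Dict[str, str]]:
    return [m.groupdict() for m in map(SA_ROW.match, text.splitlines()) if m]


def parse_routes(text: str) -> List[Dict[str, str]]:
    return [m.groupdict() for m in map(ROUTE_ROW.match, text.splitlines()) if m]


def tunnel_findings(ike_text: str, route_text: str, peer_ip: str,
                    remote_subnet: str, tunnel_if: str) -> List[str]:
    """Reasons the tunnel to peer_ip is not fully up; an empty list means healthy.

    Healthy means a READY (RD) phase-1 and phase-2 SA with the peer, plus the
    peer's subnet installed as a route that leaves through the tunnel interface,
    i.e. the route pushed by the peer in the IKE configuration exchange was
    accepted and traffic to that subnet will actually enter the IPSec tunnel.
    """
    findings: List[str] = []
    ready = {int(sa["phase"]) for sa in parse_ike_sa(ike_text)
             if sa["peer"].split(":")[0] == peer_ip and "RD" in sa["flags"].split("|")}
    for phase, name in ((1, "IKE"), (2, "IPSec")):
        if phase not in ready:
            findings.append(f"no READY phase-{phase} ({name}) SA with {peer_ip}")
    routes = [r for r in parse_routes(route_text) if r["dest"] == remote_subnet]
    if not routes:
        findings.append(f"{remote_subnet}: no route installed (peer did not push it, "
                        "or 'route accept' is missing on this side)")
    for r in routes:
        if r["iface"] != tunnel_if:
            findings.append(f"{remote_subnet}: route leaves via {r['iface']} instead of "
                            f"{tunnel_if}; traffic to the peer subnet would bypass IPSec")
    return findings


if __name__ == "__main__":
    print(tunnel_findings(IKE_SA_OUTPUT, ROUTE_OUTPUT,
                          "2.1.1.1", "10.1.2.0/24", "Tunnel0/0/0") or "tunnel healthy")
```

    On the outputs shown on this page the check returns no findings. Running it on RouterB uses the same function with peer 1.1.1.1, subnet 10.1.1.0/24 and interface Tunnel-Template0; the phase-2 SA is the one to watch, since an IKE SA alone (phase-1 only) means authentication succeeded but no IPSec SA protects traffic yet.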
    

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #
    acl number 3001
     rule 5 permit ip source 10.1.1.0 0.0.0.255
    #
    ipsec proposal prop1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer peer2
     undo version 2
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     ike-proposal 5
     service-scheme schemetest
     route accept
     config-exchange request 
     config-exchange set accept
     config-exchange set send 
    #
    ipsec profile profile1
     ike-peer peer2
     proposal prop1
    #
    aaa
     service-scheme schemetest
      route set acl 3001
      route set interface
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.1.1 255.255.255.0
    #
    interface Tunnel0/0/0
     ip address 192.168.1.1 255.255.255.0
     tunnel-protocol ipsec
     source GigabitEthernet1/0/0
     destination 2.1.1.1
     ipsec profile profile1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
    #
    return
    
  • Configuration file of RouterB

    #
     sysname RouterB
    #
    acl number 3001
     rule 5 permit ip source 10.1.2.0 0.0.0.255
    #
    ipsec proposal prop1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer peer2
     undo version 2
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
     ike-proposal 5
     service-scheme schemetest
     route accept
     config-exchange set accept
     config-exchange set send 
    #
    ipsec profile profile1
     ike-peer peer2
     proposal prop1
    #
    aaa
     service-scheme schemetest
      route set acl 3001
      route set interface
    #
    interface GigabitEthernet1/0/0
     ip address 2.1.1.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    interface Tunnel-Template0
     ip address unnumbered interface LoopBack0 
     tunnel-protocol ipsec
     source GigabitEthernet1/0/0 
     ipsec profile profile1
    #
    interface LoopBack0
     ip address 192.168.1.2 255.255.255.255
    # 
    ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
    #
    return
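
Before committing a pair of configuration files like the two above, it is worth checking mechanically that the two ends actually agree. The following Python script is an added example and is not part of the Huawei document or of any Huawei tool. It parses VRP-style configuration text into its #-delimited blocks and reports the mismatches that would make IKE or IPSec negotiation between RouterA and RouterB fail or leave the route exchange broken: no common IKE or ESP algorithm, no common IKE version, an IPSec profile pointing at a missing IKE peer or proposal, an IKE peer pointing at a missing IKE proposal, a service scheme that is not defined under aaa, route accept missing so pushed routes are never installed, and neither side issuing config-exchange request. The embedded configuration is an abbreviated copy of RouterA's file on this page, with RouterB derived from it by the one difference that matters to these checks; the list of checks is this example's own and does not come from the device.

```python
"""Consistency check for a pair of Huawei VRP IPSec configurations. Added example, not
part of the Huawei document or a Huawei tool; the embedded text is an abbreviated copy of
the RouterA/RouterB files above (constructed sample input); the checks are this script's own."""

# Abbreviated RouterA configuration (constructed sample): only the blocks checked below.
ROUTER_A = """\
#
ipsec proposal prop1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
#
ike peer peer2
 undo version 2
 ike-proposal 5
 service-scheme schemetest
 route accept
 config-exchange request
#
ipsec profile profile1
 ike-peer peer2
 proposal prop1
#
aaa
 service-scheme schemetest
  route set acl 3001
#
"""
# RouterB is the responder; in the blocks checked here it differs only by not
# issuing the configuration exchange request.
ROUTER_B = ROUTER_A.replace(" config-exchange request\n", "")

IKE_KEYS = ("encryption-algorithm", "authentication-algorithm", "dh")
ESP_KEYS = ("esp encryption-algorithm", "esp authentication-algorithm")

def parse_vrp(config: str) -> dict:
    """Split VRP text into {block header: [commands]}; a line of '#' ends a block."""
    blocks, header = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            header = None
        elif line and header is None:
            header, blocks[line] = line, []
        elif line:
            blocks[header].append(line)
    return blocks

def setting(body: list, key: str):
    """Argument of the first command in body that starts with key, else None."""
    return next((l[len(key) + 1:] for l in body if l.startswith(key + " ")), None)

def select(blocks: dict, prefix: str) -> list:
    return [b for h, b in blocks.items() if h.startswith(prefix)]

def ike_versions(peer: list) -> set:
    """Versions the peer negotiates: both by default, minus each 'undo version N'."""
    return {1, 2} - {int(l[-1]) for l in peer if l in ("undo version 1", "undo version 2")}

def check_side(name: str, blocks: dict) -> list:
    """Referential checks on one device: profile -> peer -> proposal, scheme under aaa."""
    problems = []
    for h, b in blocks.items():
        if h.startswith("ipsec profile "):
            for key, target in (("ike-peer", "ike peer"), ("proposal", "ipsec proposal")):
                if f"{target} {setting(b, key)}" not in blocks:
                    problems.append(f"{name}: {h} references a missing {target}")
        elif h.startswith("ike peer "):
            if f"ike proposal {setting(b, 'ike-proposal')}" not in blocks:
                problems.append(f"{name}: {h} references a missing ike proposal")
            scheme = setting(b, "service-scheme")
            if scheme and f"service-scheme {scheme}" not in blocks.get("aaa", []):
                problems.append(f"{name}: service-scheme {scheme} is not defined under aaa")
            if "route accept" not in b:
                problems.append(f"{name}: {h} lacks 'route accept'; routes pushed by the peer are ignored")
    return problems

def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Everything that would stop the two routers negotiating; [] means consistent."""
    a, b = parse_vrp(cfg_a), parse_vrp(cfg_b)
    problems = check_side("RouterA", a) + check_side("RouterB", b)
    for prefix, keys in (("ike proposal ", IKE_KEYS), ("ipsec proposal ", ESP_KEYS)):
        for key in keys:  # negotiation needs at least one value both sides offer
            va = {setting(p, key) for p in select(a, prefix)}
            vb = {setting(p, key) for p in select(b, prefix)}
            if not va & vb:
                problems.append(f"no common {prefix.strip()} {key}: {va} vs {vb}")
    peers_a, peers_b = select(a, "ike peer "), select(b, "ike peer ")
    ver_a = set().union(*map(ike_versions, peers_a))
    ver_b = set().union(*map(ike_versions, peers_b))
    if not ver_a & ver_b:  # e.g. 'undo version 2' on one side, 'undo version 1' on the other
        problems.append(f"no common IKE version: {ver_a} vs {ver_b}")
    if not any("config-exchange request" in p for p in peers_a + peers_b):
        problems.append("neither side issues 'config-exchange request'; no routes are exchanged")
    return problems
```

check_pair(ROUTER_A, ROUTER_B) returns an empty list for the two configurations on this page. Changing RouterB's dh group14 to dh group2 produces a single "no common ike proposal dh" finding, and replacing undo version 2 on one side with undo version 1 produces "no common IKE version", which is the kind of mismatch that otherwise shows up only as an IKE SA that never reaches RD.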
    
Updated: 2019-08-07

Document ID: EDOC1100033725