No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Interoperation Configuration Guide

AR Router

This document provides cases for connecting AR enterprise routers to devices of other vendors.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Establishing an IPSec Tunnel Through Negotiation Initiated by the Branch Gateway with a Dynamic IP Address in Main Mode to the Headquarters Cisco Router (Using the Host Name)

Example for Establishing an IPSec Tunnel Through Negotiation Initiated by the Branch Gateway with a Dynamic IP Address in Main Mode to the Headquarters Cisco Router (Using the Host Name)

Specifications

This example applies to all versions and routers.

Networking Requirements

As shown in Figure 9-1, RouterA is the enterprise branch gateway, the public network interface dynamically obtains an IP address, and RouterB is the enterprise headquarters gateway (Cisco router). The branch and headquarters communicate through the NAT device over the public network.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the branch gateway dynamically obtains an IP address, the headquarters gateway can use the host name to establish an IPSec tunnel with the branch gateway. The main mode is used for IKE negotiation and identity protection. (Although the local ID type in IKE negotiation on the AR is set to name, the key is still selected based on the IP address in main mode.)

Figure 9-1  Networking for establishing an IPSec tunnel through negotiation initiated by the branch gateway with a dynamic IP address to the headquarters Cisco router

Procedure

  1. Configure RouterA.

    #
     sysname RouterA  //Configure the device name.
    #
     ipsec authentication sha2 compatible enable
    #
     ike local-name huawei
    #
    acl number 3000  //Specify data flows (traffic from the branch subnet to the headquarters subnet) to be protected.
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    #
    ipsec proposal prop1  //Configure an IPSec proposal.
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 1  //Configure an IKE proposal.
     encryption-algorithm aes-cbc-128   //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
     dh group14
     authentication-algorithm sha2-256
    #
    ike peer peer1 v1  //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
     pre-shared-key cipher %#%#@W4p8i~Mm5sn;9Xc&U#(cJC;.CE|qCD#jAH&/#nR%#%#  //Configure the pre-shared key as huawei@1234.
     ike-proposal 1
     local-id-type name   //Configure the local ID type for IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.
     remote-name RouterB   //Configure the IKE peer name. In V200R008 and later versions, the device does not support the remote-name command. This command provides teh same function as the remote-id command.
     nat traversal   //Enable NAT traversal. In V200R008 and later versions, the device supports NAT traversal by default, and this command is not supported.
     remote-address 60.1.2.1  
    #
    ipsec policy policy1 10 isakmp  //Configure an IPSec policy.
     security acl 3000 
     ike-peer peer1
     proposal prop1
    #
    interface GigabitEthernet0/0/1
     ipsec policy policy1     //Apply the IPSec policy to the interface.
     ip address dhcp-alloc    //Enable the DHCP client function to allow the branch gateway to dynamically obtain an IP address. In addition, you also need to configure the DHCP 
                                server function on the device directly connected or having a reachable route to RouterA. For detailed configurations, see the product documentation
                                of the device used.
    #
    interface GigabitEthernet0/0/2
     ip address 10.1.1.1 255.255.255.0
    #
    return

  2. Configure NATer.

    #
     sysname NATer  //Configure the device name.
    #
    dhcp enable
    #
    acl number 3000  //Apply NAT to all traffic.
     rule 5 permit ip
    #
    interface GigabitEthernet0/0/1
     ip address 60.1.1.1 255.255.255.0
     nat outbound 3000
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.1.1 255.255.255.0
     dhcp select interface
    #
    ip route-static 0.0.0.0 0.0.0.0 60.1.1.2  //Configure a static route to ensure reachability at both ends.
    #
    return

  3. Configure RouterB.

    !
    hostname RouterB  //Configure the device name.
    !
    crypto isakmp policy 1
     encryption aes 128
     hash sha256
     authentication pre-share
     group 14
    crypto isakmp key huawei@1234 address 0.0.0.0 0.0.0.0  //Configure the pre-shared key as huawei@1234 and use the IP address to identify an IKE peer.
    !
    crypto ipsec transform-set p1 esp-sha256-hmac esp-aes 128  //Configure a security algorithm used by IPSec.
    !
    !
    crypto dynamic-map p1 1  //Create a dynamic crypto map entry.
     set transform-set p1
     match address 102
    ! 
    !
    crypto map p1 1 ipsec-isakmp dynamic p1  //Configure an IPSec policy.
    !
    !
    interface GigabitEthernet0/0
     ip address 60.1.2.1 255.255.255.0
     duplex auto
     speed auto
     crypto map p1     //Apply the IPSec policy to the interface.
    !
    interface GigabitEthernet0/1
     ip address 10.1.2.1 255.255.255.0
     duplex auto
     speed auto
    !
    !
    ip route 0.0.0.0 0.0.0.0 60.1.2.2  //Configure a static route to ensure reachability at both ends.
    !
    access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 //Specify data flows (traffic from the headquarters subnet to the branch subnet) to be protected.
    !
    end

  4. Verify the configuration.

    # After the configuration is complete, run the ping command on PC A. PC B can be pinged.

    # Run the display ike sa and display ipsec sa commands on RouterA, and run the show crypto isakmp sa and show crypto ipsec sa commands on RouterB. You can see that the IPSec tunnel is created successfully.

    # Run the display ipsec statistics command on RouterA to check data packet statistics.

Configuration Notes

In this example, the commands on the Cisco router are recommended ones. The product version is Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M1, RELEASE SOFTWARE (fc1). For details, visit http://www.cisco.com/cisco/web/support.

MD5, SHA-1, DES, and 3DES have potential security risks. Exercise caution when you use them.

Translation
Download
Updated: 2019-05-17

Document ID: EDOC1100034005

Views: 27221

Downloads: 498

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next