
Interoperation Configuration Guide

AR Router

This document provides cases for connecting AR enterprise routers to devices of other vendors.
Configuring the Router

Configuration Roadmap

  1. Configure IP addresses and static routes for interfaces so that routes between the router and FW are reachable.
  2. Configure an ACL to define the data flows to be protected by the IPSec tunnel.
  3. Configure an IPSec proposal to define the method used to protect IPSec traffic.
  4. Configure an IKE proposal and an IKE peer, and define parameters used for IKE negotiation.
  5. Configure an IPSec policy, and reference the ACL, IPSec proposal, and IKE peer in the IPSec policy to determine the methods used to protect data flows.
  6. Apply the IPSec policy group to an interface.

Procedure

  1. Configure IP addresses and static routes for interfaces so that routes between the router and FW are reachable.

    # Assign an IP address to an interface on the router.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] interface gigabitethernet 0/0/1
    [Router-GigabitEthernet0/0/1] ip address 1.1.1.1 255.255.255.0
    [Router-GigabitEthernet0/0/1] quit
    [Router] interface gigabitethernet 0/0/2
    [Router-GigabitEthernet0/0/2] ip address 10.1.1.1 255.255.255.0
    [Router-GigabitEthernet0/0/2] quit

    # On the router, configure static routes to the FW. This example assumes that the next hop addresses of the routes are both 1.1.1.2.

    [Router] ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
    [Router] ip route-static 10.2.1.0 255.255.255.0 1.1.1.2

  2. Configure an ACL to define data flows to be protected.

    # Configure an ACL on the router to define the data flows sent from private network 10.1.1.0/24 to private network 10.2.1.0/24.

    [Router] acl number 3101
    [Router-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
    [Router-acl-adv-3101] quit

  3. Configure an IPSec proposal to define the method used to protect IPSec traffic.

    # Create an IPSec proposal on the router.

    [Router] ipsec authentication sha2 compatible enable
    [Router] ipsec proposal tran1
    [Router-ipsec-proposal-tran1] transform esp
    [Router-ipsec-proposal-tran1] esp authentication-algorithm sha2-512
    [Router-ipsec-proposal-tran1] esp encryption-algorithm aes-256
    [Router-ipsec-proposal-tran1] encapsulation-mode tunnel
    [Router-ipsec-proposal-tran1] quit

  4. Configure an IKE proposal and an IKE peer, and define parameters used for IKE negotiation.

    # Configure an IKE proposal and define parameters in IKE negotiation phase 1.

    [Router] ike proposal 5
    [Router-ike-proposal-5] encryption-algorithm aes-cbc-256
    [Router-ike-proposal-5] authentication-algorithm sha2-512
    [Router-ike-proposal-5] dh group14
    [Router-ike-proposal-5] sa duration 28800
    [Router-ike-proposal-5] authentication-method pre-share
    [Router-ike-proposal-5] quit

    # Configure an IKE peer and define parameters in IKE negotiation phase 1.

    [Router] ike peer feita v1
    [Router-ike-peer-feita] ike-proposal 5
    [Router-ike-peer-feita] pre-shared-key cipher huawei@123
    [Router-ike-peer-feita] remote-address 2.1.1.1
    [Router-ike-peer-feita] exchange-mode main
    [Router-ike-peer-feita] dpd type periodic
    [Router-ike-peer-feita] dpd msg seq-hash-notify
    [Router-ike-peer-feita] quit

  5. Configure an IPSec policy, and reference the ACL, IPSec proposal, and IKE peer in the IPSec policy to determine the methods used to protect data flows.

    # Create an IPSec policy in IKE negotiation mode on the router.

    [Router] ipsec policy map1 10 isakmp
    [Router-ipsec-policy-isakmp-map1-10] ike-peer feita
    [Router-ipsec-policy-isakmp-map1-10] proposal tran1
    [Router-ipsec-policy-isakmp-map1-10] security acl 3101
    [Router-ipsec-policy-isakmp-map1-10] sa duration time-based 3600
    [Router-ipsec-policy-isakmp-map1-10] quit

  6. Apply an IPSec policy group to an interface.

    # Apply the IPSec policy group to the public network interface of the router.

    [Router] interface gigabitethernet 0/0/1
    [Router-GigabitEthernet0/0/1] ipsec policy map1
    [Router-GigabitEthernet0/0/1] quit

  7. Verify the configuration.

    # Run the display ike proposal command on the router to check the IKE proposal configuration.

    [Router] display ike proposal number 5
    -------------------------------------------
     IKE Proposal: 5
     Authentication method      : pre-shared
     Authentication algorithm   : SHA2-512
     Encryption algorithm       : AES-CBC-256
     DH group                   : MODP-2048
     SA duration                : 28800
     PRF                        : PRF-HMAC-SHA2-256
    -------------------------------------------

    # Run the display ipsec proposal command on the router to check the IPSec proposal configuration.

    [Router] display ipsec proposal

    Number of proposals: 1

    IPsec proposal name: tran1
     Encapsulation mode: Tunnel
     Transform         : esp-new
     ESP protocol      : Authentication SHA2-HMAC-512
                         Encryption     AES-256
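The steps above leave several places where a weak choice would still negotiate a working tunnel (a legacy cipher or DH group in either proposal, aggressive exchange mode, a pre-shared key entered in plaintext form, DPD left off, or a policy group that is never applied to an interface). As an added example, not Huawei tooling or part of this guide, the following Python script parses the transcript form used in the procedure, tracks which view each command belongs to, and reports those conditions before the configuration is accepted. The "weak" sets, the reference checks and both sample transcripts are assumptions of this example; GUIDE_CONFIG is a constructed copy of the commands in this guide and is expected to pass clean, and WEAK_CONFIG is a constructed weakened variant of it.

```python
"""Audit a Huawei VRP IKE/IPsec CLI transcript for weak or inconsistent settings.
Added example, not Huawei tooling; weak sets and sample transcripts are assumptions."""
import re

PROMPT_RE = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])?\s*(.*?)\s*$")  # drops "<Huawei>" / "[Router-...]"
WEAK_ENC = {"des", "3des", "des-cbc", "3des-cbc"}
WEAK_AUTH = {"md5", "sha1"}
# (view, command prefix, index of the checked token, values to flag, label)
WEAK_RULES = [
    ("ike proposal", ("encryption-algorithm",), 1, WEAK_ENC, "IKE encryption"),
    ("ike proposal", ("authentication-algorithm",), 1, WEAK_AUTH, "IKE integrity"),
    ("ike proposal", ("dh",), 1, {"group1", "group2", "group5"}, "DH group"),
    ("ipsec proposal", ("esp", "encryption-algorithm"), 2, WEAK_ENC, "ESP encryption"),
    ("ipsec proposal", ("esp", "authentication-algorithm"), 2, WEAK_AUTH, "ESP integrity"),
    ("ike peer", ("exchange-mode",), 1, {"aggressive"}, "exchange mode (identities and PSK hash sent unencrypted)"),
    ("ike peer", ("pre-shared-key",), 1, {"simple"}, "PSK form (stored in plaintext)"),
]
# referencing command -> view in which the referenced object must have been created
REFS = {"ike-proposal": "ike proposal", "ike-peer": "ike peer", "proposal": "ipsec proposal", "security": "acl number"}

def view_key(t: list[str]):
    """Section name if the command enters a configuration view, else None."""
    if t[:2] in (["ike", "proposal"], ["ipsec", "proposal"], ["ike", "peer"], ["acl", "number"]) and len(t) > 2:
        return " ".join(t[:3])                  # "ike peer feita v1" -> "ike peer feita"
    if t[:2] == ["ipsec", "policy"] and len(t) > 3 and t[3].isdigit():
        return " ".join(t[:4])                  # "ipsec policy map1 10 isakmp" enters the policy view
    if t[0] == "interface" and len(t) > 1:
        return "interface " + "".join(t[1:]).lower()
    return None

def parse_transcript(text: str) -> dict[str, list[str]]:
    """Map each view (e.g. 'ike peer feita') to the commands entered inside it."""
    sections, current = {"system": []}, "system"
    for raw in text.splitlines():
        cmd = PROMPT_RE.match(raw).group(1)
        if not cmd or cmd.startswith("#"):      # blank line or the guide's "# ..." commentary
            continue
        t = cmd.split()
        if t[0] == "quit":
            current = "system"
        elif (key := view_key(t)) is not None:
            current = key
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(cmd)
    return sections

def audit(sections: dict[str, list[str]]) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    applied = {c.split()[2] for n, cs in sections.items() if n.startswith("interface ")
               for c in cs if c.split()[:2] == ["ipsec", "policy"]}
    for name, cmds in sections.items():
        kind = " ".join(name.split()[:2])
        for t in (c.split() for c in cmds):
            for view, prefix, pos, bad, label in WEAK_RULES:
                if kind == view and tuple(t[:len(prefix)]) == prefix and len(t) > pos and t[pos] in bad:
                    findings.append(f"{name}: weak {label}: {t[pos]}")
            if t[0] in REFS and f"{REFS[t[0]]} {t[-1]}" not in sections:
                findings.append(f"{name}: references undefined {REFS[t[0]]} {t[-1]}")
        if kind == "ike peer" and not any(c.startswith("dpd ") for c in cmds):
            findings.append(f"{name}: dead peer detection not enabled")
        if kind == "ipsec policy" and name.split()[2] not in applied:
            findings.append(f"{name}: policy group {name.split()[2]} is not applied to any interface")
    return findings

# Constructed copy of this guide's transcript (the reviewed "good" case).
GUIDE_CONFIG = """\
[Router] acl number 3101
[Router-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
[Router-acl-adv-3101] quit
[Router] ipsec proposal tran1
[Router-ipsec-proposal-tran1] esp authentication-algorithm sha2-512
[Router-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[Router-ipsec-proposal-tran1] quit
[Router] ike proposal 5
[Router-ike-proposal-5] encryption-algorithm aes-cbc-256
[Router-ike-proposal-5] authentication-algorithm sha2-512
[Router-ike-proposal-5] dh group14
[Router-ike-proposal-5] quit
[Router] ike peer feita v1
[Router-ike-peer-feita] ike-proposal 5
[Router-ike-peer-feita] pre-shared-key cipher huawei@123
[Router-ike-peer-feita] exchange-mode main
[Router-ike-peer-feita] dpd type periodic
[Router-ike-peer-feita] quit
[Router] ipsec policy map1 10 isakmp
[Router-ipsec-policy-isakmp-map1-10] ike-peer feita
[Router-ipsec-policy-isakmp-map1-10] proposal tran1
[Router-ipsec-policy-isakmp-map1-10] security acl 3101
[Router-ipsec-policy-isakmp-map1-10] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ipsec policy map1
"""
# Constructed weakened variant: legacy cipher and DH group, aggressive mode, no DPD, policy never applied.
WEAK_CONFIG = (GUIDE_CONFIG.replace("aes-cbc-256", "des-cbc").replace("dh group14", "dh group2")
               .replace("exchange-mode main", "exchange-mode aggressive").replace("ipsec policy map1\n", "ipsec policy map9\n")
               .replace("[Router-ike-peer-feita] dpd type periodic\n", ""))
```

Run `audit(parse_transcript(GUIDE_CONFIG))` on a pasted transcript or on the output of `display current-configuration` (the parser ignores prompts and `#` lines, so both forms work); an empty list means nothing was flagged, and WEAK_CONFIG produces five findings, one per weakening. Adding a rule is a matter of appending a tuple to WEAK_RULES, and REFS is what ties the IPSec policy back to the ACL, proposal and peer created in the earlier steps.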

Updated: 2019-05-17

Document ID: EDOC1100034005