
CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Establishing Multiple IPSec Tunnels Between the Enterprise Headquarters and Branches Using IPSec Policy Groups

Networking Requirements

As shown in Figure 4-38, RouterA and RouterB are branch gateways, and RouterC is the headquarters gateway. The headquarters and branches communicate through the Internet. The gateways' IP addresses are fixed. The subnets of branch A, branch B, and headquarters are 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 respectively.

The enterprise wants to protect data flows between each branch subnet and the headquarters subnet. Because the gateways communicate over the Internet, IPSec tunnels are set up between each branch gateway and the headquarters gateway. Because the branch gateways' IP addresses are fixed, they can be specified on the headquarters gateway, so an IPSec policy group (one policy entry per branch, each bound to its own IKE peer and ACL) can be configured on RouterC. The headquarters gateway can then initiate IPSec negotiation to each branch gateway, or accept negotiation requests from each branch gateway, to set up the multiple IPSec tunnels.

Figure 4-38  Establishing multiple IPSec tunnels between the enterprise headquarters and branches using IPSec policies

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses and static routes for interfaces so that routes among the three gateways are reachable.

  2. Configure ACLs to define data flows to be protected.

  3. Configure IPSec proposals to define the method used to protect IPSec traffic.

  4. Configure IKE peers to define IKE negotiation attributes.

  5. Configure IPSec policies on RouterA and RouterB. Create IPSec policy groups on RouterC to define protection methods for data flows between RouterA and RouterC, and between RouterB and RouterC.

  6. Apply IPSec policy groups to interfaces.

Procedure

  1. Configure IP addresses and static routes for interfaces on RouterA, RouterB, and RouterC so that routes among them are reachable.

    # Assign an IP address to an interface on RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ip address 60.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet0/0/1] quit
    [RouterA] interface gigabitethernet 0/0/2
    [RouterA-GigabitEthernet0/0/2] ip address 192.168.1.2 255.255.255.0
    [RouterA-GigabitEthernet0/0/2] quit
    

    # Configure a static route to the peer on RouterA. This example assumes that the next hop address in the route to RouterC is 60.1.1.2.

    [RouterA] ip route-static 60.1.3.0 255.255.255.0 60.1.1.2
    [RouterA] ip route-static 192.168.3.0 255.255.255.0 60.1.1.2

    # Assign an IP address to an interface on RouterB.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 0/0/1 
    [RouterB-GigabitEthernet0/0/1] ip address 60.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet0/0/1] quit
    [RouterB] interface gigabitethernet 0/0/2
    [RouterB-GigabitEthernet0/0/2] ip address 192.168.2.2 255.255.255.0
    [RouterB-GigabitEthernet0/0/2] quit
    

    # Configure a static route to the peer on RouterB. This example assumes that the next hop address in the route to RouterC is 60.1.2.2.

    [RouterB] ip route-static 60.1.3.0 255.255.255.0 60.1.2.2
    [RouterB] ip route-static 192.168.3.0 255.255.255.0 60.1.2.2

    # Assign an IP address to an interface on RouterC.

    <Huawei> system-view
    [Huawei] sysname RouterC
    [RouterC] interface gigabitethernet 0/0/1 
    [RouterC-GigabitEthernet0/0/1] ip address 60.1.3.1 255.255.255.0
    [RouterC-GigabitEthernet0/0/1] quit
    [RouterC] interface gigabitethernet 0/0/2
    [RouterC-GigabitEthernet0/0/2] ip address 192.168.3.2 255.255.255.0
    [RouterC-GigabitEthernet0/0/2] quit
    

    # Configure a static route to the peer on RouterC. This example assumes that the next hop address in the route to RouterA and RouterB is 60.1.3.2.

    [RouterC] ip route-static 60.1.1.0 255.255.255.0 60.1.3.2
    [RouterC] ip route-static 60.1.2.0 255.255.255.0 60.1.3.2
    [RouterC] ip route-static 192.168.1.0 255.255.255.0 60.1.3.2
    [RouterC] ip route-static 192.168.2.0 255.255.255.0 60.1.3.2

  2. Configure ACLs on RouterA, RouterB, and RouterC to define data flows to be protected.

    # Configure an ACL on RouterA to define data flows sent from 192.168.1.0/24 to 192.168.3.0/24.

    [RouterA] acl number 3002
    [RouterA-acl-adv-3002] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    [RouterA-acl-adv-3002] quit

    # Configure an ACL on RouterB to define data flows sent from 192.168.2.0/24 to 192.168.3.0/24.

    [RouterB] acl number 3002
    [RouterB-acl-adv-3002] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    [RouterB-acl-adv-3002] quit

    # Configure an ACL on RouterC to define data flows sent from 192.168.3.0/24 to 192.168.1.0/24 and 192.168.2.0/24.

    [RouterC] acl number 3002
    [RouterC-acl-adv-3002] rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    [RouterC-acl-adv-3002] quit
    [RouterC] acl number 3003
    [RouterC-acl-adv-3003] rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    [RouterC-acl-adv-3003] quit

  3. Create IPSec proposals on RouterA, RouterB, and RouterC.

    # Create an IPSec proposal on RouterA.

    [RouterA] ipsec proposal tran1
    [RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterA-ipsec-proposal-tran1] quit

    # Create an IPSec proposal on RouterB.

    [RouterB] ipsec proposal tran1
    [RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterB-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterB-ipsec-proposal-tran1] quit

    # Create an IPSec proposal on RouterC.

    [RouterC] ipsec proposal tran1
    [RouterC-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterC-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterC-ipsec-proposal-tran1] quit

    Run the display ipsec proposal command on RouterA, RouterB, and RouterC to view the IPSec proposal configuration. The display on RouterA is used as an example.

    [RouterA] display ipsec proposal name tran1
    
    IPSec proposal name: tran1
     Encapsulation mode: Tunnel
     Transform         : esp-new
     ESP protocol      : Authentication SHA2-HMAC-256
                         Encryption     AES-128
    

  4. Configure IKE peers on RouterA, RouterB, and RouterC.

    # Create an IKE proposal on RouterA.

    [RouterA] ike proposal 5
    [RouterA-ike-proposal-5] encryption-algorithm aes-128
    [RouterA-ike-proposal-5] authentication-algorithm sha2-256
    [RouterA-ike-proposal-5] dh group14
    [RouterA-ike-proposal-5] quit

    # Configure an IKE peer on RouterA.

    [RouterA] ike peer rut1
    [RouterA-ike-peer-rut1] undo version 2
    [RouterA-ike-peer-rut1] ike-proposal 5
    [RouterA-ike-peer-rut1] pre-shared-key cipher huawei@123
    [RouterA-ike-peer-rut1] remote-address 60.1.3.1
    [RouterA-ike-peer-rut1] quit

    # Create an IKE proposal on RouterB.

    [RouterB] ike proposal 5
    [RouterB-ike-proposal-5] encryption-algorithm aes-128
    [RouterB-ike-proposal-5] authentication-algorithm sha2-256
    [RouterB-ike-proposal-5] dh group14
    [RouterB-ike-proposal-5] quit

    # Configure an IKE peer on RouterB.

    [RouterB] ike peer rut1
    [RouterB-ike-peer-rut1] undo version 2
    [RouterB-ike-peer-rut1] ike-proposal 5
    [RouterB-ike-peer-rut1] pre-shared-key cipher huawei@123
    [RouterB-ike-peer-rut1] remote-address 60.1.3.1
    [RouterB-ike-peer-rut1] quit

    # Create an IKE proposal on RouterC.

    [RouterC] ike proposal 5
    [RouterC-ike-proposal-5] encryption-algorithm aes-128
    [RouterC-ike-proposal-5] authentication-algorithm sha2-256
    [RouterC-ike-proposal-5] dh group14
    [RouterC-ike-proposal-5] quit

    # Configure an IKE peer on RouterC.

    [RouterC] ike peer rut1
    [RouterC-ike-peer-rut1] undo version 2
    [RouterC-ike-peer-rut1] ike-proposal 5
    [RouterC-ike-peer-rut1] pre-shared-key cipher huawei@123
    [RouterC-ike-peer-rut1] remote-address 60.1.1.1
    [RouterC-ike-peer-rut1] quit
    [RouterC] ike peer rut2
    [RouterC-ike-peer-rut2] undo version 2
    [RouterC-ike-peer-rut2] ike-proposal 5
    [RouterC-ike-peer-rut2] pre-shared-key cipher huawei@123
    [RouterC-ike-peer-rut2] remote-address 60.1.2.1
    [RouterC-ike-peer-rut2] quit

  5. Configure IPSec policies on RouterA and RouterB, and configure an IPSec policy group on RouterC.

    # Create an IPSec policy on RouterA.

    [RouterA] ipsec policy policy1 10 isakmp
    [RouterA-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterA-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterA-ipsec-policy-isakmp-policy1-10] security acl 3002
    [RouterA-ipsec-policy-isakmp-policy1-10] quit

    # Create an IPSec policy on RouterB.

    [RouterB] ipsec policy policy1 10 isakmp
    [RouterB-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterB-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterB-ipsec-policy-isakmp-policy1-10] security acl 3002
    [RouterB-ipsec-policy-isakmp-policy1-10] quit

    # Create an IPSec policy group on RouterC.

    [RouterC] ipsec policy policy1 10 isakmp
    [RouterC-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterC-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterC-ipsec-policy-isakmp-policy1-10] security acl 3002
    [RouterC-ipsec-policy-isakmp-policy1-10] quit
    [RouterC] ipsec policy policy1 11 isakmp
    [RouterC-ipsec-policy-isakmp-policy1-11] ike-peer rut2
    [RouterC-ipsec-policy-isakmp-policy1-11] proposal tran1
    [RouterC-ipsec-policy-isakmp-policy1-11] security acl 3003
    [RouterC-ipsec-policy-isakmp-policy1-11] quit

    Run the display ipsec policy command on RouterA, RouterB, and RouterC to view the configurations of the IPSec policies and, on RouterC, of the IPSec policy group.

  6. Apply IPSec policy groups to interfaces on RouterA, RouterB, and RouterC.

    # Apply the IPSec policy group to the interface of RouterA.

    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterA-GigabitEthernet0/0/1] quit

    # Apply the IPSec policy group to the interface of RouterB.

    [RouterB] interface gigabitethernet 0/0/1
    [RouterB-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterB-GigabitEthernet0/0/1] quit

    # Apply the IPSec policy group to the interface of RouterC.

    [RouterC] interface gigabitethernet 0/0/1
    [RouterC-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterC-GigabitEthernet0/0/1] quit

  7. Verify the configuration.

    # After the configurations are complete, PC A and PC B can ping PC C successfully. The data transmitted between PC A and PC C, and between PC B and PC C, is encrypted; only the flows matched by the security ACLs are protected.

    # Run the display ike sa command on RouterA and RouterB to view the IKE SA configuration. The display on RouterA is used as an example.

    [RouterA] display ike sa
    IKE SA information :
      Conn-ID  Peer          VPN   Flag(s)   Phase   RemoteType  RemoteID
      ---------------------------------------------------------------------------
      24366    60.1.3.1:500        RD|ST     v1:2    IP          60.1.3.1
      24274    60.1.3.1:500        RD|ST     v1:1    IP          60.1.3.1
                                       
      Number of IKE SA : 2     
      ---------------------------------------------------------------------------
    
      Flag Description:           
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   

    # Run the display ike sa command on RouterC. The following information is displayed:

    [RouterC] display ike sa
    IKE SA information :
      Conn-ID  Peer           VPN   Flag(s)   Phase   RemoteType  RemoteID
      --------------------------------------------------------------------------
       961    60.1.2.1:500          RD        v1:2    IP          60.1.2.1
       933    60.1.2.1:500          RD        v1:1    IP          60.1.2.1
       937    60.1.1.1:500          RD        v1:2    IP          60.1.1.1
       936    60.1.1.1:500          RD        v1:1    IP          60.1.1.1
                                       
      Number of IKE SA : 4     
      --------------------------------------------------------------------------
                                                               
      Flag Description:           
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   
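    The display ike sa output above is what an operator reads by hand; when the headquarters gateway terminates many branches it is worth scripting the same check. The following is an added example (not Huawei code, and not part of this guide): it parses the RouterC output copied above and reports, for each expected branch peer, whether both the IKEv1 phase-1 SA (v1:1) and the IPSec SA (v1:2) exist in the RD state. The peer 60.1.4.1 used in the usage section is a constructed address with no tunnel, included only to show the failure path.

```python
"""Added example (not Huawei code): parse the 'display ike sa' output shown
above and report, per expected peer, whether the IKEv1 phase-1 and phase-2
SAs exist and are in the RD (ready) state."""

# Copied from the page's RouterC output (the VPN column is empty there).
IKE_SA_OUTPUT = """\
IKE SA information :
  Conn-ID  Peer           VPN   Flag(s)   Phase   RemoteType  RemoteID
  --------------------------------------------------------------------------
   961    60.1.2.1:500          RD        v1:2    IP          60.1.2.1
   933    60.1.2.1:500          RD        v1:1    IP          60.1.2.1
   937    60.1.1.1:500          RD        v1:2    IP          60.1.1.1
   936    60.1.1.1:500          RD        v1:1    IP          60.1.1.1

  Number of IKE SA : 4
"""


def parse_ike_sa(text):
    """Return one dict per SA row. Rows are whitespace-delimited; the VPN
    column may be blank, which leaves six tokens instead of seven."""
    sas = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].isdigit():
            continue                  # header, separator, summary or flag legend
        if len(parts) == 6:
            parts.insert(2, None)     # no VPN instance bound to this SA
        conn, peer, vpn, flags, phase, rtype, rid = parts[:7]
        ip, _, port = peer.rpartition(":")
        sas.append({"conn": int(conn), "peer": ip, "port": int(port), "vpn": vpn,
                    "flags": set(flags.split("|")), "phase": phase,
                    "remote_type": rtype, "remote_id": rid})
    return sas


def check_tunnels(sas, expected_peers):
    """Map each expected peer address to a status. A healthy IKEv1 tunnel has
    a v1:1 (IKE SA) row and a v1:2 (IPSec SA) row, both carrying the RD flag."""
    status = {}
    for peer in expected_peers:
        rows = [s for s in sas if s["peer"] == peer]
        ready = {s["phase"] for s in rows if "RD" in s["flags"]}
        if not rows:
            status[peer] = "no IKE SA: phase 1 never completed (check reachability, pre-shared key, IKE proposal)"
        elif "v1:1" not in ready:
            status[peer] = "phase 1 not ready: " + ", ".join(sorted("|".join(s["flags"]) for s in rows))
        elif "v1:2" not in ready:
            status[peer] = "phase 1 up, phase 2 not ready (check security ACL and IPSec proposal)"
        else:
            status[peer] = "ok"
    return status


if __name__ == "__main__":
    # 60.1.4.1 is a constructed peer that has no tunnel in this example.
    result = check_tunnels(parse_ike_sa(IKE_SA_OUTPUT), ["60.1.1.1", "60.1.2.1", "60.1.4.1"])
    for peer, state in result.items():
        print(f"{peer:<10} {state}")
```

    The status strings distinguish the two common failure stages in this topology: no row at all means IKE phase 1 never finished (typically a wrong pre-shared key, mismatched IKE proposal or blocked UDP 500), while a v1:1 row without a v1:2 row means phase 1 succeeded but the IPSec SA was not negotiated (typically a security ACL that is not mirrored or an IPSec proposal mismatch).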

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #
    acl number 3002
     rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     ike-proposal 5
     remote-address 60.1.3.1
    #
    ipsec policy policy1 10 isakmp
     security acl 3002
     ike-peer rut1
     proposal tran1
    #
    interface GigabitEthernet0/0/1
     ip address 60.1.1.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.1.2 255.255.255.0
    #
    ip route-static 60.1.3.0 255.255.255.0 60.1.1.2
    ip route-static 192.168.3.0 255.255.255.0 60.1.1.2
    #
    return
    
  • Configuration file of RouterB

    #
     sysname RouterB
    #
    acl number 3002
     rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
     ike-proposal 5
     remote-address 60.1.3.1
    #
    ipsec policy policy1 10 isakmp
     security acl 3002
     ike-peer rut1
     proposal tran1
    #
    interface GigabitEthernet0/0/1
     ip address 60.1.2.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.2.2 255.255.255.0
    #
    ip route-static 60.1.3.0 255.255.255.0 60.1.2.2
    ip route-static 192.168.3.0 255.255.255.0 60.1.2.2
    #
    return
    
  • Configuration file of RouterC

    #
     sysname RouterC
    #
    acl number 3002
     rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    acl number 3003
     rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%#
     ike-proposal 5
     remote-address 60.1.1.1
    #
    ike peer rut2
     undo version 2
     pre-shared-key cipher %^%#(3fr1!&6O=)!GN#~{)n,2fq>4#4+%;lMTs5(]:c)%^%#
     ike-proposal 5
     remote-address 60.1.2.1
    #
    ipsec policy policy1 10 isakmp
     security acl 3002
     ike-peer rut1
     proposal tran1
    ipsec policy policy1 11 isakmp
     security acl 3003
     ike-peer rut2
     proposal tran1
    #
    interface GigabitEthernet0/0/1
     ip address 60.1.3.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.3.2 255.255.255.0
    #
    ip route-static 60.1.1.0 255.255.255.0 60.1.3.2
    ip route-static 60.1.2.0 255.255.255.0 60.1.3.2
    ip route-static 192.168.1.0 255.255.255.0 60.1.3.2
    ip route-static 192.168.2.0 255.255.255.0 60.1.3.2
    #
    return
    
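The three configuration files above only work together if each branch entry on RouterC points back at the right branch and its security ACL is the exact mirror of that branch's ACL; a one-sided ACL or a wrong remote-address is the usual reason a tunnel in this topology stops at phase 1. The following is an added example (not Huawei code, and not part of this guide) that parses the relevant sections of these configuration files and performs that consistency check. The RouterA and RouterC excerpts are copied from the files above with only the sections the check needs kept; the RouterB excerpt is derived from RouterA by substituting its LAN subnet and WAN address, which is the only way the two branch configurations differ. The faulty RouterB variant in the usage section is constructed.

```python
"""Added example (not Huawei code): check that each branch IPSec tunnel in
the RouterA/RouterB/RouterC example is mirrored by the headquarters policy
group (peer addresses point at each other, security ACLs mirror each other)."""
import re

# Excerpts copied from the page's "Configuration Files" section; only the
# sections the check needs are kept. RouterB differs from RouterA only in its
# LAN subnet and WAN address, so it is derived by substitution.
ROUTER_A = """\
acl number 3002
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
ike peer rut1
 remote-address 60.1.3.1
ipsec policy policy1 10 isakmp
 security acl 3002
 ike-peer rut1
interface GigabitEthernet0/0/1
 ip address 60.1.1.1 255.255.255.0
 ipsec policy policy1
"""
ROUTER_B = ROUTER_A.replace("192.168.1.0", "192.168.2.0").replace("60.1.1.1", "60.1.2.1")
ROUTER_C = """\
acl number 3002
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3003
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ike peer rut1
 remote-address 60.1.1.1
ike peer rut2
 remote-address 60.1.2.1
ipsec policy policy1 10 isakmp
 security acl 3002
 ike-peer rut1
ipsec policy policy1 11 isakmp
 security acl 3003
 ike-peer rut2
interface GigabitEthernet0/0/1
 ip address 60.1.3.1 255.255.255.0
 ipsec policy policy1
"""

SECTION = {  # section-opening command -> sub-command pattern collected under it
    "acl": (r"acl number (\d+)", r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)"),
    "peer": (r"ike peer (\S+)", r"(remote-address) (\S+)"),
    "policy": (r"ipsec policy (\S+ \d+) isakmp", r"(security acl|ike-peer) (\S+)"),
    "iface": (r"interface (\S+)", r"(ip address|ipsec policy) (\S+)"),
}


def parse_vrp(text):
    """Return {kind: {key: data}}; ACL data is a list of
    (src, src-wildcard, dst, dst-wildcard) tuples, the rest sub-command -> value."""
    cfg = {k: {} for k in SECTION}
    ctx = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "#":          # '#' closes a section in VRP files
            ctx = None
            continue
        for kind, (head, _) in SECTION.items():
            if m := re.fullmatch(head, line):
                ctx = (kind, m.group(1))
                cfg[kind].setdefault(m.group(1), [] if kind == "acl" else {})
                break
        else:
            if ctx and (m := re.match(SECTION[ctx[0]][1], line)):
                if ctx[0] == "acl":
                    cfg["acl"][ctx[1]].append(m.groups())
                else:
                    cfg[ctx[0]][ctx[1]][m.group(1)] = m.group(2)
    return cfg


def tunnel_entries(cfg):
    """One record per policy entry applied on an interface: local tunnel
    address, the IKE peer's remote-address and the set of protected flows."""
    applied = {i["ipsec policy"]: i["ip address"] for i in cfg["iface"].values()
               if "ipsec policy" in i and "ip address" in i}
    entries = []
    for key, pol in cfg["policy"].items():
        name = key.split()[0]
        if name in applied:
            entries.append({"entry": key, "local": applied[name],
                            "remote": cfg["peer"].get(pol.get("ike-peer"), {}).get("remote-address"),
                            "flows": set(cfg["acl"].get(pol.get("security acl"), []))})
    return entries


def mirror_findings(hq_cfg, branch_cfg):
    """Problems a branch tunnel would hit against the headquarters policy group."""
    hq, findings = tunnel_entries(hq_cfg), []
    for b in tunnel_entries(branch_cfg):
        match = [h for h in hq if h["remote"] == b["local"]]
        if not match:
            findings.append(f"HQ has no policy entry peering with branch {b['local']}")
            continue
        h = match[0]
        if b["remote"] != h["local"]:
            findings.append(f"branch {b['local']} peers with {b['remote']}, HQ tunnel address is {h['local']}")
        if {(d, dm, s, sm) for s, sm, d, dm in b["flows"]} != h["flows"]:
            findings.append(f"ACL of HQ entry '{h['entry']}' does not mirror branch {b['local']}")
    return findings


if __name__ == "__main__":
    hq = parse_vrp(ROUTER_C)
    for name, text in (("RouterA", ROUTER_A), ("RouterB", ROUTER_B)):
        print(name, mirror_findings(hq, parse_vrp(text)) or "mirrored correctly")
    # Constructed fault: branch B protects the wrong destination subnet.
    print("RouterB(bad)", mirror_findings(hq, parse_vrp(ROUTER_B.replace("192.168.3.0", "192.168.4.0"))))
```

The check deliberately treats the ACL comparison as a set equality of reversed (source, destination) pairs rather than a subset test: an HQ entry that protects more than its branch mirrors would still negotiate, but the extra flows would be sent in the clear or dropped depending on the peer's policy, which is exactly the kind of silent gap a review of the policy group should catch.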
Updated: 2019-04-12

Document ID: EDOC1100041799
