
CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Establishing an IPSec over GRE Tunnel Between the Headquarters and Branch (Based on ACL)

Networking Requirements

In Figure 4-50, Router1 is the gateway of an enterprise branch, and Router2 is the gateway of the headquarters. Router1 and Router2 communicate through the public network.

On the live network, the enterprise branch already communicates with the headquarters through a GRE tunnel. The enterprise wants to protect the traffic between the headquarters and branch, but not the multicast data that also crosses the tunnel. Because an ACL selects exactly the flows to be protected, an IPSec over GRE tunnel based on an ACL meets this requirement: flows matching the ACL are encrypted by ESP inside the GRE tunnel, while other tunneled traffic is carried by GRE alone.

Figure 4-50  Establishing an IPSec over GRE tunnel between the headquarters and branch

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the IP address and static route on each physical interface to ensure reachable routes between the interfaces.
  2. Configure GRE tunnel interfaces.
  3. Configure static routes for tunnel interfaces so that data flows are imported to the tunnel interfaces.
  4. Configure an ACL to define the data flows to be protected by IPSec.
  5. Configure an IPSec proposal to define the traffic protection method.
  6. Configure an IKE peer and IKE proposal to define the attributes used for IKE negotiation.
  7. Configure a security policy and apply the IKE proposal, IKE peer, and ACL.
  8. Apply the security policy to the tunnel interfaces to enable IPSec protection.

Procedure

  1. Configure an IP address and a static route for each physical interface on the routers.

    # Configure Router1.

    <Huawei> system-view
    [Huawei] sysname Router1
    [Router1] interface gigabitethernet 1/0/0 
    [Router1-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
    [Router1-GigabitEthernet1/0/0] quit
    [Router1] interface gigabitethernet 2/0/0
    [Router1-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
    [Router1-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the remote end on Router1. This example assumes that the next hop address of the route is 1.1.1.2.

    [Router1] ip route-static 2.1.1.0 255.255.255.0 1.1.1.2

    # Configure Router2.

    <Huawei> system-view
    [Huawei] sysname Router2
    [Router2] interface gigabitethernet 1/0/0 
    [Router2-GigabitEthernet1/0/0] ip address 2.1.1.1 255.255.255.0
    [Router2-GigabitEthernet1/0/0] quit
    [Router2] interface gigabitethernet 2/0/0
    [Router2-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
    [Router2-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the remote end on Router2. This example assumes that the next hop address of the route is 2.1.1.2.

    [Router2] ip route-static 1.1.1.0 255.255.255.0 2.1.1.2

  2. Configure GRE tunnel interfaces.

    # Configure Router1.

    [Router1] interface tunnel 0/0/0
    [Router1-Tunnel0/0/0] ip address 10.2.1.1 255.255.255.0
    [Router1-Tunnel0/0/0] tunnel-protocol gre
    [Router1-Tunnel0/0/0] source 1.1.1.1
    [Router1-Tunnel0/0/0] destination 2.1.1.1
    [Router1-Tunnel0/0/0] quit 
    

    # Configure Router2.

    [Router2] interface tunnel 0/0/0
    [Router2-Tunnel0/0/0] ip address 10.2.1.2 255.255.255.0
    [Router2-Tunnel0/0/0] tunnel-protocol gre
    [Router2-Tunnel0/0/0] source 2.1.1.1
    [Router2-Tunnel0/0/0] destination 1.1.1.1
    [Router2-Tunnel0/0/0] quit 
    

  3. Configure static routes for tunnel interfaces so that data flows are imported to the tunnel interfaces.

    # Configure Router1.

    [Router1] ip route-static 10.1.2.0 255.255.255.0 tunnel 0/0/0 

    # Configure Router2.

    [Router2] ip route-static 10.1.1.0 255.255.255.0 tunnel 0/0/0 

    After the configuration is complete, run the display tunnel-info all command on the routers to view GRE tunnel establishment information. The command output on Router1 is used as an example.

    [Router1] display tunnel-info all
     * -> Allocated VC Token                                                        
    Tunnel ID           Type                 Destination           Token            
    ----------------------------------------------------------------------          
    0x1                 gre                   2.1.1.1                1      

  4. Create an ACL on the routers to define the data flows to be protected.

    # Configure Router1.

    [Router1] acl number 3101
    [Router1-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [Router1-acl-adv-3101] quit
    

    # Configure Router2.

    [Router2] acl number 3101
    [Router2-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [Router2-acl-adv-3101] quit
    

  5. Create an IPSec proposal on the routers.

    # Configure Router1.

    [Router1] ipsec proposal tran1
    [Router1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [Router1-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [Router1-ipsec-proposal-tran1] quit

    # Configure Router2.

    [Router2] ipsec proposal tran1
    [Router2-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [Router2-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [Router2-ipsec-proposal-tran1] quit

  6. Configure an IKE proposal and an IKE peer on the routers.

    # Configure Router1.
    [Router1] ike proposal 5
    [Router1-ike-proposal-5] authentication-algorithm sha2-256
    [Router1-ike-proposal-5] encryption-algorithm aes-128
    [Router1-ike-proposal-5] dh group14
    [Router1-ike-proposal-5] quit
    [Router1] ike peer spub
    [Router1-ike-peer-spub] undo version 2
    [Router1-ike-peer-spub] ike-proposal 5
    [Router1-ike-peer-spub] pre-shared-key cipher Huawei@1234
    [Router1-ike-peer-spub] remote-address 10.2.1.2
    [Router1-ike-peer-spub] quit

    # Configure Router2.

    [Router2] ike proposal 5
    [Router2-ike-proposal-5] authentication-algorithm sha2-256
    [Router2-ike-proposal-5] encryption-algorithm aes-128
    [Router2-ike-proposal-5] dh group14
    [Router2-ike-proposal-5] quit
    [Router2] ike peer spua
    [Router2-ike-peer-spua] undo version 2
    [Router2-ike-peer-spua] ike-proposal 5
    [Router2-ike-peer-spua] pre-shared-key cipher Huawei@1234
    [Router2-ike-peer-spua] remote-address 10.2.1.1
    [Router2-ike-peer-spua] quit

  7. Create a security policy on the routers.

    # Configure Router1.

    [Router1] ipsec policy map1 10 isakmp
    [Router1-ipsec-policy-isakmp-map1-10] proposal tran1
    [Router1-ipsec-policy-isakmp-map1-10] ike-peer spub
    [Router1-ipsec-policy-isakmp-map1-10] security acl 3101
    [Router1-ipsec-policy-isakmp-map1-10] quit

    # Configure Router2.

    [Router2] ipsec policy use1 10 isakmp
    [Router2-ipsec-policy-isakmp-use1-10] proposal tran1
    [Router2-ipsec-policy-isakmp-use1-10] ike-peer spua
    [Router2-ipsec-policy-isakmp-use1-10] security acl 3101
    [Router2-ipsec-policy-isakmp-use1-10] quit

  8. Apply the security policy to the router interfaces.

    # Configure Router1.

    [Router1] interface tunnel 0/0/0
    [Router1-Tunnel0/0/0] ipsec policy map1
    [Router1-Tunnel0/0/0] quit

    # Configure Router2.

    [Router2] interface tunnel 0/0/0
    [Router2-Tunnel0/0/0] ipsec policy use1
    [Router2-Tunnel0/0/0] quit

  9. Verify the configuration.

    # After the configuration is complete, run the display ike sa command on the routers to view the SA establishment information. The command output on Router1 is used as an example.

    [Router1] display ike sa
    IKE SA information :
       Conn-ID    Peer             VPN   Flag(s)   Phase   RemoteType  RemoteID
      ------------------------------------------------------------------------------
       20         10.2.1.2:500           RD|A      v1:2    IP          10.2.1.2
       19         10.2.1.2:500           RD|A      v1:1    IP          10.2.1.2
                                                                                    
      Number of IKE SA : 2                                                          
      ------------------------------------------------------------------------------
                                                                                    
      Flag Description:                                                             
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING     

    After an SA is successfully established, data transmitted between the headquarters and branch is encrypted.
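    The following Python model is an added illustration and is not Huawei code or command output. It reproduces the addresses and ACL 3101 rules from the procedure above to show which packets leaving each router are ESP-protected inside GRE, which are tunneled in the clear (for example multicast, which the ACL does not select), and which never enter the tunnel; it also checks that the two ACLs mirror each other, since a one-sided rule is the usual reason an IPSec SA never comes up. It assumes multicast is already routed into the GRE tunnel, as on the page's live network.

```python
import ipaddress

# Constructed model of the page's example (same addresses and ACL 3101 rules).
TUNNEL_ROUTE = {              # static route whose outbound interface is Tunnel0/0/0
    "Router1": ipaddress.ip_network("10.1.2.0/24"),
    "Router2": ipaddress.ip_network("10.1.1.0/24"),
}
ACL_3101 = {                  # (src, src-wildcard, dst, dst-wildcard) per rule
    "Router1": [("10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")],
    "Router2": [("10.1.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255")],
}


def _wc_match(ip, base, wildcard):
    """Huawei ACL wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    ip, base, wc = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    return (ip & ~wc) == (base & ~wc)


def acl_permits(router, src, dst):
    """True if ACL 3101 on `router` selects this flow for IPSec protection."""
    return any(_wc_match(src, s, sw) and _wc_match(dst, d, dw)
               for s, sw, d, dw in ACL_3101[router])


def classify(router, src, dst):
    """How a packet leaving `router` is carried by the page's configuration."""
    dst_ip = ipaddress.ip_address(dst)
    # Assumption: multicast is already routed into the GRE tunnel (the page's
    # live network); unicast enters it only via the static tunnel route.
    in_tunnel = dst_ip.is_multicast or dst_ip in TUNNEL_ROUTE[router]
    if not in_tunnel:
        return "physical interface, no GRE, no IPSec"
    if acl_permits(router, src, dst):
        return "GRE, payload protected by ESP"      # matched the security ACL
    return "GRE only, payload in clear"             # tunneled but not selected


def acls_mirrored(acls=ACL_3101, a="Router1", b="Router2"):
    """Phase-2 negotiation succeeds only when every rule on one side is the
    reverse (src/dst swapped) of a rule on the other side."""
    mirror = {(d, dw, s, sw) for s, sw, d, dw in acls[b]}
    return set(acls[a]) == mirror


if __name__ == "__main__":
    for src, dst in [("10.1.1.5", "10.1.2.5"), ("10.2.1.1", "224.0.0.5"),
                     ("192.168.0.1", "10.1.2.5"), ("10.1.1.5", "8.8.8.8")]:
        print(f"Router1 {src} -> {dst}: {classify('Router1', src, dst)}")
    print("ACLs mirrored:", acls_mirrored())
```

The third case shows that the ACL matches on source as well as destination: a packet from an address outside 10.1.1.0/24 still enters the tunnel via the static route but is not encrypted.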

Configuration Files

  • Router1 configuration file

    #
     sysname Router1
    #
    acl number 3101
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
    #
    ike peer spub
     undo version 2
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     ike-proposal 5
     remote-address 10.2.1.2
    #
    ipsec policy map1 10 isakmp
     security acl 3101
     ike-peer spub
     proposal tran1
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.1.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    interface Tunnel0/0/0
     ip address 10.2.1.1 255.255.255.0
     tunnel-protocol gre
     source 1.1.1.1
     destination 2.1.1.1
     ipsec policy map1
    #
    ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
    ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/0
    #
    return
    
  • Router2 configuration file

    #
     sysname Router2
    #
    acl number 3101
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
    #
    ike peer spua
     undo version 2
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
     ike-proposal 5
     remote-address 10.2.1.1
    #
    ipsec policy use1 10 isakmp
     security acl 3101
     ike-peer spua
     proposal tran1
    #
    interface GigabitEthernet1/0/0
     ip address 2.1.1.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    interface Tunnel0/0/0
     ip address 10.2.1.2 255.255.255.0
     tunnel-protocol gre
     source 2.1.1.1
     destination 1.1.1.1
     ipsec policy use1
    #
    ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
    ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/0
    #
    return
    
Updated: 2019-04-12

Document ID: EDOC1100041799