
CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring an IPSec Policy

Context

An IPSec policy defines the IPSec proposals used to protect data flows of different types, and is the prerequisite for creating an SA. An IPSec policy binds an ACL to an IPSec proposal, and specifies the SA negotiation mode, source and destination of the IPSec tunnel, key, and SA lifetime.

An IPSec policy is identified by its name and sequence number, and multiple IPSec policies with the same IPSec policy name constitute an IPSec policy group. An IPSec policy can be established manually, in ISAKMP mode, or using an IPSec policy template. For IPSec policies that are established in ISAKMP mode and using an IPSec policy template, parameters are generated through IKE negotiation.

Select an IPSec policy establishment mode as needed:

NOTE:
  • When a GRE over IPSec tunnel is established using an ACL, only an IPSec policy in ISAKMP mode can be configured on the gateways at both ends.

Configuring an IPSec Policy in Manual Mode

Context

All security parameters of an IPSec policy configured in manual mode must be set by hand. Because the configuration workload is heavy, this mode suits small-scale networks.

When configuring an IPSec policy in manual mode, ensure that:
  • The parameters of the inbound and outbound SAs, including the authentication/encryption keys and security parameter indexes (SPIs), are configured on both IPSec peers.
  • The inbound SA's parameters on the local end are the same as the outbound SA's parameters on the remote end, and the outbound SA's parameters on the local end are the same as the inbound SA's parameters on the remote end.

After an IPSec policy group is applied to an interface, to add or delete an IPSec policy in the IPSec policy group or modify parameters of the IPSec policy, unbind the IPSec policy group from the interface and then apply the IPSec policy group to the interface again so that IPSec policies in the IPSec policy group take effect.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec policy policy-name seq-number manual

    An IPSec policy is created in manual mode and the IPSec policy view is displayed.

    By default, no IPSec policy is created.

  3. Run security acl acl-number

    An ACL is referenced in the IPSec policy.

    By default, an IPSec policy does not reference an ACL.

    acl-number is an advanced ACL that has been created.

    An IPSec policy can reference only one ACL. Before referencing a new ACL, you must delete the original ACL that has been referenced.

  4. Run proposal proposal-name

    An IPSec proposal is referenced in the IPSec policy.

    By default, an IPSec policy does not reference an IPSec proposal.

    proposal-name is an IPSec proposal that has been created.

    One IPSec policy can reference only one IPSec proposal. Before referencing a new IPSec proposal, you must delete the original IPSec proposal that has been referenced.

  5. Configure the local and remote IP addresses of an IPSec tunnel.

    1. Run tunnel local ip-address

      A local IP address is configured.

    2. Run tunnel remote ip-address

      A remote IP address is configured.

    By default, the local and remote IP addresses of an IPSec tunnel are not configured.

    The remote IP address at the local end must be the same as the local IP address at the remote end.

  6. Configure the SPI for the inbound or outbound SA.

    1. Run sa spi outbound { ah | esp } spi-number

      An SPI is configured for the outbound SA.

    2. Run sa spi inbound { ah | esp } spi-number

      An SPI is configured for the inbound SA.

    The security protocol must be the same as that specified in the transform command in Configuring an IPSec Proposal. If the security protocol specified in the transform command is ah-esp, both ah and esp must be specified in the sa spi command.

    To keep each SA unique, the inbound and outbound SAs must use different SPIs.

  7. Configure authentication and encryption keys for the inbound or outbound SA.

    NOTE:
    • The security protocol specified in authentication and encryption key configuration commands must be the same as that specified in the transform command in Configuring an IPSec Proposal. If the security protocol specified in the transform command is ah-esp, both ah and esp authentication and encryption keys must be specified.
    • The two ends of an IPSec tunnel must use the authentication keys in the same format. For example, if the key on one end is a character string but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be established.

    • If simple is specified, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you specify cipher to save the password in cipher text.

    • If an inbound authentication key is configured both as a character string and in hexadecimal notation, the key configured later overwrites the earlier one.

    If AH is used, configure an authentication key.

    • Run sa string-key { inbound | outbound } ah { simple | cipher } string-key

      An authentication key in a character string is configured for AH.

    • Run sa authentication-hex { inbound | outbound } ah { simple | cipher } hex-string

      An authentication key in hexadecimal notation is configured for AH.

    If ESP is used, configure an authentication key.

    • Run sa string-key { inbound | outbound } esp { simple | cipher } string-key

      An authentication key in a character string is configured for ESP.

      NOTE:

      When ESP is used and the authentication key in a character string is used, the device automatically generates the encryption key of ESP. You do not need to configure the encryption key of ESP.

    If ESP is used, configure authentication and encryption keys.

    1. (Optional) Run sa authentication-hex { inbound | outbound } esp { simple | cipher } hex-string

      An authentication key in hexadecimal notation is configured for ESP.

    2. (Optional) Run sa encryption-hex { inbound | outbound } esp { simple | cipher } hex-string

      An encryption key in hexadecimal notation is configured for ESP.

    You must run at least one of the preceding commands.
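The symmetry rules above (mirrored tunnel addresses, the inbound SA on one end equal to the outbound SA on the other, distinct SPIs per direction, keys in the same format) are easy to get wrong when two configurations are typed by hand. The following Python script is an added example, not code from the Huawei guide: it derives the remote peer's manual-mode policy from the local one, renders each as the CLI lines of this procedure, and flags the mismatches a practitioner would check before applying the policy group. The policy name map1, ACL 3001, proposal prop1, the addresses, SPIs and keys are constructed values.

```python
# Added example, not Huawei's code: mirror a manual-mode IPSec policy for the
# remote peer and check the symmetry rules of the manual-mode procedure.
# All names, addresses, SPIs and keys below are constructed values.
from dataclasses import dataclass, replace


@dataclass
class ManualSa:
    """Key material for one SA direction and one security protocol."""
    protocol: str            # "ah" or "esp"
    spi: int                 # security parameter index
    key_format: str          # "string-key", "authentication-hex" or "encryption-hex"
    key: str                 # key value as typed on the CLI
    key_display: str = "cipher"  # "simple" stores the key in plain text; "cipher" is recommended


@dataclass
class ManualPolicy:
    name: str
    seq: int
    acl: int                 # advanced ACL number; its rules must be mirrored on the peer by hand
    proposal: str
    local_ip: str
    remote_ip: str
    inbound: list            # ManualSa entries for the inbound SA
    outbound: list           # ManualSa entries for the outbound SA


def mirror_for_peer(policy, peer_name=None):
    """Derive the remote end's policy: addresses swap, and what is inbound
    here becomes outbound there (and vice versa)."""
    return ManualPolicy(
        name=peer_name or policy.name, seq=policy.seq, acl=policy.acl,
        proposal=policy.proposal,
        local_ip=policy.remote_ip, remote_ip=policy.local_ip,
        inbound=[replace(sa) for sa in policy.outbound],
        outbound=[replace(sa) for sa in policy.inbound],
    )


def _sa_view(sas):
    """Comparable view of an SA list: simple/cipher is a local storage choice,
    but protocol, SPI, key format and key must agree between the peers."""
    return {(sa.protocol, sa.spi, sa.key_format, sa.key) for sa in sas}


def check_pair(local, remote):
    """Return the rule violations between two manual-mode peers (empty list = OK)."""
    problems = []
    if local.remote_ip != remote.local_ip or local.local_ip != remote.remote_ip:
        problems.append("tunnel local/remote addresses are not mirrored between the ends")
    for end in (local, remote):
        tag = f"{end.name}:{end.seq}"
        if {sa.spi for sa in end.inbound} & {sa.spi for sa in end.outbound}:
            problems.append(f"{tag}: inbound and outbound SAs share an SPI")
        for sa in end.inbound + end.outbound:
            if sa.key_display == "simple":
                problems.append(f"{tag}: {sa.protocol} key stored in plain text (simple)")
    if _sa_view(local.inbound) != _sa_view(remote.outbound):
        problems.append("local inbound SA does not match remote outbound SA")
    if _sa_view(local.outbound) != _sa_view(remote.inbound):
        problems.append("local outbound SA does not match remote inbound SA")
    return problems


def to_cli(policy):
    """Render the policy as the CLI lines from the manual-mode procedure."""
    lines = [
        f"ipsec policy {policy.name} {policy.seq} manual",
        f" security acl {policy.acl}",
        f" proposal {policy.proposal}",
        f" tunnel local {policy.local_ip}",
        f" tunnel remote {policy.remote_ip}",
    ]
    for direction, sas in (("outbound", policy.outbound), ("inbound", policy.inbound)):
        spi_done = set()
        for sa in sas:
            if sa.protocol not in spi_done:      # one SPI per protocol and direction
                lines.append(f" sa spi {direction} {sa.protocol} {sa.spi}")
                spi_done.add(sa.protocol)
            lines.append(f" sa {sa.key_format} {direction} {sa.protocol} {sa.key_display} {sa.key}")
    return lines


# Constructed headquarters-side policy: ESP with character-string keys, so the
# device derives the ESP encryption key itself (see the NOTE in step 7).
HQ = ManualPolicy("map1", 10, 3001, "prop1", "1.1.1.1", "2.2.2.2",
                  inbound=[ManualSa("esp", 12345, "string-key", "hq-in-key")],
                  outbound=[ManualSa("esp", 54321, "string-key", "hq-out-key")])

if __name__ == "__main__":
    branch = mirror_for_peer(HQ)
    print("\n".join(to_cli(branch)))
    print("problems:", check_pair(HQ, branch) or "none")
```

`check_pair` returns an empty list when the two ends agree. The script carries the ACL number over unchanged; the ACL's own source and destination rules still have to be mirrored on the peer by hand, which the script cannot verify.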

Configuring an IPSec Policy in ISAKMP Mode

Context

An IPSec policy configured in Internet Security Association and Key Management Protocol (ISAKMP) mode applies to a scenario where the remote IP address is fixed, and is often used in branch configuration.

Negotiated IPSec parameters of an IPSec policy are defined in the IPSec policy view, and the negotiation initiator and responder must use the same IPSec parameters. The end that has an ISAKMP IPSec policy configured can initiate IKE negotiation.

After an IPSec policy group to which an IPSec policy belongs is applied to an interface, the following situations occur:
  • To modify the IPSec proposal parameters, unbind the IPSec policy group from the interface and then apply the IPSec policy group to the interface again.
  • If other parameters are modified, these parameters will take effect during the next negotiation and are invalid for the tunnels that have been established through negotiation.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec policy policy-name seq-number isakmp

    An IPSec policy is created in ISAKMP mode and the IPSec policy view is displayed.

    By default, no IPSec policy is created.

  3. (Optional) Run alias alias

    The alias of the IPSec policy is specified.

    By default, the system uses the combination of the name and sequence number of an IPSec policy as the alias. If the default alias has been used by another IPSec policy, the system uses the combination of the name, sequence number, and current time of an IPSec policy as the alias.

  4. Run security acl acl-number [ dynamic-source ]

    An ACL is referenced in the IPSec policy.

    By default, an IPSec policy does not reference an ACL.

    acl-number is an advanced ACL that has been created.

    An IPSec policy can reference only one ACL. Before referencing a new ACL, you must delete the original ACL that has been referenced.

  5. Run proposal proposal-name

    An IPSec proposal is referenced in the IPSec policy.

    By default, an IPSec policy does not reference an IPSec proposal.

    proposal-name specifies a created IPSec proposal.

    An IPSec policy configured in ISAKMP mode can reference a maximum of 12 IPSec proposals. During IKE negotiation, the two ends of an IPSec tunnel first use the IPSec proposals with the same parameter settings. If IPSec proposals with the same parameter settings cannot be found, an SA cannot be set up.

    NOTE:

    When referencing multiple IPSec proposals in an IPSec policy, ensure that the encapsulation modes of all IPSec proposals referenced by the IPSec policy at both ends are the same. That is, the encapsulation modes are all transport or tunnel modes.

  6. Run ike-peer peer-name

    An IKE peer is referenced in the IPSec policy.

    By default, an IPSec policy does not reference an IKE peer.

    peer-name specifies a created IKE peer. For the detailed configuration of an IKE peer, see Configuring an IKE Peer.

    IPSec policies with different sequence numbers in the same IPSec policy group cannot reference IKE peers with the same IP address.

  7. (Optional) Run tunnel local { ipv4-address | applied-interface }

    A local IP address of an IPSec tunnel is configured.

    By default, the local IP address of an IPSec tunnel is not configured.

    For the IKE negotiation mode, you do not need to configure an IP address for the local end of an IPSec tunnel. During SA negotiation, the device will select a proper address based on route information. The local address needs to be configured in the following situations:
    • If the IP address of the interface to which an IPSec policy is applied varies or is unknown, run the tunnel local ipv4-address command to specify the IP address of another interface (such as the loopback interface) on the device as the IP address for the local end of an IPSec tunnel. Otherwise, run the tunnel local applied-interface command to specify the IP address of the interface to which an IPSec policy is applied as the local address of an IPSec tunnel.
    • If the interface to which an IPSec policy is applied has multiple IP addresses (one primary IP address and several secondary IP addresses), run the tunnel local ipv4-address command to specify one of these IP addresses as the IP address for the local end of an IPSec tunnel. Otherwise, run the tunnel local applied-interface command to specify the primary IP address of the interface as the local address of an IPSec tunnel.
    • If equal-cost routes exist between the local and remote ends, run the tunnel local command to specify a local IP address for an IPSec tunnel.
    NOTE:
    • If an IPSec policy is created in IKE negotiation mode, the address configured by tunnel local on the local end must be the same as the remote-address (IKE peer view) of the IKE peer referenced on the remote end.

    • You do not need to specify tunnel local (local address) for the IKE peer referenced in an IPSec profile, because the local address is the source address of the GRE, mGRE or IPSec virtual tunnel interface. For the IKE peer referenced in an IPSec profile, tunnel local does not take effect.

    • When applying an IPSec policy to a tunnel interface and running the source command to specify an IP address for the interface, you must run the tunnel local command to configure a tunnel local address. Otherwise, IKE negotiation will fail.

    • In an IPSec hot standby scenario, tunnel local must be set to a virtual IP address.

  8. (Optional) Run tunnel remote { applied-interface | interface interface-type interface-number }

    An outbound interface on the IPSec tunnel for IKE negotiation packets is configured.

    By default, no outbound interface is configured on the IPSec tunnel for IKE negotiation packets.

    When there are multiple outbound interfaces, the device determines the outbound interface for IKE negotiation packets based on routes. If the outbound interface for IKE negotiation packets differs from that for IPSec service packets, IKE negotiation may fail. In this case, perform this step to specify a correct outbound interface.

  9. (Optional) Run sa trigger-mode { auto | traffic-based }

    An IPSec tunnel trigger mode is configured.

    By default, the IPSec tunnel trigger mode is auto.

  10. (Optional) Run pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 | dh-group21 }

    The device is configured to use perfect forward secrecy (PFS) when the local end initiates negotiation.

    By default, PFS is not used when the local end initiates negotiation.

    When the local end initiates negotiation, there is an additional Diffie-Hellman (DH) exchange in IKEv1 phase 2 or IKEv2 CREATE_CHILD_SA exchange. The additional DH exchange ensures security of the IPSec SA key and improves communication security.

    If PFS is specified on the local end, you also need to specify PFS on the remote end. The DH group specified on the two ends must be the same; otherwise, negotiation fails. When an IPSec policy in ISAKMP mode is used on the local end while an IPSec policy configured using an IPSec policy template is used on the remote end, no DH group needs to be configured on the remote end. The DH group on the responder is used for negotiation.

  11. (Optional) Run respond-only enable

    The local end is configured not to initiate negotiation.

    By default, if the local end establishes an IPSec tunnel based on the IPSec policy configured in ISAKMP mode, the local end initiates an IPSec negotiation.

    If two IPSec peers establish an IPSec tunnel based on IPSec policies configured in ISAKMP mode, both ends can initiate negotiation. You can configure one end as the responder that does not initiate negotiation, which helps you check packet processing and locate IPSec faults.

  12. (Optional) Run policy enable

    The IPSec policy is enabled.

    By default, IPSec policies in an IPSec policy group are enabled.

Configuring an IPSec Policy Using an IPSec Policy Template

Context

When an IPSec policy template is used to configure IPSec policies, the configuration workload for establishing multiple IPSec tunnels can be reduced. This IPSec policy configuration mode is often used in the headquarters in scenarios where the remote IP address is not fixed (for example, the remote end obtains an IP address through PPPoE) or there are multiple remote devices.

When an IPSec tunnel is set up using an IPSec policy through an IPSec policy template, the initiator determines optional parameters, and the responder accepts the parameters delivered by the initiator. The end that has an IPSec policy configured using an IPSec policy template can only function as the responder to receive negotiation requests.

When using an IPSec policy template to configure an IPSec policy, note the following points:

  • If one end (responder) of an IPSec tunnel has an IPSec policy configured using an IPSec policy template, the other end (initiator) must have an IPSec policy configured in ISAKMP mode.
  • In an IPSec policy template, an IPSec proposal and IKE peer must be referenced, and other parameters are optional. The initiator determines optional parameters in the IPSec policy template, and the responder accepts the parameters delivered by the initiator.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec policy-template template-name seq-number

    An IPSec policy template is created and the IPSec policy template view is displayed.

    By default, no IPSec policy template is created.

  3. (Optional) Run alias alias

    The alias name of the IPSec policy template is specified.

    By default, the system uses the combination of the name and sequence number of an IPSec policy template as the alias. If the default alias has been used by another IPSec policy template, the system uses the combination of the current time as well as the name and sequence number of an IPSec policy template as the alias.

  4. (Optional) Run security acl acl-number

    An ACL is referenced in the IPSec policy.

    By default, an IPSec policy does not reference an ACL.

    acl-number is an advanced ACL that has been created.

    One IPSec policy template can reference only one ACL. Before referencing a new ACL, you must delete the ACL that has been referenced.

    If data flows to be protected are not specified, the responder accepts the range of data flows to be protected on the initiator. If data flows to be protected are specified, the ACL on the responder must mirror the ACL on the initiator or the range specified by the ACL on the responder must cover the range specified by the ACL on the initiator.

  5. Run proposal proposal-name

    An IPSec proposal is referenced in the IPSec policy template.

    By default, an IPSec policy template does not reference an IPSec proposal.

    proposal-name is an IPSec proposal that has been created.

    An IPSec policy template can reference a maximum of 12 IPSec proposals. During IKE negotiation, the two ends of an IPSec tunnel first use the IPSec proposals with the same parameter settings. If IPSec proposals with the same parameter settings cannot be found, an SA cannot be set up.

    NOTE:

    When referencing multiple IPSec proposals in an IPSec policy template, ensure that the encapsulation mode of IPSec proposals referenced by the IPSec policy template at one end are the same as the encapsulation mode of IPSec proposals referenced by the IPSec policy at the other end. That is, the encapsulation mode at both ends must be transport or tunnel.

  6. Run ike-peer peer-name

    An IKE peer is referenced in the IPSec policy template.

    By default, an IPSec policy template does not reference an IKE peer.

    peer-name is an IKE peer that has been created.

  7. (Optional) Run tunnel local ipv4-address

    A local IP address of an IPSec tunnel is configured.

    By default, the local IP address of an IPSec tunnel is not configured.

    NOTE:
    • If an IPSec policy is created in IKE negotiation mode, the address configured by tunnel local on the local end must be the same as the remote-address (IKE peer view) of the IKE peer referenced on the remote end.

    • You do not need to specify tunnel local (local address) for the IKE peer referenced in an IPSec profile, because the local address is the source address of the GRE, mGRE or IPSec virtual tunnel interface. For the IKE peer referenced in an IPSec profile, tunnel local does not take effect.

    • When applying an IPSec policy to a tunnel interface and running the source command to specify an IP address for the interface, you must run the tunnel local command to configure a tunnel local address. Otherwise, IKE negotiation will fail.

    • In an IPSec hot standby scenario, tunnel local must be set to a virtual IP address.

  8. (Optional) Run tunnel remote { applied-interface | interface interface-type interface-number }

    An outbound interface on the IPSec tunnel for IKE negotiation packets is configured.

    By default, no outbound interface is configured on the IPSec tunnel for IKE negotiation packets.

    When there are multiple outbound interfaces, the device determines the outbound interface for IKE negotiation packets based on routes. If the outbound interface for IKE negotiation packets differs from that for IPSec service packets, IKE negotiation may fail. In this case, perform this step to specify a correct outbound interface.

  9. (Optional) Run match ike-identity identity-name

    The identity filter set is referenced.

    By default, an IPSec policy template does not reference an identity filter set.

    identity-name is an identity filter set that has been created. For details on how to configure an identity filter set, see (Optional) Configuring an Identity Filter Set.

    NOTE:

    When an IPSec policy template references the identity filter set, the allowed IKE peer can be specified at the local end. An IPSec tunnel can be established successfully only when the remote end matches one or more access conditions in the identity filter set and IPSec parameters at both ends match.

  10. (Optional) Run pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 | dh-group21 }

    The device is configured to use perfect forward secrecy (PFS) when the local end initiates negotiation.

    By default, PFS is not used when the local end initiates negotiation.

    When the local end initiates negotiation, there is an additional Diffie-Hellman (DH) exchange in IKEv1 phase 2 or IKEv2 CREATE_CHILD_SA exchange. The additional DH exchange ensures security of the IPSec SA key and improves communication security.

    If PFS is specified on the local end, you also need to specify PFS on the remote end. The DH group specified on the two ends must be the same; otherwise, negotiation fails. When an IPSec policy in ISAKMP mode is used on the local end while an IPSec policy configured using an IPSec policy template is used on the remote end, no DH group needs to be configured on the remote end. The DH group on the responder is used for negotiation.

  11. (Optional) Run policy enable

    The IPSec policy is enabled.

    By default, IPSec policies in an IPSec policy group are enabled.

  12. Run quit

    Return to the system view.

  13. Run ipsec policy policy-name seq-number isakmp template template-name

    An IPSec policy template is referenced in the IPSec policy.

    The referenced IPSec policy template name template-name must be different from the IPSec policy name policy-name.

    Only one IPSec policy in an IPSec policy group can reference a policy template, and the sequence number of this policy must be larger than that of the other policies in the group. If the IPSec policy created using the policy template does not have the lowest priority (the largest sequence number), the other IPSec policies in the same IPSec policy group do not take effect.
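The constraints stated for ISAKMP policies (steps 4 to 6 of the ISAKMP procedure: an ACL, at most 12 proposals, an IKE peer, and no two policies in one group referencing IKE peers with the same IP address) and for template-based policies (steps 5, 6 and 13 of this procedure: the template references a proposal and an IKE peer, the template name differs from the policy name, and only one template-based policy per group, carrying the largest sequence number) can be checked offline before a policy group is applied to an interface. The following Python checker is an added example, not Huawei's tooling: it parses a constructed configuration excerpt written in the command forms shown in the procedures and reports each rule it finds broken. The names map1, tpl1, branch1, branch2 and any-peer, the ACL numbers and the addresses are invented.

```python
# Added example, not Huawei's tooling: policy-group checks for the rules in the
# ISAKMP and template procedures; names and addresses below are constructed.
from collections import defaultdict


def parse_config(text):
    """VRP-style excerpt -> (IKE peers, policy templates, policies); an unindented
    line opens a view and indented lines belong to it."""
    peers, templates, policies = {}, {}, []
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        words = raw.split()
        if not raw.startswith(" "):
            current = None  # views this checker does not model stay None
            if words[:2] == ["ike", "peer"]:
                current = peers.setdefault(words[2], {"remote": None})
            elif words[:2] == ["ipsec", "policy-template"]:
                current = templates.setdefault(words[2], {"proposals": [], "ike_peer": None})
            elif words[:2] == ["ipsec", "policy"]:
                tpl = words[6] if len(words) > 6 and words[5] == "template" else None
                current = {"name": words[2], "seq": int(words[3]), "mode": words[4],
                           "template": tpl, "acl": None, "proposals": [], "ike_peer": None}
                policies.append(current)
            continue
        if current is None:
            continue
        if words[0] == "remote-address" and "remote" in current:
            current["remote"] = words[1]
        elif words[0] == "proposal" and "proposals" in current:
            current["proposals"].append(words[1])
        elif words[0] == "ike-peer" and "ike_peer" in current:
            current["ike_peer"] = words[1]
        elif words[:2] == ["security", "acl"] and "acl" in current:
            current["acl"] = int(words[2])
    return peers, templates, policies


def check_policy_group(text):
    """Return a list of findings; an empty list means every rule is satisfied."""
    peers, templates, policies = parse_config(text)
    findings, groups = [], defaultdict(list)
    for p in policies:
        groups[p["name"]].append(p)
    for name, members in groups.items():
        seen_remote = {}  # IKE peer remote-address -> seq of the policy using it
        template_members = [p for p in members if p["template"]]
        for p in members:
            tag = f"{name}:{p['seq']}"
            if p["template"]:
                if p["template"] == name:
                    findings.append(f"{tag}: template name must differ from the policy name")
                continue
            if p["mode"] != "isakmp":
                continue  # manual-mode policies follow the earlier procedure
            for field, what in (("acl", "security acl"), ("proposals", "IPSec proposal"), ("ike_peer", "IKE peer")):
                if not p[field]:
                    findings.append(f"{tag}: no {what} referenced")
            if len(p["proposals"]) > 12:  # limit stated in the procedure
                findings.append(f"{tag}: more than 12 IPSec proposals")
            remote = peers.get(p["ike_peer"], {}).get("remote")
            if remote in seen_remote and seen_remote[remote] != p["seq"]:
                findings.append(f"{tag}: IKE peer address {remote} already used by {name}:{seen_remote[remote]}")
            elif remote:
                seen_remote[remote] = p["seq"]
        if len(template_members) > 1:
            findings.append(f"{name}: only one policy in the group may reference a template")
        for p in template_members:
            others = [q["seq"] for q in members if q is not p]
            if others and p["seq"] <= max(others):
                findings.append(f"{name}:{p['seq']}: template policy must have the largest sequence number")
    for tname, t in templates.items():
        if not t["proposals"] or t["ike_peer"] is None:
            findings.append(f"policy-template {tname}: must reference an IPSec proposal and an IKE peer")
    return findings


# Constructed excerpt with two violations: branch2 repeats branch1's remote
# address, and the template-based policy has the smallest sequence number.
BAD_CONFIG = """\
ike peer branch1
 remote-address 2.2.2.2
ike peer branch2
 remote-address 2.2.2.2
ipsec policy-template tpl1 1
 proposal prop1
 ike-peer any-peer
ipsec policy map1 10 isakmp
 security acl 3001
 proposal prop1
 ike-peer branch1
ipsec policy map1 20 isakmp
 security acl 3002
 proposal prop1
 ike-peer branch2
ipsec policy map1 5 isakmp template tpl1
"""

# The same group with both problems corrected.
GOOD_CONFIG = BAD_CONFIG.replace(" remote-address 2.2.2.2\nipsec", " remote-address 3.3.3.3\nipsec").replace(
    "map1 5 isakmp template", "map1 30 isakmp template")
```

`check_policy_group(BAD_CONFIG)` reports the duplicated IKE peer address on map1:20 and the template-based policy's sequence number; `check_policy_group(GOOD_CONFIG)` returns an empty list. The parser only models the views the procedures mention, so a real `display current-configuration` excerpt with additional views is simply skipped rather than misread.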

Updated: 2019-04-12

Document ID: EDOC1100041799