CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Establishing an IPSec Tunnel Using a Tunnel Interface

Networking Requirements

As shown in Figure 4-47, RouterA (branch gateway) and RouterB (headquarters gateway) communicate through the Internet. The branch subnet is 10.1.1.0/24 and the headquarters subnet is 10.1.2.0/24.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the branch gateway and the headquarters gateway communicate over the Internet, an IPSec tunnel can be set up between them. There are many branch subnets, and many data flows need to be protected by IPSec, so a tunnel interface is used to create the IPSec tunnel: traffic is protected simply by routing it to the tunnel interface, and no ACLs are needed to define the traffic characteristics.

Figure 4-47  Establishing an IPSec tunnel using a tunnel interface

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses and static routes for interfaces on RouterA and RouterB so that RouterA and RouterB have reachable routes to each other.

  2. Configure IPSec proposals to define the method used to protect IPSec traffic.

  3. Configure IKE peers to define IKE negotiation attributes.

  4. Configure IPSec profiles and reference IPSec proposals and IKE peers in the IPSec profiles to determine the methods used to protect data flows.

  5. Apply IPSec profiles to IPSec tunnel interfaces.

  6. Configure static routes that point to the IPSec tunnel interfaces, so that the data flows to be protected by IPSec are directed into the tunnel interfaces.

Procedure

  1. Configure IP addresses and static routes for interfaces on RouterA and RouterB.

    # Assign an IP address to an interface on RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0 
    [RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the peer on RouterA. This example assumes that the next hop address in the route to RouterB is 1.1.1.12.

    [RouterA] ip route-static 2.1.1.0 255.255.255.0 1.1.1.12

    # Assign an IP address to an interface on RouterB.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 1/0/0 
    [RouterB-GigabitEthernet1/0/0] ip address 2.1.1.1 255.255.255.0
    [RouterB-GigabitEthernet1/0/0] quit
    [RouterB] interface gigabitethernet 2/0/0
    [RouterB-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet2/0/0] quit

    # Configure a static route to the peer on RouterB. This example assumes that the next hop address in the route to RouterA is 2.1.1.2.

    [RouterB] ip route-static 1.1.1.0 255.255.255.0 2.1.1.2

  2. Create IPSec proposals on RouterA and RouterB.

    # Create an IPSec proposal on RouterA.

    [RouterA] ipsec proposal tran1
    [RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterA-ipsec-proposal-tran1] quit

    # Create an IPSec proposal on RouterB.

    [RouterB] ipsec proposal tran1
    [RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterB-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterB-ipsec-proposal-tran1] quit

    Run the display ipsec proposal command on RouterA and RouterB to view the IPSec proposal configuration.

  3. Configure IKE peers on RouterA and RouterB.

    # Create an IKE proposal on RouterA.

    [RouterA] ike proposal 5
    [RouterA-ike-proposal-5] authentication-algorithm sha2-256
    [RouterA-ike-proposal-5] encryption-algorithm aes-128
    [RouterA-ike-proposal-5] dh group14
    [RouterA-ike-proposal-5] quit

    # Configure an IKE peer on RouterA.

    [RouterA] ike peer spub
    [RouterA-ike-peer-spub] undo version 2
    [RouterA-ike-peer-spub] ike-proposal 5
    [RouterA-ike-peer-spub] pre-shared-key cipher Huawei@1234
    [RouterA-ike-peer-spub] quit

    # Create an IKE proposal on RouterB.

    [RouterB] ike proposal 5
    [RouterB-ike-proposal-5] authentication-algorithm sha2-256
    [RouterB-ike-proposal-5] encryption-algorithm aes-128
    [RouterB-ike-proposal-5] dh group14
    [RouterB-ike-proposal-5] quit

    # Configure an IKE peer on RouterB.

    [RouterB] ike peer spua
    [RouterB-ike-peer-spua] undo version 2
    [RouterB-ike-peer-spua] ike-proposal 5
    [RouterB-ike-peer-spua] pre-shared-key cipher Huawei@1234
    [RouterB-ike-peer-spua] quit

  4. Create IPSec profiles on RouterA and RouterB.

    # Create an IPSec profile on RouterA.

    [RouterA] ipsec profile profile1
    [RouterA-ipsec-profile-profile1] proposal tran1
    [RouterA-ipsec-profile-profile1] ike-peer spub
    [RouterA-ipsec-profile-profile1] quit

    # Create an IPSec profile on RouterB.

    [RouterB] ipsec profile profile1
    [RouterB-ipsec-profile-profile1] proposal tran1
    [RouterB-ipsec-profile-profile1] ike-peer spua
    [RouterB-ipsec-profile-profile1] quit

  5. Apply the IPSec profiles to IPSec tunnel interfaces on RouterA and RouterB.

    # Apply the IPSec profile to the interface of RouterA.

    [RouterA] interface tunnel 0/0/0
    [RouterA-Tunnel0/0/0] ip address 192.168.1.1 255.255.255.0
    [RouterA-Tunnel0/0/0] tunnel-protocol ipsec
    [RouterA-Tunnel0/0/0] source 1.1.1.1
    [RouterA-Tunnel0/0/0] destination 2.1.1.1
    [RouterA-Tunnel0/0/0] ipsec profile profile1
    [RouterA-Tunnel0/0/0] quit 

    # Apply the IPSec profile to the tunnel interface of RouterB.

    [RouterB] interface tunnel 0/0/0
    [RouterB-Tunnel0/0/0] ip address 192.168.1.2 255.255.255.0
    [RouterB-Tunnel0/0/0] tunnel-protocol ipsec
    [RouterB-Tunnel0/0/0] source 2.1.1.1
    [RouterB-Tunnel0/0/0] destination 1.1.1.1
    [RouterB-Tunnel0/0/0] ipsec profile profile1
    [RouterB-Tunnel0/0/0] quit 

    Run the display ipsec profile command on RouterA and RouterB to view the IPSec profile configuration.

  6. Configure static routes that point to the IPSec tunnel interfaces, so that the data flows to be protected by IPSec are directed into the tunnel interfaces.

    # Configure a static route on the tunnel interface of RouterA.

    [RouterA] ip route-static 10.1.2.0 255.255.255.0 tunnel 0/0/0 

    # Configure a static route on the tunnel interface of RouterB.

    [RouterB] ip route-static 10.1.1.0 255.255.255.0 tunnel 0/0/0 

  7. Verify the configuration.

    # After the configurations are complete, run the display ike sa command on RouterA and RouterB to view the IKE SA configuration. The display on RouterA is used as an example.

    [RouterA] display ike sa
    IKE SA information :
       Conn-ID   Peer                VPN   Flag(s)   Phase   RemoteType  RemoteID
      --------------------------------------------------------------------------------
       16        2.1.1.1:500               RD|ST     v1:2    IP          2.1.1.1
       14        2.1.1.1:500               RD|ST     v1:1    IP          2.1.1.1
                                                   
       Number of IKE SA : 2
      --------------------------------------------------------------------------------
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer spub
     undo version 2
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     ike-proposal 5
    #
    ipsec profile profile1
     ike-peer spub
     proposal tran1
    #
    interface Tunnel0/0/0
     ip address 192.168.1.1 255.255.255.0
     tunnel-protocol ipsec
     source 1.1.1.1
     destination 2.1.1.1
     ipsec profile profile1
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.1.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    ip route-static 2.1.1.0 255.255.255.0 1.1.1.12
    ip route-static 10.1.2.0 255.255.255.0 tunnel0/0/0
    #
    return
    
  • Configuration file of RouterB

    #
     sysname RouterB
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer spua
     undo version 2
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
     ike-proposal 5
    #
    ipsec profile profile1
     ike-peer spua
     proposal tran1
    #
    interface Tunnel0/0/0
     ip address 192.168.1.2 255.255.255.0
     tunnel-protocol ipsec
     source 2.1.1.1
     destination 1.1.1.1
     ipsec profile profile1
    #
    interface GigabitEthernet1/0/0
     ip address 2.1.1.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
    ip route-static 10.1.1.0 255.255.255.0 tunnel0/0/0
    #
    return
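To check that the two configuration files above are mirror images before they are committed, here is an added Python example (not Huawei code and not part of this guide) that parses constructed, trimmed copies of the RouterA and RouterB files and flags mismatched tunnel endpoints, IKE proposal parameters that differ between the two ends, and static routes whose destination is not a network address. The `interface Tunnel0/0/0` block name and the `#` block separators are taken from the configuration files as shown on this page.

```python
import ipaddress
import re

# Added example, not Huawei code. Constructed, trimmed copies of the RouterA/RouterB files above:
ROUTER_A = """ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
#
interface Tunnel0/0/0
 source 1.1.1.1
 destination 2.1.1.1
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.12
ip route-static 10.1.2.0 255.255.255.0 tunnel0/0/0"""
ROUTER_B = """ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
#
interface Tunnel0/0/0
 source 2.1.1.1
 destination 1.1.1.1
#
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
ip route-static 10.1.1.0 255.255.255.0 tunnel0/0/0"""

def parse(cfg):
    """Map each '#'-delimited block to its indented lines, keyed by the block's header line."""
    blocks = [[ln.strip() for ln in c.splitlines() if ln.strip()]
              for c in re.split(r"^#\s*$", cfg, flags=re.M)]
    return {b[0]: b[1:] for b in blocks if b}

def check_pair(cfg_a, cfg_b):
    """Return findings for the pair; an empty list means the two ends are consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    ta, tb = a.get("interface Tunnel0/0/0", []), b.get("interface Tunnel0/0/0", [])
    val = lambda lines, key: next((ln.split()[1] for ln in lines if ln.startswith(key + " ")), None)
    findings = []
    if val(ta, "source") != val(tb, "destination") or val(ta, "destination") != val(tb, "source"):
        findings.append("tunnel source/destination are not mirror images")  # IKE never starts
    for name in (n for n in a if n.startswith("ike proposal")):
        if sorted(a[name]) != sorted(b.get(name, [])):
            findings.append(f"{name} differs between the two ends")  # IKE negotiation fails
    for label, cfg in (("RouterA", cfg_a), ("RouterB", cfg_b)):
        for dest, mask in re.findall(r"^ip route-static (\S+) (\S+) \S+", cfg, re.M):
            net = ipaddress.IPv4Network((dest, mask), strict=False)  # destination must be the network address
            if str(net.network_address) != dest:
                findings.append(f"{label}: route {dest} {mask} should be {net.network_address}")
    return findings
```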
    
Updated: 2019-04-12

Document ID: EDOC1100041799
