
CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Establishing IPSec Tunnels for Branch Access to the Headquarters Using Different Pre-shared Keys

Networking Requirements

In Figure 4-39, RouterA and RouterB are the branch gateways of an enterprise, and RouterC is the gateway of the headquarters. They communicate over the Internet.

The enterprise wants to protect traffic transmitted between the branches and headquarters. To improve security, branch gateways are required to use different pre-shared keys to connect to the headquarters gateway.

IPSec tunnels can be established between the headquarters gateway and branch gateways to protect communication between the headquarters and branches over the Internet.

Figure 4-39  Establishing IPSec tunnels for branch access to the headquarters using different pre-shared keys

Configuration Roadmap

Because it is difficult to specify the IP addresses of all branch gateways on the headquarters gateway, the headquarters gateway can only respond to IPSec negotiation requests initiated by the branch gateways. Therefore, deploy a policy template on RouterC and reference it in an IPSec policy. To allow the branch gateways to connect to the headquarters using different pre-shared keys, configure an IKE user table on RouterC that allocates a pre-shared key to each branch. Each branch initiates IPSec negotiation with its allocated pre-shared key to establish an IPSec tunnel.

  1. Configure an IP address and a static route on each interface to implement communication between both ends.

  2. Configure an ACL to define the data flows to be protected by IPSec.

  3. Configure an IPSec proposal to define the traffic protection method.

  4. Configure an IKE peer and define the attributes used for IKE negotiation. The IKE user table on RouterC allocates pre-shared keys for branches.

  5. Create an IPSec policy on RouterA, RouterB, and RouterC respectively to determine protection methods used for protecting different types of data flows. On RouterC, an IPSec policy is created through a policy template.

  6. Apply the IPSec policy group to an interface so that the interface can protect traffic.

Procedure

  1. Configure an IP address and a static route for each interface on RouterA, RouterB, and RouterC to ensure that there are reachable routes among them.

    # Configure an IP address for each interface on RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ip address 60.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet0/0/1] quit
    [RouterA] interface gigabitethernet 0/0/2
    [RouterA-GigabitEthernet0/0/2] ip address 192.168.1.2 255.255.255.0
    [RouterA-GigabitEthernet0/0/2] quit
    

    # Configure a static route to the peer on RouterA. This example assumes that the next hop address in the route to the headquarters is 60.1.1.2.

    [RouterA] ip route-static 60.1.3.0 255.255.255.0 60.1.1.2
    [RouterA] ip route-static 192.168.3.0 255.255.255.0 60.1.1.2

    # Configure an IP address for each interface on RouterB.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 0/0/1 
    [RouterB-GigabitEthernet0/0/1] ip address 60.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet0/0/1] quit
    [RouterB] interface gigabitethernet 0/0/2
    [RouterB-GigabitEthernet0/0/2] ip address 192.168.2.2 255.255.255.0
    [RouterB-GigabitEthernet0/0/2] quit
    

    # Configure a static route to the peer on RouterB. This example assumes that the next hop address in the route to the headquarters is 60.1.2.2.

    [RouterB] ip route-static 60.1.3.0 255.255.255.0 60.1.2.2
    [RouterB] ip route-static 192.168.3.0 255.255.255.0 60.1.2.2

    # Configure an IP address for each interface on RouterC.

    <Huawei> system-view
    [Huawei] sysname RouterC
    [RouterC] interface gigabitethernet 0/0/1 
    [RouterC-GigabitEthernet0/0/1] ip address 60.1.3.1 255.255.255.0
    [RouterC-GigabitEthernet0/0/1] quit
    [RouterC] interface gigabitethernet 0/0/2
    [RouterC-GigabitEthernet0/0/2] ip address 192.168.3.2 255.255.255.0
    [RouterC-GigabitEthernet0/0/2] quit
    

    # Configure a static route to the peer on RouterC. This example assumes that the next hop address in the route to the branch gateways A and B is 60.1.3.2.

    [RouterC] ip route-static 0.0.0.0 0.0.0.0 60.1.3.2
    

  2. Configure an ACL on RouterA and RouterB to define the data flows to be protected.

    NOTE:

    RouterC creates an IPSec policy through the IPSec policy template; therefore, this step is optional. If you configure an ACL on RouterC, you must specify the destination address in the ACL rule.

    # Configure an ACL on RouterA to define the data flows from 192.168.1.0/24 to 192.168.3.0/24.

    [RouterA] acl number 3002
    [RouterA-acl-adv-3002] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    [RouterA-acl-adv-3002] quit

    # Configure an ACL on RouterB to define the data flows from 192.168.2.0/24 to 192.168.3.0/24.

    [RouterB] acl number 3002
    [RouterB-acl-adv-3002] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    [RouterB-acl-adv-3002] quit

  3. Create an IPSec proposal on RouterA, RouterB, and RouterC respectively.

    # Create an IPSec proposal on RouterA.

    [RouterA] ipsec proposal tran1
    [RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterA-ipsec-proposal-tran1] quit

    # Create an IPSec proposal on RouterB.

    [RouterB] ipsec proposal tran1
    [RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterB-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterB-ipsec-proposal-tran1] quit

    # Create an IPSec proposal on RouterC.

    [RouterC] ipsec proposal tran1
    [RouterC-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterC-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterC-ipsec-proposal-tran1] quit

  4. Create an IKE peer on RouterA, RouterB, and RouterC respectively.

    # Create an IKE proposal on RouterA.

    [RouterA] ike proposal 5
    [RouterA-ike-proposal-5] encryption-algorithm aes-128
    [RouterA-ike-proposal-5] authentication-algorithm sha2-256
    [RouterA-ike-proposal-5] dh group14
    [RouterA-ike-proposal-5] quit

    # Create an IKE peer on RouterA.

    [RouterA] ike peer rut1
    [RouterA-ike-peer-rut1] undo version 2
    [RouterA-ike-peer-rut1] ike-proposal 5
    [RouterA-ike-peer-rut1] pre-shared-key cipher huawei@123
    [RouterA-ike-peer-rut1] remote-address 60.1.3.1
    [RouterA-ike-peer-rut1] quit

    # Configure an IKE proposal on RouterB.

    [RouterB] ike proposal 5
    [RouterB-ike-proposal-5] encryption-algorithm aes-128
    [RouterB-ike-proposal-5] authentication-algorithm sha2-256
    [RouterB-ike-proposal-5] dh group14
    [RouterB-ike-proposal-5] quit

    # Create an IKE peer on RouterB.

    [RouterB] ike peer rut1
    [RouterB-ike-peer-rut1] undo version 2
    [RouterB-ike-peer-rut1] ike-proposal 5
    [RouterB-ike-peer-rut1] pre-shared-key cipher huawei@124
    [RouterB-ike-peer-rut1] remote-address 60.1.3.1
    [RouterB-ike-peer-rut1] quit

    # Create an IKE proposal on RouterC.

    [RouterC] ike proposal 5
    [RouterC-ike-proposal-5] encryption-algorithm aes-128
    [RouterC-ike-proposal-5] authentication-algorithm sha2-256
    [RouterC-ike-proposal-5] dh group14
    [RouterC-ike-proposal-5] quit

    # Configure an IKE user table on RouterC to allocate pre-shared keys for branches.

    NOTE:

    When IKEv1 main mode with pre-shared key authentication is used, id-type can only be set to ip, and in NAT traversal scenarios the IP address must be the post-NAT address. If a branch obtains its IP address dynamically, you must use IKEv1 aggressive mode or IKEv2, and it is advised to set id-type to fqdn.

    [RouterC] ike user-table 10
    [RouterC-ike-user-table-10] user routera
    [RouterC-ike-user-table-10-routera] id-type ip 60.1.1.1
    [RouterC-ike-user-table-10-routera] pre-shared-key huawei@123
    [RouterC-ike-user-table-10-routera] quit
    [RouterC-ike-user-table-10] user routerb
    [RouterC-ike-user-table-10-routerb] id-type ip 60.1.2.1
    [RouterC-ike-user-table-10-routerb] pre-shared-key huawei@124
    [RouterC-ike-user-table-10-routerb] quit

    # Create an IKE peer on RouterC.

    NOTE:

    As the responder to IKE negotiation requests, RouterC creates an IPSec policy through the IPSec policy template. You do not need to set remote-address.

    [RouterC] ike peer rut1
    [RouterC-ike-peer-rut1] undo version 2
    [RouterC-ike-peer-rut1] ike-proposal 5
    [RouterC-ike-peer-rut1] user-table 10
    [RouterC-ike-peer-rut1] quit

  5. Create an IPSec policy on RouterA, RouterB, and RouterC respectively. RouterC creates an IPSec policy through the IPSec policy template.

    # Create an IPSec policy on RouterA.

    [RouterA] ipsec policy policy1 10 isakmp
    [RouterA-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterA-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterA-ipsec-policy-isakmp-policy1-10] security acl 3002
    [RouterA-ipsec-policy-isakmp-policy1-10] quit

    # Create an IPSec policy on RouterB.

    [RouterB] ipsec policy policy1 10 isakmp
    [RouterB-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterB-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterB-ipsec-policy-isakmp-policy1-10] security acl 3002
    [RouterB-ipsec-policy-isakmp-policy1-10] quit

    # Create a policy template on RouterC and apply the policy template to an IPSec policy.

    [RouterC] ipsec policy-template use1 10
    [RouterC-ipsec-policy-templet-use1-10] ike-peer rut1
    [RouterC-ipsec-policy-templet-use1-10] proposal tran1
    [RouterC-ipsec-policy-templet-use1-10] quit
    [RouterC] ipsec policy policy1 10 isakmp template use1

  6. Apply an IPSec policy group to the interface of RouterA, RouterB, and RouterC.

    # Apply an IPSec policy group to an interface of RouterA.

    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterA-GigabitEthernet0/0/1] quit

    # Apply an IPSec policy group to an interface of RouterB.

    [RouterB] interface gigabitethernet 0/0/1
    [RouterB-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterB-GigabitEthernet0/0/1] quit

    # Apply an IPSec policy group to an interface of RouterC.

    [RouterC] interface gigabitethernet 0/0/1
    [RouterC-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterC-GigabitEthernet0/0/1] quit

  7. Verify the configuration.

    # After the configurations are complete, PC A and PC B can ping PC C successfully. The data transmitted among them is encrypted.

    # Run the display ike sa command on RouterA and RouterB to view the IKE SA information. The command output on RouterA is used as an example.

    [RouterA] display ike sa
    IKE SA information :
      Conn-ID  Peer          VPN   Flag(s)   Phase   RemoteType  RemoteID
      ---------------------------------------------------------------------------
      24366    60.1.3.1:500        RD|ST     v1:2    IP          60.1.3.1
      24274    60.1.3.1:500        RD|ST     v1:1    IP          60.1.3.1
                                       
      Number of IKE SA : 2     
      ---------------------------------------------------------------------------
    
      Flag Description:           
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   

    # Run the display ike sa command on RouterC. The command output is displayed as follows:

    [RouterC] display ike sa
    IKE SA information :
      Conn-ID  Peer           VPN   Flag(s)   Phase   RemoteType  RemoteID
      --------------------------------------------------------------------------
       961    60.1.2.1:500          RD        v1:2    IP          60.1.2.1
       933    60.1.2.1:500          RD        v1:1    IP          60.1.2.1
       937    60.1.1.1:500          RD        v1:2    IP          60.1.1.1
       936    60.1.1.1:500          RD        v1:1    IP          60.1.1.1
                                       
      Number of IKE SA : 4     
      --------------------------------------------------------------------------
                                                               
      Flag Description:           
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   
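As an added check that is not part of this Huawei document, the following Python parses output in the display ike sa layout shown above and reports, for each branch, whether a READY (RD) phase 1 (v1:1) and phase 2 (v1:2) SA exist; the two sample outputs are constructed and the list of expected branch peers is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the display ike sa output shown above for RouterC.
HEALTHY_OUTPUT = """\
  Conn-ID  Peer           VPN   Flag(s)   Phase   RemoteType  RemoteID
  --------------------------------------------------------------------------
   961    60.1.2.1:500          RD        v1:2    IP          60.1.2.1
   933    60.1.2.1:500          RD        v1:1    IP          60.1.2.1
   937    60.1.1.1:500          RD        v1:2    IP          60.1.1.1
   936    60.1.1.1:500          RD        v1:1    IP          60.1.1.1
  Number of IKE SA : 4
"""
# Constructed failure case: RouterB is stuck negotiating phase 1 and has no phase 2 SA.
DEGRADED_OUTPUT = """\
  Conn-ID  Peer           VPN   Flag(s)   Phase   RemoteType  RemoteID
  --------------------------------------------------------------------------
   937    60.1.1.1:500          RD        v1:2    IP          60.1.1.1
   936    60.1.1.1:500          RD        v1:1    IP          60.1.1.1
   940    60.1.2.1:500          NEG       v1:1    IP          60.1.2.1
  Number of IKE SA : 3
"""

# One SA row: Conn-ID, Peer:port, optional VPN instance, flags, phase, remote ID type, remote ID.
SA_ROW = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<peer>\d+\.\d+\.\d+\.\d+):\d+\s+(?:\S+\s+)?"
    r"(?P<flags>[A-Z]+(?:\|[A-Z]+)*)\s+(?P<phase>v[12]:[12])\s+\S+\s+\S+\s*$")

def parse_ike_sa(text):
    """Return {peer address: {phase: set of flags}} for every SA row in the output."""
    sas = defaultdict(dict)
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            sas[m["peer"]][m["phase"]] = set(m["flags"].split("|"))
    return dict(sas)

def check_branches(text, expected_peers):
    """Return {peer: [problems]}; an empty list means both IKEv1 phases are READY."""
    sas = parse_ike_sa(text)
    report = {}
    for peer in expected_peers:
        problems = []
        for phase, label in (("v1:1", "phase 1"), ("v1:2", "phase 2")):
            flags = sas.get(peer, {}).get(phase)
            if flags is None:
                problems.append(f"no {label} SA")
            elif "RD" not in flags:
                problems.append(f"{label} SA not READY: {'|'.join(sorted(flags))}")
        report[peer] = problems
    return report
```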

Configuration Files

  • RouterA configuration file

    #
     sysname RouterA
    #
    acl number 3002
     rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     ike-proposal 5
     remote-address 60.1.3.1
    #
    ipsec policy policy1 10 isakmp
     security acl 3002
     ike-peer rut1
     proposal tran1
    #
    interface GigabitEthernet0/0/1
     ip address 60.1.1.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.1.2 255.255.255.0
    #
    ip route-static 60.1.3.0 255.255.255.0 60.1.1.2
    ip route-static 192.168.3.0 255.255.255.0 60.1.1.2
    #
    return
    
  • RouterB configuration file

    #
     sysname RouterB
    #
    acl number 3002
     rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
     ike-proposal 5
     remote-address 60.1.3.1
    #
    ipsec policy policy1 10 isakmp
     security acl 3002
     ike-peer rut1
     proposal tran1
    #
    interface GigabitEthernet0/0/1
     ip address 60.1.2.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.2.2 255.255.255.0
    #
    ip route-static 60.1.3.0 255.255.255.0 60.1.2.2
    ip route-static 192.168.3.0 255.255.255.0 60.1.2.2
    #
    return
    
  • RouterC configuration file

    #
     sysname RouterC
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
    #
    ike user-table 10                                                               
     user routerb
      id-type ip 60.1.2.1
      pre-shared-key %^%#@q!5$RKXkQN'Sc&0D}$.T}vBUy,=TYy]rBOZl|04%^%#               
     user routera
      id-type ip 60.1.1.1
      pre-shared-key %^%#C&&/)4psiA%=7T"/!J)B|CuiH4$us1x3muJpnTr&%^%# 
    #
    ike peer rut1
     undo version 2
     ike-proposal 5
     user-table 10  
    #
    ipsec policy-template use1 10
     ike-peer rut1
     proposal tran1
    #
    ipsec policy policy1 10 isakmp template use1
    #
    interface GigabitEthernet0/0/1
     ip address 60.1.3.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.3.2 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 60.1.3.2
    #
    return
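As an added pre-deployment check that is not part of this Huawei document, the following Python cross-checks constructed excerpts of the three configuration files above: each branch's remote-address must equal RouterC's tunnel interface address, and each branch's tunnel address must have an id-type ip entry in RouterC's IKE user table. The cipher-text keys are replaced by placeholders, since ciphered values cannot be compared for equality.

```python
import re

# Constructed excerpts of the configuration files above (cipher-text keys replaced by placeholders).
ROUTER_A = """\
ike peer rut1
 remote-address 60.1.3.1
#
interface GigabitEthernet0/0/1
 ip address 60.1.1.1 255.255.255.0
 ipsec policy policy1
"""
ROUTER_B = ROUTER_A.replace("60.1.1.1", "60.1.2.1")
ROUTER_C = """\
ike user-table 10
 user routerb
  id-type ip 60.1.2.1
  pre-shared-key %^%#KEY-B-PLACEHOLDER%^%#
 user routera
  id-type ip 60.1.1.1
  pre-shared-key %^%#KEY-A-PLACEHOLDER%^%#
#
interface GigabitEthernet0/0/1
 ip address 60.1.3.1 255.255.255.0
 ipsec policy policy1
"""

def tunnel_ip(cfg):
    """Address of the interface the IPSec policy group is applied to."""
    m = re.search(r"interface \S+\n ip address (\S+) \S+\n ipsec policy", cfg)
    return m.group(1) if m else None

def user_table(cfg):
    """{user name: id-type value} from the ike user-table block; users with no key are skipped."""
    return dict(re.findall(
        r"^ user (\S+)\n  id-type \S+ (\S+)\n  pre-shared-key ", cfg, re.M))

def audit(hq_cfg, branch_cfgs):
    """Cross-check the HQ user table against each branch config; returns a list of findings."""
    findings, hq_ip = [], tunnel_ip(hq_cfg)
    known_ids = set(user_table(hq_cfg).values())
    for label, cfg in branch_cfgs.items():
        remote = re.search(r"^ remote-address (\S+)", cfg, re.M)
        if remote is None or remote.group(1) != hq_ip:
            findings.append(f"{label}: remote-address is not the HQ tunnel address {hq_ip}")
        # With IKEv1 main mode and PSK the branch identifies itself by its (post-NAT) IP,
        # so exactly that address must appear as an id-type ip entry in the HQ user table.
        if tunnel_ip(cfg) not in known_ids:
            findings.append(f"{label}: no HQ user-table entry for id {tunnel_ip(cfg)}")
    return findings
```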
    
Updated: 2019-04-12

Document ID: EDOC1100041799
