CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Establishing an IPSec Tunnel Between the Headquarters and Branch (One Tunnel Interface Corresponds to One Branch)

Networking Requirements

As shown in Figure 4-40, Router_B and Router_C are the gateways of enterprise branches, and Router_A is the gateway of the headquarters. The headquarters and branches communicate through the public network.

The enterprise requires IPSec protection for the traffic between the headquarters and each branch. The headquarters uses one tunnel interface per branch, and all of these tunnel interfaces borrow (are unnumbered to) the IP address of the same physical interface.

Figure 4-40  Networking diagram

Configuration Roadmap

  1. Configure the IP address and static route on each interface to implement communication between interfaces.
  2. Configure IPSec policies in ISAKMP mode, including the ACLs that define the data flows to be protected, the IPSec and IKE proposals, and the IKE peers.

    Because all headquarters tunnel interfaces borrow the same physical interface IP address, the local address cannot tell the branches apart. The headquarters therefore identifies the tunnel interface connected to a branch by the remote address (remote-address) configured in the IKE peer. This means the headquarters needs one IKE peer, one ACL and one IPSec policy per branch, and each IPSec policy is applied to a different tunnel interface.

NOTE:

When multiple branches connect to the headquarters and multiple tunnel interfaces in the headquarters borrow the same physical interface IP address, the headquarters can identify the tunnel interface connected to a branch by either the peer IP address or the peer ID of the IKE peer. Identification by peer ID is supported only by IKEv1 in aggressive mode. Note that IKEv1 aggressive mode with pre-shared keys sends the peer identity in clear text and exposes the pre-shared key to offline dictionary attacks by an eavesdropper, so use peer ID identification only where the branch address is not fixed, and then with long random keys.

Procedure

  1. Configure Router_A.
    1. Configure interface IP addresses and static routes.

      1. Configure interface IP addresses.

        <Huawei> system-view
        [Huawei] sysname Router_A
        [Router_A] interface gigabitethernet 1/0/3
        [Router_A-GigabitEthernet1/0/3] ip address 10.1.1.1 24
        [Router_A-GigabitEthernet1/0/3] quit
        [Router_A] interface gigabitethernet 1/0/1
        [Router_A-GigabitEthernet1/0/1] ip address 1.1.3.1 24
        [Router_A-GigabitEthernet1/0/1] quit
        [Router_A] interface tunnel 0/0/0
        [Router_A-Tunnel0/0/0] tunnel-protocol ipsec
        [Router_A-Tunnel0/0/0] ip address unnumbered interface gigabitethernet 1/0/1
        [Router_A-Tunnel0/0/0] quit
        [Router_A] interface tunnel 0/0/1
        [Router_A-Tunnel0/0/1] tunnel-protocol ipsec
        [Router_A-Tunnel0/0/1] ip address unnumbered interface gigabitethernet 1/0/1
        [Router_A-Tunnel0/0/1] quit
      2. Configure a default route towards the public network (assume the next hop is 1.1.3.2) and static routes that send traffic for each branch LAN into the tunnel interface for that branch. Traffic for a branch LAN that is not routed into its tunnel interface would follow the default route unprotected.

        [Router_A] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
        [Router_A] ip route-static 10.1.2.0 255.255.255.0 tunnel 0/0/0
        [Router_A] ip route-static 10.1.3.0 255.255.255.0 tunnel 0/0/1

    2. Configure IPSec policies.

      1. Define data flows to be protected.

        [Router_A] acl 3000
        [Router_A-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
        [Router_A-acl-adv-3000] quit
        [Router_A] acl 3001
        [Router_A-acl-adv-3001] rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
        [Router_A-acl-adv-3001] quit
      2. Configure an IPSec proposal.

        [Router_A] ipsec proposal tran1
        [Router_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
        [Router_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
        [Router_A-ipsec-proposal-tran1] quit
      3. Configure an IKE proposal.

        [Router_A] ike proposal 10
        [Router_A-ike-proposal-10] authentication-method pre-share
        [Router_A-ike-proposal-10] prf hmac-sha2-256
        [Router_A-ike-proposal-10] encryption-algorithm aes-256
        [Router_A-ike-proposal-10] dh group14
        [Router_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
        [Router_A-ike-proposal-10] quit
      4. Configure IKE peers. The remote-address of each peer is the public address of the branch it serves, and the pre-shared key must be identical to the key configured on that branch. This example uses the same key for both branches; a separate key per branch limits the exposure if one branch gateway is compromised.

        [Router_A] ike peer b
        [Router_A-ike-peer-b] ike-proposal 10
        [Router_A-ike-peer-b] remote-address 1.1.5.1
        [Router_A-ike-peer-b] pre-shared-key cipher Test!123
        [Router_A-ike-peer-b] quit
        [Router_A] ike peer c
        [Router_A-ike-peer-c] ike-proposal 10
        [Router_A-ike-peer-c] remote-address 1.1.6.1
        [Router_A-ike-peer-c] pre-shared-key cipher Test!123
        [Router_A-ike-peer-c] quit
      5. Create security policies.

        [Router_A] ipsec policy map1 10 isakmp
        [Router_A-ipsec-policy-isakmp-map1-10] proposal tran1
        [Router_A-ipsec-policy-isakmp-map1-10] ike-peer b
        [Router_A-ipsec-policy-isakmp-map1-10] security acl 3000
        [Router_A-ipsec-policy-isakmp-map1-10] quit
        [Router_A] ipsec policy map2 10 isakmp
        [Router_A-ipsec-policy-isakmp-map2-10] proposal tran1
        [Router_A-ipsec-policy-isakmp-map2-10] ike-peer c
        [Router_A-ipsec-policy-isakmp-map2-10] security acl 3001
        [Router_A-ipsec-policy-isakmp-map2-10] quit
        
      6. Apply the security policies to the corresponding interface.

        [Router_A] interface tunnel 0/0/0
        [Router_A-Tunnel0/0/0] ipsec policy map1
        [Router_A-Tunnel0/0/0] quit
        [Router_A] interface tunnel 0/0/1
        [Router_A-Tunnel0/0/1] ipsec policy map2
        [Router_A-Tunnel0/0/1] quit
        

  2. Configure Router_B. The configuration of Router_C is similar (see its configuration file at the end of this example) and is not repeated here.
    1. Configure interface IP addresses and static routes.

      1. Configure interface IP addresses.

        <Huawei> system-view
        [Huawei] sysname Router_B
        [Router_B] interface gigabitethernet 1/0/3
        [Router_B-GigabitEthernet1/0/3] ip address 10.1.2.1 24
        [Router_B-GigabitEthernet1/0/3] quit
        [Router_B] interface gigabitethernet 1/0/1
        [Router_B-GigabitEthernet1/0/1] ip address 1.1.5.1 24
        [Router_B-GigabitEthernet1/0/1] quit
        [Router_B] interface tunnel 0/0/0
        [Router_B-Tunnel0/0/0] tunnel-protocol ipsec
        [Router_B-Tunnel0/0/0] ip address unnumbered interface gigabitethernet 1/0/1
        [Router_B-Tunnel0/0/0] quit
        
      2. Configure a default route towards the public network (assume the next hop is 1.1.5.2) and a static route that sends traffic for the headquarters LAN into the tunnel interface.

        [Router_B] ip route-static 0.0.0.0 0.0.0.0 1.1.5.2
        [Router_B] ip route-static 10.1.1.0 255.255.255.0 tunnel 0/0/0
        

    2. Configure IPSec policies.

      1. Define data flows to be protected.

        [Router_B] acl 3000
        [Router_B-acl-adv-3000] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
        [Router_B-acl-adv-3000] quit
      2. Configure an IPSec proposal.

        [Router_B] ipsec proposal tran1
        [Router_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
        [Router_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
        [Router_B-ipsec-proposal-tran1] quit
      3. Configure an IKE proposal.

        [Router_B] ike proposal 10
        [Router_B-ike-proposal-10] authentication-method pre-share
        [Router_B-ike-proposal-10] prf hmac-sha2-256
        [Router_B-ike-proposal-10] encryption-algorithm aes-256
        [Router_B-ike-proposal-10] dh group14
        [Router_B-ike-proposal-10] integrity-algorithm hmac-sha2-256
        [Router_B-ike-proposal-10] quit
      4. Configure an IKE peer.

        [Router_B] ike peer a
        [Router_B-ike-peer-a] ike-proposal 10
        [Router_B-ike-peer-a] remote-address 1.1.3.1
        [Router_B-ike-peer-a] pre-shared-key cipher Test!123
        [Router_B-ike-peer-a] quit
      5. Create an IPSec policy.

        [Router_B] ipsec policy map1 10 isakmp
        [Router_B-ipsec-policy-isakmp-map1-10] security acl 3000
        [Router_B-ipsec-policy-isakmp-map1-10] proposal tran1
        [Router_B-ipsec-policy-isakmp-map1-10] ike-peer a
        [Router_B-ipsec-policy-isakmp-map1-10] quit
      6. Apply the IPSec policy to the corresponding interface.

        [Router_B] interface tunnel 0/0/0
        [Router_B-Tunnel0/0/0] ipsec policy map1
        [Router_B-Tunnel0/0/0] quit
        

  3. Verify the configuration.

    # Run the ping -a source-ip-address host command to ping a private network address from a private network address. The -a option matters: only packets whose source and destination match the ACL are protected, so a ping sourced from the public interface address would not match the ACL and would not test the tunnel. If the headquarters and branches can ping each other, services between them are reachable. The following uses Router_A as an example:

    [Router_A] ping -a 10.1.1.1 10.1.2.2
      PING 10.1.2.2: 56  data bytes, press CTRL_C to break
        Reply from 10.1.2.2: bytes=56 Sequence=1 ttl=255 time=89 ms
        Reply from 10.1.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms
        Reply from 10.1.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms
        Reply from 10.1.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms
        Reply from 10.1.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms
    
      --- 10.1.2.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/18/89 ms
    [Router_A] ping -a 10.1.1.1 10.1.3.2
      PING 10.1.3.2: 56  data bytes, press CTRL_C to break
        Reply from 10.1.3.2: bytes=56 Sequence=1 ttl=255 time=89 ms
        Reply from 10.1.3.2: bytes=56 Sequence=2 ttl=255 time=1 ms
        Reply from 10.1.3.2: bytes=56 Sequence=3 ttl=255 time=1 ms
        Reply from 10.1.3.2: bytes=56 Sequence=4 ttl=255 time=1 ms
        Reply from 10.1.3.2: bytes=56 Sequence=5 ttl=255 time=1 ms
    
      --- 10.1.3.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/18/89 ms

    # Run the display ike sa command. For each branch, an entry with Phase v2:1 (the IKE SA) and an entry with Phase v2:2 (the IPSec SA) that both carry the RD (READY) flag show that the IPSec tunnel is established. The following uses Router_A as an example:

    [Router_A] display ike sa       
                                                                                    
    IKE SA information :                                                            
        Conn-ID       Peer        VPN      Flag(s)       Phase    RemoteType  RemoteID
      ------------------------------------------------------------------------------
        50336907      1.1.5.1:500          RD|ST|A       v2:2     IP          1.1.5.1
        50336906      1.1.5.1:500          RD|ST|A       v2:1     IP          1.1.5.1
        33554436      1.1.6.1:500          RD|ST|A       v2:2     IP          1.1.6.1
        33554435      1.1.6.1:500          RD|ST|A       v2:1     IP          1.1.6.1
                                       
      Number of IKE SA : 4     
      ------------------------------------------------------------------------------
    
      Flag Description:           
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING 
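The following is an added example and is not part of the Huawei document: a Python script that parses the display ike sa table above (the sample text is the Router_A output from this page) and checks, for a list of expected branch addresses, that each branch has a READY Phase v2:1 entry (IKE SA) and a READY Phase v2:2 entry (IPSec SA), that the authenticated remote identity is the configured branch address, and that no peer outside the expected list holds an SA. The expected peer list, the function names and the status strings are assumptions of this example.

```python
# Added example (not Huawei's code): automate the "display ike sa" check for this topology.
# The sample table below is the Router_A output shown on this page.
SAMPLE_IKE_SA = """\
IKE SA information :
    Conn-ID       Peer        VPN      Flag(s)       Phase    RemoteType  RemoteID
  ------------------------------------------------------------------------------
    50336907      1.1.5.1:500          RD|ST|A       v2:2     IP          1.1.5.1
    50336906      1.1.5.1:500          RD|ST|A       v2:1     IP          1.1.5.1
    33554436      1.1.6.1:500          RD|ST|A       v2:2     IP          1.1.6.1
    33554435      1.1.6.1:500          RD|ST|A       v2:1     IP          1.1.6.1

  Number of IKE SA : 4
"""

def parse_ike_sa(text):
    """Return one dict per SA row.  The VPN column is blank for the public instance,
    so rows have 6 or 7 fields; the last four are always Flag(s), Phase, RemoteType, RemoteID."""
    sas = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or not tok[0].isdigit() or ":" not in tok[1]:
            continue                                   # header, separator and counter lines
        peer, _port = tok[1].rsplit(":", 1)
        flags, phase, rtype, rid = tok[-4:]
        sas.append({"peer": peer, "vpn": tok[2] if len(tok) == 7 else "",
                    "flags": set(flags.split("|")), "phase": phase.split(":")[1],
                    "remote_type": rtype, "remote_id": rid})
    return sas

def tunnel_status(sas, expected_peers):
    """Map every expected (and every unexpected) peer address to a status string."""
    status = {}
    for peer in expected_peers:
        ready = {}                                     # phase -> READY SAs for this peer
        for s in sas:
            if s["peer"] == peer and "RD" in s["flags"]:
                ready.setdefault(s["phase"], []).append(s)
        if not ready.get("1"):
            status[peer] = "no ready IKE SA (phase 1): check reachability, proposals and pre-shared key"
        elif not ready.get("2"):
            status[peer] = "IKE SA ready but no IPsec SA (phase 2): check ACL mirroring and IPsec proposal"
        elif any(s["remote_type"] != "IP" or s["remote_id"] != peer for s in ready["1"]):
            status[peer] = "IKE SA authenticated under an unexpected remote identity"
        else:
            status[peer] = "ok"
    for peer in {s["peer"] for s in sas} - set(expected_peers):
        status[peer] = "unexpected peer holds an SA"   # not one of the configured branches
    return status

def check_page_output():
    # Assumption: the branch public addresses configured as remote-address on Router_A.
    return tunnel_status(parse_ike_sa(SAMPLE_IKE_SA), ["1.1.5.1", "1.1.6.1"])
```

For the output on this page, check_page_output() reports "ok" for both branches. Removing the Phase v2:2 row of a branch turns its status into the phase-2 message, and any address that is not in the expected list is reported as an unexpected peer, which is the case worth an alert on a hub that should only ever talk to its own branches.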

Configuration Files

  • Router_A configuration file

    #
     sysname Router_A
    #
    acl number 3000
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    acl number 3001
     rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
    #
    ipsec proposal tran1   
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
      encryption-algorithm aes-256    
      dh group14        
      authentication-algorithm sha2-256        
      authentication-method pre-share    
      integrity-algorithm hmac-sha2-256     
      prf hmac-sha2-256 
    #
    ike peer b
     pre-shared-key cipher %^%#W)04NhZ:bP=~"=KQu\CN6KcK#NE5:(Os2L57]r5I%^%#
     ike-proposal 10
     remote-address 1.1.5.1
    ike peer c
     pre-shared-key cipher %^%#W)04NhZ:bP=~"=KQu\CN6KcK#NE5:(Os2L57]r5I%^%#
     ike-proposal 10
     remote-address 1.1.6.1
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
    ipsec policy map2 10 isakmp
     security acl 3001
     ike-peer c
     proposal tran1
    #
    interface GigabitEthernet1/0/1
     ip address 1.1.3.1 255.255.255.0
    #
    interface GigabitEthernet1/0/3
     ip address 10.1.1.1 255.255.255.0
    #
    interface Tunnel0/0/0
     ip address unnumbered interface GigabitEthernet1/0/1
     tunnel-protocol ipsec
     ipsec policy map1
    # 
    interface Tunnel0/0/1
     ip address unnumbered interface GigabitEthernet1/0/1
     tunnel-protocol ipsec
     ipsec policy map2
    # 
    ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
    ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/0 
    ip route-static 10.1.3.0 255.255.255.0 Tunnel0/0/1
    #
    return
  • Router_B configuration file

    #
     sysname Router_B
    #
    acl number 3000
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #              
    ipsec proposal tran1   
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
      encryption-algorithm aes-256    
      dh group14        
      authentication-algorithm sha2-256        
      authentication-method pre-share    
      integrity-algorithm hmac-sha2-256     
      prf hmac-sha2-256 
    #
    ike peer a
     pre-shared-key cipher %^%#W)04NhZ:bP=~"=KQu\CN6KcK#NE5:(Os2L57]r5I%^%#
     ike-proposal 10
     remote-address 1.1.3.1
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet1/0/1
     ip address 1.1.5.1 255.255.255.0
    #
    interface GigabitEthernet1/0/3
     ip address 10.1.2.1 255.255.255.0
    #
    interface Tunnel0/0/0
     ip address unnumbered interface GigabitEthernet1/0/1
     tunnel-protocol ipsec
     ipsec policy map1
    # 
    ip route-static 0.0.0.0 0.0.0.0 1.1.5.2
    ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/0 
    #
    return
  • Configuration file of Router_C

    #
     sysname Router_C
    #
    acl number 3000
     rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #              
    ipsec proposal tran1   
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
      encryption-algorithm aes-256    
      dh group14        
      authentication-algorithm sha2-256        
      authentication-method pre-share    
      integrity-algorithm hmac-sha2-256     
      prf hmac-sha2-256 
    #
    ike peer a
     pre-shared-key cipher %^%#W)04NhZ:bP=~"=KQu\CN6KcK#NE5:(Os2L57]r5I%^%#
     ike-proposal 10
     remote-address 1.1.3.1
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet1/0/1
     ip address 1.1.6.1 255.255.255.0
    #
    interface GigabitEthernet1/0/3
     ip address 10.1.3.1 255.255.255.0
    #
    interface Tunnel0/0/1
     ip address unnumbered interface GigabitEthernet1/0/1
     tunnel-protocol ipsec
     ipsec policy map1
    # 
    ip route-static 0.0.0.0 0.0.0.0 1.1.6.2
    ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1 
    #
    return
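The following is an added example and is not part of the Huawei document: a Python script that parses trimmed copies of the three configuration files above and checks the properties the configuration roadmap relies on. Each headquarters tunnel interface must be bound to its own IKE peer and its own ACL, every destination an ACL protects must be routed into that same tunnel interface, each branch ACL must be the mirror image of the headquarters ACL for it, and each side's remote-address must be an interface address of the other side. The parser, the check functions and the trimmed sample text are assumptions of this example; it does not compare pre-shared keys, because the configuration files only show them in cipher form.

```python
# Added example (not Huawei's code); the config text below is trimmed from this page's files.
import ipaddress
import re

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)   # netmask (255.255.255.0) or ACL wildcard (0.0.0.255)

def parse_config(text):
    cfg = {"acl": {}, "peer": {}, "policy": {}, "iface": {}, "routes": []}
    for stanza in re.split(r"\n(?=\S)", text):        # stanza = unindented line + the indented lines under it
        head, *body = [l.split() for l in stanza.splitlines() if l.strip()] or [["#"]]
        if head[:2] == ["ip", "route-static"]:                 # ip route-static DEST MASK NEXTHOP|INTERFACE
            cfg["routes"].append((net(head[2], head[3]), head[4]))
        elif head[:2] == ["acl", "number"]:                   # rule N permit ip source A WILD destination B WILD
            cfg["acl"][head[2]] = [(net(t[5], t[6]), net(t[8], t[9])) for t in body if "permit" in t]
        elif head[:2] in (["ike", "peer"], ["ipsec", "policy"]):   # remote-address X / security acl N / ike-peer P
            cfg["peer" if head[0] == "ike" else "policy"][head[2]] = {t[0]: t[-1] for t in body}
        elif head[0] == "interface":
            iface = cfg["iface"][head[1]] = {}
            for t in body:
                if t[:2] == ["ip", "address"] and t[2] != "unnumbered":
                    iface["ip"] = t[2]
                elif t[:2] == ["ipsec", "policy"]:
                    iface["policy"] = t[2]
    return cfg

def bindings(cfg):
    """tunnel interface -> (ike peer settings, protected {(src, dst)} flows, policy settings)"""
    pol = lambda i: cfg["policy"][i["policy"]]
    return {n: (cfg["peer"][pol(i)["ike-peer"]], set(cfg["acl"][pol(i)["security"]]), pol(i))
            for n, i in cfg["iface"].items() if n.startswith("Tunnel") and "policy" in i}

def check(hub, branches):
    """branches maps each hub tunnel interface to the parsed config of the branch behind it."""
    findings, used = [], {}
    hub_ips = {i["ip"] for i in hub["iface"].values() if "ip" in i}
    for tun, (peer, flows, pol) in bindings(hub).items():
        for kind in ("ike-peer", "security"):                 # one IKE peer and one ACL per tunnel interface
            if (kind, pol[kind]) in used:
                findings.append(f"{tun}: {kind} {pol[kind]} is also bound to {used[kind, pol[kind]]}")
            used[kind, pol[kind]] = tun
        for _, dst in flows:                                  # unrouted protected traffic would follow the default route in clear
            if (dst, tun) not in hub["routes"]:
                findings.append(f"{tun}: {dst} is in acl {pol['security']} but not routed via {tun}")
        if tun not in branches:
            findings.append(f"{tun}: no branch configuration supplied"); continue
        b_peer, b_flows, _ = next(iter(bindings(branches[tun]).values()))   # a branch has one tunnel
        branch_ips = {i["ip"] for i in branches[tun]["iface"].values() if "ip" in i}
        if b_flows != {(d, s) for s, d in flows}:
            findings.append(f"{tun}: branch ACL is not the mirror image of the hub ACL")
        if peer["remote-address"] not in branch_ips or b_peer["remote-address"] not in hub_ips:
            findings.append(f"{tun}: remote-address does not match the other side's interface address")
    return findings

# Constructed sample input: Router_A's configuration file from this page, trimmed to the checked stanzas.
ROUTER_A = """\
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
acl number 3001
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
ike peer b
 remote-address 1.1.5.1
ike peer c
 remote-address 1.1.6.1
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
ipsec policy map2 10 isakmp
 security acl 3001
 ike-peer c
interface GigabitEthernet1/0/1
 ip address 1.1.3.1 255.255.255.0
interface Tunnel0/0/0
 ipsec policy map1
interface Tunnel0/0/1
 ipsec policy map2
ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/0
ip route-static 10.1.3.0 255.255.255.0 Tunnel0/0/1
"""

def branch_config(lan, wan, tunnel):   # Router_B and Router_C on this page differ only in these values
    return f"""\
acl number 3000
 rule 5 permit ip source {lan} 0.0.0.255 destination 10.1.1.0 0.0.0.255
ike peer a
 remote-address 1.1.3.1
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
interface GigabitEthernet1/0/1
 ip address {wan} 255.255.255.0
interface {tunnel}
 ipsec policy map1
ip route-static 10.1.1.0 255.255.255.0 {tunnel}
"""

def check_page_example():
    branches = {t: parse_config(branch_config(lan, wan, t)) for lan, wan, t in
                [("10.1.2.0", "1.1.5.1", "Tunnel0/0/0"), ("10.1.3.0", "1.1.6.1", "Tunnel0/0/1")]}
    return check(parse_config(ROUTER_A), branches)
```

check_page_example() returns an empty list for the files on this page. Placing Router_C's configuration behind Tunnel0/0/0 produces both a mirror-image finding and a remote-address finding, and binding Tunnel0/0/1 to map1 instead of map2 is reported as the same IKE peer and ACL bound to two tunnel interfaces, which is exactly the situation the one-tunnel-per-branch design is meant to avoid.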
Updated: 2019-04-12

Document ID: EDOC1100041799