CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Establishing IPSec over DSVPN Tunnels Between Hub and Spokes (Based on ACL)

Networking Requirements

In Figure 4-51, a large enterprise has a headquarters (Hub) and multiple branches (Spoke1 and Spoke2 in this example) located in different areas. The Spokes connect to the public network using dynamic IP addresses obtained through DHCP. DSVPN is deployed to enable communication between the Spokes as well as between each Spoke and the Hub.

The enterprise requires that data transmitted between Spokes as well as between Spoke and Hub be encrypted. IPSec over DSVPN can be configured on Hub and Spokes to provide traffic protection.

Figure 4-51  Establishing IPSec over DSVPN tunnels between Hub and Spokes
NOTE:

Assume that the dynamic addresses obtained by Spoke1 and Spoke2 are 1.1.2.10 and 1.1.3.10, respectively.

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure DSVPN to interconnect the Spokes, because the Spokes reach the public network through dynamic IP addresses and therefore do not know each other's public addresses in advance.

  2. Deploy DSVPN in shortcut mode because there are a large number of Spokes.

  3. Configure OSPF to simplify maintenance because the subnets of the Hub and Spokes change frequently.

  4. Configure IPSec over DSVPN so that data exchanged between the Hub and Spokes is encrypted by IPSec before it is carried over the DSVPN tunnel.

Procedure

  1. Configure IP addresses for interfaces.

    # Configure the Hub.

    <Huawei> system-view
    [Huawei] sysname Hub
    [Hub] interface gigabitethernet 1/0/0
    [Hub-GigabitEthernet1/0/0] ip address 1.1.1.10 255.255.255.0
    [Hub-GigabitEthernet1/0/0] quit
    [Hub] interface gigabitethernet 1/0/1
    [Hub-GigabitEthernet1/0/1] ip address 10.1.1.1 255.255.255.0
    [Hub-GigabitEthernet1/0/1] quit
    [Hub] interface tunnel 0/0/0
    [Hub-Tunnel0/0/0] ip address 10.2.1.1 255.255.255.0
    [Hub-Tunnel0/0/0] quit
    

    # Configure Spoke1.

    <Huawei> system-view
    [Huawei] sysname Spoke1
    [Spoke1] interface gigabitethernet 1/0/0
    [Spoke1-GigabitEthernet1/0/0] ip address dhcp-alloc
    [Spoke1-GigabitEthernet1/0/0] quit
    [Spoke1] interface gigabitethernet 1/0/1
    [Spoke1-GigabitEthernet1/0/1] ip address 10.1.2.1 255.255.255.0
    [Spoke1-GigabitEthernet1/0/1] quit
    [Spoke1] interface tunnel 0/0/0
    [Spoke1-Tunnel0/0/0] ip address 10.2.1.2 255.255.255.0
    [Spoke1-Tunnel0/0/0] quit
    

    # Configure Spoke2.

    <Huawei> system-view
    [Huawei] sysname Spoke2
    [Spoke2] interface gigabitethernet 1/0/0
    [Spoke2-GigabitEthernet1/0/0] ip address dhcp-alloc
    [Spoke2-GigabitEthernet1/0/0] quit
    [Spoke2] interface gigabitethernet 1/0/1
    [Spoke2-GigabitEthernet1/0/1] ip address 10.1.3.1 255.255.255.0
    [Spoke2-GigabitEthernet1/0/1] quit
    [Spoke2] interface tunnel 0/0/0
    [Spoke2-Tunnel0/0/0] ip address 10.2.1.3 255.255.255.0
    [Spoke2-Tunnel0/0/0] quit
    

  2. Configure OSPF to ensure reachable routes over the public network.

    # Configure the Hub.

    [Hub] ospf 2
    [Hub-ospf-2] area 0.0.0.1
    [Hub-ospf-2-area-0.0.0.1] network 1.1.1.0 0.0.0.255
    [Hub-ospf-2-area-0.0.0.1] quit
    [Hub-ospf-2] quit
    

    # Configure Spoke1.

    [Spoke1] ospf 2
    [Spoke1-ospf-2] area 0.0.0.1
    [Spoke1-ospf-2-area-0.0.0.1] network 1.1.2.0 0.0.0.255
    [Spoke1-ospf-2-area-0.0.0.1] quit
    [Spoke1-ospf-2] quit
    

    # Configure Spoke2.

    [Spoke2] ospf 2
    [Spoke2-ospf-2] area 0.0.0.1
    [Spoke2-ospf-2-area-0.0.0.1] network 1.1.3.0 0.0.0.255
    [Spoke2-ospf-2-area-0.0.0.1] quit
    [Spoke2-ospf-2] quit
    

  3. Configure OSPF to ensure reachable routes between private networks.

    # Configure the Hub.

    [Hub] ospf 1 router-id 10.2.1.1
    [Hub-ospf-1] area 0.0.0.0
    [Hub-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
    [Hub-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
    [Hub-ospf-1-area-0.0.0.0] quit
    [Hub-ospf-1] quit
    

    # Configure Spoke1.

    [Spoke1] ospf 1 router-id 10.2.1.2
    [Spoke1-ospf-1] area 0.0.0.0
    [Spoke1-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
    [Spoke1-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
    [Spoke1-ospf-1-area-0.0.0.0] quit
    [Spoke1-ospf-1] quit
    

    # Configure Spoke2.

    [Spoke2] ospf 1 router-id 10.2.1.3
    [Spoke2-ospf-1] area 0.0.0.0
    [Spoke2-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
    [Spoke2-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
    [Spoke2-ospf-1-area-0.0.0.0] quit
    [Spoke2-ospf-1] quit
    

  4. Configure tunnel interfaces.

    On the Hub and Spokes, set the OSPF network type of the tunnel interfaces (p2mp in the commands below) so that the Spokes can learn routes from each other through the Hub. On Spoke1 and Spoke2, configure a static NHRP peer entry for the Hub and register with it.

    # Configure the Hub.
    [Hub] interface tunnel 0/0/0
    [Hub-Tunnel0/0/0] tunnel-protocol gre p2mp
    [Hub-Tunnel0/0/0] source gigabitethernet 1/0/0
    [Hub-Tunnel0/0/0] nhrp entry multicast dynamic
    [Hub-Tunnel0/0/0] ospf network-type p2mp
    [Hub-Tunnel0/0/0] quit
    
    # Configure Spoke1.
    [Spoke1] interface tunnel 0/0/0
    [Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
    [Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
    [Spoke1-Tunnel0/0/0] nhrp entry 10.2.1.1 1.1.1.10 register
    [Spoke1-Tunnel0/0/0] ospf network-type p2mp
    [Spoke1-Tunnel0/0/0] quit
    
    # Configure Spoke2.
    [Spoke2] interface tunnel 0/0/0
    [Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
    [Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
    [Spoke2-Tunnel0/0/0] nhrp entry 10.2.1.1 1.1.1.10 register
    [Spoke2-Tunnel0/0/0] ospf network-type p2mp
    [Spoke2-Tunnel0/0/0] quit
    

  5. Configure an ACL to define the data flows to be protected by IPSec.

    # Configure Spoke1.

    [Spoke1] acl number 3101
    [Spoke1-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [Spoke1-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
    [Spoke1-acl-adv-3101] quit

    # Configure Spoke2.

    [Spoke2] acl number 3101
    [Spoke2-acl-adv-3101] rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [Spoke2-acl-adv-3101] rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [Spoke2-acl-adv-3101] quit

  6. Configure an IKE proposal.

    # Configure the Hub.

    [Hub] ike proposal 1
    [Hub-ike-proposal-1] dh group14
    [Hub-ike-proposal-1] encryption-algorithm aes-256
    [Hub-ike-proposal-1] authentication-algorithm sha2-256
    [Hub-ike-proposal-1] prf aes-xcbc-128
    [Hub-ike-proposal-1] quit
    

    # Configure Spoke1.

    [Spoke1] ike proposal 1
    [Spoke1-ike-proposal-1] dh group14
    [Spoke1-ike-proposal-1] encryption-algorithm aes-256
    [Spoke1-ike-proposal-1] authentication-algorithm sha2-256
    [Spoke1-ike-proposal-1] prf aes-xcbc-128
    [Spoke1-ike-proposal-1] quit
    

    # Configure Spoke2.

    [Spoke2] ike proposal 1
    [Spoke2-ike-proposal-1] dh group14
    [Spoke2-ike-proposal-1] encryption-algorithm aes-256
    [Spoke2-ike-proposal-1] authentication-algorithm sha2-256
    [Spoke2-ike-proposal-1] prf aes-xcbc-128
    [Spoke2-ike-proposal-1] quit
    

  7. Configure an IKE peer.

    # Configure the Hub.

    [Hub] ike peer hub
    [Hub-ike-peer-hub] undo version 2
    [Hub-ike-peer-hub] ike-proposal 1
    [Hub-ike-peer-hub] pre-shared-key cipher Huawei@1234
    [Hub-ike-peer-hub] dpd type periodic
    [Hub-ike-peer-hub] dpd idle-time 40
    [Hub-ike-peer-hub] quit
    

    # Configure Spoke1.

    [Spoke1] ike peer spoke1
    [Spoke1-ike-peer-spoke1] undo version 2
    [Spoke1-ike-peer-spoke1] ike-proposal 1
    [Spoke1-ike-peer-spoke1] pre-shared-key cipher Huawei@1234
    [Spoke1-ike-peer-spoke1] remote-address 10.2.1.1
    [Spoke1-ike-peer-spoke1] dpd type periodic
    [Spoke1-ike-peer-spoke1] dpd idle-time 40
    [Spoke1-ike-peer-spoke1] quit
    

    # Configure Spoke2.

    [Spoke2] ike peer spoke2
    [Spoke2-ike-peer-spoke2] undo version 2
    [Spoke2-ike-peer-spoke2] ike-proposal 1
    [Spoke2-ike-peer-spoke2] pre-shared-key cipher Huawei@1234
    [Spoke2-ike-peer-spoke2] remote-address 10.2.1.1
    [Spoke2-ike-peer-spoke2] dpd type periodic
    [Spoke2-ike-peer-spoke2] dpd idle-time 40
    [Spoke2-ike-peer-spoke2] quit
    

  8. Create an IPSec proposal.

    On the Hub and Spokes, create an IPSec proposal.

    # Configure the Hub.

    [Hub] ipsec proposal pro1
    [Hub-ipsec-proposal-pro1] transform esp
    [Hub-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
    [Hub-ipsec-proposal-pro1] esp encryption-algorithm aes-256
    [Hub-ipsec-proposal-pro1] quit
    

    # Configure Spoke1.

    [Spoke1] ipsec proposal pro1
    [Spoke1-ipsec-proposal-pro1] transform esp
    [Spoke1-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
    [Spoke1-ipsec-proposal-pro1] esp encryption-algorithm aes-256
    [Spoke1-ipsec-proposal-pro1] quit
    

    # Configure Spoke2.

    [Spoke2] ipsec proposal pro1
    [Spoke2-ipsec-proposal-pro1] transform esp
    [Spoke2-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
    [Spoke2-ipsec-proposal-pro1] esp encryption-algorithm aes-256
    [Spoke2-ipsec-proposal-pro1] quit
    

  9. Configure a security policy.

    # Configure the Hub.

    [Hub] ipsec policy-template use1 10
    [Hub-ipsec-policy-templet-use1-10] ike-peer hub
    [Hub-ipsec-policy-templet-use1-10] proposal pro1
    [Hub-ipsec-policy-templet-use1-10] quit
    [Hub] ipsec policy policy1 10 isakmp template use1
    

    # Configure Spoke1.

    [Spoke1] ipsec policy policy1 10 isakmp
    [Spoke1-ipsec-policy-isakmp-policy1-10] ike-peer spoke1
    [Spoke1-ipsec-policy-isakmp-policy1-10] proposal pro1
    [Spoke1-ipsec-policy-isakmp-policy1-10] security acl 3101
    [Spoke1-ipsec-policy-isakmp-policy1-10] quit
    

    # Configure Spoke2.

    [Spoke2] ipsec policy policy1 10 isakmp
    [Spoke2-ipsec-policy-isakmp-policy1-10] ike-peer spoke2
    [Spoke2-ipsec-policy-isakmp-policy1-10] proposal pro1
    [Spoke2-ipsec-policy-isakmp-policy1-10] security acl 3101
    [Spoke2-ipsec-policy-isakmp-policy1-10] quit
    

  10. Apply the security policy to the tunnel interfaces to enable IPSec protection.

    # Configure the Hub.
    [Hub] interface tunnel 0/0/0
    [Hub-Tunnel0/0/0] ipsec policy policy1
    [Hub-Tunnel0/0/0] quit
    
    # Configure Spoke1.
    [Spoke1] interface tunnel 0/0/0
    [Spoke1-Tunnel0/0/0] ipsec policy policy1
    [Spoke1-Tunnel0/0/0] quit
    
    # Configure Spoke2.
    [Spoke2] interface tunnel 0/0/0
    [Spoke2-Tunnel0/0/0] ipsec policy policy1
    [Spoke2-Tunnel0/0/0] quit
    

  11. Verify the configuration.

    # After the configuration is complete, run the display ike sa command on the Spokes to view the SA establishment information. The command output on Spoke1 is used as an example.

    [Spoke1] display ike sa
    IKE SA information :
       Conn-ID    Peer             VPN   Flag(s)   Phase   RemoteType  RemoteID
      ------------------------------------------------------------------------------
       20         10.2.1.1:500           RD|A      v1:2    IP          10.2.1.1
       19         10.2.1.1:500           RD|A      v1:1    IP          10.2.1.1

      Number of IKE SA : 2
      ------------------------------------------------------------------------------

      Flag Description:
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

    The command output shows that an SA is successfully established between Spoke1 and the Hub to encrypt data transmitted between them.

    After pinging 10.1.3.1 from Spoke1, run the display ike sa command to view the SA establishment information. The command output on Spoke1 is used as an example.

    [Spoke1] display ike sa
    IKE SA information :
       Conn-ID    Peer             VPN   Flag(s)   Phase   RemoteType  RemoteID
      ------------------------------------------------------------------------------
       22         10.2.1.3:500           RD|A      v1:2    IP          10.2.1.3
       21         10.2.1.3:500           RD|A      v1:1    IP          10.2.1.3
       20         10.2.1.1:500           RD|A      v1:2    IP          10.2.1.1
       19         10.2.1.1:500           RD|A      v1:1    IP          10.2.1.1

      Number of IKE SA : 4
      ------------------------------------------------------------------------------

      Flag Description:
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

    The command output shows that an SA is successfully established between Spoke1 and Spoke2 to encrypt data transmitted between them.
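As an added consistency check that is not part of Huawei's documentation: the script below parses the Spoke configuration files of this example (the VRP layout of `#`-separated blocks), confirms that the IKE proposal parameters agree between the two Spokes, and confirms that every flow a Spoke's security ACL protects toward the other Spoke's LAN has a matching reverse rule there (a one-sided rule leaves that flow unable to negotiate an SA, which is the failure a missing mirror rule produces in step 5). The configuration text is constructed from steps 5 and 6; the Hub is left out because its policy template carries no ACL.

```python
import re

# Constructed excerpts of the Spoke1 and Spoke2 configuration files from this
# example (only the blocks this check needs; the Hub has no security ACL).
SPOKE1 = """\
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
 rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 prf aes-xcbc-128
"""
SPOKE2 = """\
acl number 3101
 rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
 rule 10 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 prf aes-xcbc-128
"""
RULE = re.compile(r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)")


def parse_blocks(text):
    """Split VRP-style config text into {block header: [child lines]} on '#' lines."""
    blocks, header = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", ""):
            header = None
        elif header is None:
            header = line
            blocks[header] = []
        else:
            blocks[header].append(line)
    return blocks


def acl_flows(blocks):
    """(source, destination) pairs, each as 'network wildcard', from every advanced ACL."""
    return {(m.group(1), m.group(2))
            for hdr, lines in blocks.items() if hdr.startswith("acl number")
            for line in lines for m in [RULE.match(line)] if m}


def mirror_gaps(blocks_a, blocks_b):
    """Flows A protects toward a LAN that B protects, for which B has no reverse rule."""
    flows_a, flows_b = acl_flows(blocks_a), acl_flows(blocks_b)
    lans_b = {src for src, _ in flows_b}
    return {(s, d) for s, d in flows_a if d in lans_b and (d, s) not in flows_b}


def proposal_mismatches(blocks_a, blocks_b):
    """Names of IKE/IPSec proposals present on both sides whose parameters differ."""
    return sorted(h for h in blocks_a if h.startswith(("ike proposal", "ipsec proposal"))
                  and h in blocks_b and set(blocks_a[h]) != set(blocks_b[h]))
```

Run the two checks in both directions (`mirror_gaps(a, b)` and `mirror_gaps(b, a)`) before applying the policy; an empty set and an empty list mean the Spokes agree.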

Configuration Files

  • Hub configuration file

    #
     sysname Hub
    # 
    ipsec proposal pro1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    # 
    ike proposal 1
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     prf aes-xcbc-128
    # 
    ike peer hub
     undo version 2
     pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
     ike-proposal 1
     dpd type periodic
     dpd idle-time 40   
    # 
    ipsec policy-template use1 10
     ike-peer hub
     proposal pro1
    #
    ipsec policy policy1 10 isakmp template use1
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.1.10 255.255.255.0
    # 
    interface GigabitEthernet1/0/1
     ip address 10.1.1.1 255.255.255.0
    # 
    interface Tunnel0/0/0
     ip address 10.2.1.1 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet1/0/0
     ospf network-type p2mp
     ipsec policy policy1
     nhrp entry multicast dynamic
    # 
    ospf 1 router-id 10.2.1.1
     area 0.0.0.0
      network 10.1.1.0 0.0.0.255
      network 10.2.1.0 0.0.0.255
    # 
    ospf 2
     area 0.0.0.1
      network 1.1.1.0 0.0.0.255
    # 
    return
    
  • Spoke1 configuration file

    #
     sysname Spoke1
    # 
    acl number 3101
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
     rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
    #
    ipsec proposal pro1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    # 
    ike proposal 1
     encryption-algorithm aes-256 
     dh group14     
     authentication-algorithm sha2-256
     prf aes-xcbc-128  
    # 
    ike peer spoke1
     undo version 2
     pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
     ike-proposal 1
     dpd type periodic
     dpd idle-time 40   
     remote-address 10.2.1.1
    # 
    ipsec policy policy1 10 isakmp
     security acl 3101
     ike-peer spoke1
     proposal pro1
    # 
    interface GigabitEthernet1/0/0
     ip address dhcp-alloc
    # 
    interface GigabitEthernet1/0/1
     ip address 10.1.2.1 255.255.255.0
    # 
    interface Tunnel0/0/0
     ip address 10.2.1.2 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet1/0/0
     ospf network-type p2mp
     ipsec policy policy1
     nhrp entry 10.2.1.1 1.1.1.10 register
    # 
    ospf 1 router-id 10.2.1.2
     area 0.0.0.0
      network 10.1.2.0 0.0.0.255
      network 10.2.1.0 0.0.0.255
    # 
    ospf 2
     area 0.0.0.1
      network 1.1.2.0 0.0.0.255
    # 
    return
    
  • Spoke2 configuration file

    #
     sysname Spoke2
    # 
    acl number 3101
     rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
     rule 10 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    #
    ipsec proposal pro1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    # 
    ike proposal 1
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     prf aes-xcbc-128
    # 
    ike peer spoke2
     undo version 2
     pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
     ike-proposal 1
     dpd type periodic
     dpd idle-time 40   
     remote-address 10.2.1.1
    # 
    ipsec policy policy1 10 isakmp
     security acl 3101
     ike-peer spoke2
     proposal pro1
    # 
    interface GigabitEthernet1/0/0
     ip address dhcp-alloc
    # 
    interface GigabitEthernet1/0/1
     ip address 10.1.3.1 255.255.255.0
    # 
    interface Tunnel0/0/0
     ip address 10.2.1.3 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet1/0/0
     ospf network-type p2mp
     ipsec policy policy1
     nhrp entry 10.2.1.1 1.1.1.10 register
    # 
    ospf 1 router-id 10.2.1.3
     area 0.0.0.0
      network 10.1.3.0 0.0.0.255
      network 10.2.1.0 0.0.0.255
    # 
    ospf 2
     area 0.0.0.1
      network 1.1.3.0 0.0.0.255
    # 
    return
    
Updated: 2019-04-12

Document ID: EDOC1100041799