CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Establishing an IPSec Tunnel in IKE Negotiation Mode by Specifying DNs

Networking Requirements

As shown in Figure 4-45, RouterA (branch gateway) and RouterB (headquarters gateway) communicate through the Internet. The headquarters gateway and branch gateway apply for digital certificates from the CA server. The branch subnet is 10.1.1.0/24 and the headquarters subnet is 10.1.2.0/24.

The enterprise wants to use distinguished names (DNs) to identify the peers and create SAs to protect data flows between the branch subnet and the headquarters subnet.

Figure 4-45  Establishing an IPSec tunnel in IKE negotiation mode by specifying DNs

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses and static routes for interfaces on RouterA and RouterB so that routes between RouterA and RouterB are reachable.

  2. Apply for digital certificates from the CA server. The digital certificates are used for RSA signature authentication.

  3. Configure ACLs to define data flows to be protected.

  4. Configure IPSec proposals to define the method used to protect IPSec traffic.

  5. Configure IKE peers to define IKE negotiation attributes.

  6. Configure IPSec policies and reference ACLs, IPSec proposals, and IKE peers in the IPSec policies to define protection methods for data flows between RouterA and RouterB.

  7. Apply IPSec policy groups to interfaces.

Procedure

  1. Configure IP addresses and static routes for interfaces on RouterA and RouterB.

    # Assign an IP address to an interface on RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip address 60.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the peer on RouterA. This example assumes that the next hop address in the route to RouterB is 60.1.1.2.

    [RouterA] ip route-static 60.1.2.0 255.255.255.0 60.1.1.2
    [RouterA] ip route-static 10.1.2.0 255.255.255.0 60.1.1.2

    # Assign an IP address to an interface on RouterB.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 1/0/0 
    [RouterB-GigabitEthernet1/0/0] ip address 60.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet1/0/0] quit
    [RouterB] interface gigabitethernet 2/0/0
    [RouterB-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the peer on RouterB. This example assumes that the next hop address in the route to RouterA is 60.1.2.2.

    [RouterB] ip route-static 60.1.1.0 255.255.255.0 60.1.2.2
    [RouterB] ip route-static 10.1.1.0 255.255.255.0 60.1.2.2

  2. Configure ACLs on RouterA and RouterB to define data flows to be protected.

    # Configure an ACL on RouterA to define data flows sent from 10.1.1.0/24 to 10.1.2.0/24.

    [RouterA] acl number 3001
    [RouterA-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [RouterA-acl-adv-3001] quit

    # Configure an ACL on RouterB to define data flows sent from 10.1.2.0/24 to 10.1.1.0/24.

    [RouterB] acl number 3001
    [RouterB-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [RouterB-acl-adv-3001] quit

  3. Configure PKI entities and PKI domains on RouterA and RouterB, which are used to apply for digital certificates from the CA server.

    # Create an RSA key pair on RouterA.

    [RouterA] pki rsa local-key-pair create rsa_scep exportable
     Info: The name of the new key-pair will be: rsa_scep
     The size of the public key ranges from 512 to 4096.                                   
     Input the bits in the modules:2048                              
     Generating key-pairs...                                                             
    ......+++                                                              
    .......+++

    # Configure a PKI entity on RouterA.

    [RouterA] pki entity rta
    [RouterA-pki-entity-rta] country CN
    [RouterA-pki-entity-rta] state jiangsu
    [RouterA-pki-entity-rta] locality nanjing
    [RouterA-pki-entity-rta] organization huawei
    [RouterA-pki-entity-rta] organization-unit VPN
    [RouterA-pki-entity-rta] common-name ipsec
    [RouterA-pki-entity-rta] quit

    # Configure a PKI domain on RouterA.

    [RouterA] pki realm rta
    [RouterA-pki-realm-rta] ca id ca_root
    [RouterA-pki-realm-rta] enrollment-url http://70.1.1.7:8080/certsrv/mscep/mscep.dll times 4 ra
    [RouterA-pki-realm-rta] entity rta
    [RouterA-pki-realm-rta] rsa local-key-pair rsa_scep
    [RouterA-pki-realm-rta] fingerprint sha256 e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0
    [RouterA-pki-realm-rta] password cipher 6AE73F21E6D3571D
    

    # Create an RSA key pair on RouterB.

    [RouterB] pki rsa local-key-pair create rsa_scep exportable
     Info: The name of the new key-pair will be: rsa_scep
     The size of the public key ranges from 512 to 4096.                                   
     Input the bits in the modules:2048                              
     Generating key-pairs...                                                             
    ......+++                                                              
    .......+++

    # Configure a PKI entity on RouterB.

    [RouterB] pki entity rtb
    [RouterB-pki-entity-rtb] country CN
    [RouterB-pki-entity-rtb] state jiangsu
    [RouterB-pki-entity-rtb] locality nanjing
    [RouterB-pki-entity-rtb] organization huawei
    [RouterB-pki-entity-rtb] organization-unit VPN
    [RouterB-pki-entity-rtb] common-name ipsec
    [RouterB-pki-entity-rtb] quit

    # Configure a PKI domain on RouterB.

    [RouterB] pki realm rtb
    [RouterB-pki-realm-rtb] ca id ca_root
    [RouterB-pki-realm-rtb] enrollment-url http://70.1.1.7:8080/certsrv/mscep/mscep.dll times 4 ra
    [RouterB-pki-realm-rtb] entity rtb
    [RouterB-pki-realm-rtb] rsa local-key-pair rsa_scep
    [RouterB-pki-realm-rtb] fingerprint sha256 e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0
    [RouterB-pki-realm-rtb] password cipher 6AE73F21E6D3571D

  4. Request digital certificates on RouterA and RouterB.

    # Request a local certificate on RouterA.

    [RouterA-pki-realm-rta] auto-enroll 60 regenerate 2048
    [RouterA-pki-realm-rta] quit
    

    The device obtains and installs the CA certificate before it requests and installs its local certificate. The CA and local certificates are saved as rta_ca.cer and rta_local.cer.

    # Request a local certificate on RouterB.

    [RouterB-pki-realm-rtb] auto-enroll 60 regenerate 2048
    [RouterB-pki-realm-rtb] quit
    

    The device obtains and installs the CA certificate before it requests and installs its local certificate. The CA and local certificates are saved as rtb_ca.cer and rtb_local.cer.

  5. Create IPSec proposals on RouterA and RouterB.

    # Create an IPSec proposal on RouterA.

    [RouterA] ipsec proposal prop
    [RouterA-ipsec-proposal-prop] esp authentication-algorithm sha2-256
    [RouterA-ipsec-proposal-prop] esp encryption-algorithm aes-128
    [RouterA-ipsec-proposal-prop] quit

    # Create an IPSec proposal on RouterB.

    [RouterB] ipsec proposal prop
    [RouterB-ipsec-proposal-prop] esp authentication-algorithm sha2-256
    [RouterB-ipsec-proposal-prop] esp encryption-algorithm aes-128
    [RouterB-ipsec-proposal-prop] quit

  6. Configure IKE peers on RouterA and RouterB.

    # Configure an IKE proposal that defines RSA signature authentication on RouterA.

    [RouterA] ike proposal 5
    [RouterA-ike-proposal-5] authentication-method rsa-signature
    [RouterA-ike-proposal-5] encryption-algorithm aes-128
    [RouterA-ike-proposal-5] authentication-algorithm sha2-256
    [RouterA-ike-proposal-5] dh group14
    [RouterA-ike-proposal-5] quit

    # Configure an IKE peer on RouterA.

    [RouterA] ike peer rta
    [RouterA-ike-peer-rta] undo version 2
    [RouterA-ike-peer-rta] ike-proposal 5
    [RouterA-ike-peer-rta] local-id-type dn
    [RouterA-ike-peer-rta] pki realm rta
    [RouterA-ike-peer-rta] remote-address 60.1.2.1
    [RouterA-ike-peer-rta] quit

    # Configure an IKE proposal that defines RSA signature authentication on RouterB.

    [RouterB] ike proposal 5
    [RouterB-ike-proposal-5] authentication-method rsa-signature
    [RouterB-ike-proposal-5] encryption-algorithm aes-128
    [RouterB-ike-proposal-5] authentication-algorithm sha2-256
    [RouterB-ike-proposal-5] dh group14
    [RouterB-ike-proposal-5] quit

    # Configure an IKE peer on RouterB.

    [RouterB] ike peer rtb
    [RouterB-ike-peer-rtb] undo version 2
    [RouterB-ike-peer-rtb] ike-proposal 5
    [RouterB-ike-peer-rtb] local-id-type dn
    [RouterB-ike-peer-rtb] pki realm rtb
    [RouterB-ike-peer-rtb] remote-address 60.1.1.1
    [RouterB-ike-peer-rtb] quit

  7. Create IPSec policies on RouterA and RouterB.

    # Create an IPSec policy in IKE negotiation mode on RouterA.

    [RouterA] ipsec policy policy1 10 isakmp
    [RouterA-ipsec-policy-isakmp-policy1-10] ike-peer rta
    [RouterA-ipsec-policy-isakmp-policy1-10] proposal prop
    [RouterA-ipsec-policy-isakmp-policy1-10] security acl 3001
    [RouterA-ipsec-policy-isakmp-policy1-10] quit

    # Create an IPSec policy in IKE negotiation mode on RouterB.

    [RouterB] ipsec policy policy1 10 isakmp
    [RouterB-ipsec-policy-isakmp-policy1-10] ike-peer rtb
    [RouterB-ipsec-policy-isakmp-policy1-10] proposal prop
    [RouterB-ipsec-policy-isakmp-policy1-10] security acl 3001
    [RouterB-ipsec-policy-isakmp-policy1-10] quit

  8. Apply IPSec policy groups to interfaces on RouterA and RouterB.

    # Apply the IPSec policy group to the interface of RouterA.

    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ipsec policy policy1
    [RouterA-GigabitEthernet1/0/0] quit

    # Apply the IPSec policy group to the interface of RouterB.

    [RouterB] interface gigabitethernet 1/0/0
    [RouterB-GigabitEthernet1/0/0] ipsec policy policy1
    [RouterB-GigabitEthernet1/0/0] quit

  9. Verify the configuration.

    # After the configurations are complete, PC A can ping PC B successfully. Data exchanged between PC A and PC B is encrypted. You can run the display ipsec statistics command to view packet statistics.

    # Run the display ike sa command on RouterA and RouterB to view the IKE SA configuration. The display on RouterA is used as an example.

    [RouterA] display ike sa
    IKE SA information :
      Conn-ID  Peer            VPN   Flag(s)   Phase   RemoteType  RemoteID
      ---------------------------------------------------------------------------
          4    60.1.2.1:500          RD|ST     v1:2    DN          C=CN, ST=jiangsu, L=nanjing, O=huawei, OU=VPN, CN=ipsec
          3    60.1.2.1:500          RD|ST     v1:1    DN          C=CN, ST=jiangsu, L=nanjing, O=huawei, OU=VPN, CN=ipsec
                                       
      Number of IKE SA : 2 
      ---------------------------------------------------------------------------
                                                               
      Flag Description:           
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   
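
    The verification step above only says to look at the display ike sa output. The following Python script, added here as an example and not part of Huawei's documentation or software, turns that into an automated check: it derives the DN that a peer configured with the page's pki entity block will present, parses the display ike sa table as printed on this page (the VPN column is assumed to be blank or a single token), and reports any SA toward the headquarters address that is not READY, is not identified by DN, or carries a DN other than the expected one. The entity block and the SA table are copied from this page as constructed sample input.

```python
import re

# Constructed sample: the `pki entity rtb` block from RouterB's configuration file on this
# page. This is the identity the headquarters gateway presents to RouterA during IKE.
PEER_ENTITY = """\
pki entity rtb
 country CN
 state jiangsu
 locality nanjing
 organization huawei
 organization-unit VPN
 common-name ipsec
"""
# Constructed sample: the `display ike sa` table this page shows on RouterA.
IKE_SA_OUTPUT = """\
  Conn-ID  Peer            VPN   Flag(s)   Phase   RemoteType  RemoteID
  ---------------------------------------------------------------------------
      4    60.1.2.1:500          RD|ST     v1:2    DN          C=CN, ST=jiangsu, L=nanjing, O=huawei, OU=VPN, CN=ipsec
      3    60.1.2.1:500          RD|ST     v1:1    DN          C=CN, ST=jiangsu, L=nanjing, O=huawei, OU=VPN, CN=ipsec
"""
# VRP `pki entity` keyword -> X.500 attribute type, in the order the device prints RemoteID.
ATTR_MAP = [("country", "C"), ("state", "ST"), ("locality", "L"),
            ("organization", "O"), ("organization-unit", "OU"), ("common-name", "CN")]
# One SA row: Conn-ID, Peer, optional VPN instance, flags, phase, remote ID type, remote ID.
SA_ROW = re.compile(r"^\s*(\d+)\s+(\S+:\d+)\s+(?:\S+\s+)?([A-Z|]+)\s+(v\d:\d)\s+(\S+)\s+(.+?)\s*$")

def expected_dn(entity_block):
    """Build the DN string a peer configured with this `pki entity` block presents."""
    values = dict(re.findall(r"^\s+(\S+)\s+(.+?)\s*$", entity_block, re.M))
    return ", ".join(f"{x500}={values[kw]}" for kw, x500 in ATTR_MAP if kw in values)

def parse_ike_sa(output):
    """Return one dict per SA row; header and separator lines are skipped."""
    keys = ("conn", "peer", "flags", "phase", "rtype", "rid")
    return [dict(zip(keys, m.groups())) for m in map(SA_ROW.match, output.splitlines()) if m]

def check_peer_identity(output, peer_addr, dn):
    """List deviations for one peer: both IKEv1 phases present, all SAs READY, DN as expected."""
    problems, phases = [], set()
    for sa in parse_ike_sa(output):
        if not sa["peer"].startswith(peer_addr + ":"):
            continue
        phases.add(sa["phase"])
        if "RD" not in sa["flags"].split("|"):
            problems.append(f"SA {sa['conn']} is not READY (flags {sa['flags']})")
        if (sa["rtype"], sa["rid"]) != ("DN", dn):
            problems.append(f"SA {sa['conn']} identity {sa['rtype']} {sa['rid']!r} != {dn!r}")
    problems += [f"no {ph} SA with {peer_addr}" for ph in ("v1:1", "v1:2") if ph not in phases]
    return problems
```

    Note that on this page both PKI entities carry identical attributes, so the DN computed from RouterB's entity is also RouterA's own DN; giving each gateway a distinct common-name makes the RemoteID comparison meaningful.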
    

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #
    pki entity rta
     country CN
     state jiangsu
     locality nanjing
     organization huawei
     organization-unit VPN
     common-name ipsec
    #
    pki realm rta
     ca id ca_root
     enrollment-url http://70.1.1.7:8080/certsrv/mscep/mscep.dll times 4 ra
     entity rta
     fingerprint sha256 e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0
     rsa local-key-pair rsa_scep                                                    
     password cipher %$%$\1HN-bn(k;^|O85OAtYF3(M4%$%$                               
     auto-enroll 60 regenerate 
    #
    acl number 3001
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    #
    ipsec proposal prop
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method rsa-signature
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rta
     undo version 2
     ike-proposal 5
     local-id-type dn
     remote-address 60.1.2.1
     pki realm rta
    #
    ipsec policy policy1 10 isakmp
     security acl 3001
     ike-peer rta
     proposal prop
    #
    interface GigabitEthernet1/0/0
     ip address 60.1.1.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    ip route-static 60.1.2.0 255.255.255.0 60.1.1.2
    ip route-static 10.1.2.0 255.255.255.0 60.1.1.2
    #
    return                                                                               
  • Configuration file of RouterB

    #
     sysname RouterB
    #
    pki entity rtb
     country CN
     state jiangsu
     locality nanjing
     organization huawei
     organization-unit VPN
     common-name ipsec
    #
    pki realm rtb
     ca id ca_root
     enrollment-url http://70.1.1.7:8080/certsrv/mscep/mscep.dll times 4 ra
     entity rtb
     fingerprint sha256 e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0
     rsa local-key-pair rsa_scep                                                    
     password cipher %$%$\1HN-bn(k;^|O85OAtYF3(M4%$%$                               
     auto-enroll 60 regenerate 
    #
    acl number 3001
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    ipsec proposal prop
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method rsa-signature
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rtb
     undo version 2
     ike-proposal 5
     local-id-type dn
     remote-address 60.1.1.1
     pki realm rtb
    #
    ipsec policy policy1 10 isakmp
     security acl 3001
     ike-peer rtb
     proposal prop
    #
    interface GigabitEthernet1/0/0
     ip address 60.1.2.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    ip route-static 60.1.1.0 255.255.255.0 60.1.2.2
    ip route-static 10.1.1.0 255.255.255.0 60.1.2.2
    #
    return                                                                               
Updated: 2019-04-12

Document ID: EDOC1100041799

Views: 34754

Downloads: 48

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next