CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Example for Configuring Redundancy Control of IPSec Tunnels

Networking Requirements

As shown in Figure 4-55, the branch communicates with the headquarters over the public network. To improve reliability, the headquarters uses two gateways RouterA and RouterB to connect to the branch gateway RouterC. RouterC sets up IPSec Tunnel1 with RouterA through GE0/0/1 and IPSec Tunnel2 with RouterB through GE0/0/2.

The enterprise wants to protect traffic exchanged between the headquarters and branch and requires that traffic be switched to the other IPSec tunnel when one IPSec tunnel fails and back to the faulty IPSec tunnel when the faulty IPSec tunnel recovers.

Figure 4-55  Networking diagram for configuring redundancy control of IPSec tunnels

Configuration Roadmap

Since the branch and headquarters communicate over the public network, you can set up an IPSec tunnel between them to provide security protection. The configuration roadmap is as follows:

  1. Configure the IP address on each interface and static routes to the peer to implement communication between interfaces.

  2. Configure an NQA group and an NQA test instance to monitor the link between the branch gateway and headquarters gateway A.

  3. Configure ACLs to define the data flows to be protected by the IPSec tunnel.

  4. Configure IPSec proposals to define the traffic protection methods.

  5. Configure IKE peers.

  6. Configure IPSec security policies to define the data protection methods. Configure the device to control IPSec tunnel setup and teardown according to the NQA group status and enable the device to switch traffic to the other IPSec tunnel when one IPSec tunnel becomes faulty.

  7. Apply the IPSec policies to interfaces so that the interfaces can protect traffic.

NOTE:

VRRP backup is configured on the two gateways in the headquarters. For detailed configuration, see VRRP Configuration.

Procedure

  1. Configure an IP address for each interface and static routes to the peer on RouterA, RouterB, and RouterC to ensure that there are reachable routes among them.

    # Configure an IP address for each interface and static routes to the peer on RouterA. This example assumes that the next hop address in the route to the branch gateway is 60.1.1.2.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ip address 60.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet0/0/1] quit
    [RouterA] interface gigabitethernet 0/0/2
    [RouterA-GigabitEthernet0/0/2] ip address 192.168.1.1 255.255.255.0
    [RouterA-GigabitEthernet0/0/2] quit
    [RouterA] ip route-static 70.1.1.0 255.255.255.0 60.1.1.2
    [RouterA] ip route-static 70.1.2.0 255.255.255.0 60.1.1.2
    [RouterA] ip route-static 192.168.2.0 255.255.255.0 60.1.1.2

    # Configure an IP address for each interface and static routes to the peer on RouterB. This example assumes that the next hop address in the route to the branch gateway is 60.1.2.2.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 0/0/1 
    [RouterB-GigabitEthernet0/0/1] ip address 60.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet0/0/1] quit
    [RouterB] interface gigabitethernet 0/0/2
    [RouterB-GigabitEthernet0/0/2] ip address 192.168.1.3 255.255.255.0
    [RouterB-GigabitEthernet0/0/2] quit
    [RouterB] ip route-static 70.1.1.0 255.255.255.0 60.1.2.2
    [RouterB] ip route-static 70.1.2.0 255.255.255.0 60.1.2.2
    [RouterB] ip route-static 192.168.2.0 255.255.255.0 60.1.2.2

    # Configure an IP address for each interface and static routes to the peer on RouterC. This example assumes that the next hop addresses in the routes to headquarters gateways A and B are 70.1.1.2 and 70.1.2.2, respectively.

    <Huawei> system-view
    [Huawei] sysname RouterC
    [RouterC] interface gigabitethernet 0/0/1 
    [RouterC-GigabitEthernet0/0/1] ip address 70.1.1.1 255.255.255.0
    [RouterC-GigabitEthernet0/0/1] quit
    [RouterC] interface gigabitethernet 0/0/2
    [RouterC-GigabitEthernet0/0/2] ip address 70.1.2.1 255.255.255.0
    [RouterC-GigabitEthernet0/0/2] quit
    [RouterC] interface gigabitethernet 0/0/0
    [RouterC-GigabitEthernet0/0/0] ip address 192.168.2.2 255.255.255.0
    [RouterC-GigabitEthernet0/0/0] quit
    [RouterC] ip route-static 60.1.1.0 255.255.255.0 70.1.1.2
    [RouterC] ip route-static 60.1.2.0 255.255.255.0 70.1.2.2
    [RouterC] ip route-static 192.168.1.0 255.255.255.0 70.1.1.2
    [RouterC] ip route-static 192.168.1.0 255.255.255.0 70.1.2.2

  2. Configure an NQA test instance on RouterC.

    # Configure an NQA test instance of ICMP type (administrator name admin and instance name test) on RouterC to detect faults on the link 70.1.1.1/24 -> 60.1.1.1/24.

    [RouterC] nqa test-instance admin test
    [RouterC-nqa-admin-test] test-type icmp
    [RouterC-nqa-admin-test] destination-address ipv4 60.1.1.1
    [RouterC-nqa-admin-test] frequency 10
    [RouterC-nqa-admin-test] probe-count 2
    [RouterC-nqa-admin-test] start now
    [RouterC-nqa-admin-test] quit

  3. Configure an ACL on RouterC to define the data flows to be protected.

    NOTE:

    An IPSec policy is created on RouterA and RouterB using the IPSec policy template; therefore, this step is optional. If you configure an ACL on RouterA and RouterB, you must specify the destination address in the ACL rule.

    # Configure an ACL on RouterC to define the data flows from subnet 192.168.2.0/24 to subnet 192.168.1.0/24.

    [RouterC] acl number 3002
    [RouterC-acl-adv-3002] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    [RouterC-acl-adv-3002] quit

  4. Create an IPSec proposal on RouterA, RouterB, and RouterC respectively.

    # Create an IPSec proposal on RouterA. The configurations of RouterB and RouterC are similar to that of RouterA, and are not provided here.

    [RouterA] ipsec proposal tran1
    [RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterA-ipsec-proposal-tran1] quit

  5. Configure an IKE proposal and an IKE peer on RouterA, RouterB, and RouterC respectively.

    NOTE:

    RouterA and RouterB function as responders to respond to an IKE negotiation request; therefore, IPSec policies are created on them through IPSec policy templates. You do not need to set remote-address.

    # Configure an IKE proposal and an IKE peer on RouterA.

    [RouterA] ike proposal 5
    [RouterA-ike-proposal-5] encryption-algorithm aes-128
    [RouterA-ike-proposal-5] authentication-algorithm sha2-256
    [RouterA-ike-proposal-5] dh group14
    [RouterA-ike-proposal-5] quit
    [RouterA] ike peer rut1
    [RouterA-ike-peer-rut1] undo version 2
    [RouterA-ike-peer-rut1] ike-proposal 5
    [RouterA-ike-peer-rut1] pre-shared-key cipher Huawei@123
    [RouterA-ike-peer-rut1] quit

    # Configure an IKE proposal and an IKE peer on RouterB.

    [RouterB] ike proposal 5
    [RouterB-ike-proposal-5] encryption-algorithm aes-128
    [RouterB-ike-proposal-5] authentication-algorithm sha2-256
    [RouterB-ike-proposal-5] dh group14
    [RouterB-ike-proposal-5] quit
    [RouterB] ike peer rut1
    [RouterB-ike-peer-rut1] undo version 2
    [RouterB-ike-peer-rut1] ike-proposal 5
    [RouterB-ike-peer-rut1] pre-shared-key cipher Huawei@123
    [RouterB-ike-peer-rut1] quit

    # Configure an IKE proposal and IKE peers rut1 and rut2 on RouterC.

    [RouterC] ike proposal 5
    [RouterC-ike-proposal-5] encryption-algorithm aes-128
    [RouterC-ike-proposal-5] authentication-algorithm sha2-256
    [RouterC-ike-proposal-5] dh group14
    [RouterC-ike-proposal-5] quit
    [RouterC] ike peer rut1
    [RouterC-ike-peer-rut1] undo version 2
    [RouterC-ike-peer-rut1] ike-proposal 5
    [RouterC-ike-peer-rut1] pre-shared-key cipher Huawei@123
    [RouterC-ike-peer-rut1] remote-address 60.1.1.1
    [RouterC-ike-peer-rut1] quit
    [RouterC] ike peer rut2
    [RouterC-ike-peer-rut2] undo version 2
    [RouterC-ike-peer-rut2] ike-proposal 5
    [RouterC-ike-peer-rut2] pre-shared-key cipher Huawei@123
    [RouterC-ike-peer-rut2] remote-address 60.1.2.1
    [RouterC-ike-peer-rut2] quit

  6. Create an IPSec policy on RouterA, RouterB, and RouterC respectively.

    # Create an IPSec policy through an IPSec policy template on RouterA.

    [RouterA] ipsec policy-template temp1 10
    [RouterA-ipsec-policy-templet-temp1-10] ike-peer rut1
    [RouterA-ipsec-policy-templet-temp1-10] proposal tran1
    [RouterA-ipsec-policy-templet-temp1-10] quit
    [RouterA] ipsec policy policy1 10 isakmp template temp1

    # Create an IPSec policy through an IPSec policy template on RouterB.

    [RouterB] ipsec policy-template temp1 10
    [RouterB-ipsec-policy-templet-temp1-10] ike-peer rut1
    [RouterB-ipsec-policy-templet-temp1-10] proposal tran1
    [RouterB-ipsec-policy-templet-temp1-10] quit
    [RouterB] ipsec policy policy1 10 isakmp template temp1

    # Create IPSec policies policy1 and policy2 in ISAKMP mode on RouterC.

    [RouterC] ipsec policy policy1 10 isakmp
    [RouterC-ipsec-policy-isakmp-policy1-10] ike-peer rut1
    [RouterC-ipsec-policy-isakmp-policy1-10] proposal tran1
    [RouterC-ipsec-policy-isakmp-policy1-10] security acl 3002
    [RouterC-ipsec-policy-isakmp-policy1-10] connect track nqa admin test up
    [RouterC-ipsec-policy-isakmp-policy1-10] disconnect track nqa admin test down
    [RouterC-ipsec-policy-isakmp-policy1-10] quit
    [RouterC] ipsec policy policy2 20 isakmp
    [RouterC-ipsec-policy-isakmp-policy2-20] ike-peer rut2
    [RouterC-ipsec-policy-isakmp-policy2-20] proposal tran1
    [RouterC-ipsec-policy-isakmp-policy2-20] security acl 3002
    [RouterC-ipsec-policy-isakmp-policy2-20] connect track nqa admin test down
    [RouterC-ipsec-policy-isakmp-policy2-20] disconnect track nqa admin test up
    [RouterC-ipsec-policy-isakmp-policy2-20] quit

  7. Apply the IPSec policies to the corresponding interfaces on RouterA, RouterB, and RouterC so that the interfaces can protect traffic.

    # Apply the IPSec policy to the interface of RouterA.

    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterA-GigabitEthernet0/0/1] quit

    # Apply the IPSec policy to the interface of RouterB.

    [RouterB] interface gigabitethernet 0/0/1
    [RouterB-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterB-GigabitEthernet0/0/1] quit

    # Apply the IPSec policies to the interfaces of RouterC.

    [RouterC] interface gigabitethernet 0/0/1
    [RouterC-GigabitEthernet0/0/1] ipsec policy policy1
    [RouterC-GigabitEthernet0/0/1] quit
    [RouterC] interface gigabitethernet 0/0/2
    [RouterC-GigabitEthernet0/0/2] ipsec policy policy2
    [RouterC-GigabitEthernet0/0/2] quit

  8. Verify the configuration.

    After completing the configuration:

    1. PC_1 can ping PC_2 successfully and data transmitted between them is encrypted.

      # Run the display ipsec sa command on RouterC to check the IPSec configuration.

      [RouterC] display ipsec sa
                                                                                      
      ===============================                                                 
      Interface: GigabitEthernet0/0/1                                                 
       Path MTU: 1500                                                                 
      ===============================                                                 
                                                                                      
        -----------------------------                                                 
        IPSec policy name: "policy1"                                                  
        Sequence number  : 10                                                         
        Acl group        : 3002                                                       
        Acl rule         : 5                                                          
        Mode             : ISAKMP                                                     
        -----------------------------                                                 
          Connection ID     : 21812                                                   
          Encapsulation mode: Tunnel                                                  
          Tunnel local      : 70.1.1.1                                                
          Tunnel remote     : 60.1.1.1                                                
          Flow source       : 192.168.2.0/255.255.255.0 0/0                           
          Flow destination  : 192.168.1.0/255.255.255.0 0/0                           
          Qos pre-classify  : Disable                                                 
          Qos group         : -                                                       
                                                                                      
          [Outbound ESP SAs]                                                          
            SPI: 870098030 (0x33dca46e)                                               
            Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128                                
            SA remaining key duration (bytes/sec): 1887436800/3395                    
            Max sent sequence-number: 0                                               
            UDP encapsulation used for NAT traversal: N                               
                                                                                      
          [Inbound ESP SAs]                                                           
            SPI: 2558349639 (0x987d5147)                                              
            Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128                                
            SA remaining key duration (bytes/sec): 1887436800/3395                    
            Max received sequence-number: 0                                           
            Anti-replay window size: 32                                               
            UDP encapsulation used for NAT traversal: N

      The command output shows that traffic from PC_1 to PC_2 is transmitted over IPSec Tunnel1 (source IP address: 70.1.1.1, destination IP address: 60.1.1.1).

    2. Disable GE0/0/1 of RouterC. Traffic is switched to IPSec Tunnel2 (source IP address: 70.1.2.1/24, destination IP address: 60.1.2.1/24).

      # Run the shutdown command on GE0/0/1 of RouterC, and then run the display nqa results test-instance admin test command. The command output is as follows:

      [RouterC] display nqa results test-instance admin test
                                                                                       
       NQA entry(admin, test) :testflag is active ,testtype is icmp                   
        1 . Test 46392 result   The test is finished                                  
         Send operation times: 2              Receive response times: 0               
         Completion:failed                    RTD OverThresholds number: 0            
         Attempts number:1                    Drop operation number:2                 
         Disconnect operation number:0        Operation timeout number:0              
         System busy operation number:0       Connection fail number:0                
         Operation sequence errors number:0   RTT Status errors number:0              
         Destination ip address:60.1.1.1                                              
         Min/Max/Average Completion Time: 0/0/0                                       
         Sum/Square-Sum  Completion Time: 0/0                                         
         Last Good Probe Time: 0000-00-00 00:00:00.0                                  
         Lost packet ratio: 100 %
         ......

      The command output shows that the NQA test result is failed, indicating that the status of the NQA test instance is Down.

      # Run the display ipsec sa command on RouterC to check the IPSec configuration.

      [RouterC] display ipsec sa
                                                                                      
      ===============================                                                 
      Interface: GigabitEthernet0/0/2                                                 
       Path MTU: 1500                                                                 
      ===============================                                                 
                                                                                      
        -----------------------------                                                 
        IPSec policy name: "policy2"                                                  
        Sequence number  : 20                                                         
        Acl group        : 3002                                                       
        Acl rule         : 5                                                          
        Mode             : ISAKMP                                                     
        -----------------------------                                                 
          Connection ID     : 21839                                                   
          Encapsulation mode: Tunnel                                                  
          Tunnel local      : 70.1.2.1                                                
          Tunnel remote     : 60.1.2.1                                                
          Flow source       : 192.168.2.0/255.255.255.0 0/0                           
          Flow destination  : 192.168.1.0/255.255.255.0 0/0                           
          Qos pre-classify  : Disable                                                 
          Qos group         : -                                                       
                                                                                      
          [Outbound ESP SAs]                                                          
            SPI: 437762941 (0x1a17bb7d)                                               
            Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128                                
            SA remaining key duration (bytes/sec): 1887436800/3575                    
            Max sent sequence-number: 0                                               
            UDP encapsulation used for NAT traversal: N                               
                                                                                      
          [Inbound ESP SAs]                                                           
            SPI: 1765690761 (0x693e4d89)                                              
            Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128                                
            SA remaining key duration (bytes/sec): 1887436800/3575                    
            Max received sequence-number: 0                                           
            Anti-replay window size: 32                                               
            UDP encapsulation used for NAT traversal: N

      The command output shows that traffic is switched to IPSec Tunnel2 (source IP address: 70.1.2.1, destination IP address: 60.1.2.1).

    3. Enable GE0/0/1 of RouterC again. Traffic is switched back to IPSec Tunnel1 (source IP address: 70.1.1.1, destination IP address: 60.1.1.1).

      # Run the undo shutdown command on GE0/0/1 of RouterC, and then run the display nqa results test-instance admin test command. The command output is as follows:

      [RouterC] display nqa results test-instance admin test
                                                                                       
       NQA entry(admin, test) :testflag is active ,testtype is icmp                   
        1 . Test 46694 result   The test is finished                                  
         Send operation times: 2              Receive response times: 2               
         Completion:success                   RTD OverThresholds number: 0            
         Attempts number:1                    Drop operation number:0                 
         Disconnect operation number:0        Operation timeout number:0              
         System busy operation number:0       Connection fail number:0                
         Operation sequence errors number:0   RTT Status errors number:0              
         Destination ip address:60.1.1.1                                              
         Min/Max/Average Completion Time: 4/4/4                                       
         Sum/Square-Sum  Completion Time: 8/32                                        
         Last Good Probe Time: 2014-09-29 20:43:23.2                                  
         Lost packet ratio: 0 % 
         ......

      The command output shows that the NQA detection result is success, indicating that the status of the NQA test instance is Up.

      # Run the display ipsec sa command on RouterC to check the IPSec configuration.

      [RouterC] display ipsec sa
                                                                                      
      ===============================                                                 
      Interface: GigabitEthernet0/0/1                                                 
       Path MTU: 1500                                                                 
      ===============================                                                 
                                                                                      
        -----------------------------                                                 
        IPSec policy name: "policy1"                                                  
        Sequence number  : 10                                                         
        Acl group        : 3002                                                       
        Acl rule         : 5                                                          
        Mode             : ISAKMP                                                     
        -----------------------------                                                 
          Connection ID     : 21992                                                   
          Encapsulation mode: Tunnel                                                  
          Tunnel local      : 70.1.1.1                                                
          Tunnel remote     : 60.1.1.1                                                
          Flow source       : 192.168.2.0/255.255.255.0 0/0                           
          Flow destination  : 192.168.1.0/255.255.255.0 0/0                           
          Qos pre-classify  : Disable                                                 
          Qos group         : -                                                       
                                                                                      
          [Outbound ESP SAs]                                                          
            SPI: 2749069243 (0xa3db77bb)                                              
            Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128                                
            SA remaining key duration (bytes/sec): 1887436800/3583                    
            Max sent sequence-number: 0                                               
            UDP encapsulation used for NAT traversal: N                               
                                                                                      
          [Inbound ESP SAs]                                                           
            SPI: 21830677 (0x14d1c15)                                                 
            Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128                                
            SA remaining key duration (bytes/sec): 1887436800/3583                    
            Max received sequence-number: 0                                           
            Anti-replay window size: 32                                               
            UDP encapsulation used for NAT traversal: N

      The command output shows that traffic is switched back to IPSec Tunnel1 (source IP address: 70.1.1.1, destination IP address: 60.1.1.1). The configuration succeeds.
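
The verification in step 8 can be automated over captured command output. The following is an added example, not part of the Huawei guide: it parses the display nqa results and display ipsec sa text and reports any SA that does not match the tunnel expected for the current NQA state. The function names are hypothetical, and the sample outputs are trimmed from the outputs shown above.

```python
import re

# Expected state from this page's example: NQA result -> (policy, local, remote).
EXPECTED = {
    "success": ("policy1", "70.1.1.1", "60.1.1.1"),  # NQA Up   -> IPSec Tunnel1
    "failed": ("policy2", "70.1.2.1", "60.1.2.1"),   # NQA Down -> IPSec Tunnel2
}
EXPECTED_PROPOSAL = "ESP-ENCRYPT-AES-128 SHA2-256-128"


def nqa_completion(text):
    """Return the 'Completion:' value of the first test record in the output.

    Assumption: with several records, which one is newest is not stated on
    the page, so only the first is used.
    """
    m = re.search(r"Completion:\s*(\w+)", text)
    if not m:
        raise ValueError("no Completion field in NQA output")
    return m.group(1).lower()


def ipsec_sas(text):
    """Split 'display ipsec sa' output into one dict per IPSec policy entry."""
    sas, iface, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Interface:\s*(\S+)", line):
            iface = m.group(1)
        elif m := re.match(r'IPSec policy name:\s*"([^"]+)"', line):
            cur = {"interface": iface, "policy": m.group(1), "proposals": []}
            sas.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"Tunnel (local|remote)\s*:\s*(\S+)", line):
            cur[m.group(1)] = m.group(2)
        elif m := re.match(r"Proposal:\s*(.+)", line):
            cur["proposals"].append(m.group(1).strip())
    return sas


def check_failover(nqa_text, sa_text):
    """Return a list of findings; an empty list means the state is consistent."""
    state = nqa_completion(nqa_text)
    if state not in EXPECTED:
        return [f"unexpected NQA completion value: {state}"]
    policy, local, remote = EXPECTED[state]
    sas = ipsec_sas(sa_text)
    if not sas:
        return [f"NQA is {state} but no IPSec SA is established"]
    findings = []
    for sa in sas:
        seen = (sa["policy"], sa.get("local"), sa.get("remote"))
        if seen != (policy, local, remote):
            findings.append(f"NQA is {state}: unexpected SA {seen}")
        for prop in sa["proposals"]:
            if prop != EXPECTED_PROPOSAL:
                findings.append(f"{sa['policy']}: unexpected proposal {prop}")
    if not any(sa["policy"] == policy for sa in sas):
        findings.append(f"NQA is {state}: SA for {policy} is missing")
    return findings


def sample_sa(iface, policy, local, remote):
    """Build a trimmed 'display ipsec sa' record in the layout shown above."""
    return f"""
===============================
Interface: {iface}
 Path MTU: 1500
===============================
  -----------------------------
  IPSec policy name: "{policy}"
  -----------------------------
    Tunnel local      : {local}
    Tunnel remote     : {remote}
    [Outbound ESP SAs]
      Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
    [Inbound ESP SAs]
      Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
"""


NQA_HEAD = "NQA entry(admin, test) :testflag is active ,testtype is icmp\n"
NQA_UP = NQA_HEAD + "  Completion:success   RTD OverThresholds number: 0\n"
NQA_DOWN = NQA_HEAD + "  Completion:failed    RTD OverThresholds number: 0\n"
SA_TUNNEL1 = sample_sa("GigabitEthernet0/0/1", "policy1", "70.1.1.1", "60.1.1.1")
SA_TUNNEL2 = sample_sa("GigabitEthernet0/0/2", "policy2", "70.1.2.1", "60.1.2.1")

if __name__ == "__main__":
    print(check_failover(NQA_UP, SA_TUNNEL1) or "consistent")
    print(check_failover(NQA_DOWN, SA_TUNNEL2) or "consistent")
    print(check_failover(NQA_DOWN, SA_TUNNEL1))  # stale Tunnel1 SA after failure
```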

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %#%#u;3RGfy.^D2'oEC%wwnU](q"Y2O&b'L=,NI`-qWE%#%#
     ike-proposal 5
    #
    ipsec policy-template temp1 10
     ike-peer rut1
     proposal tran1
    #
    ipsec policy policy1 10 isakmp template temp1
    #
    interface GigabitEthernet0/0/1
     ip address 60.1.1.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.1.1 255.255.255.0
    #
    ip route-static 70.1.1.0 255.255.255.0 60.1.1.2
    ip route-static 70.1.2.0 255.255.255.0 60.1.1.2
    ip route-static 192.168.2.0 255.255.255.0 60.1.1.2
    #
    return
  • Configuration file of RouterB

    #
     sysname RouterB
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256   
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %#%#u;3RGfy.^D2'oEC%wwnU](q"Y2O&b'L=,NI`-qWE%#%#
     ike-proposal 5
    #
    ipsec policy-template temp1 10
     ike-peer rut1
     proposal tran1
    #
    ipsec policy policy1 10 isakmp template temp1
    #
    interface GigabitEthernet0/0/1
     ip address 60.1.2.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 192.168.1.3 255.255.255.0
    #
    ip route-static 70.1.1.0 255.255.255.0 60.1.2.2
    ip route-static 70.1.2.0 255.255.255.0 60.1.2.2
    ip route-static 192.168.2.0 255.255.255.0 60.1.2.2
    #
    return
  • Configuration file of RouterC

    #
     sysname RouterC
    #
    acl number 3002
     rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer rut1
     undo version 2
     pre-shared-key cipher %#%#u;3RGfy.^D2'oEC%wwnU](q"Y2O&b'L=,NI`-qWE%#%#
     ike-proposal 5
     remote-address 60.1.1.1
    #
    ike peer rut2
     undo version 2
     pre-shared-key cipher %#%#u;3RGfy.^D2'oEC%wwnU](q"Y2O&b'L=,NI`-qWE%#%#
     ike-proposal 5
     remote-address 60.1.2.1
    #
    ipsec policy policy1 10 isakmp
     security acl 3002
     ike-peer rut1
     proposal tran1
     connect track nqa admin test up
     disconnect track nqa admin test down
    #
    ipsec policy policy2 20 isakmp
     security acl 3002
     ike-peer rut2
     proposal tran1
     connect track nqa admin test down
     disconnect track nqa admin test up
    #
    interface GigabitEthernet0/0/0
     ip address 192.168.2.2 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     ip address 70.1.1.1 255.255.255.0
     ipsec policy policy1
    #
    interface GigabitEthernet0/0/2
     ip address 70.1.2.1 255.255.255.0
     ipsec policy policy2
    #
    ip route-static 60.1.1.0 255.255.255.0 70.1.1.2
    ip route-static 60.1.2.0 255.255.255.0 70.1.2.2
    ip route-static 192.168.1.0 255.255.255.0 70.1.1.2
    ip route-static 192.168.1.0 255.255.255.0 70.1.2.2
    #                                                                               
    nqa test-instance admin test
     test-type icmp                                                                 
     destination-address ipv4 60.1.1.1                                              
     frequency 10                                                                   
     probe-count 2                                                                  
     start now
    #
    nqa-group group1
     nqa admin test
    #
    return
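
The failover in this example depends on policy1 and policy2 tracking the same NQA test instance with opposite conditions. The following is an added example, not part of the Huawei guide: it checks a RouterC-style configuration file for that property and for a missing NQA test instance. The function names are hypothetical, the input is assumed to be the configuration text with this page's list indentation removed, and the sample is constructed from the RouterC file above.

```python
import re

# Constructed sample: the IPSec policy and NQA stanzas from the RouterC
# configuration file above.
GOOD = """\
#
ipsec policy policy1 10 isakmp
 security acl 3002
 ike-peer rut1
 proposal tran1
 connect track nqa admin test up
 disconnect track nqa admin test down
#
ipsec policy policy2 20 isakmp
 security acl 3002
 ike-peer rut2
 proposal tran1
 connect track nqa admin test down
 disconnect track nqa admin test up
#
nqa test-instance admin test
 test-type icmp
 destination-address ipv4 60.1.1.1
#
"""
# Constructed broken variant: policy2 copies policy1's track conditions.
BAD = GOOD.replace(
    "\n connect track nqa admin test down\n disconnect track nqa admin test up",
    "\n connect track nqa admin test up\n disconnect track nqa admin test down",
)

TRACK = re.compile(r"(connect|disconnect) track nqa (\S+) (\S+) (up|down)$")


def parse_policies(config):
    """Return (policies, nqa_instances) parsed from the configuration text."""
    policies, nqa, cur = {}, set(), None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):  # an unindented line starts a new stanza
            cur = None
            if m := re.match(r"ipsec policy (\S+) (\d+) isakmp$", line):
                cur = policies.setdefault(m.group(1), {"acl": None, "track": {}})
            elif m := re.match(r"nqa test-instance (\S+) (\S+)$", line):
                nqa.add((m.group(1), m.group(2)))
            continue
        if cur is None:
            continue
        body = line.strip()
        if m := re.match(r"security acl (\d+)$", body):
            cur["acl"] = m.group(1)
        elif m := TRACK.match(body):
            cur["track"][m.group(1)] = ((m.group(2), m.group(3)), m.group(4))
    return policies, nqa


def lint_failover(config):
    """Return findings about the NQA track conditions; empty means consistent."""
    policies, nqa = parse_policies(config)
    findings, tracked = [], {}
    for name, pol in policies.items():
        track = pol["track"]
        if not track:  # policy is not under redundancy control
            continue
        if set(track) != {"connect", "disconnect"}:
            findings.append(f"{name}: needs both connect and disconnect track lines")
            continue
        (c_inst, c_state), (d_inst, d_state) = track["connect"], track["disconnect"]
        if c_inst != d_inst or c_state == d_state:
            findings.append(f"{name}: connect and disconnect must track one "
                            "instance with opposite states")
            continue
        if c_inst not in nqa:
            findings.append(f"{name}: NQA test instance {' '.join(c_inst)} "
                            "is not defined")
        tracked.setdefault((pol["acl"], c_inst), []).append((name, c_state))
    # Policies protecting the same flow must connect on opposite NQA states,
    # otherwise both tunnels are set up or torn down together.
    for (acl, _inst), members in tracked.items():
        states = sorted(state for _, state in members)
        if states != ["down", "up"]:
            names = ", ".join(name for name, _ in members)
            findings.append(f"acl {acl}: {names} connect on {'/'.join(states)}; "
                            "one must connect on up and the other on down")
    return findings


if __name__ == "__main__":
    print(lint_failover(GOOD) or "consistent")
    print(lint_failover(BAD))
```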
Updated: 2019-04-12

Document ID: EDOC1100041799
