CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Establishing IPSec over GRE Using a Tunnel Interface

Networking Requirements

As shown in Figure 4-49, Router_1 (branch gateway) and Router_2 (headquarters gateway) communicate through the Internet.

The branch communicates with the headquarters through a GRE tunnel. The enterprise wants to protect traffic excluding multicast data between the headquarters and branch. IPSec over GRE can be established between virtual tunnel interfaces to protect traffic between the headquarters and branch.

Figure 4-49  Establishing IPSec over GRE using a tunnel interface

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses and static routes for physical interfaces on Router_1 and Router_2 so that routes between Router_1 and Router_2 are reachable.

  2. Configure a GRE tunnel interface.

  3. Configure IPSec proposals to define the method used to protect IPSec traffic.

  4. Configure IKE peers to define IKE negotiation attributes.

  5. Configure IPSec profiles and reference IPSec policies and IKE peers in the IPSec profiles.

  6. Configure IPSec tunnel interfaces and specify a GRE tunnel interface as the source interface of the IPSec tunnel and the other GRE tunnel interface as the outbound interface for routes to the destination address of the IPSec tunnel.

  7. Apply IPSec profiles to the IPSec tunnel interfaces to enable IPSec on the interfaces.

  8. Configure static routes for the IPSec tunnel interfaces to import data flows to be protected by IPSec to the interfaces.

Procedure

  1. Configure IP addresses and static routes for physical interfaces on Router_1 and Router_2.

    # Assign an IP address to an interface on Router_1.

    <Huawei> system-view
    [Huawei] sysname Router_1
    [Router_1] interface gigabitethernet 1/0/0 
    [Router_1-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
    [Router_1-GigabitEthernet1/0/0] quit
    [Router_1] interface gigabitethernet 2/0/0
    [Router_1-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
    [Router_1-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the peer on Router_1. This example assumes that the next hop address in the route to Router_2 is 1.1.1.2.

    [Router_1] ip route-static 2.1.1.0 255.255.255.0 1.1.1.2

    # Assign an IP address to an interface on Router_2.

    <Huawei> system-view
    [Huawei] sysname Router_2
    [Router_2] interface gigabitethernet 1/0/0 
    [Router_2-GigabitEthernet1/0/0] ip address 2.1.1.1 255.255.255.0
    [Router_2-GigabitEthernet1/0/0] quit
    [Router_2] interface gigabitethernet 2/0/0
    [Router_2-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
    [Router_2-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the peer on Router_2. This example assumes that the next hop address in the route to Router_1 is 2.1.1.2.

    [Router_2] ip route-static 1.1.1.0 255.255.255.0 2.1.1.2

  2. Configure a GRE tunnel interface.

    # Configure Router_1.

    [Router_1] interface tunnel 0/0/0
    [Router_1-Tunnel0/0/0] ip address 192.168.1.1 255.255.255.0
    [Router_1-Tunnel0/0/0] tunnel-protocol gre
    [Router_1-Tunnel0/0/0] source 1.1.1.1
    [Router_1-Tunnel0/0/0] destination 2.1.1.1
    [Router_1-Tunnel0/0/0] quit

    # Configure Router_2.

    [Router_2] interface tunnel 0/0/0
    [Router_2-Tunnel0/0/0] ip address 192.168.1.2 255.255.255.0
    [Router_2-Tunnel0/0/0] tunnel-protocol gre
    [Router_2-Tunnel0/0/0] source 2.1.1.1
    [Router_2-Tunnel0/0/0] destination 1.1.1.1
    [Router_2-Tunnel0/0/0] quit

  3. Create IPSec proposals on Router_1 and Router_2.

    # Create an IPSec proposal on Router_1.

    [Router_1] ipsec proposal tran1
    [Router_1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [Router_1-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [Router_1-ipsec-proposal-tran1] quit

    # Create an IPSec proposal on Router_2.

    [Router_2] ipsec proposal tran1
    [Router_2-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [Router_2-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [Router_2-ipsec-proposal-tran1] quit

  4. Configure IKE peers on Router_1 and Router_2.

    # Create an IKE proposal on Router_1.

    [Router_1] ike proposal 5
    [Router_1-ike-proposal-5] authentication-algorithm sha2-256
    [Router_1-ike-proposal-5] encryption-algorithm aes-128
    [Router_1-ike-proposal-5] dh group14
    [Router_1-ike-proposal-5] quit

    # Configure an IKE peer on Router_1.

    [Router_1] ike peer spub
    [Router_1-ike-peer-spub] undo version 2
    [Router_1-ike-peer-spub] ike-proposal 5
    [Router_1-ike-peer-spub] pre-shared-key cipher Huawei@1234
    [Router_1-ike-peer-spub] quit

    # Create an IKE proposal on Router_2.

    [Router_2] ike proposal 5
    [Router_2-ike-proposal-5] authentication-algorithm sha2-256
    [Router_2-ike-proposal-5] encryption-algorithm aes-128
    [Router_2-ike-proposal-5] dh group14
    [Router_2-ike-proposal-5] quit

    # Configure an IKE peer on Router_2.

    [Router_2] ike peer spua
    [Router_2-ike-peer-spua] undo version 2
    [Router_2-ike-peer-spua] ike-proposal 5
    [Router_2-ike-peer-spua] pre-shared-key cipher Huawei@1234
    [Router_2-ike-peer-spua] quit

  5. Create IPSec profiles on Router_1 and Router_2.

    # Create an IPSec profile on Router_1.

    [Router_1] ipsec profile profile1
    [Router_1-ipsec-profile-profile1] proposal tran1
    [Router_1-ipsec-profile-profile1] ike-peer spub
    [Router_1-ipsec-profile-profile1] quit

    # Create an IPSec profile on Router_2.

    [Router_2] ipsec profile profile1
    [Router_2-ipsec-profile-profile1] proposal tran1
    [Router_2-ipsec-profile-profile1] ike-peer spua
    [Router_2-ipsec-profile-profile1] quit

  6. Configure an IPSec tunnel interface on Router_1 and Router_2 respectively. Specify a GRE tunnel interface as the source interface of the IPSec tunnel and the other GRE tunnel interface as the outbound interface for routes to the destination address of the IPSec tunnel.

    # Configure Router_1.

    [Router_1] interface tunnel 0/0/1
    [Router_1-Tunnel0/0/1] ip address 192.168.2.1 255.255.255.0
    [Router_1-Tunnel0/0/1] tunnel-protocol ipsec
    [Router_1-Tunnel0/0/1] source tunnel 0/0/0
    [Router_1-Tunnel0/0/1] destination 192.168.1.2
    [Router_1-Tunnel0/0/1] quit

    # Configure Router_2.

    [Router_2] interface tunnel 0/0/1
    [Router_2-Tunnel0/0/1] ip address 192.168.2.2 255.255.255.0
    [Router_2-Tunnel0/0/1] tunnel-protocol ipsec
    [Router_2-Tunnel0/0/1] source tunnel 0/0/0
    [Router_2-Tunnel0/0/1] destination 192.168.1.1
    [Router_2-Tunnel0/0/1] quit

  7. Apply IPSec profiles to the IPSec tunnel interfaces.

    # Apply the IPSec profile to the interface of Router_1.

    [Router_1] interface tunnel 0/0/1
    [Router_1-Tunnel0/0/1] ipsec profile profile1
    [Router_1-Tunnel0/0/1] quit

    # Apply the IPSec profile to the interface of Router_2.

    [Router_2] interface tunnel 0/0/1
    [Router_2-Tunnel0/0/1] ipsec profile profile1
    [Router_2-Tunnel0/0/1] quit

    Run the display ipsec profile command on Router_1 and Router_2 to view the IPSec profile configuration.

  8. Configure static routes on IPSec tunnel interfaces and import data flows to be protected by IPSec to the tunnel interfaces.

    # Configure a static route on the tunnel interface of Router_1.

    [Router_1] ip route-static 10.1.2.0 255.255.255.0 tunnel 0/0/1 

    # Configure a static route on the tunnel interface of Router_2.

    [Router_2] ip route-static 10.1.1.0 255.255.255.0 tunnel 0/0/1 

  9. Verify the configuration.

    # After the configurations are complete, run the display ike sa command on Router_1 and Router_2 to view the IKE SA configuration. The display on Router_1 is used as an example.

    [Router_1] display ike sa
    IKE SA information :
       Conn-ID   Peer                VPN   Flag(s)   Phase   RemoteType  RemoteID
      --------------------------------------------------------------------------------
       16        2.1.1.1:500               RD|ST     v1:2    IP          2.1.1.1
       14        2.1.1.1:500               RD|ST     v1:1    IP          2.1.1.1
                                                   
       Number of IKE SA : 2
      --------------------------------------------------------------------------------
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   

Configuration Files

  • Configuration file of Router_1

    #
     sysname Router_1
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer spub
     undo version 2
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     ike-proposal 5
    #
    ipsec profile profile1
     ike-peer spub
     proposal tran1
    #
    interface Tunnel0/0/0
     ip address 192.168.1.1 255.255.255.0
     tunnel-protocol gre
     source 1.1.1.1
     destination 2.1.1.1
    #
    interface Tunnel0/0/1
     ip address 192.168.2.1 255.255.255.0
     tunnel-protocol ipsec
     source Tunnel0/0/0
     destination 192.168.1.2
     ipsec profile profile1
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.1.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    ip route-static 10.1.2.0 255.255.255.0 tunnel0/0/1
    ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
    #
    return
    
  • Configuration file of Router_2

    #
     sysname Router_2
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128
    #
    ike proposal 5
     encryption-algorithm aes-128
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer spua
     undo version 2
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
     ike-proposal 5
    #
    ipsec profile profile1
     ike-peer spua
     proposal tran1
    #
    interface Tunnel0/0/0
     ip address 192.168.1.2 255.255.255.0
     tunnel-protocol gre
     source 2.1.1.1
     destination 1.1.1.1
    #
    interface Tunnel0/0/1
     ip address 192.168.2.2 255.255.255.0
     tunnel-protocol ipsec
     source Tunnel0/0/0
     destination 192.168.1.1
     ipsec profile profile1
    #
    interface GigabitEthernet1/0/0
     ip address 2.1.1.1 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    ip route-static 10.1.1.0 255.255.255.0 tunnel0/0/1
    ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
    #
    return
    
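A consistency check over the two configuration files, added here as an example and not part of the Huawei document: it parses the VRP stanza format (stanzas separated by `#` lines, one `keyword value` attribute per indented line) and verifies that each router's GRE source is the peer's GRE destination, that the IPSec tunnel is sourced from the local GRE tunnel, and that the IPSec destination is the peer's GRE tunnel address. The sample text is constructed from the tunnel stanzas of this example with one deliberate error, and the function names are my own.

```python
# Constructed sample: tunnel stanzas only; Router_2's GRE source is deliberately wrong.
ROUTER_1 = """\
interface Tunnel0/0/0
 ip address 192.168.1.1 255.255.255.0
 tunnel-protocol gre
 source 1.1.1.1
 destination 2.1.1.1
#
interface Tunnel0/0/1
 tunnel-protocol ipsec
 source Tunnel0/0/0
 destination 192.168.1.2
"""
ROUTER_2 = """\
interface Tunnel0/0/0
 ip address 192.168.1.2 255.255.255.0
 tunnel-protocol gre
 source 1.1.1.2
 destination 1.1.1.1
#
interface Tunnel0/0/1
 tunnel-protocol ipsec
 source Tunnel0/0/0
 destination 192.168.1.1
"""

def parse_vrp(text):
    """VRP config text -> {stanza header: {first word: rest}}; '#' lines separate stanzas."""
    stanzas = {}
    for block in text.strip("\n#").split("\n#\n"):
        head, *attrs = [line.strip() for line in block.strip().splitlines()]
        stanzas[head] = dict(a.partition(" ")[::2] for a in attrs)
    return stanzas

def tunnels(cfg):
    """Index 'interface TunnelX' stanzas by tunnel-protocol, keeping the interface name."""
    return {a["tunnel-protocol"]: {**a, "name": h.split()[1]}
            for h, a in cfg.items() if h.startswith("interface Tunnel")}

def check_pair(cfg_a, cfg_b):
    """Cross-check the two routers' mirrored tunnel settings; returns a list of findings."""
    findings = []
    for me, mine, peer, theirs in (("Router_1", cfg_a, "Router_2", cfg_b),
                                   ("Router_2", cfg_b, "Router_1", cfg_a)):
        gre, sec, pgre = tunnels(mine)["gre"], tunnels(mine)["ipsec"], tunnels(theirs)["gre"]
        if gre["source"] != pgre["destination"]:  # outer GRE endpoints must mirror each other
            findings.append(f"{me} GRE source {gre['source']} != {peer} GRE destination {pgre['destination']}")
        if sec["source"] != gre["name"]:  # the IPSec tunnel must ride on the local GRE tunnel
            findings.append(f"{me} IPSec source {sec['source']} is not the GRE tunnel {gre['name']}")
        if sec["destination"] != pgre["ip"].split()[1]:  # IPSec destination = peer's GRE address
            findings.append(f"{me} IPSec destination {sec['destination']} != {peer} GRE address")
    return findings
```

Running `check_pair(parse_vrp(ROUTER_1), parse_vrp(ROUTER_2))` reports the mismatched GRE source; correcting it to 2.1.1.1 yields no findings.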
Updated: 2019-04-12

Document ID: EDOC1100041799
