CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Manually Establishing an IPSec Tunnel

Networking Requirements

As shown in Figure 4-35, RouterA (branch gateway) and RouterB (headquarters gateway) communicate through the Internet. The branch subnet is 10.1.1.0/24 and the headquarters subnet is 10.1.2.0/24.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the two gateways communicate over the Internet and only a few branch gateways need to be maintained, an IPSec tunnel can be set up manually between the branch gateway and the headquarters gateway.

Figure 4-35  Manually establishing an IPSec tunnel

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses and static routes for interfaces on RouterA and RouterB so that routes between RouterA and RouterB are reachable.

  2. Configure ACLs to define data flows to be protected.

  3. Configure IPSec proposals to define the method used to protect IPSec traffic.

  4. Configure IPSec policies and reference ACLs and IPSec proposals in the IPSec policies to determine the methods used to protect data flows.

  5. Apply IPSec policy groups to interfaces.

Procedure

  1. Configure IP addresses and static routes for interfaces on RouterA and RouterB.

    # Assign an IP address to an interface on RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the peer on RouterA. This example assumes that the next hop address in the route to RouterB is 1.1.1.2.

    [RouterA] ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
    [RouterA] ip route-static 10.1.2.0 255.255.255.0 1.1.1.2

    # Assign an IP address to an interface on RouterB.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] interface gigabitethernet 1/0/0 
    [RouterB-GigabitEthernet1/0/0] ip address 2.1.1.1 255.255.255.0
    [RouterB-GigabitEthernet1/0/0] quit
    [RouterB] interface gigabitethernet 2/0/0
    [RouterB-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
    [RouterB-GigabitEthernet2/0/0] quit
    

    # Configure a static route to the peer on RouterB. This example assumes that the next hop address in the route to RouterA is 2.1.1.2.

    [RouterB] ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
    [RouterB] ip route-static 10.1.1.0 255.255.255.0 2.1.1.2

  2. Configure ACLs on RouterA and RouterB to define data flows to be protected.

    # Configure an ACL on RouterA to define data flows sent from 10.1.1.0/24 to 10.1.2.0/24.

    [RouterA] acl number 3101
    [RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [RouterA-acl-adv-3101] quit

    # Configure an ACL on RouterB to define data flows sent from 10.1.2.0/24 to 10.1.1.0/24.

    [RouterB] acl number 3101
    [RouterB-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [RouterB-acl-adv-3101] quit

  3. Create IPSec proposals on RouterA and RouterB.

    # Create an IPSec proposal on RouterA.

    [RouterA] ipsec proposal tran1
    [RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128 
    [RouterA-ipsec-proposal-tran1] quit

    # Create an IPSec proposal on RouterB.

    [RouterB] ipsec proposal tran1
    [RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [RouterB-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [RouterB-ipsec-proposal-tran1] quit

    Run the display ipsec proposal command on RouterA and RouterB to view the IPSec proposal configuration.

  4. Create IPSec policies on RouterA and RouterB.

    # Manually create an IPSec policy on RouterA.

    [RouterA] ipsec policy map1 10 manual
    [RouterA-ipsec-policy-manual-map1-10] security acl 3101
    [RouterA-ipsec-policy-manual-map1-10] proposal tran1
    [RouterA-ipsec-policy-manual-map1-10] tunnel remote 2.1.1.1
    [RouterA-ipsec-policy-manual-map1-10] tunnel local 1.1.1.1
    [RouterA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
    [RouterA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
    [RouterA-ipsec-policy-manual-map1-10] sa string-key outbound esp cipher huawei
    [RouterA-ipsec-policy-manual-map1-10] sa string-key inbound esp cipher huawei
    [RouterA-ipsec-policy-manual-map1-10] quit

    # Manually create an IPSec policy on RouterB.

    [RouterB] ipsec policy use1 10 manual
    [RouterB-ipsec-policy-manual-use1-10] security acl 3101
    [RouterB-ipsec-policy-manual-use1-10] proposal tran1
    [RouterB-ipsec-policy-manual-use1-10] tunnel remote 1.1.1.1
    [RouterB-ipsec-policy-manual-use1-10] tunnel local 2.1.1.1
    [RouterB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
    [RouterB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
    [RouterB-ipsec-policy-manual-use1-10] sa string-key outbound esp cipher huawei
    [RouterB-ipsec-policy-manual-use1-10] sa string-key inbound esp cipher huawei
    [RouterB-ipsec-policy-manual-use1-10] quit

    Run the display ipsec policy command on RouterA and RouterB to view the configurations of the IPSec policies.

  5. Apply IPSec policy groups to interfaces on RouterA and RouterB.

    # Apply the IPSec policy group to the interface of RouterA.

    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ipsec policy map1
    [RouterA-GigabitEthernet1/0/0] quit

    # Apply the IPSec policy group to the interface of RouterB.

    [RouterB] interface gigabitethernet 1/0/0
    [RouterB-GigabitEthernet1/0/0] ipsec policy use1
    [RouterB-GigabitEthernet1/0/0] quit

  6. Verify the configuration.

    # After the configurations are complete, PC A can ping PC B successfully. You can run the display ipsec statistics command to view packet statistics.

    # Run the display ipsec sa command on RouterA and RouterB to view the IPSec configuration. The display on RouterA is used as an example.

    [RouterA] display ipsec sa
    ipsec sa information: 
    ===============================
    Interface: GigabitEthernet1/0/0
    ===============================
    
      -----------------------------
      IPSec policy name: "map1"
      Sequence number: 10
      Acl group: 3101
      Acl rule: -
      Mode: Manual
      -----------------------------
        Encapsulation mode: Tunnel
        Tunnel local      : 1.1.1.1
        Tunnel remote     : 2.1.1.1
    
        [Outbound ESP SAs]
          SPI: 12345 (0x3039)
          Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128 
          No duration limit for this SA
    
        [Inbound ESP SAs]
          SPI: 54321 (0xd431)
          Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128 
          No duration limit for this SA
          Anti-replay : Disable
    

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #
    acl number 3101
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128 
    #
    ipsec policy map1 10 manual
     security acl 3101
     proposal tran1
     tunnel local 1.1.1.1
     tunnel remote 2.1.1.1
     sa spi inbound esp 54321
     sa string-key inbound esp cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
     sa spi outbound esp 12345
     sa string-key outbound esp cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.1.1 255.255.255.0
     ipsec policy map1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
    ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
    #
    return
    
  • Configuration file of RouterB

    #
     sysname RouterB
    #
    acl number 3101
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-128 
    #
    ipsec policy use1 10 manual
     security acl 3101
     proposal tran1
     tunnel local 2.1.1.1
     tunnel remote 1.1.1.1
     sa spi inbound esp 12345
     sa string-key inbound esp cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%#
     sa spi outbound esp 54321
     sa string-key outbound esp cipher %^%#(3fr1!&6O=)!GN#~{)n,2fq>4#4+%;lMTs5(]:c)%^%#
    #
    interface GigabitEthernet1/0/0
     ip address 2.1.1.1 255.255.255.0
     ipsec policy use1
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
    ip route-static 10.1.1.0 255.255.255.0 2.1.1.2
    #
    return
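
Because a manual SA is never negotiated, the two policies above only carry traffic if every value is mirrored: RouterA's outbound SPI is RouterB's inbound SPI, RouterA's tunnel local is RouterB's tunnel remote, the ACL source and destination are swapped, and the proposals match; a mismatch shows up only as dropped packets. The following added example (not part of the Huawei guide) checks that mirroring over the two configuration files above; it assumes the string keys have been stripped, since the %^%# cipher-text blobs are device-encrypted and cannot be compared between devices.

```python
import re

# Constructed inputs: the two configuration files from this page, trimmed to the
# lines a manual-SA peer must mirror (keys omitted, see the lead-in).
ROUTER_A = """\
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ipsec policy map1 10 manual
 tunnel local 1.1.1.1
 tunnel remote 2.1.1.1
 sa spi inbound esp 54321
 sa spi outbound esp 12345
"""
ROUTER_B = """\
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ipsec policy use1 10 manual
 tunnel local 2.1.1.1
 tunnel remote 1.1.1.1
 sa spi inbound esp 12345
 sa spi outbound esp 54321
"""

def parse(cfg):
    """Extract the fields of one peer that the other peer must mirror."""
    grab = lambda pat: re.search(pat, cfg).group(1)
    return {
        "src": grab(r"source (\S+)"), "dst": grab(r"destination (\S+)"),
        "local": grab(r"tunnel local (\S+)"), "remote": grab(r"tunnel remote (\S+)"),
        "spi_in": int(grab(r"sa spi inbound esp (\d+)")),
        "spi_out": int(grab(r"sa spi outbound esp (\d+)")),
        "algs": tuple(re.findall(r"esp \S+-algorithm (\S+)", cfg)),  # (auth, enc)
    }

def mismatches(cfg_a, cfg_b):
    """Return the names of settings that are not consistent between the peers."""
    a, b = parse(cfg_a), parse(cfg_b)
    checks = [
        ("tunnel endpoints", a["local"] == b["remote"] and a["remote"] == b["local"]),
        ("SPIs", a["spi_out"] == b["spi_in"] and a["spi_in"] == b["spi_out"]),
        ("ACL flows", a["src"] == b["dst"] and a["dst"] == b["src"]),
        ("proposal algorithms", a["algs"] == b["algs"]),
    ]
    return [name for name, ok in checks if not ok]
```

An empty list means the two files are mirrored correctly; feeding the same file twice reports the three cross-checked settings as mismatched, which is the typical copy-paste error when a branch configuration is cloned to the headquarters gateway.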
    
Updated: 2019-04-12

Document ID: EDOC1100041799
