CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Example for Configuring a Dual-Hub DSVPN Protected by IPSec

Networking Requirements

In a large enterprise, two hubs (Hub1 and Hub2) at the headquarters communicate with multiple branches (Spoke1 and Spoke2 in this example) over the Internet. The branch spokes connect to the Internet using dynamic addresses.

The enterprise wants to protect traffic exchanged between the headquarters and branches and has the following requirements: Normally, branches communicate with the headquarters through Hub1. Traffic is switched to Hub2 when Hub1 becomes faulty and switched back to Hub1 when Hub1 recovers.

Figure 3-24  Configuring a dual-hub DSVPN protected by IPSec

Configuration Roadmap

The configuration roadmap is as follows:
  1. Branches connect to the Internet using dynamic addresses, so they do not know each other's public addresses. Configure DSVPN to implement direct communication between branches.

  2. Use the shortcut DSVPN because there are a large number of branches.

  3. Subnets of the headquarters and branches change frequently. To simplify maintenance, configure OSPF based on the enterprise network plan to enable communication between the headquarters and branches.

  4. To protect data transmitted between the headquarters and branches as well as between branches, configure IPSec for DSVPN.

Procedure

  1. Configure IP addresses for interfaces.

    Configure IP addresses for the interfaces of each Router. The configurations of Spoke1, Spoke2, and Hub2 are similar to that of Hub1 and are not shown here.

    # Configure an IP address for each interface on Hub1.

    <Huawei> system-view
    [Huawei] sysname Hub1
    [Hub1] interface GigabitEthernet 1/0/0
    [Hub1-GigabitEthernet1/0/0] ip address 1.1.1.10 255.255.255.0
    [Hub1-GigabitEthernet1/0/0] quit
    [Hub1] interface tunnel 0/0/0
    [Hub1-Tunnel0/0/0] ip address 10.2.1.1 255.255.255.0
    [Hub1-Tunnel0/0/0] quit
    [Hub1] interface loopback 0
    [Hub1-LoopBack0] ip address 10.1.0.1 255.255.255.0
    [Hub1-LoopBack0] quit
    

  2. Configure routes between the Routers.

    Configure OSPF on each Router so that the Routers have reachable routes to each other over the Internet.

    # Configure OSPF on Hub1.

    [Hub1] ospf 2 router-id 1.1.1.10
    [Hub1-ospf-2] area 0.0.0.1
    [Hub1-ospf-2-area-0.0.0.1] network 1.1.1.0 0.0.0.255
    [Hub1-ospf-2-area-0.0.0.1] quit
    [Hub1-ospf-2] quit
    

    # Configure OSPF on Hub2.

    [Hub2] ospf 2 router-id 1.1.254.10
    [Hub2-ospf-2] area 0.0.0.1
    [Hub2-ospf-2-area-0.0.0.1] network 1.1.254.0 0.0.0.255
    [Hub2-ospf-2-area-0.0.0.1] quit
    [Hub2-ospf-2] quit
    

    # Configure OSPF on Spoke1.

    [Spoke1] ospf 2 router-id 1.1.2.10
    [Spoke1-ospf-2] area 0.0.0.1
    [Spoke1-ospf-2-area-0.0.0.1] network 1.1.2.0 0.0.0.255
    [Spoke1-ospf-2-area-0.0.0.1] quit
    [Spoke1-ospf-2] quit
    

    # Configure OSPF on Spoke2.

    [Spoke2] ospf 2 router-id 1.1.3.10
    [Spoke2-ospf-2] area 0.0.0.1
    [Spoke2-ospf-2-area-0.0.0.1] network 1.1.3.0 0.0.0.255
    [Spoke2-ospf-2-area-0.0.0.1] quit
    [Spoke2-ospf-2] quit
    

  3. Configure basic OSPF functions.

    # Configure Hub1.

    [Hub1] ospf 1 router-id 10.2.1.1
    [Hub1-ospf-1] area 0.0.0.0
    [Hub1-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
    [Hub1-ospf-1-area-0.0.0.0] network 10.1.0.0 0.0.0.255
    [Hub1-ospf-1-area-0.0.0.0] quit
    [Hub1-ospf-1] quit
    

    # Configure Hub2.

    [Hub2] ospf 1 router-id 10.2.1.4
    [Hub2-ospf-1] area 0.0.0.0
    [Hub2-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
    [Hub2-ospf-1-area-0.0.0.0] network 10.1.0.0 0.0.0.255
    [Hub2-ospf-1-area-0.0.0.0] quit
    [Hub2-ospf-1] quit
    

    # Configure Spoke1.

    [Spoke1] ospf 1 router-id 10.2.1.2
    [Spoke1-ospf-1] area 0.0.0.0
    [Spoke1-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
    [Spoke1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
    [Spoke1-ospf-1-area-0.0.0.0] quit
    [Spoke1-ospf-1] quit
    

    # Configure Spoke2.

    [Spoke2] ospf 1 router-id 10.2.1.3
    [Spoke2-ospf-1] area 0.0.0.0
    [Spoke2-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
    [Spoke2-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
    [Spoke2-ospf-1-area-0.0.0.0] quit
    [Spoke2-ospf-1] quit
    

  4. Configure tunnel interfaces.

    Set the OSPF network type to p2mp on the hubs and spokes. Enable NHRP redirect on Hub1 and Hub2. Configure static NHRP peer entries of Hub1 and Hub2 and enable NHRP shortcut on Spoke1 and Spoke2.

    # Configure a tunnel interface and OSPF attributes and enable NHRP redirect on Hub1.
    [Hub1] interface tunnel 0/0/0
    [Hub1-Tunnel0/0/0] tunnel-protocol gre p2mp
    [Hub1-Tunnel0/0/0] source GigabitEthernet 1/0/0
    [Hub1-Tunnel0/0/0] nhrp entry multicast dynamic
    [Hub1-Tunnel0/0/0] ospf network-type p2mp
    [Hub1-Tunnel0/0/0] nhrp authentication cipher huawei@1
    [Hub1-Tunnel0/0/0] gre key cipher 1999
    [Hub1-Tunnel0/0/0] nhrp redirect
    [Hub1-Tunnel0/0/0] quit
    
    # Configure a tunnel interface and OSPF attributes and enable NHRP redirect on Hub2.
    [Hub2] interface tunnel 0/0/0
    [Hub2-Tunnel0/0/0] tunnel-protocol gre p2mp
    [Hub2-Tunnel0/0/0] source GigabitEthernet 1/0/0
    [Hub2-Tunnel0/0/0] nhrp entry multicast dynamic
    [Hub2-Tunnel0/0/0] ospf network-type p2mp
    [Hub2-Tunnel0/0/0] nhrp authentication cipher huawei@1
    [Hub2-Tunnel0/0/0] nhrp redirect
    [Hub2-Tunnel0/0/0] gre key cipher 1999
    [Hub2-Tunnel0/0/0] quit
    
    # Configure tunnel interfaces, OSPF attributes, and static NHRP peer entries of Hub1 and Hub2, and enable NHRP shortcut on Spoke1.
    [Spoke1] interface tunnel 0/0/0
    [Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
    [Spoke1-Tunnel0/0/0] source GigabitEthernet 1/0/0
    [Spoke1-Tunnel0/0/0] nhrp entry 10.2.1.1 1.1.1.10 register
    [Spoke1-Tunnel0/0/0] nhrp entry 10.2.1.4 1.1.254.10 register
    [Spoke1-Tunnel0/0/0] ospf network-type p2mp
    [Spoke1-Tunnel0/0/0] nhrp authentication cipher huawei@1
    [Spoke1-Tunnel0/0/0] nhrp shortcut
    [Spoke1-Tunnel0/0/0] nhrp registration interval 300
    [Spoke1-Tunnel0/0/0] gre key cipher 1999
    [Spoke1-Tunnel0/0/0] quit
    
    # Configure tunnel interfaces, OSPF attributes, and static NHRP peer entries of Hub1 and Hub2, and enable NHRP shortcut on Spoke2.
    [Spoke2] interface tunnel 0/0/0
    [Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
    [Spoke2-Tunnel0/0/0] source GigabitEthernet 1/0/0
    [Spoke2-Tunnel0/0/0] nhrp entry 10.2.1.1 1.1.1.10 register
    [Spoke2-Tunnel0/0/0] nhrp entry 10.2.1.4 1.1.254.10 register
    [Spoke2-Tunnel0/0/0] ospf network-type p2mp
    [Spoke2-Tunnel0/0/0] nhrp authentication cipher huawei@1
    [Spoke2-Tunnel0/0/0] nhrp shortcut
    [Spoke2-Tunnel0/0/0] nhrp registration interval 300
    [Spoke2-Tunnel0/0/0] gre key cipher 1999
    [Spoke2-Tunnel0/0/0] quit
    

  5. Configure an IKE proposal.

    Configure an IKE proposal on the hubs and spokes. Ensure that the authentication mode is the same on all the devices.

    # Configure Hub1.

    [Hub1] ike proposal 1
    [Hub1-ike-proposal-1] dh group5
    [Hub1-ike-proposal-1] encryption-algorithm aes-256
    [Hub1-ike-proposal-1] authentication-algorithm sha2-256
    [Hub1-ike-proposal-1] prf aes-xcbc-128
    [Hub1-ike-proposal-1] quit
    

    # Configure Hub2.

    [Hub2] ike proposal 1
    [Hub2-ike-proposal-1] dh group5
    [Hub2-ike-proposal-1] encryption-algorithm aes-256
    [Hub2-ike-proposal-1] authentication-algorithm sha2-256
    [Hub2-ike-proposal-1] prf aes-xcbc-128
    [Hub2-ike-proposal-1] quit
    

    # Configure Spoke1.

    [Spoke1] ike proposal 1
    [Spoke1-ike-proposal-1] dh group5
    [Spoke1-ike-proposal-1] encryption-algorithm aes-256
    [Spoke1-ike-proposal-1] authentication-algorithm sha2-256
    [Spoke1-ike-proposal-1] prf aes-xcbc-128
    [Spoke1-ike-proposal-1] quit
    

    # Configure Spoke2.

    [Spoke2] ike proposal 1
    [Spoke2-ike-proposal-1] dh group5
    [Spoke2-ike-proposal-1] encryption-algorithm aes-256
    [Spoke2-ike-proposal-1] authentication-algorithm sha2-256
    [Spoke2-ike-proposal-1] prf aes-xcbc-128
    [Spoke2-ike-proposal-1] quit
    

  6. Configure an IKE peer.

    Configure an IKE peer for IKE negotiation on the hubs and spokes.

    # Configure Hub1.

    [Hub1] ike peer hub1
    [Hub1-ike-peer-hub1] undo version 2
    [Hub1-ike-peer-hub1] ike-proposal 1
    [Hub1-ike-peer-hub1] pre-shared-key cipher Huawei@1234
    [Hub1-ike-peer-hub1] dpd type periodic
    [Hub1-ike-peer-hub1] dpd idle-time 40
    [Hub1-ike-peer-hub1] quit
    

    # Configure Hub2.

    [Hub2] ike peer hub2
    [Hub2-ike-peer-hub2] undo version 2
    [Hub2-ike-peer-hub2] ike-proposal 1
    [Hub2-ike-peer-hub2] pre-shared-key cipher Huawei@1234
    [Hub2-ike-peer-hub2] dpd type periodic
    [Hub2-ike-peer-hub2] dpd idle-time 40
    [Hub2-ike-peer-hub2] quit
    

    # Configure Spoke1.

    [Spoke1] ike peer spoke1
    [Spoke1-ike-peer-spoke1] undo version 2
    [Spoke1-ike-peer-spoke1] ike-proposal 1
    [Spoke1-ike-peer-spoke1] pre-shared-key cipher Huawei@1234
    [Spoke1-ike-peer-spoke1] dpd type periodic
    [Spoke1-ike-peer-spoke1] dpd idle-time 40
    [Spoke1-ike-peer-spoke1] quit
    

    # Configure Spoke2.

    [Spoke2] ike peer spoke2
    [Spoke2-ike-peer-spoke2] undo version 2
    [Spoke2-ike-peer-spoke2] ike-proposal 1
    [Spoke2-ike-peer-spoke2] pre-shared-key cipher Huawei@1234
    [Spoke2-ike-peer-spoke2] dpd type periodic
    [Spoke2-ike-peer-spoke2] dpd idle-time 40
    [Spoke2-ike-peer-spoke2] quit
    

  7. Create an IPSec proposal.

    Create an IPSec proposal on the hubs and spokes.

    # Configure Hub1.

    [Hub1] ipsec proposal pro1
    [Hub1-ipsec-proposal-pro1] transform ah-esp
    [Hub1-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
    [Hub1-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
    [Hub1-ipsec-proposal-pro1] esp encryption-algorithm aes-192
    [Hub1-ipsec-proposal-pro1] quit
    

    # Configure Hub2.

    [Hub2] ipsec proposal pro1
    [Hub2-ipsec-proposal-pro1] transform ah-esp
    [Hub2-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
    [Hub2-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
    [Hub2-ipsec-proposal-pro1] esp encryption-algorithm aes-192
    [Hub2-ipsec-proposal-pro1] quit
    

    # Configure Spoke1.

    [Spoke1] ipsec proposal pro1
    [Spoke1-ipsec-proposal-pro1] transform ah-esp
    [Spoke1-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
    [Spoke1-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
    [Spoke1-ipsec-proposal-pro1] esp encryption-algorithm aes-192
    [Spoke1-ipsec-proposal-pro1] quit
    

    # Configure Spoke2.

    [Spoke2] ipsec proposal pro1
    [Spoke2-ipsec-proposal-pro1] transform ah-esp
    [Spoke2-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
    [Spoke2-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
    [Spoke2-ipsec-proposal-pro1] esp encryption-algorithm aes-192
    [Spoke2-ipsec-proposal-pro1] quit
    

  8. Create an IPSec profile.

    Create an IPSec profile on the hubs and spokes.

    # Configure Hub1.

    [Hub1] ipsec profile profile1
    [Hub1-ipsec-profile-profile1] ike-peer hub1
    [Hub1-ipsec-profile-profile1] proposal pro1
    [Hub1-ipsec-profile-profile1] quit
    

    # Configure Hub2.

    [Hub2] ipsec profile profile1
    [Hub2-ipsec-profile-profile1] ike-peer hub2
    [Hub2-ipsec-profile-profile1] proposal pro1
    [Hub2-ipsec-profile-profile1] quit
    

    # Configure Spoke1.

    [Spoke1] ipsec profile profile1
    [Spoke1-ipsec-profile-profile1] ike-peer spoke1
    [Spoke1-ipsec-profile-profile1] proposal pro1
    [Spoke1-ipsec-profile-profile1] quit
    

    # Configure Spoke2.

    [Spoke2] ipsec profile profile1
    [Spoke2-ipsec-profile-profile1] ike-peer spoke2
    [Spoke2-ipsec-profile-profile1] proposal pro1
    [Spoke2-ipsec-profile-profile1] quit
    

  9. Apply the IPSec profile to interfaces.

    # Configure Hub1.
    [Hub1] interface tunnel 0/0/0
    [Hub1-Tunnel0/0/0] ipsec profile profile1
    [Hub1-Tunnel0/0/0] quit
    
    # Configure Hub2.
    [Hub2] interface tunnel 0/0/0
    [Hub2-Tunnel0/0/0] ipsec profile profile1
    [Hub2-Tunnel0/0/0] quit
    
    # Configure Spoke1.
    [Spoke1] interface tunnel 0/0/0
    [Spoke1-Tunnel0/0/0] ipsec profile profile1
    [Spoke1-Tunnel0/0/0] quit
    
    # Configure Spoke2.
    [Spoke2] interface tunnel 0/0/0
    [Spoke2-Tunnel0/0/0] ipsec profile profile1
    [Spoke2-Tunnel0/0/0] quit
    

  10. Verify the configuration.

    The headquarters and branches, and the branches themselves, can communicate with each other, and the data flows between them are protected by IPSec.

    1. Check whether IKE SAs are established.

      Run the display ike sa command to check whether IKE SAs are established. The command output on Hub1 and Spoke1 is used as an example.

      [Spoke1] display ike sa
          Conn-ID  Peer            VPN   Flag(s)                Phase                 
        ---------------------------------------------------------------               
            442    1.1.1.10        0     RD|ST                  v1:2                     
            138    1.1.1.10        0     RD|ST                  v1:1                     
            409    1.1.254.10      0     RD|ST                  v1:2                     
              5    1.1.254.10      0     RD|ST                  v1:1                     
                                                                                      
         Number of IKE SA : 4    
        --------------------------------------------------------------------     
      
        Flag Description:           
        RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
        HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
        M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING  

      The output shows that Spoke1 has successfully established IPSec tunnels with Hub1 and Hub2.

      # Run the ping -a 10.1.1.1 10.1.2.1 command on Spoke1, and the command output is as follows.

      [Spoke1] ping -a 10.1.1.1 10.1.2.1
        PING 10.1.2.1: 56  data bytes, press CTRL_C to break
          Reply from 10.1.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
          Reply from 10.1.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
          Reply from 10.1.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
          Reply from 10.1.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
          Reply from 10.1.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms
      
        --- 10.1.2.1 ping statistics ---
          5 packet(s) transmitted
          5 packet(s) received
          0.00% packet loss
          round-trip min/avg/max = 2/2/3 ms
      
      [Spoke1] display ike sa
          Conn-ID  Peer            VPN   Flag(s)                Phase                 
        ---------------------------------------------------------------               
            442    1.1.1.10        0     RD|ST                  v1:2                     
            138    1.1.1.10        0     RD|ST                  v1:1                     
            342    1.1.3.10        0     RD|ST                  v1:2                     
            284    1.1.3.10        0     RD|ST                  v1:1                     
            409    1.1.254.10      0     RD|ST                  v1:2                     
              5    1.1.254.10      0     RD|ST                  v1:1                     
                                                                                      
         Number of IKE SA : 6
        --------------------------------------------------------------------     
      
        Flag Description:           
        RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
        HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
        M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING  

      When branches communicate with each other, Spoke1 and Spoke2 establish an IPSec tunnel.

    2. When Hub1 fails, the headquarters and branches, and the branches themselves, can still communicate with each other.

      # Run the ping -a 10.1.1.1 10.1.2.1 command on Spoke1, and the command output is as follows.

      [Spoke1] ping -a 10.1.1.1 10.1.2.1
        PING 10.1.2.1: 56  data bytes, press CTRL_C to break
          Reply from 10.1.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
          Reply from 10.1.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
          Reply from 10.1.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
          Reply from 10.1.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
          Reply from 10.1.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms
      
        --- 10.1.2.1 ping statistics ---
          5 packet(s) transmitted
          5 packet(s) received
          0.00% packet loss
          round-trip min/avg/max = 2/2/3 ms
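
The check in step 10 can be scripted. The following Python sketch is an added example, not part of the original guide: it parses the `display ike sa` output shown above, confirms that each hub has READY phase 1 and phase 2 SAs, and reports peers other than the hubs (here 1.1.3.10, the spoke-to-spoke tunnel to Spoke2). The function names and the `HUBS` table are assumptions of this example; the addresses and table rows are taken from this page.

```python
import re

# Public addresses of the two hubs, as configured on this page.
HUBS = {"Hub1": "1.1.1.10", "Hub2": "1.1.254.10"}

# Rows copied from the two "display ike sa" outputs on Spoke1 shown above.
BEFORE_PING = """\
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
      442    1.1.1.10        0     RD|ST                  v1:2
      138    1.1.1.10        0     RD|ST                  v1:1
      409    1.1.254.10      0     RD|ST                  v1:2
        5    1.1.254.10      0     RD|ST                  v1:1

   Number of IKE SA : 4
"""
AFTER_PING = """\
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
      442    1.1.1.10        0     RD|ST                  v1:2
      138    1.1.1.10        0     RD|ST                  v1:1
      342    1.1.3.10        0     RD|ST                  v1:2
      284    1.1.3.10        0     RD|ST                  v1:1
      409    1.1.254.10      0     RD|ST                  v1:2
        5    1.1.254.10      0     RD|ST                  v1:1

   Number of IKE SA : 6
"""

# Conn-ID, peer, VPN, optional flags, then "v<IKE version>:<phase>".
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?v(\d+):(\d+)\s*$")
COUNT = re.compile(r"Number of IKE SA\s*:\s*(\d+)")


def parse_ike_sa(output):
    """Return one dict per SA row; fail if the row count disagrees with the device."""
    sas, declared = [], None
    for line in output.splitlines():
        row = ROW.match(line)
        if row:
            conn, peer, _vpn, flags, version, phase = row.groups()
            sas.append({"conn_id": int(conn), "peer": peer,
                        "flags": set(flags.split("|")) if flags else set(),
                        "ike_version": int(version), "phase": int(phase)})
            continue
        count = COUNT.search(line)
        if count:
            declared = int(count.group(1))
    if declared is not None and declared != len(sas):
        raise ValueError(f"parsed {len(sas)} rows, device reports {declared}")
    return sas


def missing_tunnels(sas, expected_peers):
    """Expected peers that lack a READY (RD) phase 1 or phase 2 SA."""
    ready = {}
    for sa in sas:
        if "RD" in sa["flags"]:
            ready.setdefault(sa["peer"], set()).add(sa["phase"])
    return sorted(p for p in expected_peers if ready.get(p, set()) != {1, 2})


def dynamic_peers(sas, static_peers):
    """Peers that are not statically registered hubs (spoke-to-spoke tunnels)."""
    return sorted({sa["peer"] for sa in sas} - set(static_peers))


if __name__ == "__main__":
    for label, text in (("before ping", BEFORE_PING), ("after ping", AFTER_PING)):
        sas = parse_ike_sa(text)
        print(label, "missing:", missing_tunnels(sas, HUBS.values()),
              "dynamic:", dynamic_peers(sas, HUBS.values()))
```

An empty "missing" list means both hub tunnels are up; a peer whose phase 2 row is not in the RD state, or a hub with no rows at all, is reported by address.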
      

Configuration Files

  • Hub1 configuration file

    #
    sysname Hub1
    #                                                                               
    ipsec proposal pro1                                                             
     transform ah-esp                                                               
     ah authentication-algorithm sha2-256                                           
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-192                                               
    #                                                                               
    ike proposal 1                                                                  
     encryption-algorithm aes-256                                               
     dh group5                                                                      
     authentication-algorithm sha2-256                                              
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf aes-xcbc-128   
    #                                                                               
    ike peer hub1  
     undo version 2    
     pre-shared-key cipher %^%#r]yCG7r(%Obe2oGBu,[XG'[76vVusGq|D9KF,7K@%^%#
     ike-proposal 1                                                                 
     dpd type periodic                                                              
     dpd idle-time 40                                                               
    #                                                                               
    ipsec profile profile1                                                          
     ike-peer hub1                                                                  
     proposal pro1                                                                  
    # 
    interface GigabitEthernet1/0/0
     ip address 1.1.1.10 255.255.255.0
    # 
    interface LoopBack0
     ip address 10.1.0.1 255.255.255.0
    # 
    interface Tunnel0/0/0
     ip address 10.2.1.1 255.255.255.0
     tunnel-protocol gre p2mp
     source GigabitEthernet1/0/0
     gre key cipher %^%#q'~GF"30`<g3mxV46;`!_&1{>'e5ALQLkU6~+T>C%^%#
     ospf network-type p2mp
     ipsec profile profile1 
     nhrp authentication cipher %^%#!Noa/<I+/WhpAwVfx`QI=vcV),t#@Ihg=PQeN]%C%^%#
     nhrp redirect
     nhrp entry multicast dynamic
    # 
    ospf 1 router-id 10.2.1.1
     area 0.0.0.0
      network 10.2.1.0 0.0.0.255
      network 10.1.0.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.1.10
     area 0.0.0.1
      network 1.1.1.0 0.0.0.255
    # 
    return
    
  • Hub2 configuration file

    #
    sysname Hub2
    # 
    ipsec proposal pro1                                                             
     transform ah-esp                                                               
     ah authentication-algorithm sha2-256                                           
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-192   
    # 
    ike proposal 1                                                                  
     encryption-algorithm aes-256                                               
     dh group5                                                                      
     authentication-algorithm sha2-256                                              
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf aes-xcbc-128   
    #  
    ike peer hub2                                        
     undo version 2                        
     pre-shared-key cipher %^%#W8t$Ji82`Y-RX')iNvw9dZ3.K8bxvKioU4LNKx*7%^%#
     ike-proposal 1                                                                 
     dpd type periodic                                                              
     dpd idle-time 40                                                               
    #                 
    ipsec profile profile1                                                          
     ike-peer hub2                                                                  
     proposal pro1                                                                  
    # 
    interface GigabitEthernet1/0/0
     ip address 1.1.254.10 255.255.255.0
    # 
    interface LoopBack0
     ip address 10.1.0.2 255.255.255.0
    # 
    interface Tunnel0/0/0
     ip address 10.2.1.4 255.255.255.0
     tunnel-protocol gre p2mp                                                       
     source GigabitEthernet1/0/0
     gre key cipher %^%#[*8)P`\Ra>LdAI7Hamn2t=W5D$M]kMjMEH:9^tr-%^%#
     ospf network-type p2mp                                                         
     ipsec profile profile1                                                         
     nhrp authentication cipher %^%#T(U)=!7|/2^zbH",\BxIKTySV/5xQ*n+<U,dc!36%^%#
     nhrp redirect
     nhrp entry multicast dynamic
    # 
    ospf 1 router-id 10.2.1.4
     area 0.0.0.0
      network 10.2.1.0 0.0.0.255
      network 10.1.0.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.254.10
     area 0.0.0.1
      network 1.1.254.0 0.0.0.255
    # 
    return
    
  • Spoke1 configuration file

    #
    sysname Spoke1
    # 
    ipsec proposal pro1                                                             
     transform ah-esp                                                               
     ah authentication-algorithm sha2-256                                           
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-192                                               
    #                                                                               
    ike proposal 1                                                                  
     encryption-algorithm aes-256                                               
     dh group5                                                                      
     authentication-algorithm sha2-256                                              
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf aes-xcbc-128   
    #                                                                               
    ike peer spoke1 
     undo version 2           
     pre-shared-key cipher %^%#yRiB!lV4gKvCG_LJ&QDF'FuTPhzX,)QVajSs&M_I%^%#
     ike-proposal 1                                                                 
     dpd type periodic                                                              
     dpd idle-time 40                                                               
    #                                                                               
    ipsec profile profile1                                                          
     ike-peer spoke1                                                                
     proposal pro1                                                                  
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.2.10 255.255.255.0
    # 
    interface LoopBack0
     ip address 10.1.1.1 255.255.255.0
    # 
    interface Tunnel0/0/0
     ip address 10.2.1.2 255.255.255.0                                              
     tunnel-protocol gre p2mp                                                       
     source GigabitEthernet1/0/0
     gre key cipher %^%#qi,=:z}BQCPT5D>A}20MCIEc6-SBY*d<|bE~>i;2%^%#
     ospf network-type p2mp                                                         
     ipsec profile profile1                                                         
     nhrp authentication cipher %^%#e1an+f[D*$J{NJ4ubbMM$N1L1F2O6#O/u:-[EkSJ%^%#
     nhrp shortcut                                                                  
     nhrp registration interval 300                                                   
     nhrp entry 10.2.1.1 1.1.1.10 register 
     nhrp entry 10.2.1.4 1.1.254.10 register
    # 
    ospf 1 router-id 10.2.1.2
     area 0.0.0.0
      network 10.1.1.0 0.0.0.255 
      network 10.2.1.0 0.0.0.255
    # 
    ospf 2 router-id 1.1.2.10
     area 0.0.0.1
      network 1.1.2.0 0.0.0.255
    # 
    return
    
  • Spoke2 configuration file

    #
    sysname Spoke2
    # 
    ipsec proposal pro1                                                             
     transform ah-esp                                                               
     ah authentication-algorithm sha2-256                                           
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-192                                               
    #                                                                               
    ike proposal 1                                                                  
     encryption-algorithm aes-256                                               
     dh group5                                                                      
     authentication-algorithm sha2-256                                              
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf aes-xcbc-128   
    #                                                                               
    ike peer spoke2
     undo version 2
     pre-shared-key cipher %^%#yRiB!lV4gKvCG_LJ&QDF'FuTPhzX,)QVajSs&M_I%^%#
     ike-proposal 1                                                                 
     dpd type periodic                                                              
     dpd idle-time 40                                                               
    #                                                                               
    ipsec profile profile1                                                          
     ike-peer spoke2                                                                
     proposal pro1                                                                  
    #               
    interface GigabitEthernet1/0/0
     ip address 1.1.3.10 255.255.255.0
    # 
    interface LoopBack0
     ip address 10.1.2.1 255.255.255.0
    # 
    interface Tunnel0/0/0
     ip address 10.2.1.3 255.255.255.0                                              
     tunnel-protocol gre p2mp                                                       
     source GigabitEthernet1/0/0
     gre key cipher %^%#y0|R0B_>==#l"D)42/nU!;A56Zx=oDj,7O7>#:4.%^%#
     ospf network-type p2mp                                                         
     ipsec profile profile1                                                         
     nhrp authentication cipher %^%#FosR<0omi.W{)Y7gp`XP|I-V"|]+7S>{'T/(vKO0%^%#
     nhrp shortcut                                                                  
     nhrp registration interval 300                                                 
     nhrp entry 10.2.1.1 1.1.1.10 register 
     nhrp entry 10.2.1.4 1.1.254.10 register  
    #  
    ospf 1 router-id 10.2.1.3
     area 0.0.0.0
      network 10.1.2.0 0.0.0.255  
      network 10.2.1.0 0.0.0.255  
    # 
    ospf 2 router-id 1.1.3.10
     area 0.0.0.1
      network 1.1.3.0 0.0.0.255
    # 
    return
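
Step 5 requires the same authentication settings on all devices, and in this example every hub and spoke carries identical IKE and IPSec proposals. As an added example (not part of the original guide), this Python sketch parses configuration text in the layout shown above, reports proposal settings that differ between devices, and lists two settings a reviewer would question here: `dh group5` (1536-bit MODP) and `undo version 2` (IKEv1 only). The sample text is constructed from the files above with ciphertext omitted; the `group14` value used to simulate drift, the function names, and the reporting policy are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: crypto stanzas from the configuration files above,
# ciphertext omitted, templated per device.
TEMPLATE = """\
#
ipsec proposal pro1
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike proposal 1
 encryption-algorithm aes-256
 dh {dh}
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike peer {peer}
 undo version 2
 ike-proposal 1
#
"""

# Example reporting policy (an assumption of this sketch): MODP groups
# smaller than 2048 bits, mapped to their modulus size in bits.
SMALL_DH = {"group1": 768, "group2": 1024, "group5": 1536}

def parse_stanzas(text):
    """Split a config into {stanza header: [indented body lines]}."""
    stanzas, header = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "#":
            header = None                      # '#' separates stanzas
        elif not line.startswith(" "):
            header = line
            stanzas[header] = []
        elif header is not None:
            stanzas[header].append(line.strip())
    return stanzas

def proposal_settings(text):
    """Flatten IKE/IPSec proposal stanzas into {(stanza, keyword): value}."""
    out = {}
    for header, body in parse_stanzas(text).items():
        if header.startswith(("ike proposal", "ipsec proposal")):
            for line in body:
                keyword, _, value = line.rpartition(" ")
                out[(header, keyword)] = value
    return out

def find_mismatches(configs):
    """Return {(stanza, keyword): {device: value}} where devices disagree."""
    seen = defaultdict(dict)
    for device, text in configs.items():
        for key, value in proposal_settings(text).items():
            seen[key][device] = value
    return {key: per_dev for key, per_dev in seen.items()
            if len(per_dev) < len(configs) or len(set(per_dev.values())) > 1}

def policy_findings(text):
    """List settings in one device's config that the example policy reports."""
    findings = []
    for header, body in parse_stanzas(text).items():
        if header.startswith("ike proposal"):
            for line in body:
                m = re.fullmatch(r"dh (group\d+)", line)
                if m and m.group(1) in SMALL_DH:
                    bits = SMALL_DH[m.group(1)]
                    findings.append(f"{header}: dh {m.group(1)} is {bits}-bit MODP")
        elif header.startswith("ike peer") and "undo version 2" in body:
            findings.append(f"{header}: IKEv2 disabled, IKEv1 only")
    return findings

def build_sample(spoke2_dh="group5"):
    """Build the four constructed configs; spoke2_dh lets one device drift."""
    peers = {"Hub1": "hub1", "Hub2": "hub2", "Spoke1": "spoke1", "Spoke2": "spoke2"}
    return {name: TEMPLATE.format(peer=peer,
                                  dh=spoke2_dh if name == "Spoke2" else "group5")
            for name, peer in peers.items()}

if __name__ == "__main__":
    print(find_mismatches(build_sample("group14")))   # Spoke2 drifted
    print(policy_findings(build_sample()["Hub1"]))
```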
    
Updated: 2019-04-12

Document ID: EDOC1100041799
