
NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

IPsec NAT Traversal Scenario

Example for Configuring IPsec NAT Traversal

Networking Requirements

When a NAT gateway exists between the local and remote devices used for IPsec negotiation, NAT traversal capabilities need to be negotiated between the local and remote ends of the IPsec tunnel. Therefore, the local and remote devices must be able to support NAT traversal.

On the network shown in Figure 12-15, the headquarters egress gateway Device A and the branch egress gateway Device B are separated by the NAT device NATER, which translates addresses between them. The two gateways establish an IPsec tunnel that supports NAT traversal and negotiate it in aggressive mode.

Figure 12-15 Configuring IPsec NAT traversal
NOTE:

Interface 1 and interface 2 in this example stand for GE 0/1/1 and GE 0/1/2, respectively.
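The Networking Requirements paragraph states that NAT traversal capabilities are negotiated between the IPsec peers. What that negotiation changes on the wire is fixed by RFC 3948: once both peers detect a NAT in the path, IKE moves from UDP port 500 to 4500 with a four-byte zero "Non-ESP marker" in front of the IKE header, ESP is carried inside UDP on the same port (its SPI comes first, and SPI 0 is reserved, so the marker cannot be confused with ESP), and single-byte 0xFF keepalives hold the NAT mapping open. The Python classifier below is an added example, not part of this Huawei guide; it separates those datagram types on port 4500 so a monitoring tool can confirm that a tunnel really negotiated NAT-T and that only aggressive-mode IKEv1 (the mode this guide supports with NAT traversal) is in use. The sample datagrams, SPIs and payloads are constructed dummies.

```python
"""Classify UDP/4500 datagrams produced by IPsec NAT traversal (RFC 3948 framing).
Added example, not Huawei code; the sample datagrams below are constructed dummies."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List

NON_ESP_MARKER = b"\x00\x00\x00\x00"      # RFC 3948 2.2: four zero bytes precede IKE on port 4500
NAT_KEEPALIVE = b"\xff"                   # RFC 3948 2.3: one-octet NAT keepalive
IKE_HEADER = struct.Struct("!QQBBBBII")   # ISAKMP/IKE fixed header: SPIs, next, version, exchange, flags, msg id, length
IKEV1_EXCHANGES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}


@dataclass
class Classification:
    kind: str                                   # "ike", "esp", "keepalive" or "malformed"
    detail: Dict[str, object] = field(default_factory=dict)


def classify_udp4500(payload: bytes) -> Classification:
    """Decide what a UDP/4500 payload is, using only the RFC 3948 framing rules."""
    if payload == NAT_KEEPALIVE:
        return Classification("keepalive")
    if payload.startswith(NON_ESP_MARKER):      # ESP never starts with SPI 0, so this is IKE
        body = payload[len(NON_ESP_MARKER):]
        if len(body) < IKE_HEADER.size:
            return Classification("malformed", {"reason": "truncated IKE header"})
        ispi, rspi, _next, version, exch, _flags, msg_id, length = IKE_HEADER.unpack(body[:IKE_HEADER.size])
        major = version >> 4
        exchange = IKEV1_EXCHANGES.get(exch, "other") if major == 1 else "ikev2"
        return Classification("ike", {"major_version": major, "exchange": exchange, "initiator_spi": ispi,
                                      "responder_spi": rspi, "message_id": msg_id, "length_ok": length == len(body)})
    if len(payload) < 8:
        return Classification("malformed", {"reason": "truncated ESP header"})
    spi, seq = struct.unpack("!II", payload[:8])  # UDP-encapsulated ESP: SPI then sequence number
    return Classification("esp", {"spi": spi, "seq": seq})


def review(datagrams: List[bytes]) -> List[str]:
    """Flag what this guide's precautions care about: IKEv1 main mode on 4500 and broken framing."""
    notes = []
    for i, d in enumerate(datagrams):
        c = classify_udp4500(d)
        if c.kind == "ike" and c.detail["exchange"] == "main":
            notes.append(f"#{i}: IKEv1 main mode on UDP/4500; this guide supports NAT traversal only in aggressive mode")
        elif c.kind == "ike" and not c.detail["length_ok"]:
            notes.append(f"#{i}: IKE length field disagrees with datagram size")
        elif c.kind == "malformed":
            notes.append(f"#{i}: malformed ({c.detail['reason']})")
    return notes


def _ike(exchange_type: int, ispi: int, rspi: int = 0, payload: bytes = b"") -> bytes:
    """Build a constructed IKEv1 datagram as it appears on port 4500 (next payload 1 = SA)."""
    header = IKE_HEADER.pack(ispi, rspi, 1, 0x10, exchange_type, 0, 0, IKE_HEADER.size + len(payload))
    return NON_ESP_MARKER + header + payload


# Constructed samples: dummy SPIs, empty IKE body, dummy ESP ciphertext.
SAMPLE_AGGRESSIVE = _ike(4, 0x1122334455667788)
SAMPLE_MAIN = _ike(2, 0x0A0B0C0D0E0F1011)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + bytes(16)
SAMPLE_TRUNCATED = NON_ESP_MARKER + b"\x01"
SAMPLES = [SAMPLE_AGGRESSIVE, SAMPLE_MAIN, SAMPLE_ESP, NAT_KEEPALIVE, SAMPLE_TRUNCATED]

if __name__ == "__main__":
    for d in SAMPLES:
        print(classify_udp4500(d))
    print("\n".join(review(SAMPLES)))
```

The classifier keys only on the framing, not on decrypting anything, which is all a passive monitor has; a capture in which port 4500 carries IKE but never UDP-encapsulated ESP is the usual sign that NAT-T was negotiated but the data path is not flowing.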



Procedure

  1. Configure Device A.

    #
     sysname DeviceA  //Configure the host name of the device.
    #
    service-location 1
     location slot 1
    #
    service-instance-group 1
     service-location 1
    #
    ike dpd interval 10 10  //Deploying the DPD function is recommended.
    #
    acl number 3000  //Configure an ACL.
     rule 0 permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
    #
    ipsec proposal rta  //Configure an IPsec proposal.
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 192
    #
    ike proposal 1  //Configure an IKE proposal.
     dh group2
    #
    ike peer rta  //Configure an IKE peer.
     ike-proposal 1
     exchange-mode aggressive  //Configure the IKE negotiation mode as aggressive.
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#  //Configure the PSK as huawei in ciphertext.
     local-id-type ip  //Configure the IKE ID in the IP format.
     nat traversal  //Enable NAT traversal.
    #
    ipsec policy-template rta_temp 1  //Configure the first IPsec policy template.
     ike-peer rta
     proposal rta
     security acl 3000
    #
    ipsec policy rta 1 isakmp template rta_temp  //Configure an IPsec policy that references the policy template.
    #
    interface Tunnel1
     ip address 1.2.0.1 24
     tunnel-protocol ipsec
     ipsec policy rta service-instance-group 1
    #
    interface gigabitethernet0/1/1
     ip address 1.2.1.1 255.255.255.0
    #
    interface gigabitethernet0/1/2
     ip address 10.1.0.1 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 1.2.1.0 0.0.0.255
    #
    return

  2. Configure Device B.

    #
     sysname DeviceB  //Configure a host name for the device.
    #
    service-location 1
     location slot 1
    #
    service-instance-group 1
     service-location 1
    #
    ike dpd interval 10 10  //Deploying the DPD function is recommended.
    #
    acl number 3000  //Configure an ACL.
     rule 0 permit ip source 10.2.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
    #
    ipsec proposal rtb  //Configure an IPsec proposal.
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 192
    #
    ike proposal 1  //Configure an IKE proposal.
     dh group2
    #
    ike peer rtb  //Configure an IKE peer.
     ike-proposal 1
     exchange-mode aggressive  //Configure the IKE negotiation mode as aggressive.
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#  //Configure the PSK as huawei in ciphertext.
     local-id-type ip  //Configure the IKE ID in the IP format.
     remote-address 1.2.0.1  //Configure the IP address of the IKE peer.
     nat traversal  //Enable NAT traversal.
    #
    ipsec policy rtb 1 isakmp  //Configure an IPsec policy.
     security acl 3000
     ike-peer rtb
     proposal rtb
    #
    interface Tunnel1
     ip address 192.168.0.2 24
     tunnel-protocol ipsec
     ipsec policy rtb service-instance-group 1
    #
    interface gigabitethernet0/1/1
     ip address 192.168.1.2 255.255.255.0
    #
    interface gigabitethernet0/1/2
     ip address 10.2.0.1 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 192.168.1.0 0.0.0.255
    #
    ip route-static 10.1.0.0 255.255.255.0 Tunnel1 1.2.0.1  //Configure a static route to the network segment 10.1.0.0.
    ip route-static 1.2.0.1 255.255.255.255 192.168.1.1  //Configure a static route to the Device A tunnel interface.
    #
    return

  3. Configure NATER.

    #
     sysname NATER  //Configure the host name of the device.
    #                                         
    service-location 1
     location slot 1
    #
    service-instance-group 1
     service-location 1
    #
    nat instance nat1 id 1
     service-instance-group 1
     nat address-group address-group1 group-id 1 10.34.160.101 10.34.160.105
    #
    acl number 3000  //Configure ACL 3000.
     rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 1.2.0.0 0.0.0.255
    #                                         
    interface gigabitethernet0/1/1                   
     ip address 1.2.1.2 255.255.255.0         
     nat bind acl 3000 instance nat1  //Configure NAT outbound on the interface.
    #                                         
    interface gigabitethernet0/1/2            
     ip address 192.168.1.1 255.255.255.0  
    #
    ospf 1
     import-route unr
     area 0.0.0.0
      network 1.2.1.0 0.0.0.255
      network 192.168.1.0 0.0.0.255
    #
    ip route-static 1.2.0.1 32  1.2.1.1  //Configure the static route destined to DeviceA Tunnel interface.
    ip route-static 192.168.0.2 32  192.168.1.2  //Configure the static route destined to DeviceB Tunnel interface. 
    #
    return 

  4. Verify the configuration.

    After an IPsec session has been established by pinging from one site to the other, run the display ike sa verbose remote ip-address and display ipsec sa commands on Device A. The command output shows the established IKE SA and IPsec SAs of the tunnel.

Precautions
  • Configure NATER so that Device A and Device B can reach each other.
  • Device A, the responder in the IPsec negotiation, must use a security policy template.
  • NAT traversal must be enabled on both Device A and Device B.
  • Only the tunnel encapsulation mode is supported.
  • IKE negotiation in main mode does not support IPsec NAT traversal.
  • Configure DPD.

Configuring GRE over IPsec + OSPF for NAT Traversal

Networking Requirements

On the network shown in Figure 12-16, the headquarters provides IPsec VPN access to multiple branches, and NAT is configured on the egress routers of the branches. The headquarters and branches perform NAT traversal negotiation in aggressive mode. The headquarters uses a security policy template to establish GRE tunnels with the branches through loopback interfaces. The branches use ACLs to establish GRE over IPsec tunnels with the headquarters through their loopback interfaces.

Figure 12-16 Configuring GRE over IPsec + OSPF for NAT traversal
NOTE:

Interface 1 and interface 2 in this example stand for GE 0/1/1 and GE 0/1/2, respectively.



Procedure

  1. Configure DeviceA.

    #
     sysname DeviceA
    #
    service-location 1
     location slot 2
    #
    service-instance-group group1
     service-location 1
    #
    router id 172.16.0.1  //Configure a router ID for OSPF.
    #
    ike dpd interval 10 10  //Deploying the DPD function is recommended.
    #
    acl number 3000  //Configure ACL 3000. Each rule needs its own number; re-entering a number replaces the earlier rule.
     rule 0 permit gre source 172.16.0.1 0 destination 192.168.1.1 0
     rule 5 permit gre source 172.16.0.1 0 destination 192.168.2.1 0
    #
    ipsec proposal default  //Configure the default IPsec proposal.
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 192
    #
    ike proposal 1  //Configure the IKE proposal.
     dh group2
    #
    ike peer branch  //Configure the IKE peer for the branches.
     ike-proposal 1
     exchange-mode aggressive  //Configure the aggressive mode.
     pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#  //Configure the PSK as 123-branch in ciphertext.
     local-id-type ip
     nat traversal
    #
    ipsec policy-template branch 1  //Configure IPsec policy template branch with sequence number 1 for the branches.
     ike-peer branch
     proposal default
    #
    ipsec policy policy1 1 isakmp template branch  //Create IPsec policy policy1 from the policy template for the branches.
    #
    interface gigabitethernet0/1/2  //Configure the external network interface of the headquarters.
     ip address 1.1.1.60 255.255.255.0
    #
    interface gigabitethernet0/1/1  //Configure the internal network interface of the headquarters.
     ip address 172.16.1.1 255.255.255.0
    #
    interface LoopBack0  //Configure the loopback interface used as the GRE tunnel source.
     ip address 172.16.0.1 255.255.255.255
    #
    interface Tunnel0  //Configure the GRE tunnel to branch 1.
     ip address 192.168.0.1 255.255.255.252
     tunnel-protocol gre
     source LoopBack0
     destination 192.168.1.1
    #
    interface Tunnel1  //Configure the GRE tunnel to branch 2.
     ip address 192.168.0.5 255.255.255.252
     tunnel-protocol gre
     source LoopBack0
     destination 192.168.2.1
    #
    interface Tunnel2  //Configure the IPsec tunnel interface that applies the policy.
     ip address 1.0.1.60 24
     tunnel-protocol ipsec
     ipsec policy policy1 service-instance-group group1
    #
    ospf 1  //Configure OSPF routes.
     area 0.0.0.0
      network 192.168.0.1 0.0.0.3
      network 172.16.1.0 0.0.0.255
      network 192.168.0.5 0.0.0.3
    #
    ip route-static 10.0.1.2 255.255.255.255 1.1.1.61  //Configure static routes to the branch IPsec tunnel interfaces.
    ip route-static 10.0.2.2 255.255.255.255 1.1.1.61
    #
    return

  2. Configure DeviceB.

    #
     sysname DeviceB
    #
    service-location 1
     location slot 2
    #
    service-instance-group group1
     service-location 1
    #
    router id 192.168.1.1  //Configure a router ID for OSPF.
    #
    ike dpd interval 10 10  //Deploying the DPD function is recommended.
    #
    acl number 3000  //Configure ACL 3000 to match GRE traffic to the headquarters.
     rule 0 permit gre source 192.168.1.1 0 destination 172.16.0.1 0
    #
    ipsec proposal default  //Configure the default IPsec proposal.
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 192
    #
    ike proposal 1  //Configure the IKE proposal.
     dh group2
    #
    ike peer center  //Configure the IKE peer for the headquarters.
     ike-proposal 1
     exchange-mode aggressive  //Configure the aggressive mode.
     pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#  //Configure the PSK as 123-branch in ciphertext.
     local-id-type ip
     nat traversal
     remote-address 1.0.1.60
    #
    ipsec policy center 1 isakmp  //Configure IPsec policy center with sequence number 1 for the headquarters.
     security acl 3000
     ike-peer center
     proposal default
    #
    interface gigabitethernet0/1/1  //Configure the external network interface of branch 1.
     ip address 10.1.1.2 255.255.255.0
    #
    interface gigabitethernet0/1/2  //Configure the internal network interface of branch 1.
     ip address 192.168.11.1 255.255.255.0
    #
    interface LoopBack0  //Configure the loopback interface used as the GRE tunnel source and the OSPF router ID.
     ip address 192.168.1.1 255.255.255.255
    #
    interface Tunnel0  //Configure the GRE tunnel to the headquarters.
     ip address 192.168.0.2 255.255.255.252
     tunnel-protocol gre
     source LoopBack0
     destination 172.16.0.1
    #
    interface Tunnel1  //Configure the IPsec tunnel interface that applies the policy.
     ip address 10.0.1.2 24
     tunnel-protocol ipsec
     ipsec policy center service-instance-group group1
    #
    ospf 1  //Configure OSPF routes.
     area 0.0.0.0
      network 192.168.11.0 0.0.0.255
      network 192.168.0.2 0.0.0.3
    #
    ip route-static 1.0.1.60 255.255.255.255 10.1.1.1  //Configure a static route to the headquarters IPsec tunnel interface.
    ip route-static 0.0.0.0 0.0.0.0 Tunnel1 10.0.1.1  //Configure the default route.
    #
    return

  3. Configure DeviceC.

    #
     sysname DeviceC
    #
    service-location 1
     location slot 2
    #
    service-instance-group group1
     service-location 1
    #
    router id 192.168.2.1  //Configure a router ID for OSPF.
    #
    ike dpd interval 10 10  //Deploying the DPD function is recommended.
    #
    acl number 3000  //Configure ACL 3000 to match GRE traffic to the headquarters.
     rule 0 permit gre source 192.168.2.1 0 destination 172.16.0.1 0
    #
    ipsec proposal default  //Configure the default IPsec proposal.
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 192
    #
    ike proposal 1  //Configure the IKE proposal.
     dh group2
    #
    ike peer center  //Configure the IKE peer for the headquarters.
     ike-proposal 1
     exchange-mode aggressive  //Configure the aggressive mode.
     pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%#  //Configure the PSK as 123-branch in ciphertext.
     local-id-type ip
     nat traversal
     remote-address 1.0.1.60
    #
    ipsec policy center 1 isakmp  //Configure IPsec policy center with sequence number 1 for the headquarters.
     security acl 3000
     ike-peer center
     proposal default
    #
    interface gigabitethernet0/1/1  //Configure the external network interface of branch 2.
     ip address 10.1.2.2 255.255.255.0
    #
    interface gigabitethernet0/1/2  //Configure the internal network interface of branch 2.
     ip address 192.168.12.1 255.255.255.0
    #
    interface LoopBack0  //Configure the loopback interface used as the GRE tunnel source and the OSPF router ID.
     ip address 192.168.2.1 255.255.255.255
    #
    interface Tunnel0  //Configure the GRE tunnel to the headquarters.
     ip address 192.168.0.6 255.255.255.252
     tunnel-protocol gre
     source LoopBack0
     destination 172.16.0.1
    #
    interface Tunnel1  //Configure the IPsec tunnel interface that applies the policy.
     ip address 10.0.2.2 24
     tunnel-protocol ipsec
     ipsec policy center service-instance-group group1
    #
    ospf 1  //Configure OSPF routes.
     area 0.0.0.0
      network 192.168.0.6 0.0.0.3
      network 192.168.12.0 0.0.0.255
    #
    ip route-static 1.0.1.60 255.255.255.255 10.1.2.1  //Configure a static route to the headquarters IPsec tunnel interface.
    ip route-static 0.0.0.0 0.0.0.0 Tunnel1 10.0.2.1  //Configure the default route.
    #
    return

  4. Configure NAT1.

    #
     sysname NAT1
    #
    service-location 1
     location slot 2
    #
    service-instance-group group1
     service-location 1
    #
    nat instance nat1 id 1  //Create the NAT instance and bind it to the service-instance group defined above.
     service-instance-group group1
     nat address-group address-group1 group-id 1 11.0.0.1 11.0.0.10  //Configure a NAT address pool.
    #
    acl number 2000  //Match the branch 2 source addresses to be translated.
     rule 0 permit source 10.1.2.0 0.0.0.255
    #
    interface gigabitethernet0/1/1  //Configure the external network interface for NAT.
     ip address 1.0.3.1 255.255.255.0
     nat bind acl 2000 instance nat1
    #
    interface gigabitethernet0/1/2  //Configure the interface connecting to the branch 2 router.
     ip address 10.1.2.1 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 1.0.3.2  //Configure the default route.
    #
    return

  5. Configure NAT2.

    #
     sysname NAT2
    #
    service-location 1
     location slot 2
    #
    service-instance-group group1
     service-location 1
    #
    nat instance nat1 id 1  //Create the NAT instance and bind it to the service-instance group defined above.
     service-instance-group group1
     nat address-group address-group1 group-id 1 12.0.0.1 12.0.0.10  //Configure a NAT address pool.
    #
    acl number 2000  //Match the branch 1 source addresses to be translated.
     rule 0 permit source 10.1.1.0 0.0.0.255
    #
    interface gigabitethernet0/1/1  //Configure the external network interface for NAT.
     ip address 1.0.2.1 255.255.255.0
     nat bind acl 2000 instance nat1
    #
    interface gigabitethernet0/1/2  //Configure the interface connecting to the branch 1 router.
     ip address 10.1.1.1 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 1.0.2.2  //Configure the default route.
    #
    return

  6. Verify the configuration.

    On Device A, Device B, or Device C, run the display ike sa command. The command output displays the established IKE SAs.

    On Device A or Device B, run the display ip routing-table command. The command output displays information about routes from the tunnel interface to the user-side interface.

    The headquarters and branches can communicate with each other.

Precautions
  • Do not configure deny rules in the headquarters ACL; otherwise, data flows fail to be transmitted over the IPsec tunnel.
  • Only one IPsec policy (one policy name) can be created on the headquarters; each sequence number under it corresponds to one IKE peer.
  • The external routes between the headquarters and the branches must be reachable.
  • Configure DPD.
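Both Precautions lists on this page (the one for the IPsec NAT traversal example and the one above for GRE over IPsec + OSPF) are requirements that can be checked mechanically before a configuration is committed: NAT traversal and aggressive mode on every IKE peer, DPD present, a policy template on the headquarters responder, a single IPsec policy and no deny rules in the headquarters ACL, and branch ACL rules that mirror the headquarters rules with source and destination swapped. The Python script below is an added example, not Huawei tooling. It parses configuration text in the layout used on this page (unindented headers, one-space-indented child lines, `#` separators, `//` comments) and reports violations; the sample configs are constructed excerpts of the Device A and Device B configs above, with Device A deliberately given two `rule 0` entries to show why ACL rule numbers must differ. It assumes VRP behaviour that re-entering an existing rule number replaces that rule.

```python
"""Audit IPsec NAT traversal configs against this guide's precautions.
Added example, not Huawei tooling; assumes that re-entering an ACL rule number replaces that rule."""
import re
from typing import Dict, List, Optional, Set, Tuple

Block = Tuple[str, List[str]]            # (header line, child lines)
Rule = Tuple[str, str, str, str, str]     # (proto, src, src-wc, dst, dst-wc)
RULE_RE = re.compile(r"rule (\d+) (permit|deny)(?: (\S+) source (\S+) (\S+) destination (\S+) (\S+))?")


def parse_config(text: str) -> List[Block]:
    """Unindented lines start a block; indented lines belong to it; '#' and '//' comments are ignored."""
    blocks: List[Block] = []
    for raw in text.splitlines():
        code = raw.split("//", 1)[0].rstrip()
        if not code.strip() or code.strip() == "#":
            continue
        if code.startswith(" ") and blocks:
            blocks[-1][1].append(code.strip())
        else:
            blocks.append((code.strip(), []))
    return blocks


def acl_rules(children: List[str]) -> Tuple[Dict[str, Tuple[str, Optional[Rule]]], List[str]]:
    """Surviving rules (number -> (action, match)) plus the numbers that were entered twice."""
    rules: Dict[str, Tuple[str, Optional[Rule]]] = {}
    dups: List[str] = []
    for child in children:
        m = RULE_RE.match(child)
        if m:
            num, action, proto, src, swc, dst, dwc = m.groups()
            if num in rules:
                dups.append(num)                      # later entry replaces the earlier one
            rules[num] = (action, (proto, src, swc, dst, dwc) if proto else None)
    return rules, dups


def audit_device(text: str, role: str) -> List[str]:
    """role: 'hub' (responder using a policy template) or 'spoke'. Returns readable findings."""
    blocks = parse_config(text)
    findings: List[str] = []

    def select(prefix: str) -> List[Block]:
        return [b for b in blocks if b[0].startswith(prefix)]

    if not select("ike dpd interval"):
        findings.append("DPD not configured (ike dpd interval)")
    for header, kids in select("ike peer "):
        peer = header.split()[2]
        if "nat traversal" not in kids:
            findings.append(f"ike peer {peer}: nat traversal not enabled")
        if "exchange-mode aggressive" not in kids:
            findings.append(f"ike peer {peer}: not aggressive mode; main mode does not support NAT traversal")
    if role == "hub":
        policies = select("ipsec policy ")             # 'ipsec policy-template' does not match this prefix
        if len({h.split()[2] for h, _ in policies}) > 1:
            findings.append("hub defines more than one IPsec policy; only one is allowed")
        findings += [f"{h}: responder must reference a policy template" for h, _ in policies if "isakmp template" not in h]
    for header, kids in select("acl number "):
        acl = header.split()[2]
        rules, dups = acl_rules(kids)
        findings += [f"acl {acl}: rule {n} entered twice; the later entry replaces the earlier one" for n in dups]
        if role == "hub" and any(a == "deny" for a, _ in rules.values()):
            findings.append(f"acl {acl}: deny rule on the hub blocks traffic over the tunnel")
    return findings


def effective_permits(text: str) -> Set[Rule]:
    """Permit rules that actually remain once duplicate numbers have replaced earlier entries."""
    out: Set[Rule] = set()
    for header, kids in parse_config(text):
        if header.startswith("acl number "):
            out |= {r for a, r in acl_rules(kids)[0].values() if a == "permit" and r}
    return out


def acl_mirrored(hub_text: str, spoke_text: str) -> bool:
    """Every spoke permit rule must exist on the hub with source and destination swapped."""
    hub = effective_permits(hub_text)
    return all((p, d, dw, s, sw) in hub for p, s, sw, d, dw in effective_permits(spoke_text))


# Constructed excerpts of the Device A (hub) and Device B (branch 1) configs above.
HUB = """\
ike dpd interval 10 10
#
acl number 3000
 rule 0 permit gre source 172.16.0.1 0 destination 192.168.1.1 0
 rule 0 permit gre source 172.16.0.1 0 destination 192.168.2.1 0  //same number: replaces the rule above
#
ike peer branch
 ike-proposal 1
 exchange-mode aggressive
 nat traversal
#
ipsec policy policy1 1 isakmp template branch
"""
HUB_FIXED = HUB.replace("rule 0 permit gre source 172.16.0.1 0 destination 192.168.2.1",
                        "rule 5 permit gre source 172.16.0.1 0 destination 192.168.2.1")
SPOKE = """\
ike dpd interval 10 10
#
acl number 3000
 rule 0 permit gre source 192.168.1.1 0 destination 172.16.0.1 0
#
ike peer center
 ike-proposal 1
 exchange-mode aggressive
 nat traversal
#
ipsec policy center 1 isakmp
 security acl 3000
 ike-peer center
"""
# A branch that violates three precautions at once: no DPD, main mode, no NAT traversal.
BAD_SPOKE = SPOKE.replace("ike dpd interval 10 10\n", "").replace(
    "exchange-mode aggressive", "exchange-mode main").replace(" nat traversal\n", "")

if __name__ == "__main__":
    for name, text, role in (("DeviceA", HUB, "hub"), ("DeviceB", SPOKE, "spoke"), ("bad branch", BAD_SPOKE, "spoke")):
        print(name, audit_device(text, role) or ["ok"])
    print("mirrored as written:", acl_mirrored(HUB, SPOKE), "| with rule 5:", acl_mirrored(HUB_FIXED, SPOKE))
```

Run against the constructed Device A excerpt, the audit reports only the repeated rule number, and `acl_mirrored` then fails for branch 1 because the surviving rule 0 covers branch 2 alone; renumbering the second entry to rule 5 makes the mirror check pass, which is the behaviour the "rule numbers must differ" comment in the Device A configuration above refers to.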

Updated: 2019-01-02

Document ID: EDOC1100055397

Views: 25717

Downloads: 52

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next