NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Common IPsec Tunnel Scenario

Example for Configuring a Point-to-Point IPsec Tunnel in IKE IPsec Policy Mode

To establish an IPsec tunnel in IKE mode, configure the parameters that the IKE negotiation needs; IKE then negotiates, creates, and maintains the SAs automatically.

Networking Requirements

As shown in Figure 12-6, network A and network B connect to the Internet through Device A and Device B respectively. The network environment is as follows:

  • Network A is in the network segment of 10.1.1.0/24. This network connects to Device A through GE 0/1/1.

  • Network B is in the network segment of 10.1.2.0/24. This network connects to Device B through GE 0/1/1.

  • Routes between Device A and Device B are available.

  • The IPsec functions of Device A and Device B reside in slot 1.

Figure 12-6 shows the typical gateway-to-gateway networking.

Figure 12-6 Typical gateway-to-gateway networking
NOTE:

Interfaces 1 and 2 in this example are GE 0/1/1 and GE 0/1/2, respectively.


Configuration Notes

After configuring an IPsec tunnel, ensure that the two tunnel endpoints can reach each other over the public network; otherwise the IKE negotiation cannot start.

Configuration Roadmap

This example describes how to configure an IPsec tunnel through IKE in gateway-to-gateway networking mode. The encapsulation mode is tunnel mode.

  1. Set the IP addresses for the interfaces.

  2. Create and configure the tunnel interface.

  3. Configure routes to the public network. Static routes are generally used.

  4. Configure the ACL to define the data flows that need to be protected.

  5. Configure the IPsec proposal.

  6. Configure the IKE proposal.

  7. Configure the IKE peer.

  8. Configure the IPsec policy.

  9. Configure the IPsec service instance group.

  10. Apply the IPsec policy to the tunnel interface.

Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of the interfaces
  • IP addresses of the tunnel interfaces
  • IP address segments of each network
  • Pre-shared key
  • Security protocol, encryption algorithm, and authentication algorithm adopted in an IPsec proposal
  • Authentication algorithm adopted in an IKE proposal

Procedure

  • Configure Device A.
    1. Set the IP addresses of interfaces.

      1. Set the IP address of GE 0/1/1.

        <DeviceA> system-view
        [~DeviceA] interface GigabitEthernet 0/1/1
        [~DeviceA-GigabitEthernet0/1/1] ip address 10.1.1.1 24
        [*DeviceA-GigabitEthernet0/1/1] quit
        [*DeviceA] commit
      2. Set the IP address of GE 0/1/2

        [~DeviceA] interface GigabitEthernet 0/1/2
        [~DeviceA-GigabitEthernet0/1/2] ip address 172.16.163.1 24
        [*DeviceA-GigabitEthernet0/1/2] quit
        [*DeviceA] commit

    2. Create and configure the tunnel interface.

      [~DeviceA] interface Tunnel 10
      [*DeviceA-Tunnel10] tunnel-protocol ipsec
      [*DeviceA-Tunnel10] ip address 192.168.1.1 32
      [*DeviceA-Tunnel10] quit
      [*DeviceA] commit

    3. Configure a static route to network B with Tunnel 10 as the outbound interface and 192.168.1.2 (the peer's tunnel interface address) as the next hop, plus a host route to that next hop through the public network. Assume that the public-network next hop of Device A is 172.16.163.2.

      [~DeviceA] ip route-static 10.1.2.0 255.255.255.0 Tunnel 10 192.168.1.2
      [*DeviceA] ip route-static 192.168.1.2 255.255.255.255 172.16.163.2
      [*DeviceA] commit

    4. Configure advanced ACL 3000 to define the flow to be protected: traffic from PC A (10.1.1.2) to PC B (10.1.2.2).

      [~DeviceA] acl 3000
      [*DeviceA-acl-adv-3000] rule permit ip source 10.1.1.2 0.0.0.0 destination 10.1.2.2 0.0.0.0
      [*DeviceA-acl-adv-3000] quit
      [*DeviceA] commit

    5. Configure an IPsec proposal named tran1.

      [~DeviceA] ipsec proposal tran1
      [*DeviceA-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*DeviceA-ipsec-proposal-tran1] transform esp
      [*DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*DeviceA-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*DeviceA-ipsec-proposal-tran1] quit
      [*DeviceA] commit

    6. Configure IKE proposal 10.

      [~DeviceA] ike proposal 10
      [*DeviceA-ike-proposal-10] authentication-method pre-share
      [*DeviceA-ike-proposal-10] authentication-algorithm sha2-256
      [*DeviceA-ike-proposal-10] dh group14
      [*DeviceA-ike-proposal-10] quit
      [*DeviceA] commit

    7. Configure an IKE peer named b.

      [~DeviceA] ike peer b
      [*DeviceA-ike-peer-b] ike-proposal 10
      [*DeviceA-ike-peer-b] remote-address 192.168.1.2
      [*DeviceA-ike-peer-b] pre-shared-key abcde
      [*DeviceA-ike-peer-b] quit
      [*DeviceA] commit
      NOTE:

      The NE20E enables IKEv1 and IKEv2 at the same time. If the peer does not support IKEv2, disable IKEv2 so that IKEv1 is used for the negotiation.

      The pre-shared key must be identical on both peers. The key abcde is a placeholder for this example; use a long, random key in production, because anyone who knows it can authenticate as the peer.

    8. Configure IKE dead peer detection (DPD) so that the SAs of a peer that stops responding are torn down.

      [~DeviceA] ike dpd 100
      [*DeviceA] commit

    9. Configure IPsec policy map1 with sequence number 10 in ISAKMP (IKE negotiation) mode.

      [~DeviceA] ipsec policy map1 10 isakmp
      [*DeviceA-ipsec-policy-isakmp-map1-10] security acl 3000
      [*DeviceA-ipsec-policy-isakmp-map1-10] proposal tran1
      [*DeviceA-ipsec-policy-isakmp-map1-10] ike-peer b
      [*DeviceA-ipsec-policy-isakmp-map1-10] quit
      [*DeviceA] commit

    10. Configure IPsec service instance group group1 and bind it to the slot that hosts the IPsec service.

      • The service-location configuration on the NE20E-S2E/NE20E-S2F is as follows:
        [~DeviceA] service-location 1
        [*DeviceA-service-location-1] location slot 2
        [*DeviceA-service-location-1] commit
        [~DeviceA-service-location-1] quit
      [~DeviceA] service-instance-group group1
      [*DeviceA-service-instance-group-group1] service-location 1
      [*DeviceA-service-instance-group-group1] commit
      [~DeviceA-service-instance-group-group1] quit
      

    11. Apply IPsec policy map1 to Tunnel 10.

      [~DeviceA] interface Tunnel 10
      [~DeviceA-Tunnel10] ipsec policy map1 service-instance-group group1
      [*DeviceA-Tunnel10] quit
      [*DeviceA] commit

  • Configure Device B.
    1. Set the IP addresses of interfaces.

      1. Set the IP address of GE 0/1/1.

        <DeviceB> system-view
        [~DeviceB] interface gigabitethernet 0/1/1
        [~DeviceB-GigabitEthernet0/1/1] ip address 10.1.2.1 24
        [*DeviceB-GigabitEthernet0/1/1] quit
        [*DeviceB] commit
      2. Set the IP address of GE 0/1/2

        [~DeviceB] interface gigabitethernet 0/1/2
        [~DeviceB-GigabitEthernet0/1/2] ip address 172.16.169.1 24
        [*DeviceB-GigabitEthernet0/1/2] quit
        [*DeviceB] commit

    2. Create and configure the tunnel interface.

      [~DeviceB] interface Tunnel 10
      [~DeviceB-Tunnel10] tunnel-protocol ipsec
      [*DeviceB-Tunnel10] ip address 192.168.1.2 32
      [*DeviceB-Tunnel10] quit
      [*DeviceB] commit

    3. Configure a static route to network A with Tunnel 10 as the outbound interface and 192.168.1.1 (the peer's tunnel interface address) as the next hop, plus a host route to that next hop through the public network. Assume that the public-network next hop of Device B is 172.16.169.2.

      NOTE:

      When configuring static routes that steer traffic into an IPsec tunnel, specify the IPsec tunnel interface as the outbound interface and the peer's tunnel interface address as the next hop; a separate route over the public network must exist for that next hop.

      [~DeviceB] ip route-static 10.1.1.0 255.255.255.0 Tunnel 10 192.168.1.1
      [*DeviceB] ip route-static 192.168.1.1 255.255.255.255 172.16.169.2
      [*DeviceB] commit

    4. Configure advanced ACL 3000 to define the flow to be protected: traffic from PC B (10.1.2.2) to PC A (10.1.1.2). It is the mirror image of the ACL on Device A.

      [~DeviceB] acl 3000
      [*DeviceB-acl-adv-3000] rule permit ip source 10.1.2.2 0.0.0.0 destination 10.1.1.2 0.0.0.0
      [*DeviceB-acl-adv-3000] quit
      [*DeviceB] commit

    5. Configure an IPsec proposal named tran1.

      [~DeviceB] ipsec proposal tran1
      [*DeviceB-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*DeviceB-ipsec-proposal-tran1] transform esp
      [*DeviceB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*DeviceB-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*DeviceB-ipsec-proposal-tran1] quit
      [*DeviceB] commit

    6. Configure IKE proposal 10.

      [~DeviceB] ike proposal 10 
      [*DeviceB-ike-proposal-10] authentication-method pre-share 
      [*DeviceB-ike-proposal-10] authentication-algorithm sha2-256 
      [*DeviceB-ike-proposal-10] dh group14
      [*DeviceB-ike-proposal-10] quit
      [*DeviceB] commit

    7. Configure an IKE peer named a.

      [~DeviceB] ike peer a 
      [*DeviceB-ike-peer-a] ike-proposal 10 
      [*DeviceB-ike-peer-a] remote-address 192.168.1.1 
      [*DeviceB-ike-peer-a] pre-shared-key abcde 
      [*DeviceB-ike-peer-a] quit
      [*DeviceB] commit

    8. Configure IKE dead peer detection (DPD).

      [~DeviceB] ike dpd 100
      [*DeviceB] commit

    9. Configure IPsec policy map1 with sequence number 10 in ISAKMP (IKE negotiation) mode.

      [~DeviceB] ipsec policy map1 10 isakmp 
      [*DeviceB-ipsec-policy-isakmp-map1-10] security acl 3000 
      [*DeviceB-ipsec-policy-isakmp-map1-10] proposal tran1 
      [*DeviceB-ipsec-policy-isakmp-map1-10] ike-peer a 
      [*DeviceB-ipsec-policy-isakmp-map1-10] quit
      [*DeviceB] commit

    10. Configure IPsec service instance group group1 and bind it to the slot that hosts the IPsec service.

      • The service-location configuration on the NE20E-S2E/NE20E-S2F is as follows:
        [~DeviceB] service-location 1
        [*DeviceB-service-location-1] location slot 2
        [*DeviceB-service-location-1] commit
        [~DeviceB-service-location-1] quit
      [~DeviceB] service-instance-group group1
      [*DeviceB-service-instance-group-group1] service-location 1
      [*DeviceB-service-instance-group-group1] commit
      [~DeviceB-service-instance-group-group1] quit
      

    11. Apply IPsec policy map1 to Tunnel 10.

      [~DeviceB] interface Tunnel10 
      [~DeviceB-Tunnel10] ipsec policy map1 service-instance-group group1
      [*DeviceB-Tunnel10] quit
      [*DeviceB] commit

Configuration Files
  • Configuration file of Device A.

    #
     sysname DeviceA
    #
    ike dpd 100
    acl number 3000
      rule 5 permit ip source 10.1.1.2 0 destination 10.1.2.2 0
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer b
     pre-shared-key cipher %^%#CScZ$9Z&w+@:5+7>\{;7UI~3"Wcx/P#,,FT<6t!8%^%#
     ike-proposal 10
     remote-address 192.168.1.2
    #                                                                                
    service-location 1                                                                
    location slot 2
    #                                                                                
    service-instance-group group1                                                          
     service-location 1    
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256  
     esp encryption-algorithm aes 256
    #                                         
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
    #    
    interface GigabitEthernet0/1/1 
     ip address 10.1.1.1 255.255.255.0                                                
    #    
    interface GigabitEthernet0/1/2 
     ip address 172.16.163.1 255.255.255.0
    #    
    interface Tunnel10 
     ip address 192.168.1.1 255.255.255.255                                             
     tunnel-protocol ipsec 
     ipsec policy map1 service-instance-group group1
    #
     ip route-static 10.1.2.0 255.255.255.0 Tunnel 10 192.168.1.2
     ip route-static 192.168.1.2 255.255.255.255 172.16.163.2
    #
    return
  • Configuration file of Device B.

    #
     sysname DeviceB
    #
    ike dpd 100
    acl number 3000
      rule 5 permit ip source 10.1.2.2 0 destination 10.1.1.2 0
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer a
     pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
     ike-proposal 10
     remote-address 192.168.1.1
    #                                                                                
    service-location 1                                                                
    location slot 2
    #                                                                                
    service-instance-group group1                                                          
     service-location 1    
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256  
     esp encryption-algorithm aes 256
    #                                         
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #    
    interface GigabitEthernet0/1/1 
     ip address 10.1.2.1 255.255.255.0                                                
    #    
    interface GigabitEthernet0/1/2 
     ip address 172.16.169.1 255.255.255.0
    #    
    interface Tunnel10 
     ip address 192.168.1.2 255.255.255.255                                             
     tunnel-protocol ipsec 
     ipsec policy map1 service-instance-group group1
    #
     ip route-static 10.1.1.0 255.255.255.0 Tunnel 10 192.168.1.1
     ip route-static 192.168.1.1 255.255.255.255 172.16.169.2
    #
    return
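The two configuration files above have to agree in several places for the tunnel to come up and to protect only the intended flow: each side's ike peer remote-address must be the other side's tunnel interface address, the IKE and IPsec proposals must match, the two ACLs must be mirror images, and the route into Tunnel 10 needs an underlay host route for its next hop. The following script is an added example and is not part of the Huawei guide. It parses the VRP current-configuration text of both devices and checks those properties, and it flags legacy algorithms (the LEGACY set is the editor's choice, not a device setting). It assumes the VRP layout shown above, with one leading space on lines inside a view. The embedded sample is the two files above, trimmed to the views the audit reads; the pre-shared key is stored only in cipher form, so the script cannot confirm that the keys are equal.

```python
"""Consistency audit for a pair of NE20E IPsec gateway configurations.
Added example, not from the Huawei guide: reads VRP configuration text."""
import re

LEGACY = {"md5", "sha1", "des", "des-cbc", "3des", "3des-cbc", "group1", "group2", "group5"}
ALGOS = ("ike_enc", "ike_auth", "ike_dh", "esp_enc", "esp_auth")
FIELDS = {  # (configuration view, regex) -> key; "*" matches any view
    ("*", r"sysname (\S+)"): "name",
    ("ike peer", r"remote-address (\S+)"): "remote_address",
    ("ike proposal", r"encryption-algorithm (.+)"): "ike_enc",
    ("ike proposal", r"authentication-algorithm (\S+)"): "ike_auth",
    ("ike proposal", r"dh (\S+)"): "ike_dh",
    ("ipsec proposal", r"esp encryption-algorithm (.+)"): "esp_enc",
    ("ipsec proposal", r"esp authentication-algorithm (\S+)"): "esp_auth",
    ("interface Tunnel", r"ip address (\S+)"): "tunnel_ip",
}

def parse_vrp(text):
    """Extract the IPsec-relevant settings of one device into a dict."""
    side, kind = {"name": "?", "acl_rules": [], "routes": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            kind = ""                                   # '#' closes the current view
        elif not raw.startswith(" "):                   # an unindented line opens a view
            kind = "interface Tunnel" if line.startswith("interface Tunnel") else " ".join(line.split()[:2])
        elif m := re.match(r"ip route-static (\S+) (\S+) (.+)", line):
            side["routes"].append((m.group(1), m.group(2), m.group(3).split()))
        elif kind == "acl number" and (m := re.match(
                r"rule \d+ permit ip(?: source (\S+) \S+ destination (\S+))?", line)):
            side["acl_rules"].append((m.group(1) or "any", m.group(2) or "any"))
        else:
            for (view, pat), key in FIELDS.items():
                if view in ("*", kind) and (m := re.match(pat, line)):
                    side[key] = m.group(1)
                    break
    return side

def check_pair(a, b):
    """Return findings for the two ends; an empty list means they agree."""
    out = []
    for s, p in ((a, b), (b, a)):
        if s.get("remote_address") != p.get("tunnel_ip"):
            out.append(f"{s['name']}: ike peer remote-address is not {p['name']}'s tunnel address")
        out += [f"{s['name']}: legacy algorithm {s[k]} in {k}"
                for k in ALGOS if s.get(k) and s[k].split()[0] in LEGACY]
        # Host routes that reach a tunnel next hop over the public network.
        underlay = {pre for pre, m, gw in s["routes"]
                    if m == "255.255.255.255" and not gw[0].startswith("Tunnel")}
        for pre, m, gw in s["routes"]:
            if gw[0].startswith("Tunnel"):              # steers traffic into the tunnel
                if gw[-1] != p.get("tunnel_ip"):
                    out.append(f"{s['name']}: route {pre} next hop {gw[-1]} is not {p['name']}'s tunnel address")
                if gw[-1] not in underlay:
                    out.append(f"{s['name']}: no underlay host route to tunnel next hop {gw[-1]}")
    out += [f"{k} differs: {a.get(k)!r} vs {b.get(k)!r}" for k in ALGOS if a.get(k) != b.get(k)]
    if sorted(a["acl_rules"]) != sorted((dst, src) for src, dst in b["acl_rules"]):
        out.append(f"ACLs are not mirror images: {a['acl_rules']} vs {b['acl_rules']}")
    return out

def audit(config_a, config_b):
    return check_pair(parse_vrp(config_a), parse_vrp(config_b))

# Constructed sample: the two configuration files from this example, trimmed to
# the views the audit reads (pre-shared key and service-location views omitted).
DEVICE_A = """\
 sysname DeviceA
acl number 3000
  rule 5 permit ip source 10.1.1.2 0 destination 10.1.2.2 0
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
ike peer b
 remote-address 192.168.1.2
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
interface Tunnel10
 ip address 192.168.1.1 255.255.255.255
 ip route-static 10.1.2.0 255.255.255.0 Tunnel 10 192.168.1.2
 ip route-static 192.168.1.2 255.255.255.255 172.16.163.2
"""
DEVICE_B = """\
 sysname DeviceB
acl number 3000
  rule 5 permit ip source 10.1.2.2 0 destination 10.1.1.2 0
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
ike peer a
 remote-address 192.168.1.1
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
interface Tunnel10
 ip address 192.168.1.2 255.255.255.255
 ip route-static 10.1.1.0 255.255.255.0 Tunnel 10 192.168.1.1
 ip route-static 192.168.1.1 255.255.255.255 172.16.169.2
"""
```

Running audit(DEVICE_A, DEVICE_B) on the two files above returns an empty list. Changing one side's ACL destination, replacing dh group14 with dh group2 on one side, or deleting the host route to 192.168.1.2 each produces a finding, which is the kind of mismatch that otherwise shows up only as a failed IKE or IPsec negotiation.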

Example for Configuring the IPsec Tunnel in IKE IPsec Policy Template Mode

In this scenario the NE20E terminates IPsec tunnels from base transceiver stations (BTSs) so that mobile devices behind each BTS can reach an internal network. Configuring the NE20E side in IPsec policy template mode lets it accept tunnels from many BTSs with a single policy, so BTSs can be added or removed without changing the NE20E configuration. The policy template on the NE20E only responds to negotiations; each BTS is configured with an IPsec policy and initiates the connection.

Networking Requirements

As shown in Figure 12-7, network A connects to the Internet through Device A, and BTS1 and BTS2 also connect to the Internet.

The routes among Device A, BTS1, and BTS2 are reachable.

Figure 12-7 Networking diagram of configuring the IPSec tunnel in IKE IPSec policy template mode
NOTE:

Interfaces 1 and 2 in this example are GE 0/1/1 and GE 0/1/2, respectively.


The requirement is that mobile devices behind the two base stations can securely access network A.

Configuration Roadmap

The configuration procedure and roadmap are as follows:

  1. Set the IP addresses for the interfaces.

  2. Create and configure the tunnel interface.

  3. Configure routes to the public network. Static routes are generally used.

  4. Configure the ACL to define the data flows that need to be protected.

  5. Configure the IPSec proposal.

  6. Configure the IKE proposal.

  7. Configure the IKE peer.

  8. Configure the IPSec policy template.

  9. Configure the IPsec service instance group.

  10. Apply the IPsec policy to the tunnel interface.

Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of the interfaces
  • IP addresses of the tunnel interfaces
  • IP address segments of each network
  • Pre-shared key
  • Security protocol, encryption algorithm, and authentication algorithm adopted in an IPSec proposal
  • Authentication algorithm adopted in an IKE proposal

Procedure

  • Configure Device A.
    1. Set the IP addresses of interfaces.

      1. Set the IP address of GE 0/1/1.

        <DeviceA> system-view
        [~DeviceA] interface GigabitEthernet 0/1/1
        [~DeviceA-GigabitEthernet0/1/1] ip address 10.1.1.1 24
        [*DeviceA-GigabitEthernet0/1/1] quit
        [*DeviceA] commit
      2. Set the IP address of GE 0/1/2.

        [~DeviceA] interface GigabitEthernet 0/1/2
        [~DeviceA-GigabitEthernet0/1/2] ip address 172.16.163.1 24
        [*DeviceA-GigabitEthernet0/1/2] quit
        [*DeviceA] commit

    2. Create and configure the tunnel interface.

      [~DeviceA] interface Tunnel 10
      [*DeviceA-Tunnel10] tunnel-protocol ipsec
      [*DeviceA-Tunnel10] ip address 10.10.1.1 32
      [*DeviceA-Tunnel10] quit
      [*DeviceA] commit

    3. Configure a default static route to the Internet. Assume that the next hop of Device A to the Internet is 172.16.163.2.

      [~DeviceA] ip route-static 0.0.0.0 0.0.0.0 172.16.163.2
      [*DeviceA] commit

    4. Configure the ACL to define the data flows that need to be protected.

      [~DeviceA] acl 3000
      [*DeviceA-acl-adv-3000] rule permit ip 
      [*DeviceA-acl-adv-3000] quit
      [*DeviceA] commit
      NOTE:

      The ACL permits all IP traffic so that BTSs can be added or removed without editing Device A. This is narrower than it looks: the policy is bound to Tunnel 10, so the ACL is evaluated only on traffic that routing sends into that tunnel, and because Device A only responds, the flows actually protected are the ones each initiating BTS defines in its own ACL. Keep the ACL on each BTS specific.

    5. Configure an IPsec proposal named tran1.

      [~DeviceA] ipsec proposal tran1
      [*DeviceA-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*DeviceA-ipsec-proposal-tran1] transform esp
      [*DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*DeviceA-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*DeviceA-ipsec-proposal-tran1] quit
      [*DeviceA] commit
      NOTE:

      ESP is the default security protocol and tunnel is the default encapsulation mode, so these two commands are optional.

    6. Configure IKE proposal 10.

      [~DeviceA] ike proposal 10
      [*DeviceA-ike-proposal-10] authentication-method pre-share
      [*DeviceA-ike-proposal-10] authentication-algorithm sha2-256
      [*DeviceA-ike-proposal-10] dh group14
      [*DeviceA-ike-proposal-10] quit
      [*DeviceA] commit
      NOTE:

      Pre-shared key is the default IKE authentication method, so this command is optional.

    7. Configure an IKE peer named b. No remote-address is configured, because Device A does not initiate the negotiation.

      [~DeviceA] ike peer b
      [*DeviceA-ike-peer-b] ike-proposal 10
      [*DeviceA-ike-peer-b] pre-shared-key abcde
      [*DeviceA-ike-peer-b] quit
      [*DeviceA] commit
      NOTE:

      Without a remote-address, Device A accepts a negotiation from any BTS that presents the matching pre-shared key, so the key must be protected accordingly. The NE20E enables IKEv1 and IKEv2 at the same time. If the peer does not support IKEv2, disable IKEv2 so that IKEv1 is used for the negotiation.

      The pre-shared key must be identical with that on the peer device.

    8. Configure IPsec policy template map_temp with sequence number 1.

      [~DeviceA] ipsec policy-template map_temp 1
      [*DeviceA-ipsec-policy-templet-map_temp-1] security acl 3000
      [*DeviceA-ipsec-policy-templet-map_temp-1] proposal tran1
      [*DeviceA-ipsec-policy-templet-map_temp-1] ike-peer b
      [*DeviceA-ipsec-policy-templet-map_temp-1] quit
      [*DeviceA] commit

    9. Reference policy template map_temp in IPsec policy map1.

      [~DeviceA] ipsec policy map1 10 isakmp template map_temp
      [*DeviceA] commit
      NOTE:

      The policy template and the IPsec policy must have different names.

    10. Configure IPsec service instance group group1 and bind it to the slot that hosts the IPsec service.

      • The service-location configuration on the NE20E-S2E/NE20E-S2F is as follows:
        [~DeviceA] service-location 1
        [*DeviceA-service-location-1] location slot 2
        [*DeviceA-service-location-1] commit
        [~DeviceA-service-location-1] quit
      [~DeviceA] service-instance-group group1
      [*DeviceA-service-instance-group-group1] service-location 1
      [*DeviceA-service-instance-group-group1] commit
      [~DeviceA-service-instance-group-group1] quit
      

    11. Apply IPsec policy map1 to Tunnel 10.

      [~DeviceA] interface Tunnel 10
      [~DeviceA-Tunnel10] ipsec policy map1 service-instance-group group1
      [*DeviceA-Tunnel10] quit
      [*DeviceA] commit

Configuration Files
  • The configuration file of Device A.

    #
     sysname DeviceA
    #
    acl number 3000
      rule 5 permit ip 
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer b
     pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
     ike-proposal 10 
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    # 
    ipsec policy-template map_temp 1
     security acl 3000
     ike-peer b
     proposal tran1
    #                                                                                
    service-location 1                                                                
    location slot 2
    #                                                                                
    service-instance-group group1                                                          
     service-location 1    
    # 
    ipsec policy map1 10 isakmp template map_temp
    # 
    interface GigabitEthernet0/1/1 
     ip address 10.1.1.1 255.255.255.0 
    # 
    interface GigabitEthernet0/1/2  
     ip address 172.16.163.1 255.255.255.0                       
    #           
    interface Tunnel10
     ip address 10.10.1.1 255.255.255.255
     tunnel-protocol ipsec 
     ipsec policy map1 service-instance-group group1
    #
    ip route-static 0.0.0.0 0.0.0.0 172.16.163.2
    #
    return

Example for Configuring IPsec Tunnels Between NE20Es Using an IPsec Policy Template

An IPsec policy template lets one NE20E terminate tunnels from multiple peer devices, so peers can be added or removed without changing the hub's configuration. The policy template is configured on the NE20E that responds to negotiations, and an IPsec policy is configured on each peer device that initiates them.

Networking Requirements

As shown in Figure 12-8, network A, network B, and network C are connected to the Internet through Device A, Device B, and Device C, respectively. Device A, Device B, and Device C are routable to each other.

The requirement is that network A can communicate with network B and network C, but network B and network C cannot communicate with each other.

Figure 12-8 Establishing IPsec tunnels using an IPsec policy template
NOTE:

In this case, interface 1 represents GE 0/1/1, and interface 2 represents GE 0/1/2.


Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses for interfaces.

  2. Configure an ACL to define the data flow to be protected.

  3. Configure an IPsec proposal.

  4. Configure an Internet Key Exchange (IKE) proposal.

  5. Configure IKE peers.

  6. Configure an IPsec policy template on Device A. Configure IPsec policies on Device B and Device C.

  7. Configure an IPsec service instance group.

  8. Create and configure a tunnel interface. Apply the IPsec policy to the tunnel interface.

  9. Configure routes (static routes in most cases) on the public network.

Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of interfaces
  • IP addresses of tunnel interfaces
  • IP address segments
  • Pre-shared key
  • Security protocol, encryption algorithm, and authentication algorithm to be used by the IPsec proposal
  • Authentication algorithm to be used by the IKE proposal

Procedure

  1. Configure device names and IP addresses for interfaces.

    For configuration details, see the configuration files in this section.

  2. Define the data flow to be protected.

    # Configure Device A.

    [~DeviceA] acl 3000
    [*DeviceA-acl-adv-3000] rule permit ip 
    [*DeviceA-acl-adv-3000] quit
    [*DeviceA] commit
    NOTE:

    The ACL permits all IP traffic so that peer devices can be added or removed without editing Device A. Because Device A only responds, the flows actually protected are the ones each initiating peer defines in its own ACL, and the ACL on Device A is applied through the route generated for each negotiated flow, which limits it to those flows.

    # Configure Device B.

    [~DeviceB] acl 3000
    [*DeviceB-acl-adv-3000] rule permit ip source 10.2.1.2 0.0.0.0 destination 10.1.1.2 0.0.0.0
    [*DeviceB-acl-adv-3000] quit
    [*DeviceB] commit

    # Configure Device C.

    [~DeviceC] acl 3000
    [*DeviceC-acl-adv-3000] rule permit ip source 10.3.1.2 0.0.0.0 destination 10.1.1.2 0.0.0.0
    [*DeviceC-acl-adv-3000] quit
    [*DeviceC] commit

  3. Configure an IPsec proposal.

    # Configure Device A.

    [~DeviceA] ipsec proposal tran1
    [*DeviceA-ipsec-proposal-tran1] encapsulation-mode tunnel
    [*DeviceA-ipsec-proposal-tran1] transform esp
    [*DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [*DeviceA-ipsec-proposal-tran1] esp encryption-algorithm aes 256
    [*DeviceA-ipsec-proposal-tran1] quit
    [*DeviceA] commit

    # Configure Device B.

    [~DeviceB] ipsec proposal tran1
    [*DeviceB-ipsec-proposal-tran1] encapsulation-mode tunnel
    [*DeviceB-ipsec-proposal-tran1] transform esp
    [*DeviceB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [*DeviceB-ipsec-proposal-tran1] esp encryption-algorithm aes 256
    [*DeviceB-ipsec-proposal-tran1] quit
    [*DeviceB] commit

    # Configure Device C.

    [~DeviceC] ipsec proposal tran1
    [*DeviceC-ipsec-proposal-tran1] encapsulation-mode tunnel
    [*DeviceC-ipsec-proposal-tran1] transform esp
    [*DeviceC-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [*DeviceC-ipsec-proposal-tran1] esp encryption-algorithm aes 256
    [*DeviceC-ipsec-proposal-tran1] quit
    [*DeviceC] commit
    NOTE:

    ESP is the default security protocol, and the tunnel mode is the default encapsulation mode. They do not need to be configured.

  4. Configure an IKE proposal.

    # Configure Device A.

    [~DeviceA] ike proposal 10
    [*DeviceA-ike-proposal-10] authentication-method pre-share
    [*DeviceA-ike-proposal-10] authentication-algorithm sha2-256
    [*DeviceA-ike-proposal-10] dh group14
    [*DeviceA-ike-proposal-10] quit
    [*DeviceA] commit

    # Configure Device B.

    [~DeviceB] ike proposal 10
    [*DeviceB-ike-proposal-10] authentication-method pre-share
    [*DeviceB-ike-proposal-10] authentication-algorithm sha2-256
    [*DeviceB-ike-proposal-10] dh group14
    [*DeviceB-ike-proposal-10] quit
    [*DeviceB] commit

    # Configure Device C.

    [~DeviceC] ike proposal 10
    [*DeviceC-ike-proposal-10] authentication-method pre-share
    [*DeviceC-ike-proposal-10] authentication-algorithm sha2-256
    [*DeviceC-ike-proposal-10] dh group14
    [*DeviceC-ike-proposal-10] quit
    [*DeviceC] commit
    NOTE:

    Pre-shared key is the default authentication method and does not need to be configured.

  5. Configure IKE peers.

    # Configure Device A.

    [~DeviceA] ike peer p1
    [*DeviceA-ike-peer-p1] ike-proposal 10
    [*DeviceA-ike-peer-p1] pre-shared-key abcde
    [*DeviceA-ike-peer-p1] quit
    [*DeviceA] commit

    # Configure Device B.

    [~DeviceB] ike peer a
    [*DeviceB-ike-peer-a] ike-proposal 10
    [*DeviceB-ike-peer-a] remote-address 192.168.1.1
    [*DeviceB-ike-peer-a] pre-shared-key abcde
    [*DeviceB-ike-peer-a] quit
    [*DeviceB] commit

    # Configure Device C.

    [~DeviceC] ike peer a
    [*DeviceC-ike-peer-a] ike-proposal 10
    [*DeviceC-ike-peer-a] remote-address 192.168.1.1
    [*DeviceC-ike-peer-a] pre-shared-key abcde
    [*DeviceC-ike-peer-a] quit
    [*DeviceC] commit
    NOTE:

    Both IKEv1 and IKEv2 are enabled on the NE20E. If IKEv2 is not enabled on the IKE peer, disable IKEv2 on the local device and use IKEv1 to perform the IKE negotiation.

    The pre-shared key configured on the local device must be the same as that configured on the IKE peer.

  6. Configure IKE dead peer detection (DPD) on all three devices.

    # Configure Device A.

    [~DeviceA] ike dpd interval 10 10
    [*DeviceA] commit

    # Configure Device B.

    [~DeviceB] ike dpd interval 10 10
    [*DeviceB] commit

    # Configure Device C.

    [~DeviceC] ike dpd interval 10 10
    [*DeviceC] commit

  7. Configure an IPsec policy template and IPsec policy.

    # Configure an IPsec policy template on Device A and reference the IPsec policy template in the IPsec policy.

    [~DeviceA] ipsec policy-template map_temp 1
    [*DeviceA-ipsec-policy-templet-map_temp-1] security acl 3000
    [*DeviceA-ipsec-policy-templet-map_temp-1] proposal tran1
    [*DeviceA-ipsec-policy-templet-map_temp-1] ike-peer p1
    [*DeviceA-ipsec-policy-templet-map_temp-1] quit
    [*DeviceA] commit
    [~DeviceA] ipsec policy map1 10 isakmp template map_temp
    [*DeviceA] commit
    NOTE:

    The name of the IPsec policy cannot be the same as that of the referenced policy template.

    # Configure an IPsec policy on Device B.

    [~DeviceB] ipsec policy map1 10 isakmp
    [*DeviceB-ipsec-policy-isakmp-map1-10] security acl 3000
    [*DeviceB-ipsec-policy-isakmp-map1-10] proposal tran1
    [*DeviceB-ipsec-policy-isakmp-map1-10] ike-peer a
    [*DeviceB-ipsec-policy-isakmp-map1-10] quit
    [*DeviceB] commit

    # Configure an IPsec policy on Device C.

    [~DeviceC] ipsec policy map1 10 isakmp
    [*DeviceC-ipsec-policy-isakmp-map1-10] security acl 3000
    [*DeviceC-ipsec-policy-isakmp-map1-10] proposal tran1
    [*DeviceC-ipsec-policy-isakmp-map1-10] ike-peer a
    [*DeviceC-ipsec-policy-isakmp-map1-10] quit
    [*DeviceC] commit

  8. Configure an IPsec service instance group.

    # Configure Device A.

    • The service-location configuration on the NE20E-S2E/NE20E-S2F is as follows:
      [~DeviceA] service-location 1
      [*DeviceA-service-location-1] location slot 2
      [*DeviceA-service-location-1] commit
      [~DeviceA-service-location-1] quit
    [~DeviceA] service-instance-group group1
    [*DeviceA-service-instance-group-group1] service-location 1
    [*DeviceA-service-instance-group-group1] commit
    [~DeviceA-service-instance-group-group1] quit
    

    # Configure Device B.

    • The service-location configuration on the NE20E-S2E/NE20E-S2F is as follows:
      [~DeviceB] service-location 1
      [*DeviceB-service-location-1] location slot 2
      [*DeviceB-service-location-1] commit
      [~DeviceB-service-location-1] quit
    [~DeviceB] service-instance-group group1
    [*DeviceB-service-instance-group-group1] service-location 1
    [*DeviceB-service-instance-group-group1] commit
    [~DeviceB-service-instance-group-group1] quit
    

    # Configure Device C.

    • The service-location configuration on the NE20E-S2E/NE20E-S2F is as follows:
      [~DeviceC] service-location 1
      [*DeviceC-service-location-1] location slot 2
      [*DeviceC-service-location-1] commit
      [~DeviceC-service-location-1] quit
    [~DeviceC] service-instance-group group1
    [*DeviceC-service-instance-group-group1] service-location 1
    [*DeviceC-service-instance-group-group1] commit
    [~DeviceC-service-instance-group-group1] quit
    

  9. Create a tunnel interface and configure attributes for the tunnel interface.

    # Configure Device A.

    [~DeviceA] interface Tunnel 10
    [*DeviceA-Tunnel10] tunnel-protocol ipsec
    [*DeviceA-Tunnel10] ip address 192.168.1.1 32
    [*DeviceA-Tunnel10] ipsec policy map1 service-instance-group group1
    [*DeviceA-Tunnel10] quit
    [*DeviceA] commit

    # Configure Device B.

    [~DeviceB] interface Tunnel 10
    [*DeviceB-Tunnel10] tunnel-protocol ipsec
    [*DeviceB-Tunnel10] ip address 192.168.2.1 32
    [*DeviceB-Tunnel10] ipsec policy map1 service-instance-group group1
    [*DeviceB-Tunnel10] quit
    [*DeviceB] commit

    # Configure Device C.

    [~DeviceC] interface Tunnel 10
    [*DeviceC-Tunnel10] tunnel-protocol ipsec
    [*DeviceC-Tunnel10] ip address 192.168.3.1 32
    [*DeviceC-Tunnel10] ipsec policy map1 service-instance-group group1
    [*DeviceC-Tunnel10] quit
    [*DeviceC] commit

  10. Configure static routes.

    Static routes are used to import data traffic to the IPsec tunnel.

    # Configure Device A. Assume that the next hop IP address of Device A is 172.16.163.2.

    [~DeviceA] ip route-static 0.0.0.0 0.0.0.0 172.16.163.2
    [*DeviceA] commit

    # Configure Device B. Assume that the next hop IP address of Device B is 172.16.169.2.

    [~DeviceB] ip route-static 10.1.1.0 255.255.255.0 Tunnel 10 192.168.1.1
    [*DeviceB] ip route-static 192.168.1.1 255.255.255.255 172.16.169.2
    [*DeviceB] commit

    # Configure Device C. Assume that the next hop IP address of Device C is 172.16.170.2.

    [~DeviceC] ip route-static 10.1.1.0 255.255.255.0 Tunnel 10 192.168.1.1
    [*DeviceC] ip route-static 192.168.1.1 255.255.255.255 172.16.170.2
    [*DeviceC] commit

Configuration Files
  • Device A configuration file

    #
     sysname DeviceA
    #
    ike dpd interval 10 10
    #
    acl number 3000
      rule 5 permit ip 
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer p1
     pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
     ike-proposal 10 
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ipsec policy-template map_temp 1
     security acl 3000
     ike-peer p1
     proposal tran1
    #
    service-location 1
     location slot 2
    #
    service-instance-group group1
     service-location 1
    #
    ipsec policy map1 10 isakmp template map_temp
    # 
    interface GigabitEthernet0/1/1 
     undo shutdown
     ip address 10.1.1.1 255.255.255.0 
    # 
    interface GigabitEthernet0/1/2  
     undo shutdown
     ip address 172.16.163.1 255.255.255.0                       
    #           
    interface Tunnel10 
     ip address 192.168.1.1 255.255.255.0
     tunnel-protocol ipsec 
     ipsec policy map1 service-instance-group group1
    #
    ip route-static 0.0.0.0 0.0.0.0 172.16.163.2
    #
    return
  • Device B configuration file

    #
     sysname DeviceB
    #
    ike dpd interval 10 10
    #
    acl number 3000
      rule 5 permit ip source 10.1.2.2 0 destination 10.1.1.2 0
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer a
     pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
     ike-proposal 10
     remote-address 192.168.1.1
    #
    service-location 1
     location slot 2
    #
    service-instance-group group1
     service-location 1
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256  
     esp encryption-algorithm aes 256
    #                                         
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #    
    interface GigabitEthernet0/1/1 
     undo shutdown
     ip address 10.1.2.1 255.255.255.0                                                
    #    
    interface GigabitEthernet0/1/2 
     undo shutdown
     ip address 172.16.169.1 255.255.255.0
    #    
    interface Tunnel10 
     ip address 192.168.1.2 255.255.255.255                                             
     tunnel-protocol ipsec 
     ipsec policy map1 service-instance-group group1
    #
    ip route-static 10.1.1.0 255.255.255.0 Tunnel 10 192.168.1.1
    ip route-static 192.168.1.1 255.255.255.255 172.16.169.2
    #
    return
  • Device C configuration file

    #
     sysname DeviceC
    #
    ike dpd interval 10 10
    #
    acl number 3000
      rule 5 permit ip source 10.1.3.2 0 destination 10.1.1.2 0
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer a
     pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
     ike-proposal 10
     remote-address 192.168.1.1
    #
    service-location 1
     location slot 2
    #
    service-instance-group group1
     service-location 1
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256  
     esp encryption-algorithm aes 256
    #                                         
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #    
    interface GigabitEthernet0/1/1 
     undo shutdown
     ip address 10.1.3.1 255.255.255.0                                                
    #    
    interface GigabitEthernet0/1/2 
     undo shutdown
     ip address 172.16.170.1 255.255.255.0
    #    
    interface Tunnel10 
     ip address 192.168.1.3 255.255.255.255                                             
     tunnel-protocol ipsec 
     ipsec policy map1 service-instance-group group1
    #
    ip route-static 10.1.1.0 255.255.255.0 Tunnel 10 192.168.1.1
    ip route-static 192.168.1.1 255.255.255.255 172.16.170.2
    #
    return
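As an added example (not Huawei's code and not part of this guide), the following Python check parses configuration files in the "#"-delimited layout shown above and verifies the three things that most often stop a spoke from bringing up its tunnel to the hub: the spoke's remote-address must equal the address on the hub's tunnel interface, the IKE and IPsec proposals must be identical at both ends (otherwise IKE negotiation fails), and the spoke must have the host route from step 10. The embedded configurations are constructed, abbreviated excerpts of the Device A and Device B files.

```python
# Constructed, abbreviated excerpts of the Device A (hub) and Device B (spoke)
# files above; the proposal blocks are shared because both ends must match.
PROPOSALS = """#
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#
"""
HUB_CFG = PROPOSALS + "interface Tunnel10\n ip address 192.168.1.1 255.255.255.0\n#\n"
SPOKE_CFG = PROPOSALS + ("ike peer a\n ike-proposal 10\n remote-address 192.168.1.1\n#\n"
                         "ip route-static 192.168.1.1 255.255.255.255 172.16.169.2\n#\n")

def parse_blocks(cfg):
    """Map each '#'-delimited block's header line to its parameter lines."""
    blocks = {}
    for chunk in cfg.split("#"):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            blocks[lines[0]] = lines[1:]
    return blocks

def first_field(lines, prefix, index):
    """Word at position `index` of the first line that starts with `prefix`."""
    return next((ln.split()[index] for ln in lines if ln.startswith(prefix)), None)

def check_pair(hub_cfg, spoke_cfg):
    """Return mismatch descriptions; an empty list means the pair is consistent."""
    hub, spoke = parse_blocks(hub_cfg), parse_blocks(spoke_cfg)
    problems = []
    # The spoke's ike peer must dial the address configured on the hub's tunnel.
    tun = next((v for k, v in hub.items() if k.startswith("interface Tunnel")), [])
    hub_ip = first_field(tun, "ip address", 2)
    peer = next((v for k, v in spoke.items() if k.startswith("ike peer")), [])
    if first_field(peer, "remote-address", 1) != hub_ip:
        problems.append(f"spoke remote-address does not match hub tunnel {hub_ip}")
    # IKE and IPsec proposals must be identical, otherwise negotiation fails.
    for name in ("ike proposal 10", "ipsec proposal tran1"):
        if sorted(hub.get(name, [])) != sorted(spoke.get(name, [])):
            problems.append(f"{name} differs between hub and spoke")
    # The spoke needs a host route towards the hub tunnel address (step 10).
    if not any(k.startswith(f"ip route-static {hub_ip} 255.255.255.255") for k in spoke):
        problems.append(f"spoke has no host route to {hub_ip}")
    return problems
```

Run `check_pair(HUB_CFG, SPOKE_CFG)` against the real files of a hub and each spoke; any non-empty result names the parameter to fix before looking at IKE debugging output.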
Updated: 2019-01-02

Document ID: EDOC1100055397
