No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

This is NE20E-S2 V800R010C10SPC500 Configuration Guide - Security
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Establishing an IPSec Tunnel Using PKI

Establishing an IPSec Tunnel Using PKI

This section describes how to establish an IPSec tunnel using certificate-based authentication.

Networking Requirements

As shown in Figure 13-6, network A and network B connect to the Internet through Device A and Device B. The networking environment is as follows:

  • Network A is in the 10.1.1.0/24 subnet. Device A is connected to Network A through GE 0/1/1.

  • Network B is in the 10.1.2.0/24 subnet. Device B is connected to Network B through GE 0/1/1.

  • Routes are reachable between Device A and Device B.

If an IPSec tunnel needs to be established using IKE automatic negotiation to protect data flows between Network A and B, the following requirements must be met:

  • Certificate based authentication is used between Device A and Device B.

  • The tunnel encapsulation mode is used.

  • ESP is used as the security protocol.

  • The encryption algorithm AES is used by ESP.

  • The verification algorithm SHA2-256 is used by ESP.

  • The integrity algorithm HMAC-SHA2-256 is used.

Figure 13-6 Networking for establishing an IPSec tunnel using certificate-based authentication
NOTE:

Interface 1 and 2 in this example are GE 0/1/1 and GE 0/1/2, respectively.


Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IP address for each interface.

  2. Create and configure tunnel interfaces.

  3. Configure public network routes (static routes).

  4. Configure ACL rules to permit data flows that need to be protected.

  5. Configure PKI, and configure PKI certificate access-control-policy using default certificate attributes.

    1. Create a key pair consisting of a public key and a private key.

    2. Configure entity information.

    3. Obtain certificates.

    4. Configure the default access control policy based on certificate attributes.

  6. Establish an IPSec tunnel using security policy auto-negotiation.

Data Preparation

To complete the configuration, you need the following data:

  • IP address of each interface
  • ACL rules
  • Entity information, PKI domain, manual downloading of certificates and access control policy based on certificate attributes
  • Security protocols in the IPSec proposal, encryption algorithm and authentication algorithm, and authentication algorithm in the IKE security proposal

Procedure

  1. Configure Device A.

    # Disable CRL check.

    <DeviceA> system-view
    [~DeviceA] undo pki crl check enable

    # Configure an IP address for GigabitEthernet 0/1/1.

    [~DeviceA] interface GigabitEthernet 0/1/1
    [~DeviceA-GigabitEthernet0/1/1] ip address 10.1.1.1 24
    [*DeviceA-GigabitEthernet0/1/1] quit
    [*DeviceA] commit

    # Configure an IP address for GigabitEthernet 0/1/2.

    [~DeviceA] interface GigabitEthernet 0/1/2
    [~DeviceA-GigabitEthernet0/1/2] ip address 172.16.163.1 24
    [*DeviceA-GigabitEthernet0/1/2] quit
    [*DeviceA] commit

    # Enable IPSec.

    [~DeviceA] ipsec enable slot 1
    [*DeviceA] commit

    # Create and configure a tunnel interface.

    [~DeviceA] interface Tunnel 10
    [*DeviceA-Tunnel10] tunnel-protocol ipsec
    [*DeviceA-Tunnel10] ip address 172.19.1.1 24
    [*DeviceA-Tunnel10] quit
    [*DeviceA] commit

    # Configure a static route to network B, with the outbound interface Tunnel 10 and the next hop 172.19.1.2. The physical address of the next hop of Device A is 172.16.163.2/24.

    [~DeviceA] ip route-static 10.1.2.0 255.255.255.0 Tunnel 10 172.19.1.2
    [*DeviceA] ip route-static 172.20.1.2 255.255.255.255 172.16.163.2
    [*DeviceA] commit

    # Create the advanced ACL 3000, and configure the rules to filter packets with the source IP address 10.1.1.0/24 and destination IP address 10.1.2.0/24. Packets matching the rules will be encrypted.

    [~DeviceA] acl 3000
    [*DeviceA-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [*DeviceA-acl-adv-3000] quit
    [*DeviceA] commit

    # Create a public and private key pair.

    [~DeviceA] rsa pki local-key-pair create
    [*DeviceA] commit

    # Configure entity information.

    [~DeviceA] pki entity entitya
    [*DeviceA-entitya] common-name DeviceA
    [*DeviceA-entitya] quit
    [*DeviceA] commit

    # Configure a PKI domain.

    [~DeviceA] pki domain domaina
    [*DeviceA-domaina] certificate request entity entitya
    [*DeviceA-domaina] quit
    [*DeviceA] commit

    # Generate the certificate request file named domaina.req.

    [~DeviceA] pki request-certificate domain domaina pkcs10
    [*DeviceA] commit

    # Send the certificate request file to the CA to generate certificates. Assume that the generated local certificate is named local.cer and root CA certificate is named ca.cer.

    # Manually download the local certificate and CA certificate.

    # Import the local certificate and root CA certificate into the memory of the device.

    [~DeviceA] pki import-certificate local filename local.cer
    [*DeviceA] pki import-certificate ca filename ca.cer
    [*DeviceA] commit

    # Configure the IPSec security proposal tran1.

    [~DeviceA] ipsec proposal tran1
    [*DeviceA-ipsec-proposal-tran1] encapsulation-mode tunnel
    [*DeviceA-ipsec-proposal-tran1] transform esp
    [*DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [*DeviceA-ipsec-proposal-tran1] esp encryption-algorithm aes 256
    [*DeviceA-ipsec-proposal-tran1] quit
    [*DeviceA] commit

    # Configure the IKE security proposal.

    [~DeviceA] ike proposal 10
    [*DeviceA-ike-proposal-10] authentication-method rsa-sig
    [*DeviceA-ike-proposal-10] authentication-algorithm sha2-256
    [*DeviceA-ike-proposal-10] integrity-algorithm hmac-sha2-256
    [*DeviceA-ike-proposal-10] dh group14
    [*DeviceA-ike-proposal-10] quit
    [*DeviceA] commit

    # Configure IKE peers.

    [~DeviceA] ike peer b
    [*DeviceA-ike-peer-b] ike-proposal 10
    [*DeviceA-ike-peer-b] certificate local-filename local.cer
    [*DeviceA-ike-peer-b] remote-address 172.20.1.2
    [*DeviceA-ike-peer-b] quit
    [*DeviceA] commit

    # Configure the IPSec policy map1.

    [~DeviceA] ipsec policy map1 10 isakmp
    [*DeviceA-ipsec-policy-isakmp-map1-10] security acl 3000
    [*DeviceA-ipsec-policy-isakmp-map1-10] proposal tran1
    [*DeviceA-ipsec-policy-isakmp-map1-10] ike-peer b
    [*DeviceA-ipsec-policy-isakmp-map1-10] quit
    [*DeviceA] commit
    # Configure the IPSec service instance group 1.
    [~DeviceA] service-location 1
    [*DeviceA-service-location-1] location slot 3
    [*DeviceA-service-location-1] commit
    [~DeviceA-service-location-1] quit
    [~DeviceA] service-instance-group 1
    [*DeviceA-service-instance-group-1] service-location 1
    [*DeviceA-service-instance-group-1] commit
    [~DeviceA-service-instance-group-1] quit
    

    # Bind map1 to the tunnel interface.

    [~DeviceA] interface Tunnel 10
    [~DeviceA-Tunnel10] ipsec policy map1 service-instance-group 1
    [*DeviceA-Tunnel10] quit
    [*DeviceA] commit

  2. Configure Device B.

    # Disable CRL check.

    <DeviceB> system-view
    [~DeviceB] undo pki crl check enable

    # Configure an IP address for GigabitEthernet 0/1/1.

    [~DeviceB] interface GigabitEthernet 0/1/1
    [~DeviceB-GigabitEthernet0/1/1] ip address 10.1.2.1 24
    [*DeviceB-GigabitEthernet0/1/1] quit
    [*DeviceB] commit

    # Configure an IP address for GigabitEthernet 0/1/2.

    [~DeviceB] interface GigabitEthernet 0/1/2
    [~DeviceB-GigabitEthernet0/1/2] ip address 172.16.169.1 24
    [*DeviceB-GigabitEthernet0/1/2] quit
    [*DeviceB] commit

    # Enable IPSec.

    [~DeviceB] ipsec enable slot 1

    # Create and configure a tunnel interface.

    [~DeviceB] interface Tunnel 10
    [*DeviceB-Tunnel10] tunnel-protocol ipsec
    [*DeviceB-Tunnel10] ip address 172.20.1.2 24
    [*DeviceB-Tunnel10] quit
    [*DeviceB] commit

    # Configure a static route to network A, with the outbound interface Tunnel 10 and the next hop 172.19.1.1. The physical address of the next hop of Device B is 172.16.169.2/24.

    [~DeviceB] ip route-static 10.1.1.0 255.255.255.0 Tunnel 10 172.19.1.1
    [*DeviceB] ip route-static 172.19.1.1 255.255.255.255 172.16.169.2
    [*DeviceB] commit

    # Create the advanced ACL 3000, and configure an ACL rule to encrypt the packets with source IP address 10.1.2.0/24 and destination IP address 10.1.2.0/24.

    [~DeviceB] acl 3000
    [*DeviceB-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [*DeviceB-acl-adv-3000] quit
    [*DeviceB] commit

    # Create a public and private key pair.

    [~DeviceB] rsa pki local-key-pair create

    # Configure entity information.

    [~DeviceB] pki entity entityb
    [*DeviceB-entityb] common-name DeviceB
    [*DeviceB-entityb] quit
    [*DeviceB] commit

    # Configure a PKI domain.

    [~DeviceB] pki domain domainb
    [*DeviceB-domainb] certificate request entity entityb
    [*DeviceB-domainb] quit
    [*DeviceB] commit

    # Generate the certificate request file named domainb.req.

    [~DeviceB] pki request-certificate domain domainb pkcs10
    [*DeviceB] commit

    # Send the certificate request file to the CA to generate certificates. Assume that the generated local certificate is named local.cer and root CA certificate is named ca.cer.

    # Manually download the local certificate and CA certificate.

    # Import the local certificate and root CA certificate into the memory of the device.

    [~DeviceB] pki import-certificate local filename local.cer
    [*DeviceB] pki import-certificate ca filename ca.cer
    [*DeviceB] commit

    # Configure the IPSec proposal tran1.

    [~DeviceB] ipsec proposal tran1
    [*DeviceB-ipsec-proposal-tran1] encapsulation-mode tunnel
    [*DeviceB-ipsec-proposal-tran1] transform esp
    [*DeviceB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
    [*DeviceB-ipsec-proposal-tran1] esp encryption-algorithm aes 256
    [*DeviceB-ipsec-proposal-tran1] quit
    [*DeviceB] commit

    # Configure the IKE security proposal.

    [~DeviceB] ike proposal 10
    [*DeviceB-ike-proposal-10] authentication-method rsa-sig
    [*DeviceB-ike-proposal-10] authentication-algorithm sha2-256
    [*DeviceB-ike-proposal-10] integrity-algorithm hmac-sha2-256
    [*DeviceB-ike-proposal-10] dh group14
    [*DeviceB-ike-proposal-10] quit
    [*DeviceB] commit

    # Configure IKE peers.

    [~DeviceB] ike peer a
    [*DeviceB-ike-peer-a] ike-proposal 10
    [*DeviceB-ike-peer-a] certificate local-filename local.cer
    [*DeviceB-ike-peer-a] remote-address 172.19.1.1
    [*DeviceB-ike-peer-a] quit
    [*DeviceB] commit

    # Configure the IPSec policy map1.

    [~DeviceB] ipsec policy map1 10 isakmp
    [*DeviceB-ipsec-policy-isakmp-map1-10] security acl 3000
    [*DeviceB-ipsec-policy-isakmp-map1-10] proposal tran1
    [*DeviceB-ipsec-policy-isakmp-map1-10] ike-peer a
    [*DeviceB-ipsec-policy-isakmp-map1-10] quit
    [*DeviceB] commit
    # Configure the IPSec service instance group 1.
    [~DeviceB] service-location 1
    [*DeviceB-service-location-1] location slot 3
    [*DeviceB-service-location-1] commit
    [~DeviceB-service-location-1] quit
    [~DeviceB] service-instance-group 1
    [*DeviceB-service-instance-group-1] service-location 1
    [*DeviceB-service-instance-group-1] commit
    [~DeviceB-service-instance-group-1] quit
    

    # Bind map1 to the tunnel interface.

    [~DeviceB] interface Tunnel10 
    [~DeviceB-Tunnel10] ipsec policy map1 service-instance-group 1
    [*DeviceB-Tunnel10] quit
    [*DeviceB] commit

Configuration Files

  • Configuration file of Device A.

    #
     sysname DeviceA
    #
    undo pki crl check enable
    #
    acl number 3000
      rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    #
    ipsec enable slot 1
    #
    ike proposal 10
     authentication-method rsa-sig
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer b
     ike-proposal 10
     certificate local-filename local.cer
     remote-address 172.20.1.2
    #                                                                                
    service-location 1                                                                
     location slot 3                                                                 
    #                                                                                
    service-instance-group 1                                                          
     service-location 1    
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #        
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
    #
    interface GigabitEthernet0/1/1 
     undo shutdown
     ip address 10.1.1.1 255.255.255.0    
    #  
    interface GigabitEthernet0/1/2
     undo shutdown
     ip address 172.16.163.1 255.255.255.0     
    #  
    interface Tunnel10 
     ip address 172.19.1.1 255.255.255.0 
     tunnel-protocol ipsec 
     ipsec policy map1 service-instance-group 1
    #
     ip route-static 10.1.2.0 255.255.255.0 Tunnel 10 172.19.1.2
     ip route-static 172.20.1.2 255.255.255.255 172.16.163.2
    #
    pki entity entitya
     common-name DeviceA
    #
    pki domain domaina
     certificate request entity entitya
    #
    return
  • Configuration file of Device B.

    #
     sysname DeviceB
    #
    undo pki crl check enable
    #
    acl number 3000
      rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    ipsec enable slot 1
    #
    ike proposal 10
     authentication-method rsa-sig
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer a
     certificate local-filename local.cer
     ike-proposal 10
     remote-address 172.19.1.1
    #                                                                                
    service-location 1                                                                
     location slot 3                                                                 
    #                                                                                
    service-instance-group 1                                                          
     service-location 1    
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #  
    interface GigabitEthernet0/1/1 
     undo shutdown
     ip address 10.1.2.1 255.255.255.0    
    #  
    interface GigabitEthernet0/1/2 
     undo shutdown
     ip address 172.16.169.1 255.255.255.0     
    #  
    interface Tunnel10 
     ip address 172.20.1.2 255.255.255.0 
     tunnel-protocol ipsec 
     ipsec policy map1 service-instance-group 1
    #
     ip route-static 10.1.1.0 255.255.255.0 Tunnel 10 172.19.1.1
     ip route-static 172.19.1.1 255.255.255.255 172.16.169.2
    #
    pki entity entityb
     common-name DeviceB
    #
    pki domain domainb
     certificate request entity entityb
    #
    return
Translation
Download
Updated: 2019-01-02

Document ID: EDOC1100055397

Views: 19838

Downloads: 39

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next