NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

GRE over IPsec Scenario

Example for Configuring GRE over IPsec

GRE over IPsec is used to encrypt and encapsulate packets that IPsec alone cannot process, such as multicast and broadcast packets: IPsec encrypts and encapsulates IP packets only, so such packets are first encapsulated in GRE and the resulting GRE packets are then protected by IPsec.

Networking Requirements

Figure 12-9 shows the networking diagram.

  • Network A is on the 10.1.1.0/24 subnet. Device A uses GigabitEthernet0/1/1 to connect to network A.

  • Network B is on the 10.1.2.0/24 subnet. Device B uses GigabitEthernet0/1/1 to connect to network B.

  • Routes between Device A and Device B are reachable.

The GRE over IPsec network is required to implement the following functions:

  • Transmits packets that are not supported by IPsec between PCA and PCB, such as multicast and broadcast packets.

  • Encrypts packets transmitted between PCA and PCB.

Figure 12-9 Networking diagram of GRE over IPsec
NOTE:

Interfaces 1 and 2 in this example are GE 0/1/1 and GE 0/1/2, respectively.



Configuration Roadmap

The configuration roadmap is as follows:

  1. Set a GRE tunnel between Device A and Device B so that multicast and broadcast packets can be encapsulated in the GRE tunnel.

  2. Set an IPsec tunnel between Device A and Device B so that GRE-encapsulated packets can be encrypted in the IPsec tunnel.

Data Preparation

To complete the configuration, you need the following data:

  • IP address of each interface
  • Tunneling modes, IP addresses, source IP addresses, and destination IP addresses of tunnel interfaces
  • IP address segment of each network
  • Preshared key
  • Security protocol, encryption algorithm, and authentication algorithm of an IPsec proposal
  • Authentication algorithm of an IKE proposal

Procedure

  • Configure Device A.
    1. Set IP addresses for interfaces.

      1. Set an IP address for GigabitEthernet 0/1/1.

        <DeviceA> system-view
        [~DeviceA] interface GigabitEthernet 0/1/1
        [~DeviceA-GigabitEthernet0/1/1] ip address 10.1.1.1 24
        [*DeviceA-GigabitEthernet0/1/1] quit
        [*DeviceA] commit
      2. Set an IP address for GigabitEthernet 0/1/2.

        [~DeviceA] interface GigabitEthernet 0/1/2
        [~DeviceA-GigabitEthernet0/1/2] ip address 172.16.163.1 24
        [*DeviceA-GigabitEthernet0/1/2] quit
        [*DeviceA] commit
      3. Set an IP address for Loopback 1.

        [~DeviceA] interface loopback1
        [*DeviceA-Loopback1] ip address 1.1.1.1 255.255.255.255 
        [*DeviceA-Loopback1] quit
        [*DeviceA] commit

    2. Configure an IPsec service instance group named group1.

      • The configuration on the NE20E-S2E/NE20E-S2F is as follows:
        [~DeviceA] service-location 1
        [*DeviceA-service-location-1] location slot 2
        [*DeviceA-service-location-1] commit
        [~DeviceA-service-location-1] quit
      [~DeviceA] service-instance-group group1
      [*DeviceA-service-instance-group-group1] service-location 1
      [*DeviceA-service-instance-group-group1] quit
      [*DeviceA] commit

    3. Create and configure tunnel interfaces.

      [~DeviceA] interface loopback1
      [*DeviceA-Loopback1] binding tunnel gre
      [*DeviceA-Loopback1] quit
      [~DeviceA] interface Tunnel 2
      [*DeviceA-Tunnel2] tunnel-protocol gre
      [*DeviceA-Tunnel2] ip address 172.21.1.1 24
      [*DeviceA-Tunnel2] source loopback1
      [*DeviceA-Tunnel2] destination 2.2.2.2
      [*DeviceA-Tunnel2] quit
      [*DeviceA] commit
      [~DeviceA] interface Tunnel 1
      [*DeviceA-Tunnel1] tunnel-protocol ipsec
      [*DeviceA-Tunnel1] ip address 172.19.1.1 24
      [*DeviceA-Tunnel1] quit
      [*DeviceA] commit

    4. Configure static routes to network B. This configuration example assumes that the next hop of Device A is 172.16.163.2/24.

      NOTE:

      When configuring static routes to direct IPsec traffic into IPsec tunnels, specify an IPsec tunnel interface as the outbound interface of the static routes and specify a next hop address.

      [~DeviceA] ip route-static 10.1.2.2 255.255.255.255 Tunnel 2 2.2.2.2
      [*DeviceA] ip route-static 2.2.2.2 255.255.255.255 Tunnel 1 172.22.1.2
      [*DeviceA] ip route-static 172.22.1.2 255.255.255.255 172.16.163.2
      [*DeviceA] commit

    5. Configure an advanced ACL with the ID of 3000.

      [~DeviceA] acl 3000
      [*DeviceA-acl-adv-3000] rule permit gre source 1.1.1.1 0.0.0.0 destination 2.2.2.2 0.0.0.0
      [*DeviceA-acl-adv-3000] quit
      [*DeviceA] commit

    6. Configure an IPsec proposal with the name of tran1.

      [~DeviceA] ipsec proposal tran1
      [*DeviceA-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*DeviceA-ipsec-proposal-tran1] transform esp
      [*DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*DeviceA-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*DeviceA-ipsec-proposal-tran1] quit
      [*DeviceA] commit

    7. Configure an IKE proposal with the ID of 10.

      [~DeviceA] ike proposal 10
      [*DeviceA-ike-proposal-10] authentication-method pre-share
      [*DeviceA-ike-proposal-10] authentication-algorithm sha2-256
      [*DeviceA-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [*DeviceA-ike-proposal-10] dh group14
      [*DeviceA-ike-proposal-10] quit
      [*DeviceA] commit

    8. Configure an IKE peer with the name of b.

      [~DeviceA] ike peer b 
      [*DeviceA-ike-peer-b] ike-proposal 10 
      [*DeviceA-ike-peer-b] remote-address 172.22.1.2 
      [*DeviceA-ike-peer-b] pre-shared-key abcde 
      [*DeviceA-ike-peer-b] quit
      [*DeviceA] commit
      NOTE:

      Both IKEv1 and IKEv2 are enabled on the NE20E. If the peer device does not support IKEv2, disable IKEv2 on the NE20E so that IKEv1 is used.

      The authentication settings on the NE20E and the peer device must match.

    9. Configure an IPsec policy with the name of map1 and ID of 10.

      [~DeviceA] ipsec policy map1 10 isakmp
      [*DeviceA-ipsec-policy-isakmp-map1-10] security acl 3000
      [*DeviceA-ipsec-policy-isakmp-map1-10] proposal tran1
      [*DeviceA-ipsec-policy-isakmp-map1-10] ike-peer b
      [*DeviceA-ipsec-policy-isakmp-map1-10] quit
      [*DeviceA] commit

    10. Apply map1 to the tunnel interface.

      [~DeviceA] interface Tunnel 1
      [*DeviceA-Tunnel1] ipsec policy map1 service-instance-group group1
      [*DeviceA-Tunnel1] quit
      [*DeviceA] commit

  • Configure Device B.
    1. Set IP addresses for interfaces.

      1. Set an IP address for GigabitEthernet 0/1/1.

        <DeviceB> system-view
        [~DeviceB] interface GigabitEthernet 0/1/1
        [~DeviceB-GigabitEthernet0/1/1] ip address 10.1.2.1 24
        [*DeviceB-GigabitEthernet0/1/1] quit
        [*DeviceB] commit
      2. Set an IP address for GigabitEthernet 0/1/2.

        [~DeviceB] interface GigabitEthernet 0/1/2
        [~DeviceB-GigabitEthernet0/1/2] ip address 172.16.169.1 24
        [*DeviceB-GigabitEthernet0/1/2] quit
        [*DeviceB] commit
      3. Set an IP address for Loopback 1.

        [~DeviceB] interface loopback1
        [*DeviceB-Loopback1] ip address 2.2.2.2 255.255.255.255 
        [*DeviceB-Loopback1] quit
        [*DeviceB] commit

    2. Configure an IPsec service instance group named group1.

      • The configuration on the NE20E-S2E/NE20E-S2F is as follows:
        [~DeviceB] service-location 1
        [*DeviceB-service-location-1] location slot 2
        [*DeviceB-service-location-1] commit
        [~DeviceB-service-location-1] quit
      [~DeviceB] service-instance-group group1
      [*DeviceB-service-instance-group-group1] service-location 1
      [*DeviceB-service-instance-group-group1] quit
      [*DeviceB] commit

    3. Create and configure tunnel interfaces.

      [~DeviceB] interface loopback1
      [*DeviceB-Loopback1] binding tunnel gre
      [*DeviceB-Loopback1] quit
      [~DeviceB] interface Tunnel 2
      [*DeviceB-Tunnel2] tunnel-protocol gre
      [*DeviceB-Tunnel2] ip address 172.20.1.2 24
      [*DeviceB-Tunnel2] source loopback1
      [*DeviceB-Tunnel2] destination 1.1.1.1
      [*DeviceB-Tunnel2] quit
      [*DeviceB] commit
      [~DeviceB] interface Tunnel 1
      [*DeviceB-Tunnel1] tunnel-protocol ipsec
      [*DeviceB-Tunnel1] ip address 172.22.1.2 24
      [*DeviceB-Tunnel1] quit
      [*DeviceB] commit

    4. Configure static routes to network A. This configuration example assumes that the next hop of Device B is 172.16.169.2/24.

      NOTE:

      When configuring static routes to direct IPsec traffic into IPsec tunnels, specify an IPsec tunnel interface as the outbound interface of the static routes and specify a next hop address.

      [~DeviceB] ip route-static 10.1.1.2 255.255.255.255 Tunnel 2 1.1.1.1
      [*DeviceB] ip route-static 1.1.1.1 255.255.255.255 Tunnel 1 172.19.1.1 
      [*DeviceB] ip route-static 172.19.1.1 255.255.255.255 172.16.169.2
      [*DeviceB] commit

    5. Configure an advanced ACL with the ID of 3000.

      [~DeviceB] acl 3000
      [*DeviceB-acl-adv-3000] rule permit gre source 2.2.2.2 0.0.0.0 destination 1.1.1.1 0.0.0.0
      [*DeviceB-acl-adv-3000] quit
      [*DeviceB] commit

    6. Configure an IPsec proposal with the name of tran1.

      [~DeviceB] ipsec proposal tran1
      [*DeviceB-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*DeviceB-ipsec-proposal-tran1] transform esp
      [*DeviceB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*DeviceB-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*DeviceB-ipsec-proposal-tran1] quit
      [*DeviceB] commit

    7. Configure an IKE proposal with the ID of 10.

      [~DeviceB] ike proposal 10 
      [*DeviceB-ike-proposal-10] authentication-method pre-share 
      [*DeviceB-ike-proposal-10] authentication-algorithm sha2-256 
      [*DeviceB-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [*DeviceB-ike-proposal-10] dh group14
      [*DeviceB-ike-proposal-10] quit
      [*DeviceB] commit

    8. Configure an IKE peer with the name of a.

      [~DeviceB] ike peer a 
      [*DeviceB-ike-peer-a] ike-proposal 10 
      [*DeviceB-ike-peer-a] remote-address 172.19.1.1 
      [*DeviceB-ike-peer-a] pre-shared-key abcde 
      [*DeviceB-ike-peer-a] quit
      [*DeviceB] commit
      NOTE:

      Both IKEv1 and IKEv2 are enabled on the NE20E. If the peer device does not support IKEv2, disable IKEv2 on the NE20E so that IKEv1 is used.

      The authentication settings on the NE20E and the peer device must match.

    9. Configure an IPsec policy with the name of map1 and ID of 10.

      [~DeviceB] ipsec policy map1 10 isakmp 
      [*DeviceB-ipsec-policy-isakmp-map1-10] security acl 3000 
      [*DeviceB-ipsec-policy-isakmp-map1-10] proposal tran1 
      [*DeviceB-ipsec-policy-isakmp-map1-10] ike-peer a 
      [*DeviceB-ipsec-policy-isakmp-map1-10] quit
      [*DeviceB] commit

    10. Apply map1 to the tunnel interface.

      [~DeviceB] interface Tunnel1 
      [*DeviceB-Tunnel1] ipsec policy map1 service-instance-group group1
      [*DeviceB-Tunnel1] quit
      [*DeviceB] commit

Configuration Files
  • Configurations on Device A

    #
     sysname DeviceA
    #
    acl number 3000
      rule 5 permit gre source 1.1.1.1 0 destination 2.2.2.2 0
    #
    service-location 1
     location slot 2
    #
    service-instance-group group1
     service-location 1
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer b
     pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
     ike-proposal 10
     remote-address 172.22.1.2
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
    #
    interface GigabitEthernet0/1/1
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/1/2
     undo shutdown
     ip address 172.16.163.1 255.255.255.0
    #
    interface loopback1
     ip address 1.1.1.1 255.255.255.255
     binding tunnel gre
    #
    interface Tunnel1
     ip address 172.19.1.1 255.255.255.0
     tunnel-protocol ipsec
     ipsec policy map1 service-instance-group group1
    #
    interface Tunnel2
     ip address 172.21.1.1 255.255.255.0
     tunnel-protocol gre
     source loopback1
     destination 2.2.2.2
    #
     ip route-static 10.1.2.2 255.255.255.255 Tunnel 2 2.2.2.2
     ip route-static 2.2.2.2 255.255.255.255 Tunnel 1 172.22.1.2
     ip route-static 172.22.1.2 255.255.255.255 172.16.163.2
    #
    return
    
  • Configurations on Device B.

    #
     sysname DeviceB
    #
    acl number 3000
      rule 5 permit gre source 2.2.2.2 0 destination 1.1.1.1 0
    #
    service-location 1
     location slot 2
    #
    service-instance-group group1
     service-location 1
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer a
     pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
     ike-proposal 10
     remote-address 172.19.1.1
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet0/1/1
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/1/2
     undo shutdown
     ip address 172.16.169.1 255.255.255.0
    #
    interface loopback1
     ip address 2.2.2.2 255.255.255.255
     binding tunnel gre
    #
    interface Tunnel1
     ip address 172.22.1.2 255.255.255.0
     tunnel-protocol ipsec
     ipsec policy map1 service-instance-group group1
    #
    interface Tunnel2
     ip address 172.20.1.2 255.255.255.0
     tunnel-protocol gre
     source loopback1
     destination 1.1.1.1
    #
     ip route-static 10.1.1.2 255.255.255.255 Tunnel 2 1.1.1.1
     ip route-static 1.1.1.1 255.255.255.255 Tunnel 1 172.19.1.1
     ip route-static 172.19.1.1 255.255.255.255 172.16.169.2
    #
    return
    
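The two configuration files above must agree on several values for the tunnel to come up: each end's IKE peer `remote-address` has to be the other end's IPsec tunnel interface address, the GRE `destination` has to be the other end's loopback, the security ACL has to select exactly the GRE packets between the two loopbacks, and the IKE and IPsec proposals have to match. The following Python script is an added example (not a Huawei tool) that parses VRP-style configuration text and checks those invariants offline, so a copy error such as swapped GRE and IPsec tunnel addresses on one end is caught before commit. The sample configurations are constructed from a template with the names and addresses of this example; the pre-shared key is the plaintext `abcde` from the procedure, because a saved file stores it as `%$%$...%$%$` ciphertext that cannot be compared offline.

```python
import re

# Constructed, trimmed configuration files for both ends of the GRE over IPsec example
# (names and addresses copied from it). Plaintext pre-shared key as typed in the procedure;
# a saved configuration would hold ciphertext, which this check deliberately skips.
TEMPLATE = """\
acl number 3000
  rule 5 permit gre source {loop} 0 destination {peer_loop} 0
ike proposal 10
 dh group14
 authentication-algorithm sha2-256
ike peer {peer}
 pre-shared-key abcde
 ike-proposal 10
 remote-address {remote}
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer {peer}
 proposal tran1
interface loopback1
 ip address {loop} 255.255.255.255
interface Tunnel1
 ip address {ipsec} 255.255.255.0
 tunnel-protocol ipsec
 ipsec policy map1 service-instance-group group1
interface Tunnel2
 ip address {gre} 255.255.255.0
 tunnel-protocol gre
 source loopback1
 destination {peer_loop}
"""
CONFIG_A = TEMPLATE.format(loop="1.1.1.1", peer_loop="2.2.2.2", peer="b",
                           remote="172.22.1.2", ipsec="172.19.1.1", gre="172.21.1.1")
CONFIG_B = TEMPLATE.format(loop="2.2.2.2", peer_loop="1.1.1.1", peer="a",
                           remote="172.19.1.1", ipsec="172.22.1.2", gre="172.20.1.2")

def parse_vrp(text):
    """{header: [sub-commands]}: headers sit at column 0, sub-commands are indented, '#' closes a block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() in ("#", "return"):
            current = None
        elif not line.startswith(" "):
            current = blocks.setdefault(line, [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def arg(subs, key):
    """Value of the first sub-command that starts with key, or None if there is none."""
    return next((s[len(key):].strip() for s in subs if s.startswith(key + " ")), None)

def describe(text):
    """Collect the fields of one end that must agree with the other end."""
    cfg = parse_vrp(text)
    ifaces = {h.split()[1].lower(): s for h, s in cfg.items() if h.startswith("interface ")}
    (hdr, policy), = [(h, s) for h, s in cfg.items() if h.startswith("ipsec policy ")]
    peer = cfg[f"ike peer {arg(policy, 'ike-peer')}"]
    # The IPsec tunnel interface is the one applying the policy; the GRE source loopback is the ACL's source.
    ipsec_if = next(s for s in ifaces.values()
                    if (arg(s, "ipsec policy") or "").split()[:1] == [hdr.split()[2]])
    gre_if = next(s for s in ifaces.values() if "tunnel-protocol gre" in s)
    loopback = ifaces[arg(gre_if, "source").lower()]
    m = re.search(r"permit gre source (\S+) \S+ destination (\S+)",
                  " ".join(cfg[f"acl number {arg(policy, 'security acl')}"]))
    return {
        "ipsec_local": arg(ipsec_if, "ip address").split()[0],
        "gre_source": arg(loopback, "ip address").split()[0],
        "gre_dest": arg(gre_if, "destination"),
        "remote": arg(peer, "remote-address"),
        "psk": arg(peer, "pre-shared-key"),
        "acl": (m.group(1), m.group(2)) if m else None,
        "ike_proposal": sorted(cfg[f"ike proposal {arg(peer, 'ike-proposal')}"]),
        "ipsec_proposal": sorted(cfg[f"ipsec proposal {arg(policy, 'proposal')}"]),
    }

def check_pair(text_a, text_b):
    """Return the inconsistencies between the two ends; an empty list means consistent."""
    ends, problems = {"A": describe(text_a), "B": describe(text_b)}, []
    for me, other in (("A", "B"), ("B", "A")):
        x, y = ends[me], ends[other]
        if x["remote"] != y["ipsec_local"]:
            problems.append(f"{me}: IKE remote-address {x['remote']} is not {other}'s IPsec tunnel address {y['ipsec_local']}")
        if x["gre_dest"] != y["gre_source"]:
            problems.append(f"{me}: GRE destination {x['gre_dest']} is not {other}'s GRE source {y['gre_source']}")
        if x["acl"] != (x["gre_source"], x["gre_dest"]):
            problems.append(f"{me}: security ACL {x['acl']} does not select the GRE packets {x['gre_source']} -> {x['gre_dest']}")
    a, b = ends["A"], ends["B"]
    for field in ("ike_proposal", "ipsec_proposal"):
        if a[field] != b[field]:
            problems.append(f"{field} differs between the two ends")
    # Only plaintext keys can be compared; a saved file holds %$%$...%$%$ ciphertext.
    plain = [e["psk"] for e in (a, b) if not e["psk"].startswith("%$%$")]
    if len(plain) == 2 and plain[0] != plain[1]:
        problems.append("pre-shared keys differ")
    return problems
```

`check_pair(CONFIG_A, CONFIG_B)` returns an empty list for the two files above. Feeding it a Device B file whose Tunnel1 carries the GRE address instead of 172.22.1.2 yields a single finding, that Device A's IKE `remote-address` no longer names Device B's IPsec tunnel interface, which is exactly the failure an IKE negotiation would show as a non-responding peer.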

Example for Configuring Inter-Board IPv6 over GRE over IPsec

IPsec applies only to IPv4 unicast packets. To cover IPv6 unicast, IPv4 multicast, IPv4 broadcast, and L2VPN/L3VPN IPv4 packets, configure IPv6 over GRE over IPsec.

Networking Requirements

Figure 12-10 shows the networking diagram.

  • Network A is connected to Device A through GE 0/3/1.

  • Network B is connected to Device B through GE 0/1/2.

  • The IPv4 and IPv6 addresses of Device A are 10.1.2.2 and 3005::2 respectively. The IPsec service board and the tunnel service board of Device A are both installed in slot 2.

  • The IPv4 and IPv6 addresses of Device B are 10.1.3.2 and 3006::2 respectively. The IPsec service board and the tunnel service board of Device B are both installed in slot 2.

  • Routes between Device A and Device B are reachable.

Figure 12-10 Networking of IPv6 over GRE over IPsec

IPv4 unicast, IPv6 unicast, IPv4 multicast, IPv4 broadcast, and L2VPN/L3VPN IPv4 packets must be encrypted before being sent between PCA and PCB.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Assign an IP address to each interface.

  2. Create a loopback interface and bind it to GRE.

  3. Create a tunnel interface and configure GRE for the tunnel interface.

  4. Configure an ACL rule.

  5. Configure an IPsec proposal.

  6. Configure an IKE proposal.

  7. Configure IKE peers.

  8. Configure an IPsec policy.

  9. Configure the IPsec service instance group.

  10. Create a tunnel interface and configure IPsec for the tunnel interface.

  11. Configure a static route to the destination network.

Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of interfaces
  • Tunnel mode, IP address, source address, and destination address for each tunnel interface
  • IP address segments
  • Pre-shared key
  • Security protocol, encapsulation mode, encryption algorithm, and authentication algorithm that an IPsec proposal uses
  • Encryption algorithm and authentication algorithm that an IKE proposal uses

Procedure

  • Configure Device A.
    1. Allocate IP addresses to interfaces.

      1. Configure an IP address for GE 0/3/2.10.

        <DeviceA> system-view
        [~DeviceA] interface GigabitEthernet 0/3/2.10
        [*DeviceA-GigabitEthernet0/3/2.10] vlan-type dot1q 200
        [*DeviceA-GigabitEthernet0/3/2.10] ip address 10.1.1.6 24
        [*DeviceA-GigabitEthernet0/3/2.10] quit
        [*DeviceA] commit
      2. Configure an IP address for GE 0/3/1.

        [~DeviceA] interface GigabitEthernet 0/3/1
        [~DeviceA-GigabitEthernet0/3/1] ip address 10.1.2.1 24
        [*DeviceA-GigabitEthernet0/3/1] ipv6 enable
        [*DeviceA-GigabitEthernet0/3/1] ipv6 address 3005::1/64
        [*DeviceA-GigabitEthernet0/3/1] ipv6 neighbor 3005::2 11-11-11
        [*DeviceA-GigabitEthernet0/3/1] quit
        [*DeviceA] commit

    2. Create a loopback interface and bind it to GRE.

      [~DeviceA] interface loopback 111
      [*DeviceA-Loopback111] ip address 1.1.1.6 32
      [*DeviceA-Loopback111] binding tunnel gre
      [*DeviceA-Loopback111] quit
      [*DeviceA] commit

    3. Configure a GRE tunnel.

      [~DeviceA] interface tunnel 200
      [*DeviceA-tunnel200] tunnel-protocol gre
      [*DeviceA-tunnel200] ip address 10.1.4.1 24
      [*DeviceA-tunnel200] source loopback 111
      [*DeviceA-tunnel200] destination 1.1.1.7
      [*DeviceA-tunnel200] ipv6 enable
      [*DeviceA-tunnel200] ipv6 address 3011::1/64
      [*DeviceA-tunnel200] quit
      [*DeviceA] commit

    4. Configure an ACL rule.

      [~DeviceA] acl 3018
      [*DeviceA-acl4-advance-3018] rule permit gre source 1.1.1.6 0 destination 1.1.1.7 0
      [*DeviceA-acl4-advance-3018] quit
      [*DeviceA] commit

    5. Configure an IPsec proposal named pro1.

      [~DeviceA] ipsec proposal pro1 
      [*DeviceA-ipsec-proposal-pro1] encapsulation-mode tunnel
      [*DeviceA-ipsec-proposal-pro1] transform esp
      [*DeviceA-ipsec-proposal-pro1] esp authentication-algorithm sha1
      [*DeviceA-ipsec-proposal-pro1] esp encryption-algorithm aes 256
      [*DeviceA-ipsec-proposal-pro1] quit
      [*DeviceA] commit

    6. Configure an IKE proposal numbered 1.

      [~DeviceA] ike proposal 1
      [*DeviceA-ike-proposal-1] authentication-method pre-share
      [*DeviceA-ike-proposal-1] authentication-algorithm sha1
      [*DeviceA-ike-proposal-1] dh group14
      [*DeviceA-ike-proposal-1] quit
      [*DeviceA] commit

    7. Configure an IKE peer named peer1.

      [~DeviceA] ike peer peer1
      [*DeviceA-ike-peer-peer1] ike-proposal 1
      [*DeviceA-ike-peer-peer1] remote-address 10.1.5.2
      [*DeviceA-ike-peer-peer1] pre-shared-key 1234567890
      [*DeviceA-ike-peer-peer1] quit
      [*DeviceA] commit
      NOTE:

      The pre-shared key configured on the local device must be the same as that configured on the IKE peer.

    8. Configure an IPsec policy named policy1 and numbered 1.

      [~DeviceA] ipsec policy policy1 1 isakmp
      [*DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3018
      [*DeviceA-ipsec-policy-isakmp-policy1-1] proposal pro1
      [*DeviceA-ipsec-policy-isakmp-policy1-1] ike-peer peer1
      [*DeviceA-ipsec-policy-isakmp-policy1-1] quit
      [*DeviceA] commit

    9. Configure the IPsec service instance group group1.

      • The configuration on the NE20E-S2E/NE20E-S2F is as follows:
        [~DeviceA] service-location 1
        [*DeviceA-service-location-1] location slot 2
        [*DeviceA-service-location-1] commit
        [~DeviceA-service-location-1] quit
      [~DeviceA] service-instance-group group1
      [*DeviceA-service-instance-group-group1] service-location 1
      [*DeviceA-service-instance-group-group1] quit
      [*DeviceA] commit

    10. Create a tunnel interface and configure IPsec for the tunnel interface.

      [~DeviceA] interface Tunnel 1600
      [*DeviceA-Tunnel1600] ip address 10.1.5.1 24
      [*DeviceA-Tunnel1600] tunnel-protocol ipsec
      [*DeviceA-Tunnel1600] ipsec policy policy1 service-instance-group group1
      [*DeviceA-Tunnel1600] quit
      [*DeviceA] commit
      

    11. Configure a static route to network B.

      [~DeviceA] ip route-static 1.1.1.7 255.255.255.255 Tunnel1600  10.1.5.2
      [*DeviceA] ip route-static 10.1.5.2 255.255.255.255 GigabitEthernet0/3/2.10  10.1.1.7
      [*DeviceA] ip route-static 10.1.3.1 255.255.255.0 Tunnel200 1.1.1.7
      [*DeviceA] ipv6 route-static 3006::2 64 Tunnel200
      [*DeviceA] commit
      

  • Configure Device B.
    1. Allocate IP addresses to interfaces.

      1. Configure an IP address for GE 0/1/1.10.

        <DeviceB> system-view
        [~DeviceB] interface GigabitEthernet0/1/1.10
        [*DeviceB-GigabitEthernet0/1/1.10] vlan-type dot1q 200
        [*DeviceB-GigabitEthernet0/1/1.10] ip address 10.1.1.7 24
        [*DeviceB-GigabitEthernet0/1/1.10] quit
        [*DeviceB] commit
      2. Configure an IP address for GE 0/1/2.

        [~DeviceB] interface GigabitEthernet 0/1/2
        [*DeviceB-GigabitEthernet0/1/2] ip address 10.1.3.1 24
        [*DeviceB-GigabitEthernet0/1/2] ipv6 enable
        [*DeviceB-GigabitEthernet0/1/2] ipv6 address 3006::1/64
        [*DeviceB-GigabitEthernet0/1/2] ipv6 neighbor 3006::2 22-22-22
        [*DeviceB-GigabitEthernet0/1/2] quit
        [*DeviceB] commit

    2. Create a loopback interface and bind it to GRE.

      [~DeviceB] interface loopback 111
      [*DeviceB-Loopback111] ip address 1.1.1.7 255.255.255.255
      [*DeviceB-Loopback111] binding tunnel gre
      [*DeviceB-Loopback111] quit
      [*DeviceB] commit
      

    3. Configure a GRE tunnel.

      [~DeviceB] interface tunnel 200
      [*DeviceB-tunnel200] tunnel-protocol gre
      [*DeviceB-tunnel200] ip address 10.1.4.2 255.255.255.0
      [*DeviceB-tunnel200] ipv6 enable
      [*DeviceB-tunnel200] ipv6 address 3011::2/64
      [*DeviceB-tunnel200] source LoopBack 111
      [*DeviceB-tunnel200] destination 1.1.1.6
      [*DeviceB-tunnel200] quit
      [*DeviceB] commit
      

    4. Configure an ACL rule.

      [~DeviceB] acl 3018
      [*DeviceB-acl4-advance-3018] rule permit gre source 1.1.1.7 0 destination 1.1.1.6 0
      [*DeviceB-acl4-advance-3018] quit
      [*DeviceB] commit
      

    5. Configure an IPsec proposal named pro1.

      [~DeviceB] ipsec proposal pro1
      [*DeviceB-ipsec-proposal-pro1] encapsulation-mode tunnel
      [*DeviceB-ipsec-proposal-pro1] transform esp
      [*DeviceB-ipsec-proposal-pro1] esp authentication-algorithm sha1
      [*DeviceB-ipsec-proposal-pro1] esp encryption-algorithm aes 256
      [*DeviceB-ipsec-proposal-pro1] quit
      [*DeviceB] commit

    6. Configure an IKE proposal numbered 1.

      [~DeviceB] ike proposal 1 
      [*DeviceB-ike-proposal-1] authentication-method pre-share 
      [*DeviceB-ike-proposal-1] authentication-algorithm sha1
      [*DeviceB-ike-proposal-1] dh group14
      [*DeviceB-ike-proposal-1] quit
      [*DeviceB] commit

    7. Configure an IKE peer named peer1.

      [~DeviceB] ike peer peer1 
      [*DeviceB-ike-peer-peer1] ike-proposal 1 
      [*DeviceB-ike-peer-peer1] remote-address 10.1.5.1 
      [*DeviceB-ike-peer-peer1] pre-shared-key 1234567890 
      [*DeviceB-ike-peer-peer1] quit
      [*DeviceB] commit
      

    8. Configure an IPsec policy named policy1 and numbered 1.

      [~DeviceB] ipsec policy policy1 1 isakmp
      [*DeviceB-ipsec-policy-isakmp-policy1-1] security acl 3018
      [*DeviceB-ipsec-policy-isakmp-policy1-1] proposal pro1
      [*DeviceB-ipsec-policy-isakmp-policy1-1] ike-peer peer1
      [*DeviceB-ipsec-policy-isakmp-policy1-1] quit
      [*DeviceB] commit
      

    9. Configure the IPsec service instance group group1.

      • The configuration on the NE20E-S2E/NE20E-S2F is as follows:
        [~DeviceB] service-location 1
        [*DeviceB-service-location-1] location slot 2
        [*DeviceB-service-location-1] commit
        [~DeviceB-service-location-1] quit
      [~DeviceB] service-instance-group group1
      [*DeviceB-service-instance-group-group1] service-location 1
      [*DeviceB-service-instance-group-group1] quit
      [*DeviceB] commit

    10. Create a tunnel interface and configure IPsec for the tunnel interface.

      [~DeviceB] interface Tunnel 1600
      [*DeviceB-Tunnel1600] ip address 10.1.5.2 24
      [*DeviceB-Tunnel1600] tunnel-protocol ipsec
      [*DeviceB-Tunnel1600] ipsec policy policy1 service-instance-group group1
      [*DeviceB-Tunnel1600] quit
      [*DeviceB] commit
      

    11. Configure a static route to network A.

      [~DeviceB] ip route-static 10.1.2.1 255.255.255.0 Tunnel200  1.1.1.6
      [*DeviceB] ip route-static 10.1.5.1 255.255.255.255 GigabitEthernet0/1/1.10  10.1.1.6
      [*DeviceB] ip route-static 1.1.1.6 255.255.255.255 Tunnel1600 10.1.5.1
      [*DeviceB] ipv6 route-static 3005::2 64 Tunnel200
      [*DeviceB] commit
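The three IPv4 static routes in step 11 (and the same three-route pattern in the GRE over IPsec example earlier on this page) each steer one layer of the encapsulation: the route for network B sends the inner packet into the GRE tunnel, the host route for the peer's loopback sends the GRE packet into the IPsec tunnel interface, and the host route for the peer's IPsec tunnel address sends the ESP packet out of the physical interface. The Python model below is an added example, not the NE20E's forwarding code: it replays Device A's static and connected routes from this example, adds a header each time a packet is routed into a tunnel interface, and reports the header stack that leaves GE 0/3/2.10. Assumptions of the model: a packet's `proto` field is the protocol name the security ACL matches on, and a packet that reaches the IPsec tunnel interface without being selected by ACL 3018 is treated as dropped.

```python
import ipaddress

# Constructed model of Device A in the IPv6 over GRE over IPsec example (interface names and
# addresses copied from it; the connected routes are the ones the device derives from its
# interface addresses). An illustrative model, not the NE20E's forwarding code.
ROUTES_A = [
    # (destination prefix, outbound interface, next hop or None for a connected route)
    ("10.1.3.0/24", "Tunnel200", "1.1.1.7"),                # network B via the GRE tunnel
    ("3006::/64", "Tunnel200", None),                        # IPv6 network B via the GRE tunnel
    ("1.1.1.7/32", "Tunnel1600", "10.1.5.2"),                # GRE outer destination -> IPsec tunnel
    ("10.1.5.2/32", "GigabitEthernet0/3/2.10", "10.1.1.7"),  # ESP outer destination -> physical link
    ("10.1.5.0/24", "Tunnel1600", None),                     # connected: Tunnel1600 is 10.1.5.1/24
    ("10.1.1.0/24", "GigabitEthernet0/3/2.10", None),        # connected: GE0/3/2.10 is 10.1.1.6/24
]
TUNNELS_A = {
    "Tunnel200": {"protocol": "gre", "source": "1.1.1.6", "destination": "1.1.1.7"},
    "Tunnel1600": {"protocol": "ipsec", "local": "10.1.5.1", "remote": "10.1.5.2",
                   # ACL 3018: rule permit gre source 1.1.1.6 0 destination 1.1.1.7 0
                   "acl": [("gre", "1.1.1.6", "1.1.1.7")]},
}
MAX_ENCAPS = 4  # more nested headers than this means the static routes form a loop


def lookup_route(dst, routes):
    """Longest-prefix match within the destination's address family."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface, nexthop)
    return None if best is None else (best[1], best[2])


def forward(packet, routes=ROUTES_A, tunnels=TUNNELS_A):
    """Follow one packet through Device A's routes, adding a header each time it is routed
    into a tunnel interface. Returns the headers (innermost first), the physical egress
    interface and the next hop; raises when the packet would be dropped."""
    layers = [dict(packet)]
    for _ in range(MAX_ENCAPS):
        outer = layers[-1]
        hit = lookup_route(outer["dst"], routes)
        if hit is None:
            raise LookupError(f"no route to {outer['dst']}")
        iface, nexthop = hit
        tun = tunnels.get(iface)
        if tun is None:                # physical interface: the packet leaves as it is
            return {"layers": layers, "egress": iface, "nexthop": nexthop}
        if tun["protocol"] == "gre":   # GRE adds an IPv4 header (protocol 47) between the loopbacks
            layers.append({"proto": "gre", "src": tun["source"], "dst": tun["destination"]})
        else:                          # IPsec tunnel mode adds an ESP header, only for ACL matches
            if (outer["proto"], outer["src"], outer["dst"]) not in tun["acl"]:
                raise PermissionError(f"{outer['proto']} {outer['src']}->{outer['dst']} reached "
                                      f"{iface} but is not selected by its security ACL")
            layers.append({"proto": "esp", "src": tun["local"], "dst": tun["remote"]})
    raise RuntimeError("too many encapsulations: the static routes loop between tunnel interfaces")


def protocol_stack(result):
    """Header protocols innermost first, e.g. ['ipv6', 'gre', 'esp']."""
    return [layer["proto"] for layer in result["layers"]]


if __name__ == "__main__":
    hop = forward({"proto": "ipv6", "src": "3005::2", "dst": "3006::2"})
    print(protocol_stack(hop), "via", hop["egress"], "next hop", hop["nexthop"])
```

An IPv6 packet from 3005::2 to 3006::2 leaves GE 0/3/2.10 as `ipv6` inside `gre` (1.1.1.6 to 1.1.1.7) inside `esp` (10.1.5.1 to 10.1.5.2), and an IPv4 packet for 10.1.3.0/24 takes the same path. Two negative cases are worth trying with the model: a packet addressed directly to 10.1.5.2 leaves in the clear, because only GRE traffic between the loopbacks is selected by the ACL, and removing the host route for 10.1.5.2 makes the ESP packet fall back to the connected route through Tunnel1600, where it is dropped, which is the situation the NOTE about static routes in the GRE over IPsec example warns against.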

Configuration Files
  • Device A configuration file

    #
     sysname DeviceA
    #
    ipv6
    #
    service-location 1
     location slot 2
    #
    service-instance-group group1
     service-location 1
    #
    acl number 3018
     rule 5 permit gre source 1.1.1.6 0 destination 1.1.1.7 0
    #
    ike proposal 1
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha1
     integrity-algorithm hmac-sha2-256
    #
    ike peer peer1
     pre-shared-key %$%$0\WT%.iDi6%K-f)_^mQ6,.2n%$%$
     ike-proposal 1
     remote-address 10.1.5.2
    #
    ipsec proposal pro1
     esp authentication-algorithm sha1
     esp encryption-algorithm aes 256
    #
    ipsec policy policy1 1 isakmp
     security acl 3018
     ike-peer peer1
     proposal pro1
    #
    interface GigabitEthernet0/3/1
     undo shutdown
     ipv6 enable
     ip address 10.1.2.1 255.255.255.0
     ipv6 address 3005::1/64
     ipv6 neighbor 3005::2 0011-0011-0011
     undo dcn
    #
    interface GigabitEthernet0/3/2.10
     vlan-type dot1q 200
     ip address 10.1.1.6 255.255.255.0
    #
    interface LoopBack111
     ip address 1.1.1.6 255.255.255.255
     binding tunnel gre
    #
    interface Tunnel1600
     ip address 10.1.5.1 255.255.255.0
     tunnel-protocol ipsec
     ipsec policy policy1 service-instance-group group1
    #
    interface Tunnel200
     ipv6 enable
     ip address 10.1.4.1 255.255.255.0
     ipv6 address 3011::1/64
     tunnel-protocol gre
     source LoopBack111
     destination 1.1.1.7
    #
    ip route-static 10.1.3.0 255.255.255.0 Tunnel200 1.1.1.7
    ip route-static 10.1.5.2 255.255.255.255 GigabitEthernet0/3/2.10 10.1.1.7
    ip route-static 1.1.1.7 255.255.255.255 Tunnel1600 10.1.5.2
    #
    ipv6 route-static 3006:: 64 Tunnel200
    #
    
  • Device B configuration file

    #
     sysname DeviceB
    #
    ipv6
    #
    service-location 1
     location slot 2
    #
    service-instance-group group1
     service-location 1
    #
    acl number 3018
     rule 5 permit gre source 1.1.1.7 0 destination 1.1.1.6 0
    #
    ike proposal 1
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha1
     integrity-algorithm hmac-sha2-256
    #
    ike peer peer1
     pre-shared-key %$%$0\WT%.iDi6%K-f)_^mQ6,.2n%$%$
     ike-proposal 1
     remote-address 10.1.5.1
    #
    ipsec proposal pro1
     esp authentication-algorithm sha1
     esp encryption-algorithm aes 256
    #
    ipsec policy policy1 1 isakmp
     security acl 3018
     ike-peer peer1
     proposal pro1
    #
    interface GigabitEthernet0/1/1.10
     vlan-type dot1q 200
     ip address 10.1.1.7 255.255.255.0
    #
    interface GigabitEthernet0/1/2
     undo shutdown
     ipv6 enable
     ip address 10.1.3.1 255.255.255.0
     ipv6 address 3006::1/64
     ipv6 neighbor 3006::2 0022-0022-0022
    #
    interface LoopBack111
     ip address 1.1.1.7 255.255.255.255
     binding tunnel gre
    #
    interface Tunnel1600
     ip address 10.1.5.2 255.255.255.0
     tunnel-protocol ipsec
     ipsec policy policy1 service-instance-group group1
    #
    interface Tunnel200
     ipv6 enable
     ip address 10.1.4.2 255.255.255.0
     ipv6 address 3011::2/64
     tunnel-protocol gre
     source LoopBack111
     destination 1.1.1.6
    #
    ip route-static 10.1.2.0 255.255.255.0 Tunnel200 1.1.1.6
    ip route-static 10.1.5.1 255.255.255.255 GigabitEthernet0/1/1.10 10.1.1.6
    ip route-static 1.1.1.6 255.255.255.255 Tunnel1600 10.1.5.1
    #
    ipv6 route-static 3005:: 64 Tunnel200
    #


Example for Configuring Inter-Board BGP over GRE over IPsec

Networking Requirements

As shown in Figure 12-11, a GRE over IPsec tunnel is created between Device A and Device B. The IPsec service board is installed in slot 2 on both the CE-side Device A and the PE-side Device B, and the GRE tunnel board is installed in slot 2 on both devices. Packets are transmitted through the MPLS LDP network before being encrypted and after being decrypted on Device B, and the GRE tunnel on the Device B side is bound to an L3VPN.

Figure 12-11 Networking of BGP over GRE over IPsec

Configuration Roadmap

The configuration roadmap on Device A is as follows:

  1. Allocate IP addresses to interfaces.

  2. Create a loopback interface and bind it to GRE.

  3. Create a tunnel interface and configure attributes for the tunnel interface.

  4. Configure an ACL rule.

  5. Configure an IKE proposal.

  6. Configure an IPsec proposal.

  7. Configure an IKE peer.

  8. Configure an IPsec policy.

  9. Configure an IPsec service instance group.

  10. Create a tunnel interface and configure IPsec for the tunnel interface.

  11. Configure a static route that imports traffic into the tunnel.

  12. Configure a static route that imports GRE packets into the IPsec tunnel.

  13. Configure a static route that imports encrypted packets to a physical link's outbound interface.

  14. Configure BGP.

The configuration roadmap on Device B is as follows:

  1. Allocate IP addresses to interfaces.

  2. Create a loopback interface and bind it to GRE.

  3. Create and configure a VPN instance.

  4. Create a tunnel interface and configure attributes for the tunnel interface.

  5. Configure an ACL rule.

  6. Configure an IKE proposal.

  7. Configure an IPsec proposal.

  8. Configure an IKE peer.

  9. Configure an IPsec policy.

  10. Configure an IPsec service instance group.

  11. Create a tunnel interface and configure IPsec for the tunnel interface.

  12. Configure a static route that imports traffic into the tunnel.

  13. Configure a static route that imports GRE packets into the IPsec tunnel.

  14. Configure a static route that imports encrypted packets to a physical link's outbound interface.

  15. Configure IS-IS.

  16. Configure an MPLS session.

  17. Configure BGP.

Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of interfaces

  • Security protocol, encapsulation mode, and the encryption and authentication algorithms that the security protocol uses

  • Pre-shared authentication key

Configuration Procedure
  • Configure Device A.

  1. Allocate IP addresses to interfaces.

    • Configure an IP address for GE 0/2/1.

      <DeviceA> system-view
      [~DeviceA] interface GigabitEthernet 0/2/1
      [*DeviceA-GigabitEthernet0/2/1] ip address 10.0.0.1 24
      [*DeviceA-GigabitEthernet0/2/1] quit
      [*DeviceA] commit
    • Configure an IP address for GE 0/1/1.

      [~DeviceA] interface GigabitEthernet 0/1/1
      [*DeviceA-GigabitEthernet0/1/1] ip address 10.1.0.1 24
      [*DeviceA-GigabitEthernet0/1/1] quit
      [*DeviceA] commit
  2. Create a loopback interface and bind it to GRE.

    [~DeviceA] interface LoopBack 1
    [*DeviceA-LoopBack1] ip address 60.60.60.60 32
    [*DeviceA-LoopBack1] binding tunnel gre
    [*DeviceA-LoopBack1] quit
    [*DeviceA] commit
  3. Create a tunnel interface and configure GRE for the tunnel interface.

    [~DeviceA] interface Tunnel 100
    [*DeviceA-Tunnel100] ip address 10.0.1.1 24
    [*DeviceA-Tunnel100] tunnel-protocol gre
    [*DeviceA-Tunnel100] source LoopBack 1
    [*DeviceA-Tunnel100] destination 108.108.108.108
    [*DeviceA-Tunnel100] quit
    [*DeviceA] commit
  4. Configure an ACL rule.

    [~DeviceA] acl 3001
    [*DeviceA-acl4-advance-3001] rule permit gre source 60.60.60.60 0 destination 108.108.108.108 0
    [*DeviceA-acl4-advance-3001] quit
    [*DeviceA] commit
  5. Configure an IKE proposal numbered 1.

    [~DeviceA] ike proposal 1
    [*DeviceA-ike-proposal-1] quit
    [*DeviceA] commit
  6. Configure an IPsec proposal named pro1.

    [~DeviceA] ipsec proposal pro1
    [*DeviceA-ipsec-proposal-pro1] quit
    [*DeviceA] commit
  7. Configure an IKE peer named peer1.

    [~DeviceA] ike peer peer1
    [*DeviceA-ike-peer-peer1] pre-shared-key 1234567890
    [*DeviceA-ike-peer-peer1] ike-proposal 1
    [*DeviceA-ike-peer-peer1] remote-address 12.1.0.2 
    [*DeviceA-ike-peer-peer1] quit
    [*DeviceA] commit
  8. Configure an IPsec policy named policy1 and numbered 1.

    [~DeviceA] ipsec policy policy1 1 isakmp
    [*DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3001
    [*DeviceA-ipsec-policy-isakmp-policy1-1] proposal pro1
    [*DeviceA-ipsec-policy-isakmp-policy1-1] ike-peer peer1
    [*DeviceA-ipsec-policy-isakmp-policy1-1] quit
    [*DeviceA] commit
  9. Configure an IPsec service instance group named group1.

    • The configuration on the NE20E-S2E/NE20E-S2F is as follows:
      [~DeviceA] service-location 1
      [*DeviceA-service-location-1] location slot 2
      [*DeviceA-service-location-1] commit
      [~DeviceA-service-location-1] quit
    [~DeviceA] service-instance-group group1
    [*DeviceA-service-instance-group-group1] service-location 1
    [*DeviceA-service-instance-group-group1] quit
    [*DeviceA] commit
  10. Create a tunnel interface and configure IPsec for the tunnel interface.

    [~DeviceA] interface Tunnel 1
    [*DeviceA-Tunnel1] ip address 12.1.0.1 24
    [*DeviceA-Tunnel1] tunnel-protocol ipsec
    [*DeviceA-Tunnel1] ipsec policy policy1 service-instance-group group1
    [*DeviceA-Tunnel1] quit
    [*DeviceA] commit
  11. Configure static routes that import traffic into the tunnel.

    [~DeviceA] ip route-static 10.0.1.2 255.255.255.255 Tunnel100
    [*DeviceA] commit
  12. Configure a static route that imports GRE packets into the IPsec tunnel.

    [*DeviceA] ip route-static 108.108.108.108 32 Tunnel 1 12.1.0.2
    [*DeviceA] commit
  13. Configure a static route that imports encrypted packets to a physical link's outbound interface.

    [*DeviceA] ip route-static 12.1.0.2 32 GigabitEthernet 0/2/1 10.0.0.2
    [*DeviceA] commit
  14. Configure BGP.

    [~DeviceA] bgp 200
    [*DeviceA-bgp] peer 10.0.1.2 as-number 100 
    [*DeviceA-bgp] peer 10.0.1.2 ebgp-max-hop 255
    [*DeviceA-bgp] peer 10.0.1.2 connect-interface Tunnel 100
    [*DeviceA-bgp] ipv4-family unicast
    [*DeviceA-bgp-af-ipv4] network 10.1.0.0
    [*DeviceA-bgp-af-ipv4] quit
    [*DeviceA] commit
  • Configure Device B.

  1. Allocate IP addresses to interfaces.

    [~DeviceB] interface GigabitEthernet0/1/3
    [*DeviceB-GigabitEthernet0/1/3] ip address 10.0.0.2 24
    [*DeviceB-GigabitEthernet0/1/3] quit
    [*DeviceB] commit
  2. Create a loopback interface and bind it to GRE.

    [~DeviceB] interface LoopBack 1
    [*DeviceB-LoopBack1] ip address 108.108.108.108 32
    [*DeviceB-LoopBack1] binding tunnel gre
    [*DeviceB-LoopBack1] quit
    [*DeviceB] commit
  3. Configure a VPN instance.

    [~DeviceB] ip vpn-instance vpn1
    [*DeviceB-vpn-instance-vpn1] route-distinguisher 1:1
    [*DeviceB-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
    [*DeviceB-vpn-instance-vpn1-af-ipv4] quit
    [*DeviceB-vpn-instance-vpn1] quit
    [*DeviceB] commit
  4. Configure a GRE tunnel.

    [~DeviceB] interface Tunnel 100
    [*DeviceB-Tunnel100] ip binding vpn-instance vpn1
    [*DeviceB-Tunnel100] ip address 10.0.1.2 24
    [*DeviceB-Tunnel100] tunnel-protocol gre
    [*DeviceB-Tunnel100] source LoopBack 1
    [*DeviceB-Tunnel100] destination 60.60.60.60
    [*DeviceB-Tunnel100] quit
    [*DeviceB] commit
  5. Configure an ACL rule.

    [~DeviceB] acl 3001
    [*DeviceB-acl4-advance-3001] rule permit gre source 108.108.108.108 0 destination 60.60.60.60 0
    [*DeviceB-acl4-advance-3001] quit
    [*DeviceB] commit
  6. Configure an IKE proposal numbered 1.

    [~DeviceB] ike proposal 1
    [*DeviceB-ike-proposal-1] quit
    [*DeviceB] commit
  7. Configure an IPsec proposal named pro1.

    [~DeviceB] ipsec proposal pro1
    [*DeviceB-ipsec-proposal-pro1] quit
    [*DeviceB] commit
  8. Configure an IKE peer named peer1.

    [~DeviceB] ike peer peer1
    [*DeviceB-ike-peer-peer1] pre-shared-key 1234567890
    [*DeviceB-ike-peer-peer1] ike-proposal 1
    [*DeviceB-ike-peer-peer1] remote-address 12.1.0.1
    [*DeviceB-ike-peer-peer1] quit
    [*DeviceB] commit
  9. Configure an IPsec policy named policy1 and numbered 1.

    [~DeviceB] ipsec policy policy1 1 isakmp
    [*DeviceB-ipsec-policy-isakmp-policy1-1] security acl 3001
    [*DeviceB-ipsec-policy-isakmp-policy1-1] proposal pro1
    [*DeviceB-ipsec-policy-isakmp-policy1-1] ike-peer peer1
    [*DeviceB-ipsec-policy-isakmp-policy1-1] quit
    [*DeviceB] commit
  10. Configure an IPsec service instance group named group1.

    • The configuration on the NE20E-S2E/NE20E-S2F is as follows:
      [~DeviceB] service-location 1
      [*DeviceB-service-location-1] location slot 2
      [*DeviceB-service-location-1] commit
      [~DeviceB-service-location-1] quit
    [~DeviceB] service-instance-group group1
    [*DeviceB-service-instance-group-group1] service-location 1
    [*DeviceB-service-instance-group-group1] quit
    [*DeviceB] commit
  11. Create a tunnel interface and configure IPsec for the tunnel interface.

    [~DeviceB] interface Tunnel 1
    [*DeviceB-Tunnel1] ip address 12.1.0.2 24
    [*DeviceB-Tunnel1] tunnel-protocol ipsec
    [*DeviceB-Tunnel1] ipsec policy policy1 service-instance-group group1
    [*DeviceB-Tunnel1] quit
    [*DeviceB] commit
  12. Configure static routes that import traffic into the tunnel.

    [~DeviceB] ip route-static vpn-instance vpn1 10.0.1.1 255.255.255.255 Tunnel100
    [*DeviceB] commit
  13. Configure a static route that imports GRE packets into the IPsec tunnel.

    [*DeviceB] ip route-static 60.60.60.60 32 Tunnel 1 12.1.0.1
    [*DeviceB] commit
  14. Configure a static route that imports encrypted packets to a physical link's outbound interface.

    [*DeviceB] ip route-static 12.1.0.1 32 GigabitEthernet 0/1/3 10.0.0.1
    [*DeviceB] commit
  15. Configure IS-IS.

    [~DeviceB] isis 1
    [*DeviceB-isis-1] network-entity 00.0000.0000.0108.00
    [*DeviceB-isis-1] quit
    [*DeviceB] commit
  16. Configure MPLS LDP sessions.

    [~DeviceB] interface LoopBack 0
    [*DeviceB-LoopBack0] ip address 108.1.1.1 32
    [*DeviceB-LoopBack0] isis enable 1
    [*DeviceB-LoopBack0] quit
    [*DeviceB] mpls lsr-id 108.1.1.1
    [*DeviceB] mpls
    [*DeviceB-mpls] quit
    [*DeviceB] mpls ldp
    [*DeviceB-mpls-ldp] quit
    [*DeviceB] interface GigabitEthernet0/1/2
    [*DeviceB-GigabitEthernet0/1/2] ip address 10.2.0.1 24
    [*DeviceB-GigabitEthernet0/1/2] isis enable 1
    [*DeviceB-GigabitEthernet0/1/2] mpls
    [*DeviceB-GigabitEthernet0/1/2] mpls ldp
    [*DeviceB-GigabitEthernet0/1/2] quit
    [*DeviceB] commit
  17. Configure BGP.

    [~DeviceB] bgp 100
    [*DeviceB-bgp] peer 201.1.1.1 as-number 100
    [*DeviceB-bgp] peer 201.1.1.1 connect-interface LoopBack0
    [*DeviceB-bgp] ipv4-family vpn-instance vpn1
    [*DeviceB-bgp-vpn1] peer 10.0.1.1 as-number 200
    [*DeviceB-bgp-vpn1] peer 10.0.1.1 ebgp-max-hop 255
    [*DeviceB-bgp-vpn1] peer 10.0.1.1 connect-interface Tunnel 100
    [*DeviceB-bgp-vpn1] quit
    [*DeviceB] commit

Configuration Files
  • Device A configuration file

#
 sysname DeviceA
#
#
service-location 1
 location slot 2
#
service-instance-group group1
 service-location 1
#
acl number 3001 
 rule 5 permit gre source 60.60.60.60 0 destination 108.108.108.108 0 
#
ike proposal 1
#
ike peer peer1
 pre-shared-key %$%$0\WT%.iDi6%K-f)_^mQ6,.2n%$%$
 ike-proposal 1
 remote-address 12.1.0.2
#
ipsec proposal pro1
#
ipsec policy policy1 1 isakmp
 security acl 3001
 ike-peer peer1
 proposal pro1
#
interface GigabitEthernet0/2/1
 undo shutdown
 ip address 10.0.0.1 255.255.255.0 
#
interface GigabitEthernet0/1/1
 undo shutdown
 ip address 10.1.0.1 255.255.255.0 
#
interface LoopBack1
 ip address 60.60.60.60 255.255.255.255 
 binding tunnel gre
#
interface Tunnel1
 ip address 12.1.0.1 255.255.255.0 
 tunnel-protocol ipsec
 ipsec policy policy1 service-instance-group group1
#
interface Tunnel100
 ip address 10.0.1.1 255.255.255.0 
 tunnel-protocol gre
 source LoopBack1
 destination 108.108.108.108
#
bgp 200
 peer 10.0.1.2 as-number 100 
 peer 10.0.1.2 ebgp-max-hop 255 
 peer 10.0.1.2 connect-interface Tunnel100
 #
 ipv4-family unicast
  undo synchronization
  network 10.1.0.0 255.255.255.0 
  peer 10.0.1.2 enable
#
 ip route-static 10.0.1.2 255.255.255.255 Tunnel100
 ip route-static 12.1.0.2 255.255.255.255 GigabitEthernet0/2/1 10.0.0.2
 ip route-static 108.108.108.108 255.255.255.255 Tunnel1 12.1.0.2
#
return
  • Device B configuration file

#
 sysname DeviceB
#
#
service-location 1
 location slot 2
#
service-instance-group group1
 service-location 1
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 1:1
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
 mpls lsr-id 108.1.1.1
 mpls
#
mpls ldp
#
#
acl number 3001 
 rule 5 permit gre source 108.108.108.108 0 destination 60.60.60.60 0 
#
ike proposal 1
#
ike peer peer1
 pre-shared-key %$%$0\WT%.iDi6%K-f)_^mQ6,.2n%$%$
 ike-proposal 1
 remote-address 12.1.0.1
#
ipsec proposal pro1
#
ipsec policy policy1 1 isakmp
 security acl 3001
 ike-peer peer1
 proposal pro1
#
isis 1
 network-entity 00.0000.0000.0108.00
#
interface GigabitEthernet0/1/3
 undo shutdown
 ip address 10.0.0.2 255.255.255.0 
#
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 10.2.0.1 255.255.255.0 
 isis enable 1
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 108.1.1.1 255.255.255.255 
 isis enable 1
#
interface LoopBack1
 ip address 108.108.108.108 255.255.255.255 
 binding tunnel gre
#
interface Tunnel1
 ip address 12.1.0.2 255.255.255.0 
 tunnel-protocol ipsec
 ipsec policy policy1 service-instance-group group1
#
interface Tunnel100
 ip binding vpn-instance vpn1
 ip address 10.0.1.2 255.255.255.0 
 tunnel-protocol gre
 source LoopBack1
 destination 60.60.60.60
#
bgp 100
 peer 201.1.1.1 as-number 100 
 peer 201.1.1.1 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 201.1.1.1 enable
 # 
 ipv4-family vpnv4
  policy vpn-target
  peer 201.1.1.1 enable
 #
 ipv4-family vpn-instance vpn1 
  import-route direct
  peer 10.0.1.1 as-number 200 
  peer 10.0.1.1 ebgp-max-hop 255 
  peer 10.0.1.1 connect-interface Tunnel100
#
 ip route-static 12.1.0.1 255.255.255.255 GigabitEthernet0/1/3 10.0.0.1
 ip route-static 60.60.60.60 255.255.255.255 Tunnel1 12.1.0.1
 ip route-static vpn-instance vpn1 10.0.1.1 255.255.255.255 Tunnel100
#
return

Example for Configuring Inter-Board LDP over GRE over IPsec

Context

As shown in Figure 12-12, PEs, or a PE and a P node, communicate with each other through a GRE over IPsec tunnel over the Multiprotocol Label Switching (MPLS) network, so that data transmitted on the public network is protected by IPsec. The networking is as follows:

  • Interface GE 0/1/0 of PE1 on the public network side is connected to PE2, and interface GE 0/1/1 on the private network side is connected to CE1.

  • Interface GE 0/1/0 of PE2 on the public network side is connected to PE1, and interface GE 0/1/1 on the private network side is connected to CE2.

To improve communication security between PE1 and PE2, configure a GRE over IPsec tunnel between them.

Figure 12-12 Configuring LDP over GRE over IPsec
NOTE:

Interfaces 1 and 2 in this example represent GE 0/1/0 and GE 0/1/1, respectively.


Configuration Roadmap

This section uses IPsec in IKE mode as an example to describe how to configure LDP over GRE over IPsec. Tunnel mode is used for encapsulation. The configuration roadmap is as follows:

  1. Allocate IP addresses to interfaces.

  2. Configure a loopback interface and bind it to GRE.

  3. Create a tunnel interface and configure GRE for the tunnel interface.

  4. Configure IPsec. The following steps are involved:
    • Configure an ACL to define the data flow to be protected.

    • (Recommended) Configure the DPD.

    • Configure an IKE proposal.

    • Configure IKE peers.

    • Configure an IPsec proposal.

    • Configure an IPsec policy.

    • Configure an IPsec service instance group.

    • Create a tunnel interface and configure attributes for the tunnel interface.

    • Apply the IPsec policy to the tunnel interface.

    • Configure a static route to divert IPsec traffic.

  5. Create a loopback interface and configure IS-IS for the loopback interface and GRE-enabled tunnel interface.

  6. Establish an IBGP peer relationship between PE1 and PE2.

  7. Enable MPLS and MPLS LDP.

  8. Configure VPN instances.

Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of interfaces
  • IPsec-related data, mainly including:
    • DPD data

    • ACL number

    • IP address segments

    • Pre-shared key

    • Authentication algorithm used by the IKE proposal

    • Security protocol, encryption algorithm, and authentication algorithm to be used by the IPsec proposal

    • IP addresses of tunnel interfaces

  • L3VPN data, including the IS-IS system-ID, MPLS LSR ID, VPN instance name, RD, and VPN target

Procedure

  • Configure PE1 and PE2 as follows:

    Each step below lists the PE1 configuration first and the PE2 configuration second.

    1. Configure interface IP addresses.

    PE1:
      interface GigabitEthernet0/1/0
       undo shutdown
       ip address 192.168.5.1 255.255.255.0
      #
      interface LoopBack1
       ip address 1.1.1.1 255.255.255.255
      #
      interface LoopBack2
       ip address 11.1.1.1 255.255.255.255

    PE2:
      interface GigabitEthernet0/1/0
       undo shutdown
       ip address 192.168.5.2 255.255.255.0
      #
      interface LoopBack1
       ip address 2.2.2.2 255.255.255.255
      #
      interface LoopBack2
       ip address 22.2.2.2 255.255.255.255

    2. Configure the GRE tunnel interfaces.

    PE1:
      interface LoopBack1
       target-board 1
       binding tunnel gre
      #
      interface Tunnel 802
       ip address 172.16.5.1 255.255.255.0   //This address has no real meaning; it only brings the interface Up. A 32-bit mask cannot be used in the same-board deployment scenario.
       tunnel-protocol gre
       source LoopBack1
       destination 2.2.2.2

    PE2:
      interface LoopBack1
       target-board 1
       binding tunnel gre
      #
      interface Tunnel 502
       ip address 172.16.5.2 255.255.255.0   //This address has no real meaning; it only brings the interface Up. A 32-bit mask cannot be used in the same-board deployment scenario.
       tunnel-protocol gre
       source LoopBack1
       destination 1.1.1.1

    4. Enable DPD.

    PE1:
      ike dpd interval 10 10   //Deploying DPD is recommended.

    PE2:
      ike dpd interval 10 10   //Deploying DPD is recommended.

    5. Configure an ACL to define the data flow to be protected.

    PE1:
      acl number 3100
       rule 5 permit gre source 1.1.1.1 0 destination 2.2.2.2 0

    PE2:
      acl number 3100
       rule 5 permit gre source 2.2.2.2 0 destination 1.1.1.1 0

    6. Configure the IKE proposal and IKE peer.

    PE1:
      ike proposal 1
       encryption-algorithm aes-cbc 256
       dh group2
       authentication-algorithm sha2-256
       integrity-algorithm hmac-sha2-256
      #
      ike peer pe
       pre-shared-key 1234567890
       ike-proposal 1
       remote-address 172.17.5.2

    PE2:
      ike proposal 1
       encryption-algorithm aes-cbc 256
       dh group2
       authentication-algorithm sha2-256
       integrity-algorithm hmac-sha2-256
      #
      ike peer pe
       pre-shared-key 1234567890
       ike-proposal 1
       remote-address 172.17.5.1

    7. Configure the service instance group.

    PE1:
      service-location 1
       location slot 1
      #
      service-instance-group 1
       service-location 1

    PE2:
      service-location 1
       location slot 1
      #
      service-instance-group 1
       service-location 1

    8. Configure the IPsec tunnel.

    PE1:
      ipsec proposal zh   //Configure the IPsec proposal.
       esp authentication-algorithm sha1
       esp encryption-algorithm aes 256
      #
      ipsec policy zh 10 isakmp   //Configure the IPsec policy.
       security acl 3100
       ike-peer pe
       proposal zh
      #
      interface Tunnel 5   //Configure the IPsec tunnel.
       ip address 172.17.5.1 255.255.255.0
       tunnel-protocol ipsec
       ipsec policy zh service-instance-group 1

    PE2:
      ipsec proposal zh   //Configure the IPsec proposal.
       esp authentication-algorithm sha1
       esp encryption-algorithm aes 256
      #
      ipsec policy zh 10 isakmp   //Configure the IPsec policy.
       security acl 3100
       ike-peer pe
       proposal zh
      #
      interface Tunnel 5   //Configure the IPsec tunnel.
       ip address 172.17.5.2 255.255.255.0
       tunnel-protocol ipsec
       ipsec policy zh service-instance-group 1

    9. Configure the diversion routes.

    PE1:
      ip route-static 2.2.2.2 255.255.255.255 Tunnel5 172.17.5.2   //Divert traffic to the IPsec tunnel for encryption.
      ip route-static 172.17.5.2 255.255.255.255 GigabitEthernet0/1/0 192.168.5.2   //Divert the traffic encrypted by IPsec to the actual physical outbound interface.

    PE2:
      ip route-static 1.1.1.1 255.255.255.255 Tunnel5 172.17.5.1   //Divert traffic to the IPsec tunnel for encryption.
      ip route-static 172.17.5.1 255.255.255.255 GigabitEthernet0/1/0 192.168.5.1   //Divert the traffic encrypted by IPsec to the actual physical outbound interface.

    10. Configure IS-IS.

    PE1:
      isis 1
       is-level level-2
       network-entity 01.0000.0000.0005.00
      #
      interface LoopBack2
       isis enable 1
      #
      interface Tunnel802
       isis enable 1

    PE2:
      isis 1
       is-level level-2
       network-entity 01.0000.0000.0005.00
      #
      interface LoopBack2
       isis enable 1
      #
      interface Tunnel502
       isis enable 1

    11. Configure VPNs.

    PE1:
      ip vpn-instance ipsec_vpn
       ipv4-family
        route-distinguisher 100:100
        vpn-target 200:200 export-extcommunity
        vpn-target 200:200 import-extcommunity
      #
      interface GigabitEthernet0/1/1
       undo shutdown
       ip binding vpn-instance ipsec_vpn
       ip address 10.1.1.1 255.255.255.0

    PE2:
      ip vpn-instance ipsec_vpn
       ipv4-family
        route-distinguisher 100:100
        vpn-target 200:200 export-extcommunity
        vpn-target 200:200 import-extcommunity
      #
      interface GigabitEthernet0/1/1
       undo shutdown
       ip binding vpn-instance ipsec_vpn
       ip address 10.2.1.1 255.255.255.0

    12. Configure BGP.

    PE1:
      bgp 100
       peer 22.2.2.2 as-number 100
       peer 22.2.2.2 connect-interface LoopBack2
       #
       ipv4-family unicast
        undo synchronization
        peer 22.2.2.2 enable
       #
       ipv4-family vpnv4
        policy vpn-target
        peer 22.2.2.2 enable
       #
       ipv4-family vpn-instance ipsec_vpn
        import-route direct

    PE2:
      bgp 100
       peer 11.1.1.1 as-number 100
       peer 11.1.1.1 connect-interface LoopBack2
       #
       ipv4-family unicast
        undo synchronization
        peer 11.1.1.1 enable
       #
       ipv4-family vpnv4
        policy vpn-target
        peer 11.1.1.1 enable
       #
       ipv4-family vpn-instance ipsec_vpn
        import-route direct

    13. Configure the MPLS tunnel.

    PE1:
      mpls lsr-id 11.1.1.1
      mpls
      #
      mpls ldp
      #
      interface Tunnel802   //Enable MPLS LDP for the GRE tunnel interface.
       mpls
       mpls ldp

    PE2:
      mpls lsr-id 22.2.2.2
      mpls
      #
      mpls ldp
      #
      interface Tunnel502   //Enable MPLS LDP for the GRE tunnel interface.
       mpls
       mpls ldp
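The diversion chain configured in steps 11 to 13 for Device A and Device B above, and again in step 9 for PE1 and PE2 in this example, only works when the ACL, the GRE tunnel addresses, the IKE peer address and the static routes all agree: the ACL must match the GRE flow the loopback and tunnel interface produce, the route for the GRE destination must point into the IPsec tunnel with the IKE peer as next hop, and the IKE peer address must have a route out of a physical interface rather than back into a tunnel. The following check is an added example, not part of this guide or of the device software: it parses a configuration file in the style shown above and verifies that chain; the parser, the function names and the negative cases in the test are assumptions, and the embedded input is the Device A file trimmed to the sections the check reads.

```python
import re

# Device A file from this page, trimmed to what this check reads (embedded input).
SAMPLE_CONFIG = """\
acl number 3001
 rule 5 permit gre source 60.60.60.60 0 destination 108.108.108.108 0
#
ike peer peer1
 remote-address 12.1.0.2
#
ipsec policy policy1 1 isakmp
 security acl 3001
 ike-peer peer1
#
interface LoopBack1
 ip address 60.60.60.60 255.255.255.255
 binding tunnel gre
#
interface Tunnel1
 tunnel-protocol ipsec
 ipsec policy policy1 service-instance-group group1
#
interface Tunnel100
 tunnel-protocol gre
 source LoopBack1
 destination 108.108.108.108
#
 ip route-static 10.0.1.2 255.255.255.255 Tunnel100
 ip route-static 12.1.0.2 255.255.255.255 GigabitEthernet0/2/1 10.0.0.2
 ip route-static 108.108.108.108 255.255.255.255 Tunnel1 12.1.0.2
"""

def parse_sections(text):
    """Split a VRP-style file into {header: [body lines]}; '#' ends a block.
    Indented commands without a header (the static routes) go under ''."""
    sections, current = {"": []}, None
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):
            current = None
        elif not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
        else:
            sections[current or ""].append(raw.strip())
    return sections

def field(lines, prefix):
    """Return the argument of the first command starting with prefix, or None."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None

def check_route_chain(text):
    """Verify the GRE over IPsec diversion chain; returns a list of problems."""
    s, problems = parse_sections(text), []
    # GRE tunnel: the source loopback address and destination define the protected flow.
    gre_if = next(k for k, v in s.items() if "tunnel-protocol gre" in v)
    loop = "interface " + field(s[gre_if], "source").replace(" ", "")
    gre_src, gre_dst = field(s[loop], "ip address").split()[0], field(s[gre_if], "destination")
    if "binding tunnel gre" not in s[loop]:
        problems.append(f"{loop} is not bound to GRE")
    # The ACL behind the IPsec tunnel's policy must permit exactly that GRE flow.
    ipsec_if = next(k for k, v in s.items() if "tunnel-protocol ipsec" in v)
    pol_name = field(s[ipsec_if], "ipsec policy").split()[0]
    pol = next(k for k in s if k.startswith(f"ipsec policy {pol_name} "))
    acl_num = field(s[pol], "security acl")
    rule = field(s[f"acl number {acl_num}"], "rule") or ""
    if f"permit gre source {gre_src} 0 destination {gre_dst} 0" not in rule:
        problems.append(f"ACL {acl_num} does not permit gre {gre_src} -> {gre_dst}")
    # Route chain: GRE destination -> IPsec tunnel -> IKE peer address -> physical link.
    remote = field(s["ike peer " + field(s[pol], "ike-peer")], "remote-address")
    matches = (re.match(r"ip route-static (\S+) \S+ (\S+)(?: (\S+))?$", ln) for ln in s[""])
    routes = {m.group(1): (m.group(2), m.group(3)) for m in matches if m}
    ipsec_name = ipsec_if[len("interface "):].replace(" ", "")
    if routes.get(gre_dst) != (ipsec_name, remote):
        problems.append(f"no route for {gre_dst} via {ipsec_name} next hop {remote}")
    out_if = routes.get(remote, (None, None))[0]
    if out_if is None or out_if.startswith("Tunnel"):
        problems.append(f"encrypted packets to {remote} have no physical outbound route")
    return problems
```

Running `check_route_chain(SAMPLE_CONFIG)` returns an empty list for the Device A file; deleting the route for 12.1.0.2 or editing the ACL destination produces one problem each, which is the kind of mismatch that leaves GRE packets unmatched by the IPsec policy or unable to reach the physical link.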

Updated: 2019-01-02

Document ID: EDOC1100055397