NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Example for Configuring VXLAN over IPsec

VXLAN (RFC 7348) provides no confidentiality or integrity protection of its own: a VXLAN packet is a plain UDP datagram (destination port 4789) that carries the VNI and the tenant's Ethernet frame in cleartext, so anyone on the transit path can read, replay or inject tenant traffic. Configuring VXLAN over IPsec carries the VTEP-to-VTEP VXLAN packets inside ESP in tunnel mode, so they are encrypted and authenticated between the two devices.
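As an added illustration (not code from the Huawei page) of why the IPsec tunnel is needed: the script below builds a VXLAN packet between the VTEP addresses used in this example, parses it the way a passive observer on the transit network would, then wraps the same packet in ESP tunnel mode between the tunnel endpoints and parses it again. The packets, keys and SPI are constructed; the encryption is a labelled stand-in (HMAC-SHA-256 used as a PRF in counter mode) for the AES-256 transform that the IPsec proposal actually negotiates, and the ICV is HMAC-SHA-256 truncated to 128 bits as RFC 4868 specifies for ESP.

```python
"""Added example, not code from the page: what an on-path observer reads from a bare
VXLAN packet, and what is left once the same packet rides in ESP tunnel mode.
The packets are constructed; the cipher is a labelled stand-in, not the router's AES-256."""
import hashlib
import hmac
import os
import struct

VXLAN_UDP_PORT = 4789
UDP_PROTO, ESP_PROTO = 17, 50


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (checksum left zero, which is enough for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def ipv4_addrs(hdr):
    return ".".join(map(str, hdr[12:16])), ".".join(map(str, hdr[16:20]))


def build_vxlan_packet(vtep_src, vtep_dst, vni, inner_frame):
    """RFC 7348: IPv4 + UDP/4789 + 8-byte VXLAN header (I flag, 24-bit VNI) + the tenant's Ethernet frame."""
    vxlan_hdr = struct.pack("!BBHI", 0x08, 0, 0, vni << 8)
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    return ipv4_header(vtep_src, vtep_dst, UDP_PROTO, 20 + udp_len) + udp_hdr + vxlan_hdr + inner_frame


def observe(pkt):
    """Everything a passive observer on the transit network can read without any key."""
    src, dst = ipv4_addrs(pkt)
    seen = {"outer_src": src, "outer_dst": dst, "proto": pkt[9]}
    if pkt[9] == ESP_PROTO:
        seen["spi"], seen["seq"] = struct.unpack("!II", pkt[20:28])
        return seen                         # VNI, tenant MACs and tenant IPs are inside the ciphertext
    if pkt[9] == UDP_PROTO and struct.unpack("!H", pkt[22:24])[0] == VXLAN_UDP_PORT:
        seen["vni"] = struct.unpack("!I", pkt[32:36])[0] >> 8
        inner = pkt[36:]
        seen["inner_dst_mac"], seen["inner_src_mac"] = inner[:6].hex(":"), inner[6:12].hex(":")
        if inner[12:14] == b"\x08\x00":                              # tenant frame carries IPv4
            seen["inner_src_ip"], seen["inner_dst_ip"] = ipv4_addrs(inner[14:34])
    return seen


def _keystream(key, iv, n):
    """STAND-IN for the proposal's AES-256 transform: HMAC-SHA-256 as a PRF in counter mode."""
    return b"".join(hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]


def esp_tunnel_encap(inner_pkt, spi, seq, enc_key, auth_key, outer_src, outer_dst):
    """RFC 4303 tunnel mode: SPI | seq | IV | enc(inner IP packet | pad | pad-len | next-hdr) | ICV."""
    iv = os.urandom(16)
    pad_len = (-(len(inner_pkt) + 2)) % 4
    plain = inner_pkt + bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])    # next header 4 = IPv4
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(enc_key, iv, len(plain))))
    esp = struct.pack("!II", spi, seq) + iv + cipher
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:16]             # HMAC-SHA-256-128, RFC 4868
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, 20 + len(esp) + 16) + esp + icv


def esp_tunnel_decap(pkt, spi, enc_key, auth_key):
    """Inner packet, or None when the SPI or the ICV does not verify (tampering or wrong keys)."""
    esp, icv = pkt[20:-16], pkt[-16:]
    expected = hmac.new(auth_key, esp, hashlib.sha256).digest()[:16]
    if struct.unpack("!I", esp[:4])[0] != spi or not hmac.compare_digest(expected, icv):
        return None
    iv, cipher = esp[8:24], esp[24:]
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(enc_key, iv, len(cipher))))
    pad_len, next_hdr = plain[-2], plain[-1]
    return plain[:len(plain) - pad_len - 2] if next_hdr == 4 else None


# Constructed sample: a host in Network A (10.1.1.10) sends a TCP segment to a host in Network B (10.1.2.10).
TENANT_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
                + ipv4_header("10.1.1.10", "10.1.2.10", 6, 40) + b"\x00" * 20)
VXLAN_PKT = build_vxlan_packet("3.3.3.3", "4.4.4.4", 1, TENANT_FRAME)     # NVE source / peer and VNI from the page
ENC_KEY, AUTH_KEY = os.urandom(32), os.urandom(32)                          # stand-ins for the SA keys IKE derives
ESP_PKT = esp_tunnel_encap(VXLAN_PKT, 0x1000, 1, ENC_KEY, AUTH_KEY, "1.1.1.1", "2.2.2.2")


def tampered_is_rejected():
    """Flip one ciphertext bit: the ICV check fails and the packet is dropped instead of decrypted."""
    flipped = bytearray(ESP_PKT)
    flipped[50] ^= 0x01
    return esp_tunnel_decap(bytes(flipped), 0x1000, ENC_KEY, AUTH_KEY) is None


if __name__ == "__main__":
    print("bare VXLAN:", observe(VXLAN_PKT))
    print("VXLAN in ESP:", observe(ESP_PKT))
    print("peer recovers inner packet:", esp_tunnel_decap(ESP_PKT, 0x1000, ENC_KEY, AUTH_KEY) == VXLAN_PKT)
```

The point of the second parse is what is missing: the VNI and the tenant MAC and IP addresses are gone, and only the tunnel endpoint addresses, SPI and sequence number remain. The tamper check shows the other half of the guarantee: the `esp authentication-algorithm sha2-256` in the proposal is what makes the receiver reject a modified packet before it is decrypted.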

Networking Requirements

Figure 12-13 shows the networking diagram.

  • Network A belongs to subnetwork 10.1.1.0/24 and is connected to Device A through GE 0/1/2.

  • Network B belongs to subnetwork 10.1.2.0/24 and is connected to Device B through GE 0/1/2.

  • Device A and Device B can reach each other at the IP layer over the transit network.

The network must meet the following requirements:

  • VMs in different data centers (Network A and Network B) can communicate with each other over a VXLAN tunnel.

  • Data transmitted between PCA and PCB (hosts in Network A and Network B) is encrypted and integrity-protected while it crosses the transit network.

Figure 12-13 VXLAN over IPsec networking

NOTE:
In this example, interfaces 1 and 2 in the figure represent GE 0/1/1 and GE 0/1/2.
Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses for the physical interfaces and loopback interfaces. The loopback addresses serve as the IPsec tunnel endpoints (1.1.1.1 and 2.2.2.2) and as the VXLAN VTEP addresses (3.3.3.3 and 4.4.4.4).
  2. Configure a VXLAN service access point.
  3. Configure a VXLAN tunnel.
  4. Configure an ACL rule that matches the VXLAN traffic between the two VTEP addresses.
  5. Configure an IPsec proposal.
  6. Configure an IKE proposal.
  7. Configure an IKE peer.
  8. Configure an IPsec policy (on Device A, which initiates the negotiation) or an IPsec policy template and a template-based IPsec policy (on Device B, which only responds).
  9. Configure an IPsec service instance group.
  10. Create and configure an IPsec tunnel interface.
  11. Configure static routes that reach the peer's tunnel endpoint over the physical link and send the peer's VTEP address into the IPsec tunnel.
Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of the interfaces
  • VLAN ID and VXLAN gateway address of the VM
  • The tunnel mode, IP address, source address, and destination address of the tunnel interface
  • IP address segment of each network
  • Pre-shared key (identical on both devices; use a long random value rather than the placeholder shown in this example)
  • Security protocols, encryption algorithms, and authentication algorithms used in the IPsec proposal
  • Encryption algorithm and authentication algorithm that an IKE proposal uses

Procedure

  • Configure Device A.
    1. Configure IP addresses for interfaces.

      Configure Device A.

      <HUAWEI> system-view
      [~HUAWEI] sysname DeviceA
      [*HUAWEI] commit
      [~DeviceA] interface loopback 1
      [*DeviceA-LoopBack1] ip address 1.1.1.1 32
      [*DeviceA-LoopBack1] quit
      [*DeviceA] interface gigabitethernet 0/1/1
      [*DeviceA-GigabitEthernet0/1/1] ip address 192.168.1.1 16
      [*DeviceA-GigabitEthernet0/1/1] quit
      [*DeviceA] commit

    2. Configure a service access point.

      [~DeviceA] bridge-domain 10
      [*DeviceA-bd10] quit
      [*DeviceA] interface gigabitethernet0/1/2.1 mode l2
      [*DeviceA-GigabitEthernet0/1/2.1] encapsulation dot1q vid 10
      [*DeviceA-GigabitEthernet0/1/2.1] rewrite pop single
      [*DeviceA-GigabitEthernet0/1/2.1] bridge-domain 10
      [*DeviceA-GigabitEthernet0/1/2.1] quit
      [*DeviceA] commit

    3. Configure a VXLAN tunnel

      [~DeviceA] bridge-domain 10
      [~DeviceA-bd10] vxlan vni 1
      [*DeviceA-bd10] quit
      [*DeviceA] interface loopback 2
      [*DeviceA-LoopBack2] ip address 3.3.3.3 32
      [*DeviceA-LoopBack2] quit
      [*DeviceA] interface nve 1
      [*DeviceA-Nve1] source 3.3.3.3
      [*DeviceA-Nve1] vni 1 head-end peer-list 4.4.4.4
      [*DeviceA-Nve1] quit
      [*DeviceA] commit

    4. Configure advanced ACL 3000 to match the VXLAN packets from the local VTEP (3.3.3.3) to the remote VTEP (4.4.4.4). This is the traffic that the IPsec policy protects; the tenant subnets (10.1.1.0/24 and 10.1.2.0/24) do not appear in the ACL because they are already VXLAN-encapsulated at this point.

      [~DeviceA] acl 3000
      [*DeviceA-acl-adv-3000] rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
      [*DeviceA-acl-adv-3000] quit
      [*DeviceA] commit

    5. Configure an IPsec proposal named tran1.

      [~DeviceA] ipsec proposal tran1
      [*DeviceA-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*DeviceA-ipsec-proposal-tran1] transform esp
      [*DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*DeviceA-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*DeviceA-ipsec-proposal-tran1] quit
      [*DeviceA] commit

    6. Configure an IKE proposal numbered 10.

      [~DeviceA] ike proposal 10
      [*DeviceA-ike-proposal-10] authentication-method pre-share
      [*DeviceA-ike-proposal-10] authentication-algorithm sha2-256
      [*DeviceA-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [*DeviceA-ike-proposal-10] dh group14
      [*DeviceA-ike-proposal-10] quit
      [*DeviceA] commit

    7. Configure an IKE peer named b.

      [~DeviceA] ike peer b
      [*DeviceA-ike-peer-b] ike-proposal 10
      [*DeviceA-ike-peer-b] remote-address 2.2.2.2
      [*DeviceA-ike-peer-b] pre-shared-key abcde
      [*DeviceA-ike-peer-b] quit
      [*DeviceA] commit
      NOTE:

      By default, both IKEv1 and IKEv2 are enabled on the NE20E. If the IKE peer does not support IKEv2, disable IKEv2 on the local device and use IKEv1 for the negotiation; when both sides support IKEv2, keep it, since IKEv1 is the legacy protocol.

      The pre-shared key must be identical on both devices. The value abcde is only a placeholder for this example; use a long, random key in production.

    8. Configure an IPsec policy named map1 and numbered 10.

      [~DeviceA] ipsec policy map1 10 isakmp
      [*DeviceA-ipsec-policy-isakmp-map1-10] security acl 3000
      [*DeviceA-ipsec-policy-isakmp-map1-10] proposal tran1
      [*DeviceA-ipsec-policy-isakmp-map1-10] ike-peer b
      [*DeviceA-ipsec-policy-isakmp-map1-10] local-address 1.1.1.1
      [*DeviceA-ipsec-policy-isakmp-map1-10] quit
      [*DeviceA] commit

    9. Configure an IPsec service instance group named group1.

      • The configuration on the NE20E-S2E/NE20E-S2F is as follows:
        [~DeviceA] service-location 1
        [*DeviceA-service-location-1] location slot 2
        [*DeviceA-service-location-1] commit
        [~DeviceA-service-location-1] quit
      [~DeviceA] service-instance-group group1
      [*DeviceA-service-instance-group-group1] service-location 1
      [*DeviceA-service-instance-group-group1] quit
      [*DeviceA] commit

    10. Create and configure an IPsec tunnel.

      [~DeviceA] interface Tunnel 1
      [*DeviceA-Tunnel1] ip address 1.1.1.1 255.255.255.255
      [*DeviceA-Tunnel1] tunnel-protocol ipsec
      [*DeviceA-Tunnel1] ipsec policy map1 service-instance-group group1
      [*DeviceA-Tunnel1] quit
      [*DeviceA] commit

    11. Configure static routes: the peer's tunnel endpoint (2.2.2.2) is reached over GE 0/1/1, and the peer's VTEP address (4.4.4.4) is sent into Tunnel1 so that the VXLAN packets are IPsec-protected.

      [~DeviceA] ip route-static 2.2.2.2 255.255.255.255 GigabitEthernet0/1/1 192.168.2.1
      [*DeviceA] ip route-static 4.4.4.4 255.255.255.255 Tunnel1 2.2.2.2
      [*DeviceA] commit

  • Configure Device B.
    1. Configure IP addresses for interfaces.

      Configure Device B.

      <HUAWEI> system-view
      [~HUAWEI] sysname DeviceB
      [*HUAWEI] commit
      [~DeviceB] interface loopback 1
      [*DeviceB-LoopBack1] ip address 2.2.2.2 32
      [*DeviceB-LoopBack1] quit
      [*DeviceB] interface gigabitethernet 0/1/1
      [*DeviceB-GigabitEthernet0/1/1] ip address 192.168.2.1 16
      [*DeviceB-GigabitEthernet0/1/1] quit
      [*DeviceB] commit

    2. Configure a service access point.

      [~DeviceB] bridge-domain 10
      [*DeviceB-bd10] quit
      [*DeviceB] interface gigabitethernet0/1/2.1 mode l2
      [*DeviceB-GigabitEthernet0/1/2.1] encapsulation dot1q vid 10
      [*DeviceB-GigabitEthernet0/1/2.1] rewrite pop single
      [*DeviceB-GigabitEthernet0/1/2.1] bridge-domain 10
      [*DeviceB-GigabitEthernet0/1/2.1] quit
      [*DeviceB] commit

    3. Configure a VXLAN tunnel.

      [~DeviceB] bridge-domain 10
      [~DeviceB-bd10] vxlan vni 1
      [*DeviceB-bd10] quit
      [*DeviceB] interface loopback 2
      [*DeviceB-LoopBack2] ip address 4.4.4.4 32
      [*DeviceB-LoopBack2] quit
      [*DeviceB] interface nve 1
      [*DeviceB-Nve1] source 4.4.4.4
      [*DeviceB-Nve1] vni 1 head-end peer-list 3.3.3.3
      [*DeviceB-Nve1] quit
      [*DeviceB] commit

    4. Configure advanced ACL 3000. Because Device B responds to the negotiation through an IPsec policy template, its ACL permits any IP traffic and the protected flow is taken from the initiator's (Device A's) ACL during negotiation. Narrow this rule to the two VTEP addresses if the responder should accept only that flow.

      [~DeviceB] acl 3000
      [*DeviceB-acl-adv-3000] rule 5 permit ip
      [*DeviceB-acl-adv-3000] quit
      [*DeviceB] commit

    5. Configure an IPsec proposal named tran1.

      [~DeviceB] ipsec proposal tran1
      [*DeviceB-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*DeviceB-ipsec-proposal-tran1] transform esp
      [*DeviceB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*DeviceB-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*DeviceB-ipsec-proposal-tran1] quit
      [*DeviceB] commit

    6. Configure an IKE proposal numbered 10.

      [~DeviceB] ike proposal 10
      [*DeviceB-ike-proposal-10] authentication-method pre-share
      [*DeviceB-ike-proposal-10] authentication-algorithm sha2-256
      [*DeviceB-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [*DeviceB-ike-proposal-10] dh group14
      [*DeviceB-ike-proposal-10] quit
      [*DeviceB] commit

    7. Configure an IKE peer named 1.

      [~DeviceB] ike peer 1
      [*DeviceB-ike-peer-1] ike-proposal 10
      [*DeviceB-ike-peer-1] remote-address 1.1.1.1
      [*DeviceB-ike-peer-1] pre-shared-key abcde
      [*DeviceB-ike-peer-1] quit
      [*DeviceB] commit
      NOTE:

      By default, both IKEv1 and IKEv2 are enabled on the NE20E. If the IKE peer does not support IKEv2, disable IKEv2 on the local device and use IKEv1 for the negotiation; when both sides support IKEv2, keep it, since IKEv1 is the legacy protocol.

      The pre-shared key must be identical on both devices. The value abcde is only a placeholder for this example; use a long, random key in production.

    8. Configure an IPsec policy template named temp1 and numbered 1. A policy template can only respond to negotiation requests, which is why Device A, not Device B, carries the full ISAKMP policy.

      [~DeviceB] ipsec policy-template temp1 1
      [*DeviceB-ipsec-policy-templet-temp1-1] security acl 3000
      [*DeviceB-ipsec-policy-templet-temp1-1] proposal tran1
      [*DeviceB-ipsec-policy-templet-temp1-1] ike-peer 1
      [*DeviceB-ipsec-policy-templet-temp1-1] local-address 2.2.2.2
      [*DeviceB-ipsec-policy-templet-temp1-1] quit
      [*DeviceB] commit

    9. Create an IPsec policy based on the IPsec template.

      [~DeviceB] ipsec policy 1 1 isakmp template temp1
      [*DeviceB] commit

    10. Configure an IPsec service instance group named group1.

      • The configuration on the NE20E-S2E/NE20E-S2F is as follows:
        [~DeviceB] service-location 1
        [*DeviceB-service-location-1] location slot 2
        [*DeviceB-service-location-1] commit
        [~DeviceB-service-location-1] quit
      [~DeviceB] service-instance-group group1
      [*DeviceB-service-instance-group-group1] service-location 1
      [*DeviceB-service-instance-group-group1] quit
      [*DeviceB] commit

    11. Create and configure an IPsec tunnel.

      [~DeviceB] interface Tunnel 1
      [*DeviceB-Tunnel1] ip address 2.2.2.2 255.255.255.255
      [*DeviceB-Tunnel1] tunnel-protocol ipsec
      [*DeviceB-Tunnel1] ipsec policy 1 service-instance-group group1
      [*DeviceB-Tunnel1] quit
      [*DeviceB] commit

    12. Configure a static route to the peer's tunnel endpoint (1.1.1.1) over GE 0/1/1.

      [~DeviceB] ip route-static 1.1.1.1 255.255.255.255 GigabitEthernet0/1/1 192.168.1.1
      [*DeviceB] commit

Configuration Files
  • Device A configuration file

    #
     sysname DeviceA
    #
    bridge-domain 10                                                                
     vxlan vni 1                                                                    
    #  
    acl number 3000
     rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
    #
    service-location 1
     location slot 2
    #
    service-instance-group group1
     service-location 1
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256 
     integrity-algorithm hmac-sha2-256
    #
    ike peer b
     pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
     ike-proposal 10
     remote-address 2.2.2.2
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256  
     esp encryption-algorithm aes 256
    #                                         
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
     local-address 1.1.1.1
    #                                                                               
    interface GigabitEthernet0/1/1 
     undo shutdown
     ip address 192.168.1.1 255.255.0.0                                                
    #                                                                               
    interface GigabitEthernet0/1/2
     undo shutdown                                                  
    #                                                                               
    interface GigabitEthernet0/1/2.1 mode l2
     encapsulation dot1q vid 10
     rewrite pop single
     bridge-domain 10
    #
    interface loopback1
     ip address 1.1.1.1 255.255.255.255 
    #
    interface loopback2
     ip address 3.3.3.3 255.255.255.255 
    #
    interface Nve1                                                                  
     source 3.3.3.3                                                                 
     vni 1 head-end peer-list 4.4.4.4                                               
    # 
    interface Tunnel1 
     ip address 1.1.1.1 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy map1 service-instance-group group1
    #
    ip route-static 2.2.2.2 255.255.255.255 GigabitEthernet0/1/1 192.168.2.1        
    ip route-static 4.4.4.4 255.255.255.255 Tunnel1 2.2.2.2   
    #
    return
    
  • Device B configuration file
    #
     sysname DeviceB
    #
    bridge-domain 10                                                                
     vxlan vni 1                                                                    
    #
    acl number 3000
     rule 5 permit ip
    #
    service-location 1
     location slot 2
    #
    service-instance-group group1
     service-location 1
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256 
     integrity-algorithm hmac-sha2-256
    #
    ike peer 1
     pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
     ike-proposal 10
     remote-address 1.1.1.1
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256  
     esp encryption-algorithm aes 256
    #                                         
    ipsec policy-template temp1 1
     security acl 3000
     ike-peer 1
     proposal tran1
     local-address 2.2.2.2
    #
    ipsec policy 1 1 isakmp template temp1
    #                                                                               
    interface GigabitEthernet0/1/1
     undo shutdown
     ip address 192.168.2.1 255.255.0.0                                                
    #                                                                               
    interface GigabitEthernet0/1/2                                                 
     undo shutdown
    #                                                                               
    interface GigabitEthernet0/1/2.1 mode l2
     encapsulation dot1q vid 10
     rewrite pop single
     bridge-domain 10
    #                                                                               
    interface loopback1
     ip address 2.2.2.2 255.255.255.255 
    #              
    interface loopback2
     ip address 4.4.4.4 255.255.255.255 
    #
    interface Nve1                                                                  
     source 4.4.4.4                                                                 
     vni 1 head-end peer-list 3.3.3.3                                               
    # 
    interface Tunnel1 
     ip address 2.2.2.2 255.255.255.255                                             
     tunnel-protocol ipsec 
     ipsec policy 1 service-instance-group group1                                                                         
    #
    ip route-static 1.1.1.1 255.255.255.255 GigabitEthernet0/1/1 192.168.1.1
    #
    return
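
Most failures in a setup like this come from the two ends not matching: a proposal that a peer references but that was never defined, a remote-address that is no local-address on the other side, or ESP algorithms that differ. The script below is an added example, not Huawei tooling: it parses two constructed, trimmed VRP configuration files in the `#`-delimited format shown above and reports such mismatches. Both configs are generated from one template so that the two sides differ only in the fields that matter, and Device B is deliberately given an undefined `ike-proposal 1` and a different ESP authentication algorithm. On the devices themselves, the corresponding check after traffic has triggered negotiation is `display ike sa` and `display ipsec sa`.

```python
"""Added example (not Huawei code): cross-check two trimmed VRP configuration
files for mistakes that silently break an IPsec pairing. Both configs are constructed."""

# (block prefix, attribute that references something, prefix of the block that must define it)
REFERENCES = (("ike peer ", "ike-proposal", "ike proposal "),
              ("ipsec policy", "proposal", "ipsec proposal "),   # plain policies and policy templates alike
              ("ipsec policy", "ike-peer", "ike peer "))


def parse_vrp(text):
    """Split a VRP configuration into (header, attribute-lines) blocks delimited by '#'."""
    blocks, cur = [], []
    for line in [raw.strip() for raw in text.splitlines()] + ["#"]:   # trailing '#' flushes the last block
        if line in ("#", "return"):
            if cur:
                blocks.append((cur[0], cur[1:]))
            cur = []
        elif line:
            cur.append(line)
    return blocks


def attr(lines, key):
    """Value of the first attribute line that starts with `key`, or None."""
    for line in lines:
        if line.startswith(key + " "):
            return line[len(key) + 1:].strip()
    return None


def blocks_with(cfg, prefix):
    return [(h, a) for h, a in cfg if h.startswith(prefix)]


def defined(cfg, prefix):                 # 'ike proposal 10' -> '10', 'ike peer b' -> 'b'
    return {h.split()[2]: a for h, a in blocks_with(cfg, prefix)}


def check_device(name, cfg):
    """Dangling references and weak secrets within one device's configuration."""
    findings = []
    for block_prefix, key, def_prefix in REFERENCES:
        known = defined(cfg, def_prefix)
        for h, a in blocks_with(cfg, block_prefix):
            ref = attr(a, key)
            if ref is not None and ref not in known:
                findings.append(f"{name}: '{h}' references {key} {ref}, which is not defined")
    for h, a in blocks_with(cfg, "ike peer "):
        psk = attr(a, "pre-shared-key")
        if psk and not psk.startswith("%$%$") and len(psk) < 16:   # %$%$..%$%$ is VRP's stored cipher text
            findings.append(f"{name}: '{h}' has a short plaintext pre-shared key")
    return findings


def used_proposals(cfg):
    """Bodies of the IKE and IPsec proposals that the device's peers and policies actually reference."""
    out = []
    for block_prefix, key, def_prefix in REFERENCES[:2]:
        known = defined(cfg, def_prefix)
        out.append([known[attr(a, key)] for _, a in blocks_with(cfg, block_prefix) if attr(a, key) in known])
    return out


def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Both ends must agree: remote-address <-> local-address, and identical proposal bodies."""
    findings = []
    for (n1, c1), (n2, c2) in (((name_a, cfg_a), (name_b, cfg_b)), ((name_b, cfg_b), (name_a, cfg_a))):
        local = {attr(a, "local-address") for _, a in blocks_with(c2, "ipsec policy")}
        for h, a in blocks_with(c1, "ike peer "):
            if attr(a, "remote-address") not in local:
                findings.append(f"{n1}: '{h}' remote-address {attr(a, 'remote-address')} is no local-address on {n2}")
    for label, mine, theirs in zip(("IKE", "IPsec"), used_proposals(cfg_a), used_proposals(cfg_b)):
        for body in mine:
            if not any(sorted(body) == sorted(other) for other in theirs):
                findings.append(f"{label} proposal used on {name_a} ({'; '.join(body)}) has no identical match on {name_b}")
    return findings


# Constructed from the page's configuration files with ACLs, interfaces and routes trimmed away.
# Device B deliberately references ike-proposal 1 (undefined) and uses a different ESP auth algorithm.
TEMPLATE = """
ike proposal 10
 authentication-algorithm sha2-256
#
ike peer {peer}
 pre-shared-key abcde
 ike-proposal {ike_ref}
 remote-address {remote}
#
ipsec proposal tran1
 esp authentication-algorithm {esp_auth}
#
ipsec {policy}
 ike-peer {peer}
 proposal tran1
 local-address {local}
"""
DEVICE_A = TEMPLATE.format(peer="b", ike_ref="10", remote="2.2.2.2", esp_auth="sha2-256",
                           policy="policy map1 10 isakmp", local="1.1.1.1")
DEVICE_B = TEMPLATE.format(peer="1", ike_ref="1", remote="1.1.1.1", esp_auth="sha1",
                           policy="policy-template temp1 1", local="2.2.2.2")


def audit():
    """All findings for the constructed pair; an empty list means the two ends are consistent."""
    a, b = parse_vrp(DEVICE_A), parse_vrp(DEVICE_B)
    return check_device("DeviceA", a) + check_device("DeviceB", b) + check_pair("DeviceA", a, "DeviceB", b)
```

Calling `audit()` on the constructed pair returns five findings: the placeholder pre-shared key on both devices, the dangling `ike-proposal 1` on Device B, and one mismatch each for the IKE and IPsec proposals; the address pairing passes. Regenerating Device B with `ike_ref="10"` and `esp_auth="sha2-256"` makes `check_pair` return an empty list, which is the state the two configuration files above should be in before the tunnel interface is brought up.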
    
Updated: 2019-01-02

Document ID: EDOC1100055397