ME60 V800R010C10SPC500 Configuration Guide - IP Routing 01

Example for Configuring IPSec for OSPFv3

Networking Requirements

As shown in Figure 6-11, DeviceA and DeviceB run Open Shortest Path First version 3 (OSPFv3) and can reach each other. If no authentication mechanism is configured, protocol packets on the path between DeviceA and DeviceB may be modified or forged, which can interrupt the neighbor relationship between the two devices or cause incorrect routes to be imported.

To prevent such attacks, IPsec can be configured between DeviceA and DeviceB to protect OSPFv3 protocol packets during transmission. In this example, ESP is the security protocol and SHA2-256 is the authentication algorithm. No ESP encryption algorithm is configured, so the packets are authenticated but not encrypted.

Figure 6-11 Configuring IPsec
NOTE: Interface 1 on each device in this example is GE 1/0/1.


Precautions

  • The encapsulation modes and security protocols on both IPsec peers must be identical.
  • The authentication modes and encryption algorithms on both IPsec peers must be identical.
  • The SPIs and authentication keys on both IPsec peers must be identical.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic OSPFv3 functions on DeviceA and DeviceB.

  2. Configure a security proposal that defines the security protocol, authentication algorithm, and encapsulation mode.

  3. Configure an SA, apply the proposal to it, and define the inbound and outbound parameters, including the SPIs and keys.

  4. Apply the SA to the OSPFv3 process to protect OSPFv3 protocol packets between DeviceA and DeviceB.

Data Preparation

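To complete the configuration, you need the following data:

Device Name   Router ID   Process ID   SPI     Authentication Key in the String Format
DeviceA       1.1.1.1     1            12345   abcdef
DeviceB       2.2.2.2     1            12345   abcdef

The key abcdef is a sample value for this example. A deployed SA needs a key that cannot be guessed, because ESP authentication relies only on the SPI and this shared key.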

Procedure

  1. Configure OSPFv3 on DeviceA and DeviceB.

    # Configure DeviceA.

    <HUAWEI> system-view
    [~HUAWEI] sysname DeviceA
    [*HUAWEI] commit
    [~DeviceA] ospfv3 1
    [*DeviceA-ospfv3-1] router-id 1.1.1.1
    [*DeviceA-ospfv3-1] area 1
    [*DeviceA-ospfv3-1-area-0.0.0.1] commit
    [~DeviceA-ospfv3-1-area-0.0.0.1] quit

    # Configure DeviceB.

    <HUAWEI> system-view
    [~HUAWEI] sysname DeviceB
    [*HUAWEI] commit
    [~DeviceB] ospfv3 1
    [*DeviceB-ospfv3-1] router-id 2.2.2.2
    [*DeviceB-ospfv3-1] area 1
    [*DeviceB-ospfv3-1-area-0.0.0.1] commit
    [~DeviceB-ospfv3-1-area-0.0.0.1] quit

  2. Configure IPv6 addresses and enable OSPFv3 on interfaces.

    # Configure DeviceA.

    [~DeviceA] interface gigabitethernet1/0/1
    [~DeviceA-GigabitEthernet1/0/1] ipv6 enable
    [*DeviceA-GigabitEthernet1/0/1] ipv6 address 2001:db8::1 64
    [*DeviceA-GigabitEthernet1/0/1] ospfv3 1 area 1
    [*DeviceA-GigabitEthernet1/0/1] commit
    [~DeviceA-GigabitEthernet1/0/1] quit

    # Configure DeviceB.

    [~DeviceB] interface gigabitethernet1/0/1
    [~DeviceB-GigabitEthernet1/0/1] ipv6 enable
    [*DeviceB-GigabitEthernet1/0/1] ipv6 address 2001:db8::2 64
    [*DeviceB-GigabitEthernet1/0/1] ospfv3 1 area 1
    [*DeviceB-GigabitEthernet1/0/1] commit
    [~DeviceB-GigabitEthernet1/0/1] quit

  3. Configure security proposals on DeviceA and DeviceB.

    # Configure a security proposal on DeviceA.

    [~DeviceA] ipsec proposal proposal1
    [*DeviceA-ipsec-proposal-proposal1] encapsulation-mode transport
    [*DeviceA-ipsec-proposal-proposal1] transform esp
    [*DeviceA-ipsec-proposal-proposal1] undo esp encryption-algorithm
    [*DeviceA-ipsec-proposal-proposal1] esp authentication-algorithm sha2-256
    [*DeviceA-ipsec-proposal-proposal1] commit
    [~DeviceA-ipsec-proposal-proposal1] quit

    # Configure a security proposal on DeviceB.

    [~DeviceB] ipsec proposal proposal2
    [*DeviceB-ipsec-proposal-proposal2] encapsulation-mode transport
    [*DeviceB-ipsec-proposal-proposal2] transform esp
    [*DeviceB-ipsec-proposal-proposal2] undo esp encryption-algorithm
    [*DeviceB-ipsec-proposal-proposal2] esp authentication-algorithm sha2-256
    [*DeviceB-ipsec-proposal-proposal2] commit
    [~DeviceB-ipsec-proposal-proposal2] quit

    # Run the display ipsec proposal command on DeviceA and DeviceB to view the configurations. The following uses the display on DeviceA as an example.

    [~DeviceA] display ipsec proposal
    Total IP security proposal number: 1
    IP security proposal name: proposal1
    encapsulation mode: transport
    transform: esp-new
    ESP protocol: authentication SHA2-HMAC-256, not use encryption

  4. Configure SAs on DeviceA and DeviceB and apply the security proposals to them.

    # Configure an SA on DeviceA and apply proposal1 to it.

    [~DeviceA] ipsec sa sa1
    [*DeviceA-ipsec-sa-sa1] proposal proposal1
    [*DeviceA-ipsec-sa-sa1] commit

    # Configure an SA on DeviceB and apply proposal2 to it.

    [~DeviceB] ipsec sa sa2
    [*DeviceB-ipsec-sa-sa2] proposal proposal2
    [*DeviceB-ipsec-sa-sa2] commit

  5. Configure SPIs and authentication keys in the string format on DeviceA and DeviceB.

    # Configure SPIs and authentication keys in the string format on DeviceA.

    [~DeviceA] ipsec sa sa1
    [*DeviceA-ipsec-sa-sa1] sa spi inbound esp 12345
    [*DeviceA-ipsec-sa-sa1] sa spi outbound esp 12345
    [*DeviceA-ipsec-sa-sa1] sa string-key inbound esp abcdef
    [*DeviceA-ipsec-sa-sa1] sa string-key outbound esp abcdef
    [*DeviceA-ipsec-sa-sa1] commit
    [~DeviceA-ipsec-sa-sa1] quit

    # Configure SPIs and authentication keys in the string format on DeviceB.

    [~DeviceB] ipsec sa sa2
    [*DeviceB-ipsec-sa-sa2] sa spi outbound esp 12345
    [*DeviceB-ipsec-sa-sa2] sa spi inbound esp 12345
    [*DeviceB-ipsec-sa-sa2] sa string-key outbound esp abcdef
    [*DeviceB-ipsec-sa-sa2] sa string-key inbound esp abcdef
    [*DeviceB-ipsec-sa-sa2] commit
    [~DeviceB-ipsec-sa-sa2] quit

  6. Apply the SAs to the OSPFv3 processes.

    # Apply the SA to the OSPFv3 process on DeviceA.

    [~DeviceA] ospfv3 1
    [*DeviceA-ospfv3-1] ipsec sa sa1
    [*DeviceA-ospfv3-1] commit

    # Apply the SA to the OSPFv3 process on DeviceB.

    [~DeviceB] ospfv3 1
    [*DeviceB-ospfv3-1] ipsec sa sa2
    [*DeviceB-ospfv3-1] commit

  7. Verify the configuration.

    # Run the display ipsec sa command on DeviceA and DeviceB to view the configurations. The following uses the display on DeviceA as an example.

    [~DeviceA] display ipsec sa
    Total IP security association number: 1
      IP security association name: sa1
      Number of references: 1
        proposal name: proposal1
        State: Complete
        inbound AH setting: 
          AH spi: 
          AH string-key: 
          AH authentication hex key: 
        inbound ESP setting:
          ESP spi: 12345 (0x3039)
          ESP string-key: %#%#<}jb{br9\zi%X+/Y@:Y>Lw(L\v#*^KsM"/8RaRe$%#%#
          ESP encryption hex key: 
          ESP authentication hex key:
        outbound AH setting: 
          AH spi: 
          AH string-key:
          AH authentication hex key: 
        outbound ESP setting:
          ESP spi: 12345 (0x3039)
          ESP string-key: %#%#<}j/@X4355SE9JZTD0>GQf"}w2@X,k6.E\Z,z\{#%#%#
          ESP encryption hex key: 
          ESP authentication hex key: 

    # Run the display ipsec statistics command to view statistics about incoming and outgoing protocol packets processed by IPsec and detailed information about dropped protocol packets. If statistics about incoming and outgoing protocol packets processed by IPsec are displayed, the configuration succeeds. For example:

    [~DeviceA] display ipsec statistics
      IPv6 security packet statistics:
        input/output security packets: 184/19
        input/output security bytes: 13216/1312
        input/output dropped security packets: 0/0
        dropped security packet detail:
          memory process problem: 0
          can't find SA: 0
          queue is full: 0
          authentication is failed: 0
          wrong length: 0
          replay packet: 0
          too long packet: 0
          invalid SA: 0
          policy deny: 0
      the normal packet statistics:
        input/output dropped normal packets: 0/0
      IPv4 security packet statistics:
        input/output security packets: 0/0
        input/output security bytes: 0/0
        input/output dropped security packets: 0/0
        dropped security packet detail:
          memory process problem: 0
          can't find SA: 0
          queue is full: 0
          authentication is failed: 0
          wrong length: 0
          replay packet: 0
          too long packet: 0
          invalid SA: 0
          policy deny: 0
      the normal packet statistics:
        input/output dropped normal packets: 0/0
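
The verification output can also be checked by script. The following Python code is an added example, not part of the Huawei guide: it parses text in the layout of display ipsec statistics and reports whether protected packets were seen in both directions and which drop reasons are non-zero. The sample text is constructed, the function names are hypothetical, and treating non-zero input and output counts as the success criterion is this example's reading of the step above.

```python
import re

# Constructed sample in the layout of the `display ipsec statistics` output above
# (IPv6 section only, with non-zero drop counters for illustration).
SAMPLE = """\
  IPv6 security packet statistics:
    input/output security packets: 184/19
    input/output security bytes: 13216/1312
    input/output dropped security packets: 9/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 2
      queue is full: 0
      authentication is failed: 7
      wrong length: 0
      replay packet: 0
      too long packet: 0
      invalid SA: 0
      policy deny: 0
"""

def parse_stats(text):
    """Return {family: {"pairs": {name: (in, out)}, "drops": {reason: count}}}."""
    stats, fam = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"(IPv[46]) security packet statistics:", line):
            fam = stats.setdefault(m.group(1), {"pairs": {}, "drops": {}})
        elif fam is None:
            continue  # prompt line or a "normal packet" section
        elif m := re.fullmatch(r"input/output (.+): (\d+)/(\d+)", line):
            fam["pairs"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif m := re.fullmatch(r"(.+): (\d+)", line):
            fam["drops"][m.group(1)] = int(m.group(2))
        elif line.startswith("the normal packet"):
            fam = None  # following counters are not IPsec-protected traffic
    return stats

def assess(text, family="IPv6"):
    """Report whether IPsec traffic was seen both ways and list non-zero drop reasons."""
    fam = parse_stats(text).get(family)
    if fam is None:
        return {"traffic_seen": False, "drops": {}}
    rx, tx = fam["pairs"].get("security packets", (0, 0))
    return {"traffic_seen": rx > 0 and tx > 0,
            "drops": {k: v for k, v in fam["drops"].items() if v}}
```

A non-empty drops result on an OSPFv3 link is worth alerting on, because the counters record packets that IPsec rejected rather than packets OSPFv3 processed.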

Configuration Files

  • Configuration file of DeviceA

    #
    sysname DeviceA
    #
    ipsec proposal proposal1
     encapsulation-mode transport
     esp authentication-algorithm sha2-256
     undo esp encryption-algorithm
    #
    ipsec sa sa1
     proposal proposal1
     sa spi inbound esp 12345
     sa string-key inbound esp %#%#<}jb{br9\zi%X+/Y@:Y>Lw(L\v#*^KsM"/8RaRe$%#%#
     sa spi outbound esp 12345
     sa string-key outbound esp %#%#<}j/@X4355SE9JZTD0>GQf"}w2@X,k6.E\Z,z\{#%#%#
    #
    ospfv3 1
     router-id 1.1.1.1
     ipsec sa sa1
     area 0.0.0.1   
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8::1/64
     ospfv3 1 area 0.0.0.1
    #
  • Configuration file of DeviceB

    #
    sysname DeviceB
    #
    ipsec proposal proposal2
     encapsulation-mode transport
     esp authentication-algorithm sha2-256
     undo esp encryption-algorithm
    #
    ipsec sa sa2
     proposal proposal2
     sa spi inbound esp 12345
     sa string-key inbound esp %#%#<}j/@XSE9JZT5]2"T#]2"T<}j/@XSE9JZT5>%#%#
     sa spi outbound esp 12345
     sa string-key outbound esp %#%#)YTP%@nFE7bL^B&WSBiQ1[p#M"/8RaRe%$7$%#%#
    #
    ospfv3 1
     router-id 2.2.2.2
     ipsec sa sa2
     area 0.0.0.1
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8::2/64
     ospfv3 1 area 0.0.0.1
    #
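
The Precautions can be checked offline against the two saved configuration files. The following Python code is an added example, not part of the Huawei guide: it parses constructed configurations in the layout shown above and reports whether the proposal settings and SPIs of the SA bound to OSPFv3 agree on both peers. The function names are hypothetical, and the rule that one SPI is used in both directions follows this example's data and is an assumption of the check.

```python
import re

# Constructed sample modelled on the DeviceA configuration file; key ciphertext is a placeholder.
CFG_A = """\
ipsec proposal proposal1
 encapsulation-mode transport
 esp authentication-algorithm sha2-256
 undo esp encryption-algorithm
#
ipsec sa sa1
 proposal proposal1
 sa spi inbound esp 12345
 sa string-key inbound esp %#%#PLACEHOLDER%#%#
 sa spi outbound esp 12345
 sa string-key outbound esp %#%#PLACEHOLDER%#%#
#
ospfv3 1
 ipsec sa sa1
#
"""
CFG_B = CFG_A.replace("sa1", "sa2").replace("proposal1", "proposal2")  # constructed peer

def block(cfg, header_re):
    """Sub-lines of the first stanza whose header line matches header_re."""
    m = re.search(rf"^{header_re}[ \t]*\n((?: .*\n)*)", cfg, re.M)
    return [line.strip() for line in m.group(1).splitlines()] if m else []

def profile(cfg):
    """Settings of the SA bound to the first OSPFv3 process, or None if none is bound."""
    sa = next((l for l in block(cfg, r"ospfv3 \d+") if l.startswith("ipsec sa ")), None)
    if sa is None:
        return None
    sa_lines = block(cfg, re.escape(sa))
    prop = next((l for l in sa_lines if l.startswith("proposal ")), "")
    spis = dict(re.findall(r"sa spi (inbound|outbound) esp (\d+)", "\n".join(sa_lines)))
    return {"proposal": set(block(cfg, re.escape("ipsec " + prop))), "spis": spis}

def compare(cfg_a, cfg_b):
    """Findings against the Precautions; an empty list means the peers agree."""
    a, b = profile(cfg_a), profile(cfg_b)
    if a is None or b is None:
        return ["no IPsec SA applied to an OSPFv3 process on at least one peer"]
    out = []
    if a["proposal"] != b["proposal"]:
        out.append("proposal differs: " + ", ".join(sorted(a["proposal"] ^ b["proposal"])))
    spis = set(a["spis"].values()) | set(b["spis"].values())
    if len(spis) != 1 or len(a["spis"]) != 2 or len(b["spis"]) != 2:
        out.append(f"SPIs not identical in both directions on both peers: {sorted(spis)}")
    return out
```

The string-key lines are not compared: the configuration files above store each key as ciphertext that differs per device and direction, so key agreement has to be confirmed from the source the keys were provisioned from.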
    
Updated: 2019-01-04

Document ID: EDOC1100059437
