CLI-based Configuration Guide - Interface Management

AR100, AR120, AR160, AR1200, AR2200, AR3200, and AR3600 V300R003

This document provides the basic concepts, configuration procedures, and configuration examples of the interfaces supported by the device.
Example for Configuring a Branch to Access the Internet Using a 3G Cellular Interface and Establishing an IPSec Tunnel Between Headquarters and Branch Using an IPSec Policy Template

Networking Requirements

Because some branches are located in remote areas, it is difficult to deploy fixed networks there. As shown in Figure 11-10, to meet service transmission requirements, the branch uses RouterA as the egress gateway and connects to the Internet over the WCDMA network through a 3G cellular interface.

To ensure secure data exchanges between the headquarters and branch, the branch needs to use an IPSec tunnel. The headquarters gateway RouterB uses a static public address, and the branch gateway RouterA uses a 3G interface to dynamically obtain an IP address from the provider to access a public network.

Figure 11-10  Networking diagram for configuring 3G and IPSec

Configuration Roadmap

To deploy an IPSec policy, the headquarters gateway needs the branch IP address. Because the branch address is assigned dynamically and changes frequently, it is impractical to maintain in a static policy. Instead, configure an IPSec policy template on the headquarters gateway so that the two gateways can negotiate IPSec without the headquarters knowing the branch address in advance; the configuration is also simpler. Note the trade-off: because the template does not pin a remote address, any host that presents the correct pre-shared key can start a negotiation with the headquarters gateway, and the same key serves every branch that uses this IKE peer. Choose a strong key and protect it accordingly.

The configuration roadmap for RouterA is as follows:

  • Configure an ACL to define data flows to be protected by the IPSec tunnel.
  • Configure an IPSec proposal to define the traffic protection method.
  • Configure an IKE peer and define attributes used for IKE negotiation.
  • Configure an IPSec policy to determine methods used to protect different types of data flows.
  • Create an APN profile used to connect to the Internet.
  • Configure a 3G cellular interface, bind the APN profile to the 3G cellular interface, and apply the IPSec policy to the 3G cellular interface.
  • Configure a default route and specify the 3G cellular interface as the outbound interface so that traffic from the branch intranet is forwarded to the Internet through the 3G cellular interface.

The configuration roadmap for RouterB is as follows:

  • Configure an ACL to define data flows to be protected by the IPSec tunnel.
  • Configure an IPSec proposal to define the traffic protection method.
  • Configure an IKE peer. The IKE peer does not specify a remote IP address, so it can negotiate with any branch.
  • Configure an IPSec policy template to determine the methods used to protect data flows and to allow remote devices to initiate negotiation with the local device.
  • Configure an IPSec policy that references the IPSec policy template.
  • Configure a public network interface with a fixed IP address and apply the IPSec policy to that interface.
  • Configure a default route and specify the public network interface as the outbound interface so that traffic from the headquarters intranet is forwarded to the Internet through the public network interface.

Procedure

  1. Configure RouterA.

    # Configure an ACL to define data flows to be protected by the IPSec tunnel.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] acl number 3000
    [RouterA-acl-adv-3000] rule 5 permit ip source 10.10.1.0 0.0.0.255 destination 10.10.2.0 0.0.0.255
    [RouterA-acl-adv-3000] quit

    # Configure an IPSec proposal. The configuration file at the end of this example shows the ESP algorithms in effect for this proposal (SHA2-256 authentication and AES-256 encryption); both ends must agree on them.

    [RouterA] ipsec proposal rta
    [RouterA-ipsec-proposal-rta] quit

    # Configure an IKE peer for establishing an IPSec connection with RouterB through automatic negotiation.

    [RouterA] ike peer rta v1
    [RouterA-ike-peer-rta] pre-shared-key cipher huawei@123
    [RouterA-ike-peer-rta] remote-address 1.1.1.1
    [RouterA-ike-peer-rta] quit

    # Configure an IPSec policy.

    [RouterA] ipsec policy rta 1 isakmp
    [RouterA-ipsec-policy-isakmp-rta-1] security acl 3000
    [RouterA-ipsec-policy-isakmp-rta-1] ike-peer rta
    [RouterA-ipsec-policy-isakmp-rta-1] proposal rta
    [RouterA-ipsec-policy-isakmp-rta-1] quit

    # Create an APN profile.

    [RouterA] apn profile 3gprofile
    [RouterA-apn-profile-3gprofile] apn 3GNET
    [RouterA-apn-profile-3gprofile] user name 3guser password cipher Password@123 authentication-mode auto
    [RouterA-apn-profile-3gprofile] quit

    # Configure a 3G interface. The interface is shut down and re-enabled at the end so that the dialer and APN settings take effect.

    [RouterA] interface cellular 0/0/0
    [RouterA-Cellular0/0/0] ip address negotiate
    [RouterA-Cellular0/0/0] ppp ipcp dns request
    [RouterA-Cellular0/0/0] dialer enable-circular
    [RouterA-Cellular0/0/0] dialer number *99# autodial
    [RouterA-Cellular0/0/0] mode wcdma wcdma-precedence
    [RouterA-Cellular0/0/0] apn-profile 3gprofile
    [RouterA-Cellular0/0/0] ipsec policy rta
    [RouterA-Cellular0/0/0] shutdown
    [RouterA-Cellular0/0/0] undo shutdown
    [RouterA-Cellular0/0/0] quit

    # Configure a default route.

    [RouterA] ip route-static 0.0.0.0 0.0.0.0 cellular 0/0/0

  2. Configure RouterB.

    # Configure an ACL to define data flows to be protected by the IPSec tunnel.

    <Huawei> system-view
    [Huawei] sysname RouterB
    [RouterB] acl number 3000
    [RouterB-acl-adv-3000] rule 5 permit ip source 10.10.2.0 0.0.0.255 destination 10.10.1.0 0.0.0.255
    [RouterB-acl-adv-3000] quit

    # Configure an IPSec proposal. Its algorithms must match the proposal on RouterA.

    [RouterB] ipsec proposal rtb
    [RouterB-ipsec-proposal-rtb] quit

    # Configure an IKE peer. No remote-address is configured, so this peer can negotiate with any branch that presents the pre-shared key.

    [RouterB] ike peer rtb v1
    [RouterB-ike-peer-rtb] pre-shared-key cipher huawei@123
    [RouterB-ike-peer-rtb] quit

    # Configure an IPSec policy template.

    [RouterB] ipsec policy-template temp 1
    [RouterB-ipsec-policy-templet-temp-1] security acl 3000
    [RouterB-ipsec-policy-templet-temp-1] ike-peer rtb
    [RouterB-ipsec-policy-templet-temp-1] proposal rtb
    [RouterB-ipsec-policy-templet-temp-1] quit

    # Configure an IPSec policy and reference the IPSec policy template in the IPSec policy.

    [RouterB] ipsec policy rtb1 1 isakmp template temp

    # Configure a public network interface to use a fixed IP address.

    [RouterB] interface gigabitEthernet 1/0/0
    [RouterB-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
    [RouterB-GigabitEthernet1/0/0] ipsec policy rtb1
    [RouterB-GigabitEthernet1/0/0] quit

    # Configure a default route.

    [RouterB] ip route-static 0.0.0.0 0.0.0.0 gigabitEthernet 1/0/0

  3. Verify the configuration.

    # After the configuration is completed, data between the headquarters and branch is transmitted through the IPSec tunnel. The template-based policy on RouterB only responds to negotiation, so the tunnel is set up when traffic from 10.10.1.0/24 to 10.10.2.0/24 first leaves the branch. Check on RouterA and RouterB that the IKE SA and the IPSec SAs exist with the display ike sa and display ipsec sa commands. If the IKE SA is up but no IPSec SA appears, confirm that ACL 3000 on one router is the exact mirror image of ACL 3000 on the other.
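The following model, added here as an illustration and not Huawei code, replays the responder-side decisions this design depends on: a peer with a fixed remote-address rejects the branch as soon as its 3G address changes, a template-based policy accepts it from any address, the proposed traffic selectors must be the mirror image of the local security ACL, and the template side can only respond, never initiate. The matching rules are simplified, and the branch addresses, the "pinned" headquarters variant and the "unknown host" case are constructed for the example; only the subnets, ACL rules and key come from the page.

```python
"""
Model of the responder-side policy lookup that the headquarters/branch design relies on.
Added illustration only, not Huawei code: the rules are simplified (exact mirror of the
security ACL, one IKE peer per policy) and every branch address and test case is constructed.
"""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclRule:
    """One 'rule N permit ip source S destination D' line, wildcard masks turned into prefixes."""
    source: Net
    destination: Net

    def mirror(self) -> "AclRule":
        # The peer has to propose the same flow with source and destination swapped.
        return AclRule(self.destination, self.source)


@dataclass(frozen=True)
class IkePeer:
    name: str
    psk: str
    remote_address: Optional[Addr] = None   # None models an 'ike peer' without remote-address


@dataclass(frozen=True)
class IpsecPolicy:
    name: str
    acl: Tuple[AclRule, ...]
    peer: IkePeer
    from_template: bool = False             # True models 'ipsec policy ... isakmp template ...'


@dataclass(frozen=True)
class Negotiation:
    """What the responder sees from an initiator: its address, the PSK it proves, its selectors."""
    initiator: Addr
    psk: str
    selectors: Tuple[AclRule, ...]


def can_initiate(policy: IpsecPolicy) -> bool:
    """A template-based policy only answers; the dynamically addressed side must start IKE."""
    return not policy.from_template


def evaluate(policy: IpsecPolicy, nego: Negotiation) -> Tuple[bool, str]:
    """Responder-side decision for one incoming negotiation. Returns (accepted, reason)."""
    peer = policy.peer
    if peer.remote_address is not None and nego.initiator != peer.remote_address:
        return False, "initiator is not the configured remote-address"
    # Compare the key in constant time so the check itself does not leak it by timing.
    if not hmac.compare_digest(nego.psk.encode(), peer.psk.encode()):
        return False, "pre-shared key mismatch"
    if set(nego.selectors) != {rule.mirror() for rule in policy.acl}:
        return False, "traffic selectors are not the mirror image of the local security ACL"
    return True, "accepted"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Replay the page's scenario; branch addresses are constructed from TEST-NET ranges."""
    hq_lan, branch_lan = Net("10.10.2.0/24"), Net("10.10.1.0/24")
    hq_acl = (AclRule(hq_lan, branch_lan),)                 # RouterB acl 3000 rule 5
    branch_acl = (AclRule(branch_lan, hq_lan),)             # RouterA acl 3000 rule 5
    psk = "huawei@123"

    # RouterB as on the page: no remote-address, policy built from a template.
    template = IpsecPolicy("rtb1", hq_acl, IkePeer("rtb", psk), from_template=True)
    # Hypothetical RouterB that pinned the first address the branch ever dialled up with.
    pinned = IpsecPolicy("rtb-static", hq_acl, IkePeer("rtb", psk, Addr("203.0.113.7")))

    def branch(addr: str, key: str = psk, acl: Tuple[AclRule, ...] = branch_acl) -> Negotiation:
        return Negotiation(Addr(addr), key, acl)

    return {
        "template_first_address": evaluate(template, branch("203.0.113.7")),
        "template_after_readdress": evaluate(template, branch("198.51.100.22")),
        "pinned_first_address": evaluate(pinned, branch("203.0.113.7")),
        "pinned_after_readdress": evaluate(pinned, branch("198.51.100.22")),
        "wrong_psk": evaluate(template, branch("198.51.100.22", key="guess")),
        "acl_not_mirrored": evaluate(
            template, branch("198.51.100.22", acl=(AclRule(branch_lan, Net("10.10.3.0/24")),))),
        # Security cost of the template: an unrelated host holding the key is accepted too.
        "unknown_host_with_leaked_psk": evaluate(template, branch("192.0.2.99")),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:30s} {'OK' if ok else 'NO'}  {why}")
    print("template policy can initiate:",
          can_initiate(IpsecPolicy("x", (), IkePeer("p", "k"), from_template=True)))
```

The last case is the one to keep in mind when choosing the key: with no remote-address and no stronger identity check, the pre-shared key is the only thing standing between the headquarters gateway and any host on the Internet, and every branch sharing this IKE peer holds the same key.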

Configuration Files

  • Configuration file of RouterA
    #
     sysname RouterA
    #
    acl number 3000
     rule 5 permit ip source 10.10.1.0 0.0.0.255 destination 10.10.2.0 0.0.0.255
    #
    ipsec proposal rta
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike peer rta v1
     pre-shared-key cipher %^%#mZ"B;"Nf(Jg::AW)P3J@r)Zm-B"o$A2.C/E7bY80%^%
     remote-address 1.1.1.1
    #
    ipsec policy rta 1 isakmp
     security acl 3000
     ike-peer rta
     proposal rta
    #
    interface Cellular0/0/0
     link-protocol ppp
     ppp ipcp dns request
     dialer enable-circular
     apn-profile 3gprofile
     dialer timer autodial 10
     dialer number *99# autodial
     ipsec policy rta
     ip address negotiate
    #
    apn profile 3gprofile
     user name 3guser password cipher %@%@,)AK/L"R0'^5%YUBDqKP#^y>%@%@ authentication-mode auto
     apn 3GNET
    #
    ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0
    #
    return
  • Configuration file of RouterB
    #
     sysname RouterB
    #
    acl number 3000
     rule 5 permit ip source 10.10.2.0 0.0.0.255 destination 10.10.1.0 0.0.0.255
    #
    ipsec proposal rtb
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike peer rtb v1
     pre-shared-key cipher %^%#mZ"D;"Nf(Jg::AW)P4J@r)Zm-B"o$A4.C/E7bY91%^%
    #
    ipsec policy-template temp 1
     security acl 3000
     ike-peer rtb
     proposal rtb
    #
    ipsec policy rtb1 1 isakmp template temp
    #
    interface GigabitEthernet1/0/0
     ip address 1.1.1.1 255.255.255.0
     ipsec policy rtb1
    #
    ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0
    #
    return
Updated: 2019-03-06

Document ID: EDOC1100069331
