Example for Configuring a Branch to Access the Internet Using a 3G Cellular Interface and Establishing an IPSec Tunnel Between Headquarters and Branch Using an IPSec Policy Template
Networking Requirements
Because some branches are located in remote areas, it is difficult to deploy fixed networks. As shown in Figure 11-8, to meet service transmission requirements, the branch uses the Router as the egress gateway and uses a 3G cellular interface to connect to the Internet through the WCDMA network.
To ensure secure data exchanges between the headquarters and branch, the branch needs to use an IPSec tunnel. The headquarters gateway RouterB uses a static public address, and the branch gateway RouterA uses a 3G cellular interface to dynamically obtain an IP address from the provider to access a public network.
The branch has obtained the following information from the carrier:
- User name and password: 3guser and YsHsjx_202206
- APN: 3GNET
- Dialer number: *99#
Configuration Roadmap
To deploy an IPSec policy, the headquarters gateway needs the branch IP address, but this address changes frequently and is difficult to maintain. You can use an IPSec policy template on the headquarters gateway so that the headquarters gateway and branch gateway can perform IPSec negotiation without the headquarters knowing the branch IP address in advance. In addition, the configuration is simple.
The configuration roadmap for RouterA is as follows:
- Configure an ACL to define data flows to be protected by the IPSec tunnel.
- Configure an IPSec proposal to define the traffic protection method.
- Configure an IKE peer and define attributes used for IKE negotiation.
- Configure an IPSec policy to determine methods used to protect different types of data flows.
- Create an APN profile used to connect to the Internet.
- Configure a 3G cellular interface, bind the APN profile to the 3G cellular interface, and apply the IPSec policy to the 3G cellular interface.
- Configure a default route and specify the 3G cellular interface as the outbound interface so that traffic from the branch intranet is forwarded to the Internet through the 3G cellular interface.
The configuration roadmap for RouterB is as follows:
- Configure an ACL to define data flows to be protected by the IPSec tunnel.
- Configure an IPSec proposal to define the traffic protection method.
- Configure an IKE peer. The IKE peer does not require a remote IP address and can therefore perform negotiation with any branch.
- Configure an IPSec policy template to determine methods used to protect different types of data flows and allow the remote device to initiate negotiation requests to the local device.
- Configure an IPSec policy and reference the IPSec policy template in the IPSec policy.
- Configure a public network interface to use a fixed IP address and apply the IPSec policy to the public network interface.
- Configure a default route and specify the public network interface as the outbound interface so that traffic from the headquarters intranet is forwarded to the Internet through the public network interface.
Procedure
- Configure RouterA.
# Configure an ACL to define data flows to be protected by the IPSec tunnel.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.2.0 0.0.0.255
[RouterA-acl-adv-3000] quit
# Configure an IPSec proposal.
[RouterA] ipsec proposal rta
[RouterA-ipsec-proposal-rta] quit
# Configure an IKE peer for establishing an IPSec connection with RouterB through automatic negotiation.
[RouterA] ike peer rta v1
[RouterA-ike-peer-rta] pre-shared-key cipher YsHsjx_202206
[RouterA-ike-peer-rta] remote-address 1.1.1.1
[RouterA-ike-peer-rta] quit
# Configure an IPSec policy.
[RouterA] ipsec policy rta 1 isakmp
[RouterA-ipsec-policy-isakmp-rta-1] security acl 3000
[RouterA-ipsec-policy-isakmp-rta-1] ike-peer rta
[RouterA-ipsec-policy-isakmp-rta-1] proposal rta
[RouterA-ipsec-policy-isakmp-rta-1] quit
# Create an APN profile.
[RouterA] apn profile 3gprofile
[RouterA-apn-profile-3gprofile] apn 3GNET
[RouterA-apn-profile-3gprofile] user name 3guser password cipher YsHsjx_202206 authentication-mode auto
[RouterA-apn-profile-3gprofile] quit
# Configure a 3G cellular interface.
[RouterA] interface cellular 0/0/0
[RouterA-Cellular0/0/0] ip address negotiate
[RouterA-Cellular0/0/0] ppp ipcp dns request
[RouterA-Cellular0/0/0] dialer enable-circular
[RouterA-Cellular0/0/0] dialer number *99# autodial
[RouterA-Cellular0/0/0] mode wcdma wcdma-precedence
[RouterA-Cellular0/0/0] apn-profile 3gprofile
[RouterA-Cellular0/0/0] ipsec policy rta
[RouterA-Cellular0/0/0] shutdown
[RouterA-Cellular0/0/0] undo shutdown
[RouterA-Cellular0/0/0] quit
# Configure a default route.
[RouterA] ip route-static 0.0.0.0 0.0.0.0 cellular 0/0/0
- Configure RouterB.
# Configure an ACL to define data flows to be protected by the IPSec tunnel.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] acl number 3000
[RouterB-acl-adv-3000] rule 5 permit ip source 10.10.2.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
[RouterB-acl-adv-3000] quit
# Configure an IPSec proposal.
[RouterB] ipsec proposal rtb
[RouterB-ipsec-proposal-rtb] quit
# Configure an IKE peer. The IKE peer does not require a remote IP address and can perform negotiation with other branches.
[RouterB] ike peer rtb v1
[RouterB-ike-peer-rtb] pre-shared-key cipher YsHsjx_202206
[RouterB-ike-peer-rtb] quit
# Configure an IPSec policy template.
[RouterB] ipsec policy-template temp 1
[RouterB-ipsec-policy-templet-temp-1] security acl 3000
[RouterB-ipsec-policy-templet-temp-1] ike-peer rtb
[RouterB-ipsec-policy-templet-temp-1] proposal rtb
[RouterB-ipsec-policy-templet-temp-1] quit
# Configure an IPSec policy and reference the IPSec policy template in the IPSec policy.
[RouterB] ipsec policy rtb1 1 isakmp template temp
# Configure a public network interface to use a fixed IP address.
[RouterB] interface gigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] ipsec policy rtb1
[RouterB-GigabitEthernet1/0/0] quit
# Configure a default route.
[RouterB] ip route-static 0.0.0.0 0.0.0.0 gigabitEthernet 1/0/0
- Verify the configuration.
# After the configuration is completed, data between the headquarters and branch is transmitted through the IPSec tunnel. Because RouterB uses an IPSec policy template, it only responds to negotiation: the tunnel is set up when RouterA initiates IKE negotiation, that is, when the first packet matching ACL 3000 leaves the branch.
Configuration Files
- RouterA configuration file
#
 sysname RouterA
#
acl number 3000
 rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.2.0 0.0.0.255
#
ipsec proposal rta
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike peer rta v1
 pre-shared-key cipher %^%#mZ"B;"Nf(Jg::AW)P3J@r)Zm-B"o$A2.C/E7bY80%^%
 remote-address 1.1.1.1
#
ipsec policy rta 1 isakmp
 security acl 3000
 ike-peer rta
 proposal rta
#
interface Cellular0/0/0
 link-protocol ppp
 ppp ipcp dns request
 dialer enable-circular
 apn-profile 3gprofile
 dialer timer autodial 10
 dialer number *99# autodial
 ipsec policy rta
 ip address negotiate
#
apn profile 3gprofile
 user name 3guser password cipher %@%@,)AK/L"R0'^5%YUBDqKP#^y>%@%@ authentication-mode auto
 apn 3GNET
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0
#
return
- RouterB configuration file
#
 sysname RouterB
#
acl number 3000
 rule 5 permit ip source 10.10.2.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
#
ipsec proposal rtb
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike peer rtb v1
 pre-shared-key cipher %^%#mZ"D;"Nf(Jg::AW)P4J@r)Zm-B"o$A4.C/E7bY91%^%
#
ipsec policy-template temp 1
 security acl 3000
 ike-peer rtb
 proposal rtb
#
ipsec policy rtb1 1 isakmp template temp
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
 ipsec policy rtb1
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0
#
return
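The verification step above lists no checks. As an added example that is not part of this vendor page, the following Python script compares the two configuration files for the mismatches that most often make a policy-template negotiation fail: an ACL on one side that is not the mirror of the other side's ACL, different ESP algorithms in the two proposals, and a branch remote-address that the headquarters interface does not actually own. The configuration strings are constructed from the RouterA and RouterB files above with the cipher-text keys omitted.

```python
import re
# Constructed from the page's RouterA / RouterB configuration files (cipher keys omitted).
ROUTER_A = """\
acl number 3000
 rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.2.0 0.0.0.255
#
ipsec proposal rta
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike peer rta v1
 remote-address 1.1.1.1
"""
ROUTER_B = """\
acl number 3000
 rule 5 permit ip source 10.10.2.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
#
ipsec proposal rtb
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike peer rtb v1
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
"""

def acl_flows(cfg):
    # (source, destination) pairs from the advanced ACL; these become the phase 2 proxy IDs
    return set(re.findall(r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)", cfg))

def esp_algs(cfg):
    # ESP authentication/encryption algorithms configured in the IPSec proposal
    return set(re.findall(r"^\s*esp (\S+-algorithm \S+)$", cfg, re.M))

def check_pair(local, remote):
    """Mismatches between the two files that make IKE/IPSec negotiation fail."""
    problems = []
    # The peer's ACL must be the exact mirror of ours, or the proxy IDs disagree.
    if acl_flows(local) != {(d, s) for s, d in acl_flows(remote)}:
        problems.append("acl-not-mirrored")
    if esp_algs(local) != esp_algs(remote):
        problems.append("proposal-mismatch")
    # A static remote-address (the branch side) must be an address the peer owns.
    m = re.search(r"^\s*remote-address (\S+)$", local, re.M)
    if m and not re.search(rf"^\s*ip address {re.escape(m.group(1))} ", remote, re.M):
        problems.append("remote-address-not-on-peer")
    return problems
```

Run `check_pair(ROUTER_A, ROUTER_B)` before bringing up the cellular interface; an empty list means the two files agree on the points the script checks.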