NetEngine AR600, AR6100, AR6200, and AR6300 V300R019 CLI-based Configuration Guide - VPN
Example for Configuring Redundancy Control of IPSec Tunnels
Networking Requirements
As shown in Figure 5-66, the branch communicates with the headquarters over the public network. To improve reliability, the headquarters uses two gateways RouterA and RouterB to connect to the branch gateway RouterC. RouterC sets up IPSec Tunnel1 with RouterA through GE0/0/1 and IPSec Tunnel2 with RouterB through GE0/0/2.
The enterprise wants to protect traffic exchanged between the headquarters and branch and requires that traffic be switched to the other IPSec tunnel when one IPSec tunnel fails and back to the faulty IPSec tunnel when the faulty IPSec tunnel recovers.
Configuration Roadmap
Since the branch and headquarters communicate over the public network, you can set up an IPSec tunnel between them to provide security protection. The configuration roadmap is as follows:
Configure an IP address on each interface and static routes to the peers so that the three gateways can reach one another.
Configure an NQA test instance of ICMP type on the branch gateway to monitor the link to headquarters gateway RouterA. The status of this instance (Up or Down) is what drives the tunnel switchover.
Configure ACLs to define the data flows to be protected by the IPSec tunnel.
Configure IPSec proposals to define the traffic protection methods.
Configure IKE peers.
Configure IPSec policies to define the data protection methods. On the branch gateway, bind IPSec tunnel setup and teardown to the status of the NQA test instance so that traffic is switched to the other IPSec tunnel when one IPSec tunnel becomes faulty and switched back when it recovers.
Apply the IPSec policies to interfaces so that the interfaces can protect traffic.
VRRP backup is configured on the two gateways in the headquarters. For detailed configuration, see VRRP Configuration.
Procedure
- Configure an IP address for each interface and static routes to the peer on RouterA, RouterB, and RouterC to ensure that there are reachable routes among them.
# Configure an IP address for each interface and static routes to the peer on RouterA. This example assumes that the next hop address in the route to the branch gateway is 60.1.1.2.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] ip address 60.1.1.1 255.255.255.0
[RouterA-GigabitEthernet0/0/1] quit
[RouterA] interface gigabitethernet 0/0/2
[RouterA-GigabitEthernet0/0/2] ip address 192.168.1.1 255.255.255.0
[RouterA-GigabitEthernet0/0/2] quit
[RouterA] ip route-static 70.1.1.0 255.255.255.0 60.1.1.2
[RouterA] ip route-static 70.1.2.0 255.255.255.0 60.1.1.2
[RouterA] ip route-static 192.168.2.0 255.255.255.0 60.1.1.2
# Configure an IP address for each interface and static routes to the peer on RouterB. This example assumes that the next hop address in the route to the branch gateway is 60.1.2.2.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 0/0/1
[RouterB-GigabitEthernet0/0/1] ip address 60.1.2.1 255.255.255.0
[RouterB-GigabitEthernet0/0/1] quit
[RouterB] interface gigabitethernet 0/0/2
[RouterB-GigabitEthernet0/0/2] ip address 192.168.1.3 255.255.255.0
[RouterB-GigabitEthernet0/0/2] quit
[RouterB] ip route-static 70.1.1.0 255.255.255.0 60.1.2.2
[RouterB] ip route-static 70.1.2.0 255.255.255.0 60.1.2.2
[RouterB] ip route-static 192.168.2.0 255.255.255.0 60.1.2.2
# Configure an IP address for each interface and static routes to the peer on RouterC. This example assumes that the next hop addresses in the route to the headquarters gateways A and B are 70.1.1.2 and 70.1.2.2, respectively.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface gigabitethernet 0/0/1
[RouterC-GigabitEthernet0/0/1] ip address 70.1.1.1 255.255.255.0
[RouterC-GigabitEthernet0/0/1] quit
[RouterC] interface gigabitethernet 0/0/2
[RouterC-GigabitEthernet0/0/2] ip address 70.1.2.1 255.255.255.0
[RouterC-GigabitEthernet0/0/2] quit
[RouterC] interface gigabitethernet 0/0/0
[RouterC-GigabitEthernet0/0/0] ip address 192.168.2.2 255.255.255.0
[RouterC-GigabitEthernet0/0/0] quit
[RouterC] ip route-static 60.1.1.0 255.255.255.0 70.1.1.2
[RouterC] ip route-static 60.1.2.0 255.255.255.0 70.1.2.2
[RouterC] ip route-static 192.168.1.0 255.255.255.0 70.1.1.2
[RouterC] ip route-static 192.168.1.0 255.255.255.0 70.1.2.2
- Configure an NQA test instance on RouterC.
# Configure an NQA test instance of ICMP type (administrator name admin, instance name test) on RouterC to detect faults on the link from 70.1.1.1 to 60.1.1.1. With frequency 10 and probe-count 2, a test runs every 10 seconds and sends two probes, so a link failure is detected within roughly one test interval. Note that the probe only checks reachability of RouterA's public address: a fault that leaves 60.1.1.1 reachable but breaks the tunnel itself (for example an IKE or IPSec problem on RouterA) keeps the instance Up and does not trigger a switchover.
[RouterC] nqa test-instance admin test
[RouterC-nqa-admin-test] test-type icmp
[RouterC-nqa-admin-test] destination-address ipv4 60.1.1.1
[RouterC-nqa-admin-test] frequency 10
[RouterC-nqa-admin-test] probe-count 2
[RouterC-nqa-admin-test] start now
[RouterC-nqa-admin-test] quit
- Configure an ACL on RouterC to define the data flows to be protected.
RouterA and RouterB create their IPSec policies from an IPSec policy template, so the ACL is optional on those two devices. If you do configure an ACL on RouterA or RouterB, the rule must specify the destination address, mirroring RouterC's rule (source 192.168.1.0/24, destination 192.168.2.0/24).
# Configure an ACL on RouterC to define the data flows from subnet 192.168.2.0/24 to subnet 192.168.1.0/24.
[RouterC] acl number 3002
[RouterC-acl-adv-3002] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[RouterC-acl-adv-3002] quit
- Create an IPSec proposal on RouterA, RouterB, and RouterC respectively.
# Create an IPSec proposal on RouterA. The configurations of RouterB and RouterC are similar to that of RouterA, and are not provided here.
[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterA-ipsec-proposal-tran1] quit
- Configure an IKE proposal and an IKE peer on RouterA, RouterB, and RouterC respectively.
RouterA and RouterB act as responders to IKE negotiation requests, so their IPSec policies are created from IPSec policy templates and no remote-address needs to be set on their IKE peers. Note that undo version 2 restricts each peer to IKEv1. All three devices share one pre-shared key here for brevity; in production, a distinct key per peer limits the impact of a single key being exposed.
# Configure an IKE proposal and an IKE peer on RouterA.
[RouterA] ike proposal 5
[RouterA-ike-proposal-5] encryption-algorithm aes-128
[RouterA-ike-proposal-5] authentication-algorithm sha2-256
[RouterA-ike-proposal-5] dh group14
[RouterA-ike-proposal-5] quit
[RouterA] ike peer rut1
[RouterA-ike-peer-rut1] undo version 2
[RouterA-ike-peer-rut1] ike-proposal 5
[RouterA-ike-peer-rut1] pre-shared-key cipher YsHsjx_202206
[RouterA-ike-peer-rut1] quit
# Configure an IKE proposal and an IKE peer on RouterB.
[RouterB] ike proposal 5
[RouterB-ike-proposal-5] encryption-algorithm aes-128
[RouterB-ike-proposal-5] authentication-algorithm sha2-256
[RouterB-ike-proposal-5] dh group14
[RouterB-ike-proposal-5] quit
[RouterB] ike peer rut1
[RouterB-ike-peer-rut1] undo version 2
[RouterB-ike-peer-rut1] ike-proposal 5
[RouterB-ike-peer-rut1] pre-shared-key cipher YsHsjx_202206
[RouterB-ike-peer-rut1] quit
# Configure an IKE proposal and IKE peers rut1 (to RouterA) and rut2 (to RouterB) on RouterC.
[RouterC] ike proposal 5
[RouterC-ike-proposal-5] encryption-algorithm aes-128
[RouterC-ike-proposal-5] authentication-algorithm sha2-256
[RouterC-ike-proposal-5] dh group14
[RouterC-ike-proposal-5] quit
[RouterC] ike peer rut1
[RouterC-ike-peer-rut1] undo version 2
[RouterC-ike-peer-rut1] ike-proposal 5
[RouterC-ike-peer-rut1] pre-shared-key cipher YsHsjx_202206
[RouterC-ike-peer-rut1] remote-address 60.1.1.1
[RouterC-ike-peer-rut1] quit
[RouterC] ike peer rut2
[RouterC-ike-peer-rut2] undo version 2
[RouterC-ike-peer-rut2] ike-proposal 5
[RouterC-ike-peer-rut2] pre-shared-key cipher YsHsjx_202206
[RouterC-ike-peer-rut2] remote-address 60.1.2.1
[RouterC-ike-peer-rut2] quit
- Create an IPSec policy on RouterA, RouterB, and RouterC respectively.
# Create an IPSec policy through an IPSec policy template on RouterA.
[RouterA] ipsec policy-template temp1 10
[RouterA-ipsec-policy-templet-temp1-10] ike-peer rut1
[RouterA-ipsec-policy-templet-temp1-10] proposal tran1
[RouterA-ipsec-policy-templet-temp1-10] quit
[RouterA] ipsec policy policy1 10 isakmp template temp1
# Create an IPSec policy through an IPSec policy template on RouterB.
[RouterB] ipsec policy-template temp1 10
[RouterB-ipsec-policy-templet-temp1-10] ike-peer rut1
[RouterB-ipsec-policy-templet-temp1-10] proposal tran1
[RouterB-ipsec-policy-templet-temp1-10] quit
[RouterB] ipsec policy policy1 10 isakmp template temp1
# Create IPSec policies policy1 and policy2 in ISAKMP mode on RouterC. policy1 (primary tunnel to RouterA) negotiates its SAs while the NQA test instance is Up and tears them down when it goes Down; policy2 (backup tunnel to RouterB) does the opposite. The two connect/disconnect pairs are mirror images, so exactly one tunnel is active for either NQA state.
[RouterC] ipsec policy policy1 10 isakmp
[RouterC-ipsec-policy-isakmp-policy1-10] ike-peer rut1
[RouterC-ipsec-policy-isakmp-policy1-10] proposal tran1
[RouterC-ipsec-policy-isakmp-policy1-10] security acl 3002
[RouterC-ipsec-policy-isakmp-policy1-10] connect track nqa admin test up
[RouterC-ipsec-policy-isakmp-policy1-10] disconnect track nqa admin test down
[RouterC-ipsec-policy-isakmp-policy1-10] quit
[RouterC] ipsec policy policy2 20 isakmp
[RouterC-ipsec-policy-isakmp-policy2-20] ike-peer rut2
[RouterC-ipsec-policy-isakmp-policy2-20] proposal tran1
[RouterC-ipsec-policy-isakmp-policy2-20] security acl 3002
[RouterC-ipsec-policy-isakmp-policy2-20] connect track nqa admin test down
[RouterC-ipsec-policy-isakmp-policy2-20] disconnect track nqa admin test up
[RouterC-ipsec-policy-isakmp-policy2-20] quit
- Apply the IPSec policies to the corresponding interfaces on RouterA, RouterB, and RouterC to make the interfaces able to protect traffic.
# Apply the IPSec policy to the interface of RouterA.
[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] ipsec policy policy1
[RouterA-GigabitEthernet0/0/1] quit
# Apply the IPSec policy to the interface of RouterB.
[RouterB] interface gigabitethernet 0/0/1
[RouterB-GigabitEthernet0/0/1] ipsec policy policy1
[RouterB-GigabitEthernet0/0/1] quit
# Apply the IPSec policies to the interfaces of RouterC.
[RouterC] interface gigabitethernet 0/0/1
[RouterC-GigabitEthernet0/0/1] ipsec policy policy1
[RouterC-GigabitEthernet0/0/1] quit
[RouterC] interface gigabitethernet 0/0/2
[RouterC-GigabitEthernet0/0/2] ipsec policy policy2
[RouterC-GigabitEthernet0/0/2] quit
- Verify the configuration.
After completing the configuration:
PC_1 can ping PC_2 successfully and data transmitted between them is encrypted.
# Run the display ipsec sa command on RouterC to check the IPSec configuration.
[RouterC] display ipsec sa
===============================
Interface: GigabitEthernet0/0/1
Path MTU: 1500
===============================

-----------------------------
IPSec policy name: "policy1"
Sequence number  : 10
Acl group        : 3002
Acl rule         : 5
Mode             : ISAKMP
-----------------------------
  Connection ID     : 21812
  Encapsulation mode: Tunnel
  Tunnel local      : 70.1.1.1
  Tunnel remote     : 60.1.1.1
  Flow source       : 192.168.2.0/255.255.255.0 0/0
  Flow destination  : 192.168.1.0/255.255.255.0 0/0
  Qos pre-classify  : Disable
  Qos group         : -

  [Outbound ESP SAs]
    SPI: 870098030 (0x33dca46e)
    Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
    SA remaining key duration (bytes/sec): 1887436800/3395
    Max sent sequence-number: 0
    UDP encapsulation used for NAT traversal: N

  [Inbound ESP SAs]
    SPI: 2558349639 (0x987d5147)
    Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
    SA remaining key duration (bytes/sec): 1887436800/3395
    Max received sequence-number: 0
    Anti-replay window size: 32
    UDP encapsulation used for NAT traversal: N
The command output shows that traffic from PC_1 to PC_2 is transmitted over IPSec Tunnel1 (source IP address: 70.1.1.1, destination IP address: 60.1.1.1).
Disable GE0/0/1 of RouterC. RouterC's only route to 60.1.1.1 (60.1.1.0/24 via 70.1.1.2) leaves through GE0/0/1, so the NQA probes now fail, the NQA test instance goes Down, and traffic is switched to IPSec Tunnel2 (source IP address: 70.1.2.1, destination IP address: 60.1.2.1).
# Run the shutdown command on GE0/0/1 of RouterC, and then run the display nqa results test-instance admin test command. The command output is as follows:
[RouterC] display nqa results test-instance admin test
NQA entry(admin, test) :testflag is active ,testtype is icmp
  1 . Test 46392 result   The test is finished
   Send operation times: 2                Receive response times: 0
   Completion:failed                      RTD OverThresholds number: 0
   Attempts number:1                      Drop operation number:2
   Disconnect operation number:0          Operation timeout number:0
   System busy operation number:0         Connection fail number:0
   Operation sequence errors number:0     RTT Status errors number:0
   Destination ip address:60.1.1.1
   Min/Max/Average Completion Time: 0/0/0
   Sum/Square-Sum Completion Time: 0/0
   Last Good Probe Time: 0000-00-00 00:00:00.0
   Lost packet ratio: 100 %
......
The command output shows that the NQA test result is failed, indicating that the status of the NQA test instance is Down.
# Run the display ipsec sa command on RouterC to check the IPSec configuration.
[RouterC] display ipsec sa
===============================
Interface: GigabitEthernet0/0/2
Path MTU: 1500
===============================

-----------------------------
IPSec policy name: "policy2"
Sequence number  : 20
Acl group        : 3002
Acl rule         : 5
Mode             : ISAKMP
-----------------------------
  Connection ID     : 21839
  Encapsulation mode: Tunnel
  Tunnel local      : 70.1.2.1
  Tunnel remote     : 60.1.2.1
  Flow source       : 192.168.2.0/255.255.255.0 0/0
  Flow destination  : 192.168.1.0/255.255.255.0 0/0
  Qos pre-classify  : Disable
  Qos group         : -

  [Outbound ESP SAs]
    SPI: 437762941 (0x1a17bb7d)
    Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
    SA remaining key duration (bytes/sec): 1887436800/3575
    Max sent sequence-number: 0
    UDP encapsulation used for NAT traversal: N

  [Inbound ESP SAs]
    SPI: 1765690761 (0x693e4d89)
    Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
    SA remaining key duration (bytes/sec): 1887436800/3575
    Max received sequence-number: 0
    Anti-replay window size: 32
    UDP encapsulation used for NAT traversal: N
The command output shows that traffic is switched to IPSec Tunnel2 (source IP address: 70.1.2.1, destination IP address: 60.1.2.1).
Enable GE0/0/1 of RouterC again. Traffic is switched back to IPSec Tunnel1 (source IP address: 70.1.1.1, destination IP address: 60.1.1.1).
# Run the undo shutdown command on GE0/0/1 of RouterC, and then run the display nqa results test-instance admin test command. The command output is as follows:
[RouterC] display nqa results test-instance admin test
NQA entry(admin, test) :testflag is active ,testtype is icmp
  1 . Test 46694 result   The test is finished
   Send operation times: 2                Receive response times: 2
   Completion:success                     RTD OverThresholds number: 0
   Attempts number:1                      Drop operation number:0
   Disconnect operation number:0          Operation timeout number:0
   System busy operation number:0         Connection fail number:0
   Operation sequence errors number:0     RTT Status errors number:0
   Destination ip address:60.1.1.1
   Min/Max/Average Completion Time: 4/4/4
   Sum/Square-Sum Completion Time: 8/32
   Last Good Probe Time: 2014-09-29 20:43:23.2
   Lost packet ratio: 0 %
......
The command output shows that the NQA detection result is success, indicating that the status of the NQA test instance is Up.
# Run the display ipsec sa command on RouterC to check the IPSec configuration.
[RouterC] display ipsec sa
===============================
Interface: GigabitEthernet0/0/1
Path MTU: 1500
===============================

-----------------------------
IPSec policy name: "policy1"
Sequence number  : 10
Acl group        : 3002
Acl rule         : 5
Mode             : ISAKMP
-----------------------------
  Connection ID     : 21992
  Encapsulation mode: Tunnel
  Tunnel local      : 70.1.1.1
  Tunnel remote     : 60.1.1.1
  Flow source       : 192.168.2.0/255.255.255.0 0/0
  Flow destination  : 192.168.1.0/255.255.255.0 0/0
  Qos pre-classify  : Disable
  Qos group         : -

  [Outbound ESP SAs]
    SPI: 2749069243 (0xa3db77bb)
    Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
    SA remaining key duration (bytes/sec): 1887436800/3583
    Max sent sequence-number: 0
    UDP encapsulation used for NAT traversal: N

  [Inbound ESP SAs]
    SPI: 21830677 (0x14d1c15)
    Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
    SA remaining key duration (bytes/sec): 1887436800/3583
    Max received sequence-number: 0
    Anti-replay window size: 32
    UDP encapsulation used for NAT traversal: N
The command output shows that traffic is switched back to IPSec Tunnel1 (source IP address: 70.1.1.1, destination IP address: 60.1.1.1). The configuration succeeds.
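As an added check (example code written for this page, not part of the Huawei guide or of the device software), the following Python script parses RouterC's track-based IPSec policies, lints the connect/disconnect pairing, and confirms that the tunnel the device reports as active in display ipsec sa is the one the NQA state in display nqa results should select. The sample texts are constructed from the outputs shown above and abbreviated to the lines the parsers need; against a live device you would feed the full command output to the same functions.

```python
# Added example, not from the Huawei guide: lint RouterC's NQA-tracked IPSec
# policies and check that the device's display output matches the track logic.
# Sample texts below are constructed from this page's outputs (abbreviated).
import re

ROUTERC_POLICIES = """\
ipsec policy policy1 10 isakmp
 ike-peer rut1
 connect track nqa admin test up
 disconnect track nqa admin test down
#
ipsec policy policy2 20 isakmp
 ike-peer rut2
 connect track nqa admin test down
 disconnect track nqa admin test up
#
"""

NQA_FAILED = """\
NQA entry(admin, test) :testflag is active ,testtype is icmp
  1 . Test 46392 result   The test is finished
   Send operation times: 2                Receive response times: 0
   Completion:failed                      RTD OverThresholds number: 0
   Destination ip address:60.1.1.1
   Lost packet ratio: 100 %
"""
NQA_SUCCESS = (NQA_FAILED.replace("Completion:failed", "Completion:success")
               .replace("Receive response times: 0", "Receive response times: 2")
               .replace("Lost packet ratio: 100 %", "Lost packet ratio: 0 %"))

SA_TUNNEL1 = """\
===============================
Interface: GigabitEthernet0/0/1
===============================
-----------------------------
IPSec policy name: "policy1"
-----------------------------
  Tunnel local      : 70.1.1.1
  Tunnel remote     : 60.1.1.1
"""
SA_TUNNEL2 = (SA_TUNNEL1.replace("GigabitEthernet0/0/1", "GigabitEthernet0/0/2")
              .replace('"policy1"', '"policy2"')
              .replace("70.1.1.1", "70.1.2.1").replace("60.1.1.1", "60.1.2.1"))

POLICY_RE = re.compile(r"^ipsec policy (\S+) (\d+) isakmp\s*$")
TRACK_RE = re.compile(r"^\s*(connect|disconnect) track nqa (\S+) (\S+) (up|down)\s*$")


def parse_track_policies(config):
    """{policy: {"connect": (admin, instance, state), "disconnect": (...)}}"""
    policies, current = {}, None
    for line in config.splitlines():
        if m := POLICY_RE.match(line):
            current = m.group(1)
            policies[current] = {}
        elif (m := TRACK_RE.match(line)) and current:
            action, admin, name, state = m.groups()
            policies[current][action] = (admin, name, state)
    return policies


def lint_track_policies(policies):
    """Return a list of problems; an empty list means the failover pair is coherent."""
    problems, instances, connect_states = [], set(), []
    for name, p in policies.items():
        if "connect" not in p or "disconnect" not in p:
            problems.append(f"{name}: missing connect or disconnect track")
            continue
        if p["connect"][2] == p["disconnect"][2]:
            problems.append(f"{name}: connect and disconnect fire on the same state")
        instances.update((p["connect"][:2], p["disconnect"][:2]))
        connect_states.append(p["connect"][2])
    if len(instances) > 1:  # both tunnels must key off the same probe
        problems.append(f"policies track different NQA instances: {sorted(instances)}")
    if set(connect_states) != {"up", "down"}:  # else one NQA state leaves no tunnel
        problems.append(f"connect states {connect_states} do not cover both up and down")
    return problems


def nqa_state(display_nqa_results):
    """'up' when the last NQA test completed successfully, otherwise 'down'."""
    m = re.search(r"Completion:\s*(\w+)", display_nqa_results)
    return "up" if m and m.group(1) == "success" else "down"


def active_tunnels(display_ipsec_sa):
    """[(policy, local, remote)] for each SA block in `display ipsec sa` output."""
    out = []
    for block in re.split(r"-{5,}\s*\n\s*IPSec policy name:", display_ipsec_sa)[1:]:
        name = re.match(r'\s*"([^"]+)"', block).group(1)
        local = re.search(r"Tunnel local\s*:\s*(\S+)", block).group(1)
        remote = re.search(r"Tunnel remote\s*:\s*(\S+)", block).group(1)
        out.append((name, local, remote))
    return out


def check_failover(config, nqa_out, sa_out):
    """(nqa_state, policies that should be up, policies actually up, consistent?)"""
    policies = parse_track_policies(config)
    state = nqa_state(nqa_out)
    expected = sorted(n for n, p in policies.items() if p["connect"][2] == state)
    actual = sorted(n for n, _, _ in active_tunnels(sa_out))
    return state, expected, actual, expected == actual


if __name__ == "__main__":
    print("lint:", lint_track_policies(parse_track_policies(ROUTERC_POLICIES)) or "ok")
    print("NQA up  :", check_failover(ROUTERC_POLICIES, NQA_SUCCESS, SA_TUNNEL1))
    print("NQA down:", check_failover(ROUTERC_POLICIES, NQA_FAILED, SA_TUNNEL2))
```

The lint catches the two mistakes that silently break this design: a policy whose connect and disconnect fire on the same NQA state, and a pair of policies whose connect states do not cover both Up and Down (one NQA state would then leave no tunnel negotiating). check_failover returns False when the device's active SA is not the one the NQA state should have selected, which is the condition worth alerting on during the shutdown/undo shutdown test above.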
Configuration Files
The pre-shared-key cipher strings in these files are the reversibly encrypted form of the key (the device must recover the plaintext to authenticate IKE), so treat saved configuration files as secrets.
Configuration file of RouterA
#
 sysname RouterA
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer rut1
 undo version 2
 pre-shared-key cipher %#%#u;3RGfy.^D2'oEC%wwnU](q"Y2O&b'L=,NI`-qWE%#%#
 ike-proposal 5
#
ipsec policy-template temp1 10
 ike-peer rut1
 proposal tran1
#
ipsec policy policy1 10 isakmp template temp1
#
interface GigabitEthernet0/0/1
 ip address 60.1.1.1 255.255.255.0
 ipsec policy policy1
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.1 255.255.255.0
#
ip route-static 70.1.1.0 255.255.255.0 60.1.1.2
ip route-static 70.1.2.0 255.255.255.0 60.1.1.2
ip route-static 192.168.2.0 255.255.255.0 60.1.1.2
#
return
Configuration file of RouterB
#
 sysname RouterB
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer rut1
 undo version 2
 pre-shared-key cipher %#%#u;3RGfy.^D2'oEC%wwnU](q"Y2O&b'L=,NI`-qWE%#%#
 ike-proposal 5
#
ipsec policy-template temp1 10
 ike-peer rut1
 proposal tran1
#
ipsec policy policy1 10 isakmp template temp1
#
interface GigabitEthernet0/0/1
 ip address 60.1.2.1 255.255.255.0
 ipsec policy policy1
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.3 255.255.255.0
#
ip route-static 70.1.1.0 255.255.255.0 60.1.2.2
ip route-static 70.1.2.0 255.255.255.0 60.1.2.2
ip route-static 192.168.2.0 255.255.255.0 60.1.2.2
#
return
Configuration file of RouterC
#
 sysname RouterC
#
acl number 3002
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer rut1
 undo version 2
 pre-shared-key cipher %#%#u;3RGfy.^D2'oEC%wwnU](q"Y2O&b'L=,NI`-qWE%#%#
 ike-proposal 5
 remote-address 60.1.1.1
#
ike peer rut2
 undo version 2
 pre-shared-key cipher %#%#u;3RGfy.^D2'oEC%wwnU](q"Y2O&b'L=,NI`-qWE%#%#
 ike-proposal 5
 remote-address 60.1.2.1
#
ipsec policy policy1 10 isakmp
 security acl 3002
 ike-peer rut1
 proposal tran1
 connect track nqa admin test up
 disconnect track nqa admin test down
#
ipsec policy policy2 20 isakmp
 security acl 3002
 ike-peer rut2
 proposal tran1
 connect track nqa admin test down
 disconnect track nqa admin test up
#
interface GigabitEthernet0/0/0
 ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 70.1.1.1 255.255.255.0
 ipsec policy policy1
#
interface GigabitEthernet0/0/2
 ip address 70.1.2.1 255.255.255.0
 ipsec policy policy2
#
ip route-static 60.1.1.0 255.255.255.0 70.1.1.2
ip route-static 60.1.2.0 255.255.255.0 70.1.2.2
ip route-static 192.168.1.0 255.255.255.0 70.1.1.2
ip route-static 192.168.1.0 255.255.255.0 70.1.2.2
#
nqa test-instance admin test
 test-type icmp
 destination-address ipv4 60.1.1.1
 frequency 10
 probe-count 2
 start now
#
nqa-group group1
 nqa admin test
#
return