NetEngine AR600, AR6100, AR6200, and AR6300 V300R019 CLI-based Configuration Guide - VPN
Example for Manually Establishing an IPSec Tunnel
Networking Requirements
As shown in Figure 5-39, RouterA (branch gateway) and RouterB (headquarters gateway) communicate through the Internet. The branch subnet is 10.1.1.0/24 and the headquarters subnet is 10.1.2.0/24.
The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the two gateways communicate over the Internet and only a few branch gateways need to be maintained, an IPSec tunnel with manually configured SAs can be set up between the branch gateway and the headquarters gateway.
Configuration Roadmap
The configuration roadmap is as follows:
Configure IP addresses and static routes for interfaces on RouterA and RouterB so that routes between RouterA and RouterB are reachable.
Configure ACLs to define data flows to be protected.
Configure IPSec proposals to define the method used to protect IPSec traffic.
Configure IPSec policies and reference ACLs and IPSec proposals in the IPSec policies to determine the methods used to protect data flows.
Apply IPSec policy groups to interfaces.
Procedure
- Configure IP addresses and static routes for interfaces on RouterA and RouterB.
# Assign an IP address to an interface on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
[RouterA-GigabitEthernet2/0/0] quit
# Configure a static route to the peer on RouterA. This example assumes that the next hop address in the route to RouterB is 1.1.1.2.
[RouterA] ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
[RouterA] ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
# Assign an IP address to an interface on RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 2.1.1.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit
# Configure a static route to the peer on RouterB. This example assumes that the next hop address in the route to RouterA is 2.1.1.2.
[RouterB] ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
[RouterB] ip route-static 10.1.1.0 255.255.255.0 2.1.1.2
- Configure ACLs on RouterA and RouterB to define data flows to be protected.
# Configure an ACL on RouterA to define data flows sent from 10.1.1.0/24 to 10.1.2.0/24.
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[RouterA-acl-adv-3101] quit
# Configure an ACL on RouterB to define data flows sent from 10.1.2.0/24 to 10.1.1.0/24.
[RouterB] acl number 3101
[RouterB-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[RouterB-acl-adv-3101] quit
- Create IPSec proposals on RouterA and RouterB.
# Create an IPSec proposal on RouterA.
[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterA-ipsec-proposal-tran1] quit
# Create an IPSec proposal on RouterB.
[RouterB] ipsec proposal tran1
[RouterB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[RouterB-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[RouterB-ipsec-proposal-tran1] quit
Run the display ipsec proposal command on RouterA and RouterB to view the IPSec proposal configuration.
- Create IPSec policies on RouterA and RouterB.
# Manually create an IPSec policy on RouterA.
[RouterA] ipsec policy map1 10 manual
[RouterA-ipsec-policy-manual-map1-10] security acl 3101
[RouterA-ipsec-policy-manual-map1-10] proposal tran1
[RouterA-ipsec-policy-manual-map1-10] tunnel remote 2.1.1.1
[RouterA-ipsec-policy-manual-map1-10] tunnel local 1.1.1.1
[RouterA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[RouterA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[RouterA-ipsec-policy-manual-map1-10] sa string-key outbound esp cipher YsHsjx_202206
[RouterA-ipsec-policy-manual-map1-10] sa string-key inbound esp cipher YsHsjx_202207
[RouterA-ipsec-policy-manual-map1-10] quit
# Manually create an IPSec policy on RouterB.
[RouterB] ipsec policy use1 10 manual
[RouterB-ipsec-policy-manual-use1-10] security acl 3101
[RouterB-ipsec-policy-manual-use1-10] proposal tran1
[RouterB-ipsec-policy-manual-use1-10] tunnel remote 1.1.1.1
[RouterB-ipsec-policy-manual-use1-10] tunnel local 2.1.1.1
[RouterB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[RouterB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
[RouterB-ipsec-policy-manual-use1-10] sa string-key outbound esp cipher YsHsjx_202207
[RouterB-ipsec-policy-manual-use1-10] sa string-key inbound esp cipher YsHsjx_202206
[RouterB-ipsec-policy-manual-use1-10] quit
When configuring an IPSec policy in manual mode, ensure that:
- Parameters for both the inbound and the outbound SA, including the authentication/encryption key and the security parameter index (SPI), are configured on both IPSec peers.
- The inbound SA's parameters on the local end are the same as the outbound SA's parameters on the remote end, and the outbound SA's parameters on the local end are the same as the inbound SA's parameters on the remote end. In this example, RouterA's inbound SPI/key (54321, YsHsjx_202207) equal RouterB's outbound SPI/key, and RouterA's outbound SPI/key (12345, YsHsjx_202206) equal RouterB's inbound SPI/key.
Run the display ipsec policy command on RouterA and RouterB to view the configurations of the IPSec policies.
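Because manual SAs are never negotiated, nothing on the routers tells you when the two ends disagree: a mismatched SPI, key, tunnel address or ACL simply results in dropped traffic. The script below is an added example, not part of the Huawei guide, that parses the relevant lines of the two running configurations and checks that the ends mirror each other in the way the notes above and the ACL step require (inbound SPI/key on one side equal the outbound SPI/key on the other, tunnel local/remote are swapped, the ACL source/destination are swapped, and the ESP algorithms match). The two configuration strings are constructed for this example from the procedure; they carry the plaintext keys as typed at the CLI rather than the cipher text a real running config stores, and the parser assumes one manual policy, one ACL rule and one proposal per config, which holds for this example.

```python
import re

# Constructed inputs modelled on the guide's procedure (plaintext keys as typed;
# a real running config would show them as %^%#...%^%# cipher text).
ROUTER_A = """\
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 1.1.1.1
 tunnel remote 2.1.1.1
 sa spi inbound esp 54321
 sa string-key inbound esp cipher YsHsjx_202207
 sa spi outbound esp 12345
 sa string-key outbound esp cipher YsHsjx_202206
"""

ROUTER_B = """\
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 2.1.1.1
 tunnel remote 1.1.1.1
 sa spi inbound esp 12345
 sa string-key inbound esp cipher YsHsjx_202206
 sa spi outbound esp 54321
 sa string-key outbound esp cipher YsHsjx_202207
"""


def _grab(pattern, text, label):
    """Return the capture groups of the first line matching pattern, or fail loudly."""
    m = re.search(pattern, text, re.M)
    if not m:
        raise ValueError(f"{label} not found in config")
    return m.groups()


def parse_manual_policy(text):
    """Extract the manual policy and the ACL rule / proposal it references.
    Assumes one policy, one ACL rule and one proposal per config (as in the guide)."""
    acl_ref, = _grab(r"^[ \t]+security acl (\d+)", text, "security acl")
    acl_def, = _grab(r"^acl number (\d+)", text, "acl definition")
    prop_ref, = _grab(r"^[ \t]+proposal (\S+)", text, "proposal reference")
    prop_def, = _grab(r"^ipsec proposal (\S+)", text, "proposal definition")
    src, _, dst, _ = _grab(r"^[ \t]+rule(?: \d+)? permit ip source (\S+) (\S+) "
                           r"destination (\S+) (\S+)", text, "acl rule")
    local, = _grab(r"^[ \t]+tunnel local (\S+)", text, "tunnel local")
    remote, = _grab(r"^[ \t]+tunnel remote (\S+)", text, "tunnel remote")
    auth, = _grab(r"^[ \t]+esp authentication-algorithm (\S+)", text, "auth algorithm")
    enc, = _grab(r"^[ \t]+esp encryption-algorithm (\S+)", text, "encryption algorithm")
    spi = {d: int(v) for d, v in
           re.findall(r"^[ \t]+sa spi (inbound|outbound) esp (\d+)", text, re.M)}
    key = dict(re.findall(r"^[ \t]+sa string-key (inbound|outbound) esp cipher (\S+)",
                          text, re.M))
    if acl_ref != acl_def or prop_ref != prop_def:
        raise ValueError("policy references an ACL or proposal that is not defined")
    if set(spi) != {"inbound", "outbound"} or set(key) != {"inbound", "outbound"}:
        raise ValueError("manual policy needs an SPI and a key for both directions")
    return {"local": local, "remote": remote, "src": src, "dst": dst,
            "auth": auth, "enc": enc, "spi": spi, "key": key}


def check_peers(a, b):
    """Return a list of mismatches; an empty list means the two ends mirror each other."""
    pairs = [
        ("inbound SPI on A vs outbound SPI on B", a["spi"]["inbound"], b["spi"]["outbound"]),
        ("outbound SPI on A vs inbound SPI on B", a["spi"]["outbound"], b["spi"]["inbound"]),
        ("inbound key on A vs outbound key on B", a["key"]["inbound"], b["key"]["outbound"]),
        ("outbound key on A vs inbound key on B", a["key"]["outbound"], b["key"]["inbound"]),
        ("tunnel local on A vs tunnel remote on B", a["local"], b["remote"]),
        ("tunnel remote on A vs tunnel local on B", a["remote"], b["local"]),
        ("ACL source on A vs ACL destination on B", a["src"], b["dst"]),
        ("ACL destination on A vs ACL source on B", a["dst"], b["src"]),
        ("ESP authentication algorithm", a["auth"], b["auth"]),
        ("ESP encryption algorithm", a["enc"], b["enc"]),
    ]
    return [f"{label}: {x!r} != {y!r}" for label, x, y in pairs if x != y]


def check_config_texts(text_a, text_b):
    return check_peers(parse_manual_policy(text_a), parse_manual_policy(text_b))


if __name__ == "__main__":
    print(check_config_texts(ROUTER_A, ROUTER_B))   # [] for the guide's values
    # Typo in one SPI on RouterB: the tunnel would silently drop traffic one way.
    broken = ROUTER_B.replace("sa spi inbound esp 12345", "sa spi inbound esp 12346")
    print(check_config_texts(ROUTER_A, broken))     # one SPI mismatch reported
```

Run it against the output of display current-configuration from both routers (after pasting the configuration sections into the two strings) before applying the policy groups to the interfaces; the check is purely textual and needs no access to the devices.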
- Apply IPSec policy groups to interfaces on RouterA and RouterB.
# Apply the IPSec policy group to the interface of RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ipsec policy map1
[RouterA-GigabitEthernet1/0/0] quit
# Apply the IPSec policy group to the interface of RouterB.
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ipsec policy use1
[RouterB-GigabitEthernet1/0/0] quit
- Verify the configuration.
# After the configurations are complete, PC A can ping PC B successfully. You can run the display ipsec statistics command to view packet statistics.
# Run the display ipsec sa command on RouterA and RouterB to view the IPSec SAs. The display on RouterA is used as an example. Note that the manually configured SAs have no duration limit and anti-replay is disabled: the SAs are never rekeyed and replayed ESP packets are not rejected, so the SPIs and keys must be changed by hand on both ends when they need rotating.
[RouterA] display ipsec sa
ipsec sa information:
===============================
Interface: GigabitEthernet1/0/0
===============================
  -----------------------------
  IPSec policy name: "map1"
  Sequence number: 10
  Acl group: 3101
  Acl rule: -
  Mode: Manual
  -----------------------------
    Encapsulation mode: Tunnel
    Tunnel local      : 1.1.1.1
    Tunnel remote     : 2.1.1.1
    [Outbound ESP SAs]
      SPI: 12345 (0x3039)
      Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
      No duration limit for this SA
    [Inbound ESP SAs]
      SPI: 54321 (0xd431)
      Proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA2-256-128
      No duration limit for this SA
    Anti-replay : Disable
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 1.1.1.1
 tunnel remote 2.1.1.1
 sa spi inbound esp 54321
 sa string-key inbound esp cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%*!%^%#
 sa spi outbound esp 12345
 sa string-key outbound esp cipher %^%#K{JG:rWVHPMnf;5|,GW(Luq'qi8BT4nOj%5W5=)%^%#
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
 ipsec policy map1
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
#
return
Configuration file of RouterB
#
 sysname RouterB
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 2.1.1.1
 tunnel remote 1.1.1.1
 sa spi inbound esp 12345
 sa string-key inbound esp cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%#
 sa spi outbound esp 54321
 sa string-key outbound esp cipher %^%#(3fr1!&6O=)!GN#~{)n,2fq>4#4+%;lMTs5(]:c)%^%#
#
interface GigabitEthernet1/0/0
 ip address 2.1.1.1 255.255.255.0
 ipsec policy use1
#
interface GigabitEthernet2/0/0
 ip address 10.1.2.1 255.255.255.0
#
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
ip route-static 10.1.1.0 255.255.255.0 2.1.1.2
#
return