NetEngine AR600, AR6100, AR6200, and AR6300 V300R019 CLI-based Configuration Guide - VPN
Example for Configuring a Tunnel Template Interface for IPSec Tunnel Setup
Networking Requirements
As shown in Figure 5-59, an enterprise's branch and headquarters communicate over the public network, but the topologies of the headquarters and branch networks change frequently. The enterprise needs to protect the traffic transmitted over the public network between the branch and headquarters, and wants the IPSec configuration to stay unchanged when the network topologies change.
- The branch gateway RouterA and headquarters gateway RouterB can set up an IPSec tunnel over the public network to protect traffic between them.
- Because the topologies of the headquarters and branch networks change frequently, the IPSec tunnel needs to be set up using tunnel interfaces, and the subnet and interface information that IPSec protects needs to be configured locally on each device rather than in a static policy.
Configuration Roadmap
The configuration roadmap is as follows:
Configure IP addresses and static routes on the interfaces to implement communication between them.
Configure ACLs to define the subnet that the local device needs to protect.
Configure AAA service schemes to define the subnet route information and the interface IP address that the local device sends to its peer during IKE negotiation.
Configure IPSec proposals to define the data flow protection method.
Configure IKE peers and define the attributes used for IKE negotiation.
Configure IPSec profiles, and apply the IPSec proposal and IKE peers to the IPSec profile to define the data flows to be protected and protection method.
Apply the IPSec profiles to the tunnel template interface and tunnel interface respectively to enable IPSec protection on the interfaces.
Procedure
- Configure IP addresses and static routes on the interfaces of RouterA and RouterB.
# Configure an IP address for each interface of RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
[RouterA-GigabitEthernet2/0/0] quit
# Configure a static route from RouterA to RouterB. This example assumes that the next hop address of the route is 1.1.1.2.
[RouterA] ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
# Configure an IP address for each interface of RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 2.1.1.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit
# Configure a static route from RouterB to RouterA. This example assumes that the next hop address of the route is 2.1.1.2.
[RouterB] ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
- Configure ACLs to define the subnet that the local device needs to protect.
# Configure an ACL on RouterA to permit data flows with the source address 10.1.1.0/24 to pass through.
[RouterA] acl number 3001
[RouterA-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255
[RouterA-acl-adv-3001] quit
# Configure an ACL on RouterB to permit data flows with the source address 10.1.2.0/24 to pass through.
[RouterB] acl number 3001
[RouterB-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255
[RouterB-acl-adv-3001] quit
- Configure AAA service schemes to define the subnet route information that the local device needs to send.
# Configure an AAA service scheme on RouterA.
[RouterA] aaa
[RouterA-aaa] service-scheme schemetest
[RouterA-aaa-service-schemetest] route set acl 3001
[RouterA-aaa-service-schemetest] route set interface
[RouterA-aaa-service-schemetest] quit
[RouterA-aaa] quit
# Configure an AAA service scheme on RouterB.
[RouterB] aaa
[RouterB-aaa] service-scheme schemetest
[RouterB-aaa-service-schemetest] route set acl 3001
[RouterB-aaa-service-schemetest] route set interface
[RouterB-aaa-service-schemetest] quit
[RouterB-aaa] quit
- Create IPSec proposals on RouterA and RouterB.
# Create an IPSec proposal on RouterA.
[RouterA] ipsec proposal prop1
[RouterA-ipsec-proposal-prop1] esp authentication-algorithm sha2-256
[RouterA-ipsec-proposal-prop1] esp encryption-algorithm aes-128
[RouterA-ipsec-proposal-prop1] quit
# Create an IPSec proposal on RouterB.
[RouterB] ipsec proposal prop1
[RouterB-ipsec-proposal-prop1] esp authentication-algorithm sha2-256
[RouterB-ipsec-proposal-prop1] esp encryption-algorithm aes-128
[RouterB-ipsec-proposal-prop1] quit
Run the display ipsec proposal command on RouterA and RouterB to view the configuration of the IPSec proposal.
- Create IKE peers on RouterA and RouterB.
# Create an IKE proposal on RouterA.
[RouterA] ike proposal 5
[RouterA-ike-proposal-5] authentication-algorithm sha2-256
[RouterA-ike-proposal-5] encryption-algorithm aes-128
[RouterA-ike-proposal-5] dh group14
[RouterA-ike-proposal-5] quit
# Create an IKE peer on RouterA.
[RouterA] ike peer peer2
[RouterA-ike-peer-peer2] undo version 1
[RouterA-ike-peer-peer2] ike-proposal 5
[RouterA-ike-peer-peer2] pre-shared-key cipher YsHsjx_202206
[RouterA-ike-peer-peer2] service-scheme schemetest
[RouterA-ike-peer-peer2] config-exchange request
[RouterA-ike-peer-peer2] config-exchange set accept
[RouterA-ike-peer-peer2] config-exchange set send
[RouterA-ike-peer-peer2] route accept
[RouterA-ike-peer-peer2] quit
# Create an IKE proposal on RouterB.
[RouterB] ike proposal 5
[RouterB-ike-proposal-5] authentication-algorithm sha2-256
[RouterB-ike-proposal-5] encryption-algorithm aes-128
[RouterB-ike-proposal-5] dh group14
[RouterB-ike-proposal-5] quit
# Create an IKE peer on RouterB.
[RouterB] ike peer peer2
[RouterB-ike-peer-peer2] undo version 1
[RouterB-ike-peer-peer2] ike-proposal 5
[RouterB-ike-peer-peer2] pre-shared-key cipher YsHsjx_202206
[RouterB-ike-peer-peer2] service-scheme schemetest
[RouterB-ike-peer-peer2] config-exchange set accept
[RouterB-ike-peer-peer2] config-exchange set send
[RouterB-ike-peer-peer2] route accept
[RouterB-ike-peer-peer2] quit
- Create IPSec profiles on RouterA and RouterB respectively.
# Create an IPSec profile on RouterA.
[RouterA] ipsec profile profile1
[RouterA-ipsec-profile-profile1] proposal prop1
[RouterA-ipsec-profile-profile1] ike-peer peer2
[RouterA-ipsec-profile-profile1] quit
# Create an IPSec profile on RouterB.
[RouterB] ipsec profile profile1
[RouterB-ipsec-profile-profile1] proposal prop1
[RouterB-ipsec-profile-profile1] ike-peer peer2
[RouterB-ipsec-profile-profile1] quit
- Apply the IPSec profiles to the interfaces of RouterA and RouterB.
# Apply the IPSec profile to the interface of RouterA.
[RouterA] interface tunnel 0/0/0
[RouterA-Tunnel0/0/0] ip address 192.168.1.1 255.255.255.0
[RouterA-Tunnel0/0/0] tunnel-protocol ipsec
[RouterA-Tunnel0/0/0] source gigabitethernet1/0/0
[RouterA-Tunnel0/0/0] destination 2.1.1.1
[RouterA-Tunnel0/0/0] ipsec profile profile1
[RouterA-Tunnel0/0/0] quit
# Apply the IPSec profile to the interface of RouterB.
[RouterB] interface loopback0
[RouterB-LoopBack0] ip address 192.168.1.2 255.255.255.255
[RouterB-LoopBack0] quit
[RouterB] interface tunnel-template 0
[RouterB-Tunnel-Template0] ip address unnumbered interface loopback0
[RouterB-Tunnel-Template0] tunnel-protocol ipsec
[RouterB-Tunnel-Template0] source gigabitethernet1/0/0
[RouterB-Tunnel-Template0] ipsec profile profile1
[RouterB-Tunnel-Template0] quit
# Run the display ipsec profile command on RouterA and RouterB to view the IPSec profile configuration.
- Verify the configuration.
# Run the display ike sa command on RouterA and RouterB to view the IKE SA configuration. The display on RouterA is used as an example.
[RouterA] display ike sa
IKE SA information :
  Conn-ID  Peer            VPN  Flag(s)  Phase  RemoteType  RemoteID
  --------------------------------------------------------------------------------
  16       2.1.1.1:500          RD|ST    v1:2   IP          2.1.1.1
  14       2.1.1.1:500          RD|ST    v1:1   IP          2.1.1.1

  Number of IKE SA : 2
  --------------------------------------------------------------------------------
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
# Run the display ip routing-table command on RouterA and RouterB to view route information. Only the subnet routes that were successfully advertised through the tunnel are shown here.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      10.1.2.0/24   Unr     0    0           D   192.168.1.2     Tunnel0/0/0
[RouterB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      10.1.1.0/24   Unr     62   0           RD  192.168.1.1     Tunnel-Template0
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255
#
ipsec proposal prop1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer peer2
 undo version 1
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%*!%^%#
 ike-proposal 5
 service-scheme schemetest
 route accept
 config-exchange request
 config-exchange set accept
 config-exchange set send
#
ipsec profile profile1
 ike-peer peer2
 proposal prop1
#
aaa
 service-scheme schemetest
  route set acl 3001
  route set interface
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address 192.168.1.1 255.255.255.0
 tunnel-protocol ipsec
 source GigabitEthernet1/0/0
 destination 2.1.1.1
 ipsec profile profile1
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
#
return
Configuration file of RouterB
#
 sysname RouterB
#
acl number 3001
 rule 5 permit ip source 10.1.2.0 0.0.0.255
#
ipsec proposal prop1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer peer2
 undo version 1
 pre-shared-key cipher %^%#K{JG:rWVHPMnf;5|,GW(Luq'qi8BT4nOj%5W5=)%^%#
 ike-proposal 5
 service-scheme schemetest
 route accept
 config-exchange set accept
 config-exchange set send
#
ipsec profile profile1
 ike-peer peer2
 proposal prop1
#
aaa
 service-scheme schemetest
  route set acl 3001
  route set interface
#
interface GigabitEthernet1/0/0
 ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.1.2.1 255.255.255.0
#
interface Tunnel-Template0
 ip address unnumbered interface LoopBack0
 tunnel-protocol ipsec
 source GigabitEthernet1/0/0
 ipsec profile profile1
#
interface LoopBack0
 ip address 192.168.1.2 255.255.255.255
#
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
#
return
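The settings that IKE negotiation requires both peers to agree on (the IKE proposal and IPSec proposal parameters) and the two protected subnets from ACL 3001 are spread across the two configuration files above. The following Python script is an added example, not Huawei's or this guide's own code: it parses the '#'-delimited VRP blocks and reports any mismatch between RouterA and RouterB, and any overlap between the two advertised subnets. The configuration excerpts in the block are constructed from the files above, trimmed to the blocks the check needs.

```python
"""Added example (not Huawei's tool): parse the two VRP-style configuration
files above and check that the settings which must agree between IPSec peers
actually do: same IKE proposal and IPSec proposal parameters, and disjoint
protected subnets in ACL 3001 (overlap would make the exchanged routes clash)."""
import ipaddress
import re

# Constructed excerpts of the RouterA and RouterB configuration files.
CFG_A = ("#\nacl number 3001\n rule 5 permit ip source 10.1.1.0 0.0.0.255\n"
         "#\nipsec proposal prop1\n esp authentication-algorithm sha2-256\n"
         " esp encryption-algorithm aes-128\n#\nike proposal 5\n"
         " encryption-algorithm aes-128\n dh group14\n"
         " authentication-algorithm sha2-256\n#\nreturn\n")
CFG_B = CFG_A.replace("10.1.1.0", "10.1.2.0")  # RouterB protects 10.1.2.0/24


def parse_blocks(cfg):
    """Map each '#'-delimited block's header line to its indented sub-commands."""
    blocks, header = {}, None
    for line in cfg.splitlines():
        if line.strip() == "#":
            header = None              # block separator
        elif header is None:
            header = line.strip()
            blocks[header] = []
        else:
            blocks[header].append(line.strip())
    return blocks


def protected_subnet(blocks, acl="acl number 3001"):
    """Turn 'rule ... source A.B.C.D WILDCARD' into an IPv4 network object."""
    addr, wild = re.search(r"source (\S+) (\S+)", blocks[acl][0]).groups()
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}")


def check_peers(cfg_a, cfg_b):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    a, b = parse_blocks(cfg_a), parse_blocks(cfg_b)
    problems = []
    for hdr in ("ike proposal 5", "ipsec proposal prop1"):
        if sorted(a.get(hdr, [])) != sorted(b.get(hdr, [])):
            problems.append(f"{hdr}: parameters differ between RouterA and RouterB")
    net_a, net_b = protected_subnet(a), protected_subnet(b)
    if net_a.overlaps(net_b):
        problems.append(f"protected subnets overlap: {net_a} and {net_b}")
    return problems
```

Run `check_peers(CFG_A, CFG_B)` before bringing the tunnel up; a non-empty list points at the block that will make IKE negotiation fail or make the routes exchanged through the service scheme conflict.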