No relevant resource is found in the selected language.
Enterprise
Worldwide
Huawei Global - English
Support Documentation
NE20E-S V800R011C10 Configuration Guide - IPv6 Transition 02
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring Both Centralized NAT and a Common IPsec Tunnel

Example for Configuring Both Centralized NAT and a Common IPsec Tunnel

This section provides an example for configuring both centralized NAT and a common IPsec tunnel. A NAT device converts private IP addresses to public IP addresses before sending packets to an IPsec tunnel established using a security policy.

Networking Requirements

In Figure 2-4, networks A and B exchange resources in a gateway-to-gateway mode. Networks A and B connect to the Internet through devices A and B, respectively. Device A can processes NAT and IPsec.

The networking is as follows:
  • Network A belongs to the 10.1.1.0/24 subnet and connects to device A through GE 1/0/1.
  • Network B belongs to the 10.1.2.0/24 subnet and connects to device B through GE 1/0/1.
  • Device A and device B are routable to each other.
  • There are eight public IP addresses, including 11.11.11.0/32 through 11.11.11.7/32.
  • IPsec is enabled on both devices A and B.

NAT and an IPsec tunnel need to be configured to perform multiple-to-multiple conversion between private and public IP addresses. PCs A and B need to communicate with each other.

Figure 2-4 shows the network on which both NAT and IPsec are configured.
Figure 2-4 Network with both NAT and an IPsec tunnel established using a security policy

Interfaces 1 and 2 in this example represent GE 0/2/1 and GE 0/2/2, respectively.


Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses for interfaces.
  2. Configure basic NAT functions.
  3. Configure a NAT distribution policy.
  4. Configure public network routes. In this example, static routes are used.
  5. Configure an access control list (ACL) rule group to allow specific data flows to be protected.
  6. Configure an IPsec security proposal.
  7. Configure an IKE security proposal.
  8. Configure IKE peers.
  9. Configure an IPSec policy.
  10. Configure an IPsec service instance group.
  11. Apply the IPsec policy to a tunnel interface.

Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of interfaces

  • service-location backup group index ID (1)

  • Name of a service-instance-group service instance group (group1)

  • NAT instance name (nat1) and index (1)

  • Device A's NAT address pool name (address-group1), address pool number (1), a range of public IP addresses (11.11.11.0 through 11.11.11.7)

  • NAT ACL name (3000)

  • Traffic classifier (classifier1)

  • Traffic behavior (behavior1)

  • Traffic policy (policy1)

  • Number of an interface to which a NAT traffic distribution policy applies

  • Tunnel interface IP address

  • Pre-shared key

  • Security protocols, encryption algorithms, and authentication algorithms to be used by IPsec proposals

  • Authentication algorithm used in an IKE security proposal

Procedure

  1. Configure device A.
    1. Assign an IP address to each interface.

      # Configure an IP address for GE 0/2/1.

      <DeviceA> system-view 
      [~DeviceA] interface GigabitEthernet 0/2/1
      [~DeviceA-GigabitEthernet0/2/1] ip address 10.1.1.1 24
      [*DeviceA-GigabitEthernet0/2/1] quit
      [*DeviceA] commit

      # Configure an IP address for GE 0/2/2.

      [~DeviceA] interface GigabitEthernet 0/2/2 
      [~DeviceA-GigabitEthernet0/2/2] ip address 12.12.1.1 24 
      [*DeviceA-GigabitEthernet0/2/2] quit 
      [*DeviceA] commit

    2. Configure an IPsec service instance group named group1.

      On-board scenario:
      • Configure the NSP-A/NSP-B/NSP-C/NSP-D.
        [~DeviceA] service-location 1
        [*DeviceA -service-location-1] location slot 9
        [*DeviceA -service-location-1] commit
        [~DeviceA -service-location-1] quit
        [~DeviceA] service-instance-group group1
        [*DeviceA-service-instance-group-group1] service-location 1
        [*DeviceA-service-instance-group-group1] commit
        [~DeviceA-service-instance-group-group1] quit
      • Configure the NSP-A/NSP-B/NSP-C/NSP-D.
        [~DeviceA] service-location 1
        [*DeviceA -service-location-1] location follow-forwarding-mode
        [*DeviceA -service-location-1] commit
        [~DeviceA -service-location-1] quit
        [~DeviceA] service-instance-group group1
        [*DeviceA-service-instance-group-group1] service-location 1
        [*DeviceA-service-instance-group-group1] commit
        [~DeviceA-service-instance-group-group1] quit

    3. Configure basic NAT functions.

      # Configure a NAT instance named nat1 and bind it to a NAT service board.

      [~DeviceA] nat instance nat1 id 1
      [*DeviceA-nat-instance-nat1] service-instance-group group1
      [*DeviceA-nat-instance-nat1] commit
      [~DeviceA-nat-instance-nat1] quit

      # Configure a NAT address pool and specify a range of public IP addresses 11.11.11.0 through 11.11.11.7 in the pool.

      [~DeviceA] nat instance nat1 
      [~DeviceA-nat-instance-nat1] nat address-group address-group1 group-id 1 11.11.11.0 mask 29
      [*DeviceA-nat-instance-nat1] commit
      [~DeviceA-nat-instance-nat1] quit

    4. Configure a NAT traffic distribution policy on an inbound interface.

      # Configure an ACL numbered 3000 and an ACL rule numbered 5. Allow only hosts with a network segment address of 10.1.1.0/24 to access the Internet.

      [~DeviceA] acl 3000
      [*DeviceA-acl4-advance-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255
      [*DeviceA-acl4-advance-3000] commit
      [~DeviceA-acl4-advance-3000] quit

      # Configure a traffic classifier.

      [~DeviceA] traffic classifier classifier1
      [*DeviceA-classifier-classifier1] if-match acl 3000
      [*DeviceA-classifier-classifier1] commit
      [~DeviceA-classifier-classifier1] quit

      # Configure a traffic behavior named behavior1 and bind it to the NAT instance nat1.

      [~DeviceA] traffic behavior behavior1
      [*DeviceA-behavior-behavior1] nat bind instance nat1
      [*DeviceA-behavior-behavior1] commit
      [~DeviceA-behavior-behavior1] quit

      # Configure a NAT traffic policy named policy1 and associate the ACL-based traffic classification rules with the traffic behavior.

      [~DeviceA] traffic policy policy1
      [*DeviceA-trafficpolicy-policy1] classifier classifier1 behavior behavior1
      [*DeviceA-trafficpolicy-policy1] commit
      [~DeviceA-trafficpolicy-policy1] quit

      # Apply the NAT traffic distribution policy in the interface view of GE 0/2/1.

      [~DeviceA] interface gigabitEthernet 0/2/1
      [*DeviceA-GigabitEthernet0/2/1] traffic-policy policy1 inbound
      [*DeviceA-GigabitEthernet0/2/1] commit
      [~DeviceA-GigabitEthernet0/2/1] quit

    5. Create a tunnel interface and configure attributes for it.

      [~DeviceA] interface Tunnel 10 
      [*DeviceA-Tunnel10] tunnel-protocol ipsec 
      [*DeviceA-Tunnel10] ip address 192.168.1.1 32 
      [*DeviceA-Tunnel10] quit 
      [*DeviceA] commit

    6. Configure a static route to network B for traffic processed by NAT and set the static route's outbound interface name and nexthop IP address to Tunnel10 and 192.168.1.2, respectively. Assume that the next-hop IP address and mask of device A is 12.12.1.2/24.

      When you configure the static route to direct traffic processed by NAT to an IPsec tunnel, set the outbound interface in the static route to the IPsec tunnel interface and specify a next-hop IP address.

      [~DeviceA] ip route-static 10.1.2.0 255.255.255.0 Tunnel 10 192.168.1.2 
      [*DeviceA] ip route-static 192.168.1.2 255.255.255.255 12.12.1.2  
      [*DeviceA] commit

    7. Configure an advanced ACL numbered 3010 to allow PC-A to access PC-B.

      [~DeviceA] acl 3010  
      [*DeviceA-acl-adv-3010] rule permit ip source 11.11.11.0 0.0.0.7 destination 10.1.2.2 0.0.0.0
      [*DeviceA-acl-adv-3010] quit
      [*DeviceA] commit

    8. Configure an IPsec security proposal named tran1.

      [~DeviceA] ipsec proposal tran1  
      [*DeviceA-ipsec-proposal-tran1] encapsulation-mode tunnel 
      [*DeviceA-ipsec-proposal-tran1] transform esp 
      [*DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256 
      [*DeviceA-ipsec-proposal-tran1] esp encryption-algorithm aes 256 
      [*DeviceA-ipsec-proposal-tran1] quit 
      [*DeviceA] commit

    9. Configure an IKE proposal numbered 10.

      [~DeviceA] ike proposal 10 
      [*DeviceA-ike-proposal-10] authentication-method pre-share 
      [*DeviceA-ike-proposal-10] authentication-algorithm sha2-256 
      [*DeviceA-ike-proposal-10] dh group14 
      [*DeviceA-ike-proposal-10] quit 
      [*DeviceA] commit

    10. Configure an IKE peer named b.

      [~DeviceA] ike peer b 
      [*DeviceA-ike-peer-b] ike-proposal 10 
      [*DeviceA-ike-peer-b] remote-address 192.168.1.2 
      [*DeviceA-ike-peer-b] pre-shared-key abcde  
      [*DeviceA-ike-peer-b] quit 
      [*DeviceA] commit

      • Enable both IKEv1 and IKEv2 on an NE20E. If the peer device does not support IKEv2, disable IKEv2 and use IKEv1 in negotiation.

      • The authentication keyword on a local device must be the same as that on the peer device.

    11. Configure peer Keepalive detection.

      [~DeviceA] ike dpd 100  
      [*DeviceA] quit 
      [*DeviceA] commit

    12. Configure an IPsec security policy named map1 and numbered 10.

      [~DeviceA] ipsec policy map1 10 isakmp 
      [*DeviceA-ipsec-policy-isakmp-map1-10] security acl 3010 
      [*DeviceA-ipsec-policy-isakmp-map1-10] proposal tran1 
      [*DeviceA-ipsec-policy-isakmp-map1-10] ike-peer b 
      [*DeviceA-ipsec-policy-isakmp-map1-10] quit 
      [*DeviceA] commit

    13. Apply the IPsec policy named map1 to the tunnel interface.

      [~DeviceA] interface Tunnel 10 
      [~DeviceA-Tunnel10] ipsec policy map1 service-instance-group group1
      [*DeviceA-Tunnel10] quit  
      [*DeviceA] commit

  2. # Configure device B.
    1. Assign an IP address to each interface.

      # Configure an IP address for GE 0/2/1.

      <DeviceB> system-view 
      [~DeviceB] interface gigabitethernet 0/2/1 
      [~DeviceB-GigabitEthernet0/2/1] ip address 10.1.2.1 24 
      [*DeviceB-GigabitEthernet0/2/1] quit 
      [*DeviceB] commit

      # Configure an IP address for GE 0/2/2.

      [~DeviceB] interface gigabitethernet 0/2/2  
      [~DeviceB-GigabitEthernet0/2/2] ip address 12.12.2.1 24  
      [*DeviceB-GigabitEthernet0/2/2] quit 
      [*DeviceB] commit

    2. Create a tunnel interface and configure attributes for it.

      [~DeviceB] interface Tunnel 10 
      [~DeviceB-Tunnel10] tunnel-protocol ipsec 
      [*DeviceB-Tunnel10] ip address 192.168.1.2 32
      [*DeviceB-Tunnel10] quit 
      [*DeviceB] commit

    3. Configure a static route to network A for traffic processed by NAT and set the static route's outbound interface name and next-hop IP address to Tunnel10 and 192.168.1.1, respectively. Assume that the next-hop IP address of device B is 12.12.2.2/24.

      When you configure the static route to direct traffic processed by NAT to an IPsec tunnel, set the outbound interface in the static route to the IPsect tunnel interface and specify a next-hop IP address.

      [~DeviceB] ip route-static 11.11.11.0 255.255.255.248 Tunnel 10 192.168.1.1 
      [*DeviceB] ip route-static 192.168.1.1 255.255.255.255 12.12.2.2 
      [*DeviceB] commit

    4. Configure an advanced ACL numbered 3010 to allow PC-B to access PC-A.

      [~DeviceB] acl 3010 
      [*DeviceB-acl-adv-3010] rule permit ip source 10.1.2.2 0.0.0.0 destination 11.11.11.0 0.0.0.7 
      [*DeviceB-acl-adv-3010] quit 
      [*DeviceB] commit

    5. # Configure an IPsec security proposal named tran1.

      [~DeviceB] ipsec proposal tran1 
      [*DeviceB-ipsec-proposal-tran1] encapsulation-mode tunnel 
      [*DeviceB-ipsec-proposal-tran1] transform esp 
      [*DeviceB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256 
      [*DeviceB-ipsec-proposal-tran1] esp encryption-algorithm aes 256 
      [*DeviceB-ipsec-proposal-tran1] quit 
      [*DeviceB] commit

    6. Configure an IKE proposal numbered 10.

      [~DeviceB] ike proposal 10 
      [*DeviceB-ike-proposal-10] authentication-method pre-share  
      [*DeviceB-ike-proposal-10] authentication-algorithm sha2-256  
      [*DeviceB-ike-proposal-10] dh group14 
      [*DeviceB-ike-proposal-10] quit 
      [*DeviceB] commit

    7. Configure an IKE peer named a.

      [~DeviceB] ike peer a  
      [*DeviceB-ike-peer-a] ike-proposal 10  
      [*DeviceB-ike-peer-a] remote-address 192.168.1.1 
      [*DeviceB-ike-peer-a] pre-shared-key abcde 
      [*DeviceB-ike-peer-a] quit 
      [*DeviceB] commit

    8. Configure peer Keepalive detection.

      [~DeviceB] ike dpd 100 
      [*DeviceB] quit 
      [*DeviceB] commit

    9. Configure an IPsec security policy named map1 and numbered 10.

      [~DeviceB] ipsec policy map1 10 isakmp 
      [*DeviceB-ipsec-policy-isakmp-map1-10] security acl 3010  
      [*DeviceB-ipsec-policy-isakmp-map1-10] proposal tran1  
      [*DeviceB-ipsec-policy-isakmp-map1-10] ike-peer a 
      [*DeviceB-ipsec-policy-isakmp-map1-10] quit 
      [*DeviceB] commit

    10. Configure an IPsec service instance group named group1.

      On-board scenario:
      • Configure the NSP-A/NSP-B/NSP-C/NSP-D.
        [DeviceB] service-location 1
        [DeviceB-service-location-1] location slot 9
        [DeviceB-service-location-1] commit
        [DeviceB-service-location-1] quit
        [~DeviceB] service-instance-group group1
        [*DeviceB-service-instance-group-1] service-location 1 
        [*DeviceB-service-instance-group-1] commit 
        [~DeviceB-service-instance-group-1] quit
      • Configure the NSP-A/NSP-B/NSP-C/NSP-D.
        [DeviceB] service-location 1
        [DeviceB-service-location-1] location follow-forwarding-mode
        [DeviceB-service-location-1] commit
        [DeviceB-service-location-1] quit
        [~DeviceB] service-instance-group group1
        [*DeviceB-service-instance-group-1] service-location 1 
        [*DeviceB-service-instance-group-1] commit 
        [~DeviceB-service-instance-group-1] quit

    11. Apply the IPsec policy named map1 to the tunnel interface.

      [~DeviceB] interface Tunnel10 
      [~DeviceB-Tunnel10] ipsec policy map1 service-instance-group group1
      [*DeviceB-Tunnel10] quit 
      [*DeviceB] commit

Configuration Files

Device A configuration file

# 
 sysname DeviceA 
# 
ike dpd 100
#
service-location 1
 location slot 9//The information is generated in the configuration file when the location slot is used.
 location follow-forwarding-mode//The information is generated in the configuration file when the location follow-forwarding-mode is used.
#
service-instance-group group1
 service-location 1
#
nat instance nat1 id 1
 service-instance-group group1
 nat address-group address-group1 group-id 1 11.11.11.0 mask 29
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255
#
acl number 3010
 rule 5 permit ip source 11.11.11.0 0.0.0.7 destination 10.1.2.2 0.0.0.0
#
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ike peer b
 pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%# 
 ike-proposal 10
 remote-address 192.168.1.2
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#
traffic classifier classifier1 operator or
 if-match acl 3000
#
traffic behavior behavior1
 nat bind instance nat1
#
traffic policy policy1
 classifier classifier1 behavior behavior1 precedence 1
#
ipsec policy map1 10 isakmp
 security acl 3010
 ike-peer b
 proposal tran1
#
interface GigabitEthernet 0/2/1
 ip address 10.1.1.1 255.255.255.0
 traffic-policy policy1 inbound
#
interface GigabitEthernet 0/2/2
 ip address 12.12.1.1 255.255.255.0
#
interface Tunnel10
 ip address 192.168.1.1 255.255.255.255
 tunnel-protocol ipsec
 ipsec policy map1 service-instance-group group1
#
ip route-static 10.1.2.0 255.255.255.0 Tunnel 10 192.168.1.2 
ip route-static 192.168.1.2 255.255.255.255 12.12.1.2
#
return

Device B configuration file

# 
 sysname DeviceB 
# 
acl number 3010 
  rule 5 permit ip source 10.1.2.2 0 destination 11.11.11.0 0.0.0.7 
# 
ike proposal 10 
 encryption-algorithm aes-cbc 256 
 dh group14 
 authentication-algorithm sha2-256 
 integrity-algorithm hmac-sha2-256 
# 
ike peer a 
 pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%# 
 ike-proposal 10 
 remote-address 192.168.1.1 
#                                                                                 
service-location 1                                                                 
 location slot 9//The information is generated in the configuration file when the location slot is used.
 location follow-forwarding-mode//The information is generated in the configuration file when the location follow-forwarding-mode is used.
#                                                                                 
service-instance-group group1                                                           
 service-location 1     
# 
ipsec proposal tran1 
 esp authentication-algorithm sha2-256   
 esp encryption-algorithm aes 256 
#                                          
ipsec policy map1 10 isakmp 
 security acl 3010 
 ike-peer a 
 proposal tran1 
#     
interface GigabitEthernet0/2/1  
 ip address 10.1.2.1 255.255.255.0                                                 
#     
interface GigabitEthernet0/2/2  
 ip address 12.12.2.1 255.255.255.0 
#     
interface Tunnel10  
 ip address 192.168.1.2 255.255.255.255                                              
 tunnel-protocol ipsec  
 ipsec policy map1 service-instance-group 1 
# 
 ip route-static 11.11.11.0 255.255.255.248 Tunnel 10 192.168.1.1 
 ip route-static 192.168.1.1 255.255.255.255 12.12.2.2 
# 
return
Download
Updated: 2020-02-07

Document ID: EDOC1100125510

Views: 29329

Downloads: 18

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next
Huawei e+ App Huawei e+

Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :