V200R001C01
Issue 01
Date 2012-01-06
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2012-01-06)
Commissioning engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol
- DANGER
- WARNING
- CAUTION
- TIP
- NOTE
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention
- Boldface
- Italic
- [ ]
- { x | y | ... }
- [ x | y | ... ]
- { x | y | ... }*
- [ x | y | ... ]*
- &<1-n>
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Contents
About This Document.....................................................................................................................ii
1 GRE Configuration.......................................................................................................................1
1.1 Introduction to GRE...........................................................................................................................................2
1.2 GRE Features Supported by the AR2200-S.......................................................................................................2
1.3 Configuring GRE................................................................................................................................................3
1.3.1 Establishing the Configuration Task.........................................................................................................3
1.3.2 Configuring a Tunnel Interface.................................................................................................................4
1.3.3 Configuring Routes for the Tunnel............................................................................................................5
1.3.4 (Optional) Configuring GRE Security Options.........................................................................................6
1.3.5 Checking the Configuration.......................................................................................................................7
1.4 Configuring the Keepalive Function..................................................................................................................8
1.4.1 Establishing the Configuration Task.........................................................................................................8
1.4.2 Enabling the Keepalive Function..............................................................................................................9
1.4.3 Checking the Configuration.....................................................................................................................10
1.5 Maintaining GRE..............................................................................................................................................11
1.5.1 Resetting the Statistics of a Tunnel Interface..........................................................................................11
1.5.2 Monitoring the Running Status of GRE..................................................................................................12
1.5.3 Debugging GRE......................................................................................................................................12
1.6 Configuration Examples...................................................................................................................................12
1.6.1 Example for Configuring a Static Route for GRE...................................................................................12
1.6.2 Example for Configuring a Dynamic Routing Protocol for GRE...........................................................17
1.6.3 Example for Configuring a GRE Tunnel to Transmit VPN Multicast Data Encrypted with IPSec........20
1.6.4 Example for Configuring the Keepalive Function for GRE....................................................................26
2 MCE Configuration.....................................................................................................................29
2.1 Introduction to MCE.........................................................................................................................................30
2.1.1 MCE Overview........................................................................................................................................30
2.1.2 MCE Functions Supported by the AR2200-S.........................................................................................31
2.2 Configuring a VPN Instance.............................................................................................................................31
2.2.1 Establishing the Configuration Task.......................................................................................................32
2.2.2 Creating a VPN instance..........................................................................................................................32
2.2.3 Binding an Interface with a VPN Instance..............................................................................................33
2.2.4 Checking the Configuration.....................................................................................................................34
3 IPSec Configuration....................................................................................................................49
3.1 IPSec Overview................................................................................................................................................50
3.2 IPSec Features Supported by the AR2200-S....................................................................................................51
3.3 Establishing an IPSec Tunnel Manually...........................................................................................................52
3.3.1 Establishing the Configuration Task.......................................................................................................52
3.3.2 Defining Protected Data Flows................................................................................................................53
3.3.3 Configuring an IPSec Proposal................................................................................................................53
3.3.4 Configuring an IPSec Policy...................................................................................................................54
3.3.5 Applying an IPSec Policy to an Interface................................................................................................56
3.3.6 Checking the Configuration.....................................................................................................................56
3.4 Establishing an IPSec Tunnel Through IKE Negotiation.................................................................................57
3.4.1 Establishing the Configuration Task.......................................................................................................57
3.4.2 Defining Protected Data Flows................................................................................................................58
3.4.3 Configuring an IKE Proposal..................................................................................................................58
3.4.4 Configuring an IKE Peer.........................................................................................................................59
3.4.5 Configuring an IPSec Proposal................................................................................................................61
3.4.6 Configuring an IPSec Policy...................................................................................................................62
3.4.7 (Optional) Configuring an IPSec Policy Template..................................................................................63
3.4.8 (Optional) Setting Optional Parameters..................................................................................................64
3.4.9 Applying an IPSec policy to an interface................................................................................................65
3.4.10 Checking the Configuration...................................................................................................................66
3.5 Maintaining IPSec............................................................................................................................................66
3.5.1 Displaying the IPSec Configuration........................................................................................................66
3.5.2 Clearing IPSec Information.....................................................................................................................67
3.6 Configuration Examples...................................................................................................................................67
3.6.1 Example for Establishing an SA Manually.............................................................................................67
1 GRE Configuration
Figure (diagram labels): IP network; IP network; IP network; Tunnel; PC; PC
When the tunnel is used in the network, a few hops are hidden. This enlarges the scope of the
network operation.
Working in Combination with IPSec to Compensate for the IPSec Flaw in Multicast Data Protection
GRE can encapsulate multicast data and carry it through the GRE tunnel, whereas IPSec can provide encrypted protection only for unicast data.
Figure 1-2 (diagram labels): Internet; IPSec tunnel; GRE tunnel; Corporate intranet; Remote office network
As shown in Figure 1-2, to transmit multicast data over an IPSec tunnel, establish a GRE tunnel and encapsulate the multicast data with GRE, then encrypt the GRE-encapsulated data with IPSec. The encrypted multicast data can then be transmitted in the IPSec tunnel.
Applicable Environment
To set up a GRE tunnel, create a tunnel interface first, and configure the GRE functions on the
tunnel interface. If the tunnel interface is deleted, all the configurations on the interface are
deleted.
Pre-configuration Tasks
Before configuring an ordinary GRE tunnel, complete the following task:
Data Preparation
To configure an ordinary GRE tunnel, you need the following data.
Context
Perform the following steps on the routers at the two ends of a tunnel.
Procedure
Step 1 Run:
system-view
{ gre | none }
- The virtual IP address of a VRRP backup group can be configured as the source address of the GRE tunnel.
- A bridge-if interface cannot be configured as the source interface of the GRE tunnel.
The source interface of a tunnel cannot be the tunnel interface itself, but it can be the interface of another tunnel.
Step 5 Run:
destination ip-address
The new MTU takes effect only after you run the shutdown command and the undo
shutdown command on the interface.
Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
l Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP
address of the tunnel interface.
l Run the ip address unnumbered interface interface-type interface-number command to
configure IP unnumbered for the tunnel interface.
To support dynamic routing protocols on a tunnel, configure a network address for the tunnel interface. The network address of the tunnel interface need not be a public address, but the two ends of the tunnel must be in the same network segment.
By default, the network address of a tunnel interface is not set.
----End
Context
Perform the following steps on the devices at two ends of a tunnel.
NOTE
The packets encapsulated with GRE are forwarded correctly only if the routes for the tunnel are available
on both the source and destination routers.
Procedure
Step 1 Run:
system-view
protocol is used, the protocol must be configured on the tunnel interface and the GE interface
connected to the PC. Moreover, in the routing table of Router A, the egress with the
destination as the network segment where GE 2/0/0 on Router C resides cannot be Tunnel
0/0/1.
In practice, configure a multi-process routing protocol or change the metric of the tunnel interface so that the tunnel interface is not selected as the outbound interface of the route to the physical destination of the tunnel.
In practice, tunnel interfaces and the physical interfaces connected to the public network should use different routing protocols or different processes of the same routing protocol. With either of these in place, a tunnel interface is never selected as the outbound interface for packets destined for the tunnel destination, and a physical interface is not used to forward user packets that should traverse the tunnel.
Figure 1-3 Diagram of configuring the GRE dynamic routing protocol
(Diagram labels) Backbone; RouterA: GE1/0/0 to the Backbone, GE2/0/0 to PC1, Tunnel0/0/1; RouterC: GE1/0/0 to the Backbone, GE2/0/0 to PC2, Tunnel0/0/2; the Tunnel runs between RouterA and RouterC across the Backbone.
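The recursive-routing condition described above, as an added example that is not part of the Huawei guide: it parses rows in the column layout of display ip routing-table, does a longest-prefix lookup for the tunnel destination, and reports whether that route would exit through the tunnel interface itself. The Route and Tunnel types, the preference-then-cost tie-break, and the sample rows (including the deliberately bad OSPF route) are assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    proto: str
    pre: int
    cost: int
    nexthop: str
    interface: str


@dataclass(frozen=True)
class Tunnel:
    name: str         # e.g. "Tunnel0/0/1"
    source: str       # tunnel source address
    destination: str  # tunnel destination address


def parse_routing_table(text: str) -> list:
    """Parse rows in the column layout of 'display ip routing-table':
    Destination/Mask Proto Pre Cost Flags NextHop Interface.
    Header, separator and summary lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        dest, proto, pre, cost, _flags, nexthop, iface = parts
        routes.append(Route(ipaddress.ip_network(dest), proto, int(pre),
                            int(cost), nexthop, iface))
    return routes


def lookup(routes: list, addr: str):
    """Longest-prefix match. Among equal-length prefixes the lower preference
    wins, then the lower cost (assumed tie-break order for this example)."""
    target = ipaddress.ip_address(addr)
    candidates = [r for r in routes if target in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.pre, -r.cost))


def check_tunnel_recursion(routes: list, tunnel: Tunnel) -> tuple:
    """Return (ok, reason). ok is False when the tunnel destination has no
    route or resolves through the tunnel interface itself (recursive routing)."""
    best = lookup(routes, tunnel.destination)
    if best is None:
        return False, "no route to tunnel destination %s" % tunnel.destination
    if best.interface == tunnel.name:
        return False, "destination %s resolves via %s out of %s itself" % (
            tunnel.destination, best.prefix, tunnel.name)
    return True, "destination %s exits via %s (%s %s)" % (
        tunnel.destination, best.interface, best.proto, best.prefix)


# Constructed sample rows modelled on Router A's table in the static-route example.
GOOD_TABLE = """
Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
10.1.1.0/24         Direct  0    0     D      10.1.1.2        GigabitEthernet2/0/0
10.2.1.0/24         Static  60   0     D      40.1.1.1        Tunnel0/0/1
20.1.1.0/24         Direct  0    0     D      20.1.1.1        GigabitEthernet1/0/0
30.1.1.0/24         OSPF    10   2     D      20.1.1.2        GigabitEthernet1/0/0
40.1.1.0/24         Direct  0    0     D      40.1.1.1        Tunnel0/0/1
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
"""
# The failure the guide warns about (constructed): the remote physical segment
# 30.1.1.0/24 is also learned over the tunnel with a better cost, so the
# tunnel destination would be routed into the tunnel itself.
BAD_TABLE = GOOD_TABLE + "30.1.1.0/24         OSPF    10   1     D      40.1.1.2        Tunnel0/0/1\n"

TUNNEL_A = Tunnel("Tunnel0/0/1", "20.1.1.1", "30.1.1.2")

if __name__ == "__main__":
    for label, table in (("good", GOOD_TABLE), ("bad", BAD_TABLE)):
        ok, reason = check_tunnel_recursion(parse_routing_table(table), TUNNEL_A)
        print(label, "OK" if ok else "RECURSIVE", "-", reason)
```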
----End
Context
Perform the following steps on the routers at two ends of a tunnel.
Procedure
Step 1 Run:
system-view
----End
Context
The configurations of the GRE function are complete.
Procedure
- Run the display interface tunnel [ interface-number ] command to check tunnel interface information.
- Run the display ip routing-table command to check the IPv4 routing table.
- Run the ping -a source-ip-address host command to check whether the two ends of the tunnel can successfully ping each other.
----End
Example
Run the display interface tunnel command. If the tunnel interface is Up, the configuration
succeeds. For example:
<Huawei> display interface Tunnel 0/0/1
Tunnel0/0/1 current state : UP
Line protocol current state : UP
Description:HUAWEI, AR Series, Tunnel0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 5.5.5.2/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 150.1.1.1 (Ethernet4/0/0), destination 150.1.1.2
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
Run the display ip routing-table command. If the route passing through the tunnel interface
exists in the routing table, the configuration succeeds. For example:
[Huawei] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
10.1.1.0/24         Direct  0    0     D      10.1.1.2        GigabitEthernet2/0/0
10.1.1.2/32         Direct  0    0     D      127.0.0.1       InLoopBack0
10.2.1.0/24         Static  60   0     D      40.1.1.1        Tunnel0/0/2
20.1.1.1/32         Direct  0    0     D      127.0.0.1       InLoopBack0
40.1.1.0/24         Direct  0    0     D      40.1.1.1        Tunnel0/0/2
40.1.1.1/32         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0
Run the ping -a source-ip-address host command to see that the ping from the local tunnel
interface to the destination tunnel succeeds.
<Huawei> ping -a 40.1.1.1 40.1.1.2
  PING 40.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=24 ms
    Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
    Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=48 ms
    Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=33 ms
    Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=36 ms

  --- 40.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 24/34/48 ms
Application Environment
The Keepalive function can be configured on one end of a GRE tunnel to test the status of the tunnel. If the remote end is found to be unreachable, the tunnel is disconnected in time to avoid a data black hole.
Figure 1-4 GRE tunnel supporting Keepalive
(Diagram labels) RouterA (Source); GRE tunnel across the Internet; RouterB (Destination)
Pre-configuration Tasks
Before configuring the Keepalive function, complete the following tasks:
Data Preparation
To configure the Keepalive function, you need the following data.
Context
Perform the following steps on the router that requires the Keepalive function.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface tunnel interface-number
Before configuring the tunnel policy and the GRE tunnel for the VPN, enable the GRE tunnel Keepalive function. With this function enabled, the VPN does not select a GRE tunnel whose remote end is unreachable, so data loss is avoided. The reasons for enabling the Keepalive function are as follows:
- If the Keepalive function is not enabled, the local tunnel interface may stay Up regardless of whether data reaches the remote end.
- If the Keepalive function is enabled on the local end, the local tunnel interface is set Down when the remote end is unreachable. As a result, the VPN does not select the unreachable GRE tunnel and data is not lost.
----End
Prerequisite
The Keepalive function is enabled on the GRE tunnel.
Procedure
Step 1 Run:
system-view
Check the Keepalive packets and Keepalive Response packets sent and received by the GRE
tunnel interface.
----End
Example
On the tunnel interface that is enabled with the Keepalive function, run the display keepalive
packets count command to ascertain the number of sent Keepalive packets and received
Keepalive Response packets on both the local end and the remote end. If the Keepalive function
is successfully configured on the local tunnel interface, the number of sent Keepalive packets
or received Keepalive Response packets on the local end is not 0.
[Huawei] interface tunnel 0/0/1
[Huawei-Tunnel0/0/1] tunnel-protocol gre
[Huawei-Tunnel0/0/1] keepalive
[Huawei-Tunnel0/0/1] display keepalive packets count
Send 34 keepalive packets to peers, Receive 34 keepalive response packets from peers
Receive 0 keepalive packets from peers, Send 0 keepalive response packets to peers
Procedure
- Run the reset counters interface tunnel [ interface-number ] command in the system view to reset statistics about the tunnel interface.
- Run the following commands to reset the Keepalive packet count:
  Run: system-view
  Run: interface tunnel interface-number
  Run: reset keepalive packets count
  The reset keepalive packets count command can be run only in the tunnel interface view, and the tunnel protocol of the interface must be GRE.
----End
Context
In routine maintenance, you can run the following commands to view the GRE running status.
Procedure
- Run the display interface tunnel [ interface-number ] command to check the running status of the tunnel interface.
- Run the display ip routing-table command to check the routing table on the CE.
----End
Context
NOTE
The debugging process affects system performance. Therefore, after finishing the debugging process, run
the undo debugging all command immediately to disable the debugging.
When GRE behaves abnormally, run the debugging commands in the user view to view debugging information, locate the fault, and analyze the cause.
Procedure
Run the debugging tunnel keepalive command in the user view to debug the Keepalive
function of the GRE tunnel.
----End
Networking Requirements
In Figure 1-5, Router A, Router B, and Router C belong to the VPN backbone network and
OSPF runs between them.
GRE is enabled between Router A and Router C to achieve interworking between PC1 and PC2.
PC1 takes Router A as its default gateway, and PC2 takes Router C as its default gateway.
Figure 1-5 Networking diagram of configuring a static route for GRE
(Diagram addressing)
RouterA: GE1/0/0 20.1.1.1/24, GE2/0/0 10.1.1.2/24, Tunnel0/0/1 40.1.1.1/24
RouterB: GE1/0/0 20.1.1.2/24, GE2/0/0 30.1.1.1/24
RouterC: GE1/0/0 30.1.1.2/24, GE2/0/0 10.2.1.2/24, Tunnel0/0/1 40.1.1.2/24
PC1: 10.1.1.1/24 (connected to GE2/0/0 of RouterA)
PC2: 10.2.1.1/24 (connected to GE2/0/0 of RouterC)
The Tunnel runs between RouterA and RouterC across RouterB.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3. Specify the source address of the tunnel interface as the IP address of the interface that sends the packet.
4. Specify the destination address of the tunnel interface as the IP address of the interface that receives the packet.
5. Assign network addresses to the tunnel interfaces so that the tunnel can support a dynamic routing protocol.
6. Configure a static route between Router A and its connected PC, and a static route between Router C and its connected PC, so that traffic between PC1 and PC2 is transmitted through the GRE tunnel.
7. Configure the egress of the static route as the local tunnel interface.
Data Preparation
To complete the configuration, you need the following data:
- Source address and destination address of the GRE tunnel, and IP addresses of the tunnel interfaces
Procedure
Step 1 Assign an IP address to each interface.
Assign an IP address to each interface as shown in Figure 1-5. The specific configuration is not
mentioned here.
Step 2 Configure IGP for the VPN backbone network.
# Configure Router A.
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Configure Router B.
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure Router C.
[RouterC] ospf 1
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
After the configuration, run the display ip routing-table command on Router A and Router C.
You can find that they both learn the OSPF route to the network segment of the remote interface.
Take Router A as an example.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
10.1.1.0/24         Direct  0    0     D      10.1.1.2        GigabitEthernet2/0/0
10.1.1.2/32         Direct  0    0     D      127.0.0.1       InLoopBack0
20.1.1.1/32         Direct  0    0     D      127.0.0.1       InLoopBack0
30.1.1.0/24         OSPF    10   2     D      20.1.1.2        GigabitEthernet1/0/0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0
[RouterA-Tunnel0/0/1] quit
# Configure Router C.
[RouterC] interface tunnel 0/0/1
[RouterC-Tunnel0/0/1] ip address 40.1.1.2 24
[RouterC-Tunnel0/0/1] source 30.1.1.2
[RouterC-Tunnel0/0/1] destination 20.1.1.1
[RouterC-Tunnel0/0/1] quit
After the configuration, the status of tunnel interfaces goes Up, and the tunnel interfaces can
ping each other successfully.
Take Router A as an example:
[RouterA] ping -a 40.1.1.1 40.1.1.2
  PING 40.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=24 ms
    Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
    Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=48 ms
    Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=33 ms
    Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=36 ms

  --- 40.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 24/34/48 ms
# Configure Router C.
[RouterC] ip route-static 10.1.1.0 24 tunnel 0/0/1
After the configuration, run the display ip routing-table command on Router A and Router C. You can find the static route to the network segment of the remote user end through the tunnel interface.
Take Router A as an example:
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
10.1.1.0/24         Direct  0    0     D      10.1.1.2        GigabitEthernet2/0/0
10.1.1.2/32         Direct  0    0     D      127.0.0.1       InLoopBack0
10.2.1.0/24         Static  60   0     D      40.1.1.1        Tunnel0/0/1
20.1.1.0/24         Direct  0    0     D      20.1.1.1        GigabitEthernet1/0/0
20.1.1.1/32         Direct  0    0     D      127.0.0.1       InLoopBack0
20.1.1.2/32         Direct  0    0     D      20.1.1.2        GigabitEthernet1/0/0
30.1.1.0/24         OSPF    10   2     D      20.1.1.2        GigabitEthernet1/0/0
40.1.1.0/24         Direct  0    0     D      40.1.1.1        Tunnel0/0/1
40.1.1.1/32         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0
Configuration Files
Networking Requirements
In Figure 1-6, Router A, Router B, and Router C belong to the VPN backbone network and
OSPF runs between them.
GRE is enabled between Router A and Router C for the interworking between PC1 and PC2.
PC1 takes Router A as its default gateway, and PC2 takes Router C as its default gateway.
OSPF is enabled on the tunnel interface. OSPF process 1 is used for the VPN backbone network
and OSPF process 2 is used for user access.
Figure 1-6 Networking diagram of configuring a dynamic routing protocol for GRE
(Diagram addressing)
RouterA: GE1/0/0 20.1.1.1/24, GE2/0/0 10.1.1.2/24, Tunnel0/0/1 40.1.1.1/24
RouterB: GE1/0/0 20.1.1.2/24, GE2/0/0 30.1.1.1/24
RouterC: GE1/0/0 30.1.1.2/24, GE2/0/0 10.2.1.2/24, Tunnel0/0/1 40.1.1.2/24
PC1: 10.1.1.1/24 (connected to GE2/0/0 of RouterA)
PC2: 10.2.1.1/24 (connected to GE2/0/0 of RouterC)
OSPF 1 runs on the backbone between RouterA, RouterB and RouterC; OSPF 2 runs on the Tunnel between RouterA and RouterC.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IGP on each router in the backbone network to realize interworking between these devices. Here OSPF process 1 is used.
2. Create the GRE tunnel between the routers that are connected to the PCs. The routers can then communicate through the GRE tunnel.
3. Configure the dynamic routing protocol on the network segments through which the PCs access the backbone network. Here OSPF process 2 is used.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Assign an IP address to each interface.
Assign an IP address to each interface as shown in Figure 1-6. The specific configuration is not
mentioned here.
Step 2 Configure IGP for the VPN backbone network.
The specific configuration procedures are the same as those in 1.6.1 Example for Configuring
a Static Route for GRE and are not mentioned here.
Step 3 Configure the tunnel interfaces.
The specific configuration procedures are the same as those in 1.6.1 Example for Configuring
a Static Route for GRE and are not mentioned here.
Step 4 Configure OSPF on the tunnel interfaces.
# Configure Router A.
[RouterA] ospf 2
[RouterA-ospf-2] area 0
[RouterA-ospf-2-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] quit
[RouterA-ospf-2] quit
# Configure Router C.
[RouterC] ospf 2
[RouterC-ospf-2] area 0
[RouterC-ospf-2-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[RouterC-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[RouterC-ospf-2-area-0.0.0.0] quit
[RouterC-ospf-2] quit
[display ip routing-table output after OSPF process 2 is configured: only the Pre/Cost/Flags/NextHop/Interface columns survived extraction (next hops 10.1.1.2, 127.0.0.1, 40.1.1.2, 20.1.1.1, 20.1.1.2 and 40.1.1.1 via InLoopBack0 and Tunnel0/0/1); the Destination/Mask column is not recoverable.]
Configuration Files
interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.2.1.2 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return
Networking Requirements
In Figure 1-7, Router A and Router C are required to transmit multicast packets, and the multicast
packets must be encrypted through IPSec. Before being encrypted through IPSec, multicast
packets must be encapsulated with GRE because IPSec cannot directly encrypt multicast packets.
Figure 1-7 Networking diagram of transmitting IPSec-encrypted multicast packets through a GRE tunnel
(Diagram addressing)
RouterA: GE1/0/0 20.1.1.1/24, GE2/0/0 10.1.1.2/24, Tunnel0/0/1 40.1.1.1/24; LAN host 10.1.1.1/24
RouterB: GE1/0/0 20.1.1.2/24, GE2/0/0 30.1.1.1/24
RouterC: GE1/0/0 30.1.1.2/24, GE2/0/0 10.2.1.2/24, Tunnel0/0/1 40.1.1.2/24; LAN host 10.2.1.1/24
GRE with IPSec between RouterA and RouterC.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on the backbone network devices, namely, Router A, Router B, and Router C, to realize the interworking between these devices.
2. Create a GRE tunnel between Router A and Router C to encapsulate multicast packets.
3. Create an IPSec tunnel between Router A and Router C to encrypt the GRE-encapsulated multicast packets.
Data Preparation
To complete the configuration, you need the following data:
Data for configuring the routing protocol for the backbone network
Data for configuring IPSec such as IPSec proposal name and ACL
Procedure
Step 1 Configure the routing protocol.
Configure a routing protocol on Router A, Router B, and Router C to implement the interworking
between these devices. OSPF is configured in this example. The configuration details are not
mentioned here.
After the configuration,
l Router A and Router C are routable.
l Router A can successfully ping GE1/0/0 of Router C.
l Router C can successfully ping GE1/0/0 of Router A.
Step 2 Configure the interfaces of the GRE tunnel.
# Configure Router A.
[RouterA] interface tunnel0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
[RouterA-Tunnel0/0/1] tunnel-protocol gre
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] quit
# Configure Router C.
[RouterC] interface tunnel0/0/1
[RouterC-Tunnel0/0/1] ip address 40.1.1.2 255.255.255.0
[RouterC-Tunnel0/0/1] tunnel-protocol gre
[RouterC-Tunnel0/0/1] source 30.1.1.2
[RouterC-Tunnel0/0/1] destination 20.1.1.1
[RouterC-Tunnel0/0/1] quit
# Configure Router C.
[RouterC] multicast routing-enable
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] pim dm
[RouterC-GigabitEthernet2/0/0] igmp enable
[RouterC-GigabitEthernet2/0/0] quit
[RouterC] interface tunnel0/0/1
[RouterC-Tunnel0/0/1] pim dm
[RouterC-Tunnel0/0/1] quit
# After multicast is enabled, the multicast data between Router A and Router C is transmitted
through the GRE tunnel.
Step 4 Configure aggressive IKE negotiation between Router A and Router C.
NOTE
To encapsulate multicast packets with GRE and then encrypt the multicast packets with IPSec, the remote
address in IKE peer mode must be the destination address of the local tunnel.
# Configure Router A.
[RouterA] ike local-name rta
[RouterA] ike peer RouterC v1
[RouterA-ike-peer-routerc] exchange-mode aggressive
[RouterA-ike-peer-routerc] local-id-type name
[RouterA-ike-peer-routerc] pre-shared-key 12345
[RouterA-ike-peer-routerc] remote-name rtc
[RouterA-ike-peer-routerc] remote-address 30.1.1.2
[RouterA-ike-peer-routerc] quit
# Configure Router C.
[RouterC] ike local-name rtc
[RouterC] ike peer RouterA v1
[RouterC-ike-peer-routera] exchange-mode aggressive
[RouterC-ike-peer-routera] local-id-type name
[RouterC-ike-peer-routera] pre-shared-key 12345
[RouterC-ike-peer-routera] remote-name rta
[RouterC-ike-peer-routera] remote-address 20.1.1.1
[RouterC-ike-peer-routera] quit
Encapsulate multicast packets with GRE and then encrypt these packets with IPSec. Note that the source
and destination addresses for the local end of the tunnel must match the ACL of the IPSec policy, and the
IPSec policy must be applied to the physical interface transmitting data.
# Configure IPSec on Router A and Router C. The default parameters of the IPSec proposal are used in this example.
# Configure Router A.
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule permit gre source 20.1.1.1 0 destination 30.1.1.2 0
[RouterA-acl-adv-3000] quit
[RouterA] ipsec proposal p1
[RouterA-ipsec-proposal-p1] quit
[RouterA] ipsec policy policy1 1 isakmp
[RouterA-ipsec-policy-isakmp-policy1-1] security acl 3000
[RouterA-ipsec-policy-isakmp-policy1-1] ike-peer RouterC
[RouterA-ipsec-policy-isakmp-policy1-1] proposal p1
[RouterA-ipsec-policy-isakmp-policy1-1] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ipsec policy policy1
[RouterA-GigabitEthernet1/0/0] quit
# Configure Router C.
[RouterC] acl number 3000
[RouterC-acl-adv-3000] rule permit gre source 30.1.1.2 0 destination 20.1.1.1 0
[RouterC-acl-adv-3000] quit
[RouterC] ipsec proposal p1
[RouterC-ipsec-proposal-p1] quit
[RouterC] ipsec policy policy1 1 isakmp
[RouterC-ipsec-policy-isakmp-policy1-1] security acl 3000
[RouterC-ipsec-policy-isakmp-policy1-1] ike-peer RouterA
[RouterC-ipsec-policy-isakmp-policy1-1] proposal p1
[RouterC-ipsec-policy-isakmp-policy1-1] quit
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ipsec policy policy1
[RouterC-GigabitEthernet1/0/0] quit
# After the configuration, the multicast data between Router A and Router C can be transmitted
through the GRE tunnel encrypted with IPSec.
Step 6 On the source device and the destination device of the tunnel, configure the tunnel to forward
routes.
# Configure Router A.
[RouterA] ip route-static 10.2.1.0 255.255.255.0 tunnel 0/0/1
# Configure Router C.
[RouterC] ip route-static 10.1.1.0 255.255.255.0 tunnel 0/0/1
----End
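As an added example that is not part of the Huawei guide, the following Python script parses a CLI transcript in the form printed above ([Router-view] command lines) and checks the constraints this example states: the IKE peer remote-address equals the local tunnel destination, the ACL permits GRE between the local tunnel source and destination, the IPSec policy is applied on a physical interface, and the two ends mirror each other with the same pre-shared key. It assumes only the command forms shown on the page; the transcript is assembled from the Router A and Router C commands above.

```python
"""Consistency checks for a GRE-over-IPSec pair configured as in the Router A / Router C example."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Prompt as printed in the guide, e.g. "[RouterA-Tunnel0/0/1] source 20.1.1.1".
PROMPT = re.compile(r"^\[(?P<router>[A-Za-z0-9]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.*)$")
# Advanced ACL rule in the form used on the page: "rule permit gre source A 0 destination B 0".
ACL_RULE = re.compile(
    r"rule\s+permit\s+(?P<proto>\S+)\s+source\s+(?P<src>\S+)\s+0\s+destination\s+(?P<dst>\S+)\s+0"
)


@dataclass
class RouterCfg:
    name: str
    tunnel_source: Optional[str] = None
    tunnel_destination: Optional[str] = None
    acl_rules: list = field(default_factory=list)   # (protocol, source, destination)
    ike_remote_address: Optional[str] = None
    ike_pre_shared_key: Optional[str] = None
    policy_interface: Optional[str] = None          # physical interface carrying "ipsec policy"


def parse_transcript(text: str) -> dict:
    """Collect the security-relevant settings of every router seen in a CLI transcript."""
    routers = {}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        cfg = routers.setdefault(m.group("router"), RouterCfg(m.group("router")))
        view, cmd = m.group("view") or "", m.group("cmd").strip()
        words = cmd.split()
        if not words:
            continue
        if view.startswith("Tunnel"):
            if words[0] == "source":
                cfg.tunnel_source = words[1]
            elif words[0] == "destination":
                cfg.tunnel_destination = words[1]
        elif view.startswith("ike-peer"):
            if words[0] == "remote-address":      # last word also covers the vpn-instance form
                cfg.ike_remote_address = words[-1]
            elif words[0] == "pre-shared-key":
                cfg.ike_pre_shared_key = words[1]
        elif view.startswith("acl-adv"):
            r = ACL_RULE.match(cmd)
            if r:
                cfg.acl_rules.append((r.group("proto"), r.group("src"), r.group("dst")))
        elif view.startswith("GigabitEthernet") and words[:2] == ["ipsec", "policy"]:
            cfg.policy_interface = view
    return routers


def check_pair(a: RouterCfg, b: RouterCfg) -> list:
    """Return the violated constraints; an empty list means the two ends are consistent."""
    problems = []
    for local, remote in ((a, b), (b, a)):
        if local.tunnel_destination != remote.tunnel_source:
            problems.append(f"{local.name}: tunnel destination {local.tunnel_destination} "
                            f"is not {remote.name}'s tunnel source {remote.tunnel_source}")
        # NOTE in the guide: the IKE peer remote-address must be the local tunnel destination.
        if local.ike_remote_address != local.tunnel_destination:
            problems.append(f"{local.name}: IKE peer remote-address {local.ike_remote_address} "
                            f"differs from tunnel destination {local.tunnel_destination}")
        # The ACL has to match the GRE flow between the local tunnel source and destination.
        if ("gre", local.tunnel_source, local.tunnel_destination) not in local.acl_rules:
            problems.append(f"{local.name}: no ACL rule for gre {local.tunnel_source} -> "
                            f"{local.tunnel_destination}")
        # The policy has to be applied on the physical interface that carries the traffic.
        if local.policy_interface is None:
            problems.append(f"{local.name}: ipsec policy not applied to a physical interface")
    if a.ike_pre_shared_key != b.ike_pre_shared_key:
        problems.append("pre-shared keys differ between the two ends")
    return problems


# Transcript assembled from the Router A and Router C commands shown in this example.
TRANSCRIPT = """
[RouterA] interface tunnel0/0/1
[RouterA-Tunnel0/0/1] tunnel-protocol gre
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] quit
[RouterA] ike peer RouterC v1
[RouterA-ike-peer-routerc] pre-shared-key 12345
[RouterA-ike-peer-routerc] remote-address 30.1.1.2
[RouterA-ike-peer-routerc] quit
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule permit gre source 20.1.1.1 0 destination 30.1.1.2 0
[RouterA-acl-adv-3000] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ipsec policy policy1
[RouterA-GigabitEthernet1/0/0] quit
[RouterC] interface tunnel0/0/1
[RouterC-Tunnel0/0/1] tunnel-protocol gre
[RouterC-Tunnel0/0/1] source 30.1.1.2
[RouterC-Tunnel0/0/1] destination 20.1.1.1
[RouterC-Tunnel0/0/1] quit
[RouterC] ike peer RouterA v1
[RouterC-ike-peer-routera] pre-shared-key 12345
[RouterC-ike-peer-routera] remote-address 20.1.1.1
[RouterC-ike-peer-routera] quit
[RouterC] acl number 3000
[RouterC-acl-adv-3000] rule permit gre source 30.1.1.2 0 destination 20.1.1.1 0
[RouterC-acl-adv-3000] quit
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ipsec policy policy1
[RouterC-GigabitEthernet1/0/0] quit
"""

if __name__ == "__main__":
    cfgs = parse_transcript(TRANSCRIPT)
    for line in check_pair(cfgs["RouterA"], cfgs["RouterC"]) or ["consistent"]:
        print(line)
```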
Configuration Files
pre-shared-key 12345
local-id-type name
remote-name rta
remote-address 20.1.1.1
#
ipsec proposal p1
#
ipsec policy policy1 1 isakmp
security acl 3000
ike-peer Routera
proposal p1
#
interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet2/0/0
ip address 10.2.1.2 255.255.255.0
pim dm
igmp enable
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
pim dm
#
ospf 1
area 0.0.0.0
network 30.1.1.2 0.0.0.0
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#
return
Networking Requirements
As shown in Figure 1-8, Router A and Router B are configured with the GRE protocol. The two ends of the GRE tunnel need to be configured with the Keepalive function.
Figure 1-8 Networking diagram of configuring the Keepalive function on two ends of a GRE tunnel (RouterA: GE1/0/0 20.1.1.1/24 and Tunnel0/0/1 40.1.1.1/24; Internet; RouterB: GE1/0/0 30.1.1.2/24 and Tunnel0/0/1 40.1.1.2/24; GRE Tunnel between the two Tunnel0/0/1 interfaces)
Configuration Roadmap
To enable the Keepalive function on one end of the GRE tunnel, run the keepalive command in
the tunnel interface view on the end.
TIP
If the Keepalive function is enabled on the source end, the forwarding function on the destination end is obligatory, while enabling the Keepalive function on the destination end is optional.
Data Preparation
To complete the configuration, you need the following data:
l Data for configuring the routing protocol for the backbone network
Procedure
Step 1 Configure Router A and Router B to implement the interworking between the two devices.
The detailed procedures are not mentioned here.
Step 2 Configure a tunnel on Router A and enable the Keepalive function.
<RouterA> system-view
[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] keepalive period 20 retry-times 3
[RouterA-Tunnel0/0/1] quit
# Enable the debugging of the Keepalive messages on Router A and view information about the
Keepalive messages.
----End
Configuration Files
2 MCE Configuration
Background
With the increasing diversification of user services and higher security requirements, a private network usually needs multiple VPNs, and the services of different VPNs need to be isolated. Using a separate CE for each VPN increases device expenditure and maintenance cost, while data security cannot be ensured if multiple VPNs share one CE and one routing table.
As shown in Figure 2-1, MCE effectively solves the data security and network cost issues of a VPN. MCE isolates the services of different VPNs by binding VLANIF interfaces to VPNs and by creating and maintaining an independent multi-VRF table for each VPN.
Figure 2-1 Typical MCE networking diagram (VPN 1 and VPN 2 sites connected through an MCE, and through separate CEs, to PEs at the edge of the service provider's backbone, with P devices inside the backbone)
Basic Concepts
l CE
An edge device that is located in a user network. A CE provides interfaces that are directly connected to the Service Provider (SP) network. A CE can be a router, a switch, or a host. In most situations, a CE neither senses a VPN nor supports MPLS.
l MCE
A CE configured with MCE functions. An MCE can connect to multiple VPNs whose services are isolated completely.
l PE
An edge router that is located in an SP network. A PE is an edge device in the SP network and is directly connected to the CE and MCE. In an MPLS network, PEs process all VPN services.
l Provider (P)
A backbone router that is located in an SP network. A P device is not directly connected to CEs. The P devices only need the basic MPLS forwarding capability, without maintaining information about a VPN.
l Site
A group of IP systems with IP connectivity between each other. Their connectivity need not be implemented through an SP network. The site is connected to the SP network through a CE or an MCE.
Routing protocols supported between an MCE and a site: static routes, RIP, OSPF, IS-IS, and BGP.
Routing protocols supported between an MCE and a PE: static routes, RIP, OSPF, IS-IS, and BGP.
Pre-configuration Tasks
Before configuring a VPN instance, complete the following tasks:
l Creating a VLAN on the MCE and adding the interface connecting the site and PE to the VLAN
l Creating a VLAN on the PE and adding the sub-interface connecting the MCE to the VLAN
l Creating a VLAN on the device connected to the MCE in a site and adding the interface connected to the MCE on the device to the VLAN
Data Preparation
To configure a VPN instance, you need the following data:
l RD
l Description
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ip vpn-instance vpn-instance-name command to create a VPN instance and enter the
VPN instance view.
NOTE
The name of a VPN instance is case-sensitive. For example, "vpn1" and "VPN1" are taken as different
VPN instances.
Step 3 Run the route-distinguisher route-distinguisher command to configure an RD for the VPN
instance.
The RD does not have a default value; therefore, you must configure an RD when creating a
VPN instance.
A VPN instance takes effect only after it is configured with an RD. The RDs of different VPN
instances on a device should be different.
Before configuring an RD, you can configure only the description.
Step 4 (Optional) Run the description description command to configure the description for the VPN
instance.
By default, no description is configured for a VPN instance.
The description, like a host name or an interface description, can be used to record information about the relationship between a VPN instance and a VPN.
Step 5 (Optional) Run the routing-table limit number { alert-percent | simply-alert } command to set
the maximum number of routes supported by the VPN instance.
By default, the maximum number of routes supported by a VPN instance is not set.
To prevent excessive routes from being imported, set the maximum number of routes supported
by a VPN instance.
----End
Context
Do as follows on the PE that is connected to the CE.
Procedure
Step 1 Run:
system-view
The view of the interface that is to be bound with the VPN instance is displayed.
Step 3 Run:
ip binding vpn-instance vpn-instance-name
Running the ip binding vpn-instance command on an interface can delete the Layer 3 attributes of the interface, such as the IP address and routing protocol. If these Layer 3 attributes are still required, you need to configure them again.
An interface cannot be bound to any VPN instance that is not enabled with an address family.
Disabling an address family of a VPN instance deletes the Layer 3 attributes, such as the IP address and
routing protocol of the interface bound to the VPN instance. Disabling all address families of a VPN instance
unbinds all bound interfaces from the VPN instance.
Step 4 Run:
ip address ip-address { mask | mask-length }
Configure a VPN instance on the MCE and PE, and then configure a route multi-instance between an MCE and a site.
Pre-configuration Tasks
Before configuring a route multi-instance between an MCE and a site, complete the following task:
Data Preparation
To configure a route multi-instance between an MCE and a site, you need the following data:
l (Optional) Destination address of a static route to the site, name of the destination VPN instance, mask or mask length, next hop IP address, priority of the route, and description of the route
l (Optional) RIP process number, address of the network segment where the VLANIF interface bound to the VPN instance is located, type and process number of the routing protocol run between an MCE and a PE, cost of the imported route, and name of the routing policy during route importing
l (Optional) IS-IS process number, Network Entity Title (NET) of the IS-IS process, number of the VLANIF interface bound to the VPN instance, type and process number of the routing protocol run between an MCE and a PE, type and value of the cost of the imported route, administrative tag of the imported route, and level of the routing table for storing the imported route
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } { interface-type interface-number [ gateway-address ] | vpn-instance vpn-destination-name gateway-address | gateway-address } [ preference preference ] [ track bfd-session cfg-name ] [ description description ] command to configure a static route to the site.
You must specify the next hop address on the local device.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the rip [ process-id ] [ vpn-instance vpn-instance-name ] command to create and enable a
RIP process used by a VPN instance and enter the RIP view.
Step 3 Run the network network-address command to enable RIP routes on the network segment where
the IP address of the interface bound to the VPN instance belongs.
Step 4 (Optional) Run the import-route { { static | direct } | { { rip | ospf | isis } [ process-id ] } }
[ cost cost | route-policy route-policy-name ] * command to import routes from other routing
protocols.
If another routing protocol is run between an MCE and a PE in this VPN, you need to perform
this step.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] * command
to create an OSPF process used by a VPN instance and enter the OSPF view.
Step 3 (Optional) Run the import-route { limit limit-number | protocol [ process-id ] [ cost cost |
route-policy route-policy-name | tag tag | type type ] * } command to import routes from other
routing protocols.
If another routing protocol is run between an MCE and a PE in this VPN, you need to perform
this step.
Step 4 Run the area area-id command to create an OSPF area and enter the OSPF area view.
Step 5 Run the network address wildcard-mask [ description text ] command to enable OSPF routes
on the network segment where the IP address of the interface bound to the VPN instance belongs.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the interface interface-type interface-number command to enter the view of the interface
bound to the VPN instance.
Step 3 Run the isis enable [ process-id ] command to enable IS-IS on the interface.
By default, IS-IS is disabled on a VLANIF interface.
Step 4 Run the isis [ process-id ] vpn-instance vpn-instance-name command to create an IS-IS process
used by a VPN instance and enter the IS-IS view.
Step 5 Run the network-entity net command to configure a NET.
By default, no NET is configured for an IS-IS process.
Step 6 Run the import-route protocol [ process-id ] [ cost-type { external | internal } | cost cost |
tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] * command to import
routes from other routing protocols.
If another routing protocol is run between an MCE and a PE in this VPN, you need to perform
this step.
----End
[Destination/Mask column of this display ip routing-table output is not present on the page]
Proto   Pre   Cost   Flags   NextHop      Interface
Direct  0     0      D       172.16.1.2   Vlanif10
Direct  0     0      D       172.16.1.1   Vlanif10
Direct  0     0      D       127.0.0.1    InLoopBack0
Direct  0     0      D       172.18.1.2   Vlanif30
Direct  0     0      D       172.18.1.1   Vlanif30
Direct  0     0      D       127.0.0.1    InLoopBack0
RIP     100   1      D       172.16.1.1   Vlanif10
Pre-configuration Tasks
Before configuring a route multi-instance between an MCE and a PE, complete the following task:
Data Preparation
To configure a route multi-instance between an MCE and a PE, you need the following data.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } { interface-type interface-number [ gateway-address ] | vpn-instance vpn-destination-name gateway-address | gateway-address } [ preference preference ] [ track bfd-session cfg-name ] [ description description ] command to configure a static route to a PE.
You must specify the next hop address on the local device.
----End
Context
Do as follows on the MCE.
You need to perform similar configurations on a PE. For details, refer to manuals of
corresponding products.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the rip [ process-id ] vpn-instance vpn-instance-name command to create and enable a
RIP process used by a VPN instance and enter the RIP view.
Step 3 Run the network network-address command to enable RIP routes on the network segment where
the IP address of the interface bound to the VPN instance belongs.
Step 4 (Optional) Run the import-route { { static | direct } | { { rip | ospf | isis } [ process-id ] } }
[ cost cost | route-policy route-policy-name ] * command to import routes from other routing
protocols.
If another routing protocol is run between an MCE and a site in this VPN, you need to perform
this step.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] * command
to create an OSPF process used by a VPN instance and enter the OSPF view.
Step 3 (Optional) Run the import-route { limit limit-number | protocol [ process-id ] [ cost cost |
route-policy route-policy-name | tag tag | type type ] * } command to import routes from other
routing protocols.
If another routing protocol is run between an MCE and a site in this VPN, you need to perform
this step.
Step 4 Run the area area-id command to create an OSPF area and enter the OSPF area view.
Step 5 Run the network address wildcard-mask [ description text ] command to enable OSPF routes
on the network segment where the IP address of the interface bound to the VPN instance belongs.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the interface interface-type interface-number command to enter the view of the interface
bound to the VPN instance.
Step 3 Run the isis enable [ process-id ] command to enable IS-IS on the interface.
By default, IS-IS is disabled on a VLANIF interface.
Step 4 Run the isis [ process-id ] vpn-instance vpn-instance-name command to create an IS-IS process
used by a VPN instance and enter the IS-IS view.
Step 5 Run the network-entity net command to configure a NET.
By default, no NET is configured for an IS-IS process.
Step 6 (Optional) Run the import-route protocol [ process-id ] [ cost-type { external | internal } |
cost cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] * command
to import routes from other routing protocols.
If another routing protocol is run between an MCE and a site in this VPN, you need to perform
this step.
----End
Destination/Mask    Proto   Pre   Cost   Flags   NextHop      Interface
172.18.0.0/16       Direct  0     0      D       172.18.1.1   Ethernet0/0/0
172.18.1.1/32       Direct  0     0      D       127.0.0.1    InLoopBack0
172.18.255.255/32   Direct  0     0      D       127.0.0.1    InLoopBack0
192.168.0.0/16      O_ASE   150   1      D       172.16.1.1   Ethernet0/0/0
255.255.255.255/32  Direct  0     0      D       127.0.0.1    InLoopBack0
CE1, CE2, CE3, and CE4 are edge devices of the VPN.
CE1 and CE3 belong to a VPN instance named vpnb, and CE2 and CE4 belong to a VPN instance named vpna.
PE1 and PE2 are edge routers of the backbone network. BGP or MPLS IP VPN is configured on the backbone network between PE1 and PE2.
It is required that route isolation between VPNs be implemented on the MCE and that the routes of the VPNs be advertised to PE2 through OSPF.
Figure 2-2 Networking diagram for configuring MCE (PE1 and PE2 connected over a BGP MPLS IP VPN backbone, with CE1 (vpnb) and CE2 (vpna) on the PE1 side; PE2 GE0/0/1 172.18.1.1/16 connected to MCE VLANIF30 172.18.1.2/16 over VLAN30 on MCE Eth0/0/1; MCE VLANIF10 172.16.1.2/16 (VLAN10, Eth0/0/3) connected to CE3 VLANIF10 172.16.1.1/16 in vpnb with subnet 192.168.1.0/24 behind it; MCE VLANIF20 172.17.1.2/16 (VLAN20, Eth0/0/4) connected to CE4 VLANIF20 172.17.1.1/16 in vpna with subnet 192.168.2.0/24 behind it)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on the MCE, PE2, CE3, and CE4, and add the interfaces connecting these devices to the VLANs.
2. Bind VPN instances to the VLANIF interfaces on the MCE and to the sub-interfaces on PE2, and assign IP addresses to these interfaces.
3. Configure the OSPF route multi-instance between the MCE and PE2.
4. Configure RIP between the MCE and CE3, and between the MCE and CE4.
Data Preparation
To complete the configuration, you need the following data:
l VLANs between the MCE, PE2, CE3, and CE4, as shown in Figure 2-2
Configuration Procedure
1.
Create VLANs on the MCE, PE2, CE3, and CE4, and add the interfaces connecting these
devices to the VLANs.
# Create VLANs on the MCE.
<Quidway> system-view
[Quidway] sysname MCE
[MCE] vlan batch 10 20 30 40
[MCE] interface ethernet 0/0/1
[MCE-Ethernet0/0/1] port link-type access
[MCE-Ethernet0/0/1] port default vlan 30
[MCE-Ethernet0/0/1] quit
[MCE] interface ethernet 0/0/2
[MCE-Ethernet0/0/2] port link-type access
[MCE-Ethernet0/0/2] port default vlan 40
[MCE-Ethernet0/0/2] quit
[MCE] interface ethernet 0/0/3
[MCE-Ethernet0/0/3] port link-type trunk
[MCE-Ethernet0/0/3] port trunk allow-pass vlan 10
[MCE-Ethernet0/0/3] quit
[MCE] interface ethernet 0/0/4
[MCE-Ethernet0/0/4] port link-type trunk
[MCE-Ethernet0/0/4] port trunk allow-pass vlan 20
[MCE-Ethernet0/0/4] quit
2. Bind VPN instances to the VLANIF interfaces on the MCE and to the sub-interfaces on PE2, and assign IP addresses to these interfaces.
# Bind VPN instances to VLANIF interfaces on the MCE and assign IP addresses to the VLANIF interfaces.
[MCE] interface vlanif 10
[MCE-Vlanif10] ip binding vpn-instance vpnb
[MCE-Vlanif10] ip address 172.16.1.2 16
[MCE-Vlanif10] quit
[MCE] interface vlanif 20
[MCE-Vlanif20] ip binding vpn-instance vpna
[MCE-Vlanif20] ip address 172.17.1.2 16
[MCE-Vlanif20] quit
[MCE] interface vlanif 30
[MCE-Vlanif30] ip binding vpn-instance vpnb
[MCE-Vlanif30] ip address 172.18.1.2 16
[MCE-Vlanif30] quit
[MCE] interface vlanif 40
[MCE-Vlanif40] ip binding vpn-instance vpna
[MCE-Vlanif40] ip address 172.19.1.2 16
[MCE-Vlanif40] quit
# Bind VPN instances to sub-interfaces on PE2 and assign IP addresses to the sub-interfaces.
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet0/0/1] ip address 172.18.1.1 255.255.0.0
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface gigabitethernet 0/0/2
[PE2-GigabitEthernet0/0/2] ip binding vpn-instance vpna
[PE2-GigabitEthernet0/0/2] ip address 172.19.1.1 255.255.0.0
[PE2-GigabitEthernet0/0/2] quit
3. Configure the OSPF route multi-instance between the MCE and PE2.
# Configure the OSPF route multi-instance on PE2.
[PE2] ospf 100 vpn-instance vpna
[PE2-ospf-100] vpn-instance-capability simple
[PE2-ospf-100] area 0
[PE2-ospf-100-area-0.0.0.0] network 172.19.0.0 0.0.255.255
[PE2-ospf-100-area-0.0.0.0] quit
[PE2-ospf-100] quit
[PE2] ospf 200 vpn-instance vpnb
[PE2-ospf-200] vpn-instance-capability simple
[PE2-ospf-200] area 0
[PE2-ospf-200-area-0.0.0.0] network 172.18.0.0 0.0.255.255
[PE2-ospf-200-area-0.0.0.0] quit
[PE2-ospf-200] quit
# Configure the OSPF route multi-instance on the MCE.
[MCE] ospf 100 vpn-instance vpna
[MCE-ospf-100] area 0
[MCE-ospf-100-area-0.0.0.0] network 172.19.0.0 0.0.255.255
[MCE-ospf-100-area-0.0.0.0] quit
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] area 0
[MCE-ospf-200-area-0.0.0.0] network 172.18.0.0 0.0.255.255
[MCE-ospf-200-area-0.0.0.0] quit
[MCE-ospf-200] quit
4. Configure RIP between the MCE and CE3, and between the MCE and CE4.
# Configure RIP-2 on the MCE.
[MCE] rip 100 vpn-instance vpna
[MCE-rip-100] version 2
[MCE-rip-100] network 172.17.0.0
[MCE-rip-100] import-route ospf 100
[MCE-rip-100] quit
[MCE] rip 200 vpn-instance vpnb
[MCE-rip-200] version 2
[MCE-rip-200] network 172.16.0.0
[MCE-rip-200] import-route ospf 200
[MCE-rip-200] quit
# Configure RIP-2 on CE3 (commands entered in the RIP view).
version 2
network 172.16.0.0
network 192.168.1.0
import-route direct
# Configure RIP-2 on CE4 (commands entered in the RIP view).
version 2
network 172.17.0.0
network 192.168.2.0
import-route direct
5.
[Destination/Mask column of this display ip routing-table output is not present on the page]
Proto   Pre   Cost   Flags   NextHop      Interface
Direct  0     0      D       172.16.1.2   Vlanif10
Direct  0     0      D       172.16.1.1   Vlanif10
Direct  0     0      D       127.0.0.1    InLoopBack0
Direct  0     0      D       172.18.1.2   Vlanif30
Direct  0     0      D       172.18.1.1   Vlanif30
Direct  0     0      D       127.0.0.1    InLoopBack0
RIP     100   1      D       172.16.1.1   Vlanif10
# Run the display ip routing-table vpn-instance command on the PE, and you can view
the routes to the local VPN.
Take vpnb on PE2 as an example:
Destination/Mask   Proto   Pre   Cost   Flags   NextHop      Interface
172.18.0.0/16      Direct  0     0      D       172.18.1.1   GigabitEthernet0/0/1
172.18.1.1/32      Direct  0     0      D       127.0.0.1    InLoopBack0
192.168.0.0/16     O_ASE   150   1      D       172.18.1.2   GigabitEthernet0/0/1
Configuration Files
The following lists only the configuration files related to the MCE. For details on configuring BGP or MPLS IP VPN, refer to the manuals of the corresponding devices.
network 192.168.1.0
import-route direct
#
return
3 IPSec Configuration
Encapsulation mode
Transport mode: AH or ESP is inserted behind the IP header but before all transport-layer protocols or all other IPSec protocols, as shown in Figure 3-1.
Tunnel mode: AH or ESP is inserted before the original IP header but behind a new IP header, as shown in Figure 3-2.
Figure 3-1 Packet format in transport mode
Mode: transport
AH: IP Header | AH | TCP Header | data
ESP: IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data
AH-ESP: IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data
Figure 3-2 Packet format in tunnel mode
Mode: tunnel
AH: new IP Header | AH | raw IP Header | TCP Header | data
ESP: new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
AH-ESP: new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
Negotiation mode
IPSec uses two negotiation modes to establish SAs: manual mode (manual) and IKE
negotiation mode (isakmp).
3. Configure an IPSec policy or an IPSec policy group to specify the association between data flows and the IPSec proposal (protection measures for the data flows), SA negotiation mode, peer IP address (start and end points of the protection path), required key, and SA lifetime.
Applicable Environment
Data flows must be authenticated to ensure data transmission security. In a high security scenario,
data flows must be authenticated and encrypted. In such a scenario, configure IPSec on the device
that initiates the IPSec service and the device that terminates the IPSec service.
Pre-configuration Tasks
Before establishing an IPSec tunnel manually, complete the following tasks:
l Setting parameters of the link-layer protocol for the interfaces to ensure that the link-layer protocol on the interfaces is Up
Data Preparation
To establish an IPSec tunnel manually, you need the following data.
Procedure
Step 1 Run:
system-view
l The ACL must be configured to match the data flows accurately. It is recommended that you set the
action of the ACL rule to permit for the data flows that need to be protected.
l Create different ACLs and IPSec policies for the data flows with different security requirements.
----End
Procedure
Step 1 Run:
system-view
Context
CAUTION
When configuring SPI, string authentication key (string-key), hexadecimal authentication key
(authentication-hex), and hexadecimal encryption key (encryption-hex) on two ends of an
IPSec tunnel, ensure that the inbound parameters on the local end are the same as the outbound
parameters on the remote end, and the outbound parameters on the local end are the same as the
inbound parameters on the remote end.
Procedure
Step 1 Run:
system-view
An IPSec policy group can contain up to 10000 IPSec policies. By default, no IPSec policy
exists.
Step 3 Run:
security acl acl-number
CAUTION
Use the same key format on the two ends. For example, if the key on one end is a character string
but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be established.
If you configure the keys in different formats, the last configured key takes effect.
Step 10 (Optional) Run:
sa encryption-hex { inbound | outbound } esp hex-key
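As an added example that is not part of the guide, the Python script below models the manual-SA commands of an IPSec policy (sa spi, sa string-key, sa authentication-hex and sa encryption-hex, each taking { inbound | outbound } and a protocol, following the syntax pattern of Step 10 above) and checks the two CAUTIONs: local inbound parameters must equal remote outbound parameters and vice versa, and both ends must use the same key format, with a later key in a different format replacing the earlier one. The command lines are constructed for the example.

```python
"""Symmetry and key-format checks for a manually configured IPSec SA."""
from typing import Dict, List, Tuple

# Key commands and the format each one implies (syntax assumed from the Step 10 pattern).
KEY_KINDS = {"string-key": "string", "authentication-hex": "hex", "encryption-hex": "hex"}
OPPOSITE = {"inbound": "outbound", "outbound": "inbound"}


def parse_manual_sa(lines: List[str]) -> Dict[Tuple[str, str], dict]:
    """Map (direction, protocol) -> {spi, format, keys}, applying the lines in configuration order."""
    sas: Dict[Tuple[str, str], dict] = {}
    for line in lines:
        words = line.split()
        if len(words) < 5 or words[0] != "sa":
            continue
        kind, direction, proto, value = words[1], words[2], words[3], words[4]
        entry = sas.setdefault((direction, proto), {"spi": None, "format": None, "keys": {}})
        if kind == "spi":
            entry["spi"] = value
        elif kind in KEY_KINDS:
            fmt = KEY_KINDS[kind]
            if entry["format"] is not None and entry["format"] != fmt:
                entry["keys"] = {}          # CAUTION: the last configured key format takes effect
            entry["format"] = fmt
            entry["keys"][kind] = value
    return sas


def check_manual_sa(local: List[str], remote: List[str]) -> List[str]:
    """Return the mismatches between the two ends; an empty list means they can form the SA."""
    mine_all, theirs_all = parse_manual_sa(local), parse_manual_sa(remote)
    problems = []
    for (direction, proto), mine in mine_all.items():
        other = OPPOSITE[direction]
        theirs = theirs_all.get((other, proto))
        if theirs is None:
            problems.append(f"remote has no {other} {proto} SA to match local {direction}")
            continue
        # Local inbound must equal remote outbound (and vice versa) for the SPI ...
        if mine["spi"] != theirs["spi"]:
            problems.append(f"{proto} spi mismatch: local {direction} {mine['spi']} "
                            f"vs remote {other} {theirs['spi']}")
        # ... and for the key format and key values.
        if mine["format"] != theirs["format"]:
            problems.append(f"{proto} key format mismatch: local {mine['format']} "
                            f"vs remote {theirs['format']}")
        elif mine["keys"] != theirs["keys"]:
            problems.append(f"{proto} key mismatch for local {direction}")
    return problems


# Constructed sample: a consistent pair of manual ESP SAs using string keys.
LOCAL = [
    "sa spi inbound esp 12345",
    "sa spi outbound esp 54321",
    "sa string-key inbound esp abcdefg",
    "sa string-key outbound esp gfedcba",
]
REMOTE = [
    "sa spi inbound esp 54321",
    "sa spi outbound esp 12345",
    "sa string-key inbound esp gfedcba",
    "sa string-key outbound esp abcdefg",
]

if __name__ == "__main__":
    print(check_manual_sa(LOCAL, REMOTE) or "consistent")
    # A hex key configured after the string key on one end changes its key format.
    print(check_manual_sa(LOCAL, REMOTE + ["sa encryption-hex outbound esp 0123456789abcdef"]))
```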
Context
An interface can use only one IPSec policy. An IPSec policy group that establishes an SA through
IKE negotiation can be applied to multiple interfaces, whereas an IPSec policy group that is used
to establish an SA manually can be applied only to one interface. If the applied IPSec policy
establishes an SA in manual mode, the SA is generated immediately.
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations required for establishing an IPSec tunnel manually are complete.
Procedure
l Run the display ipsec sa command to view information about the SA.
l Run the display ipsec proposal [ name proposal-name ] command to view information about the IPSec proposal.
l Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to view information about the IPSec policy.
----End
Application Environment
Data flows must be authenticated to ensure data transmission security. In a high security scenario,
data flows must be authenticated and encrypted. In such a scenario, configure IPSec on the device
that initiates the IPSec service and the device that terminates the IPSec service.
When the network topology is complex, you can establish IPSec tunnels through IKE
negotiation.
Pre-configuration Tasks
Before establishing an IPSec tunnel through IKE negotiation, complete the following tasks:
l Setting parameters of the link-layer protocol and IP addresses for the interfaces to ensure that the link-layer protocol on the interfaces is Up
Data Preparation
To establish an IPSec tunnel through IKE negotiation, you need the following data:
l IKE peer name, negotiation mode, IKE proposal name, IKE peer ID type, pre-shared key, remote address, (optional) VPN instance bound to the IPSec tunnel, and remote host name
l Name and sequence number of the IPSec policy, (optional) Perfect Forward Secrecy (PFS) feature used in IKE negotiation
l Type and number of the interface to which the IPSec policy is applied
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The pre-shared key used by the local end and remote peer is configured.
If pre-shared key authentication is configured, configure a pre-shared key for each remote peer.
The two ends of an IPSec tunnel must use the same pre-shared key.
When pre-shared key authentication is configured, an authenticator must be configured.
Step 10 (Optional) Run:
remote-address [ vpn-instance vpn-instance-name ] ip-address
The remote host name is configured. Perform this step only when name authentication is used
in aggressive mode.
If IKEv2 is used, set local-id-type to ip and peer-id-type to name, and configure remote-name.
Step 12 Run:
quit
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
l In IKEv1, the IKE peers compare the lifetime set in their IPSec proposals and use the smaller
value as the IPSec SA lifetime.
l In IKEv2, the IKE peers do not negotiate the SA lifetime. Instead, they use the locally set
SA lifetime.
l The default IPSec SA lifetime is 3600 seconds, and the default traffic volume is 1843200
kilobytes.
Step 7 Run:
ike-peer peer-name
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.
If PFS is specified on the local end, you also need to specify PFS on the remote peer. The Diffie-Hellman group specified on the two ends must be the same; otherwise, the negotiation fails. If the remote end uses the template mode, the Diffie-Hellman groups can be different.
----End
Procedure
Step 1 Run:
system-view
Step 6 Run:
ike-peer peer-name
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.
By default, the PFS feature is not used in IKE negotiation.
----End
Procedure
Step 1 Run:
system-view
Step 6 Run:
ipsec anti-replay { enable | disable }
l Run:
dpd { idle-time seconds | retransmit-interval seconds | retry-limit times }
The idle time for DPD, retransmission interval of DPD packets, and maximum number of retransmissions are set.
l Run:
dpd msg { seq-hash-notify | seq-notify-hash }
l Run:
dpd type { on-demand | periodic }
Procedure
Step 1 Run:
system-view
established immediately after the IKE negotiation succeeds. In traffic-based triggering mode,
the SA is established only after data flows matching the IPSec policy are sent from the interface.
After IKE negotiation succeeds and the SA is established, the data flows are encrypted and then
transmitted between two ends.
----End
Prerequisite
The configurations required to establish an IPSec tunnel through IKE negotiation are complete.
Procedure
l Run the display ike sa command to view information about the SAs established through IKE negotiation.
l Run the display ike peer [ name peer-name ] [ verbose ] command to view the configuration of a specified IKE peer or all IKE peers.
l Run the display ike proposal command to view the configuration of a specified IKE proposal or all IKE proposals.
l Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | peerip peer-ip-address ] command to view the configuration of a specified SA or all SAs.
l Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to view information about a specified IPSec policy or all IPSec policies.
l Run the display ipsec proposal [ name proposal-name ] command to view information about a specified IPSec proposal or all IPSec proposals.
----End
Prerequisite
The configurations of IPSec are complete.
Procedure
- Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | peerip peer-ip-address ] command to check information about the IPSec SA.
- Run the display ike sa [ v2 ] [ conn-id connid | peer-name peername | phase phasenumber | verbose ] command to check information about the IPSec tunnel that is established.
- Run the display ipsec statistics { ah | esp } command to check the statistics about IPSec packets.
- Run the display ike statistics { all | msg | v2 } command to check the statistics about IKE packets.
----End
Context
CAUTION
The statistics cannot be restored after being cleared.
Procedure
- Run the reset ipsec statistics { ah | esp } command in the user view to clear the statistics about IPSec packets.
- Run the reset ike statistics { all | msg } command in the user view to clear the statistics about IKE packets.
- Run the reset ike sa { all | conn-id connection-id } command in the user view to delete a specified IPSec tunnel or all established IPSec tunnels.
----End
Networking Requirements
As shown in Figure 3-3, an IPSec tunnel is established between RouterA and RouterB to protect
data flows between the subnet of PC A (10.1.1.x) and subnet of PC B (10.1.2.x). The IPSec
tunnel uses the ESP protocol, DES encryption algorithm, and SHA-1 authentication algorithm.
[Figure 3-3: PC A (10.1.1.2/24) -- RouterA (Eth 1/0/0, 202.138.163.1/24) -- Internet, IPSec Tunnel -- RouterB (202.138.162.1/24) -- PC B (10.1.2.2/24)]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Configure Access Control Lists (ACLs) and define the data flows to be protected.
3.
4.
5. Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
6.
Procedure
Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit
Step 2 Configure ACLs on RouterA and RouterB to define the data flows to be protected.
# Configure an ACL on RouterA.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Huawei-acl-adv-3101] quit
# Configure a static route to the peer on RouterB. In this example, the next hop to PC A is 202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
# Configure an IPSec proposal on RouterA.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit
# Configure an IPSec proposal on RouterB.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit
Run the display ipsec proposal command on RouterA and RouterB to view the configuration of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Number of Proposals: 1
IPsec proposal name: tran1
Encapsulation mode: Tunnel
Transform          : esp-new
ESP protocol       : Authentication SHA1-HMAC-96
                     Encryption DES
tunnel remote 202.138.163.1
tunnel local 202.138.162.1
sa spi outbound esp 54321
sa spi inbound esp 12345
sa string-key outbound esp gfedcba
sa string-key inbound esp abcdefg
quit
Run the display ipsec policy command on RouterA and RouterB to view the configurations of
the IPSec policies. Take the display on RouterA as an example.
[Huawei] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using interface: {}
===========================================
Sequence number: 10
Security data flow: 3101
Tunnel local address: 202.138.163.1
Tunnel remote address: 202.138.162.1
Proposal name:tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: gfedcba
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: abcdefg
ESP encryption hex key:
ESP authentication hex key:
Step 6 Apply the IPSec policies to the interfaces of RouterA and RouterB.
# Apply the IPSec policy to the interface of RouterA.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy map1
[Huawei-Ethernet1/0/0] quit
Run the display ipsec sa command on RouterA and RouterB to view the configuration of the
IPSec SAs. Take the display on RouterA as an example.
[Huawei] display ipsec sa
===============================
Interface: Ethernet 1/0/0
Path MTU: 1500
===============================
----------------------------
IPsec policy name: "map1"
Sequence number: 10
Mode: Manual
----------------------------
Encapsulation mode: Tunnel
Tunnel local : 202.138.163.1
Tunnel remote: 202.138.162.1
[Outbound ESP SAs]
SPI: 12345 (0x3039)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
No duration limit for this SA
[Inbound ESP SAs]
SPI: 54321 (0xd431)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
No duration limit for this SA
Configuration Files
- Configuration file of RouterB
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.162.1
 tunnel remote 202.138.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
#
ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
#
interface Ethernet1/0/0
 ip address 202.138.162.1 255.255.255.0
 ipsec policy use1
#
return
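Manual keying only works when the two ends mirror each other: RouterA's outbound SPI and string-key must be RouterB's inbound SPI and string-key (and vice versa), the tunnel local and remote addresses swap, and the two ACL rules are mirror images. The following Python check is an added example, not part of the guide; RouterB's parameters come from the configuration file above, while RouterA's are a constructed sample assembled from the procedure steps, since the guide does not print RouterA's file.

```python
import re

# Constructed sample: RouterA's manual-mode configuration, assembled from the
# procedure steps in this chapter (the guide does not print RouterA's file).
ROUTER_A = """
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ipsec policy map1 10 manual
 tunnel local 202.138.163.1
 tunnel remote 202.138.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
"""
# RouterB's configuration file as printed above, trimmed to the SA fields.
ROUTER_B = """
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec policy use1 10 manual
 tunnel local 202.138.162.1
 tunnel remote 202.138.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
"""
FIELDS = {
    "local": r"tunnel local (\S+)", "remote": r"tunnel remote (\S+)",
    "spi_in": r"sa spi inbound esp (\d+)", "spi_out": r"sa spi outbound esp (\d+)",
    "key_in": r"sa string-key inbound esp (\S+)", "key_out": r"sa string-key outbound esp (\S+)",
}
# A's outbound SA is B's inbound SA (and vice versa); the tunnel endpoints swap.
MIRROR = [("local", "remote"), ("remote", "local"), ("spi_out", "spi_in"),
          ("spi_in", "spi_out"), ("key_out", "key_in"), ("key_in", "key_out")]

def parse_manual_sa(cfg):
    """Extract the fields a manual-keyed ESP SA depends on from a VRP config dump."""
    sa = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, cfg)
        sa[name] = m.group(1) if m else None
    acl = re.search(r"rule (?:\d+ )?permit ip source (\S+) (\S+) destination (\S+) (\S+)", cfg)
    sa["acl"] = acl.groups() if acl else None
    return sa

def cross_check(cfg_a, cfg_b):
    """Return every mismatch that would stop RouterA and RouterB from decrypting each other."""
    a, b = parse_manual_sa(cfg_a), parse_manual_sa(cfg_b)
    problems = [f"A.{fa}={a[fa]} does not match B.{fb}={b[fb]}"
                for fa, fb in MIRROR if a[fa] is None or a[fa] != b[fb]]
    # The protected flow must be defined symmetrically: A's source/destination
    # pair is B's destination/source pair, or one end drops the other's traffic.
    if not (a["acl"] and b["acl"]):
        problems.append("ACL rule missing on one end")
    elif a["acl"][:2] != b["acl"][2:] or a["acl"][2:] != b["acl"][:2]:
        problems.append("ACL rules on the two ends are not mirror images")
    return problems
```

With the two configurations from this example the check returns an empty list; a key typed differently on one end, the most common manual-keying fault, shows up as a single named mismatch.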
Networking Requirements
As shown in Figure 3-4, an IPSec tunnel is established between RouterA and RouterB. This
IPSec tunnel protects data flows between the subnet of PC A (10.1.1.x) and subnet of PC B
(10.1.2.x). The IPSec tunnel uses the ESP protocol, DES encryption algorithm, and MD5
authentication algorithm.
[Figure 3-4: PC A (10.1.1.2/24) -- RouterA (Eth 1/0/0, 202.138.163.1/24) -- Internet, IPSec Tunnel -- RouterB (202.138.162.1/24) -- PC B (10.1.2.2/24)]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Specify the local host ID and IKE peer for IKE negotiation.
3. Configure Access Control Lists (ACLs) and define the data flows to be protected.
4.
5.
6. Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
7.
Procedure
Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit
Step 2 Configure local IDs and IKE peers on RouterA and RouterB.
# Configure the local ID and IKE peer on RouterA.
[Huawei] ike peer spub v1
[Huawei-ike-peer-spub] pre-shared-key huawei
[Huawei-ike-peer-spub] remote-address 202.138.162.1
[Huawei-ike-peer-spub] quit
NOTE
In aggressive mode, if the value of local-id-type is name, configure the IP address of the remote peer
(remote-address x.x.x.x) on the local end.
# Configure the local ID and IKE peer on RouterB.
[Huawei] ike peer spua v1
[Huawei-ike-peer-spua] pre-shared-key huawei
[Huawei-ike-peer-spua] remote-address 202.138.163.1
[Huawei-ike-peer-spua] quit
Run the display ike peer command on RouterA and RouterB to view the configuration of the
IKE peer. Take the display on RouterA as an example.
[Huawei] display ike peer name spub verbose
----------------------------------------
Peer name               : spub
Exchange mode           : main on phase 1
Pre-shared-key          : huawei
Local ID type           : IP
DPD                     : Disable
DPD mode                : Periodic
DPD idle time           : 30
DPD retransmit interval : 15
DPD retry limit         : 3
Peer Ip address         : 202.138.162.1
VPN name                :
Local IP address        :
Remote name             :
Nat-traversal           : Disable
Configured IKE version  : Version one
----------------------------------------
Step 3 Configure ACLs on RouterA and RouterB to define the data flows to be protected.
# Configure an ACL on RouterA.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Huawei-acl-adv-3101] quit
# Configure a static route to the peer on RouterB. In this example, the next hop to PC A is 202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
Run the display ipsec proposal command on RouterA and RouterB to view the configuration of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Number of Proposals: 1
IPsec proposal name: tran1
Encapsulation mode: Tunnel
Transform          : esp-new
ESP protocol       : Authentication MD5-HMAC-96
                     Encryption DES
# Configure an IPSec policy on RouterA.
[Huawei] ipsec policy map1 10 isakmp
[Huawei-ipsec-policy-isakmp-map1-10] ike-peer spub
[Huawei-ipsec-policy-isakmp-map1-10] proposal tran1
[Huawei-ipsec-policy-isakmp-map1-10] security acl 3101
[Huawei-ipsec-policy-isakmp-map1-10] quit
# Configure an IPSec policy on RouterB.
[Huawei] ipsec policy map1 10 isakmp
[Huawei-ipsec-policy-isakmp-map1-10] ike-peer spua
[Huawei-ipsec-policy-isakmp-map1-10] proposal tran1
[Huawei-ipsec-policy-isakmp-map1-10] security acl 3101
[Huawei-ipsec-policy-isakmp-map1-10] quit
Run the display ipsec policy command on RouterA and RouterB to view the configurations of
the IPSec policies. Take the display on RouterA as an example.
[Huawei] display ipsec policy
===========================================
IPsec policy group: "map1"
Using interface: {}
===========================================
Sequence number: 10
Security data flow: 3101
Peer name: spub
Perfect forward secrecy: None
Proposal name: tran1
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
SA trigger mode: Automatic
Step 7 Apply the IPSec policies to the interfaces of RouterA and RouterB.
# Apply the IPSec policy to the interface of RouterA.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy map1
[Huawei-Ethernet1/0/0] quit
Run the display ipsec sa command on RouterA and RouterB to view the configuration of the
IPSec SAs. Take the display on RouterA as an example.
[Huawei] display ipsec sa
===============================
Interface: Ethernet 1/0/0
path MTU: 1500
===============================
----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
----------------------------
Connection id: 3
encapsulation mode: tunnel
tunnel local : 202.138.163.1
tunnel remote: 202.138.162.1
[inbound ESP SAs]
spi: 1406123142 (0x53cfbc86)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436528/3575
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3835455224 (0xe49c66f8)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436464/3575
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
----End
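The display ipsec sa output is where a reviewer sees the security posture of a tunnel at a glance: whether the SA was keyed manually (Mode: Manual, no duration limit) or negotiated by IKE, which algorithms the proposal actually uses, and how much of the configured lifetime remains. The following Python script is an added example, not part of the guide; it parses the two RouterA displays quoted in this chapter (the manual-mode SA from the ESP/DES/SHA-1 example and the IKE-negotiated SA above) and flags static keys, DES or MD5 in the proposal, and lifetimes that are inconsistent with or close to the 3600 second / 1843200 kilobyte defaults.

```python
import re

# Samples quoted from the RouterA displays in this chapter: the manual-mode SA
# (ESP/DES/SHA-1 example) and the IKE-negotiated SA (ESP/DES/MD5 example).
MANUAL_SA = """
Mode: Manual
[Outbound ESP SAs]
SPI: 12345 (0x3039)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
No duration limit for this SA
"""
ISAKMP_SA = """
mode: isakmp
[inbound ESP SAs]
spi: 1406123142 (0x53cfbc86)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436528/3575
[outbound ESP SAs]
spi: 3835455224 (0xe49c66f8)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436464/3575
"""
# Defaults stated in this chapter: 3600 seconds and 1843200 kilobytes per IPSec SA.
LIFETIME_SEC, LIFETIME_BYTES = 3600, 1843200 * 1024
# DES and HMAC-MD5 are retired for ESP (RFC 8221 rates both MUST NOT).
WEAK = {"DES": "ESP-ENCRYPT-DES", "MD5": "ESP-AUTH-MD5"}

def parse_sas(text):
    """Split a display ipsec sa dump into one record per SA direction (field case differs by mode)."""
    mode = re.search(r"^\s*mode:\s*(\w+)", text, re.I | re.M).group(1).lower()
    sas = []
    for block in re.split(r"\[(?=\w+ ESP SAs\])", text)[1:]:
        dur = re.search(r"\(bytes/sec\):\s*(\d+)/(\d+)", block)
        sas.append({"mode": mode, "dir": block.split()[0].lower(),
                    "spi": int(re.search(r"spi:\s*(\d+)", block, re.I).group(1)),
                    "proposal": re.search(r"proposal:\s*(.+)", block, re.I).group(1).strip(),
                    "remaining": (int(dur.group(1)), int(dur.group(2))) if dur else None})
    return sas

def audit(text):
    """List what a reviewer would flag in the SA dump: static keys, weak algorithms, lifetime."""
    findings = []
    for sa in parse_sas(text):
        tag = f"{sa['dir']} SPI {sa['spi']}"
        if sa["mode"] == "manual":
            findings.append(f"{tag}: manual keying, static key never rekeys")
        findings += [f"{tag}: {n} in proposal" for n, mark in WEAK.items() if mark in sa["proposal"]]
        if sa["remaining"]:
            b, s = sa["remaining"]
            if b > LIFETIME_BYTES or s > LIFETIME_SEC:
                findings.append(f"{tag}: remaining lifetime exceeds the configured lifetime")
            elif min(b / LIFETIME_BYTES, s / LIFETIME_SEC) < 0.1:
                findings.append(f"{tag}: SA about to expire, rekey expected")
    return findings
```

On the IKE-negotiated output the remaining 1887436528 bytes and 3575 seconds sit just under the 1887436800 byte and 3600 second defaults, so only the DES and MD5 findings are reported.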
Configuration Files
Networking Requirements
As shown in Figure 3-5, an IPSec tunnel is established between RouterA and RouterB. This
IPSec tunnel protects data flows between the subnet of PC A (10.1.1.x) and subnet of PC B
(10.1.2.x). The IPSec tunnel uses the ESP protocol, DES encryption algorithm, and SHA-1
authentication algorithm.
[Figure 3-5: PC A (10.1.1.2/24) -- RouterA (Eth 1/0/0, 202.138.163.1/24) -- Internet, IPSec Tunnel -- RouterB (202.138.162.1/24) -- PC B (10.1.2.2/24)]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3. Specify the local host ID and IKE peer for IKE negotiation.
4. Configure Access Control Lists (ACLs) and define the data flows to be protected.
5.
6.
7. Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
8.
Procedure
Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit
Step 3 Configure local IDs and IKE peers on RouterA and RouterB.
# Configure the local ID and IKE peer on RouterA.
[Huawei] ike local-name huawei01
[Huawei] ike peer spub v1
[Huawei-ike-peer-spub] exchange-mode aggressive
[Huawei-ike-peer-spub] ike-proposal 1
[Huawei-ike-peer-spub] local-id-type name
[Huawei-ike-peer-spub] pre-shared-key huawei
[Huawei-ike-peer-spub] remote-name huawei02
[Huawei-ike-peer-spub] remote-address 202.138.162.1
[Huawei-ike-peer-spub] local-address 202.138.163.1
[Huawei-ike-peer-spub] quit
NOTE
In aggressive mode, if the value of local-id-type is name, configure the IP address of the remote peer
(remote-address x.x.x.x) on the local end.
Run the display ike peer command on RouterA and RouterB to view the configuration of the
IKE peer. Take the display on RouterA as an example.
[Huawei] display ike peer name spub verbose
----------------------------------------
Peer name               : spub
Exchange mode           : aggressive on phase 1
Pre-shared-key          : huawei
Proposal                : 1
Local ID type           : Name
DPD                     : Disable
DPD mode                : Periodic
DPD idle time           : 30
DPD retransmit interval : 15
DPD retry limit         : 3
Peer Ip address         : 202.138.162.1
VPN name                :
Local IP address        : 202.138.163.1
Remote name             : huawei02
Nat-traversal           : Disable
Configured IKE version  : Version one
----------------------------------------
Step 4 Configure ACLs on RouterA and RouterB to define the data flows to be protected.
# Configure an ACL on RouterA.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Huawei-acl-adv-3101] quit
# Configure a static route to the peer on RouterB. In this example, the next hop to PC A is 202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
# Configure an IPSec proposal on RouterA.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit
# Configure an IPSec proposal on RouterB.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit
Run the display ipsec proposal command on RouterA and RouterB to view the configuration of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Number of Proposals: 1
IPsec proposal name: tran1
Encapsulation mode: Tunnel
Transform          : esp-new
ESP protocol       : Authentication SHA1-HMAC-96
                     Encryption DES
[Huawei-ipsec-policy-isakmp-map1-10] quit
# Configure an IPSec policy on RouterB.
[Huawei] ipsec policy map1 10 isakmp
[Huawei-ipsec-policy-isakmp-map1-10] ike-peer spua
[Huawei-ipsec-policy-isakmp-map1-10] proposal tran1
[Huawei-ipsec-policy-isakmp-map1-10] security acl 3101
[Huawei-ipsec-policy-isakmp-map1-10] quit
Run the display ipsec policy command on RouterA and RouterB to view the configurations of
the IPSec policies. Take the display on RouterA as an example.
[Huawei] display ipsec policy
===========================================
IPsec policy group: "map1"
Using interface: {}
===========================================
Sequence number: 10
Security data flow: 3101
Peer name: spub
Perfect forward secrecy: None
Proposal name: tran1
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
SA trigger mode: Automatic
Step 8 Apply the IPSec policies to the interfaces of RouterA and RouterB.
# Apply the IPSec policy to the interface of RouterA.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy map1
[Huawei-Ethernet1/0/0] quit
Run the display ipsec sa command on RouterA and RouterB to view the configuration of the
IPSec SAs. Take the display on RouterA as an example.
[Huawei] display ipsec sa
===============================
Interface: Ethernet 1/0/0
path MTU: 1500
===============================
----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
----------------------------
Connection id: 3
encapsulation mode: tunnel
tunnel local : 202.138.163.1
tunnel remote: 202.138.162.1
[inbound ESP SAs]
spi: 1406123142 (0x53cfbc86)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436528/3575
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3835455224 (0xe49c66f8)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3575
----End
Configuration Files