
Huawei AR2200-S Series Enterprise Routers

V200R001C01

Configuration Guide - VPN


Issue

01

Date

2012-01-06

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address:

Huawei Industrial Base


Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website:

http://www.huawei.com

Email:

support@huawei.com

Issue 01 (2012-01-06)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

About This Document


Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the VPN features supported by the AR2200-S,
and describes how to configure them.
This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol    Description
DANGER    Indicates a hazard with a high level of risk, which if not avoided, will result in
          death or serious injury.
WARNING   Indicates a hazard with a medium or low level of risk, which if not avoided, could
          result in minor or moderate injury.
CAUTION   Indicates a potentially hazardous situation, which if not avoided, could result in
          equipment damage, data loss, performance degradation, or unexpected results.
TIP       Indicates a tip that may help you solve a problem or save time.
NOTE      Provides additional information to emphasize or supplement important points of the
          main text.


Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention        Description
Boldface          The keywords of a command line are in boldface.
Italic            Command arguments are in italics.
[ ]               Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }   Alternative items are grouped in braces and separated by vertical bars.
                  Exactly one item must be selected.
[ x | y | ... ]   Optional items are grouped in brackets and separated by vertical bars.
                  One item or no item is selected.
{ x | y | ... }*  Alternative items are grouped in braces and separated by vertical bars.
                  A minimum of one item and a maximum of all items can be selected.
[ x | y | ... ]*  Optional items are grouped in brackets and separated by vertical bars.
                  Several items or no item can be selected.
&<1-n>            The parameter before the & sign can be repeated 1 to n times.
#                 A line starting with the # sign is a comment.

Interface Numbering Conventions


Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.

Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.

Changes in Issue 01 (2012-01-06)


Initial commercial release.

Contents
About This Document.....................................................................................................................ii
1 GRE Configuration.......................................................................................................................1
1.1 Introduction to GRE...........................................................................................................................................2
1.2 GRE Features Supported by the AR2200-S.......................................................................................................2
1.3 Configuring GRE................................................................................................................................................3
1.3.1 Establishing the Configuration Task.........................................................................................................3
1.3.2 Configuring a Tunnel Interface.................................................................................................................4
1.3.3 Configuring Routes for the Tunnel............................................................................................................5
1.3.4 (Optional) Configuring GRE Security Options.........................................................................................6
1.3.5 Checking the Configuration.......................................................................................................................7
1.4 Configuring the Keepalive Function..................................................................................................................8
1.4.1 Establishing the Configuration Task.........................................................................................................8
1.4.2 Enabling the Keepalive Function..............................................................................................................9
1.4.3 Checking the Configuration.....................................................................................................................10
1.5 Maintaining GRE..............................................................................................................................................11
1.5.1 Resetting the Statistics of a Tunnel Interface..........................................................................................11
1.5.2 Monitoring the Running Status of GRE..................................................................................................12
1.5.3 Debugging GRE......................................................................................................................................12
1.6 Configuration Examples...................................................................................................................................12
1.6.1 Example for Configuring a Static Route for GRE...................................................................................12
1.6.2 Example for Configuring a Dynamic Routing Protocol for GRE...........................................................17
1.6.3 Example for Configuring a GRE Tunnel to Transmit VPN Multicast Data Encrypted with IPSec........20
1.6.4 Example for Configuring the Keepalive Function for GRE....................................................................26

2 MCE Configuration.....................................................................................................................29
2.1 Introduction to MCE.........................................................................................................................................30
2.1.1 MCE Overview........................................................................................................................................30
2.1.2 MCE Functions Supported by the AR2200-S.........................................................................................31
2.2 Configuring a VPN Instance.............................................................................................................................31
2.2.1 Establishing the Configuration Task.......................................................................................................32
2.2.2 Creating a VPN instance..........................................................................................................................32
2.2.3 Binding an Interface with a VPN Instance..............................................................................................33
2.2.4 Checking the Configuration.....................................................................................................................34

2.3 Configuring a Route Multi-Instance Between an MCE and a Site...................................................................34


2.3.1 Establishing the Configuration Task.......................................................................................................34
2.3.2 (Optional) Configuring a Static Route Between an MCE and a Site......................................................35
2.3.3 (Optional) Configuring RIP Between an MCE and a Site.......................................................................36
2.3.4 (Optional) Configuring OSPF Between an MCE and a Site...................................................................36
2.3.5 (Optional) Configuring IS-IS Between an MCE and a Site....................................................................37
2.3.6 Checking the Configuration.....................................................................................................................37
2.4 Configuring a Route Multi-Instance Between an MCE and a PE....................................................................38
2.4.1 Establishing the Configuration Task.......................................................................................................38
2.4.2 (Optional) Configuring a Static Route Between an MCE and a PE........................................................39
2.4.3 (Optional) Configuring RIP Between an MCE and a PE........................................................................39
2.4.4 (Optional) Configuring OSPF Between an MCE and a PE.....................................................................40
2.4.5 (Optional) Configuring IS-IS Between an MCE and a PE......................................................................41
2.4.6 Checking the Configuration.....................................................................................................................41
2.5 MCE Configuration Examples.........................................................................................................................42
2.5.1 Example for Configuring MCE...............................................................................................................42

3 IPSec Configuration....................................................................................................................49
3.1 IPSec Overview................................................................................................................................................50
3.2 IPSec Features Supported by the AR2200-S....................................................................................................51
3.3 Establishing an IPSec Tunnel Manually...........................................................................................................52
3.3.1 Establishing the Configuration Task.......................................................................................................52
3.3.2 Defining Protected Data Flows................................................................................................................53
3.3.3 Configuring an IPSec Proposal................................................................................................................53
3.3.4 Configuring an IPSec Policy...................................................................................................................54
3.3.5 Applying an IPSec Policy to an Interface................................................................................................56
3.3.6 Checking the Configuration.....................................................................................................................56
3.4 Establishing an IPSec Tunnel Through IKE Negotiation.................................................................................57
3.4.1 Establishing the Configuration Task.......................................................................................................57
3.4.2 Defining Protected Data Flows................................................................................................................58
3.4.3 Configuring an IKE Proposal..................................................................................................................58
3.4.4 Configuring an IKE Peer.........................................................................................................................59
3.4.5 Configuring an IPSec Proposal................................................................................................................61
3.4.6 Configuring an IPSec Policy...................................................................................................................62
3.4.7 (Optional) Configuring an IPSec Policy Template..................................................................................63
3.4.8 (Optional) Setting Optional Parameters..................................................................................................64
3.4.9 Applying an IPSec policy to an interface................................................................................................65
3.4.10 Checking the Configuration...................................................................................................................66
3.5 Maintaining IPSec............................................................................................................................................66
3.5.1 Displaying the IPSec Configuration........................................................................................................66
3.5.2 Clearing IPSec Information.....................................................................................................................67
3.6 Configuration Examples...................................................................................................................................67
3.6.1 Example for Establishing an SA Manually.............................................................................................67

3.6.2 Example for Configuring IKE Negotiation Using Default Settings........................................................72


3.6.3 Example for Configuring IKE Negotiation.............................................................................................77


1 GRE Configuration

About This Chapter


Generic Routing Encapsulation (GRE) encapsulates the packets of certain network layer
protocols so that the encapsulated packets can be transmitted over an IPv4 network.
1.1 Introduction to GRE
The transmission of packets in a GRE tunnel involves two processes: encapsulation and
decapsulation. After receiving a packet of a network layer protocol that needs to be
tunnelled, the system adds a GRE header to the packet and encapsulates the result in a
packet of the delivery protocol, such as IP.
1.2 GRE Features Supported by the AR2200-S
GRE features supported by the AR2200-S include the following: extending the reach of a
network running a hop-limited protocol, and working together with IP Security (IPSec),
which by itself protects only unicast traffic, to carry multicast data.
1.3 Configuring GRE
GRE is configured on a tunnel interface, so a tunnel interface must be created first.
1.4 Configuring the Keepalive Function
Before configuring a tunnel policy and a GRE tunnel for the VPN, enable the GRE tunnel
Keepalive function. With this function enabled, the VPN does not select a GRE tunnel whose
remote end is unreachable, which avoids data loss.
1.5 Maintaining GRE
This section describes how to reset the statistics of a tunnel interface and monitor the GRE
running status.
1.6 Configuration Examples
Familiarize yourself with the configuration procedures against the networking diagrams. This
section provides networking requirements, configuration notes, and a configuration roadmap
for each example.


1.1 Introduction to GRE


The transmission of packets in a GRE tunnel involves two processes: encapsulation and
decapsulation. After receiving a packet of a network layer protocol that needs to be
tunnelled, the system adds a GRE header to the packet and encapsulates the result in a
packet of the delivery protocol, such as IP. After encapsulation, packets of the passenger
protocol can be carried across a network that runs a different network layer protocol.
GRE can serve as a Layer 3 tunneling protocol for VPNs. A tunnel is a virtual point-to-point
connection and is represented by a virtual interface that supports only point-to-point
connections. This interface provides the path over which encapsulated datagrams are
transmitted. GRE encapsulates datagrams at one end of the tunnel and decapsulates them at
the other.
GRE itself provides no confidentiality, integrity protection, or peer authentication. When
the delivery network is untrusted, protect the GRE tunnel with IPSec, as described in 1.2.

1.2 GRE Features Supported by the AR2200-S


GRE features supported by the AR2200-S include the following: extending the reach of a
network running a hop-limited protocol, and working together with IP Security (IPSec),
which by itself protects only unicast traffic, to carry multicast data.

Enlarging the Operation Scope of the Network Running a Hop-Limited Protocol


If the hop count between the two terminals in Figure 1-1 exceeds the limit of the routing
protocol in use (for example, 15 hops for RIP), the two terminals cannot communicate with
each other.
Figure 1-1 Networking diagram of enlarged network operation scope (PC - IP network - IP
network crossed by a tunnel - IP network - PC)

When a tunnel is used in the network, the hops inside the tunnel are hidden from the
hop-limited protocol. This enlarges the scope over which the network can operate.

Working in Combination with IPSec to Compensate for the IPSec Limitation in Multicast
Data Protection
Multicast data can be encapsulated with GRE and transmitted through a GRE tunnel, whereas
IPSec can encrypt and protect only unicast data.

Figure 1-2 Networking diagram of GRE-IPSec tunnel application (corporate intranet and
remote office network connected across the Internet by a GRE tunnel carried inside an IPSec
tunnel)

As shown in Figure 1-2, to transmit multicast data through an IPSec tunnel, establish a GRE
tunnel and encapsulate the multicast data with GRE, then encrypt the GRE-encapsulated
packets, which are now unicast, with IPSec. The encrypted multicast data can then be
transmitted in the IPSec tunnel.

1.3 Configuring GRE


GRE is configured on a tunnel interface, so a tunnel interface must be created first.

1.3.1 Establishing the Configuration Task


Before configuring a GRE tunnel, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration.

Applicable Environment
To set up a GRE tunnel, create a tunnel interface first, and configure the GRE functions on the
tunnel interface. If the tunnel interface is deleted, all the configurations on the interface are
deleted.

Pre-configuration Tasks
Before configuring an ordinary GRE tunnel, complete the following task:
- Configuring reachable routes between the source and destination interfaces

Data Preparation
To configure an ordinary GRE tunnel, you need the following data.

No.  Data
1    Number of the tunnel interface
2    Source address and destination address of the tunnel
3    IP address of the tunnel interface
4    Key of the tunnel interface

1.3.2 Configuring a Tunnel Interface


After creating a tunnel interface, specify GRE as the encapsulation type, set the tunnel source
address or source interface, and set the tunnel destination address. In addition, set the tunnel
interface network address so that the tunnel can support dynamic routing protocols.

Context
Perform the following steps on the routers at the two ends of a tunnel.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

A tunnel interface is created and the tunnel interface view is displayed.


Step 3 Run:
tunnel-protocol { gre | none }

Select gre: the tunnel is encapsulated with GRE.


Step 4 Run:
source { source-ip-address | interface-type interface-number }

The source address or source interface of the tunnel is configured.


NOTE

- The virtual IP address of a VRRP backup group can be configured as the source address of the
  GRE tunnel.
- A bridge-if interface cannot be configured as the source interface of the GRE tunnel.

A tunnel interface cannot be specified as its own source interface, but another tunnel
interface can be.
Step 5 Run:
destination ip-address

The destination address of the tunnel is configured.


Step 6 (Optional) Run:
mtu mtu

The Maximum Transmission Unit (MTU) of the tunnel interface is modified.



The new MTU takes effect only after you run the shutdown command and then the undo
shutdown command on the interface.
Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
- Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP
  address of the tunnel interface.
- Run the ip address unnumbered interface interface-type interface-number command to
  configure IP unnumbered for the tunnel interface.
To support dynamic routing protocols on a tunnel, configure a network address for the tunnel
interface. The network address of the tunnel interface need not be a public address, but the
tunnel interfaces at both ends must be in the same network segment.
By default, the network address of a tunnel interface is not set.
----End

1.3.3 Configuring Routes for the Tunnel


Routes for a tunnel must be available on both the source and destination devices so that packets
encapsulated with GRE can be forwarded correctly. A route passing through tunnel interfaces
can be a static route or a dynamic route.

Context
Perform the following steps on the devices at two ends of a tunnel.
NOTE

The packets encapsulated with GRE are forwarded correctly only if the routes for the tunnel are available
on both the source and destination routers.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Choose one of the following methods to configure routes passing through the tunnel interface.
- Run the ip route-static ip-address { mask | mask-length } tunnel interface-number
  [ description text ] command to configure a static route.
  The static route must be configured on both ends of the tunnel. In this command, the
  destination address is neither the destination address of the tunnel nor the address of the
  remote tunnel interface, but the destination of the original packet before it is
  encapsulated with GRE. The outbound interface must be the local tunnel interface.
- Configure dynamic routes using an IGP or BGP. The procedure is not described here; see the
  AR2200-S Configuration Guide - IP Routing.
  When using a dynamic routing protocol, enable it on both the tunnel interface and the
  interface connected to the private network. To keep routing correct, the route to the
  physical or logical interface at the tunnel destination must never exit through the tunnel
  interface itself; otherwise the GRE-encapsulated packets are routed back into the tunnel
  (recursive routing) and the tunnel cannot carry traffic.
  Use Router A in Figure 1-3 as an example. The source interface of Tunnel 0/0/1 is GE 1/0/0
  on Router A, and its destination is GE 2/0/0 on Router C. If a dynamic routing protocol is
  used, it must run on the tunnel interface and on the GE interface connected to the PC. In
  the routing table of Router A, the outbound interface of the route to the network segment
  of GE 2/0/0 on Router C must not be Tunnel 0/0/1.
  In practice, run different routing protocols, or different processes of the same protocol,
  on the tunnel interfaces and on the physical interfaces connected to the public network, or
  raise the metric of the tunnel interface. Either measure prevents the tunnel interface from
  being selected as the outbound interface for packets destined for the tunnel destination,
  and prevents a physical interface from forwarding user packets that should go through the
  tunnel.
Figure 1-3 Diagram of configuring the GRE dynamic routing protocol (PC1 - GE2/0/0 RouterA
GE1/0/0 - Backbone - GE2/0/0 RouterC GE1/0/0 - PC2; Tunnel0/0/1 on RouterA and Tunnel0/0/2
on RouterC form the tunnel across the backbone)

----End
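The recursive-routing mistake described above is easy to introduce once a dynamic routing protocol runs over the tunnel, and it is easy to check for. The following is an added example in Python, not AR2200-S software: it performs longest-prefix lookup of each tunnel's destination in a routing table and reports any tunnel whose destination is reached through the tunnel itself. The function names, the addresses for Router A of Figure 1-3 and the routing-table entries are constructed for the illustration.

```python
"""Check a routing table for the recursive-routing mistake: the route to a
GRE tunnel's destination must not exit through that tunnel.
Added example, not AR2200-S code; addresses and interfaces are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    """One routing-table entry: destination prefix and outbound interface."""
    prefix: str               # e.g. "30.1.1.0/24"
    interface: str            # e.g. "Tunnel0/0/1" or "GigabitEthernet1/0/0"
    proto: str = "Static"     # protocol that installed the route (Direct, Static, OSPF, ...)

    def __post_init__(self):
        self.prefix = ipaddress.IPv4Network(self.prefix)


@dataclass
class Tunnel:
    """A GRE tunnel interface and the address set with its destination command."""
    name: str
    destination: str


def lookup(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match, the same selection the forwarding table performs."""
    addr = ipaddress.IPv4Address(address)
    best = None
    for route in routes:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def check_tunnel_routes(routes: List[Route], tunnels: List[Tunnel]) -> List[str]:
    """One finding per tunnel whose destination has no route or is reached
    through the tunnel itself (recursive routing)."""
    findings = []
    for tunnel in tunnels:
        route = lookup(routes, tunnel.destination)
        if route is None:
            findings.append(f"{tunnel.name}: no route to tunnel destination {tunnel.destination}")
        elif route.interface == tunnel.name:
            findings.append(
                f"{tunnel.name}: {route.proto} route {route.prefix} to tunnel destination "
                f"{tunnel.destination} exits via {tunnel.name} itself (recursive routing)")
    return findings


def example_router_a():
    """Router A of Figure 1-3 with constructed addresses: GE1/0/0 faces the
    backbone (20.1.1.0/24), GE2/0/0 faces PC1 (10.1.1.0/24), and Tunnel0/0/1
    ends on GE2/0/0 of Router C (30.1.1.2). Returns findings for a correct
    table and for one where OSPF run over the tunnel leaked a host route."""
    tunnel = Tunnel("Tunnel0/0/1", "30.1.1.2")
    good = [
        Route("20.1.1.0/24", "GigabitEthernet1/0/0", "Direct"),
        Route("10.1.1.0/24", "GigabitEthernet2/0/0", "Direct"),
        Route("30.1.1.0/24", "GigabitEthernet1/0/0", "OSPF"),   # backbone path to Router C
        Route("10.2.1.0/24", "Tunnel0/0/1", "Static"),          # PC2's segment, through the tunnel
    ]
    # The /32 is more specific than the /24, so longest-prefix match sends the
    # GRE-encapsulated packets back into the tunnel that is supposed to carry them.
    bad = good + [Route("30.1.1.2/32", "Tunnel0/0/1", "OSPF")]
    return check_tunnel_routes(good, [tunnel]), check_tunnel_routes(bad, [tunnel])


if __name__ == "__main__":
    ok, broken = example_router_a()
    print("correct table:", ok or "no findings")
    print("leaked host route:", broken)
```

The check deliberately uses longest-prefix match rather than comparing prefixes by eye: a single more-specific route learned through the tunnel overrides the correct backbone route, which is exactly how separate routing processes for tunnel and physical interfaces prevent the problem.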

1.3.4 (Optional) Configuring GRE Security Options


To tighten a GRE tunnel, configure end-to-end checksum verification, a tunnel key, or both.
These options stop the tunnel interface from accepting packets that do not belong to this
tunnel: corrupted packets fail the checksum, and packets carrying a different key, or no key,
are discarded.
Both options travel in cleartext in the GRE header. The checksum is not keyed and the key is
visible to anyone who can observe the tunnel traffic, so neither provides confidentiality or
cryptographic peer authentication. Where the transport network is untrusted, protect the GRE
tunnel with IPSec (see 1.2 and the IPSec chapter).

Context
Perform the following steps on the routers at two ends of a tunnel.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number


The tunnel interface view is displayed.


Step 3 Run:
gre checksum

End-to-end checksum verification is enabled for the tunnel. The sender computes a checksum
over the GRE header and payload and carries it in the GRE header; the receiver recomputes it
and discards packets whose checksum does not match.


By default, end-to-end checksum verification is disabled.
Step 4 Run:
gre key key-number

The key is set for the tunnel interface. The key is carried in the GRE header of every packet
sent from this interface, and received packets whose key does not match the locally
configured key are discarded.


If keys are set on the tunnel interfaces at both ends of the tunnel, they must use the same
key number. Alternatively, leave the key unset on both ends.
By default, no key is configured for the tunnel.
NOTE

Step 3 and Step 4 can be performed in either order.

----End
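To make the two options concrete, here is an added example in Python, not AR2200-S code, that builds and parses GRE headers as defined in RFC 2784 and RFC 2890 with the Checksum Present bit and the Key field, and shows which packets a receiving tunnel configured with a given key accepts or drops. It models the RFC header handling, not the router's implementation. The function names, the key value 1234 and the inner packet bytes are constructed for the example.

```python
"""GRE (RFC 2784/2890) encapsulation and decapsulation with the checksum and
key options. Added example, not AR2200-S code; INNER is a constructed
IPv4-shaped payload whose own header checksum is not validated here."""
import struct
from typing import Optional, Tuple

GRE_C = 0x8000          # Checksum Present
GRE_K = 0x2000          # Key Present
GRE_S = 0x1000          # Sequence Number Present
PROTO_IPV4 = 0x0800     # protocol type of the encapsulated packet

# Constructed 20-byte IPv4 header (10.1.1.2 -> 10.2.1.2) plus 8 zero payload bytes.
INNER = bytes.fromhex("4500001c000100004001000a0a0101020a020102") + bytes(8)


class GreDropped(Exception):
    """Raised when the receiver must discard a GRE packet."""


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's complement checksum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encap(payload: bytes, proto: int = PROTO_IPV4,
              key: Optional[int] = None, checksum: bool = False) -> bytes:
    """Prepend a GRE header; `key` mirrors gre key, `checksum` mirrors gre checksum."""
    flags = (GRE_C if checksum else 0) | (GRE_K if key is not None else 0)
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)          # checksum placeholder + Reserved1
    if key is not None:
        header += struct.pack("!I", key)
    packet = header + payload
    if checksum:
        # The checksum covers GRE header and payload, with the field itself zero.
        packet = packet[:4] + struct.pack("!HH", inet_checksum(packet), 0) + packet[8:]
    return packet


def gre_decap(packet: bytes, local_key: Optional[int] = None) -> Tuple[int, bytes]:
    """Validate and strip the GRE header as a receiving tunnel interface configured
    with `local_key` (None = no gre key) would. Returns (proto, payload)."""
    if len(packet) < 4:
        raise GreDropped("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise GreDropped("unsupported GRE version")
    offset = 4
    if flags & GRE_C:
        if len(packet) < offset + 4:
            raise GreDropped("truncated checksum field")
        # Summing the packet including the stored checksum must give zero.
        if inet_checksum(packet) != 0:
            raise GreDropped("checksum mismatch")
        offset += 4
    received_key = None
    if flags & GRE_K:
        if len(packet) < offset + 4:
            raise GreDropped("truncated key field")
        received_key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_S:
        offset += 4
    # The key must match exactly: a keyed packet on an unkeyed tunnel, or the
    # reverse, is dropped just like a packet with the wrong key.
    if received_key != local_key:
        raise GreDropped("key mismatch: got %r, expected %r" % (received_key, local_key))
    return proto, packet[offset:]


def _drops(packet: bytes, local_key: Optional[int]) -> bool:
    try:
        gre_decap(packet, local_key)
    except GreDropped:
        return True
    return False


def demo() -> dict:
    """Accept/drop decisions of a tunnel configured with gre key 1234 and gre checksum."""
    pkt = gre_encap(INNER, key=1234, checksum=True)
    corrupted = pkt[:-1] + bytes([pkt[-1] ^ 0xFF])     # one payload byte flipped in transit
    return {
        "accepted": gre_decap(pkt, local_key=1234) == (PROTO_IPV4, INNER),
        "wrong_key": _drops(pkt, local_key=4321),
        "no_key_on_receiver": _drops(pkt, local_key=None),
        "corrupted_payload": _drops(corrupted, local_key=1234),
        "unkeyed_packet_on_keyed_tunnel": _drops(gre_encap(INNER), local_key=1234),
    }


if __name__ == "__main__":
    for case, dropped_or_ok in demo().items():
        print(f"{case:32s} {'as expected' if dropped_or_ok else 'UNEXPECTED'}")
```

Note what the example does not do: an observer who captures one packet learns the key and can forge packets that pass both checks, which is why the section above points to IPSec for untrusted transport.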

1.3.5 Checking the Configuration


After a GRE tunnel is set up, you can view the running status and routing information about the
tunnel interface.

Context
The configurations of the GRE function are complete.

Procedure
- Run the display interface tunnel [ interface-number ] command to check tunnel interface
  information.
- Run the display ip routing-table command to check the IPv4 routing table.
- Run the ping -a source-ip-address host command to check whether the two ends of the
  tunnel can ping each other.

----End

Example
Run the display interface tunnel command. If the tunnel interface is Up, the configuration
succeeds. The key and Checksumming lines show whether the options from 1.3.4 are active. For
example:
<Huawei> display interface Tunnel 0/0/1
Tunnel0/0/1 current state : UP
Line protocol current state : UP
Description:HUAWEI, AR Series, Tunnel0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 5.5.5.2/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 150.1.1.1 (Ethernet4/0/0), destination 150.1.1.2
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
Current system time: 2008-03-04 19:17:30
300 seconds input rate 0 bits/sec, 0 packets/sec
300 seconds output rate 0 bits/sec, 0 packets/sec
0 seconds input rate 0 bits/sec, 0 packets/sec
0 seconds output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error
Input:
Unicast: 0 packets, Multicast: 0 packets
Output:
Unicast: 0 packets, Multicast: 0 packets
Input bandwidth utilization : --
Output bandwidth utilization : --

Run the display ip routing-table command. If the route passing through the tunnel interface
exists in the routing table, the configuration succeeds. For example:
[Huawei] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost   Flags  NextHop         Interface
10.1.1.0/24         Direct  0    0      D      10.1.1.2        GigabitEthernet2/0/0
10.1.1.2/32         Direct  0    0      D      127.0.0.1       InLoopBack0
10.2.1.0/24         Static  60   0      D      40.1.1.1        Tunnel0/0/2
20.1.1.1/32         Direct  0    0      D      127.0.0.1       InLoopBack0
40.1.1.0/24         Direct  0    0      D      40.1.1.1        Tunnel0/0/2
40.1.1.1/32         Direct  0    0      D      127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0      D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1       InLoopBack0

Run the ping -a source-ip-address host command to check that the ping from the local tunnel
interface to the remote tunnel interface succeeds.
<Huawei> ping -a 40.1.1.1 40.1.1.2
PING 40.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=24 ms
Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=48 ms
Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=33 ms
Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=36 ms
--- 40.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 24/34/48 ms

1.4 Configuring the Keepalive Function


Before configuring a tunnel policy and a GRE tunnel for the VPN, enable the GRE tunnel
Keepalive function. With this function enabled, the VPN does not select a GRE tunnel whose
remote end is unreachable, which avoids data loss.

1.4.1 Establishing the Configuration Task


Before configuring the GRE tunnel Keepalive function, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.

Application Environment
The Keepalive function can be configured on one end of a GRE tunnel to test the GRE tunnel
status. If the remote end is found to be unreachable, the tunnel is torn down promptly to avoid
a data black hole.
Figure 1-4 GRE tunnel supporting Keepalive
(Figure: RouterA (Source) and RouterB (Destination) connected by a GRE tunnel across the Internet)
Pre-configuration Tasks
Before configuring the Keepalive function, complete the following tasks:
l Configuring the link layer attributes of the interfaces
l Assigning IP addresses to the interfaces
l Establishing the GRE tunnel and keeping the tunnel Up

Data Preparation
To configure the Keepalive function, you need the following data.
No.  Data
1    Interval for sending Keepalive messages
2    Retry times of the unreachable timer

1.4.2 Enabling the Keepalive Function


The GRE tunnel Keepalive function is unidirectional. To implement the Keepalive function on
both ends, enable the Keepalive function on both ends of a GRE tunnel.

Context
Perform the following steps on the router that requires the Keepalive function.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
interface tunnel interface-number

The tunnel interface view is displayed.


Step 3 Run:
tunnel-protocol gre

The tunnel is encapsulated with GRE.


Step 4 Run:
keepalive [ period period [ retry-times retry-times ] ]

The Keepalive function is enabled.


The GRE tunnel Keepalive function is unidirectional. Therefore, to implement the Keepalive
function on both ends, enable it on both ends of the GRE tunnel. One end can be configured with
the Keepalive function regardless of whether the remote end has it enabled, but enabling the
Keepalive function on both ends of the GRE tunnel is still recommended.
TIP

Before configuring the tunnel policy and the GRE tunnel for the VPN, enable the GRE tunnel Keepalive
function. With this function enabled, the VPN does not select a GRE tunnel that cannot reach the remote
end, so data loss is avoided. The reasons for enabling the Keepalive function are as follows:
l If the Keepalive function is not enabled, the local tunnel interface may stay Up regardless of
whether data reaches the remote end.
l If the Keepalive function is enabled on the local end, the local tunnel interface is set to Down when
the remote end is unreachable. As a result, the VPN does not select the unreachable GRE tunnel and
data is not lost.

----End
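As an added illustration (not from the Huawei guide), the following Python model shows what the period and retry-times parameters of the keepalive command do at one end of a GRE tunnel, and contrasts it with the black-hole case of the TIP above, where the function is disabled and the interface never goes Down. The class, its default values and the per-period event model are assumptions made for the simulation, not AR2200-S internals.

```python
from dataclasses import dataclass, field


@dataclass
class GreKeepalive:
    """Local end of a GRE tunnel running the Keepalive function.

    The function is unidirectional: this object only decides whether *this*
    end's tunnel interface goes Down. period and retry_times mirror the
    keepalive [ period period [ retry-times retry-times ] ] command; the
    defaults here are assumptions, not values taken from the guide.
    """
    enabled: bool = True
    period: int = 5           # seconds between Keepalive packets (assumed)
    retry_times: int = 3      # unanswered Keepalives before the tunnel is declared Down (assumed)
    up: bool = True
    unanswered: int = 0
    sent: int = 0             # "Send N keepalive packets to peers"
    responses: int = 0        # "Receive N keepalive response packets from peers"
    peer_keepalives: int = 0  # "Receive N keepalive packets from peers"
    responses_sent: int = 0   # "Send N keepalive response packets to peers"
    history: list = field(default_factory=list)

    def tick(self, peer_reachable: bool) -> bool:
        """One keepalive period elapses: send a Keepalive, record whether the
        Keepalive Response came back, and return the tunnel state afterwards."""
        if not self.enabled:
            return self.up        # no probes: the interface stays Up regardless
        self.sent += 1
        if peer_reachable:
            self.responses += 1
            self.unanswered = 0
            if not self.up:
                self.up = True
                self.history.append(("Up", self.sent))
        else:
            self.unanswered += 1
            if self.up and self.unanswered >= self.retry_times:
                self.up = False   # remote end unreachable: tear the tunnel down
                self.history.append(("Down", self.sent))
        return self.up

    def receive_keepalive(self) -> None:
        """A Keepalive from the remote end arrives and is answered; this happens
        whether or not the local Keepalive function is enabled."""
        self.peer_keepalives += 1
        self.responses_sent += 1

    def counters(self) -> str:
        """Same two lines as display keepalive packets count."""
        return (f"Send {self.sent} keepalive packets to peers, "
                f"Receive {self.responses} keepalive response packets from peers\n"
                f"Receive {self.peer_keepalives} keepalive packets from peers, "
                f"Send {self.responses_sent} keepalive response packets to peers")


def simulate(reachability, enabled=True, period=5, retry_times=3):
    """Drive one tunnel end through a list of per-period reachability results.

    Returns (state after the last period, seconds until the tunnel first went
    Down or None if it never did, the GreKeepalive object for inspection).
    """
    ka = GreKeepalive(enabled=enabled, period=period, retry_times=retry_times)
    down_at = None
    for reachable in reachability:
        ka.tick(reachable)
        if down_at is None and not ka.up:
            down_at = ka.sent * period
    return ka.up, down_at, ka


if __name__ == "__main__":
    # Constructed scenario: the remote end answers twice, then goes silent.
    outage = [True, True, False, False, False, False]
    up, down_at, ka = simulate(outage)
    print("keepalive enabled :", "Up" if up else "Down", "after", down_at, "s")
    print(ka.counters())
    # Same outage with the function disabled: the interface never notices.
    up, down_at, _ = simulate(outage, enabled=False)
    print("keepalive disabled:", "Up" if up else "Down", down_at)
```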

1.4.3 Checking the Configuration


After a GRE tunnel is enabled with the Keepalive function, you can view the Keepalive packets
and Keepalive Response packets sent and received by the GRE tunnel interfaces.

Prerequisite
The Keepalive function is enabled on the GRE tunnel.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

The tunnel interface view is displayed.


Step 3 Run:
display keepalive packets count


Check the Keepalive packets and Keepalive Response packets sent and received by the GRE
tunnel interface.
----End

Example
On the tunnel interface that is enabled with the Keepalive function, run the display keepalive
packets count command to ascertain the number of sent Keepalive packets and received
Keepalive Response packets on both the local end and the remote end. If the Keepalive function
is successfully configured on the local tunnel interface, the number of sent Keepalive packets
or received Keepalive Response packets on the local end is not 0.
[Huawei] interface tunnel 0/0/1
[Huawei-Tunnel0/0/1] tunnel-protocol gre
[Huawei-Tunnel0/0/1] keepalive
[Huawei-Tunnel0/0/1] display keepalive packets count
Send 34 keepalive packets to peers, Receive 34 keepalive response packets from peers
Receive 0 keepalive packets from peers, Send 0 keepalive response packets to peers

1.5 Maintaining GRE


This section describes how to reset the statistics of a tunnel interface and monitor the GRE
running status.

1.5.1 Resetting the Statistics of a Tunnel Interface


When you need to reset the statistics of a tunnel interface, you can run the reset commands to
clear the statistics about Keepalive packets and Keepalive Response packets sent and received
by a GRE tunnel interface.

Procedure
l Run the reset counters interface tunnel [ interface-number ] command in the system view
to reset statistics about the tunnel interface.
l Reset statistics about Keepalive packets on the tunnel interface.


1. Run:
system-view

The system view is displayed.

2. Run:
interface tunnel interface-number

The tunnel interface view is displayed.

3. Run:
reset keepalive packets count

Reset the statistics on Keepalive packets on the tunnel interface.


NOTE

You can run the reset keepalive packets count command only in the tunnel interface view,
and the interface tunnel protocol must be GRE.

----End

1.5.2 Monitoring the Running Status of GRE


In routine maintenance, you can run the GRE related display commands to view the GRE running
status.

Context
In routine maintenance, you can run the following commands to view the GRE running status.

Procedure
l Run the display interface tunnel [ interface-number ] command to check the tunnel
interface running status.
l Run the display ip routing-table command to check the routing table on the CE.
l Run the ping [ -a source-ip-address | -vpn-instance vpn-instance-name ] * host command
to check whether the two ends of the tunnel can communicate with each other.

----End

1.5.3 Debugging GRE


When a GRE fault occurs, you can run the GRE-related debugging commands to debug GRE
and locate the fault.

Context
NOTE

The debugging process affects system performance. Therefore, after finishing the debugging process, run
the undo debugging all command immediately to disable the debugging.

When GRE becomes abnormal, run the debugging commands in the user view to view debugging
information, locate the fault, and analyze the cause.

Procedure
l Run the debugging tunnel keepalive command in the user view to debug the Keepalive
function of the GRE tunnel.

----End

1.6 Configuration Examples


Familiarize yourself with the configuration procedures against the networking diagrams. This
section provides the networking requirements, configuration notes, and configuration roadmap
for each configuration example.

1.6.1 Example for Configuring a Static Route for GRE


This section provides an example for configuring a static route for GRE. In this networking,
traffic between users is transmitted through a GRE tunnel; a static route is configured between
the device and its connected client.

Networking Requirements
In Figure 1-5, Router A, Router B, and Router C belong to the VPN backbone network and
OSPF runs between them.
GRE is enabled between Router A and Router C to achieve interworking between PC1 and PC2.
PC1 takes Router A as its default gateway, and PC2 takes Router C as its default gateway.
Figure 1-5 Networking diagram of configuring a static route for GRE
(Figure: PC1 10.1.1.1/24 - GE2/0/0 10.1.1.2/24 RouterA GE1/0/0 20.1.1.1/24 - GE1/0/0 20.1.1.2/24
RouterB GE2/0/0 30.1.1.1/24 - GE1/0/0 30.1.1.2/24 RouterC GE2/0/0 10.2.1.2/24 - PC2 10.2.1.1/24;
GRE tunnel from Tunnel0/0/1 40.1.1.1/24 on RouterA to Tunnel0/0/1 40.1.1.2/24 on RouterC)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a dynamic routing protocol on the routers.
2. Create a tunnel interface on Router A and Router C.
3. Specify the source address of the tunnel interface as the IP address of the interface that
sends the packet.
4. Specify the destination address of the tunnel interface as the IP address of the interface that
receives the packet.
5. Assign network addresses to the tunnel interfaces to enable the tunnel to support the
dynamic routing protocol.
6. Configure the static route between Router A and its connected PC, and the static route
between Router C and its connected PC, so that the traffic between PC1 and PC2 is
transmitted through the GRE tunnel.
7. Configure the egress of the static route as the local tunnel interface.

Data Preparation
To complete the configuration, you need the following data:
l Data for running OSPF
l Source address and destination address of the GRE tunnel, and IP addresses of tunnel
interfaces

Procedure
Step 1 Assign an IP address to each interface.
Assign an IP address to each interface as shown in Figure 1-5. The specific configuration is not
mentioned here.
Step 2 Configure IGP for the VPN backbone network.
# Configure Router A.
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit

# Configure Router B.
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit

# Configure Router C.
[RouterC] ospf 1
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit

After the configuration, run the display ip routing-table command on Router A and Router C.
You can find that they both learn the OSPF route to the network segment of the remote interface.
Take Router A as an example.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost   Flags  NextHop         Interface

       10.1.1.0/24  Direct  0    0      D      10.1.1.2        GigabitEthernet2/0/0
       10.1.1.2/32  Direct  0    0      D      127.0.0.1       InLoopBack0
       20.1.1.1/32  Direct  0    0      D      127.0.0.1       InLoopBack0
       30.1.1.0/24  OSPF    10   2      D      20.1.1.2        GigabitEthernet1/0/0
        127.0.0.0/8  Direct  0    0      D      127.0.0.1       InLoopBack0
       127.0.0.1/32  Direct  0    0      D      127.0.0.1       InLoopBack0

Step 3 Configure the tunnel interface.


# Configure Router A.
[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 24
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2

[RouterA-Tunnel0/0/1] quit

# Configure Router C.
[RouterC] interface tunnel 0/0/1
[RouterC-Tunnel0/0/1] ip address 40.1.1.2 24
[RouterC-Tunnel0/0/1] source 30.1.1.2
[RouterC-Tunnel0/0/1] destination 20.1.1.1
[RouterC-Tunnel0/0/1] quit

After the configuration, the status of tunnel interfaces goes Up, and the tunnel interfaces can
ping each other successfully.
Take Router A as an example:
[RouterA] ping -a 40.1.1.1 40.1.1.2
PING 40.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=24 ms
Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=48 ms
Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=33 ms
Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=36 ms
--- 40.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 24/34/48 ms


Step 4 Configure a static route.


# Configure Router A.
[RouterA] ip route-static 10.2.1.0 24 tunnel 0/0/1

# Configure Router C.
[RouterC] ip route-static 10.1.1.0 24 tunnel 0/0/1

After the configuration, run the display ip routing-table command on Router A and Router C.
You can find the static route to the network segment of the remote user end through the tunnel
interface.
Take Router A as an example:
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11

Destination/Mask    Proto   Pre  Cost   Flags  NextHop         Interface

       10.1.1.0/24  Direct  0    0      D      10.1.1.2        GigabitEthernet2/0/0
       10.1.1.2/32  Direct  0    0      D      127.0.0.1       InLoopBack0
       10.2.1.0/24  Static  60   0      D      40.1.1.1        Tunnel0/0/1
       20.1.1.0/24  Direct  0    0      D      20.1.1.1        GigabitEthernet1/0/0
       20.1.1.1/32  Direct  0    0      D      127.0.0.1       InLoopBack0
       20.1.1.2/32  Direct  0    0      D      20.1.1.2        GigabitEthernet1/0/0
       30.1.1.0/24  OSPF    10   2      D      20.1.1.2        GigabitEthernet1/0/0
       40.1.1.0/24  Direct  0    0      D      40.1.1.1        Tunnel0/0/1
       40.1.1.1/32  Direct  0    0      D      127.0.0.1       InLoopBack0
        127.0.0.0/8  Direct  0    0      D      127.0.0.1       InLoopBack0
       127.0.0.1/32  Direct  0    0      D      127.0.0.1       InLoopBack0

PC 1 and PC 2 can ping each other successfully.


----End

Configuration Files
l Configuration file of Router A

#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1
#
return

l Configuration file of Router B


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return

l Configuration file of Router C


#
sysname RouterC
#
interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.2.1.2 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#
return


1.6.2 Example for Configuring a Dynamic Routing Protocol for GRE


This section provides an example for configuring a dynamic route for GRE. In this networking,
traffic between users is transmitted through a GRE tunnel; a dynamic route is configured between
the device and its connected user.

Networking Requirements
In Figure 1-6, Router A, Router B, and Router C belong to the VPN backbone network and
OSPF runs between them.
GRE is enabled between Router A and Router C for the interworking between PC1 and PC2.
PC1 takes Router A as its default gateway, and PC2 takes Router C as its default gateway.
OSPF is enabled on the tunnel interface. OSPF process 1 is used for the VPN backbone network
and OSPF process 2 is used for user access.
Figure 1-6 Networking diagram of configuring a dynamic routing protocol for GRE
(Figure: PC1 10.1.1.1/24 - GE2/0/0 10.1.1.2/24 RouterA GE1/0/0 20.1.1.1/24 - GE1/0/0 20.1.1.2/24
RouterB GE2/0/0 30.1.1.1/24 - GE1/0/0 30.1.1.2/24 RouterC GE2/0/0 10.2.1.2/24 - PC2 10.2.1.1/24;
OSPF 1 runs on the backbone between RouterA, RouterB and RouterC; GRE tunnel from Tunnel0/0/1
40.1.1.1/24 on RouterA to Tunnel0/0/1 40.1.1.2/24 on RouterC, with OSPF 2 running over the tunnel)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IGP on each router in the backbone network to realize the interworking between
these devices. Here OSPF process 1 is used.
2. Create the GRE tunnel between the routers that are connected to the PCs. The routers can then
communicate through the GRE tunnel.

3. Configure the dynamic routing protocol on the network segments through which PCs access
the backbone network. Here OSPF process 2 is used.

Data Preparation
To complete the configuration, you need the following data:
l Source address and destination address of the GRE tunnel
l IP addresses of the interfaces on both ends of the GRE tunnel

Procedure
Step 1 Assign an IP address to each interface.
Assign an IP address to each interface as shown in Figure 1-6. The specific configuration is not
mentioned here.
Step 2 Configure IGP for the VPN backbone network.
The specific configuration procedures are the same as those in 1.6.1 Example for Configuring
a Static Route for GRE and are not mentioned here.
Step 3 Configure the tunnel interfaces.
The specific configuration procedures are the same as those in 1.6.1 Example for Configuring
a Static Route for GRE and are not mentioned here.
Step 4 Configure OSPF on the tunnel interfaces.
# Configure Router A.
[RouterA] ospf 2
[RouterA-ospf-2] area 0
[RouterA-ospf-2-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] quit
[RouterA-ospf-2] quit

# Configure Router C.
[RouterC] ospf 2
[RouterC-ospf-2] area 0
[RouterC-ospf-2-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[RouterC-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[RouterC-ospf-2-area-0.0.0.0] quit
[RouterC-ospf-2] quit

Step 5 Verify the configuration.


After the configuration, run the display ip routing-table command on Router A and Router C.
You can find the OSPF route to the network segment of the remote user end through the tunnel
interface. Moreover, the next hop to the destination physical address (30.1.1.0/24) of the tunnel
is not the tunnel interface.
Take Router A as an example:
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11

Destination/Mask    Proto   Pre  Cost   Flags  NextHop         Interface

       10.1.1.0/24  Direct  0    0      D      10.1.1.2        GigabitEthernet2/0/0
       10.1.1.2/32  Direct  0    0      D      127.0.0.1       InLoopBack0
       10.2.1.0/24  OSPF    10   2      D      40.1.1.2        Tunnel0/0/1
       20.1.1.0/24  Direct  0    0      D      20.1.1.1        GigabitEthernet1/0/0
       20.1.1.1/32  Direct  0    0      D      127.0.0.1       InLoopBack0
       30.1.1.0/24  OSPF    10   2      D      20.1.1.2        GigabitEthernet1/0/0
       40.1.1.0/24  Direct  0    0      D      40.1.1.1        Tunnel0/0/1
       40.1.1.1/32  Direct  0    0      D      127.0.0.1       InLoopBack0
        127.0.0.0/8  Direct  0    0      D      127.0.0.1       InLoopBack0
       127.0.0.1/32  Direct  0    0      D      127.0.0.1       InLoopBack0


PC 1 and PC 2 can ping each other successfully.


----End

Configuration Files
l Configuration file of Router A


#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return

l Configuration file of Router B


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return

l Configuration file of Router C


#
sysname RouterC
#


interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.2.1.2 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return

1.6.3 Example for Configuring a GRE Tunnel to Transmit VPN Multicast Data Encrypted with IPSec

This section provides an example for configuring a GRE tunnel to transmit multicast packets
encrypted with IPSec. In this networking, a GRE tunnel is set up between devices; multicast
packets are encapsulated with GRE and then IPSec.

Networking Requirements
In Figure 1-7, Router A and Router C are required to transmit multicast packets, and the multicast
packets must be encrypted through IPSec. Before being encrypted through IPSec, multicast
packets must be encapsulated with GRE because IPSec cannot directly encrypt multicast packets.
Figure 1-7 Networking diagram of transmitting IPSec-encrypted multicast packets through a
GRE tunnel
(Figure: host 10.1.1.1/24 - GE2/0/0 10.1.1.2/24 RouterA GE1/0/0 20.1.1.1/24 - GE1/0/0 20.1.1.2/24
RouterB GE2/0/0 30.1.1.1/24 - GE1/0/0 30.1.1.2/24 RouterC GE2/0/0 10.2.1.2/24 - host 10.2.1.1/24;
GRE with IPSec from Tunnel0/0/1 40.1.1.1/24 on RouterA to Tunnel0/0/1 40.1.1.2/24 on RouterC)


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on the backbone network devices, namely, Router A, Router B, and
Router C, to realize the interworking between these devices.
2. Create a GRE tunnel between Router A and Router C to encapsulate multicast packets.
3. Create an IPSec tunnel between Router A and Router C to encrypt the GRE encapsulated
multicast packets.

Data Preparation
To complete the configuration, you need the following data:
l Data for configuring the routing protocol for the backbone network
l Source address and destination address of the GRE tunnel
l IP addresses of the interfaces on both ends of the GRE tunnel
l Parameters for configuring IKE such as pre-shared-key and remote-name
l Data for configuring IPSec such as IPSec proposal name and ACL

Procedure
Step 1 Configure the routing protocol.
Configure a routing protocol on Router A, Router B, and Router C to implement the interworking
between these devices. OSPF is configured in this example. The configuration details are not
mentioned here.
After the configuration,
l Router A and Router C are routable.
l Router A can successfully ping GE1/0/0 of Router C.
l Router C can successfully ping GE1/0/0 of Router A.
Step 2 Configure the interfaces of the GRE tunnel.
# Configure Router A.
[RouterA] interface tunnel0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
[RouterA-Tunnel0/0/1] tunnel-protocol gre
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] quit

# Configure Router C.
[RouterC] interface tunnel0/0/1
[RouterC-Tunnel0/0/1] ip address 40.1.1.2 255.255.255.0
[RouterC-Tunnel0/0/1] tunnel-protocol gre
[RouterC-Tunnel0/0/1] source 30.1.1.2
[RouterC-Tunnel0/0/1] destination 20.1.1.1
[RouterC-Tunnel0/0/1] quit

After the configuration,
l The GRE tunnel between Router A and Router C is set up.
l The status of the tunnel interfaces is Up.


Step 3 Enable multicast.
# Enable the multicast routing protocol globally. Enable PIM DM on the tunnel interfaces, and
enable PIM DM and IGMP on the interfaces connected to the PCs.
# Configure Router A.
[RouterA] multicast routing-enable
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] pim dm
[RouterA-GigabitEthernet2/0/0] igmp enable
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface tunnel0/0/1
[RouterA-Tunnel0/0/1] pim dm
[RouterA-Tunnel0/0/1] quit

# Configure Router C.
[RouterC] multicast routing-enable
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] pim dm
[RouterC-GigabitEthernet2/0/0] igmp enable
[RouterC-GigabitEthernet2/0/0] quit
[RouterC] interface tunnel0/0/1
[RouterC-Tunnel0/0/1] pim dm
[RouterC-Tunnel0/0/1] quit

# After multicast is enabled, the multicast data between Router A and Router C is transmitted
through the GRE tunnel.
Step 4 Configure aggressive IKE negotiation between Router A and Router C.
NOTE

To encapsulate multicast packets with GRE and then encrypt the multicast packets with IPSec, the remote
address in IKE peer mode must be the destination address of the local tunnel.

# Configure Router A.
[RouterA] ike local-name rta
[RouterA] ike peer RouterC v1
[RouterA-ike-peer-routerc] exchange-mode aggressive
[RouterA-ike-peer-routerc] local-id-type name
[RouterA-ike-peer-routerc] pre-shared-key 12345
[RouterA-ike-peer-routerc] remote-name rtc
[RouterA-ike-peer-routerc] remote-address 30.1.1.2
[RouterA-ike-peer-routerc] quit

# Configure Router C.
[RouterC] ike local-name rtc
[RouterC] ike peer RouterA v1
[RouterC-ike-peer-routera] exchange-mode aggressive
[RouterC-ike-peer-routera] local-id-type name
[RouterC-ike-peer-routera] pre-shared-key 12345
[RouterC-ike-peer-routera] remote-name rta
[RouterC-ike-peer-routera] remote-address 20.1.1.1
[RouterC-ike-peer-routera] quit

Step 5 Configure IPSec.


NOTE

Encapsulate multicast packets with GRE and then encrypt these packets with IPSec. Note that the source
and destination addresses for the local end of the tunnel must match the ACL of the IPSec policy, and the
IPSec policy must be applied to the physical interface transmitting data.


# Configure IPSec on Router A and Router C. The default parameters of the IPSec proposal are
used in this example.
# Configure Router A.
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule permit gre source 20.1.1.1 0 destination 30.1.1.2 0
[RouterA-acl-adv-3000] quit
[RouterA] ipsec proposal p1
[RouterA-ipsec-proposal-p1] quit
[RouterA] ipsec policy policy1 1 isakmp
[RouterA-ipsec-policy-isakmp-policy1-1] security acl 3000
[RouterA-ipsec-policy-isakmp-policy1-1] ike-peer RouterC
[RouterA-ipsec-policy-isakmp-policy1-1] proposal p1
[RouterA-ipsec-policy-isakmp-policy1-1] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ipsec policy policy1
[RouterA-GigabitEthernet1/0/0] quit

# Configure Router C.
[RouterC] acl number 3000
[RouterC-acl-adv-3000] rule permit gre source 30.1.1.2 0 destination 20.1.1.1 0
[RouterC-acl-adv-3000] quit
[RouterC] ipsec proposal p1
[RouterC-ipsec-proposal-p1] quit
[RouterC] ipsec policy policy1 1 isakmp
[RouterC-ipsec-policy-isakmp-policy1-1] security acl 3000
[RouterC-ipsec-policy-isakmp-policy1-1] ike-peer RouterA
[RouterC-ipsec-policy-isakmp-policy1-1] proposal p1
[RouterC-ipsec-policy-isakmp-policy1-1] quit
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ipsec policy policy1
[RouterC-GigabitEthernet1/0/0] quit

# After the configuration, the multicast data between Router A and Router C can be transmitted
through the GRE tunnel encrypted with IPSec.
Step 6 On the source device and the destination device of the tunnel, configure static routes that
forward traffic through the tunnel.
# Configure Router A.
[RouterA] ip route-static 10.2.1.0 255.255.255.0 tunnel 0/0/1

# Configure Router C.
[RouterC] ip route-static 10.1.1.0 255.255.255.0 tunnel 0/0/1

Step 7 Verify the configuration.


# After PC1 and PC2 successfully ping each other, you can view that IKE negotiation is
configured and IPSec encryption takes effect.
[RouterA] display ike sa
Conn-ID  Peer        VPN  Flag(s)  Phase
---------------------------------------------------------------
16       30.1.1.2    0    RD       1
17       30.1.1.2    0    RD       2
Flag Description:
RD--READY
ST--STAYALIVE
RL--REPLACED
FD--FADING
TO--TIMEOUT
HRT--HEARTBEAT
LKG--LAST KNOWN GOOD SEQ NO.
BCK--BACKED UP
[RouterA] display ips sa
===============================
Interface: GigabitEthernet1/0/0
path MTU: 1500
===============================


----------------------------
IPsec policy name: "policy1"
sequence number: 1
mode: isakmp
----------------------------
connection id: 17
encapsulation mode: tunnel
tunnel local : 20.1.1.1
tunnel remote: 30.1.1.2
[inbound ESP SAs]
spi: 2970386335 (0xb10c7f9f)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887434624/3081
max received sequence-number: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 1720763150 (0x6690c30e)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887434112/3081
max sent sequence-number: 33
udp encapsulation used for nat traversal: N
[RouterC] display ike sa
Conn-ID  Peer        VPN  Flag(s)  Phase
---------------------------------------------------------------
20       20.1.1.2    0    RD|ST    1
21       20.1.1.2    0    RD|ST    2
Flag Description:
RD--READY
ST--STAYALIVE
RL--REPLACED
FD--FADING
TO--TIMEOUT
HRT--HEARTBEAT
LKG--LAST KNOWN GOOD SEQ NO.
BCK--BACKED UP
[RouterC] display ips sa
===============================
Interface: GigabitEthernet1/0/0
path MTU: 1500
===============================
----------------------------
IPsec policy name: "policy1"
sequence number: 1
mode: isakmp
----------------------------
connection id: 21
encapsulation mode: tunnel
tunnel local : 30.1.1.2
tunnel remote: 20.1.1.1
[inbound ESP SAs]
spi: 1720763150 (0x6690c30e)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887434624/3041
max received sequence-number: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2970386335 (0xb10c7f9f)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887434112/3041
max sent sequence-number: 33
udp encapsulation used for nat traversal: N

----End

Configuration Files
l Configuration file of Router A


#
sysname RouterA
#
ike local-name rta
#
multicast routing-enable
#
acl number 3000

rule 5 permit gre source 20.1.1.1 0.0.0.0 destination 30.1.1.2 0.0.0.0


#
ike peer routerc v1
exchange-mode aggressive
pre-shared-key 12345
local-id-type name
remote-name rtc
remote-address 30.1.1.2
#
ipsec proposal p1
#
ipsec policy policy1 1 isakmp
security acl 3000
ike-peer Routerc
proposal p1
#
interface GigabitEthernet1/0/0
ip address 20.1.1.1 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet2/0/0
ip address 10.1.1.2 255.255.255.0
pim dm
igmp enable
#
interface Tunnel0/0/1
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
pim dm
#
ospf 1
area 0.0.0.0
network 20.1.1.1 0.0.0.0
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1
#
return

Configuration file of Router B


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return

Configuration file of Router C


#
sysname RouterC
#
ike local-name rtc
#
multicast routing-enable
#
acl number 3000
rule 5 permit gre source 30.1.1.2 0.0.0.0 destination 20.1.1.1 0.0.0.0
#
ike peer routera v1
exchange-mode aggressive
pre-shared-key 12345
local-id-type name
remote-name rta
remote-address 20.1.1.1
#
ipsec proposal p1
#
ipsec policy policy1 1 isakmp
security acl 3000
ike-peer Routera
proposal p1
#
interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet2/0/0
ip address 10.2.1.2 255.255.255.0
pim dm
igmp enable
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
pim dm
#
ospf 1
area 0.0.0.0
network 30.1.1.2 0.0.0.0
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#
return

1.6.4 Example for Configuring the Keepalive Function for GRE


This section provides an example for configuring the Keepalive function of the GRE tunnel. In
this manner, the VPN does not select the GRE tunnel that cannot reach the remote end, and data
loss can be avoided.

Networking Requirements
As shown in Figure 1-8, Router A and Router B are configured with the GRE protocol. Both
ends of the GRE tunnel need to be configured with the Keepalive function.
Figure 1-8 Networking diagram of configuring the Keepalive function on two ends of a GRE
tunnel (RouterA GE1/0/0 20.1.1.1/24 and RouterB GE1/0/0 30.1.1.2/24 are connected across the
Internet; the GRE tunnel runs between Tunnel0/0/1 40.1.1.1/24 on RouterA and Tunnel0/0/1
40.1.1.2/24 on RouterB)
Configuration Roadmap
To enable the Keepalive function on one end of the GRE tunnel, run the keepalive command in
the tunnel interface view on the end.
TIP

If the Keepalive function is enabled on the source end, the destination end must support the
forwarding function, while enabling the Keepalive function on the destination end is optional.

Data Preparation
To complete the configuration, you need the following data:
- Data for configuring the routing protocol for the backbone network
- Source address and destination address of the GRE tunnel
- Interval for sending Keepalive messages
- Parameters of the unreachable timer

Procedure
Step 1 Configure Router A and Router B to implement the interworking between the two devices.
The detailed procedures are not mentioned here.
Step 2 Configure a tunnel on Router A and enable the Keepalive function.
<RouterA> system-view
[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] keepalive period 20 retry-times 3
[RouterA-Tunnel0/0/1] quit

Step 3 Configure a tunnel on Router B and enable the Keepalive function.


<RouterB> system-view
[RouterB] interface tunnel 0/0/1
[RouterB-Tunnel0/0/1] ip address 40.1.1.2 255.255.255.0
[RouterB-Tunnel0/0/1] source 30.1.1.2
[RouterB-Tunnel0/0/1] destination 20.1.1.1
[RouterB-Tunnel0/0/1] keepalive period 20 retry-times 3
[RouterB-Tunnel0/0/1] quit

Step 4 Verify the configuration.


# The tunnel interface on Router A can successfully ping the tunnel interface on Router B.
<RouterA> ping -a 40.1.1.1 40.1.1.2
PING 40.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=9 ms
Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=7 ms
Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=7 ms
Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=7 ms
Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=7 ms
--- 40.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/7/9 ms

# Enable the debugging of the Keepalive messages on Router A and view information about the
Keepalive messages.
<RouterA> terminal monitor


<RouterA> terminal debugging
<RouterA> debugging tunnel keepalive
May 18 2011 11:36:11.590.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive finished. Received keepalive detecting packet from peer router.
<RouterA>
May 18 2011 11:36:11.590.2+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP_NSR: Mainboard ulKeepaliveReceiveOpposite++ then send mbuf to slave when RECEIVE keepalive packet.
<RouterA>
May 18 2011 11:36:11.590.3+00:00 AR1220 TUNNEL/7/debug:GRE_FWD: Receive peer keepalive on mainboard successfully. Put into decapsulation.
<RouterA>
May 18 2011 11:36:15.120.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive finished. Received keepalive response packet from peer router.
<RouterA>
May 18 2011 11:36:15.120.2+00:00 AR1220 TUNNEL/7/debug:GRE_FWD: Receive the response keepalive packet on mainboard successfully, keepalive finished.
<RouterA>
May 18 2011 11:36:15.120.3+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP_NSR: Mainboard send mbuf to slaveboard when RECEIVE response packet.

----End

Configuration Files

Configuration file of Router A


#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 20.1.1.1 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
keepalive period 20
#
return

Configuration file of Router B


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
keepalive period 20
#
return

2 MCE Configuration

About This Chapter


Generally, a Customer Edge (CE) can connect to only one Virtual Private Network (VPN). If
multiple VPNs need to be divided, multiple CEs are required. The Multi-VPN-Instance CE
(MCE) technology enables a CE to be connected to multiple VPNs. This isolates services
between different VPNs and reduces the investment on network devices.
2.1 Introduction to MCE
MCE isolates different services or users by using the route multi-instance on the CE.
2.2 Configuring a VPN Instance
This section describes how to configure a VPN instance.
2.3 Configuring a Route Multi-Instance Between an MCE and a Site
This section describes how to configure static routes, RIP, OSPF, IS-IS, and BGP between an
MCE and a site.
2.4 Configuring a Route Multi-Instance Between an MCE and a PE
This section describes how to configure static routes, RIP, OSPF, IS-IS, and BGP between an
MCE and a PE.
2.5 MCE Configuration Examples
This section provides several configuration examples of MCE.

2.1 Introduction to MCE


MCE isolates different services or users by using the route multi-instance on the CE.

2.1.1 MCE Overview


MCE isolates different services or users by using the route multi-instance on the CE.

Background
With the increasing diversification of user services and higher security requirements, multiple
VPNs are required in a private network in most cases, and the services of different VPNs need
to be isolated. Using a separate CE for each VPN increases device expenditure and maintenance
cost, while data security cannot be ensured if multiple VPNs share one CE and one route
forwarding table.
As shown in Figure 2-1, MCE can effectively solve issues of security of the data and network
costs in a VPN. MCE isolates services of different VPNs by binding VLANIF interfaces to
VPNs, and creating and maintaining an independent multi-VRF table for each VPN.
Figure 2-1 Typical MCE networking diagram (a VPN 1 site and a VPN 2 site connect to the MCE,
which connects to a PE in the service provider's backbone; the backbone contains P and PE
devices, and further VPN 1 and VPN 2 sites connect to the backbone PEs through their own CEs)
Basic Concepts
- CE: An edge device that is located in a user network. A CE provides interfaces that are directly
  connected to the Service Provider (SP) network. A CE can be a router, a switch, or a host.
  In most situations, a CE neither senses a VPN nor supports MPLS.
- MCE: A CE configured with MCE functions. An MCE can connect to multiple VPNs whose
  services are isolated completely.
- PE: An edge router that is located in an SP network. A PE is an edge device in the SP network
  and is directly connected to the CE and MCE. In an MPLS network, PEs process all VPN
  services.
- Provider (P): A backbone router that is located in an SP network. A P device is not directly
  connected to CEs. The P devices only need the basic MPLS forwarding capability, without
  maintaining information about a VPN.
- Site: A group of IP systems with IP connectivity between each other. Their connectivity need
  not be implemented through an SP network. The site is connected to the SP network through
  a CE or an MCE.

2.1.2 MCE Functions Supported by the AR2200-S


When the AR2200-S functions as an MCE, multiple routing protocols can be run between an
MCE and a PE, and between an MCE and a site, including static routes, the Routing Information
Protocol (RIP), the Open Shortest Path First (OSPF), the Intermediate System-to-Intermediate
System (IS-IS), and BGP.

Multiple Routing Protocols Run Between an MCE and a PE

When the AR2200-S functions as an MCE, multiple routing protocols can be run between the
AR2200-S and a PE, including:
- Static routes
- RIP
- OSPF
- IS-IS
- BGP

Multiple Routing Protocols Run Between an MCE and a Site

When the AR2200-S functions as an MCE, multiple routing protocols can be run between the
AR2200-S and a site, including:
- Static routes
- RIP
- OSPF
- IS-IS
- BGP

2.2 Configuring a VPN Instance


This section describes how to configure a VPN instance.

2.2.1 Establishing the Configuration Task


Applicable Environment
To connect a CE to multiple VPNs and isolate services of these VPNs, you need to configure
MCE functions. Before configuring MCE functions, you need to configure VPN instances on
an MCE and a PE.

Pre-configuration Tasks
Before configuring a VPN instance, complete the following tasks:
- Creating a VLAN on the MCE and adding the interface connecting the site and PE to the VLAN
- Creating a VLAN on the PE and adding the sub-interface connecting the MCE to the VLAN
- Creating a VLAN on the device connected to the MCE in a site and adding the interface
  connected to the MCE on the device to the VLAN

Data Preparation
To configure a VPN instance, you need the following data:
1. Name of the VPN instance
2. Route Distinguisher (RD) of the VPN instance
3. (Optional) Description of the VPN instance
4. (Optional) Maximum number of routes supported by the VPN instance
5. ID of the VLAN corresponding to the VPN instance

2.2.2 Creating a VPN instance


Context
Do as follows on the MCE.
You need to perform similar configurations on the PE; however, configuration commands and
methods may be different because device manufacturers and types are different. For details, refer
to manuals of corresponding products.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ip vpn-instance vpn-instance-name command to create a VPN instance and enter the
VPN instance view.
NOTE

The name of a VPN instance is case-sensitive. For example, "vpn1" and "VPN1" are taken as different
VPN instances.

Step 3 Run the route-distinguisher route-distinguisher command to configure an RD for the VPN
instance.
The RD does not have a default value; therefore, you must configure an RD when creating a
VPN instance.
A VPN instance takes effect only after it is configured with an RD. The RDs of different VPN
instances on a device should be different.
Before configuring an RD, you can configure only the description.
Step 4 (Optional) Run the description description command to configure the description for the VPN
instance.
By default, no description is configured for a VPN instance.
Like the description of a host name or an interface, the description of a VPN instance can be
used to record information such as the relationship between the VPN instance and a VPN.
Step 5 (Optional) Run the routing-table limit number { alert-percent | simply-alert } command to set
the maximum number of routes supported by the VPN instance.
By default, the maximum number of routes supported by a VPN instance is not set.
To prevent excessive routes from being imported, set the maximum number of routes supported
by a VPN instance.
----End

2.2.3 Binding an Interface with a VPN Instance


Binding an interface to a VPN instance turns it into a VPN interface: packets that pass through
the interface are forwarded according to the forwarding information of the VPN instance, and
Layer 3 attributes such as the IP address and routing protocol configured on the interface are
deleted. These Layer 3 attributes need to be configured again if they are still required.

Context
Do as follows on the PE that is connected to the CE.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that is to be bound with the VPN instance is displayed.
Step 3 Run:
ip binding vpn-instance vpn-instance-name

The interface is bound to the VPN instance.


NOTE

The running of the ip binding vpn-instance command on an interface can delete the Layer 3 attributes,
such as the IP address and routing protocol. If these Layer 3 attributes are still required, you need to
configure them again.
An interface cannot be bound to any VPN instance that is not enabled with an address family.
Disabling an address family of a VPN instance deletes the Layer 3 attributes, such as the IP address and
routing protocol of the interface bound to the VPN instance. Disabling all address families of a VPN instance
unbinds all bound interfaces from the VPN instance.

Step 4 Run:
ip address ip-address { mask | mask-length }

The IP address is configured.


----End

2.2.4 Checking the Configuration


Run the command display ip vpn-instance [ verbose ] [ vpn-instance-name ] to check the
previous configuration.
If the configuration is correct, you can view:
- VPN instance created correctly:
  - Name of the VPN instance
  - RD
  - Description
  - Maximum number of routes supported by the VPN instance
- Interface configured correctly

<Quidway> display ip vpn-instance verbose


Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpn1, 1
Create date : 2011/09/10 16:58:42
Up time : 0 days, 21 hours, 42 minutes and 10 seconds
Log Interval : 5
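As an added example (not Huawei's code or output), the following Python script parses a configuration file in the '#'-delimited format used in this guide and checks the rules stated in 1.6.4 and 2.2: a GRE tunnel interface should have keepalive enabled, a VPN instance needs an RD and RDs must be unique on the device, a routing-table limit guards against excessive imported routes, and the IP address of an interface must be configured after ip binding vpn-instance because the binding deletes it. The configuration it checks is constructed for the example; its instance names and addresses are assumptions.

```python
"""Static checks over a Huawei VRP-style configuration file (added example,
not Huawei's code).  Blocks are delimited by '#' lines as in the configuration
files in this guide.  Rules checked: GRE tunnels need 'keepalive' (1.6.4); a
VPN instance takes effect only with an RD and RDs must differ (2.2.2); a
routing-table limit bounds imported routes; 'ip binding vpn-instance' deletes
the interface IP address, so the address must follow the binding (2.2.3)."""
from collections import defaultdict

# Constructed configuration; the instance names and addresses are assumptions.
SAMPLE_CONFIG = """\
#
ip vpn-instance vpna
 route-distinguisher 100:1
 routing-table limit 1000 80
#
ip vpn-instance vpnb
 route-distinguisher 100:1
#
ip vpn-instance vpnc
 description RD not configured yet
#
interface Vlanif10
 ip binding vpn-instance vpna
 ip address 172.16.1.2 255.255.0.0
#
interface Vlanif20
 ip address 172.17.1.2 255.255.0.0
 ip binding vpn-instance vpnb
#
interface Tunnel0/0/1
 ip address 40.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 20.1.1.1
 destination 30.1.1.2
#
interface Tunnel0/0/2
 tunnel-protocol gre
 source 20.1.1.1
 destination 30.1.1.3
 keepalive period 20 retry-times 3
#
return
"""

def parse_blocks(text):
    """Split a VRP configuration into (heading, body_lines) blocks at '#' lines."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append((current[0], current[1:]))
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        blocks.append((current[0], current[1:]))
    return blocks

def check_config(text):
    """Return a list of (severity, message) findings for the configuration."""
    findings, blocks = [], parse_blocks(text)
    vpn_names, rd_owners = set(), defaultdict(list)
    # Pass 1: VPN instances, so that interface bindings can be checked later.
    for heading, body in blocks:
        words = heading.split()
        if words[:2] != ["ip", "vpn-instance"]:
            continue
        name = words[2]
        vpn_names.add(name)
        rd = next((l.split()[1] for l in body if l.startswith("route-distinguisher ")), None)
        if rd is None:
            findings.append(("ERROR", f"vpn-instance {name}: no RD, the instance does not take effect"))
        else:
            rd_owners[rd].append(name)
        if not any(l.startswith("routing-table limit ") for l in body):
            findings.append(("INFO", f"vpn-instance {name}: no routing-table limit, excessive routes can be imported"))
    for rd, names in rd_owners.items():
        if len(names) > 1:
            findings.append(("ERROR", f"RD {rd} is used by {', '.join(names)}; RDs on one device must differ"))
    # Pass 2: interfaces (binding order, missing address, GRE keepalive).
    for heading, body in blocks:
        words = heading.split()
        if words[0] != "interface":
            continue
        name = words[1]
        bind = next((i for i, l in enumerate(body) if l.startswith("ip binding vpn-instance ")), None)
        addr = next((i for i, l in enumerate(body) if l.startswith("ip address ")), None)
        if bind is not None:
            vpn = body[bind].split()[3]
            if vpn not in vpn_names:
                findings.append(("ERROR", f"{name}: bound to undefined vpn-instance {vpn}"))
            if addr is None:
                findings.append(("WARN", f"{name}: bound to {vpn} but has no IP address"))
            elif addr < bind:
                findings.append(("ERROR", f"{name}: ip address precedes ip binding, the binding deletes it"))
        if "tunnel-protocol gre" in body and not any(l.startswith("keepalive") for l in body):
            findings.append(("WARN", f"{name}: GRE tunnel without keepalive, an unreachable peer is not detected"))
    return findings
```

Running check_config(SAMPLE_CONFIG) reports the missing RD on vpnc, the RD shared by vpna and vpnb, the address-before-binding order on Vlanif20 and the GRE tunnel without keepalive, and stays silent on the correctly configured Vlanif10 and Tunnel0/0/2.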

2.3 Configuring a Route Multi-Instance Between an MCE and a Site

This section describes how to configure static routes, RIP, OSPF, IS-IS, and BGP between an
MCE and a site.
When configuring a route multi-instance between an MCE and a site, the tasks from 2.3.2
(Optional) Configuring a Static Route Between an MCE and a Site to (Optional) Configuring
BGP Between an MCE and a Site are optional and can be configured as required.

2.3.1 Establishing the Configuration Task


Applicable Environment
To connect a CE to multiple VPNs and isolate services of these VPNs, you need to configure
MCE functions. Before configuring MCE functions, you need to perform the task of 2.2
Configuring a VPN Instance on the MCE and PE and then configure a route multi-instance
between an MCE and a site.

Pre-configuration Tasks
Before configuring a route multi-instance between an MCE and a site, complete the following
task:
- 2.2 Configuring a VPN Instance

Data Preparation
To configure a route multi-instance between an MCE and a site, you need the following data:
1. Name of the VPN instance
2. (Optional) Destination address of a static route to the site, name of the destination VPN
   instance, mask or mask length, next hop IP address, priority of the route, and description of
   the route
3. (Optional) RIP process number, address of the network segment where the VLANIF interface
   bound to the VPN instance is located, type and process number of the routing protocol run
   between an MCE and a PE, cost of the imported route, and name of the routing policy during
   route importing
4. (Optional) OSPF process number, router ID of OSPF, area ID of OSPF, address of the network
   segment where the VLANIF interface bound to the VPN instance is located, type and process
   number of the routing protocol run between an MCE and a PE, cost of the imported route,
   metric of the imported route, tag in the external Link State Advertisement (LSA) of the
   imported route, and name of the routing policy during route importing
5. (Optional) IS-IS process number, Network Entity Title (NET) of the IS-IS process, number of
   the VLANIF interface bound to the VPN instance, type and process number of the routing
   protocol run between an MCE and a PE, type and value of the cost of the imported route,
   administrative tag of the imported route, and level of the routing table for storing the imported
   route
6. (Optional) Autonomous System (AS) number, IP address of the VLANIF interface connecting
   a CE and an MCE, type and process number of the routing protocol run between an MCE and
   a PE, Multi-Exit Discriminator (MED) of the imported route, and name of the routing policy
   during route importing

2.3.2 (Optional) Configuring a Static Route Between an MCE and a Site

Context
Do as follows on the MCE.
You need to configure only routing protocols on a device in a site.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } { interface-type interface-number [ gateway-address ] | vpn-instance vpn-destination-name gateway-address | gateway-address } [ preference preference ] [ track bfd-session cfg-name ] [ description description ] command to configure a static route to the site.
You must specify the next hop address on the local device.
----End

2.3.3 (Optional) Configuring RIP Between an MCE and a Site


Context
Do as follows on the MCE.
You need to configure only routing protocols on a device in a site.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the rip [ process-id ] [ vpn-instance vpn-instance-name ] command to create and enable a
RIP process used by a VPN instance and enter the RIP view.
Step 3 Run the network network-address command to enable RIP routes on the network segment where
the IP address of the interface bound to the VPN instance belongs.
Step 4 (Optional) Run the import-route { { static | direct } | { { rip | ospf | isis } [ process-id ] } }
[ cost cost | route-policy route-policy-name ] * command to import routes from other routing
protocols.
If another routing protocol is run between an MCE and a PE in this VPN, you need to perform
this step.
----End

2.3.4 (Optional) Configuring OSPF Between an MCE and a Site


Context
Do as follows on the MCE.
You need to configure only routing protocols on a device in a site.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] * command
to create an OSPF process used by a VPN instance and enter the OSPF view.
NOTE

In this step, you must specify vpn-instance vpn-instance-name.

Step 3 (Optional) Run the import-route { limit limit-number | protocol [ process-id ] [ cost cost |
route-policy route-policy-name | tag tag | type type ] * } command to import routes from other
routing protocols.
If another routing protocol is run between an MCE and a PE in this VPN, you need to perform
this step.
Step 4 Run the area area-id command to create an OSPF area and enter the OSPF area view.
Step 5 Run the network address wildcard-mask [ description text ] command to enable OSPF routes
on the network segment where the IP address of the interface bound to the VPN instance belongs.
----End

2.3.5 (Optional) Configuring IS-IS Between an MCE and a Site


Context
Do as follows on the MCE.
You need to configure only routing protocols on a device in a site.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the interface interface-type interface-number command to enter the view of the interface
bound to the VPN instance.
Step 3 Run the isis enable [ process-id ] command to enable IS-IS on the interface.
By default, IS-IS is disabled on a VLANIF interface.
Step 4 Run the isis [ process-id ] vpn-instance vpn-instance-name command to create an IS-IS process
used by a VPN instance and enter the IS-IS view.
Step 5 Run the network-entity net command to configure an NET.
By default, no NET is configured for an IS-IS process.
Step 6 Run the import-route protocol [ process-id ] [ cost-type { external | internal } | cost cost |
tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] * command to import
routes from other routing protocols.
If another routing protocol is run between an MCE and a PE in this VPN, you need to perform
this step.
----End

2.3.6 Checking the Configuration


Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command on the MCE. If
you can view the route to the local VPN in the display, it means that the configuration succeeds.
Take RIP used between an MCE and a site as an example. The information is displayed as
follows:
[MCE] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
         Destinations : 7        Routes : 7
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
      172.16.0.0/16  Direct  0    0           D   172.16.1.2      Vlanif10
      172.16.1.1/32  Direct  0    0           D   172.16.1.1      Vlanif10
      172.16.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      172.18.0.0/16  Direct  0    0           D   172.18.1.2      Vlanif30
      172.18.1.1/32  Direct  0    0           D   172.18.1.1      Vlanif30
      172.18.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
     192.168.0.0/16  RIP     100  1           D   172.16.1.1      Vlanif10

2.4 Configuring a Route Multi-Instance Between an MCE and a PE

This section describes how to configure static routes, RIP, OSPF, IS-IS, and BGP between an
MCE and a PE.
When configuring a route multi-instance between an MCE and a PE, the tasks from 2.4.2
(Optional) Configuring a Static Route Between an MCE and a PE to (Optional) Configuring
BGP Between an MCE and a PE are optional and can be configured as required.

2.4.1 Establishing the Configuration Task


Applicable Environment
To connect a CE to multiple VPNs and isolate services of these VPNs, you need to configure
MCE functions. Before configuring MCE functions, you need to perform the task of 2.2
Configuring a VPN Instance on the MCE and PE and then configure a route multi-instance
between the MCE and PE.

Pre-configuration Tasks
Before configuring a route multi-instance between an MCE and a PE, complete the following
task:
- 2.2 Configuring a VPN Instance

Data Preparation
To configure a route multi-instance between an MCE and a PE, you need the following data:
1. Name of the VPN instance
2. (Optional) Destination address of a static route to the PE, name of the destination VPN
   instance, mask or mask length, next hop IP address, priority of the route, and description of
   the route
3. (Optional) RIP process number, address of the network segment where the interface bound to
   the VPN instance is located, type and process number of the routing protocol run between an
   MCE and a site, cost of the imported route, and name of the routing policy used during route
   importing
4. (Optional) OSPF process number, router ID of OSPF, area ID of OSPF, address of the network
   segment where the interface bound to the VPN instance is located, type and process number
   of the routing protocol run between an MCE and a site, cost of the imported route, metric of
   the imported route, tag in the external LSA of the imported route, and name of the routing
   policy during route importing
5. (Optional) IS-IS process number, NET of the IS-IS process, number of the interface bound to
   the VPN instance, type and process number of the routing protocol run between an MCE and
   a site, type and value of the cost of the imported route, administrative tag of the imported
   route, and level of the routing table for storing the imported route
6. (Optional) AS number, IP address of the interface connecting a CE and an MCE, type and
   process number of the routing protocol run between an MCE and a site, MED of the imported
   route, and name of the routing policy during route importing
2.4.2 (Optional) Configuring a Static Route Between an MCE and a PE

Context
Do as follows on the MCE.
You can use a static route on a PE, and can also use RIP, OSPF, IS-IS, or BGP. For details, refer
to manuals of corresponding products.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } { interface-type interface-number [ gateway-address ] | vpn-instance vpn-destination-name gateway-address | gateway-address } [ preference preference ] [ track bfd-session cfg-name ] [ description description ] command to configure a static route to a PE.
You must specify the next hop address on the local device.
----End

2.4.3 (Optional) Configuring RIP Between an MCE and a PE


Context
Do as follows on the MCE.
You need to perform similar configurations on a PE. For details, refer to manuals of
corresponding products.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the rip [ process-id ] vpn-instance vpn-instance-name command to create and enable a
RIP process used by a VPN instance and enter the RIP view.
Step 3 Run the network network-address command to enable RIP routes on the network segment where
the IP address of the interface bound to the VPN instance belongs.
Step 4 (Optional) Run the import-route { { static | direct } | { { rip | ospf | isis } [ process-id ] } }
[ cost cost | route-policy route-policy-name ] * command to import routes from other routing
protocols.
If another routing protocol is run between an MCE and a site in this VPN, you need to perform
this step.
----End

2.4.4 (Optional) Configuring OSPF Between an MCE and a PE


Context
Do as follows on the MCE.
You need to perform similar configurations on a PE. For details, refer to manuals of
corresponding products.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] * command
to create an OSPF process used by a VPN instance and enter the OSPF view.
NOTE

In this step, you must specify vpn-instance vpn-instance-name.

Step 3 (Optional) Run the import-route { limit limit-number | protocol [ process-id ] [ cost cost |
route-policy route-policy-name | tag tag | type type ] * } command to import routes from other
routing protocols.
If another routing protocol is run between an MCE and a site in this VPN, you need to perform
this step.
Step 4 Run the area area-id command to create an OSPF area and enter the OSPF area view.
Step 5 Run the network address wildcard-mask [ description text ] command to enable OSPF routes
on the network segment where the IP address of the interface bound to the VPN instance belongs.
----End
2.4.5 (Optional) Configuring IS-IS Between an MCE and a PE


Context
Do as follows on the MCE.
You need to perform similar configurations on a PE. For details, refer to manuals of
corresponding products.

Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the interface interface-type interface-number command to enter the view of the interface
bound to the VPN instance.
Step 3 Run the isis enable [ process-id ] command to enable IS-IS on the interface.
By default, IS-IS is disabled on a VLANIF interface.
Step 4 Run the isis [ process-id ] vpn-instance vpn-instance-name command to create an IS-IS process
used by a VPN instance and enter the IS-IS view.
Step 5 Run the network-entity net command to configure a NET.
By default, no NET is configured for an IS-IS process.
Step 6 (Optional) Run the import-route protocol [ process-id ] [ cost-type { external | internal } |
cost cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] * command
to import routes from other routing protocols.
If another routing protocol is run between an MCE and a site in this VPN, you need to perform
this step.
----End

2.4.6 Checking the Configuration


Run the display ip routing-table vpn-instance command on the PE, and you can find the routes
to the local VPN. Take the Huawei AR2200-S Series as an example. The information is displayed
as follows:
[PE1] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    172.18.0.0/16  Direct  0    0           D   172.18.1.1      Ethernet0/0/0
    172.18.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
172.18.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.0.0/16  O_ASE   150  1           D   172.16.1.1      Ethernet0/0/0
255.255.255.255/32 Direct  0    0           D   127.0.0.1       InLoopBack0


2.5 MCE Configuration Examples


This section provides several configuration examples of MCE.

2.5.1 Example for Configuring MCE


Networking Requirements
As shown in Figure 2-2, the networking is as follows:
l

CE1, CE2, CE3, and CE4 are edge devices of the VPN.

CE1 and CE3 belong to a VPN instance named vpnb, and CE2 and CE4 belong to a VPN
instance named vpna.

PE1 and PE2 are edge routers of the backbone network. BGP or MPLS IP VPN is configured
on the backbone network between PE1 and PE2.

The MCE functions as a Multi-VPN-Instance CE located in the user network.

RIP is run between the MCE, CE3, and CE4.

OSPF is run between the MCE and PE2.

It is required that route isolation between VPNs be implemented on the MCE and routes of VPNs
be advertised to the PE2 through OSPF.
Figure 2-2 Networking diagram for configuring MCE
(Diagram not reproduced; the addressing shown in the figure is as follows.)
  CE3 (vpnb, LAN 192.168.1.0/24): VLANIF10 172.16.1.1/16, Eth0/0/1 in VLAN 10, connected to MCE Eth0/0/3
  CE4 (vpna, LAN 192.168.2.0/24): VLANIF20 172.17.1.1/16, Eth0/0/1 in VLAN 20, connected to MCE Eth0/0/4
  MCE: VLANIF10 172.16.1.2/16, VLANIF20 172.17.1.2/16, VLANIF30 172.18.1.2/16 (Eth0/0/1, VLAN 30),
       VLANIF40 172.19.1.2/16 (Eth0/0/2, VLAN 40)
  PE2: GE0/0/1 172.18.1.1/16 (vpnb, VLAN 30), GE0/0/2 172.19.1.1/16 (vpna, VLAN 40)
  PE1 and PE2 are connected over the BGP MPLS IP VPN backbone; CE1 (vpnb) and CE2 (vpna) attach to PE1


Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on the MCE, PE2, CE3, and CE4, and add the interfaces connecting these
devices to the VLANs.
2. Create and configure VPN instances on the MCE and PE2.
3. Configure the OSPF route multi-instance on the MCE and PE2.
4. Configure RIP between the MCE and CE3, and between the MCE and CE4.

Data Preparation
To complete the configuration, you need the following data:
l VLANs between the MCE, PE2, CE3, and CE4, as shown in Figure 2-2
l IP addresses of VLANIF interfaces, as shown in Figure 2-2

Configuration Procedure
1. Create VLANs on the MCE, PE2, CE3, and CE4, and add the interfaces connecting these
devices to the VLANs.
# Create VLANs on the MCE.
<Quidway> system-view
[Quidway] sysname MCE
[MCE] vlan batch 10 20 30 40

# Add interfaces to the VLANs on the MCE.


[MCE] interface ethernet 0/0/1
[MCE-Ethernet0/0/1] port link-type access
[MCE-Ethernet0/0/1] port default vlan 30
[MCE-Ethernet0/0/1] quit
[MCE] interface ethernet 0/0/2
[MCE-Ethernet0/0/2] port link-type access
[MCE-Ethernet0/0/2] port default vlan 40
[MCE-Ethernet0/0/2] quit
[MCE] interface ethernet 0/0/3
[MCE-Ethernet0/0/3] port link-type trunk
[MCE-Ethernet0/0/3] port trunk allow-pass vlan 10
[MCE-Ethernet0/0/3] quit
[MCE] interface ethernet 0/0/4
[MCE-Ethernet0/0/4] port link-type trunk
[MCE-Ethernet0/0/4] port trunk allow-pass vlan 20
[MCE-Ethernet0/0/4] quit

# Create a VLAN on CE3.


<Quidway> system-view
[Quidway] sysname CE3
[CE3] vlan 10

# Add an interface to the VLAN on CE3.


[CE3] interface ethernet 0/0/1
[CE3-Ethernet0/0/1] port link-type trunk
[CE3-Ethernet0/0/1] port trunk allow-pass vlan 10
[CE3-Ethernet0/0/1] quit

# Create a VLAN on CE4.


The configuration on CE4 is similar to that on CE3, and is not mentioned here.
# Add an interface to the VLAN on CE4.
The configuration on CE4 is similar to that on CE3, and is not mentioned here.
2. Create and configure VPN instances.


# Create VPN instances on the MCE.
[MCE] ip vpn-instance vpna
[MCE-vpn-instance-vpna] ipv4-family
[MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[MCE-vpn-instance-vpna-af-ipv4] quit
[MCE-vpn-instance-vpna] quit
[MCE] ip vpn-instance vpnb
[MCE-vpn-instance-vpnb] ipv4-family
[MCE-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[MCE-vpn-instance-vpnb-af-ipv4] quit
[MCE-vpn-instance-vpnb] quit

# Bind VPN instances to VLANIF interfaces on the MCE and assign IP addresses to the
VLANIF interfaces.
[MCE] interface vlanif 10
[MCE-Vlanif10] ip binding vpn-instance vpnb
[MCE-Vlanif10] ip address 172.16.1.2 16
[MCE-Vlanif10] quit
[MCE] interface vlanif 20
[MCE-Vlanif20] ip binding vpn-instance vpna
[MCE-Vlanif20] ip address 172.17.1.2 16
[MCE-Vlanif20] quit
[MCE] interface vlanif 30
[MCE-Vlanif30] ip binding vpn-instance vpnb
[MCE-Vlanif30] ip address 172.18.1.2 16
[MCE-Vlanif30] quit
[MCE] interface vlanif 40
[MCE-Vlanif40] ip binding vpn-instance vpna
[MCE-Vlanif40] ip address 172.19.1.2 16
[MCE-Vlanif40] quit

# Create VPN instances on PE2.


[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 100:1
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 100:2
[PE2-vpn-instance-vpnb] quit

# Bind VPN instances to sub-interfaces on PE2 and assign IP addresses to the sub-interfaces.
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet0/0/1] ip address 172.18.1.1 255.255.0.0
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface gigabitethernet 0/0/2
[PE2-GigabitEthernet0/0/2] ip binding vpn-instance vpna
[PE2-GigabitEthernet0/0/2] ip address 172.19.1.1 255.255.0.0
[PE2-GigabitEthernet0/0/2] quit

3. Configure the OSPF route multi-instance between the MCE and PE2.
# Configure the OSPF route multi-instance on PE2.
[PE2] ospf 100 vpn-instance vpna
[PE2-ospf-100] vpn-instance-capability simple
[PE2-ospf-100] area 0
[PE2-ospf-100-area-0.0.0.0] network 172.19.0.0 0.0.255.255
[PE2-ospf-100-area-0.0.0.0] quit
[PE2-ospf-100] quit
[PE2] ospf 200 vpn-instance vpnb
[PE2-ospf-200] vpn-instance-capability simple
[PE2-ospf-200] area 0
[PE2-ospf-200-area-0.0.0.0] network 172.18.0.0 0.0.255.255
[PE2-ospf-200-area-0.0.0.0] quit
[PE2-ospf-200] quit

# Configure the OSPF route multi-instance on the MCE.



[MCE] ospf 100 vpn-instance vpna
[MCE-ospf-100] area 0
[MCE-ospf-100-area-0.0.0.0] network 172.19.0.0 0.0.255.255
[MCE-ospf-100-area-0.0.0.0] quit
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] area 0
[MCE-ospf-200-area-0.0.0.0] network 172.18.0.0 0.0.255.255
[MCE-ospf-200-area-0.0.0.0] quit

4. Configure RIP between the MCE and CE3, and between the MCE and CE4.
# Configure RIP-2 on the MCE.
[MCE] rip 100 vpn-instance vpna
[MCE-rip-100] version 2
[MCE-rip-100] network 172.17.0.0
[MCE-rip-100] import-route ospf 100
[MCE-rip-100] quit
[MCE] rip 200 vpn-instance vpnb
[MCE-rip-200] version 2
[MCE-rip-200] network 172.16.0.0
[MCE-rip-200] import-route ospf 200

# Configure RIP-2 on CE3.


[CE3] rip 200
[CE3-rip-200] version 2
[CE3-rip-200] network 172.16.0.0
[CE3-rip-200] network 192.168.1.0
[CE3-rip-200] import-route direct

# Configure RIP-2 on CE4.


[CE4] rip 100
[CE4-rip-100] version 2
[CE4-rip-100] network 172.17.0.0
[CE4-rip-100] network 192.168.2.0
[CE4-rip-100] import-route direct

# Import RIP routes on the MCE.


[MCE] ospf 100
[MCE-ospf-100] import-route rip 100
[MCE-ospf-100] quit
[MCE] ospf 200
[MCE-ospf-200] import-route rip 200

5. Verify the configuration.


# After the configuration, run the display ip routing-table vpn-instance command on the
MCE, and you can view the routes to the local VPN.
Take vpnb as an example:
[MCE] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    172.16.0.0/16  Direct  0    0           D   172.16.1.2      Vlanif10
    172.16.1.1/32  Direct  0    0           D   172.16.1.1      Vlanif10
    172.16.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    172.18.0.0/16  Direct  0    0           D   172.18.1.2      Vlanif30
    172.18.1.1/32  Direct  0    0           D   172.18.1.1      Vlanif30
    172.18.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.0.0/16  RIP     100  1           D   172.16.1.1      Vlanif10

# Run the display ip routing-table vpn-instance command on the PE, and you can view
the routes to the local VPN.
Take vpnb on PE2 as an example:

[PE1] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
         Destinations : 3        Routes : 3

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    172.18.0.0/16  Direct  0    0           D   172.18.1.1      GigabitEthernet0/0/1
    172.18.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.0.0/16  O_ASE   150  1           D   172.18.1.2      GigabitEthernet0/0/1
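
A defender-side check of the route isolation requirement stated for this example, added here and not part of this guide: it parses the display ip routing-table vpn-instance output in Python and flags any route in a VPN instance's table that exits through an interface bound to another instance or that falls inside another instance's address space. The sample table, the interface bindings and the per-VPN prefixes are constructed from this example's networking.

```python
"""Parse 'display ip routing-table vpn-instance' output and audit VPN isolation.

Added example, not Huawei's code. SAMPLE_VPNB is constructed to match the vpnb
table shown for the MCE above; MCE_BINDINGS and VPN_PREFIXES are taken from the
same networking (Figure 2-2 and the RIP/OSPF configuration of this example).
"""
import ipaddress
import re

# VLANIF interface on the MCE -> VPN instance it is bound to.
MCE_BINDINGS = {"Vlanif10": "vpnb", "Vlanif30": "vpnb",
                "Vlanif20": "vpna", "Vlanif40": "vpna"}
# Address space each VPN instance is expected to carry.
VPN_PREFIXES = {"vpnb": ["172.16.0.0/16", "172.18.0.0/16", "192.168.1.0/24"],
                "vpna": ["172.17.0.0/16", "172.19.0.0/16", "192.168.2.0/24"]}

# Constructed sample: the healthy vpnb table of the MCE.
SAMPLE_VPNB = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    172.16.0.0/16  Direct  0    0           D   172.16.1.2      Vlanif10
    172.16.1.1/32  Direct  0    0           D   172.16.1.1      Vlanif10
    172.16.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    172.18.0.0/16  Direct  0    0           D   172.18.1.2      Vlanif30
    172.18.1.1/32  Direct  0    0           D   172.18.1.1      Vlanif30
    172.18.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.0.0/16  RIP     100  1           D   172.16.1.1      Vlanif10
"""

# Constructed failure case: a vpna prefix learned over a vpna-bound interface
# has appeared in the vpnb table, which is exactly what isolation must prevent.
LEAKED_VPNB = SAMPLE_VPNB.replace("Destinations : 7        Routes : 7",
                                  "Destinations : 8        Routes : 8") + (
    "   192.168.2.0/24  RIP     100  1           D   172.17.1.1      Vlanif20\n")

ROUTE_RE = re.compile(
    r"^\s*(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>\S+)\s+(?P<pre>\d+)\s+"
    r"(?P<cost>\d+)\s+(?P<flags>[RD]*)\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<iface>\S+)\s*$")


def parse_routing_table(text):
    """Return {"vpn": name, "declared": N, "routes": [route dict, ...]}."""
    table = {"vpn": None, "declared": None, "routes": []}
    for line in text.splitlines():
        m = re.search(r"^Routing Tables:\s*(\S+)", line)
        if m:
            table["vpn"] = m.group(1)
            continue
        m = re.search(r"Destinations\s*:\s*(\d+)", line)
        if m:
            table["declared"] = int(m.group(1))
            continue
        m = ROUTE_RE.match(line)
        if m:
            route = m.groupdict()
            route["dest"] = ipaddress.ip_network(route["dest"], strict=False)
            route["pre"], route["cost"] = int(route["pre"]), int(route["cost"])
            table["routes"].append(route)
    return table


def check_isolation(table, bindings=MCE_BINDINGS, prefixes=VPN_PREFIXES):
    """Return a list of violations (empty when the table is clean).

    A route violates isolation when it exits through an interface bound to a
    different VPN instance or lies inside another instance's address space.
    InLoopBack0 is shared by all instances, so it is not in the bindings.
    """
    vpn = table["vpn"]
    if table["declared"] != len(table["routes"]):
        raise ValueError("parsed %d routes but the device declared %s"
                         % (len(table["routes"]), table["declared"]))
    foreign = {other: [ipaddress.ip_network(p) for p in nets]
               for other, nets in prefixes.items() if other != vpn}
    violations = []
    for r in table["routes"]:
        owner = bindings.get(r["iface"])
        if owner is not None and owner != vpn:
            violations.append("%s via %s, which is bound to %s, not %s"
                              % (r["dest"], r["iface"], owner, vpn))
            continue
        for other, nets in foreign.items():
            if any(r["dest"].subnet_of(n) for n in nets):
                violations.append("%s lies in the address space of %s"
                                  % (r["dest"], other))
    return violations


def audit(text):
    """Parse one 'display ip routing-table vpn-instance' output and audit it."""
    return check_isolation(parse_routing_table(text))
```

The RIP summary 192.168.0.0/16 in the healthy table is accepted because the check flags only destinations that are subnets of a foreign prefix; tighten it to an overlap test if your addressing plan forbids such summaries.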

Configuration Files
l Configuration file of the MCE


#
sysname MCE
#
vlan batch 10 20 30 40
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
#
interface Vlanif10
ip binding vpn-instance vpnb
ip address 172.16.1.2 255.255.0.0
#
interface Vlanif20
ip binding vpn-instance vpna
ip address 172.17.1.2 255.255.0.0
#
interface Vlanif30
ip binding vpn-instance vpnb
ip address 172.18.1.2 255.255.0.0
#
interface Vlanif40
ip binding vpn-instance vpna
ip address 172.19.1.2 255.255.0.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 30
#
interface Ethernet0/0/2
port link-type access
port default vlan 40
#
interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10
#
interface Ethernet0/0/4
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 100 vpn-instance vpna
import-route rip 100
area 0.0.0.0
network 172.17.0.0 0.0.255.255
network 172.19.0.0 0.0.255.255
#
ospf 200 vpn-instance vpnb


import-route rip 200


area 0.0.0.0
network 172.16.0.0 0.0.255.255
network 172.18.0.0 0.0.255.255
#
rip 100 vpn-instance vpna
version 2
network 172.17.0.0
import-route ospf 100
#
rip 200 vpn-instance vpnb
version 2
network 172.16.0.0
import-route ospf 200
#
return

l Configuration file of PE2


#
sysname PE2
#
ip vpn-instance vpna
route-distinguisher 100:1
#
ip vpn-instance vpnb
route-distinguisher 100:2
#
interface GigabitEthernet0/0/1
ip binding vpn-instance vpnb
ip address 172.18.1.3 255.255.0.0
#
interface GigabitEthernet0/0/2
ip binding vpn-instance vpna
ip address 172.19.1.3 255.255.0.0
#
#
ospf 100 vpn-instance vpna
vpn-instance-capability simple
area 0.0.0.0
network 172.19.0.0 0.0.255.255
#
ospf 200 vpn-instance vpnb
vpn-instance-capability simple
area 0.0.0.0
network 172.18.0.0 0.0.255.255
#
return
NOTE

The following lists only configuration files related to the MCE. For details on configuring BGP or
MPLS IP VPN, refer to manuals of corresponding devices.

l Configuration file of CE3


#
sysname CE3
#
vlan batch 10
#
interface Vlanif10
ip address 172.16.1.1 255.255.0.0
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
rip 200
version 2
network 172.16.0.0


network 192.168.1.0
import-route direct
#
return

l Configuration file of CE4


#
sysname CE4
#
vlan batch 20
#
interface Vlanif20
ip address 172.17.1.1 255.255.0.0
#
interface Ethernet0/0/1
port trunk allow-pass vlan 20
#
rip 100
version 2
network 172.17.0.0
network 192.168.2.0
import-route direct
#
return

3 IPSec Configuration


About This Chapter


IP Security (IPSec) uses data encryption and data source authentication at the IP layer to ensure
data confidentiality and integrity and prevent replay of data packets. Internet Key Exchange
(IKE) enables key negotiation and security associations (SAs) establishment to simplify use and
management of IPSec. This chapter describes how to configure IPSec and IKE.
3.1 IPSec Overview
The IP Security (IPSec) protocol family is a series of protocols defined by the Internet
Engineering Task Force (IETF). This protocol family provides high quality, interoperable, and
cryptology-based security for IP packets. Communicating parties encrypt data and authenticate
the data source at the IP layer to ensure data confidentiality and integrity and prevent replay of
data packets.
3.2 IPSec Features Supported by the AR2200-S
The AR2200-S supports IPSec tunnel established in manual mode or IKE negotiation mode.
3.3 Establishing an IPSec Tunnel Manually
You can establish IPSec tunnels manually when the network topology is simple.
3.4 Establishing an IPSec Tunnel Through IKE Negotiation
IKE provides an automatic protection mechanism to distribute keys, authenticate the identity,
and set up SAs on an insecure network.
3.5 Maintaining IPSec
This section describes how to display the IPSec configuration and clear the IPSec statistics.
3.6 Configuration Examples
This section provides several configuration examples of IPSec.


3.1 IPSec Overview


The IP Security (IPSec) protocol family is a series of protocols defined by the Internet
Engineering Task Force (IETF). This protocol family provides high quality, interoperable, and
cryptology-based security for IP packets. Communicating parties encrypt data and authenticate
the data source at the IP layer to ensure data confidentiality and integrity and prevent replay of
data packets.
IPSec uses two security protocols: Authentication Header (AH) protocol and Encapsulating
Security Payload (ESP). Key exchange and SA establishment in IPSec is implemented by the
Internet Key Exchange (IKE) protocol, which simplifies use and management of IPSec.
IPSec involves the following terms:
l Security association (SA)
An SA is a set of conventions adopted by the communicating parties. For example, it
determines the security protocol (AH, ESP, or both), encapsulation mode (transport
mode or tunnel mode), key algorithm (DES, 3DES, or AES), shared key to protect
certain flow, and the lifetime of the shared key.
An SA is unidirectional, so at least two SAs are required to protect data flows in
bidirectional communication. If two peers need to communicate using both AH and
ESP, each peer needs to establish two SAs for the two protocols.
An SA is identified by three parameters: Security Parameter Index (SPI), destination IP
address, and security protocol ID (AH or ESP).

l Encapsulation mode
Transport mode: AH or ESP is inserted behind the IP header but before all transport-layer
protocols or all other IPSec protocols, as shown in Figure 3-1.
Tunnel mode: AH or ESP is inserted before the original IP header but behind a new IP
header, as shown in Figure 3-2.
Figure 3-1 Packet format in transport mode
Mode       Protocol  Packet format
transport  AH        IP Header | AH | TCP Header | data
transport  ESP       IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data
transport  AH-ESP    IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data


Figure 3-2 Packet format in tunnel mode
Mode    Protocol  Packet format
tunnel  AH        new IP Header | AH | raw IP Header | TCP Header | data
tunnel  ESP       new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
tunnel  AH-ESP    new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data

l Authentication algorithm and encryption algorithm
IPSec uses the Message Digest 5 (MD5) algorithm or Secure Hash Algorithm (SHA-1)
for authentication. The MD5 algorithm computes faster than the SHA-1 algorithm, but
the SHA-1 algorithm is more secure than the MD5 algorithm.
IPSec uses the DES, Triple Data Encryption Standard (3DES), or Advanced Encryption
Standard (AES) algorithm for encryption. The AES algorithm encrypts plain text by
using a key of 128 bits, 192 bits, or 256 bits.

l Negotiation mode
IPSec uses two negotiation modes to establish SAs: manual mode (manual) and IKE
negotiation mode (isakmp).

3.2 IPSec Features Supported by the AR2200-S


The AR2200-S supports IPSec tunnel established in manual mode or IKE negotiation mode.
The AR2200-S implements the IPSec functions described in 3.1 IPSec Overview.
IPSec peers adopt various security protection measures (authentication, encryption, or both) on
different data flows.
The IPSec configuration roadmap is as follows:
1. Define data flows to be protected by using an ACL.
2. Configure an IPSec proposal to specify the security protocol, authentication algorithm,
encryption algorithm, and encapsulation mode.
3. Configure an IPSec policy or an IPSec policy group to specify the association between data
flows and the IPSec proposal (protection measures for the data flows), SA negotiation
mode, peer IP address (start and end points of the protection path), required key, and SA
lifetime.
4. Apply the IPSec policy on an interface of the router.


In addition, IPSec supports MPLS VPN access. You can implement this function by:
l Associating a VPN instance with an SA
l Configuring the router as a PE and associating the VPN instance with the PE interface
connected to the CE


3.3 Establishing an IPSec Tunnel Manually


You can establish IPSec tunnels manually when the network topology is simple.

3.3.1 Establishing the Configuration Task


Before manually establishing an IPSec tunnel, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
Data flows must be authenticated to ensure data transmission security. In a high security scenario,
data flows must be authenticated and encrypted. In such a scenario, configure IPSec on the device
that initiates the IPSec service and the device that terminates the IPSec service.

Pre-configuration Tasks
Before establishing an IPSec tunnel manually, complete the following tasks:
l Setting parameters of the link-layer protocol for the interfaces to ensure that the link-layer
protocol on the interfaces is Up
l Configuring routes between the source and the destination

Data Preparation
To establish an IPSec tunnel manually, you need the following data.
No.  Data
1    Parameters of an advanced ACL
2    IPSec proposal name, security protocol, authentication algorithm of AH,
     authentication algorithm and encryption algorithm of ESP, and packet
     encapsulation mode
3    IPSec policy settings, including:
     l Name and sequence number of the IPSec policy
     l Local and peer IP addresses of the tunnel
     l Inbound and outbound SPIs for AH or ESP
     l Inbound and outbound authentication keys (character string or hexadecimal
       number) for AH or ESP
     l (optional) VPN instance name
4    Type and number of the interface to which the IPSec policy is applied

NOTE

Use the AH or ESP protocol based on requirements on your network.


3.3.2 Defining Protected Data Flows


IPSec can protect different data flows. In real-world applications, configure an ACL to define
the protected data flows and apply the ACL to a security policy.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number [ match-order { config | auto } ]

An advanced ACL is created and the ACL view is displayed.


Step 3 Run:
rule

An ACL rule is configured.


NOTE

l The ACL must be configured to match the data flows accurately. It is recommended that you set the
action of the ACL rule to permit for the data flows that need to be protected.
l Create different ACLs and IPSec policies for the data flows with different security requirements.

----End

3.3.3 Configuring an IPSec Proposal


An IPSec proposal defines the security protocol, authentication algorithm, encryption algorithm,
and packet encapsulation mode. Both ends of a tunnel must use the same IPSec proposal
configuration.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipsec proposal proposal-name

An IPSec proposal is created and the IPSec proposal view is displayed.


Step 3 (Optional) Run:
transform { ah | esp | ah-esp }

The security protocol is specified.


By default, the ESP protocol defined in RFC 2406 is used.
Step 4 (Optional) Run:
ah authentication-algorithm { md5 | sha1 }

The authentication algorithm used by AH is specified.



By default, AH uses the MD5 authentication algorithm.


Step 5 (Optional) Run:
esp authentication-algorithm [ md5 | sha1 ]

The authentication algorithm used by ESP is specified.


By default, both ESP and AH use the MD5 authentication algorithm.
You can configure the authentication and encryption algorithms only after selecting a security
protocol using the transform command.
Step 6 (Optional) Run:
esp encryption-algorithm [ 3des | des | aes-128 | aes-192 | aes-256 ]

The encryption algorithm used by ESP is specified.


By default, ESP uses the DES encryption algorithm.
Step 7 (Optional) Run:
encapsulation-mode { transport | tunnel }

The packet encapsulation mode is configured.


By default, the tunnel mode is used.
----End

3.3.4 Configuring an IPSec Policy


When establishing an IPSec tunnel manually, configure an IPSec policy for the tunnel.

Context

CAUTION
When configuring SPI, string authentication key (string-key), hexadecimal authentication key
(authentication-hex), and hexadecimal encryption key (encryption-hex) on two ends of an
IPSec tunnel, ensure that the inbound parameters on the local end are the same as the outbound
parameters on the remote end, and the outbound parameters on the local end are the same as the
inbound parameters on the remote end.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipsec policy policy-name seq-number manual

An IPSec policy is created.



An IPSec policy group can contain up to 10000 IPSec policies. By default, no IPSec policy
exists.
Step 3 Run:
security acl acl-number

An ACL is applied to the IPSec policy.


An IPSec policy can use only one ACL. If more than one ACL is applied to the IPSec policy,
the last configured ACL takes effect.
Step 4 Run:
proposal proposal-name

An IPSec proposal is applied to the IPSec policy.


If the manual mode is used, an IPSec policy can use only one proposal. If an IPSec proposal has
been applied to the IPSec policy, cancel the existing proposal before applying a new one to the
IPSec policy. In addition, the IPSec proposals applied on the two ends of a tunnel must have the
same security protocol, algorithm, and packet encapsulation mode.
Step 5 Run:
tunnel local ip-address

The IP address of the local end is configured.


Step 6 Run:
tunnel remote ip-address

The IP address of the remote end is configured.


Step 7 Run:
sa spi { inbound | outbound } { ah | esp } spi-number

The SPI of the SA is configured.


When configuring an SA, set both inbound and outbound parameters.
To manually create an IPSec tunnel, use the sa spi command together with the sa string-key,
sa authentication-hex, or sa encryption-hex command.
The SA parameters on two ends of a tunnel must match each other. The inbound SPI of the local
end must be the same as the outbound SPI of the remote end, and the outbound SPI of the local
end must be the same as the inbound SPI of the remote end.
Step 8 (Optional) Run:
sa authentication-hex { inbound | outbound } { ah | esp } hex-key

The authentication key (a hexadecimal number) of the security protocol is configured.


Step 9 (Optional) Run:
sa string-key { inbound | outbound } { ah | esp } string-key

The authentication key (a character string) of the security protocol is configured.


CAUTION
Use the same key format on the two ends. For example, if the key on one end is a character string
but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be established.
If you configure the keys in different formats, the last configured key takes effect.
Step 10 (Optional) Run:
sa encryption-hex { inbound | outbound } esp hex-key

The encryption key (a hexadecimal number) is configured for ESP.


----End
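
The mirroring rules in the two CAUTION notes above are easy to get wrong by hand. The following added example, not part of this guide, parses the manual IPSec policy of both tunnel ends from constructed configuration fragments written in the command syntax of 3.3.3 and 3.3.4 and reports every SPI, key, key-format, tunnel-address or proposal mismatch before the policy is applied to an interface. The proposal name tran1, policy name map1, ACL number 3101, addresses, SPIs and keys are constructed sample values.

```python
"""Cross-check the manual IPSec policies configured on both ends of a tunnel.

Added example, not Huawei's code. It parses 'ipsec proposal' and
'ipsec policy ... manual' views (syntax of 3.3.3 and 3.3.4) from constructed
configuration fragments, applies the documented defaults, and reports what the
CAUTION notes warn about: unmirrored SPIs, keys and tunnel addresses, keys in
different formats, and proposals that differ between the two ends.
"""
import re

# Defaults stated in 3.3.3: ESP, MD5 authentication, DES encryption, tunnel mode.
PROPOSAL_DEFAULTS = {"transform": "esp", "ah authentication-algorithm": "md5",
                     "esp authentication-algorithm": "md5",
                     "esp encryption-algorithm": "des", "encapsulation-mode": "tunnel"}
SCALAR_RE = re.compile(r"^(%s|proposal|security acl|tunnel local|tunnel remote) (\S+)$"
                       % "|".join(re.escape(c) for c in PROPOSAL_DEFAULTS))
SPI_RE = re.compile(r"^sa spi (inbound|outbound) (ah|esp) (\d+)$")
KEY_RE = re.compile(r"^sa (string-key|authentication-hex|encryption-hex) "
                    r"(inbound|outbound) (ah|esp) (\S+)$")
MIRROR = {"inbound": "outbound", "outbound": "inbound"}


def parse_ipsec(config):
    """Return (proposals, policies) found in a VRP-style configuration fragment."""
    proposals, policies, cur = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                      # '#' separates configuration blocks
            cur = None
        elif line.startswith("ipsec proposal "):
            cur = proposals.setdefault(line.split()[2], dict(PROPOSAL_DEFAULTS))
        elif re.match(r"^ipsec policy \S+ \d+ manual$", line):
            name, seq = line.split()[2:4]
            cur = policies.setdefault((name, int(seq)), {"spi": {}, "key": {}})
        elif cur is None:
            pass                             # text outside any block of interest
        elif SCALAR_RE.match(line):
            cmd, value = SCALAR_RE.match(line).groups()
            cur[cmd] = value
        elif SPI_RE.match(line):
            direction, proto, spi = SPI_RE.match(line).groups()
            cur["spi"][(direction, proto)] = int(spi)
        elif KEY_RE.match(line):             # stored as (format, value) per key kind
            cmd, direction, proto, value = KEY_RE.match(line).groups()
            kind = "enc" if cmd == "encryption-hex" else "auth"
            fmt = "string" if cmd == "string-key" else "hex"
            cur["key"][(direction, proto, kind)] = (fmt, value)
    return proposals, policies


def check_tunnel(cfg_a, cfg_b):
    """Return the mismatches between the single manual policy on end A and on end B."""
    ends = []
    for label, cfg in (("A", cfg_a), ("B", cfg_b)):
        proposals, policies = parse_ipsec(cfg)
        policy = next(iter(policies.values()), {})
        if len(policies) != 1 or policy.get("proposal") not in proposals:
            return ["%s: need exactly one manual policy with a defined proposal" % label]
        ends.append((policy, proposals[policy["proposal"]]))
    (pa, ra), (pb, rb) = ends
    issues = ["proposal '%s' differs: A=%s B=%s" % (k, ra[k], rb[k])
              for k in PROPOSAL_DEFAULTS if ra[k] != rb[k]]
    if (pa.get("tunnel local"), pa.get("tunnel remote")) != (pb.get("tunnel remote"), pb.get("tunnel local")):
        issues.append("tunnel local/remote addresses are not mirrored")
    protocols = ("ah", "esp") if ra["transform"] == "ah-esp" else (ra["transform"],)
    for proto in protocols:
        for d in ("inbound", "outbound"):
            # A's inbound values must equal B's outbound values, and vice versa.
            pair = "A %s / B %s" % (d, MIRROR[d])
            spi_a, spi_b = pa["spi"].get((d, proto)), pb["spi"].get((MIRROR[d], proto))
            if spi_a is None or spi_b is None:
                issues.append("%s SPI missing for %s" % (proto, pair))
            elif spi_a != spi_b:
                issues.append("%s SPI mismatch for %s: %d != %d" % (proto, pair, spi_a, spi_b))
            for kind in ("auth", "enc"):
                ka, kb = pa["key"].get((d, proto, kind)), pb["key"].get((MIRROR[d], proto, kind))
                if ka == kb:                 # both absent, or same format and value
                    continue
                if ka is None or kb is None or ka[0] != kb[0]:
                    issues.append("%s %s key missing or format differs for %s" % (proto, kind, pair))
                else:
                    issues.append("%s %s key value differs for %s" % (proto, kind, pair))
    return issues


def manual_config(local, remote, spi_in, spi_out, key_in, key_out, key_cmd="sa string-key"):
    """Build a constructed fragment in the command syntax of 3.3.3 and 3.3.4."""
    return "\n".join([
        "#", "ipsec proposal tran1", " esp authentication-algorithm sha1",
        " esp encryption-algorithm aes-128", "#", "ipsec policy map1 10 manual",
        " security acl 3101", " proposal tran1", " tunnel local " + local,
        " tunnel remote " + remote, " sa spi inbound esp %d" % spi_in,
        " sa spi outbound esp %d" % spi_out, " %s inbound esp %s" % (key_cmd, key_in),
        " %s outbound esp %s" % (key_cmd, key_out), "#"])


# Constructed sample pair: B's inbound SPI and key equal A's outbound ones, and vice versa.
END_A = manual_config("10.1.1.1", "10.1.2.1", 12345, 54321, "in-key-sample", "out-key-sample")
END_B = manual_config("10.1.2.1", "10.1.1.1", 54321, 12345, "out-key-sample", "in-key-sample")
# Same as END_B but keyed as hexadecimal numbers: the formats differ, so no tunnel (3.3.4 CAUTION).
END_B_HEX = manual_config("10.1.2.1", "10.1.1.1", 54321, 12345, "0123abcd", "abcd0123",
                          key_cmd="sa authentication-hex")
```

Run check_tunnel on the two routers' saved configuration files before applying the policy with ipsec policy on the interface; an empty list means the SPIs, keys, addresses and proposal satisfy the mirroring rules.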

3.3.5 Applying an IPSec Policy to an Interface


A manually configured IPSec policy can be applied to only one interface.

Context
An interface can use only one IPSec policy. An IPSec policy group that establishes an SA through
IKE negotiation can be applied to multiple interfaces, whereas an IPSec policy group that is used
to establish an SA manually can be applied only to one interface. If the applied IPSec policy
establishes an SA in manual mode, the SA is generated immediately.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ipsec policy policy-name

An IPSec policy is applied to the interface.


----End

3.3.6 Checking the Configuration


After an IPSec tunnel is manually established, you can check information about the SA, IPSec
proposal, and IPSec policy.

Prerequisite
The configurations required for establishing an IPSec tunnel manually are complete.

Procedure
l Run the display ipsec sa command to view information about the SA.
l Run the display ipsec proposal [ name proposal-name ] command to view information
about the IPSec proposal.
l Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to view
information about the IPSec policy.

----End

3.4 Establishing an IPSec Tunnel Through IKE Negotiation


IKE provides an automatic protection mechanism to distribute keys, authenticate the identity,
and set up SAs on an insecure network.

3.4.1 Establishing the Configuration Task


Before establishing an IPSec tunnel through IKE negotiation, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data.

Application Environment
Data flows must be authenticated to ensure data transmission security. In a high security scenario,
data flows must be authenticated and encrypted. In such a scenario, configure IPSec on the device
that initiates the IPSec service and the device that terminates the IPSec service.
When the network topology is complex, you can establish IPSec tunnels through IKE
negotiation.

Pre-configuration Tasks
Before establishing an IPSec tunnel through IKE negotiation, complete the following tasks:
l Setting parameters of the link-layer protocol and IP addresses for the interfaces to ensure
that the link-layer protocol on the interfaces is Up
l Configuring routes between the source and the destination

Data Preparation
To establish an IPSec tunnel through IKE negotiation, you need the following data.
No.  Data
1    Parameters of an advanced ACL
2    Priority of the IKE proposal, encryption algorithm, authentication algorithm, and
     authentication method used in IKE negotiation, identifier of the Diffie-Hellman
     group, and SA lifetime
3    IKE peer name, negotiation mode, IKE proposal name, IKE peer ID type, pre-shared
     key, remote address, (optional) VPN instance bound to the IPSec tunnel, and
     remote host name
4    IPSec proposal name, security protocol, authentication algorithm of AH,
     authentication algorithm and encryption algorithm of ESP, and packet
     encapsulation mode
5    Name and sequence number of the IPSec policy, (optional) Perfect Forward
     Secrecy (PFS) feature used in IKE negotiation
6    (Optional) Name of the IPSec policy template
7    (Optional) Local address of the IPSec policy group, time-based global SA
     lifetime, traffic-based global SA lifetime, interval for sending keepalive packets,
     timeout interval of keepalive packets, and interval for sending NAT update packets
8    Type and number of the interface to which the IPSec policy is applied

NOTE

Use the AH or ESP protocol based on requirements on your network.

3.4.2 Defining Protected Data Flows


IPSec can protect different data flows. In real-world applications, configure an ACL to define
the protected data flows and apply the ACL to a security policy.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number [ match-order { config | auto }]

An advanced ACL is created and the ACL view is displayed.


Step 3 Run:
rule

An ACL rule is configured.


----End

3.4.3 Configuring an IKE Proposal


You can create multiple IKE proposals with different priority levels. The two ends must have
at least one matching IKE proposal for IKE negotiation.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
ike proposal proposal-number

An IKE proposal is created and the IKE proposal view is displayed.


The IKE negotiation succeeds only when the two ends use the IKE proposals with the same
settings.
Step 3 (Optional) Run:
encryption-algorithm { des-cbc | 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }

The encryption algorithm is configured.


By default, an IKE proposal uses the DES-CBC encryption algorithm.
Step 4 (Optional) Run:
authentication-algorithm { md5 | sha1 }

The authentication algorithm is configured.


By default, an IKE proposal uses the SHA-1 algorithm.
Step 5 (Optional) Run:
dh { group1 | group2 }

The Diffie-Hellman group is specified.


Step 6 (Optional) Run:
prf { hmac-md5 | hmac-sha1 }

The algorithm used to generate the pseudo random number is specified.


Step 7 (Optional) Run:
sa duration interval

The SA lifetime is set.


If the lifetime expires, the IKE SA is automatically updated.
You can set the lifetime only for the SAs established through IKE negotiation. The lifetime of
manually created SAs is not limited. That is, the manually created SAs are always effective.
----End

3.4.4 Configuring an IKE Peer


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ike peer peer-name [ v1 | v2 ]

An IKE peer is created and the IKE peer view is displayed.


Step 3 (Optional) Run:
exchange-mode { main | aggressive }

The IKE negotiation mode is configured.


In aggressive mode, the local ID type must be set to ip or name in step 5. In main mode, the
local ID type must be set to ip.
Step 4 (Optional) Run:
ike-proposal proposal-number

An IKE proposal is configured.


Step 5 (Optional) Run:
local-id-type { ip | name }

The local ID type is configured.


By default, the IP address of the local end is used as the local ID.
Step 6 (Optional) Run:
local-address address

The IP address of the local end is configured.


By default, the local end address is the IP address of the interface bound to the IPSec policy.
Step 7 (Optional) Run:
peer-id-type { ip | name }

The peer ID type is configured.


By default, the IP address of the local end is used as the local ID.
The peer-id-type command is valid only when IKEv2 is used.
Step 8 (Optional) Run:
nat traversal

NAT traversal is enabled.


When NAT traversal is enabled, local-id-type must be set to name.
Step 9 (Optional) Run:
pre-shared-key key-string

The pre-shared key used by the local end and remote peer is configured.
If pre-shared key authentication is configured, configure a pre-shared key for each remote peer.
The two ends of an IPSec tunnel must use the same pre-shared key.
When pre-shared key authentication is configured, an authenticator must be configured.
Step 10 (Optional) Run:
remote-address [ vpn-instance vpn-instance-name ] ip-address

The IP address or the domain name of the remote peer is configured.


Step 11 (Optional) Run:
remote-name name

The remote host name is configured. Perform this step only when name authentication is used
in aggressive mode.
If IKEv2 is used, set local-id-type to ip and peer-id-type to name, and configure remote-name.
Step 12 Run:
quit

Return to the system view.


Step 13 (Optional) Run:
ike local-name local-name

The local host name used in the IKE negotiation is configured.


Perform this step when the local-id-type is set to name.
----End

3.4.5 Configuring an IPSec Proposal


Both ends of the tunnel must be configured with the same security protocol, authentication
algorithm, encryption algorithm, and packet encapsulation mode.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipsec proposal proposal-name

An IPSec proposal is created and the IPSec proposal view is displayed.


Step 3 (Optional) Run:
transform { ah | esp | ah-esp }

The security protocol is configured.


By default, the ESP protocol defined in RFC 2406 is used.
Step 4 (Optional) Run:
ah authentication-algorithm { md5 | sha1 }

The authentication algorithm used by AH is configured.


By default, AH uses the MD5 authentication algorithm.
Step 5 (Optional) Run:
esp authentication-algorithm [ md5 | sha1 ]

The authentication algorithm used by ESP is configured.


By default, ESP uses the MD5 authentication algorithm.
Step 6 (Optional) Run:
esp encryption-algorithm { 3des | des | aes-128 | aes-192 | aes-256 }

The encryption algorithm used by ESP is configured.


By default, ESP uses the DES encryption algorithm.


Step 7 (Optional) Run:
encapsulation-mode { transport | tunnel }

The packet encapsulation mode is configured.


By default, the security protocol uses the tunnel mode to encapsulate IP packets.
----End

3.4.6 Configuring an IPSec Policy


After configuring an IKE peer, apply it to an IPSec policy. Then the two ends can start IKE
negotiation.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipsec policy policy-name seq-number isakmp [ template template-name ]

An IPSec policy is created.


Step 3 Run:
proposal proposal-name

An IPSec proposal is applied to the IPSec policy.


An IPSec policy that uses IKE negotiation can reference a maximum of six IPSec proposals.
During IKE negotiation, the two ends of the IPSec tunnel use the IPSec proposals with the same
parameter settings first.
Step 4 Run:
security acl acl-number

An ACL is applied to the IPSec policy.


Step 5 (Optional) Run:
sa trigger-mode { auto | traffic-based }

The SA triggering mode is configured.


After IKE negotiation phase 1 succeeds, the IPSec SA is established in the specified triggering
mode. In automatic triggering mode, the IPSec SA is established immediately after IKE
negotiation phase 1 succeeds. In traffic-based triggering mode, the IPSec SA is established only
after packets are received.
By default, the automatic triggering mode is used.
Step 6 (Optional) Run:
sa duration { traffic-based kilobytes | time-based interval }

The SA lifetime is set.


- In IKEv1, the IKE peers compare the lifetime set in their IPSec proposals and use the smaller
value as the IPSec SA lifetime.
- In IKEv2, the IKE peers do not negotiate the SA lifetime. Instead, they use the locally set
SA lifetime.
- The default IPSec SA lifetime is 3600 seconds, and the default traffic volume is 1843200
kilobytes.
Step 7 Run:
ike-peer peer-name

An IKE peer is applied to the IPSec policy.


Step 8 (Optional) Run:
pfs { dh-group1 | dh-group2 }

The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.
If PFS is specified on the local end, you also need to specify PFS on the remote peer. The
Diffie-Hellman group specified on the two ends must be the same; otherwise, the negotiation fails. If
the remote end uses the template mode, the Diffie-Hellman groups can be different.
----End
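The matching rules stated in 3.4.3 (the two ends need IKE proposals with identical settings) and in 3.4.6 steps 3 and 6 (an IKE-negotiated policy references at most six IPSec proposals, matching proposals are used first, IKEv1 peers use the smaller SA lifetime while IKEv2 peers keep the local value) can be checked offline before two routers are configured. The following Python is an added example, not Huawei code and not the router's negotiation logic: it only models the rules as the text states them. The preference order it assumes (a lower IKE proposal number is tried first; IPSec proposals are tried in the order the policy references them), the treatment of unused AH/ESP fields, and the class and function names (IkeProposal, IpsecProposal, match_ike, match_ipsec, ipsec_sa_lifetime) are the example's own.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Defaults stated in 3.4.3 (IKE proposal), 3.4.5 (IPSec proposal) and 3.4.6 step 6.
IKE_DEFAULT_ENCRYPTION = "des-cbc"
IKE_DEFAULT_AUTHENTICATION = "sha1"
MAX_IPSEC_PROPOSALS_PER_POLICY = 6
DEFAULT_SA_SECONDS = 3600
DEFAULT_SA_KILOBYTES = 1843200


@dataclass(frozen=True)
class IkeProposal:
    # Proposal number; the example assumes a lower number means higher priority.
    number: int
    dh: str                                  # group1 | group2
    prf: str                                 # hmac-md5 | hmac-sha1
    encryption: str = IKE_DEFAULT_ENCRYPTION
    authentication: str = IKE_DEFAULT_AUTHENTICATION

    def settings(self):
        return (self.encryption, self.authentication, self.dh, self.prf)


@dataclass(frozen=True)
class IpsecProposal:
    name: str
    transform: str = "esp"                   # ah | esp | ah-esp
    ah_auth: str = "md5"
    esp_auth: str = "md5"
    esp_enc: str = "des"
    encapsulation: str = "tunnel"            # transport | tunnel

    def settings(self):
        # Only the fields the chosen security protocol uses are compared, so an
        # unused AH setting cannot stop two ESP proposals from matching.
        fields = [self.transform, self.encapsulation]
        if self.transform in ("ah", "ah-esp"):
            fields.append(("ah", self.ah_auth))
        if self.transform in ("esp", "ah-esp"):
            fields.append(("esp", self.esp_auth, self.esp_enc))
        return tuple(fields)


def match_ike(local: Sequence[IkeProposal],
              remote: Sequence[IkeProposal]) -> Optional[IkeProposal]:
    """First local IKE proposal, in priority order, whose settings the remote
    end also has; None means IKE negotiation cannot succeed."""
    remote_settings = {r.settings() for r in remote}
    for p in sorted(local, key=lambda p: p.number):
        if p.settings() in remote_settings:
            return p
    return None


def match_ipsec(local: Sequence[IpsecProposal],
                remote: Sequence[IpsecProposal]) -> Optional[IpsecProposal]:
    """Same rule for the IPSec proposals referenced by a policy; the order in
    which the policy references them is taken as the preference order."""
    for side in (local, remote):
        if len(side) > MAX_IPSEC_PROPOSALS_PER_POLICY:
            raise ValueError("an IKE-negotiated IPSec policy may reference at most six proposals")
    remote_settings = {r.settings() for r in remote}
    for p in local:
        if p.settings() in remote_settings:
            return p
    return None


def ipsec_sa_lifetime(ike_version: str, local_seconds: int = DEFAULT_SA_SECONDS,
                      remote_seconds: int = DEFAULT_SA_SECONDS) -> int:
    """IKEv1 peers use the smaller of the two configured lifetimes; IKEv2
    peers do not negotiate the lifetime and keep the local value."""
    if ike_version == "v1":
        return min(local_seconds, remote_seconds)
    if ike_version == "v2":
        return local_seconds
    raise ValueError(f"unknown IKE version {ike_version!r}")
```

A None from match_ike or match_ipsec is the offline equivalent of a failed negotiation; fixing the proposals on one end until both functions return a proposal avoids debugging the tunnel on the routers afterwards.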

3.4.7 (Optional) Configuring an IPSec Policy Template


An IPSec policy template can be used to configure multiple IPSec policies, reducing the
workload of establishing multiple IPSec tunnels.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipsec policy-template policy-template-name seq-number

An IPSec policy template is created.


Step 3 (Optional) Run:
security acl acl-number

An ACL is applied to the IPSec policy template.


Step 4 Run:
proposal proposal-name

An IPSec proposal is applied to the IPSec policy template.


An IPSec policy that uses IKE negotiation can reference a maximum of six IPSec proposals.
During IKE negotiation, the two ends of the IPSec tunnel use the IPSec proposals with the same
parameter settings first.
Step 5 (Optional) Run:
sa duration { traffic-based kilobytes | time-based interval }

The IPSec SA lifetime is set.


Step 6 Run:
ike-peer peer-name

An IKE peer is applied to the IPSec policy template.


Step 7 (Optional) Run:
pfs { dh-group1 | dh-group2 }

The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.
By default, the PFS feature is not used in IKE negotiation.
----End

3.4.8 (Optional) Setting Optional Parameters


This section describes how to set optional parameters for IKE negotiation.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipsec sa global-duration { time-based interval | traffic-based kilobytes }

The global SA lifetime is set.


You can set the lifetime only for the SAs established through IKE negotiation. The lifetime of
manually created SAs is not limited. That is, the manually created SAs are always effective.
If the SA lifetime is not set in an IPSec policy, the global lifetime is used.
The new global lifetime does not affect the IPSec policies that have their own lifetime or the
SAs that have been established. The new global lifetime will be used to establish new SAs during
IKE negotiation.
Step 3 Run:
ike heartbeat-timer interval interval

The interval for sending heartbeat packets is set.


Step 4 Run:
ike heartbeat-timer timeout interval

The timeout interval of heartbeat packets is set.


If the interval for sending heartbeat packets is set on one end, the timeout interval of heartbeat
packets must be set on the other end.
On a network, packet loss rarely occurs consecutively more than three times. Therefore, the
timeout interval of heartbeat packets on one end can be set to three times the interval for sending
heartbeat packets on the other end.
Step 5 Run:
ike nat-keepalive-timer interval interval

The interval for sending NAT keepalive packets is set.


Step 6 Run:
ipsec anti-replay { enable | disable }

The anti-replay function is set.


Step 7 Run:
ike peer

The IKE peer view is displayed.


Step 8 Run:
local-address address

The IP address of the local end is configured.


Step 9 Run the following commands to configure the dead peer detection (DPD) function.
- Run:
dpd { idle-time seconds | retransmit-interval seconds | retry-limit times }

The idle time for DPD, retransmission interval of DPD packets, and maximum number of
retransmissions are set.
- Run:
dpd msg { seq-hash-notify | seq-notify-hash }

The sequence of payloads in DPD packets is configured.
- Run:
dpd type { on-demand | periodic }

The DPD mode is configured.

----End

3.4.9 Applying an IPSec Policy to an Interface


An interface can use only one IPSec policy. An IPSec policy for IKE negotiation can be applied
to multiple interfaces.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ipsec policy policy-name

An IPSec policy is applied to the interface.


Only one IPSec policy can be applied to an interface. An IPSec policy can be applied to multiple
interfaces.
After the configuration is complete, the packets transmitted between two ends of the IPSec tunnel
trigger SA establishment through IKE negotiation. In automatic triggering mode, the SA is
established immediately after the IKE negotiation succeeds. In traffic-based triggering mode,
the SA is established only after data flows matching the IPSec policy are sent from the interface.
After IKE negotiation succeeds and the SA is established, the data flows are encrypted and then
transmitted between two ends.
----End

3.4.10 Checking the Configuration


After an IPSec tunnel is established through IKE negotiation, you can view information about
the SA, configuration of the IKE peer, and configuration of the IKE proposal.

Prerequisite
The configurations required to establish an IPSec tunnel through IKE negotiation are complete.

Procedure
- Run the display ike sa command to view information about the SAs established through
IKE negotiation.
- Run the display ike peer [ name peer-name ] [ verbose ] command to view the
configuration of a specified IKE peer or all IKE peers.
- Run the display ike proposal command to view the configuration of a specified IKE
proposal or all IKE proposals.
- Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | peerip
peer-ip-address ] command to view the configuration of a specified SA or all SAs.
- Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to view
information about a specified IPSec policy or all IPSec policies.
- Run the display ipsec proposal [ name proposal-name ] command to view information
about a specified IPSec proposal or all IPSec proposals.

----End

3.5 Maintaining IPSec


This section describes how to display the IPSec configuration and clear the IPSec statistics.

3.5.1 Displaying the IPSec Configuration


You can run the following display commands to view information about the SA, established
IPSec tunnel, and statistics about IPSec packets.

Prerequisite
The configurations of IPSec are complete.

Procedure
- Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | peerip
peer-ip-address ] command to check information about the IPSec SA.
- Run the display ike sa [ v2 ] [ conn-id connid | peer-name peername | phase phase-number |
verbose ] command to check information about the IPSec tunnel that is established.
- Run the display ipsec statistics { ah | esp } command to check the statistics about IPSec
packets.
- Run the display ike statistics { all | msg | v2 } command to check the statistics about IKE
packets.

----End

3.5.2 Clearing IPSec Information


This section describes how to clear the statistics about IPSec and IKE packets, information about
SAs, and information about the IPSec tunnels established through IKE negotiation.

Context

CAUTION
The statistics cannot be restored after being cleared.

Procedure
- Run the reset ipsec statistics { ah | esp } command in the user view to clear the statistics
about IPSec packets.
- Run the reset ike statistics { all | msg } command in the user view to clear the statistics
about IKE packets.
- Run the reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] |
parameters dest-address { ah | esp } spi ] command in the user view to clear an SA.
- Run the reset ike sa { all | conn-id connection-id } command in the user view to delete a
specified IPSec tunnel or all established IPSec tunnels.

----End

3.6 Configuration Examples


This section provides several configuration examples of IPSec.

3.6.1 Example for Establishing an SA Manually


You can establish security associations (SAs) manually when the network topology is simple.
When there are a large number of devices on the network, it is difficult to establish SAs manually,
and network security cannot be ensured.

Networking Requirements
As shown in Figure 3-3, an IPSec tunnel is established between RouterA and RouterB to protect
data flows between the subnet of PC A (10.1.1.x) and subnet of PC B (10.1.2.x). The IPSec
tunnel uses the ESP protocol, DES encryption algorithm, and SHA-1 authentication algorithm.
Figure 3-3 Network diagram for configuring IPSec

[Figure: PC A (10.1.1.2/24) -- RouterA Eth 1/0/0 (202.138.163.1/24) -- Internet, IPSec Tunnel --
Eth 1/0/0 (202.138.162.1/24) RouterB -- PC B (10.1.2.2/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Configure Access Control Lists (ACLs) and define the data flows to be protected.
3. Configure static routes to peers.
4. Configure an IPSec proposal.
5. Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
6. Apply IPSec policies to interfaces.

Procedure
Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit

# Assign an IP address to the interface of RouterB.


<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.162.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit

Step 2 Configure ACLs on RouterA and RouterB to define the data flows to be protected.
# Configure an ACL on RouterA.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0
0.0.0.255
[Huawei-acl-adv-3101] quit

# Configure an ACL on RouterB.


[Huawei] acl number 3101


[Huawei-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0
0.0.0.255
[Huawei-acl-adv-3101] quit

Step 3 Configure static routes to the peers on RouterA and RouterB.


# Configure a static route to the peer on RouterA. In this example, the next hop to PCB is
202.138.163.2.
[Huawei] ip route-static 10.1.2.0 255.255.255.0 202.138.163.2

# Configure a static route to the peer on RouterB. In this example, the next hop to PCA is
202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2

Step 4 Create an IPSec proposal on RouterA and RouterB.


# Create the IPSec proposal on RouterA.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit

# Create the IPSec proposal on RouterB.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit

Run the display ipsec proposal command on RouterA and RouterB to view the configuration
of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Number of Proposals: 1
IPsec proposal name: tran1
  Encapsulation mode: Tunnel
  Transform         : esp-new
  ESP protocol      : Authentication SHA1-HMAC-96
                      Encryption DES

Step 5 Create IPSec policies on RouterA and RouterB.


# Create an IPSec policy on RouterA.
[Huawei] ipsec policy map1 10 manual
[Huawei-ipsec-policy-manual-map1-10] security acl 3101
[Huawei-ipsec-policy-manual-map1-10] proposal tran1
[Huawei-ipsec-policy-manual-map1-10] tunnel remote 202.138.162.1
[Huawei-ipsec-policy-manual-map1-10] tunnel local 202.138.163.1
[Huawei-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[Huawei-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[Huawei-ipsec-policy-manual-map1-10] sa string-key outbound esp abcdefg
[Huawei-ipsec-policy-manual-map1-10] sa string-key inbound esp gfedcba
[Huawei-ipsec-policy-manual-map1-10] quit

# Create an IPSec policy on RouterB.
[Huawei] ipsec policy use1 10 manual
[Huawei-ipsec-policy-manual-use1-10] security acl 3101
[Huawei-ipsec-policy-manual-use1-10] proposal tran1
[Huawei-ipsec-policy-manual-use1-10] tunnel remote 202.138.163.1
[Huawei-ipsec-policy-manual-use1-10] tunnel local 202.138.162.1
[Huawei-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[Huawei-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
[Huawei-ipsec-policy-manual-use1-10] sa string-key outbound esp gfedcba
[Huawei-ipsec-policy-manual-use1-10] sa string-key inbound esp abcdefg
[Huawei-ipsec-policy-manual-use1-10] quit

Run the display ipsec policy command on RouterA and RouterB to view the configurations of
the IPSec policies. Take the display on RouterA as an example.
[Huawei] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using interface: {}
===========================================
Sequence number: 10
Security data flow: 3101
Tunnel local address: 202.138.163.1
Tunnel remote address: 202.138.162.1
Proposal name:tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: gfedcba
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: abcdefg
ESP encryption hex key:
ESP authentication hex key:

Step 6 Apply the IPSec policies to the interfaces of RouterA and RouterB.
# Apply the IPSec policy to the interface of RouterA.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy map1
[Huawei-Ethernet1/0/0] quit

# Apply the IPSec policy to the interface of RouterB.


[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy use1
[Huawei-Ethernet1/0/0] quit

Run the display ipsec sa command on RouterA and RouterB to view the configuration of the
IPSec SAs. Take the display on RouterA as an example.
[Huawei] display ipsec sa
===============================
Interface: Ethernet 1/0/0
Path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
Sequence number: 10
Mode: Manual
-----------------------------
Encapsulation mode: Tunnel
Tunnel local : 202.138.163.1
Tunnel remote: 202.138.162.1
[Outbound ESP SAs]
SPI: 12345 (0x3039)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
No duration limit for this SA
[Inbound ESP SAs]
SPI: 54321 (0xd431)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
No duration limit for this SA

Step 7 Verify the configurations.


After the configurations are complete, PC A can ping PC B successfully. You can run the display
ipsec statistics esp command to view packet statistics.
----End

Configuration Files
- Configuration file of RouterA
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.163.1
 tunnel remote 202.138.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
#
ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
#
interface Ethernet1/0/0
 ip address 202.138.163.1 255.255.255.0
 ipsec policy map1
#
return

- Configuration file of RouterB
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.162.1
 tunnel remote 202.138.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
#
ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
#
interface Ethernet1/0/0
 ip address 202.138.162.1 255.255.255.0
 ipsec policy use1
#
return
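With manually created SAs there is no negotiation to catch a mistake: the example works only because every value on RouterA is mirrored on RouterB (ACL source and destination swapped, tunnel local and remote swapped, RouterA's outbound SPI and string-key equal to RouterB's inbound SPI and string-key, and the same proposal settings), and an SA whose SPI or key differs on one side silently fails to decrypt. The following Python is an added example, not Huawei code: it embeds the relevant parts of the two configuration files above (routes and interfaces left out), parses them with a small parser for the configuration-file layout shown (an unindented line opens a block, indented lines belong to it, "#" and "return" separate blocks) and lists every mirroring mismatch. The parser, function names and message strings are the example's own.

```python
import re

# Configuration files of RouterA and RouterB, copied from the example above
# (only the ACL, IPSec proposal and manual IPSec policy are needed here).
ROUTER_A = """\
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha1
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.163.1
 tunnel remote 202.138.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
"""

ROUTER_B = """\
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha1
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.162.1
 tunnel remote 202.138.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
"""


def parse_blocks(text):
    """Split configuration-file text into (header, sub-commands) pairs: an
    unindented line opens a block, indented lines belong to the current block,
    '#' and 'return' lines are separators."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() in ("#", "return"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def block_body(blocks, header):
    for h, body in blocks:
        if h == header:
            return body
    raise ValueError(f"block not found: {header}")


def manual_policy(blocks):
    """Parameters of the first 'ipsec policy <name> <seq> manual' block."""
    for header, body in blocks:
        if not re.match(r"ipsec policy \S+ \d+ manual$", header):
            continue
        p = {}
        for cmd in body:
            if m := re.match(r"tunnel (local|remote) (\S+)$", cmd):
                p["tunnel_" + m.group(1)] = m.group(2)
            elif m := re.match(r"sa spi (inbound|outbound) (ah|esp) (\d+)$", cmd):
                p[f"spi_{m.group(1)}_{m.group(2)}"] = int(m.group(3))
            elif m := re.match(r"sa string-key (inbound|outbound) (ah|esp) (\S+)$", cmd):
                p[f"key_{m.group(1)}_{m.group(2)}"] = m.group(3)
            elif m := re.match(r"security acl (\d+)$", cmd):
                p["acl"] = int(m.group(1))
            elif m := re.match(r"proposal (\S+)$", cmd):
                p["proposal"] = m.group(1)
        return p
    raise ValueError("no manual IPSec policy found")


def acl_flows(blocks, number):
    """(source, destination) pairs of the permit rules of an advanced ACL."""
    flows = set()
    for cmd in block_body(blocks, f"acl number {number}"):
        if m := re.match(r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)$", cmd):
            flows.add((m.group(1), m.group(2)))
    return flows


def check_manual_pair(cfg_a, cfg_b):
    """Mismatches between the two ends; an empty list means the tunnel
    endpoints, manual SAs, proposal settings and protected flows agree."""
    ba, bb = parse_blocks(cfg_a), parse_blocks(cfg_b)
    pa, pb = manual_policy(ba), manual_policy(bb)
    problems = []
    if (pa.get("tunnel_local"), pa.get("tunnel_remote")) != (pb.get("tunnel_remote"), pb.get("tunnel_local")):
        problems.append("tunnel local/remote addresses are not mirrored")
    # Each end's outbound SPI and key must be the other end's inbound SPI and key.
    for proto in ("ah", "esp"):
        for field in ("spi", "key"):
            a_out, b_in = pa.get(f"{field}_outbound_{proto}"), pb.get(f"{field}_inbound_{proto}")
            a_in, b_out = pa.get(f"{field}_inbound_{proto}"), pb.get(f"{field}_outbound_{proto}")
            if a_out != b_in:
                problems.append(f"{proto} {field}: A outbound {a_out} != B inbound {b_in}")
            if a_in != b_out:
                problems.append(f"{proto} {field}: A inbound {a_in} != B outbound {b_out}")
    if set(block_body(ba, f"ipsec proposal {pa['proposal']}")) != set(block_body(bb, f"ipsec proposal {pb['proposal']}")):
        problems.append("IPSec proposal settings differ")
    if acl_flows(ba, pa["acl"]) != {(dst, src) for src, dst in acl_flows(bb, pb["acl"])}:
        problems.append("protected data flows are not mirrored")
    return problems
```

Running check_manual_pair on the two files above returns an empty list; changing a single SPI or key on one end, or the destination subnet in one ACL, yields one message naming the mismatched value.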

3.6.2 Example for Configuring IKE Negotiation Using Default Settings


This section provides an example for configuring IKE negotiation using default settings.

Networking Requirements
As shown in Figure 3-4, an IPSec tunnel is established between RouterA and RouterB. This
IPSec tunnel protects data flows between the subnet of PC A (10.1.1.x) and subnet of PC B
(10.1.2.x). The IPSec tunnel uses the ESP protocol, DES encryption algorithm, and MD5
authentication algorithm.
NOTE

- In this example, the default IKE proposal is used.
- By default, a new IPSec proposal created using the ipsec proposal command uses the ESP protocol, DES
encryption algorithm, MD5 authentication algorithm, and tunnel encapsulation mode.

Figure 3-4 Network diagram for configuring IKE negotiation

[Figure: PC A (10.1.1.2/24) -- RouterA Eth 1/0/0 (202.138.163.1/24) -- Internet, IPSec Tunnel --
Eth 1/0/0 (202.138.162.1/24) RouterB -- PC B (10.1.2.2/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Specify the local host ID and IKE peer for IKE negotiation.
3. Configure Access Control Lists (ACLs) and define the data flows to be protected.
4. Configure static routes to peers.
5. Configure an IPSec proposal.
6. Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
7. Apply IPSec policies to interfaces.

Procedure
Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit

# Assign an IP address to the interface of RouterB.


<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.162.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit

Step 2 Configure local IDs and IKE peers on RouterA and RouterB.
# Configure the local ID and IKE peer on RouterA.
[Huawei] ike peer spub v1
[Huawei-ike-peer-spub] pre-shared-key huawei
[Huawei-ike-peer-spub] remote-address 202.138.162.1
[Huawei-ike-peer-spub] quit

NOTE

In aggressive mode, if the value of local-id-type is name, configure the IP address of the remote peer
(remote-address x.x.x.x) on the local end.

# Configure the local ID and IKE peer on RouterB.


[Huawei] ike peer spua v1
[Huawei-ike-peer-spua] pre-shared-key huawei
[Huawei-ike-peer-spua] remote-address 202.138.163.1
[Huawei-ike-peer-spua] quit

Run the display ike peer command on RouterA and RouterB to view the configuration of the
IKE peer. Take the display on RouterA as an example.
[Huawei] display ike peer name spub verbose
----------------------------------------
 Peer name               : spub
 Exchange mode           : main on phase 1
 Pre-shared-key          : huawei
 Local ID type           : IP
 DPD                     : Disable
 DPD mode                : Periodic
 DPD idle time           : 30
 DPD retransmit interval : 15
 DPD retry limit         : 3
 Peer Ip address         : 202.138.162.1
 VPN name                :
 Local IP address        :
 Remote name             :
 Nat-traversal           : Disable
 Configured IKE version  : Version one
----------------------------------------

Step 3 Configure ACLs on RouterA and RouterB to define the data flows to be protected.
# Configure an ACL on RouterA.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0
0.0.0.255
[Huawei-acl-adv-3101] quit

# Configure an ACL on RouterB.


[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0
0.0.0.255
[Huawei-acl-adv-3101] quit

Step 4 Configure static routes to the peers on RouterA and RouterB.


# Configure a static route to the peer on RouterA. In this example, the next hop to PCB is
202.138.163.2.
[Huawei] ip route-static 10.1.2.0 255.255.255.0 202.138.163.2

# Configure a static route to the peer on RouterB. In this example, the next hop to PCA is
202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2

Step 5 Create an IPSec proposal on RouterA and RouterB.


# Create the IPSec proposal on RouterA.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] quit

# Create the IPSec proposal on RouterB.


[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] quit

Run the display ipsec proposal command on RouterA and RouterB to view the configuration
of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Number of Proposals: 1
IPsec proposal name: tran1
Encapsulation mode: Tunnel
Transform
: esp-new
ESP protocol
: Authentication MD5-HMAC-96
Encryption
DES

Step 6 Create IPSec policies on RouterA and RouterB.


# Create an IPSec policy on RouterA.
[Huawei] ipsec policy map1 10 isakmp
[Huawei-ipsec-policy-isakmp-map1-10] ike-peer spub
[Huawei-ipsec-policy-isakmp-map1-10] proposal tran1
[Huawei-ipsec-policy-isakmp-map1-10] security acl 3101
[Huawei-ipsec-policy-isakmp-map1-10] quit

# Create an IPSec policy on RouterB.
[Huawei] ipsec policy use1 10 isakmp
[Huawei-ipsec-policy-isakmp-use1-10] ike-peer spua
[Huawei-ipsec-policy-isakmp-use1-10] proposal tran1
[Huawei-ipsec-policy-isakmp-use1-10] security acl 3101
[Huawei-ipsec-policy-isakmp-use1-10] quit

Run the display ipsec policy command on RouterA and RouterB to view the configurations of
the IPSec policies. Take the display on RouterA as an example.
[Huawei] display ipsec policy
===========================================
IPsec policy group: "map1"
Using interface: {}
===========================================
Sequence number: 10
Security data flow: 3101
Peer name: spub
Perfect forward secrecy: None
Proposal name: tran1
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
SA trigger mode: Automatic

Step 7 Apply the IPSec policies to the interfaces of RouterA and RouterB.
# Apply the IPSec policy to the interface of RouterA.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy map1
[Huawei-Ethernet1/0/0] quit

# Apply the IPSec policy to the interface of RouterB.


[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy use1
[Huawei-Ethernet1/0/0] quit

Run the display ipsec sa command on RouterA and RouterB to view the configuration of the
IPSec SAs. Take the display on RouterA as an example.
[Huawei] display ipsec sa
===============================
Interface: Ethernet 1/0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
-----------------------------
Connection id: 3
encapsulation mode: tunnel
tunnel local : 202.138.163.1
tunnel remote: 202.138.162.1
[inbound ESP SAs]
spi: 1406123142 (0x53cfbc86)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436528/3575
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3835455224 (0xe49c66f8)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887436464/3575
max sent sequence-number: 5
udp encapsulation used for nat traversal: N

Step 8 Verify the configurations.


After the configurations are complete, PC A can ping PC B successfully. The data transmitted
between PC A and PC B is encrypted.
Run the display ike sa command on RouterA, and the following information is displayed:
[Huawei] display ike sa
Conn-ID   Peer             VPN   Flag(s)   Phase
-------------------------------------------------
14        202.138.162.1    0     RD|ST     1
16        202.138.162.1    0     RD|ST     2
Flag Description:
RD--READY
ST--STAYALIVE
RL--REPLACED
FD--FADING
TO--TIMEOUT
HRT--HEARTBEAT
LKG--LAST KNOWN GOOD SEQ NO.
BCK--BACKED UP

----End

Configuration Files
Configuration file of RouterA
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
#
ike peer spub v1
 pre-shared-key huawei
 remote-address 202.138.162.1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
 proposal tran1
#
ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
#
interface Ethernet1/0/0
 ip address 202.138.163.1 255.255.255.0
 ipsec policy map1
#
return

Configuration file of RouterB
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
#
ike peer spua v1
 pre-shared-key huawei
 remote-address 202.138.163.1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer spua
 proposal tran1
#
ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
#
interface Ethernet1/0/0
 ip address 202.138.162.1 255.255.255.0
 ipsec policy use1
#
return

3.6.3 Example for Configuring IKE Negotiation


IKE negotiates SAs and exchanges keys automatically, which is more efficient than configuring
SAs by hand and more secure, because the keys are derived per session instead of being entered statically.

Networking Requirements
As shown in Figure 3-5, an IPSec tunnel is established between RouterA and RouterB. This
IPSec tunnel protects data flows between the subnet of PC A (10.1.1.x) and subnet of PC B
(10.1.2.x). The IPSec tunnel uses the ESP protocol, DES encryption algorithm, and SHA-1
authentication algorithm.
Figure 3-5 Network diagram for configuring IKE negotiation

[Figure: PC A (10.1.1.2/24) - RouterA (Eth 1/0/0, 202.138.163.1/24) - Internet - RouterB (Eth 1/0/0, 202.138.162.1/24) - PC B (10.1.2.2/24). The IPSec tunnel runs between RouterA and RouterB across the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Configure an IKE proposal.
3. Specify the local host ID and IKE peer for IKE negotiation.
4. Configure Access Control Lists (ACLs) and define the data flows to be protected.
5. Configure static routes to peers.
6. Configure an IPSec proposal.
7. Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
8. Apply IPSec policies to interfaces.

Procedure
Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit

# Assign an IP address to the interface of RouterB.


<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.162.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit

Step 2 Create an IKE proposal on RouterA and RouterB.


# Create the IKE proposal on RouterA.
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm aes-cbc-128
[Huawei-ike-proposal-1] authentication-algorithm md5
[Huawei-ike-proposal-1] quit

# Create the IKE proposal on RouterB.


[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm aes-cbc-128
[Huawei-ike-proposal-1] authentication-algorithm md5
[Huawei-ike-proposal-1] quit

Step 3 Configure local IDs and IKE peers on RouterA and RouterB.
# Configure the local ID and IKE peer on RouterA.
[Huawei] ike local-name huawei01
[Huawei] ike peer spub v1
[Huawei-ike-peer-spub] exchange-mode aggressive
[Huawei-ike-peer-spub] ike-proposal 1
[Huawei-ike-peer-spub] local-id-type name
[Huawei-ike-peer-spub] pre-shared-key huawei
[Huawei-ike-peer-spub] remote-name huawei02
[Huawei-ike-peer-spub] remote-address 202.138.162.1
[Huawei-ike-peer-spub] local-address 202.138.163.1
[Huawei-ike-peer-spub] quit
NOTE

In aggressive mode, if the value of local-id-type is name, configure the IP address of the remote peer
(remote-address x.x.x.x) on the local end.
Aggressive mode completes phase 1 in three messages but sends the identities in clear and lets an on-path
observer capture the hash that authenticates the pre-shared key, which can then be attacked offline. Use a
long, random pre-shared key rather than a word such as huawei, and prefer main mode wherever IP-address IDs
can be used.

# Configure the local ID and IKE peer on RouterB.


[Huawei] ike local-name huawei02
[Huawei] ike peer spua v1
[Huawei-ike-peer-spua] exchange-mode aggressive
[Huawei-ike-peer-spua] ike-proposal 1
[Huawei-ike-peer-spua] local-id-type name
[Huawei-ike-peer-spua] pre-shared-key huawei
[Huawei-ike-peer-spua] remote-name huawei01
[Huawei-ike-peer-spua] remote-address 202.138.163.1
[Huawei-ike-peer-spua] local-address 202.138.162.1
[Huawei-ike-peer-spua] quit

Run the display ike peer command on RouterA and RouterB to view the configuration of the
IKE peer. Take the display on RouterA as an example.
[Huawei] display ike peer name spub verbose
---------------------------------------
Peer name               : spub
Exchange mode           : aggressive on phase 1
Pre-shared-key          : huawei
Proposal                : 1
Local ID type           : Name
DPD                     : Disable
DPD mode                : Periodic
DPD idle time           : 30
DPD retransmit interval : 15
DPD retry limit         : 3
Peer Ip address         : 202.138.162.1
VPN name                :
Local IP address        : 202.138.163.1
Remote name             : huawei02
Nat-traversal           : Disable
Configured IKE version  : Version one
----------------------------------------

Step 4 Configure ACLs on RouterA and RouterB to define the data flows to be protected.
# Configure an ACL on RouterA.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0
0.0.0.255
[Huawei-acl-adv-3101] quit

# Configure an ACL on RouterB.


[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0
0.0.0.255
[Huawei-acl-adv-3101] quit

Step 5 Configure static routes to the peers on RouterA and RouterB.


# Configure a static route to the peer on RouterA. In this example, the next hop towards the subnet of
PC B is 202.138.163.2.
[Huawei] ip route-static 10.1.2.0 255.255.255.0 202.138.163.2

# Configure a static route to the peer on RouterB. In this example, the next hop towards the subnet of
PC A is 202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2

Step 6 Create an IPSec proposal on RouterA and RouterB.


# Create the IPSec proposal on RouterA.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit

# Create the IPSec proposal on RouterB.


[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit

Run the display ipsec proposal command on RouterA and RouterB to view the configuration
of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Number of Proposals: 1
IPsec proposal name: tran1
  Encapsulation mode: Tunnel
  Transform         : esp-new
  ESP protocol      : Authentication SHA1-HMAC-96
                      Encryption     DES

Step 7 Create IPSec policies on RouterA and RouterB.


# Create an IPSec policy on RouterA.
[Huawei] ipsec policy map1 10 isakmp
[Huawei-ipsec-policy-isakmp-map1-10] ike-peer spub
[Huawei-ipsec-policy-isakmp-map1-10] proposal tran1
[Huawei-ipsec-policy-isakmp-map1-10] security acl 3101
[Huawei-ipsec-policy-isakmp-map1-10] quit

# Create an IPSec policy on RouterB.


[Huawei] ipsec policy use1 10 isakmp
[Huawei-ipsec-policy-isakmp-use1-10] ike-peer spua
[Huawei-ipsec-policy-isakmp-use1-10] proposal tran1
[Huawei-ipsec-policy-isakmp-use1-10] security acl 3101
[Huawei-ipsec-policy-isakmp-use1-10] quit

Run the display ipsec policy command on RouterA and RouterB to view the configurations of
the IPSec policies. Take the display on RouterA as an example.
[Huawei] display ipsec policy
===========================================
IPsec policy group: "map1"
Using interface: {}
===========================================
Sequence number: 10
Security data flow: 3101
Peer name: spub
Perfect forward secrecy: None
Proposal name: tran1
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
SA trigger mode: Automatic

Step 8 Apply the IPSec policies to the interfaces of RouterA and RouterB.
# Apply the IPSec policy to the interface of RouterA.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy map1
[Huawei-Ethernet1/0/0] quit

# Apply the IPSec policy to the interface of RouterB.


[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy use1
[Huawei-Ethernet1/0/0] quit

Run the display ipsec sa command on RouterA and RouterB to view the configuration of the
IPSec SAs. Take the display on RouterA as an example.
[Huawei] display ipsec sa
===============================
Interface: Ethernet 1/0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
-----------------------------
Connection id: 3
encapsulation mode: tunnel
tunnel local : 202.138.163.1
tunnel remote: 202.138.162.1
[inbound ESP SAs]
spi: 1406123142 (0x53cfbc86)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436528/3575
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3835455224 (0xe49c66f8)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3575
max sent sequence-number: 5
udp encapsulation used for nat traversal: N

Step 9 Verify the configurations.


After the configurations are complete, PC A can ping PC B successfully. The data transmitted
between PC A and PC B is encrypted.
Run the display ike sa command on RouterA, and the following information is displayed:
[Huawei] display ike sa
Conn-ID   Peer             VPN   Flag(s)   Phase
-------------------------------------------------
14        202.138.162.1    0     RD|ST     1
16        202.138.162.1    0     RD|ST     2
Flag Description:
RD--READY
ST--STAYALIVE
RL--REPLACED
FD--FADING
TO--TIMEOUT
HRT--HEARTBEAT
LKG--LAST KNOWN GOOD SEQ NO.
BCK--BACKED UP
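The display ike sa and display ipsec sa output in this step (and the identical output in the verification step of the previous example) is what an operator reads to decide that the tunnel is really up. The following Python script is an added example, not part of this guide, that parses that output and turns it into checks: a READY (RD) SA in both phase 1 and phase 2 for the peer, the SPIs and remaining lifetimes in each direction, and whether the negotiated transforms include something weak. The sample output is constructed from the text above; the function names and the WEAK_TRANSFORMS set are the example's own choices.

```python
import re

# Constructed sample output, copied from the display commands in the example above
# (not captured from a live device). The parser tolerates different column spacing.
IKE_SA_OUTPUT = """\
Conn-ID  Peer             VPN  Flag(s)  Phase
---------------------------------------------
14       202.138.162.1    0    RD|ST    1
16       202.138.162.1    0    RD|ST    2
Flag Description:
RD--READY
ST--STAYALIVE
"""

IPSEC_SA_OUTPUT = """\
===============================
Interface: Ethernet 1/0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
-----------------------------
Connection id: 3
encapsulation mode: tunnel
tunnel local : 202.138.163.1
tunnel remote: 202.138.162.1
[inbound ESP SAs]
spi: 1406123142 (0x53cfbc86)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436528/3575
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3835455224 (0xe49c66f8)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3575
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
"""

# Transforms a reviewer would flag. DES and MD5 are this guide's defaults but are not acceptable today.
WEAK_TRANSFORMS = {"DES", "3DES", "MD5"}

# One IKE SA row: conn-id, peer address, VPN instance, flag list, phase.
IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d)\s*$")


def parse_ike_sa(text):
    """One dict per IKE SA row: conn id, peer, VPN instance, flag set, phase."""
    rows = []
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            conn, peer, vpn, flags, phase = m.groups()
            rows.append({"conn": int(conn), "peer": peer, "vpn": int(vpn),
                         "flags": set(flags.split("|")), "phase": int(phase)})
    return rows


def ike_ready(rows, peer):
    """True only when the peer has a READY (RD) SA in both phase 1 and phase 2.
    A phase-1 SA alone means ISAKMP succeeded but the IPsec SA was never negotiated."""
    phases = {r["phase"] for r in rows if r["peer"] == peer and "RD" in r["flags"]}
    return {1, 2} <= phases


def parse_ipsec_sa(text):
    """{'inbound': {...}, 'outbound': {...}} with spi, transforms, remaining lifetime and NAT-T flag."""
    sas, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[inbound"):
            cur = sas.setdefault("inbound", {})
        elif line.startswith("[outbound"):
            cur = sas.setdefault("outbound", {})
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            key, val = key.strip(), val.strip()
            if key == "spi":
                cur["spi"] = int(val.split()[0])          # decimal SPI; hex form is in parentheses
            elif key == "proposal":
                cur["transforms"] = [t.replace("ESP-ENCRYPT-", "").replace("ESP-AUTH-", "")
                                     for t in val.split()]
            elif key.startswith("sa remaining key duration"):
                remaining_bytes, remaining_sec = val.split("/")
                cur["remaining_bytes"], cur["remaining_sec"] = int(remaining_bytes), int(remaining_sec)
            elif key.startswith("udp encapsulation"):
                cur["nat_t"] = val == "Y"
    return sas


def weak_transforms(sas):
    """Weak transforms negotiated in either direction; an empty set is the desired result."""
    return {t for sa in sas.values() for t in sa.get("transforms", []) if t in WEAK_TRANSFORMS}


if __name__ == "__main__":
    ike = parse_ike_sa(IKE_SA_OUTPUT)
    print("IKE ready for 202.138.162.1:", ike_ready(ike, "202.138.162.1"))
    print("weak transforms:", weak_transforms(parse_ipsec_sa(IPSEC_SA_OUTPUT)) or "none")
```

Paste the two command outputs from the router into the constants (or feed them from a terminal capture) and call ike_ready and weak_transforms. For this example ike_ready is True and the DES transform is reported, which is the expected answer for the configuration shown: the tunnel works, but a production deployment should move the ESP proposal to AES.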

----End

Configuration Files
Configuration file of RouterA
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike local-name huawei01
#
ike peer spub v1
 exchange-mode aggressive
 pre-shared-key huawei
 ike-proposal 1
 local-id-type name
 remote-name huawei02
 local-address 202.138.163.1
 remote-address 202.138.162.1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
 proposal tran1
#
ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
#
interface Ethernet1/0/0
 ip address 202.138.163.1 255.255.255.0
 ipsec policy map1
#
return

Configuration file of RouterB
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike local-name huawei02
#
ike peer spua v1
 exchange-mode aggressive
 pre-shared-key huawei
 ike-proposal 1
 local-id-type name
 remote-name huawei01
 local-address 202.138.162.1
 remote-address 202.138.163.1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer spua
 proposal tran1
#
ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
#
interface Ethernet1/0/0
 ip address 202.138.162.1 255.255.255.0
 ipsec policy use1
#
return
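Most IKE negotiation failures between two hand-configured routers come from the two sides not mirroring each other: an ACL that is not the reverse of its peer's, a remote-address that is not the peer's local-address, a remote-name that does not match the peer's local-name, a different pre-shared key, or a proposal line set on one side and left at its default on the other. The following Python script is an added example, not part of this guide, that parses two VRP configuration files of the shape printed above (for this example and for the previous one) and lists such mismatches before the policies are applied to the interfaces. The sample configurations are constructed from the RouterA and RouterB files above, trimmed to the blocks the check reads; the DES/MD5 defaults it assumes for an absent esp line are the ones the earlier example's display ipsec sa output shows; function names are the example's own.

```python
import re

# Constructed from the RouterA/RouterB configuration files above, trimmed to the blocks
# this check reads (policy, route and interface blocks omitted). Not a device dump.
ROUTER_A = """\
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike local-name huawei01
#
ike peer spub v1
 pre-shared-key huawei
 remote-name huawei02
 local-address 202.138.163.1
 remote-address 202.138.162.1
#
return
"""

ROUTER_B = """\
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike local-name huawei02
#
ike peer spua v1
 pre-shared-key huawei
 remote-name huawei01
 local-address 202.138.162.1
 remote-address 202.138.163.1
#
return
"""

ACL_RULE = re.compile(r"permit ip source (\S+ \S+) destination (\S+ \S+)")


def parse_vrp(text):
    """{block header: [body lines]}; a '#' line (or 'return') closes the current block."""
    blocks, header, body = {}, None, []
    for line in (l.strip() for l in text.splitlines()):
        if line in ("#", "return"):
            if header:
                blocks[header] = body
            header, body = None, []
        elif line and header is None:
            header = line
        elif line:
            body.append(line)
    return blocks


def setting(blocks, prefix, keyword, default=None):
    """Value after `keyword` in the first block whose header starts with prefix, else default."""
    body = next((b for h, b in blocks.items() if h.startswith(prefix)), [])
    return next((l[len(keyword) + 1:] for l in body if l.startswith(keyword + " ")), default)


def peer_view(blocks):
    """What one router asserts about itself, its peer, and the transforms it offers."""
    rule = ACL_RULE.search(setting(blocks, "acl number", "rule", ""))
    name = next((h for h in blocks if h.startswith("ike local-name ")), None)
    return {
        "local_name": name.split()[-1] if name else None,
        "remote_name": setting(blocks, "ike peer", "remote-name"),
        "local_addr": setting(blocks, "ike peer", "local-address"),
        "remote_addr": setting(blocks, "ike peer", "remote-address"),
        "psk": setting(blocks, "ike peer", "pre-shared-key"),
        "ike_enc": setting(blocks, "ike proposal", "encryption-algorithm"),
        "ike_auth": setting(blocks, "ike proposal", "authentication-algorithm"),
        # An absent ESP line means the AR2200 default, DES/MD5 (see the earlier example's SA output).
        "esp_enc": setting(blocks, "ipsec proposal", "esp encryption-algorithm", "des"),
        "esp_auth": setting(blocks, "ipsec proposal", "esp authentication-algorithm", "md5"),
        "flow": rule.groups() if rule else None,
    }


def mirror_problems(cfg_a, cfg_b):
    """Mismatches that would stop the two sides negotiating; an empty list means they mirror."""
    a, b = peer_view(parse_vrp(cfg_a)), peer_view(parse_vrp(cfg_b))
    checks = [
        (a["remote_addr"] == b["local_addr"] and b["remote_addr"] == a["local_addr"],
         "tunnel endpoints are not mirrored"),
        (a["remote_name"] == b["local_name"] and b["remote_name"] == a["local_name"],
         "IKE local/remote names are not mirrored"),
        (a["psk"] == b["psk"], "pre-shared keys differ"),
        (bool(a["flow"] and b["flow"]) and a["flow"] == b["flow"][::-1],
         "protected data flows (ACLs) are not mirrored"),
    ]
    problems = [msg for ok, msg in checks if not ok]
    problems += [f"{k} differs: {a[k]} vs {b[k]}"
                 for k in ("ike_enc", "ike_auth", "esp_enc", "esp_auth") if a[k] != b[k]]
    return problems
```

Call mirror_problems with the two display current-configuration captures; an empty list is the expected result for the files printed above. A side that sets esp authentication-algorithm sha1 while its peer leaves the line at the MD5 default is reported as an esp_auth mismatch, which is exactly the asymmetry that shows up on the router as a phase 1 SA in RD state with no phase 2 SA in display ike sa.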
