Huawei AR2200-S Series Enterprise Routers
V200R001C01

Configuration Guide - VPN

Issue: 01
Date: 2012-01-06

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com

Issue 01 (2012-01-06)

Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.


Huawei AR2200-S Series Enterprise Routers Configuration Guide - VPN


About This Document

Intended Audience

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the VPN supported by the AR2200-S device. This document describes how to configure the VPN.

This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol: Description
DANGER: Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING: Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION: Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP: Indicates a tip that may help you solve a problem or save time.
NOTE: Provides additional information to emphasize or supplement important points of the main text.


Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention: Description
Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.

Interface Numbering Conventions

Interface numbers used in this manual are examples. In device configuration, use the existing interface numbers on devices.

Change History

Changes between document issues are cumulative. Therefore, the latest document version contains all updates made to previous versions.

Changes in Issue 01 (2012-01-06)

Initial commercial release.


Contents

About This Document ... ii

1 GRE Configuration ... 1
1.1 Introduction to GRE ... 2
1.2 GRE Features Supported by the AR2200-S ... 2
1.3 Configuring GRE ... 3
1.3.1 Establishing the Configuration Task ... 3
1.3.2 Configuring a Tunnel Interface ... 4
1.3.3 Configuring Routes for the Tunnel ... 5
1.3.4 (Optional) Configuring GRE Security Options ... 6
1.3.5 Checking the Configuration ... 7
1.4 Configuring the Keepalive Function ... 8
1.4.1 Establishing the Configuration Task ... 8
1.4.2 Enabling the Keepalive Function ... 9
1.4.3 Checking the Configuration ... 10
1.5 Maintaining GRE ... 11
1.5.1 Resetting the Statistics of a Tunnel Interface ... 11
1.5.2 Monitoring the Running Status of GRE ... 12
1.5.3 Debugging GRE ... 12
1.6 Configuration Examples ... 12
1.6.1 Example for Configuring a Static Route for GRE ... 12
1.6.2 Example for Configuring a Dynamic Routing Protocol for GRE ... 17
1.6.3 Example for Configuring a GRE Tunnel to Transmit VPN Multicast Data Encrypted with IPSec ... 20
1.6.4 Example for Configuring the Keepalive Function for GRE ... 26

2 MCE Configuration ... 29
2.1 Introduction to MCE ... 30
2.1.1 MCE Overview ... 30
2.1.2 MCE Functions Supported by the AR2200-S ... 31
2.2 Configuring a VPN Instance ... 31
2.2.1 Establishing the Configuration Task ... 32
2.2.2 Creating a VPN Instance ... 32
2.2.3 Binding an Interface with a VPN Instance ... 33
2.2.4 Checking the Configuration ... 34
2.3 Configuring a Route Multi-Instance Between an MCE and a Site ... 34
2.3.1 Establishing the Configuration Task ... 34
2.3.2 (Optional) Configuring a Static Route Between an MCE and a Site ... 35
2.3.3 (Optional) Configuring RIP Between an MCE and a Site ... 36
2.3.4 (Optional) Configuring OSPF Between an MCE and a Site ... 36
2.3.5 (Optional) Configuring IS-IS Between an MCE and a Site ... 37
2.3.6 Checking the Configuration ... 37
2.4 Configuring a Route Multi-Instance Between an MCE and a PE ... 38
2.4.1 Establishing the Configuration Task ... 38
2.4.2 (Optional) Configuring a Static Route Between an MCE and a PE ... 39
2.4.3 (Optional) Configuring RIP Between an MCE and a PE ... 39
2.4.4 (Optional) Configuring OSPF Between an MCE and a PE ... 40
2.4.5 (Optional) Configuring IS-IS Between an MCE and a PE ... 41
2.4.6 Checking the Configuration ... 41
2.5 MCE Configuration Examples ... 42
2.5.1 Example for Configuring MCE ... 42

3 IPSec Configuration ... 49
3.1 IPSec Overview ... 50
3.2 IPSec Features Supported by the AR2200-S ... 51
3.3 Establishing an IPSec Tunnel Manually ... 52
3.3.1 Establishing the Configuration Task ... 52
3.3.2 Defining Protected Data Flows ... 53
3.3.3 Configuring an IPSec Proposal ... 53
3.3.4 Configuring an IPSec Policy ... 54
3.3.5 Applying an IPSec Policy to an Interface ... 56
3.3.6 Checking the Configuration ... 56
3.4 Establishing an IPSec Tunnel Through IKE Negotiation ... 57
3.4.1 Establishing the Configuration Task ... 57
3.4.2 Defining Protected Data Flows ... 58
3.4.3 Configuring an IKE Proposal ... 58
3.4.4 Configuring an IKE Peer ... 59
3.4.5 Configuring an IPSec Proposal ... 61
3.4.6 Configuring an IPSec Policy ... 62
3.4.7 (Optional) Configuring an IPSec Policy Template ... 63
3.4.8 (Optional) Setting Optional Parameters ... 64
3.4.9 Applying an IPSec Policy to an Interface ... 65
3.4.10 Checking the Configuration ... 66
3.5 Maintaining IPSec ... 66
3.5.1 Displaying the IPSec Configuration ... 66
3.5.2 Clearing IPSec Information ... 67
3.6 Configuration Examples ... 67
3.6.1 Example for Establishing an SA Manually ... 67
3.6.2 Example for Configuring IKE Negotiation Using Default Settings ... 72
3.6.3 Example for Configuring IKE Negotiation ... 77


1 GRE Configuration

About This Chapter

Generic Routing Encapsulation (GRE) encapsulates the packets of certain network layer protocols so that the encapsulated packets can be transmitted over the IPv4 network.

1.1 Introduction to GRE
The transmission of packets in a GRE tunnel involves two processes: encapsulation and decapsulation. After receiving a packet of a certain network layer protocol that needs to be encapsulated and routed, the system adds a GRE header to the packet, and encapsulates the packet into a packet of another protocol, such as IP.

1.2 GRE Features Supported by the AR2200-S
GRE features supported by the AR2200-S include the following: enlargement of the operation scope of the network running a hop-limited protocol, and working in conjunction with the IP Security Protocol (IPSec) to compensate for the IPSec flaw in multicast data protection.

1.3 Configuring GRE
You can configure GRE only after a GRE tunnel is configured.

1.4 Configuring the Keepalive Function
Before configuring a tunnel policy and a GRE tunnel for the VPN, enable the GRE tunnel Keepalive function. With this function enabled, the VPN does not select a GRE tunnel that cannot reach the remote end, and data loss can be avoided.

1.5 Maintaining GRE
This section describes how to reset the statistics of a tunnel interface and monitor the GRE running status.

1.6 Configuration Examples
Familiarize yourself with the configuration procedures against the networking diagrams. This section provides networking requirements, configuration notes, and configuration roadmaps in the configuration examples.


1.1 Introduction to GRE

The transmission of packets in a GRE tunnel involves two processes: encapsulation and decapsulation. After receiving a packet of a certain network layer protocol that needs to be encapsulated and routed, the system adds a GRE header to the packet, and encapsulates the packet into a packet of another protocol, such as IP.

GRE encapsulates the packets of certain network layer protocols. After encapsulation, these packets can be transmitted over the network by another network layer protocol, such as IP. GRE can serve as a Layer 3 tunneling protocol for VPNs.

A tunnel is a virtual point-to-point connection and can be regarded as a virtual interface that supports only point-to-point connections. This interface provides a path to transmit encapsulated datagrams. GRE encapsulates and decapsulates datagrams at both ends of the tunnel.

1.2 GRE Features Supported by the AR2200-S

GRE features supported by the AR2200-S include the following: enlargement of the operation scope of the network running a hop-limited protocol, and working in conjunction with the IP Security Protocol (IPSec) to compensate for the IPSec flaw in multicast data protection.

Enlarging the Operation Scope of the Network Running a Hop-Limited Protocol

If the hop count between two terminals in Figure 1-1 is more than 15, the two terminals cannot communicate with each other.

Figure 1-1 Networking diagram of enlarged network operation scope (figure not reproduced; labels: PC, IP network, Tunnel, IP network, IP network, PC)

When the tunnel is used in the network, a few hops are hidden. This enlarges the scope of the network operation.

Working in Combination with IPSec to Compensate for the IPSec Flaw in Multicast Data Protection

Based on GRE, multicast data can be encapsulated and transmitted in the GRE tunnel. Based on IPSec, only unicast data can be protected by encryption.

Figure 1-2 Networking diagram of GRE-IPSec tunnel application (figure not reproduced; labels: Corporate intranet, Internet, IPSec tunnel, GRE tunnel, Remote office network)

As shown in Figure 1-2, if multicast data is to be transmitted in the IPSec tunnel, establish a GRE tunnel and encapsulate the multicast data with GRE. Then encrypt the encapsulated multicast data with IPSec. When these tasks are performed, the encrypted multicast data can be transmitted in the IPSec tunnel.

1.3 Configuring GRE

You can configure GRE only after a GRE tunnel is configured.

1.3.1 Establishing the Configuration Task

Before configuring a GRE tunnel, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration.

Applicable Environment

To set up a GRE tunnel, create a tunnel interface first, and configure the GRE functions on the tunnel interface. If the tunnel interface is deleted, all the configurations on the interface are deleted.

Pre-configuration Tasks

Before configuring an ordinary GRE tunnel, complete the following task:
- Configuring reachable routes between the source and destination interfaces

Data Preparation

To configure an ordinary GRE tunnel, you need the following data.
1. Number of the tunnel interface
2. Source address and destination address of the tunnel
3. IP address of the tunnel interface
4. Key of the tunnel interface

1.3.2 Configuring a Tunnel Interface

After creating a tunnel interface, specify GRE as the encapsulation type, set the tunnel source address or source interface, and set the tunnel destination address. In addition, set the tunnel interface network address so that the tunnel can support dynamic routing protocols.

Context

Perform the following steps on the routers at the two ends of a tunnel.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface tunnel interface-number

A tunnel interface is created and the tunnel interface view is displayed.

Step 3 Run:
tunnel-protocol { gre | none }

The tunnel is encapsulated with GRE.

Step 4 Run:
source { source-ip-address | interface-type interface-number }

The source address or source interface of the tunnel is configured.

NOTE
- The virtual IP address of the VRRP backup group can be configured as the source address of the GRE tunnel.
- The bridge-if interface cannot be configured as the source interface of the GRE tunnel.

The source interface of a tunnel cannot be the tunnel interface itself, but it can be the interface of another tunnel.

Step 5 Run:
destination ip-address

The destination address of the tunnel is configured.

Step 6 (Optional) Run:
mtu mtu

The Maximum Transmission Unit (MTU) of the tunnel interface is modified. The new MTU takes effect only after you run the shutdown command and then the undo shutdown command on the interface.

Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
- Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP address of the tunnel interface.
- Run the ip address unnumbered interface interface-type interface-number command to configure IP unnumbered for the tunnel interface.

To support dynamic routing protocols on a tunnel, configure a network address for the tunnel interface. The network address of the tunnel interface does not need to be a public address, but it must be in the same network segment at both ends of the tunnel. By default, the network address of a tunnel interface is not set.

----End

1.3.3 Configuring Routes for the Tunnel

Routes for a tunnel must be available on both the source and destination devices so that packets encapsulated with GRE can be forwarded correctly. A route passing through tunnel interfaces can be a static route or a dynamic route.

Context

Perform the following steps on the devices at the two ends of a tunnel.

NOTE
The packets encapsulated with GRE are forwarded correctly only if the routes for the tunnel are available on both the source and destination routers.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Choose one of the following methods to configure routes passing through the tunnel interface.
- Run the ip route-static ip-address { mask | mask-length } tunnel interface-number [ description text ] command to configure a static route. The static route must be configured on both ends of the tunnel. In this command, the destination address is neither the destination address of the tunnel nor the address of the opposite tunnel interface, but the destination address of the packet that is not yet encapsulated with GRE. The outbound interface must be the local tunnel interface.
- Configure dynamic routes using an IGP or BGP. Details of the procedure are not provided here. For the configuration of dynamic routes, see the AR2200-S Configuration Guide - IP Routing. When configuring a dynamic routing protocol, enable the dynamic routing protocol on both the tunnel interface and the interface connected to the private network.

To ensure correct routing, do not choose the tunnel interface as the next hop when configuring the route to the physical or logical interface of the destination tunnel. Use Router A in Figure 1-3 as an example. The source interface of Tunnel 0/0/1 is GE 1/0/0 on Router A, and its destination interface is GE 2/0/0 on Router C. If a dynamic routing protocol is used, the protocol must be configured on the tunnel interface and on the GE interface connected to the PC. Moreover, in the routing table of Router A, the outbound interface of the route to the network segment where GE 2/0/0 on Router C resides cannot be Tunnel 0/0/1.

In practical configurations, configure a multi-process routing protocol or change the metric value of the tunnel interface. This prevents the tunnel interface from being selected as the outbound interface of routes to the destination physical interface of the tunnel. Tunnel interfaces and the physical interfaces connected to the public network should use different routing protocols or different processes of the same routing protocol. With one of these measures in place, a tunnel interface is not selected as the outbound interface for packets destined for the tunnel destination, and a physical interface does not forward user packets that should be forwarded through the tunnel.

Figure 1-3 Diagram of configuring the GRE dynamic routing protocol (figure not reproduced; labels: Backbone, RouterA, GE1/0/0, GE2/0/0, Tunnel0/0/1, Tunnel, RouterC, GE2/0/0, GE1/0/0, Tunnel0/0/2, PC1, PC2)

----End
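The recursive-route pitfall described for Router A above, turned into a check as an added example (not from the guide): it parses routing-table text in the display ip routing-table format shown in 1.3.5, finds the longest-prefix match for the tunnel destination, and reports whether that route leaves through the tunnel interface itself or is missing altogether. The tunnel Tunnel0/0/1 with destination 160.1.1.2 and the two routing tables are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed tunnel on Router A (constructed for this example): Tunnel0/0/1 with
# source 150.1.1.1 on GE1/0/0 and destination 160.1.1.2 on Router C.
TUNNEL_IFACE = "Tunnel0/0/1"
TUNNEL_DESTINATION = "160.1.1.2"

# Constructed routing table in the display ip routing-table format of 1.3.5:
# the tunnel destination is reached over the public interface, as it should be.
GOOD_TABLE = """\
Routing Tables: Public
         Destinations : 4        Routes : 4
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.2.1.0/24         OSPF    10   1         D     40.1.1.2        Tunnel0/0/1
40.1.1.0/24         Direct  0    0         D     40.1.1.1        Tunnel0/0/1
150.1.1.0/24        Direct  0    0         D     150.1.1.1       GigabitEthernet1/0/0
160.1.1.0/24        OSPF    10   2         D     150.1.1.2       GigabitEthernet1/0/0
"""

# Same router after one OSPF process was run on both the tunnel and the public
# interface: the route to the tunnel destination now exits via the tunnel itself.
BAD_TABLE = """\
Routing Tables: Public
         Destinations : 4        Routes : 4
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.2.1.0/24         OSPF    10   1         D     40.1.1.2        Tunnel0/0/1
40.1.1.0/24         Direct  0    0         D     40.1.1.1        Tunnel0/0/1
150.1.1.0/24        Direct  0    0         D     150.1.1.1       GigabitEthernet1/0/0
160.1.1.0/24        OSPF    10   1         D     40.1.1.2        Tunnel0/0/1
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    proto: str
    pre: int
    cost: int
    flags: str
    nexthop: str
    interface: str


def parse_routing_table(text: str) -> List[Route]:
    """Extract route rows; banner lines and the column header are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        try:
            network = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue  # "Destination/Mask ..." header or other non-route text
        if len(parts) == 6:  # Flags column printed blank
            proto, pre, cost, nexthop, iface = parts[1:]
            flags = ""
        else:
            proto, pre, cost, flags, nexthop, iface = parts[1:7]
        routes.append(Route(network, proto, int(pre), int(cost), flags, nexthop, iface))
    return routes


def longest_match(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match; ties go to the lower preference, then the lower cost."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.pre, r.cost))


def check_tunnel_route(table_text: str, tunnel_iface: str,
                       tunnel_destination: str) -> Tuple[str, str]:
    """Return (status, detail) with status 'ok', 'missing' or 'recursive'."""
    route = longest_match(parse_routing_table(table_text), tunnel_destination)
    if route is None:
        return ("missing", "no route to tunnel destination %s (pre-configuration "
                           "task in 1.3.1 not met)" % tunnel_destination)
    if route.interface == tunnel_iface:
        return ("recursive", "route %s to tunnel destination %s exits via %s itself "
                             "(%s, cost %d); use another process or raise the tunnel metric"
                             % (route.network, tunnel_destination, tunnel_iface,
                                route.proto, route.cost))
    return ("ok", "tunnel destination %s reached via %s (%s %s)"
                  % (tunnel_destination, route.interface, route.proto, route.network))


if __name__ == "__main__":
    for name, table in (("good", GOOD_TABLE), ("bad", BAD_TABLE)):
        print(name, *check_tunnel_route(table, TUNNEL_IFACE, TUNNEL_DESTINATION))
```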

1.3.4 (Optional) Configuring GRE Security Options

To enhance the security of a GRE tunnel, configure end-to-end checksum authentication or key authentication. This security mechanism can prevent the tunnel interface from incorrectly identifying and receiving packets from other devices.

Context

Perform the following steps on the routers at the two ends of a tunnel.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface tunnel interface-number

The tunnel interface view is displayed.

Step 3 Run:
gre checksum

End-to-end checksum authentication is configured for the tunnel. By default, end-to-end checksum authentication is disabled.

Step 4 Run:
gre key key-number

The key is set for the tunnel interface. If keys are set for the tunnel interfaces at the two ends of the tunnel, ensure that they have the same key number. Alternatively, you may choose not to set keys on the tunnel interfaces at either end of the tunnel. By default, no key is configured for the tunnel.

NOTE
Step 3 and Step 4 can be performed in any order.

----End
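The key and checksum from Step 3 and Step 4, worked at the packet level as an added example (not from the guide or the router's implementation): it builds GRE headers per RFC 2784/2890 and shows the receiving end dropping a packet whose key differs from the configured one or whose checksum no longer matches. Both fields travel in the clear and the checksum is not cryptographic, so they only keep misdirected or stray traffic out of the tunnel; confidentiality needs IPSec as in 1.2. The payload bytes and the key value 0x2A are constructed.

```python
import struct
from typing import Optional, Tuple

GRE_PROTO_IPV4 = 0x0800
FLAG_CHECKSUM = 0x8000   # C bit, RFC 2784: Checksum and Reserved1 words present
FLAG_KEY = 0x2000        # K bit, RFC 2890: Key word present
FLAG_SEQUENCE = 0x1000   # S bit, RFC 2890: Sequence Number present (parsed only)

# Constructed payload: a minimal IPv4-header-like blob, src 10.1.1.1, dst 10.2.1.1.
PAYLOAD = b"\x45\x00\x00\x14" + b"\x00" * 8 + bytes([10, 1, 1, 1]) + bytes([10, 2, 1, 1])
CONFIGURED_KEY = 0x2A    # constructed value standing in for "gre key 42" on both ends


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, zero-padded if the length is odd."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, key: Optional[int] = None, checksum: bool = False,
                    protocol: int = GRE_PROTO_IPV4) -> bytes:
    """Sending end: 'gre key' adds the Key word, 'gre checksum' adds the Checksum word."""
    flags = (FLAG_CHECKSUM if checksum else 0) | (FLAG_KEY if key is not None else 0)
    header = struct.pack("!HH", flags, protocol)
    if checksum:
        header += struct.pack("!HH", 0, 0)      # Checksum placeholder + Reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if checksum:
        # The checksum covers the GRE header (field zeroed) plus the payload.
        csum = internet_checksum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def gre_receive(packet: bytes, configured_key: Optional[int] = None
                ) -> Tuple[str, Optional[int], bytes]:
    """Receiving end: returns (verdict, protocol, payload); verdict is 'accept' or a drop reason."""
    if len(packet) < 4:
        return ("drop: truncated header", None, b"")
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        return ("drop: unsupported GRE version", protocol, b"")
    has_csum = bool(flags & FLAG_CHECKSUM)
    has_key = bool(flags & FLAG_KEY)
    has_seq = bool(flags & FLAG_SEQUENCE)
    hdr_len = 4 + 4 * (has_csum + has_key + has_seq)
    if len(packet) < hdr_len:
        return ("drop: truncated header", protocol, b"")
    offset = 4
    if has_csum:
        received = struct.unpack("!H", packet[4:6])[0]
        if internet_checksum(packet[:4] + b"\x00\x00" + packet[6:]) != received:
            return ("drop: checksum mismatch", protocol, b"")
        offset += 4
    key = None
    if has_key:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
    # Both ends must agree on the key (1.3.4): a different key, a key where none is
    # configured, or no key where one is configured all cause the packet to be dropped.
    if key != configured_key:
        return ("drop: key mismatch", protocol, b"")
    return ("accept", protocol, packet[hdr_len:])


if __name__ == "__main__":
    keyed = gre_encapsulate(PAYLOAD, key=CONFIGURED_KEY, checksum=True)
    print("matching key   :", gre_receive(keyed, CONFIGURED_KEY)[0])
    print("wrong key      :", gre_receive(keyed, CONFIGURED_KEY + 1)[0])
    print("unkeyed sender :", gre_receive(gre_encapsulate(PAYLOAD), CONFIGURED_KEY)[0])
    damaged = keyed[:-1] + bytes([keyed[-1] ^ 0x01])
    print("corrupted byte :", gre_receive(damaged, CONFIGURED_KEY)[0])
```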

1.3.5 Checking the Configuration

After a GRE tunnel is set up, you can view the running status and routing information about the tunnel interface.

Context

The configurations of the GRE function are complete.

Procedure
- Run the display interface tunnel [ interface-number ] command to check tunnel interface information.
- Run the display ip routing-table command to check the IPv4 routing table.
- Run the ping -a source-ip-address host command to check whether the two ends of the tunnel can successfully ping each other.

----End

Example

Run the display interface tunnel command. If the tunnel interface is Up, the configuration succeeds. For example:

display interface Tunnel 0/0/1
Tunnel0/0/1 current state : UP
Line protocol current state : UP
Description:HUAWEI, AR Series, Tunnel0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 5.5.5.2/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 150.1.1.1 (Ethernet4/0/0), destination 150.1.1.2
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
Current system time: 2008-03-04 19:17:30
300 seconds input rate 0 bits/sec, 0 packets/sec
300 seconds output rate 0 bits/sec, 0 packets/sec
0 seconds input rate 0 bits/sec, 0 packets/sec
0 seconds output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error
Input: Unicast: 0 packets, Multicast: 0 packets
Output: Unicast: 0 packets, Multicast: 0 packets
Input bandwidth utilization : --
Output bandwidth utilization : --

Run the display ip routing-table command. If the route passing through the tunnel interface exists in the routing table, the configuration succeeds. For example:

[Huawei] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.1.0/24         Direct  0    0         D     10.1.1.2        GigabitEthernet2/0/0
10.1.1.2/32         Direct  0    0         D     127.0.0.1       InLoopBack0
10.2.1.0/24         Static  60   0         D     40.1.1.1        Tunnel0/0/2
20.1.1.1/32         Direct  0    0         D     127.0.0.1       InLoopBack0
40.1.1.0/24         Direct  0    0         D     40.1.1.1        Tunnel0/0/2
40.1.1.1/32         Direct  0    0         D     127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0         D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0         D     127.0.0.1       InLoopBack0

Run the ping -a source-ip-address host command to see that the ping from the local tunnel interface to the destination tunnel succeeds.

ping -a 40.1.1.1 40.1.1.2
PING 40.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=24 ms
Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=48 ms
Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=33 ms
Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=36 ms
--- 40.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 24/34/48 ms

1.4 Configuring the Keepalive Function

Before configuring a tunnel policy and a GRE tunnel for the VPN, enable the GRE tunnel Keepalive function. With this function enabled, the VPN does not select a GRE tunnel whose remote end is unreachable, so data loss is avoided.

1.4.1 Establishing the Configuration Task

Before configuring the GRE tunnel Keepalive function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Application Environment

The Keepalive function can be configured on one end of a GRE tunnel to test the GRE tunnel status. If the remote end is found unreachable, the tunnel is torn down promptly to avoid a data black hole.

Figure 1-4 GRE tunnel supporting Keepalive: RouterA (source) and RouterB (destination) connected by a GRE tunnel across the Internet

Pre-configuration Tasks

Before configuring the Keepalive function, complete the following tasks:
- Configuring the link layer attributes of the interfaces
- Assigning IP addresses to the interfaces
- Establishing the GRE tunnel and keeping the tunnel Up

Data Preparation

To configure the Keepalive function, you need the following data.

No.  Data
1    Interval for sending Keepalive messages
2    Retry times of the unreachable timer

1.4.2 Enabling the Keepalive Function

The GRE tunnel Keepalive function is unidirectional. To implement the Keepalive function on both ends, enable the Keepalive function on both ends of a GRE tunnel.

Context

Perform the following steps on the router that requires the Keepalive function.

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  interface tunnel interface-number

The tunnel interface view is displayed.

Step 3 Run:
  tunnel-protocol gre

The tunnel is encapsulated with GRE.

Step 4 Run:
  keepalive [ period period [ retry-times retry-times ] ]

The Keepalive function is enabled. Because the function is unidirectional, one end can be configured with Keepalive regardless of whether the remote end is; the local end still detects that the remote end is unreachable. It is nevertheless recommended to enable Keepalive on both ends of the GRE tunnel, so that each end withdraws its own tunnel interface when its peer becomes unreachable.

TIP
Before configuring the tunnel policy and the GRE tunnel for the VPN, enable the GRE tunnel Keepalive function. With this function enabled, the VPN does not select a GRE tunnel whose remote end is unreachable, and data loss is avoided. The reasons for enabling the Keepalive function are as follows:
- If the Keepalive function is not enabled, the local tunnel interface may stay Up regardless of whether data reaches the remote end, and traffic routed into the tunnel is silently dropped.
- If the Keepalive function is enabled on the local end, the local tunnel interface is set Down when the remote end is unreachable. As a result, the VPN does not select the unreachable GRE tunnel and data is not lost.

----End
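The following model shows the behaviour described in this section: the probing end, the period and retry-times parameters, the transition to Down when the remote end is unreachable, the recovery, and the unidirectional caveat (an end that has not enabled Keepalive never changes state, even though it answers probes). It is an added example, not Huawei code; the class and function names, the link model and the way the four counters are kept are assumptions made for this illustration.

```python
"""Model of the GRE tunnel Keepalive behaviour described in 1.4.

Added example, not Huawei's implementation. The end with `keepalive`
enabled probes every `period` seconds; after `retry_times` unanswered
probes in a row it sets its tunnel interface Down (so routes over the
tunnel are withdrawn); the next answered probe brings it Up again.
Detection is unidirectional: an end that has not enabled keepalive keeps
answering probes but never changes state. Class and function names and
the Link model are assumptions for this illustration.
"""


class Link:
    """Constructed two-way path between the ends; when `up` is False every
    packet in either direction is dropped (the remote end is unreachable)."""

    def __init__(self):
        self.up = True

    def deliver(self, pkt, dst):
        if self.up:
            dst.receive(pkt)


class GreEndpoint:
    def __init__(self, name, keepalive, period=5, retry_times=3):
        self.name = name
        self.keepalive = keepalive      # `keepalive` configured on this end?
        self.period = period            # seconds between probes
        self.retry_times = retry_times  # unanswered probes before Down
        self.peer = None
        self.link = None
        self.state = "Up"
        self.unanswered = 0
        # The four counters printed by `display keepalive packets count`.
        self.sent_keepalive = 0
        self.recv_response = 0
        self.recv_keepalive = 0
        self.sent_response = 0

    def send_probe(self):
        """Called once per `period` on an end with keepalive enabled."""
        self.sent_keepalive += 1
        self.unanswered += 1
        if self.unanswered >= self.retry_times:
            # Remote end unreachable: take the interface Down so the VPN
            # stops selecting this tunnel instead of black-holing traffic.
            self.state = "Down"
        self.link.deliver(("KEEPALIVE", self.name), self.peer)

    def receive(self, pkt):
        kind, _sender = pkt
        if kind == "KEEPALIVE":
            # Assumption matching the guide: a GRE end answers a probe
            # whether or not its own keepalive function is enabled.
            self.recv_keepalive += 1
            self.sent_response += 1
            self.link.deliver(("RESPONSE", self.name), self.peer)
        else:  # "RESPONSE"
            self.recv_response += 1
            self.unanswered = 0
            self.state = "Up"


def simulate(seconds, fail_at=None, restore_at=None, period=5,
             retry_times=3, remote_keepalive=False):
    """Drive both ends on a one-second clock; the link fails at `fail_at`
    and recovers at `restore_at`. Returns what an operator would observe."""
    link = Link()
    a = GreEndpoint("RouterA", True, period, retry_times)
    b = GreEndpoint("RouterB", remote_keepalive, period, retry_times)
    a.peer, b.peer, a.link, b.link = b, a, link, link
    seen = {"a_down_at": None, "b_down_at": None, "a_up_at": None}
    for now in range(1, seconds + 1):
        if now == fail_at:
            link.up = False
        if now == restore_at:
            link.up = True
        for end in (a, b):
            if end.keepalive and now % end.period == 0:
                end.send_probe()
        if a.state == "Down" and seen["a_down_at"] is None:
            seen["a_down_at"] = now
        if b.state == "Down" and seen["b_down_at"] is None:
            seen["b_down_at"] = now
        if seen["a_down_at"] is not None and a.state == "Up" and seen["a_up_at"] is None:
            seen["a_up_at"] = now
    seen.update(
        a_state=a.state, b_state=b.state,
        a_counters=(a.sent_keepalive, a.recv_response,
                    a.recv_keepalive, a.sent_response),
        b_counters=(b.sent_keepalive, b.recv_response,
                    b.recv_keepalive, b.sent_response),
    )
    return seen


if __name__ == "__main__":
    # Link fails at t=12 s and recovers at t=40 s; only Router A has keepalive.
    r = simulate(60, fail_at=12, restore_at=40)
    print(f"RouterA Down at t={r['a_down_at']}s, Up again at t={r['a_up_at']}s; "
          f"RouterB never left state {r['b_state']}")
```

With the defaults used here (period 5 s, retry-times 3) the last answered probe is at t=10 and Router A goes Down at t=25, so the black-hole window before the local end reacts is period x retry-times after the last good response; Router B, which did not enable Keepalive, stays Up and keeps forwarding into the dead tunnel until its own routes change. Passing remote_keepalive=True makes both ends go Down together, which is the both-ends configuration the section recommends. The a_counters/b_counters tuples correspond to the two lines of display keepalive packets count on each router.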

1.4.3 Checking the Configuration

After the Keepalive function is enabled on a GRE tunnel, you can view the Keepalive packets and Keepalive Response packets sent and received by the GRE tunnel interface.

Prerequisite

The Keepalive function is enabled on the GRE tunnel.

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  interface tunnel interface-number

The tunnel interface view is displayed.

Step 3 Run:
  display keepalive packets count

Check the Keepalive packets and Keepalive Response packets sent and received by the GRE tunnel interface.

----End

Example

On the tunnel interface that is enabled with the Keepalive function, run the display keepalive packets count command to view the number of Keepalive packets sent and Keepalive Response packets received by the local end, and the number of Keepalive packets received from and Keepalive Response packets sent to the remote end. If the Keepalive function is correctly configured on the local tunnel interface, the number of sent Keepalive packets or received Keepalive Response packets on the local end is not 0. In the output below the second line is 0 because the remote end has sent no Keepalive packets of its own.

[Huawei] interface tunnel 0/0/1
[Huawei-Tunnel0/0/1] tunnel-protocol gre
[Huawei-Tunnel0/0/1] keepalive
[Huawei-Tunnel0/0/1] display keepalive packets count
  Send 34 keepalive packets to peers, Receive 34 keepalive response packets from peers
  Receive 0 keepalive packets from peers, Send 0 keepalive response packets to peers

1.5 Maintaining GRE

This section describes how to reset the statistics of a tunnel interface and monitor the GRE running status.

1.5.1 Resetting the Statistics of a Tunnel Interface

When you need to reset the statistics of a tunnel interface, run the reset commands to clear the counts of Keepalive packets and Keepalive Response packets sent and received by a GRE tunnel interface.

Procedure

- Run the reset counters interface tunnel [ interface-number ] command in the system view to reset statistics about the tunnel interface.
- Reset statistics about Keepalive packets on the tunnel interface:
  1. Run:
       system-view
     The system view is displayed.
  2. Run:
       interface tunnel interface-number
     The tunnel interface view is displayed.
  3. Run:
       reset keepalive packets count
     The statistics on Keepalive packets on the tunnel interface are reset.

     NOTE
     You can run the reset keepalive packets count command only in the tunnel interface view, and the tunnel protocol of the interface must be GRE.

----End

1.5.2 Monitoring the Running Status of GRE

In routine maintenance, you can run the GRE related display commands to view the GRE running status.

Context

Run the following commands to view the GRE running status.

Procedure

- Run the display interface tunnel [ interface-number ] command to check the tunnel interface running status.
- Run the display ip routing-table command to check the routing table of the tunnel endpoint router.
- Run the ping [ -a source-ip-address | -vpn-instance vpn-instance-name ] * host command to check whether the two ends of the tunnel can communicate with each other.

----End

1.5.3 Debugging GRE

When a GRE fault occurs, you can run the GRE related debugging commands to debug GRE and locate the fault.

Context

NOTE
Debugging affects system performance. After you finish debugging, run the undo debugging all command immediately to disable it.

When GRE works abnormally, run the debugging commands in the user view to view debugging information, locate the fault, and analyze the cause.

Procedure

- Run the debugging tunnel keepalive command in the user view to debug the Keepalive function of the GRE tunnel.

----End

1.6 Configuration Examples

Familiarize yourself with the configuration procedures against the networking diagrams. This section provides the networking requirements, configuration notes, and configuration roadmap for each configuration example.

1.6.1 Example for Configuring a Static Route for GRE

This section provides an example for configuring a static route for GRE. In this networking, traffic between users is transmitted through a GRE tunnel; a static route is configured between the device and its connected client.

Networking Requirements

In Figure 1-5, Router A, Router B, and Router C belong to the VPN backbone network and OSPF runs between them. GRE is enabled between Router A and Router C to achieve interworking between PC1 and PC2. PC1 takes Router A as its default gateway, and PC2 takes Router C as its default gateway.

Figure 1-5 Networking diagram of configuring a static route for GRE
  PC1 10.1.1.1/24 -- GE2/0/0 10.1.1.2/24 [RouterA] GE1/0/0 20.1.1.1/24 -- GE1/0/0 20.1.1.2/24 [RouterB] GE2/0/0 30.1.1.1/24 -- GE1/0/0 30.1.1.2/24 [RouterC] GE2/0/0 10.2.1.2/24 -- PC2 10.2.1.1/24
  GRE tunnel: RouterA Tunnel0/0/1 40.1.1.1/24 <--> RouterC Tunnel0/0/1 40.1.1.2/24

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure a dynamic routing protocol on the routers.
2. Create a tunnel interface on Router A and Router C.
3. Specify the source address of the tunnel interface as the IP address of the interface that sends the packet.
4. Specify the destination address of the tunnel interface as the IP address of the interface that receives the packet.
5. Assign network addresses to the tunnel interfaces to enable the tunnel to support the dynamic routing protocol.
6. Configure the static route between Router A and its connected PC, and the static route between Router C and its connected PC, so that traffic between PC1 and PC2 is transmitted through the GRE tunnel.
7. Configure the egress of the static route as the local tunnel interface.

Data Preparation

To complete the configuration, you need the following data:
- Data for running OSPF
- Source address and destination address of the GRE tunnel, and IP addresses of the tunnel interfaces

Procedure

Step 1 Assign an IP address to each interface.

Assign an IP address to each interface as shown in Figure 1-5. The specific configuration is not mentioned here.

Step 2 Configure IGP for the VPN backbone network.

# Configure Router A.
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit

# Configure Router B.
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit

# Configure Router C.
[RouterC] ospf 1
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit

After the configuration, run the display ip routing-table command on Router A and Router C. You can find that they both learn the OSPF route to the network segment of the remote interface. Take Router A as an example.

[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
    10.1.1.0/24     Direct  0    0      D     10.1.1.2        GigabitEthernet2/0/0
    10.1.1.2/32     Direct  0    0      D     127.0.0.1       InLoopBack0
    20.1.1.1/32     Direct  0    0      D     127.0.0.1       InLoopBack0
    30.1.1.0/24     OSPF    10   2      D     20.1.1.2        GigabitEthernet1/0/0
   127.0.0.0/8      Direct  0    0      D     127.0.0.1       InLoopBack0
   127.0.0.1/32     Direct  0    0      D     127.0.0.1       InLoopBack0

Step 3 Configure the tunnel interface.

# Configure Router A.
[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 24
[RouterA-Tunnel0/0/1] tunnel-protocol gre
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] quit

# Configure Router C.
[RouterC] interface tunnel 0/0/1
[RouterC-Tunnel0/0/1] ip address 40.1.1.2 24
[RouterC-Tunnel0/0/1] tunnel-protocol gre
[RouterC-Tunnel0/0/1] source 30.1.1.2
[RouterC-Tunnel0/0/1] destination 20.1.1.1
[RouterC-Tunnel0/0/1] quit

After the configuration, the status of the tunnel interfaces goes Up, and the tunnel interfaces can ping each other successfully. Take Router A as an example:

[RouterA] ping -a 40.1.1.1 40.1.1.2
  PING 40.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=24 ms
    Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
    Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=48 ms
    Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=33 ms
    Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=36 ms

  --- 40.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 24/34/48 ms

Step 4 Configure a static route.

# Configure Router A.
[RouterA] ip route-static 10.2.1.0 24 tunnel 0/0/1

# Configure Router C.
[RouterC] ip route-static 10.1.1.0 24 tunnel 0/0/1

After the configuration, run the display ip routing-table command on Router A and Router C. You can find the static route to the network segment of the remote user end through the tunnel interface. Take Router A as an example:

[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
    10.1.1.0/24     Direct  0    0      D     10.1.1.2        GigabitEthernet2/0/0
    10.1.1.2/32     Direct  0    0      D     127.0.0.1       InLoopBack0
    10.2.1.0/24     Static  60   0      D     40.1.1.1        Tunnel0/0/1
    20.1.1.0/24     Direct  0    0      D     20.1.1.1        GigabitEthernet1/0/0
    20.1.1.1/32     Direct  0    0      D     127.0.0.1       InLoopBack0
    20.1.1.2/32     Direct  0    0      D     20.1.1.2        GigabitEthernet1/0/0
    30.1.1.0/24     OSPF    10   2      D     20.1.1.2        GigabitEthernet1/0/0
    40.1.1.0/24     Direct  0    0      D     40.1.1.1        Tunnel0/0/1
    40.1.1.1/32     Direct  0    0      D     127.0.0.1       InLoopBack0
   127.0.0.0/8      Direct  0    0      D     127.0.0.1       InLoopBack0
   127.0.0.1/32     Direct  0    0      D     127.0.0.1       InLoopBack0

PC1 and PC2 can ping each other successfully.

----End


Configuration Files

- Configuration file of Router A
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
 ip address 40.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 20.1.1.1
 destination 30.1.1.2
#
ospf 1
 area 0.0.0.0
  network 20.1.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1
#
return

- Configuration file of Router B
#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 30.1.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 20.1.1.0 0.0.0.255
  network 30.1.1.0 0.0.0.255
#
return

- Configuration file of Router C
#
 sysname RouterC
#
interface GigabitEthernet1/0/0
 ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.2.1.2 255.255.255.0
#
interface Tunnel0/0/1
 ip address 40.1.1.2 255.255.255.0
 tunnel-protocol gre
 source 30.1.1.2
 destination 20.1.1.1
#
ospf 1
 area 0.0.0.0
  network 30.1.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#
return

1.6.2 Example for Configuring a Dynamic Routing Protocol for GRE

This section provides an example for configuring a dynamic routing protocol for GRE. In this networking, traffic between users is transmitted through a GRE tunnel; a dynamic routing protocol runs between the device and its connected user network.

Networking Requirements

In Figure 1-6, Router A, Router B, and Router C belong to the VPN backbone network and OSPF runs between them. GRE is enabled between Router A and Router C for the interworking between PC1 and PC2. PC1 takes Router A as its default gateway, and PC2 takes Router C as its default gateway. OSPF is enabled on the tunnel interfaces. OSPF process 1 is used for the VPN backbone network and OSPF process 2 is used for user access.

Figure 1-6 Networking diagram of configuring a dynamic routing protocol for GRE
  PC1 10.1.1.1/24 -- GE2/0/0 10.1.1.2/24 [RouterA] GE1/0/0 20.1.1.1/24 -- GE1/0/0 20.1.1.2/24 [RouterB] GE2/0/0 30.1.1.1/24 -- GE1/0/0 30.1.1.2/24 [RouterC] GE2/0/0 10.2.1.2/24 -- PC2 10.2.1.1/24
  OSPF 1 (backbone): RouterA -- RouterB -- RouterC
  OSPF 2 (user access): RouterA Tunnel0/0/1 40.1.1.1/24 <--> RouterC Tunnel0/0/1 40.1.1.2/24 over the GRE tunnel, plus the PC-facing interfaces

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure IGP on each router in the backbone network to realize the interworking between these devices. Here OSPF process 1 is used.
2. Create the GRE tunnel between the routers that are connected to the PCs. The routers can then communicate through the GRE tunnel.
3. Configure the dynamic routing protocol on the network segments through which the PCs access the backbone network. Here OSPF process 2 is used. Keeping the two OSPF processes separate ensures that the tunnel endpoint networks (20.1.1.0/24 and 30.1.1.0/24) are never learned through the tunnel itself.

Data Preparation

To complete the configuration, you need the following data:
- Source address and destination address of the GRE tunnel
- IP addresses of the interfaces on both ends of the GRE tunnel

Procedure

Step 1 Assign an IP address to each interface.

Assign an IP address to each interface as shown in Figure 1-6. The specific configuration is not mentioned here.

Step 2 Configure IGP for the VPN backbone network.

The specific configuration procedures are the same as those in 1.6.1 Example for Configuring a Static Route for GRE and are not mentioned here.

Step 3 Configure the tunnel interfaces.

The specific configuration procedures are the same as those in 1.6.1 Example for Configuring a Static Route for GRE and are not mentioned here.

Step 4 Configure OSPF on the tunnel interfaces.

# Configure Router A.
[RouterA] ospf 2
[RouterA-ospf-2] area 0
[RouterA-ospf-2-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] quit
[RouterA-ospf-2] quit

# Configure Router C.
[RouterC] ospf 2
[RouterC-ospf-2] area 0
[RouterC-ospf-2-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[RouterC-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[RouterC-ospf-2-area-0.0.0.0] quit
[RouterC-ospf-2] quit

Step 5 Verify the configuration.

After the configuration, run the display ip routing-table command on Router A and Router C. You can find the OSPF route to the network segment of the remote user end through the tunnel interface. Moreover, the route to the physical destination network of the tunnel (30.1.1.0/24) still points to the physical interface, not to the tunnel interface. This check matters: if the tunnel destination were itself reached through the tunnel, the tunnel would be recursively routed and would flap. Take Router A as an example:

[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
    10.1.1.0/24     Direct  0    0      D     10.1.1.2        GigabitEthernet2/0/0
    10.1.1.2/32     Direct  0    0      D     127.0.0.1       InLoopBack0
    10.2.1.0/24     OSPF    10   2      D     40.1.1.2        Tunnel0/0/1
    20.1.1.0/24     Direct  0    0      D     20.1.1.1        GigabitEthernet1/0/0
    20.1.1.1/32     Direct  0    0      D     127.0.0.1       InLoopBack0
    30.1.1.0/24     OSPF    10   2      D     20.1.1.2        GigabitEthernet1/0/0
    40.1.1.0/24     Direct  0    0      D     40.1.1.1        Tunnel0/0/1
    40.1.1.1/32     Direct  0    0      D     127.0.0.1       InLoopBack0
   127.0.0.0/8      Direct  0    0      D     127.0.0.1       InLoopBack0
   127.0.0.1/32     Direct  0    0      D     127.0.0.1       InLoopBack0

PC 1 and PC 2 can ping each other successfully. ----End
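The check performed by hand in Step 5 (is the tunnel destination still reached over the physical path, not over the tunnel itself?) can be automated against the display ip routing-table output. The following is an added example, not Huawei code: it parses the Router A table printed above (copied here as a constructed string), performs the longest-prefix lookup the forwarding plane would do for the tunnel destination 30.1.1.2, and flags the recursive case. BAD_TABLE adds one constructed route to show what the failure looks like; the function names are assumptions for this illustration.

```python
"""Recursive-routing check for the GRE tunnel verified in Step 5 above.

Added example, not Huawei code. It parses `display ip routing-table`
output, does the longest-prefix lookup the forwarding plane would do for
the tunnel destination address, and reports whether that lookup resolves
to the tunnel interface itself, the misconfiguration the two separate
OSPF processes are meant to prevent. ROUTER_A_TABLE is the Router A
output shown above, copied here as a constructed string; BAD_TABLE adds
one constructed route; function names are assumptions for this
illustration.
"""
import ipaddress

ROUTER_A_TABLE = """\
Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
    10.1.1.0/24     Direct  0    0      D     10.1.1.2        GigabitEthernet2/0/0
    10.1.1.2/32     Direct  0    0      D     127.0.0.1       InLoopBack0
    10.2.1.0/24     OSPF    10   2      D     40.1.1.2        Tunnel0/0/1
    20.1.1.0/24     Direct  0    0      D     20.1.1.1        GigabitEthernet1/0/0
    20.1.1.1/32     Direct  0    0      D     127.0.0.1       InLoopBack0
    30.1.1.0/24     OSPF    10   2      D     20.1.1.2        GigabitEthernet1/0/0
    40.1.1.0/24     Direct  0    0      D     40.1.1.1        Tunnel0/0/1
    40.1.1.1/32     Direct  0    0      D     127.0.0.1       InLoopBack0
   127.0.0.0/8      Direct  0    0      D     127.0.0.1       InLoopBack0
   127.0.0.1/32     Direct  0    0      D     127.0.0.1       InLoopBack0
"""

# Constructed failure case: a more specific route to the tunnel destination
# learned through the tunnel, as would happen if OSPF process 2 were also
# run on the GE1/0/0 interfaces of both routers.
BAD_TABLE = ROUTER_A_TABLE + \
    "    30.1.1.2/32     OSPF    10   1      D     40.1.1.2        Tunnel0/0/1\n"


def parse_routing_table(text):
    """Return the route rows of a `display ip routing-table` dump."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0].startswith("Destination"):
            continue
        prefix, proto, pre, cost, flags, nexthop, iface = parts
        try:
            routes.append({"prefix": ipaddress.ip_network(prefix, strict=False),
                           "proto": proto, "pre": int(pre), "cost": int(cost),
                           "flags": flags, "nexthop": nexthop, "iface": iface})
        except ValueError:
            continue  # not a route row (banner, separator, ...)
    return routes


def lookup(routes, addr):
    """Longest-prefix match; ties broken by lower VRP preference (Pre)."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in routes if ip in r["prefix"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["prefix"].prefixlen, -r["pre"]))


def check_tunnel_recursion(routes, tunnel_iface, tunnel_destination):
    """Return (ok, reason). Not ok when the tunnel destination has no route
    or is itself reached through the tunnel interface."""
    route = lookup(routes, tunnel_destination)
    if route is None:
        return False, f"no route to tunnel destination {tunnel_destination}"
    if route["iface"] == tunnel_iface:
        return False, (f"{tunnel_destination} is routed via {tunnel_iface} itself "
                       f"({route['prefix']}): recursive routing, the tunnel will flap")
    return True, (f"{tunnel_destination} via {route['iface']} "
                  f"({route['proto']} {route['prefix']})")


if __name__ == "__main__":
    for name, table in (("Router A", ROUTER_A_TABLE), ("constructed bad table", BAD_TABLE)):
        ok, reason = check_tunnel_recursion(parse_routing_table(table),
                                            "Tunnel0/0/1", "30.1.1.2")
        print(f"{name}: {'OK' if ok else 'PROBLEM'}: {reason}")
```

Run it against the real table and the check passes via GigabitEthernet1/0/0; against the constructed table the /32 learned over Tunnel0/0/1 wins the longest-prefix match and the check fails, which is exactly the condition that Step 5 tells you to look for.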

Configuration Files

- Configuration file of Router A
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
 ip address 40.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 20.1.1.1
 destination 30.1.1.2
#
ospf 1
 area 0.0.0.0
  network 20.1.1.0 0.0.0.255
#
ospf 2
 area 0.0.0.0
  network 40.1.1.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
#
return

- Configuration file of Router B
#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 30.1.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 20.1.1.0 0.0.0.255
  network 30.1.1.0 0.0.0.255
#
return

- Configuration file of Router C
#
 sysname RouterC
#
interface GigabitEthernet1/0/0
 ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.2.1.2 255.255.255.0
#
interface Tunnel0/0/1
 ip address 40.1.1.2 255.255.255.0
 tunnel-protocol gre
 source 30.1.1.2
 destination 20.1.1.1
#
ospf 1
 area 0.0.0.0
  network 30.1.1.0 0.0.0.255
#
ospf 2
 area 0.0.0.0
  network 40.1.1.0 0.0.0.255
  network 10.2.1.0 0.0.0.255
#
return

1.6.3 Example for Configuring a GRE Tunnel to Transmit VPN Multicast Data Encrypted with IPSec

This section provides an example for configuring a GRE tunnel to transmit multicast packets encrypted with IPSec. In this networking, a GRE tunnel is set up between the devices; multicast packets are encapsulated with GRE and then protected with IPSec.

Networking Requirements

In Figure 1-7, Router A and Router C are required to transmit multicast packets, and the multicast packets must be encrypted through IPSec. Before being encrypted through IPSec, multicast packets must be encapsulated with GRE, because an IPSec SA is negotiated between two unicast peers and cannot carry multicast packets directly; the GRE encapsulation turns them into unicast packets between the two tunnel endpoints.

Figure 1-7 Networking diagram of transmitting IPSec-encrypted multicast packets through a GRE tunnel
  10.1.1.1/24 -- GE2/0/0 10.1.1.2/24 [RouterA] GE1/0/0 20.1.1.1/24 -- GE1/0/0 20.1.1.2/24 [RouterB] GE2/0/0 30.1.1.1/24 -- GE1/0/0 30.1.1.2/24 [RouterC] GE2/0/0 10.2.1.2/24 -- 10.2.1.1/24
  GRE with IPSec: RouterA Tunnel0/0/1 40.1.1.1/24 <--> RouterC Tunnel0/0/1 40.1.1.2/24

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure OSPF on the backbone network devices, namely, Router A, Router B, and Router C, to realize the interworking between these devices.
2. Create a GRE tunnel between Router A and Router C to encapsulate multicast packets.
3. Create an IPSec tunnel between Router A and Router C to encrypt the GRE-encapsulated multicast packets.

Data Preparation

To complete the configuration, you need the following data:
- Data for configuring the routing protocol for the backbone network
- Source address and destination address of the GRE tunnel
- IP addresses of the interfaces on both ends of the GRE tunnel
- Parameters for configuring IKE, such as the pre-shared key and the remote name
- Data for configuring IPSec, such as the IPSec proposal name and the ACL

Procedure

Step 1 Configure the routing protocol.

Configure a routing protocol on Router A, Router B, and Router C to implement the interworking between these devices. OSPF is configured in this example. The configuration details are not mentioned here.

After the configuration:
- Router A and Router C are routable.
- Router A can successfully ping GE1/0/0 of Router C.
- Router C can successfully ping GE1/0/0 of Router A.

Step 2 Configure the interfaces of the GRE tunnel.

# Configure Router A.
[RouterA] interface tunnel0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
[RouterA-Tunnel0/0/1] tunnel-protocol gre
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] quit

# Configure Router C.
[RouterC] interface tunnel0/0/1
[RouterC-Tunnel0/0/1] ip address 40.1.1.2 255.255.255.0
[RouterC-Tunnel0/0/1] tunnel-protocol gre
[RouterC-Tunnel0/0/1] source 30.1.1.2
[RouterC-Tunnel0/0/1] destination 20.1.1.1
[RouterC-Tunnel0/0/1] quit

After the configuration:
- The GRE tunnel between Router A and Router C is set up.
- The status of the tunnel interfaces is Up.

Step 3 Enable multicast.

# Enable multicast routing globally. Enable PIM DM on the tunnel interfaces, and enable PIM DM and IGMP on the interfaces connected to the PCs.

# Configure Router A.
[RouterA] multicast routing-enable
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] pim dm
[RouterA-GigabitEthernet2/0/0] igmp enable
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface tunnel0/0/1
[RouterA-Tunnel0/0/1] pim dm
[RouterA-Tunnel0/0/1] quit

# Configure Router C.
[RouterC] multicast routing-enable
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] pim dm
[RouterC-GigabitEthernet2/0/0] igmp enable
[RouterC-GigabitEthernet2/0/0] quit
[RouterC] interface tunnel0/0/1
[RouterC-Tunnel0/0/1] pim dm
[RouterC-Tunnel0/0/1] quit

# After multicast is enabled, the multicast data between Router A and Router C is transmitted through the GRE tunnel.

Step 4 Configure aggressive-mode IKE negotiation between Router A and Router C.

NOTE
To encapsulate multicast packets with GRE and then encrypt them with IPSec, the remote address of the IKE peer must be the destination address of the local tunnel. This example uses IKEv1 aggressive mode with a pre-shared key. In aggressive mode the peer identities and the PSK-based authentication hash are exchanged before the channel is encrypted, so an eavesdropper can try to guess the key offline; use a long, random pre-shared key in place of the 12345 shown here, and prefer main mode where identification by IP address is possible.

# Configure Router A.
[RouterA] ike local-name rta
[RouterA] ike peer RouterC v1
[RouterA-ike-peer-routerc] exchange-mode aggressive
[RouterA-ike-peer-routerc] local-id-type name
[RouterA-ike-peer-routerc] pre-shared-key 12345
[RouterA-ike-peer-routerc] remote-name rtc
[RouterA-ike-peer-routerc] remote-address 30.1.1.2
[RouterA-ike-peer-routerc] quit

# Configure Router C.
[RouterC] ike local-name rtc
[RouterC] ike peer RouterA v1
[RouterC-ike-peer-routera] exchange-mode aggressive
[RouterC-ike-peer-routera] local-id-type name
[RouterC-ike-peer-routera] pre-shared-key 12345
[RouterC-ike-peer-routera] remote-name rta
[RouterC-ike-peer-routera] remote-address 20.1.1.1
[RouterC-ike-peer-routera] quit

Step 5 Configure IPSec.

NOTE
Multicast packets are encapsulated with GRE first and then encrypted with IPSec. The source and destination addresses of the local end of the tunnel must therefore match the ACL referenced by the IPSec policy, and the IPSec policy must be applied to the physical interface that transmits the data, not to the tunnel interface.

# Configure IPSec on Router A and Router C. The default IPSec proposal parameters are used in this example; as the Step 7 output shows, on this release they are ESP with DES encryption and MD5 authentication, which are no longer considered adequate. In a production deployment, specify stronger algorithms in the proposal instead of relying on the defaults.

# Configure Router A.
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule permit gre source 20.1.1.1 0 destination 30.1.1.2 0
[RouterA-acl-adv-3000] quit
[RouterA] ipsec proposal p1
[RouterA-ipsec-proposal-p1] quit
[RouterA] ipsec policy policy1 1 isakmp
[RouterA-ipsec-policy-isakmp-policy1-1] security acl 3000
[RouterA-ipsec-policy-isakmp-policy1-1] ike-peer RouterC
[RouterA-ipsec-policy-isakmp-policy1-1] proposal p1
[RouterA-ipsec-policy-isakmp-policy1-1] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ipsec policy policy1
[RouterA-GigabitEthernet1/0/0] quit

# Configure Router C.
[RouterC] acl number 3000
[RouterC-acl-adv-3000] rule permit gre source 30.1.1.2 0 destination 20.1.1.1 0
[RouterC-acl-adv-3000] quit
[RouterC] ipsec proposal p1
[RouterC-ipsec-proposal-p1] quit
[RouterC] ipsec policy policy1 1 isakmp
[RouterC-ipsec-policy-isakmp-policy1-1] security acl 3000
[RouterC-ipsec-policy-isakmp-policy1-1] ike-peer RouterA
[RouterC-ipsec-policy-isakmp-policy1-1] proposal p1
[RouterC-ipsec-policy-isakmp-policy1-1] quit
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ipsec policy policy1
[RouterC-GigabitEthernet1/0/0] quit

# After the configuration, the multicast data between Router A and Router C is transmitted through the GRE tunnel and encrypted with IPSec.

Step 6 On the source and destination devices of the tunnel, configure static routes that forward the user traffic into the tunnel.

# Configure Router A.
[RouterA] ip route-static 10.2.1.0 255.255.255.0 tunnel 0/0/1

# Configure Router C.
[RouterC] ip route-static 10.1.1.0 255.255.255.0 tunnel 0/0/1

Step 7 Verify the configuration.

# After PC1 and PC2 successfully ping each other, you can see that IKE negotiation has completed and IPSec encryption takes effect. Note that the inbound SPI on one router equals the outbound SPI on the other, confirming that the two ends share the same pair of ESP SAs.

[RouterA] display ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
    16       30.1.1.2        0     RD                     1
    17       30.1.1.2        0     RD                     2

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

[RouterA] display ipsec sa
===============================
Interface: GigabitEthernet1/0/0
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "policy1"
  sequence number: 1
  mode: isakmp
  -----------------------------
    connection id: 17
    encapsulation mode: tunnel
    tunnel local : 20.1.1.1    tunnel remote: 30.1.1.2

    [inbound ESP SAs]
      spi: 2970386335 (0xb10c7f9f)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887434624/3081
      max received sequence-number: 32
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 1720763150 (0x6690c30e)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887434112/3081
      max sent sequence-number: 33
      udp encapsulation used for nat traversal: N

[RouterC] display ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
    20       20.1.1.1        0     RD|ST                  1
    21       20.1.1.1        0     RD|ST                  2

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

[RouterC] display ipsec sa
===============================
Interface: GigabitEthernet1/0/0
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "policy1"
  sequence number: 1
  mode: isakmp
  -----------------------------
    connection id: 21
    encapsulation mode: tunnel
    tunnel local : 30.1.1.2    tunnel remote: 20.1.1.1

    [inbound ESP SAs]
      spi: 1720763150 (0x6690c30e)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887434624/3041
      max received sequence-number: 32
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 2970386335 (0xb10c7f9f)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887434112/3041
      max sent sequence-number: 33
      udp encapsulation used for nat traversal: N

----End
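The packet-level reason behind the two NOTEs in this example (the IKE remote address must be the tunnel destination, and the ACL must match the tunnel's own source and destination) is that the IPsec policy on GE1/0/0 only ever sees the outer GRE header that Tunnel0/0/1 adds. The following added example, not Huawei code, builds the packet Router A's tunnel interface produces for a multicast packet (outer IPv4 / GRE / inner IPv4 to 224.0.0.13), parses it back layer by layer, and applies the same test as ACL 3000 to the encapsulated packet, to the bare multicast packet, and to the reverse direction. It also serves as the encapsulation picture for the plain GRE tunnel of 1.6.1. Header layouts follow RFC 791 and RFC 2784; the function names and the PIM payload bytes are assumptions made for this illustration.

```python
"""Packet-level view of the GRE-then-IPSec design in 1.6.3 (and of the
plain GRE tunnel of 1.6.1). Added example, not Huawei code. It builds the
packet that Router A's Tunnel0/0/1 hands to GE1/0/0 (outer IPv4 / GRE /
inner multicast IPv4), parses it back, and applies the same test as
ACL 3000 (`rule permit gre source 20.1.1.1 0 destination 30.1.1.2 0`),
which decides whether the IPsec policy on GE1/0/0 protects a packet.
Header layouts follow RFC 791 and RFC 2784; the function names and the
PIM payload bytes are assumptions made for this illustration.
"""
import ipaddress
import struct

IPPROTO_GRE = 47
IPPROTO_PIM = 103
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=255):
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_gre(payload, protocol_type=ETHERTYPE_IPV4):
    """Minimal RFC 2784 GRE header: no Checksum, Key or Sequence fields."""
    return struct.pack("!HH", 0, protocol_type) + payload


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.ip_address(f[8])),
            "dst": str(ipaddress.ip_address(f[9])),
            "proto": f[6], "payload": pkt[ihl:f[2]]}


def parse_gre(data):
    flags, ptype = struct.unpack("!HH", data[:4])
    offset = 4
    if flags & 0x8000:  # C bit: Checksum + Reserved1 present
        offset += 4
    if flags & 0x2000:  # K bit: Key present (RFC 2890)
        offset += 4
    if flags & 0x1000:  # S bit: Sequence Number present (RFC 2890)
        offset += 4
    return {"protocol_type": ptype, "payload": data[offset:]}


def encapsulate(inner_pkt, tunnel_src, tunnel_dst):
    """What Tunnel0/0/1 does: wrap the inner packet in GRE, then in an
    outer IPv4 header from the tunnel source to the tunnel destination."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, build_gre(inner_pkt))


def acl_3000_matches(pkt, src="20.1.1.1", dst="30.1.1.2"):
    """Wildcard 0 in the rule means an exact host match; only the outer
    header is examined, so the inner multicast addresses are irrelevant."""
    outer = parse_ipv4(pkt)
    return (outer["proto"] == IPPROTO_GRE
            and outer["src"] == src and outer["dst"] == dst)


def describe(pkt):
    """Walk the encapsulation stack and summarise each layer."""
    ip = parse_ipv4(pkt)
    layers = [f"IPv4 {ip['src']} -> {ip['dst']} proto {ip['proto']}"]
    if ip["proto"] == IPPROTO_GRE:
        gre = parse_gre(ip["payload"])
        layers.append(f"GRE protocol_type 0x{gre['protocol_type']:04x}")
        if gre["protocol_type"] == ETHERTYP_IPV4 if False else gre["protocol_type"] == ETHERTYPE_IPV4:
            layers.extend(describe(gre["payload"]))
    return layers


# Constructed sample: a PIM message from Router A's tunnel address to the
# all-PIM-routers group (the payload bytes are a placeholder, not a real hello).
PIM_HELLO = build_ipv4("40.1.1.1", "224.0.0.13", IPPROTO_PIM,
                       b"\x20\x00" + b"\x00" * 6, ttl=1)
ENCAPSULATED = encapsulate(PIM_HELLO, "20.1.1.1", "30.1.1.2")

if __name__ == "__main__":
    for layer in describe(ENCAPSULATED):
        print(layer)
    print("bare multicast matches ACL 3000:", acl_3000_matches(PIM_HELLO))
    print("GRE-encapsulated matches ACL 3000:", acl_3000_matches(ENCAPSULATED))
```

The bare multicast packet never matches ACL 3000, so without the GRE step it would leave GE1/0/0 in clear text; after encapsulation the outer header is unicast 20.1.1.1 to 30.1.1.2, protocol 47, which is exactly what the rule and the IKE peer address describe. Each hop of encapsulation adds 24 bytes (20 IPv4 + 4 GRE) before ESP adds its own overhead, which is why the path MTU shown in the Step 7 output matters for large multicast payloads.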

Configuration Files

- Configuration file of Router A
#
 sysname RouterA
#
 ike local-name rta
#
 multicast routing-enable
#
acl number 3000
 rule 5 permit gre source 20.1.1.1 0.0.0.0 destination 30.1.1.2 0.0.0.0
#
ike peer routerc v1
 exchange-mode aggressive
 pre-shared-key 12345
 local-id-type name
 remote-name rtc
 remote-address 30.1.1.2
#
ipsec proposal p1
#
ipsec policy policy1 1 isakmp
 security acl 3000
 ike-peer routerc
 proposal p1
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.1 255.255.255.0
 ipsec policy policy1
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.2 255.255.255.0
 pim dm
 igmp enable
#
interface Tunnel0/0/1
 ip address 40.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 20.1.1.1
 destination 30.1.1.2
 pim dm
#
ospf 1
 area 0.0.0.0
  network 20.1.1.1 0.0.0.0
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1
#
return

- Configuration file of Router B
#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 30.1.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 20.1.1.0 0.0.0.255
  network 30.1.1.0 0.0.0.255
#
return

- Configuration file of Router C
#
 sysname RouterC
#
 ike local-name rtc
#
 multicast routing-enable
#
acl number 3000
 rule 5 permit gre source 30.1.1.2 0.0.0.0 destination 20.1.1.1 0.0.0.0
#
ike peer routera v1
 exchange-mode aggressive
 pre-shared-key 12345
 local-id-type name
 remote-name rta
 remote-address 20.1.1.1
#
ipsec proposal p1
#
ipsec policy policy1 1 isakmp
 security acl 3000
 ike-peer routera
 proposal p1
#
interface GigabitEthernet1/0/0
 ip address 30.1.1.2 255.255.255.0
 ipsec policy policy1
#
interface GigabitEthernet2/0/0
 ip address 10.2.1.2 255.255.255.0
 pim dm
 igmp enable
#
interface Tunnel0/0/1
 ip address 40.1.1.2 255.255.255.0
 tunnel-protocol gre
 source 30.1.1.2
 destination 20.1.1.1
 pim dm
#
ospf 1
 area 0.0.0.0
  network 30.1.1.2 0.0.0.0
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#
return

1.6.4 Example for Configuring the Keepalive Function for GRE

This section provides an example for configuring the Keepalive function of the GRE tunnel. With Keepalive enabled, the VPN does not select a GRE tunnel that cannot reach the remote end, and data loss can be avoided.

Networking Requirements

As shown in Figure 1-8, Router A and Router B are configured with the GRE protocol. The two ends of the GRE tunnel need to be configured with the Keepalive function.

Figure 1-8 Networking diagram of configuring the Keepalive function on two ends of a GRE tunnel
[Figure: RouterA (GE1/0/0 20.1.1.1/24, Tunnel0/0/1 40.1.1.1/24) and RouterB (GE1/0/0 30.1.1.2/24, Tunnel0/0/1 40.1.1.2/24) are connected across the Internet by a GRE tunnel.]

Configuration Roadmap

To enable the Keepalive function on one end of the GRE tunnel, run the keepalive command in the tunnel interface view on that end.

TIP
If the Keepalive function is enabled on the source end, the destination end must forward the Keepalive packets (this is obligatory), but enabling the Keepalive function on the destination end is optional.

Data Preparation

To complete the configuration, you need the following data:
- Data for configuring the routing protocol for the backbone network
- Source address and destination address of the GRE tunnel
- Interval for sending Keepalive messages
- Parameters of the unreachable timer

Procedure

Step 1 Configure Router A and Router B to implement the interworking between the two devices.
  The detailed procedures are not mentioned here.

Step 2 Configure a tunnel on Router A and enable the Keepalive function.
  system-view
  [RouterA] interface tunnel 0/0/1
  [RouterA-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
  [RouterA-Tunnel0/0/1] source 20.1.1.1
  [RouterA-Tunnel0/0/1] destination 30.1.1.2
  [RouterA-Tunnel0/0/1] keepalive period 20 retry-times 3
  [RouterA-Tunnel0/0/1] quit

Step 3 Configure a tunnel on Router B and enable the Keepalive function.
  system-view
  [RouterB] interface tunnel 0/0/1
  [RouterB-Tunnel0/0/1] ip address 40.1.1.2 255.255.255.0
  [RouterB-Tunnel0/0/1] source 30.1.1.2
  [RouterB-Tunnel0/0/1] destination 20.1.1.1
  [RouterB-Tunnel0/0/1] keepalive period 20 retry-times 3
  [RouterB-Tunnel0/0/1] quit

Step 4 Verify the configuration.

  # The tunnel interface on Router A can successfully ping the tunnel interface on Router B.
  ping -a 40.1.1.1 40.1.1.2
  PING 40.1.1.2: 56 data bytes, press CTRL_C to break
    Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=9 ms
    Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=7 ms
    Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=7 ms
    Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=7 ms
    Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=7 ms

  --- 40.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 7/7/9 ms

  # Enable the debugging of the Keepalive messages on Router A and view information about the Keepalive messages.
  terminal monitor
  terminal debugging
  debugging tunnel keepalive
  May 18 2011 11:36:11.590.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive finished. Received keepalive detecting packet from peer router.
  May 18 2011 11:36:11.590.2+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP_NSR: Mainboard ulKeepaliveReceiveOpposite++ then send mbuf to slave when RECEIVE keepalive packet.
  May 18 2011 11:36:11.590.3+00:00 AR1220 TUNNEL/7/debug:GRE_FWD: Receive peer keepalive on mainboard successfully. Put into decapsulation.
  May 18 2011 11:36:15.120.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive finished. Received keepalive response packet from peer router.
  May 18 2011 11:36:15.120.2+00:00 AR1220 TUNNEL/7/debug:GRE_FWD: Receive the response keepalive packet on mainboard successfully, keepalive finished.
  May 18 2011 11:36:15.120.3+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP_NSR: Mainboard send mbuf to slaveboard when RECEIVE response packet.

----End
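The procedure above configures keepalive period 20 retry-times 3, but the guide does not spell out how the two numbers combine into a detection time or what happens to the route over the tunnel. The model below is an added example, not Huawei code: it assumes, for the illustration only, that one probe is sent every period seconds, that each probe is either answered or lost, that the tunnel is marked Down after retry-times consecutive unanswered probes (so static routes over it stop being usable), and that any answered probe brings it Up again. The route list is constructed; the 10.2.1.0/24 entry mirrors the ip route-static over Tunnel0/0/1 used earlier in this chapter, the 10.3.0.0/16 entry is made up.

```python
"""Model of GRE keepalive detection on a tunnel interface (illustrative assumptions)."""
from dataclasses import dataclass, field


@dataclass
class TunnelKeepalive:
    period: int            # keepalive period <period>   (the example uses 20 s)
    retry_times: int       # keepalive retry-times <n>   (the example uses 3)
    unanswered: int = 0    # consecutive probes without a response
    up: bool = True        # tunnel protocol state as seen by the routing table
    events: list = field(default_factory=list)  # (time, "down"/"up") transitions

    def probe(self, now, answered):
        """Account for one probe sent at `now`; `answered` says whether its response arrived."""
        if answered:
            self.unanswered = 0
            if not self.up:
                self.up = True
                self.events.append((now, "up"))
            return
        self.unanswered += 1
        if self.up and self.unanswered >= self.retry_times:
            self.up = False
            self.events.append((now, "down"))


def simulate(period, retry_times, answered):
    """Run the state machine over a constructed list of per-probe outcomes (True = answered)."""
    ka = TunnelKeepalive(period, retry_times)
    for i, ok in enumerate(answered):
        ka.probe(i * period, ok)
    return ka


def detection_time(period, retry_times):
    """Seconds from the last answered probe until the tunnel is marked Down in this model."""
    return period * retry_times


def usable_routes(ka, routes, tunnel="Tunnel0/0/1"):
    """Static routes the VPN can still use: those over the tunnel count only while it is Up."""
    return [r for r in routes if r[1] != tunnel or ka.up]


# Constructed static routes: (destination, outgoing interface).
ROUTES = [("10.2.1.0/24", "Tunnel0/0/1"), ("10.3.0.0/16", "GigabitEthernet1/0/0")]
```

With the example's values, two lost probes in a row are tolerated, the third marks the tunnel Down 60 seconds after the last reply, and the route over Tunnel0/0/1 drops out of the usable set until a reply is seen again. Shortening the period speeds up detection at the cost of more probe traffic and more sensitivity to transient loss.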

Configuration Files

- Configuration file of Router A

  #
   sysname RouterA
  #
  interface GigabitEthernet1/0/0
   ip address 20.1.1.1 255.255.255.0
  #
  interface Tunnel0/0/1
   ip address 40.1.1.1 255.255.255.0
   tunnel-protocol gre
   source 20.1.1.1
   destination 30.1.1.2
   keepalive period 20
  #
  return

- Configuration file of Router B

  #
   sysname RouterB
  #
  interface GigabitEthernet1/0/0
   ip address 30.1.1.2 255.255.255.0
  #
  interface Tunnel0/0/1
   ip address 40.1.1.2 255.255.255.0
   tunnel-protocol gre
   source 30.1.1.2
   destination 20.1.1.1
   keepalive period 20
  #
  return

2 MCE Configuration

About This Chapter

Generally, a Customer Edge (CE) can connect to only one Virtual Private Network (VPN). If multiple VPNs need to be divided, multiple CEs are required. The Multi-VPN-Instance CE (MCE) technology enables a CE to be connected to multiple VPNs. This isolates services between different VPNs and reduces the investment on network devices.

2.1 Introduction to MCE
MCE isolates different services or users by using the route multi-instance on the CE.

2.2 Configuring a VPN Instance
This section describes how to configure a VPN instance.

2.3 Configuring a Route Multi-Instance Between an MCE and a Site
This section describes how to configure static routes, RIP, OSPF, IS-IS, and BGP between an MCE and a site.

2.4 Configuring a Route Multi-Instance Between an MCE and a PE
This section describes how to configure static routes, RIP, OSPF, IS-IS, and BGP between an MCE and a PE.

2.5 MCE Configuration Examples
This section provides several configuration examples of MCE.


2.1 Introduction to MCE

MCE isolates different services or users by using the route multi-instance on the CE.

2.1.1 MCE Overview

MCE isolates different services or users by using the route multi-instance on the CE.

Background

With increasing diversification of user services and higher requirements on security, multiple VPNs are required in a private network in most cases, and services of different VPNs need to be isolated. In this case, using a CE for each VPN increases the device expenditure and maintenance cost, while the security of data cannot be ensured if multiple VPNs share a CE and a route forwarding table. As shown in Figure 2-1, MCE can effectively solve the data security and network cost issues in a VPN. MCE isolates services of different VPNs by binding VLANIF interfaces to VPNs and creating and maintaining an independent multi-VRF table for each VPN.

Figure 2-1 Typical MCE networking diagram
[Figure: a VPN 1 site and a VPN 2 site both connect to one MCE, which connects to a PE of the service provider's backbone (P and PE routers); on the far side of the backbone, a VPN 2 site and a VPN 1 site each connect through their own CE to a PE.]

Basic Concepts

- CE: An edge device that is located in a user network. A CE provides interfaces that are directly connected to the Service Provider (SP) network. A CE can be a router, a switch, or a host. In most situations, a CE neither senses a VPN nor supports MPLS.
- MCE: A CE configured with MCE functions. An MCE can connect to multiple VPNs whose services are isolated completely.
- PE: An edge router that is located in an SP network. A PE is directly connected to the CE and MCE. In an MPLS network, PEs process all VPN services.
- Provider (P): A backbone router that is located in an SP network. A P device is not directly connected to CEs. P devices only need the basic MPLS forwarding capability and do not maintain VPN information.
- Site: A group of IP systems with IP connectivity between each other. Their connectivity need not be implemented through an SP network. The site is connected to the SP network through a CE or an MCE.

2.1.2 MCE Functions Supported by the AR2200-S

When the AR2200-S functions as an MCE, multiple routing protocols can run between the MCE and a PE, and between the MCE and a site, including static routes, the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS), and BGP.

Multiple Routing Protocols Run Between an MCE and a PE

When the AR2200-S functions as an MCE, the following routing protocols can run between the AR2200-S and a PE:
- Static routes
- RIP
- OSPF
- IS-IS
- BGP

Multiple Routing Protocols Run Between an MCE and a Site

When the AR2200-S functions as an MCE, the following routing protocols can run between the AR2200-S and a site:
- Static routes
- RIP
- OSPF
- IS-IS
- BGP

2.2 Configuring a VPN Instance

This section describes how to configure a VPN instance.

2.2.1 Establishing the Configuration Task

Applicable Environment

To connect a CE to multiple VPNs and isolate services of these VPNs, you need to configure MCE functions. Before configuring MCE functions, you need to configure VPN instances on an MCE and a PE.

Pre-configuration Tasks

Before configuring a VPN instance, complete the following tasks:
- Creating a VLAN on the MCE and adding the interfaces connecting the site and the PE to the VLAN
- Creating a VLAN on the PE and adding the sub-interface connecting the MCE to the VLAN
- Creating a VLAN on the device connected to the MCE in a site and adding the interface connected to the MCE on the device to the VLAN

Data Preparation

To configure a VPN instance, you need the following data.

  No.  Data
  1    Name of the VPN instance
  2    Route Distinguisher (RD) of the VPN instance
  3    (Optional) Description of the VPN instance
  4    (Optional) Maximum number of routes supported by the VPN instance
  5    ID of the VLAN corresponding to the VPN instance

2.2.2 Creating a VPN Instance

Context

Do as follows on the MCE. You need to perform similar configurations on the PE; however, the configuration commands and methods may differ because device manufacturers and types differ. For details, refer to the manuals of the corresponding products.

Procedure

Step 1 Run the system-view command to enter the system view.

Step 2 Run the ip vpn-instance vpn-instance-name command to create a VPN instance and enter the VPN instance view.
  NOTE
  The name of a VPN instance is case-sensitive. For example, "vpn1" and "VPN1" are taken as different VPN instances.

Step 3 Run the route-distinguisher route-distinguisher command to configure an RD for the VPN instance.
  The RD does not have a default value; therefore, you must configure an RD when creating a VPN instance. A VPN instance takes effect only after it is configured with an RD. The RDs of different VPN instances on a device should be different. Before configuring an RD, you can configure only the description.

Step 4 (Optional) Run the description description command to configure the description for the VPN instance.
  By default, no description is configured for a VPN instance. The description is similar to that of a host name or an interface and can be used to record the relationship between a VPN instance and a VPN.

Step 5 (Optional) Run the routing-table limit number { alert-percent | simply-alert } command to set the maximum number of routes supported by the VPN instance.
  By default, the maximum number of routes supported by a VPN instance is not set. To prevent excessive routes from being imported, set the maximum number of routes supported by a VPN instance.

----End
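The rules in Steps 2 to 5 are easy to get wrong when many instances are provisioned at once: a name that differs only in case is a second instance, an instance without an RD silently never takes effect, and two instances sharing an RD on one device violate the requirement above. The validator below is an added example, not Huawei code; it encodes those rules and renders the commands in the order the procedure requires (description may precede the RD). The RD syntax it accepts is the three RFC 4364 formats (16-bit ASN:32-bit number, IPv4 address:16-bit number, 32-bit ASN:16-bit number); that the router accepts exactly these formats, and that alert-percent ranges from 1 to 100, are assumptions and not taken from this guide. The instance values in the test are constructed.

```python
"""Validate VPN instance definitions against the rules of this procedure."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class VpnInstance:
    name: str
    rd: Optional[str] = None
    description: Optional[str] = None
    route_limit: Optional[int] = None      # routing-table limit <number> ...
    alert_percent: Optional[int] = None    # ... <alert-percent>  (assumed range 1..100)
    simply_alert: bool = False             # ... simply-alert


def rd_is_valid(rd):
    """Accept ASN16:nn32, IPv4:nn16 or ASN32:nn16 (assumed router syntax, RFC 4364 formats)."""
    m = re.fullmatch(r"([0-9.]+):(\d+)", rd)
    if not m:
        return False
    left, right = m.group(1), int(m.group(2))
    if "." in left:
        try:
            ipaddress.IPv4Address(left)
        except ValueError:
            return False
        return right <= 0xFFFF
    asn = int(left)
    if asn <= 0xFFFF:
        return right <= 0xFFFFFFFF
    return asn <= 0xFFFFFFFF and right <= 0xFFFF


def validate(instances):
    """Return a list of findings for a set of instances meant for one device."""
    findings = []
    names = set()
    rd_owner = {}
    for inst in instances:
        if inst.name in names:  # "vpn1" and "VPN1" are different instances: compare case-sensitively
            findings.append(f"{inst.name}: duplicate instance name")
        names.add(inst.name)
        if inst.rd is None:
            findings.append(f"{inst.name}: no RD, the instance will not take effect")
        elif not rd_is_valid(inst.rd):
            findings.append(f"{inst.name}: RD {inst.rd!r} is not ASN:nn or IPv4:nn")
        elif inst.rd in rd_owner:
            findings.append(f"{inst.name}: RD {inst.rd} already used by {rd_owner[inst.rd]}")
        else:
            rd_owner[inst.rd] = inst.name
        if inst.route_limit is not None:
            if inst.alert_percent is None and not inst.simply_alert:
                findings.append(f"{inst.name}: routing-table limit needs alert-percent or simply-alert")
            elif inst.alert_percent is not None and not 1 <= inst.alert_percent <= 100:
                findings.append(f"{inst.name}: alert-percent {inst.alert_percent} out of range")
    return findings


def to_cli(inst):
    """Render the commands of Steps 2 to 5 in procedure order (description before the RD)."""
    lines = [f"ip vpn-instance {inst.name}"]
    if inst.description:
        lines.append(f" description {inst.description}")
    if inst.rd:
        lines.append(f" route-distinguisher {inst.rd}")
    if inst.route_limit is not None:
        tail = "simply-alert" if inst.simply_alert else str(inst.alert_percent)
        lines.append(f" routing-table limit {inst.route_limit} {tail}")
    return lines
```

Run validate() over the planned instances before pushing anything; an empty list means the names, RDs and route limits are consistent with the rules above, and to_cli() then gives the command block for each instance.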

2.2.3 Binding an Interface with a VPN Instance

Binding an interface to a VPN instance turns it into a VPN interface. As a result, packets that pass through the interface are forwarded according to the forwarding information of the VPN instance, and the Layer 3 attributes configured on the interface, such as the IP address and routing protocol, are deleted. These Layer 3 attributes need to be configured again if required.

Context

Do as follows on the PE that is connected to the CE.

Procedure

Step 1 Run:
  system-view
The system view is displayed.

Step 2 Run:
  interface interface-type interface-number
The view of the interface that is to be bound with the VPN instance is displayed.

Step 3 Run:
  ip binding vpn-instance vpn-instance-name
The interface is bound to the VPN instance.
  NOTE
  Running the ip binding vpn-instance command on an interface deletes its Layer 3 attributes, such as the IP address and routing protocol. If these Layer 3 attributes are still required, you need to configure them again.
  An interface cannot be bound to a VPN instance that has no address family enabled. Disabling an address family of a VPN instance deletes the Layer 3 attributes, such as the IP address and routing protocol, of the interfaces bound to the VPN instance. Disabling all address families of a VPN instance unbinds all bound interfaces from the VPN instance.

Step 4 Run:
  ip address ip-address { mask | mask-length }
The IP address is configured.

----End

2.2.4 Checking the Configuration

Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check the previous configuration. If the configuration is correct, you can view:
- VPN instance created correctly
- Name of the VPN instance
- RD
- Description
- Maximum number of routes supported by the VPN instance
- Interface configured correctly

display ip vpn-instance verbose
  Total VPN-Instances configured : 1
  VPN-Instance Name and ID : vpn1, 1
    Create date : 2011/09/10 16:58:42
    Up time : 0 days, 21 hours, 42 minutes and 10 seconds
    Log Interval : 5

2.3 Configuring a Route Multi-Instance Between an MCE and a Site

This section describes how to configure static routes, RIP, OSPF, IS-IS, and BGP between an MCE and a site. When configuring a route multi-instance between an MCE and a site, the tasks from 2.3.2 (Optional) Configuring a Static Route Between an MCE and a Site to (Optional) Configuring BGP Between an MCE and a Site are optional and can be configured as required.

2.3.1 Establishing the Configuration Task

Applicable Environment

To connect a CE to multiple VPNs and isolate services of these VPNs, you need to configure MCE functions. Before configuring MCE functions, you need to perform the task of 2.2 Configuring a VPN Instance on the MCE and PE, and then configure a route multi-instance between an MCE and a site.

Pre-configuration Tasks

Before configuring a route multi-instance between an MCE and a site, complete the following task:
- 2.2 Configuring a VPN Instance

Data Preparation

To configure a route multi-instance between an MCE and a site, you need the following data.

  No.  Data
  1    Name of the VPN instance
  2    (Optional) Destination address of a static route to the site, name of the destination VPN instance, mask or mask length, next hop IP address, priority of the route, and description of the route
  3    (Optional) RIP process number, address of the network segment where the VLANIF interface bound to the VPN instance is located, type and process number of the routing protocol run between an MCE and a PE, cost of the imported route, and name of the routing policy used during route importing
  4    (Optional) OSPF process number, router ID of OSPF, area ID of OSPF, address of the network segment where the VLANIF interface bound to the VPN instance is located, type and process number of the routing protocol run between an MCE and a PE, cost of the imported route, metric of the imported route, tag in the external Link State Advertisement (LSA) of the imported route, and name of the routing policy used during route importing
  5    (Optional) IS-IS process number, Network Entity Title (NET) of the IS-IS process, number of the VLANIF interface bound to the VPN instance, type and process number of the routing protocol run between an MCE and a PE, type and value of the cost of the imported route, administrative tag of the imported route, and level of the routing table for storing the imported route
  6    (Optional) Autonomous System (AS) number, IP address of the VLANIF interface connecting a CE and an MCE, type and process number of the routing protocol run between an MCE and a PE, Multi-Exit Discriminator (MED) of the imported route, and name of the routing policy used during route importing

2.3.2 (Optional) Configuring a Static Route Between an MCE and a Site

Context

Do as follows on the MCE. You need to configure only routing protocols on a device in a site.

Procedure

Step 1 Run the system-view command to enter the system view.

Step 2 Run the ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } { interface-type interface-number [ gateway-address ] | vpn-instance vpn-destination-name gateway-address | gateway-address } [ preference preference ] [ track bfd-session cfg-name ] [ description description ] command to configure a static route to the site.
  You must specify the next hop address on the local device.

----End

2.3.3 (Optional) Configuring RIP Between an MCE and a Site

Context

Do as follows on the MCE. You need to configure only routing protocols on a device in a site.

Procedure

Step 1 Run the system-view command to enter the system view.

Step 2 Run the rip [ process-id ] [ vpn-instance vpn-instance-name ] command to create and enable a RIP process used by a VPN instance and enter the RIP view.

Step 3 Run the network network-address command to enable RIP routes on the network segment where the IP address of the interface bound to the VPN instance belongs.

Step 4 (Optional) Run the import-route { { static | direct } | { { rip | ospf | isis } [ process-id ] } } [ cost cost | route-policy route-policy-name ] * command to import routes from other routing protocols.
  If another routing protocol is run between an MCE and a PE in this VPN, you need to perform this step.

----End

2.3.4 (Optional) Configuring OSPF Between an MCE and a Site

Context

Do as follows on the MCE. You need to configure only routing protocols on a device in a site.

Procedure

Step 1 Run the system-view command to enter the system view.

Step 2 Run the ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] * command to create an OSPF process used by a VPN instance and enter the OSPF view.
  NOTE
  In this step, you must specify vpn-instance vpn-instance-name.

Step 3 (Optional) Run the import-route { limit limit-number | protocol [ process-id ] [ cost cost | route-policy route-policy-name | tag tag | type type ] * } command to import routes from other routing protocols.
  If another routing protocol is run between an MCE and a PE in this VPN, you need to perform this step.

Step 4 Run the area area-id command to create an OSPF area and enter the OSPF area view.

Step 5 Run the network address wildcard-mask [ description text ] command to enable OSPF routes on the network segment where the IP address of the interface bound to the VPN instance belongs.

----End

2.3.5 (Optional) Configuring IS-IS Between an MCE and a Site

Context

Do as follows on the MCE. You need to configure only routing protocols on a device in a site.

Procedure

Step 1 Run the system-view command to enter the system view.

Step 2 Run the interface interface-type interface-number command to enter the view of the interface bound to the VPN instance.

Step 3 Run the isis enable [ process-id ] command to enable IS-IS on the interface.
  By default, IS-IS is disabled on a VLANIF interface.

Step 4 Run the isis [ process-id ] vpn-instance vpn-instance-name command to create an IS-IS process used by a VPN instance and enter the IS-IS view.

Step 5 Run the network-entity net command to configure a NET.
  By default, no NET is configured for an IS-IS process.

Step 6 Run the import-route protocol [ process-id ] [ cost-type { external | internal } | cost cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] * command to import routes from other routing protocols.
  If another routing protocol is run between an MCE and a PE in this VPN, you need to perform this step.

----End

2.3.6 Checking the Configuration

Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command on the MCE. If you can view the route to the local VPN in the display, the configuration succeeds. Take RIP used between an MCE and a site as an example. The information is displayed as follows:

[MCE] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    172.16.0.0/16   Direct  0    0           D   172.16.1.2      Vlanif10
    172.16.1.1/32   Direct  0    0           D   172.16.1.1      Vlanif10
    172.16.1.2/32   Direct  0    0           D   127.0.0.1       InLoopBack0
    172.18.0.0/16   Direct  0    0           D   172.18.1.2      Vlanif30
    172.18.1.1/32   Direct  0    0           D   172.18.1.1      Vlanif30
    172.18.1.2/32   Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.0.0/16   RIP     100  1           D   172.16.1.1      Vlanif10
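The display above is one of several routing tables the MCE keeps, one per VPN instance, and a packet arriving on an interface is looked up only in the table of the instance that interface is bound to (the ip binding vpn-instance step in 2.2.3). The script below makes that isolation concrete, and serves as the check for both this section and 2.4.6. It is an added example, not Huawei code: VPNB_TABLE is a constructed copy of the vpnb display above; VPNA_TABLE is constructed for vpna, which the guide does not show, using the VLAN20/VLAN40 addressing from the networking diagram in 2.5.1. Both tables deliberately carry 192.168.0.0/16 so that the same destination resolves differently depending on the ingress instance.

```python
"""Per-VPN-instance longest-prefix-match lookup, as an MCE performs it."""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix proto pre cost nexthop interface")

# Constructed copy of the vpnb display shown in this section.
VPNB_TABLE = """\
Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
172.16.0.0/16       Direct  0    0      D     172.16.1.2      Vlanif10
172.16.1.1/32       Direct  0    0      D     172.16.1.1      Vlanif10
172.16.1.2/32       Direct  0    0      D     127.0.0.1       InLoopBack0
172.18.0.0/16       Direct  0    0      D     172.18.1.2      Vlanif30
172.18.1.1/32       Direct  0    0      D     172.18.1.1      Vlanif30
172.18.1.2/32       Direct  0    0      D     127.0.0.1       InLoopBack0
192.168.0.0/16      RIP     100  1      D     172.16.1.1      Vlanif10
"""

# Constructed vpna table (not on the page): VLAN20 towards CE4, VLAN40 towards PE2.
VPNA_TABLE = """\
Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
172.17.0.0/16       Direct  0    0      D     172.17.1.2      Vlanif20
172.19.0.0/16       Direct  0    0      D     172.19.1.2      Vlanif40
192.168.0.0/16      RIP     100  1      D     172.17.1.1      Vlanif20
"""


def parse_routing_table(text):
    """Turn the 7-column body of the display into Route records; the header is skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0].startswith("Destination"):
            continue
        prefix, proto, pre, cost, _flags, nexthop, iface = parts
        routes.append(Route(ipaddress.ip_network(prefix), proto, int(pre), int(cost), nexthop, iface))
    return routes


class Mce:
    """One routing table per VPN instance; each interface is bound to exactly one instance."""

    def __init__(self):
        self.tables = {}    # vpn-instance name (case-sensitive) -> list of Route
        self.bindings = {}  # interface -> vpn-instance name, as set by 'ip binding vpn-instance'

    def add_vpn_instance(self, name, display_text):
        self.tables[name] = parse_routing_table(display_text)

    def bind(self, interface, name):
        if name not in self.tables:
            raise KeyError(f"VPN instance {name!r} does not exist")
        self.bindings[interface] = name

    def lookup(self, ingress_interface, destination):
        """Longest-prefix match restricted to the table of the ingress interface's instance."""
        table = self.tables[self.bindings[ingress_interface]]
        addr = ipaddress.ip_address(destination)
        best = None
        for r in table:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def build_mce():
    """Assemble the MCE of the example: VLAN10/VLAN30 carry vpnb, VLAN20/VLAN40 carry vpna."""
    mce = Mce()
    mce.add_vpn_instance("vpnb", VPNB_TABLE)
    mce.add_vpn_instance("vpna", VPNA_TABLE)
    for iface in ("Vlanif10", "Vlanif30"):
        mce.bind(iface, "vpnb")
    for iface in ("Vlanif20", "Vlanif40"):
        mce.bind(iface, "vpna")
    return mce
```

A packet for 192.168.1.5 entering on Vlanif30 (vpnb) is forwarded to 172.16.1.1 over Vlanif10, while the same destination entering on Vlanif40 (vpna) goes to 172.17.1.1 over Vlanif20; a vpnb lookup for a vpna-only segment such as 172.17.0.0/16 finds nothing, which is exactly the isolation the MCE is configured for.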

2.4 Configuring a Route Multi-Instance Between an MCE and a PE

This section describes how to configure static routes, RIP, OSPF, IS-IS, and BGP between an MCE and a PE. When configuring a route multi-instance between an MCE and a PE, the tasks from 2.4.2 (Optional) Configuring a Static Route Between an MCE and a PE to (Optional) Configuring BGP Between an MCE and a PE are optional and can be configured as required.

2.4.1 Establishing the Configuration Task

Applicable Environment

To connect a CE to multiple VPNs and isolate services of these VPNs, you need to configure MCE functions. Before configuring MCE functions, you need to perform the task of 2.2 Configuring a VPN Instance on the MCE and PE, and then configure a route multi-instance between the MCE and PE.

Pre-configuration Tasks

Before configuring a route multi-instance between an MCE and a PE, complete the following task:
- 2.2 Configuring a VPN Instance

Data Preparation

To configure a route multi-instance between an MCE and a PE, you need the following data.

  No.  Data
  1    Name of the VPN instance
  2    (Optional) Destination address of a static route to the PE, name of the destination VPN instance, mask or mask length, next hop IP address, priority of the route, and description of the route
  3    (Optional) RIP process number, address of the network segment where the interface bound to the VPN instance is located, type and process number of the routing protocol run between an MCE and a site, cost of the imported route, and name of the routing policy used during route importing
  4    (Optional) OSPF process number, router ID of OSPF, area ID of OSPF, address of the network segment where the interface bound to the VPN instance is located, type and process number of the routing protocol run between an MCE and a site, cost of the imported route, metric of the imported route, tag in the external LSA of the imported route, and name of the routing policy used during route importing
  5    (Optional) IS-IS process number, NET of the IS-IS process, number of the interface bound to the VPN instance, type and process number of the routing protocol run between an MCE and a site, type and value of the cost of the imported route, administrative tag of the imported route, and level of the routing table for storing the imported route
  6    (Optional) AS number, IP address of the interface connecting a CE and an MCE, type and process number of the routing protocol run between an MCE and a site, MED of the imported route, and name of the routing policy used during route importing

2.4.2 (Optional) Configuring a Static Route Between an MCE and a PE

Context

Do as follows on the MCE. You can use a static route on a PE, and can also use RIP, OSPF, IS-IS, or BGP. For details, refer to the manuals of the corresponding products.

Procedure

Step 1 Run the system-view command to enter the system view.

Step 2 Run the ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } { interface-type interface-number [ gateway-address ] | vpn-instance vpn-destination-name gateway-address | gateway-address } [ preference preference ] [ track bfd-session cfg-name ] [ description description ] command to configure a static route to a PE.
  You must specify the next hop address on the local device.

----End

2.4.3 (Optional) Configuring RIP Between an MCE and a PE

Context

Do as follows on the MCE. You need to perform similar configurations on a PE. For details, refer to the manuals of the corresponding products.

Procedure

Step 1 Run the system-view command to enter the system view.

Step 2 Run the rip [ process-id ] vpn-instance vpn-instance-name command to create and enable a RIP process used by a VPN instance and enter the RIP view.

Step 3 Run the network network-address command to enable RIP routes on the network segment where the IP address of the interface bound to the VPN instance belongs.

Step 4 (Optional) Run the import-route { { static | direct } | { { rip | ospf | isis } [ process-id ] } } [ cost cost | route-policy route-policy-name ] * command to import routes from other routing protocols.
  If another routing protocol is run between an MCE and a site in this VPN, you need to perform this step.

----End

2.4.4 (Optional) Configuring OSPF Between an MCE and a PE

Context

Do as follows on the MCE. You need to perform similar configurations on a PE. For details, refer to the manuals of the corresponding products.

Procedure

Step 1 Run the system-view command to enter the system view.

Step 2 Run the ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] * command to create an OSPF process used by a VPN instance and enter the OSPF view.
  NOTE
  In this step, you must specify vpn-instance vpn-instance-name.

Step 3 (Optional) Run the import-route { limit limit-number | protocol [ process-id ] [ cost cost | route-policy route-policy-name | tag tag | type type ] * } command to import routes from other routing protocols.
  If another routing protocol is run between an MCE and a site in this VPN, you need to perform this step.

Step 4 Run the area area-id command to create an OSPF area and enter the OSPF area view.

Step 5 Run the network address wildcard-mask [ description text ] command to enable OSPF routes on the network segment where the IP address of the interface bound to the VPN instance belongs.

----End

2.4.5 (Optional) Configuring IS-IS Between an MCE and a PE

Context

Do as follows on the MCE. You need to perform similar configurations on a PE. For details, refer to the manuals of the corresponding products.

Procedure

Step 1 Run the system-view command to enter the system view.

Step 2 Run the interface interface-type interface-number command to enter the view of the interface bound to the VPN instance.

Step 3 Run the isis enable [ process-id ] command to enable IS-IS on the interface.
  By default, IS-IS is disabled on a VLANIF interface.

Step 4 Run the isis [ process-id ] vpn-instance vpn-instance-name command to create an IS-IS process used by a VPN instance and enter the IS-IS view.

Step 5 Run the network-entity net command to configure a NET.
  By default, no NET is configured for an IS-IS process.

Step 6 (Optional) Run the import-route protocol [ process-id ] [ cost-type { external | internal } | cost cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] * command to import routes from other routing protocols.
  If another routing protocol is run between an MCE and a site in this VPN, you need to perform this step.

----End

2.4.6 Checking the Configuration

Run the display ip routing-table vpn-instance command on the PE, and you can find the routes to the local VPN. Take the Huawei AR2200-S Series as an example. The information is displayed as follows:

[PE1] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    172.18.0.0/16   Direct  0    0           D   172.18.1.1      Ethernet0/0/0
    172.18.1.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
 172.18.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.0.0/16   O_ASE   150  1           D   172.16.1.1      Ethernet0/0/0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

2.5 MCE Configuration Examples This section provides several configuration examples of MCE.

2.5.1 Example for Configuring MCE

Networking Requirements
As shown in Figure 2-2, the networking is as follows:
- CE1, CE2, CE3, and CE4 are edge devices of the VPN.
- CE1 and CE3 belong to a VPN instance named vpnb, and CE2 and CE4 belong to a VPN instance named vpna.
- PE1 and PE2 are edge routers of the backbone network. BGP or MPLS IP VPN is configured on the backbone network between PE1 and PE2.
- The MCE functions as a Multi-VPN-Instance CE located in the user network.
- RIP is run between the MCE, CE3, and CE4.
- OSPF is run between the MCE and PE2.

It is required that route isolation between VPNs be implemented on the MCE and that routes of the VPNs be advertised to PE2 through OSPF.

Figure 2-2 Networking diagram for configuring MCE
[Figure: CE1 (vpnb) and CE2 (vpna) sit on the PE1 side; PE1 and PE2 are connected by the BGP MPLS IP VPN backbone. PE2 GE0/0/1 (172.18.1.1/16, VLAN30) connects to MCE Eth0/0/1 (VLANIF30, 172.18.1.2/16) for vpnb, and PE2 GE0/0/2 (172.19.1.1/16, VLAN40) connects to MCE Eth0/0/2 (VLANIF40, 172.19.1.2/16) for vpna. MCE Eth0/0/3 (VLANIF10, 172.16.1.2/16, VLAN10) connects to CE3 Eth0/0/1 (VLANIF10, 172.16.1.1/16), behind which is the vpnb site 192.168.1.0/24. MCE Eth0/0/4 (VLANIF20, 172.17.1.2/16, VLAN20) connects to CE4 Eth0/0/1 (VLANIF20, 172.17.1.1/16), behind which is the vpna site 192.168.2.0/24.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on the MCE, PE2, CE3, and CE4, and add the interfaces connecting these devices to the VLANs.
2. Create and configure VPN instances on the MCE and PE2.
3. Configure the OSPF route multi-instance on the MCE and PE2.
4. Configure RIP between the MCE and CE3, and between the MCE and CE4.

Data Preparation
To complete the configuration, you need the following data:
- VLANs between the MCE, PE2, CE3, and CE4, as shown in Figure 2-2
- IP addresses of VLANIF interfaces, as shown in Figure 2-2

Configuration Procedure
1. Create VLANs on the MCE, PE2, CE3, and CE4, and add the interfaces connecting these devices to the VLANs.

# Create VLANs on the MCE.
system-view
[Quidway] sysname MCE
[MCE] vlan batch 10 20 30 40

# Add interfaces to the VLANs on the MCE.
[MCE] interface ethernet 0/0/1
[MCE-Ethernet0/0/1] port link-type access
[MCE-Ethernet0/0/1] port default vlan 30
[MCE-Ethernet0/0/1] quit
[MCE] interface ethernet 0/0/2
[MCE-Ethernet0/0/2] port link-type access
[MCE-Ethernet0/0/2] port default vlan 40
[MCE-Ethernet0/0/2] quit
[MCE] interface ethernet 0/0/3
[MCE-Ethernet0/0/3] port link-type trunk
[MCE-Ethernet0/0/3] port trunk allow-pass vlan 10
[MCE-Ethernet0/0/3] quit
[MCE] interface ethernet 0/0/4
[MCE-Ethernet0/0/4] port link-type trunk
[MCE-Ethernet0/0/4] port trunk allow-pass vlan 20
[MCE-Ethernet0/0/4] quit

# Create a VLAN on CE3.
system-view
[Quidway] sysname CE3
[CE3] vlan 10
[CE3-vlan10] quit

# Add an interface to the VLAN on CE3.
[CE3] interface ethernet 0/0/1
[CE3-Ethernet0/0/1] port link-type trunk
[CE3-Ethernet0/0/1] port trunk allow-pass vlan 10
[CE3-Ethernet0/0/1] quit

# Create a VLAN on CE4. The configuration on CE4 is similar to that on CE3, and is not mentioned here.
# Add an interface to the VLAN on CE4. The configuration on CE4 is similar to that on CE3, and is not mentioned here.

2. Create and configure VPN instances.

# Create VPN instances on the MCE.
[MCE] ip vpn-instance vpna
[MCE-vpn-instance-vpna] ipv4-family
[MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[MCE-vpn-instance-vpna-af-ipv4] quit
[MCE-vpn-instance-vpna] quit
[MCE] ip vpn-instance vpnb
[MCE-vpn-instance-vpnb] ipv4-family
[MCE-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[MCE-vpn-instance-vpnb-af-ipv4] quit
[MCE-vpn-instance-vpnb] quit

# Bind VPN instances to VLANIF interfaces on the MCE and assign IP addresses to the VLANIF interfaces.
[MCE] interface vlanif 10
[MCE-Vlanif10] ip binding vpn-instance vpnb
[MCE-Vlanif10] ip address 172.16.1.2 16
[MCE-Vlanif10] quit
[MCE] interface vlanif 20
[MCE-Vlanif20] ip binding vpn-instance vpna
[MCE-Vlanif20] ip address 172.17.1.2 16
[MCE-Vlanif20] quit
[MCE] interface vlanif 30
[MCE-Vlanif30] ip binding vpn-instance vpnb
[MCE-Vlanif30] ip address 172.18.1.2 16
[MCE-Vlanif30] quit
[MCE] interface vlanif 40
[MCE-Vlanif40] ip binding vpn-instance vpna
[MCE-Vlanif40] ip address 172.19.1.2 16
[MCE-Vlanif40] quit

# Create VPN instances on PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 100:1
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 100:2
[PE2-vpn-instance-vpnb] quit

# Bind VPN instances to the interfaces on PE2 that connect to the MCE and assign IP addresses to the interfaces.
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet0/0/1] ip address 172.18.1.1 255.255.0.0
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface gigabitethernet 0/0/2
[PE2-GigabitEthernet0/0/2] ip binding vpn-instance vpna
[PE2-GigabitEthernet0/0/2] ip address 172.19.1.1 255.255.0.0
[PE2-GigabitEthernet0/0/2] quit

3. Configure the OSPF route multi-instance between the MCE and PE2.

# Configure the OSPF route multi-instance on PE2.
[PE2] ospf 100 vpn-instance vpna
[PE2-ospf-100] vpn-instance-capability simple
[PE2-ospf-100] area 0
[PE2-ospf-100-area-0.0.0.0] network 172.19.0.0 0.0.255.255
[PE2-ospf-100-area-0.0.0.0] quit
[PE2-ospf-100] quit
[PE2] ospf 200 vpn-instance vpnb
[PE2-ospf-200] vpn-instance-capability simple
[PE2-ospf-200] area 0
[PE2-ospf-200-area-0.0.0.0] network 172.18.0.0 0.0.255.255
[PE2-ospf-200-area-0.0.0.0] quit
[PE2-ospf-200] quit

# Configure the OSPF route multi-instance on the MCE.

[MCE] ospf 100 vpn-instance vpna
[MCE-ospf-100] area 0
[MCE-ospf-100-area-0.0.0.0] network 172.19.0.0 0.0.255.255
[MCE-ospf-100-area-0.0.0.0] quit
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] area 0
[MCE-ospf-200-area-0.0.0.0] network 172.18.0.0 0.0.255.255
[MCE-ospf-200-area-0.0.0.0] quit
[MCE-ospf-200] quit

4. Configure RIP between the MCE and CE3, and between the MCE and CE4.

# Configure RIP-2 on the MCE.
[MCE] rip 100 vpn-instance vpna
[MCE-rip-100] version 2
[MCE-rip-100] network 172.17.0.0
[MCE-rip-100] import-route ospf 100
[MCE-rip-100] quit
[MCE] rip 200 vpn-instance vpnb
[MCE-rip-200] version 2
[MCE-rip-200] network 172.16.0.0
[MCE-rip-200] import-route ospf 200
[MCE-rip-200] quit

# Configure RIP-2 on CE3.
[CE3] rip 200
[CE3-rip-200] version 2
[CE3-rip-200] network 172.16.0.0
[CE3-rip-200] network 192.168.1.0
[CE3-rip-200] import-route direct

# Configure RIP-2 on CE4.
[CE4] rip 100
[CE4-rip-100] version 2
[CE4-rip-100] network 172.17.0.0
[CE4-rip-100] network 192.168.2.0
[CE4-rip-100] import-route direct

# Import RIP routes on the MCE.
[MCE] ospf 100
[MCE-ospf-100] import-route rip 100
[MCE-ospf-100] quit
[MCE] ospf 200
[MCE-ospf-200] import-route rip 200
[MCE-ospf-200] quit

5.

Verify the configuration.

# After the configuration, run the display ip routing-table vpn-instance command on the MCE, and you can view the routes to the local VPN. Take vpnb as an example:
[MCE] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    172.16.0.0/16  Direct  0    0           D   172.16.1.2      Vlanif10
    172.16.1.1/32  Direct  0    0           D   172.16.1.1      Vlanif10
    172.16.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    172.18.0.0/16  Direct  0    0           D   172.18.1.2      Vlanif30
    172.18.1.1/32  Direct  0    0           D   172.18.1.1      Vlanif30
    172.18.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.0.0/16  RIP     100  1           D   172.16.1.1      Vlanif10

# Run the display ip routing-table vpn-instance command on the PE, and you can view the routes to the local VPN. Take vpnb on PE2 as an example:
[PE2] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
         Destinations : 3        Routes : 3

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    172.18.0.0/16  Direct  0    0           D   172.18.1.1      GigabitEthernet0/0/1
    172.18.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.0.0/16  O_ASE   150  1           D   172.18.1.2      GigabitEthernet0/0/1
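The two verification outputs above can be checked mechanically. The Python below is an added example, not part of this guide and not Huawei software: it parses the text of display ip routing-table vpn-instance, extracts each route, and reports any destination that lies outside the prefixes the VPN instance is allowed to carry, which is the observable effect of the route isolation the example requires. The sample output is the vpnb table of the MCE shown above, constructed inline, plus a second copy with a vpna prefix injected to show what a leak between instances would look like; the column layout it assumes is the one in that output.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed sample: the vpnb table the MCE displays in step 5 above.
MCE_VPNB = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    172.16.0.0/16  Direct  0    0           D   172.16.1.2      Vlanif10
    172.16.1.1/32  Direct  0    0           D   172.16.1.1      Vlanif10
    172.16.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    172.18.0.0/16  Direct  0    0           D   172.18.1.2      Vlanif30
    172.18.1.1/32  Direct  0    0           D   172.18.1.1      Vlanif30
    172.18.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.0.0/16  RIP     100  1           D   172.16.1.1      Vlanif10
"""

# Constructed sample of a misconfiguration: a vpna prefix (172.17.0.0/16) has reached the vpnb table.
MCE_VPNB_LEAK = MCE_VPNB + "    172.17.0.0/16  O_ASE   150  1           D   172.18.1.1      Vlanif30\n"

# Prefixes that legitimately belong to vpnb in Figure 2-2 (CE3 link, PE2 link, CE3 site as advertised by RIP).
VPNB_PREFIXES = ("172.16.0.0/16", "172.18.0.0/16", "192.168.0.0/16")


@dataclass(frozen=True)
class Route:
    prefix: str
    proto: str
    pre: int
    cost: int
    nexthop: str
    iface: str


# One route line: Destination/Mask, Proto, Pre, Cost, Flags, NextHop, Interface.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_routing_table(text):
    """Return (vpn_instance_name, [Route, ...]) from the display output."""
    vpn = None
    routes = []
    for line in text.splitlines():
        m = re.match(r"Routing Tables:\s*(\S+)", line.strip())
        if m:
            vpn = m.group(1)
            continue
        m = ROUTE_RE.match(line)
        if m:
            prefix, proto, pre, cost, _flags, nexthop, iface = m.groups()
            routes.append(Route(prefix, proto, int(pre), int(cost), nexthop, iface))
    return vpn, routes


def learned_via(routes, prefix, proto):
    """True if the prefix is present and was learned through the given protocol."""
    return any(r.prefix == prefix and r.proto == proto for r in routes)


def leaked_routes(routes, allowed_prefixes):
    """Routes whose destination is not inside any prefix the VPN may carry.
    Any hit means another VPN's routes reached this instance's table."""
    allowed = [ip_network(p) for p in allowed_prefixes]
    return [r for r in routes
            if not any(ip_network(r.prefix).subnet_of(a) for a in allowed)]


if __name__ == "__main__":
    vpn, routes = parse_routing_table(MCE_VPNB)
    print(vpn, len(routes), learned_via(routes, "192.168.0.0/16", "RIP"))
    print([r.prefix for r in leaked_routes(parse_routing_table(MCE_VPNB_LEAK)[1], VPNB_PREFIXES)])
```

Run the same check against each instance's table on the MCE and on PE2 with that instance's own prefix list; the CE3 site must show up in vpnb via RIP and the CE4 site must never appear there.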

Configuration Files
NOTE
The following lists only the configuration files related to the MCE. For details on configuring BGP or MPLS IP VPN, refer to the manuals of the corresponding devices.

- Configuration file of the MCE
#
 sysname MCE
#
vlan batch 10 20 30 40
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
#
interface Vlanif10
 ip binding vpn-instance vpnb
 ip address 172.16.1.2 255.255.0.0
#
interface Vlanif20
 ip binding vpn-instance vpna
 ip address 172.17.1.2 255.255.0.0
#
interface Vlanif30
 ip binding vpn-instance vpnb
 ip address 172.18.1.2 255.255.0.0
#
interface Vlanif40
 ip binding vpn-instance vpna
 ip address 172.19.1.2 255.255.0.0
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 30
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 40
#
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 20
#
ospf 100 vpn-instance vpna
 import-route rip 100
 area 0.0.0.0
  network 172.17.0.0 0.0.255.255
  network 172.19.0.0 0.0.255.255
#
ospf 200 vpn-instance vpnb
 import-route rip 200
 area 0.0.0.0
  network 172.16.0.0 0.0.255.255
  network 172.18.0.0 0.0.255.255
#
rip 100 vpn-instance vpna
 version 2
 network 172.17.0.0
 import-route ospf 100
#
rip 200 vpn-instance vpnb
 version 2
 network 172.16.0.0
 import-route ospf 200
#
return

- Configuration file of PE2
#
 sysname PE2
#
ip vpn-instance vpna
 route-distinguisher 100:1
#
ip vpn-instance vpnb
 route-distinguisher 100:2
#
interface GigabitEthernet0/0/1
 ip binding vpn-instance vpnb
 ip address 172.18.1.3 255.255.0.0
#
interface GigabitEthernet0/0/2
 ip binding vpn-instance vpna
 ip address 172.19.1.3 255.255.0.0
#
ospf 100 vpn-instance vpna
 vpn-instance-capability simple
 area 0.0.0.0
  network 172.19.0.0 0.0.255.255
#
ospf 200 vpn-instance vpnb
 vpn-instance-capability simple
 area 0.0.0.0
  network 172.18.0.0 0.0.255.255
#
return

- Configuration file of CE3
#
 sysname CE3
#
vlan batch 10
#
interface Vlanif10
 ip address 172.16.1.1 255.255.0.0
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
rip 200
 version 2
 network 172.16.0.0
 network 192.168.1.0
 import-route direct
#
return

- Configuration file of CE4
#
 sysname CE4
#
vlan batch 20
#
interface Vlanif20
 ip address 172.17.1.1 255.255.0.0
#
interface Ethernet0/0/1
 port trunk allow-pass vlan 20
#
rip 100
 version 2
 network 172.17.0.0
 network 192.168.2.0
 import-route direct
#
return

3 IPSec Configuration

About This Chapter
IP Security (IPSec) uses data encryption and data source authentication at the IP layer to ensure data confidentiality and integrity and prevent replay of data packets. Internet Key Exchange (IKE) enables key negotiation and security association (SA) establishment to simplify the use and management of IPSec. This chapter describes how to configure IPSec and IKE.

3.1 IPSec Overview
The IP Security (IPSec) protocol family is a series of protocols defined by the Internet Engineering Task Force (IETF). This protocol family provides high-quality, interoperable, cryptography-based security for IP packets. Communicating parties encrypt data and authenticate the data source at the IP layer to ensure data confidentiality and integrity and prevent replay of data packets.

3.2 IPSec Features Supported by the AR2200-S
The AR2200-S supports IPSec tunnels established in manual mode or IKE negotiation mode.

3.3 Establishing an IPSec Tunnel Manually
You can establish IPSec tunnels manually when the network topology is simple.

3.4 Establishing an IPSec Tunnel Through IKE Negotiation
IKE provides an automatic protection mechanism to distribute keys, authenticate identities, and set up SAs on an insecure network.

3.5 Maintaining IPSec
This section describes how to display the IPSec configuration and clear the IPSec statistics.

3.6 Configuration Examples
This section provides several configuration examples of IPSec.


3.1 IPSec Overview
The IP Security (IPSec) protocol family is a series of protocols defined by the Internet Engineering Task Force (IETF). This protocol family provides high-quality, interoperable, cryptography-based security for IP packets. Communicating parties encrypt data and authenticate the data source at the IP layer to ensure data confidentiality and integrity and prevent replay of data packets.

IPSec uses two security protocols: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. Key exchange and SA establishment in IPSec are implemented by the Internet Key Exchange (IKE) protocol, which simplifies the use and management of IPSec.

IPSec involves the following terms:
- Security association (SA)
  – An SA is a set of conventions adopted by the communicating parties. For example, it determines the security protocol (AH, ESP, or both), encapsulation mode (transport mode or tunnel mode), key algorithm (DES, 3DES, or AES), shared key to protect certain flows, and the lifetime of the shared key.
  – An SA is unidirectional, so at least two SAs are required to protect data flows in bidirectional communication. If two peers need to communicate using both AH and ESP, each peer needs to establish two SAs for the two protocols.
  – An SA is identified by three parameters: Security Parameter Index (SPI), destination IP address, and security protocol ID (AH or ESP).
- Encapsulation mode
  – Transport mode: AH or ESP is inserted behind the IP header but before all transport-layer protocols or all other IPSec protocols, as shown in Figure 3-1.
  – Tunnel mode: AH or ESP is inserted before the original IP header but behind a new IP header, as shown in Figure 3-2.

Figure 3-1 Packet format in transport mode
  Mode       Protocol  Packet format
  transport  AH        IP Header | AH | TCP Header | data
  transport  ESP       IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data
  transport  AH-ESP    IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data

Figure 3-2 Packet format in tunnel mode
  Mode    Protocol  Packet format
  tunnel  AH        new IP Header | AH | raw IP Header | TCP Header | data
  tunnel  ESP       new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
  tunnel  AH-ESP    new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data

- Authentication algorithm and encryption algorithm
  – IPSec uses the Message Digest 5 (MD5) algorithm or the Secure Hash Algorithm 1 (SHA-1) for authentication. The MD5 algorithm computes faster than the SHA-1 algorithm, but the SHA-1 algorithm is more secure than the MD5 algorithm.
  – IPSec uses the Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), or Advanced Encryption Standard (AES) algorithm for encryption. The AES algorithm encrypts plain text by using a key of 128 bits, 192 bits, or 256 bits.
- Negotiation mode
  IPSec uses two negotiation modes to establish SAs: manual mode (manual) and IKE negotiation mode (isakmp).
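To make the packet formats and the SA identification rule above concrete, here is an added example (not part of this guide and not Huawei code): a small Python parser that walks the outer layers of a constructed IPv4 packet carrying AH and/or ESP, recovers the triple that identifies the SA (SPI, destination address, security protocol), and reports the encapsulation mode where it is visible. It follows the header layouts of RFC 4302 (AH) and RFC 4303 (ESP), with an all-zero ICV and an all-zero payload because no keys are involved; for ESP the next-header field sits in the encrypted trailer, so the mode cannot be read without the SA's keys. It also includes the sliding anti-replay window a receiver keeps per inbound SA, which is how the replay protection named above is enforced. Addresses, SPIs and sequence numbers are constructed.

```python
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ah_header(next_hdr, spi, seq, icv):
    """AH (RFC 4302): next header, payload length in 32-bit words minus 2,
    reserved, SPI, sequence number, then the ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def esp_header(spi, seq):
    """Cleartext part of ESP (RFC 4303): SPI and sequence number."""
    return struct.pack("!II", spi, seq)


def parse_ipsec(pkt):
    """Walk IPv4 -> AH -> ESP and return the SA selector (protocol, SPI,
    destination, sequence) for each security protocol present, plus the
    encapsulation mode where it is observable."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dst = socket.inet_ntoa(pkt[16:20])
    off = ihl
    sas = []
    mode = "unknown"
    while True:
        if proto == IPPROTO_AH:
            next_hdr, plen, _res, spi, seq = struct.unpack("!BBHII", pkt[off:off + 12])
            sas.append(("ah", spi, dst, seq))
            off += (plen + 2) * 4
            proto = next_hdr
            if next_hdr == IPPROTO_IPIP:        # an inner IP header follows: tunnel mode
                mode = "tunnel"
            elif next_hdr != IPPROTO_ESP:       # a transport header follows: transport mode
                mode = "transport"
        elif proto == IPPROTO_ESP:
            spi, seq = struct.unpack("!II", pkt[off:off + 8])
            sas.append(("esp", spi, dst, seq))
            break                               # everything after this is ciphertext
        else:
            break
    return {"dst": dst, "sas": sas, "mode": mode}


class ReplayWindow:
    """Sliding anti-replay window, one per inbound SA: accept a sequence number
    once, reject duplicates and anything older than the window."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False
        if seq > self.top:                      # advance the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                        # too old, or already seen
        self.bitmap |= 1 << diff
        return True


def build_sample(kind):
    """Constructed packets from 10.0.0.1 to 10.0.0.2 with a zero ICV and a
    20-byte zero block standing in for the TCP header and data."""
    tcp = bytes(20)
    icv = bytes(12)
    if kind == "ah-transport":
        inner = ah_header(IPPROTO_TCP, 0x100, 1, icv) + tcp
    elif kind == "ah-tunnel":
        raw_ip = ipv4_header("192.168.1.10", "192.168.2.10", IPPROTO_TCP, len(tcp)) + tcp
        inner = ah_header(IPPROTO_IPIP, 0x100, 2, icv) + raw_ip
    elif kind == "ah-esp":
        inner = ah_header(IPPROTO_ESP, 0x100, 3, icv) + esp_header(0x200, 7) + bytes(32)
    else:
        raise ValueError(kind)
    return ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_AH, len(inner)) + inner
```

The receiver looks the triple up in its SA database before it verifies the ICV or decrypts anything, so a wrong SPI or a packet addressed to the wrong end is dropped cheaply; the sequence number is then checked against the window of that SA.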

3.2 IPSec Features Supported by the AR2200-S
The AR2200-S supports IPSec tunnels established in manual mode or IKE negotiation mode. The AR2200-S implements the IPSec functions described in 3.1 IPSec Overview. IPSec peers adopt various security protection measures (authentication, encryption, or both) on different data flows.

The IPSec configuration roadmap is as follows:
1. Define the data flows to be protected by using an ACL.
2. Configure an IPSec proposal to specify the security protocol, authentication algorithm, encryption algorithm, and encapsulation mode.
3. Configure an IPSec policy or an IPSec policy group to specify the association between data flows and the IPSec proposal (protection measures for the data flows), SA negotiation mode, peer IP address (start and end points of the protection path), required key, and SA lifetime.
4. Apply the IPSec policy on an interface of the router.

In addition, IPSec supports MPLS VPN access. You can implement this function by:
- Associating a VPN instance with an SA
- Configuring the router as a PE and associating the VPN instance with the PE interface connected to the CE

3.3 Establishing an IPSec Tunnel Manually You can establish IPSec tunnels manually when the network topology is simple.

3.3.1 Establishing the Configuration Task Before manually establishing an IPSec tunnel, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment Data flows must be authenticated to ensure data transmission security. In a high security scenario, data flows must be authenticated and encrypted. In such a scenario, configure IPSec on the device that initiates the IPSec service and the device that terminates the IPSec service.

Pre-configuration Tasks
Before establishing an IPSec tunnel manually, complete the following tasks:
- Setting parameters of the link-layer protocol for the interfaces to ensure that the link-layer protocol on the interfaces is Up
- Configuring routes between the source and the destination

Data Preparation
To establish an IPSec tunnel manually, you need the following data.

No.  Data
1    Parameters of an advanced ACL
2    IPSec proposal name, security protocol, authentication algorithm of AH, authentication algorithm and encryption algorithm of ESP, and packet encapsulation mode
3    IPSec policy settings, including:
     - Name and sequence number of the IPSec policy
     - Local and peer IP addresses of the tunnel
     - Inbound and outbound SPIs for AH or ESP
     - Inbound and outbound authentication keys (character string or hexadecimal number) for AH or ESP
     - (Optional) VPN instance name
4    Type and number of the interface to which the IPSec policy is applied

NOTE
Use the AH or ESP protocol based on the requirements of your network.

3.3.2 Defining Protected Data Flows IPSec can protect different data flows. In real-world applications, configure an ACL to define the protected data flows and apply the ACL to a security policy.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { config | auto } ]

An advanced ACL is created and the ACL view is displayed.
Step 3 Run:
rule

An ACL rule is configured.
NOTE
- The ACL must be configured to match the data flows accurately. It is recommended that you set the action of the ACL rule to permit for the data flows that need to be protected.
- Create different ACLs and IPSec policies for data flows with different security requirements.

----End

3.3.3 Configuring an IPSec Proposal An IPSec proposal defines the security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode. Both ends of a tunnel must use the same IPSec proposal configuration.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ipsec proposal proposal-name

An IPSec proposal is created and the IPSec proposal view is displayed.
Step 3 (Optional) Run:
transform { ah | esp | ah-esp }

The security protocol is specified. By default, the ESP protocol defined in RFC 2406 is used.
Step 4 (Optional) Run:
ah authentication-algorithm { md5 | sha1 }

The authentication algorithm used by AH is specified. By default, AH uses the MD5 authentication algorithm.
Step 5 (Optional) Run:
esp authentication-algorithm [ md5 | sha1 ]

The authentication algorithm used by ESP is specified. By default, both ESP and AH use the MD5 authentication algorithm. You can configure the authentication and encryption algorithms only after selecting a security protocol using the transform command.
Step 6 (Optional) Run:
esp encryption-algorithm [ 3des | des | aes-128 | aes-192 | aes-256 ]

The encryption algorithm used by ESP is specified. By default, ESP uses the DES encryption algorithm.
Step 7 (Optional) Run:
encapsulation-mode { transport | tunnel }

The packet encapsulation mode is configured. By default, the tunnel mode is used.
----End

3.3.4 Configuring an IPSec Policy
To establish an IPSec tunnel manually, configure an IPSec policy in manual mode for the tunnel.

Context
CAUTION
When configuring the SPI, string authentication key (string-key), hexadecimal authentication key (authentication-hex), and hexadecimal encryption key (encryption-hex) on the two ends of an IPSec tunnel, ensure that the inbound parameters on the local end are the same as the outbound parameters on the remote end, and the outbound parameters on the local end are the same as the inbound parameters on the remote end.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ipsec policy policy-name seq-number manual

An IPSec policy is created. An IPSec policy group can contain up to 10000 IPSec policies. By default, no IPSec policy exists.
Step 3 Run:
security acl acl-number

An ACL is applied to the IPSec policy. An IPSec policy can use only one ACL. If more than one ACL is applied to the IPSec policy, the last configured ACL takes effect.
Step 4 Run:
proposal proposal-name

An IPSec proposal is applied to the IPSec policy. If the manual mode is used, an IPSec policy can use only one proposal. If an IPSec proposal has already been applied to the IPSec policy, cancel the existing proposal before applying a new one. In addition, the IPSec proposals applied on the two ends of a tunnel must have the same security protocol, algorithms, and packet encapsulation mode.
Step 5 Run:
tunnel local ip-address

The IP address of the local end is configured.
Step 6 Run:
tunnel remote ip-address

The IP address of the remote end is configured.
Step 7 Run:
sa spi { inbound | outbound } { ah | esp } spi-number

The SPI of the SA is configured. When configuring an SA, set both inbound and outbound parameters. To manually create an IPSec tunnel, use the sa spi command together with the sa string-key, sa authentication-hex, or sa encryption-hex command. The SA parameters on the two ends of a tunnel must match each other: the inbound SPI of the local end must be the same as the outbound SPI of the remote end, and the outbound SPI of the local end must be the same as the inbound SPI of the remote end.
Step 8 (Optional) Run:
sa authentication-hex { inbound | outbound } { ah | esp } hex-key

The authentication key (a hexadecimal number) of the security protocol is configured.
Step 9 (Optional) Run:
sa string-key { inbound | outbound } { ah | esp } string-key

The authentication key (a character string) of the security protocol is configured.

CAUTION
Use the same key format on the two ends. For example, if the key on one end is a character string but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be established. If you configure the keys in different formats, the last configured key takes effect.
Step 10 (Optional) Run:
sa encryption-hex { inbound | outbound } esp hex-key

The encryption key (a hexadecimal number) is configured for ESP.
----End

3.3.5 Applying an IPSec Policy to an Interface A manually configured IPSec policy can be applied to only one interface.

Context An interface can use only one IPSec policy. An IPSec policy group that establishes an SA through IKE negotiation can be applied to multiple interfaces, whereas an IPSec policy group that is used to establish an SA manually can be applied only to one interface. If the applied IPSec policy establishes an SA in manual mode, the SA is generated immediately.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number

The interface view is displayed.
Step 3 Run:
ipsec policy policy-name

An IPSec policy is applied to the interface.
----End
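The matching rules spread across 3.3.3, 3.3.4 and 3.3.5 (identical proposals on both ends, inbound/outbound SPIs and keys mirrored between the ends, the same key format on both ends, and one interface per manual policy) are easy to get wrong when the two routers are configured by hand. The Python below is an added example, not Huawei code: it models one manual policy per end and lists every mismatch between the two before the configuration is committed. Device names, addresses, SPIs and key strings are constructed placeholders, and the proposal defaults are the ones the guide states (ESP, MD5, DES, tunnel).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    """ipsec proposal settings; defaults are the ones the guide states."""
    transform: str = "esp"       # ah | esp | ah-esp
    ah_auth: str = "md5"
    esp_auth: str = "md5"
    esp_enc: str = "des"
    mode: str = "tunnel"


@dataclass
class ManualPolicy:
    """One end of 'ipsec policy <name> <seq> manual' plus the interfaces it is applied to."""
    device: str
    local: str                   # tunnel local
    remote: str                  # tunnel remote
    proposal: Proposal
    spi: dict                    # (direction, protocol) -> SPI number
    keys: dict                   # (direction, protocol) -> {key kind: value}
    applied_to: tuple = ()       # interfaces carrying 'ipsec policy <name>'


PROTOCOLS = {"ah": ("ah",), "esp": ("esp",), "ah-esp": ("ah", "esp")}
MIRROR = (("inbound", "outbound"), ("outbound", "inbound"))


def check_manual_pair(a, b):
    """Return a list of problems that would stop the manual tunnel between a and b from coming up."""
    problems = []
    if a.proposal != b.proposal:
        problems.append("proposal mismatch: security protocol, algorithms and encapsulation mode must be identical")
    if a.local != b.remote or a.remote != b.local:
        problems.append("tunnel local/remote addresses are not mirrored")
    for end in (a, b):
        if len(end.applied_to) > 1:
            problems.append(f"{end.device}: a manual IPSec policy can be applied to only one interface")
    for proto in PROTOCOLS[a.proposal.transform]:
        for mine, theirs in MIRROR:
            # Local inbound must equal remote outbound and vice versa, for SPI and for keys.
            if a.spi.get((mine, proto)) is None or a.spi.get((mine, proto)) != b.spi.get((theirs, proto)):
                problems.append(f"{proto} spi: {a.device} {mine} must equal {b.device} {theirs}")
            ka = a.keys.get((mine, proto), {})
            kb = b.keys.get((theirs, proto), {})
            if not ka:
                problems.append(f"{proto} key: {a.device} {mine} key is missing")
            elif set(ka) != set(kb):
                problems.append(f"{proto} key format: {a.device} {mine} uses {sorted(ka)}, {b.device} {theirs} uses {sorted(kb)}")
            elif any(ka[k] != kb[k] for k in ka):
                problems.append(f"{proto} key: {a.device} {mine} and {b.device} {theirs} values differ")
    return problems


# Constructed pair of endpoints; the proposal is set away from the MD5/DES defaults on purpose.
STRONG = Proposal(transform="esp", esp_auth="sha1", esp_enc="aes-128", mode="tunnel")

ROUTER_A = ManualPolicy(
    "RouterA", "1.1.1.1", "2.2.2.2", STRONG,
    spi={("inbound", "esp"): 12345, ("outbound", "esp"): 54321},
    keys={("inbound", "esp"): {"string-key": "key-a-in"}, ("outbound", "esp"): {"string-key": "key-a-out"}},
    applied_to=("GigabitEthernet0/0/0",))

ROUTER_B = ManualPolicy(
    "RouterB", "2.2.2.2", "1.1.1.1", STRONG,
    spi={("inbound", "esp"): 54321, ("outbound", "esp"): 12345},
    keys={("inbound", "esp"): {"string-key": "key-a-out"}, ("outbound", "esp"): {"string-key": "key-a-in"}},
    applied_to=("GigabitEthernet0/0/0",))


def broken_router_b():
    """RouterB with SPIs copied instead of mirrored and a hex key facing RouterA's string key."""
    return ManualPolicy(
        "RouterB", "2.2.2.2", "1.1.1.1", STRONG,
        spi={("inbound", "esp"): 12345, ("outbound", "esp"): 54321},
        keys={("inbound", "esp"): {"authentication-hex": "0x1234abcd"}, ("outbound", "esp"): {"string-key": "key-a-in"}},
        applied_to=("GigabitEthernet0/0/0",))
```

Feed it the parameters you intend to type on both routers; an empty list means the two ends agree on everything the guide says they must agree on. With the broken copy of RouterB it reports both SPI directions and the key-format clash, which is exactly what the two CAUTION notes above warn about.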

3.3.6 Checking the Configuration After an IPSec tunnel is manually established, you can check information about the SA, IPSec proposal, and IPSec policy.

Prerequisite
The configurations required for establishing an IPSec tunnel manually are complete.

Procedure
- Run the display ipsec sa command to view information about the SA.
- Run the display ipsec proposal [ name proposal-name ] command to view information about the IPSec proposal.
- Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to view information about the IPSec policy.
----End

3.4 Establishing an IPSec Tunnel Through IKE Negotiation IKE provides an automatic protection mechanism to distribute keys, authenticate the identity, and set up SAs on an insecure network.

3.4.1 Establishing the Configuration Task Before establishing an IPSec tunnel through IKE negotiation, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Application Environment Data flows must be authenticated to ensure data transmission security. In a high security scenario, data flows must be authenticated and encrypted. In such a scenario, configure IPSec on the device that initiates the IPSec service and the device that terminates the IPSec service. When the network topology is complex, you can establish IPSec tunnels through IKE negotiation.

Pre-configuration Tasks
Before establishing an IPSec tunnel through IKE negotiation, complete the following tasks:
- Setting parameters of the link-layer protocol and IP addresses for the interfaces to ensure that the link-layer protocol on the interfaces is Up
- Configuring routes between the source and the destination

Data Preparation
To establish an IPSec tunnel through IKE negotiation, you need the following data.

No.  Data
1    Parameters of an advanced ACL
2    Priority of the IKE proposal, encryption algorithm, authentication algorithm, and authentication method used in IKE negotiation, identifier of the Diffie-Hellman group, and SA lifetime
3    IKE peer name, negotiation mode, IKE proposal name, IKE peer ID type, pre-shared key, remote address, (optional) VPN instance bound to the IPSec tunnel, and remote host name
4    IPSec proposal name, security protocol, authentication algorithm of AH, authentication algorithm and encryption algorithm of ESP, and packet encapsulation mode
5    Name and sequence number of the IPSec policy, (optional) Perfect Forward Secrecy (PFS) feature used in IKE negotiation
6    (Optional) Name of the IPSec policy template
7    (Optional) Local address of the IPSec policy group, time-based global SA lifetime, traffic-based global SA lifetime, interval for sending keepalive packets, timeout interval of keepalive packets, and interval for sending NAT update packets
8    Type and number of the interface to which the IPSec policy is applied

NOTE
Use the AH or ESP protocol based on the requirements of your network.

3.4.2 Defining Protected Data Flows IPSec can protect different data flows. In real-world applications, configure an ACL to define the protected data flows and apply the ACL to a security policy.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { config | auto } ]

An advanced ACL is created and the ACL view is displayed.
Step 3 Run:
rule

An ACL rule is configured.
----End

3.4.3 Configuring an IKE Proposal You can create multiple IKE proposals with different priority levels. The two ends must have at least one matching IKE proposal for IKE negotiation.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ike proposal proposal-number

An IKE proposal is created and the IKE proposal view is displayed. IKE negotiation succeeds only when the two ends use IKE proposals with the same settings.
Step 3 (Optional) Run:
encryption-algorithm { des-cbc | 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }

The encryption algorithm is configured. By default, an IKE proposal uses the DES-CBC encryption algorithm.
Step 4 (Optional) Run:
authentication-algorithm { md5 | sha1 }

The authentication algorithm is configured. By default, an IKE proposal uses the SHA-1 algorithm.
Step 5 (Optional) Run:
dh { group1 | group2 }

The Diffie-Hellman group is specified.
Step 6 (Optional) Run:
prf { hmac-md5 | hmac-sha1 }

The algorithm used to generate pseudo-random numbers is specified.
Step 7 (Optional) Run:
sa duration interval

The SA lifetime is set. When the lifetime expires, the IKE SA is automatically updated. You can set the lifetime only for SAs established through IKE negotiation. The lifetime of manually created SAs is not limited; that is, manually created SAs are always effective.
----End
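An added example (not Huawei's implementation) of the rule stated in this section that the two ends must share at least one IKE proposal with identical settings: proposals are tried in priority order, the first identical pair wins, and so the initiator's ordering decides which algorithms the tunnel ends up with. The helper also lists fields that still rely on DES, MD5 or DH group 1, which is worth checking because the guide's default encryption algorithm is des-cbc and a proposal left at its defaults would otherwise match silently. The proposal lists are constructed; the group1 default in the dataclass is an assumption of this example, not something the guide states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeProposal:
    """Settings of 'ike proposal <number>'. Encryption and authentication defaults
    follow the guide (des-cbc, sha1); the DH default is an assumption of this example."""
    number: int                      # lower number = higher priority
    encryption: str = "des-cbc"
    authentication: str = "sha1"
    dh: str = "group1"


# Algorithms a current deployment should no longer rely on.
LEGACY = {"encryption": {"des-cbc"}, "authentication": {"md5"}, "dh": {"group1"}}


def settings(p):
    """The part of a proposal that must be identical on both ends (the number need not match)."""
    return (p.encryption, p.authentication, p.dh)


def legacy_settings(p):
    """Fields of a proposal that use an algorithm listed in LEGACY."""
    return [f for f in ("encryption", "authentication", "dh") if getattr(p, f) in LEGACY[f]]


def negotiate(initiator, responder, allow_legacy=True):
    """Return (initiator number, responder number) of the first identical pair,
    trying the initiator's proposals in priority order, or None when nothing matches.
    With allow_legacy=False, proposals containing a LEGACY algorithm are skipped."""
    usable = lambda p: allow_legacy or not legacy_settings(p)
    for i in sorted(initiator, key=lambda p: p.number):
        if not usable(i):
            continue
        for r in sorted(responder, key=lambda p: p.number):
            if usable(r) and settings(i) == settings(r):
                return i.number, r.number
    return None


# Constructed proposal lists for the two ends of a tunnel.
LOCAL = [IkeProposal(10, "aes-cbc-256", "sha1", "group2"),
         IkeProposal(20, "aes-cbc-128", "sha1", "group2"),
         IkeProposal(30)]                                   # left at defaults
REMOTE = [IkeProposal(5, "3des-cbc", "md5", "group2"),
          IkeProposal(15, "aes-cbc-128", "sha1", "group2"),
          IkeProposal(25, "aes-cbc-256", "sha1", "group2")]

if __name__ == "__main__":
    print(negotiate(LOCAL, REMOTE), negotiate(REMOTE, LOCAL))
    print({p.number: legacy_settings(p) for p in LOCAL + REMOTE})
```

Because each end tries its own list from the top, the same two lists give a different outcome depending on who initiates; keeping the weakest proposal out of both lists, or pinning a single proposal with ike-proposal on the IKE peer, is what makes the result predictable.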

3.4.4 Configuring an IKE Peer

Procedure

Step 1 Run: system-view
The system view is displayed.

Step 2 Run: ike peer peer-name [ v1 | v2 ]
An IKE peer is created and the IKE peer view is displayed.

Step 3 (Optional) Run: exchange-mode { main | aggressive }
The IKE negotiation mode is configured. In aggressive mode, the local ID type must be set to ip or name in Step 5. In main mode, the local ID type must be set to ip.

Step 4 (Optional) Run: ike-proposal proposal-number
An IKE proposal is configured for the IKE peer.

Step 5 (Optional) Run: local-id-type { ip | name }
The local ID type is configured. By default, the IP address of the local end is used as the local ID.

Step 6 (Optional) Run: local-address address
The IP address of the local end is configured. By default, the local end address is the IP address of the interface to which the IPSec policy is bound.

Step 7 (Optional) Run: peer-id-type { ip | name }
The peer ID type is configured. By default, the IP address of the local end is used as the local ID. The peer-id-type command is valid only when IKEv2 is used.

Step 8 (Optional) Run: nat traversal
NAT traversal is enabled. When NAT traversal is enabled, local-id-type must be set to name.

Step 9 (Optional) Run: pre-shared-key key-string
The pre-shared key used by the local end and the remote peer is configured. If pre-shared key authentication is configured, configure a pre-shared key for each remote peer. The two ends of an IPSec tunnel must use the same pre-shared key. When pre-shared key authentication is configured, an authenticator must be configured.

Step 10 (Optional) Run: remote-address [ vpn-instance vpn-instance-name ] ip-address
The IP address or domain name of the remote peer is configured.

Step 11 (Optional) Run: remote-name name
The remote host name is configured. Perform this step only when name authentication is used in aggressive mode. If IKEv2 is used, set local-id-type to ip and peer-id-type to name, and configure remote-name.

Step 12 Run: quit
Return to the system view.

Step 13 (Optional) Run: ike local-name local-name
The local host name used in IKE negotiation is configured. Perform this step when local-id-type is set to name.
----End

3.4.5 Configuring an IPSec Proposal

Both ends of the tunnel must be configured with the same security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode.

Procedure

Step 1 Run: system-view
The system view is displayed.

Step 2 Run: ipsec proposal proposal-name
An IPSec proposal is created and the IPSec proposal view is displayed.

Step 3 (Optional) Run: transform { ah | esp | ah-esp }
The security protocol is configured. By default, the ESP protocol defined in RFC 2406 is used.

Step 4 (Optional) Run: ah authentication-algorithm { md5 | sha1 }
The authentication algorithm used by AH is configured. By default, AH uses the MD5 authentication algorithm.

Step 5 (Optional) Run: esp authentication-algorithm [ md5 | sha1 ]
The authentication algorithm used by ESP is configured. By default, ESP uses the MD5 authentication algorithm.

Step 6 (Optional) Run: esp encryption-algorithm { 3des | des | aes-128 | aes-192 | aes-256 }
The encryption algorithm used by ESP is configured. By default, ESP uses the DES encryption algorithm.

Step 7 (Optional) Run: encapsulation-mode { transport | tunnel }
The packet encapsulation mode is configured. By default, the security protocol uses tunnel mode to encapsulate IP packets.
----End

3.4.6 Configuring an IPSec Policy

After configuring an IKE peer, apply it to an IPSec policy. The two ends can then start IKE negotiation.

Procedure

Step 1 Run: system-view
The system view is displayed.

Step 2 Run: ipsec policy policy-name seq-number isakmp [ template template-name ]
An IPSec policy is created.

Step 3 Run: proposal proposal-name
An IPSec proposal is applied to the IPSec policy. An IPSec policy that uses IKE negotiation can reference a maximum of six IPSec proposals. During IKE negotiation, the two ends of the IPSec tunnel first use the IPSec proposals with the same parameter settings.

Step 4 Run: security acl acl-number
An ACL is applied to the IPSec policy.

Step 5 (Optional) Run: sa trigger-mode { auto | traffic-based }
The SA triggering mode is configured. After IKE negotiation phase 1 succeeds, the IPSec SA is established in the specified triggering mode. In automatic triggering mode, the IPSec SA is established immediately after IKE negotiation phase 1 succeeds. In traffic-based triggering mode, the IPSec SA is established only after packets are received. By default, the automatic triggering mode is used.

Step 6 (Optional) Run: sa duration { traffic-based kilobytes | time-based interval }
The SA lifetime is set.
- In IKEv1, the IKE peers compare the lifetimes set in their IPSec proposals and use the smaller value as the IPSec SA lifetime.
- In IKEv2, the IKE peers do not negotiate the SA lifetime. Instead, each uses its locally set SA lifetime.
- The default IPSec SA lifetime is 3600 seconds, and the default traffic volume is 1843200 kilobytes.

Step 7 Run: ike-peer peer-name
An IKE peer is applied to the IPSec policy.

Step 8 (Optional) Run: pfs { dh-group1 | dh-group2 }
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured. If PFS is specified on the local end, you must also specify PFS on the remote peer. The Diffie-Hellman group specified on the two ends must be the same; otherwise, the negotiation fails. If the remote end uses the template mode, the Diffie-Hellman groups can be different.
----End
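The matching rules stated in 3.4.5 and 3.4.6 (identical proposal settings, at most six proposals per policy, PFS on both ends with the same Diffie-Hellman group unless the remote uses a template, and the IKEv1 versus IKEv2 lifetime rule) can be modelled to pre-check two configurations before negotiation. The following Python is an added example, not Huawei code; the class and function names are constructed for illustration.

```python
"""Model of the IPSec policy matching rules stated in sections 3.4.5 and 3.4.6.
Added example, not Huawei code; all names here are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_PROPOSALS = 6                   # an isakmp policy references at most six IPSec proposals
DEFAULT_LIFETIME = (3600, 1843200)  # (seconds, kilobytes): default IPSec SA lifetime


@dataclass(frozen=True)
class IpsecProposal:
    """Defaults follow section 3.4.5 (ESP, MD5, DES, tunnel); DES and MD5 are
    weak by current standards and are kept only to mirror the guide."""
    name: str
    transform: str = "esp"      # ah | esp | ah-esp
    ah_auth: str = "md5"
    esp_auth: str = "md5"
    esp_enc: str = "des"
    encap: str = "tunnel"       # transport | tunnel

    def compatible(self, other: "IpsecProposal") -> bool:
        """Both ends must use the same protocol, algorithms and encapsulation mode."""
        if (self.transform, self.encap) != (other.transform, other.encap):
            return False
        if "ah" in self.transform and self.ah_auth != other.ah_auth:
            return False
        if "esp" in self.transform and (self.esp_auth, self.esp_enc) != (other.esp_auth, other.esp_enc):
            return False
        return True


@dataclass
class IsakmpPolicy:
    proposals: List[IpsecProposal]
    pfs: Optional[str] = None            # dh-group1 | dh-group2 | None (PFS not used, the default)
    template: bool = False               # this end is configured through an IPSec policy template
    lifetime: Tuple[int, int] = DEFAULT_LIFETIME

    def __post_init__(self):
        if not 1 <= len(self.proposals) <= MAX_PROPOSALS:
            raise ValueError(f"a policy references 1 to {MAX_PROPOSALS} proposals")


def select_proposal(local: IsakmpPolicy, remote: IsakmpPolicy) -> Optional[IpsecProposal]:
    """First local proposal whose settings the remote end also offers, or None."""
    for lp in local.proposals:
        for rp in remote.proposals:
            if lp.compatible(rp):
                return lp
    return None


def pfs_ok(local: IsakmpPolicy, remote: IsakmpPolicy) -> bool:
    """PFS must be set on both ends or on neither; the DH groups must match
    unless the remote end uses the template mode."""
    if (local.pfs is None) != (remote.pfs is None):
        return False
    return local.pfs is None or local.pfs == remote.pfs or remote.template


def sa_lifetime(local: IsakmpPolicy, remote: IsakmpPolicy, ike_version: str) -> Tuple[int, int]:
    """IKEv1 peers use the smaller configured lifetime; IKEv2 peers use their local value."""
    if ike_version == "v1":
        return (min(local.lifetime[0], remote.lifetime[0]), min(local.lifetime[1], remote.lifetime[1]))
    if ike_version == "v2":
        return local.lifetime
    raise ValueError("ike_version must be 'v1' or 'v2'")


def negotiate(local: IsakmpPolicy, remote: IsakmpPolicy, ike_version: str = "v1"):
    """Return (proposal name, (seconds, kilobytes)) or (None, reason) when negotiation fails."""
    chosen = select_proposal(local, remote)
    if chosen is None:
        return None, "no IPSec proposal with identical settings"
    if not pfs_ok(local, remote):
        return None, "PFS setting or Diffie-Hellman group mismatch"
    return chosen.name, sa_lifetime(local, remote, ike_version)
```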

3.4.7 (Optional) Configuring an IPSec Policy Template

An IPSec policy template can be used to configure multiple IPSec policies, reducing the workload of establishing multiple IPSec tunnels.

Procedure

Step 1 Run: system-view
The system view is displayed.

Step 2 Run: ipsec policy-template policy-template-name seq-number
An IPSec policy template is created.

Step 3 (Optional) Run: security acl acl-number
An ACL is applied to the IPSec policy template.

Step 4 Run: proposal proposal-name
An IPSec proposal is applied to the IPSec policy template. An IPSec policy that uses IKE negotiation can reference a maximum of six IPSec proposals. During IKE negotiation, the two ends of the IPSec tunnel first use the IPSec proposals with the same parameter settings.

Step 5 (Optional) Run: sa duration { traffic-based kilobytes | time-based interval }
The IPSec SA lifetime is set.

Step 6 Run: ike-peer peer-name
An IKE peer is applied to the IPSec policy template.

Step 7 (Optional) Run: pfs { dh-group1 | dh-group2 }
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured. By default, the PFS feature is not used in IKE negotiation.
----End

3.4.8 (Optional) Setting Optional Parameters

This section describes how to set optional parameters for IKE negotiation.

Procedure

Step 1 Run: system-view
The system view is displayed.

Step 2 Run: ipsec sa global-duration { time-based interval | traffic-based kilobytes }
The global SA lifetime is set. You can set the lifetime only for SAs established through IKE negotiation. The lifetime of manually created SAs is not limited; that is, manually created SAs are always effective. If the SA lifetime is not set in an IPSec policy, the global lifetime is used. A new global lifetime does not affect IPSec policies that have their own lifetime or SAs that have already been established; it is used only for new SAs established during IKE negotiation.

Step 3 Run: ike heartbeat-timer interval interval
The interval for sending heartbeat packets is set.

Step 4 Run: ike heartbeat-timer timeout interval
The timeout interval of heartbeat packets is set. If the interval for sending heartbeat packets is set on one end, the timeout interval of heartbeat packets must be set on the other end. On a network, packet loss rarely occurs more than three times consecutively. Therefore, the timeout interval on one end can be set to three times the sending interval on the other end.

Step 5 Run: ike nat-keepalive-timer interval interval
The interval for sending NAT keepalive packets is set.

Step 6 Run: ipsec anti-replay { enable | disable }
The anti-replay function is set.

Step 7 Run: ike peer
The IKE peer view is displayed.

Step 8 Run: local-address address
The IP address of the local end is configured.

Step 9 Run the following commands to configure the dead peer detection (DPD) function.
- Run: dpd { idle-time seconds | retransmit-interval seconds | retry-limit times }
  The DPD idle time, the retransmission interval of DPD packets, and the maximum number of retransmissions are set.
- Run: dpd msg { seq-hash-notify | seq-notify-hash }
  The sequence of payloads in DPD packets is configured.
- Run: dpd type { on-demand | periodic }
  The DPD mode is configured.
----End

3.4.9 Applying an IPSec Policy to an Interface

An interface can use only one IPSec policy. An IPSec policy for IKE negotiation can be applied to multiple interfaces.

Procedure

Step 1 Run: system-view
The system view is displayed.

Step 2 Run: interface interface-type interface-number
The interface view is displayed.

Step 3 Run: ipsec policy policy-name
An IPSec policy is applied to the interface. Only one IPSec policy can be applied to an interface, and an IPSec policy can be applied to multiple interfaces. After the configuration is complete, the packets transmitted between the two ends of the IPSec tunnel trigger SA establishment through IKE negotiation. In automatic triggering mode, the SA is established immediately after the IKE negotiation succeeds. In traffic-based triggering mode, the SA is established only after data flows matching the IPSec policy are sent from the interface. After IKE negotiation succeeds and the SA is established, the data flows are encrypted and then transmitted between the two ends.
----End

3.4.10 Checking the Configuration

After an IPSec tunnel is established through IKE negotiation, you can view information about the SA, the configuration of the IKE peer, and the configuration of the IKE proposal.

Prerequisite

The configurations required to establish an IPSec tunnel through IKE negotiation are complete.

Procedure

- Run the display ike sa command to view information about the SAs established through IKE negotiation.
- Run the display ike peer [ name peer-name ] [ verbose ] command to view the configuration of a specified IKE peer or all IKE peers.
- Run the display ike proposal command to view the configuration of a specified IKE proposal or all IKE proposals.
- Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | peer-ip peer-ip-address ] command to view the configuration of a specified SA or all SAs.
- Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to view information about a specified IPSec policy or all IPSec policies.
- Run the display ipsec proposal [ name proposal-name ] command to view information about a specified IPSec proposal or all IPSec proposals.
----End

3.5 Maintaining IPSec

This section describes how to display the IPSec configuration and clear the IPSec statistics.

3.5.1 Displaying the IPSec Configuration

You can run the following display commands to view information about the SA, the established IPSec tunnel, and statistics about IPSec packets.

Prerequisite

The configurations of IPSec are complete.

Procedure

- Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | peer-ip peer-ip-address ] command to check information about the IPSec SA.
- Run the display ike sa [ v2 ] [ conn-id connid | peer-name peername | phase phase-number | verbose ] command to check information about the established IPSec tunnel.
- Run the display ipsec statistics { ah | esp } command to check the statistics about IPSec packets.
- Run the display ike statistics { all | msg | v2 } command to check the statistics about IKE packets.
----End

3.5.2 Clearing IPSec Information

This section describes how to clear the statistics about IPSec and IKE packets, information about SAs, and information about the IPSec tunnels established through IKE negotiation.

Context

CAUTION
The statistics cannot be restored after being cleared.

Procedure

- Run the reset ipsec statistics { ah | esp } command in the user view to clear the statistics about IPSec packets.
- Run the reset ike statistics { all | msg } command in the user view to clear the statistics about IKE packets.
- Run the reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters dest-address { ah | esp } spi ] command in the user view to clear an SA.
- Run the reset ike sa { all | conn-id connection-id } command in the user view to delete a specified IPSec tunnel or all established IPSec tunnels.
----End

3.6 Configuration Examples

This section provides several configuration examples of IPSec.

3.6.1 Example for Establishing an SA Manually

You can establish security associations (SAs) manually when the network topology is simple. When there are a large number of devices on the network, it is difficult to establish SAs manually, and network security cannot be ensured.

Networking Requirements

As shown in Figure 3-3, an IPSec tunnel is established between RouterA and RouterB to protect data flows between the subnet of PC A (10.1.1.x) and the subnet of PC B (10.1.2.x). The IPSec tunnel uses the ESP protocol, DES encryption algorithm, and SHA-1 authentication algorithm.

Figure 3-3 Network diagram for configuring IPSec
PC A (10.1.1.2/24) -- RouterA (Eth 1/0/0, 202.138.163.1/24) -- Internet (IPSec Tunnel) -- RouterB (Eth 1/0/0, 202.138.162.1/24) -- PC B (10.1.2.2/24)

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Configure Access Control Lists (ACLs) and define the data flows to be protected.
3. Configure static routes to peers.
4. Configure an IPSec proposal.
5. Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
6. Apply IPSec policies to interfaces.

Procedure

Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.

# Assign an IP address to the interface of RouterA.
system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit

# Assign an IP address to the interface of RouterB.
system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.162.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit

Step 2 Configure ACLs on RouterA and RouterB to define the data flows to be protected.

# Configure an ACL on RouterA.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Huawei-acl-adv-3101] quit

# Configure an ACL on RouterB.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[Huawei-acl-adv-3101] quit

Step 3 Configure static routes to the peers on RouterA and RouterB.

# Configure a static route to the peer on RouterA. In this example, the next hop to PC B is 202.138.163.2.
[Huawei] ip route-static 10.1.2.0 255.255.255.0 202.138.163.2

# Configure a static route to the peer on RouterB. In this example, the next hop to PC A is 202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2

Step 4 Create an IPSec proposal on RouterA and RouterB.

# Create the IPSec proposal on RouterA.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit

# Create the IPSec proposal on RouterB.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit

Run the display ipsec proposal command on RouterA and RouterB to view the configuration of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Number of Proposals: 1
IPsec proposal name: tran1
  Encapsulation mode: Tunnel
  Transform         : esp-new
  ESP protocol      : Authentication SHA1-HMAC-96
                      Encryption     DES

Step 5 Create IPSec policies on RouterA and RouterB.

# Create an IPSec policy on RouterA.
[Huawei] ipsec policy map1 10 manual
[Huawei-ipsec-policy-manual-map1-10] security acl 3101
[Huawei-ipsec-policy-manual-map1-10] proposal tran1
[Huawei-ipsec-policy-manual-map1-10] tunnel remote 202.138.162.1
[Huawei-ipsec-policy-manual-map1-10] tunnel local 202.138.163.1
[Huawei-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[Huawei-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[Huawei-ipsec-policy-manual-map1-10] sa string-key outbound esp abcdefg
[Huawei-ipsec-policy-manual-map1-10] sa string-key inbound esp gfedcba
[Huawei-ipsec-policy-manual-map1-10] quit

# Create an IPSec policy on RouterB.
[Huawei] ipsec policy use1 10 manual
[Huawei-ipsec-policy-manual-use1-10] security acl 3101
[Huawei-ipsec-policy-manual-use1-10] proposal tran1
[Huawei-ipsec-policy-manual-use1-10] tunnel remote 202.138.163.1
[Huawei-ipsec-policy-manual-use1-10] tunnel local 202.138.162.1
[Huawei-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[Huawei-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
[Huawei-ipsec-policy-manual-use1-10] sa string-key outbound esp gfedcba
[Huawei-ipsec-policy-manual-use1-10] sa string-key inbound esp abcdefg
[Huawei-ipsec-policy-manual-use1-10] quit

Run the display ipsec policy command on RouterA and RouterB to view the configurations of the IPSec policies. Take the display on RouterA as an example.
[Huawei] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using interface: {}
===========================================
  Sequence number: 10
  Security data flow: 3101
  Tunnel local address: 202.138.163.1
  Tunnel remote address: 202.138.162.1
  Proposal name: tran1
  Inbound AH setting:
    AH SPI:
    AH string-key:
    AH authentication hex key:
  Inbound ESP setting:
    ESP SPI: 54321 (0xd431)
    ESP string-key: gfedcba
    ESP encryption hex key:
    ESP authentication hex key:
  Outbound AH setting:
    AH SPI:
    AH string-key:
    AH authentication hex key:
  Outbound ESP setting:
    ESP SPI: 12345 (0x3039)
    ESP string-key: abcdefg
    ESP encryption hex key:
    ESP authentication hex key:

Step 6 Apply the IPSec policies to the interfaces of RouterA and RouterB.

# Apply the IPSec policy to the interface of RouterA.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy map1
[Huawei-Ethernet1/0/0] quit

# Apply the IPSec policy to the interface of RouterB.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy use1
[Huawei-Ethernet1/0/0] quit

Run the display ipsec sa command on RouterA and RouterB to view the configuration of the IPSec SAs. Take the display on RouterA as an example.
[Huawei] display ipsec sa
===============================
Interface: Ethernet 1/0/0
Path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
Sequence number: 10
Mode: Manual
-----------------------------
  Encapsulation mode: Tunnel
  Tunnel local : 202.138.163.1
  Tunnel remote: 202.138.162.1
  [Outbound ESP SAs]
    SPI: 12345 (0x3039)
    Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
    No duration limit for this SA
  [Inbound ESP SAs]
    SPI: 54321 (0xd431)
    Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
    No duration limit for this SA

Step 7 Verify the configurations.

After the configurations are complete, PC A can ping PC B successfully. You can run the display ipsec statistics esp command to view packet statistics.
----End

Configuration Files

- Configuration file of RouterA
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.163.1
 tunnel remote 202.138.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
#
ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
#
interface Ethernet1/0/0
 ip address 202.138.163.1 255.255.255.0
 ipsec policy map1
#
return

- Configuration file of RouterB
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.162.1
 tunnel remote 202.138.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
#
ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
#
interface Ethernet1/0/0
 ip address 202.138.162.1 255.255.255.0
 ipsec policy use1
#
return
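With manual keying, every SPI and string-key has to be mirrored by hand: RouterA's outbound SPI and key must be RouterB's inbound SPI and key, the tunnel local and remote addresses must be swapped, the protected data flows reversed, and the proposal settings identical. The following Python is an added example, not Huawei code: it parses the two configuration files above (trimmed to the relevant sections and embedded as constructed input) and reports any mismatch between the ends. It covers only the command forms that appear in this example.

```python
"""Consistency check for a manually keyed IPSec tunnel, modelled on the RouterA/RouterB
configuration files of section 3.6.1.  Added example, not Huawei code."""
import re

# Constructed sample input: the two configuration files above, trimmed to the sections used.
CFG_A = """#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.163.1
 tunnel remote 202.138.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
"""
CFG_B = """#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.162.1
 tunnel remote 202.138.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
"""

# Defaults stated in section 3.4.5; the configuration file omits settings left at their default.
PROPOSAL_DEFAULTS = {"transform": "esp", "encapsulation-mode": "tunnel",
                     "esp authentication-algorithm": "md5", "esp encryption-algorithm": "des",
                     "ah authentication-algorithm": "md5"}


def parse(cfg):
    """Return (acl_rules, proposals, manual_policy) parsed from one router's configuration file."""
    acls, proposals, policy = {}, {}, None
    for chunk in re.split(r"^#\s*$", cfg, flags=re.M):  # sections are separated by '#' lines
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        head, body = lines[0], lines[1:]
        if m := re.match(r"acl number (\d+)$", head):
            for line in body:
                r = re.match(r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)$", line)
                if r:
                    acls.setdefault(m.group(1), set()).add((r.group(1), r.group(2)))
        elif m := re.match(r"ipsec proposal (\S+)$", head):
            settings = dict(PROPOSAL_DEFAULTS)
            for line in body:                        # e.g. "esp authentication-algorithm sha1"
                key, _, value = line.rpartition(" ")
                settings[key] = value
            proposals[m.group(1)] = settings
        elif re.match(r"ipsec policy \S+ \d+ manual$", head):
            policy = {"spi": {}, "key": {}}
            for line in body:
                t = line.split()
                if t[:2] == ["sa", "spi"]:           # sa spi inbound esp 54321
                    policy["spi"][t[2]] = int(t[4])
                elif t[:2] == ["sa", "string-key"]:  # sa string-key inbound esp gfedcba
                    policy["key"][t[2]] = t[4]
                else:                                # security acl / proposal / tunnel local|remote
                    policy[" ".join(t[:-1])] = t[-1]
    return acls, proposals, policy


def check_mirror(cfg_a, cfg_b):
    """List the mismatches between the two ends of a manual tunnel; an empty list means consistent."""
    acl_a, prop_a, pol_a = parse(cfg_a)
    acl_b, prop_b, pol_b = parse(cfg_b)
    if pol_a is None or pol_b is None:
        return ["manual IPSec policy missing on one end"]
    problems = []
    # Tunnel endpoints must be swapped between the two ends.
    if (pol_a.get("tunnel local"), pol_a.get("tunnel remote")) != (pol_b.get("tunnel remote"), pol_b.get("tunnel local")):
        problems.append("tunnel local/remote addresses are not mirrored")
    # A's outbound SPI and key must equal B's inbound SPI and key, and vice versa.
    for da, db in (("outbound", "inbound"), ("inbound", "outbound")):
        if pol_a["spi"].get(da) != pol_b["spi"].get(db):
            problems.append(f"A {da} SPI != B {db} SPI")
        if pol_a["key"].get(da) != pol_b["key"].get(db):
            problems.append(f"A {da} string-key != B {db} string-key")
    # The protected data flows must be the reverse of each other.
    if acl_a.get(pol_a.get("security acl"), set()) != {(d, s) for s, d in acl_b.get(pol_b.get("security acl"), set())}:
        problems.append("ACL data flows are not mirrored")
    # Protocol, algorithms and encapsulation mode must match; proposal names may differ.
    if prop_a.get(pol_a.get("proposal")) != prop_b.get(pol_b.get("proposal")):
        problems.append("IPSec proposal settings differ")
    return problems
```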

3.6.2 Example for Configuring IKE Negotiation Using Default Settings

This section provides an example for configuring IKE negotiation using default settings.

Networking Requirements

As shown in Figure 3-4, an IPSec tunnel is established between RouterA and RouterB. This IPSec tunnel protects data flows between the subnet of PC A (10.1.1.x) and the subnet of PC B (10.1.2.x). The IPSec tunnel uses the ESP protocol, DES encryption algorithm, and MD5 authentication algorithm.

NOTE
- In this example, the default IKE proposal is used.
- By default, a new IPSec proposal created using the ipsec proposal command uses the ESP protocol, DES encryption algorithm, MD5 authentication algorithm, and tunnel encapsulation mode.

Figure 3-4 Network diagram for configuring IKE negotiation
PC A (10.1.1.2/24) -- RouterA (Eth 1/0/0, 202.138.163.1/24) -- Internet (IPSec Tunnel) -- RouterB (Eth 1/0/0, 202.138.162.1/24) -- PC B (10.1.2.2/24)

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Specify the local host ID and IKE peer for IKE negotiation.
3. Configure Access Control Lists (ACLs) and define the data flows to be protected.
4. Configure static routes to peers.
5. Configure an IPSec proposal.
6. Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
7. Apply IPSec policies to interfaces.

Procedure Step 1 Configure IP addresses for the interfaces on RouterA and RouterB. # Assign an IP address to the interface of RouterA. system-view [Huawei] interface ethernet 1/0/0 [Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0 [Huawei-Ethernet1/0/0] quit

# Assign an IP address to the interface of RouterB. system-view [Huawei] interface ethernet 1/0/0 [Huawei-Ethernet1/0/0] ip address 202.138.162.1 255.255.255.0 [Huawei-Ethernet1/0/0] quit

Step 2 Configure local IDs and IKE peers on RouterA and RouterB. # Configure the local ID and IKE peer on RouterA. [Huawei] ike peer spub [Huawei-ike-peer-spub] [Huawei-ike-peer-spub] [Huawei-ike-peer-spub]

Issue 01 (2012-01-06)

v1 pre-shared-key huawei remote-address 202.138.162.1 quit

Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

73

Huawei AR2200-S Series Enterprise Routers Configuration Guide - VPN

3 IPSec Configuration

NOTE

In aggressive mode, if the value of local-id-type is name, configure the IP address of the remote peer (remote-address x.x.x.x) on the local end.

# Configure the local ID and IKE peer on RouterB. [Huawei] ike peer spua [Huawei-ike-peer-spua] [Huawei-ike-peer-spua] [Huawei-ike-peer-spua]

v1 pre-shared-key huawei remote-address 202.138.163.1 quit

Run the display ike peer command on RouterA and RouterB to view the configuration of the IKE peer. Take the display on RouterA as an example. [Huawei] display ike peer name spub verbose ---------------------------------------Peer name : spub Exchange mode : main on phase 1 Pre-shared-key : huawei Local ID type : IP DPD : Disable DPD mode : Periodic DPD idle time : 30 DPD retransmit interval : 15 DPD retry limit : 3 Peer Ip address VPN name Local IP address Remote name Nat-traversal Configured IKE version

: 202.138.162.1 : : : : Disable : Version one

----------------------------------------

Step 3 Configure ACLs on RouterA and RouterB to define the data flows to be protected. # Configure an ACL on RouterA. [Huawei] acl number 3101 [Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [Huawei-acl-adv-3101] quit

# Configure an ACL on RouterB. [Huawei] acl number 3101 [Huawei-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [Huawei-acl-adv-3101] quit

Step 4 Configure static routes to the peers on RouterA and RouterB. # Configure a static route to the peer on RouterA. In this example, the next hop to PCB is 202.138.163.2. [Huawei] ip route-static 10.1.2.0 255.255.255.0 202.138.163.2

# Configure a static route to the peer on RouterB. In this example, the next hop to PCA is 202.138.162.2. [Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2

Step 5 Create an IPSec proposal on RouterA and RouterB. # Create the IPSec proposal on RouterA. Issue 01 (2012-01-06)

Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

74

Huawei AR2200-S Series Enterprise Routers Configuration Guide - VPN

3 IPSec Configuration

[Huawei] ipsec proposal tran1 [Huawei-ipsec-proposal-tran1] quit

# Create the IPSec proposal on RouterB. [Huawei] ipsec proposal tran1 [Huawei-ipsec-proposal-tran1] quit

Run the display ipsec proposal command on RouterA and RouterB to view the configuration of the IPSec proposal. Take the display on RouterA as an example. [Huawei] display ipsec proposal Number of Proposals: 1 IPsec proposal name: tran1 Encapsulation mode: Tunnel Transform : esp-new ESP protocol : Authentication MD5-HMAC-96 Encryption DES

Step 6 Create IPSec policies on RouterA and RouterB. # Create an IPSec policy on RouterA. [Huawei] ipsec policy map1 10 isakmp [Huawei-ipsec-policy-isakmp-map1-10] [Huawei-ipsec-policy-isakmp-map1-10] [Huawei-ipsec-policy-isakmp-map1-10] [Huawei-ipsec-policy-isakmp-map1-10]

ike-peer spub proposal tran1 security acl 3101 quit

# Create an IPSec policy on RouterB. [Huawei] ipsec policy use1 10 isakmp [Huawei-ipsec-policy-isakmp-use1-10] [Huawei-ipsec-policy-isakmp-use1-10] [Huawei-ipsec-policy-isakmp-use1-10] [Huawei-ipsec-policy-isakmp-use1-10]

ike-peer spua proposal tran1 security acl 3101 quit

Run the display ipsec policy command on RouterA and RouterB to view the configurations of the IPSec policies. Take the display on RouterA as an example. [Huawei] display ipsec policy =========================================== IPsec policy group: "map1" Using interface: {} =========================================== Sequence number: 10 Security data flow: 3101 Peer name: spub Perfect forward secrecy: None Proposal name: tran1 IPsec SA local duration(time based): 3600 seconds IPsec SA local duration(traffic based): 1843200 kilobytes SA trigger mode: Automatic

Step 7 Apply the IPSec policies to the interfaces of RouterA and RouterB. # Apply the IPSec policy to the interface of RouterA. [Huawei] interface ethernet 1/0/0 [Huawei-Ethernet1/0/0] ipsec policy map1 [Huawei-Ethernet1/0/0] quit

# Apply the IPSec policy to the interface of RouterB. [Huawei] interface ethernet 1/0/0 [Huawei-Ethernet1/0/0] ipsec policy use1

Issue 01 (2012-01-06)

Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

75

Huawei AR2200-S Series Enterprise Routers Configuration Guide - VPN

3 IPSec Configuration

[Huawei-Ethernet1/0/0] quit

Run the display ipsec sa command on RouterA and RouterB to view the configuration of the IPSec SAs. Take the display on RouterA as an example. [Huawei] display ipsec sa =============================== Interface: Ethernet 1/0/0 path MTU: 1500 =============================== ----------------------------IPsec policy name: "map1" sequence number: 10 mode: isakmp ----------------------------Connection id: 3 encapsulation mode: tunnel tunnel local : 202.138.163.1 tunnel remote: 202.138.162.1 [inbound ESP SAs] spi: 1406123142 (0x53cfbc86) proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa remaining key duration (bytes/sec): 1887436528/3575 max received sequence-number: 4 udp encapsulation used for nat traversal: N [outbound ESP SAs] spi: 3835455224 (0xe49c66f8) proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa remaining key duration (bytes/sec): 1887436464/3575 max sent sequence-number: 5 udp encapsulation used for nat traversal: N

Step 8 Verify the configurations. After the configurations are complete, PC A can ping PC B successfully. The data transmitted between PC A and PC B is encrypted. Run the display ike sa command on RouterA, and the following information is displayed: [Huawei] display ike sa Conn-ID Peer VPN Flag(s) Phase --------------------------------------------------------14 202.138.162.1 0 RD|ST 1 16 202.138.162.1 0 RD|ST 2 Flag Description: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP

----End

Configuration Files l

Configuration file of RouterA # acl number 3101 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 # ipsec proposal tran1 # ike peer spub v1 pre-shared-key huawei remote-address 202.138.162.1 #


ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
 proposal tran1
#
ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
#
interface Ethernet1/0/0
 ip address 202.138.163.1 255.255.255.0
 ipsec policy map1
#
return

Configuration file of RouterB
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ike peer spua v1
 pre-shared-key huawei
 remote-address 202.138.163.1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer spua
 proposal tran1
#
ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
#
interface Ethernet1/0/0
 ip address 202.138.162.1 255.255.255.0
 ipsec policy use1
#
return

3.6.3 Example for Configuring IKE Negotiation

IKE automatically establishes an SA and performs key exchange to improve the efficiency of SA establishment and ensure network security.

Networking Requirements

As shown in Figure 3-5, an IPSec tunnel is established between RouterA and RouterB. This IPSec tunnel protects data flows between the subnet of PC A (10.1.1.x) and the subnet of PC B (10.1.2.x). The IPSec tunnel uses the ESP protocol, the DES encryption algorithm, and the SHA-1 authentication algorithm.

Figure 3-5 Network diagram for configuring IKE negotiation
[Figure: PC A (10.1.1.2/24) -- RouterA (Eth 1/0/0, 202.138.163.1/24) -- Internet, IPSec Tunnel -- RouterB (Eth 1/0/0, 202.138.162.1/24) -- PC B (10.1.2.2/24)]

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Configure an IKE proposal.
3. Specify the local host ID and IKE peer for IKE negotiation.
4. Configure Access Control Lists (ACLs) and define the data flows to be protected.
5. Configure static routes to peers.
6. Configure an IPSec proposal.
7. Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
8. Apply IPSec policies to interfaces.

Procedure

Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit

# Assign an IP address to the interface of RouterB.
system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.162.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit

Step 2 Create an IKE proposal on RouterA and RouterB.
# Create the IKE proposal on RouterA.
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm aes-cbc-128
[Huawei-ike-proposal-1] authentication-algorithm md5
[Huawei-ike-proposal-1] quit

# Create the IKE proposal on RouterB.
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm aes-cbc-128
[Huawei-ike-proposal-1] authentication-algorithm md5
[Huawei-ike-proposal-1] quit

Step 3 Configure local IDs and IKE peers on RouterA and RouterB.
# Configure the local ID and IKE peer on RouterA.
[Huawei] ike local-name huawei01
[Huawei] ike peer spub v1
[Huawei-ike-peer-spub] exchange-mode aggressive
[Huawei-ike-peer-spub] ike-proposal 1
[Huawei-ike-peer-spub] local-id-type name
[Huawei-ike-peer-spub] pre-shared-key huawei
[Huawei-ike-peer-spub] remote-name huawei02
[Huawei-ike-peer-spub] remote-address 202.138.162.1
[Huawei-ike-peer-spub] local-address 202.138.163.1
[Huawei-ike-peer-spub] quit

NOTE
In aggressive mode, if the value of local-id-type is name, configure the IP address of the remote peer (remote-address x.x.x.x) on the local end.

# Configure the local ID and IKE peer on RouterB.
[Huawei] ike local-name huawei02
[Huawei] ike peer spua v1
[Huawei-ike-peer-spua] exchange-mode aggressive
[Huawei-ike-peer-spua] ike-proposal 1
[Huawei-ike-peer-spua] local-id-type name
[Huawei-ike-peer-spua] pre-shared-key huawei
[Huawei-ike-peer-spua] remote-name huawei01
[Huawei-ike-peer-spua] remote-address 202.138.163.1
[Huawei-ike-peer-spua] local-address 202.138.162.1
[Huawei-ike-peer-spua] quit

Run the display ike peer command on RouterA and RouterB to view the configuration of the IKE peer. Take the display on RouterA as an example.
[Huawei] display ike peer name spub verbose
---------------------------------------
Peer name                : spub
Exchange mode            : aggressive on phase 1
Pre-shared-key           : huawei
Proposal                 : 1
Local ID type            : Name
DPD                      : Disable
DPD mode                 : Periodic
DPD idle time            : 30
DPD retransmit interval  : 15
DPD retry limit          : 3
Peer Ip address          : 202.138.162.1
VPN name                 :
Local IP address         : 202.138.163.1
Remote name              : huawei02
Nat-traversal            : Disable
Configured IKE version   : Version one
---------------------------------------


Step 4 Configure ACLs on RouterA and RouterB to define the data flows to be protected.
# Configure an ACL on RouterA.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Huawei-acl-adv-3101] quit

# Configure an ACL on RouterB.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[Huawei-acl-adv-3101] quit

Step 5 Configure static routes to the peers on RouterA and RouterB.
# Configure a static route to the peer on RouterA. In this example, the next hop to PC B is 202.138.163.2.
[Huawei] ip route-static 10.1.2.0 255.255.255.0 202.138.163.2

# Configure a static route to the peer on RouterB. In this example, the next hop to PC A is 202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2

Step 6 Create an IPSec proposal on RouterA and RouterB.
# Create the IPSec proposal on RouterA.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit

# Create the IPSec proposal on RouterB.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit

Run the display ipsec proposal command on RouterA and RouterB to view the configuration of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Number of Proposals: 1

IPsec proposal name: tran1
  Encapsulation mode: Tunnel
  Transform         : esp-new
  ESP protocol      : Authentication SHA1-HMAC-96
                      Encryption     DES

Step 7 Create IPSec policies on RouterA and RouterB.
# Create an IPSec policy on RouterA.
[Huawei] ipsec policy map1 10 isakmp
[Huawei-ipsec-policy-isakmp-map1-10] ike-peer spub
[Huawei-ipsec-policy-isakmp-map1-10] proposal tran1
[Huawei-ipsec-policy-isakmp-map1-10] security acl 3101


[Huawei-ipsec-policy-isakmp-map1-10] quit

# Create an IPSec policy on RouterB.
[Huawei] ipsec policy use1 10 isakmp
[Huawei-ipsec-policy-isakmp-use1-10] ike-peer spua
[Huawei-ipsec-policy-isakmp-use1-10] proposal tran1
[Huawei-ipsec-policy-isakmp-use1-10] security acl 3101
[Huawei-ipsec-policy-isakmp-use1-10] quit

Run the display ipsec policy command on RouterA and RouterB to view the configurations of the IPSec policies. Take the display on RouterA as an example.
[Huawei] display ipsec policy
===========================================
IPsec policy group: "map1"
Using interface: {}
===========================================

  Sequence number: 10
  Security data flow: 3101
  Peer name: spub
  Perfect forward secrecy: None
  Proposal name: tran1
  IPsec SA local duration(time based): 3600 seconds
  IPsec SA local duration(traffic based): 1843200 kilobytes
  SA trigger mode: Automatic

Step 8 Apply the IPSec policies to the interfaces of RouterA and RouterB.
# Apply the IPSec policy to the interface of RouterA.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy map1
[Huawei-Ethernet1/0/0] quit

# Apply the IPSec policy to the interface of RouterB.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy use1
[Huawei-Ethernet1/0/0] quit

Run the display ipsec sa command on RouterA and RouterB to view the configuration of the IPSec SAs. Take the display on RouterA as an example.
[Huawei] display ipsec sa
===============================
Interface: Ethernet 1/0/0
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "map1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    Connection id: 3
    encapsulation mode: tunnel
    tunnel local : 202.138.163.1   tunnel remote: 202.138.162.1

    [inbound ESP SAs]
      spi: 1406123142 (0x53cfbc86)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436528/3575
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 3835455224 (0xe49c66f8)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436464/3575


      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N
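The display ipsec sa output above, and the identical display in the previous example, is what an operator reads to confirm that the tunnel's ESP SAs exist and which algorithms they negotiated. The following Python script is an added example, not part of the Huawei guide: it parses that output, extracts each ESP SA's direction, SPI, algorithms and remaining lifetime, and reports SAs that negotiated an algorithm the operator no longer accepts or that are close to rekey. SA_TEXT is copied from the RouterA display above; the WEAK_ALGORITHMS set and the 300-second rekey threshold are this example's own assumptions, not values from the guide.

```python
"""Parse `display ipsec sa` text and audit the negotiated ESP SAs.

Added example; not Huawei code.  SA_TEXT is the RouterA display from the
IKE negotiation example, embedded so the script runs offline.
"""
import re

SA_TEXT = """\
===============================
Interface: Ethernet 1/0/0
    path MTU: 1500
===============================
  -----------------------------
  IPsec policy name: "map1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    Connection id: 3
    encapsulation mode: tunnel
    tunnel local : 202.138.163.1   tunnel remote: 202.138.162.1
    [inbound ESP SAs]
      spi: 1406123142 (0x53cfbc86)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436528/3575
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 3835455224 (0xe49c66f8)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436464/3575
      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N
"""

# Assumption of this example: algorithms the operator no longer accepts.
WEAK_ALGORITHMS = {"DES", "3DES", "MD5"}


def parse_ipsec_sa(text):
    """Return one dict per [inbound/outbound ESP SAs] block in the display."""
    sas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\[(inbound|outbound) ESP SAs\]", line)
        if m:
            current = {"direction": m.group(1)}
            sas.append(current)
            continue
        if current is None:          # still in the header part of the display
            continue
        m = re.match(r"spi: (\d+)", line)
        if m:
            current["spi"] = int(m.group(1))
            continue
        m = re.match(r"proposal: (.+)", line)
        if m:
            # "ESP-ENCRYPT-DES ESP-AUTH-SHA1" -> encrypt "DES", auth "SHA1"
            parts = [tok.split("-", 2) for tok in m.group(1).split()]
            current["encrypt"] = next(p[2] for p in parts if len(p) == 3 and p[1] == "ENCRYPT")
            current["auth"] = next(p[2] for p in parts if len(p) == 3 and p[1] == "AUTH")
            continue
        m = re.match(r"sa remaining key duration \(bytes/sec\): (\d+)/(\d+)", line)
        if m:
            current["remaining_bytes"] = int(m.group(1))
            current["remaining_sec"] = int(m.group(2))
    return sas


def audit_sas(sas, min_seconds=300):
    """Return findings for SAs using a weak algorithm or about to rekey."""
    findings = []
    for sa in sas:
        tag = f"{sa['direction']} spi {sa['spi']}"
        for alg in (sa["encrypt"], sa["auth"]):
            if alg in WEAK_ALGORITHMS:
                findings.append(f"{tag}: weak algorithm {alg}")
        if sa["remaining_sec"] < min_seconds:
            findings.append(f"{tag}: rekey due in {sa['remaining_sec']} s")
    return findings


if __name__ == "__main__":
    for finding in audit_sas(parse_ipsec_sa(SA_TEXT)):
        print(finding)
```

On the sample display the audit reports both SAs for DES, which is exactly what the proposal in Step 6 asked for; the script is useful because it reads the SA that was actually negotiated, not the proposal that was configured.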

Step 9 Verify the configurations.
After the configurations are complete, PC A can ping PC B successfully. The data transmitted between PC A and PC B is encrypted.
Run the display ike sa command on RouterA, and the following information is displayed:
[Huawei] display ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------
    14       202.138.162.1   0     RD|ST                  1
    16       202.138.162.1   0     RD|ST                  2

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
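The display ike sa table above (the same table closes the previous example) is the verification point for IKE: a healthy tunnel shows a phase 1 and a phase 2 entry for the expected peer, both carrying the RD (READY) flag. The following Python script is an added example, not part of the Huawei guide: it parses that table and answers two questions a monitoring check would ask, whether the tunnel to a given peer is fully up and whether any listed SA is no longer READY. IKE_SA_TEXT is copied from the RouterA display above; IKE_SA_TEXT_DEGRADED is a constructed variant in which the phase 2 entry carries the TO (TIMEOUT) flag, used only to show the failure case.

```python
"""Parse the `display ike sa` table and decide whether the tunnel is up.

Added example; not Huawei code.  IKE_SA_TEXT is the RouterA display from
the example above; IKE_SA_TEXT_DEGRADED is constructed for the failure case.
"""
import re

IKE_SA_TEXT = """\
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------
    14       202.138.162.1   0     RD|ST                  1
    16       202.138.162.1   0     RD|ST                  2

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
"""

# Constructed sample (not from the guide): the phase 2 SA has timed out.
IKE_SA_TEXT_DEGRADED = """\
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------
    14       202.138.162.1   0     RD|ST                  1
    16       202.138.162.1   0     TO                     2
"""

# One table row: conn-id, peer IPv4 address, VPN, flags, phase.
ROW = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\d)\s*$")


def parse_ike_sa(text):
    """Return one dict per SA row; header and flag legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "conn_id": int(m.group(1)),
                "peer": m.group(2),
                "vpn": m.group(3),
                "flags": set(m.group(4).split("|")),
                "phase": int(m.group(5)),
            })
    return rows


def tunnel_is_up(rows, peer):
    """True only when both a phase 1 and a phase 2 SA with peer are READY."""
    ready = {r["phase"] for r in rows if r["peer"] == peer and "RD" in r["flags"]}
    return {1, 2} <= ready


def stale_sas(rows):
    """Conn-IDs still listed but not READY (REPLACED, FADING, TIMEOUT, ...)."""
    return [r["conn_id"] for r in rows if "RD" not in r["flags"]]


if __name__ == "__main__":
    rows = parse_ike_sa(IKE_SA_TEXT)
    print("tunnel up:", tunnel_is_up(rows, "202.138.162.1"), "stale:", stale_sas(rows))
```

The check deliberately requires both phases: a phase 1 SA alone means the peers authenticated but no IPSec SA protects traffic yet, which is the state seen after a proposal mismatch in Step 6.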

----End

Configuration Files

Configuration file of RouterA
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike local-name huawei01
#
ike peer spub v1
 exchange-mode aggressive
 pre-shared-key huawei
 ike-proposal 1
 local-id-type name
 remote-name huawei02
 local-address 202.138.163.1
 remote-address 202.138.162.1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
 proposal tran1
#


ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
#
interface Ethernet1/0/0
 ip address 202.138.163.1 255.255.255.0
 ipsec policy map1
#
return

Configuration file of RouterB
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike local-name huawei02
#
ike peer spua v1
 exchange-mode aggressive
 pre-shared-key huawei
 ike-proposal 1
 local-id-type name
 remote-name huawei01
 local-address 202.138.162.1
 remote-address 202.138.163.1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer spua
 proposal tran1
#
ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
#
interface Ethernet1/0/0
 ip address 202.138.162.1 255.255.255.0
 ipsec policy use1
#
return
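Steps 1 to 8 above only work when the two configuration files are mirror images of each other: the ACL on each side must name the other side's flow as its destination, each remote-address must be the peer's local-address, each remote-name must be the peer's ike local-name (the point of the NOTE under Step 3), the pre-shared keys must match, and the IKE and IPSec proposals must carry the same settings. The following Python script is an added example, not part of the Huawei guide: it parses the ACL, proposal, local-name and IKE peer sections of the two configuration files above (the route, policy and interface sections are omitted from the embedded text only for brevity) and reports every mismatch, so a mistyped key or name is caught before negotiation fails with a less specific error. The parser understands only the commands used in this example.

```python
"""Cross-check that two Huawei routers' IKE/IPSec configurations mirror
each other.  Added example; not Huawei code.  The texts below are the
relevant sections of the RouterA and RouterB files from the example above,
sub-commands indented one space as the router saves them.
"""
import re

ROUTER_A = """\
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike local-name huawei01
#
ike peer spub v1
 exchange-mode aggressive
 pre-shared-key huawei
 ike-proposal 1
 local-id-type name
 remote-name huawei02
 local-address 202.138.163.1
 remote-address 202.138.162.1
#
"""

ROUTER_B = """\
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike local-name huawei02
#
ike peer spua v1
 exchange-mode aggressive
 pre-shared-key huawei
 ike-proposal 1
 local-id-type name
 remote-name huawei01
 local-address 202.138.162.1
 remote-address 202.138.163.1
#
"""

ACL_RULE = re.compile(r"permit ip source (\S+ \S+) destination (\S+ \S+)")


def parse_config(text):
    """Map each section header (the line after a '#') to its sub-commands."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.strip() == "#":
            current = None
        elif current is None:
            current = line.strip()
            sections[current] = []
        else:
            sections[current].append(line.strip())
    return sections


def section(cfg, prefix):
    """(header, sub-commands) of the first section whose header starts with prefix."""
    return next((h, b) for h, b in cfg.items() if h.startswith(prefix))


def value(body, keyword):
    """Argument of the sub-command that starts with keyword, or None."""
    return next((l.split(" ", 1)[1] for l in body if l.startswith(keyword + " ")), None)


def flows(cfg):
    """Set of (source, destination) pairs permitted by the security ACL."""
    return {ACL_RULE.search(r).groups() for r in section(cfg, "acl number")[1] if ACL_RULE.search(r)}


def check_mirror(cfg_a, cfg_b):
    """Return a list of mismatches; an empty list means the two sides agree."""
    problems = []
    if {(d, s) for s, d in flows(cfg_a)} != flows(cfg_b):
        problems.append("ACL data flows are not mirror images")
    pa, pb = section(cfg_a, "ike peer")[1], section(cfg_b, "ike peer")[1]
    name_a, name_b = (section(c, "ike local-name")[0].split()[-1] for c in (cfg_a, cfg_b))
    if value(pa, "remote-address") != value(pb, "local-address") or value(pb, "remote-address") != value(pa, "local-address"):
        problems.append("remote-address does not match the peer's local-address")
    if value(pa, "remote-name") != name_b or value(pb, "remote-name") != name_a:
        problems.append("remote-name does not match the peer's ike local-name")
    for kw in ("pre-shared-key", "exchange-mode", "ike-proposal"):
        if value(pa, kw) != value(pb, kw):
            problems.append(f"{kw} differs between the peers")
    for prefix in ("ike proposal", "ipsec proposal"):
        if sorted(section(cfg_a, prefix)[1]) != sorted(section(cfg_b, prefix)[1]):
            problems.append(f"{prefix} settings differ")
    return problems


if __name__ == "__main__":
    print(check_mirror(parse_config(ROUTER_A), parse_config(ROUTER_B)) or "configurations mirror each other")
```

Because the router saves only non-default sub-commands, the proposal comparison works on the saved lines as-is; if one side had set a value explicitly that the other left at its default, the two files would differ and the check would flag it, which is the conservative outcome.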
