Establishing a DSVPN Over IPSec Tunnel Between AR and Cisco

Created Mar 08, 2017 21:02:32 | Latest reply Mar 09, 2017 15:31:11

Overview

Dynamic Smart Virtual Private Network (DSVPN) allows the headquarters and its branches, or two branches, to dynamically establish virtual private networks (VPNs) in the Hub-Spoke model.

DSVPN implements dynamic connections between the headquarters and branches and between branches. Branches can dynamically establish tunnels to exchange service data directly, which reduces forwarding delay and improves forwarding performance and efficiency.

On a DSVPN tunnel, data packets are encapsulated with a GRE header. DSVPN itself provides no encryption, so IPSec should be deployed on networks that demand high security; data packets are then carried in a DSVPN over IPSec tunnel.

In Figure 1-1, branches use dynamic addresses to access the public network and dynamically establish Spoke-Spoke tunnels for direct communication with each other. In addition, multipoint Generic Routing Encapsulation (mGRE) allows multiple GRE tunnels to be created on one mGRE tunnel interface; DSVPN uses mGRE to simplify branch traffic management and the configuration of GRE and IPSec.

Figure 1-1 Hub-Spoke model


Precautions

- DSVPN is a Huawei proprietary protocol. When the AR connects to a non-Huawei device using DSVPN, there may be legal risks. Contact the Huawei local office and report it to the Legal Affairs Dept in advance.

- The DSVPN function on some models requires a license. By default, the DSVPN function cannot be used on the AR. To use the DSVPN function, contact the Huawei local office, or apply for and purchase the license from the Huawei local office.

- NAT traversal cannot be implemented on a DSVPN network if two branches use the same NAT device and their private network addresses are translated to the same public network address.

- When DSVPN branches establish a tunnel, NAT traversal cannot be implemented if different NAT devices exist between the two branches and Port Address Translation (PAT) is enabled on those NAT devices.

- The NAT devices must have NAT server or static NAT configured. NAT traversal cannot be implemented if inbound or outbound NAT is configured on the NAT devices.

- Precautions for DSVPN route deployment:

  Configuring static routes

    Non-shortcut: Configure static routes between the Hub and Spokes and between Spokes, and specify the peer tunnel address as the next-hop address.

    Shortcut: Configure static routes on the Hub and Spokes. The next-hop address on the Hub is the tunnel address of the peer Spoke, and the next-hop address on a Spoke is the tunnel address of the Hub.

  Configuring dynamic routes (by routing protocol)

    Non-shortcut:
      RIP: Disable split horizon and automatic route summarization on the mGRE interface of the Hub.
      OSPF: Run the ospf network-type broadcast command to set the OSPF network type to broadcast on the Hub and Spokes.
      BGP: Do not configure route summarization on the Hub.

    Shortcut:
      RIP: Enable split horizon and automatic route summarization on the mGRE interface of the Hub.
      OSPF: Run the ospf network-type p2mp command to set the OSPF network type to P2MP on the Hub and Spokes.
      BGP: Configure route summarization on the Hub.

Networking Requirements

A large enterprise has a headquarters (Hub) and multiple branches (Spoke1, Spoke2, and other Spokes) located in different areas, and the branches connect to the public network using dynamic IP addresses. This example uses two branches. The Hub is a Cisco router, and Spoke1 and Spoke2 are AR routers.

The enterprise requires VPN connectivity between branches, and data transmitted between the headquarters and a branch, and between branches, must be encrypted.

Figure 1-2 Networking for establishing DSVPN over IPSec tunnels between AR routers and Cisco router


Data Plan

Before the configuration, plan data according to Table 1-1. The data in Table 1-1 is used for reference only.

Table 1-1 Data plan for interconnection between the AR and Cisco router

Spoke1
  Public network address: 1.1.2.10
  Tunnel interface address: 10.2.1.2
  Private network address: 10.1.1.1

Spoke2
  Public network address: 1.1.3.10
  Tunnel interface address: 10.2.1.3
  Private network address: 10.1.2.1

Cisco (Hub)
  Public network address: 1.1.1.10
  Tunnel interface address: 10.2.1.1
  Private network address: 10.1.0.1

NHRP parameters
  DSVPN domain (NHRP network ID): 1000
  NHRP authentication key: huawei12
  NHRP branch registration interval: 1800s
  NHRP headquarters hold time: 3600s

Parameters for IPSec phase 1 (IKE negotiation phase)
  IKE version: v1
  Negotiation mode: main
  Authentication method: pre-shared key
  Pre-shared key: huawei@123
  Encryption algorithm: aes-cbc-128
  Authentication algorithm: sha1
  DH group: group5
  Lifetime: 28800s
  DPD detection: enabled

Parameters for IPSec phase 2 (IPSec negotiation phase)
  Security protocol: ESP
  Encapsulation mode: transport
  Encryption algorithm: aes-128
  Authentication algorithm: sha1
  Lifetime: 3600s (default value)
  PFS: enabled (note that the configurations below do not set a PFS group on either side; if PFS is used, it must be enabled with the same DH group at both ends, otherwise phase 2 negotiation fails)

Configuration Procedure

1 Configuring Spoke1 (AR Router)

Configuration Roadmap

1.      Configure an IP address and a static route on each interface to implement communication between both ends.

2.      Configure an mGRE tunnel interface and NHRP information.

3.      Configure a static route to a private network address of the peer.

4.      Configure an IKE proposal, an IKE peer, and an IPSec proposal, and set IPSec negotiation parameters.

5.      Configure an IPSec profile and bind the IPSec proposal and IKE peer to the IPSec profile.

6.      Apply the IPSec profile to the mGRE tunnel interface so that the mGRE tunnel interface can protect traffic.

Procedure

Step 1: Configure an IP address and a static route on each interface to implement communication between both ends.

<Huawei> system-view
[Huawei] sysname Spoke1
[Spoke1] interface gigabitethernet 1/0/0
[Spoke1-GigabitEthernet1/0/0] ip address 1.1.2.10 255.255.255.0
[Spoke1-GigabitEthernet1/0/0] quit
[Spoke1] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1

Step 2: Configure an mGRE tunnel interface and NHRP information.

[Spoke1] interface Tunnel0/0/0
[Spoke1-Tunnel0/0/0] ip address 10.2.1.2 255.255.255.0
[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 10.2.1.1 1.1.1.10 register
[Spoke1-Tunnel0/0/0] nhrp network-id 1000
[Spoke1-Tunnel0/0/0] nhrp authentication simple huawei12
[Spoke1-Tunnel0/0/0] nhrp registration interval 1800
[Spoke1-Tunnel0/0/0] quit

Step 3: Configure static routes to the private networks of the Hub and of Spoke2, with the peer tunnel address as the next hop.

[Spoke1] ip route-static 10.1.0.0 255.255.255.0 10.2.1.1
[Spoke1] ip route-static 10.1.2.0 255.255.255.0 10.2.1.3

Step 4: Configure an IKE proposal, an IKE peer, and an IPSec proposal, and set IPSec negotiation parameters.

# Configure an IKE proposal.

[Spoke1] ike proposal 5
[Spoke1-ike-proposal-5] encryption-algorithm aes-cbc-128
[Spoke1-ike-proposal-5] authentication-algorithm sha1
[Spoke1-ike-proposal-5] dh group5
[Spoke1-ike-proposal-5] sa duration 28800
[Spoke1-ike-proposal-5] authentication-method pre-share
[Spoke1-ike-proposal-5] quit

# Configure an IKE peer.

[Spoke1] ike peer spoke1 v1
[Spoke1-ike-peer-spoke1] ike-proposal 5
[Spoke1-ike-peer-spoke1] pre-shared-key cipher huawei@123
[Spoke1-ike-peer-spoke1] exchange-mode main
[Spoke1-ike-peer-spoke1] dpd type periodic
[Spoke1-ike-peer-spoke1] quit

# Configure an IPSec proposal.

[Spoke1] ipsec proposal spoke1
[Spoke1-ipsec-proposal-spoke1] transform esp
[Spoke1-ipsec-proposal-spoke1] esp authentication-algorithm sha1
[Spoke1-ipsec-proposal-spoke1] esp encryption-algorithm aes-128
[Spoke1-ipsec-proposal-spoke1] encapsulation-mode transport
[Spoke1-ipsec-proposal-spoke1] quit

Step 5: Configure an IPSec profile and bind the IPSec proposal and IKE peer to the IPSec profile.

[Spoke1] ipsec profile profile1
[Spoke1-ipsec-profile-profile1] ike-peer spoke1
[Spoke1-ipsec-profile-profile1] proposal spoke1
[Spoke1-ipsec-profile-profile1] quit

Step 6: Apply the IPSec profile to the mGRE tunnel interface so that the mGRE tunnel interface can protect traffic.

[Spoke1] interface tunnel 0/0/0
[Spoke1-Tunnel0/0/0] ipsec profile profile1

----End

2 Configuring Spoke2 (AR Router)

Configuration Roadmap

1.      Configure an IP address and a static route on each interface to implement communication between both ends.

2.      Configure an mGRE tunnel interface and NHRP information.

3.      Configure a static route to a private network address of the peer.

4.      Configure an IKE proposal, an IKE peer, and an IPSec proposal, and set IPSec negotiation parameters.

5.      Configure an IPSec profile and bind the IPSec proposal and IKE peer to the IPSec profile.

6.      Apply the IPSec profile to the mGRE tunnel interface so that the mGRE tunnel interface can protect traffic.

Procedure

Step 1: Configure an IP address and a static route on each interface to implement communication between both ends.

<Huawei> system-view
[Huawei] sysname Spoke2
[Spoke2] interface gigabitethernet 1/0/0
[Spoke2-GigabitEthernet1/0/0] ip address 1.1.3.10 255.255.255.0
[Spoke2-GigabitEthernet1/0/0] quit
[Spoke2] ip route-static 0.0.0.0 0.0.0.0 1.1.3.1

Step 2: Configure an mGRE tunnel interface and NHRP information.

[Spoke2] interface Tunnel0/0/0
[Spoke2-Tunnel0/0/0] ip address 10.2.1.3 255.255.255.0
[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 10.2.1.1 1.1.1.10 register
[Spoke2-Tunnel0/0/0] nhrp network-id 1000
[Spoke2-Tunnel0/0/0] nhrp authentication simple huawei12
[Spoke2-Tunnel0/0/0] nhrp registration interval 1800
[Spoke2-Tunnel0/0/0] quit

Step 3: Configure static routes to the private networks of the Hub and of Spoke1, with the peer tunnel address as the next hop.

[Spoke2] ip route-static 10.1.0.0 255.255.255.0 10.2.1.1
[Spoke2] ip route-static 10.1.1.0 255.255.255.0 10.2.1.2

Step 4: Configure an IKE proposal, an IKE peer, and an IPSec proposal, and set IPSec negotiation parameters.

# Configure an IKE proposal.

[Spoke2] ike proposal 5
[Spoke2-ike-proposal-5] encryption-algorithm aes-cbc-128
[Spoke2-ike-proposal-5] authentication-algorithm sha1
[Spoke2-ike-proposal-5] dh group5
[Spoke2-ike-proposal-5] sa duration 28800
[Spoke2-ike-proposal-5] authentication-method pre-share
[Spoke2-ike-proposal-5] quit

# Configure an IKE peer.

[Spoke2] ike peer spoke2 v1
[Spoke2-ike-peer-spoke2] ike-proposal 5
[Spoke2-ike-peer-spoke2] pre-shared-key cipher huawei@123
[Spoke2-ike-peer-spoke2] exchange-mode main
[Spoke2-ike-peer-spoke2] dpd type periodic
[Spoke2-ike-peer-spoke2] quit

# Configure an IPSec proposal.

[Spoke2] ipsec proposal spoke2
[Spoke2-ipsec-proposal-spoke2] transform esp
[Spoke2-ipsec-proposal-spoke2] esp authentication-algorithm sha1
[Spoke2-ipsec-proposal-spoke2] esp encryption-algorithm aes-128
[Spoke2-ipsec-proposal-spoke2] encapsulation-mode transport
[Spoke2-ipsec-proposal-spoke2] quit

Step 5: Configure an IPSec profile and bind the IPSec proposal and IKE peer to the IPSec profile.

[Spoke2] ipsec profile profile1
[Spoke2-ipsec-profile-profile1] ike-peer spoke2
[Spoke2-ipsec-profile-profile1] proposal spoke2
[Spoke2-ipsec-profile-profile1] quit

Step 6: Apply the IPSec profile to the mGRE tunnel interface so that the mGRE tunnel interface can protect traffic.

[Spoke2] interface tunnel 0/0/0
[Spoke2-Tunnel0/0/0] ipsec profile profile1

----End

3 Configuring the Hub (Cisco Router)

Configuration Roadmap

1.      Configure an IP address and a static route on each interface to implement communication between both ends.

2.      Configure an mGRE tunnel interface and NHRP information.

3.      Configure a static route to a private network address of the peer.

4.      Configure an ISAKMP policy (IKE proposal), the IKE pre-shared key, and a transform set (IPSec proposal), and set IPSec negotiation parameters.

5.      Configure an IPSec profile and bind the transform set (IPSec proposal) to the IPSec profile.

6.      Apply the IPSec profile to the mGRE tunnel interface so that the mGRE tunnel interface can protect traffic.

Procedure

Step 1: Configure an IP address and a static route on each interface to implement communication between both ends.

Router#configure terminal
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip address 1.1.1.10 255.255.255.0
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.1

Step 2: Configure an mGRE tunnel interface and NHRP information.

Router(config)#interface tunnel 0
Router(config-if)#ip address 10.2.1.1 255.255.255.0
Router(config-if)#tunnel mode gre multipoint
Router(config-if)#tunnel source gigabitethernet0/1
Router(config-if)#ip nhrp holdtime 3600
Router(config-if)#ip nhrp network-id 1000
Router(config-if)#ip nhrp authentication huawei12
Router(config-if)#ip nhrp map multicast dynamic
Router(config-if)#exit

Step 3: Configure static routes to the private networks of Spoke1 and Spoke2, with the Spoke tunnel address as the next hop.

Router(config)#ip route 10.1.2.0 255.255.255.0 10.2.1.3
Router(config)#ip route 10.1.1.0 255.255.255.0 10.2.1.2

Step 4: Configure an ISAKMP policy (IKE proposal), the IKE pre-shared key, and a transform set (IPSec proposal).

# Configure an ISAKMP policy. Its parameters must match the IKE proposal configured on the Spokes.

Router(config)#crypto isakmp policy 10
Router(config-isakmp)#hash sha
Router(config-isakmp)#encryption aes 128
Router(config-isakmp)#group 5
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#lifetime 28800
Router(config-isakmp)#exit

# Configure the IKE pre-shared key. The wildcard address 0.0.0.0 is used because the Spokes have dynamic public addresses.

Router(config)#crypto isakmp key huawei@123 address 0.0.0.0 no-xauth

# Configure a transform set (IPSec proposal).

Router(config)#crypto ipsec transform-set tran1 esp-sha-hmac esp-aes 128
Router(cfg-crypto-trans)#mode transport require
Router(cfg-crypto-trans)#exit

Step 5: Configure an IPSec profile and bind the transform set (IPSec proposal) to the IPSec profile.

Router(config)#crypto ipsec profile profile1
Router(ipsec-profile)#set transform-set tran1
Router(ipsec-profile)#exit

Step 6: Apply the IPSec profile to the mGRE tunnel interface so that the mGRE tunnel interface can protect traffic.

Router(config)#interface tunnel 0
Router(config-if)#tunnel protection ipsec profile profile1
Router(config-if)#exit

----End 

Exception Handling

1.      When an IPSec tunnel fails to be set up, check whether the public network addresses are reachable (routes) and whether the IKE and IPSec parameters at both ends are consistent.

2.      When a DSVPN tunnel fails to be set up, check whether the DSVPN (NHRP) configurations at both ends are consistent: the network ID, the authentication key, and the Hub's tunnel and public addresses in the nhrp entry command.
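The consistency check in item 1 is error-prone across vendors because the AR and IOS keywords for the same setting differ (aes-cbc-128 versus encryption aes 128, sha1 versus hash sha, group5 versus group 5). The following Python script is an added example, not part of this post or of either vendor's tooling: it parses the Spoke1 and Hub Step 4 snippets, maps the keywords onto a common vocabulary and lists every parameter that differs. It recognises only the commands used on this page.

```python
# Added example, not Huawei's or Cisco's own tooling: diff the IKE/IPSec
# parameters of an AR Spoke against a Cisco Hub after normalising keywords.
import re

# Constructed from the Step 4 snippets of Spoke1 and the Hub in this post.
SPOKE1_CFG = """[Spoke1-ike-proposal-5] encryption-algorithm aes-cbc-128
[Spoke1-ike-proposal-5] authentication-algorithm sha1
[Spoke1-ike-proposal-5] dh group5
[Spoke1-ike-proposal-5] sa duration 28800
[Spoke1-ipsec-proposal-spoke1] esp authentication-algorithm sha1
[Spoke1-ipsec-proposal-spoke1] esp encryption-algorithm aes-128
[Spoke1-ipsec-proposal-spoke1] encapsulation-mode transport"""
HUB_CFG = """Router(config-isakmp)#hash sha
Router(config-isakmp)#encryption aes 128
Router(config-isakmp)#group 5
Router(config-isakmp)#lifetime 28800
Router(config)#crypto ipsec transform-set tran1 esp-sha-hmac esp-aes 128
Router(cfg-crypto-trans)#mode transport require"""

AR_PROMPT, IOS_PROMPT = r"^\[[^\]]*\]\s*", r"^\S+#"   # "[Spoke1-...] " / "Router(...)#"

def g1(m):
    return m.group(1)

# (regex matched at line start, vendor-neutral key, normaliser). Only keywords used
# on this page are mapped: IOS 'hash sha' is SHA-1, 'aes' without a size is 128-bit.
AR_RULES = [
    (r"encryption-algorithm (\S+)", "p1_enc", lambda m: g1(m).replace("-cbc", "")),
    (r"authentication-algorithm (\S+)", "p1_hash", g1),
    (r"dh group(\d+)", "p1_dh", g1),
    (r"sa duration (\d+)", "p1_life", lambda m: int(g1(m))),
    (r"esp encryption-algorithm (\S+)", "p2_enc", g1),
    (r"esp authentication-algorithm (\S+)", "p2_hash", g1),
    (r"encapsulation-mode (\S+)", "p2_mode", g1),
]
IOS_RULES = [
    (r"encryption aes(?: (\d+))?", "p1_enc", lambda m: "aes-" + (g1(m) or "128")),
    (r"hash (\S+)", "p1_hash", lambda m: "sha1" if g1(m) == "sha" else g1(m)),
    (r"group (\d+)", "p1_dh", g1),
    (r"lifetime (\d+)", "p1_life", lambda m: int(g1(m))),
    (r"crypto ipsec transform-set \S+.* esp-aes(?: (\d+))?", "p2_enc", lambda m: "aes-" + (g1(m) or "128")),
    (r"crypto ipsec transform-set \S+.* esp-(sha|md5)-hmac", "p2_hash", lambda m: "sha1" if g1(m) == "sha" else g1(m)),
    (r"mode (\S+)", "p2_mode", g1),
]

def parse(cfg, prompt, rules):
    """Strip the CLI prompt from each line, then apply every rule that matches it."""
    found = {}
    for raw in cfg.splitlines():
        line = re.sub(prompt, "", raw).strip()
        for pattern, key, norm in rules:
            m = re.match(pattern, line)
            if m:
                found[key] = norm(m)
    return found

def compare(spoke, hub):
    """Return (parameter, spoke value, hub value) for every parameter that differs."""
    keys = sorted(set(spoke) | set(hub))
    return [(k, spoke.get(k), hub.get(k)) for k in keys if spoke.get(k) != hub.get(k)]
```

An empty list from compare(parse(SPOKE1_CFG, AR_PROMPT, AR_RULES), parse(HUB_CFG, IOS_PROMPT, IOS_RULES)) means the two snippets agree on every mapped parameter.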

Verification

1.      Run the display ike sa command on the Spokes and the show crypto isakmp sa command on the Hub. The command output shows that the phase 1 and phase 2 SAs have been established (Spoke1 is used as an example).

[Spoke1] display ike sa 
      Conn-ID      Peer           VPN    Flag(s)     Phase 
  --------------------------------------------------------- 
       8          1.1.1.10         0     RD|ST         2 
       6          1.1.1.10         0     RD|ST         1 
  Flag Description:                                                              
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT              
  HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP

An IPSec tunnel has been successfully established between Spoke1 and the Hub to protect traffic exchanged between them.

2.      Ping 10.1.2.1 (the private network address of Spoke2) from Spoke1, then run the display nhrp peer all command on the Spoke. The command output lists the NHRP peer entries (Spoke1 is used as an example).

[Spoke1] display nhrp peer all 
------------------------------------------------------------------------------- 
Protocol-addr Mask  NBMA-addr       NextHop-addr    Type         Flag 
------------------------------------------------------------------------------- 
10.2.1.1        32    1.1.1.10        10.2.1.1      static        hub 
------------------------------------------------------------------------------- 
Tunnel interface: Tunnel0/0/0 
Created time    : 05:13:06 
Expire time     : -- 
------------------------------------------------------------------------------- 
Protocol-addr Mask  NBMA-addr       NextHop-addr    Type         Flag 
------------------------------------------------------------------------------- 
10.2.1.3        32    1.1.3.10        10.2.1.3       dynamic      route tunnel 
------------------------------------------------------------------------------- 
Tunnel interface: Tunnel0/0/0 
Created time    : 00:00:31 
Expire time     : 01:59:29 
------------------------------------------------------------------------------- 
Protocol-addr Mask  NBMA-addr       NextHop-addr    Type         Flag 
------------------------------------------------------------------------------- 
10.2.1.2        32    1.1.2.10        10.2.1.2       dynamic      local 
------------------------------------------------------------------------------- 
Tunnel interface: Tunnel0/0/0 
Created time    : 00:00:31 
Expire time     : 01:59:29 
 
Number of nhrp peers: 3

The Hub and Spoke can learn routes to each other, and DSVPN tunnels have been successfully established.

3.      After the Spokes have exchanged traffic, run the display ike sa command on the Spokes. The command output shows that phase 1 and phase 2 SAs have also been established between the Spokes (Spoke1 is used as an example).

[Spoke1] display ike sa 
      Conn-ID      Peer           VPN    Flag(s)     Phase 
  ---------------------------------------------------------  
       22         1.1.1.3          0     RD|ST         2 
       15         1.1.1.3          0     RD|ST         1 
       8          1.1.1.10         0     RD|ST         2 
       6          1.1.1.10         0     RD|ST         1 
 
  Flag Description:                                                               
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT              
  HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP

An IPSec tunnel has been successfully established between Spokes to protect traffic exchanged between them.
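To automate the checks in the three verification steps above, here is an added Python example (not part of this post or of Huawei's tooling) that parses display ike sa and display nhrp peer all output in the AR format shown. The samples are constructed with the data plan addresses; the functions confirm that both phases of the SA to a given peer carry the RD (READY) flag and that the Hub appears as a static NHRP entry with the expected NBMA address.

```python
# Added example, not Huawei's own tooling: check 'display ike sa' and
# 'display nhrp peer all' output in the AR format shown above. The samples
# are constructed with the addresses from the data plan.
import re

IKE_SA_OUT = """
      Conn-ID      Peer           VPN    Flag(s)     Phase
  ---------------------------------------------------------
       22         1.1.3.10         0     RD|ST         2
       15         1.1.3.10         0     RD|ST         1
       8          1.1.1.10         0     RD|ST         2
       6          1.1.1.10         0     RD|ST         1
"""
NHRP_OUT = """
Protocol-addr Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
10.2.1.1        32    1.1.1.10        10.2.1.1      static        hub
-------------------------------------------------------------------------------
10.2.1.3        32    1.1.3.10        10.2.1.3       dynamic      route tunnel
-------------------------------------------------------------------------------
10.2.1.2        32    1.1.2.10        10.2.1.2       dynamic      local
Number of nhrp peers: 3
"""

# One SA row: Conn-ID, Peer, VPN, Flag(s), Phase
SA_ROW = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\d+)\s+(\S+)\s+([12])\s*$")
# One NHRP row: Protocol-addr, Mask, NBMA-addr, NextHop-addr, Type, Flag(s)
NHRP_ROW = re.compile(r"^([\d.]+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+(static|dynamic)\s+(.+?)\s*$")

def ready_phases(ike_sa_out, peer):
    """Set of phases (1, 2) for which the SA to `peer` carries the RD (READY) flag."""
    phases = set()
    for line in ike_sa_out.splitlines():
        m = SA_ROW.match(line)
        if m and m.group(2) == peer and "RD" in m.group(4).split("|"):
            phases.add(int(m.group(5)))
    return phases

def tunnel_up(ike_sa_out, peer):
    """An IPSec tunnel to `peer` is usable only when phase 1 and phase 2 are both READY."""
    return ready_phases(ike_sa_out, peer) == {1, 2}

def nhrp_peers(nhrp_out):
    """{protocol address: (NBMA address, type, flag list)} from 'display nhrp peer all'."""
    peers = {}
    for line in nhrp_out.splitlines():
        m = NHRP_ROW.match(line)
        if m:
            peers[m.group(1)] = (m.group(3), m.group(5), m.group(6).split())
    return peers

def hub_registered(nhrp_out, hub_tunnel_addr, hub_nbma_addr):
    """The Hub must be a static entry flagged 'hub' with the expected NBMA (public) address."""
    entry = nhrp_peers(nhrp_out).get(hub_tunnel_addr)
    return entry is not None and entry[0] == hub_nbma_addr and entry[1] == "static" and "hub" in entry[2]

def spoke_ok(ike_sa_out, nhrp_out, hub_tunnel_addr, hub_nbma_addr):
    """Both conditions from the verification steps: Hub registered and IPSec to the Hub READY."""
    return hub_registered(nhrp_out, hub_tunnel_addr, hub_nbma_addr) and tunnel_up(ike_sa_out, hub_nbma_addr)
```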

 

This post was last edited by 关关系列 on 2017-3-9 09:13.

gululu (Admin) | Created Mar 09, 2017 15:31:11 | Helpful(1)

good