Establishing an IPSec Tunnel Between a Branch Gateway (AR) and Headquarters Gateway (Cisco Router) Using VT Interfaces Highlighted

Latest reply: Mar 1, 2017 16:53:39

Overview

Generally, service data is transparently transmitted on the Internet. This makes the service data prone to attacks, for example, password or bank account information theft or tampering, forced user access, or malicious network attacks. Internet Protocol Security (IPSec) can protect transmitted service data to reduce the risk of information leak.

IPSec is a set of open network security protocols defined by the Internet Engineering Task Force (IETF). Two communicating parties can encrypt data and authenticate the data origin at the IP layer to ensure data confidentiality and integrity and protect against replay attacks on the Internet.

- Data origin authentication: The receiver checks the validity of the sender.

- Data encryption: The sender encrypts data packets and transmits the encrypted packets on the Internet. The receiver decrypts and processes received packets or forwards them directly.

- Data integrity: The receiver authenticates received data to check whether the data has been modified by unauthorized users.

- Anti-replay: The receiver rejects outdated or repeated data packets to prevent attacks from malicious users.

As shown in Figure 1-1, IPSec connects VPNs over the Internet so that users can reach a VPN through the Internet, whether they are in a remote city or in a country outside China. IPSec VPN provides access for mobile office users and partners, and also enables communication between enterprise branches.

Figure 1-1 Basic IPSec VPN networking


Generally, the headquarters and branches establish IPSec tunnels using ACLs. If many data flows need to be protected by IPSec, it is recommended that the IPSec tunnels be established using virtual tunnel (VT) interfaces: all traffic routed into the tunnel interface is protected, so there is no need to create ACL rules that define the traffic to be protected.

Precautions

- Devices from different vendors may have different default values for IPSec parameters. Adjust the IPSec parameter values as needed so that they are the same on the devices at both ends of the IPSec tunnel.

- The dead peer detection (DPD) packet format supported by Cisco differs from the default DPD packet format on the AR. If DPD is enabled, set the DPD packet format on the AR to seq-hash-notify.

- When the IPSec protocol on both the AR and the connected vendor device uses the SHA-2 algorithm, an IPSec tunnel can be established but traffic cannot be transmitted if the SHA-2 encryption and decryption modes on the two devices differ. In this case, you are advised to run the ipsec authentication sha2 compatible enable command on the AR so that the SHA-2 encryption and decryption modes match those on the vendor device.

- If the source address of a tunnel interface is a dynamic IP address, you are advised to specify a source interface rather than an IP address in the source command, so that an address change does not affect the IPSec configuration.

Networking Requirements

On a network shown in Figure 1-2, AR router RouterA functions as the branch gateway and Cisco router RouterB functions as the headquarters gateway. They communicate over the Internet.

The enterprise wants to protect traffic transmitted over the Internet between the enterprise branch and headquarters. An IPSec tunnel can be established between the headquarters gateway and branch gateway to protect communication between the headquarters and branch over the Internet. If many data flows need to be protected by IPSec, it is recommended that the IPSec tunnel be established using virtual tunnel (VT) interfaces, so that no ACL rules are needed to define the traffic to be protected.

Figure 1-2 Establishing an IPSec tunnel between a branch gateway (AR) and headquarters gateway (Cisco router) using VT interfaces


Data Plan

Before the configuration, plan data according to Table 1-1. The data in Table 1-1 is used for reference only.

Table 1-1 Data plan for interconnection between RouterA and RouterB

RouterA public network address: 1.1.2.10
RouterA tunnel interface address: 10.2.1.2
RouterA private network address: 10.1.1.1
RouterB public network address: 1.1.1.10
RouterB tunnel interface address: 10.2.1.1
RouterB private network address: 10.3.1.1

Parameters for IPSec phase 1 (IKE negotiation phase):
- IKE version: v1
- Negotiation mode: main
- Authentication method: pre-shared key
- Pre-shared key: huawei@123
- Encryption algorithm: aes-cbc-128
- Authentication algorithm: sha1
- DH group: group5
- DPD detection: enabled

Parameters for IPSec phase 2 (IPSec negotiation phase):
- Security protocol: ESP
- Encapsulation mode: tunnel
- Encryption algorithm: aes-128
- Authentication algorithm: sha1
- Lifetime: 3600s (default value)
- PFS: disabled

Configuration Procedure

Configuring RouterA (AR Router)

Configuration Roadmap

1. Configure an IP address and a static route on each interface to implement communication between both ends.

2. Configure an IPSec proposal to define the traffic protection method.

3. Configure an IKE peer and define the attributes used for IKE negotiation.

4. Configure an IPSec profile and bind the IPSec proposal and IKE peer to the IPSec profile to define the data flows to be protected and the protection method.

5. Apply the IPSec profile to the tunnel interface so that the tunnel interface can protect traffic.

Procedure

Step 1: Configure an IP address and a static route on each interface to implement communication between both ends over the Internet.

<Huawei> system-view  
[Huawei] sysname RouterA  
[RouterA] interface gigabitethernet 1/0/0  
[RouterA-GigabitEthernet1/0/0] ip address 1.1.2.10 255.255.255.0  
[RouterA-GigabitEthernet1/0/0] quit  
[RouterA] interface gigabitethernet 2/0/0  
[RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0  
[RouterA-GigabitEthernet2/0/0] quit  
[RouterA] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1

Step 2: Configure a tunnel interface and set the tunnel type to IPSec.

[RouterA] interface Tunnel0/0/0  
[RouterA-Tunnel0/0/0] ip address 10.2.1.2 255.255.255.0  
[RouterA-Tunnel0/0/0] tunnel-protocol ipsec  
[RouterA-Tunnel0/0/0] source gigabitethernet 1/0/0  
[RouterA-Tunnel0/0/0] destination 1.1.1.10  
[RouterA-Tunnel0/0/0] quit

Step 3: Configure dynamic routes to the private network address of the peer.

[RouterA] ospf 2  
[RouterA-ospf-2] area 0.0.0.0 
[RouterA-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255 
[RouterA-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.255

Step 4: Configure an IKE proposal, an IKE peer, and an IPSec proposal, and set IPSec negotiation parameters.

# Configure an IKE proposal.

[RouterA] ike proposal 5  
[RouterA-ike-proposal-5] encryption-algorithm aes-cbc-128 
[RouterA-ike-proposal-5] authentication-algorithm sha1 
[RouterA-ike-proposal-5] dh group5  
[RouterA-ike-proposal-5] authentication-method pre-share  
[RouterA-ike-proposal-5] quit

# Configure an IKE peer.

[RouterA] ike peer RouterA v1  
[RouterA-ike-peer-RouterA] ike-proposal 5  
[RouterA-ike-peer-RouterA] pre-shared-key cipher huawei@123 
[RouterA-ike-peer-RouterA] dpd type periodic    
[RouterA-ike-peer-RouterA] dpd msg seq-hash-notify 
[RouterA-ike-peer-RouterA] quit

# Configure an IPSec proposal.

[RouterA] ipsec proposal RouterA  
[RouterA-ipsec-proposal-RouterA] transform esp  
[RouterA-ipsec-proposal-RouterA] encapsulation-mode tunnel 
[RouterA-ipsec-proposal-RouterA] esp authentication-algorithm sha1
[RouterA-ipsec-proposal-RouterA] esp encryption-algorithm aes-128

Step 5: Configure an IPSec profile and bind the IPSec proposal and IKE peer to the IPSec profile.

[RouterA] ipsec profile profile1  
[RouterA-ipsec-profile-profile1] ike-peer RouterA   
[RouterA-ipsec-profile-profile1] proposal RouterA  
[RouterA-ipsec-profile-profile1] quit

Step 6: Apply the IPSec profile to the tunnel interface so that the tunnel interface can protect traffic.

[RouterA] interface tunnel 0/0/0  
[RouterA-Tunnel0/0/0] ipsec profile profile1

----End

Configuring RouterB (Cisco Router)

Configuration Roadmap

1. Configure an IP address and a static route on each interface to implement communication between both ends.

2. Configure an IPSec proposal to define the traffic protection method.

3. Configure an IKE peer and define the attributes used for IKE negotiation.

4. Configure an IPSec profile and bind the IPSec proposal and IKE peer to the IPSec profile to define the data flows to be protected and the protection method.

5. Apply the IPSec profile to the tunnel interface so that the tunnel interface can protect traffic.

Procedure

Step 1: Configure an IP address and a static route on each interface to implement communication between both ends over the Internet.

RouterB#configure terminal  
RouterB(config)#interface gigabitethernet 0/1  
RouterB(config-if)#ip address 1.1.1.10 255.255.255.0  
RouterB(config-if)#exit  
RouterB(config)#interface gigabitethernet 0/2  
RouterB(config-if)#ip address 10.3.1.1 255.255.255.0  
RouterB(config-if)#exit 
RouterB(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.1

Step 2: Configure a tunnel interface and set the tunnel type to IPSec.

RouterB(config)#interface tunnel 0  
RouterB(config-if)#ip address 10.2.1.1 255.255.255.0  
RouterB(config-if)#tunnel mode ipsec ipv4 
RouterB(config-if)#tunnel source gigabitethernet0/1  
RouterB(config-if)#tunnel destination 1.1.2.10 
RouterB(config-if)#exit

Step 3: Configure dynamic routes to the private network address of the peer.

RouterB(config)#router ospf 2 
RouterB(config-router)#network 10.2.1.0 0.0.0.255 area 0 
RouterB(config-router)#network 10.3.1.0 0.0.0.255 area 0 
RouterB(config-router)#exit

Step 4: Configure an IKE proposal, an IKE peer, and an IPSec proposal, and set IPSec negotiation parameters.

# Configure an IKE proposal.

RouterB(config)#crypto isakmp policy 10    
RouterB(config-isakmp)#hash sha  
RouterB(config-isakmp)#encryption aes 128  
RouterB(config-isakmp)#group 5  
RouterB(config-isakmp)#authentication pre-share  
RouterB(config-isakmp)#exit

# Set IPSec phase 1 negotiation parameters.

RouterB(config)#crypto isakmp key huawei@123 address 0.0.0.0 no-xauth 
RouterB(config)#crypto isakmp keepalive 10 periodic

# Configure an IPSec proposal.

RouterB(config)#crypto ipsec transform-set tran1 esp-sha-hmac esp-aes 128  
RouterB(cfg-crypto-trans)#mode tunnel  
RouterB(cfg-crypto-trans)#exit

Step 5: Configure an IPSec profile and bind the IPSec proposal to the IPSec profile.

RouterB(config)#crypto ipsec profile profile1  
RouterB(ipsec-profile)#set transform-set tran1  
RouterB(ipsec-profile)#exit

Step 6: Apply the IPSec profile to the tunnel interface so that the tunnel interface can protect traffic.

RouterB(config)#interface tunnel 0  
RouterB(config-if)#tunnel protection ipsec profile profile1  
RouterB(config-if)#exit

----End

Verification

1. Run the display ike sa command on RouterA and the show crypto isakmp sa command on RouterB. The command output shows that the phase 1 and phase 2 SAs have been established (the output on RouterA is shown as an example).

[RouterA] display ike sa  
       Conn-ID      Peer           VPN    Flag(s)     Phase  
 ---------------------------------------------------------  
        8          1.1.1.10         0     RD|ST         2  
        6          1.1.1.10         0     RD|ST         1  
 Flag Description:                                                                
 RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT               
 HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP

An IPSec tunnel has been successfully established between RouterA and RouterB to protect the traffic exchanged between them.

2. Ping a host at the headquarters from a host in the branch. The ping succeeds. Run the display ipsec statistics esp command to view statistics on IPSec packets. The values of the Inpacket decap count and Outpacket encap count fields are not 0, indicating that data transmitted between the branch and headquarters is encrypted.

Exception Handling

When an IPSec tunnel fails to be set up, check whether routes are reachable and whether the IPSec configurations at both ends are consistent.
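Checking that the parameters match is easier with the two vendors' keywords mapped onto common names. The following Python is an added example (not from the post): it extracts the negotiated parameters from constructed excerpts of the RouterA and RouterB configurations above and reports any that differ; the canonical names and the keyword tables are assumptions that cover only the algorithms used in this post.

```python
import re

# Constructed excerpts of this post's two configurations (parameter lines only).
AR_CONFIG = """\
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha1
 dh group5
 authentication-method pre-share
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128"""
CISCO_CONFIG = """\
 hash sha
 encryption aes 128
 group 5
 authentication pre-share
crypto ipsec transform-set tran1 esp-sha-hmac esp-aes 128
 mode tunnel"""
# (regex, parameter, vendor value -> canonical value). Canonical names are an
# assumption of this example and cover only the algorithms used in the post.
AR_RULES = [
    (r"^encryption-algorithm (\S+)$", "ike_enc", {"aes-cbc-128": "aes128"}),
    (r"^authentication-algorithm (\S+)$", "ike_hash", {"sha1": "sha1"}),
    (r"^dh (\S+)$", "ike_dh", {"group5": "dh5"}),
    (r"^authentication-method (\S+)$", "ike_auth", {"pre-share": "psk"}),
    (r"^encapsulation-mode (\S+)$", "esp_mode", {"tunnel": "tunnel"}),
    (r"^esp authentication-algorithm (\S+)$", "esp_auth", {"sha1": "sha1"}),
    (r"^esp encryption-algorithm (\S+)$", "esp_enc", {"aes-128": "aes128"}),
]
CISCO_RULES = [
    (r"^encryption aes (\d+)$", "ike_enc", {"128": "aes128"}),
    (r"^hash (\S+)$", "ike_hash", {"sha": "sha1"}),
    (r"^group (\d+)$", "ike_dh", {"5": "dh5"}),
    (r"^authentication (\S+)$", "ike_auth", {"pre-share": "psk"}),
    (r"^mode (\S+)$", "esp_mode", {"tunnel": "tunnel"}),
    (r"esp-(sha)-hmac", "esp_auth", {"sha": "sha1"}),
    (r"esp-aes (\d+)", "esp_enc", {"128": "aes128"}),
]

def extract(config, rules):
    """Canonical {parameter: value} for one side; unmapped values are kept raw."""
    params = {}
    for line in config.splitlines():
        for pattern, name, table in rules:
            if m := re.search(pattern, line.strip()):
                params[name] = table.get(m.group(1), m.group(1))
    return params

def mismatches(ar_config, cisco_config):
    """{parameter: (AR value, Cisco value)} for every parameter that differs."""
    a, c = extract(ar_config, AR_RULES), extract(cisco_config, CISCO_RULES)
    return {k: (a.get(k), c.get(k)) for k in sorted(a.keys() | c.keys())
            if a.get(k) != c.get(k)}
```

An empty result from mismatches() means the two sides agree on every parameter the tables know about; a parameter present on only one side shows up with None for the other.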


This post was last edited by 关关系列 on 2017-03-01 14:21.
gululu Admin Created Mar 1, 2017 16:53:39 Helpful(0)

Establishing an IPSec Tunnel Between a Branch Gateway (AR) and Headquarters Gateway (Cisco Router) Using VT Interfaces-2193219-1thanks

Come on!
