Configuring Spoke1 (AR Router)
Configuration Roadmap
Configure an IP address on each interface and a static route so that the two ends can reach each other over the public network.
Configure an mGRE tunnel interface and NHRP information.
Configure static routes to the private networks behind the peers.
Configure an IKE proposal, an IKE peer, and an IPSec proposal, and set IPSec negotiation parameters.
Configure an IPSec profile and bind the IPSec proposal and IKE peer to it.
Apply the IPSec profile to the mGRE tunnel interface so that all traffic sent over the mGRE tunnel is protected.
Procedure
Configure an IP address on each interface and a static route so that the two ends can reach each other over the public network.
<Huawei> system-view
[Huawei] sysname Spoke1
[Spoke1] interface gigabitethernet 1/0/0
[Spoke1-GigabitEthernet1/0/0] ip address 1.1.2.10 255.255.255.0
[Spoke1-GigabitEthernet1/0/0] quit
[Spoke1] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1
Configure an mGRE tunnel interface and NHRP information. The nhrp entry command statically maps the Hub's tunnel address 10.2.1.1 to its public (NBMA) address 1.1.1.10 and registers Spoke1 with the Hub. The NHRP authentication string must be identical to the Hub's ip nhrp authentication setting, and the 1800-second registration interval is half the Hub's 3600-second NHRP holdtime, so the registration is refreshed before the Hub's entry expires.
[Spoke1] interface Tunnel0/0/0
[Spoke1-Tunnel0/0/0] ip address 10.2.1.2 255.255.255.0
[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 10.2.1.1 1.1.1.10 register
[Spoke1-Tunnel0/0/0] nhrp network-id 1000
[Spoke1-Tunnel0/0/0] nhrp authentication simple huawei12
[Spoke1-Tunnel0/0/0] nhrp registration interval 1800
[Spoke1-Tunnel0/0/0] quit
Configure static routes to the private networks behind the peers: 10.1.0.0/24 behind the Hub (next hop 10.2.1.1) and 10.1.2.0/24 behind Spoke2 (next hop 10.2.1.3). Because the next hop for Spoke2's network is Spoke2's tunnel address, the first packet sent to 10.1.2.0/24 triggers NHRP resolution through the Hub and a direct spoke-to-spoke tunnel.
[Spoke1] ip route-static 10.1.0.0 255.255.255.0 10.2.1.1
[Spoke1] ip route-static 10.1.2.0 255.255.255.0 10.2.1.3
Configure an IKE proposal, an IKE peer, and an IPSec proposal, and set IPSec negotiation parameters.
# Configure an IKE proposal. The encryption algorithm, authentication algorithm, DH group, and authentication method must match the Hub's ISAKMP policy; the SA duration of 28800 seconds equals the Hub's lifetime.
[Spoke1] ike proposal 5
[Spoke1-ike-proposal-5] encryption-algorithm aes-cbc-128
[Spoke1-ike-proposal-5] authentication-algorithm sha1
[Spoke1-ike-proposal-5] dh group5
[Spoke1-ike-proposal-5] sa duration 28800
[Spoke1-ike-proposal-5] authentication-method pre-share
[Spoke1-ike-proposal-5] quit
# Configure an IKE peer. The pre-shared key must be the one the Hub holds in its crypto isakmp key command; IKEv1 main mode is used, and periodic DPD lets the Spoke detect a dead Hub SA instead of waiting for the lifetime to expire.
[Spoke1] ike peer spoke1 v1
[Spoke1-ike-peer-spoke1] ike-proposal 5
[Spoke1-ike-peer-spoke1] pre-shared-key cipher huawei@123
[Spoke1-ike-peer-spoke1] exchange-mode main
[Spoke1-ike-peer-spoke1] dpd type periodic
[Spoke1-ike-peer-spoke1] quit
# Configure an IPSec proposal. Transport mode matches the Hub's mode transport require setting, which does not fall back to tunnel mode.
[Spoke1] ipsec proposal spoke1
[Spoke1-ipsec-proposal-spoke1] transform esp
[Spoke1-ipsec-proposal-spoke1] esp authentication-algorithm sha1
[Spoke1-ipsec-proposal-spoke1] esp encryption-algorithm aes-128
[Spoke1-ipsec-proposal-spoke1] encapsulation-mode transport
[Spoke1-ipsec-proposal-spoke1] quit
Configure an IPSec profile and bind the IPSec proposal and IKE peer to the IPSec profile.
[Spoke1] ipsec profile profile1
[Spoke1-ipsec-profile-profile1] ike-peer spoke1
[Spoke1-ipsec-profile-profile1] proposal spoke1
[Spoke1-ipsec-profile-profile1] quit
Apply the IPSec profile to the mGRE tunnel interface so that all GRE traffic on the tunnel, NHRP messages included, is protected.
[Spoke1] interface tunnel 0/0/0
[Spoke1-Tunnel0/0/0] ipsec profile profile1
[Spoke1-Tunnel0/0/0] quit
Configuring Spoke2 (AR Router)
Configuration Roadmap
Configure an IP address on each interface and a static route so that the two ends can reach each other over the public network.
Configure an mGRE tunnel interface and NHRP information.
Configure static routes to the private networks behind the peers.
Configure an IKE proposal, an IKE peer, and an IPSec proposal, and set IPSec negotiation parameters.
Configure an IPSec profile and bind the IPSec proposal and IKE peer to it.
Apply the IPSec profile to the mGRE tunnel interface so that all traffic sent over the mGRE tunnel is protected.
Procedure
Configure an IP address on each interface and a static route so that the two ends can reach each other over the public network.
<Huawei> system-view
[Huawei] sysname Spoke2
[Spoke2] interface gigabitethernet 1/0/0
[Spoke2-GigabitEthernet1/0/0] ip address 1.1.3.10 255.255.255.0
[Spoke2-GigabitEthernet1/0/0] quit
[Spoke2] ip route-static 0.0.0.0 0.0.0.0 1.1.3.1
Configure an mGRE tunnel interface and NHRP information. The settings mirror Spoke1: the same Hub mapping, the same NHRP authentication string, and a registration interval of half the Hub's holdtime.
[Spoke2] interface Tunnel0/0/0
[Spoke2-Tunnel0/0/0] ip address 10.2.1.3 255.255.255.0
[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 10.2.1.1 1.1.1.10 register
[Spoke2-Tunnel0/0/0] nhrp network-id 1000
[Spoke2-Tunnel0/0/0] nhrp authentication simple huawei12
[Spoke2-Tunnel0/0/0] nhrp registration interval 1800
[Spoke2-Tunnel0/0/0] quit
Configure static routes to the private networks behind the peers: 10.1.0.0/24 behind the Hub (next hop 10.2.1.1) and 10.1.1.0/24 behind Spoke1 (next hop 10.2.1.2).
[Spoke2] ip route-static 10.1.0.0 255.255.255.0 10.2.1.1
[Spoke2] ip route-static 10.1.1.0 255.255.255.0 10.2.1.2
Configure an IKE proposal, an IKE peer, and an IPSec proposal, and set IPSec negotiation parameters.
# Configure an IKE proposal. The parameters are identical to Spoke1's and match the Hub's ISAKMP policy.
[Spoke2] ike proposal 5
[Spoke2-ike-proposal-5] encryption-algorithm aes-cbc-128
[Spoke2-ike-proposal-5] authentication-algorithm sha1
[Spoke2-ike-proposal-5] dh group5
[Spoke2-ike-proposal-5] sa duration 28800
[Spoke2-ike-proposal-5] authentication-method pre-share
[Spoke2-ike-proposal-5] quit
# Configure an IKE peer with the same pre-shared key as the Hub and Spoke1.
[Spoke2] ike peer spoke2 v1
[Spoke2-ike-peer-spoke2] ike-proposal 5
[Spoke2-ike-peer-spoke2] pre-shared-key cipher huawei@123
[Spoke2-ike-peer-spoke2] exchange-mode main
[Spoke2-ike-peer-spoke2] dpd type periodic
[Spoke2-ike-peer-spoke2] quit
# Configure an IPSec proposal in transport mode, as on Spoke1 and the Hub.
[Spoke2] ipsec proposal spoke2
[Spoke2-ipsec-proposal-spoke2] transform esp
[Spoke2-ipsec-proposal-spoke2] esp authentication-algorithm sha1
[Spoke2-ipsec-proposal-spoke2] esp encryption-algorithm aes-128
[Spoke2-ipsec-proposal-spoke2] encapsulation-mode transport
[Spoke2-ipsec-proposal-spoke2] quit
Configure an IPSec profile and bind the IPSec proposal and IKE peer to the IPSec profile.
[Spoke2] ipsec profile profile1
[Spoke2-ipsec-profile-profile1] ike-peer spoke2
[Spoke2-ipsec-profile-profile1] proposal spoke2
[Spoke2-ipsec-profile-profile1] quit
Apply the IPSec profile to the mGRE tunnel interface so that all GRE traffic on the tunnel is protected.
[Spoke2] interface tunnel 0/0/0
[Spoke2-Tunnel0/0/0] ipsec profile profile1
[Spoke2-Tunnel0/0/0] quit
Configuring the Hub (Cisco Router)
Configuration Roadmap
Configure an IP address on each interface and a static route so that the two ends can reach each other over the public network.
Configure an mGRE tunnel interface and NHRP information.
Configure static routes to the private networks behind the Spokes.
Configure an ISAKMP policy, the pre-shared key, and a transform set (the Cisco equivalents of the IKE proposal, IKE peer, and IPSec proposal on the Spokes).
Configure an IPSec profile and bind the transform set to it.
Apply the IPSec profile to the mGRE tunnel interface so that all traffic sent over the mGRE tunnel is protected.
Procedure
Configure an IP address on each interface and a static route so that the two ends can reach each other over the public network.
Router#configure terminal
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip address 1.1.1.10 255.255.255.0
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.1
Configure an mGRE tunnel interface and NHRP information. The Hub needs no static NHRP mapping because the Spokes register with it; the holdtime of 3600 seconds is how long a Spoke's registration stays valid, and the NHRP authentication string must match the one on the Spokes.
Router(config)#interface tunnel 0
Router(config-if)#ip address 10.2.1.1 255.255.255.0
Router(config-if)#tunnel mode gre multipoint
Router(config-if)#tunnel source gigabitethernet0/1
Router(config-if)#ip nhrp holdtime 3600
Router(config-if)#ip nhrp network-id 1000
Router(config-if)#ip nhrp authentication huawei12
Router(config-if)#ip nhrp map multicast dynamic
Router(config-if)#exit
Configure static routes to the private networks behind the Spokes: 10.1.2.0/24 behind Spoke2 (next hop 10.2.1.3) and 10.1.1.0/24 behind Spoke1 (next hop 10.2.1.2).
Router(config)#ip route 10.1.2.0 255.255.255.0 10.2.1.3
Router(config)#ip route 10.1.1.0 255.255.255.0 10.2.1.2
Configure an ISAKMP policy, the pre-shared key, and a transform set, and set IPSec negotiation parameters.
# Configure an IKE proposal (ISAKMP policy). The hash, encryption algorithm, DH group, and authentication method match the Spokes' IKE proposal 5, and the lifetime equals the Spokes' SA duration of 28800 seconds.
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#hash sha
Router(config-isakmp)#encryption aes 128
Router(config-isakmp)#group 5
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#lifetime 28800
Router(config-isakmp)#exit
# Configure the pre-shared key for IKE phase 1. The Spokes' public addresses are not known in advance, so the key is bound to 0.0.0.0 and accepted from any peer address. This means the key is the only thing that identifies a Spoke to the Hub: any device that knows huawei@123 can complete IKE with the Hub, so the key must be treated as a credential shared by the whole DSVPN.
Router(config)#crypto isakmp key huawei@123 address 0.0.0.0 no-xauth
# Configure an IPSec proposal (transform set). "mode transport require" forbids falling back to tunnel mode, so the Spokes' encapsulation mode must also be transport.
Router(config)#crypto ipsec transform-set tran1 esp-sha-hmac esp-aes 128
Router(cfg-crypto-trans)#mode transport require
Router(cfg-crypto-trans)#exit
Configure an IPSec profile and bind the transform set to it. Unlike the Spokes, the Hub binds no IKE peer to the profile; the ISAKMP policy and pre-shared key configured above apply globally.
Router(config)#crypto ipsec profile profile1
Router(ipsec-profile)#set transform-set tran1
Router(ipsec-profile)#exit
Apply the IPSec profile to the mGRE tunnel interface so that all GRE traffic on the tunnel is protected.
Router(config)#interface tunnel 0
Router(config-if)#tunnel protection ipsec profile profile1
Router(config-if)#exit
Verification
Run the display ike sa command on the Spokes, and the show crypto isakmp sa and show crypto ipsec sa commands on the Hub. The output shows that the phase 1 and phase 2 SAs between each Spoke and the Hub have been established (Spoke1 is used as an example; 1.1.1.10 is the Hub's public address).
[Spoke1] display ike sa
 Conn-ID  Peer            VPN  Flag(s)  Phase
---------------------------------------------------------
   8      1.1.1.10        0    RD|ST    2
   6      1.1.1.10        0    RD|ST    1
 Flag Description:
 RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
 HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
An IPSec tunnel has been successfully established between Spoke1 and the Hub to protect traffic exchanged between them.
From Spoke1, ping 10.1.2.1, an address in the private network behind Spoke2, and then run the display nhrp peer all command on Spoke1. The output lists the NHRP peer entries (Spoke1 is used as an example).
[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
10.2.1.1         32    1.1.1.10        10.2.1.1        static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time   : 05:13:06
Expire time    : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
10.2.1.3         32    1.1.3.10        10.2.1.3        dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time   : 00:00:31
Expire time    : 01:59:29
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
10.2.1.2         32    1.1.2.10        10.2.1.2        dynamic  local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time   : 00:00:31
Expire time    : 01:59:29
Number of nhrp peers: 3
The static entry is the Hub mapping configured with the nhrp entry command. The dynamic entry for 10.2.1.3 with NBMA address 1.1.3.10 was learned through NHRP resolution when the ping was sent, so a direct spoke-to-spoke DSVPN tunnel to Spoke2 has been established; the local entry is Spoke1's own address mapping. Dynamic entries carry an expire time, the static Hub entry does not.
After the Spokes have exchanged traffic, run the display ike sa command on a Spoke. The output now also shows phase 1 and phase 2 SAs with the other Spoke's public address (Spoke1 is used as an example; 1.1.3.10 is Spoke2).
[Spoke1] display ike sa
 Conn-ID  Peer            VPN  Flag(s)  Phase
---------------------------------------------------------
   22     1.1.3.10        0    RD|ST    2
   15     1.1.3.10        0    RD|ST    1
   8      1.1.1.10        0    RD|ST    2
   6      1.1.1.10        0    RD|ST    1
 Flag Description:
 RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
 HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
An IPSec tunnel has been established directly between the Spokes, so spoke-to-spoke traffic is protected without passing through the Hub.
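The two verification outputs above can be checked programmatically. The following script is an added example, not code from the original page: it parses the Huawei display ike sa and display nhrp peer all output, confirms that every expected peer has an NHRP mapping to the NBMA address we expect and READY phase 1 and phase 2 IKE SAs with that address, and flags any remote NHRP entry that was not expected (which is where a bogus registration or resolution reply would appear). The command outputs embedded in the block are constructed from the values on this page; the expected-peer table is an assumption for the example.

```python
"""Operational check of a DSVPN spoke's state (added example, not from the
original page). Parses Huawei `display ike sa` and `display nhrp peer all`
output and compares it with the peers the operator expects."""
import re

# Constructed sample: display ike sa on Spoke1 after spoke-to-spoke traffic.
IKE_SA_OUTPUT = """\
 Conn-ID  Peer            VPN  Flag(s)  Phase
---------------------------------------------------------
   22     1.1.3.10        0    RD|ST    2
   15     1.1.3.10        0    RD|ST    1
   8      1.1.1.10        0    RD|ST    2
   6      1.1.1.10        0    RD|ST    1
 Flag Description:
 RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
"""

# Constructed sample: display nhrp peer all on Spoke1 (entry lines only).
NHRP_OUTPUT = """\
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type     Flag
10.2.1.1         32    1.1.1.10        10.2.1.1        static   hub
Tunnel interface: Tunnel0/0/0
10.2.1.3         32    1.1.3.10        10.2.1.3        dynamic  route tunnel
Tunnel interface: Tunnel0/0/0
10.2.1.2         32    1.1.2.10        10.2.1.2        dynamic  local
Number of nhrp peers: 3
"""

IPV4 = r"\d+(?:\.\d+){3}"
SA_LINE = re.compile(rf"\s*(\d+)\s+({IPV4})\s+(\d+)\s+(\S+)\s+([12])\s*$")
NHRP_LINE = re.compile(
    rf"\s*({IPV4})\s+(\d+)\s+({IPV4})\s+({IPV4})\s+(static|dynamic)\s+(.+?)\s*$")


def parse_ike_sa(text):
    """-> {peer_nbma_address: {phase: set(flags)}}"""
    sas = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            sas.setdefault(m.group(2), {})[int(m.group(5))] = set(m.group(4).split("|"))
    return sas


def parse_nhrp(text):
    """-> {tunnel_address: {"nbma": str, "type": str, "flag": str}}"""
    peers = {}
    for line in text.splitlines():
        m = NHRP_LINE.match(line)
        if m:
            peers[m.group(1)] = {"nbma": m.group(3), "type": m.group(5), "flag": m.group(6)}
    return peers


def sa_ready(sas, nbma):
    """True when both IKE phases exist and are flagged READY for this NBMA address."""
    return all("RD" in sas.get(nbma, {}).get(phase, set()) for phase in (1, 2))


def verify(ike_text, nhrp_text, expected):
    """expected: {tunnel_address: nbma_address} for every remote peer that must be up.
    Returns a list of problems; [] means the DSVPN state matches expectations."""
    sas, peers = parse_ike_sa(ike_text), parse_nhrp(nhrp_text)
    problems = []
    for tun, nbma in expected.items():
        entry = peers.get(tun)
        if entry is None:
            problems.append(f"no NHRP entry for {tun}")
        elif entry["nbma"] != nbma:
            problems.append(f"NHRP maps {tun} to {entry['nbma']}, expected {nbma}")
        elif not sa_ready(sas, nbma):
            problems.append(f"no READY phase-1 and phase-2 IKE SA with {nbma}")
    # Any remote entry the operator did not expect deserves a look: this is where
    # a bogus NHRP registration or resolution reply would show up.
    for tun, entry in peers.items():
        if entry["flag"] != "local" and tun not in expected:
            problems.append(f"unexpected NHRP peer {tun} at {entry['nbma']}")
    return problems


# Assumption for the example: the Hub and Spoke2 with the addresses used on this page.
EXPECTED = {"10.2.1.1": "1.1.1.10", "10.2.1.3": "1.1.3.10"}

if __name__ == "__main__":
    print(verify(IKE_SA_OUTPUT, NHRP_OUTPUT, EXPECTED) or "DSVPN state OK")
```

In practice the two strings would be collected from the device over SSH and the expected table maintained alongside the Spoke configuration; the check is cheap enough to run on every registration interval.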
Exception Handling
When an IPSec tunnel fails to be set up, first check that the public addresses are reachable (ping the peer's NBMA address from the tunnel source interface), then check that the IKE proposal (encryption algorithm, authentication algorithm, DH group, authentication method), the pre-shared key, the IPSec proposal (ESP algorithms and encapsulation mode), and the IKE version are consistent at both ends. On the Spokes, display ike sa and display ipsec sa show which phase failed; on the Hub, show crypto isakmp sa and show crypto ipsec sa show the same.
When a DSVPN tunnel fails to be set up, check that the NHRP configuration is consistent at both ends: the Spoke's nhrp entry must point at the Hub's tunnel address and public address, and the NHRP authentication string must be identical on all nodes. NHRP simple authentication is carried in cleartext inside the GRE packet and only keeps misconfigured devices out of the DSVPN; confidentiality and peer authentication come from the IPSec profile bound to the tunnel interface, so investigate NHRP only after the IPSec SAs to the Hub are READY.
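The consistency check described in this section, and implied by the three configuration procedures above, can be automated. The following script is an added example, not code from the original page: it extracts the IKE, IPSec and NHRP parameters from a Huawei AR Spoke configuration and a Cisco IOS Hub configuration, maps both vendors' spellings onto one vocabulary, and lists every field that would make negotiation fail. It also reports whether the Hub's pre-shared key is bound to 0.0.0.0, i.e. accepted from any peer address. The sample configurations are constructed from the values used on this page; the normalisation table only knows the algorithms used here, and the NHRP network ID is compared because this example keeps it identical on all nodes, not because the protocol carries it.

```python
"""Cross-vendor DSVPN parameter consistency check (added example, not code from
the original page). Extracts the IKE, IPSec and NHRP settings from a Huawei AR
spoke configuration and a Cisco IOS hub configuration, maps both onto a common
vocabulary, and lists every field that differs."""
import re

# Constructed sample: Spoke1's relevant configuration from this page, condensed.
SPOKE1_CONF = """\
 tunnel-protocol gre p2mp
 nhrp network-id 1000
 nhrp authentication simple huawei12
ike proposal 5
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha1
 dh group5
 authentication-method pre-share
ike peer spoke1 v1
 pre-shared-key cipher huawei@123
ipsec proposal spoke1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
 encapsulation-mode transport
"""

# Constructed sample: the Cisco Hub's relevant configuration from this page, condensed.
HUB_CONF = """\
 tunnel mode gre multipoint
 ip nhrp network-id 1000
 ip nhrp authentication huawei12
crypto isakmp policy 10
 hash sha
 encryption aes 128
 group 5
 authentication pre-share
crypto isakmp key huawei@123 address 0.0.0.0 no-xauth
crypto ipsec transform-set tran1 esp-sha-hmac esp-aes 128
 mode transport require
"""

# Vendor spellings of the same algorithm or mode, mapped to one common name.
CANON = {"aes-cbc-128": "aes-128", "aes 128": "aes-128", "esp-aes 128": "aes-128",
         "sha": "sha1", "esp-sha-hmac": "sha1", "pre-share": "psk",
         "p2mp": "mgre", "multipoint": "mgre"}

# (regex with one capture group, common field name); one rule set per vendor.
HUAWEI_RULES = [
    (r"^\s*tunnel-protocol gre (\S+)", "tunnel_mode"),
    (r"^\s*nhrp network-id (\d+)", "nhrp_id"),
    (r"^\s*nhrp authentication simple (\S+)", "nhrp_key"),
    (r"^\s*encryption-algorithm (\S+)", "ike_enc"),
    (r"^\s*authentication-algorithm (\S+)", "ike_hash"),
    (r"^\s*dh group(\d+)", "ike_dh"),
    (r"^\s*authentication-method (\S+)", "ike_auth"),
    (r"^\s*pre-shared-key cipher (\S+)", "psk"),
    (r"^\s*esp encryption-algorithm (\S+)", "esp_enc"),
    (r"^\s*esp authentication-algorithm (\S+)", "esp_auth"),
    (r"^\s*encapsulation-mode (\S+)", "esp_mode"),
]
CISCO_RULES = [
    (r"^\s*tunnel mode gre (\S+)", "tunnel_mode"),
    (r"^\s*ip nhrp network-id (\d+)", "nhrp_id"),
    (r"^\s*ip nhrp authentication (\S+)", "nhrp_key"),
    (r"^\s*encryption (aes \d+|3des|des)", "ike_enc"),
    (r"^\s*hash (\S+)", "ike_hash"),
    (r"^\s*group (\d+)", "ike_dh"),
    (r"^\s*authentication (\S+)", "ike_auth"),
    (r"^\s*crypto isakmp key (\S+) address", "psk"),
    (r"^\s*crypto ipsec transform-set \S+ esp-\w+-hmac (esp-aes \d+|esp-3des)", "esp_enc"),
    (r"^\s*crypto ipsec transform-set \S+ (esp-\w+-hmac)", "esp_auth"),
    (r"^\s*mode (\S+)", "esp_mode"),
]
FIELDS = [field for _, field in HUAWEI_RULES]


def parse(conf, rules):
    """Return {field: normalised value} for every rule that matches a config line."""
    found = {}
    for line in conf.splitlines():
        for pattern, field in rules:
            m = re.match(pattern, line)
            if m:
                found[field] = CANON.get(m.group(1), m.group(1))
    return found


def mismatches(spoke_conf, hub_conf):
    """[(field, spoke_value, hub_value)] for each field that differs or is missing
    on one side; [] means the negotiation parameters agree."""
    spoke, hub = parse(spoke_conf, HUAWEI_RULES), parse(hub_conf, CISCO_RULES)
    return [(f, spoke.get(f), hub.get(f)) for f in FIELDS if spoke.get(f) != hub.get(f)]


def hub_accepts_any_peer(hub_conf):
    """True when the Hub's pre-shared key is bound to address 0.0.0.0, so any IKE
    initiator that knows the key is accepted (as in this page's Hub configuration)."""
    return re.search(r"crypto isakmp key \S+ address 0\.0\.0\.0", hub_conf) is not None
```

Run mismatches(SPOKE1_CONF, HUB_CONF) against the configurations as shown and it returns an empty list; change the Hub's DH group to 2 and it returns [("ike_dh", "5", "2")], which is exactly the kind of single-parameter mismatch that leaves phase 1 stuck. The rules only cover the command forms used on this page, so a real deployment would extend the tables for the algorithms and IKE versions it permits.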
