As shown in Figure Networking for establishing an IPSec tunnel between the AR and Cisco router using the host name, RouterA is the enterprise branch gateway, and RouterB is the enterprise headquarters gateway (Cisco router). The headquarters and branch communicate through the NAT device over the public network.
The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. The headquarters router is deployed on the private network, and the NAT device connected to the headquarters gateway provides the NAT server function and shields the private network address of the headquarters router. An IPSec tunnel between the branch gateway and headquarters gateway can be established using the host name.
Figure1 Networking for establishing an IPSec tunnel between the AR and Cisco router using the host name
Procedure
Configure RouterA.
#sysname RouterA //Configure the device name#ipsec authentication sha2 compatible enable#ike local-name huawei#acl number 3000 //Specify data flows (traffic from the branch subnet to the headquarters subnet) to be protected.rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255#ipsec proposal prop1 //Configure an IPSec proposal.esp authentication-algorithm sha2-256esp encryption-algorithm aes-128#ike proposal 1 //Configure an IKE proposal.encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.dh group14authentication-algorithm sha2-256#ike peer peer1 v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.exchange-mode aggressive //Configure the aggressive mode.pre-shared-key cipher %@%@W'KwGZ8`tQ8s^C8q(qC"0(;@%@%@%#%#@W4p8i~Mm5sn;9Xc&U#(cJC;.CE|qCD#jAH&/#nR%#%# //Configure the pre-shared key as huawei@1234.ike-proposal 1local-id-type name //Configure the local ID type for IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.remote-name RouterB //Configure the IKE peer name. In V200R008 and later versions, the device does not support the remote-name command. This command provides teh same function as the remote-id command.nat traversal //Enable NAT traversal. In V200R008, NAT traversal is enabled on the device by default, and this command is not supported. In versions later than V200R008, this command is supported.remote-address 60.1.2.1 //Use the translated IP address as the IP address of the IKE peer.#ipsec policy policy1 10 isakmp //Configure an IPSec policy.security acl 3000ike-peer peer1proposal prop1#interface GigabitEthernet0/0/1ip address 60.1.1.1 255.255.255.0ipsec policy policy1 //Apply the IPSec policy to the interface.#interface GigabitEthernet0/0/2ip address 10.1.1.1 255.255.255.0#ip route-static 0.0.0.0 0.0.0.0 60.1.1.2 //Configure a static route to ensure reachability at both ends.#returnConfigure NATer.
#sysname NATer //Configure the device name.#interface GigabitEthernet0/0/1ip address 60.1.2.1 255.255.255.0nat server protocol udp global current-interface 500 inside 192.168.1.2 500 //Specify the port number before IPSec over NAT traversal.nat server protocol udp global current-interface 4500 inside 192.168.1.2 4500 //Specify the port number after IPSec over NAT traversal.nat server protocol icmp global current-interface inside 192.168.1.2 //Configure the device to allow ICMP packets.#interface GigabitEthernet0/0/2ip address 192.168.1.1 255.255.255.0#ip route-static 0.0.0.0 0.0.0.0 60.1.2.2 //Configure a static route to ensure reachability at both ends.#return
Configure RouterB.
!hostname RouterB //Configure the device name.!crypto isakmp policy 1encryption aes 128hash sha256authentication pre-sharegroup 14crypto isakmp key huawei@1234 hostname huawei //Configure the pre-shared key as huawei@1234.!crypto isakmp identity hostname //Set the local ID type in IKE negotiation to hostname.!crypto ipsec transform-set p1 esp-sha256-hmac esp-aes 128 //Configure a security algorithm used by IPSec.!crypto map p1 1 ipsec-isakmp //Configure an IPSec policy.set peer 60.1.1.1set transform-set p1match address 102!!interface GigabitEthernet0/0ip address 192.168.1.2 255.255.255.0duplex autospeed autocrypto map p1 //Apply the IPSec policy to the interface.!interface GigabitEthernet0/1ip address 10.1.2.1 255.255.255.0duplex autospeed auto!!ip route 0.0.0.0 0.0.0.0 192.168.1.1 //Configure a static route to ensure reachability at both ends.!access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 //Specify data flows (traffic from the headquarters subnet to the branch subnet) to be protected.!end
Verify the configuration.
# After the configuration is complete, run the ping command on PC A. PC B can be pinged.
# Run the display ike sa and display ipsec sa commands on RouterA, and run the show crypto isakmp sa and show crypto ipsec sa commands on RouterB. You can see that the IPSec tunnel is created successfully.
# Run the display ipsec statistics command on RouterA to check data packet statistics.
