Hi, everyone! Today I'm going to show how to establish an IPSec tunnel between a branch gateway (AR) and a headquarters gateway (Cisco router) using VT interfaces.
Overview
Generally, service data is transparently transmitted on the Internet. This makes the service data prone to attacks, for example, password or bank account information theft or tampering, forced user access, or malicious network attacks. Internet Protocol Security (IPSec) can protect transmitted service data to reduce the risk of information leak.
IPSec is a set of open network security protocols defined by the Internet Engineering Task Force (IETF). Two communicating parties can encrypt data and authenticate the data origin at the IP layer to ensure data confidentiality and integrity and protect against replay attacks on the Internet.
- Data origin authentication: The receiver checks the validity of the sender.
- Data encryption: The sender encrypts data packets and transmits the encrypted packets on the Internet. The receiver decrypts and processes received packets or forwards them directly.
- Data integrity: The receiver authenticates received data to check whether the data has been modified by unauthorized users.
- Anti-replay: The receiver rejects outdated or repeated data packets to prevent attacks from malicious users.
As shown in Figure 1-1, IPSec connects VPNs over the Internet to allow users to reach VPNs through the Internet, whether they are in a remote city or in a country outside China. IPSec VPN provides the access service for mobile office users and partners, and also enables communication between enterprise branches.
Figure 1-1 Basic IPSec VPN networking
Generally, the headquarters and branches establish IPSec tunnels using ACLs. If a large number of data flows need to be protected by IPSec, it is recommended that IPSec tunnels be established using virtual tunnel (VT) interfaces. All traffic routed into the tunnel interface is protected, so there is no need to create ACL rules to define the traffic characteristics to be protected.
Precautions
- Devices from different vendors may have different default values for IPSec parameters. Adjust IPSec parameter values based on actual needs to ensure that they are the same on the devices at both ends of an IPSec tunnel.
- The dead peer detection (DPD) packet format supported by Cisco differs from the default DPD packet format on the AR. If DPD is enabled, you need to set the DPD packet format on the AR to seq-hash-notify.
- When the IPSec protocol on both the AR and its connected vendor device uses the SHA-2 algorithm, an IPSec tunnel can be established but traffic cannot be transmitted if the SHA-2 encryption and decryption modes on the two devices are different. If so, you are advised to run the ipsec authentication sha2 compatible enable command on the AR to set the SHA-2 encryption and decryption modes to be the same as those on the vendor device.
- If the source address of a tunnel interface is a dynamic IP address, you are advised to specify the source interface (rather than its IP address) in the source command, so that an address change does not affect the IPSec configuration.
Networking Requirements
On the network shown in Figure 1-2, AR router RouterA functions as the branch gateway and Cisco router RouterB functions as the headquarters gateway. They communicate over the Internet.
The enterprise wants to protect traffic transmitted over the Internet between the enterprise branch and headquarters. An IPSec tunnel can be established between the headquarters gateway and branch gateway to protect communication between the headquarters and branch over the Internet. If a large number of data flows need to be protected by IPSec, it is recommended that the IPSec tunnel be established using virtual tunnel (VT) interfaces. There is no need to create ACL rules to define the traffic characteristics to be protected.
Figure 1-2 Establishing an IPSec tunnel between a branch gateway (AR) and headquarters gateway (Cisco router) using VT interfaces
Data Plan
Before the configuration, plan data according to Table 1-1. The data in Table 1-1 is used for reference only.
Table 1-1 Data plan for interconnection between the RouterA and RouterB
Item | Value
RouterA Public Network Address | 1.1.2.10
RouterA Tunnel Interface Address | 10.2.1.2
RouterA Private Network Address | 10.1.1.1
RouterB Public Network Address | 1.1.1.10
RouterB Tunnel Interface Address | 10.2.1.1
RouterB Private Network Address | 10.3.1.1
Parameters for IPSec Phase 1 (IKE Negotiation Phase) | IKE version: v1; Negotiation mode: main; Authentication method: pre-shared key; Pre-shared key: huawei@123; Encryption algorithm: aes-cbc-128; Authentication algorithm: sha1; DH group: group5; DPD detection: enabled
Parameters for IPSec Phase 2 (IPSec Negotiation Phase) | Security protocol: ESP; Encapsulation mode: tunnel; Encryption algorithm: aes-128; Authentication algorithm: sha1; Lifetime: 3600s (default value); PFS: disabled
Configuration Procedure
1 Configuring RouterA (AR Router)
Configuration Roadmap
1. Configure an IP address and a static route on each interface to implement communication between both ends.
2. Configure an IPSec proposal to define the traffic protection method.
3. Configure an IKE peer and define the attributes used for IKE negotiation.
4. Configure an IPSec profile and bind the IPSec proposal and IKE peer to the IPSec profile to define the data flows to be protected and the protection method.
5. Apply the IPSec profile to the tunnel interface so that the tunnel interface can protect traffic.
Procedure
Step 1 Configure an IP address and a static route on each interface to implement communication between both ends over the Internet.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.2.10 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1
Step 2 Configure a tunnel interface and set the tunnel type to IPSec.
[RouterA] interface Tunnel0/0/0
[RouterA-Tunnel0/0/0] ip address 10.2.1.2 255.255.255.0
[RouterA-Tunnel0/0/0] tunnel-protocol ipsec
[RouterA-Tunnel0/0/0] source gigabitethernet 1/0/0
[RouterA-Tunnel0/0/0] destination 1.1.1.10
[RouterA-Tunnel0/0/0] quit
Step 3 Configure dynamic routes to the private network address of the peer.
[RouterA] ospf 2
[RouterA-ospf-2] area 0.0.0.0
[RouterA-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] quit
[RouterA-ospf-2] quit
Step 4 Configure an IKE proposal, an IKE peer, and an IPSec proposal, and set IPSec negotiation parameters.
# Configure an IKE proposal.
[RouterA] ike proposal 5
[RouterA-ike-proposal-5] encryption-algorithm aes-cbc-128
[RouterA-ike-proposal-5] authentication-algorithm sha1
[RouterA-ike-proposal-5] dh group5
[RouterA-ike-proposal-5] authentication-method pre-share
[RouterA-ike-proposal-5] quit
# Configure an IKE peer.
[RouterA] ike peer RouterA v1
[RouterA-ike-peer-RouterA] ike-proposal 5
[RouterA-ike-peer-RouterA] pre-shared-key cipher huawei@123
[RouterA-ike-peer-RouterA] dpd type periodic
[RouterA-ike-peer-RouterA] dpd msg seq-hash-notify
[RouterA-ike-peer-RouterA] quit
# Configure an IPSec proposal.
[RouterA] ipsec proposal RouterA
[RouterA-ipsec-proposal-RouterA] transform esp
[RouterA-ipsec-proposal-RouterA] encapsulation-mode tunnel
[RouterA-ipsec-proposal-RouterA] esp authentication-algorithm sha1
[RouterA-ipsec-proposal-RouterA] esp encryption-algorithm aes-128
[RouterA-ipsec-proposal-RouterA] quit
Step 5 Configure an IPSec profile and bind the IPSec proposal and IKE peer to the IPSec profile.
[RouterA] ipsec profile profile1
[RouterA-ipsec-profile-profile1] ike-peer RouterA
[RouterA-ipsec-profile-profile1] proposal RouterA
[RouterA-ipsec-profile-profile1] quit
Step 6 Apply the IPSec profile to the tunnel interface so that the tunnel interface can protect traffic.
[RouterA] interface tunnel 0/0/0
[RouterA-Tunnel0/0/0] ipsec profile profile1
----End
2 Configuring RouterB (Cisco Router)
Configuration Roadmap
1. Configure an IP address and a static route on each interface to implement communication between both ends.
2. Configure an IPSec proposal to define the traffic protection method.
3. Configure an IKE peer and define the attributes used for IKE negotiation.
4. Configure an IPSec profile and bind the IPSec proposal and IKE peer to the IPSec profile to define the data flows to be protected and the protection method.
5. Apply the IPSec profile to the tunnel interface so that the tunnel interface can protect traffic.
Procedure
Step 1 Configure an IP address and a static route on each interface to implement communication between both ends over the Internet.
RouterB#configure terminal
RouterB(config)#interface gigabitethernet 0/1
RouterB(config-if)#ip address 1.1.1.10 255.255.255.0
RouterB(config-if)#exit
RouterB(config)#interface gigabitethernet 0/2
RouterB(config-if)#ip address 10.3.1.1 255.255.255.0
RouterB(config-if)#exit
RouterB(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.1
Step 2 Configure a tunnel interface and set the tunnel type to IPSec.
RouterB(config)#interface tunnel 0
RouterB(config-if)#ip address 10.2.1.1 255.255.255.0
RouterB(config-if)#tunnel mode ipsec ipv4
RouterB(config-if)#tunnel source gigabitethernet0/1
RouterB(config-if)#tunnel destination 1.1.2.10
RouterB(config-if)#exit
Step 3 Configure dynamic routes to the private network address of the peer.
RouterB(config)#router ospf 2
RouterB(config-router)#network 10.2.1.0 0.0.0.255 area 0
RouterB(config-router)#network 10.3.1.0 0.0.0.255 area 0
RouterB(config-router)#exit
Step 4 Configure an IKE proposal, an IKE peer, and an IPSec proposal, and set IPSec negotiation parameters.
# Configure an IKE proposal.
RouterB(config)#crypto isakmp policy 10
RouterB(config-isakmp)#hash sha
RouterB(config-isakmp)#encryption aes 128
RouterB(config-isakmp)#group 5
RouterB(config-isakmp)#authentication pre-share
RouterB(config-isakmp)#exit
# Set IPSec phase 1 negotiation parameters. The address 0.0.0.0 accepts this pre-shared key from any peer address; to restrict the key to the branch gateway, use the branch public address 1.1.2.10 instead.
RouterB(config)#crypto isakmp key huawei@123 address 0.0.0.0 no-xauth
RouterB(config)#crypto isakmp keepalive 10 periodic
# Configure an IPSec proposal.
RouterB(config)#crypto ipsec transform-set tran1 esp-sha-hmac esp-aes 128
RouterB(cfg-crypto-trans)#mode tunnel
RouterB(cfg-crypto-trans)#exit
Step 5 Configure an IPSec profile and bind the IPSec proposal to the IPSec profile.
RouterB(config)#crypto ipsec profile profile1
RouterB(ipsec-profile)#set transform-set tran1
RouterB(ipsec-profile)#exit
Step 6 Apply the IPSec profile to the tunnel interface so that the tunnel interface can protect traffic.
RouterB(config)#interface tunnel 0
RouterB(config-if)#tunnel protection ipsec profile profile1
RouterB(config-if)#exit
----End
Verification
1. Run the display ike sa command on RouterA and the show crypto isakmp sa command on RouterB. The command output shows that the SAs in phase 1 and phase 2 have been successfully established (RouterA is used as an example).
[RouterA] display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------
8 1.1.1.10 0 RD|ST 2
6 1.1.1.10 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
An IPSec tunnel has been successfully established between RouterA and RouterB to protect traffic exchanged between them.
2. Ping a host in the headquarters from a host in the branch. The ping operations succeed. Run the display ipsec statistics esp command to view statistics on IPSec packets. The values of the Inpacket decap count and Outpacket encap count fields are not 0, indicating that data transmitted between the branch and headquarters is encrypted.
Exception Handling
When an IPSec tunnel fails to be set up, check whether routes are reachable and whether the IPSec configurations at both ends are consistent.
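Checking that the two configurations are consistent is harder than it sounds because the vendors spell the same parameter differently (aes-cbc-128 versus encryption aes 128, sha1 versus hash sha, group5 versus group 5). The following added Python example (not part of the original post) normalises the IKE and IPSec parameters from the two configuration snippets in this post into one vocabulary and reports every parameter that differs. The regular expressions cover only the keywords used in this post; the mismatch sample, where the Cisco side uses DH group 2, is constructed.

```python
"""Compare the IKE/IPSec parameters of a Huawei AR and a Cisco router configuration.
Added example; not part of the original post. Only the keywords used in the post are handled."""
import re

# Huawei AR lines from the post, prompts removed.
HUAWEI_CONFIG = """\
ike proposal 5
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha1
 dh group5
 authentication-method pre-share
ike peer RouterA v1
 pre-shared-key cipher huawei@123
ipsec proposal RouterA
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
"""

# Cisco lines from the post, prompts removed.
CISCO_CONFIG = """\
crypto isakmp policy 10
 hash sha
 encryption aes 128
 group 5
 authentication pre-share
crypto isakmp key huawei@123 address 0.0.0.0 no-xauth
crypto ipsec transform-set tran1 esp-sha-hmac esp-aes 128
 mode tunnel
"""

# Constructed mismatch: the Cisco side negotiates DH group 2 instead of group 5.
CISCO_CONFIG_DH2 = CISCO_CONFIG.replace(" group 5", " group 2")

# Each rule: (regex on one config line, canonical parameter name, converter to a canonical value).
HUAWEI_RULES = [
    (r"^\s*encryption-algorithm (\S+)", "ike_encryption", lambda m: m.group(1).replace("-cbc", "")),
    (r"^\s*authentication-algorithm (\S+)", "ike_hash", lambda m: m.group(1)),
    (r"^\s*dh group(\d+)", "dh_group", lambda m: int(m.group(1))),
    (r"^\s*authentication-method (\S+)", "auth_method", lambda m: m.group(1)),
    (r"^\s*pre-shared-key cipher (\S+)", "psk", lambda m: m.group(1)),
    (r"^\s*transform (\S+)", "protocol", lambda m: m.group(1)),
    (r"^\s*encapsulation-mode (\S+)", "mode", lambda m: m.group(1)),
    (r"^\s*esp authentication-algorithm (\S+)", "esp_auth", lambda m: m.group(1)),
    (r"^\s*esp encryption-algorithm (\S+)", "esp_encryption", lambda m: m.group(1)),
]

CISCO_RULES = [
    (r"^\s*hash (\S+)", "ike_hash", lambda m: {"sha": "sha1"}.get(m.group(1), m.group(1))),
    (r"^\s*encryption aes (\d+)", "ike_encryption", lambda m: "aes-" + m.group(1)),
    (r"^\s*group (\d+)", "dh_group", lambda m: int(m.group(1))),
    (r"^\s*authentication (\S+)", "auth_method", lambda m: m.group(1)),
    (r"^\s*crypto isakmp key (\S+) address", "psk", lambda m: m.group(1)),
    (r"^\s*crypto ipsec transform-set \S+ .*esp-(\w+)-hmac", "esp_auth",
     lambda m: {"sha": "sha1"}.get(m.group(1), m.group(1))),
    (r"^\s*crypto ipsec transform-set \S+ .*esp-aes (\d+)", "esp_encryption", lambda m: "aes-" + m.group(1)),
    (r"^\s*crypto ipsec transform-set \S+ .*\besp-", "protocol", lambda m: "esp"),
    (r"^\s*mode (\S+)", "mode", lambda m: m.group(1)),
]


def extract(config, rules):
    """Apply every rule to every line; later lines override earlier ones for the same parameter."""
    params = {}
    for line in config.splitlines():
        for pattern, name, convert in rules:
            m = re.match(pattern, line)
            if m:
                params[name] = convert(m)
    return params


def compare(huawei, cisco):
    """Return {parameter: (huawei_value, cisco_value)} for parameters that differ or are missing on one side."""
    mismatches = {}
    for name in sorted(set(huawei) | set(cisco)):
        if huawei.get(name) != cisco.get(name):
            mismatches[name] = (huawei.get(name), cisco.get(name))
    return mismatches


if __name__ == "__main__":
    huawei = extract(HUAWEI_CONFIG, HUAWEI_RULES)
    print("post configuration mismatches:", compare(huawei, extract(CISCO_CONFIG, CISCO_RULES)))
    print("constructed DH mismatch:", compare(huawei, extract(CISCO_CONFIG_DH2, CISCO_RULES)))
```

Because extract() keeps the last value seen, a configuration with several isakmp policies or ike proposals must be split per policy before comparison; the post uses one of each, so the flat comparison is enough here. The same approach extends to lifetimes and PFS settings once the corresponding keywords are added to the rule lists.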
If you have any problems, please post them in our Community. We are happy to solve them for you!