
Establishing an IPSec tunnel between the AR and the Cisco Router in the IKEv1 Aggressive Mode Highlighted

Latest reply: Feb 24, 2017 07:32:08

Hello there, everyone!

This post refers to an example for establishing an IPSec tunnel between the AR and the Cisco Router in the IKEv1 Aggressive Mode. Please have a read below.


This example applies to routers of all versions.

Networking Requirements

As shown in Figure 1-1, RouterA is the enterprise branch gateway, and RouterB is the enterprise headquarters gateway (Cisco router). The branch and headquarters communicate through the public network.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. An IPSec tunnel can be set up between the branch gateway and headquarters gateway because they communicate through the Internet.

Figure 1-1 Networking for establishing an IPSec tunnel between the AR and Cisco router in IKEv1 aggressive mode




Step 1 Configure RouterA.


MD5, SHA-1, DES, and 3DES have potential security risks. Exercise caution when you use them.

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.

• In earlier versions of V200R008:

ike peer peer-name [ v1 | v2 ]

• In V200R008 and later versions:

• To configure IKE peers: ike peer peer-name

• To configure the IKE protocol: version { 1 | 2 }

By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.

 sysname RouterA  //Configure the device name.
 ipsec authentication sha2 compatible enable
 ike local-name huawei
acl number 3000  //Specify data flows (traffic from the branch subnet to the headquarters subnet) to be protected.
 rule 5 permit ip source destination
ipsec proposal prop1  //Configure an IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 1  //Configure an IKE proposal.
 encryption-algorithm aes-cbc-128   //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14
 authentication-algorithm sha2-256
ike peer peer1 v1  //Configure an IKE peer.
 exchange-mode aggressive  //Configure the aggressive mode.
 pre-shared-key cipher %@%@W'KwGZ8`tQ8s^C8q(qC"0(;@%@%@%#%#@W4p8i~Mm5sn;9Xc&U#(cJC;.CE|qCD#jAH&/#nR%#%#  //Configure the pre-shared key as huawei@1234.
 ike-proposal 1
 local-id-type name   //Configure the local ID type for IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.
 remote-name RouterB   //Configure the IKE peer name. In V200R008 and later versions, the device does not support the remote-name command. This command provides the same function as the remote-id command.
ipsec policy policy1 10 isakmp  //Configure an IPSec policy.
 security acl 3000 
 ike-peer peer1
 proposal prop1
interface GigabitEthernet0/0/1
 ip address
 ipsec policy policy1     //Apply the IPSec policy to the interface.
interface GigabitEthernet0/0/2
 ip address
ip route-static  //Configure a static route to ensure reachability at both ends.

Step 2 Configure RouterB.

hostname RouterB  //Configure the device name.
crypto isakmp policy 1
 encryption aes 128
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key huawei@1234 hostname huawei  //Configure the pre-shared key as huawei@1234.
crypto isakmp identity hostname   //Set the local ID type in IKE negotiation to name.
crypto ipsec transform-set p1 esp-sha256-hmac esp-aes 128  //Configure a security algorithm used by IPSec.
crypto map p1 1 ipsec-isakmp  //Configure an IPSec policy.
 set peer
 set transform-set p1
 match address 102
interface GigabitEthernet0/0
 ip address
 duplex auto
 speed auto
 crypto map p1     //Apply the IPSec policy to the interface.
interface GigabitEthernet0/1
 ip address
 duplex auto
 speed auto
ip route  //Configure a static route to ensure reachability at both ends.
access-list 102 permit ip //Specify data flows (traffic from the headquarters subnet to the branch subnet) to be protected.

Step 3 Verify the configuration.

# After the configuration is complete, run the ping command on PC A. PC B can be pinged.

# Run the display ike sa and display ipsec sa commands on RouterA, and run the show crypto isakmp sa and show crypto ipsec sa commands on RouterB. You can see that the IPSec tunnel is created successfully.

# Run the display ipsec statistics command on RouterA to check data packet statistics.
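Most interop failures between these two configs come from one phase-1 or phase-2 parameter being named differently on each vendor and not actually matching. As an added example (not from the original post), this Python script cross-checks the RouterA and RouterB configs from Steps 1 and 2 through an assumed Huawei/Cisco name mapping and reports any parameter the two sides disagree on; the sample configs are constructed from the post with addresses omitted.

```python
import re
# Vendor names -> neutral tokens. Assumed mapping; it covers only the algorithms this post uses.
HUAWEI = {"aes-cbc-128": "aes128", "aes-128": "aes128", "sha2-256": "sha256",
          "group14": "dh14", "name": "fqdn", "fqdn": "fqdn"}
CISCO = {"aes 128": "aes128", "esp-aes 128": "aes128", "sha256": "sha256",
         "esp-sha256-hmac": "sha256", "14": "dh14", "hostname": "fqdn"}
# Sample configs constructed from Step 1 and Step 2 above (addresses omitted).
HUAWEI_CFG = """ike proposal 1
 encryption-algorithm aes-cbc-128   //renamed aes-128 in V200R008 and later
 dh group14
 authentication-algorithm sha2-256
ike peer peer1 v1
 local-id-type name
ipsec proposal prop1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128"""
CISCO_CFG = """crypto isakmp policy 1
 encryption aes 128
 hash sha256
 group 14
crypto isakmp identity hostname
crypto ipsec transform-set p1 esp-sha256-hmac esp-aes 128"""

def _scan(cfg, rules, names):
    """Apply (regex, key) rules to each line; map captured values through names."""
    found = {}
    for line in cfg.splitlines():
        line = line.split("//")[0].strip()            # drop post-style inline comments
        for rx, key in rules:
            if m := re.fullmatch(rx, line):
                found[key] = names.get(m[1], m[1])
    return found

def parse_huawei(cfg):
    return _scan(cfg, [(r"encryption-algorithm (\S+)", "ike_enc"), (r"dh (\S+)", "ike_dh"),
                       (r"authentication-algorithm (\S+)", "ike_auth"), (r"local-id-type (\S+)", "id_type"),
                       (r"esp encryption-algorithm (\S+)", "esp_enc"),
                       (r"esp authentication-algorithm (\S+)", "esp_auth")], HUAWEI)

def parse_cisco(cfg):
    p = _scan(cfg, [(r"encryption (.+)", "ike_enc"), (r"hash (\S+)", "ike_auth"),
                    (r"group (\S+)", "ike_dh"), (r"crypto isakmp identity (\S+)", "id_type")], CISCO)
    for line in cfg.splitlines():                      # transform-set tokens may come in any order
        if m := re.fullmatch(r"\s*crypto ipsec transform-set \S+ (.+)", line):
            for tok in re.findall(r"esp-\S+(?: \d+)?", m[1]):
                p["esp_auth" if "hmac" in tok else "esp_enc"] = CISCO.get(tok, tok)
    return p

def mismatches(huawei_cfg, cisco_cfg):
    # Returns [(parameter, huawei_value, cisco_value)] for every value the two sides disagree on.
    a, b = parse_huawei(huawei_cfg), parse_cisco(cisco_cfg)
    return [(k, a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]
```

An empty list means the IKE proposal, ID type and ESP transform agree; any tuple names the parameter to fix before looking at the display ike sa / show crypto isakmp sa output.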


Configuration Notes

l   In this example, the commands on the Cisco router are recommended ones. The product version is Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M1, RELEASE SOFTWARE (fc1). For details, visit

l   When the Cisco router initiates IPSec negotiation in aggressive mode, you need to configure the local ID and pre-shared key in aggressive mode. The following shows a sample configuration.

crypto isakmp peer ip-address   //Configure the remote IP address for IKE negotiation.
 set aggressive-mode client-endpoint fqdn huawei   //Configure the local ID for IKE negotiation.
 set aggressive-mode password huawei@1234   //Configure the pre-shared key.

l   When GRE over IPSec is configured for interconnection between a Huawei router and a Cisco router, you are advised to set the IPSec encapsulation mode to transport, to reduce the encapsulation cost.

If you have any problems, please post them in our Community. We are happy to solve them for you!


Created Feb 24, 2017 07:32:08
