
Establishing an IPSec Tunnel Through Negotiation Initiated by AR with a Dynamic IP Address in Main Mode to C3900e (Using Dynamic Crypto Map Entry)

Latest reply: Feb 28, 2017 00:22:08

Hello everyone,

Today I will share with you how to establish an IPSec tunnel through negotiation initiated by an AR with a dynamic IP address in main mode to a C3900e (using a dynamic crypto map entry).

Specifications

This example applies to AR routers of all versions.

Networking Requirements

As shown in Figure 1-1, RouterA is the enterprise branch gateway, whose public network interface dynamically obtains an IP address, and RouterB is the enterprise headquarters gateway (a Cisco router). The branch and headquarters communicate through the NAT device (NATer) over the public network.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the branch gateway obtains its IP address dynamically, the headquarters gateway cannot be configured with a fixed peer address; it uses a dynamic crypto map entry instead and accepts the tunnel request from the branch. IKE negotiation uses main mode, which protects the peer identities. In main mode the responder has to select the pre-shared key by the initiator's source address before the (encrypted) identity payload arrives, so the headquarters gateway uses a wildcard peer address (address 0.0.0.0 0.0.0.0, the "fuzzy match") to accept any branch. Two consequences follow: every branch shares the same pre-shared key, and the tunnel can only be brought up by the branch, because the headquarters side has no peer address to initiate towards.

Figure 1-1 Networking for establishing an IPSec tunnel through negotiation initiated by the branch gateway with a dynamic IP address to the headquarters Cisco router


Procedure

Step 1 Configure RouterA.

Note

MD5, SHA-1, DES, and 3DES have potential security risks. Exercise caution when you use them.

The commands used to configure IKE peers and the IKE protocol version differ depending on the software version.

  • In versions earlier than V200R008:

ike peer peer-name [ v1 | v2 ]

  • In V200R008 and later versions:

  • To configure IKE peers: ike peer peer-name

  • To configure the IKE protocol version: version { 1 | 2 }

By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command. This example uses IKEv1 (ike peer peer1 v1), so on V200R008 and later versions configure ike peer peer1 and then run undo version 2 under the peer.

#
 sysname RouterA  //Configure the device name.
#
 ipsec authentication sha2 compatible enable  //Enable the SHA-2 compatibility function so that the length of the HMAC-SHA2-256 integrity check value used by ESP interoperates with the Cisco peer.
#
acl number 3000  //Specify the data flows to be protected (branch subnet to headquarters subnet). This is the mirror image of access-list 102 on RouterB.
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop1  //Configure an IPSec proposal. The algorithms must match transform-set p1 on RouterB.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 1  //Configure an IKE proposal. The algorithms must match crypto isakmp policy 1 on RouterB.
 encryption-algorithm aes-cbc-128   //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14
 authentication-algorithm sha2-256
#
ike peer peer1 v1  //Configure an IKE peer that uses IKEv1. In V200R008 and later versions, run ike peer peer1 and then undo version 2.
 pre-shared-key cipher %@%@W'KwGZ8`tQ8s^C8q(qC"0(;@%@%@%#%#@W4p8i~Mm5sn;9Xc&U#(cJC;.CE|qCD#jAH&/#nR%#%#  //Configure the pre-shared key as huawei@1234. The key is stored and displayed in cipher text and must match the key configured on RouterB.
 ike-proposal 1
 nat traversal  //Enable NAT traversal. In V200R008 and later versions, the device supports NAT traversal by default, and this command is not supported.
 remote-address 60.1.2.1  //Use the public IP address of RouterB to identify the IKE peer.
#
ipsec policy policy1 10 isakmp  //Configure an IPSec policy.
 security acl 3000
 ike-peer peer1
 proposal prop1
#
interface GigabitEthernet0/0/1
 ipsec policy policy1     //Apply the IPSec policy to the public network interface.
 ip address dhcp-alloc  //Obtain the interface address dynamically (from NATer in this example).
#
interface GigabitEthernet0/0/2
 ip address 10.1.1.1 255.255.255.0
#
return

Step 2 Configure NATer.

#
 sysname NATer  //Configure the device name.
#
 dhcp enable  //Enable DHCP so that RouterA can obtain its address dynamically.
#
acl number 3000  //Match all traffic for NAT.
 rule 5 permit ip
#
interface GigabitEthernet0/0/1
 ip address 60.1.1.1 255.255.255.0
 nat outbound 3000  //Translate traffic from RouterA to 60.1.1.1. RouterB therefore sees the IKE and ESP traffic coming from this address, which is why NAT traversal is needed.
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface  //Assign addresses from the interface subnet 192.168.1.0/24 to RouterA.
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.2  //Configure a static route to ensure reachability at both ends.
#
return

Step 3 Configure RouterB.

!
hostname RouterB  //Configure the device name.
!
crypto isakmp policy 1  //Configure the IKE (ISAKMP) policy. The algorithms must match ike proposal 1 on RouterA.
 encryption aes 128
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key huawei@1234 address 0.0.0.0 0.0.0.0  //Configure the pre-shared key as huawei@1234 for any peer address. In main mode the key is selected by the initiator's source address, which is not known in advance for a dynamically addressed branch, so the wildcard is required; it also means that every branch shares this one key.
!
crypto ipsec transform-set p1 esp-sha256-hmac esp-aes 128  //Configure the security algorithms used by IPSec. They must match ipsec proposal prop1 on RouterA.
!
crypto dynamic-map p1 1  //Create a dynamic crypto map entry. It has no peer address, so RouterB can only respond to negotiation initiated by the branch.
 set transform-set p1
 match address 102
!
crypto map p1 1 ipsec-isakmp dynamic p1  //Configure an IPSec policy (crypto map) that references the dynamic entry.
!
interface GigabitEthernet0/0
 ip address 60.1.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map p1     //Apply the IPSec policy to the public network interface.
!
interface GigabitEthernet0/1
 ip address 10.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 60.1.2.2  //Configure a static route to ensure reachability at both ends.
!
access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255  //Specify the data flows to be protected (headquarters subnet to branch subnet). This is the mirror image of ACL 3000 on RouterA.
!
end

Step 4 Verify the configuration.

# After the configuration is complete, run the ping command on PC A to ping PC B; the ping succeeds. Start the test from the branch side: the first packets from PC A trigger RouterA to initiate IKE negotiation, and RouterB cannot initiate because its dynamic crypto map entry has no peer address.

# Run the display ike sa and display ipsec sa commands on RouterA, and run the show crypto isakmp sa and show crypto ipsec sa commands on RouterB. You can see that the IPSec tunnel is created successfully. On RouterB the peer is shown as the public address of NATer (60.1.1.1) rather than the private address of RouterA, which confirms that NAT traversal is in use.

# Run the display ipsec statistics command on RouterA to check data packet statistics.

----End
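The configurations in Steps 1 and 3 have to agree on three things: the IKE proposal, the IPSec proposal, and traffic selectors that are exact mirror images of each other. Most failed Huawei-to-Cisco interworking cases come down to one of those. The following Python script is added here as an illustration; it is not code from the page or from either vendor. It parses constructed excerpts of the RouterA and RouterB configurations, normalises the two vendors' spellings of the same algorithms (aes-cbc-128 versus encryption aes 128, sha2-256 versus esp-sha256-hmac, group14 versus group 14), reports every disagreement, and also flags any algorithm from the Note's caution list that is still in use. Function names such as parse_huawei, parse_cisco and compare are this example's own.

```python
"""Cross-check the branch (Huawei AR) and headquarters (Cisco IOS) configurations for the usual
reasons a tunnel stays down: IKE/IPSec proposals that differ, traffic selectors that are not mirror
images, and the deprecated algorithms the page's Note warns about. Added illustration only, not code
from the page or from either vendor; the excerpts below are constructed from the page's configs."""
import ipaddress
import re

HUAWEI_CFG = """\
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ipsec proposal prop1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 1
 encryption-algorithm aes-cbc-128   //aes-128 in V200R008 and later
 dh group14
 authentication-algorithm sha2-256
"""
CISCO_CFG = """\
crypto isakmp policy 1
 encryption aes 128
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set p1 esp-sha256-hmac esp-aes 128
access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
WEAK = {"md5", "sha1", "des", "3des", "group1", "group2"}  # the Note's list plus 768/1024-bit DH

def norm(token):
    """One name per algorithm: aes-cbc-128 / 'aes 128' / 'esp-aes 128' -> aes-128,
    sha2-256 / sha256 / esp-sha256-hmac -> sha256, group14 / '14' -> group14, sha -> sha1."""
    t = token.lower().strip()
    for junk in ("esp-", "-hmac", "cbc-"):
        t = t.replace(junk, "")
    t = t.replace(" ", "-").replace("sha2-", "sha")
    if t == "sha":                                   # IOS 'hash sha' / 'esp-sha-hmac' are SHA-1
        t = "sha1"
    return "group" + t if t.isdigit() else t         # IOS 'group 14'

def net(addr, wildcard):
    """ACL address/wildcard -> ip_network; inverted explicitly so 0.0.0.0 means one host, not /0."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _lines(cfg):
    # Yield (is_top_level, words) per command line, dropping // comments and # or ! separators.
    for raw in cfg.splitlines():
        line = re.split(r"\s*//", raw)[0].rstrip()
        if line.strip() not in ("", "#", "!"):
            yield not line.startswith(" "), line.split()

def parse_huawei(cfg):
    out, block = {"ike": {"auth": "pre-share"}, "ipsec": {}, "selectors": []}, ""  # pre-share: AR default
    for top, w in _lines(cfg):
        if top:
            block = " ".join(w[:2])
        elif block == "ike proposal":
            key = {"encryption-algorithm": "enc", "authentication-algorithm": "hash", "dh": "dh"}.get(w[0])
            if key:
                out["ike"][key] = norm(w[1])
        elif block == "ipsec proposal" and w[0] == "esp":
            out["ipsec"]["enc" if w[1].startswith("encryption") else "auth"] = norm(w[2])
        elif block == "acl number" and "permit" in w and "source" in w:
            s, d = w.index("source"), w.index("destination")
            out["selectors"].append((net(w[s + 1], w[s + 2]), net(w[d + 1], w[d + 2])))
    return out

def parse_cisco(cfg):
    out, block = {"ike": {}, "ipsec": {}, "selectors": []}, ""
    for top, w in _lines(cfg):
        if top:
            block = " ".join(w[:3])
            if block == "crypto ipsec transform-set":        # e.g. 'esp-sha256-hmac esp-aes 128'
                for tok in re.findall(r"esp-\S+(?: \d+)?", " ".join(w[4:])):
                    n = norm(tok)
                    out["ipsec"]["enc" if ("aes" in n or "des" in n) else "auth"] = n
            elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
                out["selectors"].append((net(w[4], w[5]), net(w[6], w[7])))
        elif block == "crypto isakmp policy":
            key = {"encryption": "enc", "hash": "hash", "group": "dh", "authentication": "auth"}.get(w[0])
            if key:
                out["ike"][key] = norm(" ".join(w[1:]))
    return out

def compare(branch, hq):
    """List every disagreement; an empty list means the two sides can negotiate."""
    findings = [f"{p} {k}: branch={branch[p].get(k)} hq={hq[p].get(k)}"
                for p in ("ike", "ipsec") for k in sorted(set(branch[p]) | set(hq[p]))
                if branch[p].get(k) != hq[p].get(k)]
    mirrored = {(d, s) for s, d in hq["selectors"]}          # HQ's ACL must be the exact mirror image
    findings += [f"selector {s} -> {d} has no mirror image on the other side"
                 for s, d in sorted(set(branch["selectors"]) ^ mirrored, key=str)]
    return findings

def weak_algorithms(parsed):
    return sorted(v for p in ("ike", "ipsec") for v in parsed[p].values() if v in WEAK)

if __name__ == "__main__":
    branch, hq = parse_huawei(HUAWEI_CFG), parse_cisco(CISCO_CFG)
    print(compare(branch, hq) or "page config: proposals and selectors match", weak_algorithms(hq))
```

Run as-is for the page's configuration, or paste your own excerpts into HUAWEI_CFG and CISCO_CFG; a non-empty list from compare() names the first thing to fix before reading display ike sa or show crypto isakmp sa output. A deliberate typo on the Cisco side (hash sha instead of hash sha256, or a wrong subnet in access-list 102) produces one finding per mismatch and, for hash sha, a weak_algorithms() hit for sha1.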

Configuration Notes

In this example, the commands on the Cisco router are recommended ones. The product version is Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M1, RELEASE SOFTWARE (fc1). For details, visit http://www.cisco.com/cisco/web/support.

That is all I want to share with you! Thank you!


Busy_with_lazy_mind
Created Feb 28, 2017 00:22:08
