Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
The headquarters and branch want to establish a secure IPSec connection. The headquarters gateway RouterB uses a static public address. The branch size is small and its gateway RouterA uses a 4G interface to dynamically obtain an IP address from a provider. When IPSec policies are used, the headquarters must know the branch IP address. The branch IP address often changes and is difficult to maintain. You can use an IPSec policy template on RouterB so that the headquarters and branch can perform IPSec negotiation without knowing the branch IP address.
Figure 1-1 Establishing an SA using an IPSec policy template
The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
• In versions earlier than V200R008:
  ike peer peer-name [ v1 | v2 ]
• In V200R008 and later versions:
  • To configure IKE peers: ike peer peer-name
  • To configure the IKE protocol version: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL to protect data flows.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer rta v1 //Configure an IKE peer for establishing an IPSec connection with RouterB.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set the pre-shared key to huawei in cipher text. In versions earlier than V2R3C00, the pre-shared key pre-shared-key huawei is displayed in plain text.
remote-address 13.1.1.1 //Configure a peer IP address for initiating IKE negotiation.
#
ipsec policy rta 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer rta
proposal rta
#
interface Ethernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface Cellular0/0/1 //Set dial parameters for the 4G interface.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add the dialer interface to the dialer ACL. The group ID must be the same as that in the dialer ACL.
apn-profile lteprofile
dialer number *99# autodial //Enable the interface to automatically dial up using the dialer number *99#.
ip address negotiate //Configure the interface to obtain an IP address from the carrier. The interface can use the IP address to connect to the public network.
ipsec policy rta //Bind an IPSec policy to the interface to initiate IPSec negotiation.
#
dialer-rule //Create a dialer ACL that defines conditions to initiate calls.
dialer-rule 1 ip permit
#
apn profile lteprofile //Create an APN profile.
apn ltenet
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/1
#
return
Step 2 Configure RouterB.
#
sysname RouterB
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal rtb
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer rtb v1 //Configure an IKE peer. You do not need to specify the peer IP address.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Set the pre-shared key to huawei in cipher text. In versions earlier than V2R3C00, the pre-shared key pre-shared-key huawei is displayed in plain text.
#
ipsec policy-template temp 1 //Configure an IPSec policy template and reference parameters to the template.
security acl 3000
ike-peer rtb
proposal rtb
#
ipsec policy rtb 1 isakmp template temp //Configure an IPSec policy and reference the policy template.
#
interface Ethernet1/0/0
ip address 192.168.2.1 255.255.255.0
#
interface Serial1/0/0 //Configure a public network interface and set a fixed IP address for the interface.
link-protocol ppp
ip address 13.1.1.1 255.255.255.0
ipsec policy rtb
#
ip route-static 0.0.0.0 0.0.0.0 Serial1/0/0
#
return
Step 3 Verify the configuration.
Run the display ike sa command on either device to view information about the established SA.
After the configuration, users in the headquarters and branch can ping each other.
----End
Configuration Notes
• The pre-shared key at both ends must be the same.
• You do not need to specify the remote address of the IKE peer on the end that uses an IPSec policy template.
• On the headquarters end that uses an IPSec policy template, you can choose not to configure an ACL. If an ACL is configured on the headquarters to protect data flows, the destination segment address in the ACL must cover all the source addresses in the ACLs on the branches.
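As an added example (not part of the Huawei document), a small Python check that parses the ACL and IKE lines of the two configurations above and applies the Configuration Notes: the headquarters must reference a policy template, each branch IKE peer must set a remote-address (the branch initiates), and every branch ACL source must fall inside a headquarters ACL destination. The key blobs and the second branch (RouterC) are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample configs: the ACL and IKE lines from RouterA (branch, initiator)
# and RouterB (headquarters, template end) in this example; key blobs are placeholders.
BRANCH_RTA = """\
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ike peer rta v1
 pre-shared-key cipher PLACEHOLDER
 remote-address 13.1.1.1
ipsec policy rta 1 isakmp
"""
HQ_RTB = """\
acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ike peer rtb v1
 pre-shared-key cipher PLACEHOLDER
ipsec policy-template temp 1
ipsec policy rtb 1 isakmp template temp
"""
# Constructed second branch whose LAN (192.168.3.0/24) is NOT covered by the HQ ACL.
BRANCH_BAD = BRANCH_RTA.replace("192.168.1.0", "192.168.3.0")
RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def wildcard_to_net(addr, wildcard):
    """VRP ACLs use wildcard masks (0 bits must match); invert to a prefix mask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def acl_flows(cfg):
    """(source_net, destination_net) for every 'permit ip' rule in the config."""
    return [(wildcard_to_net(s, sw), wildcard_to_net(d, dw)) for s, sw, d, dw in RULE.findall(cfg)]

def check_template_site(hq_cfg, branch_cfgs):
    """Apply the Configuration Notes to one headquarters config and its branches."""
    problems = []
    if not re.search(r"^ipsec policy \S+ \d+ isakmp template \S+", hq_cfg, re.M):
        problems.append("headquarters: no IPSec policy references a policy template")
    hq_dsts = [dst for _, dst in acl_flows(hq_cfg)]
    for name, cfg in branch_cfgs.items():
        # The branch initiates IKE, so its peer needs the fixed headquarters address.
        if not re.search(r"^\s*remote-address \S+", cfg, re.M):
            problems.append(f"{name}: IKE peer has no remote-address")
        # An HQ ACL is optional; if present, every branch source must sit inside an HQ destination.
        for src, _ in acl_flows(cfg):
            if hq_dsts and not any(src.subnet_of(d) for d in hq_dsts):
                problems.append(f"{name}: source {src} not covered by headquarters ACL")
    return problems

if __name__ == "__main__":
    print(check_template_site(HQ_RTB, {"RouterA": BRANCH_RTA, "RouterC": BRANCH_BAD}))
```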