Establishing an IPSec Tunnel Between a Branch Using 4G and Headquarters

Latest reply: Jun 16, 2017 07:47:00

Specifications

This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements

The headquarters and branch want to establish a secure IPSec connection. The headquarters gateway RouterB uses a static public address. The branch size is small and its gateway RouterA uses a 4G interface to dynamically obtain an IP address from a provider. When IPSec policies are used, the headquarters must know the branch IP address. The branch IP address often changes and is difficult to maintain. You can use an IPSec policy template on RouterB so that the headquarters and branch can perform IPSec negotiation without knowing the branch IP address.

Figure 1-1 Establishing an SA using an IPSec policy template (image not included in this page)

Note

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.

- In versions earlier than V200R008:

  ike peer peer-name [ v1 | v2 ]

- In V200R008 and later versions:

  - To configure IKE peers: ike peer peer-name
  - To configure the IKE protocol: version { 1 | 2 }

By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.

Procedure

Step 1 Configure RouterA.

#
 sysname RouterA
#
acl number 3000  //Configure an ACL to protect data flows.
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal rta  //Configure an IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike peer rta v1  //Configure an IKE peer for establishing an IPSec connection with RouterB.
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#  //Set the pre-shared key to huawei in cipher text. In versions earlier than V2R3C00, the pre-shared key is displayed in plain text as pre-shared-key huawei.
 remote-address 13.1.1.1  //Configure a peer IP address for initiating IKE negotiation.
#
ipsec policy rta 1 isakmp  //Configure an IPSec policy.
 security acl 3000
 ike-peer rta
 proposal rta
#
interface Ethernet1/0/0
 ip address 192.168.1.1 255.255.255.0
#
interface Cellular0/0/1  //Set dial parameters for the 4G interface.
 dialer enable-circular  //Enable circular DCC.
 dialer-group 1  //Add the dialer interface to the dialer ACL. The group ID must be the same as that in the dialer ACL.
 apn-profile lteprofile
 dialer number *99# autodial  //Enable the interface to automatically dial up using the dialer number *99#.
 ip address negotiate  //Configure the interface to obtain an IP address from the carrier. The interface can use the IP address to connect to the public network.
 ipsec policy rta  //Bind an IPSec policy to the interface to initiate IPSec negotiation.
#
dialer-rule  //Create a dialer ACL that defines conditions to initiate calls.
 dialer-rule 1 ip permit
#
apn profile lteprofile  //Create an APN profile.
 apn ltenet
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/1
#
return

Step 2 Configure RouterB.

#
 sysname RouterB
#
acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal rtb
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike peer rtb v1  //Configure an IKE peer. You do not need to specify the peer IP address.
 pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#  //Set the pre-shared key to huawei in cipher text. In versions earlier than V2R3C00, the pre-shared key is displayed in plain text as pre-shared-key huawei.
#
ipsec policy-template temp 1  //Configure an IPSec policy template and reference parameters to the template.
 security acl 3000
 ike-peer rtb
 proposal rtb
#
ipsec policy rtb 1 isakmp template temp  //Configure an IPSec policy and reference the policy template.
#
interface Ethernet1/0/0
 ip address 192.168.2.1 255.255.255.0
#
interface Serial1/0/0  //Configure a public network interface and set a fixed IP address for the interface.
 link-protocol ppp
 ip address 13.1.1.1 255.255.255.0
 ipsec policy rtb
#
ip route-static 0.0.0.0 0.0.0.0 Serial1/0/0
#
return

Step 3 Verify the configuration.

Run the display ike sa command on either router to view information about the established SA.

After the configuration, users in the headquarters and branch can ping each other.

----End

Configuration Notes

- The pre-shared key at both ends must be the same.

- You do not need to specify the remote address of the IKE peer for the end using an IPSec policy template.

- You can choose not to configure an ACL on the headquarters using an IPSec policy template. If an ACL is configured on the headquarters to protect data flows, the destination segment address in the ACL must cover all the source addresses in ACLs on branches.
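The two configurations in Step 1 and Step 2 and the Configuration Notes above boil down to a few consistency conditions between the branch and headquarters ends, and misreading one of them (a narrower headquarters ACL, a leftover remote-address on the template side, a proposal edited on one router only) is a common reason the IKE SA never comes up or only some flows are protected. The following Python script is an added example, not part of the original post and not Huawei software: it parses constructed excerpts of the two configurations above (pre-shared keys replaced by a placeholder, unrelated lines dropped; the parser assumes the one-space VRP indentation shown on this page and knows only the commands used here) and reports any condition that fails. The ACL mirror check is written generally, so it also handles several rules and wildcards other than 0.0.0.255.

```python
import ipaddress
import re

# Constructed excerpts of the two configurations above (keys redacted, unrelated lines dropped).
ROUTER_A = """\
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ipsec proposal rta
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
ike peer rta v1
 pre-shared-key cipher <REDACTED>
 remote-address 13.1.1.1
ipsec policy rta 1 isakmp
 security acl 3000
 ike-peer rta
 proposal rta
"""
ROUTER_B = """\
acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec proposal rtb
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
ike peer rtb v1
 pre-shared-key cipher <REDACTED>
ipsec policy-template temp 1
 security acl 3000
 ike-peer rtb
 proposal rtb
ipsec policy rtb 1 isakmp template temp
interface Serial1/0/0
 ip address 13.1.1.1 255.255.255.0
 ipsec policy rtb
"""
# Headquarters variant whose ACL destination (/25) no longer covers the branch source network.
ROUTER_B_NARROW = ROUTER_B.replace("192.168.1.0 0.0.0.255", "192.168.1.0 0.0.0.127")

def parse_blocks(config):
    """Split VRP-style text into (header, [indented child lines]) blocks; '#' lines are skipped."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def block(blocks, pattern):
    # Children of the first block whose header fully matches the regex, else None.
    return next((c for h, c in blocks if re.fullmatch(pattern, h)), None)

def wildcard_to_network(addr, wildcard):
    """ACL address + wildcard mask -> ip_network; rejects non-contiguous wildcards."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def acl_flows(blocks, acl):
    # (source, destination) network pairs permitted by an advanced ACL.
    matches = (re.match(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)", c)
               for c in block(blocks, f"acl number {acl}") or [])
    return [(wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4]))
            for m in matches if m]

def policy_refs(blocks, policy):
    """ACL, IKE peer and proposal referenced by an IPSec policy or by its template."""
    for header, children in blocks:
        m = re.fullmatch(rf"ipsec policy {policy} \d+ isakmp(?: template (\S+))?", header)
        if m:
            if m[1]:  # the policy references a template: read the template body instead
                children = block(blocks, rf"ipsec policy-template {m[1]} \d+")
            return {c.split()[0]: c.split()[-1] for c in children}
    raise KeyError(policy)

def ike_peer(blocks, name):
    return dict(c.split(" ", 1) for c in block(blocks, rf"ike peer {name}( v[12])?"))

def check_pair(branch_cfg, hq_cfg, branch_policy, hq_policy):
    """Return a list of findings; an empty list means the two ends are consistent."""
    a, b = parse_blocks(branch_cfg), parse_blocks(hq_cfg)
    ra, rb = policy_refs(a, branch_policy), policy_refs(b, hq_policy)
    peer_a, peer_b = ike_peer(a, ra["ike-peer"]), ike_peer(b, rb["ike-peer"])
    findings = []
    # 1. Both ends must offer the same ESP algorithms.
    pa, pb = block(a, f"ipsec proposal {ra['proposal']}"), block(b, f"ipsec proposal {rb['proposal']}")
    if set(pa or []) != set(pb or []):
        findings.append("IPSec proposals differ between branch and headquarters")
    # 2. Branch remote-address must equal the address of the headquarters interface carrying the policy.
    hq_ip = next((c.split()[2] for h, ch in b if h.startswith("interface ")
                  and f"ipsec policy {hq_policy}" in ch
                  for c in ch if re.match(r"ip address \d", c)), None)
    if peer_a.get("remote-address") != hq_ip:
        findings.append(f"branch remote-address {peer_a.get('remote-address')} != headquarters {hq_ip}")
    # 3. The template end must not pin a remote address: the branch address is dynamic.
    if "remote-address" in peer_b:
        findings.append("headquarters IKE peer sets remote-address; the template end must not")
    # 4. If headquarters has an ACL, every branch flow must be mirrored by it.
    if "security" in rb:
        hq = acl_flows(b, rb["security"])
        for src, dst in acl_flows(a, ra["security"]):
            if not any(src.subnet_of(hd) and dst.subnet_of(hs) for hs, hd in hq):
                findings.append(f"branch flow {src} -> {dst} is not covered by the headquarters ACL")
    return findings
```

Calling check_pair(ROUTER_A, ROUTER_B, "rta", "rtb") returns an empty list for the configurations on this page, while the ROUTER_B_NARROW variant produces a single finding for the branch flow 192.168.1.0/24 -> 192.168.2.0/24. The pre-shared keys are deliberately not compared: the cipher text differs on each device even when the key is the same, so that condition can only be verified by keeping the plain-text key in a vault and re-applying it, or by watching the IKE negotiation succeed in display ike sa.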

 

Comments

gululu, Jun 16, 2017 07:47:00:
good!
 
