【Mr Gateway After-Sales Service 】Connection Cases for Establishing an IPSec Tunn

Latest reply: Sep 6, 2015 01:09:31

1.1 Example for Establishing an IPSec Tunnel Between the AR and Cisco Router in IKEv1 Main Mode

Specifications

This example applies to all versions and routers.

Networking Requirements

As shown in Figure 1-1, RouterA is the enterprise branch gateway, and RouterB is the enterprise headquarters gateway (Cisco router). The branch and headquarters communicate through the public network.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. An IPSec tunnel can be set up between the branch gateway and headquarters gateway because they communicate through the Internet.

Figure 1-1 Networking for establishing an IPSec tunnel between the AR and Cisco router in IKEv1 main mode


Procedure

Step 1 Configure RouterA.


MD5, SHA-1, DES, and 3DES have potential security risks. Exercise caution when you use them. DH group 2 (1024-bit MODP), used in this example, is also considered weak today; prefer group 14 or higher if both devices support it.

#
 sysname RouterA  //Configure the device name.
#
acl number 3000  //Specify data flows (traffic from the branch subnet to the headquarters subnet) to be protected.
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop1  //Configure an IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 1  //Configure an IKE proposal.
 encryption-algorithm aes-cbc-128
 dh group2
 authentication-algorithm sha2-256
 prf hmac-sha2-256
#
ike peer peer1 v1  //Configure an IKE peer.
 pre-shared-key cipher %#%#@W4p8i~Mm5sn;9Xc&U#(cJC;.CE|qCD#jAH&/#nR%#%#  //Configure the pre-shared key as huawei@1234 (the cipher text shown is the device's encrypted form; the same key must be configured on RouterB).
 ike-proposal 1
 remote-address 60.1.2.1    //Use the IP address to identify the IKE peer.
#
ipsec policy policy1 10 isakmp  //Configure an IPSec policy.
 security acl 3000 
 ike-peer peer1
 proposal prop1
#
interface GigabitEthernet0/0/1
 ip address 60.1.1.1 255.255.255.0
 ipsec policy policy1     //Apply the IPSec policy to the interface.
#
interface GigabitEthernet0/0/2
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.2  //Configure a static route to ensure reachability at both ends.
#
return

Step 2 Configure RouterB.

!
hostname RouterB  //Configure the device name.
!
crypto isakmp policy 1  //Configure an IKE policy. Its attributes must match ike proposal 1 on RouterA (AES-128, SHA-256, DH group 2, pre-shared key), otherwise phase 1 fails.
 encr aes
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key huawei@1234 address 0.0.0.0 0.0.0.0  //Configure the pre-shared key as huawei@1234. The 0.0.0.0 0.0.0.0 mask lets any peer address present this key; since the branch has a fixed address, binding it with address 60.1.1.1 255.255.255.255 is the safer choice.
!
crypto ipsec transform-set p1 esp-sha256-hmac esp-aes 128  //Configure a security algorithm used by IPSec.
!
crypto map p1 1 ipsec-isakmp  //Configure an IPSec policy.
 set peer 60.1.1.1     //Use the IP address to identify the IKE peer.
 set transform-set p1
 match address 102
!
!
interface GigabitEthernet0/0
 ip address 60.1.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map p1     //Apply the IPSec policy to the interface.
!
interface GigabitEthernet0/1
 ip address 10.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
!
ip route 0.0.0.0 0.0.0.0 60.1.2.2  //Configure a static route to ensure reachability at both ends.
!
access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 //Specify data flows (traffic from the headquarters subnet to the branch subnet) to be protected.
!
end

Step 3 Verify the configuration.

# After the configuration is complete, ping PC B from PC A. The ping succeeds (the first packets may be lost while the tunnel is being negotiated).

# Run the display ike sa and display ipsec sa commands on RouterA, and the show crypto isakmp sa and show crypto ipsec sa commands on RouterB. The IPSec tunnel is up when RouterB shows the ISAKMP SA in state QM_IDLE and both sides show inbound and outbound ESP SAs whose SPIs match each other crosswise.

# Run the display ipsec statistics esp command on RouterA to check data packet statistics.

----End

Configuration Notes

In this example, the commands on the Cisco router are recommended ones. The product version is Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M1, RELEASE SOFTWARE (fc1). For details, visit http://www.cisco.com/cisco/web/support.

1.2 Example for Establishing an IPSec Tunnel Between the AR and Cisco Router in IKEv1 Aggressive Mode

Specifications

This example applies to all versions and routers.

Networking Requirements

As shown in Figure 1-2, RouterA is the enterprise branch gateway, and RouterB is the enterprise headquarters gateway (Cisco router). The branch and headquarters communicate through the public network.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. An IPSec tunnel can be set up between the branch gateway and headquarters gateway because they communicate through the Internet.

Figure 1-2 Networking for establishing an IPSec tunnel between the AR and Cisco router in IKEv1 aggressive mode


1.3 Example for Establishing an IPSec Tunnel Through Negotiation Initiated by the Branch Gateway with a Dynamic IP Address to the Headquarters Cisco Router (Using Dynamic Crypto Map Entry)

Specifications

This example applies to all versions and routers.

Networking Requirements

As shown in Figure 1-3, RouterA is the enterprise branch gateway and its public network interface obtains an IP address dynamically; RouterB is the enterprise headquarters gateway (Cisco router). The branch and headquarters communicate through the public network.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the branch gateway dynamically obtains an IP address, the headquarters gateway can use the dynamic crypto map entry to establish an IPSec tunnel with the branch gateway.

Figure 1-3 Networking for establishing an IPSec tunnel through negotiation initiated by the branch gateway with a dynamic IP address to the headquarters Cisco router


1.4 Example for Establishing an IPSec Tunnel Through Negotiation Initiated by the Branch Gateway with a Dynamic IP Address to the Headquarters Cisco Router (Using the Host Name)

Specifications

This example applies to all versions and routers.

Networking Requirements

As shown in Figure 1-4, RouterA is the enterprise branch gateway and its public network interface obtains an IP address dynamically; RouterB is the enterprise headquarters gateway (Cisco router). The branch and headquarters communicate through the public network.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the branch gateway dynamically obtains an IP address, the headquarters gateway can use the host name to establish an IPSec tunnel with the branch gateway.

Figure 1-4 Networking for establishing an IPSec tunnel through negotiation initiated by the branch gateway with a dynamic IP address to the headquarters Cisco router


1.5 Example for Establishing an IPSec Tunnel Through Negotiation Initiated by the Branch Gateway (NAT Enabled on the Outbound Interface) to the Headquarters Cisco Router (Using the Host Name)

Specifications

This example applies to all versions and routers.

Networking Requirements

As shown in Figure 1-5, RouterA is the enterprise branch gateway, NAT is deployed on the outbound interface of RouterA, and RouterB is the enterprise headquarters gateway (Cisco router). The branch and headquarters communicate through the public network.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the branch gateway dynamically obtains an IP address, the headquarters gateway can use the host name to establish an IPSec tunnel with the branch gateway.

IPSec and NAT are both configured on the outbound interface of the branch gateway, and outbound traffic is processed by NAT before IPSec. If the NAT ACL permits the branch-to-headquarters traffic, its source addresses are translated and it no longer matches the IPSec security ACL, so it leaves unencrypted. Add deny rules for the traffic to be protected by IPSec at the top of the ACL used by NAT so that this traffic bypasses NAT and is only encrypted by IPSec.
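The ordering problem is easiest to see by replaying one packet through both ACLs in the order the interface applies them. The script below is an added example, not configuration or code from the original post: it models first-match evaluation of a Huawei advanced ACL, applies NAT first (translating to RouterA's public address) and then the IPSec security ACL, and compares a NAT ACL with and without the leading deny rule. ACL 3000 is the page's; the NAT ACL rules, the translated address 60.1.1.1 and the sample packets are constructed, and the NAT ACL is assumed to be referenced by a `nat outbound` on GigabitEthernet0/0/1.

```python
"""First-match replay of NAT-before-IPsec on the branch gateway's outbound
interface (added example; not from the original post)."""
import ipaddress
import re

# Huawei advanced-ACL rule syntax as used on this page; 'destination' is optional
# (absent means any), which is how a NAT ACL normally permits all internet traffic.
RULE = re.compile(r"rule \d+ (permit|deny) ip source (\S+) (\S+)(?: destination (\S+) (\S+))?")

ANY = ipaddress.ip_network("0.0.0.0/0")
PUBLIC_ADDR = ipaddress.ip_address("60.1.1.1")   # constructed: RouterA's GE0/0/1 address used by NAT

# The page's security ACL 3000 (branch subnet -> headquarters subnet).
IPSEC_ACL = "rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255\n"

# Constructed NAT ACLs: the first translates everything from the branch; the
# second exempts the IPsec-protected flow first and translates the rest.
NAT_ACL_BROKEN = "rule 5 permit ip source 10.1.1.0 0.0.0.255\n"
NAT_ACL_FIXED = ("rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255\n"
                 "rule 10 permit ip source 10.1.1.0 0.0.0.255\n")


def parse_acl(text):
    """Return [(action, src_net, dst_net)] in rule order."""
    rules = []
    for action, s, sw, d, dw in RULE.findall(text):
        src = ipaddress.ip_network((s, sw), strict=False)
        dst = ipaddress.ip_network((d, dw), strict=False) if d else ANY
        rules.append((action, src, dst))
    return rules


def first_match(rules, src, dst):
    """ACL evaluation is first match in rule order; None means no rule matched."""
    for action, s, d in rules:
        if src in s and dst in d:
            return action
    return None


def outbound(nat_acl, ipsec_acl, src, dst):
    """Process one packet the way the outbound interface does: NAT first (translate
    when the NAT ACL permits), then match the post-NAT packet against the IPsec
    security ACL. Returns (source address on the wire, protected by IPsec?)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if first_match(parse_acl(nat_acl), src, dst) == "permit":
        src = PUBLIC_ADDR                    # translated: IPsec now sees 60.1.1.1 -> dst
    protected = first_match(parse_acl(ipsec_acl), src, dst) == "permit"
    return str(src), protected


if __name__ == "__main__":
    for name, acl in (("broken NAT ACL", NAT_ACL_BROKEN), ("fixed NAT ACL", NAT_ACL_FIXED)):
        for dst in ("10.1.2.7", "8.8.8.8"):
            print(f"{name}: 10.1.1.5 -> {dst}:", outbound(acl, IPSEC_ACL, "10.1.1.5", dst))
```

With the broken ACL, the packet for the headquarters subnet leaves as 60.1.1.1 -> 10.1.2.7 and never matches ACL 3000; with the deny rule in place it keeps its private source, is protected, and ordinary internet traffic is still translated.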

Figure 1-5 Networking for establishing an IPSec tunnel through negotiation initiated by the branch gateway with a dynamic IP address to the headquarters Cisco router


1.6 Example for Establishing an IPSec Tunnel Through Negotiation Initiated by the Branch Gateway with a Dynamic IP Address in Aggressive Mode to the Headquarters Cisco Router (Using the Host Name)

Specifications

This example applies to all versions and routers.

Networking Requirements

As shown in Figure 1-6, RouterA is the enterprise branch gateway and its public network interface obtains an IP address dynamically; RouterB is the enterprise headquarters gateway (Cisco router). The branch and headquarters communicate through the NAT device over the public network.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the branch gateway dynamically obtains an IP address, the headquarters gateway can use the host name to establish an IPSec tunnel with the branch gateway.

Figure 1-6 Networking for establishing an IPSec tunnel through negotiation initiated by the branch gateway with a dynamic IP address to the headquarters Cisco router


1.7 Example for Establishing an IPSec Tunnel Through Negotiation Initiated by the Branch Gateway with a Dynamic IP Address in Aggressive Mode to the Headquarters Cisco Router (Using Dynamic Crypto Map Entry)

Specifications

This example applies to all versions and routers.

Networking Requirements

As shown in Figure 1-7, RouterA is the enterprise branch gateway and its public network interface obtains an IP address dynamically; RouterB is the enterprise headquarters gateway (Cisco router). The branch and headquarters communicate through the NAT device over the public network.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the branch gateway dynamically obtains an IP address, the headquarters gateway can use the dynamic crypto map entry to establish an IPSec tunnel with the branch gateway. The headquarters gateway uses the fuzzy match mode to access any branch.

Figure 1-7 Networking for establishing an IPSec tunnel through negotiation initiated by the branch gateway with a dynamic IP address to the headquarters Cisco router


1.8 Example for Establishing an IPSec Tunnel Through Negotiation Initiated by the Branch Gateway with a Dynamic IP Address in Main Mode to the Headquarters Cisco Router (Using Dynamic Crypto Map Entry)

Specifications

This example applies to all versions and routers.

Networking Requirements

As shown in Figure 1-8, RouterA is the enterprise branch gateway and its public network interface obtains an IP address dynamically; RouterB is the enterprise headquarters gateway (Cisco router). The branch and headquarters communicate through the NAT device over the public network.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the branch gateway dynamically obtains an IP address, the headquarters gateway can use the dynamic crypto map entry to establish an IPSec tunnel with the branch gateway. The main mode is used for IKE negotiation and identity protection. The headquarters gateway uses the fuzzy match mode to access any branch.

Figure 1-8 Networking for establishing an IPSec tunnel through negotiation initiated by the branch gateway with a dynamic IP address to the headquarters Cisco router


1.9 Example for Establishing an IPSec Tunnel Through Negotiation Initiated by the Branch Gateway with a Dynamic IP Address in Main Mode to the Headquarters Cisco Router (Using the Host Name)

Specifications

This example applies to all versions and routers.

Networking Requirements

As shown in Figure 1-9, RouterA is the enterprise branch gateway and its public network interface obtains an IP address dynamically; RouterB is the enterprise headquarters gateway (Cisco router). The branch and headquarters communicate through the NAT device over the public network.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the branch gateway dynamically obtains an IP address, the headquarters gateway can use the host name to establish an IPSec tunnel with the branch gateway. The main mode is used for IKE negotiation and identity protection. (Although the local ID type in IKE negotiation on the AR is set to name, in main mode the ID payload is exchanged only after the DH exchange and is encrypted, so the responder has already had to select the pre-shared key by the initiator's IP address.)

Figure 1-9 Networking for establishing an IPSec tunnel through negotiation initiated by the branch gateway with a dynamic IP address to the headquarters Cisco router


1.10 Example for Establishing an IPSec Tunnel Between the AR and Cisco Router Using the Host Name (NAT Deployed on the Device Connected to Cisco Router)

Specifications

This example applies to all versions and routers.

Networking Requirements

As shown in Figure 1-10, RouterA is the enterprise branch gateway, and RouterB is the enterprise headquarters gateway (Cisco router). The headquarters and branch communicate through the NAT device over the public network.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. The headquarters router is deployed on the private network, and the NAT device connected to the headquarters gateway provides the NAT server function and shields the private network address of the headquarters router. An IPSec tunnel between the branch gateway and headquarters gateway can be established using the host name.

Figure 1-10 Networking for establishing an IPSec tunnel between the AR and Cisco router using the host name


Procedure

Step 1 Configure RouterA.


MD5, SHA-1, DES, and 3DES have potential security risks. Exercise caution when you use them. DH group 2 (1024-bit MODP), used in this example, is also considered weak today; prefer group 14 or higher if both devices support it.

#
 sysname RouterA  //Configure the device name.
#
 ike local-name huawei  //Name sent as the local ID; RouterB selects the pre-shared key by this name.
#
acl number 3000  //Specify data flows (traffic from the branch subnet to the headquarters subnet) to be protected.
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop1  //Configure an IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 1  //Configure an IKE proposal.
 encryption-algorithm aes-cbc-128
 dh group2
 authentication-algorithm sha2-256
 prf hmac-sha2-256
#
ike peer peer1 v1  //Configure an IKE peer.
 exchange-mode aggressive  //Configure the aggressive mode. It is needed because RouterB must select the pre-shared key by name, which main mode cannot do (the ID is sent encrypted there). In aggressive mode the IDs and the key-derived HASH_R travel in the clear and can be attacked offline, so use a long random pre-shared key.
 pre-shared-key cipher %#%#@W4p8i~Mm5sn;9Xc&U#(cJC;.CE|qCD#jAH&/#nR%#%#  //Configure the pre-shared key as huawei@1234.
 ike-proposal 1
 local-id-type name   //Set the local ID type in IKE negotiation to name (the ike local-name huawei).
 remote-name RouterB  //Must equal the host name RouterB sends as its ID.
 nat traversal  //Enable NAT traversal (switches IKE and ESP to UDP port 4500 once the NAT is detected).
 remote-address 60.1.2.1  //Public address of the NAT device, which is how RouterB appears from the branch.
#
ipsec policy policy1 10 isakmp  //Configure an IPSec policy.
 security acl 3000 
 ike-peer peer1
 proposal prop1
#
interface GigabitEthernet0/0/1
 ip address 60.1.1.1 255.255.255.0
 ipsec policy policy1     //Apply the IPSec policy to the interface.
#
interface GigabitEthernet0/0/2
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.2  //Configure a static route to ensure reachability at both ends.
#
return

Step 2 Configure NATer.

#
 sysname NATer  //Configure the device name.
#
interface GigabitEthernet0/0/1
 ip address 60.1.2.1 255.255.255.0
 nat server protocol udp global current-interface 500 inside 192.168.1.2 500  //Forward UDP 500 (IKE until NAT traversal is detected) to RouterB.
 nat server protocol udp global current-interface 4500 inside 192.168.1.2 4500  //Forward UDP 4500 (IKE and UDP-encapsulated ESP after NAT traversal is detected) to RouterB.
 nat server protocol icmp global current-interface inside 192.168.1.2  //Forward ICMP to RouterB so that its public address answers ping.
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.2.2  //Configure a static route to ensure reachability at both ends.
#
return

Step 3 Configure RouterB.

!
hostname RouterB  //Configure the device name.
!
crypto isakmp policy 1  //Configure an IKE policy. Its attributes must match ike proposal 1 on RouterA (AES-128, SHA-256, DH group 2, pre-shared key), otherwise phase 1 fails.
 encr aes
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key huawei@1234 hostname huawei  //Configure the pre-shared key as huawei@1234, selected by the peer ID "huawei" that RouterA sends as its ike local-name.
!
crypto isakmp identity hostname   //Send the local ID as the host name (RouterB, from the hostname command; a configured ip domain-name is appended), which must equal remote-name on RouterA.
!
crypto ipsec transform-set p1 esp-sha256-hmac esp-aes 128  //Configure a security algorithm used by IPSec.
!
crypto map p1 1 ipsec-isakmp  //Configure an IPSec policy.
 set peer 60.1.1.1     //Use the IP address to identify the IKE peer; the branch address is fixed here, so no dynamic crypto map is needed.
 set transform-set p1
 match address 102
!
!
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map p1     //Apply the IPSec policy to the interface.
!
interface GigabitEthernet0/1
 ip address 10.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1  //Configure a static route to ensure reachability at both ends.
!
access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 //Specify data flows (traffic from the headquarters subnet to the branch subnet) to be protected.
!
end

Step 4 Verify the configuration.

# After the configuration is complete, ping PC B from PC A. The ping succeeds (the first packets may be lost while the tunnel is being negotiated).

# Run the display ike sa and display ipsec sa commands on RouterA, and the show crypto isakmp sa and show crypto ipsec sa commands on RouterB. The IPSec tunnel is up when RouterB shows the ISAKMP SA in state QM_IDLE, both sides show inbound and outbound ESP SAs whose SPIs match each other crosswise, and the SAs are bound to UDP port 4500, which confirms that NAT traversal was detected.

# Run the display ipsec statistics esp command on RouterA to check data packet statistics.

----End
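The two UDP forwarding rules on NATer exist because of how the peers discover the NAT. Per RFC 3947, each IKEv1 peer sends two NAT-D payloads, HASH(CKY-I | CKY-R | IP | Port), one for the address it sees on its peer and one for its own; a peer whose own address does not hash to what the other side sent knows it sits behind a NAT, and both then move IKE and ESP to UDP 4500. The script below is an added example, not code from the original post: it computes those hashes for this page's topology (RouterA 60.1.1.1, RouterB 192.168.1.2 presented as 60.1.2.1 by NATer) using SHA-256, the hash from ike proposal 1. The ISAKMP cookie values are constructed.

```python
"""NAT-Discovery per RFC 3947 for the AR / NATer / Cisco topology above
(added example; not from the original post)."""
import hashlib
import ipaddress
import struct


def nat_d(cky_i, cky_r, ip, port, hash_name="sha256"):
    """NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), with the phase-1 hash algorithm."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def detect_nat(cky_i, cky_r, local_ip, local_port, peer_ip_seen, peer_port_seen, received):
    """Decide (local_behind_nat, peer_behind_nat) the way a receiving IKE peer does.

    `received` = (peer's hash of its own address, peer's hash of the address it sees for us).
    """
    peer_self_hash, peer_view_of_us = received
    # If the peer's hash of "us" is not our own address, something rewrote our address.
    local_behind = nat_d(cky_i, cky_r, local_ip, local_port) != peer_view_of_us
    # If the packet's source address does not hash to what the peer claims is its own,
    # something rewrote the peer's address.
    peer_behind = nat_d(cky_i, cky_r, peer_ip_seen, peer_port_seen) != peer_self_hash
    return local_behind, peer_behind


def scenario():
    """Replay the page's topology: RouterA 60.1.1.1 (no NAT), RouterB 192.168.1.2
    behind NATer, whose public address is 60.1.2.1. Phase 1 still runs on UDP 500."""
    cky_i = bytes.fromhex("0102030405060708")   # constructed initiator cookie
    cky_r = bytes.fromhex("1112131415161718")   # constructed responder cookie
    # RouterA sends hashes of its own address and of what it sees for RouterB.
    from_a = (nat_d(cky_i, cky_r, "60.1.1.1", 500), nat_d(cky_i, cky_r, "60.1.2.1", 500))
    # RouterB sends hashes of its private address and of what it sees for RouterA;
    # NATer rewrites the packet's source to 60.1.2.1 but cannot rewrite the hash.
    from_b = (nat_d(cky_i, cky_r, "192.168.1.2", 500), nat_d(cky_i, cky_r, "60.1.1.1", 500))
    a_view = detect_nat(cky_i, cky_r, "60.1.1.1", 500, "60.1.2.1", 500, from_b)
    b_view = detect_nat(cky_i, cky_r, "192.168.1.2", 500, "60.1.1.1", 500, from_a)
    return {"RouterA": a_view, "RouterB": b_view}


if __name__ == "__main__":
    for router, (local_behind, peer_behind) in scenario().items():
        print(f"{router}: I am behind NAT={local_behind}, peer is behind NAT={peer_behind}")
```

Both routers conclude that RouterB is the one behind a NAT, so after phase 1 every IKE and ESP packet is sent to UDP 4500; without the second `nat server` rule those packets would be dropped by NATer and the tunnel would negotiate but pass no traffic.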

Configuration Notes

In this example, the commands on the Cisco router are recommended ones. The product version is Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M1, RELEASE SOFTWARE (fc1). For details, visit http://www.cisco.com/cisco/web/support.


user_2790689
Created Sep 6, 2015 01:09:31

Thank you.