IPsec VPN between Huawei and Cisco

Posted 2019-3-4 17:50:36. Last reply Jul. 14, 2019 08:15:49
F-coins reward: 0 (Unresolved)

How do you set up an IPsec VPN between a Huawei (1200) and a Cisco (1900)?


Featured replies
Gladiator
Admin, posted 2019-7-14 08:15:49

Specifications

This example applies to all versions and routers.

Networking Requirements

As shown in Figure 1-1, RouterA is the enterprise branch gateway, and RouterB is the enterprise headquarters gateway (Cisco router). The branch and headquarters communicate through the public network.

The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. An IPSec tunnel can be set up between the branch gateway and headquarters gateway because they communicate through the Internet.

Figure 1-1 Networking for establishing an IPSec tunnel between the AR and Cisco router in IKEv1 main mode


Procedure

Step 1: Configure RouterA.

Note

MD5, SHA-1, DES, and 3DES have potential security risks. Exercise caution when you use them.

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.

• In versions earlier than V200R008:

  ike peer peer-name [ v1 | v2 ]

• In V200R008 and later versions:

  • To configure IKE peers: ike peer peer-name

  • To configure the IKE protocol: version { 1 | 2 }

By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.

#
 sysname RouterA  //Configure the device name.
#
 ipsec authentication sha2 compatible enable
#
acl number 3000  //Specify data flows (traffic from the branch subnet to the headquarters subnet) to be protected.
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop1  //Configure an IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 1  //Configure an IKE proposal.
 encryption-algorithm aes-cbc-128   //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14
 authentication-algorithm sha2-256
#
ike peer peer1 v1  //Configure an IKE peer.
 pre-shared-key cipher %@%@W'KwGZ8`tQ8s^C8q(qC"0(;@%@%@%#%#@W4p8i~Mm5sn;9Xc&U#(cJC;.CE|qCD#jAH&/#nR%#%#  //Configure the pre-shared key as huawei@1234.
 ike-proposal 1
 remote-address 60.1.2.1    //Use the IP address to identify the IKE peer.
#
ipsec policy policy1 10 isakmp  //Configure an IPSec policy.
 security acl 3000 
 ike-peer peer1
 proposal prop1
#
interface GigabitEthernet0/0/1
 ip address 60.1.1.1 255.255.255.0
 ipsec policy policy1     //Apply the IPSec policy to the interface.
#
interface GigabitEthernet0/0/2
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.2  //Configure a static route to ensure reachability at both ends.
#
return

Step 2: Configure RouterB.

!
hostname RouterB  //Configure the device name.
!
crypto isakmp policy 1
 encryption aes 128
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key huawei@1234 address 0.0.0.0 0.0.0.0  //Configure the pre-shared key as huawei@1234.
!
crypto ipsec transform-set p1 esp-sha256-hmac esp-aes 128  //Configure a security algorithm used by IPSec.
!
crypto map p1 1 ipsec-isakmp  //Configure an IPSec policy.
 set peer 60.1.1.1     //Use the IP address to identify the IKE peer.
 set transform-set p1
 match address 102
!
!
interface GigabitEthernet0/0
 ip address 60.1.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map p1     //Apply the IPSec policy to the interface.
!
interface GigabitEthernet0/1
 ip address 10.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
!
ip route 0.0.0.0 0.0.0.0 60.1.2.2  //Configure a static route to ensure reachability at both ends.
!
access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 //Specify data flows (traffic from the headquarters subnet to the branch subnet) to be protected.
!
end

Step 3: Verify the configuration.

# After the configuration is complete, run the ping command on PC A. PC B can be pinged.

# Run the display ike sa and display ipsec sa commands on RouterA, and run the show crypto isakmp sa and show crypto ipsec sa commands on RouterB. You can see that the IPSec tunnel is created successfully.

# Run the display ipsec statistics command on RouterA to check data packet statistics.

----End

Configuration Notes

In this example, the commands on the Cisco router are recommended ones. The product version is Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M1, RELEASE SOFTWARE (fc1). For details, visit http://www.cisco.com/cisco/web/support.
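As an added check, not part of the original answer or of either vendor's tooling, the following Python script reads the relevant lines of the two configurations above, normalises each vendor's spelling of the same algorithms (aes-cbc-128 versus aes 128, sha2-256 versus sha256), confirms that the IOS access list is the mirror image of the AR ACL, and reports anything that would keep the IKE or IPsec proposals from matching; it also flags that the IOS pre-shared key is bound to address 0.0.0.0 0.0.0.0 rather than to the branch gateway. The configuration excerpts are constructed from this thread, and HUAWEI_CFG, CISCO_CFG, FIELDS, extract and interop_findings are names of my own.

```python
import re
# Constructed excerpts of the two configurations in this thread, trimmed to the lines the check reads.
HUAWEI_CFG = """\
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
 encryption-algorithm aes-cbc-128
 dh group14
 authentication-algorithm sha2-256
"""
CISCO_CFG = """\
 encryption aes 128
 hash sha256
 group 14
crypto isakmp key huawei@1234 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set p1 esp-sha256-hmac esp-aes 128
access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
# Parameter -> (AR regex, IOS regex). Captured groups are joined with "-" and then respelled,
# so "aes 128" and "aes-cbc-128" both become "aes-128" and "sha256" becomes "sha2-256".
FIELDS = {
    "ike_enc":  (r"^ encryption-algorithm (\S+)", r"^ encryption (\S+) (\d+)"),
    "ike_hash": (r"^ authentication-algorithm (\S+)", r"^ hash (\S+)"),
    "dh":       (r"^ dh group(\d+)", r"^ group (\d+)"),
    "esp_auth": (r"^ esp authentication-algorithm (\S+)", r"transform-set \S+ esp-(\S+)-hmac"),
    "esp_enc":  (r"^ esp encryption-algorithm (\S+)", r"transform-set \S+ .* esp-(\S+) (\d+)"),
    "flow":     (r"permit ip source (\S+) (\S+) destination (\S+) (\S+)",
                 r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)"),
}
def extract(cfg, pattern):
    """First match of pattern in cfg as a vendor-neutral string, or None if absent."""
    m = re.search(pattern, cfg, re.M)
    return "-".join(m.groups()).replace("aes-cbc-", "aes-").replace("sha256", "sha2-256") if m else None
def interop_findings(huawei_cfg, cisco_cfg):
    """Mismatches that would stop IKE/IPsec negotiation, plus one hardening note on the IOS key."""
    findings = []
    for key, (ar_re, ios_re) in FIELDS.items():
        ar, ios = extract(huawei_cfg, ar_re), extract(cisco_cfg, ios_re)
        if None in (ar, ios):
            findings.append(f"{key}: not configured on both sides (AR={ar}, IOS={ios})")
            continue
        if key == "flow":  # the IOS ACL must be the mirror image of the AR ACL
            p = ios.split("-")
            ios = "-".join(p[2:] + p[:2])  # swap IOS source/destination before comparing
        if ar != ios:
            findings.append(f"{key} mismatch: AR={ar} IOS={ios}")
    if re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", cisco_cfg, re.M):
        findings.append("IOS pre-shared key is bound to any peer (0.0.0.0 0.0.0.0); bind it to the branch gateway address")
    return findings
```

Run interop_findings(HUAWEI_CFG, CISCO_CFG) to get the list; with the thread's values only the pre-shared key note is reported, and changing either side's DH group or ACL produces a mismatch entry.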

