08-IPsec Configuration

07-MSR Routers Establish IKEv2-Based IPsec Tunnel for IPv4 Packets Between Phone and Gateway

MSR Routers

Establish an IKEv2-Based IPsec Tunnel for IPv4 Packets Between a Mobile Phone and a Gateway

Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example for configuring an IKEv2-based IPsec tunnel to protect IPv4 packets between a mobile phone and a gateway.

Prerequisites

The following information applies to Comware 7-based MSR router series. Procedures and information in the examples might be slightly different depending on the software or hardware version of the routers.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of IPsec.

Example: Establishing an IKEv2-based IPsec tunnel to protect IPv4 packets between a mobile phone and a gateway

Network configuration

Establish an IPsec tunnel between a mobile phone (Phone) and a gateway (Device) in order to protect the data flows between them. The following information describes the deployment in detail:

·     The encapsulation mode is the tunnel mode.

·     The security protocol is ESP.

·     The phone and device use IKEv2 to establish IPsec SAs.

·     The device does not perform IKE extended authentication on the phone and assigns an IPv4 address to the phone.

Figure 1 Network diagram


Analysis

·     To establish an IPsec tunnel between the phone and the device, complete IKEv2 and IPsec configurations.

·     For the device to assign an IPv4 address to the phone, complete ISP domain and local user configurations.

Software versions used

This configuration example was created and verified on R6749P15 of the MSR830-10HI router and iOS 16.0.2 on an iPhone 11.

Restrictions and guidelines

Make sure the phone has connected to the AP, and that the AP and the gateway device can reach each other.

The example is tuned for interoperability rather than strength: IKEv2 proposal 10 and IPsec transform set 2 include 3des-cbc, sha1, and DH groups 2 and 5, the preshared key is 123, and both the keychain and the IKEv2 profile accept any remote IPv4 address (0.0.0.0/0). Because IKE extended authentication is disabled, any client that knows the key can connect. On a live network, remove the legacy algorithms once the client is confirmed to negotiate the strongest set in the proposal, use a long random preshared key (or certificate authentication), and narrow the peer address and identity matches as far as the deployment allows.

Procedures

Configuring the device

1.     Assign IP addresses to interfaces.

<Device> system-view

[Device] interface GigabitEthernet0/1

[Device-GigabitEthernet0/1] ip address 192.168.200.233 255.255.255.0

[Device-GigabitEthernet0/1] quit

2.     Configure an IKEv2 local IPv4 address pool for assigning IPv4 addresses to peers.

# Create IKEv2 local IPv4 address pool 1, and configure the address range as 36.1.1.2 to 36.1.1.10 and mask as 255.255.255.255.

[Device] ikev2 address-group 1 36.1.1.2 36.1.1.10 255.255.255.255

3.     Configure an ISP domain:

# Create an ISP domain named test and enter its view.

[Device] domain test

# Configure the user authorization attribute to specify an address pool for assigning IPv4 addresses to users.

[Device-isp-test] authorization-attribute ip-pool 1

# Configure the IKE extended authentication method as none.

[Device-isp-test] authentication ike none

[Device-isp-test] quit

4.     Configure a local user:

# Create local user ikev2 for network access.

[Device] local-user ikev2 class network

# Specify the IKE service for the local user.

[Device-luser-network-ikev2] service-type ike

# Assign the network-operator role to the local user. (network-operator is the default role; the command is shown for completeness.)

[Device-luser-network-ikev2] authorization-attribute user-role network-operator

# Specify the address pool for assigning an IPv4 address to the local user.

[Device-luser-network-ikev2] authorization-attribute ip-pool 1

[Device-luser-network-ikev2] quit

5.     Configure IPsec transform sets:

# Create IPsec transform set 1.

[Device] ipsec transform-set 1

# Set the packet encapsulation mode to tunnel.

[Device-ipsec-transform-set-1] encapsulation-mode tunnel

# Use the ESP protocol for the IPsec transform set.

[Device-ipsec-transform-set-1] protocol esp

# Specify the encryption and authentication algorithms.

[Device-ipsec-transform-set-1] esp encryption-algorithm aes-cbc-128

[Device-ipsec-transform-set-1] esp authentication-algorithm sha1

[Device-ipsec-transform-set-1] quit

# Create IPsec transform set 2.

[Device] ipsec transform-set 2

# Set the packet encapsulation mode to tunnel.

[Device-ipsec-transform-set-2] encapsulation-mode tunnel

# Use the ESP protocol for the IPsec transform set.

[Device-ipsec-transform-set-2] protocol esp

# Specify the encryption and authentication algorithms.

[Device-ipsec-transform-set-2] esp encryption-algorithm 3des-cbc

[Device-ipsec-transform-set-2] esp authentication-algorithm sha1

[Device-ipsec-transform-set-2] quit

# Create IPsec transform set 3.

[Device] ipsec transform-set 3

# Set the packet encapsulation mode to tunnel.

[Device-ipsec-transform-set-3] encapsulation-mode tunnel

# Use the ESP protocol for the IPsec transform set.

[Device-ipsec-transform-set-3] protocol esp

# Specify the encryption and authentication algorithms.

[Device-ipsec-transform-set-3] esp encryption-algorithm aes-cbc-128

[Device-ipsec-transform-set-3] esp authentication-algorithm sha384

[Device-ipsec-transform-set-3] quit

6.     Configure an IKEv2 keychain:

# Create IKEv2 keychain 1.

[Device] ikev2 keychain 1

# Create IKEv2 peer 1.

[Device-ikev2-keychain-1] peer 1

# Configure the host address of peer 1 as 0.0.0.0/0, so that the key applies to any remote IPv4 address.

[Device-ikev2-keychain-1-peer-1] address 0.0.0.0 0.0.0.0

# Configure the preshared key for peer 1 as 123 in plain text. (The key is stored and displayed in cipher text.)

[Device-ikev2-keychain-1-peer-1] pre-shared-key plaintext 123

[Device-ikev2-keychain-1-peer-1] quit

[Device-ikev2-keychain-1] quit

7.     Configure an IKEv2 profile to define the security parameters for establishing IKE SAs:

# Create IKEv2 profile 1.

[Device] ikev2 profile 1

# Specify the local authentication method as preshared key.

[Device-ikev2-profile-1] authentication-method local pre-share

# Specify the remote authentication method as preshared key.

[Device-ikev2-profile-1] authentication-method remote pre-share

# Specify IKEv2 keychain 1 for the IKEv2 profile.

[Device-ikev2-profile-1] keychain 1

# Configure the AAA authorization ISP domain as test and username as ikev2.

[Device-ikev2-profile-1] aaa authorization domain test username ikev2

# Match remote peers whose IKE identity is any IPv4 address (0.0.0.0/0).

[Device-ikev2-profile-1] match remote identity address 0.0.0.0 0.0.0.0

# Match remote peers whose IKE identity is the FQDN test.

[Device-ikev2-profile-1] match remote identity fqdn test

[Device-ikev2-profile-1] quit

8.     Configure an IKEv2 proposal to define the security parameters for IKE negotiation:

# Create IKEv2 proposal 10.

[Device] ikev2 proposal 10

# Specify the integrity protection algorithms for the IKEv2 proposal.

[Device-ikev2-proposal-10] integrity sha384 sha1

# Specify the encryption algorithms for the IKEv2 proposal.

[Device-ikev2-proposal-10] encryption aes-cbc-128 3des-cbc

# Specify the DH groups for the IKEv2 proposal.

[Device-ikev2-proposal-10] dh group14 group5 group2

# Specify the PRF algorithms for the IKEv2 proposal.

[Device-ikev2-proposal-10] prf sha384 sha1

[Device-ikev2-proposal-10] quit

9.     Configure an IKEv2 policy for negotiating IKEv2 SAs:

# Create IKEv2 policy 10.

[Device] ikev2 policy 10

# Specify IKEv2 proposal 10 for the IKEv2 policy.

[Device-ikev2-policy-10] proposal 10

[Device-ikev2-policy-10] quit

10.     Configure an IPsec policy template:

# Create and configure an IPsec policy template named t with a sequence number of 10, and specify IPsec transform sets 1, 2, and 3 for the IPsec policy template.

[Device] ipsec policy-template t 10

[Device-ipsec-policy-template-t-10] transform-set 1 2 3

# Specify IKEv2 profile 1 for the IPsec policy template.

[Device-ipsec-policy-template-t-10] ikev2-profile 1

# Enable IPsec RRI.

[Device-ipsec-policy-template-t-10] reverse-route dynamic

[Device-ipsec-policy-template-t-10] quit

11.     Configure an IKE-based IPsec policy:

# Create and configure IPsec policy 1 based on IPsec policy template t.

[Device] ipsec policy 1 10 isakmp template t

12.     Apply IPsec policy 1 to an interface to protect traffic on the interface.

[Device] interface GigabitEthernet0/1

[Device-GigabitEthernet0/1] ipsec apply policy 1

[Device-GigabitEthernet0/1] quit

13.     Configure a static route for Internet access. In this example, the next hop address is 192.168.200.1.

[Device] ip route-static 0.0.0.0 0 192.168.200.1

Configuring the phone

1.     Open Settings on the phone, and then tap VPN, as shown in Figure 2.

Figure 2 Settings


2.     Go to the VPN & Device Management > VPN page, and then tap Add VPN Configuration to open the Add Configuration page.

Figure 3 VPN


3.     Add the following configuration:

·     Type: Select IKEv2 as the VPN type.

·     Description: Enter a description for the VPN. This example uses test.

·     Server: Enter 192.168.200.233.

·     Remote ID: Enter 192.168.200.233.

·     User Authentication: Select None.

·     Use Certificate: Turn off this switch.

·     Secret: Enter 123.

·     Tap Done to complete and save the VPN configuration.

Figure 4 Add Configuration


Verifying the configuration

After the previous configuration is complete, the phone and the device can establish an IPsec tunnel through IKEv2 negotiation.

# On the VPN page of the phone, connect to VPN test. The VPN status changes to Connected, indicating that the phone has connected to the device. Tap the icon at the right of the VPN connection field to view the details.

Figure 5 VPN


# On the VPN details page, you can see that the phone has connected to the device and obtained the IPv4 address 36.1.1.3 from address pool 1.

# On the device, use display ikev2 sa and display ipsec sa to confirm that the IKEv2 SA and the IPsec SAs for the phone exist, and use display ip routing-table to confirm that IPsec RRI has injected a route toward the phone's assigned address.

Figure 6 VPN details


Configuration files

#

domain test

 authorization-attribute ip-pool 1

 authentication ike none

#

local-user ikev2 class network

 service-type ike

 authorization-attribute user-role network-operator

 authorization-attribute ip-pool 1

#

ipsec transform-set 1

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec transform-set 2

 esp encryption-algorithm 3des-cbc

 esp authentication-algorithm sha1

#

ipsec transform-set 3

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha384

#

ipsec policy-template t 10

 transform-set 1 2 3

 ikev2-profile 1

 reverse-route dynamic

#

ipsec policy 1 10 isakmp template t

#

 ikev2 address-group 1 36.1.1.2 36.1.1.10 255.255.255.255

#

ikev2 keychain 1

 peer 1

  address 0.0.0.0 0.0.0.0

  pre-shared-key ciphertext $c$3$yKfcFd5/ruY590JrZZdACVs6LMy1hA==

#


ikev2 profile 1

 authentication-method local pre-share

 authentication-method remote pre-share

 keychain 1

 aaa authorization domain test username ikev2

 match remote identity address 0.0.0.0 0.0.0.0

 match remote identity fqdn test

#

ikev2 proposal 10

 encryption aes-cbc-128 3des-cbc

 integrity sha384 sha1

 dh group14 group5 group2

 prf sha384 sha1

#

ikev2 policy 10

 proposal 10

#


interface GigabitEthernet0/1

 port link-mode route

 ip address 192.168.200.233 255.255.255.0

 ipsec apply policy 1

#

 ip route-static 0.0.0.0 0 192.168.200.1
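The following script is an added example and is not code from this page or from H3C. It parses the running-configuration format shown above (blocks separated by lines containing only #) and reports the settings a reviewer would flag before deploying this gateway on a live network: the legacy algorithms in IKEv2 proposal 10 and IPsec transform sets 1 and 2, the 0.0.0.0/0 peer address and identity matches, a preshared key entered in plain text, and the absence of IKE extended authentication. SAMPLE_CONFIG is a constructed, trimmed copy of the configuration on this page; which algorithms count as legacy is the example's own policy, not H3C's. strip_weak shows what each proposal or transform-set line becomes once the legacy entries are removed.

```python
"""Audit a Comware 7 IKEv2/IPsec configuration for weak or permissive settings.

Added example, not code from the H3C page or from H3C. It parses the
running-config format shown in the page's "Configuration files" section
(blocks separated by lines containing only '#'). SAMPLE_CONFIG is a
constructed, trimmed copy of that configuration; which algorithms count as
legacy is this example's own policy, not H3C's.
"""
from dataclasses import dataclass

# Names exactly as Comware 7 prints them.
WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}
WEAK_HASH = {"md5", "sha1"}            # integrity, PRF and ESP authentication
WEAK_DH = {"group1", "group2", "group5"}

SAMPLE_CONFIG = """\
#
domain test
 authentication ike none
#
ipsec transform-set 1
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
#
ipsec transform-set 2
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm sha1
#
ipsec transform-set 3
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha384
#
ikev2 keychain 1
 peer 1
  address 0.0.0.0 0.0.0.0
  pre-shared-key ciphertext $c$3$yKfcFd5/ruY590JrZZdACVs6LMy1hA==
#
ikev2 profile 1
 keychain 1
 match remote identity address 0.0.0.0 0.0.0.0
 match remote identity fqdn test
#
ikev2 proposal 10
 encryption aes-cbc-128 3des-cbc
 integrity sha384 sha1
 dh group14 group5 group2
 prf sha384 sha1
#
"""


@dataclass(frozen=True)
class Finding:
    context: str  # the config block, e.g. "ikev2 proposal 10"
    message: str


def parse_sections(config):
    """Return [(header, [body lines])] per '#'-delimited block, indentation dropped."""
    sections, current = [], []
    for line in config.splitlines():
        if line.strip() == "#":
            if current:
                sections.append(current)
            current = []
        elif line.strip():
            current.append(line.strip())
    if current:
        sections.append(current)
    return [(block[0], block[1:]) for block in sections]


def weak_algorithms(keyword, algs):
    """Legacy entries of an algorithm list, keyed by the CLI keyword before it."""
    if keyword in ("encryption", "encryption-algorithm"):
        return [a for a in algs if a in WEAK_ENCRYPTION]
    if keyword in ("integrity", "prf", "authentication-algorithm"):
        return [a for a in algs if a in WEAK_HASH]
    if keyword == "dh":
        return [a for a in algs if a in WEAK_DH]
    return []


def audit(config):
    findings = []
    for header, body in parse_sections(config):
        for line in body:
            w = line.split()
            if header.startswith("ikev2 proposal"):          # encryption|integrity|dh|prf <alg>...
                for alg in weak_algorithms(w[0], w[1:]):
                    findings.append(Finding(header, f"legacy {w[0]} algorithm {alg}"))
            elif header.startswith("ipsec transform-set") and w[0] == "esp":
                for alg in weak_algorithms(w[1], w[2:]):     # esp <keyword> <alg>...
                    findings.append(Finding(header, f"legacy ESP {w[1]} {alg}"))
            elif header.startswith("ikev2 keychain"):
                if line == "address 0.0.0.0 0.0.0.0":
                    findings.append(Finding(header, "peer address 0.0.0.0/0: key accepted from any source"))
                elif w[:2] == ["pre-shared-key", "plaintext"]:
                    findings.append(Finding(header, "preshared key configured in plain text"))
            elif header.startswith("ikev2 profile") and line == "match remote identity address 0.0.0.0 0.0.0.0":
                findings.append(Finding(header, "remote identity matches any IPv4 address"))
            elif header.startswith("domain") and line == "authentication ike none":
                findings.append(Finding(header, "no IKE extended authentication: the PSK is the only client credential"))
    return findings


def strip_weak(line):
    """Rewrite a proposal or transform-set line without its legacy algorithms.
    Returns None when nothing would remain; delete the line (and a transform set
    left without algorithms) instead of leaving it empty."""
    w = line.split()
    if not w:
        return line
    prefix, keyword, algs = (w[:2], w[1], w[2:]) if w[0] == "esp" else (w[:1], w[0], w[1:])
    kept = [a for a in algs if a not in weak_algorithms(keyword, algs)]
    return " ".join(prefix + kept) if kept else None


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.context}: {f.message}")
```

Run against the configuration on this page, the audit returns eleven findings; transform set 3 (aes-cbc-128 with sha384) is the only algorithm block that passes. The checker is deliberately keyed on the exact CLI keywords Comware prints, so it can be run over a saved running-config copied off the device with no further preprocessing.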

Related documentation

·     IPsec configuration in Security Configuration Guide in H3C MSR610[810][830][1000S][2600][3600] Routers Configuration Guides(V7)-R6749

·     IPsec commands in Security Command Reference in H3C MSR610[810][830][1000S][2600][3600] Routers Command References(V7)-R6749
