12-Security Configuration Guide

06-IPsec configuration examples

IPsec configuration examples

Example: Configuring a manual mode IPsec tunnel for IPv4 packets

Network configuration

As shown in Figure 1, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure the tunnel as follows:

·     Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as 128-bit AES, and the authentication algorithm as HMAC-SHA1.

·     Manually set up IPsec SAs.

Figure 1 Network diagram

 

Table 1 Interface label and interface name mappings

Interface label    Interface name
Interface1         Ten-GigabitEthernet3/0/1
Interface2         Ten-GigabitEthernet3/0/2

Procedure

1.     Configure Router A:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname RouterA

[RouterA] interface ten-gigabitethernet 3/0/1

[RouterA-Ten-GigabitEthernet3/0/1] ip address 10.1.1.1 255.255.255.0

[RouterA-Ten-GigabitEthernet3/0/1] quit

[RouterA] interface ten-gigabitethernet 3/0/2

[RouterA-Ten-GigabitEthernet3/0/2] ip address 2.2.2.1 255.255.255.0

[RouterA-Ten-GigabitEthernet3/0/2] quit

# Configure an IPv4 advanced ACL to identify data flows from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.

[RouterA] acl advanced 3101

[RouterA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[RouterA-acl-ipv4-adv-3101] quit

# Configure a static route to the subnet where Host B resides and a static route to Router B. This example uses 2.2.2.3 as the next hop IP address.

[RouterA] ip route-static 10.1.2.0 24 2.2.2.3

[RouterA] ip route-static 2.2.3.0 24 2.2.2.3

# Create an IPsec transform set named tran1.

[RouterA] ipsec transform-set tran1

# Specify the encapsulation mode as tunnel.

[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Specify the security protocol as ESP.

[RouterA-ipsec-transform-set-tran1] protocol esp

# Specify the ESP encryption and authentication algorithms.

[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[RouterA-ipsec-transform-set-tran1] quit

# Create a manual IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.

[RouterA] ipsec policy map1 10 manual

# Apply ACL 3101.

[RouterA-ipsec-policy-manual-map1-10] security acl 3101

# Apply IPsec transform set tran1.

[RouterA-ipsec-policy-manual-map1-10] transform-set tran1

# Specify the remote IP address of the IPsec tunnel as 2.2.3.1.

[RouterA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1

# Configure the inbound and outbound SPIs for ESP.

[RouterA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345

[RouterA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321

# Configure the inbound and outbound SA keys for ESP.

[RouterA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg

[RouterA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba

[RouterA-ipsec-policy-manual-map1-10] quit

# Apply IPsec policy map1 to Ten-GigabitEthernet 3/0/2.

[RouterA] interface ten-gigabitethernet 3/0/2

[RouterA-Ten-GigabitEthernet3/0/2] ipsec apply policy map1

[RouterA-Ten-GigabitEthernet3/0/2] quit

2.     Configure Router B:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname RouterB

[RouterB] interface ten-gigabitethernet 3/0/1

[RouterB-Ten-GigabitEthernet3/0/1] ip address 10.1.2.1 255.255.255.0

[RouterB-Ten-GigabitEthernet3/0/1] quit

[RouterB] interface ten-gigabitethernet 3/0/2

[RouterB-Ten-GigabitEthernet3/0/2] ip address 2.2.3.1 255.255.255.0

[RouterB-Ten-GigabitEthernet3/0/2] quit

# Configure an IPv4 advanced ACL to identify data flows from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.

[RouterB] acl advanced 3101

[RouterB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

[RouterB-acl-ipv4-adv-3101] quit

# Configure a static route to the subnet where Host A resides and a static route to Router A. This example uses 2.2.3.3 as the next hop IP address.

[RouterB] ip route-static 10.1.1.0 24 2.2.3.3

[RouterB] ip route-static 2.2.2.0 24 2.2.3.3

# Create an IPsec transform set named tran1.

[RouterB] ipsec transform-set tran1

# Specify the encapsulation mode as tunnel.

[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Specify the security protocol as ESP.

[RouterB-ipsec-transform-set-tran1] protocol esp

# Specify the ESP encryption and authentication algorithms.

[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[RouterB-ipsec-transform-set-tran1] quit

# Create a manual IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.

[RouterB] ipsec policy use1 10 manual

# Apply ACL 3101.

[RouterB-ipsec-policy-manual-use1-10] security acl 3101

# Apply IPsec transform set tran1.

[RouterB-ipsec-policy-manual-use1-10] transform-set tran1

# Specify the remote IP address of the IPsec tunnel as 2.2.2.1.

[RouterB-ipsec-policy-manual-use1-10] remote-address 2.2.2.1

# Configure the inbound and outbound SPIs for ESP.

[RouterB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321

[RouterB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345

# Configure the inbound and outbound SA keys for ESP.

[RouterB-ipsec-policy-manual-use1-10] sa string-key outbound esp simple gfedcba

[RouterB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg

[RouterB-ipsec-policy-manual-use1-10] quit

# Apply IPsec policy use1 to Ten-GigabitEthernet 3/0/2.

[RouterB] interface ten-gigabitethernet 3/0/2

[RouterB-Ten-GigabitEthernet3/0/2] ipsec apply policy use1

[RouterB-Ten-GigabitEthernet3/0/2] quit

Verifying the configuration

After the configuration is completed, an IPsec tunnel between Router A and Router B is established, and the traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 is IPsec-protected. This example uses Router A to verify the configuration.

# Display IPsec SAs on Router A.

[RouterA] display ipsec sa

-------------------------------

Interface: Ten-GigabitEthernet3/0/2

-------------------------------

 

  -----------------------------

  IPsec policy: map1

  Sequence number: 10

  Mode: Manual

  -----------------------------

    Tunnel id: 549

    Encapsulation mode: tunnel

    Path MTU: 1443

    Transmitting entity: Initiator

    Tunnel:

        local  address: 2.2.2.1

        remote address: 2.2.3.1

    Flow:

        as defined in ACL 3101

    [Inbound ESP SA]

      SPI: 54321 (0x0000d431)

      Connection ID: 90194313219

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      No duration limit for this SA

    [Outbound ESP SA]

      SPI: 12345 (0x00003039)

      Connection ID: 64424509441

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      No duration limit for this SA

Configuration files

Router A

#

sysname RouterA

#

interface Ten-GigabitEthernet3/0/1

 ip address 10.1.1.1 255.255.255.0

#

interface Ten-GigabitEthernet3/0/2

 ip address 2.2.2.1 255.255.255.0

 ipsec apply policy map1

#

acl advanced 3101

 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

#

ip route-static 10.1.2.0 24 2.2.2.3

ip route-static 2.2.3.0 24 2.2.2.3

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec policy map1 10 manual

 security acl 3101

 transform-set tran1

 remote-address 2.2.3.1

 sa spi outbound esp 12345

 sa spi inbound esp 54321

 sa string-key outbound esp simple abcdefg

 sa string-key inbound esp simple gfedcba

#

Router B

#

sysname RouterB

#

interface Ten-GigabitEthernet3/0/1

 ip address 10.1.2.1 255.255.255.0

#

interface Ten-GigabitEthernet3/0/2

 ip address 2.2.3.1 255.255.255.0

 ipsec apply policy use1

#

acl advanced 3101

 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

#

ip route-static 10.1.1.0 24 2.2.3.3

ip route-static 2.2.2.0 24 2.2.3.3

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec policy use1 10 manual

 security acl 3101

 transform-set tran1

 remote-address 2.2.2.1

 sa spi outbound esp 54321

 sa spi inbound esp 12345

 sa string-key outbound esp simple gfedcba

 sa string-key inbound esp simple abcdefg

#
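As an added example (not H3C code), the Python script below parses the two configuration files above and verifies what the manual example depends on: Router A's outbound SPI and key equal Router B's inbound ones and vice versa, both transform sets agree, and each remote-address is the interface where the peer applied its policy. The configs are constructed from the files above with the ACL and route sections left out because the checks do not use them.

```python
# Added example (not H3C code). Configs constructed from the guide's Router A/B files.
import re
SA_RE = re.compile(r"sa (spi|string-key) (inbound|outbound) esp (?:simple )?(\S+)$")

ROUTER_A = """\
#
interface Ten-GigabitEthernet3/0/2
 ip address 2.2.2.1 255.255.255.0
 ipsec apply policy map1
#
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
 transform-set tran1
 remote-address 2.2.3.1
 sa spi outbound esp 12345
 sa spi inbound esp 54321
 sa string-key outbound esp simple abcdefg
 sa string-key inbound esp simple gfedcba
#
"""
ROUTER_B = """\
#
interface Ten-GigabitEthernet3/0/2
 ip address 2.2.3.1 255.255.255.0
 ipsec apply policy use1
#
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
 transform-set tran1
 remote-address 2.2.2.1
 sa spi outbound esp 54321
 sa spi inbound esp 12345
 sa string-key outbound esp simple gfedcba
 sa string-key inbound esp simple abcdefg
#
"""

def sections(cfg):
    """Split a Comware config at its '#' separators into {header: [commands]}."""
    out = {}
    for block in cfg.split("\n#"):
        lines = [l.strip() for l in block.splitlines() if l.strip() not in ("", "#")]
        if lines:
            out[lines[0]] = lines[1:]
    return out

def find(secs, prefix):
    """First (header, commands) pair whose header starts with prefix."""
    return next((h, c) for h, c in secs.items() if h.startswith(prefix))

def arg(cmds, keyword):
    """Argument of the first command that starts with keyword, else None."""
    return next((c[len(keyword) + 1:] for c in cmds if c.startswith(keyword + " ")), None)

def sa_params(cmds):
    """{(spi|string-key, inbound|outbound): value} from a manual policy body."""
    return {(m[1], m[2]): m[3] for m in map(SA_RE.match, cmds) if m}

def applied_address(secs, policy):
    """Address of the interface carrying 'ipsec apply policy <policy>'."""
    for header, cmds in secs.items():
        if header.startswith("interface ") and f"ipsec apply policy {policy}" in cmds:
            return arg(cmds, "ip address").split()[0]
    return None

def check_manual_peering(cfg_a, cfg_b):
    """Return the list of mismatches between two peers' manual IPsec policies."""
    problems = []
    a, b = sections(cfg_a), sections(cfg_b)
    (hdr_a, pol_a), (hdr_b, pol_b) = find(a, "ipsec policy "), find(b, "ipsec policy ")
    sa_a, sa_b = sa_params(pol_a), sa_params(pol_b)
    # A's outbound SPI and key must be B's inbound SPI and key, and vice versa
    for kind in ("spi", "string-key"):
        for mine, theirs in (("outbound", "inbound"), ("inbound", "outbound")):
            if sa_a.get((kind, mine)) != sa_b.get((kind, theirs)):
                problems.append(f"A {mine} {kind} != B {theirs} {kind}")
    # both transform sets must carry the same protocol, algorithms and mode
    ts_a = set(find(a, "ipsec transform-set " + arg(pol_a, "transform-set"))[1])
    ts_b = set(find(b, "ipsec transform-set " + arg(pol_b, "transform-set"))[1])
    if ts_a != ts_b:
        problems.append("transform sets differ: " + ", ".join(sorted(ts_a ^ ts_b)))
    # each remote-address must be the interface where the peer applied its policy
    for side, pol, peer, peer_hdr in (("A", pol_a, b, hdr_b), ("B", pol_b, a, hdr_a)):
        expected = applied_address(peer, peer_hdr.split()[2])
        if arg(pol, "remote-address") != expected:
            problems.append(f"{side} remote-address should be {expected}")
    return problems

print(check_manual_peering(ROUTER_A, ROUTER_B) or "peers are consistent")
```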

Example: Configuring an IKE-based IPsec tunnel for IPv4 packets

Network configuration

As shown in Figure 2, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure the IPsec tunnel as follows:

·     Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as 128-bit AES, and the authentication algorithm as HMAC-SHA1.

·     Set up SAs through IKE negotiation.

Figure 2 Network diagram

 

Table 2 Interface label and interface name mappings

Interface label    Interface name
Interface1         Ten-GigabitEthernet3/0/1
Interface2         Ten-GigabitEthernet3/0/2

Procedure

1.     Configure Router A:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname RouterA

[RouterA] interface ten-gigabitethernet 3/0/1

[RouterA-Ten-GigabitEthernet3/0/1] ip address 10.1.1.1 255.255.255.0

[RouterA-Ten-GigabitEthernet3/0/1] quit

[RouterA] interface ten-gigabitethernet 3/0/2

[RouterA-Ten-GigabitEthernet3/0/2] ip address 2.2.2.1 255.255.255.0

[RouterA-Ten-GigabitEthernet3/0/2] quit

# Configure an IPv4 advanced ACL to identify data flows from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.

[RouterA] acl advanced 3101

[RouterA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[RouterA-acl-ipv4-adv-3101] quit

# Configure a static route to the subnet where Host B resides and a static route to Router B. This example uses 2.2.2.3 as the next hop IP address.

[RouterA] ip route-static 10.1.2.0 24 2.2.2.3

[RouterA] ip route-static 2.2.3.0 24 2.2.2.3

# Create an IPsec transform set named tran1.

[RouterA] ipsec transform-set tran1

# Specify the encapsulation mode as tunnel.

[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Specify the security protocol as ESP.

[RouterA-ipsec-transform-set-tran1] protocol esp

# Specify the ESP encryption and authentication algorithms.

[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[RouterA-ipsec-transform-set-tran1] quit

# Create an IKE keychain named keychain1.

[RouterA] ike keychain keychain1

# Specify 123456TESTplat&! in plain text as the pre-shared key to be used with the remote peer at 2.2.3.1.

[RouterA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!

[RouterA-ike-keychain-keychain1] quit

# Create and configure the IKE profile named profile1.

[RouterA] ike profile profile1

[RouterA-ike-profile-profile1] keychain keychain1

[RouterA-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0

[RouterA-ike-profile-profile1] quit

# Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.

[RouterA] ipsec policy map1 10 isakmp

# Apply ACL 3101.

[RouterA-ipsec-policy-isakmp-map1-10] security acl 3101

# Apply IPsec transform set tran1.

[RouterA-ipsec-policy-isakmp-map1-10] transform-set tran1

# Specify the local and remote IP addresses of the IPsec tunnel as 2.2.2.1 and 2.2.3.1.

[RouterA-ipsec-policy-isakmp-map1-10] local-address 2.2.2.1

[RouterA-ipsec-policy-isakmp-map1-10] remote-address 2.2.3.1

# Apply IKE profile profile1.

[RouterA-ipsec-policy-isakmp-map1-10] ike-profile profile1

[RouterA-ipsec-policy-isakmp-map1-10] quit

# Apply IPsec policy map1 to Ten-GigabitEthernet 3/0/2.

[RouterA] interface ten-gigabitethernet 3/0/2

[RouterA-Ten-GigabitEthernet3/0/2] ipsec apply policy map1

[RouterA-Ten-GigabitEthernet3/0/2] quit

2.     Configure Router B:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname RouterB

[RouterB] interface ten-gigabitethernet 3/0/1

[RouterB-Ten-GigabitEthernet3/0/1] ip address 10.1.2.1 255.255.255.0

[RouterB-Ten-GigabitEthernet3/0/1] quit

[RouterB] interface ten-gigabitethernet 3/0/2

[RouterB-Ten-GigabitEthernet3/0/2] ip address 2.2.3.1 255.255.255.0

[RouterB-Ten-GigabitEthernet3/0/2] quit

# Configure an IPv4 advanced ACL to identify data flows from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.

[RouterB] acl advanced 3101

[RouterB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

[RouterB-acl-ipv4-adv-3101] quit

# Configure a static route to the subnet where Host A resides and a static route to Router A. This example uses 2.2.3.3 as the next hop IP address.

[RouterB] ip route-static 10.1.1.0 24 2.2.3.3

[RouterB] ip route-static 2.2.2.0 24 2.2.3.3

# Create an IPsec transform set named tran1.

[RouterB] ipsec transform-set tran1

# Specify the encapsulation mode as tunnel.

[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Specify the security protocol as ESP.

[RouterB-ipsec-transform-set-tran1] protocol esp

# Specify the ESP encryption and authentication algorithms.

[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[RouterB-ipsec-transform-set-tran1] quit

# Create an IKE keychain named keychain1.

[RouterB] ike keychain keychain1

# Specify 123456TESTplat&! in plain text as the pre-shared key to be used with the remote peer at 2.2.2.1.

[RouterB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!

[RouterB-ike-keychain-keychain1] quit

# Create and configure the IKE profile named profile1.

[RouterB] ike profile profile1

[RouterB-ike-profile-profile1] keychain keychain1

[RouterB-ike-profile-profile1] match remote identity address 2.2.2.1 255.255.255.0

[RouterB-ike-profile-profile1] quit

# Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.

[RouterB] ipsec policy use1 10 isakmp

# Apply ACL 3101.

[RouterB-ipsec-policy-isakmp-use1-10] security acl 3101

# Apply IPsec transform set tran1.

[RouterB-ipsec-policy-isakmp-use1-10] transform-set tran1

# Specify the local and remote IP addresses of the IPsec tunnel as 2.2.3.1 and 2.2.2.1.

[RouterB-ipsec-policy-isakmp-use1-10] local-address 2.2.3.1

[RouterB-ipsec-policy-isakmp-use1-10] remote-address 2.2.2.1

# Apply IKE profile profile1.

[RouterB-ipsec-policy-isakmp-use1-10] ike-profile profile1

[RouterB-ipsec-policy-isakmp-use1-10] quit

# Apply IPsec policy use1 to Ten-GigabitEthernet 3/0/2.

[RouterB] interface ten-gigabitethernet 3/0/2

[RouterB-Ten-GigabitEthernet3/0/2] ipsec apply policy use1

[RouterB-Ten-GigabitEthernet3/0/2] quit

Verifying the configuration

# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, the traffic between the two subnets is IPsec-protected.

# Display IPsec SAs on Router A and Router B. This example uses Router A to verify the configuration.

[RouterA] display ipsec sa

-------------------------------

Interface: Ten-GigabitEthernet3/0/2

-------------------------------

 

  -----------------------------

  IPsec policy: map1

  Sequence number: 10

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Path MTU: 1443

    Transmitting entity: Initiator

    Tunnel:

        local  address: 2.2.3.1

        remote address: 2.2.2.1

    Flow:

        sour addr: 10.1.1.0/255.255.255.0  port: 0  protocol: ip

        dest addr: 10.1.2.0/255.255.255.0  port: 0  protocol: ip

 

    [Inbound ESP SAs]

      SPI: 3769702703 (0xe0b1192f)

      Connection ID: 90194313219

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 3000/28800

      SA remaining duration (kilobytes/sec): 2300/797

      Max received sequence-number: 1

      Anti-replay check enable: N

      Anti-replay window size:

      UDP encapsulation used for NAT traversal: N

      Status: Active

 

    [Outbound ESP SAs]

      SPI: 3840956402 (0xe4f057f2)

      Connection ID: 64424509441

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 3000/28800

      SA remaining duration (kilobytes/sec): 2312/797

      Max sent sequence-number: 1

      UDP encapsulation used for NAT traversal: N

      Status: Active
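As an added example (not from the guide), the script below parses display ipsec sa output of the form shown above and reports the SA states a defender would act on: a transform set other than the configured tran1, an SA that is not Active or is close to its lifetime, an inbound SA with the anti-replay check disabled, and manual SAs that never rekey. The sample output is constructed from Router A's output above, with the tunnel addresses as configured on Router A; the 600 s rekey threshold is an assumption.

```python
# Added example (not H3C code): audit 'display ipsec sa' output for risky SA state.
import re

# Constructed from the IKE-mode output shown above, trimmed to the lines used here.
SAMPLE = """\
  IPsec policy: map1
  Sequence number: 10
  Mode: ISAKMP
    Encapsulation mode: tunnel
    Tunnel:
        local  address: 2.2.2.1
        remote address: 2.2.3.1
    [Inbound ESP SAs]
      SPI: 3769702703 (0xe0b1192f)
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 3000/28800
      SA remaining duration (kilobytes/sec): 2300/797
      Max received sequence-number: 1
      Anti-replay check enable: N
      Anti-replay window size:
      Status: Active
    [Outbound ESP SAs]
      SPI: 3840956402 (0xe4f057f2)
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 3000/28800
      SA remaining duration (kilobytes/sec): 2312/797
      Max sent sequence-number: 1
      Status: Active
"""
# The transform set the policy was configured with (tran1 in the guide).
EXPECTED = ["ESP-ENCRYPT-AES-CBC-128", "ESP-AUTH-SHA1"]

def parse_ipsec_sa(text):
    """Return (policy fields, [per-SA dicts]) from 'display ipsec sa' output."""
    policy, sas, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\[(Inbound|Outbound) ESP SAs?\]", line)
        if m:  # a new SA block; manual SAs print "SA", IKE-negotiated ones "SAs"
            cur = {"direction": m.group(1).lower(), "remaining_sec": None,
                   "anti_replay": None, "transform": [], "status": None}
            sas.append(cur)
            continue
        if ":" not in line:  # e.g. "No duration limit for this SA" on manual SAs
            continue
        key, _, val = (s.strip() for s in line.partition(":"))
        if cur is None:
            policy[key] = val
        elif key == "SPI":
            cur["spi"] = int(val.split()[0])
        elif key == "Transform set":
            cur["transform"] = val.split()
        elif key.startswith("SA remaining duration"):
            cur["remaining_kb"], cur["remaining_sec"] = map(int, val.split("/"))
        elif key == "Anti-replay check enable":
            cur["anti_replay"] = val == "Y"
        elif key == "Status":
            cur["status"] = val
    return policy, sas

def audit(text, expected=EXPECTED, min_remaining_sec=600):
    """Findings a defender would act on: wrong algorithms, dead or expiring SAs,
    replay protection off, and manual SAs that will never rekey."""
    policy, sas = parse_ipsec_sa(text)
    findings = []
    if policy.get("Mode") == "Manual":
        findings.append("manual SAs have no lifetime: keys are never rotated unless reconfigured")
    for sa in sas:
        d = sa["direction"]
        if sa["transform"] != list(expected):
            findings.append(f"{d}: transform set {' '.join(sa['transform'])} is not the configured one")
        if sa["status"] not in (None, "Active"):
            findings.append(f"{d}: status {sa['status']}")
        if d == "inbound" and sa["anti_replay"] is False:
            findings.append("inbound: anti-replay check disabled, replayed ESP packets are accepted")
        if sa["remaining_sec"] is not None and sa["remaining_sec"] < min_remaining_sec:
            findings.append(f"{d}: {sa['remaining_sec']}s of lifetime left, rekey due")
    return findings

for finding in audit(SAMPLE):
    print(finding)
```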

Configuration files

Router A

#

sysname RouterA

#

interface Ten-GigabitEthernet3/0/1

 ip address 10.1.1.1 255.255.255.0

#

interface Ten-GigabitEthernet3/0/2

 ip address 2.2.2.1 255.255.255.0

 ipsec apply policy map1

#

acl advanced 3101

 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

#

ip route-static 10.1.2.0 24 2.2.2.3

ip route-static 2.2.3.0 24 2.2.2.3

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ike keychain keychain1

 pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!

#

ike profile profile1

 keychain keychain1

 match remote identity address 2.2.3.1 255.255.255.0

#

ipsec policy map1 10 isakmp

 security acl 3101

 transform-set tran1

 local-address 2.2.2.1

 remote-address 2.2.3.1

 ike-profile profile1

#

Router B

#

sysname RouterB

#

interface Ten-GigabitEthernet3/0/1

 ip address 10.1.2.1 255.255.255.0

#

interface Ten-GigabitEthernet3/0/2

 ip address 2.2.3.1 255.255.255.0

 ipsec apply policy use1

#

acl advanced 3101

 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

#

ip route-static 10.1.1.0 24 2.2.3.3

ip route-static 2.2.2.0 24 2.2.3.3

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ike keychain keychain1

 pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!

#

ike profile profile1

 keychain keychain1

 match remote identity address 2.2.2.1 255.255.255.0

#

ipsec policy use1 10 isakmp

 security acl 3101

 transform-set tran1

 local-address 2.2.3.1

 remote-address 2.2.2.1

 ike-profile profile1

#

Example: Configuring an IKE-based IPsec tunnel for IPv6 packets

Network configuration

As shown in Figure 3, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 333::/64 and subnet 555::/64. Configure the IPsec tunnel as follows:

·     Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as 128-bit AES, and the authentication algorithm as HMAC-SHA1.

·     Set up SAs through IKE negotiation.

Figure 3 Network diagram

 

Table 3 Interface label and interface name mappings

Interface label    Interface name
Interface1         Ten-GigabitEthernet3/0/1
Interface2         Ten-GigabitEthernet3/0/2

Procedure

1.     Configure Router A:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname RouterA

[RouterA] interface ten-gigabitethernet 3/0/1

[RouterA-Ten-GigabitEthernet3/0/1] ipv6 address 333::1/64

[RouterA-Ten-GigabitEthernet3/0/1] quit

[RouterA] interface ten-gigabitethernet 3/0/2

[RouterA-Ten-GigabitEthernet3/0/2] ipv6 address 111::1/64

[RouterA-Ten-GigabitEthernet3/0/2] quit

# Configure an IPv6 advanced ACL to identify data flows from subnet 333::/64 to subnet 555::/64.

[RouterA] acl ipv6 advanced 3101

[RouterA-acl-ipv6-adv-3101] rule permit ipv6 source 333::0 64 destination 555::0 64

[RouterA-acl-ipv6-adv-3101] quit

# Configure a static route to the subnet where Host B resides and a static route to Router B. This example uses 111::2 as the next hop IP address.

[RouterA] ipv6 route-static 555::0 64 111::2

[RouterA] ipv6 route-static 222::0 64 111::2

# Create an IPsec transform set named tran1.

[RouterA] ipsec transform-set tran1

# Specify the encapsulation mode as tunnel.

[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Specify the security protocol as ESP.

[RouterA-ipsec-transform-set-tran1] protocol esp

# Specify the ESP encryption and authentication algorithms.

[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[RouterA-ipsec-transform-set-tran1] quit

# Create and configure the IKE keychain named keychain1.

[RouterA] ike keychain keychain1

[RouterA-ike-keychain-keychain1] pre-shared-key address ipv6 222::1 64 key simple 123456TESTplat&!

[RouterA-ike-keychain-keychain1] quit

# Create and configure the IKE profile named profile1.

[RouterA] ike profile profile1

[RouterA-ike-profile-profile1] keychain keychain1

[RouterA-ike-profile-profile1] match remote identity address ipv6 222::1 64

[RouterA-ike-profile-profile1] quit

# Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.

[RouterA] ipsec ipv6-policy map1 10 isakmp

# Apply IPv6 ACL 3101.

[RouterA-ipsec-ipv6-policy-isakmp-map1-10] security acl ipv6 3101

# Apply IPsec transform set tran1.

[RouterA-ipsec-ipv6-policy-isakmp-map1-10] transform-set tran1

# Specify the local and remote IPv6 addresses of the IPsec tunnel as 111::1 and 222::1.

[RouterA-ipsec-ipv6-policy-isakmp-map1-10] local-address ipv6 111::1

[RouterA-ipsec-ipv6-policy-isakmp-map1-10] remote-address ipv6 222::1

# Apply IKE profile profile1.

[RouterA-ipsec-ipv6-policy-isakmp-map1-10] ike-profile profile1

[RouterA-ipsec-ipv6-policy-isakmp-map1-10] quit

# Apply IPsec policy map1 to Ten-GigabitEthernet 3/0/2.

[RouterA] interface ten-gigabitethernet 3/0/2

[RouterA-Ten-GigabitEthernet3/0/2] ipsec apply ipv6-policy map1

[RouterA-Ten-GigabitEthernet3/0/2] quit

2.     Configure Router B:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname RouterB

[RouterB] interface ten-gigabitethernet 3/0/1

[RouterB-Ten-GigabitEthernet3/0/1] ipv6 address 555::1/64

[RouterB-Ten-GigabitEthernet3/0/1] quit

[RouterB] interface ten-gigabitethernet 3/0/2

[RouterB-Ten-GigabitEthernet3/0/2] ipv6 address 222::1/64

[RouterB-Ten-GigabitEthernet3/0/2] quit

# Configure an IPv6 advanced ACL to identify data flows from subnet 555::/64 to subnet 333::/64.

[RouterB] acl ipv6 advanced 3101

[RouterB-acl-ipv6-adv-3101] rule permit ipv6 source 555::/64 destination 333::/64

[RouterB-acl-ipv6-adv-3101] quit

# Configure a static route to the subnet where Host A resides and a static route to Router A. This example uses 222::2 as the next hop IP address.

[RouterB] ipv6 route-static 333::0 64 222::2

[RouterB] ipv6 route-static 111::0 64 222::2

# Create an IPsec transform set named tran1.

[RouterB] ipsec transform-set tran1

# Specify the encapsulation mode as tunnel.

[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Specify the security protocol as ESP.

[RouterB-ipsec-transform-set-tran1] protocol esp

# Specify the ESP encryption and authentication algorithms.

[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[RouterB-ipsec-transform-set-tran1] quit

# Create and configure the IKE keychain named keychain1.

[RouterB] ike keychain keychain1

[RouterB-ike-keychain-keychain1] pre-shared-key address ipv6 111::1 64 key simple 123456TESTplat&!

[RouterB-ike-keychain-keychain1] quit

# Create and configure the IKE profile named profile1.

[RouterB] ike profile profile1

[RouterB-ike-profile-profile1] keychain keychain1

[RouterB-ike-profile-profile1] match remote identity address ipv6 111::1 64

[RouterB-ike-profile-profile1] quit

# Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.

[RouterB] ipsec ipv6-policy use1 10 isakmp

# Apply IPv6 ACL 3101.

[RouterB-ipsec-ipv6-policy-isakmp-use1-10] security acl ipv6 3101

# Apply IPsec transform set tran1.

[RouterB-ipsec-ipv6-policy-isakmp-use1-10] transform-set tran1

# Specify the local and remote IPv6 addresses of the IPsec tunnel as 222::1 and 111::1.

[RouterB-ipsec-ipv6-policy-isakmp-use1-10] local-address ipv6 222::1

[RouterB-ipsec-ipv6-policy-isakmp-use1-10] remote-address ipv6 111::1

# Apply IKE profile profile1.

[RouterB-ipsec-ipv6-policy-isakmp-use1-10] ike-profile profile1

[RouterB-ipsec-ipv6-policy-isakmp-use1-10] quit

# Apply IPsec policy use1 to Ten-GigabitEthernet 3/0/2.

[RouterB] interface ten-gigabitethernet 3/0/2

[RouterB-Ten-GigabitEthernet3/0/2] ipsec apply ipv6-policy use1

[RouterB-Ten-GigabitEthernet3/0/2] quit

Verifying the configuration

# Initiate a connection from subnet 333::/64 to subnet 555::/64 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, the traffic between the two subnets is IPsec-protected.

# Display IPsec SAs on Router A and Router B. This example uses Router A to verify the configuration.

[RouterA] display ipsec sa

-------------------------------

Interface: Ten-GigabitEthernet3/0/2

-------------------------------

 

  -----------------------------

  IPsec policy: map1

  Sequence number: 10

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Path MTU: 1423

    Transmitting entity: Initiator

    Tunnel:

        local  address: 111::1

        remote address: 222::1

    Flow:

        sour addr: 111::1/0      port: 0  protocol: ipv6

        dest addr: 222::1/0      port: 0  protocol: ipv6

 

    [Inbound ESP SAs]

      SPI: 3769702703 (0xe0b1192f)

      Connection ID: 90194313219

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 3000/28800

      SA remaining duration (kilobytes/sec): 2300/797

      Max received sequence-number: 1

      Anti-replay check enable: N

      Anti-replay window size:

      UDP encapsulation used for NAT traversal: N

      Status: Active

 

    [Outbound ESP SAs]

      SPI: 3840956402 (0xe4f057f2)

      Connection ID: 64424509441

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 3000/28800

      SA remaining duration (kilobytes/sec): 2312/797

      Max sent sequence-number: 1

      UDP encapsulation used for NAT traversal: N

      Status: Active

Configuration files

Router A

#

sysname RouterA

#

interface Ten-GigabitEthernet3/0/1

 ipv6 address 333::1/64

#

interface Ten-GigabitEthernet3/0/2

 ipv6 address 111::1/64

 ipsec apply ipv6-policy map1

#

acl ipv6 advanced 3101

 rule permit ipv6 source 333::0 64 destination 555::0 64

#

ipv6 route-static 555::0 64 111::2

ipv6 route-static 222::0 64 111::2

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ike keychain keychain1

 pre-shared-key address ipv6 222::1 64 key simple 123456TESTplat&!

#

ike profile profile1

 keychain keychain1

 match remote identity address ipv6 222::1 64

#

ipsec ipv6-policy map1 10 isakmp

 security acl ipv6 3101

 transform-set tran1

 local-address ipv6 111::1

 remote-address ipv6 222::1

 ike-profile profile1

#

Router B

#

sysname RouterB

#

interface Ten-GigabitEthernet3/0/1

 ipv6 address 555::1/64

#

interface Ten-GigabitEthernet3/0/2

 ipv6 address 222::1/64

 ipsec apply ipv6-policy use1

#

acl ipv6 advanced 3101

 rule permit ipv6 source 555::/64 destination 333::/64

#

ipv6 route-static 333::0 64 222::2

ipv6 route-static 111::0 64 222::2

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ike keychain keychain1

 pre-shared-key address ipv6 111::1 64 key simple 123456TESTplat&!

#

ike profile profile1

 keychain keychain1

 match remote identity address ipv6 111::1 64

#

ipsec ipv6-policy use1 10 isakmp

 security acl ipv6 3101

 transform-set tran1

 local-address ipv6 222::1

 remote-address ipv6 111::1

 ike-profile profile1

#

Example: Configuring IPsec for RIPng

Network configuration

As shown in Figure 4, Router A, Router B, and Router C learn IPv6 routes through RIPng.

Establish an IPsec tunnel between the routers to protect the RIPng packets exchanged between them. Specify the security protocol as ESP, the encryption algorithm as 128-bit AES, and the authentication algorithm as HMAC-SHA1 for the IPsec tunnel.

Figure 4 Network diagram

 

Table 4 Interface label and interface name mappings

Interface label    Interface name
Interface1         Ten-GigabitEthernet3/0/1
Interface2         Ten-GigabitEthernet3/0/2

Analysis

To meet the network configuration requirements, perform the following tasks:

1.     Configure basic RIPng.

For more information about RIPng configuration, see Layer 3—IP Routing Configuration Guide.

2.     Configure an IPsec profile.

○     The IPsec policies on all the routers must have IPsec transform sets that use the same security protocol, authentication and encryption algorithms, and encapsulation mode.

○     The SPI and key configured for the inbound SA and those for the outbound SA must be the same on each router.

○     The SPI and key configured for the SAs on all the routers must be the same.

3.     Apply the IPsec profile to a RIPng process or to an interface.

Procedure

1.     Configure Router A:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname RouterA

[RouterA] interface ten-gigabitethernet 3/0/1

[RouterA-Ten-GigabitEthernet3/0/1] ipv6 address 1::1/64

[RouterA-Ten-GigabitEthernet3/0/1] quit

# Configure basic RIPng.

[RouterA] ripng 1

[RouterA-ripng-1] quit

[RouterA] interface ten-gigabitethernet 3/0/1

[RouterA-Ten-GigabitEthernet3/0/1] ripng 1 enable

[RouterA-Ten-GigabitEthernet3/0/1] quit

# Create and configure the IPsec transform set named tran1.

[RouterA] ipsec transform-set tran1

[RouterA-ipsec-transform-set-tran1] encapsulation-mode transport

[RouterA-ipsec-transform-set-tran1] protocol esp

[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[RouterA-ipsec-transform-set-tran1] quit

# Create and configure the IPsec profile named profile001.

[RouterA] ipsec profile profile001 manual

[RouterA-ipsec-profile-manual-profile001] transform-set tran1

[RouterA-ipsec-profile-manual-profile001] sa spi outbound esp 123456

[RouterA-ipsec-profile-manual-profile001] sa spi inbound esp 123456

[RouterA-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg

[RouterA-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg

[RouterA-ipsec-profile-manual-profile001] quit

# Apply the IPsec profile to RIPng process 1.

[RouterA] ripng 1

[RouterA-ripng-1] enable ipsec-profile profile001

[RouterA-ripng-1] quit

2.     Configure Router B:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname RouterB

[RouterB] interface ten-gigabitethernet 3/0/1

[RouterB-Ten-GigabitEthernet3/0/1] ipv6 address 1::2/64

[RouterB-Ten-GigabitEthernet3/0/1] quit

[RouterB] interface ten-gigabitethernet 3/0/2

[RouterB-Ten-GigabitEthernet3/0/2] ipv6 address 3::1/64

[RouterB-Ten-GigabitEthernet3/0/2] quit

# Configure basic RIPng.

[RouterB] ripng 1

[RouterB-ripng-1] quit

[RouterB] interface ten-gigabitethernet 3/0/1

[RouterB-Ten-GigabitEthernet3/0/1] ripng 1 enable

[RouterB-Ten-GigabitEthernet3/0/1] quit

[RouterB] interface ten-gigabitethernet 3/0/2

[RouterB-Ten-GigabitEthernet3/0/2] ripng 1 enable

[RouterB-Ten-GigabitEthernet3/0/2] quit

# Create and configure the IPsec transform set named tran1.

[RouterB] ipsec transform-set tran1

[RouterB-ipsec-transform-set-tran1] encapsulation-mode transport

[RouterB-ipsec-transform-set-tran1] protocol esp

[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[RouterB-ipsec-transform-set-tran1] quit

# Create and configure the IPsec profile named profile001.

[RouterB] ipsec profile profile001 manual

[RouterB-ipsec-profile-manual-profile001] transform-set tran1

[RouterB-ipsec-profile-manual-profile001] sa spi outbound esp 123456

[RouterB-ipsec-profile-manual-profile001] sa spi inbound esp 123456

[RouterB-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg

[RouterB-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg

[RouterB-ipsec-profile-manual-profile001] quit

# Apply the IPsec profile to RIPng process 1.

[RouterB] ripng 1

[RouterB-ripng-1] enable ipsec-profile profile001

[RouterB-ripng-1] quit

3.     Configure Router C:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname RouterC

[RouterC] interface ten-gigabitethernet 3/0/1

[RouterC-Ten-GigabitEthernet3/0/1] ipv6 address 3::2/64

[RouterC-Ten-GigabitEthernet3/0/1] quit

# Configure basic RIPng.

[RouterC] ripng 1

[RouterC-ripng-1] quit

[RouterC] interface ten-gigabitethernet 3/0/1

[RouterC-Ten-GigabitEthernet3/0/1] ripng 1 enable

[RouterC-Ten-GigabitEthernet3/0/1] quit

# Create and configure the IPsec transform set named tran1.

[RouterC] ipsec transform-set tran1

[RouterC-ipsec-transform-set-tran1] encapsulation-mode transport

[RouterC-ipsec-transform-set-tran1] protocol esp

[RouterC-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[RouterC-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[RouterC-ipsec-transform-set-tran1] quit

# Create and configure the IPsec profile named profile001.

[RouterC] ipsec profile profile001 manual

[RouterC-ipsec-profile-manual-profile001] transform-set tran1

[RouterC-ipsec-profile-manual-profile001] sa spi outbound esp 123456

[RouterC-ipsec-profile-manual-profile001] sa spi inbound esp 123456

[RouterC-ipsec-profile-manual-profile001] sa string-key outbound esp simple abcdefg

[RouterC-ipsec-profile-manual-profile001] sa string-key inbound esp simple abcdefg

[RouterC-ipsec-profile-manual-profile001] quit

# Apply the IPsec profile to RIPng process 1.

[RouterC] ripng 1

[RouterC-ripng-1] enable ipsec-profile profile001

[RouterC-ripng-1] quit

Verifying the configuration

After the configuration is completed, Router A, Router B, and Router C learn IPv6 routing information through RIPng. IPsec SAs are set up successfully on the routers to protect RIPng packets. This example uses Router A to verify the configuration.

# Display the RIPng configuration. The output shows that IPsec profile profile001 has been applied to RIPng process 1.

[RouterA] display ripng 1

    RIPng process : 1

       Preference : 100

       Checkzero : Enabled

       Default Cost : 0

       Maximum number of load balanced routes : 8

       Update time   :   30 secs  Timeout time         :  180 secs

       Suppress time :  120 secs  Garbage-Collect time :  120 secs

       Update output delay:   20(ms)  Output count:    3

       Graceful-restart interval:   60 secs             

       Triggered Interval : 5 50 200 

       Number of periodic updates sent : 186

       Number of triggered updates sent : 1

       IPsec profile name: profile001

 

# Display the established IPsec SAs.

[RouterA] display ipsec sa

-------------------------------

Global IPsec SA

-------------------------------

 

  -----------------------------

  IPsec profile: profile001

  Mode: Manual

  -----------------------------

    Encapsulation mode: transport

    [Inbound ESP SA]

      SPI: 123456 (0x3039)

      Connection ID: 90194313219

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      No duration limit for this SA

    [Outbound ESP SA]

      SPI: 123456 (0x3039)

      Connection ID: 64424509441

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      No duration limit for this SA

Configuration files

Router A

#

sysname RouterA

#

interface ten-gigabitethernet 3/0/1

 ipv6 address 1::1/64

#

ripng 1

#

interface ten-gigabitethernet 3/0/1

 ripng 1 enable

#

ipsec transform-set tran1

 encapsulation-mode transport

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec profile profile001 manual

 transform-set tran1

 sa spi outbound esp 123456

 sa spi inbound esp 123456

 sa string-key outbound esp simple abcdefg

 sa string-key inbound esp simple abcdefg

#

ripng 1

 enable ipsec-profile profile001

#

Router B

#

sysname RouterB

#

interface ten-gigabitethernet 3/0/1

 ipv6 address 1::2/64

#

interface ten-gigabitethernet 3/0/2

 ipv6 address 3::1/64

#

ripng 1

#

interface ten-gigabitethernet 3/0/1

 ripng 1 enable

#

interface ten-gigabitethernet 3/0/2

 ripng 1 enable

#

ipsec transform-set tran1

 encapsulation-mode transport

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec profile profile001 manual

 transform-set tran1

 sa spi outbound esp 123456

 sa spi inbound esp 123456

 sa string-key outbound esp simple abcdefg

 sa string-key inbound esp simple abcdefg

#

ripng 1

 enable ipsec-profile profile001

#

Router C

#

sysname RouterC

#

interface ten-gigabitethernet 3/0/1

 ipv6 address 3::2/64

#

ripng 1

#

interface ten-gigabitethernet 3/0/1

 ripng 1 enable

#

ipsec transform-set tran1

 encapsulation-mode transport

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec profile profile001 manual

 transform-set tran1

 sa spi outbound esp 123456

 sa spi inbound esp 123456

 sa string-key outbound esp simple abcdefg

 sa string-key inbound esp simple abcdefg

#

ripng 1

 enable ipsec-profile profile001

#
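The three consistency rules for manual SAs (identical transform sets, identical inbound and outbound SPI and key on each router, identical SPI and key on all routers) are easy to break when one router is edited by hand. As an added example that is not part of this guide, the script below parses saved configuration files in the format shown above (constructed inline from the Router A file) and reports any router that disagrees; the class and function names and the deliberately mismatched Router C variant are my own.

```python
"""Audit manual-mode IPsec profiles across routers for the consistency rules above.
Added example (not H3C code); it checks the three rules listed for the RIPng case."""
from dataclasses import dataclass, field

# Constructed from the Router A configuration file on this page (relevant blocks only).
ROUTER_A = """\
#
 sysname RouterA
#
ipsec transform-set tran1
 encapsulation-mode transport
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
#
ipsec profile profile001 manual
 transform-set tran1
 sa spi outbound esp 123456
 sa spi inbound esp 123456
 sa string-key outbound esp simple abcdefg
 sa string-key inbound esp simple abcdefg
#
"""
ROUTER_B = ROUTER_A.replace("RouterA", "RouterB")
ROUTER_C = ROUTER_A.replace("RouterA", "RouterC")
# Constructed misconfiguration: Router C in tunnel mode with a different key.
ROUTER_C_BAD = ROUTER_C.replace("transport", "tunnel").replace("abcdefg", "zyxwvut")


@dataclass
class ManualProfile:
    name: str
    transform_set: str = ""
    spi: dict = field(default_factory=dict)   # "inbound"/"outbound" -> int
    key: dict = field(default_factory=dict)   # "inbound"/"outbound" -> str


@dataclass
class RouterConfig:
    sysname: str = ""
    transform_sets: dict = field(default_factory=dict)  # name -> {setting: value}
    profiles: dict = field(default_factory=dict)        # name -> ManualProfile


def parse_config(text):
    """Pull sysname, transform sets and manual IPsec profiles out of a saved configuration."""
    cfg, block = RouterConfig(), None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words == ["#"]:                      # '#' ends the current view
            block = None
        elif words[0] == "sysname":
            cfg.sysname = words[1]
        elif words[:2] == ["ipsec", "transform-set"]:
            block = cfg.transform_sets.setdefault(words[2], {})
        elif words[:2] == ["ipsec", "profile"] and words[-1] == "manual":
            block = cfg.profiles.setdefault(words[2], ManualProfile(words[2]))
        elif isinstance(block, dict):           # e.g. "esp encryption-algorithm aes-cbc-128"
            block[" ".join(words[:-1])] = words[-1]
        elif isinstance(block, ManualProfile):
            if words[0] == "transform-set":
                block.transform_set = words[1]
            elif words[:2] == ["sa", "spi"]:         # sa spi outbound esp 123456
                block.spi[words[2]] = int(words[4])
            elif words[:2] == ["sa", "string-key"]:  # sa string-key outbound esp simple abcdefg
                block.key[words[2]] = words[5]
    return cfg


def audit_manual_profiles(configs, profile_name):
    """Return findings; an empty list means every router agrees on transform set, SPI and key."""
    findings, across = [], {"transform set": {}, "SPI": {}, "key": {}}
    for cfg in configs:
        prof = cfg.profiles.get(profile_name)
        tset = cfg.transform_sets.get(prof.transform_set) if prof else None
        if prof is None or tset is None:
            findings.append(f"{cfg.sysname}: profile {profile_name} or its transform set is missing")
            continue
        # Rule 2: inbound and outbound SPI/key must match on each router.
        for what, table in (("SPI", prof.spi), ("key", prof.key)):
            if table.get("inbound") != table.get("outbound"):
                findings.append(f"{cfg.sysname}: inbound and outbound {what} differ")
        across["transform set"][cfg.sysname] = tuple(sorted(tset.items()))
        across["SPI"][cfg.sysname] = prof.spi.get("outbound")
        across["key"][cfg.sysname] = prof.key.get("outbound")
    # Rules 1 and 3: transform set, SPI and key must be identical on all routers.
    for what, per_router in across.items():
        if len(set(per_router.values())) > 1:
            findings.append(f"{what} differs across routers: {sorted(per_router)}")
    return findings


if __name__ == "__main__":
    good = [parse_config(t) for t in (ROUTER_A, ROUTER_B, ROUTER_C)]
    bad = [parse_config(t) for t in (ROUTER_A, ROUTER_B, ROUTER_C_BAD)]
    print("consistent:", audit_manual_profiles(good, "profile001"))
    print("mismatch:", audit_manual_profiles(bad, "profile001"))
```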

Example: Configuring IPsec tunnel interface-based IPsec for IPv4 packets

Network configuration

As shown in Figure 5, both the branch and headquarters of an enterprise use fixed IP addresses to access the Internet. The current networking requirements are as follows:

·     All traffic between the branch and headquarters must be transmitted through an IPsec tunnel.

·     When the private network IP address segment of the branch is adjusted, there is no need to modify the IPsec configuration on the headquarters gateway.

To achieve these networking requirements, configure IPsec tunnel interface-based IPsec on Router A and Router B to protect the traffic between the subnet of Host A (10.1.1.0/24) and the subnet of Host B (10.1.2.0/24).

Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as 256-bit AES, and the authentication algorithm as HMAC-MD5. Set up SAs through IKE negotiation.

Figure 5 Network diagram

Table 5 Interface label and interface name mappings

Interface label

Interface name

Interface1

Ten-GigabitEthernet3/0/1

Interface2

Ten-GigabitEthernet3/0/2

Procedure

1.     Configure Router A:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname RouterA

[RouterA] interface ten-gigabitethernet 3/0/1

[RouterA-Ten-GigabitEthernet3/0/1] ip address 10.1.1.1 255.255.255.0

[RouterA-Ten-GigabitEthernet3/0/1] quit

[RouterA] interface ten-gigabitethernet 3/0/2

[RouterA-Ten-GigabitEthernet3/0/2] ip address 2.2.2.1 255.255.255.0

[RouterA-Ten-GigabitEthernet3/0/2] quit

# Create an IPsec transform set named tran1, and enter its view.

[RouterA] ipsec transform-set tran1

# Configure the packet encapsulation mode as tunnel.

[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Configure the security protocol as ESP.

[RouterA-ipsec-transform-set-tran1] protocol esp

# Configure the ESP encryption algorithm as 256-bit AES and authentication algorithm as HMAC-MD5.

[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-256

[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm md5

[RouterA-ipsec-transform-set-tran1] quit

# Configure an IKE keychain named keychain1.

[RouterA] ike keychain keychain1

# Specify 123456TESTplat&! in plain text as the pre-shared key to be used with peer 2.2.3.1.

[RouterA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!

[RouterA-ike-keychain-keychain1] quit

# Create and configure IKE profile profile1.

[RouterA] ike profile profile1

[RouterA-ike-profile-profile1] keychain keychain1

[RouterA-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0

[RouterA-ike-profile-profile1] quit

# Create an IKE-based IPsec profile named map1.

[RouterA] ipsec profile map1 isakmp

# Specify IPsec transform set tran1 for the IPsec profile.

[RouterA-ipsec-profile-isakmp-map1] transform-set tran1

# Specify IKE profile profile1 for the IPsec profile.

[RouterA-ipsec-profile-isakmp-map1] ike-profile profile1

# Specify a primary slot for processing IPsec traffic.

[RouterA-ipsec-profile-isakmp-map1] service slot 2

[RouterA-ipsec-profile-isakmp-map1] quit

# Create IPsec tunnel interface Tunnel100, and apply IPsec profile map1 to the tunnel interface.

[RouterA] interface Tunnel100 mode ipsec

[RouterA-Tunnel100] ip address 3.3.3.1 255.255.255.0

[RouterA-Tunnel100] source 2.2.2.1

[RouterA-Tunnel100] destination 2.2.3.1

[RouterA-Tunnel100] tunnel protection ipsec profile map1

[RouterA-Tunnel100] quit

# Configure a static route to Host B.

[RouterA] ip route-static 10.1.2.0 255.255.255.0 Tunnel100

2.     Configure Router B:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname RouterB

[RouterB] interface ten-gigabitethernet 3/0/1

[RouterB-Ten-GigabitEthernet3/0/1] ip address 10.1.2.1 255.255.255.0

[RouterB-Ten-GigabitEthernet3/0/1] quit

[RouterB] interface ten-gigabitethernet 3/0/2

[RouterB-Ten-GigabitEthernet3/0/2] ip address 2.2.3.1 255.255.255.0

[RouterB-Ten-GigabitEthernet3/0/2] quit

# Create an IPsec transform set named tran1, and enter its view.

[RouterB] ipsec transform-set tran1

# Configure the packet encapsulation mode as tunnel.

[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Configure the security protocol as ESP.

[RouterB-ipsec-transform-set-tran1] protocol esp

# Configure the ESP encryption algorithm as 256-bit AES and authentication algorithm as HMAC-MD5.

[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-256

[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm md5

[RouterB-ipsec-transform-set-tran1] quit

# Configure an IKE keychain named keychain1.

[RouterB] ike keychain keychain1

[RouterB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!

[RouterB-ike-keychain-keychain1] quit

# Create and configure IKE profile profile1.

[RouterB] ike profile profile1

[RouterB-ike-profile-profile1] keychain keychain1

[RouterB-ike-profile-profile1] match remote identity address 2.2.2.1 255.255.255.0

[RouterB-ike-profile-profile1] quit

# Create an IKE-based IPsec profile named map1.

[RouterB] ipsec profile map1 isakmp

# Specify IPsec transform set tran1 for the IPsec profile.

[RouterB-ipsec-profile-isakmp-map1] transform-set tran1

# Specify IKE profile profile1 for the IPsec profile.

[RouterB-ipsec-profile-isakmp-map1] ike-profile profile1

# Specify a primary slot for processing IPsec traffic.

[RouterB-ipsec-profile-isakmp-map1] service slot 2

[RouterB-ipsec-profile-isakmp-map1] quit

# Create IPsec tunnel interface Tunnel100, apply IPsec profile map1 to the tunnel interface, and configure the service processing slot for the tunnel interface as slot 0.

[RouterB] interface Tunnel100 mode ipsec

[RouterB-Tunnel100] ip address 3.3.3.2 255.255.255.0

[RouterB-Tunnel100] source 2.2.3.1

[RouterB-Tunnel100] destination 2.2.2.1

[RouterB-Tunnel100] tunnel protection ipsec profile map1

[RouterB-Tunnel100] quit

# Configure a static route to Router A.

[RouterB] ip route-static 10.1.1.0 255.255.255.0 Tunnel100

Verifying the configuration

After the configuration is completed, Router A and Router B will negotiate IPsec SAs through IKE. After the IPsec SAs are successfully negotiated, IPv4 data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 will be protected by the IPsec SAs.

# Display information about tunnel interface 100.

[RouterA] display interface Tunnel 100

Tunnel100

Interface index: 260

Current state: UP

Line protocol state: UP

Description: Tunnel1 Interface

Bandwidth: 64 kbps

Maximum transmission unit: 1444

Internet address: 3.3.3.1/24 (primary)

Tunnel source 2.2.2.1, destination 2.2.3.1

Tunnel TTL 255

Tunnel protocol/transport IPsec/IP

Output queue - Urgent queuing: Size/Length/Discards 0/100/0

Output queue - Protocol queuing: Size/Length/Discards 0/500/0

Output queue - FIFO queuing: Size/Length/Discards 0/75/0

Last clearing of counters: Never

Traffic statistic: Not include Inter-frame Gaps and Preambles

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# Display IPsec SAs on Router A.

[RouterA] display ipsec sa

-------------------------------

Interface: Tunnel100

-------------------------------

 

  -----------------------------

  IPsec profile:: map1

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Transmitting entity: Initiator

    Path MTU: 1443

    Tunnel:

        local  address: 2.2.2.1

        remote address: 2.2.3.1

    Flow:

        sour addr: 0.0.0.0/0.0.0.0  port: 0  protocol: ip

        dest addr: 0.0.0.0/0.0.0.0  port: 0  protocol: ip

 

    [Inbound ESP SAs]

      SPI: 3769702703 (0xe0b1192f)

      Connection ID: 90194313219

      Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-MD5

      SA duration (kilobytes/sec): 3000/28800

      SA remaining duration (kilobytes/sec): 2300/797

      Max received sequence-number: 1

      Anti-replay check enable: N

      Anti-replay window size:

      UDP encapsulation used for NAT traversal: N

      Status: Active

      Hardware decrption: No

 

    [Outbound ESP SAs]

      SPI: 3840956402 (0xe4f057f2)

      Connection ID: 64424509441

      Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-MD5

      SA duration (kilobytes/sec): 3000/28800

      SA remaining duration (kilobytes/sec): 2312/797

      Max sent sequence-number: 1

      UDP encapsulation used for NAT traversal: N

      Status: Active

      Hardware encrption: No

# Display IPsec SAs on Router B. (Details not shown.)

Configuration files

Router A

#

sysname RouterA

#

interface Ten-GigabitEthernet3/0/1

 ip address 10.1.1.1 255.255.255.0

#

interface Ten-GigabitEthernet3/0/2

 ip address 2.2.2.1 255.255.255.0

#

ip route-static 10.1.2.0 255.255.255.0 Tunnel100

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-256

 esp authentication-algorithm md5

#

ike keychain keychain1

 pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!

#

ike profile profile1

 keychain keychain1

 match remote identity address 2.2.3.1 255.255.255.0

#

ipsec profile map1 isakmp

 transform-set tran1

 ike-profile profile1

 service slot 2

#

interface Tunnel100 mode ipsec

 ip address 3.3.3.1 255.255.255.0

 source 2.2.2.1

 destination 2.2.3.1

 tunnel protection ipsec profile map1

#

Router B

#

sysname RouterB

#

interface Ten-GigabitEthernet3/0/1

 ip address 10.1.2.1 255.255.255.0

#

interface Ten-GigabitEthernet3/0/2

 ip address 2.2.3.1 255.255.255.0

#

ip route-static 10.1.1.0 255.255.255.0 Tunnel100

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-256

 esp authentication-algorithm md5

#

ike keychain keychain1

 pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!

#

ike profile profile1

 keychain keychain1

 match remote identity address 2.2.2.1 255.255.255.0

#

ipsec profile map1 isakmp

 transform-set tran1

 ike-profile profile1

 service slot 2

#

interface Tunnel100 mode ipsec

 ip address 3.3.3.2 255.255.255.0

 source 2.2.3.1

 destination 2.2.2.1

 tunnel protection ipsec profile map1

#

Example: Configuring IPsec RRI

Network configuration

As shown in Figure 6, branches access the enterprise center through an IPsec VPN.

Configure the IPsec VPN as follows:

·     Configure an IPsec tunnel between Router A and each branch gateway (Router B, Router C, and Router D) to protect traffic between subnets 4.4.4.0/24 and 5.5.5.0/24.

·     Configure the tunnels to use security protocol ESP, encryption algorithm DES, and authentication algorithm HMAC-SHA-1-96. Use IKE for IPsec SA negotiation.

·     On each router, configure an IKE proposal to use the pre-shared key authentication method, encryption algorithm 3DES, and authentication algorithm HMAC-SHA1.

·     Configure IPsec RRI on Router A to automatically create static routes to the branches based on the established IPsec SAs.

Figure 6 Network diagram

 

Table 6 Interface label and interface name mappings

Interface label

Interface name

Interface1

Ten-GigabitEthernet3/0/1

Interface2

Ten-GigabitEthernet3/0/2

Procedure

1.     Configure Router A:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname RouterA

[RouterA] interface ten-gigabitethernet 3/0/1

[RouterA-Ten-GigabitEthernet3/0/1] ip address 1.1.1.1 255.255.255.0

[RouterA-Ten-GigabitEthernet3/0/1] quit

[RouterA] interface ten-gigabitethernet 3/0/2

[RouterA-Ten-GigabitEthernet3/0/2] ip address 4.4.4.1 255.255.255.0

[RouterA-Ten-GigabitEthernet3/0/2] quit

# Configure static route settings according to the network diagram. This example uses 1.1.1.2 as the next hop IP address.

[RouterA] ip route-static 2.2.2.0 24 1.1.1.2

# Create an IPsec transform set named tran1, and specify ESP as the security protocol, DES as the encryption algorithm, and HMAC-SHA-1-96 as the authentication algorithm.

[RouterA] ipsec transform-set tran1

[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel

[RouterA-ipsec-transform-set-tran1] protocol esp

[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des

[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[RouterA-ipsec-transform-set-tran1] quit

# Create and configure the IKE profile named profile1.

[RouterA] ike profile profile1

[RouterA-ike-profile-profile1] keychain key1

[RouterA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0

[RouterA-ike-profile-profile1] quit

# Create an IKE-based IPsec policy entry named map1. Specify IPsec transform set tran1 and IKE profile profile1 for the IPsec policy.

[RouterA] ipsec policy map1 10 isakmp

[RouterA-ipsec-policy-isakmp-map1-10] transform-set tran1

[RouterA-ipsec-policy-isakmp-map1-10] ike-profile profile1

# Enable IPsec RRI, and set the preference to 100 and the tag to 1000 for the static routes created by IPsec RRI.

[RouterA-ipsec-policy-isakmp-map1-10] reverse-route dynamic

[RouterA-ipsec-policy-isakmp-map1-10] reverse-route preference 100

[RouterA-ipsec-policy-isakmp-map1-10] reverse-route tag 1000

[RouterA-ipsec-policy-isakmp-map1-10] quit

# Create an IKE proposal named 1, and specify 3DES as the encryption algorithm, HMAC-SHA1 as the authentication algorithm, and pre-share as the authentication method.

[RouterA] ike proposal 1

[RouterA-ike-proposal-1] encryption-algorithm 3des-cbc

[RouterA-ike-proposal-1] authentication-algorithm sha

[RouterA-ike-proposal-1] authentication-method pre-share

[RouterA-ike-proposal-1] quit

# Create an IKE keychain named key1 and specify 123 in plain text as the pre-shared key to be used with the remote peer at 2.2.2.2.

[RouterA] ike keychain key1

[RouterA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123

[RouterA-ike-keychain-key1] quit

# Apply IPsec policy map1 to Ten-GigabitEthernet 3/0/1.

[RouterA] interface ten-gigabitethernet 3/0/1

[RouterA-Ten-GigabitEthernet3/0/1] ipsec apply policy map1

[RouterA-Ten-GigabitEthernet3/0/1] quit

2.     Configure Router B:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname RouterB

[RouterB] interface ten-gigabitethernet 3/0/1

[RouterB-Ten-GigabitEthernet3/0/1] ip address 2.2.2.2 255.255.255.0

[RouterB-Ten-GigabitEthernet3/0/1] quit

[RouterB] interface ten-gigabitethernet 3/0/2

[RouterB-Ten-GigabitEthernet3/0/2] ip address 5.5.5.1 255.255.255.0

[RouterB-Ten-GigabitEthernet3/0/2] quit

# Configure static route settings according to the network diagram. This example uses 2.2.2.3 as the next hop IP address.

[RouterB] ip route-static 1.1.1.0 24 2.2.2.3

[RouterB] ip route-static 4.4.4.0 24 2.2.2.3

# Create an IPsec transform set named tran1, and specify ESP as the security protocol, DES as the encryption algorithm, and HMAC-SHA-1-96 as the authentication algorithm.

[RouterB] ipsec transform-set tran1

[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel

[RouterB-ipsec-transform-set-tran1] protocol esp

[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des

[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[RouterB-ipsec-transform-set-tran1] quit

# Configure IPv4 advanced ACL 3000 to identify traffic from subnet 5.5.5.0/24 to subnet 4.4.4.0/24.

[RouterB] acl advanced 3000

[RouterB-acl-ipv4-adv-3000] rule permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255

[RouterB-acl-ipv4-adv-3000] quit

# Create and configure an IKE profile named profile1.

[RouterB] ike profile profile1

[RouterB-ike-profile-profile1] keychain key1

[RouterB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0

[RouterB-ike-profile-profile1] quit

# Create an IKE-based IPsec policy entry named map1 and configure the following settings for the policy entry:

¡     Set the sequence number to 10.

¡     Specify transform set tran1 and ACL 3000.

¡     Specify the remote IP address for the tunnel as 1.1.1.1.

¡     Specify IKE profile profile1.

[RouterB] ipsec policy map1 10 isakmp

[RouterB-ipsec-policy-isakmp-map1-10] transform-set tran1

[RouterB-ipsec-policy-isakmp-map1-10] security acl 3000

[RouterB-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1

[RouterB-ipsec-policy-isakmp-map1-10] ike-profile profile1

[RouterB-ipsec-policy-isakmp-map1-10] quit

# Create an IKE proposal named 1, and specify 3DES as the encryption algorithm, HMAC-SHA1 as the authentication algorithm, and pre-share as the authentication method.

[RouterB] ike proposal 1

[RouterB-ike-proposal-1] encryption-algorithm 3des-cbc

[RouterB-ike-proposal-1] authentication-algorithm sha

[RouterB-ike-proposal-1] authentication-method pre-share

[RouterB-ike-proposal-1] quit

# Create an IKE keychain named key1 and specify 123 in plain text as the pre-shared key to be used with the remote peer at 1.1.1.1.

[RouterB] ike keychain key1

[RouterB-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 123

[RouterB-ike-keychain-key1] quit

# Apply IPsec policy map1 to Ten-GigabitEthernet 3/0/1.

[RouterB] interface ten-gigabitethernet 3/0/1

[RouterB-Ten-GigabitEthernet3/0/1] ipsec apply policy map1

[RouterB-Ten-GigabitEthernet3/0/1] quit

3.     Configure Router C and Router D in the same way Router B is configured.

Verifying the configuration

1.     Verify that IPsec RRI can automatically create a static route from Router A to Router B:

# Initiate a connection from subnet 5.5.5.0/24 to subnet 4.4.4.0/24. IKE negotiation is triggered to establish IPsec SAs between Router A and Router B. (Details not shown.)

# Verify that IPsec SAs are established on Router A.

[RouterA] display ipsec sa

-------------------------------

Interface: Ten-GigabitEthernet3/0/1

-------------------------------

 

  -----------------------------

  IPsec policy: map1

  Sequence number: 10

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Path MTU: 1463

    Transmitting entity: Initiator

    Tunnel:

        local  address: 1.1.1.1

        remote address: 2.2.2.2

    Flow:

        sour addr: 4.4.4.0/255.255.255.0  port: 0  protocol: ip

        dest addr: 5.5.5.0/255.255.255.0  port: 0  protocol: ip

 

    [Inbound ESP SAs]

      SPI: 1014286405 (0x3c74c845)

      Connection ID: 90194313219

      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843199/3590

      Max received sequence-number: 4

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: N

      Status: Active

 

    [Outbound ESP SAs]

      SPI: 4011716027 (0xef1dedbb)

      Connection ID: 64424509441

      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843199/3590

      Max sent sequence-number: 4

      UDP encapsulation used for NAT traversal: N

      Status: Active

# Verify that IPsec RRI has created a static route to reach Router B.

[RouterA] display ip routing-table verbose

2.     Verify in the same way that IPsec RRI creates static routes from Router A to Router C and to Router D. (Details not shown.)
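The display ipsec sa outputs in this example and in the tunnel-interface example above are what an auditor otherwise reads by hand. As an added example that is not part of this guide, the script below parses that output format, flags the DES and HMAC-MD5 transforms and the disabled anti-replay check shown in those outputs, and derives the static route IPsec RRI is described as creating from an established SA (destination = the SA's flow destination, next hop = the remote tunnel address, preference 100 and tag 1000 as configured under the policy); that mapping, the function names and the constructed sample text are my assumptions.

```python
"""Parse H3C 'display ipsec sa' output, flag weak SA settings, and derive the static
route IPsec RRI installs from an established SA.  Added example, not H3C code."""
import ipaddress

# Constructed from the Router A output in the IPsec RRI example (trimmed to the used lines).
SAMPLE_OUTPUT = """\
-------------------------------
Interface: Ten-GigabitEthernet3/0/1
-------------------------------
  IPsec policy: map1
  Sequence number: 10
  Mode: ISAKMP
    Encapsulation mode: tunnel
    Tunnel:
        local  address: 1.1.1.1
        remote address: 2.2.2.2
    Flow:
        sour addr: 4.4.4.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 5.5.5.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 1014286405 (0x3c74c845)
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      Anti-replay check enable: Y
      Status: Active

    [Outbound ESP SAs]
      SPI: 4011716027 (0xef1dedbb)
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      Status: Active
"""
# Constructed variant with the tunnel-interface example's weaker settings (HMAC-MD5,
# anti-replay off) so the audit has something to report.
WEAK_OUTPUT = (SAMPLE_OUTPUT.replace("ESP-AUTH-SHA1", "ESP-AUTH-MD5")
               .replace("Anti-replay check enable: Y", "Anti-replay check enable: N"))
LEGACY_TOKENS = ("ESP-ENCRYPT-DES-CBC", "ESP-AUTH-MD5")  # as the router displays them


def parse_ipsec_sa(output):
    """One dict per IPsec policy/profile block: tunnel endpoints, flow, per-direction SAs."""
    entries, entry, direction, iface = [], None, None, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        key, _, value = line.partition(":")
        key = " ".join(key.split())          # collapse "local  address"
        value = value.lstrip(":").strip()    # tolerate "IPsec profile:: map1" on the page
        if key == "Interface":
            iface = value
        elif key in ("IPsec policy", "IPsec profile"):
            entry = {"interface": iface, "policy": value, "tunnel": {}, "flow": {}, "sas": {}}
            entries.append(entry)
            direction = None
        elif entry is None:
            continue
        elif line.startswith("[Inbound") or line.startswith("[Outbound"):
            direction = line[1:].split()[0].lower()
            entry["sas"][direction] = {}
        elif key == "Sequence number":
            entry["seq"] = int(value)
        elif key in ("local address", "remote address"):
            entry["tunnel"][key.split()[0]] = value
        elif key in ("sour addr", "dest addr"):
            entry["flow"][key.split()[0]] = value.split()[0]   # drop port/protocol
        elif direction and key == "SPI":
            entry["sas"][direction]["spi"] = int(value.split()[0])
        elif direction and key == "Transform set":
            entry["sas"][direction]["transform_set"] = value.split()
        elif direction and key == "Anti-replay check enable":
            entry["sas"][direction]["anti_replay"] = value
    return entries


def reverse_route(entry, preference=100, tag=1000):
    """Static route IPsec RRI creates on the hub for this SA, as the example describes it:
    the peer's protected subnet (the SA's flow destination) via the remote tunnel address,
    carrying the preference and tag configured with 'reverse-route' (my reading of RRI)."""
    dest = ipaddress.ip_network(entry["flow"]["dest"], strict=False)
    return {"destination": str(dest), "next_hop": entry["tunnel"]["remote"],
            "preference": preference, "tag": tag}


def audit_sa(entry):
    """Findings a reviewer wants from one SA block: legacy algorithms, anti-replay off."""
    findings = []
    for direction in ("inbound", "outbound"):
        sa = entry["sas"].get(direction, {})
        for token in LEGACY_TOKENS:
            if token in sa.get("transform_set", []):
                findings.append(f"{direction}: legacy algorithm {token}")
        if direction == "inbound" and sa.get("anti_replay") == "N":
            findings.append("inbound: anti-replay check disabled")
    return findings


if __name__ == "__main__":
    for entry in parse_ipsec_sa(SAMPLE_OUTPUT) + parse_ipsec_sa(WEAK_OUTPUT):
        print(entry["policy"], reverse_route(entry), audit_sa(entry))
```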

Configuration files

Router A

#

sysname RouterA

#

interface ten-gigabitethernet 3/0/1

 ip address 1.1.1.1 255.255.255.0

#

interface ten-gigabitethernet 3/0/2

 ip address 4.4.4.1 255.255.255.0

#

ip route-static 2.2.2.0 24 1.1.1.2

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm des

 esp authentication-algorithm sha1

#

ike profile profile1

 keychain key1

 match remote identity address 2.2.2.2 255.255.255.0

#

ipsec policy-template temp1 1

 transform-set tran1

 ike-profile profile1

 reverse-route dynamic

 reverse-route preference 100

 reverse-route tag 1000

#

ipsec policy map1 10 isakmp template temp1

#

ike proposal 1

 encryption-algorithm 3des-cbc

 authentication-algorithm sha

 authentication-method pre-share

#

ike keychain key1

 pre-shared-key address 2.2.2.2 key simple 123

#

interface ten-gigabitethernet 3/0/1

 ipsec apply policy map1

#

Router B

#

sysname RouterB

#

interface ten-gigabitethernet 3/0/1

 ip address 2.2.2.2 255.255.255.0

#

interface ten-gigabitethernet 3/0/2

 ip address 5.5.5.1 255.255.255.0

#

ip route-static 1.1.1.0 24 2.2.2.3

ip route-static 4.4.4.0 24 2.2.2.3

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm des

 esp authentication-algorithm sha1

#

acl advanced 3000

 rule permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255

#

ike profile profile1

 keychain key1

 match remote identity address 1.1.1.1 255.255.255.0

#

ipsec policy map1 10 isakmp

 transform-set tran1

 security acl 3000

 remote-address 1.1.1.1

 ike-profile profile1

#

ike proposal 1

 encryption-algorithm 3des-cbc

 authentication-algorithm sha

 authentication-method pre-share

#

ike keychain key1

 pre-shared-key address 1.1.1.1 key simple 123

#

interface ten-gigabitethernet 3/0/1

 ipsec apply policy map1

#

IKE configuration examples

Example: Configuring main mode IKE with pre-shared key authentication

Network configuration

As shown in Figure 7, configure an IKE-based IPsec tunnel between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.

·     Configure Device A and Device B to use the default IKE proposal for the IKE negotiation to set up the IPsec SAs.

·     Configure the two devices to use the pre-shared key authentication method for the IKE negotiation phase 1.

Figure 7 Network diagram

 

Table 7 Interface label and interface name mappings

Interface label

Interface name

Interface1

Ten-GigabitEthernet3/0/1

Interface2

Ten-GigabitEthernet3/0/2

Procedure

1.     Configure Device A:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname DeviceA

[DeviceA] interface ten-gigabitethernet 3/0/1

[DeviceA-Ten-GigabitEthernet3/0/1] ip address 1.1.1.1 255.255.0.0

[DeviceA-Ten-GigabitEthernet3/0/1] quit

[DeviceA] interface ten-gigabitethernet 3/0/2

[DeviceA-Ten-GigabitEthernet3/0/2] ip address 10.1.1.1 255.255.255.0

[DeviceA-Ten-GigabitEthernet3/0/2] quit

# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.

[DeviceA] acl advanced 3101

[DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[DeviceA-acl-ipv4-adv-3101] quit

# Create an IPsec transform set named tran1.

[DeviceA] ipsec transform-set tran1

# Set the packet encapsulation mode to tunnel.

[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Use the ESP protocol for the IPsec transform set.

[DeviceA-ipsec-transform-set-tran1] protocol esp

# Specify the encryption and authentication algorithms.

[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-tran1] quit

# Create an IKE keychain named keychain1.

[DeviceA] ike keychain keychain1

# Specify 123456TESTplat&! in plain text as the pre-shared key to be used with the remote peer at 2.2.2.2.

[DeviceA-ike-keychain-keychain1] pre-shared-key address 2.2.2.2 255.255.0.0 key simple 123456TESTplat&!

[DeviceA-ike-keychain-keychain1] quit

# Create an IKE profile named profile1.

[DeviceA] ike profile profile1

# Specify IKE keychain keychain1.

[DeviceA-ike-profile-profile1] keychain keychain1

# Configure the local ID with the identity type as IP address and the value as 1.1.1.1.

[DeviceA-ike-profile-profile1] local-identity address 1.1.1.1

# Configure a peer ID with the identity type as IP address and the value as 2.2.2.2/16.

[DeviceA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.0.0

[DeviceA-ike-profile-profile1] quit

# Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.

[DeviceA] ipsec policy map1 10 isakmp

# Specify the remote IP address 2.2.2.2 for the IPsec tunnel.

[DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2

# Specify ACL 3101 to identify the traffic to be protected.

[DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101

# Specify IPsec transform set tran1 for the IPsec policy.

[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1

# Specify IKE profile profile1 for the IPsec policy.

[DeviceA-ipsec-policy-isakmp-map1-10] ike-profile profile1

[DeviceA-ipsec-policy-isakmp-map1-10] quit

# Apply IPsec policy map1 to Ten-GigabitEthernet 3/0/1.

[DeviceA] interface ten-gigabitethernet 3/0/1

[DeviceA-Ten-GigabitEthernet3/0/1] ipsec apply policy map1

[DeviceA-Ten-GigabitEthernet3/0/1] quit

# Configure a static route to the subnet where Host B resides and a static route to Device B. This example uses 1.1.1.2 as the next hop IP address.

[DeviceA] ip route-static 10.1.2.0 255.255.255.0 1.1.1.2

[DeviceA] ip route-static 2.2.0.0 255.255.0.0 1.1.1.2

2.     Configure Device B:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname DeviceB

[DeviceB] interface ten-gigabitethernet 3/0/1

[DeviceB-Ten-GigabitEthernet3/0/1] ip address 2.2.2.2 255.255.0.0

[DeviceB-Ten-GigabitEthernet3/0/1] quit

[DeviceB] interface ten-gigabitethernet 3/0/2

[DeviceB-Ten-GigabitEthernet3/0/2] ip address 10.1.2.1 255.255.255.0

[DeviceB-Ten-GigabitEthernet3/0/2] quit

# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.

[DeviceB] acl advanced 3101

[DeviceB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

[DeviceB-acl-ipv4-adv-3101] quit

# Create an IPsec transform set named tran1.

[DeviceB] ipsec transform-set tran1

# Set the packet encapsulation mode to tunnel.

[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Use the ESP protocol for the IPsec transform set.

[DeviceB-ipsec-transform-set-tran1] protocol esp

# Specify the encryption and authentication algorithms.

[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceB-ipsec-transform-set-tran1] quit

# Create an IKE keychain named keychain1.

[DeviceB] ike keychain keychain1

# Specify 123456TESTplat&! in plain text as the pre-shared key to be used with the remote peer at 1.1.1.1.

[DeviceB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.0.0 key simple 123456TESTplat&!

[DeviceB-ike-keychain-keychain1] quit

# Create an IKE profile named profile1.

[DeviceB] ike profile profile1

# Specify IKE keychain keychain1.

[DeviceB-ike-profile-profile1] keychain keychain1

# Configure the local ID with the identity type as IP address and the value as 2.2.2.2.

[DeviceB-ike-profile-profile1] local-identity address 2.2.2.2

# Configure a peer ID with the identity type as IP address and the value as 1.1.1.1/16.

[DeviceB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.0.0

[DeviceB-ike-profile-profile1] quit

# Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.

[DeviceB] ipsec policy use1 10 isakmp

# Specify the remote IP address 1.1.1.1 for the IPsec tunnel.

[DeviceB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1

# Specify ACL 3101 to identify the traffic to be protected.

[DeviceB-ipsec-policy-isakmp-use1-10] security acl 3101

# Specify IPsec transform set tran1 for the IPsec policy.

[DeviceB-ipsec-policy-isakmp-use1-10] transform-set tran1

# Specify IKE profile profile1 for the IPsec policy.

[DeviceB-ipsec-policy-isakmp-use1-10] ike-profile profile1

[DeviceB-ipsec-policy-isakmp-use1-10] quit

# Apply IPsec policy use1 to Ten-GigabitEthernet 3/0/1.

[DeviceB] interface ten-gigabitethernet 3/0/1

[DeviceB-Ten-GigabitEthernet3/0/1] ipsec apply policy use1

[DeviceB-Ten-GigabitEthernet3/0/1] quit

# Configure a static route to the subnet where Host A resides and a static route to Device A. This example uses 2.2.2.1 as the next hop IP address.

[DeviceB] ip route-static 10.1.1.0 255.255.255.0 2.2.2.1

[DeviceB] ip route-static 1.1.0.0 255.255.0.0 2.2.2.1

Verifying the configuration

# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, traffic between the two subnets is IPsec-protected.

# Display the IKE proposal configuration on Device A and Device B. Because no IKE proposal is configured, the command displays only the default IKE proposal, which uses pre-shared key authentication, HMAC-SHA1, DES-CBC, and DH group 1.

[DeviceA] display ike proposal

 Priority Authentication Authentication Encryption  Diffie-Hellman Duration

              method       algorithm    algorithm       group      (seconds)

----------------------------------------------------------------------------

default  PRE-SHARED-KEY     SHA1         DES-CBC        Group 1      86400

 

[DeviceB] display ike proposal

 Priority Authentication Authentication Encryption  Diffie-Hellman Duration

              method       algorithm    algorithm       group      (seconds)

----------------------------------------------------------------------------

default  PRE-SHARED-KEY     SHA1         DES-CBC        Group 1      86400

# Display the IKE SA on Device A.

[DeviceA] display ike sa

    Connection-ID   Remote                Flag         DOI

------------------------------------------------------------------

    1               2.2.2.2/500           RD           IPsec

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

# Display the IPsec SAs generated on Device A.

[DeviceA] display ipsec sa

-------------------------------

Interface: Ten-GigabitEthernet3/0/1

-------------------------------

 

  -----------------------------

  IPsec policy: map1

  Sequence number: 10

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Path MTU: 1456

    Transmitting entity: Initiator

    Tunnel:

        local  address: 1.1.1.1

        remote address: 2.2.2.2

    Flow:

        sour addr: 10.1.1.0/255.255.255.0  port: 0  protocol: ip

        dest addr: 10.1.2.0/255.255.255.0  port: 0  protocol: ip

 

    [Inbound ESP SAs]

      SPI: 3264152513 (0xc28f03c1)

      Connection ID: 90194313219

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843200/3484

      Max received sequence-number:

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: N

      Status: Active

 

    [Outbound ESP SAs]

      SPI: 738451674 (0x2c03e0da)

      Connection ID: 64424509441

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843200/3484

      Max sent sequence-number:

      UDP encapsulation used for NAT traversal: N

      Status: Active

# Display the IKE SA and IPsec SAs on Device B.

[DeviceB] display ike sa

[DeviceB] display ipsec sa

Configuration files

Device A

#

sysname DeviceA

#

interface ten-gigabitethernet 3/0/1

ip address 1.1.1.1 255.255.0.0

#

interface ten-gigabitethernet 3/0/2

ip address 10.1.1.1 255.255.255.0

#

acl advanced 3101

rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

#

ipsec transform-set tran1

encapsulation-mode tunnel

protocol esp

esp encryption-algorithm aes-cbc-128

esp authentication-algorithm sha1

#

ike keychain keychain1

pre-shared-key address 2.2.2.2 255.255.0.0 key simple 123456TESTplat&!

#

ike profile profile1

keychain keychain1

local-identity address 1.1.1.1

match remote identity address 2.2.2.2 255.255.0.0

#

ipsec policy map1 10 isakmp

remote-address 2.2.2.2

security acl 3101

transform-set tran1

ike-profile profile1

#

interface ten-gigabitethernet 3/0/1

ipsec apply policy map1

#

ip route-static 10.1.2.0 255.255.255.0 1.1.1.2

ip route-static 2.2.0.0 255.255.0.0 1.1.1.2

#

Device B

#

sysname DeviceB

#

interface ten-gigabitethernet 3/0/1

ip address 2.2.2.2 255.255.0.0

#

interface ten-gigabitethernet 3/0/2

ip address 10.1.2.1 255.255.255.0

#

acl advanced 3101

rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

#

ipsec transform-set tran1

encapsulation-mode tunnel

protocol esp

esp encryption-algorithm aes-cbc-128

esp authentication-algorithm sha1

#

ike keychain keychain1

pre-shared-key address 1.1.1.1 255.255.0.0 key simple 123456TESTplat&!

#

ike profile profile1

keychain keychain1

local-identity address 2.2.2.2

match remote identity address 1.1.1.1 255.255.0.0

#

ipsec policy use1 10 isakmp

remote-address 1.1.1.1

security acl 3101

transform-set tran1

ike-profile profile1

#

interface ten-gigabitethernet 3/0/1

ipsec apply policy use1

#

ip route-static 10.1.1.0 255.255.255.0 2.2.2.1

ip route-static 1.1.0.0 255.255.0.0 2.2.2.1

#

Example: Configuring aggressive mode with RSA signature authentication

Network configuration

As shown in Figure 8, configure an IKE-based IPsec tunnel between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.

Configure Device A and Device B to use aggressive mode for IKE phase 1 negotiation and RSA signature authentication. Device A acts as the initiator and obtains the IP address of its tunnel-facing interface dynamically. Because Device B cannot know that address in advance, the peers identify each other by FQDN rather than by IP address, and Device B uses an IPsec policy template, which does not require a remote address, instead of a full IKE-based policy entry.

Figure 8 Network diagram

 

Table 8 Interface label and interface name mappings

Interface label

Interface name

Interface1

Ten-GigabitEthernet3/0/1

Interface2

Ten-GigabitEthernet3/0/2

Procedure

1.     Configure Device A:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname DeviceA

[DeviceA] interface ten-gigabitethernet 3/0/1

[DeviceA-Ten-GigabitEthernet3/0/1] ip address 1.1.1.1 255.255.0.0

[DeviceA-Ten-GigabitEthernet3/0/1] quit

[DeviceA] interface ten-gigabitethernet 3/0/2

[DeviceA-Ten-GigabitEthernet3/0/2] ip address 10.1.1.1 255.255.255.0

[DeviceA-Ten-GigabitEthernet3/0/2] quit

# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.

[DeviceA] acl advanced 3101

[DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[DeviceA-acl-ipv4-adv-3101] quit

# Create an IPsec transform set named tran1.

[DeviceA] ipsec transform-set tran1

# Set the packet encapsulation mode to tunnel.

[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Use the ESP protocol for the IPsec transform set.

[DeviceA-ipsec-transform-set-tran1] protocol esp

# Specify the encryption and authentication algorithms.

[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc

[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-tran1] quit

# Create a PKI entity named entity1.

[DeviceA] pki entity entity1

# Set the common name to routera for the PKI entity.

[DeviceA-pki-entity-entity1] common-name routera

[DeviceA-pki-entity-entity1] quit

# Create a PKI domain named domain1.

[DeviceA] pki domain domain1

# Set the certificate request mode to auto and set the password to 123 for certificate revocation.

[DeviceA-pki-domain-domain1] certificate request mode auto password simple 123

# Set an MD5 fingerprint for verifying the validity of the CA root certificate.

[DeviceA-pki-domain-domain1] root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e

# Specify the trusted CA 8088.

[DeviceA-pki-domain-domain1] ca identifier 8088

# Specify the URL of the registration server for certificate request through the SCEP protocol. This example uses http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7.

[DeviceA-pki-domain-domain1] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7

# Specify the CA to accept certificate requests.

[DeviceA-pki-domain-domain1] certificate request from ca

# Specify the PKI entity for certificate request as entity1.

[DeviceA-pki-domain-domain1] certificate request entity entity1

# Specify RSA key pair rsa1 with the general purpose for certificate request.

[DeviceA-pki-domain-domain1] public-key rsa general name rsa1

[DeviceA-pki-domain-domain1] quit

# Create an IKE profile named profile1.

[DeviceA] ike profile profile1

# Specify PKI domain domain1 for the IKE profile.

[DeviceA-ike-profile-profile1] certificate domain domain1

# Specify that IKE negotiation operates in aggressive mode.

[DeviceA-ike-profile-profile1] exchange-mode aggressive

# Set the local identity to FQDN name www.routera.example.com.

[DeviceA-ike-profile-profile1] local-identity fqdn www.routera.example.com

# Configure a peer ID with the identity type of FQDN name and the value of www.example.com.

[DeviceA-ike-profile-profile1] match remote identity fqdn www.example.com

[DeviceA-ike-profile-profile1] quit

# Create an IKE proposal named 10.

[DeviceA] ike proposal 10

# Specify the authentication algorithm as HMAC-MD5.

[DeviceA-ike-proposal-10] authentication-algorithm md5

# Specify the RSA authentication method.

[DeviceA-ike-proposal-10] authentication-method rsa-signature

[DeviceA-ike-proposal-10] quit

# Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.

[DeviceA] ipsec policy map1 10 isakmp

# Specify remote IP address 2.2.2.2 for the IPsec tunnel.

[DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2

# Specify IPsec transform set tran1 for the IPsec policy.

[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1

# Specify ACL 3101 to identify the traffic to be protected.

[DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101

# Specify IKE profile profile1 for the IPsec policy.

[DeviceA-ipsec-policy-isakmp-map1-10] ike-profile profile1

[DeviceA-ipsec-policy-isakmp-map1-10] quit

# Apply IPsec policy map1 to Ten-GigabitEthernet 3/0/1.

[DeviceA] interface ten-gigabitethernet 3/0/1

[DeviceA-Ten-GigabitEthernet3/0/1] ipsec apply policy map1

[DeviceA-Ten-GigabitEthernet3/0/1] quit

# Configure a static route to the subnet where Host B resides and a static route to Device B. This example uses 1.1.1.2 as the next hop IP address.

[DeviceA] ip route-static 10.1.2.0 255.255.255.0 1.1.1.2

[DeviceA] ip route-static 2.2.0.0 255.255.0.0 1.1.1.2

2.     Configure Device B:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname DeviceB

[DeviceB] interface ten-gigabitethernet 3/0/1

[DeviceB-Ten-GigabitEthernet3/0/1] ip address 2.2.2.2 255.255.0.0

[DeviceB-Ten-GigabitEthernet3/0/1] quit

[DeviceB] interface ten-gigabitethernet 3/0/2

[DeviceB-Ten-GigabitEthernet3/0/2] ip address 10.1.2.1 255.255.255.0

[DeviceB-Ten-GigabitEthernet3/0/2] quit

# Create an IPsec transform set named tran1.

[DeviceB] ipsec transform-set tran1

# Set the packet encapsulation mode to tunnel.

[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Use the ESP protocol for the IPsec transform set.

[DeviceB-ipsec-transform-set-tran1] protocol esp

# Specify the encryption and authentication algorithms.

[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc

[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceB-ipsec-transform-set-tran1] quit

# Create a PKI entity named entity2.

[DeviceB] pki entity entity2

# Set the common name to routerb for the PKI entity.

[DeviceB-pki-entity-entity2] common-name routerb

[DeviceB-pki-entity-entity2] quit

# Create a PKI domain named domain2.

[DeviceB] pki domain domain2

# Set the certificate request mode to auto and set the password to 123 for certificate revocation.

[DeviceB-pki-domain-domain2] certificate request mode auto password simple 123

# Set an MD5 fingerprint for verifying the validity of the CA root certificate.

[DeviceB-pki-domain-domain2] root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e

# Specify the trusted CA 8088.

[DeviceB-pki-domain-domain2] ca identifier 8088

# Specify the URL of the registration server for certificate request through the SCEP protocol. This example uses http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7.

[DeviceB-pki-domain-domain2] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7

# Specify the CA to accept certificate requests.

[DeviceB-pki-domain-domain2] certificate request from ca

# Specify the PKI entity for certificate request as entity2.

[DeviceB-pki-domain-domain2] certificate request entity entity2

# Specify RSA key pair rsa1 with the general purpose for certificate request.

[DeviceB-pki-domain-domain2] public-key rsa general name rsa1

[DeviceB-pki-domain-domain2] quit

# Create an IKE profile named profile2.

[DeviceB] ike profile profile2

# Specify PKI domain domain2 for the IKE profile.

[DeviceB-ike-profile-profile2] certificate domain domain2

# Configure IKE phase 1 negotiation to use the aggressive mode.

[DeviceB-ike-profile-profile2] exchange-mode aggressive

# Set the local identity to FQDN name www.example.com.

[DeviceB-ike-profile-profile2] local-identity fqdn www.example.com

# Configure a peer ID with the identity type of FQDN name and the value of www.routera.example.com.

[DeviceB-ike-profile-profile2] match remote identity fqdn www.routera.example.com

[DeviceB-ike-profile-profile2] quit

# Create an IKE proposal named 10.

[DeviceB] ike proposal 10

# Specify the authentication algorithm as HMAC-MD5.

[DeviceB-ike-proposal-10] authentication-algorithm md5

# Specify the RSA authentication method.

[DeviceB-ike-proposal-10] authentication-method rsa-signature

[DeviceB-ike-proposal-10] quit

# Create an IPsec policy template named template1 and set the sequence number to 1. Device B does not know the initiator's address in advance, so it uses a policy template, which requires neither a remote address nor an ACL, instead of a full IKE-based policy entry.

[DeviceB] ipsec policy-template template1 1

# Specify IPsec transform set tran1 for the policy template.

[DeviceB-ipsec-policy-template-template1-1] transform-set tran1

# Specify IKE profile profile2 for the policy template.

[DeviceB-ipsec-policy-template-template1-1] ike-profile profile2

[DeviceB-ipsec-policy-template-template1-1] quit

# Create an IKE-based IPsec policy entry named use1 with sequence number 1 by referencing policy template template1.

[DeviceB] ipsec policy use1 1 isakmp template template1

# Apply IPsec policy use1 to Ten-GigabitEthernet 3/0/1.

[DeviceB] interface ten-gigabitethernet 3/0/1

[DeviceB-Ten-GigabitEthernet3/0/1] ipsec apply policy use1

[DeviceB-Ten-GigabitEthernet3/0/1] quit

# Configure a static route to the subnet where Host A resides and a static route to Device A. This example uses 2.2.2.1 as the next hop IP address.

[DeviceB] ip route-static 10.1.1.0 255.255.255.0 2.2.2.1

[DeviceB] ip route-static 1.1.0.0 255.255.0.0 2.2.2.1

Verifying the configuration

# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, traffic between the two subnets is IPsec-protected.

# Display the IKE proposal configuration on Device A and Device B.

[DeviceA] display ike proposal

 Priority Authentication Authentication Encryption  Diffie-Hellman Duration

              method       algorithm    algorithm       group      (seconds)

----------------------------------------------------------------------------

 10       RSA-SIG            MD5        DES-CBC     Group 1        86400

 default  PRE-SHARED-KEY     SHA1       DES-CBC     Group 1        86400

 

[DeviceB] display ike proposal

 Priority Authentication Authentication Encryption  Diffie-Hellman Duration

              method       algorithm    algorithm       group      (seconds)

----------------------------------------------------------------------------

 10       RSA-SIG            MD5        DES-CBC     Group 1        86400

 default  PRE-SHARED-KEY     SHA1       DES-CBC     Group 1        86400

# Display the IKE SA on Device A.

[DeviceA] display ike sa

    Connection-ID   Remote                Flag         DOI

------------------------------------------------------------------

    1               2.2.2.2/500           RD           IPsec

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

# Display information about the CA certificate on Device A.

[DeviceA] display pki certificate domain domain1 ca

Certificate:

    Data:

        Version: 1 (0x0)

        Serial Number:

            b9:14:fb:25:c9:08:2c:9d:f6:94:20:30:37:4e:00:00

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=cn, O=rnd, OU=sec, CN=8088

        Validity

            Not Before: Sep  6 01:53:58 2012 GMT

            Not After : Sep  8 01:50:58 2015 GMT

        Subject: C=cn, O=rnd, OU=sec, CN=8088

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                    00:de:81:f4:42:c6:9f:c2:37:7b:21:84:57:d6:42:

                    00:69:1c:4c:34:a4:5e:bb:30:97:45:2b:5e:52:43:

                    c0:49:1f:e1:d8:0f:5c:48:c2:39:69:d1:84:e4:14:

                    70:3d:98:41:28:1c:20:a1:9a:3f:91:67:78:77:27:

                    d9:08:5f:7a:c4:36:45:8b:f9:7b:e7:7d:6a:98:bb:

                    4e:a1:cb:2c:3d:92:66:bd:fb:80:35:16:c6:35:f0:

                    ff:0b:b9:3c:f3:09:94:b7:d3:6f:50:8d:83:f1:66:

                    2f:91:0b:77:a5:98:22:b4:77:ac:84:1d:03:8e:33:

                    1b:31:03:78:4f:77:a0:db:af

                Exponent: 65537 (0x10001)

    Signature Algorithm: sha1WithRSAEncryption

        9a:6d:8c:46:d3:18:8a:00:ce:12:ee:2b:b0:aa:39:5d:3f:90:

        08:49:b9:a9:8f:0d:6e:7b:e1:00:fb:41:f5:d4:0c:e4:56:d8:

        7a:a7:61:1d:2b:b6:72:e3:09:0b:13:9d:fa:c8:fc:c4:65:a7:

        f9:45:21:05:75:2c:bf:36:7b:48:b4:4a:b9:fe:87:b9:d8:cf:

        55:16:87:ec:07:1d:55:5a:89:74:73:68:5e:f9:1d:30:55:d9:

        8a:8f:c5:d4:20:7e:41:a9:37:57:ed:8e:83:a7:80:2f:b8:31:

        57:3a:f2:1a:28:32:ea:ea:c5:9a:55:61:6a:bc:e5:6b:59:0d:

        82:16

# Display the local certificate on Device A.

[DeviceA] display pki certificate domain domain1 local

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            a1:f4:d4:fd:cc:54:c3:07:c4:9e:15:2d:5f:64:57:77

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=cn, O=rnd, OU=sec, CN=8088

        Validity

            Not Before: Sep 26 02:06:43 2012 GMT

            Not After : Sep 26 02:06:43 2013 GMT

        Subject: CN=routera

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                    00:b0:a1:cd:24:6e:1a:1d:51:79:f0:2a:3e:9f:e9:

                    84:07:16:78:49:1b:7d:0b:22:f0:0a:ed:75:91:a4:

                    17:fd:c7:ef:d0:66:5c:aa:e3:2a:d9:71:12:e4:c6:

                    25:77:f0:1d:97:bb:92:a8:bd:66:f8:f8:e8:d5:0d:

                    d2:c8:01:dd:ea:e6:e0:80:ad:db:9d:c8:d9:5f:03:

                    2d:22:07:e3:ed:cc:88:1e:3f:0c:5e:b3:d8:0e:2d:

                    ea:d6:c6:47:23:6a:11:ef:3c:0f:6b:61:f0:ca:a1:

                    79:a0:b1:02:1a:ae:8c:c9:44:e0:cf:d1:30:de:4c:

                    f0:e5:62:e7:d0:81:5d:de:d3

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 CRL Distribution Points:

 

                Full Name:

                  URI:http://xx.rsa.com:447/8088.crl

 

    Signature Algorithm: sha1WithRSAEncryption

        73:ac:66:f9:b8:b5:39:e1:6a:17:e4:d0:72:3e:26:9e:12:61:

        9e:c9:7a:86:6f:27:b0:b9:a3:5d:02:d9:5a:cb:79:0a:12:2e:

        cb:e7:24:57:e6:d9:77:12:6b:7a:cf:ee:d6:17:c5:5f:d2:98:

        30:e0:ef:00:39:4a:da:ff:1c:29:bb:2a:5b:60:e9:33:8f:78:

        f9:15:dc:a5:a3:09:66:32:ce:36:cd:f0:fe:2f:67:e5:72:e5:

        21:62:85:c4:07:92:c8:f1:d3:13:9c:2e:42:c1:5f:0e:8f:ff:

        65:fb:de:7c:ed:53:ab:14:7a:cf:69:f2:42:a4:44:7c:6e:90:

        7e:cd

# Display the IPsec SA information on Device A.

[DeviceA] display ipsec sa

-------------------------------

Interface: Ten-GigabitEthernet3/0/1

-------------------------------

 

  -----------------------------

  IPsec policy: map1

  Sequence number: 10

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Path MTU: 1456

    Transmitting entity: Initiator

    Tunnel:

        local  address: 1.1.1.1

        remote address: 2.2.2.2

    Flow:

        sour addr: 10.1.1.0/255.255.255.0  port: 0  protocol: ip

        dest addr: 10.1.2.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]

      SPI: 3264152513 (0xc28f03c1)

      Connection ID: 90194313219

      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843200/3484

      Max received sequence-number:

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: N

      Status: Active

 

    [Outbound ESP SAs]

      SPI: 738451674 (0x2c03e0da)

      Connection ID: 64424509441

      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843200/3484

      Max sent sequence-number:

      UDP encapsulation used for NAT traversal: N

      Status: Active

# Display the IKE SA, the CA certificate, the local certificate, and the IPsec SAs on Device B.

[DeviceB] display ike sa

[DeviceB] display pki certificate domain domain2 ca

[DeviceB] display pki certificate domain domain2 local

[DeviceB] display ipsec sa
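The verification output above, both for the pre-shared-key example and for this RSA-signature example, is what a reviewer has to read to see which algorithms were actually negotiated: the default IKE proposal printed on this page uses DES-CBC and DH group 1, and proposal 10 adds HMAC-MD5 on top. The Python script below is an added example, not part of the configuration guide and not an H3C tool. It parses the text of `display ike proposal` and `display ipsec sa` as printed on this page and reports legacy algorithms, a disabled anti-replay check, and SAs that are not Active. The `WEAK` table and its recommendations are the example's own policy assumptions, and the sample output is copied from this page's verification section, cut down to the lines the parser reads.

```python
import re

# Algorithms this audit refuses on a production tunnel.  The list and its advice are
# this example's own policy assumptions, not requirements stated in the guide.
WEAK = {
    "DES-CBC": "56-bit DES; use aes-cbc-128 or stronger",
    "3DES-CBC": "3DES; use AES",
    "MD5": "HMAC-MD5; use SHA-256 or stronger",
    "Group 1": "768-bit MODP DH group; use group 14 or an ECDH group",
    "Group 2": "1024-bit MODP DH group; use group 14 or an ECDH group",
}

# Constructed sample input: the `display ike proposal` and `display ipsec sa` output
# of the aggressive-mode RSA example on this page, cut down to the lines parsed here.
SAMPLE_IKE_PROPOSAL = """\
 Priority Authentication Authentication Encryption  Diffie-Hellman Duration
              method       algorithm    algorithm       group      (seconds)
----------------------------------------------------------------------------
 10       RSA-SIG            MD5        DES-CBC     Group 1        86400
 default  PRE-SHARED-KEY     SHA1       DES-CBC     Group 1        86400
"""
SAMPLE_IPSEC_SA = """\
    [Inbound ESP SAs]
      SPI: 3264152513 (0xc28f03c1)
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA remaining duration (kilobytes/sec): 1843200/3484
      Anti-replay check enable: Y
      Anti-replay window size: 64
      Status: Active

    [Outbound ESP SAs]
      SPI: 738451674 (0x2c03e0da)
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA remaining duration (kilobytes/sec): 1843200/3484
      Status: Active
"""

PROPOSAL_ROW = re.compile(r"^\s*(?P<priority>\S+)\s+(?P<method>\S+)\s+(?P<auth>\S+)"
                          r"\s+(?P<enc>\S+)\s+(?P<dh>Group \d+)\s+(?P<seconds>\d+)\s*$")

def parse_ike_proposals(text):
    """One dict per data row of `display ike proposal`; the header rows never match."""
    return [m.groupdict() for m in map(PROPOSAL_ROW.match, text.splitlines()) if m]

def parse_esp_sas(text):
    """One dict per [Inbound/Outbound ESP SAs] block of `display ipsec sa`."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        block = re.match(r"\[(Inbound|Outbound) ESP SAs\]", line)
        if block:
            cur = {"direction": block.group(1).lower(), "anti_replay": None}
            sas.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Transform set":  # e.g. ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
            for token in value.split():
                if token.startswith("ESP-ENCRYPT-"):
                    cur["encryption"] = token[len("ESP-ENCRYPT-"):]
                elif token.startswith("ESP-AUTH-"):
                    cur["auth"] = token[len("ESP-AUTH-"):]
        elif key == "Anti-replay check enable":
            cur["anti_replay"] = value == "Y"
        elif key == "SA remaining duration (kilobytes/sec)":
            cur["remaining_kb"], cur["remaining_sec"] = map(int, value.split("/"))
        elif key == "Status":
            cur["status"] = value
    return sas

def audit(proposal_text, sa_text):
    """Findings a reviewer would raise from the output of the two display commands."""
    findings = []
    for p in parse_ike_proposals(proposal_text):
        for field in ("auth", "enc", "dh"):
            if p[field] in WEAK:
                findings.append("IKE proposal %s: %s (%s)" % (p["priority"], p[field], WEAK[p[field]]))
    for sa in parse_esp_sas(sa_text):
        for field in ("encryption", "auth"):
            if sa.get(field) in WEAK:
                findings.append("%s ESP SA: %s (%s)" % (sa["direction"], sa[field], WEAK[sa[field]]))
        if sa["direction"] == "inbound" and sa["anti_replay"] is not True:
            findings.append("inbound ESP SA: anti-replay check is not enabled")
        if sa.get("status") != "Active":
            findings.append("%s ESP SA: status is %s" % (sa["direction"], sa.get("status")))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_IKE_PROPOSAL, SAMPLE_IPSEC_SA):
        print(finding)
```

Paste the real output of the two commands into the two arguments of audit(); an empty finding list means every negotiated algorithm passes the policy encoded in `WEAK`. Note that the default proposal row is printed even when an explicit proposal exists, so its DES-CBC and group 1 entries are reported whether or not they were used in the negotiation; the `display ipsec sa` transform set is the authoritative record of what the IPsec SA actually uses.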

Configuration files

Device A

#

sysname DeviceA

#

interface ten-gigabitethernet 3/0/1

ip address 1.1.1.1 255.255.0.0

#

interface ten-gigabitethernet 3/0/2

ip address 10.1.1.1 255.255.255.0

#

acl advanced 3101

rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

#

ipsec transform-set tran1

encapsulation-mode tunnel

protocol esp

esp encryption-algorithm des-cbc

esp authentication-algorithm sha1

#

pki entity entity1

common-name routera

#

pki domain domain1

certificate request mode auto password simple 123

root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e

ca identifier 8088

certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7

certificate request from ca

certificate request entity entity1

public-key rsa general name rsa1

#

ike profile profile1

certificate domain domain1

exchange-mode aggressive

local-identity fqdn www.routera.example.com

match remote identity fqdn www.example.com

#

ike proposal 10

authentication-algorithm md5

authentication-method rsa-signature

#

ipsec policy map1 10 isakmp

remote-address 2.2.2.2

transform-set tran1

security acl 3101

ike-profile profile1

#

interface ten-gigabitethernet 3/0/1

ipsec apply policy map1

#

ip route-static 10.1.2.0 255.255.255.0 1.1.1.2

ip route-static 2.2.0.0 255.255.0.0 1.1.1.2

#

Device B

#

sysname DeviceB

#

interface ten-gigabitethernet 3/0/1

ip address 2.2.2.2 255.255.0.0

#

interface ten-gigabitethernet 3/0/2

ip address 10.1.2.1 255.255.255.0

#

ipsec transform-set tran1

encapsulation-mode tunnel

protocol esp

esp encryption-algorithm des-cbc

esp authentication-algorithm sha1

#

pki entity entity2

common-name routerb

#

pki domain domain2

certificate request mode auto password simple 123

root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e

ca identifier 8088

certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7

certificate request from ca

certificate request entity entity2

public-key rsa general name rsa1

#

ike profile profile2

certificate domain domain2

exchange-mode aggressive

local-identity fqdn www.example.com

match remote identity fqdn www.routera.example.com

#

ike proposal 10

authentication-algorithm md5

authentication-method rsa-signature

#

ipsec policy-template template1 1

transform-set tran1

ike-profile profile2

#

ipsec policy use1 1 isakmp template template1

#

interface ten-gigabitethernet 3/0/1

ipsec apply policy use1

#

ip route-static 10.1.1.0 255.255.255.0 2.2.2.1

ip route-static 1.1.0.0 255.255.0.0 2.2.2.1

#
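The configuration files of the two peers have to be mirror images of each other in several places: the transform sets must be identical, the ACLs on an IKE-based policy must be reversed copies, each side's local identity must be accepted by the other side's `match remote identity` rule, and `remote-address` must be the peer's tunnel interface. A one-label difference in an FQDN identity (routera.example.com versus www.routera.example.com) is enough to fail phase 1 with a certificate that is otherwise valid. The Python script below is an added example, not from this guide and not an H3C tool. It parses the configuration-file format shown above for both the pre-shared-key example and the RSA-signature example, resolves the policy applied on each tunnel interface (including Device B's template-based policy), and reports the mismatches. `CONFIG_A` and `CONFIG_B` are constructed from this page's RSA example with exactly that FQDN mismatch injected on Device B; the rule that a device with no `local-identity` identifies itself by its tunnel interface address is the example's own assumption.

```python
import ipaddress
import re

KEYS = ("match remote identity", "security acl", "local-identity", "remote-address", "transform-set", "ike-profile")

# Constructed sample input built from the configuration files of the aggressive-mode RSA
# example on this page; Device B's match rule is deliberately one label short to trigger a finding.
CONFIG_A = "\n#\n".join([
    "interface ten-gigabitethernet 3/0/1\n ip address 1.1.1.1 255.255.0.0",
    "acl advanced 3101\n rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255",
    "ipsec transform-set tran1\n encapsulation-mode tunnel\n protocol esp\n"
    " esp encryption-algorithm des-cbc\n esp authentication-algorithm sha1",
    "ike profile profile1\n certificate domain domain1\n exchange-mode aggressive\n"
    " local-identity fqdn www.routera.example.com\n match remote identity fqdn www.example.com",
    "ipsec policy map1 10 isakmp\n remote-address 2.2.2.2\n transform-set tran1\n"
    " security acl 3101\n ike-profile profile1",
    "interface ten-gigabitethernet 3/0/1\n ipsec apply policy map1",
])
CONFIG_B = "\n#\n".join([
    "interface ten-gigabitethernet 3/0/1\n ip address 2.2.2.2 255.255.0.0",
    "ipsec transform-set tran1\n encapsulation-mode tunnel\n protocol esp\n"
    " esp encryption-algorithm des-cbc\n esp authentication-algorithm sha1",
    "ike profile profile2\n certificate domain domain2\n exchange-mode aggressive\n"
    " local-identity fqdn www.example.com\n match remote identity fqdn routera.example.com",
    "ipsec policy-template template1 1\n transform-set tran1\n ike-profile profile2",
    "ipsec policy use1 1 isakmp template template1",
    "interface ten-gigabitethernet 3/0/1\n ipsec apply policy use1",
])

def _kv(lines):  # (command, arguments) for the section lines that start with one of KEYS
    for line in lines:
        for key in KEYS:
            if line.startswith(key + " "):
                yield key, line[len(key) + 1:].split()
                break

def parse_config(text):
    """Index the '#'-separated sections of a Comware configuration by type and name."""
    cfg = {k: {} for k in ("interface", "acl", "transform", "profile", "policy", "template", "apply")}
    sections = ([l.strip() for l in s.splitlines() if l.strip()] for s in re.split(r"(?m)^#[ \t]*$", text))
    for lines in filter(None, sections):
        words, body = lines[0].split(), lines[1:]
        if words[0] == "interface":
            iface = " ".join(words[1:])
            for line in body:
                if line.startswith("ip address "):
                    cfg["interface"][iface] = ipaddress.ip_interface("%s/%s" % tuple(line.split()[2:4]))
                elif line.startswith("ipsec apply policy "):
                    cfg["apply"][line.split()[3]] = iface
        elif words[:2] == ["acl", "advanced"]:
            cfg["acl"][words[2]] = {tuple(l.split()[i] for i in (4, 5, 7, 8))
                                    for l in body if l.startswith("rule permit ip source ")}
        elif words[:2] == ["ipsec", "transform-set"]:
            cfg["transform"][words[2]] = frozenset(body)
        elif words[:2] == ["ike", "profile"]:
            cfg["profile"][words[2]] = dict(_kv(body))
        elif words[:2] == ["ipsec", "policy-template"]:
            cfg["template"][words[2]] = dict(_kv(body))
        elif words[:2] == ["ipsec", "policy"]:  # `... isakmp template NAME` references a template
            cfg["policy"][words[2]] = dict(_kv(body), template=words[-1]) if "template" in words else dict(_kv(body))
    return cfg

def active_policy(cfg):
    """Resolve the policy applied on an interface into the pieces the peer must mirror."""
    name, iface = next(iter(cfg["apply"].items()))
    pol = dict(cfg["policy"][name])
    if "template" in pol:  # a template-based policy takes its settings from the template
        pol.update(cfg["template"][pol["template"]])
    return {"addr": cfg["interface"][iface].ip,
            "profile": cfg["profile"][pol["ike-profile"][0]],
            "transform": cfg["transform"][pol["transform-set"][0]],
            "remote": pol.get("remote-address", [None])[0],
            "acl": cfg["acl"].get(pol.get("security acl", [None])[0])}

def identity_matches(local, match):
    """local = [type, value]; match = the peer's `match remote identity` arguments."""
    if local[0] != match[0]:
        return False
    if local[0] == "address":  # address matches carry a mask: any host in that subnet passes
        return ipaddress.ip_address(local[1]) in ipaddress.ip_network("%s/%s" % (match[1], match[2]), strict=False)
    return local[1] == match[1]  # fqdn and other string identities must be exact

def check_peers(cfg_a, cfg_b):
    """Mismatches that would stop IKE phase 1 or phase 2 between the two peers."""
    pa, pb = active_policy(cfg_a), active_policy(cfg_b)
    problems = []
    if pa["transform"] != pb["transform"]:
        problems.append("transform sets differ")
    if pa["acl"] and pb["acl"] and pa["acl"] != {(d, dm, s, sm) for s, sm, d, dm in pb["acl"]}:
        problems.append("ACLs are not mirror images of each other")
    for side, me, peer in (("A", pa, pb), ("B", pb, pa)):
        # Assumption: with no local-identity, a device identifies itself by its tunnel interface address.
        local = me["profile"].get("local-identity", ["address", str(me["addr"])])
        match = peer["profile"]["match remote identity"]
        if not identity_matches(local, match):
            problems.append("%s sends identity %s, peer matches %s" % (side, " ".join(local), " ".join(match)))
        if me["remote"] and me["remote"] != str(peer["addr"]):
            problems.append("%s remote-address %s is not the peer's tunnel address %s" % (side, me["remote"], peer["addr"]))
    return problems
```

Run check_peers(parse_config(a), parse_config(b)) on the saved configurations of both peers before bringing a tunnel up; the checker deliberately skips the ACL comparison when one side is a policy template, because a template has no ACL and accepts the initiator's flow, and it does not compare pre-shared keys or certificates, which a responder only validates at negotiation time.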

IKEv2 configuration examples

Example: Configuring IKEv2 with pre-shared key authentication

Network configuration

As shown in Figure 9, configure an IKEv2-based IPsec tunnel between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.

·     Configure Device A and Device B to use the default IKEv2 proposal and the default IKEv2 policy in IKEv2 negotiation to set up IPsec SAs.

·     Configure the two devices to use the pre-shared key authentication method in IKEv2 negotiation.

Figure 9 Network diagram

 

Table 9 Interface label and interface name mappings

Interface label

Interface name

Interface1

Ten-GigabitEthernet3/0/1

Interface2

Ten-GigabitEthernet3/0/2

Procedure

1.     Configure Device A:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname DeviceA

[DeviceA] interface ten-gigabitethernet 3/0/1

[DeviceA-Ten-GigabitEthernet3/0/1] ip address 1.1.1.1 255.255.0.0

[DeviceA-Ten-GigabitEthernet3/0/1] quit

[DeviceA] interface ten-gigabitethernet 3/0/2

[DeviceA-Ten-GigabitEthernet3/0/2] ip address 10.1.1.1 255.255.255.0

[DeviceA-Ten-GigabitEthernet3/0/2] quit

# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.

[DeviceA] acl advanced 3101

[DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[DeviceA-acl-ipv4-adv-3101] quit

# Create an IPsec transform set named tran1.

[DeviceA] ipsec transform-set tran1

# Set the packet encapsulation mode to tunnel.

[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Use the ESP protocol for the IPsec transform set.

[DeviceA-ipsec-transform-set-tran1] protocol esp

# Specify the encryption and authentication algorithms.

[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc

[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-tran1] quit

# Create an IKEv2 keychain named keychain1.

[DeviceA] ikev2 keychain keychain1

# Create an IKEv2 peer named peer1.

[DeviceA-ikev2-keychain-keychain1] peer peer1

# Specify peer IP address 2.2.2.2/16.

[DeviceA-ikev2-keychain-keychain1-peer-peer1] address 2.2.2.2 16

# Specify the peer ID, which is IP address 2.2.2.2.

[DeviceA-ikev2-keychain-keychain1-peer-peer1] identity address 2.2.2.2

# Specify abcde in plain text as the pre-shared key to be used with the peer at 2.2.2.2.

[DeviceA-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext abcde

[DeviceA-ikev2-keychain-keychain1-peer-peer1] quit

[DeviceA-ikev2-keychain-keychain1] quit

# Create an IKEv2 profile named profile1.

[DeviceA] ikev2 profile profile1

# Specify the local authentication method as pre-shared key.

[DeviceA-ikev2-profile-profile1] authentication-method local pre-share

# Specify the remote authentication method as pre-shared key.

[DeviceA-ikev2-profile-profile1] authentication-method remote pre-share

# Specify IKEv2 keychain keychain1.

[DeviceA-ikev2-profile-profile1] keychain keychain1

# Specify the peer ID that the IKEv2 profile matches. The peer ID is IP address 2.2.2.2/16.

[DeviceA-ikev2-profile-profile1] match remote identity address 2.2.2.2 255.255.0.0

[DeviceA-ikev2-profile-profile1] quit

# Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.

[DeviceA] ipsec policy map1 10 isakmp

# Specify remote IP address 2.2.2.2 for the IPsec tunnel.

[DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2

# Specify ACL 3101 to identify the traffic to be protected.

[DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101

# Specify IPsec transform set tran1 for the IPsec policy.

[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1

# Specify IKEv2 profile profile1 for the IPsec policy.

[DeviceA-ipsec-policy-isakmp-map1-10] ikev2-profile profile1

[DeviceA-ipsec-policy-isakmp-map1-10] quit

# Apply IPsec policy map1 to Ten-GigabitEthernet 3/0/1.

[DeviceA] interface ten-gigabitethernet 3/0/1

[DeviceA-Ten-GigabitEthernet3/0/1] ipsec apply policy map1

[DeviceA-Ten-GigabitEthernet3/0/1] quit

# Configure a static route to the subnet where Host B resides and a static route to Device B. This example uses 1.1.1.2 as the next hop IP address.

[DeviceA] ip route-static 10.1.2.0 255.255.255.0 1.1.1.2

[DeviceA] ip route-static 2.2.0.0 255.255.0.0 1.1.1.2

2.     Configure Device B:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname DeviceB

[DeviceB] interface ten-gigabitethernet 3/0/1

[DeviceB-Ten-GigabitEthernet3/0/1] ip address 2.2.2.2 255.255.0.0

[DeviceB-Ten-GigabitEthernet3/0/1] quit

[DeviceB] interface ten-gigabitethernet 3/0/2

[DeviceB-Ten-GigabitEthernet3/0/2] ip address 10.1.2.1 255.255.255.0

[DeviceB-Ten-GigabitEthernet3/0/2] quit

# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.

[DeviceB] acl advanced 3101

[DeviceB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

[DeviceB-acl-ipv4-adv-3101] quit

# Create an IPsec transform set named tran1.

[DeviceB] ipsec transform-set tran1

# Set the packet encapsulation mode to tunnel.

[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Use the ESP protocol for the IPsec transform set.

[DeviceB-ipsec-transform-set-tran1] protocol esp

# Specify the encryption and authentication algorithms.

[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc

[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceB-ipsec-transform-set-tran1] quit

# Create an IKEv2 keychain named keychain1.

[DeviceB] ikev2 keychain keychain1

# Create an IKEv2 peer named peer1.

[DeviceB-ikev2-keychain-keychain1] peer peer1

# Specify peer IP address 1.1.1.1/16.

[DeviceB-ikev2-keychain-keychain1-peer-peer1] address 1.1.1.1 16

# Specify the peer ID, which is IP address 1.1.1.1.

[DeviceB-ikev2-keychain-keychain1-peer-peer1] identity address 1.1.1.1

# Specify abcde in plain text as the pre-shared key to be used with the peer at 1.1.1.1.

[DeviceB-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext abcde

[DeviceB-ikev2-keychain-keychain1-peer-peer1] quit

[DeviceB-ikev2-keychain-keychain1] quit

# Create an IKEv2 profile named profile1.

[DeviceB] ikev2 profile profile1

# Specify the local authentication method as pre-shared key.

[DeviceB-ikev2-profile-profile1] authentication-method local pre-share

# Specify the remote authentication method as pre-shared key.

[DeviceB-ikev2-profile-profile1] authentication-method remote pre-share

# Specify IKEv2 keychain keychain1.

[DeviceB-ikev2-profile-profile1] keychain keychain1

# Specify the peer ID that the IKEv2 profile matches. The peer ID is IP address 1.1.1.1/16.

[DeviceB-ikev2-profile-profile1] match remote identity address 1.1.1.1 255.255.0.0

[DeviceB-ikev2-profile-profile1] quit

# Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.

[DeviceB] ipsec policy use1 10 isakmp

# Specify remote IP address 1.1.1.1 for the IPsec tunnel.

[DeviceB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1

# Specify ACL 3101 to identify the traffic to be protected.

[DeviceB-ipsec-policy-isakmp-use1-10] security acl 3101

# Specify IPsec transform set tran1 for the IPsec policy.

[DeviceB-ipsec-policy-isakmp-use1-10] transform-set tran1

# Specify IKEv2 profile profile1 for the IPsec policy.

[DeviceB-ipsec-policy-isakmp-use1-10] ikev2-profile profile1

[DeviceB-ipsec-policy-isakmp-use1-10] quit

# Apply IPsec policy use1 to Ten-GigabitEthernet 3/0/1.

[DeviceB] interface ten-gigabitethernet 3/0/1

[DeviceB-Ten-GigabitEthernet3/0/1] ipsec apply policy use1

[DeviceB-Ten-GigabitEthernet3/0/1] quit

# Configure a static route to the subnet where Host A resides and a static route to Device A. This example uses 2.2.2.1 as the next hop IP address.

[DeviceB] ip route-static 10.1.1.0 255.255.255.0 2.2.2.1

[DeviceB] ip route-static 1.1.0.0 255.255.0.0 2.2.2.1

Verifying the configuration

# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKEv2 negotiation. After IPsec SAs are successfully negotiated by IKEv2, traffic between the two subnets is IPsec-protected.

# Display the IKEv2 proposal and IKEv2 policy on Device A.

[DeviceA] display ikev2 proposal

IKEv2 proposal : default

  Encryption: AES-CBC-128 3DES-CBC

  Integrity: SHA1 MD5

  PRF: SHA1 MD5

  DH Group: MODP1536/Group5 MODP1024/Group2

[DeviceA] display ikev2 policy

IKEv2 policy : default

  Match VRF : any

  Proposal: default

# Display the IKEv2 SA on Device A.

[DeviceA] display ikev2 sa

Tunnel ID   Local                       Remote                      Status

---------------------------------------------------------------------------

  1        1.1.1.1/500                  2.2.2.2/500                  EST

Status:

IN-NEGO: Negotiating, EST: Established, DEL:Deleting

# Display the IPsec SAs on Device A.

[DeviceA] display ipsec sa

-------------------------------

Interface: Ten-GigabitEthernet3/0/1

-------------------------------

 

  -----------------------------

  IPsec policy: map1

  Sequence number: 10

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Path MTU: 1456

    Transmitting entity: Initiator

    Tunnel:

        local  address: 1.1.1.1

        remote address: 2.2.2.2

    Flow:

        sour addr: 10.1.1.0/255.255.255.0  port: 0  protocol: ip

        dest addr: 10.1.2.0/255.255.255.0  port: 0  protocol: ip

 

    [Inbound ESP SAs]

      SPI: 3264152513 (0xc28f03c1)

      Connection ID: 141733920771

      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843200/3484

      Max received sequence-number:

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: N

      Status: Active

 

    [Outbound ESP SAs]

      SPI: 738451674 (0x2c03e0da)

      Connection ID: 64424509441

      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843200/3484

      Max sent sequence-number:

      UDP encapsulation used for NAT traversal: N

      Status: Active

# Display the IKEv2 proposal, IKEv2 policy, IKEv2 SA and IPsec SAs on Device B.

[DeviceB] display ikev2 proposal

[DeviceB] display ikev2 policy

[DeviceB] display ikev2 sa

[DeviceB] display ipsec sa

Configuration files

Device A

#

sysname DeviceA

#

interface ten-gigabitethernet 3/0/1

ip address 1.1.1.1 255.255.0.0

#

interface ten-gigabitethernet 3/0/2

ip address 10.1.1.1 255.255.255.0

#

acl advanced 3101

rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

#

ipsec transform-set tran1

encapsulation-mode tunnel

protocol esp

esp encryption-algorithm des-cbc

esp authentication-algorithm sha1

#

ikev2 keychain keychain1

peer peer1

address 2.2.2.2 16

identity address 2.2.2.2

pre-shared-key plaintext abcde

#

ikev2 profile profile1

authentication-method local pre-share

authentication-method remote pre-share

keychain keychain1

match remote identity address 2.2.2.2 255.255.0.0

#

ipsec policy map1 10 isakmp

remote-address 2.2.2.2

security acl 3101

transform-set tran1

ikev2-profile profile1

#

interface ten-gigabitethernet 3/0/1

ipsec apply policy map1

#

ip route-static 10.1.2.0 255.255.255.0 1.1.1.2

ip route-static 2.2.0.0 255.255.0.0 1.1.1.2

#

Device B

#

sysname DeviceB

#

interface ten-gigabitethernet 3/0/1

ip address 2.2.2.2 255.255.0.0

#

interface ten-gigabitethernet 3/0/2

ip address 10.1.2.1 255.255.255.0

#

acl advanced 3101

rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

#

ipsec transform-set tran1

encapsulation-mode tunnel

protocol esp

esp encryption-algorithm des-cbc

esp authentication-algorithm sha1

#

ikev2 keychain keychain1

peer peer1

address 1.1.1.1 16

identity address 1.1.1.1

pre-shared-key plaintext abcde

#

ikev2 profile profile1

authentication-method local pre-share

authentication-method remote pre-share

keychain keychain1

match remote identity address 1.1.1.1 255.255.0.0

#

ipsec policy use1 10 isakmp

remote-address 1.1.1.1

security acl 3101

transform-set tran1

ikev2-profile profile1

#

interface ten-gigabitethernet 3/0/1

ipsec apply policy use1

#

ip route-static 10.1.1.0 255.255.255.0 2.2.2.1

ip route-static 1.1.0.0 255.255.0.0 2.2.2.1

#

Example: Configuring IKEv2 with RSA signature authentication

Network configuration

As shown in Figure 10, configure an IKE-based IPsec tunnel between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.

Configure Device A and Device B to use IKEv2 negotiation and RSA signature authentication. Device A acts as the initiator, and the subnet where Device A resides uses dynamically allocated IP addresses.

Figure 10 Network diagram

 

Table 10 Interface label and interface name mappings

Interface label    Interface name
Interface1         Ten-GigabitEthernet3/0/1
Interface2         Ten-GigabitEthernet3/0/2

Procedure

1.     Configure Device A:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname DeviceA

[DeviceA] interface ten-gigabitethernet 3/0/1

[DeviceA-Ten-GigabitEthernet3/0/1] ip address 1.1.1.1 255.255.0.0

[DeviceA-Ten-GigabitEthernet3/0/1] quit

[DeviceA] interface ten-gigabitethernet 3/0/2

[DeviceA-Ten-GigabitEthernet3/0/2] ip address 10.1.1.1 255.255.255.0

[DeviceA-Ten-GigabitEthernet3/0/2] quit

# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.

[DeviceA] acl advanced 3101

[DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[DeviceA-acl-ipv4-adv-3101] quit

# Create an IPsec transform set named tran1.

[DeviceA] ipsec transform-set tran1

# Set the packet encapsulation mode to tunnel.

[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Use the ESP protocol for the IPsec transform set.

[DeviceA-ipsec-transform-set-tran1] protocol esp

# Specify the encryption and authentication algorithms.

[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc

[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-tran1] quit

# Create a PKI entity named entity1.

[DeviceA] pki entity entity1

# Set the common name to routera for the PKI entity.

[DeviceA-pki-entity-entity1] common-name routera

[DeviceA-pki-entity-entity1] quit

# Create a PKI domain named domain1.

[DeviceA] pki domain domain1

# Set the certificate request mode to auto and set the password to 123 for certificate revocation.

[DeviceA-pki-domain-domain1] certificate request mode auto password simple 123

# Set an MD5 fingerprint for verifying the validity of the CA root certificate.

[DeviceA-pki-domain-domain1] root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e

# Specify the trusted CA 8088.

[DeviceA-pki-domain-domain1] ca identifier 8088

# Specify the URL of the registration server for certificate request through the SCEP protocol. This example uses http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7.

[DeviceA-pki-domain-domain1] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7

# Specify the CA to accept certificate requests.

[DeviceA-pki-domain-domain1] certificate request from ca

# Specify the PKI entity for certificate request as entity1.

[DeviceA-pki-domain-domain1] certificate request entity entity1

# Specify RSA key pair rsa1 with the general purpose for certificate request.

[DeviceA-pki-domain-domain1] public-key rsa general name rsa1

[DeviceA-pki-domain-domain1] quit

# Create an IKEv2 profile named profile1.

[DeviceA] ikev2 profile profile1

# Specify the local authentication method as RSA signatures.

[DeviceA-ikev2-profile-profile1] authentication-method local rsa-signature

# Specify the remote authentication method as RSA signatures.

[DeviceA-ikev2-profile-profile1] authentication-method remote rsa-signature

# Specify PKI domain domain1 for the IKEv2 profile.

[DeviceA-ikev2-profile-profile1] certificate domain domain1

# Set the local ID to FQDN name www.routera.example.com.

[DeviceA-ikev2-profile-profile1] identity local fqdn www.routera.example.com

# Specify the peer ID that the IKEv2 profile matches. The peer ID is FQDN name www.example.com.

[DeviceA-ikev2-profile-profile1] match remote identity fqdn www.example.com

[DeviceA-ikev2-profile-profile1] quit

# Create an IKEv2 proposal named 10.

[DeviceA] ikev2 proposal 10

# Specify the integrity protection algorithm as HMAC-MD5.

[DeviceA-ikev2-proposal-10] integrity md5

# Specify the encryption algorithm as 3DES-CBC.

[DeviceA-ikev2-proposal-10] encryption 3des-cbc

# Specify the DH group as Group 1.

[DeviceA-ikev2-proposal-10] dh group1

# Specify the PRF algorithm as HMAC-MD5.

[DeviceA-ikev2-proposal-10] prf md5

[DeviceA-ikev2-proposal-10] quit

# Create an IKEv2 policy named 1.

[DeviceA] ikev2 policy 1

# Specify IKEv2 proposal 10 for the IKEv2 policy.

[DeviceA-ikev2-policy-1] proposal 10

[DeviceA-ikev2-policy-1] quit

# Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.

[DeviceA] ipsec policy map1 10 isakmp

# Specify remote IP address 2.2.2.2 for the IPsec tunnel.

[DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2

# Specify IPsec transform set tran1 for the IPsec policy.

[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1

# Specify ACL 3101 to identify the traffic to be protected.

[DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101

# Specify IKEv2 profile profile1 for the IPsec policy.

[DeviceA-ipsec-policy-isakmp-map1-10] ikev2-profile profile1

[DeviceA-ipsec-policy-isakmp-map1-10] quit

# Apply IPsec policy map1 to Ten-GigabitEthernet 3/0/1.

[DeviceA] interface ten-gigabitethernet 3/0/1

[DeviceA-Ten-GigabitEthernet3/0/1] ipsec apply policy map1

[DeviceA-Ten-GigabitEthernet3/0/1] quit

# Configure a static route to the subnet where Host B resides and a static route to Device B. This example uses 1.1.1.2 as the next hop IP address.

[DeviceA] ip route-static 10.1.2.0 255.255.255.0 1.1.1.2

[DeviceA] ip route-static 2.2.0.0 255.255.0.0 1.1.1.2

2.     Configure Device B:

# Assign IP addresses to interfaces according to the network diagram.

<Sysname> system-view

[Sysname] sysname DeviceB

[DeviceB] interface ten-gigabitethernet 3/0/1

[DeviceB-Ten-GigabitEthernet3/0/1] ip address 2.2.2.2 255.255.0.0

[DeviceB-Ten-GigabitEthernet3/0/1] quit

[DeviceB] interface ten-gigabitethernet 3/0/2

[DeviceB-Ten-GigabitEthernet3/0/2] ip address 10.1.2.1 255.255.255.0

[DeviceB-Ten-GigabitEthernet3/0/2] quit

# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.

[DeviceB] acl advanced 3101

[DeviceB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

[DeviceB-acl-ipv4-adv-3101] quit

# Create an IPsec transform set named tran1.

[DeviceB] ipsec transform-set tran1

# Set the packet encapsulation mode to tunnel.

[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Use the ESP protocol for the IPsec transform set.

[DeviceB-ipsec-transform-set-tran1] protocol esp

# Specify the encryption and authentication algorithms.

[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc

[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceB-ipsec-transform-set-tran1] quit

# Create a PKI entity named entity2.

[DeviceB] pki entity entity2

# Set the common name to routerb for the PKI entity.

[DeviceB-pki-entity-entity2] common-name routerb

[DeviceB-pki-entity-entity2] quit

# Create a PKI domain named domain2.

[DeviceB] pki domain domain2

# Set the certificate request mode to auto and set the password to 123 for certificate revocation.

[DeviceB-pki-domain-domain2] certificate request mode auto password simple 123

# Set an MD5 fingerprint for verifying the validity of the CA root certificate.

[DeviceB-pki-domain-domain2] root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e

# Specify the trusted CA 8088.

[DeviceB-pki-domain-domain2] ca identifier 8088

# Specify the URL of the registration server for certificate request through the SCEP protocol. This example uses http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7.

[DeviceB-pki-domain-domain2] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7

# Specify the CA to accept certificate requests.

[DeviceB-pki-domain-domain2] certificate request from ca

# Specify the PKI entity for certificate request as entity2.

[DeviceB-pki-domain-domain2] certificate request entity entity2

# Specify RSA key pair rsa1 with the general purpose for certificate request.

[DeviceB-pki-domain-domain2] public-key rsa general name rsa1

[DeviceB-pki-domain-domain2] quit

# Create an IKEv2 profile named profile2.

[DeviceB] ikev2 profile profile2

# Specify the local authentication method as RSA signatures.

[DeviceB-ikev2-profile-profile2] authentication-method local rsa-signature

# Specify the remote authentication method as RSA signatures.

[DeviceB-ikev2-profile-profile2] authentication-method remote rsa-signature

# Set the local identity to FQDN name www.example.com.

[DeviceB-ikev2-profile-profile2] identity local fqdn www.example.com

# Specify the peer ID that the IKEv2 profile matches. The peer ID is FQDN name www.routera.example.com.

[DeviceB-ikev2-profile-profile2] match remote identity fqdn www.routera.example.com

[DeviceB-ikev2-profile-profile2] quit

# Create an IKEv2 proposal named 10.

[DeviceB] ikev2 proposal 10

# Specify the integrity protection algorithm as HMAC-MD5.

[DeviceB-ikev2-proposal-10] integrity md5

# Specify the encryption algorithm as 3DES-CBC.

[DeviceB-ikev2-proposal-10] encryption 3des-cbc

# Specify the DH group as Group 1.

[DeviceB-ikev2-proposal-10] dh group1

# Specify the PRF algorithm as HMAC-MD5.

[DeviceB-ikev2-proposal-10] prf md5

[DeviceB-ikev2-proposal-10] quit

# Create an IKEv2 policy named 1.

[DeviceB] ikev2 policy 1

# Specify IKEv2 proposal 10 for the IKEv2 policy.

[DeviceB-ikev2-policy-1] proposal 10

[DeviceB-ikev2-policy-1] quit

# Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 1.

[DeviceB] ipsec policy use1 1 isakmp

# Specify the remote IP address 1.1.1.1 for the IPsec tunnel.

[DeviceB-ipsec-policy-isakmp-use1-1] remote-address 1.1.1.1

# Specify ACL 3101 to identify the traffic to be protected.

[DeviceB-ipsec-policy-isakmp-use1-1] security acl 3101

# Specify IPsec transform set tran1 for the IPsec policy.

[DeviceB-ipsec-policy-isakmp-use1-1] transform-set tran1

# Specify IKEv2 profile profile2 for the IPsec policy.

[DeviceB-ipsec-policy-isakmp-use1-1] ikev2-profile profile2

[DeviceB-ipsec-policy-isakmp-use1-1] quit

# Apply IPsec policy use1 to Ten-GigabitEthernet 3/0/1.

[DeviceB] interface ten-gigabitethernet 3/0/1

[DeviceB-Ten-GigabitEthernet3/0/1] ipsec apply policy use1

[DeviceB-Ten-GigabitEthernet3/0/1] quit

# Configure a static route to the subnet where Host A resides and a static route to Device A. This example uses 2.2.2.1 as the next hop IP address.

[DeviceB] ip route-static 10.1.1.0 255.255.255.0 2.2.2.1

[DeviceB] ip route-static 1.1.0.0 255.255.0.0 2.2.2.1

Verifying the configuration

# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKEv2 negotiation. After IPsec SAs are successfully negotiated by IKEv2, traffic between the two subnets is IPsec-protected.

# Display the IKEv2 proposal configuration on Device A and Device B.

[DeviceA] display ikev2 proposal 10

IKEv2 proposal : 10

  Encryption : 3DES-CBC

  Integrity : MD5

  PRF : MD5

  DH Group : MODP768/Group1

[DeviceB] display ikev2 proposal 10

IKEv2 proposal : 10

  Encryption : 3DES-CBC

  Integrity : MD5

  PRF : MD5

  DH Group : MODP768/Group1

# Display the IKEv2 policy configuration on Device A and Device B.

[DeviceA] display ikev2 policy 1

IKEv2 policy : 1

  Priority: 100

  Match Local : any

  Match VRF : public

  Proposal : 10

[DeviceB] display ikev2 policy 1

IKEv2 policy : 1

  Priority: 100

  Match Local : any

  Match VRF : public

  Proposal : 10

# Display the IKEv2 SA on Device A.

[DeviceA] display ikev2 sa

Tunnel ID   Local                       Remote                      Status

---------------------------------------------------------------------------

  1        1.1.1.1/500                  2.2.2.2/500                  EST

Status:

IN-NEGO: Negotiating, EST: Established, DEL:Deleting

# Display information about the CA certificate on Device A.

[DeviceA] display pki certificate domain domain1 ca

Certificate:

    Data:

        Version: 1 (0x0)

        Serial Number:

            b9:14:fb:25:c9:08:2c:9d:f6:94:20:30:37:4e:00:00

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=cn, O=rnd, OU=sec, CN=8088

        Validity

            Not Before: Sep  6 01:53:58 2012 GMT

            Not After : Sep  8 01:50:58 2015 GMT

        Subject: C=cn, O=rnd, OU=sec, CN=8088

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                    00:de:81:f4:42:c6:9f:c2:37:7b:21:84:57:d6:42:

                    00:69:1c:4c:34:a4:5e:bb:30:97:45:2b:5e:52:43:

                    c0:49:1f:e1:d8:0f:5c:48:c2:39:69:d1:84:e4:14:

                    70:3d:98:41:28:1c:20:a1:9a:3f:91:67:78:77:27:

                    d9:08:5f:7a:c4:36:45:8b:f9:7b:e7:7d:6a:98:bb:

                    4e:a1:cb:2c:3d:92:66:bd:fb:80:35:16:c6:35:f0:

                    ff:0b:b9:3c:f3:09:94:b7:d3:6f:50:8d:83:f1:66:

                    2f:91:0b:77:a5:98:22:b4:77:ac:84:1d:03:8e:33:

                    1b:31:03:78:4f:77:a0:db:af

                Exponent: 65537 (0x10001)

    Signature Algorithm: sha1WithRSAEncryption

        9a:6d:8c:46:d3:18:8a:00:ce:12:ee:2b:b0:aa:39:5d:3f:90:

        08:49:b9:a9:8f:0d:6e:7b:e1:00:fb:41:f5:d4:0c:e4:56:d8:

        7a:a7:61:1d:2b:b6:72:e3:09:0b:13:9d:fa:c8:fc:c4:65:a7:

        f9:45:21:05:75:2c:bf:36:7b:48:b4:4a:b9:fe:87:b9:d8:cf:

        55:16:87:ec:07:1d:55:5a:89:74:73:68:5e:f9:1d:30:55:d9:

        8a:8f:c5:d4:20:7e:41:a9:37:57:ed:8e:83:a7:80:2f:b8:31:

        57:3a:f2:1a:28:32:ea:ea:c5:9a:55:61:6a:bc:e5:6b:59:0d:

        82:16

# Display the local certificate on Device A.

[DeviceA] display pki certificate domain domain1 local

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            a1:f4:d4:fd:cc:54:c3:07:c4:9e:15:2d:5f:64:57:77

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=cn, O=rnd, OU=sec, CN=8088

        Validity

            Not Before: Sep 26 02:06:43 2012 GMT

            Not After : Sep 26 02:06:43 2013 GMT

        Subject: CN=devicea

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                    00:b0:a1:cd:24:6e:1a:1d:51:79:f0:2a:3e:9f:e9:

                    84:07:16:78:49:1b:7d:0b:22:f0:0a:ed:75:91:a4:

                    17:fd:c7:ef:d0:66:5c:aa:e3:2a:d9:71:12:e4:c6:

                    25:77:f0:1d:97:bb:92:a8:bd:66:f8:f8:e8:d5:0d:

                    d2:c8:01:dd:ea:e6:e0:80:ad:db:9d:c8:d9:5f:03:

                    2d:22:07:e3:ed:cc:88:1e:3f:0c:5e:b3:d8:0e:2d:

                    ea:d6:c6:47:23:6a:11:ef:3c:0f:6b:61:f0:ca:a1:

                    79:a0:b1:02:1a:ae:8c:c9:44:e0:cf:d1:30:de:4c:

                    f0:e5:62:e7:d0:81:5d:de:d3

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 CRL Distribution Points:

 

                Full Name:

                  URI:http://xx.rsa.com:447/8088.crl

 

    Signature Algorithm: sha1WithRSAEncryption

        73:ac:66:f9:b8:b5:39:e1:6a:17:e4:d0:72:3e:26:9e:12:61:

        9e:c9:7a:86:6f:27:b0:b9:a3:5d:02:d9:5a:cb:79:0a:12:2e:

        cb:e7:24:57:e6:d9:77:12:6b:7a:cf:ee:d6:17:c5:5f:d2:98:

        30:e0:ef:00:39:4a:da:ff:1c:29:bb:2a:5b:60:e9:33:8f:78:

        f9:15:dc:a5:a3:09:66:32:ce:36:cd:f0:fe:2f:67:e5:72:e5:

        21:62:85:c4:07:92:c8:f1:d3:13:9c:2e:42:c1:5f:0e:8f:ff:

        65:fb:de:7c:ed:53:ab:14:7a:cf:69:f2:42:a4:44:7c:6e:90:

        7e:cd

# Display the IPsec SAs on Device A.

[DeviceA] display ipsec sa

-------------------------------

Interface: Ten-GigabitEthernet3/0/1

-------------------------------

 

  -----------------------------

  IPsec policy: map1

  Sequence number: 10

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Path MTU: 1456

    Transmitting entity: Initiator

    Tunnel:

        local  address: 1.1.1.1

        remote address: 2.2.2.2

    Flow:

        sour addr: 10.1.1.0/255.255.255.0  port: 0  protocol: ip

        dest addr: 10.1.2.0/255.255.255.0  port: 0  protocol: ip

 

    [Inbound ESP SAs]

      SPI: 3264152513 (0xc28f03c1)

      Connection ID: 141733920771

      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843200/3484

      Max received sequence-number:

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: N

      Status: Active

 

    [Outbound ESP SAs]

      SPI: 738451674 (0x2c03e0da)

      Connection ID: 141733920770

      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843200/3484

      Max sent sequence-number:

      UDP encapsulation used for NAT traversal: N

      Status: Active

# Display the information about the CA certificate, local certificate, IKEv2 SA, and IPsec SA on Device B.

[DeviceB] display ikev2 sa

[DeviceB] display pki certificate domain domain2 ca

[DeviceB] display pki certificate domain domain2 local

[DeviceB] display ipsec sa
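The verification steps in both examples above end with `display ikev2 proposal` and `display ipsec sa` output that a reviewer has to read by eye. As an added example, not part of the H3C guide, the following Python helper parses that output (the sample strings are copied from Device A above) and reports what a security review would query: DES-CBC/3DES-CBC, MD5, DH groups below 2048 bits, SAs that are not Active, inbound SAs with anti-replay disabled, and SAs close to the end of their lifetime. The weak-algorithm sets and the 10% lifetime threshold are this example's own assumptions, and the parser also handles the multi-algorithm default proposal from the first example.

```python
import re

# Algorithm names as the display commands print them. Treating these as weak is
# this example's own review policy (an assumption), not a device setting.
WEAK_ENCRYPTION = {"DES-CBC", "3DES-CBC"}              # 64-bit block ciphers
WEAK_INTEGRITY = {"MD5"}
WEAK_DH_GROUPS = {"MODP768/Group1", "MODP1024/Group2"}  # below 2048-bit MODP
LIFETIME_WARN_FRACTION = 0.10                          # assumed threshold

# Sample output copied from the verification steps on Device A above.
PROPOSAL_10_OUTPUT = """\
IKEv2 proposal : 10
  Encryption : 3DES-CBC
  Integrity : MD5
  PRF : MD5
  DH Group : MODP768/Group1
"""
IPSEC_SA_OUTPUT = """\
    [Inbound ESP SAs]
      SPI: 3264152513 (0xc28f03c1)
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843200/3484
      Anti-replay check enable: Y
      Status: Active
    [Outbound ESP SAs]
      SPI: 738451674 (0x2c03e0da)
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843200/3484
      Status: Active
"""

def parse_ikev2_proposal(text):
    """Return {field: [algorithms]}; the default proposal lists several per field."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Encryption|Integrity|PRF|DH Group)\s*:\s*(.*)", line)
        if m:
            fields[m.group(1)] = m.group(2).split()
    return fields

def audit_ikev2_proposal(text):
    """Flag IKE SA parameters in one 'display ikev2 proposal' block."""
    p, findings = parse_ikev2_proposal(text), []
    for alg in p.get("Encryption", []):
        if alg in WEAK_ENCRYPTION:
            findings.append(f"IKEv2 encryption {alg} is a 64-bit block cipher")
    for field in ("Integrity", "PRF"):
        for alg in p.get(field, []):
            if alg in WEAK_INTEGRITY:
                findings.append(f"IKEv2 {field} uses {alg}")
    for group in p.get("DH Group", []):
        if group in WEAK_DH_GROUPS:
            findings.append(f"IKEv2 DH group {group} is below 2048-bit MODP")
    return findings

def parse_ipsec_sas(text):
    """Return one dict per [Inbound/Outbound ... SAs] block; earlier lines are ignored."""
    sas, current = [], None
    for line in text.splitlines():
        header = re.match(r"\s*\[(Inbound|Outbound) (\w+) SAs\]", line)
        if header:
            current = {"direction": header.group(1), "protocol": header.group(2)}
            sas.append(current)
            continue
        kv = re.match(r"\s*([^:]+?)\s*:\s*(.*)$", line)
        if current is not None and kv:
            current[kv.group(1)] = kv.group(2).strip()
    return sas

def remaining_lifetime_fraction(sa):
    """Seconds remaining / configured seconds, or None if either field is absent."""
    total = sa.get("SA duration (kilobytes/sec)")
    left = sa.get("SA remaining duration (kilobytes/sec)")
    if not total or not left:
        return None
    return int(left.split("/")[1]) / int(total.split("/")[1])

def audit_ipsec_sas(text):
    """Flag weak transforms, inactive SAs, disabled anti-replay and near-expiry SAs."""
    findings = []
    for sa in parse_ipsec_sas(text):
        tag = f"{sa['direction']} {sa['protocol']} SA SPI {sa.get('SPI', '?').split()[0]}"
        for transform in sa.get("Transform set", "").split():
            parts = transform.split("-", 2)       # ESP-ENCRYPT-DES-CBC, ESP-AUTH-SHA1
            if len(parts) < 3:
                continue
            kind, alg = parts[1], parts[2]
            if kind == "ENCRYPT" and alg in WEAK_ENCRYPTION:
                findings.append(f"{tag}: encryption {alg} is a 64-bit block cipher")
            if kind == "AUTH" and alg in WEAK_INTEGRITY:
                findings.append(f"{tag}: authentication uses {alg}")
        if sa.get("Status") != "Active":
            findings.append(f"{tag}: status is {sa.get('Status', 'unknown')}")
        if sa["direction"] == "Inbound" and sa.get("Anti-replay check enable") != "Y":
            findings.append(f"{tag}: anti-replay check is disabled")
        fraction = remaining_lifetime_fraction(sa)
        if fraction is not None and fraction < LIFETIME_WARN_FRACTION:
            findings.append(f"{tag}: only {fraction:.0%} of the SA lifetime remains")
    return findings
```

Feed it the full `display ipsec sa` output of a device; lines before the first SA block (tunnel and flow details) are skipped, and each ESP or AH SA is checked separately.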

Configuration files

Device A

#

sysname DeviceA

#

interface ten-gigabitethernet 3/0/1

ip address 1.1.1.1 255.255.0.0

#

interface ten-gigabitethernet 3/0/2

ip address 10.1.1.1 255.255.255.0

#

acl advanced 3101

rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

#

ipsec transform-set tran1

encapsulation-mode tunnel

protocol esp

esp encryption-algorithm des-cbc

esp authentication-algorithm sha1

#

pki entity entity1

common-name routera

#

pki domain domain1

certificate request mode auto password simple 123

root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e

ca identifier 8088

certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7

certificate request from ca

certificate request entity entity1

public-key rsa general name rsa1

#

ikev2 profile profile1

authentication-method local rsa-signature

authentication-method remote rsa-signature

certificate domain domain1

identity local fqdn www.routera.example.com

match remote identity fqdn www.example.com

#

ikev2 proposal 10

integrity md5

encryption 3des-cbc

dh group1

prf md5

#

ikev2 policy 1

proposal 10

#

ipsec policy map1 10 isakmp

remote-address 2.2.2.2

transform-set tran1

security acl 3101

ikev2-profile profile1

#

interface ten-gigabitethernet 3/0/1

ipsec apply policy map1

#

ip route-static 10.1.2.0 255.255.255.0 1.1.1.2

ip route-static 2.2.0.0 255.255.0.0 1.1.1.2

#

Device B

#

sysname DeviceB

#

interface ten-gigabitethernet 3/0/1

ip address 2.2.2.2 255.255.0.0

#

interface ten-gigabitethernet 3/0/2

ip address 10.1.2.1 255.255.255.0

#

acl advanced 3101

rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

#

ipsec transform-set tran1

encapsulation-mode tunnel

protocol esp

esp encryption-algorithm des-cbc

esp authentication-algorithm sha1

#

pki entity entity2

common-name routerb

#

pki domain domain2

certificate request mode auto password simple 123

root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e

ca identifier 8088

certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7

certificate request from ca

certificate request entity entity2

public-key rsa general name rsa1

#

ikev2 profile profile2

authentication-method local rsa-signature

authentication-method remote rsa-signature

identity local fqdn www.example.com

match remote identity fqdn www.routera.example.com

#

ikev2 proposal 10

integrity md5

encryption 3des-cbc

dh group1

prf md5

#

ikev2 policy 1

proposal 10

#

ipsec policy-template template1 1

remote-address 1.1.1.1

security acl 3101

transform-set tran1

ikev2-profile profile2

#

ipsec policy use1 1 isakmp template template1

#

interface ten-gigabitethernet 3/0/1

ipsec apply policy use1

#

ip route-static 10.1.1.0 255.255.255.0 2.2.2.1

ip route-static 1.1.0.0 255.255.0.0 2.2.2.1

#

IPsec over ADVPN configuration examples

Example: Configuring IPv4 full-mesh ADVPN

Network configuration

As shown in Figure 11, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients. The two hubs back up each other, and perform data forwarding and route exchange.

·     Establish a permanent ADVPN tunnel between each spoke and each hub.

·     Establish a temporary ADVPN tunnel dynamically between the two spokes in the same ADVPN domain.

Figure 11 Network diagram

 

Table 11 Interface label and interface name mappings

Interface label    Interface name
Interface1         Ten-GigabitEthernet3/0/1
Interface2         Ten-GigabitEthernet3/0/2

 

Table 12 Interface and IP address assignment

Device            Interface   IP address
Hub 1             XGE3/0/1    1.0.0.1/24
                  Tunnel1     192.168.0.1/24
Hub 2             XGE3/0/1    1.0.0.2/24
                  Tunnel1     192.168.0.2/24
AAA server                    1.0.0.10/24
Primary server    XGE3/0/1    1.0.0.11/24
Secondary server  XGE3/0/1    1.0.0.12/24
Spoke 1           XGE3/0/1    1.0.0.3/24
                  XGE3/0/2    192.168.1.1/24
                  Tunnel1     192.168.0.3/24
Spoke 2           XGE3/0/1    1.0.0.4/24
                  XGE3/0/2    192.168.2.1/24
                  Tunnel1     192.168.0.4/24

Configuring the primary VAM server

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure AAA:

# Configure RADIUS scheme abc.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812

[PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for ISP domain abc.

[PrimaryServer] domain name abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

3.     Configure the VAM server:

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify hub private IPv4 addresses.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

# Specify a spoke private IPv4 network.

[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Set the preshared key to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Set the authentication mode to CHAP.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Hub1.

<Hub1> system-view

[Hub1] vam client name Hub1

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1] advpn-domain abc

# Set the preshared key to 123456.

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set both the username and password to hub1.

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.

[Hub1-vam-client-Hub1] server primary ip-address 1.0.0.11

[Hub1-vam-client-Hub1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub1-vam-client-Hub1] client enable

[Hub1-vam-client-Hub1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode tunnel

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm md5

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] service slot 2

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

4.     Configure static routes.

[Hub1] ip route-static 192.168.1.0 24 192.168.0.3

[Hub1] ip route-static 192.168.2.0 24 192.168.0.4

5.     Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel 1.

[Hub1] interface tunnel1 mode advpn gre

[Hub1-Tunnel1] ip address 192.168.0.1 255.255.255.0

[Hub1-Tunnel1] vam client Hub1

[Hub1-Tunnel1] service slot 2

[Hub1-Tunnel1] source ten-gigabitethernet 3/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] quit
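The IPsec profile step above (step 3 for Hub 1, repeated unchanged on Hub 2, Spoke 1 and Spoke 2 in these examples) selects HMAC-MD5 for ESP integrity, types both the VAM and the IKE preshared key with the `simple` keyword, and binds one IKE PSK to any peer address. The following Python script is an added example, not part of this guide or of Comware: it reads a CLI transcript in the guide's `[view] command` form and reports those settings, with a constructed hardened transcript alongside for comparison (its `cipher` values are placeholders, not real ciphertext).

```python
import re
from typing import Dict, List, Tuple

# Constructed transcript modelled on the Hub 1 steps in this example (not copied from the guide).
AS_CONFIGURED = """\
<Hub1> system-view
[Hub1] vam client name Hub1
[Hub1-vam-client-Hub1] advpn-domain abc
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
[Hub1-vam-client-Hub1] quit
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode tunnel
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm md5
[Hub1-ipsec-transform-set-abc] quit
"""

# Constructed hardened variant for comparison. The cipher values are placeholders, not real
# Comware ciphertext. The wildcard peer address stays: ADVPN spokes negotiate IKE from
# addresses the hub does not know in advance, so that finding is informational.
HARDENED = """\
[Hub1-vam-client-Hub1] pre-shared-key cipher CIPHERTEXT_PLACEHOLDER_VAM
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key cipher CIPHERTEXT_PLACEHOLDER_IKE
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha256
"""

PROMPT = re.compile(r"^\[([^\]]+)\]\s*(.*)$")

# ESP integrity algorithms that RFC 8221 marks MUST NOT.
WEAK_ESP_AUTH = {"md5"}


def parse_transcript(text: str) -> List[Tuple[str, str]]:
    """Turn '[view] command' lines into (view, command) pairs; skip user-view prompts, comments and quits."""
    pairs = []
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m and m.group(2) and m.group(2) != "quit":
            pairs.append((m.group(1), m.group(2)))
    return pairs


def audit_transcript(text: str) -> List[str]:
    """Report the settings a reviewer would question in an ADVPN IPsec profile."""
    findings: List[str] = []
    secrets: Dict[str, str] = {}  # role -> key value, to spot one secret doing two jobs
    for view, cmd in parse_transcript(text):
        w = cmd.split()
        if "-ipsec-transform-set-" in view and len(w) > 2 and w[:2] == ["esp", "authentication-algorithm"]:
            if w[2].lower() in WEAK_ESP_AUTH:
                findings.append(f"{view}: ESP integrity '{w[2]}' is MUST NOT in RFC 8221; "
                                "use a SHA-2 HMAC or an AEAD suite")
        elif "-ike-keychain-" in view and w[0] == "pre-shared-key":
            if "simple" in w:
                findings.append(f"{view}: IKE PSK typed with 'simple', so it is readable in this transcript")
            if w[1:3] == ["address", "0.0.0.0"] or w[1:4] == ["address", "ipv6", "::"]:
                findings.append(f"{view}: one IKE PSK is accepted from any peer address; "
                                "every node in the ADVPN domain shares it")
            secrets["ike"] = w[-1]
        elif "-vam-client-" in view and w[0] == "pre-shared-key":
            if "simple" in w:
                findings.append(f"{view}: VAM PSK typed with 'simple', so it is readable in this transcript")
            secrets["vam"] = w[-1]
    if "ike" in secrets and "vam" in secrets and secrets["ike"] == secrets["vam"]:
        findings.append("the same secret authenticates VAM registration and IKE; use two different keys")
    return findings


if __name__ == "__main__":
    for label, text in (("as configured", AS_CONFIGURED), ("hardened", HARDENED)):
        result = audit_transcript(text)
        print(f"--- {label}: {len(result)} finding(s)")
        for f in result:
            print("  " + f)
```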

Configuring Hub 2

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Hub2.

<Hub2> system-view

[Hub2] vam client name Hub2

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2] advpn-domain abc

# Set the preshared key to 123456.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2] server primary ip-address 1.0.0.11

[Hub2-vam-client-Hub2] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub2-vam-client-Hub2] client enable

[Hub2-vam-client-Hub2] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode tunnel

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm md5

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] service slot 2

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

4.     Configure static routes.

[Hub2] ip route-static 192.168.1.0 24 192.168.0.3

[Hub2] ip route-static 192.168.2.0 24 192.168.0.4

5.     Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel 1.

[Hub2] interface tunnel 1 mode advpn gre

[Hub2-Tunnel1] ip address 192.168.0.2 255.255.255.0

[Hub2-Tunnel1] vam client Hub2

[Hub2-Tunnel1] service slot 2

[Hub2-Tunnel1] source ten-gigabitethernet 3/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] quit

Configuring Spoke 1

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Specify ADVPN domain abc for the VAM client.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the preshared key to 123456.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set both the username and password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the primary and secondary VAM servers.

[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11

[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] service slot 2

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

4.     Configure a static route.

[Spoke1] ip route-static 192.168.2.0 24 192.168.0.4

5.     Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel 1.

[Spoke1] interface tunnel1 mode advpn gre

[Spoke1-Tunnel1] ip address 192.168.0.3 255.255.255.0

[Spoke1-Tunnel1] vam client Spoke1

[Spoke1-Tunnel1] service slot 2

[Spoke1-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

Configuring Spoke 2

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Specify ADVPN domain abc for the VAM client.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the preshared key to 123456.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set both the username and password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the primary and secondary VAM servers.

[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11

[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] service slot 2

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

4.     Configure a static route.

[Spoke2] ip route-static 192.168.1.0 24 192.168.0.3

5.     Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel 1.

[Spoke2] interface tunnel1 mode advpn gre

[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0

[Spoke2-Tunnel1] vam client Spoke2

[Spoke2-Tunnel1] service slot 2

[Spoke2-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit

Verifying the configuration

# Display IPv4 address mapping information for all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S

0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S

0          192.168.0.3      1.0.0.3                     Spoke  No   0H 28M 25S

0          192.168.0.4      1.0.0.4                     Spoke  No   0H 19M 15S

# Display IPv4 address mapping information for all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S

0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S

0          192.168.0.3      1.0.0.3                     Spoke  No   0H 28M 25S

0          192.168.0.4      1.0.0.4                     Spoke  No   0H 19M 15S

The output shows that Hub 1, Hub 2, Spoke 1, and Spoke 2 have all registered their address mapping information with the VAM servers.

# Display IPv4 ADVPN tunnel information on Hubs. This example uses Hub 1.

[Hub1] display advpn session

Interface         : Tunnel1

Number of sessions: 3

Private address  Public address              Port  Type  State      Holding time

192.168.0.2      1.0.0.2                     --    H-H   Success    0H 46M  8S

192.168.0.3      1.0.0.3                     --    H-S   Success    0H 27M 27S

192.168.0.4      1.0.0.4                     --    H-S   Success    0H 18M 18S

The output shows that Hub 1 has established a permanent tunnel to Hub 2, Spoke 1, and Spoke 2.

# Display IPv4 ADVPN tunnel information on Spokes. This example uses Spoke 1.

[Spoke1] display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address  Public address              Port  Type  State      Holding time

192.168.0.1      1.0.0.1                     --    S-H   Success    0H 46M  8S

192.168.0.2      1.0.0.2                     --    S-H   Success    0H 46M  8S

The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

# Verify that Spoke 1 can ping the private address 192.168.0.4 of Spoke 2.

[Spoke1] ping 192.168.0.4

Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break

56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms

56 bytes from 192.168.0.4: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=4 ttl=255 time=1.000 ms

 

--- Ping statistics for 192.168.0.4 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms

# Display IPv4 ADVPN tunnel information on Spokes. This example uses Spoke 1.

[Spoke1] display advpn session

Interface         : Tunnel1

Number of sessions: 3

Private address  Public address              Port  Type  State      Holding time

192.168.0.1      1.0.0.1                     --    S-H   Success    0H 46M  8S

192.168.0.2      1.0.0.2                     --    S-H   Success    0H 46M  8S

192.168.0.4      1.0.0.4                     --    S-S   Success    0H  0M  1S

The output shows the following information:

·     Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

·     Spoke 1 has established a temporary spoke-spoke tunnel to Spoke 2.

Example: Configuring IPv6 full-mesh ADVPN

Network configuration

As shown in Figure 12, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients. The two hubs back up each other, and perform data forwarding and route exchange.

·     Establish a permanent ADVPN tunnel between each spoke and each hub.

·     Establish a temporary ADVPN tunnel dynamically between the two spokes in the same ADVPN domain.

Figure 12 Network diagram

 

Table 13 Interface label and interface name mappings

Interface label    Interface name
Interface1         Ten-GigabitEthernet3/0/1
Interface2         Ten-GigabitEthernet3/0/2

Table 14 Interface and IP address assignment

Device            Interface   IP address
Hub 1             XGE3/0/1    1::1/64
                  Tunnel1     192:168::1/64
Hub 2             XGE3/0/1    1::2/64
                  Tunnel1     192:168::2/64
AAA server                    1::10/64
Primary server    XGE3/0/1    1::11/64
Secondary server  XGE3/0/1    1::12/64
Spoke 1           XGE3/0/1    1::3/64
                  XGE3/0/2    192:168:1::1/64
                  Tunnel1     192:168::3/64
Spoke 2           XGE3/0/1    1::4/64
                  XGE3/0/2    192:168:2::1/64
                  Tunnel1     192:168::4/64

Configuring the primary VAM server

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure AAA:

# Configure RADIUS scheme abc.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication ipv6 1::10 1812

[PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for ISP domain abc.

[PrimaryServer] domain name abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

3.     Configure the VAM server:

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify hub private IPv6 addresses.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2

# Specify a spoke private IPv6 network.

[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke ipv6 private-address network 192:168::0 64

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Set the preshared key to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Set the authentication mode to CHAP.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Hub1.

<Hub1> system-view

[Hub1] vam client name Hub1

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1] advpn-domain abc

# Set the preshared key to 123456.

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set both the username and password to hub1.

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.

[Hub1-vam-client-Hub1] server primary ipv6-address 1::11

[Hub1-vam-client-Hub1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub1-vam-client-Hub1] client enable

[Hub1-vam-client-Hub1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode tunnel

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm md5

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] service slot 2

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Hub1] ospfv3 1

[Hub1-ospfv3-1] router-id 0.0.0.1

[Hub1-ospfv3-1] area 0

[Hub1-ospfv3-1-area-0.0.0.0] quit

[Hub1-ospfv3-1] quit

5.     Configure GRE-mode IPv6 ADVPN tunnel interface Tunnel 1.

[Hub1] interface tunnel1 mode advpn gre ipv6

[Hub1-Tunnel1] ipv6 address 192:168::1 64

[Hub1-Tunnel1] ipv6 address fe80::1 link-local

[Hub1-Tunnel1] vam ipv6 client Hub1

[Hub1-Tunnel1] service slot 2

[Hub1-Tunnel1] ospfv3 1 area 0

[Hub1-Tunnel1] ospfv3 network-type broadcast

[Hub1-Tunnel1] source ten-gigabitethernet 3/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] quit

Configuring Hub 2

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Hub2.

<Hub2> system-view

[Hub2] vam client name Hub2

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2] advpn-domain abc

# Set the preshared key to 123456.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2] server primary ipv6-address 1::11

[Hub2-vam-client-Hub2] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub2-vam-client-Hub2] client enable

[Hub2-vam-client-Hub2] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode tunnel

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm md5

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] service slot 2

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Hub2] ospfv3 1

[Hub2-ospfv3-1] router-id 0.0.0.2

[Hub2-ospfv3-1] area 0

[Hub2-ospfv3-1-area-0.0.0.0] quit

[Hub2-ospfv3-1] quit

5.     Configure GRE-mode IPv6 ADVPN tunnel interface Tunnel 1.

[Hub2] interface tunnel1 mode advpn gre ipv6

[Hub2-Tunnel1] ipv6 address 192:168::2 64

[Hub2-Tunnel1] ipv6 address fe80::2 link-local

[Hub2-Tunnel1] vam ipv6 client Hub2

[Hub2-Tunnel1] service slot 2

[Hub2-Tunnel1] ospfv3 1 area 0

[Hub2-Tunnel1] ospfv3 network-type broadcast

[Hub2-Tunnel1] source ten-gigabitethernet 3/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] quit

Configuring Spoke 1

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Specify ADVPN domain abc for the VAM client.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the preshared key to 123456.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set both the username and password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the primary and secondary VAM servers.

[Spoke1-vam-client-Spoke1] server primary ipv6-address 1::11

[Spoke1-vam-client-Spoke1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] service slot 2

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Spoke1] ospfv3 1

[Spoke1-ospfv3-1] router-id 0.0.0.3

[Spoke1-ospfv3-1] area 0

[Spoke1-ospfv3-1-area-0.0.0.0] quit

[Spoke1-ospfv3-1] quit

5.     Configure GRE-mode IPv6 ADVPN tunnel interface Tunnel 1. Set its DR priority to 0 to prevent Spoke 1 from participating in DR/BDR election.

[Spoke1] interface tunnel1 mode advpn gre ipv6

[Spoke1-Tunnel1] ipv6 address 192:168::3 64

[Spoke1-Tunnel1] ipv6 address fe80::3 link-local

[Spoke1-Tunnel1] vam ipv6 client Spoke1

[Spoke1-Tunnel1] service slot 2

[Spoke1-Tunnel1] ospfv3 1 area 0

[Spoke1-Tunnel1] ospfv3 network-type broadcast

[Spoke1-Tunnel1] ospfv3 dr-priority 0

[Spoke1-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

Configuring Spoke 2

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Specify ADVPN domain abc for the VAM client.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the preshared key to 123456.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set both the username and password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the primary and secondary VAM servers.

[Spoke2-vam-client-Spoke2] server primary ipv6-address 1::11

[Spoke2-vam-client-Spoke2] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] service slot 2

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Spoke2] ospfv3 1

[Spoke2-ospfv3-1] router-id 0.0.0.4

[Spoke2-ospfv3-1] area 0

[Spoke2-ospfv3-1-area-0.0.0.0] quit

[Spoke2-ospfv3-1] quit

5.     Configure GRE-mode IPv6 ADVPN tunnel interface Tunnel 1. Set its DR priority to 0 to prevent Spoke 2 from participating in DR/BDR election.

[Spoke2] interface tunnel1 mode advpn gre ipv6

[Spoke2-Tunnel1] ipv6 address 192:168::4 64

[Spoke2-Tunnel1] ipv6 address fe80::4 link-local

[Spoke2-Tunnel1] vam ipv6 client Spoke2

[Spoke2-Tunnel1] service slot 2

[Spoke2-Tunnel1] ospfv3 1 area 0

[Spoke2-Tunnel1] ospfv3 network-type broadcast

[Spoke2-Tunnel1] ospfv3 dr-priority 0

[Spoke2-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit

Verifying the configuration

# Display IPv6 address mapping information for all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server ipv6 address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address       Public address         Type   NAT  Holding time

0          192:168::1            1::1                   Hub    No   0H 52M  7S

0          192:168::2            1::2                   Hub    No   0H 47M 31S

0          192:168::3            1::3                   Spoke  No   0H 28M 25S

0          192:168::4            1::4                   Spoke  No   0H 19M 15S

# Display IPv6 address mapping information for all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server ipv6 address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address       Public address         Type   NAT  Holding time

0          192:168::1            1::1                   Hub    No   0H 52M  7S

0          192:168::2            1::2                   Hub    No   0H 47M 31S

0          192:168::3            1::3                   Spoke  No   0H 28M 25S

0          192:168::4            1::4                   Spoke  No   0H 19M 15S

The output shows that Hub 1, Hub 2, Spoke 1, and Spoke 2 have all registered their address mapping information with the VAM servers.

# Display IPv6 ADVPN tunnel information on Hubs. This example uses Hub 1.

[Hub1] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 3

Private address       Public address        Port  Type  State      Holding time

192:168::2            1::2                  --    H-H   Success    0H 46M  8S

192:168::3            1::3                  --    H-S   Success    0H 27M 27S

192:168::4            1::4                  --    H-S   Success    0H 18M 18S

The output shows that Hub 1 has established a permanent tunnel to Hub 2, Spoke 1, and Spoke 2.

# Display IPv6 ADVPN tunnel information on Spoke 1.

[Spoke1] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 2

Private address       Public address        Port  Type  State      Holding time

192:168::1            1::1                  --    S-H   Success    0H 46M  8S

192:168::2            1::2                  --    S-H   Success    0H 46M  8S

The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

# Verify that Spoke 1 can ping the private address 192:168::4 of Spoke 2.

[Spoke1] ping ipv6 192:168::4

Ping6(56 data bytes) 192:168::4 --> 192:168::4, press CTRL_C to break

56 bytes from 192:168::4, icmp_seq=0 hlim=64 time=3.000 ms

56 bytes from 192:168::4, icmp_seq=1 hlim=64 time=0.000 ms

56 bytes from 192:168::4, icmp_seq=2 hlim=64 time=1.000 ms

56 bytes from 192:168::4, icmp_seq=3 hlim=64 time=1.000 ms

56 bytes from 192:168::4, icmp_seq=4 hlim=64 time=1.000 ms

 

--- Ping6 statistics for 192:168::4 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms

# Display IPv6 ADVPN tunnel information on Spokes. This example uses Spoke 1.

[Spoke1] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 3

Private address       Public address        Port  Type  State      Holding time

192:168::1            1::1                  --    S-H   Success    0H 46M  8S

192:168::2            1::2                  --    S-H   Success    0H 46M  8S

192:168::4            1::4                  --    S-S   Success    0H  0M  1S

The output shows the following information:

·     Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

·     Spoke 1 has established a temporary spoke-spoke tunnel to Spoke 2.
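The verification steps of the IPv4 and IPv6 examples above read `display vam server address-map` and `display advpn session` by eye. The following Python script is an added example, not part of this guide or of Comware: it parses both output layouts (IPv4 and IPv6 addresses alike) into records and compares them with the planned topology, namely the two hub private addresses configured on the VAM server and a permanent S-H session from each spoke to every hub. The sample output is constructed after the layouts shown in this example.

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed sample output, laid out like the display commands in these examples
# (IPv4 address map as seen on the VAM server, IPv6 session table as seen on Spoke 1).
ADDRESS_MAP_V4 = """\
ADVPN domain name: abc
Total private address mappings: 4
Group      Private address  Public address              Type   NAT  Holding time
0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S
0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S
0          192.168.0.3      1.0.0.3                     Spoke  No   0H 28M 25S
0          192.168.0.4      1.0.0.4                     Spoke  No   0H 19M 15S
"""

SESSIONS_SPOKE1_V6 = """\
Interface         : Tunnel1
Number of sessions: 3
Private address       Public address        Port  Type  State      Holding time
192:168::1            1::1                  --    S-H   Success    0H 46M  8S
192:168::2            1::2                  --    S-H   Success    0H 46M  8S
192:168::4            1::4                  --    S-S   Success    0H  0M  1S
"""

SESSION_KINDS = {"H-H", "H-S", "S-H", "S-S"}


def holding_seconds(fields: List[str]) -> int:
    """Convert the 'xH yM zS' holding-time columns to seconds."""
    scale = {"H": 3600, "M": 60, "S": 1}
    return sum(int(f[:-1]) * scale[f[-1]] for f in fields)


@dataclass(frozen=True)
class Mapping:
    group: str
    private: str
    public: str
    kind: str        # "Hub" or "Spoke"
    nat: bool
    holding: int     # seconds


@dataclass(frozen=True)
class Session:
    private: str
    public: str
    kind: str        # H-H, H-S, S-H or S-S
    state: str
    holding: int     # seconds


def parse_address_map(text: str) -> List[Mapping]:
    rows = []
    for line in text.splitlines():
        w = line.split()
        # Data rows begin with the numeric hub-group id; header lines do not.
        if len(w) < 6 or not w[0].isdigit():
            continue
        rows.append(Mapping(w[0], w[1], w[2], w[3], w[4] == "Yes", holding_seconds(w[5:])))
    return rows


def parse_sessions(text: str) -> List[Session]:
    rows = []
    for line in text.splitlines():
        w = line.split()
        # The fourth column of a data row is the session type; the Port column is "--" here.
        if len(w) < 6 or w[3] not in SESSION_KINDS:
            continue
        rows.append(Session(w[0], w[1], w[3], w[4], holding_seconds(w[5:])))
    return rows


def check_address_map(maps: List[Mapping], hubs: Set[str], spokes: Set[str]) -> List[str]:
    """Compare the VAM server's view with the planned hub group; an empty result means it matches."""
    findings = []
    seen_hubs = {m.private for m in maps if m.kind == "Hub"}
    seen_spokes = {m.private for m in maps if m.kind == "Spoke"}
    findings += [f"hub {h} has not registered" for h in sorted(hubs - seen_hubs)]
    findings += [f"spoke {s} has not registered" for s in sorted(spokes - seen_spokes)]
    # A hub the plan does not list matters: hubs relay traffic for every spoke in the group.
    findings += [f"unplanned hub registration {h}" for h in sorted(seen_hubs - hubs)]
    return findings


def check_spoke_sessions(sessions: List[Session], hubs: Set[str]) -> List[str]:
    """A spoke must hold a Success S-H session to every hub; S-S sessions are on demand only."""
    findings = []
    up = {s.private for s in sessions if s.kind == "S-H" and s.state == "Success"}
    findings += [f"no permanent spoke-hub tunnel to {h}" for h in sorted(hubs - up)]
    findings += [f"{s.kind} session to {s.private} is in state {s.state}"
                 for s in sessions if s.state != "Success"]
    return findings


if __name__ == "__main__":
    v4_hubs, v4_spokes = {"192.168.0.1", "192.168.0.2"}, {"192.168.0.3", "192.168.0.4"}
    print("address map:", check_address_map(parse_address_map(ADDRESS_MAP_V4), v4_hubs, v4_spokes) or "ok")
    print("spoke 1:", check_spoke_sessions(parse_sessions(SESSIONS_SPOKE1_V6), {"192:168::1", "192:168::2"}) or "ok")
```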

Example: Configuring IPv4 hub-spoke ADVPN

Network configuration

As shown in Figure 13, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients. The two hubs back up each other, and perform data forwarding and route exchange.

Establish a permanent ADVPN tunnel between each spoke and each hub.

Figure 13 Network diagram

 

Table 15 Interface label and interface name mappings

Interface label    Interface name
Interface1         Ten-GigabitEthernet3/0/1
Interface2         Ten-GigabitEthernet3/0/2

Table 16 Interface and IP address assignment

Device            Interface   IP address
Hub 1             XGE3/0/1    1.0.0.1/24
                  Tunnel1     192.168.0.1/24
Hub 2             XGE3/0/1    1.0.0.2/24
                  Tunnel1     192.168.0.2/24
AAA server                    1.0.0.10/24
Primary server    XGE3/0/1    1.0.0.11/24
Secondary server  XGE3/0/1    1.0.0.12/24
Spoke 1           XGE3/0/1    1.0.0.3/24
                  XGE3/0/2    192.168.1.1/24
                  Tunnel1     192.168.0.3/24
Spoke 2           XGE3/0/1    1.0.0.4/24
                  XGE3/0/2    192.168.2.1/24
                  Tunnel1     192.168.0.4/24

Configuring the primary VAM server

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure AAA:

# Configure RADIUS scheme abc.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812

[PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for ISP domain abc.

[PrimaryServer] domain name abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

3.     Configure the VAM server:

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify hub private IPv4 addresses.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

# Specify a spoke private IPv4 network.

[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Set the preshared key to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Set the authentication mode to CHAP.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Hub1.

<Hub1> system-view

[Hub1] vam client name Hub1

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1] advpn-domain abc

# Set the preshared key to 123456.

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set both the username and password to hub1.

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.

[Hub1-vam-client-Hub1] server primary ip-address 1.0.0.11

[Hub1-vam-client-Hub1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub1-vam-client-Hub1] client enable

[Hub1-vam-client-Hub1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode tunnel

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm md5

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] service slot 2

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

4.     Configure static routes.

[Hub1] ip route-static 192.168.1.0 24 192.168.0.3

[Hub1] ip route-static 192.168.2.0 24 192.168.0.4

5.     Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel 1.

[Hub1] interface tunnel1 mode advpn gre

[Hub1-Tunnel1] ip address 192.168.0.1 255.255.255.0

[Hub1-Tunnel1] vam client Hub1

[Hub1-Tunnel1] service slot 2

[Hub1-Tunnel1] source ten-gigabitethernet 3/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] quit

Configuring Hub 2

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Hub2.

<Hub2> system-view

[Hub2] vam client name Hub2

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2] advpn-domain abc

# Set the preshared key to 123456.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2] server primary ip-address 1.0.0.11

[Hub2-vam-client-Hub2] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub2-vam-client-Hub2] client enable

[Hub2-vam-client-Hub2] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode tunnel

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm md5

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] service slot 2

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

4.     Configure static routes.

[Hub2] ip route-static 192.168.1.0 24 192.168.0.3

[Hub2] ip route-static 192.168.2.0 24 192.168.0.4

5.     Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel 1.

[Hub2] interface tunnel1 mode advpn gre

[Hub2-Tunnel1] ip address 192.168.0.2 255.255.255.0

[Hub2-Tunnel1] vam client Hub2

[Hub2-Tunnel1] service slot 2

[Hub2-Tunnel1] source ten-gigabitethernet 3/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] quit

Configuring Spoke 1

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Specify ADVPN domain abc for the VAM client.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the preshared key to 123456.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set both the username and password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the primary and secondary VAM servers.

[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11

[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] service slot 2

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

4.     Configure a static route.

[Spoke1] ip route-static 192.168.2.0 24 192.168.0.4

5.     Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel 1.

[Spoke1] interface tunnel1 mode advpn gre

[Spoke1-Tunnel1] ip address 192.168.0.3 255.255.255.0

[Spoke1-Tunnel1] vam client Spoke1

[Spoke1-Tunnel1] service slot 2

[Spoke1-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

Configuring Spoke 2

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Specify ADVPN domain abc for the VAM client.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the preshared key to 123456.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set both the username and password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the primary and secondary VAM servers.

[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11

[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] service slot 2

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

4.     Configure a static route.

[Spoke2] ip route-static 192.168.1.0 24 192.168.0.3

5.     Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel 1.

[Spoke2] interface tunnel1 mode advpn gre

[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0

[Spoke2-Tunnel1] vam client Spoke2

[Spoke2-Tunnel1] service slot 2

[Spoke2-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit

Verifying the configuration

# Display IPv4 address mapping information for all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S

0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S

0          192.168.0.3      1.0.0.3                     Spoke  No   0H 28M 25S

0          192.168.0.4      1.0.0.4                     Spoke  No   0H 19M 15S

# Display IPv4 address mapping information for all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S

0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S

0          192.168.0.3      1.0.0.3                     Spoke  No   0H 28M 25S

0          192.168.0.4      1.0.0.4                     Spoke  No   0H 19M 15S

The output shows that Hub 1, Hub 2, Spoke 1, and Spoke 2 have all registered their address mapping information with the VAM servers.

# Display IPv4 ADVPN tunnel information on Hubs. This example uses Hub 1.

[Hub1] display advpn session

Interface         : Tunnel1

Number of sessions: 3

Private address  Public address              Port  Type  State      Holding time

192.168.0.2      1.0.0.2                     --    H-H   Success    0H 46M  8S

192.168.0.3      1.0.0.3                     --    H-S   Success    0H 27M 27S

192.168.0.4      1.0.0.4                     --    H-S   Success    0H 18M 18S

The output shows that Hub 1 has established a permanent tunnel to Hub 2, Spoke 1, and Spoke 2.

# Display IPv4 ADVPN tunnel information on Spokes. This example uses Spoke 1.

[Spoke1] display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address  Public address              Port  Type  State      Holding time

192.168.0.1      1.0.0.1                     --    S-H   Success    0H 46M  8S

192.168.0.2      1.0.0.2                     --    S-H   Success    0H 46M  8S

The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

# Verify that Spoke 1 can ping the private address 192.168.0.4 of Spoke 2.

[Spoke1] ping 192.168.0.4

Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break

56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms

56 bytes from 192.168.0.4: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=4 ttl=255 time=1.000 ms

 

--- Ping statistics for 192.168.0.4 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms

Example: Configuring IPv6 hub-spoke ADVPN

Network configuration

As shown in Figure 14, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients. The two hubs back up each other, and perform data forwarding and route exchange.

Establish a permanent ADVPN tunnel between each spoke and each hub.

Figure 14 Network diagram

 

Table 17 Interface label and interface name mappings

Interface label   Interface name
Interface1        Ten-GigabitEthernet3/0/1
Interface2        Ten-GigabitEthernet3/0/2

Table 18 Interface and IP address assignment

Device            Interface   IP address
Hub 1             XGE3/0/1    1::1/64
                  Tunnel1     192:168::1/64
Hub 2             XGE3/0/1    1::2/64
                  Tunnel1     192:168::2/64
Spoke 1           XGE3/0/1    1::3/64
                  XGE3/0/2    192:168:1::1/64
                  Tunnel1     192:168::3/64
Spoke 2           XGE3/0/1    1::4/64
                  XGE3/0/2    192:168:2::1/64
                  Tunnel1     192:168::4/64
AAA server                    1::10/64
Primary server    XGE3/0/1    1::11/64
Secondary server  XGE3/0/1    1::12/64

Configuring the primary VAM server

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure AAA:

# Configure RADIUS scheme abc.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication ipv6 1::10 1812

[PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for ISP domain abc.

[PrimaryServer] domain name abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

3.     Configure the VAM server:

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify hub private IPv6 addresses.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2

# Specify a spoke private IPv6 network.

[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke ipv6 private-address network 192:168::0 64

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Set the preshared key to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Set the authentication mode to CHAP.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Hub1.

<Hub1> system-view

[Hub1] vam client name Hub1

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1] advpn-domain abc

# Set the preshared key to 123456.

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set both the username and password to hub1.

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.

[Hub1-vam-client-Hub1] server primary ipv6-address 1::11

[Hub1-vam-client-Hub1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub1-vam-client-Hub1] client enable

[Hub1-vam-client-Hub1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode tunnel

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm md5

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] service slot 2

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Hub1] ospfv3 1

[Hub1-ospfv3-1] router-id 0.0.0.1

[Hub1-ospfv3-1] area 0

[Hub1-ospfv3-1-area-0.0.0.0] quit

[Hub1-ospfv3-1] quit

5.     Configure GRE-mode IPv6 ADVPN tunnel interface Tunnel 1.

[Hub1] interface tunnel1 mode advpn gre ipv6

[Hub1-Tunnel1] ipv6 address 192:168::1 64

[Hub1-Tunnel1] ipv6 address fe80::1 link-local

[Hub1-Tunnel1] vam ipv6 client Hub1

[Hub1-Tunnel1] service slot 2

[Hub1-Tunnel1] ospfv3 1 area 0

[Hub1-Tunnel1] ospfv3 network-type p2mp

[Hub1-Tunnel1] source ten-gigabitethernet 3/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] quit

Configuring Hub 2

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Hub2.

<Hub2> system-view

[Hub2] vam client name Hub2

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2] advpn-domain abc

# Set the preshared key to 123456.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2] server primary ipv6-address 1::11

[Hub2-vam-client-Hub2] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub2-vam-client-Hub2] client enable

[Hub2-vam-client-Hub2] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode tunnel

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm md5

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] service slot 2

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Hub2] ospfv3 1

[Hub2-ospfv3-1] router-id 0.0.0.2

[Hub2-ospfv3-1] area 0

[Hub2-ospfv3-1-area-0.0.0.0] quit

[Hub2-ospfv3-1] quit

5.     Configure GRE-mode IPv6 ADVPN tunnel interface Tunnel 1.

[Hub2] interface tunnel1 mode advpn gre ipv6

[Hub2-Tunnel1] ipv6 address 192:168::2 64

[Hub2-Tunnel1] ipv6 address fe80::2 link-local

[Hub2-Tunnel1] vam ipv6 client Hub2

[Hub2-Tunnel1] service slot 2

[Hub2-Tunnel1] ospfv3 1 area 0

[Hub2-Tunnel1] ospfv3 network-type p2mp

[Hub2-Tunnel1] source ten-gigabitethernet 3/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] quit

Configuring Spoke 1

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Specify ADVPN domain abc for the VAM client.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the preshared key to 123456.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set both the username and password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the primary and secondary VAM servers.

[Spoke1-vam-client-Spoke1] server primary ipv6-address 1::11

[Spoke1-vam-client-Spoke1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] service slot 2

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Spoke1] ospfv3 1

[Spoke1-ospfv3-1] router-id 0.0.0.3

[Spoke1-ospfv3-1] area 0

[Spoke1-ospfv3-1-area-0.0.0.0] quit

[Spoke1-ospfv3-1] quit

5.     Configure GRE-mode IPv6 ADVPN tunnel interface Tunnel 1.

[Spoke1] interface tunnel1 mode advpn gre ipv6

[Spoke1-Tunnel1] ipv6 address 192:168::3 64

[Spoke1-Tunnel1] ipv6 address fe80::3 link-local

[Spoke1-Tunnel1] vam ipv6 client Spoke1

[Spoke1-Tunnel1] service slot 2

[Spoke1-Tunnel1] ospfv3 1 area 0

[Spoke1-Tunnel1] ospfv3 network-type p2mp

[Spoke1-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

Configuring Spoke 2

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Specify ADVPN domain abc for the VAM client.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the preshared key to 123456.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set both the username and password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the primary and secondary VAM servers.

[Spoke2-vam-client-Spoke2] server primary ipv6-address 1::11

[Spoke2-vam-client-Spoke2] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] service slot 2

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Spoke2] ospfv3 1

[Spoke2-ospfv3-1] router-id 0.0.0.4

[Spoke2-ospfv3-1] area 0

[Spoke2-ospfv3-1-area-0.0.0.0] quit

[Spoke2-ospfv3-1] quit

5.     Configure GRE-mode IPv6 ADVPN tunnel interface Tunnel 1.

[Spoke2] interface tunnel1 mode advpn gre ipv6

[Spoke2-Tunnel1] ipv6 address 192:168::4 64

[Spoke2-Tunnel1] ipv6 address fe80::4 link-local

[Spoke2-Tunnel1] vam ipv6 client Spoke2

[Spoke2-Tunnel1] service slot 2

[Spoke2-Tunnel1] ospfv3 1 area 0

[Spoke2-Tunnel1] ospfv3 network-type p2mp

[Spoke2-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit
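Every hub and spoke in the two examples above uses the same IKE keychain, transform set and VAM client credentials. The following audit script is an added example, not H3C code: it scans such CLI transcripts and flags the settings a security reviewer would question (HMAC-MD5 ESP integrity, an IKE pre-shared key bound to any peer address, secrets typed in simple form, and a VAM password equal to its username). The rule names, the 12-character secret threshold and the embedded sample lines (copied from the primary VAM server and Hub 1 steps) are this example's own choices.

```python
"""Audit H3C-style ADVPN/IPsec CLI lines for weak settings.

Added example for this page, not H3C code. Rule names, the 12-character minimum
secret length and the sample lines are this example's own choices; the sample is
copied from the primary VAM server and Hub 1 steps above."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Strip a CLI prompt such as "<Hub1>" or "[Hub1-ipsec-transform-set-abc]".
PROMPT_RE = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")
# A secret entered in "simple" (plaintext) form; the secret is the last word.
SECRET_RE = re.compile(r"\b(?:key|pre-shared-key|password)(?:\s+\w+)?\s+simple\s+(\S+)")
# IKE pre-shared key bound to any peer address (IPv4 or IPv6 wildcard form).
WILDCARD_PEER_RE = re.compile(r"pre-shared-key address\s+(?:0\.0\.0\.0\s+0\.0\.0\.0|ipv6\s+::\s+0)\b")
# VAM client credentials: "user <name> password simple <password>".
VAM_USER_RE = re.compile(r"\buser\s+(\S+)\s+password\s+simple\s+(\S+)")
# ESP integrity algorithm.
ESP_AUTH_RE = re.compile(r"esp authentication-algorithm\s+(\S+)", re.I)
MIN_SECRET_LEN = 12  # assumption: a local policy threshold, not an H3C default

@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the audited text
    rule: str      # short rule name
    detail: str    # what the reviewer should look at

def audit_config(text: str) -> List[Finding]:
    """Return one Finding per weak setting in a CLI transcript or config dump."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        cmd = PROMPT_RE.sub("", raw).strip()
        if not cmd or cmd.startswith("#"):
            continue  # blank line or one of the guide's "#" comments
        m = ESP_AUTH_RE.search(cmd)
        if m and m.group(1).lower() == "md5":
            findings.append(Finding(line_no, "weak-esp-auth",
                                    "ESP integrity is HMAC-MD5 (MUST NOT per RFC 8221)"))
        if WILDCARD_PEER_RE.search(cmd):
            findings.append(Finding(line_no, "wildcard-ike-peer",
                                    "IKE pre-shared key is valid for any peer address"))
        m = SECRET_RE.search(cmd)
        if m:
            secret = m.group(1)
            findings.append(Finding(line_no, "plaintext-secret",
                                    "secret appears in plaintext in this transcript"))
            if len(secret) < MIN_SECRET_LEN:
                findings.append(Finding(line_no, "short-secret",
                                        f"{len(secret)} chars, policy minimum {MIN_SECRET_LEN}"))
        m = VAM_USER_RE.search(cmd)
        if m and m.group(1).lower() == m.group(2).lower():
            findings.append(Finding(line_no, "password-equals-username",
                                    f"VAM client {m.group(1)!r} uses its name as password"))
    return findings

def rules_by_line(findings: List[Finding]) -> Dict[int, List[str]]:
    """Group rule names per line number, in detection order."""
    out: Dict[int, List[str]] = {}
    for f in findings:
        out.setdefault(f.line_no, []).append(f.rule)
    return out

# Constructed sample: lines copied from the primary VAM server and Hub 1 steps.
SAMPLE_CONFIG = """\
[PrimaryServer-radius-abc] key authentication simple 123
[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456
[Hub1-vam-client-Hub1] user hub1 password simple hub1
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub1-ipsec-transform-set-abc] encapsulation-mode tunnel
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm md5
[Hub1-Tunnel1] tunnel protection ipsec profile abc
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
```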

Verifying the configuration

# Display IPv6 address mapping information for all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server ipv6 address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address       Public address         Type   NAT  Holding time

0          192:168::1            1::1                   Hub    No   0H 52M  7S

0          192:168::2            1::2                   Hub    No   0H 47M 31S

0          192:168::3            1::3                   Spoke  No   0H 28M 25S

0          192:168::4            1::4                   Spoke  No   0H 19M 15S

# Display IPv6 address mapping information for all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server ipv6 address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address       Public address         Type   NAT  Holding time

0          192:168::1            1::1                   Hub    No   0H 52M  7S

0          192:168::2            1::2                   Hub    No   0H 47M 31S

0          192:168::3            1::3                   Spoke  No   0H 28M 25S

0          192:168::4            1::4                   Spoke  No   0H 19M 15S

The output shows that Hub 1, Hub 2, Spoke 1, and Spoke 2 have all registered their address mapping information with the VAM servers.

# Display IPv6 ADVPN tunnel information on Hubs. This example uses Hub 1.

[Hub1] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 3

Private address       Public address        Port  Type  State      Holding time

192:168::2            1::2                  --    H-H   Success    0H 46M  8S

192:168::3            1::3                  --    H-S   Success    0H 27M 27S

192:168::4            1::4                  --    H-S   Success    0H 18M 18S

The output shows that Hub 1 has established a permanent tunnel to Hub 2, Spoke 1, and Spoke 2.

# Display IPv6 ADVPN tunnel information on Spokes. This example uses Spoke 1.

[Spoke1] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 2

Private address       Public address        Port  Type  State      Holding time

192:168::1            1::1                  --    S-H   Success    0H 46M  8S

192:168::2            1::2                  --    S-H   Success    0H 46M  8S

The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

# Verify that Spoke 1 can ping the private address 192:168::4 of Spoke 2.

[Spoke1] ping ipv6 192:168::4

Ping6(56 data bytes) 192:168::4 --> 192:168::4, press CTRL_C to break

56 bytes from 192:168::4, icmp_seq=0 hlim=64 time=3.000 ms

56 bytes from 192:168::4, icmp_seq=1 hlim=64 time=0.000 ms

56 bytes from 192:168::4, icmp_seq=2 hlim=64 time=1.000 ms

56 bytes from 192:168::4, icmp_seq=3 hlim=64 time=1.000 ms

56 bytes from 192:168::4, icmp_seq=4 hlim=64 time=1.000 ms

 

--- Ping6 statistics for 192:168::4 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms
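Both verification sections above (IPv4 and IPv6) are read by eye. As an added example, not H3C code, the script below parses the address-map and session tables exactly as the display commands print them and checks them against the planned topology: every planned hub and spoke must be registered with the right role, nothing unplanned may be registered, and every planned peer must have a session in Success state. The function names are this example's own; the embedded sample outputs are copied from the page.

```python
"""Check the ADVPN verification output shown on this page against the planned
topology. Added example, not H3C code: it parses the text of "display vam server
[ipv6] address-map" and "display advpn [ipv6] session" exactly as printed above."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Mapping:                # one row of the address-map table
    private: str
    public: str
    kind: str                 # "Hub" or "Spoke"
    hold: str                 # holding time as printed, e.g. "0H 52M  7S"

@dataclass(frozen=True)
class Session:                # one row of the advpn session table
    private: str
    kind: str                 # H-H, H-S, S-H or S-S
    state: str
    hold: str

def _table_rows(text: str, header_prefix: str, count_prefix: str) -> List[List[str]]:
    """Split the data rows under the header line and check them against the count."""
    rows, in_table, count = [], False, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(count_prefix):
            count = int(line.split(":")[1])
        elif line.startswith(header_prefix):
            in_table = True
        elif in_table and line:
            rows.append(line.split(None, 5))   # holding time keeps its inner spaces
    if count is not None and count != len(rows):
        raise ValueError(f"command reports {count} rows, table shows {len(rows)}")
    return rows

def parse_address_map(text: str) -> List[Mapping]:
    """Parse 'display vam server [ipv6] address-map' output."""
    return [Mapping(priv, pub, kind, hold)
            for _group, priv, pub, kind, _nat, hold in
            _table_rows(text, "Group", "Total private address mappings:")]

def parse_sessions(text: str) -> List[Session]:
    """Parse 'display advpn [ipv6] session' output."""
    return [Session(priv, kind, state, hold)
            for priv, _pub, _port, kind, state, hold in
            _table_rows(text, "Private address", "Number of sessions:")]

def check_registration(rows: List[Mapping], expected: Dict[str, str]) -> List[str]:
    """Report clients that are missing, have the wrong role, or were not planned."""
    seen = {r.private: r for r in rows}
    problems = []
    for priv, role in expected.items():
        r = seen.get(priv)
        if r is None:
            problems.append(f"{priv} ({role}) has not registered")
        elif r.kind != role:
            problems.append(f"{priv} registered as {r.kind}, expected {role}")
    for priv in sorted(seen.keys() - expected.keys()):
        problems.append(f"unplanned client {priv} registered from {seen[priv].public}")
    return problems

def check_sessions(rows: List[Session], expected: Dict[str, str]) -> List[str]:
    """Every planned peer needs a session of the right type in Success state."""
    seen = {r.private: r for r in rows}
    problems = []
    for priv, kind in expected.items():
        s = seen.get(priv)
        if s is None:
            problems.append(f"no session to {priv}")
        elif s.state != "Success":
            problems.append(f"session to {priv} is in state {s.state}")
        elif s.kind != kind:
            problems.append(f"session to {priv} is {s.kind}, expected {kind}")
    return problems

# Constructed samples copied from this page (IPv4 address map, Hub 1's IPv6 sessions).
ADDRESS_MAP_V4 = """\
ADVPN domain name: abc
Total private address mappings: 4
Group      Private address  Public address              Type   NAT  Holding time
0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S
0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S
0          192.168.0.3      1.0.0.3                     Spoke  No   0H 28M 25S
0          192.168.0.4      1.0.0.4                     Spoke  No   0H 19M 15S
"""
SESSIONS_V6_HUB1 = """\
Interface         : Tunnel1
Number of sessions: 3
Private address       Public address        Port  Type  State      Holding time
192:168::2            1::2                  --    H-H   Success    0H 46M  8S
192:168::3            1::3                  --    H-S   Success    0H 27M 27S
192:168::4            1::4                  --    H-S   Success    0H 18M 18S
"""
EXPECTED_V4 = {"192.168.0.1": "Hub", "192.168.0.2": "Hub",
               "192.168.0.3": "Spoke", "192.168.0.4": "Spoke"}
EXPECTED_HUB1_V6 = {"192:168::2": "H-H", "192:168::3": "H-S", "192:168::4": "H-S"}

if __name__ == "__main__":
    print(check_registration(parse_address_map(ADDRESS_MAP_V4), EXPECTED_V4)
          + check_sessions(parse_sessions(SESSIONS_V6_HUB1), EXPECTED_HUB1_V6))
```

An empty list from both checks means the topology matches the plan; the same functions accept the IPv4 session table and the IPv6 address map, since only the address strings differ.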

Example: Configuring IPv4 multi-hub-group ADVPN

Network configuration

As shown in Figure 15, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients.

·     Configure three hub groups to accommodate all ADVPN nodes:

¡     Hub group 0 contains Hub 1, Hub 2, and Hub 3.

¡     Hub group 1 contains Hub 1, Hub 2, Spoke 1, and Spoke 2. Hub 1 and Hub 2 back up each other.

¡     Hub group 2 contains Hub 3, Spoke 3, and Spoke 4. Hub groups 1 and 2 use full-mesh networking.

·     Allow any two spokes to establish a direct spoke-spoke tunnel.

Figure 15 Network diagram

 

Table 19 Interface label and interface name mappings

Interface label   Interface name
Interface1        Ten-GigabitEthernet3/0/1
Interface2        Ten-GigabitEthernet3/0/2
Interface3        Ten-GigabitEthernet3/0/3

Table 20 Interface and IP address assignment

Device            Interface   IP address
Hub 1             XGE3/0/1    1.0.0.1/24
                  Tunnel1     192.168.1.1/24
                  Tunnel2     192.168.0.1/24
Hub 2             XGE3/0/1    1.0.0.2/24
                  Tunnel1     192.168.1.2/24
                  Tunnel2     192.168.0.2/24
Hub 3             XGE3/0/1    1.0.0.3/24
                  Tunnel1     192.168.2.1/24
                  Tunnel2     192.168.0.3/24
Spoke 1           XGE3/0/1    1.0.0.4/24
                  XGE3/0/2    192.168.10.1/24
                  Tunnel1     192.168.1.3/24
Spoke 2           XGE3/0/1    1.0.0.5/24
                  XGE3/0/2    192.168.20.1/24
                  XGE3/0/3    192.168.30.1/24
                  Tunnel1     192.168.1.4/24
Spoke 3           XGE3/0/1    1.0.0.6/24
                  XGE3/0/2    192.168.40.1/24
                  Tunnel1     192.168.2.2/24
Spoke 4           XGE3/0/1    1.0.0.7/24
                  XGE3/0/2    192.168.50.1/24
                  XGE3/0/3    192.168.60.1/24
                  Tunnel1     192.168.2.3/24
AAA server                    1.0.0.10/24
Primary server    XGE3/0/1    1.0.0.11/24
Secondary server  XGE3/0/1    1.0.0.12/24

Configuring the primary VAM server

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure AAA:

# Configure RADIUS scheme abc.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812

[PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for ISP domain abc.

[PrimaryServer] domain name abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

3.     Configure the VAM server:

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify hub private IPv4 addresses.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.3

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Create hub group 1.

[PrimaryServer-vam-server-domain-abc] hub-group 1

# Specify hub private IPv4 addresses.

[PrimaryServer-vam-server-domain-abc-hub-group-1] hub private-address 192.168.1.1

[PrimaryServer-vam-server-domain-abc-hub-group-1] hub private-address 192.168.1.2

# Specify a spoke private IPv4 network.

[PrimaryServer-vam-server-domain-abc-hub-group-1] spoke private-address network 192.168.1.0 255.255.255.0

# Allow establishing direct spoke-spoke tunnels.

[PrimaryServer-vam-server-domain-abc-hub-group-1] shortcut interest all

[PrimaryServer-vam-server-domain-abc-hub-group-1] quit

# Create hub group 2.

[PrimaryServer-vam-server-domain-abc] hub-group 2

# Specify the hub private IPv4 address.

[PrimaryServer-vam-server-domain-abc-hub-group-2] hub private-address 192.168.2.1

# Specify a spoke private IPv4 network.

[PrimaryServer-vam-server-domain-abc-hub-group-2] spoke private-address network 192.168.2.0 255.255.255.0

# Allow establishing direct spoke-spoke tunnels.

[PrimaryServer-vam-server-domain-abc-hub-group-2] shortcut interest all

[PrimaryServer-vam-server-domain-abc-hub-group-2] quit

# Set the preshared key to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Set the authentication mode to CHAP.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Hub1Group0.

<Hub1> system-view

[Hub1] vam client name Hub1Group0

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1Group0] advpn-domain abc

# Set the preshared key to 123456.

[Hub1-vam-client-Hub1Group0] pre-shared-key simple 123456

# Set both the username and password to hub1.

[Hub1-vam-client-Hub1Group0] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.

[Hub1-vam-client-Hub1Group0] server primary ip-address 1.0.0.11

[Hub1-vam-client-Hub1Group0] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub1-vam-client-Hub1Group0] client enable

[Hub1-vam-client-Hub1Group0] quit

# Create VAM client Hub1Group1.

[Hub1] vam client name Hub1Group1

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1Group1] advpn-domain abc

# Set the preshared key to 123456.

[Hub1-vam-client-Hub1Group1] pre-shared-key simple 123456

# Set both the username and password to hub1.

[Hub1-vam-client-Hub1Group1] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.

[Hub1-vam-client-Hub1Group1] server primary ip-address 1.0.0.11

[Hub1-vam-client-Hub1Group1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub1-vam-client-Hub1Group1] client enable

[Hub1-vam-client-Hub1Group1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode tunnel

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm md5

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] service slot 2

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

4.     Configure static routes.

[Hub1] ip route-static 192.168.10.0 24 192.168.1.3

[Hub1] ip route-static 192.168.20.0 24 192.168.1.4

[Hub1] ip route-static 192.168.30.0 24 192.168.1.4

[Hub1] ip route-static 192.168.40.0 24 192.168.0.3

[Hub1] ip route-static 192.168.50.0 24 192.168.0.3

[Hub1] ip route-static 192.168.60.0 24 192.168.0.3

5.     Configure ADVPN tunnels:

# Configure UDP-mode IPv4 ADVPN tunnel interface Tunnel 1.

[Hub1] interface tunnel1 mode advpn udp

[Hub1-Tunnel1] ip address 192.168.1.1 255.255.255.0

[Hub1-Tunnel1] vam client Hub1Group1

[Hub1-Tunnel1] service slot 2

[Hub1-Tunnel1] source ten-gigabitethernet 3/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] advpn source-port 6000

[Hub1-Tunnel1] quit

# Configure UDP-mode IPv4 ADVPN tunnel interface Tunnel 2.

[Hub1] interface tunnel2 mode advpn udp

[Hub1-Tunnel2] ip address 192.168.0.1 255.255.255.0

[Hub1-Tunnel2] vam client Hub1Group0

[Hub1-Tunnel2] service slot 2

[Hub1-Tunnel2] source ten-gigabitethernet 3/0/1

[Hub1-Tunnel2] tunnel protection ipsec profile abc

[Hub1-Tunnel2] quit

Configuring Hub 2

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Hub2Group0.

<Hub2> system-view

[Hub2] vam client name Hub2Group0

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2Group0] advpn-domain abc

# Set the preshared key to 123456.

[Hub2-vam-client-Hub2Group0] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2Group0] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2Group0] server primary ip-address 1.0.0.11

[Hub2-vam-client-Hub2Group0] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub2-vam-client-Hub2Group0] client enable

[Hub2-vam-client-Hub2Group0] quit

# Create VAM client Hub2Group1.

[Hub2] vam client name Hub2Group1

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2Group1] advpn-domain abc

# Set the preshared key to 123456.

[Hub2-vam-client-Hub2Group1] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2Group1] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2Group1] server primary ip-address 1.0.0.11

[Hub2-vam-client-Hub2Group1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub2-vam-client-Hub2Group1] client enable

[Hub2-vam-client-Hub2Group1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode tunnel

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm md5

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] service slot 2

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

4.     Configure static routes.

[Hub2] ip route-static 192.168.10.0 24 192.168.1.3

[Hub2] ip route-static 192.168.20.0 24 192.168.1.4

[Hub2] ip route-static 192.168.30.0 24 192.168.1.4

[Hub2] ip route-static 192.168.40.0 24 192.168.0.3

[Hub2] ip route-static 192.168.50.0 24 192.168.0.3

[Hub2] ip route-static 192.168.60.0 24 192.168.0.3

5.     Configure ADVPN tunnels:

# Configure UDP-mode IPv4 ADVPN tunnel interface Tunnel 1.

[Hub2] interface tunnel 1 mode advpn udp

[Hub2-Tunnel1] ip address 192.168.1.2 255.255.255.0

[Hub2-Tunnel1] vam client Hub2Group1

[Hub2-Tunnel1] service slot 2

[Hub2-Tunnel1] source ten-gigabitethernet 3/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] advpn source-port 6000

[Hub2-Tunnel1] quit

# Configure UDP-mode IPv4 ADVPN tunnel interface Tunnel 2.

[Hub2] interface tunnel2 mode advpn udp

[Hub2-Tunnel2] ip address 192.168.0.2 255.255.255.0

[Hub2-Tunnel2] vam client Hub2Group0

[Hub2-Tunnel2] service slot 2

[Hub2-Tunnel2] source ten-gigabitethernet 3/0/1

[Hub2-Tunnel2] tunnel protection ipsec profile abc

[Hub2-Tunnel2] quit

Configuring Hub 3

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Hub3Group0.

<Hub3> system-view

[Hub3] vam client name Hub3Group0

# Specify ADVPN domain abc for the VAM client.

[Hub3-vam-client-Hub3Group0] advpn-domain abc

# Set the preshared key to 123456.

[Hub3-vam-client-Hub3Group0] pre-shared-key simple 123456

# Set both the username and password to hub3.

[Hub3-vam-client-Hub3Group0] user hub3 password simple hub3

# Specify the primary and secondary VAM servers.

[Hub3-vam-client-Hub3Group0] server primary ip-address 1.0.0.11

[Hub3-vam-client-Hub3Group0] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub3-vam-client-Hub3Group0] client enable

[Hub3-vam-client-Hub3Group0] quit

# Create VAM client Hub3Group1.

[Hub3] vam client name Hub3Group1

# Specify ADVPN domain abc for the VAM client.

[Hub3-vam-client-Hub3Group1] advpn-domain abc

# Set the preshared key to 123456.

[Hub3-vam-client-Hub3Group1] pre-shared-key simple 123456

# Set both the username and password to hub3.

[Hub3-vam-client-Hub3Group1] user hub3 password simple hub3

# Specify the primary and secondary VAM servers.

[Hub3-vam-client-Hub3Group1] server primary ip-address 1.0.0.11

[Hub3-vam-client-Hub3Group1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub3-vam-client-Hub3Group1] client enable

[Hub3-vam-client-Hub3Group1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Hub3] ike keychain abc

[Hub3-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub3-ike-keychain-abc] quit

[Hub3] ike profile abc

[Hub3-ike-profile-abc] keychain abc

[Hub3-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub3] ipsec transform-set abc

[Hub3-ipsec-transform-set-abc] encapsulation-mode tunnel

[Hub3-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Hub3-ipsec-transform-set-abc] esp authentication-algorithm md5

[Hub3-ipsec-transform-set-abc] quit

[Hub3] ipsec profile abc isakmp

[Hub3-ipsec-profile-isakmp-abc] service slot 2

[Hub3-ipsec-profile-isakmp-abc] transform-set abc

[Hub3-ipsec-profile-isakmp-abc] ike-profile abc

[Hub3-ipsec-profile-isakmp-abc] quit

4.     Configure static routes.

[Hub3] ip route-static 192.168.10.0 24 192.168.0.1

[Hub3] ip route-static 192.168.20.0 24 192.168.0.1

[Hub3] ip route-static 192.168.30.0 24 192.168.0.1

[Hub3] ip route-static 192.168.40.0 24 192.168.2.2

[Hub3] ip route-static 192.168.50.0 24 192.168.2.3

[Hub3] ip route-static 192.168.60.0 24 192.168.2.3

5.     Configure ADVPN tunnels:

# Configure UDP-mode IPv4 ADVPN tunnel interface Tunnel 1.

[Hub3] interface tunnel1 mode advpn udp

[Hub3-Tunnel1] ip address 192.168.2.1 255.255.255.0

[Hub3-Tunnel1] vam client Hub3Group1

[Hub3-Tunnel1] service slot 2

[Hub3-Tunnel1] source ten-gigabitethernet 3/0/1

[Hub3-Tunnel1] tunnel protection ipsec profile abc

[Hub3-Tunnel1] advpn source-port 6000

[Hub3-Tunnel1] quit

# Configure UDP-mode IPv4 ADVPN tunnel interface Tunnel 2.

[Hub3] interface tunnel2 mode advpn udp

[Hub3-Tunnel2] ip address 192.168.0.3 255.255.255.0

[Hub3-Tunnel2] vam client Hub3Group0

[Hub3-Tunnel2] service slot 2

[Hub3-Tunnel2] source ten-gigabitethernet 3/0/1

[Hub3-Tunnel2] tunnel protection ipsec profile abc

[Hub3-Tunnel2] quit

Configuring Spoke 1

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Specify ADVPN domain abc for the VAM client.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the preshared key to 123456.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set both the username and password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the primary and secondary VAM servers.

[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11

[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] service slot 2

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

4.     Configure static routes.

[Spoke1] ip route-static 192.168.20.0 24 192.168.1.4

[Spoke1] ip route-static 192.168.30.0 24 192.168.1.4

[Spoke1] ip route-static 192.168.40.0 24 192.168.1.1

[Spoke1] ip route-static 192.168.50.0 24 192.168.1.1

[Spoke1] ip route-static 192.168.60.0 24 192.168.1.1

5.     Configure UDP-mode IPv4 ADVPN tunnel interface Tunnel 1. Set its DR priority to 0 to prevent Spoke 1 from participating in DR/BDR election.

[Spoke1] interface tunnel1 mode advpn udp

[Spoke1-Tunnel1] ip address 192.168.1.3 255.255.255.0

[Spoke1-Tunnel1] vam client Spoke1

[Spoke1-Tunnel1] service slot 2

[Spoke1-Tunnel1] advpn network 192.168.10.0 255.255.255.0

[Spoke1-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

Configuring Spoke 2

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Specify ADVPN domain abc for the VAM client.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the preshared key to 123456.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set both the username and password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the primary and secondary VAM servers.

[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11

[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] service slot 2

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

4.     Configure static routes.

[Spoke2] ip route-static 192.168.10.0 24 192.168.1.3

[Spoke2] ip route-static 192.168.40.0 24 192.168.1.1

[Spoke2] ip route-static 192.168.50.0 24 192.168.1.1

[Spoke2] ip route-static 192.168.60.0 24 192.168.1.1

5.     Configure UDP-mode IPv4 ADVPN tunnel interface Tunnel 1. Set its DR priority to 0 to prevent Spoke 2 from participating in DR/BDR election.

[Spoke2] interface tunnel1 mode advpn udp

[Spoke2-Tunnel1] ip address 192.168.1.4 255.255.255.0

[Spoke2-Tunnel1] vam client Spoke2

[Spoke2-Tunnel1] service slot 2

[Spoke2-Tunnel1] advpn network 192.168.20.0 255.255.255.0

[Spoke2-Tunnel1] advpn network 192.168.30.0 255.255.255.0

[Spoke2-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit

Configuring Spoke 3

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke3.

<Spoke3> system-view

[Spoke3] vam client name Spoke3

# Specify ADVPN domain abc for the VAM client.

[Spoke3-vam-client-Spoke3] advpn-domain abc

# Set the preshared key to 123456.

[Spoke3-vam-client-Spoke3] pre-shared-key simple 123456

# Set both the username and password to spoke3.

[Spoke3-vam-client-Spoke3] user spoke3 password simple spoke3

# Specify the primary and secondary VAM servers.

[Spoke3-vam-client-Spoke3] server primary ip-address 1.0.0.11

[Spoke3-vam-client-Spoke3] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke3-vam-client-Spoke3] client enable

[Spoke3-vam-client-Spoke3] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke3] ike keychain abc

[Spoke3-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke3-ike-keychain-abc] quit

[Spoke3] ike profile abc

[Spoke3-ike-profile-abc] keychain abc

[Spoke3-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke3] ipsec transform-set abc

[Spoke3-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke3-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke3-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke3-ipsec-transform-set-abc] quit

[Spoke3] ipsec profile abc isakmp

[Spoke3-ipsec-profile-isakmp-abc] service slot 2

[Spoke3-ipsec-profile-isakmp-abc] transform-set abc

[Spoke3-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke3-ipsec-profile-isakmp-abc] quit

4.     Configure static routes.

[Spoke3] ip route-static 192.168.10.0 24 192.168.2.1

[Spoke3] ip route-static 192.168.20.0 24 192.168.2.1

[Spoke3] ip route-static 192.168.30.0 24 192.168.2.1

[Spoke3] ip route-static 192.168.50.0 24 192.168.2.3

[Spoke3] ip route-static 192.168.60.0 24 192.168.2.3

5.     Configure UDP-mode IPv4 ADVPN tunnel interface Tunnel 1. Set its DR priority to 0 to prevent Spoke 3 from participating in DR/BDR election.

[Spoke3] interface tunnel 1 mode advpn udp

[Spoke3-Tunnel1] ip address 192.168.2.2 255.255.255.0

[Spoke3-Tunnel1] vam client Spoke3

[Spoke3-Tunnel1] service slot 2

[Spoke3-Tunnel1] advpn network 192.168.40.0 255.255.255.0

[Spoke3-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke3-Tunnel1] tunnel protection ipsec profile abc

[Spoke3-Tunnel1] quit

Configuring Spoke 4

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke4.

<Spoke4> system-view

[Spoke4] vam client name Spoke4

# Specify ADVPN domain abc for the VAM client.

[Spoke4-vam-client-Spoke4] advpn-domain abc

# Set the preshared key to 123456.

[Spoke4-vam-client-Spoke4] pre-shared-key simple 123456

# Set both the username and password to spoke4.

[Spoke4-vam-client-Spoke4] user spoke4 password simple spoke4

# Specify the primary and secondary VAM servers.

[Spoke4-vam-client-Spoke4] server primary ip-address 1.0.0.11

[Spoke4-vam-client-Spoke4] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke4-vam-client-Spoke4] client enable

[Spoke4-vam-client-Spoke4] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke4] ike keychain abc

[Spoke4-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke4-ike-keychain-abc] quit

[Spoke4] ike profile abc

[Spoke4-ike-profile-abc] keychain abc

[Spoke4-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke4] ipsec transform-set abc

[Spoke4-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke4-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke4-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke4-ipsec-transform-set-abc] quit

[Spoke4] ipsec profile abc isakmp

[Spoke4-ipsec-profile-isakmp-abc] service slot 2

[Spoke4-ipsec-profile-isakmp-abc] transform-set abc

[Spoke4-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke4-ipsec-profile-isakmp-abc] quit

4.     Configure static routes.

[Spoke4] ip route-static 192.168.10.0 24 192.168.2.1

[Spoke4] ip route-static 192.168.20.0 24 192.168.2.1

[Spoke4] ip route-static 192.168.30.0 24 192.168.2.1

[Spoke4] ip route-static 192.168.40.0 24 192.168.2.4

5.     Configure UDP-mode IPv4 ADVPN tunnel interface Tunnel 1. Set its DR priority to 0 to prevent Spoke 4 from participating in DR/BDR election.

[Spoke4] interface tunnel1 mode advpn udp

[Spoke4-Tunnel1] ip address 192.168.2.3 255.255.255.0

[Spoke4-Tunnel1] vam client Spoke4

[Spoke4-Tunnel1] service slot 2

[Spoke4-Tunnel1] advpn network 192.168.50.0 255.255.255.0

[Spoke4-Tunnel1] advpn network 192.168.60.0 255.255.255.0

[Spoke4-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke4-Tunnel1] tunnel protection ipsec profile abc

[Spoke4-Tunnel1] quit

Verifying the configuration

# Display IPv4 address mapping information for all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 10

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S

0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S

0          192.168.0.3      1.0.0.3                     Hub    No   0H 28M 25S

1          192.168.1.1      1.0.0.1                     Hub    No   0H 52M  7S

1          192.168.1.2      1.0.0.2                     Hub    No   0H 47M 31S

1          192.168.1.3      1.0.0.4                     Spoke  No   0H 18M 26S

1          192.168.1.4      1.0.0.5                     Spoke  No   0H 28M 25S

2          192.168.2.1      1.0.0.3                     Hub    No   0H 28M 25S

2          192.168.2.2      1.0.0.6                     Spoke  No   0H 25M 40S

2          192.168.2.3      1.0.0.7                     Spoke  No   0H 25M 31S

# Display IPv4 address mapping information for all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 10

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S

0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S

0          192.168.0.3      1.0.0.3                     Hub    No   0H 28M 25S

1          192.168.1.1      1.0.0.1                     Hub    No   0H 52M  7S

1          192.168.1.2      1.0.0.2                     Hub    No   0H 47M 31S

1          192.168.1.3      1.0.0.4                     Spoke  No   0H 18M 26S

1          192.168.1.4      1.0.0.5                     Spoke  No   0H 28M 25S

2          192.168.2.1      1.0.0.3                     Hub    No   0H 28M 25S

2          192.168.2.2      1.0.0.6                     Spoke  No   0H 25M 40S

2          192.168.2.3      1.0.0.7                     Spoke  No   0H 25M 31S

The output shows that Hub 1, Hub 2, Hub 3, Spoke 1, Spoke 2, Spoke 3, and Spoke 4 have all registered their address mapping information with the VAM servers.

# Display IPv4 ADVPN tunnel information on Hubs. This example uses Hub 1.

[Hub1] display advpn session

Interface         : Tunnel1

Number of sessions: 3

Private address  Public address              Port  Type  State      Holding time

192.168.1.2      1.0.0.2                     18001 H-H   Success    0H 46M  8S

192.168.1.3      1.0.0.3                     18001 H-S   Success    0H 27M 27S

192.168.1.4      1.0.0.4                     18001 H-S   Success    0H 18M 18S

 

Interface         : Tunnel2

Number of sessions: 2

Private address  Public address              Port  Type  State      Holding time

192.168.0.2      1.0.0.2                     18001 H-H   Success    0H 46M  8S

192.168.0.3      1.0.0.3                     18001 H-H   Success    0H 27M 27S

The output shows that Hub 1 has established permanent hub-hub tunnels to Hub 2 and Hub 3 and permanent hub-spoke tunnels to Spoke 1 and Spoke 2.

# Display IPv4 ADVPN tunnel information on Spoke 1 and Spoke 2. This example uses Spoke 1.

[Spoke1] display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address  Public address              Port  Type  State      Holding time

192.168.1.1      1.0.0.1                     18001 S-H   Success    0H 46M  8S

192.168.1.2      1.0.0.2                     18001 S-H   Success    0H 46M  8S

The output shows that Spoke 1 has established permanent hub-spoke tunnels to Hub 1 and Hub 2.

# Display IPv4 ADVPN tunnel information on Spoke 3 and Spoke 4. This example uses Spoke 3.

[Spoke3] display advpn session

Interface         : Tunnel1

Number of sessions: 1

Private address  Public address              Port  Type  State      Holding time

192.168.2.1      1.0.0.3                     18001 S-H   Success    0H 46M  8S

The output shows that Spoke 3 has established a permanent hub-spoke tunnel to Hub 3.

Example: Configuring IPv6 multi-hub-group ADVPN

Network configuration

As shown in Figure 16, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients.

·     Configure three hub groups to accommodate all ADVPN nodes:

¡     Hub group 0 contains Hub 1, Hub 2, and Hub 3.

¡     Hub group 1 contains Hub 1, Hub 2, Spoke 1, and Spoke 2. Hub 1 and Hub 2 back up each other.

¡     Hub group 2 contains Hub 3, Spoke 3, and Spoke 4. Hub groups 1 and 2 use full-mesh networking.

·     Allow any two spokes to establish a direct spoke-spoke tunnel.

Figure 16 Network diagram

Table 21 Interface label and interface name mappings

Interface label   Interface name
Interface1        Ten-GigabitEthernet3/0/1
Interface2        Ten-GigabitEthernet3/0/2
Interface3        Ten-GigabitEthernet3/0/3

Table 22 Interface and IP address assignment

Device            Interface   IP address
Hub 1             XGE3/0/1    1::1/64
                  Tunnel1     192:168:1::1/64
                  Tunnel2     192:168::1/64
Hub 2             XGE3/0/1    1::2/64
                  Tunnel1     192:168:1::2/64
                  Tunnel2     192:168::2/64
Hub 3             XGE3/0/1    1::3/64
                  Tunnel1     192:168:2::1/64
                  Tunnel2     192:168::3/64
AAA server        -           1::10/64
Primary server    XGE3/0/1    1::11/64
Secondary server  XGE3/0/1    1::12/64
Spoke 1           XGE3/0/1    1::4/64
                  XGE3/0/2    192:168:10::1/64
                  Tunnel1     192:168:1::3/64
Spoke 2           XGE3/0/1    1::5/64
                  XGE3/0/2    192:168:20::1/64
                  XGE3/0/3    192:168:30::1/64
                  Tunnel1     192:168:1::4/64
Spoke 3           XGE3/0/1    1::6/64
                  XGE3/0/2    192:168:40::1/64
                  Tunnel1     192:168:2::2/64
Spoke 4           XGE3/0/1    1::7/64
                  XGE3/0/2    192:168:50::1/64
                  XGE3/0/3    192:168:60::1/64
                  Tunnel1     192:168:2::3/64


Configuring the primary VAM server

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure AAA:

# Configure RADIUS scheme abc.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication ipv6 1::10 1812

[PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for ISP domain abc.

[PrimaryServer] domain name abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

3.     Configure the VAM server:

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify hub private IPv6 addresses.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::3

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Create hub group 1.

[PrimaryServer-vam-server-domain-abc] hub-group 1

# Specify hub private IPv6 addresses.

[PrimaryServer-vam-server-domain-abc-hub-group-1] hub ipv6 private-address 192:168:1::1

[PrimaryServer-vam-server-domain-abc-hub-group-1] hub ipv6 private-address 192:168:1::2

# Specify a spoke private IPv6 network.

[PrimaryServer-vam-server-domain-abc-hub-group-1] spoke ipv6 private-address network 192:168:1::0 64

# Allow establishing spoke-spoke tunnels.

[PrimaryServer-vam-server-domain-abc-hub-group-1] shortcut ipv6 interest all

[PrimaryServer-vam-server-domain-abc-hub-group-1] quit

# Create hub group 2.

[PrimaryServer-vam-server-domain-abc] hub-group 2

# Specify the hub private IPv6 address.

[PrimaryServer-vam-server-domain-abc-hub-group-2] hub ipv6 private-address 192:168:2::1

# Specify a spoke private IPv6 network.

[PrimaryServer-vam-server-domain-abc-hub-group-2] spoke ipv6 private-address network 192:168:2::0 64

[PrimaryServer-vam-server-domain-abc-hub-group-2] quit

# Set the preshared key to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Set the authentication mode to CHAP.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server

# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Hub1Group0.

<Hub1> system-view

[Hub1] vam client name Hub1Group0

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1Group0] advpn-domain abc

# Set the preshared key to 123456.

[Hub1-vam-client-Hub1Group0] pre-shared-key simple 123456

# Set both the username and password to hub1.

[Hub1-vam-client-Hub1Group0] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.

[Hub1-vam-client-Hub1Group0] server primary ipv6-address 1::11

[Hub1-vam-client-Hub1Group0] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub1-vam-client-Hub1Group0] client enable

[Hub1-vam-client-Hub1Group0] quit

# Create VAM client Hub1Group1.

[Hub1] vam client name Hub1Group1

# Specify ADVPN domain abc for the VAM client.

[Hub1-vam-client-Hub1Group1] advpn-domain abc

# Set the preshared key to 123456.

[Hub1-vam-client-Hub1Group1] pre-shared-key simple 123456

# Set both the username and password to hub1.

[Hub1-vam-client-Hub1Group1] user hub1 password simple hub1

# Specify the primary and secondary VAM servers.

[Hub1-vam-client-Hub1Group1] server primary ipv6-address 1::11

[Hub1-vam-client-Hub1Group1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub1-vam-client-Hub1Group1] client enable

[Hub1-vam-client-Hub1Group1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode tunnel

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm md5

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] service slot 2

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Hub1] ospfv3 1

[Hub1-ospfv3-1] router-id 0.0.0.1

[Hub1-ospfv3-1] area 0

[Hub1-ospfv3-1-area-0.0.0.0] quit

[Hub1-ospfv3-1] area 1

[Hub1-ospfv3-1-area-0.0.0.1] quit

[Hub1-ospfv3-1] quit

5.     Configure ADVPN tunnels:

# Configure UDP-mode IPv6 ADVPN tunnel interface Tunnel 1.

[Hub1] interface tunnel1 mode advpn udp ipv6

[Hub1-Tunnel1] ipv6 address 192:168:1::1 64

[Hub1-Tunnel1] ipv6 address fe80::1:1 link-local

[Hub1-Tunnel1] vam ipv6 client Hub1Group1

[Hub1-Tunnel1] service slot 2

[Hub1-Tunnel1] ospfv3 1 area 1

[Hub1-Tunnel1] ospfv3 network-type broadcast

[Hub1-Tunnel1] source ten-gigabitethernet 3/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] advpn source-port 6000

[Hub1-Tunnel1] quit

# Configure UDP-mode IPv6 ADVPN tunnel interface Tunnel 2.

[Hub1] interface tunnel2 mode advpn udp ipv6

[Hub1-Tunnel2] ipv6 address 192:168::1 64

[Hub1-Tunnel2] ipv6 address fe80::1 link-local

[Hub1-Tunnel2] vam ipv6 client Hub1Group0

[Hub1-Tunnel2] ospfv3 1 area 0

[Hub1-Tunnel2] ospfv3 network-type broadcast

[Hub1-Tunnel2] source ten-gigabitethernet 3/0/1

[Hub1-Tunnel2] tunnel protection ipsec profile abc

[Hub1-Tunnel2] quit

Configuring Hub 2

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Hub2Group0.

<Hub2> system-view

[Hub2] vam client name Hub2Group0

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2Group0] advpn-domain abc

# Set the preshared key to 123456.

[Hub2-vam-client-Hub2Group0] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2Group0] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2Group0] server primary ipv6-address 1::11

[Hub2-vam-client-Hub2Group0] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub2-vam-client-Hub2Group0] client enable

[Hub2-vam-client-Hub2Group0] quit

# Create VAM client Hub2Group1.

[Hub2] vam client name Hub2Group1

# Specify ADVPN domain abc for the VAM client.

[Hub2-vam-client-Hub2Group1] advpn-domain abc

# Set the preshared key to 123456.

[Hub2-vam-client-Hub2Group1] pre-shared-key simple 123456

# Set both the username and password to hub2.

[Hub2-vam-client-Hub2Group1] user hub2 password simple hub2

# Specify the primary and secondary VAM servers.

[Hub2-vam-client-Hub2Group1] server primary ipv6-address 1::11

[Hub2-vam-client-Hub2Group1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub2-vam-client-Hub2Group1] client enable

[Hub2-vam-client-Hub2Group1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode tunnel

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm md5

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] service slot 2

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Hub2] ospfv3 1

[Hub2-ospfv3-1] router-id 0.0.0.2

[Hub2-ospfv3-1] area 0

[Hub2-ospfv3-1-area-0.0.0.0] quit

[Hub2-ospfv3-1] area 1

[Hub2-ospfv3-1-area-0.0.0.1] quit

[Hub2-ospfv3-1] quit

5.     Configure ADVPN tunnels:

# Configure UDP-mode IPv6 ADVPN tunnel interface Tunnel 1.

[Hub2] interface tunnel1 mode advpn udp ipv6

[Hub2-Tunnel1] ipv6 address 192:168:1::2 64

[Hub2-Tunnel1] ipv6 address fe80::1:2 link-local

[Hub2-Tunnel1] vam ipv6 client Hub2Group1

[Hub2-Tunnel1] service slot 2

[Hub2-Tunnel1] ospfv3 1 area 1

[Hub2-Tunnel1] ospfv3 network-type broadcast

[Hub2-Tunnel1] source ten-gigabitethernet 3/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] advpn source-port 6000

[Hub2-Tunnel1] quit

# Configure UDP-mode IPv6 ADVPN tunnel interface Tunnel 2.

[Hub2] interface tunnel2 mode advpn udp ipv6

[Hub2-Tunnel2] ipv6 address 192:168::2 64

[Hub2-Tunnel2] ipv6 address fe80::2 link-local

[Hub2-Tunnel2] vam ipv6 client Hub2Group0

[Hub2-Tunnel2] ospfv3 1 area 0

[Hub2-Tunnel2] ospfv3 network-type broadcast

[Hub2-Tunnel2] source ten-gigabitethernet 3/0/1

[Hub2-Tunnel2] tunnel protection ipsec profile abc

[Hub2-Tunnel2] quit

Configuring Hub 3

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Hub3Group0.

<Hub3> system-view

[Hub3] vam client name Hub3Group0

# Specify ADVPN domain abc for the VAM client.

[Hub3-vam-client-Hub3Group0] advpn-domain abc

# Set the preshared key to 123456.

[Hub3-vam-client-Hub3Group0] pre-shared-key simple 123456

# Set both the username and password to hub3.

[Hub3-vam-client-Hub3Group0] user hub3 password simple hub3

# Specify the primary and secondary VAM servers.

[Hub3-vam-client-Hub3Group0] server primary ipv6-address 1::11

[Hub3-vam-client-Hub3Group0] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub3-vam-client-Hub3Group0] client enable

[Hub3-vam-client-Hub3Group0] quit

# Create VAM client Hub3Group1.

[Hub3] vam client name Hub3Group1

# Specify ADVPN domain abc for the VAM client.

[Hub3-vam-client-Hub3Group1] advpn-domain abc

# Set the preshared key to 123456.

[Hub3-vam-client-Hub3Group1] pre-shared-key simple 123456

# Set both the username and password to hub3.

[Hub3-vam-client-Hub3Group1] user hub3 password simple hub3

# Specify the primary and secondary VAM servers.

[Hub3-vam-client-Hub3Group1] server primary ipv6-address 1::11

[Hub3-vam-client-Hub3Group1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub3-vam-client-Hub3Group1] client enable

[Hub3-vam-client-Hub3Group1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Hub3] ike keychain abc

[Hub3-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub3-ike-keychain-abc] quit

[Hub3] ike profile abc

[Hub3-ike-profile-abc] keychain abc

[Hub3-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub3] ipsec transform-set abc

[Hub3-ipsec-transform-set-abc] encapsulation-mode tunnel

[Hub3-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Hub3-ipsec-transform-set-abc] esp authentication-algorithm md5

[Hub3-ipsec-transform-set-abc] quit

[Hub3] ipsec profile abc isakmp

[Hub3-ipsec-profile-isakmp-abc] service slot 2

[Hub3-ipsec-profile-isakmp-abc] transform-set abc

[Hub3-ipsec-profile-isakmp-abc] ike-profile abc

[Hub3-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Hub3] ospfv3 1

[Hub3-ospfv3-1] router-id 0.0.0.3

[Hub3-ospfv3-1] area 0

[Hub3-ospfv3-1-area-0.0.0.0] quit

[Hub3-ospfv3-1] area 2

[Hub3-ospfv3-1-area-0.0.0.2] quit

[Hub3-ospfv3-1] quit

5.     Configure ADVPN tunnels:

# Configure UDP-mode IPv6 ADVPN tunnel interface Tunnel 1.

[Hub3] interface tunnel1 mode advpn udp ipv6

[Hub3-Tunnel1] ipv6 address 192:168:2::1 64

[Hub3-Tunnel1] ipv6 address fe80::2:1 link-local

[Hub3-Tunnel1] vam ipv6 client Hub3Group1

[Hub3-Tunnel1] ospfv3 1 area 2

[Hub3-Tunnel1] ospfv3 network-type broadcast

[Hub3-Tunnel1] source ten-gigabitethernet 3/0/1

[Hub3-Tunnel1] tunnel protection ipsec profile abc

[Hub3-Tunnel1] advpn source-port 6000

[Hub3-Tunnel1] quit

# Configure UDP-mode IPv6 ADVPN tunnel interface Tunnel 2.

[Hub3] interface tunnel2 mode advpn udp ipv6

[Hub3-Tunnel2] ipv6 address 192:168::3 64

[Hub3-Tunnel2] ipv6 address fe80::3 link-local

[Hub3-Tunnel2] vam ipv6 client Hub3Group0

[Hub3-Tunnel2] ospfv3 1 area 0

[Hub3-Tunnel2] ospfv3 network-type broadcast

[Hub3-Tunnel2] source ten-gigabitethernet 3/0/1

[Hub3-Tunnel2] tunnel protection ipsec profile abc

[Hub3-Tunnel2] quit

Configuring Spoke 1

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Specify ADVPN domain abc for the VAM client.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the preshared key to 123456.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set both the username and password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the primary and secondary VAM servers.

[Spoke1-vam-client-Spoke1] server primary ipv6-address 1::11

[Spoke1-vam-client-Spoke1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] service slot 2

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Spoke1] ospfv3 1

[Spoke1-ospfv3-1] router-id 0.0.0.4

[Spoke1-ospfv3-1] area 0

[Spoke1-ospfv3-1-area-0.0.0.0] quit

[Spoke1-ospfv3-1] area 1

[Spoke1-ospfv3-1-area-0.0.0.1] quit

[Spoke1-ospfv3-1] quit

[Spoke1] interface ten-gigabitethernet 3/0/2

[Spoke1-Ten-GigabitEthernet3/0/2] ospfv3 1 area 1

[Spoke1-Ten-GigabitEthernet3/0/2] quit

5.     Configure UDP-mode IPv6 ADVPN tunnel interface Tunnel 1. Set its DR priority to 0 to prevent Spoke 1 from participating in DR/BDR election.

[Spoke1] interface tunnel1 mode advpn udp ipv6

[Spoke1-Tunnel1] ipv6 address 192:168:1::3 64

[Spoke1-Tunnel1] ipv6 address fe80::1:3 link-local

[Spoke1-Tunnel1] vam ipv6 client Spoke1

[Spoke1-Tunnel1] service slot 2

[Spoke1-Tunnel1] ospfv3 1 area 1

[Spoke1-Tunnel1] ospfv3 network-type broadcast

[Spoke1-Tunnel1] ospfv3 dr-priority 0

[Spoke1-Tunnel1] advpn ipv6 network 192:168:10::0 64

[Spoke1-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

Configuring Spoke 2

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Specify ADVPN domain abc for the VAM client.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the preshared key to 123456.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set both the username and password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the primary and secondary VAM servers.

[Spoke2-vam-client-Spoke2] server primary ipv6-address 1::11

[Spoke2-vam-client-Spoke2] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] service slot 2

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Spoke2] ospfv3 1

[Spoke2-ospfv3-1] router-id 0.0.0.5

[Spoke2-ospfv3-1] area 0

[Spoke2-ospfv3-1-area-0.0.0.0] quit

[Spoke2-ospfv3-1] area 1

[Spoke2-ospfv3-1-area-0.0.0.1] quit

[Spoke2-ospfv3-1] quit

[Spoke2] interface ten-gigabitethernet 3/0/2

[Spoke2-Ten-GigabitEthernet3/0/2] ospfv3 1 area 1

[Spoke2-Ten-GigabitEthernet3/0/2] quit

[Spoke2] interface ten-gigabitethernet 3/0/3

[Spoke2-Ten-GigabitEthernet3/0/3] ospfv3 1 area 1

[Spoke2-Ten-GigabitEthernet3/0/3] quit

5.     Configure UDP-mode IPv6 ADVPN tunnel interface Tunnel 1. Set its DR priority to 0 to prevent Spoke 2 from participating in DR/BDR election.

[Spoke2] interface tunnel1 mode advpn udp ipv6

[Spoke2-Tunnel1] ipv6 address 192:168:1::4 64

[Spoke2-Tunnel1] ipv6 address fe80::1:4 link-local

[Spoke2-Tunnel1] vam ipv6 client Spoke2

[Spoke2-Tunnel1] service slot 2

[Spoke2-Tunnel1] ospfv3 1 area 1

[Spoke2-Tunnel1] ospfv3 network-type broadcast

[Spoke2-Tunnel1] ospfv3 dr-priority 0

[Spoke2-Tunnel1] advpn ipv6 network 192:168:20::0 64

[Spoke2-Tunnel1] advpn ipv6 network 192:168:30::0 64

[Spoke2-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit

Configuring Spoke 3

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke3.

<Spoke3> system-view

[Spoke3] vam client name Spoke3

# Specify ADVPN domain abc for the VAM client.

[Spoke3-vam-client-Spoke3] advpn-domain abc

# Set the preshared key to 123456.

[Spoke3-vam-client-Spoke3] pre-shared-key simple 123456

# Set both the username and password to spoke3.

[Spoke3-vam-client-Spoke3] user spoke3 password simple spoke3

# Specify the primary and secondary VAM servers.

[Spoke3-vam-client-Spoke3] server primary ipv6-address 1::11

[Spoke3-vam-client-Spoke3] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke3-vam-client-Spoke3] client enable

[Spoke3-vam-client-Spoke3] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke3] ike keychain abc

[Spoke3-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke3-ike-keychain-abc] quit

[Spoke3] ike profile abc

[Spoke3-ike-profile-abc] keychain abc

[Spoke3-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke3] ipsec transform-set abc

[Spoke3-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke3-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke3-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke3-ipsec-transform-set-abc] quit

[Spoke3] ipsec profile abc isakmp

[Spoke3-ipsec-profile-isakmp-abc] service slot 2

[Spoke3-ipsec-profile-isakmp-abc] transform-set abc

[Spoke3-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke3-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Spoke3] ospfv3 1

[Spoke3-ospfv3-1] router-id 0.0.0.6

[Spoke3-ospfv3-1] area 0

[Spoke3-ospfv3-1-area-0.0.0.0] quit

[Spoke3-ospfv3-1] area 2

[Spoke3-ospfv3-1-area-0.0.0.2] quit

[Spoke3-ospfv3-1] quit

[Spoke3] interface ten-gigabitethernet 3/0/2

[Spoke3-Ten-GigabitEthernet3/0/2] ospfv3 1 area 2

[Spoke3-Ten-GigabitEthernet3/0/2] quit

5.     Configure UDP-mode IPv6 ADVPN tunnel interface Tunnel 1. Set its DR priority to 0 to prevent Spoke 3 from participating in DR/BDR election.

[Spoke3] interface tunnel1 mode advpn udp ipv6

[Spoke3-Tunnel1] ipv6 address 192:168:2::2 64

[Spoke3-Tunnel1] ipv6 address fe80::2:2 link-local

[Spoke3-Tunnel1] vam ipv6 client Spoke3

[Spoke3-Tunnel1] service slot 2

[Spoke3-Tunnel1] ospfv3 1 area 2

[Spoke3-Tunnel1] ospfv3 network-type broadcast

[Spoke3-Tunnel1] ospfv3 dr-priority 0

[Spoke3-Tunnel1] advpn ipv6 network 192:168:40::0 64

[Spoke3-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke3-Tunnel1] tunnel protection ipsec profile abc

[Spoke3-Tunnel1] quit

Configuring Spoke 4

1.     Configure IP addresses for the interfaces. (Details not shown.)

2.     Configure the VAM client:

# Create VAM client Spoke4.

<Spoke4> system-view

[Spoke4] vam client name Spoke4

# Specify ADVPN domain abc for the VAM client.

[Spoke4-vam-client-Spoke4] advpn-domain abc

# Set the preshared key to 123456.

[Spoke4-vam-client-Spoke4] pre-shared-key simple 123456

# Set both the username and password to spoke4.

[Spoke4-vam-client-Spoke4] user spoke4 password simple spoke4

# Specify the primary and secondary VAM servers.

[Spoke4-vam-client-Spoke4] server primary ipv6-address 1::11

[Spoke4-vam-client-Spoke4] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke4-vam-client-Spoke4] client enable

[Spoke4-vam-client-Spoke4] quit

3.     Configure an IPsec profile:

# Configure IKE.

[Spoke4] ike keychain abc

[Spoke4-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke4-ike-keychain-abc] quit

[Spoke4] ike profile abc

[Spoke4-ike-profile-abc] keychain abc

[Spoke4-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke4] ipsec transform-set abc

[Spoke4-ipsec-transform-set-abc] encapsulation-mode tunnel

[Spoke4-ipsec-transform-set-abc] esp encryption-algorithm AES-CBC-256

[Spoke4-ipsec-transform-set-abc] esp authentication-algorithm md5

[Spoke4-ipsec-transform-set-abc] quit

[Spoke4] ipsec profile abc isakmp

[Spoke4-ipsec-profile-isakmp-abc] service slot 2

[Spoke4-ipsec-profile-isakmp-abc] transform-set abc

[Spoke4-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke4-ipsec-profile-isakmp-abc] quit

4.     Configure OSPFv3.

[Spoke4] ospfv3 1

[Spoke4-ospfv3-1] router-id 0.0.0.7

[Spoke4-ospfv3-1] area 0

[Spoke4-ospfv3-1-area-0.0.0.0] quit

[Spoke4-ospfv3-1] area 2

[Spoke4-ospfv3-1-area-0.0.0.2] quit

[Spoke4-ospfv3-1] quit

[Spoke4] interface ten-gigabitethernet 3/0/2

[Spoke4-Ten-GigabitEthernet3/0/2] ospfv3 1 area 2

[Spoke4-Ten-GigabitEthernet3/0/2] quit

[Spoke4] interface ten-gigabitethernet 3/0/3

[Spoke4-Ten-GigabitEthernet3/0/3] ospfv3 1 area 2

[Spoke4-Ten-GigabitEthernet3/0/3] quit

5.     Configure UDP-mode IPv6 ADVPN tunnel interface Tunnel 1. Set its DR priority to 0 to prevent Spoke 4 from participating in DR/BDR election.

[Spoke4] interface tunnel1 mode advpn udp ipv6

[Spoke4-Tunnel1] ipv6 address 192:168:2::3 64

[Spoke4-Tunnel1] ipv6 address fe80::2:3 link-local

[Spoke4-Tunnel1] vam ipv6 client Spoke4

[Spoke4-Tunnel1] service slot 2

[Spoke4-Tunnel1] ospfv3 1 area 2

[Spoke4-Tunnel1] ospfv3 network-type broadcast

[Spoke4-Tunnel1] ospfv3 dr-priority 0

[Spoke4-Tunnel1] advpn ipv6 network 192:168:50::0 64

[Spoke4-Tunnel1] advpn ipv6 network 192:168:60::0 64

[Spoke4-Tunnel1] source ten-gigabitethernet 3/0/1

[Spoke4-Tunnel1] tunnel protection ipsec profile abc

[Spoke4-Tunnel1] quit
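Before moving on to verification, the configuration entered on the hubs and spokes above can be checked mechanically instead of by eye. The following Python script is an added example and is not part of this guide or of H3C's software: it reads a configuration transcript in the prompt-plus-command format shown above and flags the settings a security reviewer would question (HMAC-MD5 ESP authentication, secrets entered in simple form, the wildcard IKE pre-shared-key entry) together with tunnel-interface references to VAM clients, IPsec profiles, or OSPFv3 areas that the same device never defined. The finding codes, the sample transcript (an abridged Spoke 1 plus a deliberately misconfigured hub) and the assumption that device names contain no hyphen are the script's own.

```python
"""Lint a Comware-style configuration transcript for what a reviewer checks by
hand in an ADVPN/IPsec rollout: HMAC-MD5 ESP authentication, secrets given in
simple form, a wildcard IKE pre-shared key, and tunnel references to VAM
clients, IPsec profiles or OSPFv3 areas the same device never defined.
Added example, not H3C code; the finding codes are this script's own."""
from __future__ import annotations

import re
from typing import NamedTuple

# A prompt in square brackets, then the command, as the guide prints it.
LINE_RE = re.compile(r"^\[(?P<prompt>[^\]]+)\]\s+(?P<cmd>.+?)\s*$")

# Constructed, abridged transcript (quit lines omitted): Spoke 1 as in the
# guide, plus a hub that created an OSPFv2 process instead of OSPFv3 1 and
# bound its tunnel to a VAM client it never created.
SAMPLE = """\
[Spoke1] vam client name Spoke1
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm md5
[Spoke1] ipsec profile abc isakmp
[Spoke1] ospfv3 1
[Spoke1-ospfv3-1] area 1
[Spoke1] interface tunnel1 mode advpn udp ipv6
[Spoke1-Tunnel1] vam ipv6 client Spoke1
[Spoke1-Tunnel1] ospfv3 1 area 1
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Hub2] vam client name Hub2Group0
[Hub2] ipsec profile abc isakmp
[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2] interface tunnel2 mode advpn udp ipv6
[Hub2-Tunnel2] vam ipv6 client Hub2Group1
[Hub2-Tunnel2] ospfv3 1 area 0
[Hub2-Tunnel2] tunnel protection ipsec profile abc
"""

class Finding(NamedTuple):
    device: str
    code: str
    line: int
    detail: str

def dotted_area(area: str) -> str:
    """OSPFv3 accepts 'area 1' and 'area 0.0.0.1'; compare both in one form."""
    if "." in area:
        return area
    n = int(area)
    return f"{n >> 24 & 255}.{n >> 16 & 255}.{n >> 8 & 255}.{n & 255}"

def lint(transcript: str) -> list[Finding]:
    defs: dict[str, dict[str, set[str]]] = {}  # device -> kind -> defined names
    refs: list[tuple[str, str, str, int]] = []  # (device, kind, name, line)
    proc: dict[str, str] = {}                   # device -> OSPFv3 process in view
    findings: list[Finding] = []
    for n, raw in enumerate(transcript.splitlines(), 1):
        m = LINE_RE.match(raw)
        if not m:
            continue
        prompt, cmd = m["prompt"], m["cmd"]
        dev = prompt.split("-", 1)[0]           # assumes device names carry no hyphen
        d = defs.setdefault(dev, {"vam": set(), "profile": set(), "area": set()})
        w = cmd.split()
        # Definitions.
        if w[:3] == ["vam", "client", "name"] and len(w) > 3:
            d["vam"].add(w[3])
        elif w[:2] == ["ipsec", "profile"] and len(w) > 2:
            d["profile"].add(w[2])
        elif w[0] == "ospfv3" and len(w) == 2 and "-" not in prompt:
            proc[dev] = w[1]                    # entered OSPFv3 process view
        elif w[0] == "area" and len(w) > 1 and prompt.endswith(f"-ospfv3-{proc.get(dev)}"):
            d["area"].add(f"{proc[dev]}:{dotted_area(w[1])}")
        # References on tunnel interfaces, resolved once everything is read.
        elif w[:3] == ["vam", "ipv6", "client"] and len(w) > 3:
            refs.append((dev, "vam", w[3], n))
        elif w[:4] == ["tunnel", "protection", "ipsec", "profile"] and len(w) > 4:
            refs.append((dev, "profile", w[4], n))
        elif w[0] == "ospfv3" and len(w) >= 4 and w[2] == "area":
            refs.append((dev, "area", f"{w[1]}:{dotted_area(w[3])}", n))
        # Weak settings, flagged on the spot.
        if w[:2] == ["esp", "authentication-algorithm"] and len(w) > 2 and w[2].lower() == "md5":
            findings.append(Finding(dev, "weak-esp-auth", n, cmd))
        if "simple" in w and ("pre-shared-key" in w or "password" in w):
            findings.append(Finding(dev, "plaintext-secret", n, cmd))
        if w[:5] == ["pre-shared-key", "address", "ipv6", "::", "0"]:
            findings.append(Finding(dev, "wildcard-ike-psk", n, cmd))
    for dev, kind, name, n in refs:
        if name not in defs[dev][kind]:
            findings.append(Finding(dev, f"dangling-{kind}", n, name))
    return sorted(findings, key=lambda f: f.line)

if __name__ == "__main__":
    for f in lint(SAMPLE):
        print(f"{f.device:<7} line {f.line:>2}  {f.code:<18} {f.detail}")
```

Run against the sample, the script reports the three simple-form secrets, the wildcard IKE key and the MD5 transform set on Spoke 1, and on the hub the VAM client and OSPFv3 area that its tunnel names but that were never created. Definitions are collected for the whole transcript before references are resolved, so the order in which an operator enters the commands does not matter.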

Verifying the configuration

# Display IPv6 address mapping information for all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server ipv6 address-map

ADVPN domain name: abc

Total private address mappings: 10

Group      Private address       Public address         Type   NAT  Holding time

0          192:168::1            1::1                   Hub    No   0H 52M  7S

0          192:168::2            1::2                   Hub    No   0H 47M 31S

0          192:168::3            1::3                   Hub    No   0H 28M 25S

1          192:168:1::1          1::1                   Hub    No   0H 52M  7S

1          192:168:1::2          1::2                   Hub    No   0H 47M 31S

1          192:168:1::3          1::4                   Spoke  No   0H 18M 26S

1          192:168:1::4          1::5                   Spoke  No   0H 28M 25S

2          192:168:2::1          1::3                   Hub    No   0H 28M 25S

2          192:168:2::2          1::6                   Spoke  No   0H 25M 40S

2          192:168:2::3          1::7                   Spoke  No   0H 25M 31S

# Display IPv6 address mapping information for all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server ipv6 address-map

ADVPN domain name: abc

Total private address mappings: 10

Group      Private address       Public address         Type   NAT  Holding time

0          192:168::1            1::1                   Hub    No   0H 52M  7S

0          192:168::2            1::2                   Hub    No   0H 47M 31S

0          192:168::3            1::3                   Hub    No   0H 28M 25S

1          192:168:1::1          1::1                   Hub    No   0H 52M  7S

1          192:168:1::2          1::2                   Hub    No   0H 47M 31S

1          192:168:1::3          1::4                   Spoke  No   0H 18M 26S

1          192:168:1::4          1::5                   Spoke  No   0H 28M 25S

2          192:168:2::1          1::3                   Hub    No   0H 28M 25S

2          192:168:2::2          1::6                   Spoke  No   0H 25M 40S

2          192:168:2::3          1::7                   Spoke  No   0H 25M 31S

The output shows that Hub 1, Hub 2, Hub 3, Spoke 1, Spoke 2, Spoke 3, and Spoke 4 have all registered their address mapping information with both VAM servers, and that the primary and secondary servers hold identical mappings.

# Display IPv6 ADVPN tunnel information on the hubs. This example uses Hub 1.

[Hub1] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 3

Private address       Public address        Port  Type  State      Holding time

192:168:1::2          1::2                  18001 H-H   Success    0H 46M  8S

192:168:1::3          1::4                  18001 H-S   Success    0H 27M 27S

192:168:1::4          1::5                  18001 H-S   Success    0H 18M 18S

 

Interface         : Tunnel2

Number of sessions: 2

Private address       Public address        Port  Type  State      Holding time

192:168::2            1::2                  18001 H-H   Success    0H 46M  8S

192:168::3            1::3                  18001 H-H   Success    0H 27M 27S

The output shows that Hub 1 has established permanent hub-hub tunnels (type H-H) to Hub 2 and Hub 3 and permanent hub-spoke tunnels (type H-S) to Spoke 1 and Spoke 2.

# Display IPv6 ADVPN tunnel information on Spoke 1 and Spoke 2. This example uses Spoke 1.

[Spoke1] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 2

Private address       Public address        Port  Type  State      Holding time

192:168:1::1          1::1                  18001 S-H   Success    0H 46M  8S

192:168:1::2          1::2                  18001 S-H   Success    0H 46M  8S

The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.

# Display IPv6 ADVPN tunnel information on Spoke 3 and Spoke 4. This example uses Spoke 3.

[Spoke3] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 1

Private address       Public address        Port  Type  State      Holding time

192:168:2::1          1::3                  18001 S-H   Success    0H 46M  8S

The output shows that Spoke 3 has established a permanent hub-spoke tunnel to Hub 3.
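The displays above can also be checked against each other rather than read one at a time. The following Python script is an added example and is not part of this guide or of H3C's software: it parses the address map from both VAM servers and a hub's session table in the formats shown above, then reports servers that disagree, hub groups without a registered hub, and sessions whose peer public address or role does not match the map. The sample output it carries is constructed for the example (it omits Spoke 2 from the secondary server and lists Spoke 1 at the wrong public address on Hub 1), and the problem labels are the script's own.

```python
"""Cross-check ADVPN verification output: the two VAM servers must hold the
same address map, every hub group needs a registered hub, and each session a
hub reports must agree with the map on the peer's public address and role.
Added example, not H3C code; the sample output is constructed in the guide's
format and carries two deliberate faults."""
from __future__ import annotations

import re
from typing import NamedTuple

class MapEntry(NamedTuple):
    group: int
    private: str
    public: str
    kind: str  # "Hub" or "Spoke"

class Session(NamedTuple):
    interface: str
    private: str
    public: str
    kind: str  # "H-H", "H-S", "S-H" or "S-S"
    state: str

MAP_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(Hub|Spoke)\s+(?:Yes|No)\s")
IFACE_ROW = re.compile(r"^\s*Interface\s*:\s*(\S+)")
SESSION_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+\d+\s+([HS]-[HS])\s+(\S+)\s")

# Constructed: groups 0 and 1 as the primary server reports them. The
# secondary server lacks Spoke 2 (fault 1: the two servers disagree).
PRIMARY_MAP = """\
ADVPN domain name: abc
Group      Private address       Public address         Type   NAT  Holding time
0          192:168::1            1::1                   Hub    No   0H 52M  7S
0          192:168::2            1::2                   Hub    No   0H 47M 31S
0          192:168::3            1::3                   Hub    No   0H 28M 25S
1          192:168:1::1          1::1                   Hub    No   0H 52M  7S
1          192:168:1::2          1::2                   Hub    No   0H 47M 31S
1          192:168:1::3          1::4                   Spoke  No   0H 18M 26S
1          192:168:1::4          1::5                   Spoke  No   0H 28M 25S
"""
SECONDARY_MAP = "\n".join(l for l in PRIMARY_MAP.splitlines() if "192:168:1::4" not in l)

# Constructed: Hub 1's session table. Spoke 1 (192:168:1::3) is shown at a
# public address that is not the one the map holds (fault 2).
HUB1_SESSIONS = """\
Interface         : Tunnel1
Number of sessions: 3
Private address       Public address        Port  Type  State      Holding time
192:168:1::2          1::2                  18001 H-H   Success    0H 46M  8S
192:168:1::3          1::3                  18001 H-S   Success    0H 27M 27S
192:168:1::4          1::5                  18001 H-S   Success    0H 18M 18S

Interface         : Tunnel2
Number of sessions: 2
Private address       Public address        Port  Type  State      Holding time
192:168::2            1::2                  18001 H-H   Success    0H 46M  8S
192:168::3            1::3                  18001 H-H   Success    0H 27M 27S
"""

def parse_address_map(text: str) -> set[MapEntry]:
    """Data rows of 'display vam server ipv6 address-map'; header lines never match."""
    return {MapEntry(int(m[1]), m[2], m[3], m[4])
            for m in map(MAP_ROW.match, text.splitlines()) if m}

def parse_sessions(text: str) -> list[Session]:
    """Data rows of 'display advpn ipv6 session', tagged with their interface."""
    sessions, iface = [], None
    for line in text.splitlines():
        if (m := IFACE_ROW.match(line)):
            iface = m[1]
        elif (m := SESSION_ROW.match(line)) and iface:
            sessions.append(Session(iface, m[1], m[2], m[3], m[4]))
    return sessions

def check(primary_text: str, secondary_text: str, session_text: str) -> list[str]:
    primary, secondary = parse_address_map(primary_text), parse_address_map(secondary_text)
    problems = [f"server-mismatch: {e.private} is registered on only one VAM server"
                for e in sorted(primary ^ secondary)]
    for g in sorted({e.group for e in primary}):
        if not any(e.group == g and e.kind == "Hub" for e in primary):
            problems.append(f"no-hub: group {g} has no registered hub")
    by_private = {e.private: e for e in primary}
    for s in parse_sessions(session_text):
        peer = by_private.get(s.private)
        if peer is None:
            problems.append(f"unregistered-peer: {s.private} on {s.interface} is not in the map")
            continue
        if peer.public != s.public:
            problems.append(f"public-address-mismatch: {s.private} on {s.interface} "
                            f"uses {s.public}, map says {peer.public}")
        if peer.kind != ("Hub" if s.kind.endswith("H") else "Spoke"):
            problems.append(f"role-mismatch: {s.private} is a {peer.kind}, session type {s.kind}")
        if s.state != "Success":
            problems.append(f"session-down: {s.private} on {s.interface} is {s.state}")
    return problems

if __name__ == "__main__":
    for p in check(PRIMARY_MAP, SECONDARY_MAP, HUB1_SESSIONS):
        print(p)
```

On the constructed sample the script reports exactly the two planted faults; with identical server output only the public-address mismatch remains. The same three displays captured from a live domain can be fed in unchanged, since the regular expressions key on the column layout shown above and ignore the header and summary lines.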


 
