CLI example: Configuring an IKE-based IPsec tunnel for IPv6 packets between gateways

Network configuration

As shown in Figure 1, establish an IPsec tunnel between Device A and Device B to protect data flows between subnet 333::/64 and subnet 555::/64. Configure the IPsec tunnel as follows:

· Use tunnel encapsulation mode.

· Use ESP as the security protocol, with AES-CBC-128 for encryption and HMAC-SHA1 for authentication.

· Set up the SAs through IKE negotiation, using preshared-key authentication.

Figure 1 Network diagram

Software versions used

This configuration example was created and verified on E8371 of the F5000-AI160 device.

Procedures

Configuring Device A

1.        Assign IP addresses to interfaces:

# Assign an IP address to interface GigabitEthernet 1/0/1.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ipv6 address 333::1/64

[DeviceA-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

2.        Configure settings for routing.

This example configures static routes, and the next hop in the routes is 111::2.

[DeviceA] ipv6 route-static 555::0 64 111::2

[DeviceA] ipv6 route-static 222::0 64 111::2

3.        Add interfaces to security zones.

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Trust] quit

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Untrust] quit

4.        Configure a security policy:

Configure rules to permit traffic between the Untrust and Local security zones, so the devices can set up an IPsec tunnel. IKE negotiation packets are originated and terminated by the device itself (the Local zone), so they are not covered by the Trust-Untrust rules for host traffic:

# Configure a rule named ipseclocalout to allow Device A to send IPsec negotiation packets to Device B.

[DeviceA] security-policy ipv6

[DeviceA-security-policy-ipv6] rule name ipseclocalout

[DeviceA-security-policy-ipv6-1-ipseclocalout] source-zone local

[DeviceA-security-policy-ipv6-1-ipseclocalout] destination-zone untrust

[DeviceA-security-policy-ipv6-1-ipseclocalout] source-ip-host 111::1

[DeviceA-security-policy-ipv6-1-ipseclocalout] destination-ip-host 222::1

[DeviceA-security-policy-ipv6-1-ipseclocalout] action pass

[DeviceA-security-policy-ipv6-1-ipseclocalout] quit

# Configure a rule named ipseclocalin to allow Device A to receive the IPsec negotiation packets sent from Device B.

[DeviceA-security-policy-ipv6] rule name ipseclocalin

[DeviceA-security-policy-ipv6-2-ipseclocalin] source-zone untrust

[DeviceA-security-policy-ipv6-2-ipseclocalin] destination-zone local

[DeviceA-security-policy-ipv6-2-ipseclocalin] source-ip-host 222::1

[DeviceA-security-policy-ipv6-2-ipseclocalin] destination-ip-host 111::1

[DeviceA-security-policy-ipv6-2-ipseclocalin] action pass

[DeviceA-security-policy-ipv6-2-ipseclocalin] quit

Configure rules to permit the traffic between Host A and Host B:

# Configure a rule named trust-untrust to permit the packets from Host A to Host B.

[DeviceA-security-policy-ipv6] rule name trust-untrust

[DeviceA-security-policy-ipv6-3-trust-untrust] source-zone trust

[DeviceA-security-policy-ipv6-3-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ipv6-3-trust-untrust] source-ip-subnet 333::1 64

[DeviceA-security-policy-ipv6-3-trust-untrust] destination-ip-subnet 555::1 64

[DeviceA-security-policy-ipv6-3-trust-untrust] action pass

[DeviceA-security-policy-ipv6-3-trust-untrust] quit

# Configure a rule named untrust-trust to permit the packets from Host B to Host A.

[DeviceA-security-policy-ipv6] rule name untrust-trust

[DeviceA-security-policy-ipv6-4-untrust-trust] source-zone untrust

[DeviceA-security-policy-ipv6-4-untrust-trust] destination-zone trust

[DeviceA-security-policy-ipv6-4-untrust-trust] source-ip-subnet 555::1 64

[DeviceA-security-policy-ipv6-4-untrust-trust] destination-ip-subnet 333::1 64

[DeviceA-security-policy-ipv6-4-untrust-trust] action pass

[DeviceA-security-policy-ipv6-4-untrust-trust] quit

[DeviceA-security-policy-ipv6] quit

5.        Define the data flows to be protected:

# Configure an IPv6 advanced ACL to identify data flows from subnet 333::/64 to subnet 555::/64.

[DeviceA] acl ipv6 advanced 3101

[DeviceA-acl-ipv6-adv-3101] rule permit ipv6 source 333::0 64 destination 555::0 64

[DeviceA-acl-ipv6-adv-3101] quit

6.        Configure an IPsec transform set to specify the packet encapsulation mode, security protocols, and algorithms.

The IPsec transform set settings at both sides of the IPsec tunnel must be the same. This example uses AES-CBC-128 with HMAC-SHA1 for integrity protection; where both peers support it, prefer a SHA-2 algorithm such as sha256 for the ESP authentication algorithm.

[DeviceA] ipsec transform-set tran1

[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel

[DeviceA-ipsec-transform-set-tran1] protocol esp

[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-tran1] quit

7.        Configure an IKE keychain to specify the key information used for IKE communication.

The preshared key used by both sides of the communication must be the same. The key shown here is a sample value only; use a long, randomly generated key that is unique to this pair of peers. A key entered with the simple keyword appears in plaintext in the configuration file, as shown at the end of this example.

[DeviceA] ike keychain keychain1

[DeviceA-ike-keychain-keychain1] pre-shared-key address ipv6 222::1 64 key simple 123456TESTplat&!

[DeviceA-ike-keychain-keychain1] quit

8.        Configure an IKE profile to specify the security parameters used for setting up IKE SAs. This example references no IKE proposal from the profile, so the device's default IKE proposal is used for the IKE SA negotiation; for a production tunnel, define an IKE proposal with current algorithms and reference it from the profile.

[DeviceA] ike profile profile1

[DeviceA-ike-profile-profile1] keychain keychain1

[DeviceA-ike-profile-profile1] match remote identity address ipv6 222::1 64

[DeviceA-ike-profile-profile1] quit

9.        Configure an IPsec policy, so as to establish the IPsec tunnel to protect data:

# Create an IKE-based IPsec policy entry, which specifies the ACL for IPsec, IPsec transform set, local and remote IP addresses, and IKE profile.

[DeviceA] ipsec ipv6-policy map1 10 isakmp

[DeviceA-ipsec-ipv6-policy-isakmp-map1-10] security acl ipv6 3101

[DeviceA-ipsec-ipv6-policy-isakmp-map1-10] transform-set tran1

[DeviceA-ipsec-ipv6-policy-isakmp-map1-10] local-address ipv6 111::1

[DeviceA-ipsec-ipv6-policy-isakmp-map1-10] remote-address ipv6 222::1

[DeviceA-ipsec-ipv6-policy-isakmp-map1-10] ike-profile profile1

[DeviceA-ipsec-ipv6-policy-isakmp-map1-10] quit

10.     Apply the IPsec policy to GigabitEthernet 1/0/2 to protect traffic on the interface.

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] ipsec apply ipv6-policy map1

[DeviceA-GigabitEthernet1/0/2] quit

Configuring Device B

1.        Assign IP addresses to interfaces:

# Assign an IP address to interface GigabitEthernet 1/0/1.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ipv6 address 555::1/64

[DeviceB-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

2.        Configure settings for routing.

This example configures static routes, and the next hop in the routes is 222::2.

[DeviceB] ipv6 route-static 333::0 64 222::2

[DeviceB] ipv6 route-static 111::0 64 222::2

3.        Add interfaces to security zones.

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Trust] quit

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Untrust] quit

4.        Configure a security policy:

Configure rules to permit traffic between the Untrust and Local security zones, so the devices can set up an IPsec tunnel:

# Configure a rule named ipseclocalout to allow Device B to send IPsec negotiation packets to Device A.

[DeviceB] security-policy ipv6

[DeviceB-security-policy-ipv6] rule name ipseclocalout

[DeviceB-security-policy-ipv6-1-ipseclocalout] source-zone local

[DeviceB-security-policy-ipv6-1-ipseclocalout] destination-zone untrust

[DeviceB-security-policy-ipv6-1-ipseclocalout] source-ip-host 222::1

[DeviceB-security-policy-ipv6-1-ipseclocalout] destination-ip-host 111::1

[DeviceB-security-policy-ipv6-1-ipseclocalout] action pass

[DeviceB-security-policy-ipv6-1-ipseclocalout] quit

# Configure a rule named ipseclocalin to allow Device B to receive the IPsec negotiation packets sent from Device A.

[DeviceB-security-policy-ipv6] rule name ipseclocalin

[DeviceB-security-policy-ipv6-2-ipseclocalin] source-zone untrust

[DeviceB-security-policy-ipv6-2-ipseclocalin] destination-zone local

[DeviceB-security-policy-ipv6-2-ipseclocalin] source-ip-host 111::1

[DeviceB-security-policy-ipv6-2-ipseclocalin] destination-ip-host 222::1

[DeviceB-security-policy-ipv6-2-ipseclocalin] action pass

[DeviceB-security-policy-ipv6-2-ipseclocalin] quit

Configure rules to permit traffic between Host B and Host A:

# Configure a rule named trust-untrust to permit the packets from Host B to Host A. On Device B, the Trust zone is the 555::/64 side, so the source subnet is 555::/64 and the destination subnet is 333::/64.

[DeviceB-security-policy-ipv6] rule name trust-untrust

[DeviceB-security-policy-ipv6-3-trust-untrust] source-zone trust

[DeviceB-security-policy-ipv6-3-trust-untrust] destination-zone untrust

[DeviceB-security-policy-ipv6-3-trust-untrust] source-ip-subnet 555::1 64

[DeviceB-security-policy-ipv6-3-trust-untrust] destination-ip-subnet 333::1 64

[DeviceB-security-policy-ipv6-3-trust-untrust] action pass

[DeviceB-security-policy-ipv6-3-trust-untrust] quit

# Configure a rule named untrust-trust to permit the packets from Host A to Host B (decapsulated traffic arriving from the tunnel).

[DeviceB-security-policy-ipv6] rule name untrust-trust

[DeviceB-security-policy-ipv6-4-untrust-trust] source-zone untrust

[DeviceB-security-policy-ipv6-4-untrust-trust] destination-zone trust

[DeviceB-security-policy-ipv6-4-untrust-trust] source-ip-subnet 333::1 64

[DeviceB-security-policy-ipv6-4-untrust-trust] destination-ip-subnet 555::1 64

[DeviceB-security-policy-ipv6-4-untrust-trust] action pass

[DeviceB-security-policy-ipv6-4-untrust-trust] quit

[DeviceB-security-policy-ipv6] quit

5.        Define the data flows to be protected:

# Configure an IPv6 advanced ACL to identify data flows from subnet 555::/64 to subnet 333::/64.

[DeviceB] acl ipv6 advanced 3101

[DeviceB-acl-ipv6-adv-3101] rule permit ipv6 source 555::/64 destination 333::/64

[DeviceB-acl-ipv6-adv-3101] quit

6.        Configure an IPsec transform set to specify the packet encapsulation mode, security protocols, and algorithms.

The IPsec transform set settings at both sides of the IPsec tunnel must be the same.

[DeviceB] ipsec transform-set tran1

[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel

[DeviceB-ipsec-transform-set-tran1] protocol esp

[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceB-ipsec-transform-set-tran1] quit

7.        Configure an IKE keychain to specify the key information used for IKE communication.

The preshared key used by both sides of the communication must be the same.

[DeviceB] ike keychain keychain1

[DeviceB-ike-keychain-keychain1] pre-shared-key address ipv6 111::1 64 key simple 123456TESTplat&!

[DeviceB-ike-keychain-keychain1] quit

8.        Configure an IKE profile to specify the security parameters used for setting up IKE SAs.

[DeviceB] ike profile profile1

[DeviceB-ike-profile-profile1] keychain keychain1

[DeviceB-ike-profile-profile1] match remote identity address ipv6 111::1 64

[DeviceB-ike-profile-profile1] quit

9.        Configure an IPsec policy, so as to establish the IPsec tunnel to protect data:

# Create an IKE-based IPsec policy entry, which specifies the ACL for IPsec, IPsec transform set, local and remote IP addresses, and IKE profile.

[DeviceB] ipsec ipv6-policy use1 10 isakmp

[DeviceB-ipsec-ipv6-policy-isakmp-use1-10] security acl ipv6 3101

[DeviceB-ipsec-ipv6-policy-isakmp-use1-10] transform-set tran1

[DeviceB-ipsec-ipv6-policy-isakmp-use1-10] local-address ipv6 222::1

[DeviceB-ipsec-ipv6-policy-isakmp-use1-10] remote-address ipv6 111::1

[DeviceB-ipsec-ipv6-policy-isakmp-use1-10] ike-profile profile1

[DeviceB-ipsec-ipv6-policy-isakmp-use1-10] quit

10.     Apply the IPsec policy to GigabitEthernet 1/0/2 to protect traffic on the interface.

[DeviceB] interface gigabitethernet 1/0/2

[DeviceB-GigabitEthernet1/0/2] ipsec apply ipv6-policy use1

[DeviceB-GigabitEthernet1/0/2] quit
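The procedure above uses the device's default IKE proposal, AES-CBC-128 with HMAC-SHA1 for ESP, no PFS, the default SA lifetimes, and (as the sample output in the next section shows) no anti-replay checking. The following block is an added example and is not part of the original configuration example: it replaces steps 6 through 9 on Device A with a hardened variant. The command syntax is Comware 7 as assumed here (ike proposal, proposal and dpd under the IKE profile, pfs under the transform set, and the global ipsec sa global-duration and ipsec anti-replay check commands); confirm each command against the command reference for the software version in use. Device B mirrors these settings with the local and remote addresses swapped, and the preshared key must still match on both sides.

```text
# Added example, not part of the original page. Hardened variant of the
# Device A IKE and IPsec settings; Comware 7 syntax is assumed throughout.

# Explicit IKE proposal instead of the default one: AES-256, SHA-256 and
# DH group 14 for the IKE SA, with preshared-key authentication.
[DeviceA] ike proposal 1
[DeviceA-ike-proposal-1] encryption-algorithm aes-cbc-256
[DeviceA-ike-proposal-1] authentication-algorithm sha256
[DeviceA-ike-proposal-1] dh group14
[DeviceA-ike-proposal-1] authentication-method pre-share
[DeviceA-ike-proposal-1] quit

# Bind the proposal to the IKE profile, pin the local identity to the
# tunnel endpoint address, and enable on-demand dead peer detection so
# SAs to a dead peer are torn down instead of silently black-holing traffic.
[DeviceA] ike profile profile1
[DeviceA-ike-profile-profile1] proposal 1
[DeviceA-ike-profile-profile1] local-identity address ipv6 111::1
[DeviceA-ike-profile-profile1] dpd interval 10 retry 3 on-demand
[DeviceA-ike-profile-profile1] quit

# ESP with AES-256 and HMAC-SHA-256, plus PFS so each IPsec SA rekey runs a
# fresh DH exchange rather than deriving keys from the IKE SA alone.
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] protocol esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-256
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha256
[DeviceA-ipsec-transform-set-tran1] pfs dh-group14
[DeviceA-ipsec-transform-set-tran1] quit

# Shorter time-based IPsec SA lifetime (one hour) and anti-replay checking,
# which the sample display ipsec sa output on this page shows as disabled.
[DeviceA] ipsec sa global-duration time-based 3600
[DeviceA] ipsec anti-replay check

# The IPsec policy from step 9 is unchanged; it still references tran1 and
# profile1, so the hardened settings take effect at the next negotiation.
[DeviceA] reset ipsec sa
[DeviceA] reset ike sa
```

After applying the same changes on Device B, clear the existing SAs on both devices as shown so that the next packet matching ACL 3101 triggers a fresh negotiation with the new proposal and transform set; display ipsec sa should then list ESP-ENCRYPT-AES-CBC-256 and ESP-AUTH-SHA256 in the Transform set field and Y for the anti-replay check.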

Verifying the configuration

# Initiate a connection from subnet 333::/64 to subnet 555::/64 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, the traffic between the two subnets is IPsec-protected.

# Display IKE SAs and IPsec SAs on Device A and Device B. This example uses Device A to verify the configuration. Use display ike sa first to confirm that an IKE SA with 222::1 has been established; if no IKE SA appears, check the Local-Untrust security policy rules and the preshared key before looking at the IPsec settings. In the display ipsec sa output, both the inbound and outbound ESP SAs should show Status: Active and a Transform set matching tran1. Note that the sample output shows Anti-replay check enable: N, so replayed ESP packets would be accepted on this SA; enable anti-replay checking on a production tunnel.

[DeviceA] display ipsec sa

-------------------------------

Interface: GigabitEthernet1/0/2

-------------------------------

 

  -----------------------------

  IPsec policy: map1

  Sequence number: 10

  Alias: map1-10

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Transmitting entity: Initiator

    Path MTU: 1423

    Tunnel:

        local  address/port: 111::1/500

        remote address/port: 222::1/500

    Flow:

    sour addr: 111::1/0      port: 0  protocol: ipv6

    dest addr: 222::1/0      port: 0  protocol: ipv6

 

    [Inbound ESP SAs]

      SPI: 3769702703 (0xe0b1192f)

      Connection ID: 1

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 3000/28800

      SA remaining duration (kilobytes/sec): 2300/797

      Max received sequence-number: 1

      Anti-replay check enable: N

      Anti-replay window size:

      UDP encapsulation used for NAT traversal: N

      Status: Active

 

    [Outbound ESP SAs]

      SPI: 3840956402 (0xe4f057f2)

      Connection ID: 2

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 3000/28800

      SA remaining duration (kilobytes/sec): 2312/797

      Max sent sequence-number: 1

      UDP encapsulation used for NAT traversal: N

      Status: Active

Configuration files

Device A:

#

interface GigabitEthernet1/0/1

 ipv6 address 333::1/64

#

interface GigabitEthernet1/0/2

 ipv6 address 111::1/64

 ipsec apply ipv6-policy map1

#

security-zone name Trust

 import interface GigabitEthernet1/0/1

#

security-zone name Untrust

 import interface GigabitEthernet1/0/2

#

 ipv6 route-static 222:: 64 111::2

 ipv6 route-static 555:: 64 111::2

#

acl ipv6 advanced 3101

 rule 0 permit ipv6 source 333::/64 destination 555::/64

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec ipv6-policy map1 10 isakmp

 transform-set tran1

 security acl ipv6 3101

 local-address ipv6 111::1

 remote-address ipv6 222::1

 ike-profile profile1

#

ike profile profile1

 keychain keychain1

 match remote identity address ipv6 222::1 64

#

ike keychain keychain1

 pre-shared-key address ipv6 222::1 64 key simple 123456TESTplat&!

#

security-policy ipv6

 rule 0 name ipseclocalout

  action pass

  source-zone local

  destination-zone untrust

  source-ip-host 111::1

  destination-ip-host 222::1

 rule 1 name ipseclocalin

  action pass

  source-zone untrust

  destination-zone local

  source-ip-host 222::1

  destination-ip-host 111::1

 rule 2 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 333::/64

  destination-ip-subnet 555::/64

 rule 3 name untrust-trust

  action pass

  source-zone untrust

  destination-zone trust

  source-ip-subnet 555::/64

  destination-ip-subnet 333::/64

#

Device B:

#

interface GigabitEthernet1/0/1

 ipv6 address 555::1/64

#

interface GigabitEthernet1/0/2

 ipv6 address 222::1/64

 ipsec apply ipv6-policy use1

#

security-zone name Trust

 import interface GigabitEthernet1/0/1

#

security-zone name Untrust

 import interface GigabitEthernet1/0/2

#

 ipv6 route-static 111:: 64 222::2

 ipv6 route-static 333:: 64 222::2

#

acl ipv6 advanced 3101

 rule 0 permit ipv6 source 555::/64 destination 333::/64

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec ipv6-policy use1 10 isakmp

 transform-set tran1

 security acl ipv6 3101

 local-address ipv6 222::1

 remote-address ipv6 111::1

 ike-profile profile1

#

ike profile profile1

 keychain keychain1

 match remote identity address ipv6 111::1 64

#

ike keychain keychain1

 pre-shared-key address ipv6 111::1 64 key simple 123456TESTplat&!

#

security-policy ipv6

 rule 0 name ipseclocalout

  action pass

  source-zone local

  destination-zone untrust

  source-ip-host 222::1

  destination-ip-host 111::1

 rule 1 name ipseclocalin

  action pass

  source-zone untrust

  destination-zone local

  source-ip-host 111::1

  destination-ip-host 222::1

 rule 2 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 555::/64

  destination-ip-subnet 333::/64

 rule 3 name untrust-trust

  action pass

  source-zone untrust

  destination-zone trust

  source-ip-subnet 333::/64

  destination-ip-subnet 555::/64

#