CLI example: Configuring IPsec smart link selection

Network configuration

As shown in Figure 1, Device A acts as the IPsec gateway of the branch and Device B is the IPsec gateway of the headquarters. Configure IPsec smart link selection so the branch can establish an IPsec tunnel to the headquarters over link 1 or link 2, whichever has the better link quality.

Figure 1 Network diagram

Software versions used

This configuration example was created and verified on E8371 of the F5000-AI160 device.

Procedures

Configuring Device A

1. Configure the IP addresses and gateway addresses for GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2:

# Configure an IP address for GigabitEthernet 1/0/1 and specify the gateway address for the interface. This example uses 1.1.1.3 as the gateway address.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 24

[DeviceA-GigabitEthernet1/0/1] gateway 1.1.1.3

[DeviceA-GigabitEthernet1/0/1] quit

# Configure an IP address for GigabitEthernet 1/0/2 and specify the gateway address for the interface. This example uses 2.2.2.3 as the gateway address.

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] ip address 2.2.2.2 24

[DeviceA-GigabitEthernet1/0/2] gateway 2.2.2.3

[DeviceA-GigabitEthernet1/0/2] quit

2. Add interfaces to security zones.

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/3

[DeviceA-security-zone-Trust] quit

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Untrust] quit

3. Configure a security policy:

Configure rules to permit traffic between the Untrust and Local security zones, so the devices can set up an IPsec tunnel:

# Configure a rule named ipseclocalout to allow Device A to send IPsec negotiation packets to Device B.

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name ipseclocalout

[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local

[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust

[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1

[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2

[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 3.3.3.3

[DeviceA-security-policy-ip-1-ipseclocalout] action pass

[DeviceA-security-policy-ip-1-ipseclocalout] quit

# Configure a rule named ipseclocalin to allow Device A to receive the IPsec negotiation packets sent from Device B.

[DeviceA-security-policy-ip] rule name ipseclocalin

[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust

[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local

[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 3.3.3.3

[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1

[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2

[DeviceA-security-policy-ip-2-ipseclocalin] action pass

[DeviceA-security-policy-ip-2-ipseclocalin] quit

Configure rules to permit the traffic between Host A and Host B:

# Configure a rule named trust-untrust to permit the packets from Host A to Host B.

[DeviceA-security-policy-ip] rule name trust-untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24

[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.2.0 24

[DeviceA-security-policy-ip-3-trust-untrust] action pass

[DeviceA-security-policy-ip-3-trust-untrust] quit

# Configure a rule named untrust-trust to permit the packets from Host B to Host A.

[DeviceA-security-policy-ip] rule name untrust-trust

[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust

[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust

[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.2.0 24

[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.1.0 24

[DeviceA-security-policy-ip-4-untrust-trust] action pass

[DeviceA-security-policy-ip-4-untrust-trust] quit

[DeviceA-security-policy-ip] quit

4. Configure an IPsec smart link policy, so that the device can select a qualified link to establish an IPsec tunnel with the headquarters.

[DeviceA] ipsec smart-link policy policy1

[DeviceA-ipsec-smart-link-policy-policy1] link 1 interface gigabitethernet 1/0/1 remote 3.3.3.3

[DeviceA-ipsec-smart-link-policy-policy1] link 2 interface gigabitethernet 1/0/2 remote 3.3.3.3

[DeviceA-ipsec-smart-link-policy-policy1] link-switch cycles 4

[DeviceA-ipsec-smart-link-policy-policy1] smart-link enable

[DeviceA-ipsec-smart-link-policy-policy1] quit

5. Configure an ACL to define the data flows to be protected by IPsec.

[DeviceA] acl advanced 3000

[DeviceA-acl-ipv4-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[DeviceA-acl-ipv4-adv-3000] quit

6. Configure an IPsec transform set to specify the packet encapsulation mode, security protocols, and algorithms.

The IPsec transform set settings at both sides of the IPsec tunnel must be the same.

[DeviceA] ipsec transform-set tran1

[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel

[DeviceA-ipsec-transform-set-tran1] protocol esp

[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-tran1] quit

7. Configure an IKE keychain to specify the key information used for IKE communication.

The preshared key used by both sides of the communication must be the same.

[DeviceA] ike keychain keychain1

[DeviceA-ike-keychain-keychain1] pre-shared-key address 3.3.3.3 24 key simple 123456

[DeviceA-ike-keychain-keychain1] quit

8. Configure an IKE profile to specify the security parameters used for setting up IKE SAs.

[DeviceA] ike profile profile1

[DeviceA-ike-profile-profile1] keychain keychain1

[DeviceA-ike-profile-profile1] match remote identity address 3.3.3.3 24

[DeviceA-ike-profile-profile1] quit

9. Configure an IPsec policy to establish the IPsec tunnel that protects data.

[DeviceA] ipsec policy policy1 10 isakmp

[DeviceA-ipsec-policy-isakmp-policy1-10] security acl 3000

[DeviceA-ipsec-policy-isakmp-policy1-10] transform-set tran1

[DeviceA-ipsec-policy-isakmp-policy1-10] ike-profile profile1

[DeviceA-ipsec-policy-isakmp-policy1-10] smart-link policy policy1

[DeviceA-ipsec-policy-isakmp-policy1-10] quit

Configuring Device B

1. Assign an IP address to interface GigabitEthernet 1/0/1, and configure the gateway address. In this example, the gateway address is the direct next hop address 3.3.3.4.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 3.3.3.3 24

[DeviceB-GigabitEthernet1/0/1] gateway 3.3.3.4

[DeviceB-GigabitEthernet1/0/1] quit

2. Add interfaces to security zones.

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Trust] quit

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Untrust] quit

3. Configure a security policy:

Configure rules to permit traffic between the Untrust and Local security zones, so the devices can set up an IPsec tunnel:

# Configure a rule named ipseclocalout to allow Device B to send IPsec negotiation packets to Device A.

[DeviceB] security-policy ip

[DeviceB-security-policy-ip] rule name ipseclocalout

[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local

[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust

[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 3.3.3.3

[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1

[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2

[DeviceB-security-policy-ip-1-ipseclocalout] action pass

[DeviceB-security-policy-ip-1-ipseclocalout] quit

# Configure a rule named ipseclocalin to allow Device B to receive the IPsec negotiation packets sent from Device A.

[DeviceB-security-policy-ip] rule name ipseclocalin

[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust

[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local

[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1

[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2

[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 3.3.3.3

[DeviceB-security-policy-ip-2-ipseclocalin] action pass

[DeviceB-security-policy-ip-2-ipseclocalin] quit

Configure rules to permit the traffic between Host A and Host B:

# Configure a rule named trust-untrust to permit the packets from Host B to Host A.

[DeviceB-security-policy-ip] rule name trust-untrust

[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.2.0 24

[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.1.0 24

[DeviceB-security-policy-ip-3-trust-untrust] action pass

[DeviceB-security-policy-ip-3-trust-untrust] quit

# Configure a rule named untrust-trust to permit the packets from Host A to Host B.

[DeviceB-security-policy-ip] rule name untrust-trust

[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust

[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust

[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.1.0 24

[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.2.0 24

[DeviceB-security-policy-ip-4-untrust-trust] action pass

[DeviceB-security-policy-ip-4-untrust-trust] quit

[DeviceB-security-policy-ip] quit

4. Configure an ACL to define the data flows to be protected by IPsec.

[DeviceB] acl advanced 3000

[DeviceB-acl-ipv4-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

[DeviceB-acl-ipv4-adv-3000] rule permit ip source 3.3.3.0 0.0.0.255 destination 1.1.1.0 0.0.0.255

[DeviceB-acl-ipv4-adv-3000] rule permit ip source 3.3.3.0 0.0.0.255 destination 2.2.2.0 0.0.0.255

[DeviceB-acl-ipv4-adv-3000] quit

5. Configure an IPsec transform set to specify the packet encapsulation mode, security protocols, and algorithms.

The IPsec transform set settings at both sides of the IPsec tunnel must be the same.

[DeviceB] ipsec transform-set tran1

[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel

[DeviceB-ipsec-transform-set-tran1] protocol esp

[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceB-ipsec-transform-set-tran1] quit

6. Configure an IKE keychain to specify the key information used for IKE communication.

The preshared key used by both sides of the communication must be the same.

[DeviceB] ike keychain keychain1

[DeviceB-ike-keychain-keychain1] pre-shared-key address 0.0.0.0 0 key simple 123456

[DeviceB-ike-keychain-keychain1] quit

7. Configure an IKE profile to specify the security parameters used for setting up IKE SAs.

[DeviceB] ike profile profile1

[DeviceB-ike-profile-profile1] keychain keychain1

[DeviceB-ike-profile-profile1] match remote identity address 0.0.0.0 0

[DeviceB-ike-profile-profile1] quit

8. Configure an IPsec policy template, which is used to create IPsec policies.

[DeviceB] ipsec policy-template template1 10

[DeviceB-ipsec-policy-template-template1-10] security acl 3000

[DeviceB-ipsec-policy-template-template1-10] transform-set tran1

[DeviceB-ipsec-policy-template-template1-10] local-address 3.3.3.3

[DeviceB-ipsec-policy-template-template1-10] ike-profile profile1

[DeviceB-ipsec-policy-template-template1-10] quit

9. Create an IKE-based IPsec policy by using IPsec policy template template1 to establish the IPsec tunnel that protects data.

[DeviceB] ipsec policy policy1 10 isakmp template template1

10. Apply the IPsec policy to GigabitEthernet 1/0/1 to protect traffic on the interface.

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ipsec apply policy policy1

[DeviceB-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display IPsec smart link policy information on Device A.

[DeviceA] display ipsec smart-link policy

--------------------------------------------------------------------------

Policy name                  : policy1

State                        :Enabled

Probe count                  :10

Probe interval               :1 sec

Probe source IP address      :1.1.1.1

Probe destination IP address :3.3.3.3

Max link switch cycles       :4

IPsec policy name            :policy1

Interface                    :GigabitEthernet1/0/1

IPsec policy sequence number :10

Link ID   Local address   Remote address   Loss(%)   Delay(ms)   State

1         1.1.1.1         3.3.3.3          0.0         1.0       Active

2         2.2.2.2         3.3.3.3          25.0        1.0       Inactive(Available)

--------------------------------------------------------------------------

# Display information about the IPsec policy to which IPsec smart link policy policy1 is applied.

[DeviceA] display ipsec policy

-------------------------------------------

IPsec Policy: policy1

Interface: GigabitEthernet1/0/1

-------------------------------------------


  -----------------------------

  Sequence number: 10

  Alias: map1-10

  Mode: ISAKMP

  -----------------------------

  Traffic Flow Confidentiality: Disabled

  Security data flow: 3000

  Selector mode: standard

  Local address: 1.1.1.1

  Remote address: 3.3.3.3

  Transform set:  tran1

  IKE profile: profile1

  IKEv2 profile:

  smart-link policy: policy1

  SA trigger mode: Auto

  SA duration(time based): 3600 seconds

  SA duration(traffic based): 1843200 kilobytes

  SA idle time: 100 seconds

# Display the ACL rules in the ACL used by IPsec policy policy1.

[DeviceA] display acl 3000

Advanced IPv4 ACL 3000, 3 rules,

ACL's step is 5

rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

rule 5 permit ip source 1.1.1.0 0.0.0.255 destination 3.3.3.3 0 (Dynamic) (10 times matched)

The command output shows that an ACL rule (rule 5) is automatically added to permit the link quality probe packets.

# Verify that IPsec SAs are established on Device A.

[DeviceA] display ipsec sa

-------------------------------

Interface: GigabitEthernet1/0/1

-------------------------------

  -----------------------------

  IPsec policy: policy1

  Sequence number: 10

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 0

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: N

    Traffic Flow Confidentiality enable: N

    Transmitting entity: Initiator

    Path MTU: 1428

    Tunnel:

        local  address/port: 1.1.1.1/500

        remote address/port: 3.3.3.3/500

    Flow:

        sour addr: 1.1.1.0/255.255.255.0  port: 0  protocol: ip

        dest addr: 3.3.3.3/255.255.255.255  port: 0  protocol: ip

    [Inbound ESP SAs]

      SPI: 2443816215 (0x91a9ad17)

      Connection ID: 38654705665

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843194/3368

      Max received sequence-number: 64

      Anti-replay check enable: Y

      Anti-replay window size: 64

      UDP encapsulation used for NAT traversal: N

      Status: Active

    [Outbound ESP SAs]

      SPI: 4220315517 (0xfb8ce77d)

      Connection ID: 38654705664

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 1843200/3600

      SA remaining duration (kilobytes/sec): 1843194/3368

      Max sent sequence-number: 64

      UDP encapsulation used for NAT traversal: N

      Status: Active

Configuration files

Device A:

#

interface GigabitEthernet1/0/1

 ip address 1.1.1.1 255.255.255.0

 gateway 1.1.1.3

#

interface GigabitEthernet1/0/2

 ip address 2.2.2.2 255.255.255.0

 gateway 2.2.2.3

#

interface GigabitEthernet1/0/3

 ip address 10.1.1.1 255.255.255.0

#

security-zone name Trust

 import interface GigabitEthernet1/0/3

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1

 import interface GigabitEthernet1/0/2

#

acl advanced 3000

 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec smart-link policy policy1

 smart-link enable

 link-switch cycles 4

 link 1 interface GigabitEthernet1/0/1 remote 3.3.3.3

 link 2 interface GigabitEthernet1/0/2 remote 3.3.3.3

#

ipsec policy policy1 10 isakmp

 transform-set tran1

 security acl 3000

 ike-profile profile1

 smart-link policy policy1

#

ike profile profile1

 keychain keychain1

 match remote identity address 3.3.3.3 255.255.255.0

#

ike keychain keychain1

 pre-shared-key address 3.3.3.3 255.255.255.0 key simple 123456

#

security-policy ip

 rule 0 name ipseclocalout

  action pass

  source-zone local

  destination-zone untrust

  source-ip-host 1.1.1.1

  source-ip-host 2.2.2.2

  destination-ip-host 3.3.3.3

 rule 1 name ipseclocalin

  action pass

  source-zone untrust

  destination-zone local

  source-ip-host 3.3.3.3

  destination-ip-host 1.1.1.1

  destination-ip-host 2.2.2.2

 rule 2 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 10.1.1.0 255.255.255.0

  destination-ip-subnet 10.1.2.0 255.255.255.0

 rule 3 name untrust-trust

  action pass

  source-zone untrust

  destination-zone trust

  source-ip-subnet 10.1.2.0 255.255.255.0

  destination-ip-subnet 10.1.1.0 255.255.255.0

#

Device B:

#

interface GigabitEthernet1/0/1

 ip address 3.3.3.3 255.255.255.0

 ipsec apply policy policy1

 gateway 3.3.3.4

#

interface GigabitEthernet1/0/2

 ip address 10.1.2.1 255.255.255.0

#

security-zone name Trust

 import interface GigabitEthernet1/0/2

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1

#

acl advanced 3000

 rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

 rule 5 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.1.0 0.0.0.255

 rule 10 permit ip source 3.3.3.0 0.0.0.255 destination 2.2.2.0 0.0.0.255

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 protocol esp

 esp encryption-algorithm aes-cbc-128

 esp authentication-algorithm sha1

#

ipsec policy-template template1 10

 transform-set tran1

 security acl 3000

 local-address 3.3.3.3

 ike-profile profile1

#

ipsec policy policy1 10 isakmp template template1

#

ike profile profile1

 keychain keychain1

 match remote identity address 0.0.0.0 0.0.0.0

#

ike keychain keychain1

 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

#

security-policy ip

 rule 0 name ipseclocalout

  action pass

  source-zone local

  destination-zone untrust

  source-ip-host 3.3.3.3

  destination-ip-host 1.1.1.1

  destination-ip-host 2.2.2.2

 rule 1 name ipseclocalin

  action pass

  source-zone untrust

  destination-zone local

  source-ip-host 1.1.1.1

  source-ip-host 2.2.2.2

  destination-ip-host 3.3.3.3

 rule 2 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 10.1.2.0 255.255.255.0

  destination-ip-subnet 10.1.1.0 255.255.255.0

 rule 3 name untrust-trust

  action pass

  source-zone untrust

  destination-zone trust

  source-ip-subnet 10.1.1.0 255.255.255.0

  destination-ip-subnet 10.1.2.0 255.255.255.0

#
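A consistency check over the two configuration files above, as an added example that is not part of the original page or of Comware: it parses the section layout of both files and verifies the requirements this example states, namely that the transform set is identical on both ends, that every flow Device A protects is mirrored in Device B's ACL, and that each smart-link remote address is the local address bound in Device B's policy template. The embedded excerpts are constructed from the page's configuration files; the parser and check functions are the example's own.

```python
import re

# Constructed excerpts of the Device A (branch) and Device B (HQ) configuration files above.
DEVICE_A = """\
acl advanced 3000
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec transform-set tran1
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
#
ipsec smart-link policy policy1
 link 1 interface GigabitEthernet1/0/1 remote 3.3.3.3
 link 2 interface GigabitEthernet1/0/2 remote 3.3.3.3
"""
DEVICE_B = """\
acl advanced 3000
 rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec transform-set tran1
 protocol esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
#
ipsec policy-template template1 10
 local-address 3.3.3.3
"""
ACL_RULE = re.compile(r"permit ip source (\S+) (\S+) destination (\S+) (\S+)$")


def parse(cfg):
    """Map each top-level Comware section header to its indented sub-lines ('#' ends a section)."""
    sections, cur = {}, None
    for line in cfg.splitlines():
        if not line.startswith(" "):
            cur = None if line.strip() in ("", "#") else sections.setdefault(line.strip(), [])
        elif cur is not None:
            cur.append(line.strip())
    return sections

def mismatches(a_cfg, b_cfg):
    """Return the cross-device problems a reviewer would flag between branch A and HQ B."""
    a, b, out = parse(a_cfg), parse(b_cfg), []
    # The page requires identical transform-set settings on both ends of the tunnel.
    if a.get("ipsec transform-set tran1") != b.get("ipsec transform-set tran1"):
        out.append("transform-set tran1 differs between A and B")
    # Every flow A protects must appear reversed in B's ACL, or B can reject the flow.
    b_flows = {m.groups() for m in map(ACL_RULE.search, b.get("acl advanced 3000", [])) if m}
    for m in filter(None, map(ACL_RULE.search, a.get("acl advanced 3000", []))):
        src, sm, dst, dm = m.groups()
        if (dst, dm, src, sm) not in b_flows:
            out.append(f"flow {src}/{sm} -> {dst}/{dm} is not mirrored on B")
    # Each smart-link remote must be the address B's policy template binds locally.
    local = {l.split()[-1] for l in b.get("ipsec policy-template template1 10", []) if l.startswith("local-address")}
    for l in a.get("ipsec smart-link policy policy1", []):
        m = re.match(r"link (\d+) interface \S+ remote (\S+)", l)
        if m and m.group(2) not in local:
            out.append(f"link {m.group(1)} remote {m.group(2)} is not B's local-address")
    return out
```

Running `mismatches(DEVICE_A, DEVICE_B)` on the page's own files returns an empty list; editing one side (for example changing the cipher or a link's remote address) makes the corresponding finding appear.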