CLI example: Configuring an IKEv2-based IPsec tunnel for IPv4 packets between gateways (preshared key authentication)

Network configuration

As shown in Figure 1, configure an IKE-based IPsec tunnel between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.

Configure Device A and Device B to use the default IKEv2 proposal and the default IKEv2 policy in IKEv2 negotiation to set up IPsec SAs.

Configure the two devices to use the preshared key authentication method in IKEv2 negotiation.

Figure 1 Network diagram

‌

Software versions used

This configuration example was created and verified on E8371 of the F5000-AI160 device.

Procedures

Configuring Device A

1. Assign IP addresses to interfaces:

# Assign an IP address to interface GigabitEthernet 1/0/1.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.0.0

[DeviceA-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

2. Configure settings for routing.

This example configures static routes, and the next hop in the routes is 1.1.1.2.

[DeviceA] ip route-static 10.1.2.0 24 1.1.1.2

[DeviceA] ip route-static 2.2.2.2 16 1.1.1.2

3. Add interfaces to security zones.

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Trust] quit

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Untrust] quit

4. Configure a security policy:

Configure rules to permit traffic between the Untrust and Local security zones, so the devices can set up an IPsec tunnel:

# Configure a rule named ipseclocalout to allow Device A to send IPsec negotiation packets to Device B.

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name ipseclocalout

[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local

[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust

[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 1.1.1.1

[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.2

[DeviceA-security-policy-ip-1-ipseclocalout] action pass

[DeviceA-security-policy-ip-1-ipseclocalout] quit

# Configure a rule named ipseclocalin to allow Device A to receive the IPsec negotiation packets sent from Device B.

[DeviceA-security-policy-ip] rule name ipseclocalin

[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust

[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local

[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.2

[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 1.1.1.1

[DeviceA-security-policy-ip-2-ipseclocalin] action pass

[DeviceA-security-policy-ip-2-ipseclocalin] quit

Configure rules to permit the traffic between Host A and Host B:

# Configure a rule named trust-untrust to permit the packets from Host A to Host B.

[DeviceA-security-policy-ip] rule name trust-untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24

[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.2.0 24

[DeviceA-security-policy-ip-3-trust-untrust] action pass

[DeviceA-security-policy-ip-3-trust-untrust] quit

# Configure a rule named untrust-trust to permit the packets from Host B to Host A.

[DeviceA-security-policy-ip] rule name untrust-trust

[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust

[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust

[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.2.0 24

[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.1.0 24

[DeviceA-security-policy-ip-4-untrust-trust] action pass

[DeviceA-security-policy-ip-4-untrust-trust] quit

[DeviceA-security-policy-ip] quit

5. Define the data flows to be protected:

# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.

[DeviceA] acl advanced 3101

[DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[DeviceA-acl-ipv4-adv-3101] quit

6. Configure an IPsec transform set to specify the packet encapsulation mode, security protocols, and algorithms.

The IPsec transform set settings at both sides of the IPsec tunnel must be the same.

[DeviceA] ipsec transform-set tran1

[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel

[DeviceA-ipsec-transform-set-tran1] protocol esp

[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc

[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceA-ipsec-transform-set-tran1] quit

7. Configure an IKE keychain to specify the key information used for IKE communication.

The preshared key used by both sides of the communication must be the same.

[DeviceA] ikev2 keychain keychain1

[DeviceA-ikev2-keychain-keychain1] peer peer1

[DeviceA-ikev2-keychain-keychain1-peer-peer1] address 2.2.2.2 16

[DeviceA-ikev2-keychain-keychain1-peer-peer1] identity address 2.2.2.2

[DeviceA-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext abcde

[DeviceA-ikev2-keychain-keychain1-peer-peer1] quit

[DeviceA-ikev2-keychain-keychain1] quit

8. Configure an IKEv2 profile to specify the security parameters used for setting up IKE SAs.

[DeviceA] ikev2 profile profile1

[DeviceA-ikev2-profile-profile1] authentication-method local pre-share

[DeviceA-ikev2-profile-profile1] authentication-method remote pre-share

[DeviceA-ikev2-profile-profile1] keychain keychain1

[DeviceA-ikev2-profile-profile1] match remote identity address 2.2.2.2 255.255.0.0

[DeviceA-ikev2-profile-profile1] quit

9. Configure an IPsec policy to establish an IPsec tunnel to protect the specified data.

[DeviceA] ipsec policy map1 10 isakmp

[DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2

[DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101

[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1

[DeviceA-ipsec-policy-isakmp-map1-10] ikev2-profile profile1

[DeviceA-ipsec-policy-isakmp-map1-10] quit

10. Apply the IPsec policy to GigabitEthernet 1/0/1 to protect the traffic on the interface.

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ipsec apply policy map1

[DeviceA-GigabitEthernet1/0/1] quit

Configuring Device B

1. Assign IP addresses to interfaces:

# Assign an IP address to interface GigabitEthernet 1/0/1.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 2.2.2.2 255.255.0.0

[DeviceB-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

2. Configure settings for routing.

This example configures static routes, and the next hop in the routes is 2.2.2.1.

[DeviceB] ip route-static 10.1.1.0 24 2.2.2.1

[DeviceB] ip route-static 1.1.1.1 16 2.2.2.1

3. Add interfaces to security zones.

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Trust] quit

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Untrust] quit

4. Configure a security policy:

Configure rules to permit traffic between the Untrust and Local security zones, so the devices can set up an IPsec tunnel:

# Configure a rule named ipseclocalout to allow Device B to send IPsec negotiation packets to Device A.

[DeviceB] security-policy ip

[DeviceB-security-policy-ip] rule name ipseclocalout

[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local

[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust

[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.2

[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 1.1.1.1

[DeviceB-security-policy-ip-1-ipseclocalout] action pass

[DeviceB-security-policy-ip-1-ipseclocalout] quit

# Configure a rule named ipseclocalin to allow Device B to receive the IPsec negotiation packets sent from Device A.

[DeviceB-security-policy-ip] rule name ipseclocalin

[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust

[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local

[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 1.1.1.1

[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.2

[DeviceB-security-policy-ip-2-ipseclocalin] action pass

[DeviceB-security-policy-ip-2-ipseclocalin] quit

Configure rules to permit the traffic between Host B and Host A:

# Configure a rule named trust-untrust to permit the packets from Host B to Host A.

[DeviceB-security-policy-ip] rule name trust-untrust

[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.2.0 24

[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.1.0 24

[DeviceB-security-policy-ip-3-trust-untrust] action pass

[DeviceB-security-policy-ip-3-trust-untrust] quit

# Configure a rule named untrust-trust to permit the packets from Host A to Host B.

[DeviceB-security-policy-ip] rule name untrust-trust

[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust

[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust

[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.1.0 24

[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.2.0 24

[DeviceB-security-policy-ip-4-untrust-trust] action pass

[DeviceB-security-policy-ip-4-untrust-trust] quit

[DeviceB-security-policy-ip] quit

5. Define the data flows to be protected:

# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.

[DeviceB] acl advanced 3101

[DeviceB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

[DeviceB-acl-ipv4-adv-3101] quit

6. Configure an IPsec transform set to specify the packet encapsulation mode, security protocols, and algorithms.

The IPsec transform set settings at both sides of the IPsec tunnel must be the same.

[DeviceB] ipsec transform-set tran1

[DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel

[DeviceB-ipsec-transform-set-tran1] protocol esp

[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc

[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceB-ipsec-transform-set-tran1] quit

7. Configure an IKE keychain to specify the key information used for IKE communication.

The preshared key used by both sides of the communication must be the same.

[DeviceB] ikev2 keychain keychain1

[DeviceB-ikev2-keychain-keychain1] peer peer1

[DeviceB-ikev2-keychain-keychain1-peer-peer1] address 1.1.1.1 16

[DeviceB-ikev2-keychain-keychain1-peer-peer1] identity address 1.1.1.1

[DeviceB-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext abcde

[DeviceB-ikev2-keychain-keychain1-peer-peer1] quit

[DeviceB-ikev2-keychain-keychain1] quit

8. Configure an IKEv2 profile to specify the security parameters used for setting up IKE SAs.

[DeviceB] ikev2 profile profile1

[DeviceB-ikev2-profile-profile1] authentication-method local pre-share

[DeviceB-ikev2-profile-profile1] authentication-method remote pre-share

[DeviceB-ikev2-profile-profile1] keychain keychain1

[DeviceA-ikev2-profile-profile1] match remote identity address 1.1.1.1 255.255.0.0

[DeviceA-ikev2-profile-profile1] quit

9. Configure an IPsec policy to establish an IPsec tunnel to protect the specified data.

[DeviceB] ipsec policy use1 10 isakmp

[DeviceB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1

[DeviceB-ipsec-policy-isakmp-use1-10] security acl 3101

[DeviceB-ipsec-policy-isakmp-use1-10] transform-set tran1

[DeviceB-ipsec-policy-isakmp-use1-10] ikev2-profile profile1

[DeviceB-ipsec-policy-isakmp-use1-10] quit

10. Apply the IPsec policy to GigabitEthernet 1/0/1 to protect the traffic on the interface.

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ipsec apply policy use1

[DeviceB-GigabitEthernet1/0/1] quit

# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKEv2 negotiation. After IPsec SAs are successfully negotiated by IKEv2, traffic between the two subnets is IPsec-protected.

# Display the IKEv2 proposal and IKEv2 policy on Device A.

[DeviceA] display ikev2 proposal

IKEv2 proposal : default

Encryption: AES-CBC-128 3DES-CBC

Integrity: SHA1 MD5

PRF: SHA1 MD5

DH Group: MODP1536/Group5 MODP1024/Group2

[DeviceA] display ikev2 policy

IKEv2 policy : default

Match VRF : any

Proposal: default

# Display the IKEv2 SA on Device A.

[DeviceA] display ikev2 sa

Tunnel ID Local Remote Status

---------------------------------------------------------------------------

1 1.1.1.1/500 2.2.2.2/500 EST

Status:

IN-NEGO: Negotiating, EST: Established, DEL:Deleting

# Display the IPsec SAs on Device A.

[DeviceA] display ipsec sa

-------------------------------

Interface: GigabitEthernet1/0/1

-------------------------------

-----------------------------

IPsec policy: map1

Sequence number: 10

Mode: ISAKMP

-----------------------------

Tunnel id: 0

Encapsulation mode: tunnel

Perfect Forward Secrecy:

Inside VPN:

Extended Sequence Numbers enable: N

Traffic Flow Confidentiality enable: N

Path MTU: 1456

Tunnel:

local address/port: 1.1.1.1/500

remote address/port: 2.2.2.2/500

Flow:

sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip

dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: ip

[Inbound ESP SAs]

SPI: 3264152513 (0xc28f03c1)

Connection ID: 141733920771

Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1

SA duration (kilobytes/sec): 1843200/3600

SA remaining duration (kilobytes/sec): 1843200/3484

Max received sequence-number:

Anti-replay check enable: Y

Anti-replay window size: 64

UDP encapsulation used for NAT traversal: N

Status: Active

[Outbound ESP SAs]

SPI: 738451674 (0x2c03e0da)

Connection ID: 64424509441

Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1

SA duration (kilobytes/sec): 1843200/3600

SA remaining duration (kilobytes/sec): 1843200/3484

Max sent sequence-number:

UDP encapsulation used for NAT traversal: N

Status: Active

# Display the IKEv2 proposal, IKEv2 policy, IKEv2 SA and IPsec SAs on Device B.

[DeviceB] display ikev2 proposal

[DeviceB] display ikev2 policy

[DeviceB] display ikev2 sa

[DeviceB] display ipsec sa

Configuration files

Device A

interface GigabitEthernet1/0/1

ip address 1.1.1.1 255.255.0.0

ipsec apply policy map1

interface GigabitEthernet1/0/2

ip address 10.1.1.1 255.255.255.0

security-zone name Trust

import interface GigabitEthernet1/0/2

security-zone name Untrust

import interface GigabitEthernet1/0/1

ip route-static 2.2.0.0 16 1.1.1.2

ip route-static 10.1.2.0 24 1.1.1.2

acl advanced 3101

rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

ipsec transform-set tran1

encapsulation-mode tunnel

protocol esp

esp encryption-algorithm des-cbc

esp authentication-algorithm sha1

ipsec policy map1 10 isakmp

transform-set tran1

security acl 3101

remote-address 2.2.2.2

ikev2-profile profile1

ikev2 keychain keychain1

peer peer1

address 2.2.2.2 255.255.0.0

identity address 2.2.2.2

pre-shared-key plaintext abcde

ikev2 profile profile1

authentication-method local pre-share

authentication-method remote pre-share

keychain keychain1

match remote identity address 2.2.2.2 255.255.0.0

security-policy ip

rule 0 name ipseclocalout

action pass

source-zone local

destination-zone untrust

source-ip-host 1.1.1.1

destination-ip-host 2.2.2.2

rule 1 name ipseclocalin

action pass

source-zone untrust

destination-zone local

source-ip-host 2.2.2.2

destination-ip-host 1.1.1.1

rule 2 name trust-untrust

action pass

source-zone trust

destination-zone untrust

source-ip-subnet 10.1.1.0 255.255.255.0

destination-ip-subnet 10.1.2.0 255.255.255.0

rule 3 name untrust-trust

action pass

source-zone untrust

destination-zone trust

source-ip-subnet 10.1.2.0 255.255.255.0

destination-ip-subnet 10.1.1.0 255.255.255.0

Device B

interface GigabitEthernet1/0/1

ip address 2.2.2.2 255.255.0.0

ipsec apply policy use1

interface GigabitEthernet1/0/2

ip address 10.1.2.1 255.255.255.0

security-zone name Trust

import interface GigabitEthernet1/0/2

security-zone name Untrust

import interface GigabitEthernet1/0/1

ip route-static 1.1.0.0 16 2.2.2.1

ip route-static 10.1.1.0 24 2.2.2.1

acl advanced 3101

rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

ipsec transform-set tran1

encapsulation-mode tunnel

protocol esp

esp encryption-algorithm des-cbc

esp authentication-algorithm sha1

ipsec policy use1 10 isakmp

transform-set tran1

security acl 3101

remote-address 1.1.1.1

ikev2-profile profile1

ikev2 keychain keychain1

peer peer1

address 1.1.1.1 255.255.0.0

identity address 1.1.1.1

pre-shared-key plaintext abcde

ikev2 profile profile1

authentication-method local pre-share

authentication-method remote pre-share

keychain keychain1

match remote identity address 1.1.1.1 255.255.0.0

security-policy ip

rule 0 name ipseclocalout

action pass

source-zone local

destination-zone untrust

source-ip-host 2.2.2.2

destination-ip-host 1.1.1.1

rule 1 name ipseclocalin

action pass

source-zone untrust

destination-zone local

source-ip-host 1.1.1.1

destination-ip-host 2.2.2.2

rule 2 name trust-untrust

action pass

source-zone trust

destination-zone untrust

source-ip-subnet 10.1.2.0 255.255.255.0

destination-ip-subnet 10.1.1.0 255.255.255.0

rule 3 name untrust-trust

action pass

source-zone untrust

destination-zone trust

source-ip-subnet 10.1.1.0 255.255.255.0

destination-ip-subnet 10.1.2.0 255.255.255.0

CLI example: Configuring an IKEv2-based IPsec tunnel for IPv4 packets between gateways (preshared key authentication)

Network configuration

Software versions used

Procedures

Configuring Device A

Configuring Device B

Verifying the configuration

Configuration files