The document describes how to configure an IPSec VPN tunnel between two Huawei routers to securely encrypt traffic between two network sites connected over the internet. It provides configuration details for setting up the IPSec proposal, IKE peers, security policies and attaching the policy to interfaces on both routers. It also lists commands to verify that the VPN tunnel is successfully established and traffic is being encrypted between the sites.
The document describes how to configure an IPSec VPN tunnel between two Huawei routers to securely encrypt traffic between two network sites connected over the internet. It provides configuration details for setting up the IPSec proposal, IKE peers, security policies and attaching the policy to interfaces on both routers. It also lists commands to verify that the VPN tunnel is successfully established and traffic is being encrypted between the sites.
The document describes how to configure an IPSec VPN tunnel between two Huawei routers to securely encrypt traffic between two network sites connected over the internet. It provides configuration details for setting up the IPSec proposal, IKE peers, security policies and attaching the policy to interfaces on both routers. It also lists commands to verify that the VPN tunnel is successfully established and traffic is being encrypted between the sites.
The document describes how to configure an IPSec VPN tunnel between two Huawei routers to securely encrypt traffic between two network sites connected over the internet. It provides configuration details for setting up the IPSec proposal, IKE peers, security policies and attaching the policy to interfaces on both routers. It also lists commands to verify that the VPN tunnel is successfully established and traffic is being encrypted between the sites.
How to secure communication between two sites connected to the Internet?
Use Site-to-Site IPsec VPN tunnel between two Huawei routers. IPsec VPN is an open standard protocol suite, defined by the IETF in the following RFCs: 2401, 2402-2412, 2451. IPSec is a widely used protocol for securing traffic on IP networks, including the Internet. IPSec can encrypt data between various devices, including router to router, firewall to router, desktop to router, and desktop to server.
How to configure IPsec VPN using Huawei CLI?
Lets assume that we have two sites, Site1 and Site2. Both sites have PCs connected to the LAN network, PC1 and PC2 respectively. The sites are connected through WAN network (in our case labnarioR2 router simulates WAN). We want to secure communication between PC1 and PC2. To do so, we have to configure IPSec VPN tunnel between both sites. In our case tunnel will be established between labnarioR1 and labnarioR3 routers. Both routers will be responsible for data encryption and decryption using specified algorithms.
To secure IPSec tunnel, I will use:
shared key between labnarioR1 and labnarioR3 routers
ESP protocol for security algorithms negotiation SHA1 for authentication and 3DES for encryption IKE for key exchange and SA establishment. Traffic encryption/decryption will be done on both, labnarioR1 and labnarioR3 routers. So I have to configure those two routers, to be able to establish IPsec VPN tunnel. LabnarioR2 router simulates WAN cloud. It has nothing to do with IPSec.
Do not forget to provide IP connectivity between routers and PCs. This is omitted here.
I want to encrypt IP traffic travelling between LAN networks 10.1.1.0/24 and 172.16.1.0/24. To do so, I need to match this traffic using ACL on labnarioR1 and labnarioR3:
Now I can configure IPSec proposal and define the following parameters:
Packet encapsulation format (tunnel or transport, I will use tunnel as this is site-to-site model) Security protocol (I will use ESP) Encryption and authentication algorithms (as mentioned above, SHA1 and 3DES respectively).
To bring IPsec VPN tunnel up, IP traffic should be generated between PC1 and PC2. To do so, just ping PC2 from PC1 or vice versa. Lets verify if our tunnel is up.
To display IKE security associations:
[labnarioR1]display ike sa Conn-ID Peer VPN Flag(s) Phase --------------------------------------------------------------- 52 150.100.23.3 0 RD|ST 2 28 150.100.23.3 0 RD|ST 1
Flag Description: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
Number of total peers : 18 Number of policy peers : 1 Number of profile peers : 17 Number of proposals : 1 Number of established V1 phase 1 SAs : 1 Number of established V1 phase 2 SAs : 1 Number of total V1 phase 1 SAs : 1 Number of total V1 phase 2 SAs : 1 Number of total SAs : 2 Keep alive time : 0 Keep alive interval : 0 keepalive spi list : Disable ----------------------------------------------------------
As you see, IPsec statistics look a little bit strange. This is because these commands were done on eNSP. It looks like IPsec is not working on eNSP even though there are all configuration and display commands. When tested on AR19 routers, everything was fine.
Debugging commands:
<labnarioR1>debugging ike ? all All IKE debugging functions dpd IKE debug for dpd error Error debugging functions exchange IKE exchange debugging functions message IKE message debugging functions misc All other debugging functions packet IKE packet content debugging function sa Security Association sysdep Information with IPSec debugging functions task IKE debug for main task entry transport Transport debugging functions xauth Information with IPSec debugging functions
<labnarioR1>debugging ipsec ? all All switches hw Hardware infomation misc All other debugging function packet Packet debugging function sa SA debugging function
