HUAWEI
datacomm.huawei.com
Access VPN (VPDN)
Intranet VPN
Extranet VPN
Net to Net
- GRE: Generic Routing Encapsulation
- IPSEC: IP Security Protocol Suite
- IPSEC/BGP: Border Gateway Protocol
- MPLS/BGP: Multi-Protocol Label Switching
L2TP: Layer 2 Tunnel Protocol is a protocol for transparent transmission of PPP messages between the user's server and the company's server.
Characteristics:
- Suitable for the Point-to-Point Protocol
- Supports private address assignment without taking up public IP addresses
- Integrates with PPP to support AAA; integrates with RADIUS to support flexible local terminal and remote terminal
- Integrates with IPSEC to support message encryption
- Simple to configure, flexible to connect
[Figure: L2TP architecture. Client, LAC, Internet, LNS and corporate network, with a RADIUS server at both the LAC and the LNS. The ISP RADIUS returns the tunnel information to the LAC in AV pairs: LAC local name, tunnel password, tunnel type, LNS IP address. Protocol stack: PPP carried over L2TP over IP.]
An L2TP session is triggered by PPP, and a tunnel is triggered by a session. Because several sessions can share the same tunnel, tunnel establishment need not be repeated when a tunnel already exists before the session is set up.
Tunnel establishment procedure: three-way handshake
Data transmission modes:
- Basic data transmission
- Data transmission with sequence numbers but without flow control
- Data transmission with sequence numbers and flow control
LNS-side de-encapsulation process
The three gray PPP data units in the diagram are identical: this shows that the LAC side transmits the data transparently. The three IP packets being identical shows that the VPN is realized at the IP layer.
VPDN network-building project: the access server (acting as a LAC) initiates the tunnel
Initiated by the user or by an intranet machine (the LAC is set up in both of them)
L2TP troubleshooting
- User login fails
- Data transmission fails
[Figure: GRE tunnel across the Internet between a router (Ethernet0/0 and Ethernet0/1; addresses 10.1.3.3/24 and 10.1.6.4/24 shown) and a remote office router; PC 10.1.4.3]
[Figure: the same topology with a GRE/IPSEC tunnel across the Internet between the router (Ethernet0/0 10.1.3.3/24, Ethernet0/1 10.1.6.4/24) and the remote office router; PC A]
GRE is a carrier protocol for layer-3 tunnels.
Encapsulation format: Link layer | IP | GRE | IP/IPX payload
GRE Implementation
Configuration steps:
- Construct the tunnel interface
- Configure the source address of the tunnel interface
- Configure the opposite terminal (destination) address of the tunnel interface
- Configure the network address of the tunnel interface
Quidway(config-if)#tunnel checksum
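To make the Link | IP | GRE | payload stack concrete, here is an added Python example (not from the Quidway documentation) that builds and strips the IP and GRE headers, including the optional GRE checksum that `tunnel checksum` turns on. The outer addresses are the RouterA/RouterB serial0 addresses from the configuration example; the inner datagram is a constructed sample.

```python
import socket
import struct

GRE_PROTO_IP = 0x0800   # payload is IPv4 (0x8137 would carry IPX)
GRE_FLAG_CSUM = 0x8000  # C bit: optional checksum present ('tunnel checksum')
IPPROTO_GRE = 47        # outer IP header's protocol field for GRE

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both IPv4 and GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encapsulate(payload: bytes, proto: int = GRE_PROTO_IP, checksum: bool = False) -> bytes:
    """Prepend a GRE header (RFC 2784); checksum=True mirrors 'tunnel checksum'."""
    if not checksum:
        return struct.pack("!HH", 0, proto) + payload
    hdr = struct.pack("!HHHH", GRE_FLAG_CSUM, proto, 0, 0)   # checksum field zeroed
    csum = inet_checksum(hdr + payload)                       # covers header + payload
    return struct.pack("!HHHH", GRE_FLAG_CSUM, proto, csum, 0) + payload

def gre_decapsulate(packet: bytes) -> tuple:
    """Strip the GRE header, verifying the checksum when the C bit is set."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_FLAG_CSUM:
        if inet_checksum(packet) != 0:   # a valid checksum makes the whole sum verify to 0
            raise ValueError("GRE checksum mismatch: packet dropped")
        return proto, packet[8:]
    return proto, packet[4:]

def ipv4_header(src: str, dst: str, payload_len: int, proto: int = IPPROTO_GRE) -> bytes:
    """Outer delivery header: plain 20-byte IPv4 with protocol 47 (GRE)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def tunnel_packet(inner: bytes, src="192.13.2.1", dst="131.108.5.2", checksum=True) -> bytes:
    """RouterA -> RouterB: IP | GRE | inner, i.e. the stack above minus the link layer."""
    gre = gre_encapsulate(inner, checksum=checksum)
    return ipv4_header(src, dst, len(gre)) + gre

# Constructed sample inner datagram (its contents do not matter for the encapsulation).
SAMPLE_INNER = bytes.fromhex("4500001c000100004001") + b"\x00" * 18
```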
Configuration Example
RouterA
! Configure the physical interface for the tunnel:
RouterA(config)# interface serial 0
! Interface address:
RouterA(config-if-serial0)# ip address 192.13.2.1 255.255.255.0
! Construct interface tunnel0:
RouterA(config)# interface tunnel 0
! Tunnel interface address:
RouterA(config-if-tunnel0)# ip address 10.1.2.1 255.255.255.0
RouterA(config-if-tunnel0)# novell network 1f
! Optional operation: designate GRE as the tunnel mode and IP as the transport protocol:
RouterA(config-if-tunnel0)# tunnel mode gre ip
! Source address of the tunnel interface (IP address of RouterA serial0):
RouterA(config-if-tunnel0)# tunnel source 192.13.2.1
! Opposite terminal address of the tunnel interface (IP address of RouterB serial0):
RouterA(config-if-tunnel0)# tunnel destination 131.108.5.2

RouterB
! Configure the physical interface for the tunnel:
RouterB(config)# interface serial 0
! Interface address:
RouterB(config-if-serial0)# ip address 131.108.5.2 255.255.255.0
! Construct interface tunnel0:
RouterB(config)# interface tunnel 0
! Tunnel interface address:
RouterB(config-if-tunnel0)# ip address 10.1.2.2 255.255.255.0
RouterB(config-if-tunnel0)# novell network 1f
! Optional operation: designate GRE as the tunnel mode and IP as the transport protocol:
RouterB(config-if-tunnel0)# tunnel mode gre ip
! Source address of the tunnel interface (IP address of RouterB serial0):
RouterB(config-if-tunnel0)# tunnel source 131.108.5.2
! Opposite terminal address of the tunnel interface (IP address of RouterA serial0):
RouterB(config-if-tunnel0)# tunnel destination 192.13.2.1
RouterA#show interface tunnel 0
tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.1.2.1 255.255.255.0
Encapsulation TUNNEL
Tunnel source 192.13.2.1, destination 131.108.5.2
Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
Checksumming of packets disabled
Queueing strategy: fifo
Output queue 0/0, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
29 packets output, 2348 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Troubleshooting Example
Description
IPSEC concepts:
- Security Association (SA)
- Security Parameter Index (SPI)
- Sequence Number
- Lifetime
- Data Flow
- Crypto Map
Message Format of AH
[Figure: AH message format, shown from the link layer header onward]
Quidway(config)#crypto ipsec transform name
Quidway(config-crypto-transform)#transform proto
Quidway(config-crypto-transform)#proto {encryption|hash} algorithm
Quidway(config-crypto-transform)#mode {transport|tunnel}
Quidway(config-crypto-map)#set session-key {inbound | outbound} ah {string-key | hex-key-string} key-string
Quidway(config-crypto-map)#set session-key {inbound | outbound} esp {string-key | auth-key | cipher-key} key-string
Configuration Diagram
Manual configuration
Configure Router-A as follows:
! Configure an access list defining the data flow from subnet 10.1.1.x to subnet 10.1.2.x
Quidway(config)#access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
! Construct a transform set named tran1
Quidway(config)#crypto ipsec transform-set tran1
! Adopt tunnel mode as the message encapsulation format
Quidway(config-crypto-transform-tran1)#mode tunnel
! Adopt ESP as the security protocol
Quidway(config-crypto-transform-tran1)#transform esp-new
! Select the algorithms
Quidway(config-crypto-transform-tran1)#esp-new encrypt des
Quidway(config-crypto-transform-tran1)#esp-new hash sha1-hmac-96
! Exit to global configuration mode
Quidway(config-crypto-transform-tran1)#exit
! Construct a security policy (crypto map) with manual negotiation mode
Quidway(config)#crypto map map1 10 manual
! Introduce the access list
Quidway(config-crypto-map-map1-10)#match address 101
! Set the opposite terminal address
Quidway(config-crypto-map-map1-10)#set peer 202.38.162.1
! Set the local terminal address
Quidway(config-crypto-map-map1-10)#set local-address 202.38.163.1
! Introduce the transform set
Quidway(config-crypto-map-map1-10)#set transform-set tran1
! Set the SPIs
Quidway(config-crypto-map-map1-10)#set session-key outbound esp spi 12345
Quidway(config-crypto-map-map1-10)#set session-key inbound esp spi 54321
! Set the cryptographic keys
Quidway(config-crypto-map-map1-10)#set session-key outbound esp string-key abcdefg
Quidway(config-crypto-map-map1-10)#set session-key inbound esp string-key gfedcba
! Exit to global configuration mode
Quidway(config-crypto-map-map1-10)#exit
! Enter serial port configuration mode
Quidway(config)#interface serial 0
! Apply the security policy to the serial port
Quidway(config-if-serial0)#crypto map map1
Configure Router-B as follows:
! Configure an access list defining the data flow from subnet 10.1.2.x to subnet 10.1.1.x
Quidway(config)#access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
! Construct a transform set named tran1
Quidway(config)#crypto ipsec transform-set tran1
! Adopt tunnel mode as the message encapsulation format
Quidway(config-crypto-transform-tran1)#mode tunnel
! Adopt ESP as the security protocol
Quidway(config-crypto-transform-tran1)#transform esp-new
! Select the algorithms
Quidway(config-crypto-transform-tran1)#esp-new encrypt des
Quidway(config-crypto-transform-tran1)#esp-new hash sha1-hmac-96
! Exit to global configuration mode
Quidway(config-crypto-transform-tran1)#exit
! Construct a security policy (crypto map) with manual negotiation mode
Quidway(config)#crypto map use1 10 manual
! Introduce the access list
Quidway(config-crypto-map-use1-10)#match address 101
! Set the opposite terminal address
Quidway(config-crypto-map-use1-10)#set peer 202.38.163.1
! Set the local terminal address
Quidway(config-crypto-map-use1-10)#set local-address 202.38.162.1
! Introduce the transform set
Quidway(config-crypto-map-use1-10)#set transform-set tran1
! Set the SPIs
Quidway(config-crypto-map-use1-10)#set session-key outbound esp spi 54321
Quidway(config-crypto-map-use1-10)#set session-key inbound esp spi 12345
! Set the cryptographic keys
Quidway(config-crypto-map-use1-10)#set session-key outbound esp string-key gfedcba
Quidway(config-crypto-map-use1-10)#set session-key inbound esp string-key abcdefg
! Exit to global configuration mode
Quidway(config-crypto-map-use1-10)#exit
! Enter serial port configuration mode
Quidway(config)#interface serial 0
! Apply the security policy to the serial port
Quidway(config-if-serial0)#crypto map use1
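Manual keying has no negotiation, so the Router-A and Router-B configurations above only work when each router's outbound SPI and key equal the peer's inbound SPI and key. The following added Python example (not Quidway code) models the four `set session-key ... esp` entries as SAs, checks that they pair up in both directions, and applies the sha1-hmac-96 integrity check of esp-new together with a sequence-number replay check. Two assumptions for illustration: the string keys are used directly as HMAC keys, and DES encryption is omitted because the standard library has no DES.

```python
import hashlib
import hmac
import struct

class ManualSA:
    """One direction of an ESP SA as entered with 'set session-key {inbound|outbound} esp'."""
    def __init__(self, spi: int, string_key: str):
        self.spi = spi
        self.auth_key = string_key.encode()  # assumption: string-key used directly as HMAC key
        self.seq = 0                         # outbound sequence counter
        self.seen = set()                    # inbound: sequence numbers already accepted

    def icv(self, data: bytes) -> bytes:
        # sha1-hmac-96: HMAC-SHA1 truncated to its first 96 bits (12 bytes)
        return hmac.new(self.auth_key, data, hashlib.sha1).digest()[:12]

    def protect(self, payload: bytes) -> bytes:
        # ESP layout: SPI(4) | Seq(4) | payload | ICV(12); DES encryption omitted here
        self.seq += 1
        body = struct.pack("!II", self.spi, self.seq) + payload
        return body + self.icv(body)

    def unprotect(self, packet: bytes) -> bytes:
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError(f"no inbound SA for SPI {spi}")
        body, tag = packet[:-12], packet[-12:]
        if not hmac.compare_digest(self.icv(body), tag):
            raise ValueError("ICV check failed: wrong key or modified packet")
        if seq in self.seen:   # minimal anti-replay: never accept a sequence number twice
            raise ValueError(f"replayed sequence number {seq}")
        self.seen.add(seq)
        return body[8:]

# The four SAs exactly as configured on the page (Router-A map1, Router-B use1).
ROUTER_A = {"out": ManualSA(12345, "abcdefg"), "in": ManualSA(54321, "gfedcba")}
ROUTER_B = {"out": ManualSA(54321, "gfedcba"), "in": ManualSA(12345, "abcdefg")}

def sa_pair_consistent(sender: dict, receiver: dict) -> bool:
    """A mismatch here never errors during configuration; it only shows up as dropped packets."""
    return (sender["out"].spi == receiver["in"].spi
            and sender["out"].auth_key == receiver["in"].auth_key)

def send(sender: dict, receiver: dict, payload: bytes) -> bytes:
    """Sender protects with its outbound SA, receiver verifies with its inbound SA."""
    return receiver["in"].unprotect(sender["out"].protect(payload))
```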
Automatic negotiation (IKE)
! Construct a security policy (crypto map) with isakmp negotiation mode
Quidway(config)#crypto map map1 10 isakmp
! Introduce the access list
Quidway(config-crypto-map-map1-10)#match address 101
! Set the opposite terminal address
Quidway(config-crypto-map-map1-10)#set peer 202.38.162.1
! Introduce the transform set
Quidway(config-crypto-map-map1-10)#set transform-set tran1
! Exit to global configuration mode
Quidway(config-crypto-map-map1-10)#exit
! Enter serial port configuration mode
Quidway(config)#interface serial 0
! Apply the security policy to the serial port
Quidway(config-if-serial0)#crypto map map1
! Corresponding IKE configuration
Quidway(config)#crypto ike key abcde address 202.38.162.1
Configure Router-B as follows:
! Configure an access list defining the data flow from subnet 10.1.2.x to subnet 10.1.1.x
Quidway(config)#access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
! Construct a transform set named tran1
Quidway(config)#crypto ipsec transform-set tran1
! Adopt tunnel mode as the message encapsulation format
Quidway(config-crypto-transform-tran1)#mode tunnel
! Adopt ESP as the security protocol
Quidway(config-crypto-transform-tran1)#transform esp-new
! Select the algorithms
Quidway(config-crypto-transform-tran1)#esp-new encrypt des
Quidway(config-crypto-transform-tran1)#esp-new hash sha1-hmac-96
! Exit to global configuration mode
Quidway(config-crypto-transform-tran1)#exit
! Construct a security policy (crypto map) with isakmp negotiation mode
Quidway(config)#crypto map use1 10 isakmp
! Introduce the access list
Quidway(config-crypto-map-use1-10)#match address 101
! Set the opposite terminal address
Quidway(config-crypto-map-use1-10)#set peer 202.38.163.1
! Introduce the transform set
Quidway(config-crypto-map-use1-10)#set transform-set tran1
! Exit to global configuration mode
Quidway(config-crypto-map-use1-10)#exit
! Enter serial port configuration mode
Quidway(config)#interface serial 0
! Apply the security policy to the serial port
Quidway(config-if-serial0)#crypto map use1
! Corresponding IKE configuration
Quidway(config)#crypto ike key abcde address 202.38.163.1
Quidway(config)#clear crypto sa
[Figure: Diffie-Hellman exchange used by IKE. Public parameters $g, p$.]
Peer 1 chooses a secret $a$ and sends $c = g^a \bmod p$ to Peer 2.
Peer 2 chooses a secret $b$ and sends $d = g^b \bmod p$ to Peer 1.
Peer 1 computes $d^a \bmod p$ and Peer 2 computes $c^b \bmod p$; both equal $g^{ab} \bmod p$, the shared secret.
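The exchange above carried through in code, as an added example that is not part of the original slides: it uses the diagram's symbols ($c = g^a \bmod p$, $d = g^b \bmod p$, $d^a = c^b \bmod p$) and adds a simplified pre-shared-key binding to show why `authentication pre-shared` is needed on top of Diffie-Hellman, which alone gives no assurance of who the peer is. The toy prime and the HMAC binding are assumptions for illustration, not IKE's MODP groups or its SKEYID derivation.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for illustration only: IKE groups 1 and 2 use the 768- and
# 1024-bit MODP primes of RFC 2409. 2**127 - 1 is prime, so the arithmetic is valid.
P = 2**127 - 1
G = 2

class Peer:
    """One side of the exchange: holds the secret exponent (a or b) and the PSK."""
    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk                              # from 'crypto ike key ... address ...'
        self.secret = secrets.randbelow(P - 2) + 1  # a (peer 1) or b (peer 2), never sent
        self.public = pow(G, self.secret, P)        # c = g^a mod p or d = g^b mod p
        self.shared = None

    def receive(self, peer_public: int) -> int:
        # Step 4 of the diagram: d^a mod p on peer 1, c^b mod p on peer 2
        self.shared = pow(peer_public, self.secret, P)
        return self.shared

    def auth_tag(self, c: int, d: int) -> bytes:
        # Simplified pre-shared-key binding (assumption, not IKE's SKEYID/HASH_I):
        # HMAC over both public values under the PSK, so a peer that does not hold
        # the same key, or that substituted c or d in transit, cannot produce a matching tag.
        msg = c.to_bytes(16, "big") + d.to_bytes(16, "big")
        return hmac.new(self.psk, msg, hashlib.sha1).digest()

def run_exchange(psk1: bytes, psk2: bytes) -> tuple:
    """Returns (shared secrets agree, PSK authentication passes)."""
    peer1, peer2 = Peer("peer1", psk1), Peer("peer2", psk2)
    c, d = peer1.public, peer2.public            # sent over the network in the clear
    k1, k2 = peer1.receive(d), peer2.receive(c)
    authenticated = hmac.compare_digest(peer1.auth_tag(c, d), peer2.auth_tag(c, d))
    return k1 == k2, authenticated

def check_identity(a: int, b: int) -> bool:
    """(g^b)^a == (g^a)^b mod p: the fact the whole exchange relies on."""
    return pow(pow(G, b, P), a, P) == pow(pow(G, a, P), b, P)
```

With matching keys (abcde on both routers, as configured on the page) both checks pass; with a mismatched pre-shared key the secrets still agree but authentication fails, which is the symptom to look for first when IKE negotiation stalls.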
Quidway(config-ike-policy)#hash {md5|sha}
Quidway(config-ike-policy)#encryption des
Quidway(config-ike-policy)#group {1|2}
Quidway(config-ike-policy)#authentication pre-shared
Configuration Example
! Configure an IKE policy
Quidway(config)# crypto ike policy 10
Quidway(config-crypto-ike-policy-10)# hash md5
Quidway(config-crypto-ike-policy-10)# authentication pre-share
Quidway(config-crypto-ike-policy-10)# lifetime 5000
Quidway(config-crypto-ike-policy-10)# exit
! Configure the pre-shared key
Quidway(config)# crypto ike key abcde address 202.38.162.1
IKE Debug