7.1.28.1.6 Configuring Data for Interworking with AAA Server (Applying IPSec to the Gi Interface)


Scenarios

The outband networking mode is used and IP Security (IPSec) is applied to the Gi interface. Figure 1 shows the specific networking. After IPSec is applied to the Gi interface, an IPSec tunnel is established between the UGW9811 and the authentication, authorization and accounting (AAA) server to secure the signaling flows between the UGW9811 and the AAA server.

Figure 1 Typical networking for the interworking with the AAA server (IPSec application on the Gi interface)

NOTE:
The GGSN and P-GW support this scenario.

Prerequisites

Conditions

You are familiar with the IPSec, VRF, and routing functions.

The network environment between the UGW9811 and an NE is established.

The SPU that needs to be configured with logical interfaces works normally and no user is activated on the SPU. No logical interface can be configured on the SPU if the SPU is not started or is still starting.

You are familiar with the types and naming specifications of the UGW9811 interfaces. For details, see Logical Interface and Rules for Naming Interfaces.

Data

| Category | Parameter | Example Value | How to Obtain | Description |
|---|---|---|---|---|
| Access control list (ACL) rule | protocol | udp | Negotiated with the peer device | This parameter is specified using the rule command. |
| ACL rule | source-ip-address | 81.10.254.22 | Planned based on the entire network | The source IP address of the IPSec tunnel is the IP address of the Gi interface. This parameter is specified using the rule command. |
| ACL rule | destination-ip-address | 211.1.128.23 | Planned based on the entire network | The destination address of the IPSec tunnel is the IP address of the device at the terminal end of the IPSec tunnel. In this example, the destination address is the IP address of the AAA server. This parameter is specified using the rule command. |
| IPSec proposal | esp authentication-algorithm | sha2 | Negotiated with the peer device | The authentication algorithm on the UGW9811 must be the same as that on the IKE peer. This parameter is specified using the esp authentication-algorithm command. |
| IPSec proposal | esp encryption-algorithm | 3des | Negotiated with the peer device | The encryption algorithm on the UGW9811 must be the same as that on the IKE peer. This parameter is specified using the esp encryption-algorithm command. |
| IPSec proposal | encapsulation-mode | transport | Negotiated with the peer device | This parameter is specified using the encapsulation-mode command. |
| Internet Key Exchange (IKE) proposal | priority-level | 30 | Negotiated with the peer device | This parameter is specified using the ike-proposal command. |
| IKE proposal | encryption-algorithm | 3des | Negotiated with the peer device | This parameter is specified using the encryption-algorithm command. |
| IKE proposal | dh | group2 | Negotiated with the peer device | This parameter is specified using the dh command. |
| IKE peer attribute | peer-name | ike1 | Negotiated with the peer device | This parameter is specified using the ike peer command. |
| IKE peer attribute | proposal-number | 30 | Obtained from the configured data | The proposal value on the UGW9811 must be the same as that on the IKE peer and as the priority level of the IKE proposal. The proposal value can be displayed through display ike proposal. |
| IKE peer attribute | key | Local61L3 | Negotiated with the peer device | This parameter is specified using the pre-shared-key command. |
| IKE peer attribute | local-id-type | ip | Negotiated with the peer device | In this example, the default IKE negotiation mode, that is, main mode, is used. Thus, the local ID is expressed as an IP address. This parameter is specified using the local-id-type command. |
| IKE peer attribute | ip-address | 211.1.128.23 | Planned based on the entire network | This parameter specifies the IP address of the IKE peer. In this example, the AAA server is the IKE peer. This parameter is specified using the remote-address command. |
| IPSec policy | proposal-name | proposal_propo1 | Obtained from the configured data | The IPSec proposal used by the IPSec policy. It can be checked through display ipsec proposal. |
| IPSec policy | acl-number | 3101 | Obtained from the configured data | The ACL used by the IPSec policy. It can be checked through display acl. |
| IPSec policy | peer-name | ike1 | Obtained from the configured data | The IKE peer used by the IPSec policy. It can be checked through display ike peer. |
| IPSec policy | time-based seconds | 3600 | Negotiated with the peer device | This parameter is specified using the sa duration command. |
| Gi interface | ip-address | 81.10.254.22 | Planned based on the entire network | This parameter is specified using the ip address command. |
| Gi interface | policy-name | policy1 | Obtained from the configured data | You can run display ipsec policy to query the policy. |

For details about all data, see Data Planning Table.


Procedure

1. Create a VPN instance.
   a. Create a VPN instance.
      ip vpn-instance
      NOTE:
      You must configure the route distinguisher (RD) when establishing a VPN. A VPN instance takes effect only if the RD is configured.
      RDs cannot be changed directly. To change the RD of a VPN instance, delete the VPN instance, create the VPN instance again, and configure the desired RD for it.
   b. Optional: Modify the description of the VPN instance.
      NOTE:
      Perform this step when the description of the VPN instance needs to be added or modified.
      description
   c. Enter the VPN instance IPv4 address family view.
      ipv4-family
   d. Specify the RD of the VPN instance.
      route-distinguisher
   e. Return to the VPN view.
      quit
   f. Return to the system view.
      quit

2. Configure an Eth-trunk interface that works in active/standby mode.
   a. In the system view, create an Eth-trunk interface and enter the view of the Eth-trunk interface.
      interface eth-trunk
   b. Set the operating mode of the Eth-trunk interface to active/standby mode.
      workmode
   c. Optional: Change the description of the Eth-trunk interface.
      description
   d. Bind the Eth-trunk interface to a VPN instance.
      ip binding vpn-instance
   e. Set the IP address of the Eth-trunk interface.
      ip address
   f. Return to the system view.
      quit
   g. Create a physical interface and enter the interface view.
      interface
   h. Bind the physical interface to the Eth-trunk interface.
      eth-trunk
   i. Optional: Change the description of the physical interface.
      description
   j. Set the negotiation mode of the physical interface to auto negotiation.
      negotiation auto
      NOTE:
      To establish a trunk link, the rate, duplex mode, and flow control mode of the two physical interfaces connecting to the end devices must be the same. Therefore, after binding a physical interface to an Eth-trunk interface, you must set the negotiation mode of the physical interface to auto negotiation. In this manner, the two physical interfaces of one trunk link have the same rate, duplex mode, and flow control mode, which ensures normal communication over the Eth-trunk interface. Configuring optical interfaces to work in auto negotiation mode is recommended, because the NE40E router does not support non-auto negotiation, and optical interfaces working in auto negotiation mode can prevent one-way audio caused by single-fiber faults.
      If Ethernet electrical interfaces are used, you can run speed, duplex, and flow control to set the rate, duplex mode, and flow control mode of a physical interface on the UGW9811 to the same values as those configured on the peer physical interface.
      If Ethernet optical interfaces are used, the configurations on the two ends must be the same. That is, if the local interface is configured to work in auto negotiation mode, the peer interface must also work in this mode. If the rate of the local interface is set to 1000 Mbit/s and the duplex mode is set to full-duplex, the peer interface must also work at the same rate and in the same duplex mode.
   k. Return to the system view.
      quit
   l. Perform 2.g to 2.k to bind the other physical interface to the Eth-trunk interface.

3. Set IPSec data for IKE negotiation.

   a. Create an ACL and enter the ACL view.
      acl
   b. Configure an ACL rule for the data flows to be protected.
      rule
   c. Return to the system view.
      quit
   d. Create an IPSec proposal and enter the IPSec proposal view.
      ipsec proposal
   e. Configure the encapsulation mode to be used by IPSec.
      encapsulation-mode
   f. Configure the authentication algorithm to be used by the Encapsulating Security Payload (ESP) protocol.
      esp authentication-algorithm
   g. Configure the encryption algorithm to be used by ESP.
      esp encryption-algorithm
   h. Return to the system view.
      quit
   i. Create an IKE proposal and enter the IKE proposal view.
      ike proposal
   j. Specify the encryption algorithm to be used by IKE.
      encryption-algorithm
   k. Specify the DH group ID to be used in the first round of key negotiation.
      dh
   l. Configure the authentication algorithm to be used by IKE.
      authentication-algorithm
   m. Set the lifetime of the IKE security association (SA).
      sa duration
   n. Return to the system view.
      quit
   o. Create an IKE peer and enter the IKE peer view.
      ike peer
   p. Configure the IKE proposal to be used by the IKE peer.
      ike-proposal
   q. Set the authentication key for the pre-shared key authentication mode.
      pre-shared-key
      NOTE:
      If the IKE proposal used by the IKE peer uses the pre-shared key authentication mode, you need to configure a consistent authentication key on both ends. Otherwise, the IKE proposal cannot be used.
   r. Configure the ID type of the IKE peer.
      local-id-type
      NOTE:
      In this example, the IKE negotiation mode is active and thus the ID type must be ip.
   s. When the ID type of the IKE peer is ip, configure the peer IP address for the IKE peer.
      remote-address
   t. Optional: Enable the IKE dead peer detection (DPD) function and set the transmission interval, retransmission interval, and number of DPD packet retransmissions.
      ike dpd
   u. Return to the system view.
      quit
   v. Create an IPSec policy and enter the IPSec policy view.
      ipsec policy
   w. Set the ACL to be used by the IPSec policy.
      security acl
   x. Configure the IPSec proposal to be used by the IPSec policy.
      proposal
   y. Configure the IKE peer to be used by the IPSec policy in IKE negotiation.
      ike-peer
   z. Set the lifetime of the SA.
      sa duration
   aa. Return to the system view.
      quit

4. Configure the Gi interface.
   a. Create a Gi interface and enter the interface view.
      interface
   b. Optional: Bind the current interface to the specified VPN instance.
      ip binding vpn-instance
   c. Set the IP address and subnet mask of the Gi interface.
      ip address
   d. Apply the IPSec policy on the Gi interface.
      ipsec policy
   e. Return to the system view.
      quit

5. Configure the default route to the AAA server.
   ip route-static vpn-instance
   NOTE:
   A static route to the UGW9811 needs to be configured on the AAA server. The destination IP address is the IP address of the Gi interface of the UGW9811. The next hop is the IP address of the Eth-trunk interface used for the interworking between the UGW9811 and the AAA server.
6. Configure the AAA authentication/accounting servers.
   a. Enter the access view.
      access-view
   b. Enter the RADIUS view.
      radius-server group
   c. Set the operating mode of the AAA servers in the RADIUS group.
      radius-server mode
   d. Set the IP address, port number, key, and VPN instance of the active AAA authentication server. Running this command several times configures multiple active AAA authentication servers.
      radius-server authentication
   e. Optional: Set the IP address, port number, key, and VPN instance of the standby AAA authentication server. Running this command several times configures multiple standby AAA authentication servers.
      radius-server authentication
   f. Set the IP address, port number, key, and VPN instance of the active AAA accounting server. Running this command several times configures multiple active AAA accounting servers.
      radius-server accounting
   g. Optional: Set the IP address, port number, key, and VPN instance of the standby AAA accounting server. Running this command several times configures multiple standby AAA accounting servers.
      radius-server accounting
   h. Return to the access view.
      quit
   i. Return to the system view.
      quit
   j. Specify an APN instance name and enter the APN view.
      apn
   k. Configure the VPN instance to which the APN belongs.
      vpn-instance
   l. Configure a client IP address for the APN.
      radius-client-ip
   m. Bind a RADIUS server group to the APN.
      radius-server group
   n. Return to the system view.
      quit


Verification

For details about how to verify the configurations, see Commissioning the IPSec Feature.
Example

Task Description
This example shows the interworking configurations between the UGW9811 and the AAA server in the outband networking mode with IPSec applied on the Gi interface.
In this example, ensure that the following requirements are met through data configuration on the UGW9811:

The UGW9811 uses an Eth-trunk interface working in active/standby mode to interwork with the AAA server.

The UGW9811 uses the default route to establish an IP connection with the AAA server.

The IPSec policy is applied to the Gi interface to secure data transmission between the UGW9811 and the AAA server.

Scripts
1. Create a VPN instance.

# Configure the VPN instance to which RADIUS signaling packets belong.
<UGW>system-view
[UGW]ip vpn-instance vpn_aaa
[UGW-vpn-instance-vpn_aaa]description vpn_aaa
[UGW-vpn-instance-vpn_aaa]ipv4-family
[UGW-vpn-instance-vpn_aaa-af-ipv4]route-distinguisher 1050:1
[UGW-vpn-instance-vpn_aaa-af-ipv4]quit
[UGW-vpn-instance-vpn_aaa]quit
# Configure the VPN instance to which data packets belong.
[UGW]ip vpn-instance vpn_pdn
[UGW-vpn-instance-vpn_pdn]description vpn_pdn
[UGW-vpn-instance-vpn_pdn]ipv4-family
[UGW-vpn-instance-vpn_pdn-af-ipv4]route-distinguisher 200:1
[UGW-vpn-instance-vpn_pdn-af-ipv4]quit
[UGW-vpn-instance-vpn_pdn]quit

2. Configure an Eth-trunk interface working in active/standby mode.

[UGW]interface eth-trunk5
[UGW-Eth-Trunk5]workmode backup
[UGW-Eth-Trunk5]description aaa_eth_trunk
[UGW-Eth-Trunk5]ip binding vpn-instance vpn_aaa
[UGW-Eth-Trunk5]ip address 10.3.37.94 255.255.255.240
[UGW-Eth-Trunk5]quit
[UGW]interface GigabitEthernet1/0/5
[UGW-GigabitEthernet1/0/5]eth-trunk 5
[UGW-GigabitEthernet1/0/5]description To_Router_A
[UGW-GigabitEthernet1/0/5]negotiation auto
[UGW-GigabitEthernet1/0/5]quit
[UGW]interface GigabitEthernet2/0/5
[UGW-GigabitEthernet2/0/5]eth-trunk 5
[UGW-GigabitEthernet2/0/5]description To_Router_B
[UGW-GigabitEthernet2/0/5]negotiation auto
[UGW-GigabitEthernet2/0/5]quit

3. Configure the IPSec data.

# Configure the data flows to be protected.
[UGW]acl number 3101
[UGW-acl-ipsec-3101]rule 10 permit udp source 81.10.254.22 0 source-port eq 1701 destination 211.1.128.23 0 destination-port eq 1701
[UGW-acl-ipsec-3101]quit
# Configure an IPSec proposal.
[UGW]ipsec proposal proposal_propo1
[UGW-ipsec-proposal-proposal_propo1]encapsulation-mode transport
[UGW-ipsec-proposal-proposal_propo1]esp authentication-algorithm sha2
[UGW-ipsec-proposal-proposal_propo1]esp encryption-algorithm 3des
[UGW-ipsec-proposal-proposal_propo1]quit
# Configure an IKE proposal.
[UGW]ike proposal 30
[UGW-ike-proposal-30]encryption-algorithm 3des
[UGW-ike-proposal-30]dh group2
[UGW-ike-proposal-30]authentication-algorithm sha2
[UGW-ike-proposal-30]sa duration 7200
[UGW-ike-proposal-30]quit
# Configure the IKE peer information.
[UGW]ike peer ike1
[UGW-ike-peer-ike1]ike-proposal 30
[UGW-ike-peer-ike1]pre-shared-key Local61L3
[UGW-ike-peer-ike1]local-id-type ip check disable
[UGW-ike-peer-ike1]remote-address 211.1.128.23
[UGW-ike-peer-ike1]ike dpd retry-interval 10
[UGW-ike-peer-ike1]quit
# Configure an IPSec policy.
[UGW]ipsec policy policy1 100 isakmp
[UGW-ipsec-policy-isakmp-policy1-100]security acl 3101
[UGW-ipsec-policy-isakmp-policy1-100]ike-peer ike1
[UGW-ipsec-policy-isakmp-policy1-100]proposal proposal_propo1
[UGW-ipsec-policy-isakmp-policy1-100]sa duration time-based 3600
[UGW-ipsec-policy-isakmp-policy1-100]quit
4. Configure the Gi interface.

[UGW]interface Giif3/1/6
[UGW-Giif3/1/6]ip binding vpn-instance vpn_aaa
[UGW-Giif3/1/6]ip address 81.10.254.22 255.255.255.255
[UGW-Giif3/1/6]ipsec policy policy1
[UGW-Giif3/1/6]quit

5. Configure the default route to the AAA server. The next hop is the virtual IP address of the VRRP group.

[UGW]ip route-static vpn-instance vpn_aaa 0.0.0.0 0.0.0.0 10.3.37.81

NOTE:
On the routers, you need to configure the static route to the Gi interface. The next hop is the IP address of the
Eth-trunk interface on the UGW9811.
6. Configure the AAA authentication/accounting servers.

[UGW]access-view
[UGW-access]radius-server group isprg
[UGW-access-radius-isprg]radius-server mode backup
[UGW-access-radius-isprg]radius-server authentication 10.168.10.1 port 1812 vpn-instance vpn_aaa key ispchina
[UGW-access-radius-isprg]radius-server accounting 10.168.10.1 port 1813 vpn-instance vpn_aaa key ispchina
[UGW-access-radius-isprg]quit
[UGW-access]quit
[UGW]apn apn1
[UGW-apn-apn1]vpn-instance vpn_pdn
[UGW-apn-apn1]radius-client-ip auth interface giif3/1/0
[UGW-apn-apn1]radius-client-ip acct interface giif3/1/0
[UGW-apn-apn1]radius-server group isprg
[UGW-apn-apn1]quit
[UGW]quit

7. Save the configurations.

<UGW>save
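The data planning table above ties several objects together: the ACL source must equal the Gi interface address, the ACL destination must equal the IKE peer's remote-address, and the policy and peer must reference proposals that exist. The following Python script is an added example, not part of this document or of the UGW9811 product, that reads a UGW-style script such as the one in the Scripts section and reports any of those cross-references that disagree; it also flags 3DES and DH group2, which are deprecated choices today. The prompt-name parsing and the `WEAK` set are assumptions of this example.

```python
import re
# Constructed sample input: this page's Scripts section, reduced to the lines the checks read.
SAMPLE_CONFIG = """\
[UGW-acl-ipsec-3101]rule 10 permit udp source 81.10.254.22 0 source-port eq 1701 destination 211.1.128.23 0 destination-port eq 1701
[UGW-ipsec-proposal-proposal_propo1]esp encryption-algorithm 3des
[UGW-ike-proposal-30]encryption-algorithm 3des
[UGW-ike-proposal-30]dh group2
[UGW-ike-peer-ike1]ike-proposal 30
[UGW-ike-peer-ike1]remote-address 211.1.128.23
[UGW-ipsec-policy-isakmp-policy1-100]security acl 3101
[UGW-ipsec-policy-isakmp-policy1-100]ike-peer ike1
[UGW-ipsec-policy-isakmp-policy1-100]proposal proposal_propo1
[UGW-Giif3/1/6]ip address 81.10.254.22 255.255.255.255
[UGW-Giif3/1/6]ipsec policy policy1
"""
WEAK = {"des", "3des", "md5", "group1", "group2"}  # deprecated IKE/ESP algorithm and DH group names (assumption)

def parse(config):
    # Index the script by object; the view name inside each prompt says which object a line configures.
    m = {"acl": {}, "ipsec": {}, "ike": {}, "peer": {}, "policy": {}, "iface": {}}
    for line in config.splitlines():
        if not (mo := re.match(r"\[UGW-?([^\]]*)\](.*)", line)) or len(w := mo[2].split()) < 2:
            continue
        if (v := re.match(r"acl-ipsec-(\d+)", mo[1])) and w[0] == "rule":
            m["acl"][v[1]] = {"src": w[w.index("source") + 1], "dst": w[w.index("destination") + 1]}
        elif (v := re.match(r"ipsec-proposal-(\S+)", mo[1])) and w[:2] == ["esp", "encryption-algorithm"]:
            m["ipsec"][v[1]] = w[2]
        elif v := re.match(r"ike-proposal-(\d+)", mo[1]):               # encryption-algorithm / dh / ...
            m["ike"].setdefault(v[1], {})[w[0]] = w[1]
        elif v := re.match(r"ike-peer-(\S+)", mo[1]):                   # ike-proposal / remote-address / ...
            m["peer"].setdefault(v[1], {})[w[0]] = w[1]
        elif v := re.match(r"ipsec-policy-isakmp-(\S+)-\d+", mo[1]):    # "security acl N", "ike-peer X", "proposal Y"
            m["policy"].setdefault(v[1], {})[w[-2]] = w[-1]
        elif (v := re.match(r"(Giif\S+)", mo[1])) and len(w) > 2:      # "ip address A M", "ipsec policy P"
            m["iface"].setdefault(v[1], {})[w[1]] = w[2]
    return m

def check(config):
    # Findings: cross-references the data planning table says must agree, plus weak algorithm choices.
    m, out = parse(config), []
    for name, iface in m["iface"].items():
        pol = m["policy"].get(iface.get("policy"), {})
        acl, peer = m["acl"].get(pol.get("acl"), {}), m["peer"].get(pol.get("ike-peer"), {})
        if acl.get("src") != iface.get("address"):            # tunnel source must be the Gi interface address
            out.append(f"{name}: ACL source {acl.get('src')} != interface address {iface.get('address')}")
        if acl.get("dst") != peer.get("remote-address"):      # tunnel destination must be the IKE peer (AAA server)
            out.append(f"{name}: ACL destination {acl.get('dst')} != IKE peer remote-address {peer.get('remote-address')}")
        if peer.get("ike-proposal") not in m["ike"]:          # peer's proposal number must name an existing IKE proposal
            out.append(f"{name}: IKE proposal {peer.get('ike-proposal')} is not defined")
        if pol.get("proposal") not in m["ipsec"]:             # policy's proposal must name an existing IPSec proposal
            out.append(f"{name}: IPSec proposal {pol.get('proposal')} is not defined")
    out += [f"ipsec proposal {n}: weak esp encryption-algorithm {a}" for n, a in m["ipsec"].items() if a in WEAK]
    out += [f"ike proposal {n}: weak {k} {v}" for n, attrs in m["ike"].items() for k, v in attrs.items() if v in WEAK]
    return out
```

Run against the page's own values, the script reports no cross-reference mismatches but three weak-algorithm findings (ESP 3DES, IKE 3DES, DH group2); changing any single address or proposal number produces a mismatch finding for the Gi interface.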
