
Huawei

AR100&AR120&AR150&AR160&AR200&AR1200&AR
2200&AR3200&AR3600 Series Enterprise Routers
Typical Configuration Examples 5 Using VPN to Implement WAN Interconnection

5 Using VPN to Implement WAN Interconnection

About This Chapter

5.1 L2TP
5.2 GRE
5.3 DSVPN
5.4 IPSec
5.5 SSL VPN
5.6 BGP/MPLS IP VPN
5.7 VLL
5.8 PWE3

Issue V2.2 (2017-02-28) Huawei Proprietary and Confidential 145


Copyright © Huawei Technologies Co., Ltd.

5.1 L2TP

5.1.1 Example for Configuring L2TP to Implement Communication Between the Headquarters and Users in Different Domains of the Branch

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-1, users on enterprise branches LAN1 and LAN2 connect to the LAC
using PPPoE and initiate connections with enterprise headquarters LAN3.
Two domains are configured on the LAC: aaa.com and bbb.com. Users in the domain aaa.com
are located on the network segment 10.1.1.0/24 and users in the domain bbb.com are located
on the network segment 10.2.1.0/24.
There is a reachable route from the LNS to the LAC and a tunnel is set up between the LNS
and the LAC. After access users are authenticated, the LNS allocates IP addresses and
gateway addresses to the access users.

Figure 5-1 Networking diagram of multi-domain access

[Figure: PC1 (user1@aaa.com) on LAN 1 and PC2 (user2@bbb.com) on LAN 2 connect over PPPoE to LAC GE2/0/0 and GE3/0/0. LAC GE1/0/0 202.1.1.2/24 connects to LNS GE1/0/0 202.1.1.1/24 over two tunnels: L2TP Group1 (lac1 to lns, terminating on LNS VT1 10.1.1.1/24) and L2TP Group2 (lac2 to lns, terminating on LNS VT2 10.2.1.1/24). LNS GE2/0/0 10.3.1.1/24 connects to PC3 10.3.1.2/24 on LAN 3.]

Procedure
Step 1 Configure the LAC.
#
 sysname LAC
#
 l2tp enable //Enable L2TP.
#
aaa
 authentication-scheme lmt
 domain aaa.com
  authentication-scheme lmt
 domain bbb.com
  authentication-scheme lmt
 local-user user1@aaa.com password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
 local-user user1@aaa.com service-type ppp
 local-user user1@aaa.com privilege level 0
 local-user user2@bbb.com password cipher %@%@qh-<X%_2QB+^!UR+UkxUA/6<%@%@
 local-user user2@bbb.com privilege level 0
 local-user user2@bbb.com service-type ppp //Configure local user names and passwords on the PPPoE server.
#
interface Virtual-Template1 //Create a virtual template interface VT1 and set parameters for the PPPoE server.
 ppp authentication-mode chap //Set the authentication mode to CHAP.
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 pppoe-server bind Virtual-Template 1 //Enable the PPPoE server on the interface, import the parameters configured on VT1, and authenticate dialup users.
#
interface GigabitEthernet3/0/0
 pppoe-server bind Virtual-Template 1
#
l2tp-group 1 //Create an L2TP group and set parameters for L2TP tunnel setup.
 tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@ //Enable tunnel authentication, and set the cipher password to huawei, which is the same as that on the peer device.
 tunnel name lac1 //Set the tunnel name to lac1, which is identified by the peer LNS.
 start l2tp ip 202.1.1.1 domain aaa.com //Initiate L2TP tunnel setup to the peer device. This example assumes that the domain name of access users is aaa.com.
#
l2tp-group 2
 tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
 tunnel name lac2
 start l2tp ip 202.1.1.1 domain bbb.com
#

Step 2 Configure the LNS.
#
 sysname LNS
#
 l2tp enable
#
ip pool 1 //Create IP address pool 1 from which IP addresses are allocated to access users.
 gateway-list 10.1.1.1 //Configure the gateway address.
 network 10.1.1.0 mask 255.255.255.0 //Specify the IP address range.
#
ip pool 2
 gateway-list 10.2.1.1
 network 10.2.1.0 mask 255.255.255.0
#
aaa
 local-user user1@aaa.com password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
 local-user user1@aaa.com privilege level 0
 local-user user1@aaa.com service-type ppp
 local-user user2@bbb.com password cipher %@%@qh-<X%_2QB+^!UR+UkxUA/6<%@%@
 local-user user2@bbb.com privilege level 0
 local-user user2@bbb.com service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode chap
 remote address pool 1 //Import the IP address pool. The PPPoE server then allocates IP addresses from the IP address pool to the authenticated users.
 ip address 10.1.1.1 255.255.255.0 //Configure the gateway address for the address pool.
#
interface Virtual-Template2
 ppp authentication-mode chap
 remote address pool 2
 ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.3.1.1 255.255.255.0
#
l2tp-group 1
 allow l2tp virtual-template 1 remote lac1 //Specify the name of the remote end of the tunnel and the virtual template used by the remote end.
 tunnel password cipher %@%@eS*)0t-0D!,~pa;IPll=3liC%@%@
 tunnel name lns
#
l2tp-group 2
 allow l2tp virtual-template 2 remote lac2
 tunnel password cipher %@%@Cyor,=OAk#tWwA;%2\!W3lwj%@%@
 tunnel name lns
#

Step 3 Verify the configuration.

# Run the display l2tp session command on the LNS. You can see that two sessions are set up.

# PC1 and PC2 can ping PC3 successfully.

----End

Configuration Notes
- An L2TP group is created for each domain, and different L2TP groups have different tunnel names.
- An L2TP group uses tunnel authentication by default, and the passwords at both ends of the tunnel must be the same.
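The second note above follows from the L2TP control-connection handshake: when tunnel authentication is on, each side proves knowledge of the tunnel password with a CHAP-style challenge and response, so a mismatch fails before any session is created. The following Python script is an added example, not from the Huawei guide; it simulates that exchange between a LAC and an LNS. The tunnel names and the password huawei are constructed from this example's values, and the message-type values (SCCRP = 2, SCCCN = 3) and the MD5 construction follow RFC 2661.

```python
"""Simulation of L2TP tunnel authentication (RFC 2661 Challenge / Challenge Response AVPs).

Added example: shows why the tunnel passwords configured on the LAC and LNS must match.
"""
import hashlib
import hmac
import os

# Control message types that carry a Challenge Response AVP; the response is bound to the type.
SCCRP = 2  # Start-Control-Connection-Reply, sent by the LNS
SCCCN = 3  # Start-Control-Connection-Connected, sent by the LAC


def challenge_response(message_type: int, tunnel_password: str, challenge: bytes) -> bytes:
    """16-octet response = MD5(message type || tunnel password || challenge).

    RFC 2661 reuses the CHAP (RFC 1994) construction, with the CHAP Identifier
    replaced by the L2TP message type that carries the response.
    """
    return hashlib.md5(bytes([message_type]) + tunnel_password.encode() + challenge).digest()


class TunnelEndpoint:
    """One end of an L2TP control connection, holding its `tunnel password`."""

    def __init__(self, tunnel_name: str, tunnel_password: str) -> None:
        self.tunnel_name = tunnel_name
        self.tunnel_password = tunnel_password
        self.sent_challenge = b""

    def new_challenge(self) -> bytes:
        # Random value carried in the Challenge AVP of SCCRQ or SCCRP.
        self.sent_challenge = os.urandom(16)
        return self.sent_challenge

    def respond(self, message_type: int, challenge: bytes) -> bytes:
        return challenge_response(message_type, self.tunnel_password, challenge)

    def verify(self, message_type: int, response: bytes) -> bool:
        expected = challenge_response(message_type, self.tunnel_password, self.sent_challenge)
        # Constant-time comparison: the check itself leaks nothing about the expected value.
        return hmac.compare_digest(expected, response)


def establish_tunnel(lac: TunnelEndpoint, lns: TunnelEndpoint) -> bool:
    """Run the SCCRQ / SCCRP / SCCCN exchange; True only if both directions verify."""
    lac_challenge = lac.new_challenge()               # SCCRQ carries the LAC's challenge
    lns_response = lns.respond(SCCRP, lac_challenge)  # SCCRP answers it ...
    lns_challenge = lns.new_challenge()               # ... and carries the LNS's own challenge
    if not lac.verify(SCCRP, lns_response):
        return False                                  # LAC tears the control connection down
    lac_response = lac.respond(SCCCN, lns_challenge)  # SCCCN answers the LNS's challenge
    return lns.verify(SCCCN, lac_response)


if __name__ == "__main__":
    # Constructed endpoints using the example's tunnel names and password.
    print("matching passwords:",
          establish_tunnel(TunnelEndpoint("lac1", "huawei"), TunnelEndpoint("lns", "huawei")))
    print("mismatched passwords:",
          establish_tunnel(TunnelEndpoint("lac2", "huawei"), TunnelEndpoint("lns", "wrong")))
```

The same shared secret is used on both the LAC-side and LNS-side checks, which is why the guide requires an identical `tunnel password` under each l2tp-group pair (Group1 and Group2 may use different passwords from each other, but each must match its peer).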

5.1.2 Example for Configuring L2TP to Implement Communication Between the Headquarters and Branches and IPSec to Encrypt Data Transmitted Between the Headquarters Servers and Branches

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-2, an enterprise has some branches located in other cities, and the branches use the Ethernet network.

The enterprise requires that the headquarters should provide VPDN services for branch users, so that the branch users can access the headquarters network. When branch users access intranet servers on the headquarters network, data should be encrypted to prevent data leaks.

To meet these requirements, you can configure the LAC to initiate an L2TP connection request to the LNS. Then you can configure IPSec to protect data exchanged between branch users and intranet servers. IPSec-encrypted data is transmitted over the L2TP tunnel between the LAC and LNS.

Figure 5-2 IPSec over L2TP networking

[Figure: Branch LAN behind LAC GE2/0/0 10.2.1.1/24. LAC GE1/0/0 1.1.1.1/24 connects across the Internet to LNS GE1/0/0 1.1.2.1/24; the L2TP tunnel runs between LAC VT1 and LNS VT1 10.1.1.1/24. LNS GE2/0/0 10.4.1.2/24 connects to Router_1 GE1/0/0 10.4.1.1/24, and Router_1 GE2/0/0 10.3.1.1/24 connects to the headquarters server. The IPSec tunnel between the LAC and Router_1 is carried inside the L2TP tunnel (IPSec over L2TP).]

Procedure
Step 1 Configure the LAC.
#
 sysname LAC
#
 l2tp enable //Enable L2TP.
#
acl number 3000 //Configure an ACL.
 rule 0 permit ip source 10.2.1.0 0.0.0.255 destination 10.3.1.0 0.0.0.255
#
ipsec proposal lac //Create an IPSec proposal.
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
#
ike peer lac v1 //Create an IKE peer.
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
 remote-address 10.4.1.1 //Specify the IP address of the remote IPSec interface.
#
ipsec policy lac 1 isakmp //Create an IPSec policy.
 security acl 3000
 ike-peer lac
 proposal lac
#
interface Virtual-Template1 //Create a virtual tunnel template.
 ppp chap user huawei //Set the user name of the virtual PPP user to huawei.
 ppp chap password cipher %@%@\;#%<c~6Y%cNZK/h.pK%:>Uo%@%@ //Set the password of the virtual PPP user to Huawei@1234.
 ip address ppp-negotiate //Configure IP address negotiation.
 l2tp-auto-client enable //Enable the virtual PPP user to initiate an L2TP connection request.
 ipsec policy lac //Apply the IPSec policy.
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.2.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set related attributes.
 tunnel password cipher %@%@7v&1O#yr\#gl]w=Rk^uY:>@"%@%@ //Enable tunnel authentication and set the cipher-text password to huawei, which is the same as the password specified on the remote device.
 tunnel name lac
 start l2tp ip 1.1.2.1 fullusername huawei
#
ip route-static 10.3.1.0 255.255.255.0 Virtual-Template1 10.1.1.1 //Configure static routes.
ip route-static 10.4.1.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure the LNS.
#
 sysname LNS
#
 l2tp enable //Enable L2TP.
#
ip pool 1 //Create an IP address pool.
 gateway-list 10.1.1.1
 network 10.1.1.0 mask 255.255.255.0
#
aaa //Create a local user and set the user name and password to huawei and Huawei@1234.
 local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user huawei privilege level 0
 local-user huawei service-type ppp
#
interface Virtual-Template1 //Create a virtual tunnel template.
 ppp authentication-mode chap
 remote address pool 1
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.4.1.2 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set related attributes.
 allow l2tp virtual-template 1 remote lac
 tunnel password cipher %@%@FN15@5D_BGc=v"2~0=iJ,b+H%@%@ //Enable tunnel authentication and set the cipher-text password to huawei, which is the same as the password specified on the remote device.
 tunnel name lns
#
ip route-static 10.2.1.0 255.255.255.0 Virtual-Template1 //Configure static routes.
ip route-static 10.3.1.0 255.255.255.0 10.4.1.1
#
return

Step 3 Configure Router_1.
#
 sysname Router_1
#
acl number 3000 //Configure an ACL.
 rule 0 permit ip source 10.3.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal lac1 //Create an IPSec proposal.
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
#
ike peer lac1 v1 //Create an IKE peer.
 pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Set the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
#
ipsec policy-template temp 1 //Create an IPSec policy template. The LAC's VT1 address is obtained through PPP negotiation, so no remote address is configured here and Router_1 responds to the negotiation initiated by the LAC.
 security acl 3000
 ike-peer lac1
 proposal lac1
#
ipsec policy lac1 1 isakmp template temp //Create an IPSec policy that references the template.
#
interface GigabitEthernet1/0/0
 ip address 10.4.1.1 255.255.255.0
 ipsec policy lac1 //Bind the IPSec policy to the interface.
#
interface GigabitEthernet2/0/0
 ip address 10.3.1.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 10.4.1.2 //Configure static routes.
ip route-static 10.2.1.0 255.255.255.0 10.4.1.2
#
return

Step 4 Verify the configuration.

# Run the display l2tp tunnel command on the LAC or LNS. You can see that an L2TP tunnel and a session numbered 1 have been established.

# Run the display ike sa command on the LAC or Router_1. In the command output, Flag(s) is displayed as RD, indicating that an SA has been established successfully; Phase is displayed as 1 and 2.

# The headquarters and branch can ping each other.

----End

Configuration Notes
- The LAC and LNS must use the same user name and password.
- On the LAC, the IPSec policy must be bound to the VT1 interface.
- When you configure a static route on the LAC, the outbound interface in the route destined to the headquarters network segment must be the VT1 interface.

5.1.3 Example for Configuring L2TP over IPSec to Implement Secure Communication Between the Branch and Headquarters

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-3, users connect to the LNS to access the headquarters network through the LAC. Data exchanged between the LAC and LNS is encrypted by IPSec.


Figure 5-3 Networking diagram of L2TP over IPSec

[Figure: PC 192.168.1.2/24 on LAN 192.168.1.0/24 behind the LAC (tunnel name lac). LAC GE1/0/0 12.1.1.2/24 connects to LNS GE1/0/0 12.1.1.1/24 over L2TP over IPSec; the L2TP tunnel terminates on LNS VT1 13.1.1.1/24. LNS GE2/0/0 192.168.0.1/24 connects to the headquarters server 192.168.0.2/24.]

Procedure
Step 1 Configure the LAC.
#
 sysname LAC
#
 l2tp enable //Enable L2TP.
#
acl number 3000 //Configure an ACL.
 rule 0 permit ip source 12.1.1.2 0 destination 12.1.1.1 0 //Configure an ACL rule that defines the source and destination IP addresses.
#
ipsec proposal lac //Configure an IPSec proposal.
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
#
ike peer lac v1 //Configure an IKE peer.
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei, and the password is displayed in plain text.
 remote-address 12.1.1.1 //Configure the WAN-side interface address of the LNS as the remote address.
#
ipsec policy lac 1 isakmp //Configure an IPSec policy.
 security acl 3000
 ike-peer lac
 proposal lac
#
interface GigabitEthernet1/0/0 //Assign an IP address to the WAN-side interface.
 ip address 12.1.1.2 255.255.255.0
 ipsec policy lac //Bind the IPSec policy.
#
interface GigabitEthernet2/0/0 //Assign an IP address to the LAN-side interface.
 ip address 192.168.1.1 255.255.255.0
#
interface Virtual-Template1 //Configure the user name and password, authentication mode, and IP address for the virtual PPP user.
 ppp chap user huawei
 ppp chap password cipher %^%#'&=6Q(|7-#|.]EB`mK$(h7[CY`2m}-YT)Q=Oh2~2%^%#
 ip address ppp-negotiate //Obtain an IP address for the interface through PPP negotiation.
 l2tp-auto-client enable //Enable the virtual PPP user on the LAC to initiate an L2TP tunnel.
#
l2tp-group 1 //Configure an L2TP group and set attributes.
 tunnel password cipher %@%@d'o6Xpp(i/i:WRC)`'0#3nJ*%@%@ //Enable tunnel authentication, and set the cipher password to huawei, which is the same as that on the peer device.
 tunnel name LAC
 start l2tp ip 12.1.1.1 fullusername huawei
#
ip route-static 192.168.0.0 255.255.255.0 Virtual-Template1 //Configure a static route.
#
return

Step 2 Configure the LNS.
#
 sysname LNS
#
 l2tp enable
#
acl number 3000 //Configure an ACL.
 rule 0 permit ip source 12.1.1.1 0 destination 12.1.1.2 0
#
ipsec proposal lns //Configure an IPSec proposal.
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
#
ike peer lns v1 //Configure an IKE peer.
 pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei, and the password is displayed in plain text.
 remote-address 12.1.1.2
#
ipsec policy lns 1 isakmp //Configure an IPSec policy.
 security acl 3000
 ike-peer lns
 proposal lns
#
ip pool 1 //Configure an IP address pool.
 gateway-list 13.1.1.1
 network 13.1.1.0 mask 255.255.255.0
#
aaa //Configure a local user.
 local-user huawei password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
 local-user huawei privilege level 0
 local-user huawei service-type ppp
#
interface Virtual-Template1 //Configure a virtual template interface, and configure the authentication mode, IP address, and interface address pool.
 ppp authentication-mode chap
 remote address pool 1
 ip address 13.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0 //Assign an IP address to the WAN-side interface.
 ip address 12.1.1.1 255.255.255.0
 ipsec policy lns //Bind the IPSec policy.
#
interface GigabitEthernet2/0/0 //Assign an IP address to the LAN-side interface.
 ip address 192.168.0.2 255.255.255.0
#
l2tp-group 1 //Configure an L2TP group and set attributes.
 allow l2tp virtual-template 1 remote LAC
 tunnel password cipher %@%@5j*=S&AGSK'J}kG])REK]_-o%@%@ //Enable tunnel authentication, and set the cipher password to huawei, which is the same as that on the peer device.
 tunnel name LNS
#
ip route-static 192.168.1.0 255.255.255.0 Virtual-Template1 //Configure a static route.
#
return

Step 3 Verify the configuration.


# Run the display ike sa command on the LAC or LNS to view SA setup.
# Run the dis l2tp session command on the LAC or LNS to view L2TP session setup.
# The LAC and LNS can successfully ping each other.

----End

Configuration Notes
- The LAC and LNS must use the same user name and password.
- The IPSec policy is bound to the external network interface. Packets are encapsulated with the L2TP header first, and then with the IPSec header.
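The encapsulation order chosen in 5.1.2 (IPSec over L2TP, policy bound to VT1) and in 5.1.3 (L2TP over IPSec, policy bound to the WAN interface) decides what a passive observer on the WAN link can read. The Python script below is an added example, not from the Huawei guide: it constructs three packets with the addresses used in these examples (dummy ESP ciphertext; the LAC's VT1 address 10.1.1.2 in the 5.1.2 case is an assumption, since it is allocated from pool 1) and classifies each one by parsing the outer IPv4, UDP/1701, L2TPv2 and PPP headers.

```python
"""Classify WAN packets by encapsulation order: L2TP over IPSec vs IPSec over L2TP (added example)."""
import struct

IPPROTO_ICMP = 1
IPPROTO_UDP = 17
IPPROTO_ESP = 50
L2TP_UDP_PORT = 1701
PPP_PROTO_IPV4 = 0x0021


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left as zero) followed by the payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ip_to_bytes(src), ip_to_bytes(dst)) + payload


def esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP: SPI and sequence number in clear, everything after them encrypted (dummy here)."""
    return struct.pack("!II", spi, seq) + ciphertext


def l2tp_data(tunnel_id: int, session_id: int, ppp_proto: int, inner: bytes) -> bytes:
    """UDP/1701 + L2TPv2 data header (no L/S/O bits) + PPP frame with HDLC address/control."""
    l2tp = struct.pack("!HHH", 0x0002, tunnel_id, session_id)
    ppp = b"\xff\x03" + struct.pack("!H", ppp_proto) + inner
    udp = struct.pack("!HHHH", L2TP_UDP_PORT, L2TP_UDP_PORT, 8 + len(l2tp) + len(ppp), 0)
    return udp + l2tp + ppp


def parse_ipv4(pkt: bytes):
    header_len = (pkt[0] & 0x0F) * 4
    return pkt[9], bytes_to_ip(pkt[12:16]), bytes_to_ip(pkt[16:20]), pkt[header_len:]


def classify(pkt: bytes) -> dict:
    """Return the encapsulation order and what an observer on the WAN link can read."""
    proto, src, dst, payload = parse_ipv4(pkt)
    result = {"outer": f"{src} -> {dst}", "order": "other", "visible": "outer IP header only"}
    if proto == IPPROTO_ESP:
        spi = struct.unpack("!I", payload[:4])[0]
        result.update(order="l2tp-over-ipsec", visible=f"ESP SPI 0x{spi:08x}; L2TP, PPP and user data encrypted")
        return result
    if proto != IPPROTO_UDP:
        return result
    sport, dport = struct.unpack("!HH", payload[:4])
    if L2TP_UDP_PORT not in (sport, dport):
        return result
    l2tp = payload[8:]
    flags = struct.unpack("!H", l2tp[:2])[0]
    if (flags & 0x000F) != 2:                      # only L2TPv2 is handled here
        return result
    if flags & 0x8000:                             # T bit: control message
        result.update(order="l2tp-control", visible="L2TP control message in clear")
        return result
    pos = 2
    if flags & 0x4000:                             # L bit: Length field present
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", l2tp[pos:pos + 4])
    pos += 4
    if flags & 0x0800:                             # S bit: Ns/Nr present
        pos += 4
    if flags & 0x0200:                             # O bit: Offset Size plus padding present
        pos += 2 + struct.unpack("!H", l2tp[pos:pos + 2])[0]
    ppp = l2tp[pos:]
    if ppp[:2] == b"\xff\x03":                     # strip HDLC address/control if present
        ppp = ppp[2:]
    ppp_proto = struct.unpack("!H", ppp[:2])[0]
    ids = f"tunnel {tunnel_id}/session {session_id}"
    if ppp_proto != PPP_PROTO_IPV4:
        result.update(order="l2tp-ppp", visible=f"{ids}, PPP protocol 0x{ppp_proto:04x} in clear")
        return result
    inner_proto, inner_src, inner_dst, _ = parse_ipv4(ppp[2:])
    if inner_proto == IPPROTO_ESP:
        result.update(order="ipsec-over-l2tp", visible=f"{ids} and inner ESP {inner_src} -> {inner_dst}; user data encrypted")
    else:
        result.update(order="l2tp-cleartext", visible=f"{ids} and user IP {inner_src} -> {inner_dst} in clear")
    return result


# Constructed samples. Example 5.1.2 (IPSec over L2TP): LAC 1.1.1.1 -> LNS 1.1.2.1 carries L2TP;
# inside PPP, ESP from the LAC's VT1 address (assumed 10.1.1.2, from pool 1) to Router_1 10.4.1.1.
IPSEC_OVER_L2TP = ipv4("1.1.1.1", "1.1.2.1", IPPROTO_UDP, l2tp_data(
    1, 1, PPP_PROTO_IPV4, ipv4("10.1.1.2", "10.4.1.1", IPPROTO_ESP, esp(0x1234, 1, b"\x00" * 32))))
# Example 5.1.3 (L2TP over IPSec): LAC 12.1.1.2 -> LNS 12.1.1.1 is ESP; the L2TP tunnel is inside it.
L2TP_OVER_IPSEC = ipv4("12.1.1.2", "12.1.1.1", IPPROTO_ESP, esp(0xABCD, 7, b"\x00" * 64))
# Example 5.1.1 style (L2TP only): an ICMP echo from a PPPoE user to PC3 crosses the WAN in clear.
L2TP_PLAIN = ipv4("202.1.1.2", "202.1.1.1", IPPROTO_UDP, l2tp_data(
    2, 5, PPP_PROTO_IPV4, ipv4("10.1.1.2", "10.3.1.2", IPPROTO_ICMP, b"\x08\x00" + b"\x00" * 6)))
```

Running `classify` on the three samples shows the practical difference: with L2TP over IPSec the tunnel and session IDs, the PPP protocol and the user addresses are all hidden inside ESP, whereas with IPSec over L2TP the L2TP and PPP headers and the inner ESP endpoints stay readable on the WAN and only the user payload is protected, and with plain L2TP (as in 5.1.1) everything is in clear.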

5.1.4 Example for Configuring an L2TP Tunnel for Remote Dial-Up Users to Connect to the Headquarters

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-4, the physical locations of traveling employees often change, and they need to communicate with the headquarters and access internal resources at any time. L2TP is deployed on the enterprise network and traveling employees connect to the enterprise network through dialup so that the headquarters gateway can identify and manage access users. In this example, the PC runs the Windows 7 operating system.
After an L2TP connection is set up, employees can only access internal resources. To ensure that traveling employees can access external resources after successful dialup, configure NAT on the LNS.


Figure 5-4 Networking for configuring remote dialup users to connect to the external network through the L2TP tunnel

[Figure: Traveling employee PC1 (L2TP dialup software) 202.1.2.1/24 connects across the Internet to LNS GE1/0/0 202.1.1.1/24; the L2TP tunnel terminates on LNS VT1 192.168.1.1/24. The enterprise headquarters behind the LNS contains the DNS server 10.10.10.10/24 and PC2 192.168.2.2/24.]

Procedure
Step 1 Configure the LNS.
#
 sysname LNS
#
 l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT so that the addresses allocated by L2TP are translated.
 rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
 gateway-list 192.168.1.1
 network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
 local-user huawei password cipher
 local-user huawei privilege level 0
 local-user huawei service-type ppp
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
 nat outbound 2001 //Configure outbound NAT for Internet access.
#
interface Virtual-Template1 //Create a virtual template interface and set the PPP parameters for dialup users.
 ppp authentication-mode chap
 remote address pool lns
 ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so that employees can access external resources using domain names.
 ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set parameters for creating an L2TP tunnel.
 undo tunnel authentication //The non-authentication mode is recommended for PC dialup.
 allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return


Step 2 Configure Windows 7.


# Modify the Windows registry and disable the digital certificate authentication function.
Choose Start > Run and enter regedit to open the Registry Editor. Open Parameters in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\, create
DWORD and set the name and value to ProhibitIpSec and 1 respectively. After modifying
the parameters, restart the PC.

# Create an L2TP network connection.


Choose Start > Run > Network and Sharing Center, click Set Up a Connection or
Network, choose Connect to a workplace, and click Next.


Click Use my Internet connection (VPN).

Click I'll set up an Internet connection later.


Enter an Internet address which is the IP address of the LNS (202.1.1.1), enter a destination
name (for example, L2TP) as the network connection name, and click Next. You can
customize a destination name.

Enter the user name huawei and password Huawei@1234 and click Create.


NOTE

You do not need to set the domain.

Click Close.

# Set authentication parameters for the L2TP connection.


Choose Start > Run > Network and Sharing Center and click Connect to a network. The
created L2TP connection is displayed. Right-click L2TP and choose Properties to set
connection parameters.
You do not need to modify parameters on the General tab.

Select Display progress while connecting and Prompt for name and password certificate,
etc on the Options tab.

NOTE

Do not change the parameters that are displayed after you click PPP Settings.


On the Security tab, select Automatic or Layer 2 Tunneling Protocol with IPsec for Type
of VPN.
Select Unencrypted password [PAP], Challenge Handshake Authentication Protocol
[CHAP], and Microsoft CHAP Version 2 [MS-CHAP v2] in Allow these protocols.

NOTE

If you click Advanced settings, a dialog box is displayed on which you can set the IPSec pre-shared
key. Do not set the IPSec pre-shared key here.


You do not need to modify settings on the Networking and Sharing tabs.
Choose Start > Run > Network and Sharing Center and click Connect to a network. The
created L2TP connection is displayed. Right-click L2TP, enter the user name and password,
and click Connect.


Step 3 Verify the configuration.

# After the configurations are complete, PC1 can obtain the private IP address 192.168.1.254,
and can communicate with headquarters PC and access external resources.

----End

Configuration Notes

Note the following points:

- Because enterprise users use PCs to connect to the enterprise network, tunnel authentication cannot be configured.
- Add the network segment where employees requiring Internet access are located to an ACL and perform NAT on it.
- To ensure that employees can use domain names to access external resources, configure the LNS IP address as the DNS server IP address on the virtual template interface.
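Two of the ACL conventions in this chapter are easy to get wrong by hand: in 5.1.2 and 5.1.3 the `security acl` rule on one IPSec peer is the mirror image (source and destination swapped) of the rule on the other peer, and in 5.1.4 and 5.1.5 the NAT ACL on the LNS has to cover the whole address pool handed to dialup users. The following Python script is an added example, not from the Huawei guide: it parses the `rule ... permit` lines exactly as they appear in these configurations and checks both properties. The rule lines embedded at the bottom are copied from the examples; the function names are this example's own.

```python
"""Consistency checks for the ACLs that drive IPSec and NAT in the L2TP examples (added example)."""
import ipaddress
import re

# Advanced ACL (3000-3999) rule with source and destination; basic ACL (2000-2999) with source only.
ADVANCED_RULE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")
BASIC_RULE = re.compile(r"rule\s+\d+\s+permit\s+source\s+(\S+)\s+(\S+)")


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an address plus Huawei wildcard mask (0 bit = must match, 1 bit = don't care).

    The examples write a host wildcard as a bare `0`; a contiguous wildcard maps to a prefix.
    """
    bits = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    prefix_len = 32 - bits.bit_length()
    if bits != (1 << (32 - prefix_len)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be expressed as a prefix")
    return ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)


def parse_advanced_rule(line: str):
    match = ADVANCED_RULE.search(line)
    if not match:
        raise ValueError(f"not an advanced permit rule: {line!r}")
    return wildcard_to_network(match[1], match[2]), wildcard_to_network(match[3], match[4])


def parse_basic_rule(line: str) -> ipaddress.IPv4Network:
    match = BASIC_RULE.search(line)
    if not match:
        raise ValueError(f"not a basic permit rule: {line!r}")
    return wildcard_to_network(match[1], match[2])


def ipsec_acls_mirror(local_rule: str, peer_rule: str) -> bool:
    """True when the peer's rule is the local rule with source and destination swapped,
    which is what lets both ends agree on the same protected traffic during IKE phase 2."""
    local_src, local_dst = parse_advanced_rule(local_rule)
    peer_src, peer_dst = parse_advanced_rule(peer_rule)
    return local_src == peer_dst and local_dst == peer_src


def nat_acl_covers_pool(nat_rule: str, pool_network: str, pool_mask: str) -> bool:
    """True when every address the `ip pool` can allocate matches the NAT ACL rule."""
    pool = ipaddress.ip_network(f"{pool_network}/{pool_mask}", strict=False)
    return pool.subnet_of(parse_basic_rule(nat_rule))


if __name__ == "__main__":
    # Rule lines copied from the examples above.
    print(ipsec_acls_mirror(
        "rule 0 permit ip source 10.2.1.0 0.0.0.255 destination 10.3.1.0 0.0.0.255",   # LAC, 5.1.2
        "rule 0 permit ip source 10.3.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255"))  # Router_1, 5.1.2
    print(ipsec_acls_mirror(
        "rule 0 permit ip source 12.1.1.2 0 destination 12.1.1.1 0",   # LAC, 5.1.3
        "rule 0 permit ip source 12.1.1.1 0 destination 12.1.1.2 0"))  # LNS, 5.1.3
    print(nat_acl_covers_pool("rule 5 permit source 192.168.1.0 0.0.0.255",
                              "192.168.1.0", "255.255.255.0"))          # LNS, 5.1.4 and 5.1.5
```

A pool that is wider than the NAT ACL is a common cause of "dialup works, Internet does not": the affected users get an address that is never translated, so their packets leave GE1/0/0 with a private source address.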


5.1.5 Example for Establishing an L2TP Tunnel Between a Remote Dialup User and the Headquarters Based on the Authentication Domain (Windows XP)

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-5, the physical locations of traveling employees often change, and they need to communicate with the headquarters at any time. L2TP is deployed on the enterprise network and traveling employees connect to the enterprise network through dialup so that the headquarters gateway can identify and manage access users. In this example, the PC runs the Windows XP operating system.
After an L2TP connection is set up, employees can only access internal resources. To ensure that traveling employees can access external resources after successful dialup, configure NAT on the LNS.

Figure 5-5 Establishing an L2TP tunnel between a remote dialup user and the headquarters based on the authentication domain

[Figure: Traveling employee PC1 (L2TP dialup software) 202.1.2.1/24 connects across the Internet to LNS GE1/0/0 202.1.1.1/24; the L2TP tunnel terminates on LNS VT1 192.168.1.1/24. The enterprise headquarters behind the LNS contains the DNS server 10.10.10.10/24 and PC2 192.168.2.2/24.]

Procedure
Step 1 Configure the LNS.
#
 sysname LNS
#
 l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT so that the addresses allocated by L2TP are translated.
 rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
 gateway-list 192.168.1.1
 network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
 authentication-scheme lmt
 domain huawei.com
  authentication-scheme lmt
 local-user 123456789@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user 123456789@huawei.com privilege level 0
 local-user 123456789@huawei.com service-type ppp
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
 nat outbound 2001 //Configure outbound NAT for Internet access.
#
interface Virtual-Template1 //Create a VT and set dialup parameters.
 ppp authentication-mode chap domain huawei.com //Configure authentication with domain names.
 remote address pool lns
 ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so that employees can access external resources using domain names.
 ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
 undo tunnel authentication //The non-authentication mode is recommended for PC dialup.
 allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return

Step 2 Configure Windows XP.


1. Modify the Windows registry and disable the digital certificate authentication function.
Choose Start > Run, enter regedit, and find the HKEY_LOCAL_MACHINE
\SYSTEM\CurrentControlSet\services\RasMan\Parameters directory. Right-click
Parameters and choose Create. In the dialog box that is displayed, click DWORD (32
bit) Value. In the dialog box that is displayed, set Value name to ProhibitIpSec and
Value data to 1. Restart the PC after modification is complete.


2. Create an L2TP network connection.


a. Access Network Connections, click Create a new connection to display New
Connection Wizard, and click Next.

b. Select Connect to the network at my workplace, and click Next.


c. Select Virtual Private Network connection and click Next.


d. Fill in the company name as the connection name. For example, fill in L2TP and
click Next.

e. Fill in the IP address 202.1.1.1 and click Next.


f. Select My use only and click Next.

g. Click Finish. The Connect L2TP page is displayed.


3. Configure authentication parameters for the L2TP connection.


a. Click L2TP Properties to configure parameters for the connection.

Do not change parameters on the General and Options tab pages.

b. Click the Security tab page, select Advanced (custom settings), and click
Settings.
NOTE

If you click IPSec Settings on the page, the IPSec Settings page is displayed for you to set a
pre-shared key for authentication. Do not set a pre-shared key here.

Select the following items for Allow these protocols.

c. Click Networking, and set Type of VPN to the default Auto or L2TP IPSec VPN.
Do not change any configurations on the Advanced tab page.

d. On the Network Connections page, double-click L2TP you have created, enter a
user name and password, and click Connect.

Step 3 Verify the configuration.

# After the configurations are complete, PC1 can obtain the private IP address 192.168.1.254,
communicate with the headquarters PC, and access external resources.

----End

Configuration Notes
- Because enterprise users use PCs to connect to the enterprise network, tunnel
authentication cannot be configured.
- Add the network segment where employees requiring Internet access are located to an
ACL and perform NAT.
- To ensure that employees can use domain names to access external resources, configure
the LNS IP address as the DNS server IP address on the virtual template interface.

5.1.6 Example for Establishing an L2TP Tunnel Between a Remote Dialup User and the
Headquarters Based on the Authentication Domain (Windows 7)

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-6, physical positions of traveling employees often change and they
need to communicate with the headquarters at any time. L2TP is deployed on the enterprise
network and traveling employees connect to the enterprise network through dialup so that the
headquarters gateway can identify and manage access users. In this example, the PC runs
Windows 7 operating system.

After an L2TP connection is set up, employees can only access internal resources. To ensure
that traveling employees can also access external resources after successful dialup, configure
NAT on the LNS.

Figure 5-6 Establishing an L2TP tunnel between a remote dialup user and the headquarters
based on the authentication domain
[Figure: traveling employee PC1 (202.1.2.1/24, running L2TP dialup software) connects over the Internet to the LNS at GE1/0/0 202.1.1.1/24; the L2TP tunnel terminates on VT1 192.168.1.1/24; enterprise headquarters PC2 192.168.2.2/24; DNS server 10.10.10.10/24]

Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT translation, and translate addresses allocated by L2TP using NAT.
 rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
 gateway-list 192.168.1.1
 network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
 authentication-scheme lmt
 domain huawei.com
  authentication-scheme lmt
 local-user 123456789@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user 123456789@huawei.com privilege level 0
 local-user 123456789@huawei.com service-type ppp
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
 nat outbound 2001 //Configure outbound NAT for Internet access.
#
interface Virtual-Template1 //Create a VT and set dialup parameters.
 ppp authentication-mode chap domain huawei.com //Configure authentication with domain names.
 remote address pool lns
 ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so that employees can access external resources using domain names.
 ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
 undo tunnel authentication //The non-authentication mode is recommended for PC dialup.
 allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return

Step 2 Configure Windows 7.


1. Modify the Windows registry and disable the digital certificate authentication function.
Choose Start > Run, enter regedit, and find the HKEY_LOCAL_MACHINE
\SYSTEM\CurrentControlSet\services\RasMan\Parameters directory. Right-click
Parameters and choose Create. In the dialog box that is displayed, click DWORD (32
bit) Value. In the dialog box that is displayed, set Value name to ProhibitIpSec and
Value data to 1. Restart the PC after modification is complete.

2. Create an L2TP network connection.


a. Choose Start > Run > Network and Sharing Center, click Set Up a Connection
or Network, choose Connect to a workplace, and click Next.

b. Click Use my Internet connection (VPN).

c. Set Internet address to 202.1.1.1 (the IP address of the LNS) and Destination
name such as L2TP. The destination name is used as the network connection name.
Select Don't connect now; just set it up so I can connect later and then click
Next.

d. Enter the user name 123456789@huawei.com and password Huawei@1234 and
click Create.
NOTE

You do not need to set the domain.

e. Click Close.

3. Set authentication parameters for the L2TP connection.


a. Choose Start > Run > Network and Sharing Center and click Connect to a
network. The created L2TP connection is displayed. Right-click L2TP and choose
Properties to set connection parameters.
You do not need to modify parameters on the General tab.

b. Select Display progress while connecting and Prompt for name and password,
certificate, etc. on the Options tab.
NOTE

Do not change the parameters that are displayed after you click PPP Settings.

c. On the Security tab, select Automatic or Layer 2 Tunneling Protocol with IPsec
for Type of VPN.
Select Unencrypted password [PAP], Challenge Handshake Authentication
Protocol [CHAP], and Microsoft CHAP Version 2 [MS-CHAP v2] in Allow
these protocols.
NOTE

If you click Advanced settings, a dialog box is displayed on which you can set the IPSec
pre-shared key. Do not set the IPSec pre-shared key here.

You do not need to modify settings on the Networking and Sharing tabs.
d. Choose Start > Run > Network and Sharing Center and click Connect to a
network. The created L2TP connection is displayed. Right-click L2TP, enter the
user name and password, and click Connect.

Step 3 Verify the configuration.


# After the configurations are complete, PC1 can obtain the private IP address 192.168.1.254,
communicate with the headquarters PC, and access external resources.

----End

Configuration Notes
- Because enterprise users use PCs to connect to the enterprise network, tunnel
authentication cannot be configured.
- Add the network segment where employees requiring Internet access are located to an
ACL and perform NAT.
- To ensure that employees can use domain names to access external resources, configure
the LNS IP address as the DNS server IP address on the virtual template interface.

5.1.7 Example for Establishing an L2TP Tunnel Between a Remote Dialup User and the
Headquarters Based on the Authentication Domain (VPN Client)

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-7, physical positions of traveling employees often change and they
need to communicate with the headquarters at any time. L2TP is deployed on the enterprise
network and traveling employees connect to the enterprise network through dialup so that the
headquarters gateway can identify and manage access users. In this example, the VPN client
is installed on the PC.

After an L2TP connection is set up, employees can only access internal resources. To ensure
that traveling employees can also access external resources after successful dialup, configure
NAT on the LNS.

Figure 5-7 Establishing an L2TP tunnel between a remote dialup user and the headquarters
based on the authentication domain
[Figure: traveling employee PC1 (202.1.2.1/24, running L2TP dialup software) connects over the Internet to the LNS at GE1/0/0 202.1.1.1/24; the L2TP tunnel terminates on VT1 192.168.1.1/24; enterprise headquarters PC2 192.168.2.2/24; DNS server 10.10.10.10/24]

Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT translation, and translate addresses allocated by L2TP using NAT.
 rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
 gateway-list 192.168.1.1
 network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
 authentication-scheme lmt
 domain huawei.com
  authentication-scheme lmt
 local-user 123456789@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user 123456789@huawei.com privilege level 0
 local-user 123456789@huawei.com service-type ppp
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
 nat outbound 2001 //Configure outbound NAT for Internet access.
#
interface Virtual-Template1 //Create a VT and set dialup parameters.
 ppp authentication-mode chap domain huawei.com //Configure the authentication mode and specify the domain name.
 remote address pool lns
 ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so that employees can access external resources using domain names.
 ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
 undo tunnel authentication //The non-authentication mode is recommended for PC dialup.
 allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return

Step 2 Configure the VPN client.


1. # Create an L2TP network connection.
a. Double-click HUAWEI VPN Client to start the program and then click New. The
New Connection Wizard page is displayed.

b. Select Create a new connection by inputting parameters and click Next.

c. Set LNS Server to 202.1.1.1, enter the user name and password, and click Next.

d. Set Authentication Mode to CHAP and click Next.
NOTE

If the tunnel name is required, set Tunnel Name.
If tunnel authentication is required, select Enable Tunnel Authentication and set Tunnel
Authentication Password.

e. Set The name is to the VPN connection name such as L2TP and click Finished.

2. Modify L2TP connection parameters.


a. After creating an L2TP connection, select the connection to be modified. L2TP is
taken as an example.
Select L2TP and click Property. The L2TP Properties page is displayed.

b. Click the Basic Settings tab page and modify the user name and password based on
the actual situation.

c. Do not modify the parameters on the L2TP Settings tab page if configurations on
the LNS are not modified. The parameters must be the same as those on the LNS.

d. In HUAWEI VPN Client, select the created L2TP and click Connect.

Step 3 Verify the configuration.

# After the configurations are complete, PC1 can obtain the private IP address 192.168.1.254,
communicate with the headquarters PC, and access external resources.

----End

Configuration Notes
- Add the network segment where employees requiring Internet access are located to an
ACL and perform NAT.
- To ensure that employees can use domain names to access external resources, configure
the LNS IP address as the DNS server IP address on the virtual template interface.

5.1.8 Example for Configuring L2TP over IPSec for Remote Dial-
Up Users to Traverse NAT Devices and Connect to the
Headquarters over the Internet

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-8, physical positions of traveling employees often change and they
need to communicate with the headquarters and access internal resources at any time. L2TP is
deployed on the enterprise network and traveling employees connect to the enterprise network
through dialup so that the headquarters gateway can identify and manage access users.

Traveling employees connect to the Internet through the NAT device. Traffic sent from
traveling employees to the headquarters needs to be encapsulated through IPSec to ensure
security. In addition, the LNS functions as the gateway and has the firewall service deployed.

NAT traversal in L2TP over IPSec can be configured to meet requirements. Because the L2TP
over IPSec configuration on the PC is complex, and settings such as the registry and services
need to be modified, Huawei dialup software Secoway VPN Client is used on the PC. You can
visit http://support.huawei.com to obtain the software version.

Figure 5-8 Networking of NAT traversal in L2TP over IPSec


[Figure: traveling employees PC2 and PC3 (running L2TP dialup software) sit behind NAT1 and NAT2 respectively and connect over the Internet to the LNS at GE1/0/0 202.1.1.1/24; the L2TP tunnel, protected by IPSec, terminates on VT1 192.168.1.1/24; enterprise headquarters PC1 192.168.2.2/24]

Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ike local-name xp //Use the local name for IKE negotiation. The local name must be used for NAT traversal in IPSec.
#
acl number 3001 //Configure an ACL.
 rule 5 permit udp destination-port eq 1701 //Permit L2TP packets (UDP port 1701).
 rule 10 permit udp destination-port eq 4500 //Permit IKE and ESP packets after NAT traversal in IPSec (UDP port 4500).
 rule 15 permit udp destination-port eq 500 //Permit IKE negotiation packets before NAT traversal in IPSec (UDP port 500).
#
ipsec proposal 1
 esp encryption-algorithm aes-256
#
ike peer xp v1
 exchange-mode aggressive //Configure the aggressive mode. NAT traversal can only be used in aggressive mode. In V200R005C00 and later versions, you do not need to perform this configuration.
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. In V200R003C00 and earlier versions this command is pre-shared-key huawei, and the password is displayed in plain text.
 local-id-type name //Set the local ID type to name in IKE negotiation.
 nat traversal //Enable NAT traversal. In V200R008 and later versions, the device supports NAT traversal by default, and this command is not supported.
#
ipsec policy-template xptemp 2 //Configure an IPSec policy template so that negotiation requests from multiple PCs can be processed.
 ike-peer xp
 proposal 1
#
ipsec policy xp 1 isakmp template xptemp //Reference the IPSec policy template in an IPSec policy.
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
 gateway-list 192.168.1.1
 network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
 local-user huawei password cipher
 local-user huawei privilege level 0
 local-user huawei service-type ppp
#
firewall zone untrust
 priority 1
#
firewall zone trust
 priority 15
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3001 inbound //Configure the firewall and enable packet filtering.
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
 ipsec policy xp //Bind the IPSec policy to the interface.
 zone untrust
#
interface Virtual-Template1 //Create a VT and set dialup parameters.
 ppp authentication-mode chap
 remote address pool lns
 ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set parameters for creating an L2TP tunnel.
 undo tunnel authentication //The non-authentication mode is recommended for PC dialup.
 allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return

Step 2 Configure a PC.


# Create an L2TP connection.
Double-click Secoway VPN Client and click New. The New Connection Wizard page is
displayed.

Select Create a new connection by inputting parameters and click Next.

Set LNS Server to 202.1.1.1, enter the user name and password, and click Next.

Select CHAP from the Authentication Mode drop-down list box, select Enable IPSec
Protocol, select Pre-Shared-Key, set Pre-shared-key to huawei (the pre-shared key must be
the same as that on the LNS), and click Next.

Select Use LNS Server Address and click Next.

Set IPSec and IKE attributes. Set ESP Authentication Algorithm to MD5 and ESP
Encryption Algorithm to AES-256. In IKE, set Authentication Algorithm to SHA-1,
Encryption Algorithm to DES-CBC, Negotiation Mode to Aggressive mode, ID Type to
Name, Local Gateway Name to a random value, and Remote Gateway Name to xp (the
value must be the same as the local name in IKE negotiation on the LNS), and click Next.

Enter the VPN connection name in The name is. The VPN connection name can be user-
defined. Here, the value is My connection. Then click Finished.

# Modify L2TP connection parameters.


Select the L2TP connection to be modified. Here, the L2TP connection My connection is
used as an example.

Select My connection and click Property. The My connection Properties page is displayed.

Click Basic Settings. Modify the user name and password according to the actual situation.

Parameters in L2TP Settings, IPSec Settings, IKE Settings, and Advanced are the same as
those on the LNS. If parameters on the LNS are not modified, parameters on these tab pages
do not need to be modified.

On the Secoway VPN Client page, select My connection and click Connect.

Step 3 Verify the configuration.

# After the configurations are complete, PC2 and PC3 can obtain private IP addresses and
communicate with PC1.

----End

Configuration Notes
Note the following points:
- Because enterprise users use PCs to connect to the enterprise network, tunnel
authentication cannot be configured.
- The settings on the dialup software and LNS must be the same; otherwise, IPSec and
L2TP tunnels may fail to be set up.
- A NAT device is deployed between enterprise users and the LNS, so the aggressive mode
must be used to implement NAT traversal. In addition, use names for IKE negotiation. In
V2R5C00, there is no such limitation.
- When the firewall service is deployed on the LNS, configure an ACL to permit UDP ports
1701, 4500, and 500 used by L2TP and IPSec.
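The following Python script is an added example and not part of the Huawei document or its tooling: it parses constructed excerpts of the LNS configurations from 5.1.6 and 5.1.8 (comments stripped; function and variable names are my own) and checks the conditions the Configuration Notes of those sections describe: tunnel authentication disabled for PC dialup, the NAT ACL covering the whole L2TP address pool, the firewall ACL permitting UDP 1701, 500 and 4500, and aggressive mode with name-type IDs whenever NAT traversal is enabled.

```python
import ipaddress
import re

# Constructed excerpts of the LNS configurations from 5.1.6 and 5.1.8
# (comments dropped, unrelated lines omitted, one leading space marks a sub-command).
LNS_5_1_6 = """\
acl number 2001
 rule 5 permit source 192.168.1.0 0.0.0.255
ip pool lns
 network 192.168.1.0 mask 255.255.255.0
interface GigabitEthernet1/0/0
 nat outbound 2001
l2tp-group 1
 undo tunnel authentication
"""

LNS_5_1_8 = """\
ike local-name xp
acl number 3001
 rule 5 permit udp destination-port eq 1701
 rule 10 permit udp destination-port eq 4500
 rule 15 permit udp destination-port eq 500
ike peer xp v1
 exchange-mode aggressive
 local-id-type name
 nat traversal
firewall interzone trust untrust
 firewall enable
 packet-filter 3001 inbound
"""

# UDP ports the Configuration Notes require the firewall to permit:
# 1701 (L2TP), 500 (IKE) and 4500 (IKE and ESP after NAT traversal).
REQUIRED_UDP_PORTS = {1701, 500, 4500}


def parse(config):
    """Map each top-level command to the list of its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections


def subcommands(sections, prefix):
    """Sub-commands of the first section whose header starts with prefix."""
    return next((c for h, c in sections.items() if h.startswith(prefix)), [])


def tunnel_auth_disabled(sections):
    """PC dialup clients cannot do tunnel authentication: every l2tp-group must disable it."""
    groups = [c for h, c in sections.items() if h.startswith("l2tp-group")]
    return bool(groups) and all("undo tunnel authentication" in c for c in groups)


def nat_acl_covers_pool(sections):
    """The ACL referenced by 'nat outbound' must cover the whole L2TP address pool."""
    nets = [re.match(r"network (\S+) mask (\S+)", c) for c in subcommands(sections, "ip pool")]
    nets = [ipaddress.ip_network(f"{m[1]}/{m[2]}") for m in nets if m]
    acls = [c.split()[2] for h, cmds in sections.items() if h.startswith("interface")
            for c in cmds if c.startswith("nat outbound ")]
    for acl in acls:
        for rule in subcommands(sections, f"acl number {acl}"):
            r = re.match(r"rule \d+ permit source (\S+) (\S+)", rule)
            # Huawei ACL wildcards are hostmasks, which ipaddress accepts directly.
            if r and nets and all(n.subnet_of(ipaddress.ip_network(f"{r[1]}/{r[2]}")) for n in nets):
                return True
    return False


def firewall_missing_ports(sections):
    """UDP ports an enabled inbound packet filter fails to permit (empty set means OK)."""
    missing = set()
    for header, cmds in sections.items():
        if not header.startswith("firewall interzone") or "firewall enable" not in cmds:
            continue
        for cmd in cmds:
            m = re.match(r"packet-filter (\d+) inbound", cmd)
            if not m:
                continue
            permitted = set()
            for rule in subcommands(sections, f"acl number {m[1]}"):
                r = re.match(r"rule \d+ permit udp destination-port eq (\d+)", rule)
                if r:
                    permitted.add(int(r[1]))
            missing |= REQUIRED_UDP_PORTS - permitted
    return missing


def nat_traversal_ready(sections):
    """With 'nat traversal' on an IKEv1 peer the example needs aggressive mode,
    name-type IDs and a global 'ike local-name' for the client to match."""
    peers = [c for h, c in sections.items() if h.startswith("ike peer") and "nat traversal" in c]
    return (bool(peers) and any(h.startswith("ike local-name") for h in sections)
            and all("exchange-mode aggressive" in c and "local-id-type name" in c for c in peers))
```

Run each check against `parse(config_text)`; a False result or a non-empty port set points at the Configuration Note that the displayed configuration would violate.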

5.1.9 Example for Configuring L2TP over IPSec for Remote Dial-
Up Users to Connect to the Headquarters

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-9, RouterA functions as the headquarters gateway. Traveling
employees use PC A to communicate with the headquarters through L2TP dialup. To ensure
security of traveling employees, the enterprise requires that an IPSec tunnel be set up between
the traveling employee's PC and headquarters gateway.
In this example, the PC runs Windows 7 operating system.

Figure 5-9 Networking for configuring L2TP over IPSec between a PC and a router

[Figure: traveling employee PC A 10.1.1.1/24 connects over the Internet through L2TP over IPSec to RouterA, the headquarters gateway acting as LNS, at GE1/0/0 200.1.1.1/24]

NOTE
A host-to-gateway IPSec tunnel is established between a traveling employee and the headquarters; therefore,
the IPSec tunnel is based on the transport mode.

Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
l2tp enable //Enable L2TP.
#
ipsec proposal prop //Configure an IPSec proposal.
 encapsulation-mode transport
#
ike proposal 5 //Configure an IKE proposal.
#
ike peer peer1 v1 //Configure an IKE peer.
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei, and the password is displayed in plain text.
 ike-proposal 5
#
ipsec policy-template temp1 10 //Configure an IPSec policy template.
 ike-peer peer1
 proposal prop
#
ipsec policy policy1 10 isakmp template temp1 //Configure an IPSec policy.
#
ip pool lns //Configure an IP address pool from which IP addresses are allocated to access PCs.
 gateway-list 192.168.1.1
 network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the local user name and service type on the LNS.
 local-user huawei password cipher
 local-user huawei privilege level 0
 local-user huawei service-type ppp
#
interface Virtual-Template1 //Configure the PPP authentication mode, the address pool for access users, and the IP address of the virtual template.
 ppp authentication-mode chap
 remote address pool lns
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 200.1.1.1 255.255.255.0
 ipsec policy policy1
#
l2tp-group 1 //Configure an L2TP group and set attributes.
 undo tunnel authentication
 allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.2 //Configure a static route.
#
return

Step 2 Configure PC A.

# Modify the Windows registry.

Choose Start > Run, and enter regedit to open the registry. Find
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters,
create DWORD named ProhibitIpSec with the value of 1, as shown in Figure 5-10, and then
restart the PC.

Figure 5-10 Creating DWORD

# Create an L2TP connection. Choose Start > Control Panel > Network and Internet >
Network and Sharing Center, and select Set up a new connection or network, as shown in
Figure 5-11.

Figure 5-11 Setting up a new connection or network

On the Set up a Connection or Network page shown in Figure 5-12, select Connect to a
workplace and click Next.

Figure 5-12 Set up a Connection or Network page

Select Use my Internet connection (VPN), as shown in Figure 5-13.

Figure 5-13 Connect to a Workplace page

Enter the Internet address (IP address of RouterA) and click Next, as shown in Figure 5-14.


Figure 5-14 Entering the Internet address

Enter the user name and password, as shown in Figure 5-15.


Figure 5-15 Entering the user name and password

# Create an IPSec policy.

Choose Control Panel > System and Security > Administrative Tools > Local Security Policy, and
select IP Security Policies on Local Computer.
Right-click IP Security Policies on Local Computer and choose Create IP Security Policy, as shown
in Figure 5-16. The IP Security Policy Wizard is displayed.


Figure 5-16 Creating an IPSec policy

Figure 5-17, Figure 5-18, Figure 5-19, and Figure 5-20 show how to create an IPSec policy.


Figure 5-17 Welcome to the IP Security Policy Wizard page

Figure 5-18 Editing the IP Security Policy Name page


Figure 5-19 Specifying the PC to respond to requests for secure communication


Figure 5-20 Completing the IP Security Policy Wizard page

On the IPSec Properties page shown in Figure 5-21, deselect Use Add Wizard and click
Add to add rules.


Figure 5-21 IPSec Properties page

# Set attributes of an IPSec policy.


1. Configure an IP filter list.
On the IP Filter List tab page shown in Figure 5-22, click Edit to edit an IP filter list.


Figure 5-22 Editing the New IP Filter List page

On the IP Filter List page shown in Figure 5-23, deselect Use Add Wizard and click
Add to add an IP filter list.


Figure 5-23 Adding an IP filter list

Configure IP filter attributes. On the Addresses tab page shown in Figure 5-24, select
My IP Address as the source address and A specific IP Address as the destination address,
enter the IP address of the headquarters gateway (RouterA, 200.1.1.1), and select Mirrored so
that the filter also matches the return traffic from RouterA to the PC.


Figure 5-24 Editing the Addresses tab page

On the Protocol tab page shown in Figure 5-25, select Any from the Select a protocol
type drop-down list box.


Figure 5-25 Editing the Protocol tab page

On the Description tab page shown in Figure 5-26, configure a description for the IP
filter.


Figure 5-26 Editing the Description tab page

Click OK. The IP Filter List page shown in Figure 5-27 is displayed.


Figure 5-27 IP Filter List page

Click OK. The New Rule Properties page shown in Figure 5-28 is displayed.


Figure 5-28 New Rule Properties page

2. Configure a filter action.


On the Filter Action tab page shown in Figure 5-29, click Edit.


Figure 5-29 Editing the Filter Action tab page

The New Filter Action Properties page shown in Figure 5-30 is displayed. Select Negotiate
security, select Accept unsecured communication, but always respond using IPSec, and click Add.
Do not select the option that allows fallback to unsecured communication if a secure connection
cannot be established; with it, the L2TP packets would be sent in clear text whenever IPSec
negotiation fails.


Figure 5-30 Editing the Filter Action Properties page

The Security Methods page shown in Figure 5-31 is displayed. Select Custom and
click Settings.


Figure 5-31 Editing the Security Methods page

The Custom Security Method Settings page shown in Figure 5-32 is displayed. Select Data
integrity and encryption (ESP), set the integrity and encryption algorithms, and configure the
session key lifetimes. The algorithms must match the IPSec proposal configured on RouterA;
otherwise negotiation of the IPSec SA fails.


Figure 5-32 Editing the Custom Security Method Settings page

Click OK until the Filter Action tab page is displayed.


NOTE

The MD5, SHA1, DES and 3DES algorithms have security risks; use them with caution. Do not select a
security method that provides no data integrity (authentication).
3. Configure authentication methods.
On the Authentication Methods tab page shown in Figure 5-33, click Edit.


Figure 5-33 Editing the Authentication Methods tab page

The Authentication Method Properties page shown in Figure 5-34 is displayed. Select
Use this string (preshared key) and enter the pre-shared key huawei. The key must be identical
to the pre-shared key configured for the IKE peer on RouterA.


Figure 5-34 Editing the Authentication Method Properties page

4. Configure an encapsulation mode.


On the Tunnel Setting tab page shown in Figure 5-35, select This rule does not specify
an IPsec tunnel. That is, the transport mode is used: IPSec protects the L2TP packets (UDP port
1701) exchanged between PC A and RouterA, and L2TP itself provides the tunnel.


Figure 5-35 Editing the Tunnel Setting tab page

5. Configure a connection mode.


On the Connection Type tab page shown in Figure 5-36, select All network
connections.


Figure 5-36 Editing the Connection Type tab page

6. Configure an IKE proposal.

Click Apply. The IPSec Properties page is displayed. Click the General tab and then click
Settings, as shown in Figure 5-37.


Figure 5-37 General tab page

On the Key Exchange Settings page, click Methods, as shown in Figure 5-38.


Figure 5-38 Editing the Key Exchange Settings page

On the Key Exchange Security Methods page, click Add, as shown in Figure 5-39.


Figure 5-39 Editing the Key Exchange Security Methods page

Add a key exchange security method whose integrity algorithm, encryption algorithm and Diffie-Hellman group match the IKE proposal on RouterA, and click OK, as shown in Figure 5-40.


Figure 5-40 Added key exchange methods

On the IPSec Properties page shown in Figure 5-41, click OK.


NOTE

The MD5, SHA1, DES and 3DES algorithms have security risks; use them with caution. Do not select a
key exchange security method that provides no data integrity (authentication).


Figure 5-41 Completing IPSec policy setting

# Apply the IPSec policy.


In IP Security Policies on Local Computer, right-click the configured IPSec policy and
click Assign, as shown in Figure 5-42. This applies the IPSec policy to the PC; an unassigned
policy has no effect.


Figure 5-42 Assigning the configured IPSec policy

In Connect to a network, select the configured L2TP connection. The page shown in Figure 5-43
is displayed. Enter the user name and password.


Figure 5-43 L2TP connection

Step 3 Verify the configuration.

# After the configurations are complete, PC A can ping RouterA successfully, and the data
exchanged between PC A and RouterA is encrypted. Run the display ipsec statistics esp
command on RouterA to view the ESP packet statistics; the counters increase while the ping is running.

# Run the display ike sa and display ipsec sa commands on RouterA to confirm that the IKE SA
and the IPSec SAs have been set up.

----End

Configuration Notes
The IPSec configuration on the PC is more complex than that on the router. The algorithms,
pre-shared key and encapsulation mode selected on the PC must match the IPSec configuration
on the router, so be familiar with the router configuration before configuring the PC.

5.1.10 Example for Configuring PPPoE Users Connected to the LAC to Establish an L2TP Tunnel to Communicate with the Headquarters

Specifications
This example applies to all AR models of V200R002C00 and later versions.


Networking Requirements
As shown in Figure 5-44, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
Users in a branch need to establish virtual private dial-up network (VPDN) connections with
the headquarters. Layer 2 Tunneling Protocol (L2TP) is deployed between the branch and the
headquarters. The branch has no dial-up network, and its gateway functions as a Point-to-
Point Protocol over Ethernet (PPPoE) server to allow Point-to-Point Protocol (PPP) dial-up
data to be transmitted over the Ethernet. The branch gateway also functions as an L2TP
access concentrator (LAC) to establish L2TP tunnels with the headquarters.
The gateway at the enterprise headquarters is configured as the L2TP network server (LNS) to
establish L2TP connections between the branch and headquarters.

Figure 5-44 Configuring PPPoE users connected to the LAC to establish an L2TP tunnel to
communicate with the headquarters
[Figure: in the enterprise branch, PC_1 (PPP terminal, PPPoE client) connects over PPPoE to
GE2/0/0 of the LAC (PPPoE server); LAC GE1/0/0 1.1.2.1/24 reaches LNS GE1/0/0 1.1.1.1/24 across
the Internet, with the L2TP tunnel between them; on the LNS, VT1 is 10.1.1.1/24 and GE2/0/0
10.1.2.1/24 connects to PC_2 10.1.2.2/24 in the headquarters.]

Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
aaa //Configure an L2TP user name and password.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
pppoe-server bind Virtual-Template 1
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac
start l2tp ip 1.1.1.1 fullusername huawei
#


ip route-static 1.1.1.1 255.255.255.255 1.1.2.2
#
return

Step 2 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip pool 1 //Create an IP address pool to allocate IP addresses to users.
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
aaa //Configure an L2TP user name and password.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp authentication-mode chap
remote address pool 1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
allow l2tp virtual-template 1 remote lac
tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
tunnel name lns
#
ip route-static 1.1.2.1 255.255.255.255 1.1.1.2
#
return

Step 3 Verify the configuration.


# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.
----End

Configuration Notes
• The LAC and LNS must use the same user name and password: the PPP user is authenticated
by CHAP twice, first on the LAC (which terminates PPPoE) and again on the LNS, so the same
local-user must exist on both devices.
• When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
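The double CHAP check behind the first note, as an added Python example that is not part of the Huawei document or of any Huawei software: the LAC challenges the PPPoE client and verifies the response against its own local-user table, then passes the same user name, identifier, challenge and response on to the LNS (the L2TP proxy-authentication AVPs carried in the ICCN message), and the LNS verifies them against its own table. Only the user name huawei comes from the page; the clear-text password and the challenge values are assumptions, because the page shows the password only in cipher form.

```python
import hashlib
import hmac
import os

USERNAME = "huawei"        # local-user configured on both LAC and LNS (from the page)
PASSWORD = "Huawei@123"    # assumption: the page shows only the cipher form


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_verify(users: dict, name: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: look the user up and recompute the expected response."""
    secret = users.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def l2tp_proxy_chap(client_password: str, lac_users: dict, lns_users: dict,
                    ident: int = 1, challenge: bytes = b"") -> dict:
    """Simulate PPPoE client -> LAC -> LNS authentication for one PPP session.

    The LAC authenticates the client itself, then forwards the same
    (name, identifier, challenge, response) to the LNS as proxy-authentication
    AVPs; the LNS can therefore only accept the session if it holds the same
    secret for the same user name.
    """
    challenge = challenge or os.urandom(16)   # random challenge unless the caller fixes one
    # 1. LAC -> client: CHAP Challenge; client -> LAC: CHAP Response (name + MD5 value)
    response = chap_response(ident, client_password, challenge)
    lac_ok = chap_verify(lac_users, USERNAME, ident, challenge, response)
    if not lac_ok:
        # The LAC drops the PPP session; no L2TP session is ever requested.
        return {"lac_ok": False, "lns_ok": False, "session_up": False}
    # 2. LAC -> LNS (ICCN): proxy authen name / ID / challenge / response, unchanged
    lns_ok = chap_verify(lns_users, USERNAME, ident, challenge, response)
    return {"lac_ok": True, "lns_ok": lns_ok, "session_up": lns_ok}


if __name__ == "__main__":
    same = {USERNAME: PASSWORD}
    print(l2tp_proxy_chap(PASSWORD, same, same))                  # session comes up
    print(l2tp_proxy_chap(PASSWORD, same, {USERNAME: "other"}))   # LNS rejects the session
```

Running the module prints one result with identical credentials on both devices (session_up True) and one where the LNS holds a different password: the LAC accepts the user but the LNS rejects the proxied response, which is the failure the note warns about. Because the LAC forwards the client's response unchanged, a mismatch on the LNS can never be compensated for on the LAC.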

5.1.11 Example for Configuring PPPoE Users Connected to the LAC to Establish an L2TP Tunnel to Access the RADIUS Server in the Headquarters
Specifications
This example applies to all AR models of V200R002C00 and later versions.


Networking Requirements
As shown in Figure 5-45, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
Users in a branch need to establish virtual private dial-up network (VPDN) connections with
the headquarters. Layer 2 Tunneling Protocol (L2TP) is deployed between the branch and the
headquarters. The branch has no dial-up network, and its gateway functions as a Point-to-
Point Protocol over Ethernet (PPPoE) server to allow Point-to-Point Protocol (PPP) dial-up
data to be transmitted over the Ethernet. The branch gateway also functions as an L2TP
access concentrator (LAC) to establish L2TP tunnels with the headquarters.
The gateway at the enterprise headquarters is configured as the L2TP network server (LNS) to
establish L2TP connections between the branch and headquarters. The RADIUS server in the
headquarters authenticates the users and allocates IP addresses to them.

Figure 5-45 Configuring PPPoE users connected to the LAC to establish an L2TP tunnel to
access the RADIUS server in the headquarters
[Figure: in the enterprise branch, PC_1 (PPP terminal, PPPoE client) connects over PPPoE to
GE2/0/0 of the LAC (PPPoE server); LAC GE1/0/0 1.1.2.1/24 reaches LNS GE1/0/0 1.1.1.1/24 across
the Internet, with the L2TP tunnel between them; on the LNS, VT1 is 10.1.1.1/24 and GE2/0/0
10.1.2.1/24 connects to the headquarters network with PC_2 10.1.2.2/24 and the RADIUS server
10.2.1.2/24.]

Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
aaa //Configure a user name and password.
local-user l2tp@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user l2tp@huawei.com privilege level 0
local-user l2tp@huawei.com service-type ppp
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp authentication-mode chap
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
pppoe-server bind Virtual-Template 1
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.


tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
start l2tp ip 1.1.1.1 fullusername l2tp@huawei.com //The user name must match the local-user above.
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2
#
return

Step 2 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip pool 1 //Create a global IP address pool.
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
radius-server template l2tp //Create a RADIUS server template.
radius-server shared-key cipher %^%#}'|y>s-'m)@%$\X7QgS"Bc5M$iWmV:4aXREv:/~P%^%#
radius-server authentication 10.2.1.2 1645 weight 80
#
aaa //Configure RADIUS authentication.
authentication-scheme l2tp
authentication-mode radius
domain huawei.com
authentication-scheme l2tp
radius-server l2tp
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp authentication-mode chap domain huawei.com
remote address pool 1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
allow l2tp virtual-template 1
tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
#
ip route-static 1.1.2.1 255.255.255.255 1.1.1.2
#
return

Step 3 Verify the configuration.


# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.

----End

Configuration Notes
• An L2TP group uses tunnel authentication by default, so the tunnel password must be the
same at both ends of the tunnel.
• When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
• You need to configure a static route destined for the RADIUS server on the LNS based
on actual needs. In this example, no static route is configured.
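The tunnel-level check behind the first note (and the undo tunnel authentication line in the Windows example earlier in this section), as an added Python example that is not part of the Huawei document: L2TP control-connection setup as specified in RFC 2661 section 5.1.1, where each side answers the other side's challenge with MD5 over the message type, the shared tunnel password and the challenge. The clear-text tunnel password and the challenge bytes are assumptions, since the page shows the password only in cipher form.

```python
import hashlib
import hmac
import os

SCCRQ, SCCRP, SCCCN = 1, 2, 3      # L2TP control message types (RFC 2661)

LAC_TUNNEL_PASSWORD = b"tunnel-secret"   # assumption: 'tunnel password' on the LAC
LNS_TUNNEL_PASSWORD = b"tunnel-secret"   # assumption: 'tunnel password' on the LNS


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 5.1.1: Challenge Response = MD5(msg_type (1 octet) || secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def l2tp_tunnel_setup(lac_secret: bytes, lns_secret: bytes, tunnel_auth: bool = True,
                      lac_challenge: bytes = b"", lns_challenge: bytes = b"") -> dict:
    """Three-way control-connection handshake SCCRQ -> SCCRP -> SCCCN.

    With tunnel authentication enabled each side proves knowledge of the tunnel
    password by answering the other side's challenge. With it disabled (the
    'undo tunnel authentication' case) no Challenge AVPs are exchanged, so any
    peer that can reach UDP/1701 on the LNS can bring a tunnel up.
    """
    if not tunnel_auth:
        return {"lac_accepts_lns": True, "lns_accepts_lac": True, "tunnel_up": True}
    lac_challenge = lac_challenge or os.urandom(16)
    lns_challenge = lns_challenge or os.urandom(16)
    # SCCRQ (LAC -> LNS) carries lac_challenge.
    # SCCRP (LNS -> LAC) carries lns_challenge plus the LNS's answer to lac_challenge.
    sccrp_answer = challenge_response(SCCRP, lns_secret, lac_challenge)
    lac_accepts_lns = hmac.compare_digest(
        sccrp_answer, challenge_response(SCCRP, lac_secret, lac_challenge))
    if not lac_accepts_lns:
        # The LAC sends StopCCN instead of SCCCN; the LNS never gets an answer to check.
        return {"lac_accepts_lns": False, "lns_accepts_lac": False, "tunnel_up": False}
    # SCCCN (LAC -> LNS) carries the LAC's answer to lns_challenge.
    scccn_answer = challenge_response(SCCCN, lac_secret, lns_challenge)
    lns_accepts_lac = hmac.compare_digest(
        scccn_answer, challenge_response(SCCCN, lns_secret, lns_challenge))
    return {"lac_accepts_lns": True, "lns_accepts_lac": lns_accepts_lac,
            "tunnel_up": lns_accepts_lac}


if __name__ == "__main__":
    print(l2tp_tunnel_setup(LAC_TUNNEL_PASSWORD, LNS_TUNNEL_PASSWORD))       # tunnel_up True
    print(l2tp_tunnel_setup(LAC_TUNNEL_PASSWORD, b"different"))              # LAC rejects LNS
    print(l2tp_tunnel_setup(LAC_TUNNEL_PASSWORD, b"different", tunnel_auth=False))
```

Both tunnel_up False cases stop before any session can be created. With tunnel_auth=False the handshake carries no Challenge AVPs at all, so the only thing standing between an arbitrary Internet host and the LNS is the PPP user authentication (or, as in the Windows example, the IPSec policy in front of L2TP).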


5.1.12 Example for Configuring the LAC to Establish an L2TP Tunnel to Communicate with the Headquarters Through Automatic Dial-up
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-46, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
The headquarters network provides VPDN services for the branch staff to allow them to
access the network of the headquarters. The LNS only authenticates the LAC. The LAC
automatically dials up to establish L2TP connections to the LNS.

Figure 5-46 Configuring the LAC to establish an L2TP tunnel to communicate with the
headquarters through automatic dial-up
[Figure: in the enterprise branch, PC_1 10.1.10.2/24 connects to GE2/0/0 10.1.10.1/24 of the
LAC; LAC GE1/0/0 1.1.2.1/24 reaches LNS GE1/0/0 1.1.1.1/24 across the Internet, with the L2TP
tunnel between them; on the LNS, VT1 is 10.1.1.1/24 and GE2/0/0 10.1.2.1/24 connects to PC_2
10.1.2.2/24 in the enterprise headquarters.]

Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user huawei
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.10.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac


start l2tp ip 1.1.1.1 fullusername huawei
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2
ip route-static 10.1.2.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip pool 1 //Create an IP address pool to allocate IP addresses to users.
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
aaa
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp authentication-mode chap
remote address pool 1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
allow l2tp virtual-template 1 remote lac
tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
tunnel name lns
#
ip route-static 1.1.2.1 255.255.255.255 1.1.1.2
ip route-static 10.1.10.0 255.255.255.0 Virtual-Template1
#
return

Step 3 Verify the configuration.


# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.

----End

Configuration Notes
• The LAC and LNS must use the same user name and password: the user name and password set
with ppp chap user and ppp chap password on VT1 of the LAC must match the local-user
configured on the LNS, because here the LAC itself is the PPP peer that the LNS authenticates.
• When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.


5.1.13 Example for Configuring the LAC to Establish an L2TP Tunnel to Communicate with the RADIUS Server in the Headquarters Through Automatic Dial-up
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-47, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
The headquarters network provides VPDN services for the branch staff to allow them to
access the network of the headquarters. The LNS only authenticates the LAC. The LAC
automatically dials up to establish L2TP connections to the LNS. The RADIUS server in the
headquarters authenticates the users and allocates IP addresses to them.

Figure 5-47 Configuring the LAC to establish an L2TP tunnel to communicate with the
RADIUS server in headquarters through automatic dial-up
[Figure: in the enterprise branch, PC_1 10.1.10.2/24 connects to GE2/0/0 10.1.10.1/24 of the
LAC; LAC GE1/0/0 1.1.2.1/24 reaches LNS GE1/0/0 1.1.1.1/24 across the Internet, with the L2TP
tunnel between them; on the LNS, VT1 is 10.1.1.1/24 and GE2/0/0 10.1.2.1/24 connects to the
enterprise headquarters network with PC_2 10.1.2.2/24 and the RADIUS server 10.2.1.2/24.]

Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user l2tp@huawei.com
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.10.1 255.255.255.0


#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
start l2tp ip 1.1.1.1 fullusername l2tp@huawei.com
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2
ip route-static 10.1.2.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip pool 1 //Create an IP address pool to allocate IP addresses to users.
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
radius-server template l2tp //Create a RADIUS server template.
radius-server shared-key cipher %^%#}'|y>s-'m)@%$\X7QgS"Bc5M$iWmV:4aXREv:/~P%^%#
radius-server authentication 10.2.1.2 1645 weight 80
#
aaa //Configure RADIUS authentication.
authentication-scheme l2tp
authentication-mode radius
domain huawei.com
authentication-scheme l2tp
radius-server l2tp
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp authentication-mode chap domain huawei.com
remote address pool 1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
allow l2tp virtual-template 1
tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
#
ip route-static 1.1.2.1 255.255.255.255 1.1.1.2
ip route-static 10.1.10.0 255.255.255.0 Virtual-Template1
#
return

Step 3 Verify the configuration.


# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.
----End

Configuration Notes
• An L2TP group uses tunnel authentication by default, so the tunnel password must be the
same at both ends of the tunnel.
• When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.


• You need to configure a static route destined for the RADIUS server on the LNS based
on actual needs. In this example, no static route is configured.
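The RADIUS exchange the LNS performs for each PPP user in this example and in 5.1.11, as an added Python example that is not part of the Huawei document: the LNS forwards the CHAP identifier, challenge and response in an Access-Request (CHAP-Password and CHAP-Challenge attributes, RFC 2865), the server recomputes the CHAP response from its user database, returns the allocated address as Framed-IP-Address, and signs the reply with a Response Authenticator that the LNS checks with its own shared key. The user name l2tp@huawei.com, the NAS address 1.1.1.1 and the server 10.2.1.2 port 1645 come from the page; the shared key, the user's password, the challenge and the address pool are assumptions (the page shows the key and password only in cipher form).

```python
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CHAP_CHALLENGE = 1, 3, 4, 8, 60

SHARED_KEY = b"radius-secret"                      # assumption: 'radius-server shared-key'
RADIUS_USERS = {"l2tp@huawei.com": "Huawei@123"}   # assumption: user database on 10.2.1.2
POOL = ["10.1.1.2", "10.1.1.3"]                    # assumption: addresses the server hands out


def encode_attrs(attrs):
    """Type-Length-Value attributes; Length covers the 2-byte header."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def lns_access_request(username, chap_id, challenge, chap_resp, ident=7, request_auth=b""):
    """What the LNS (NAS 1.1.1.1) sends to 10.2.1.2:1645 after the CHAP exchange on VT1."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (CHAP_PASSWORD, bytes([chap_id]) + chap_resp),   # CHAP Ident + 16-byte response
             (CHAP_CHALLENGE, challenge),
             (NAS_IP_ADDRESS, ipaddress.IPv4Address("1.1.1.1").packed)]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def radius_server(pkt, users, pool, secret):
    """Verify the CHAP response, allocate an address and sign the reply."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    pw = users.get(a[USER_NAME].decode())
    chap_id, chap_resp = a[CHAP_PASSWORD][0], a[CHAP_PASSWORD][1:]
    challenge = a.get(CHAP_CHALLENGE, req_auth)   # RFC 2865 5.3: RA doubles as challenge if absent
    ok = pw is not None and hmac.compare_digest(
        hashlib.md5(bytes([chap_id]) + pw.encode() + challenge).digest(), chap_resp)
    if ok:
        code, reply_attrs = ACCESS_ACCEPT, [(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(pool.pop(0)).packed)]
    else:
        code, reply_attrs = ACCESS_REJECT, []
    auth = response_authenticator(code, ident, req_auth, encode_attrs(reply_attrs), secret)
    return build_packet(code, ident, auth, reply_attrs)


def lns_check_reply(reply, request, secret):
    """LNS side: only a reply signed with the same shared key is trusted."""
    code, ident, resp_auth, attrs = parse_packet(reply)
    _, req_ident, req_auth, _ = parse_packet(request)
    expected = response_authenticator(code, ident, req_auth, reply[20:], secret)
    if ident != req_ident or not hmac.compare_digest(expected, resp_auth):
        return "bad-authenticator", None
    a = dict(attrs)
    ip = str(ipaddress.IPv4Address(a[FRAMED_IP_ADDRESS])) if FRAMED_IP_ADDRESS in a else None
    return ("accept" if code == ACCESS_ACCEPT else "reject"), ip


def demo(user_password="Huawei@123", server_key=SHARED_KEY, challenge=b"\x5a" * 16):
    """One PPP user logging in: (status seen by the LNS, address it will assign through IPCP)."""
    chap_id = 1
    chap_resp = hashlib.md5(bytes([chap_id]) + user_password.encode() + challenge).digest()
    req = lns_access_request("l2tp@huawei.com", chap_id, challenge, chap_resp)
    reply = radius_server(req, RADIUS_USERS, list(POOL), server_key)
    return lns_check_reply(reply, req, SHARED_KEY)


if __name__ == "__main__":
    print(demo())                        # ('accept', '10.1.1.2')
    print(demo(user_password="wrong"))   # ('reject', None)
    print(demo(server_key=b"other"))     # ('bad-authenticator', None)
```

The third call shows what a mismatched radius-server shared-key looks like from the LNS: the server may even accept the user, but the LNS discards the reply because the Response Authenticator does not verify, so the PPP user is never assigned an address. The CHAP response itself never depends on the shared key; the key only protects the RADIUS packets between the LNS and the server.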

5.1.14 Example for Configuring Multiple L2TP Instances to Implement Communication Between the Headquarters and Branches
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-48, many enterprises use the same LNS, and users from different
enterprises connect to LAC_1 and LAC_2 to communicate with their own headquarters sites.
It is required that multiple L2TP instances be configured on the LNS to enable the LNS to
provide the L2TP access service to LAC_1 and LAC_2 simultaneously, allowing enterprise
users to access their own internal networks.

Figure 5-48 Configuring multiple L2TP instances to implement communication between the
headquarters and branches
[Figure: Enterprise A branch: PC_1 10.1.9.2/24 connects to GE2/0/0 10.1.9.1/24 of LAC_1, whose
GE1/0/0 is 1.1.2.1/24. Enterprise B branch: PC_2 10.1.10.2/24 connects to GE2/0/0 10.1.10.1/24
of LAC_2, whose GE1/0/0 is 1.1.3.1/24. Both LACs reach LNS GE1/0/0 1.1.1.1/24 across the
Internet. The LAC_1-LNS L2TP tunnel terminates on VT1 10.1.1.1/24, and LNS GE2/0/0 10.1.2.1/24
connects to the Enterprise A headquarters site with PC_3 10.1.2.2/24. The LAC_2-LNS L2TP tunnel
terminates on VT2 10.2.1.1/24, and LNS GE3/0/0 10.1.3.1/24 connects to the Enterprise B
headquarters site with PC_4.]

Procedure
Step 1 Configure LAC_1.
#
sysname LAC_1
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user l2tp1
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@


ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.9.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac_1
start l2tp ip 1.1.1.1 fullusername l2tp1
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2 //Configure a static route.
ip route-static 10.1.2.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure LAC_2.


#
sysname LAC_2
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user l2tp2
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.3.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.10.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac_2
start l2tp ip 1.1.1.1 fullusername l2tp2
#
ip route-static 1.1.1.1 255.255.255.255 1.1.3.2 //Configure a static route.
ip route-static 10.1.3.0 255.255.255.0 Virtual-Template1
#
return

Step 3 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip vpn-instance vpn1 //Configure VPN instance VPN1.
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2 //Configure VPN instance VPN2.
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
#
ip pool 1 //Create an IP address pool to allocate IP addresses to users.
vpn-instance vpn1
gateway-list 10.1.1.1

network 10.1.1.0 mask 255.255.255.0
#
ip pool 2
vpn-instance vpn2
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
aaa //Create a local user in the AAA view.
local-user l2tp1 password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user l2tp1 privilege level 0
local-user l2tp1 service-type ppp
local-user l2tp2 password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user l2tp2 privilege level 0
local-user l2tp2 service-type ppp
#
interface Virtual-Template1 //Create virtual tunnel template 1 and set dialup parameters.
ppp authentication-mode chap
remote address pool 1
ip binding vpn-instance vpn1
ip address 10.1.1.1 255.255.255.0
#
interface Virtual-Template2 //Create virtual tunnel template 2 and set dialup parameters.
ppp authentication-mode chap
remote address pool 2
ip binding vpn-instance vpn2
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpn2
ip address 10.1.3.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
allow l2tp virtual-template 1 remote lac_1
tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
tunnel name lns
#
l2tp-group 2 //Create an L2TP group and set L2TP connection parameters.
allow l2tp virtual-template 2 remote lac_2
tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
tunnel name lns
#
ip route-static 1.1.2.1 255.255.255.255 1.1.1.2 //Configure static routes.
ip route-static 1.1.3.1 255.255.255.255 1.1.1.2
ip route-static 10.1.9.0 255.255.255.0 Virtual-Template1
ip route-static 10.1.10.0 255.255.255.0 Virtual-Template2
#
return

Step 4 Verify the configuration.


# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.

----End

Configuration Notes
l The LAC and LNS must use the same user name and password.
l If the L2TP group ID is 1, you do not need to specify the remote tunnel name, and the
LNS accepts the L2TP connection request initiated by any LAC. If the L2TP group ID is
not 1, you must specify the tunnel name for the remote LAC.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.

5.1.15 Example for Configuring Multiple L2TP Instances to Implement Communication Between Branches and the RADIUS Server in the Headquarters

Applicability
This example applies to all AR models of V200R007C00 versions.

Networking Requirements
As shown in Figure 5-49, an enterprise has some branches located in other cities and the
branches connect to the same L2TP network server (LNS). Branches A, B, and C
communicate with the headquarters through LAC1, LAC2, and LAC3, respectively.
It is required that multiple L2TP instances be configured on the LNS to enable the LNS to
provide the L2TP access service to LAC1, LAC2, and LAC3 simultaneously, allowing users
of enterprise branches to access the internal network of the enterprise. Users in the same VPN
can communicate with each other. The RADIUS server in the headquarters authenticates
users, delivers VPN instances, and assigns IP addresses to users.

Figure 5-49 Configuring the LACs to establish an L2TP tunnel to implement communication
between the headquarters and branches through automatic dial-up
[Network diagram: branch A (LAC1: GE1/0/0 1.1.1.1/24, GE2/0/0 10.1.1.1/24, PC_1; VPN1), branch B (LAC2: GE1/0/0 2.2.2.2/24, GE2/0/0 10.2.2.1/24, PC_2; VPN1) and branch C (LAC3: GE1/0/0 3.3.3.3/24, GE2/0/0 10.3.3.1/24, PC_3; VPN2) each establish an L2TP tunnel over the Internet to the headquarters LNS (GE1/0/0 1.2.1.1/24, GE2/0/0 2.2.1.1/24, GE3/0/0 3.2.1.1/24, VT1 10.10.1.1/24). Headquarters hosts: PC_4 10.4.4.4/24 in VPN1 and PC_5 10.5.5.5/24 in VPN2.]

Procedure
Step 1 Configure LAC1.
#
sysname LAC1
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual interface template and configure dial-up parameters.
ppp chap user lac1@huawei.com
ppp chap password cipher %^%#U>upTZ}mQM:rhRL:4;s$,(xf%^%#
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
tunnel password cipher %^%#/-#)Lg[S4F:#2~ZNvqa$]\DL%^%#
tunnel name lac1
start l2tp ip 1.2.1.1 fullusername lac1@huawei.com
#
ip route-static 1.2.1.0 255.255.255.0 1.1.1.2
ip route-static 10.4.4.0 255.255.255.0 Virtual-Template1

#
return

Step 2 Configure LAC2.


#
sysname LAC2
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual interface template and configure dial-up parameters.
ppp chap user lac2@huawei.com
ppp chap password cipher %^%#U>upTZ}mQM:rhRL:4;s$,(xf%^%#
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.2.2.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
tunnel password cipher %^%#/-#)Lg[S4F:#2~ZNvqa$]\DL%^%#
tunnel name lac2
start l2tp ip 2.2.1.1 fullusername lac2@huawei.com
#
ip route-static 2.2.1.0 255.255.255.0 2.2.2.3
ip route-static 10.4.4.0 255.255.255.0 Virtual-Template1
#
return

Step 3 Configure LAC3.


#
sysname LAC3
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual interface template and configure dial-up parameters.
ppp chap user lac3@huawei.com
ppp chap password cipher %^%#U>upTZ}mQM:rhRL:4;s$,(xf%^%#
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 3.3.3.3 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.3.3.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
tunnel password cipher %^%#/-#)Lg[S4F:#2~ZNvqa$]\DL%^%#
tunnel name lac3
start l2tp ip 3.2.1.1 fullusername lac3@huawei.com
#
ip route-static 3.2.1.0 255.255.255.0 3.3.3.4
ip route-static 10.5.5.0 255.255.255.0 Virtual-Template1
#
return

Step 4 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip vpn-instance vpn1 //Configure the VPN instance VPN1.
ipv4-family

route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2 //Configure the VPN instance VPN2.
ipv4-family
route-distinguisher 300:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
#
ip pool 1 //Create an IP address pool and assign IP addresses to access users.
gateway-list 10.10.1.1
network 10.10.1.0 mask 255.255.255.0
#
radius-server template l2tp //Create a RADIUS server template.
radius-server shared-key cipher %^%#}'|y>s-'m)@%$\X7QgS"Bc5M$iWmV:4aXREv:/~P%^%#
radius-server authentication 10.10.10.1 1645 weight 80
#
aaa //Set the AAA mode to RADIUS.
authentication-scheme l2tp
authentication-mode radius
domain huawei.com
authentication-scheme l2tp
radius-server l2tp
#
interface Virtual-Template1 //Create a virtual interface template and configure dial-up parameters.
ppp authentication-mode chap domain huawei.com
remote address pool 1
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.2.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 2.2.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 3.2.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
allow l2tp virtual-template 1
tunnel password cipher %^%#EB~j7Je>;@>uNr''D=J<]\WL%^%#
tunnel name lns
#
ip route-static 1.1.1.0 255.255.255.0 1.2.1.2 //Configure static routes to the public network segments of the LACs.
ip route-static 2.2.2.0 255.255.255.0 2.2.1.2
ip route-static 3.3.3.0 255.255.255.0 3.2.1.2
ip route-static vpn-instance vpn1 10.1.1.0 255.255.255.0 10.10.1.100 //Assume that the IP address assigned by the RADIUS server to the user on LAC1 is 10.10.1.100.
ip route-static vpn-instance vpn1 10.2.2.0 255.255.255.0 10.10.1.101 //Assume that the IP address assigned by the RADIUS server to the user on LAC2 is 10.10.1.101.
ip route-static vpn-instance vpn2 10.3.3.0 255.255.255.0 10.10.1.102 //Assume that the IP address assigned by the RADIUS server to the user on LAC3 is 10.10.1.102.
#
return

Step 5 Verify the configuration.

# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.

# PC_1, PC_2, and PC_4 can ping each other. PC_3 and PC_5 can ping each other.

----End

Configuration Notes
l An L2TP group uses tunnel authentication by default and passwords at both ends of the
tunnel must be the same.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
l You need to configure a static route destined for the RADIUS server on the LNS based
on actual needs. In this example, no static route is configured.
l You need to configure the IP address assigned to the VT interfaces on the LACs on the
RADIUS server. In this example, no IP address is configured.

5.1.16 Example for Configuring the LAC Using a 3G Interface to Establish an L2TP Tunnel to Communicate with the Headquarters Through Automatic Dial-up

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-50, an enterprise has branches in other cities. Each branch has an
Ethernet LAN and a deployed gateway that uses a 3G cellular interface to connect to the
Internet through the WCDMA network.

The headquarters provides VPDN services for the branch staff to allow any staff to access the
network of the headquarters. The LNS only authenticates the LAC. The LAC automatically
dials up to establish L2TP connections to the LNS.

Figure 5-50 Configuring the LAC using a 3G interface to establish an L2TP tunnel to
communicate with the headquarters through automatic dial-up
[Network diagram: the branch LAN (PC 10.1.1.2/24) connects to the LAC (GE1/0/0 10.1.1.1/24), whose Cellular0/0/0 reaches the Internet through a 3G Node B. An L2TP tunnel runs from the LAC (VT1 3.1.1.2/24) to the LNS (GE2/0/0 2.1.1.1/24, VT1 3.1.1.1/24); the LNS connects to the enterprise headquarters through GE1/0/0 10.1.0.1/24, where the server is 10.1.0.2/24.]

Procedure
Step 1 Configure the LAC.

#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user huawei
ppp chap password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
ip address 3.1.1.2 255.255.255.0
l2tp-auto-client enable
#
interface Cellular0/0/0 //Configure the 3G interface.
link-protocol ppp
ip address ppp-negotiate //Obtain an IP address from the carrier. The interface uses this address to connect to the public network.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add the interface to dialer group 1. The group ID must be the same as that in the dialer ACL.
apn-profile 3GNET
dialer timer autodial 60 //Dial up automatically at an interval of 60s.
dialer number *99# autodial //Dial up automatically using the dialer number *99#.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@d'o6Xpp(i/i:WRC)`'0#3nJ*%@%@
tunnel name LAC
start l2tp ip 2.1.1.1 fullusername huawei
#
dialer-rule //Create a dialer ACL.
dialer-rule 1 ip permit
#
apn profile 3GNET
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 //Create a static route.
ip route-static 10.1.0.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip pool 1 //Create an IP address pool to allocate IP addresses to users.
gateway-list 3.1.1.1
network 3.1.1.0 mask 255.255.255.0
#
aaa //Configure an L2TP user name and password.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp authentication-mode chap
remote address pool 1
ip address 3.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.1.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0

ip address 2.1.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
allow l2tp virtual-template 1 remote LAC
tunnel password cipher %@%@5j*=S&AGXK'J}kG])REK]_-o%@%@
tunnel name LNS
#
ip route-static 0.0.0.0 0.0.0.0 2.1.1.2 //Create a static route.
ip route-static 10.1.1.0 255.255.255.0 Virtual-Template1
#
return

Step 3 Verify the configuration.


# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.

----End

Configuration Notes
l The LAC and LNS must use the same user name and password.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.

5.1.17 Example for Configuring the LAC Using a 4G Interface to Establish an L2TP Tunnel to Communicate with the Headquarters Through Automatic Dial-up

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-51, an enterprise has branches in other cities. Each branch has an
Ethernet LAN and a deployed gateway that uses a 4G cellular interface to connect to the
Internet through the Long Term Evolution (LTE) network.
The headquarters provides VPDN services for the branch staff to allow any staff to access the
network of the headquarters. The LNS only authenticates the LAC. The LAC automatically
dials up to establish L2TP connections to the LNS.

Figure 5-51 Configuring the LAC using a 4G interface to establish an L2TP tunnel to
communicate with the headquarters through automatic dial-up
[Network diagram: the branch LAN (PC 10.1.1.2/24) connects to the LAC (GE1/0/0 10.1.1.1/24), whose Cellular0/0/0 reaches the Internet over LTE. An L2TP tunnel runs from the LAC to the LNS (GE2/0/0 2.1.1.1/24, VT1 3.1.1.1/24); the LNS connects to the enterprise headquarters through GE1/0/0 10.1.0.1/24, where the server is 10.1.0.2/24.]

Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user huawei
ppp chap password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Cellular0/0/0 //Configure the 4G interface.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add the interface to dialer group 1. The group ID must be the same as that in the dialer ACL.
apn-profile lteprofile
dialer number *99# autodial //Dial up automatically using the dialer number *99#.
ip address negotiate //Obtain an IP address from the carrier. The interface uses this address to connect to the public network.
#
dialer-rule //Create a dialer ACL.
dialer-rule 1 ip permit
#
apn profile lteprofile
apn ltenet
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@d'o6Xpp(i/i:WRC)`'0#3nJ*%@%@
tunnel name LAC
start l2tp ip 2.1.1.1 fullusername huawei
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 //Create a static route.
ip route-static 10.1.0.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip pool 1 //Create an IP address pool to allocate IP addresses to users.
gateway-list 3.1.1.1
network 3.1.1.0 mask 255.255.255.0
#
aaa //Configure an L2TP user name and password.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp authentication-mode chap
remote address pool 1
ip address 3.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.1.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 2.1.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
allow l2tp virtual-template 1 remote LAC
tunnel password cipher %@%@5j*=S&AGXK'J}kG])REK]_-o%@%@
tunnel name LNS
#
ip route-static 0.0.0.0 0.0.0.0 2.1.1.2 //Create a static route.
ip route-static 10.1.1.0 255.255.255.0 Virtual-Template1
#
return

Step 3 Verify the configuration.


# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.
----End

Configuration Notes
l The LAC and LNS must use the same user name and password.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
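
An audit script, added here as an example and not part of Huawei's documentation, that checks a LAC configuration against its LNS for the rules listed in the Configuration Notes of 5.1.14 to 5.1.17: the dialled LNS address exists on the LNS, the user name is the same on both ends and is a PPP user on the LNS, the LAC's tunnel name is accepted by an LNS L2TP group (group 1 accepts any LAC, other groups only the LAC they name), and the LAC's route to the headquarters segment exits via Virtual-Template1. The sample input is the LAC/LNS pair of 5.1.17 with the cipher text replaced by a placeholder, plus a constructed faulty LAC; the parser understands only the subset of VRP syntax shown on this page.

```python
import ipaddress
import re
# Constructed input: the LAC and LNS of example 5.1.17, cut down to the lines the
# checks read; "<cipher>" stands in for the encrypted passwords printed on the page.
LAC_OK = """\
interface Virtual-Template1
 ppp chap user huawei
 ppp chap password cipher <cipher>
l2tp-group 1
 tunnel name LAC
 start l2tp ip 2.1.1.1 fullusername huawei
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0
ip route-static 10.1.0.0 255.255.255.0 Virtual-Template1
"""
LNS = """\
aaa
 local-user huawei password cipher <cipher>
 local-user huawei service-type ppp
interface Virtual-Template1
 ppp authentication-mode chap
 ip address 3.1.1.1 255.255.255.0
interface GigabitEthernet2/0/0
 ip address 2.1.1.1 255.255.255.0
l2tp-group 1
 allow l2tp virtual-template 1 remote LAC
 tunnel name LNS
"""
# Constructed faulty variant: tunnel name differs from the LNS "remote LAC" entry, and the route to headquarters leaves via the cellular link.
LAC_BAD = LAC_OK.replace("tunnel name LAC", "tunnel name branch").replace(
    "255.255.255.0 Virtual-Template1", "255.255.255.0 Cellular0/0/0")

def parse(text):
    """Split VRP-style config into (header, [indented lines]) sections;
    '#' separators, 'return' and trailing '//' comments are dropped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].rstrip()
        if not line.strip() or line.strip() in ("#", "return"):
            continue
        if line.startswith(" "):
            sections[-1][1].append(line.strip())
        else:
            sections.append((line, []))
    return sections

def body(cfg, prefix):
    # Indented lines of the first section whose header starts with prefix.
    return next((b for h, b in cfg if h.startswith(prefix)), [])

def value_after(lines, prefix):
    # Remainder of the first line starting with prefix, or None.
    return next((l[len(prefix):] for l in lines if l.startswith(prefix)), None)

def accepting_group(lns, lac_name):
    """Rule from the notes of 5.1.14: an LNS group whose 'allow l2tp' line names
    this LAC as remote accepts it; otherwise only group 1 without a remote name does."""
    fallback = None
    for header, lines in lns:
        if not header.startswith("l2tp-group "):
            continue
        m = re.search(r" remote (\S+)$", value_after(lines, "allow l2tp ") or "")
        if m and m.group(1) == lac_name:
            return header
        if header == "l2tp-group 1" and not m:
            fallback = header
    return fallback

def hq_route_exit(lac, hq_segment):
    """Outbound interface or next hop of the LAC static route to hq_segment."""
    want = ipaddress.ip_network(hq_segment)
    for header, _ in lac:
        m = re.match(r"ip route-static (\d[\d.]*) (\d[\d.]*) (\S+)$", header)
        if m and ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False) == want:
            return m.group(3)
    return None

def check_pair(lac_text, lns_text, hq_segment):
    """Return the violated rules as strings; an empty list means the pair is consistent."""
    lac, lns = parse(lac_text), parse(lns_text)
    group, vt = body(lac, "l2tp-group "), body(lac, "interface Virtual-Template1")
    start = re.match(r"ip (\S+) fullusername (\S+)$", value_after(group, "start l2tp ") or "")
    if not start:
        return ["LAC L2TP group has no 'start l2tp ip ... fullusername ...' line"]
    lns_ip, user = start.groups()
    problems = []
    lns_addrs = {value_after(b, "ip address ").split()[0]
                 for h, b in lns if h.startswith("interface ") and value_after(b, "ip address ")}
    if lns_ip not in lns_addrs:
        problems.append(f"LNS has no interface with the dialled address {lns_ip}")
    if value_after(vt, "ppp chap user ") != user:
        problems.append(f"LAC CHAP user differs from fullusername {user!r}")
    # Local PPP user as in 5.1.14/5.1.16/5.1.17; a RADIUS domain (5.1.15) needs its own check.
    if f"local-user {user} service-type ppp" not in body(lns, "aaa"):
        problems.append(f"LNS has no local PPP user {user!r}")
    lac_name = value_after(group, "tunnel name ")
    if accepting_group(lns, lac_name) is None:
        problems.append(f"no LNS L2TP group accepts tunnel name {lac_name!r}")
    via = hq_route_exit(lac, hq_segment)
    if via != "Virtual-Template1":
        problems.append(f"LAC route to {hq_segment} exits via {via}, not Virtual-Template1")
    return problems
```

Tunnel passwords are stored in cipher form on both devices, so the "same password at both ends" rule cannot be verified from the configuration text alone; the script leaves it out.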

5.2 GRE
5.2.1 Example for Configuring a GRE Tunnel and Static Routes on the Tunnel to Implement Interworking

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 5-52, RouterA, RouterB, and RouterC are on the VPN backbone
network. OSPF runs among the routers.

GRE is used between RouterA and RouterC to allow communication between PC1 and PC2.

PC1 and PC2 use RouterA and RouterC respectively as their default gateways.

Figure 5-52 Configuring a static route for GRE
[Network diagram: PC1 10.1.1.1/24 connects to RouterA (GE2/0/0 10.1.1.2/24, GE1/0/0 20.1.1.1/24); RouterA links to RouterB (GE1/0/0 20.1.1.2/24, GE2/0/0 30.1.1.1/24), which links to RouterC (GE1/0/0 30.1.1.2/24, GE2/0/0 10.2.1.2/24); PC2 10.2.1.1/24 connects to RouterC. A GRE tunnel between RouterA Tunnel0/0/1 10.3.1.1/24 and RouterC Tunnel0/0/1 10.3.1.2/24 crosses RouterB.]

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0 //Configure the WAN-side outbound interface.
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure the LAN-side outbound interface.
ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface. The source and destination IP addresses of the tunnel interface are the IP addresses of the outbound and inbound interfaces respectively.
ip address 10.3.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1 //Configure a public route.
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1 //Configure a static route with the next hop as the tunnel interface.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
ospf 1 //Configure a public route.
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
interface GigabitEthernet1/0/0 //Configure the WAN-side outbound interface.
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure the LAN-side outbound interface.
ip address 10.2.1.2 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface. The source and destination IP addresses of the tunnel interface are the IP addresses of the outbound and inbound interfaces respectively.
ip address 10.3.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ospf 1 //Configure a public route.
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1 //Configure a static route with the next hop as the tunnel interface.
#
return

Step 4 Verify the configuration.


# Run the display ip routing-table command on RouterA and RouterC. The command output
shows that the outbound interface for packets destined to the peer destination address is a
tunnel interface.
# PC1 and PC2 can successfully ping each other.

----End

Configuration Notes
l Both ends must be configured with routes to private network segments, with the
outbound interface as the tunnel interface.
l The source address is the IP address of the interface sending packets, and the destination
address is the IP address of the interface receiving packets.
l The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.

5.2.2 Example for Configuring a GRE Tunnel and OSPF on the Tunnel to Implement Interworking

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 5-53, RouterA, RouterB, and RouterC are on the VPN backbone
network. OSPF runs among the routers.
GRE is used between RouterA and RouterC to allow communication between PC1 and PC2.
PC1 and PC2 use RouterA and RouterC respectively as their default gateways.
OSPF is enabled on the tunnel interfaces. OSPF process 1 is used for the VPN backbone
network and OSPF process 2 is used for user access.

Figure 5-53 Using a dynamic routing protocol for GRE
[Network diagram: PC1 10.1.1.1/24 connects to RouterA (GE2/0/0 10.1.1.2/24, GE1/0/0 20.1.1.1/24); RouterA links to RouterB (GE1/0/0 20.1.1.2/24, GE2/0/0 30.1.1.1/24), which links to RouterC (GE1/0/0 30.1.1.2/24, GE2/0/0 10.2.1.2/24); PC2 10.2.1.1/24 connects to RouterC. OSPF 1 runs on the backbone links; OSPF 2 runs over the GRE tunnel between RouterA Tunnel0/0/1 10.3.1.1/24 and RouterC Tunnel0/0/1 10.3.1.2/24.]

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0 //Configure the WAN-side outbound interface.
ip address 20.1.1.1 255.255.255.0
#

interface GigabitEthernet2/0/0 //Configure the LAN-side outbound interface.
ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface. The source and destination IP addresses of the tunnel interface are the IP addresses of the outbound and inbound interfaces respectively.
ip address 10.3.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1 //Configure a public network route.
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ospf 2 //Configure private network routes.
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
ospf 1 //Configure a public route.
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
interface GigabitEthernet1/0/0 //Configure the WAN-side outbound interface.
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure the LAN-side outbound interface.
ip address 10.2.1.2 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface. The source and destination IP addresses of the tunnel interface are the IP addresses of the outbound and inbound interfaces respectively.
ip address 10.3.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ospf 1 //Configure a public network route.
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ospf 2 //Configure private network routes.
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return

Step 4 Verify the configuration.

# Run the display ip routing-table command on RouterA and RouterC. The command output
shows that the outbound interface for packets destined to the peer destination address is a
tunnel interface.

# PC1 and PC2 can successfully ping each other.

----End

Configuration Notes
l Both ends must be configured with routes to private network segments.
l The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.

5.2.3 Example for Configuring GRE over GRE to Implement Data Encryption

Specifications
This example applies to all AR models of V200R006C10 and later versions.

Networking Requirements
As shown in Figure 5-54, PE0 is the headquarters gateway of a bank, while PE1 and PE2 are
the bank's branch gateways. PE1 communicates with PE0 over a carrier network; PE2
communicates with PE1 over a private network; however, PE0 cannot communicate with
PE2. The bank requires data encryption over the public network as well as the private
network; therefore, GRE over GRE can be deployed in the headquarters to implement secure
communication among PE0, PE1, and PE2. After GRE over GRE is configured, data between
PE0 and PE1 is transmitted over the GRE tunnel, and data between PE0 and PE2 is
transmitted over the GRE over GRE tunnel along the carrier network.
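
The nested forwarding just described, modelled in Python as an added example (not Huawei code): PE0's static routes and tunnel endpoints are those configured on PE0 in Step 1 of the procedure, a headquarters host sends a packet to a branch 2 host, and the model shows the two GRE layers the packet acquires before it leaves GigabitEthernet1/0/0, then peels them off again. The host addresses 10.1.2.10 and 10.1.3.10, the ICMP payload and the connected route for GigabitEthernet1/0/0 are constructed; the unwrap step reads every header without any key, because GRE encapsulates but does not encrypt, so confidentiality on the carrier network needs a cryptographic layer such as IPSec on top of the tunnels.

```python
import ipaddress
import struct

IPPROTO_GRE = 47
ETH_P_IP = 0x0800

# PE0's forwarding state, taken from Step 1 of the procedure. The last ROUTES entry
# is the connected subnet of GigabitEthernet1/0/0, which the router derives itself.
ROUTES = [
    ("10.3.5.1/32", "Tunnel0/0/100"),
    ("10.1.3.0/24", "Tunnel0/0/101"),
    ("10.1.5.0/24", "GigabitEthernet1/0/0"),
]
TUNNELS = {  # tunnel interface -> (source, destination) of its GRE endpoints
    "Tunnel0/0/100": ("10.1.5.1", "10.1.5.2"),
    "Tunnel0/0/101": ("10.2.5.1", "10.3.5.1"),
}


def lookup(dst):
    """Longest-prefix match over ROUTES; returns the outbound interface or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header: no options, TTL 64, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def gre_header(proto=ETH_P_IP):
    """4-byte GRE header (RFC 2784 base form): flags 0, protocol type IPv4."""
    return struct.pack("!HH", 0, proto)


def forward(packet, dst):
    """Encapsulate as PE0 would: every tunnel hop wraps the packet in GRE + IPv4
    and re-resolves the new outer destination, until a physical interface is hit.
    Returns (egress interface, tunnel interfaces traversed, packet on the wire)."""
    hops, iface = [], lookup(dst)
    while iface in TUNNELS:
        if len(hops) > 8:  # guard against a tunnel route that resolves to itself
            raise RuntimeError("recursive tunnel routing loop")
        src, dst = TUNNELS[iface]
        packet = gre_header() + packet
        packet = ipv4_header(src, dst, IPPROTO_GRE, len(packet)) + packet
        hops.append(iface)
        iface = lookup(dst)
    return iface, hops, packet


def unwrap(packet):
    """Peel IPv4/GRE layers from the outside in; returns [(src, dst), ...] per layer.
    Everything here is readable without a key: GRE isolates traffic, it does not encrypt it."""
    layers = []
    while True:
        ihl = (packet[0] & 0x0F) * 4
        layers.append((str(ipaddress.ip_address(packet[12:16])),
                       str(ipaddress.ip_address(packet[16:20]))))
        if packet[9] != IPPROTO_GRE:
            return layers
        flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
        if flags or proto != ETH_P_IP:
            raise ValueError("unexpected GRE header")
        packet = packet[ihl + 4:]


# Constructed sample: an ICMP echo request from a headquarters host (10.1.2.10)
# to a branch 2 host (10.1.3.10); the payload bytes are arbitrary.
ICMP_ECHO = b"\x08\x00\x00\x00\x00\x01\x00\x01"
INNER = ipv4_header("10.1.2.10", "10.1.3.10", 1, len(ICMP_ECHO)) + ICMP_ECHO


def trace_to_branch2():
    """Run the sample through PE0; returns (egress, hops, layers seen on the wire)."""
    egress, hops, wire = forward(INNER, "10.1.3.10")
    return egress, hops, unwrap(wire)


if __name__ == "__main__":
    egress, hops, layers = trace_to_branch2()
    print("egress:", egress, "via", " -> ".join(hops))
    for depth, (src, dst) in enumerate(layers):
        print(f"{'  ' * depth}IPv4 {src} -> {dst}")
```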

Figure 5-54 Configuring GRE over GRE for communication between branches and
headquarters
[Network diagram: PE0 (headquarters; GE1/0/0 10.1.5.1/24, GE2/0/0 10.1.2.1/24, LoopBack1 10.2.5.1/32, Tunnel0/0/100 10.1.5.1/24, Tunnel0/0/101 10.2.5.1/24) connects across Internet1 to PE1 (branch 1; GE1/0/0 10.1.5.2/24, GE2/0/0 10.1.6.1/24, Tunnel0/0/0 10.1.5.2/24), which connects across Internet2 to PE2 (branch 2; GE1/0/0 10.1.6.2/24, GE2/0/0 10.1.3.1/24, LoopBack1 10.3.5.1/32, Tunnel0/0/0 10.3.5.1/24). One GRE tunnel joins PE0 Tunnel0/0/100 and PE1 Tunnel0/0/0; a second GRE tunnel, carried inside the first, joins PE0 Tunnel0/0/101 and PE2 Tunnel0/0/0.]

Procedure
Step 1 Configure PE0.
#
sysname PE0
#
interface GigabitEthernet1/0/0
ip address 10.1.5.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack1
ip address 10.2.5.1 255.255.255.255
#
interface Tunnel0/0/100 //Configure a tunnel interface.
ip address unnumbered interface GigabitEthernet1/0/0 //Configure Tunnel0/0/100 to borrow the IP address of GigabitEthernet1/0/0.
tunnel-protocol gre //Set the tunnel mode to GRE on Tunnel0/0/100.
source 10.1.5.1 //Configure the source address for the tunnel.
destination 10.1.5.2 //Configure the destination address for the tunnel.
#
interface Tunnel0/0/101
ip address unnumbered interface LoopBack1 //Configure Tunnel0/0/101 to borrow the IP address of LoopBack1.
tunnel-protocol gre //Set the tunnel mode to GRE on Tunnel0/0/101.
source 10.2.5.1 //Configure the source address for the tunnel.
destination 10.3.5.1 //Configure the destination address for the tunnel.
#
ip route-static 10.3.5.1 255.255.255.255 Tunnel0/0/100 //Configure Tunnel0/0/100 as the outbound interface in the route to the destination address of PE2's Tunnel0/0/0.
ip route-static 10.1.3.0 255.255.255.0 Tunnel0/0/101 //Configure Tunnel0/0/101 as the outbound interface in the route to the data destination on PE2.
#
return

Step 2 Configure PE1.


#
sysname PE1
#
interface GigabitEthernet1/0/0
ip address 10.1.5.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.6.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure a tunnel interface.
ip address unnumbered interface GigabitEthernet1/0/0 //Configure Tunnel0/0/0 to borrow the IP address of GigabitEthernet1/0/0.
tunnel-protocol gre //Set the tunnel mode to GRE on Tunnel0/0/0.
source 10.1.5.2 //Configure the source address for the tunnel.
destination 10.1.5.1 //Configure the destination address for the tunnel.
#
ip route-static 10.2.5.1 255.255.255.255 Tunnel0/0/0 //Configure Tunnel0/0/0 as the outbound interface in the route to the source address of PE0's Tunnel0/0/101.
ip route-static 10.3.5.1 255.255.255.255 10.1.6.2 //Set the next hop of the route to 10.3.5.1, the destination address of PE0's Tunnel0/0/101, to 10.1.6.2.
#
return

Step 3 Configure PE2.


#
sysname PE2
#
interface GigabitEthernet1/0/0
ip address 10.1.6.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.3.1 255.255.255.0
#
interface Loopback1
ip address 10.3.5.1 255.255.255.255
#
interface Tunnel0/0/0 //Configure a tunnel interface.
ip address unnumbered interface Loopback1 //Configure Tunnel0/0/0 to borrow the IP address of Loopback1.
tunnel-protocol gre //Set the tunnel mode to GRE on Tunnel0/0/0.
source Loopback1 //Configure the source address for the tunnel (the address of Loopback1).
destination 10.2.5.1 //Configure the destination address for the tunnel.
#
ip route-static 10.2.5.1 255.255.255.255 10.1.6.1 //Set the next hop of the route to 10.2.5.1, the source address of PE0's Tunnel0/0/101, to 10.1.6.1.
ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/0 //Configure Tunnel0/0/0 as the outbound interface in the route to the data destination behind PE0.
#
return

Step 4 Verify the configuration.


# The headquarters can successfully ping branch 1 and branch 2.

----End

Configuration Notes
1. The source address is the IP address of the interface sending packets, and the destination
address is the IP address of the interface receiving packets.
2. The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.

5.2.4 Example for Configuring IPSec over GRE to Implement Secure Communication Between the Headquarters and Branch
Applicability
This example applies to all AR models of V200R005C10 and later versions.

Networking Requirements
As shown in Figure 5-55, Router_1 is the gateway of an enterprise branch, and Router_2 is
the gateway of the headquarters. Router_1 and Router_2 communicate through the public
network.
The branch communicates with the headquarters through a GRE tunnel. The enterprise wants
to protect traffic excluding multicast data between the headquarters and branch. You can use
IPSec over GRE to establish a tunnel between virtual tunnel interfaces.


Figure 5-55 IPSec over GRE networking
(Diagram; addresses as shown in the figure.) Branch gateway Router_1: GE1/0/0 202.138.163.1/24 (to the Internet), GE2/0/0 10.1.1.1/24, Tunnel0/0/0 192.168.1.1/24, Tunnel0/0/1 192.168.2.1/24; PC_1 10.1.1.2/24 on the branch LAN. Headquarters gateway Router_2: GE1/0/0 202.138.162.1/24, GE2/0/0 10.1.2.1/24, Tunnel0/0/0 192.168.1.2/24, Tunnel0/0/1 192.168.2.2/24; PC_2 10.1.2.2/24 on the headquarters LAN. IPSec over GRE runs between the two Tunnel0/0/1 interfaces.

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
ipsec proposal tran1 //Create an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Create an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer spub v2 //Create an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
ike-proposal 5
#
ipsec profile profile1 //Create an IPSec profile.
ike-peer spub
proposal tran1
#
interface Tunnel0/0/0 //Create a GRE tunnel interface.
ip address 192.168.1.1 255.255.255.0
tunnel-protocol gre
source 202.138.163.1
destination 202.138.162.1
#
interface Tunnel0/0/1 //Create an IPSec tunnel interface.
ip address 192.168.2.1 255.255.255.0
tunnel-protocol ipsec
source Tunnel0/0/0 //Specify the GRE tunnel interface as the source tunnel interface.
destination 192.168.1.2 //Set the destination to the IP address of the peer GRE tunnel interface.
ipsec profile profile1 //Apply the IPSec profile.
#
interface GigabitEthernet1/0/0
ip address 202.138.163.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
ip route-static 10.1.2.0 255.255.255.0 tunnel0/0/1 //Configure a static route.
ip route-static 202.138.162.0 255.255.255.0 202.138.163.2 //Configure a static route.
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
ipsec proposal tran1 //Create an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Create an IKE proposal.
encryption-algorithm aes-cbc-128
authentication-algorithm sha2-256
#
ike peer spua v2 //Create an IKE peer.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Set the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
ike-proposal 5
#
ipsec profile profile1 //Create an IPSec profile.
ike-peer spua
proposal tran1
#
interface Tunnel0/0/0 //Create a GRE tunnel interface.
ip address 192.168.1.2 255.255.255.0
tunnel-protocol gre
source 202.138.162.1 //The source must be the local public address (GigabitEthernet1/0/0), which is the destination configured on Router_1.
destination 202.138.163.1
#
interface Tunnel0/0/1 //Create an IPSec tunnel interface.
ip address 192.168.2.2 255.255.255.0
tunnel-protocol ipsec
source Tunnel0/0/0 //Specify the GRE tunnel interface as the source tunnel interface.
destination 192.168.1.1 //Set the destination to the IP address of the peer GRE tunnel interface.
ipsec profile profile1 //Apply the IPSec profile.
#
interface GigabitEthernet1/0/0
ip address 202.138.162.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 tunnel0/0/1 //Configure a static route.
ip route-static 202.138.163.0 255.255.255.0 202.138.162.2 //Configure a static route.
#
return

Step 3 Verify the configuration.


# Run the display ike sa command on each router. In the command output, Flag(s) is
displayed as RD, indicating that the SA has been established successfully, and Phase is
displayed as 1 and 2.
# PC_1 and PC_2 can ping each other.

----End


Configuration Notes
When you create an IPSec tunnel interface, specify the GRE tunnel interface as the source
interface of the IPSec tunnel, and make sure the outbound interface in the route to the
destination address of the IPSec tunnel is that GRE tunnel interface.

5.2.5 Example for Configuring GRE Tunnels to Implement Communication Between the Headquarters and Branches
Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 5-56, Router_1, Router_2, and Router_3 are gateways of the enterprise
headquarters and branches. The service provider has allocated a public network IP address to
each gateway and the gateways can communicate with each other. The enterprise requires a
simple cost-effective mechanism to implement communication between the headquarters and
branches through private networks.
Generic Routing Encapsulation (GRE) tunnels can be established between the headquarters
and branches to meet this requirement. In this example, the Open Shortest Path First (OSPF)
protocol is configured so that the gateways create routing entries that use the tunnel
interface as the outbound interface.

Figure 5-56 Configuring GRE tunnels to implement communication between the headquarters and branches
(Diagram; addresses as shown in the figure.) Headquarters Router_1: GE1/0/0 3.1.1.1/24 (to the Internet), GE2/0/0 10.1.1.1/24, Tunnel0/0/1 10.4.1.1/24, Tunnel0/0/2 10.5.1.1/24; PC_1 10.1.1.2/24. Branch Router_2: GE1/0/0 1.1.1.1/24, GE2/0/0 10.2.1.1/24, Tunnel0/0/1 10.4.1.2/24; PC_2 10.2.1.2/24. Branch Router_3: GE1/0/0 2.1.1.1/24, GE2/0/0 10.3.1.1/24, Tunnel0/0/2 10.5.1.2/24; PC_3 10.3.1.2/24. Tunnel0/0/1 of Router_1 terminates on Router_2 and Tunnel0/0/2 of Router_1 terminates on Router_3.


Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
interface GigabitEthernet1/0/0 //Configure a public network outbound interface.
ip address 3.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure a private network outbound interface.
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface and set the source and destination addresses to the IP addresses of the interfaces that send and receive packets.
ip address 10.4.1.1 255.255.255.0
tunnel-protocol gre
source 3.1.1.1
destination 1.1.1.1
#
interface Tunnel0/0/2
ip address 10.5.1.1 255.255.255.0
tunnel-protocol gre
source 3.1.1.1
destination 2.1.1.1
#
ospf 1 //Configure a public network route.
area 0.0.0.0
network 3.1.1.0 0.0.0.255
#
ospf 2 //Configure private network routes.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
interface GigabitEthernet1/0/0 //Configure a public network outbound interface.
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure a private network outbound interface.
ip address 10.2.1.1 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface and set the source and destination addresses to the IP addresses of the interfaces that send and receive packets.
ip address 10.4.1.2 255.255.255.0
tunnel-protocol gre
source 1.1.1.1
destination 3.1.1.1
#
ospf 1 //Configure a public network route.
area 0.0.0.0
network 1.1.1.0 0.0.0.255
#
ospf 2 //Configure private network routes.
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
return


Step 3 Configure Router_3.


#
sysname Router_3
#
interface GigabitEthernet1/0/0 //Configure a public network outbound interface.
ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure a private network outbound interface.
ip address 10.3.1.1 255.255.255.0
#
interface Tunnel0/0/2 //Configure a tunnel interface and set the source and destination addresses to the IP addresses of the interfaces that send and receive packets.
ip address 10.5.1.2 255.255.255.0
tunnel-protocol gre
source 2.1.1.1
destination 3.1.1.1
#
ospf 1 //Configure a public network route.
area 0.0.0.0
network 2.1.1.0 0.0.0.255
#
ospf 2 //Configure private network routes.
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
#
return

Step 4 Verify the configuration.

# Run the display ip routing-table command on each router. You can find that the outbound
interface in routes to the peer is the tunnel interface.

# PC_1 can ping PC_2 and PC_3 successfully.

----End

Configuration Notes
- Routes from both ends to the private network segments must be configured.
- The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.

5.2.6 Example for Configuring an IPv6 over IPv4 GRE Tunnel

Specifications
This example applies to all routers of V200R003 and later versions.

Networking Requirements
As shown in Figure 5-57, RouterA, RouterB, and RouterC are connected through an IPv4
network. RouterA and RouterC connect to two IPv6 networks, respectively. IPv6 hosts PC1
and PC2 connect to RouterA and RouterC, respectively. It is required that an IPv6 over IPv4
GRE tunnel be configured between RouterA and RouterC so that PC1 and PC2 can
communicate with each other.


Figure 5-57 Networking diagram for configuring an IPv6 over IPv4 GRE tunnel
(Diagram; addresses as shown in the figure.) RouterA: GE1/0/0 10.1.1.1/24, GE2/0/0 FC01::1/64, Tunnel0/0/1 FC02::1/64; PC1 FC01::2/64. RouterB: GE1/0/0 10.1.1.2/24, GE2/0/0 10.1.2.1/24. RouterC: GE1/0/0 10.1.2.2/24, GE2/0/0 FC03::1/64, Tunnel0/0/1 FC02::2/64; PC2 FC03::2/64. The GRE tunnel runs between Tunnel0/0/1 of RouterA and Tunnel0/0/1 of RouterC across the IPv4 network through RouterB.

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Configure an IPv4 address for the interface.
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address FC01::1/64 //Configure an IPv6 address for the interface.
#
interface Tunnel0/0/1 //Configure a tunnel interface of the GRE tunnel, set the tunnel mode to GRE, configure an IPv6 address for the tunnel interface, and configure IPv4 addresses as the source and destination IP addresses of the tunnel interface.
ipv6 enable
ipv6 address FC02::1/64
tunnel-protocol gre
source 10.1.1.1
destination 10.1.2.2
#
ip route-static 10.1.2.0 255.255.255.0 10.1.1.2 //Configure an IPv4 static route to ensure that RouterA has a reachable route to RouterC.
#
ipv6 route-static FC03:: 64 Tunnel0/0/1 //Configure an IPv6 static route to ensure that RouterA has a reachable route to PC2.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address FC03::1/64
#
interface Tunnel0/0/1
ipv6 enable
ipv6 address FC02::2/64
tunnel-protocol gre
source 10.1.2.2
destination 10.1.1.1
#
ip route-static 10.1.1.0 255.255.255.0 10.1.2.1 //Configure an IPv4 static route to ensure that RouterC has a reachable route to RouterA.
#
ipv6 route-static FC01:: 64 Tunnel0/0/1 //Configure an IPv6 static route to ensure that RouterC has a reachable route to PC1.
#
return

Step 4 Verify the configuration.

# PC1 and PC2 can successfully ping each other.

----End

Configuration Notes
- The devices on the IPv4 network have reachable routes to each other.
- The source and destination IP addresses of the devices at both ends of the tunnel must be
configured. The source and destination IP addresses of the local device must be the same
as the destination and source IP addresses of the remote device, respectively.
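The Configuration Notes of 5.2.3, 5.2.5 and 5.2.6 all state the same mirror rule for tunnel endpoints (local source = remote destination and vice versa), and the note in 5.2.4 adds that an IPSec tunnel takes the GRE tunnel interface as its source. The Python script below is an added example, not Huawei's code and not part of this document: it parses configurations written in the style of the Step 1 to Step 3 listings above and applies both rules to every tunnel interface, resolving a source given as an interface name (including ip address unnumbered) to its address before comparing. The device names R1 and R2, the addresses in 198.51.100.0/24 and 203.0.113.0/24, and all function names are the example's own; R2's GRE source is deliberately an address R2 does not own, so that the check has something to report.

```python
"""Tunnel endpoint consistency check for VRP-style configs (added example, not from the page)."""
import re
from typing import Dict, List, Optional

# Constructed sample configs modelled on the GRE and IPSec over GRE examples above
# (documentation addresses, not the page's). R2's GRE tunnel deliberately names a
# source address R2 does not own, the slip the Configuration Notes warn about.
CONFIGS = {
    "R1": """
interface GigabitEthernet1/0/0
 ip address 198.51.100.1 255.255.255.0
#
interface Tunnel0/0/0 //GRE carrier tunnel
 ip address 192.168.1.1 255.255.255.0
 tunnel-protocol gre
 source GigabitEthernet1/0/0
 destination 203.0.113.1
#
interface Tunnel0/0/1 //IPSec tunnel riding on the GRE tunnel
 ip address 192.168.2.1 255.255.255.0
 tunnel-protocol ipsec
 source Tunnel0/0/0
 destination 192.168.1.2
""",
    "R2": """
interface GigabitEthernet1/0/0
 ip address 203.0.113.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address 192.168.1.2 255.255.255.0
 tunnel-protocol gre
 source 203.0.113.2
 destination 198.51.100.1
#
interface Tunnel0/0/1
 ip address 192.168.2.2 255.255.255.0
 tunnel-protocol ipsec
 source Tunnel0/0/0
 destination 192.168.1.1
""",
}

IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Map lower-cased interface name -> {name, ip | unnumbered, tunnel-protocol, source, destination}.
    Lines are stripped first, so indented and flattened (PDF-extracted) configs both parse."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()      # drop trailing // comments, as used on the page
        if not line or line == "#":
            continue
        if m := re.fullmatch(r"interface\s+(\S+)", line):
            current = interfaces.setdefault(m.group(1).lower(), {"name": m.group(1)})
        elif current is None:
            continue
        elif m := re.fullmatch(r"ip address unnumbered interface (\S+)", line):
            current["unnumbered"] = m.group(1).lower()
        elif m := re.fullmatch(r"ip address (\S+) \S+", line):
            current["ip"] = m.group(1)
        elif m := re.match(r"(tunnel-protocol|source|destination)\s+(\S+)", line):
            current[m.group(1)] = m.group(2)
    return interfaces


def interface_ip(interfaces: Dict[str, Dict[str, str]], name: str, depth: int = 0) -> Optional[str]:
    """Resolve an interface to its IPv4 address, following 'ip address unnumbered' one level."""
    entry = interfaces.get(name.lower())
    if entry is None:
        return None
    if "ip" in entry:
        return entry["ip"]
    if "unnumbered" in entry and depth < 1:
        return interface_ip(interfaces, entry["unnumbered"], depth + 1)
    return None


def check_tunnels(configs: Dict[str, str]) -> List[str]:
    """Apply the two notes to every tunnel: the source must be an address the local device
    owns, and some other device must have a tunnel of the same protocol whose source and
    destination mirror ours. Returns human-readable findings; [] means consistent."""
    parsed = {dev: parse_interfaces(text) for dev, text in configs.items()}
    endpoints = []  # (device, tunnel name, protocol, source ip, destination ip)
    for dev, ifs in parsed.items():
        for entry in ifs.values():
            if "tunnel-protocol" in entry and "source" in entry:
                src = entry["source"]
                src_ip = src if IPV4.fullmatch(src) else interface_ip(ifs, src)
                endpoints.append((dev, entry["name"], entry["tunnel-protocol"], src_ip, entry.get("destination")))
    findings = []
    for dev, tun, proto, src, dst in endpoints:
        owned = {e["ip"] for e in parsed[dev].values() if "ip" in e}
        if src not in owned:
            findings.append(f"{dev} {tun}: source {src} is not an address {dev} owns")
        if not any(d != dev and p == proto and s == dst and t == src for d, _, p, s, t in endpoints):
            findings.append(f"{dev} {tun}: no peer {proto} tunnel with source {dst} and destination {src}")
    return findings


if __name__ == "__main__":
    for line in check_tunnels(CONFIGS) or ["all tunnels consistent"]:
        print(line)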

5.3 DSVPN

5.3.1 Example for Configuring DSVPN to Allow Branches to Learn Routes from Each Other and Implement Communication Between the Branches (Applicable When There Are a Small Number of Branches)

Specifications
This example applies to all AR models of V200R002C00 and later versions.


Networking Requirements
As shown in Figure 5-58, the hub (central office), Spoke1 (a branch), and Spoke2 (a branch)
belong to the same autonomous system (AS). They can communicate with each other on the
IP network using routing protocols.

Figure 5-58 Configuring DSVPN when branches learn routes from each other
(Diagram; addresses as shown in the figure.) Branch Spoke1: Eth1/0/0 44.3.1.2/24, Tunnel 0/0/0 172.16.1.101/24. Branch Spoke2: Eth1/0/0 44.4.1.2/24, Tunnel 0/0/0 172.16.1.102/24. Hub: Eth1/0/0 44.1.1.1/24, Tunnel 0/0/0 172.16.1.1/24. NHRP runs between each Spoke and the Hub and between the Spokes.

Procedure
Step 1 Configure spoke1.
#
interface Ethernet1/0/0
ip address 44.3.1.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.101 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel interface.
nhrp entry 172.16.1.1 44.1.1.1 register //Configure an NHRP mapping table.
ospf network-type broadcast //Set the network type of the OSPF interface to broadcast.
ospf dr-priority 8
#
ospf 1 //Configure OSPF.
area 0.0.0.1
network 44.3.1.0 0.0.0.255
ospf 2 //Configure OSPF.
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return

Step 2 Configure spoke2.


#
interface Ethernet1/0/0
ip address 44.4.1.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.102 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel interface.
nhrp entry 172.16.1.1 44.1.1.1 register //Configure an NHRP mapping table.
ospf network-type broadcast //Set the network type of the OSPF interface to broadcast.
ospf dr-priority 8
#
ospf 1 //Configure OSPF.
area 0.0.0.1
network 44.4.1.0 0.0.0.255
ospf 2
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return

Step 3 Configure the hub.


#
interface Ethernet1/0/0
ip address 44.1.1.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.1 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel interface.
nhrp entry multicast dynamic //Add dynamically registered branch devices to the NHRP multicast member table of the central office device.
ospf network-type broadcast //Set the network type of the OSPF interface to broadcast.
ospf dr-priority 10
#
ospf 1 //Configure OSPF.
area 0.0.0.1
network 44.1.1.0 0.0.0.255 //Advertise the hub's own public network segment (Ethernet1/0/0).
ospf 2
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return

Step 4 Verify the configuration.


Ping the IP address 172.16.1.102 of Spoke2 from Spoke1. You can see that Spoke1 and
Spoke2 have learned NHRP mapping entries from each other.

----End

Configuration Notes
- If OSPF is configured, the OSPF network type of the tunnel interface must be broadcast.


5.3.2 Example for Configuring DSVPN to Allow Branches to Learn Only Summarized Routes to the Headquarters and Implement Communication Between the Branches (Applicable When There Are a Large Number of Branches)
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-59, the hub (central office), Spoke1 (a branch), and Spoke2 (a branch)
belong to the same autonomous system (AS). They can communicate with each other on the
IP network using routing protocols.

Figure 5-59 Configuring DSVPN when branches have only summarized routes to the central office
(Diagram; addresses as shown in the figure.) Branch Spoke1: Eth1/0/0 44.3.1.2/24, Tunnel 0/0/0 172.16.1.101/24. Branch Spoke2: Eth1/0/0 44.4.1.2/24, Tunnel 0/0/0 172.16.1.102/24. Hub: Eth1/0/0 44.1.1.1/24, Tunnel 0/0/0 172.16.1.1/24. NHRP runs between each Spoke and the Hub and between the Spokes.

Procedure
Step 1 Configure spoke1.
#
interface Ethernet1/0/0
ip address 44.3.1.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.101 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel interface.
nhrp entry 172.16.1.1 44.1.1.1 register //Configure an NHRP mapping table.
nhrp shortcut //Enable the NHRP shortcut function.
#
rip 1 //Configure RIP.
version 2
network 172.16.0.0
#
ospf 2
area 0.0.0.1
network 44.3.1.0 0.0.0.255
#
return

Step 2 Configure spoke2.


#
interface Ethernet1/0/0
ip address 44.4.1.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.102 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel interface.
nhrp entry 172.16.1.1 44.1.1.1 register //Configure an NHRP mapping table.
nhrp shortcut //Enable the NHRP shortcut function.
#
rip 1 //Configure RIP.
version 2
network 172.16.0.0
#
ospf 2
area 0.0.0.1
network 44.4.1.0 0.0.0.255
#
return

Step 3 Configure the hub.


#
interface Ethernet1/0/0
ip address 44.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 192.168.0.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.1 255.255.255.0
rip version 2 multicast
rip summary-address 192.168.0.0 255.255.0.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel interface.
nhrp redirect //Enable the NHRP redirect function.
nhrp entry multicast dynamic //Add dynamically registered branch devices to the NHRP multicast member table of the central office device.
#
rip 1 //Configure RIP.
version 2
network 172.16.0.0
network 192.168.0.0
#
ospf 2
area 0.0.0.1
network 44.1.1.0 0.0.0.255
#
return

Step 4 Verify the configuration.


Ping between Spoke1 and Spoke2. You can see that Spoke1 and Spoke2 have learned NHRP mapping
entries from each other.
----End

Configuration Notes
- If the dynamic routing protocol RIP is used, enable the split horizon and automatic route
aggregation functions on the tunnel interface of the hub.

5.3.3 Example for Configuring DSVPN to Implement Stable Communication Between the Branches Through Dual Hubs in the Headquarters
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
A large-scale enterprise has a central office (Hub1 and Hub2) and multiple branches that
are located in different areas (this example shows only two Spokes, Spoke1 and Spoke2). The
subnets of the central office and branches change frequently. The Spokes use dynamic
addresses to connect to the public network. Open Shortest Path First (OSPF) is used on the
enterprise network.
The enterprise wants to establish a VPN between the Spokes. Hub1 functions as the master
device and Hub2 functions as the backup device. Hub2 takes over the services and forwards
protocol packets if Hub1 fails. When Hub1 recovers, services are switched back to Hub1.

Figure 5-60 Networking diagram for dual-Hub DSVPN configuration
(Diagram; addresses as shown in the figure.) Spoke1 (Branch 1 subnet 192.168.1.0/24): GE1/0/0 202.1.2.10/24, Tunnel0/0/0 172.16.1.2/24, LoopBack0 192.168.1.1/24. Spoke2 (Branch 2 subnet 192.168.2.0/24): GE1/0/0 202.1.3.10/24, Tunnel0/0/0 172.16.1.3/24, LoopBack0 192.168.2.1/24. Hub1 (central office subnet): GE1/0/0 202.1.1.10/24, Tunnel0/0/0 172.16.1.1/24, LoopBack0 192.168.0.1/24. Hub2 (central office subnet): GE1/0/0 202.1.254.10/24, Tunnel0/0/0 172.16.1.254/24, LoopBack0 192.168.0.2/24.


Procedure
Step 1 Configure Hub1.
#
sysname Hub1
#
interface GigabitEthernet1/0/0
ip address 202.1.1.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.0.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf cost 1000 //Configure a smaller OSPF cost value on Hub1 to ensure that Spokes prefer to use Hub1 as the next hop device.
ospf network-type p2mp
ospf dr-priority 100
nhrp redirect //The redirect function must be configured on the Hub.
nhrp entry multicast dynamic
#
ospf 1 router-id 172.16.1.1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
ospf 2 //Configure OSPF to provide reachable routes to the public network.
area 0.0.0.1
network 202.1.1.0 0.0.0.255
#
return

Step 2 Configure Hub2.


#
sysname Hub2
#
interface GigabitEthernet1/0/0
ip address 202.1.254.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.0.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.254 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf cost 3000 //Configure a larger OSPF cost value on Hub2 to ensure that Spokes prefer to use Hub1 as the next hop device.
ospf network-type p2mp
ospf dr-priority 99
nhrp redirect //The redirect function must be configured on the Hub.
nhrp entry multicast dynamic
#
ospf 1 router-id 172.16.1.254
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
ospf 2 //Configure OSPF to provide reachable routes to the public network.
area 0.0.0.1
network 202.1.254.0 0.0.0.255 //Advertise Hub2's own public network segment (GigabitEthernet1/0/0).
#
return

Step 3 Configure Spoke1.


#
sysname Spoke1
#
interface GigabitEthernet1/0/0
ip address 202.1.2.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to point-to-multipoint (P2MP) to provide reachable routes to the Hub.
ospf dr-priority 10
nhrp shortcut //The shortcut function must be configured on the Spoke.
nhrp registration interval 300 //When Hub1 recovers, Spokes relearn routes to Hub1 only after Hub1 receives their NHRP Registration Request packets. Set the interval for sending NHRP Registration Request packets to a proper value so that the Spokes detect Hub1 recovery quickly. The default interval is 1800 seconds.
nhrp entry 172.16.1.1 202.1.1.10 register
nhrp entry 172.16.1.254 202.1.254.10 register
#
ospf 1 router-id 172.16.1.2 //Configure branch subnets to learn routes from each other.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
ospf 2 //Configure OSPF to provide reachable routes to the public network.
area 0.0.0.1
network 202.1.2.0 0.0.0.255
#
return

Step 4 Configure Spoke2.


#
sysname Spoke2
#
interface GigabitEthernet1/0/0
ip address 202.1.3.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.2.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.3 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to point-to-multipoint (P2MP) to provide reachable routes to the Hub.
ospf dr-priority 10
nhrp shortcut //The shortcut function must be configured on the Spoke.
nhrp registration interval 300 //When Hub1 recovers, Spokes relearn routes to Hub1 only after Hub1 receives their NHRP Registration Request packets. Set the interval for sending NHRP Registration Request packets to a proper value so that the Spokes detect Hub1 recovery quickly. The default interval is 1800 seconds.
nhrp entry 172.16.1.1 202.1.1.10 register
nhrp entry 172.16.1.254 202.1.254.10 register
#
ospf 1 router-id 172.16.1.3 //Configure branch subnets to learn routes from each other.
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
ospf 2 //Configure OSPF to provide reachable routes to the public network.
area 0.0.0.1
network 202.1.3.0 0.0.0.255
#
return

Step 5 Verify the configuration.


- Verify the DSVPN configuration.
After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.
# Run the display nhrp peer all command on Spoke1. The command output is as follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 05:35:50
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.254 32 202.1.254.10 172.16.1.254 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 04:32:49
Expire time : --

Number of nhrp peers: 2


# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 05:36:30
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.254 32 202.1.254.10 172.16.1.254 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 04:33:14
Expire time : --

Number of nhrp peers: 2

NOTE
If you run the display nhrp peer all command on Spoke1 and Spoke2 at this point, you can see only the NHRP mapping entries of Hub1 and Hub2. Spoke-to-Spoke entries are created dynamically and appear only after traffic between the Spokes triggers them.


On the Hubs, check the NHRP mapping entries of Spoke1 and Spoke2.


Run the display nhrp peer all command on Hub1. The command output is as follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.3 32 202.1.3.10 172.16.1.3 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 02:59:52
Expire time : 01:59:12
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.2 32 202.1.2.10 172.16.1.2 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 02:59:32
Expire time : 01:59:09

Number of nhrp peers: 2

Run the display nhrp peer all command on Hub2. The command output is as follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.3 32 202.1.3.10 172.16.1.3 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:21:09
Expire time : 01:59:51
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.2 32 202.1.2.10 172.16.1.2 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:14:13
Expire time : 01:59:48

Number of nhrp peers: 2

l Check OSPF routing information.


Check the OSPF routing information on the Hubs.
Run the display ospf 1 routing command on Hub1. The command output is as follows:
[Huawei] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.1
          Routing Tables

 Routing for Network
 Destination        Cost  Type  NextHop       AdvRouter     Area
 172.16.1.1/32      0     Stub  172.16.1.1    172.16.1.1    0.0.0.0
 172.16.1.2/32      1000  Stub  172.16.1.2    172.16.1.2    0.0.0.0
 172.16.1.3/32      5562  Stub  172.16.1.2    172.16.1.3    0.0.0.0
 172.16.1.254/32    2562  Stub  172.16.1.2    172.16.1.254  0.0.0.0
 192.168.1.1/32     1000  Stub  172.16.1.2    172.16.1.2    0.0.0.0
 192.168.2.1/32     5562  Stub  172.16.1.2    172.16.1.3    0.0.0.0

 Total Nets: 6
 Intra Area: 6  Inter Area: 0  ASE: 0  NSSA: 0

Run the display ospf 1 routing command on Hub2. The command output is as follows:
[Huawei] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.254
          Routing Tables

 Routing for Network
 Destination        Cost  Type  NextHop       AdvRouter     Area
 172.16.1.254/32    0     Stub  172.16.1.254  172.16.1.254  0.0.0.0
 172.16.1.1/32      4562  Stub  172.16.1.3    172.16.1.1    0.0.0.0
 172.16.1.2/32      5562  Stub  172.16.1.3    172.16.1.2    0.0.0.0
 172.16.1.3/32      3000  Stub  172.16.1.3    172.16.1.3    0.0.0.0
 192.168.1.1/32     5562  Stub  172.16.1.3    172.16.1.2    0.0.0.0
 192.168.2.1/32     3000  Stub  172.16.1.3    172.16.1.3    0.0.0.0

 Total Nets: 6
 Intra Area: 6  Inter Area: 0  ASE: 0  NSSA: 0

Check the OSPF routing information on Spoke1 and Spoke2.


Run the display ospf 1 routing command on Spoke1. The command output is as
follows:
[Huawei] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.2
          Routing Tables

 Routing for Network
 Destination        Cost  Type  NextHop       AdvRouter     Area
 172.16.1.2/32      0     Stub  172.16.1.2    172.16.1.2    0.0.0.0
 192.168.1.1/32     0     Stub  192.168.1.1   172.16.1.2    0.0.0.0
 172.16.1.1/32      1562  Stub  172.16.1.1    172.16.1.1    0.0.0.0
 172.16.1.3/32      2562  Stub  172.16.1.1    172.16.1.3    0.0.0.0
 172.16.1.254/32    1562  Stub  172.16.1.254  172.16.1.254  0.0.0.0
 192.168.2.1/32     2562  Stub  172.16.1.1    172.16.1.3    0.0.0.0

 Total Nets: 6
 Intra Area: 6  Inter Area: 0  ASE: 0  NSSA: 0

Run the display ospf 1 routing command on Spoke2. The command output is as
follows:
[Huawei] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.3
          Routing Tables

 Routing for Network
 Destination        Cost  Type  NextHop       AdvRouter     Area
 172.16.1.3/32      0     Stub  172.16.1.3    172.16.1.3    0.0.0.0
 192.168.2.1/32     0     Stub  192.168.2.1   172.16.1.3    0.0.0.0
 172.16.1.1/32      1562  Stub  172.16.1.1    172.16.1.1    0.0.0.0
 172.16.1.2/32      2562  Stub  172.16.1.1    172.16.1.2    0.0.0.0
 172.16.1.254/32    1562  Stub  172.16.1.254  172.16.1.254  0.0.0.0
 192.168.1.1/32     2562  Stub  172.16.1.1    172.16.1.2    0.0.0.0

 Total Nets: 6
 Intra Area: 6  Inter Area: 0  ASE: 0  NSSA: 0

l Run the ping command to check the configuration result.


Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output
is as follows:
[Huawei] ping -a 192.168.1.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 05:42:50
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.254 32 202.1.254.10 172.16.1.254 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 04:39:49
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
192.168.2.1 32 202.1.3.10 172.16.1.3 dynamic route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:19
Expire time : 01:59:41
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.3 32 202.1.3.10 172.16.1.3 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:19
Expire time : 01:59:41
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
192.168.1.1 32 202.1.2.10 172.16.1.2 dynamic local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:19
Expire time : 01:59:41

Number of nhrp peers: 5

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 05:43:19
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.254 32 202.1.254.10 172.16.1.254 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 04:40:03
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
192.168.1.1 32 202.1.2.10 172.16.1.2 dynamic route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:45
Expire time : 01:59:15
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.2 32 202.1.2.10 172.16.1.2 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:45
Expire time : 01:59:15
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
192.168.2.1 32 202.1.3.10 172.16.1.3 dynamic local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:45
Expire time : 01:59:15

Number of nhrp peers: 5

l Shut down the physical interface GE1/0/0 of Hub1 and check the OSPF routing information.
# Run the shutdown command on the interface GE1/0/0 of Hub1.
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] shutdown
[Huawei-GigabitEthernet1/0/0] quit

Check the routing entries on the Spokes after Hub1 fails. The next hop switches to Hub2.
Run the display ospf 1 routing command on Spoke1. The command output is as
follows:
[Huawei] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.2
          Routing Tables

 Routing for Network
 Destination        Cost  Type  NextHop       AdvRouter     Area
 172.16.1.2/32      0     Stub  172.16.1.2    172.16.1.2    0.0.0.0
 192.168.1.1/32     0     Stub  192.168.1.1   172.16.1.2    0.0.0.0
 172.16.1.3/32      4562  Stub  172.16.1.254  172.16.1.3    0.0.0.0
 172.16.1.254/32    1562  Stub  172.16.1.254  172.16.1.254  0.0.0.0
 192.168.2.1/32     4562  Stub  172.16.1.254  172.16.1.3    0.0.0.0

 Total Nets: 5
 Intra Area: 5  Inter Area: 0  ASE: 0  NSSA: 0

Run the display ospf 1 routing command on Spoke2. The command output is as
follows:
[Huawei] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.3
          Routing Tables

 Routing for Network
 Destination        Cost  Type  NextHop       AdvRouter     Area
 172.16.1.3/32      0     Stub  172.16.1.3    172.16.1.3    0.0.0.0
 192.168.2.1/32     0     Stub  192.168.2.1   172.16.1.3    0.0.0.0
 172.16.1.2/32      4562  Stub  172.16.1.254  172.16.1.2    0.0.0.0
 172.16.1.254/32    1562  Stub  172.16.1.254  172.16.1.254  0.0.0.0
 192.168.1.1/32     4562  Stub  172.16.1.254  172.16.1.2    0.0.0.0

 Total Nets: 5
 Intra Area: 5  Inter Area: 0  ASE: 0  NSSA: 0

l Run the ping command to check the configuration result.


Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.


NOTICE
Before you run the ping command, ensure that no default route to Hub1 exists on the
local device.

# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output
is as follows:
[Huawei] ping -a 192.168.1.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/2 ms

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 05:46:29
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.254 32 202.1.254.10 172.16.1.254 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 04:43:28
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
192.168.2.1 32 202.1.3.10 172.16.1.3 dynamic route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:22
Expire time : 01:59:38
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.3 32 202.1.3.10 172.16.1.3 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:22
Expire time : 01:59:38
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
192.168.1.1 32 202.1.2.10 172.16.1.2 dynamic local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:22
Expire time : 01:59:38

Number of nhrp peers: 5

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 05:46:54
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.254 32 202.1.254.10 172.16.1.254 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 04:43:38
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
192.168.1.1 32 202.1.2.10 172.16.1.2 dynamic route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:43
Expire time : 01:59:17
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.2 32 202.1.2.10 172.16.1.2 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:43
Expire time : 01:59:17
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
192.168.2.1 32 202.1.3.10 172.16.1.3 dynamic local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:43
Expire time : 01:59:17

Number of nhrp peers: 5

NOTE

Before you run the ping command, clear the existing NHRP mapping entries on the Spokes.

----End

Configuration Notes
Different OSPF cost values must be configured on the mGRE interfaces of Hub1 and Hub2 to
ensure that the Spokes learn routes to the interface with a smaller cost value and prefer to use
the master Hub as the next hop device. When the cost value of the route to the master Hub is
larger than that to the backup Hub, Spokes prefer to forward packets through the backup Hub.
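To make the failover check in Step 5 repeatable, the following Python script (an added example, not part of the Huawei guide) parses the display ospf 1 routing output of a Spoke and reports which Hub currently carries the routes to the other branches; the two sample tables are the Spoke1 outputs from before and after GE1/0/0 on Hub1 was shut down, and the Hub1/Hub2 addresses are those of this example topology.

```python
import re

# Hub tunnel addresses from the example topology: Hub1 is the master, Hub2 the backup.
HUBS = {"172.16.1.1": "Hub1", "172.16.1.254": "Hub2"}

# Spoke1 routing table before Hub1 failed (copied from the Step 5 verification output).
SPOKE1_BEFORE = """\
OSPF Process 1 with Router ID 172.16.1.2
          Routing Tables

 Routing for Network
 Destination        Cost  Type  NextHop       AdvRouter     Area
 172.16.1.2/32      0     Stub  172.16.1.2    172.16.1.2    0.0.0.0
 192.168.1.1/32     0     Stub  192.168.1.1   172.16.1.2    0.0.0.0
 172.16.1.1/32      1562  Stub  172.16.1.1    172.16.1.1    0.0.0.0
 172.16.1.3/32      2562  Stub  172.16.1.1    172.16.1.3    0.0.0.0
 172.16.1.254/32    1562  Stub  172.16.1.254  172.16.1.254  0.0.0.0
 192.168.2.1/32     2562  Stub  172.16.1.1    172.16.1.3    0.0.0.0

 Total Nets: 6
 Intra Area: 6  Inter Area: 0  ASE: 0  NSSA: 0
"""

# Spoke1 routing table after GE1/0/0 on Hub1 was shut down (copied from Step 5).
SPOKE1_AFTER = """\
OSPF Process 1 with Router ID 172.16.1.2
          Routing Tables

 Routing for Network
 Destination        Cost  Type  NextHop       AdvRouter     Area
 172.16.1.2/32      0     Stub  172.16.1.2    172.16.1.2    0.0.0.0
 192.168.1.1/32     0     Stub  192.168.1.1   172.16.1.2    0.0.0.0
 172.16.1.3/32      4562  Stub  172.16.1.254  172.16.1.3    0.0.0.0
 172.16.1.254/32    1562  Stub  172.16.1.254  172.16.1.254  0.0.0.0
 192.168.2.1/32     4562  Stub  172.16.1.254  172.16.1.3    0.0.0.0

 Total Nets: 5
 Intra Area: 5  Inter Area: 0  ASE: 0  NSSA: 0
"""

# One route line: destination/prefix, cost, type, next hop, advertising router, area.
ROUTE_RE = re.compile(
    r"^(?P<dest>\d+(?:\.\d+){3}/\d+)\s+(?P<cost>\d+)\s+(?P<type>\S+)\s+"
    r"(?P<nexthop>\d+(?:\.\d+){3})\s+(?P<adv>\d+(?:\.\d+){3})\s+(?P<area>\S+)$"
)


def parse_ospf_routing(text):
    """Return (router_id, routes); routes is one dict per route line of the table."""
    rid = re.search(r"Router ID (\d+(?:\.\d+){3})", text)
    if not rid:
        raise ValueError("no 'Router ID' line in the output")
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            route = m.groupdict()
            route["cost"] = int(route["cost"])
            routes.append(route)
    # Cross-check against the summary line so a truncated capture is noticed.
    total = re.search(r"Total Nets:\s*(\d+)", text)
    if total and int(total.group(1)) != len(routes):
        raise ValueError(f"parsed {len(routes)} routes, Total Nets says {total.group(1)}")
    return rid.group(1), routes


def remote_branch_routes(router_id, routes):
    """Routes that must transit a Hub: advertised by another router and not a Hub /32."""
    return [r for r in routes
            if r["adv"] != router_id and r["dest"].split("/")[0] not in HUBS]


def active_hub(text):
    """Name of the Hub all remote branch routes use as next hop; None while they disagree."""
    router_id, routes = parse_ospf_routing(text)
    hops = {r["nexthop"] for r in remote_branch_routes(router_id, routes)}
    if len(hops) != 1:
        return None  # mixed next hops: convergence after a failover is not finished
    hop = hops.pop()
    return HUBS.get(hop, f"non-hub next hop {hop}")


def missing_hubs(text):
    """Hubs whose /32 has disappeared from the table (Hub1 after its WAN interface went down)."""
    _, routes = parse_ospf_routing(text)
    present = {r["dest"].split("/")[0] for r in routes}
    return sorted(name for addr, name in HUBS.items() if addr not in present)


if __name__ == "__main__":
    for label, table in (("before", SPOKE1_BEFORE), ("after", SPOKE1_AFTER)):
        print(f"{label}: active hub = {active_hub(table)}, missing = {missing_hubs(table)}")
```

Feed the script the output of display ospf 1 routing captured from each Spoke; a result of None means the Spoke still holds a mixture of Hub1 and Hub2 next hops and the check should be repeated after convergence.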

FAQ
l Q: Do I need to ensure that routes to the public network are reachable when configuring
DSVPN?
A: Yes. Ensuring reachable routes to the public network is the prerequisite for
implementing DSVPN.
l Q: Should I configure the master and backup Hubs on the same network segment?
A: No. You must not configure the master and backup Hubs on the same network
segment.
l Q: When the master Hub works normally, the backup Hub is in the Inactive state,
wasting resources. Can I configure the backup Hub as a Spoke?
A: Yes. When the master Hub works normally, the backup Hub is in the Inactive state. If
an enterprise has limited resources, you can configure the backup Hub as a Spoke. In this
case, the backup Hub registers with the master Hub in the same way as the other Spokes.
When the master Hub fails, the backup Hub takes over the role of the master and
transmits packets between Spokes.

5.4 IPSec

5.4.1 Example for Manually Establishing an IPSec Tunnel

Specifications
This example applies to all versions and routers.


Networking Requirements
As shown in Figure 5-61, RouterA (branch gateway) and RouterB (headquarters gateway)
communicate through the Internet. The branch subnet is 10.1.1.0/24 and the headquarters
subnet is 10.1.2.0/24.
The enterprise wants to protect data flows between the branch subnet and the headquarters
subnet. An IPSec tunnel can be set up manually between the branch gateway and headquarters
gateway because they communicate over the Internet and only a few branch gateways need
to be maintained.

Figure 5-61 Manually establishing an IPSec tunnel: RouterA (branch gateway; GE1/0/0 202.138.163.1/24, GE2/0/0 10.1.1.1/24) and RouterB (headquarters gateway; GE1/0/0 202.138.162.1/24, GE2/0/0 10.1.2.1/24) are connected by an IPSec tunnel between their GE1/0/0 interfaces. PC A 10.1.1.2/24 is on the branch subnet and PC B 10.1.2.2/24 on the headquarters subnet.

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3101 //Configure ACL 3101 to match traffic sent from the branch subnet to the headquarters subnet.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ipsec policy map1 10 manual //Manually create an IPSec policy.
security acl 3101
proposal tran1
tunnel local 202.138.163.1
tunnel remote 202.138.162.1
sa spi inbound esp 54321
sa string-key inbound esp cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication key for the inbound SA to huawei.
sa spi outbound esp 12345
sa string-key outbound esp cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the authentication key for the outbound SA to huawei.
#
interface GigabitEthernet1/0/0
ip address 202.138.163.1 255.255.255.0
ipsec policy map1


#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
ip route-static 202.138.162.0 255.255.255.0 202.138.163.2 //Configure a static route to the WAN-side interface of the headquarters.
ip route-static 10.1.2.0 255.255.255.0 202.138.163.2 //Configure a static route to the LAN-side interface of the headquarters.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
acl number 3101 //Configure ACL 3101 to match traffic sent from the headquarters subnet to the branch subnet.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ipsec policy use1 10 manual //Manually create an IPSec policy.
security acl 3101
proposal tran1
tunnel local 202.138.162.1
tunnel remote 202.138.163.1
sa spi inbound esp 12345
sa string-key inbound esp cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%# //Configure the authentication key for the inbound SA to huawei.
sa spi outbound esp 54321
sa string-key outbound esp cipher %^%#(3fr1!&6O=)!GN#~{)n,2fq>4#4+%;lMTs5(]:c)%^%# //Configure the authentication key for the outbound SA to huawei.
#
interface GigabitEthernet1/0/0
ip address 202.138.162.1 255.255.255.0
ipsec policy use1
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
ip route-static 202.138.163.0 255.255.255.0 202.138.162.2 //Configure a static route to the WAN-side interface of the branch.
ip route-static 10.1.1.0 255.255.255.0 202.138.162.2 //Configure a static route to the LAN-side interface of the branch.
#
return

Step 3 Verify the configuration.


Run the display ipsec sa command on RouterA to view the IPSec tunnel configuration.

----End

Configuration Notes
l ACLs configured on devices in the headquarters and branch must mirror each other.
l There must be reachable routes between the headquarters and branch.
l All IPSec policies must be bound to WAN-side outbound interfaces.
l The headquarters and branches use the same pre-shared-key.
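The following Python script is an added example (not part of the Huawei guide) that cross-checks the two ends of a manually keyed tunnel against the Configuration Notes above: mirrored ACLs, swapped tunnel local/remote addresses, the inbound SPI of one router equal to the outbound SPI of the other, and identical ESP algorithms. The sample configurations are constructed from Steps 1 and 2; the sa string-key lines are left out because each device displays its own cipher text, so the shared key itself still has to be compared by hand.

```python
import re

# Constructed from the RouterA and RouterB configurations in Steps 1 and 2.
ROUTER_A = """\
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.163.1
 tunnel remote 202.138.162.1
 sa spi inbound esp 54321
 sa spi outbound esp 12345
"""

ROUTER_B = """\
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.162.1
 tunnel remote 202.138.163.1
 sa spi inbound esp 12345
 sa spi outbound esp 54321
"""

# Constructed faulty variant: two digits of RouterB's inbound SPI were transposed.
ROUTER_B_BAD_SPI = ROUTER_B.replace("sa spi inbound esp 12345", "sa spi inbound esp 12354")


def _first(pattern, config):
    """Return the first capture group of pattern in config, or raise if it is absent."""
    m = re.search(pattern, config, re.MULTILINE)
    if not m:
        raise ValueError(f"missing setting: {pattern}")
    return m.group(1)


def parse_manual_ipsec(config):
    """Collect the settings a manually keyed IPSec tunnel depends on from one router."""
    acl_ref = _first(r"^\s*security acl (\d+)\s*$", config)
    # The ACL referenced by the policy must actually be defined; read its permit rule.
    rule = re.search(
        rf"^acl number {acl_ref}\s*\n\s*rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)",
        config, re.MULTILINE)
    if not rule:
        raise ValueError(f"ACL {acl_ref} referenced by the policy is not defined")
    return {
        "acl_src": rule.group(1), "acl_dst": rule.group(2),
        "local": _first(r"^\s*tunnel local (\S+)", config),
        "remote": _first(r"^\s*tunnel remote (\S+)", config),
        "spi_in": _first(r"^\s*sa spi inbound esp (\d+)", config),
        "spi_out": _first(r"^\s*sa spi outbound esp (\d+)", config),
        "auth": _first(r"^\s*esp authentication-algorithm (\S+)", config),
        "enc": _first(r"^\s*esp encryption-algorithm (\S+)", config),
    }


def check_tunnel_pair(cfg_a, cfg_b):
    """Return a list of mismatch descriptions; an empty list means both ends agree."""
    a, b = parse_manual_ipsec(cfg_a), parse_manual_ipsec(cfg_b)
    problems = []
    if a["acl_src"] != b["acl_dst"] or a["acl_dst"] != b["acl_src"]:
        problems.append("ACLs do not mirror each other")
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        problems.append("tunnel local/remote addresses are not swapped")
    # Manual SAs are matched by SPI: what A receives on must be what B sends with.
    if a["spi_in"] != b["spi_out"]:
        problems.append(f"A inbound SPI {a['spi_in']} != B outbound SPI {b['spi_out']}")
    if a["spi_out"] != b["spi_in"]:
        problems.append(f"A outbound SPI {a['spi_out']} != B inbound SPI {b['spi_in']}")
    if a["auth"] != b["auth"] or a["enc"] != b["enc"]:
        problems.append("ESP algorithms differ between the two proposals")
    return problems


if __name__ == "__main__":
    print("RouterA <-> RouterB:", check_tunnel_pair(ROUTER_A, ROUTER_B) or "consistent")
    print("RouterA <-> bad RouterB:", check_tunnel_pair(ROUTER_A, ROUTER_B_BAD_SPI))
```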


5.4.2 Example for Establishing an IPSec Tunnel Between Two Devices Using IKE Negotiation (Without DPD)

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 5-62, an IPSec tunnel is established between RouterA and RouterB. This
IPSec tunnel protects data flows between the subnet of PC A (10.1.1.x) and subnet of PC B
(10.1.2.x). The IPSec tunnel uses the ESP protocol, DES encryption algorithm, and SHA-1
authentication algorithm.

Figure 5-62 Network diagram for configuring IKE negotiation: RouterA (Eth1/0/0 202.138.163.1/24, Internet next hop 202.138.163.2; Eth2/0/0 10.1.1.1/24) and RouterB (Eth1/0/0 202.138.162.1/24, Internet next hop 202.138.162.2; Eth2/0/0 10.1.2.1/24) are connected by an IPSec tunnel between their Eth1/0/0 interfaces. PC A is 10.1.1.2/24 and PC B is 10.1.2.2/24.

NOTE

The commands used to configure IKE peers and the IKE protocol version differ depending on the software version.
l In versions earlier than V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol version: version { 1 | 2 }
By default, IKEv1 and IKEv2 are both enabled. An initiator uses IKEv2 to initiate a negotiation request, while a responder accepts either IKEv1 or IKEv2. To initiate a negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure RouterA.
#
acl number 3101 //Configure an ACL.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#


ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike local-name huawei01
#
ike peer spub v1 //Configure an IKE peer.
exchange-mode aggressive
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the pre-shared key used for authentication to huawei, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 1
local-id-type name //Configure the local ID type for IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.
remote-name huawei02 //Configure the IKE peer name. In V200R008 and later versions, the device does not support the remote-name command; the remote-id command provides the same function.
local-address 202.138.163.1
remote-address 202.138.162.1
#
ipsec policy map1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer spub
proposal tran1
#
ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
ip route-static 202.138.162.0 255.255.255.0 202.138.163.2
#
interface Ethernet1/0/0 //Configure the external network interface.
ip address 202.138.163.1 255.255.255.0
ipsec policy map1
#
interface Ethernet2/0/0 //Configure the internal network interface.
ip address 10.1.1.1 255.255.255.0
#
return

Step 2 Configure RouterB.


#
acl number 3101 //Configure an ACL.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike local-name huawei02


#
ike peer spua v1 //Configure an IKE peer.
exchange-mode aggressive
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the pre-shared key used for authentication to huawei, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 1
local-id-type name
remote-name huawei01 //Configure the IKE peer name. In V200R008 and later versions, the device does not support the remote-name command; the remote-id command provides the same function.
local-address 202.138.162.1
remote-address 202.138.163.1
#
ipsec policy use1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer spua
proposal tran1
#
ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
ip route-static 202.138.163.0 255.255.255.0 202.138.162.2
#
interface Ethernet1/0/0 //Configure the external network interface.
ip address 202.138.162.1 255.255.255.0
ipsec policy use1
#
interface Ethernet2/0/0 //Configure the internal network interface.
ip address 10.1.2.1 255.255.255.0
#
return

----End

Configuration Notes
l ACLs configured on devices in the headquarters and branch must mirror each other.
l There must be reachable routes between the headquarters and branch.

5.4.3 Example for Establishing an IPSec Tunnel Between Two Devices Using IKE Negotiation (with DPD)
Specifications
This example applies to all versions and routers.

Networking Requirements
The Headquarters and Branch establish an IPSec connection, and both are configured with DPD. DPD lets the Branch check whether the IPSec peer at the Headquarters is still alive, so that communication between the Headquarters and Branch is not interrupted if the Branch's IPSec SA is incorrectly deleted from the router in the Headquarters. Without DPD, the Branch would continue sending encrypted data to the Headquarters, which could no longer decrypt it, and communication would be interrupted.

Figure 5-63 Networking diagram of IKE DPD
[Figure: Headquarters gateway (Eth1/0/0 191.2.1.1/24, Eth2/0/0 10.1.0.1/24) and Branch gateway (Eth1/0/0 191.2.2.1/24, Eth2/0/0 10.2.0.1/24) connected by an IPSec tunnel; PC A 10.1.0.2/24 on the Headquarters subnet, PC B 10.2.0.2/24 on the Branch subnet]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
l In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
  l To configure IKE peers: ike peer peer-name
  l To configure the IKE protocol: version { 1 | 2 }
  By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure the Headquarters.
#
sysname Headquarters
#
acl number 3000 //Configure ACL 3000 to match traffic sent from Headquarters subnet to Branch subnet.
rule 0 permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer Center v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei, and the password is displayed in plain text.
remote-address 191.2.2.1 //Configure an IP address for the remote IKE peer.
dpd type on-demand //Set the on-demand DPD mode.
#
ipsec policy center 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer Center
proposal def
#
interface Ethernet1/0/0
ip address 191.2.1.1 255.255.255.0
ipsec policy center
#
interface Ethernet2/0/0
ip address 10.1.0.1 255.255.255.0
#
ip route-static 191.2.2.0 255.255.255.0 191.2.1.2 //Configure a static route with the destination address as the WAN-side interface of the Branch.
ip route-static 10.2.0.0 255.255.255.0 191.2.1.2 //Configure a static route with the destination address as the LAN-side interface of the Branch.
#
return

Step 2 Configure the Branch.


#
sysname Branch
#
acl number 3000 //Configure ACL 3000 to match traffic sent from Branch subnet to Headquarters subnet.
rule 0 permit ip source 10.2.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer Branch v1 //Configure an IKE peer.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei, and the password is displayed in plain text.
remote-address 191.2.1.1 //Configure the IP address of the remote IKE peer: the WAN-side address of the Headquarters (Eth1/0/0 in Figure 5-63).
dpd type on-demand //Set the on-demand DPD mode.
#
ipsec policy branch 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer Branch
proposal def
#
interface Ethernet1/0/0
ip address 191.2.2.1 255.255.255.0
ipsec policy branch
#
interface Ethernet2/0/0
ip address 10.2.0.1 255.255.255.0
#
ip route-static 191.2.1.0 255.255.255.0 191.2.2.2 //Configure a static route with the destination address as the WAN-side interface of the Headquarters.
ip route-static 10.1.0.0 255.255.255.0 191.2.2.2 //Configure a static route with the destination address as the LAN-side interface of the Headquarters.
#
return

Step 3 Verify the configuration.


1. Run the display ike sa verbose and display ipsec sa commands on the Headquarters to
view the IPSec tunnel configuration.
2. Shut down the link on the Branch and ping the Branch from the Headquarters. You can
see DPD requests initiated by the Headquarters.

----End
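The failure mode described under Networking Requirements (the Headquarters deletes the Branch's SA, the Branch keeps encrypting into a dead tunnel) and the on-demand DPD recovery, as an added Python simulation that is not part of this configuration guide. The timers (30-second idle interval, 5-second probe retransmission, three probes) and the RFC 3706 message names R-U-THERE / R-U-THERE-ACK are assumptions chosen for the demonstration, not the device defaults.

```python
"""Simulation of IKE on-demand Dead Peer Detection (DPD).

Added example, not code from the Huawei guide. It models the failure described
for Figure 5-63: the Headquarters deletes the Branch's SA by mistake, the Branch
keeps encrypting into a dead tunnel, and on-demand DPD is what lets the Branch
notice and renegotiate. Timers, probe count and the RFC 3706 message names are
assumptions for the demonstration, not the device defaults.
"""


def simulate(dpd_enabled, hq_deletes_sa_at=50, end=200, data_every=5,
             idle_interval=30, probe_interval=5, max_probes=3):
    """Run a one-second-tick simulation and return what happened to the traffic."""
    hq_sa = branch_sa = True     # does each side still hold an SA for the tunnel?
    last_heard = 0               # last tick the Branch received anything from HQ
    probes_outstanding = 0       # R-U-THERE probes sent without an R-U-THERE-ACK
    next_probe_at = None
    r = {"delivered": 0, "blackholed": 0, "dpd_deleted_at": None, "renegotiated_at": None}

    def probe(t):
        # On-demand DPD: the Branch has data to send and has heard nothing from the
        # peer for idle_interval, so it asks R-U-THERE before trusting the SA.
        nonlocal last_heard, probes_outstanding, next_probe_at
        if hq_sa:                      # peer alive: R-U-THERE-ACK comes back
            last_heard = t
            probes_outstanding = 0
        else:                          # HQ has no IKE SA for us: the probe is ignored
            probes_outstanding += 1
            next_probe_at = t + probe_interval

    for t in range(end):
        if t == hq_deletes_sa_at:
            hq_sa = False              # operator clears the SA on HQ; Branch is not told

        # Retransmission / verdict for an outstanding probe.
        if dpd_enabled and probes_outstanding and t >= next_probe_at:
            if probes_outstanding >= max_probes:
                branch_sa = False      # peer declared dead: tear down the stale SA
                r["dpd_deleted_at"] = t
                probes_outstanding = 0
            else:
                probe(t)               # retransmit R-U-THERE

        if t % data_every:
            continue                   # no user traffic this tick

        if not branch_sa:
            # Traffic matching the ACL triggers a fresh IKE negotiation. HQ still has
            # its policy and pre-shared key, so the tunnel comes back.
            branch_sa = hq_sa = True
            r["renegotiated_at"] = t

        if hq_sa:
            r["delivered"] += 1
            last_heard = t             # return traffic proves the peer is alive
        else:
            r["blackholed"] += 1       # ESP reaches HQ, cannot be decrypted, dropped

        if dpd_enabled and not probes_outstanding and t - last_heard >= idle_interval:
            probe(t)
    return r


if __name__ == "__main__":
    for enabled in (False, True):
        print("dpd" if enabled else "no dpd", simulate(enabled))
```

Without DPD every packet after the deletion is lost until the simulation ends; with DPD the Branch tears down its SA after three unanswered probes and the next packet triggers renegotiation.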

5.4.4 Example for Establishing an IPSec Tunnel that Traverses NAT Devices

Specifications
This example applies to all versions and routers.

Networking Requirements
When a NAT gateway is deployed between the two endpoints of an IPSec tunnel, both endpoints must support NAT traversal.

As shown in Figure 5-64, RouterA is the egress gateway of a branch network and RouterB is
the egress gateway of the headquarters network. RouterA and RouterB translate addresses
through the NATER and they establish an IPSec tunnel in aggressive mode. The IPSec tunnel
supports NAT traversal.

Figure 5-64 Networking diagram of NAT traversal
[Figure: RouterA, the Branch gateway (Eth1/0/0 1.2.0.1/24, Eth2/0/0 10.1.0.1/24), and RouterB, the HQ gateway (Eth1/0/0 192.168.0.2/24, Eth2/0/0 10.2.0.1/24), build an IPSec tunnel across the NATER (Eth1/0/0 1.2.0.2/24 facing RouterA, Eth2/0/0 192.168.0.1/24 facing RouterB)]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
l In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
  l To configure IKE peers: ike peer peer-name
  l To configure the IKE protocol: version { 1 | 2 }
  By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the host name of the device.
#
ike local-name RouterA //Configure the local host name used in IKE negotiation.
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer rta v1 //Configure an IKE peer.
exchange-mode aggressive //Set the IKE negotiation mode to aggressive.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei, and the password is displayed in plain text.
local-id-type name //Configure the local ID type of the IKE peer as name.
remote-name RouterB //Configure the IKE peer name. In V200R008 and later versions, the device does not support the remote-name command; the remote-id command provides the same function.
nat traversal //Enable NAT traversal. In V200R008 and later versions, the device supports NAT traversal by default, and this command is not supported.
#
ipsec policy-template rta_temp 1 //Create an IPSec policy template.
ike-peer rta
proposal rta
#
ipsec policy rta 1 isakmp template rta_temp //Specify the IPSec policy template used to create SAs.
#
interface Ethernet1/0/0
ip address 1.2.0.1 255.255.255.0
ipsec policy rta
#
interface Ethernet2/0/0
ip address 10.1.0.1 255.255.255.0
#
ip route-static 10.2.0.0 255.255.255.0 1.2.0.2 //Configure a static route to 10.2.0.0.
#
return

Step 2 Configure RouterB.


#
sysname RouterB //Configure the host name of the device.
#
ike local-name RouterB //Configure the local host name used in IKE negotiation.
#
acl number 3000 //Configure an ACL that matches traffic from the HQ subnet to the branch subnet (both /24 networks, as in Figure 5-64).
rule 0 permit ip source 10.2.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
#
ipsec proposal rtb //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer rtb v1 //Configure an IKE peer.
exchange-mode aggressive //Set the IKE negotiation mode to aggressive.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei, and the password is displayed in plain text.
local-id-type name //Configure the local ID type of the IKE peer as name.
remote-name RouterA //Configure the IKE peer name. In V200R008 and later versions, the device does not support the remote-name command; the remote-id command provides the same function.
remote-address 1.2.0.1 //Configure the IKE peer address.
nat traversal //Enable NAT traversal. In V200R008 and later versions, the device supports NAT traversal by default, and this command is not supported.
#
ipsec policy rtb 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer rtb
proposal rtb
#
interface Ethernet1/0/0
ip address 192.168.0.2 255.255.255.0
ipsec policy rtb
#
interface Ethernet2/0/0
ip address 10.2.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.0.1 //Configure a static route.
#
return

Step 3 Configure the NATER.


#
sysname NATER //Configure the host name of the device.
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 1.2.0.0 0.0.0.255
#
interface Ethernet1/0/0
ip address 1.2.0.2 255.255.255.0
nat outbound 3000 //Configure outbound NAT.
#
interface Ethernet2/0/0
ip address 192.168.0.1 255.255.255.0
#
return

Step 4 Verify the configuration.

Run the ping command to trigger IPSec session setup. Run the display ike sa verbose and
display ipsec sa commands on RouterA to view the IPSec tunnel configuration.

----End

Configuration Notes
l Ensure that RouterA and RouterB can communicate through the NATER.
l RouterA functions as the IPSec responder and needs to be configured with an IPSec policy template.
l RouterA and RouterB must support NAT traversal.
l When NAT traversal is enabled, the data encapsulation mode must be set to tunnel mode.
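How the two routers discover that the NATER sits between them (the NAT-D payload check of RFC 3947 that the nat traversal setting relies on), worked through with the addresses of Figure 5-64 as an added Python example that is not Huawei code. Assumptions: SHA-256 stands in for whatever hash the IKE proposal negotiated, the ISAKMP cookies are constructed, the NATER leaves UDP source port 500 unchanged, and RouterB (behind the NATER) initiates, which is why RouterA is the side with the policy template.

```python
"""NAT detection in IKE NAT traversal (RFC 3947 NAT-D payloads), worked through
for the topology in Figure 5-64.

Added example, not Huawei code. Assumptions: SHA-256 stands in for the hash
algorithm the IKE proposal negotiated, the ISAKMP cookies are constructed, the
NATER keeps UDP source port 500 unchanged, and RouterB (behind the NATER) is the
initiator, as it must be because RouterA cannot address it directly.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i, cky_r, ip, port):
    """HASH(CKY-I | CKY-R | IP | Port): the content of one NAT-D payload."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha256(data).digest()


def build_nat_d(cky_i, cky_r, local, remote):
    """What a sender puts in its IKE message: first a NAT-D for the peer's address
    as the sender knows it, then one for each of its own local addresses."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, received, my_addr, packet_src):
    """Receiver side of the check.

    received   - NAT-D hashes as they arrived (a NAT rewrites IP headers, not payload)
    my_addr    - the receiver's own (ip, port)
    packet_src - the (ip, port) the IKE packet actually came from
    Returns (i_am_behind_nat, peer_is_behind_nat).
    """
    remote_hash, *local_hashes = received
    # If the peer's idea of my address is not my address, something rewrote it.
    i_am_behind_nat = nat_d_hash(cky_i, cky_r, *my_addr) != remote_hash
    # If the packet's source is none of the addresses the peer claims, the peer is NATed.
    peer_is_behind_nat = nat_d_hash(cky_i, cky_r, *packet_src) not in local_hashes
    return i_am_behind_nat, peer_is_behind_nat


def run_page_scenario():
    cky_i = bytes.fromhex("0102030405060708")   # constructed initiator cookie (RouterB)
    cky_r = bytes.fromhex("a1a2a3a4a5a6a7a8")   # constructed responder cookie (RouterA)
    rta = ("1.2.0.1", 500)              # RouterA Eth1/0/0
    rtb_private = ("192.168.0.2", 500)  # RouterB Eth1/0/0, behind the NATER
    rtb_as_seen = ("1.2.0.2", 500)      # NATER Eth1/0/0: what RouterA sees after nat outbound

    # RouterB -> RouterA. Only the outer source address changes in transit.
    b_to_a = build_nat_d(cky_i, cky_r, local=rtb_private, remote=rta)
    routera = detect_nat(cky_i, cky_r, b_to_a, my_addr=rta, packet_src=rtb_as_seen)

    # RouterA -> RouterB. RouterA reports the peer at the address it saw, 1.2.0.2.
    a_to_b = build_nat_d(cky_i, cky_r, local=rta, remote=rtb_as_seen)
    routerb = detect_nat(cky_i, cky_r, a_to_b, my_addr=rtb_private, packet_src=rta)

    # Either side detecting a NAT moves IKE and ESP to UDP port 4500 encapsulation.
    # Tunnel mode is required because the NAT has rewritten the outer addresses; in
    # transport mode the inner TCP/UDP checksum would no longer verify.
    return {"routera": routera, "routerb": routerb,
            "udp_encapsulation": any(routera) or any(routerb)}


if __name__ == "__main__":
    print(run_page_scenario())
```

RouterA learns that its peer is behind a NAT (the packet came from 1.2.0.2 but the NAT-D hash describes 192.168.0.2), RouterB learns that it is itself behind one, and both switch to UDP encapsulation.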

5.4.5 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters to Implement Separate Protection of Multiple Access Resources in the Headquarters

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 5-65, there are multiple network segments in the headquarters. The
branch needs to use different keys to access different network segments in the headquarters.

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
l In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
  l To configure IKE peers: ike peer peer-name
  l To configure the IKE protocol: version { 1 | 2 }
  By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.

Figure 5-65 Configuring IPSec to protect flows on multiple network segments
[Figure: RouterA (Eth1/0/0 1.0.1.1/24, LAN 192.168.1.1/24 with a PC) and RouterB (Eth1/0/0 1.0.2.254/24, LANs 10.6.0.1/24 and 10.6.1.1/24) connected by an IPSec tunnel]

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure ACL 3000 to match traffic sent from 192.168.1.0/24 to 10.6.0.0/24.
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 10.6.0.0 0.0.0.255
#
acl number 3001 //Configure ACL 3001 to match traffic sent from 192.168.1.0/24 to 10.6.1.0/24.
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 10.6.1.0 0.0.0.255
#
ipsec proposal default //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer center1 v1 //Configure an IKE peer.
pre-shared-key cipher %^%#pf$s.~E0h*hws%-7cwv&ItP3Bfw7DN`{)~~Sh'H'%^%# //Configure the authentication password in the pre-shared key to huawei@123, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei@123, and the password is displayed in plain text.
local-address 1.0.1.1
remote-address 1.0.2.254
#
ike peer center2 v1 //Configure an IKE peer.
pre-shared-key cipher %^%#19+-M|4}f2,%g3/9IT#C46mnQm+@3;,Eh^"3>eVI%^%# //Configure the authentication password in the pre-shared key to huawei@321, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei@321, and the password is displayed in plain text.
local-address 1.0.1.1
remote-address 1.0.2.254
#
ipsec policy center 10 isakmp //Configure IPSec policy center with sequence number 10 to protect the traffic sent from the branch to network segment 10.6.0.0/24.
security acl 3000
ike-peer center1
proposal default
#
ipsec policy center 20 isakmp //Configure IPSec policy center with sequence number 20 to protect the traffic sent from the branch to network segment 10.6.1.0/24.
security acl 3001
ike-peer center2
proposal default
#
interface Ethernet1/0/0 //Configure the WAN-side interface of the branch.
ip address 1.0.1.1 255.255.255.0
ipsec policy center //Bind the IPSec policy.
#
interface GigabitEthernet0/0/1 //Configure the LAN-side interface of the branch.
ip address 192.168.1.1 255.255.255.0
#
ip route-static 10.0.0.0 255.0.0.0 1.0.1.2 //Configure a static route with the destination address as the interface IP address of the headquarters.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
acl number 3000 //Configure ACL 3000 to match traffic sent from 10.6.0.0/24 to 192.168.1.0/24.
rule 0 permit ip source 10.6.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl number 3001 //Configure ACL 3001 to match traffic sent from 10.6.1.0/24 to 192.168.1.0/24.
rule 0 permit ip source 10.6.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal default //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer branch1 v1 //Configure an IKE peer.
pre-shared-key cipher %^%#&,/=<KeGs@/vTKYku>`HM:$CU,_!P<Ijhb~*U[PU%^%# //Configure the authentication password in the pre-shared key to huawei@123, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei@123, and the password is displayed in plain text.
local-address 1.0.2.254
remote-address 1.0.1.1
#
ike peer branch2 v1 //Configure an IKE peer.
pre-shared-key cipher %^%#e6'U*sl_&<I-qIL>}zr9W-r8(RR:#A*{4WC~j2|W%^%# //Configure the authentication password in the pre-shared key to huawei@321, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei@321, and the password is displayed in plain text.
local-address 1.0.2.254
remote-address 1.0.1.1
#
ipsec policy branch 10 isakmp //Configure IPSec policy branch with sequence number 10 to protect the traffic between network segment 10.6.0.0/24 and the branch.
security acl 3000
ike-peer branch1
proposal default
#
ipsec policy branch 20 isakmp //Configure IPSec policy branch with sequence number 20 to protect the traffic between network segment 10.6.1.0/24 and the branch.
security acl 3001
ike-peer branch2
proposal default
#
interface Ethernet1/0/0 //Configure the WAN-side interface of the headquarters.
ip address 1.0.2.254 255.255.255.0
ipsec policy branch //Bind the IPSec policy.
#
interface GigabitEthernet0/0/1 //Configure LAN-side interface 1 of the headquarters.
ip address 10.6.0.1 255.255.255.0
#
interface GigabitEthernet0/0/2 //Configure LAN-side interface 2 of the headquarters.
ip address 10.6.1.1 255.255.255.0
#
ip route-static 192.168.1.0 255.255.255.0 1.0.2.2 //Configure a static route with the destination address as the interface IP address of the branch.
#
return

Step 3 Verify the configuration.

Run the display ike sa command to view SA information.

Devices at both ends can exchange encrypted data.

----End

Configuration Notes
l ACLs configured on devices in the headquarters and branch must mirror each other.
l Both routers must be configured with IPSec policies.
l All IPSec policies must be bound to WAN-side outbound interfaces.
l Ensure that outbound interfaces in the headquarters and branch can exchange packets.
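Two of the notes above can be checked mechanically: that the ACLs on the headquarters and branch mirror each other, and which sequence number of a multi-entry policy (and therefore which IKE peer and key) a given flow lands on. The following Python is an added example, not Huawei code; it parses the ACL syntax used in this guide, the ACL snippets are copied from Step 1 and Step 2 above, and the "BAD" variant with a mistyped wildcard is constructed to show what a detected mismatch looks like.

```python
"""Checks for the ACL-driven IPSec policies in section 5.4.5.

Added example, not Huawei code. It parses the ACL syntax used in the guide
(rule N permit ip source A WILDCARD destination B WILDCARD), verifies the
"ACLs must mirror each other" configuration note across two devices, and shows
which sequence number of a multi-entry ipsec policy protects a given flow.
The ROUTERA/ROUTERB snippets are copied from the example; ROUTERB_BAD_CFG is a
constructed faulty variant.
"""
import ipaddress
import re

RULE = re.compile(r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)"
                  r"\s+destination\s+(\S+)\s+(\S+)")


def wildcard_to_network(addr, wildcard):
    """Huawei wildcard (inverse) mask -> network. '0' means a single host."""
    wc = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard %s" % wildcard)
    return ipaddress.ip_network("%s/%d" % (addr, 32 - wc.bit_length()), strict=False)


def parse_acls(config):
    """Return {acl_number: [(src_network, dst_network), ...]} for permit ip rules."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()      # drop the guide's inline comments
        m = re.match(r"acl number (\d+)$", line)
        if m:
            current = int(m.group(1))
            acls[current] = []
            continue
        if line == "#":
            current = None                      # end of the acl view
            continue
        m = RULE.match(line)
        if m and current is not None:
            acls[current].append((wildcard_to_network(m.group(1), m.group(2)),
                                  wildcard_to_network(m.group(3), m.group(4))))
    return acls


def mirror_mismatches(local_rules, remote_rules):
    """Flows permitted locally whose exact reverse (dst->src) is missing remotely."""
    reversed_remote = {(dst, src) for src, dst in remote_rules}
    return [flow for flow in local_rules if flow not in reversed_remote]


def select_policy(policy, acls, src, dst):
    """Entries of one ipsec policy are tried in ascending sequence number; the first
    whose ACL permits the flow decides the IKE peer (and therefore the key) used."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, acl in sorted(policy):
        if any(s in sn and d in dn for sn, dn in acls[acl]):
            return seq
    return None


ROUTERA_CFG = """\
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 10.6.0.0 0.0.0.255
#
acl number 3001
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 10.6.1.0 0.0.0.255
#
"""
ROUTERB_CFG = """\
acl number 3000
 rule 0 permit ip source 10.6.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl number 3001
 rule 0 permit ip source 10.6.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
"""
# Constructed faulty variant: one wildcard typed as 0.255.255.255 (a /8) instead of /24.
ROUTERB_BAD_CFG = ROUTERB_CFG.replace("10.6.1.0 0.0.0.255", "10.6.1.0 0.255.255.255")
# ipsec policy center 10 -> acl 3000 / ike-peer center1, 20 -> acl 3001 / ike-peer center2
CENTER_POLICY = [(10, 3000), (20, 3001)]


def check_page_example():
    """Mirror check of RouterA against RouterB, and against the faulty variant."""
    a, b, bad = parse_acls(ROUTERA_CFG), parse_acls(ROUTERB_CFG), parse_acls(ROUTERB_BAD_CFG)
    return ({n: mirror_mismatches(a[n], b[n]) for n in a},
            {n: mirror_mismatches(a[n], bad[n]) for n in a})


if __name__ == "__main__":
    print(check_page_example())
    print(select_policy(CENTER_POLICY, parse_acls(ROUTERA_CFG), "192.168.1.10", "10.6.1.20"))
```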

5.4.6 Example for Configuring an IPSec Tunnel for Remote Dial-Up Users to Connect to the Headquarters

Specifications
This example applies to all versions and routers.

Networking Requirements
An enterprise has established multiple branches in different areas as its services expand. The branch gateways connect to the Internet using PPPoE. As shown in Figure 5-66, PPPoE_Client is the branch gateway and PPPoE_Server is the headquarters gateway. The branch subnet is 192.168.0.0/24 and the headquarters subnet is 172.16.0.0/24. Branch devices need to access service servers in the headquarters, and the data transmitted between the headquarters and branches needs to be encrypted to ensure service security.

Figure 5-66 Networking diagram for configuring IPSec on the dialer interface
[Figure: PPPoE_Client, the branch gateway (GE0/0/1 toward the PPPoE_Server, GE0/0/2 192.168.0.1/24), and PPPoE_Server, the headquarters gateway (Eth2/0/0 1.1.1.1/24, GE0/0/1 172.16.0.1/24), connected by an IPSec tunnel; PC A 192.168.0.2/24 on the Branch subnet, PC B 172.16.0.2/24 on the Headquarters subnet]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
l In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
  l To configure IKE peers: ike peer peer-name
  l To configure the IKE protocol: version { 1 | 2 }
  By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure the PPPoE_Client.
#
sysname PPPoE_Client
#
acl number 3000 //Configure ACL 3000 to match traffic sent from Branch subnet to Headquarters subnet.
rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
#
ipsec proposal pppoeserver //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer pppoeserver v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei, and the password is displayed in plain text.
remote-address 1.1.1.1
#
ipsec policy pppoeserver 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer pppoeserver
proposal pppoeserver
#
interface Dialer0 //Configure a dialer interface.
link-protocol ppp
ppp chap user vpdnuser@huawei.com //Configure CHAP authentication.
ppp chap password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@ //Set the CHAP authentication password to Huawei@2012.
ip address ppp-negotiate
dialer user anyone //Configure a dialer user.
dialer bundle 1 //Specify the dialer bundle.
dialer-group 1 //Specify a dialer ACL.
ipsec policy pppoeserver //Bind the IPSec policy to the dialer interface.
#
interface GigabitEthernet0/0/1
pppoe-client dial-bundle-number 1 //Bind dialer bundle 1 to the PPPoE_Client.
#
interface GigabitEthernet0/0/2
ip address 192.168.0.1 255.255.255.0 //Configure an internal network interface.
#
dialer-rule //Configure a dialer ACL.
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0 //Configure a default route pointing to the dialer interface.
#
return

Step 2 Configure the PPPoE_Server.


#
sysname PPPoE_Server
#
acl number 3000 //Configure ACL 3000 to match traffic sent from Headquarters subnet to Branch subnet.
rule 0 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
ipsec proposal pppoeclient //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer pppoeclient v1 //Configure an IKE peer.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. In V2R3C00 and earlier versions this command is pre-shared-key huawei, and the password is displayed in plain text.
#
ipsec policy-template temp 1 //Configure an IPSec policy template.
security acl 3000 //Configure an ACL.
ike-peer pppoeclient //Configure an IKE peer.
proposal pppoeclient //Specify the IPSec proposal.
#
ipsec policy pppoeclient 1 isakmp template temp //Bind the IPSec policy template to the IPSec policy.
#
ip pool 0 //Configure IP address pool 0.
network 1.1.1.0 mask 255.255.255.0
#
aaa //Configure PPP authentication users.
authentication-scheme default
domain huawei.com
authentication-scheme default
local-user vpdnuser@huawei.com password cipher %^%#Uj3KQ|TGS%KK$)'A*4s.P"G{D/t1]+qh'0&-M4hW%^%# //Set the login password for PPP authentication users to Huawei@2012, which is displayed in cipher text.
local-user vpdnuser@huawei.com privilege level 0
local-user vpdnuser@huawei.com service-type ppp
#
interface Ethernet2/0/0 //Bind the PPPoE_Server to virtual template interface 0.
pppoe-server bind Virtual-Template 0
ipsec policy pppoeclient
#
interface Virtual-Template0 //Create virtual template interface 0.
ppp authentication-mode chap
remote address pool 0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1 //Configure the internal network interface address.
ip address 172.16.0.1 255.255.255.0
#
ip route-static 192.168.0.0 255.255.255.0 Virtual-Template0 //Configure a static route to the internal network of the remote side.
#
return

Step 3 Verify the configuration.

Run the display ike sa verbose and display ipsec sa commands to view the IPSec tunnel
configuration.

----End

Configuration Notes
l The PPPoE_Server address must be specified on the PPPoE_Client.
l On the PPPoE_Client, the IKE peer address must be specified because an IPSec policy is used. On the PPPoE_Server, you do not need to specify the IKE peer address because an IPSec policy template is used.

5.4.7 Example for Configuring Two Devices to Pass PKI Identity Authentication Before Establishing an IPSec Tunnel

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-67, devices in two subnets communicate with the Internet using
respective gateways and need to establish an IPSec tunnel to transmit data flows. To meet this
requirement, perform the following operations:
l Establish an IPSec tunnel between the two gateways to protect security of data flows
transmitted between subnet Group1 at 10.1.1.0/24 and subnet Group2 at 10.2.1.0/24.
l Establish a security tunnel between the two gateways using Internet Key Exchange (IKE)
negotiation. During IKE negotiation, PKI certificates are used for identity authentication.

Figure 5-67 Configuring PKI in IPSec
[Figure: RouterA (GE0/0/1 1.1.1.1/24, Eth2/0/0 10.1.1.1/24) and RouterB (GE0/0/1 2.2.2.1/24, Eth2/0/0 10.2.1.1/24) connected by an IPSec tunnel, both reaching the CA; Group1 host 10.1.1.2/24, Group2 host 10.2.1.2/24]

Table 5-1 Data plan of RouterA

PKI entity
l PKI entity name: routera
l Entity's common name: helloa
l Country code: CN
l Entity's province name: jiangsu
l Entity's organization name: huawei
l Entity's department name: info

PKI domain
l PKI domain name: testa
l Trusted CA: ca_root
l Certificate's enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll
l Bound entity name: routera
l CA's fingerprint algorithm: SHA2
l Fingerprint: 17A34D94624B1C1BCBF6D763C4A67035D17A34D94624B1C1BCBF6D763C4A67035D

IKE proposal
l Encryption algorithm: AES-CBC-128
l Authentication mode: rsa-signature
l Authentication algorithm: AES-XCBC-MAC-96

IKE peer
l IKE peer name: routera
l Local peer ID type: IP address
l Local IP address: 1.1.1.1
l Remote IP address: 2.2.2.1
l Negotiation mode: main

IPSec proposal
l Transport protocol: ESP
l Authentication algorithm: SHA2-256
l Encryption algorithm: AES-128
l Encapsulation mode: tunnel

IPSec policy
l SA triggering mode: automatic

Table 5-2 Data plan of RouterB

PKI entity
l PKI entity name: routerb
l Entity's common name: hellob
l Country code: CN
l Entity's province name: jiangsu
l Entity's organization name: huawei
l Entity's department name: marketing

PKI domain
l PKI domain name: testb
l Trusted CA: ca_root
l Certificate's enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll
l Bound entity name: routerb
l CA's fingerprint algorithm: SHA2
l Fingerprint: 17A34D94624B1C1BCBF6D763C4A67035D17A34D94624B1C1BCBF6D763C4A67035D

IKE proposal
l Encryption algorithm: AES-CBC-128
l Authentication mode: rsa-signature
l Authentication algorithm: AES-XCBC-MAC-96

IKE peer
l IKE peer name: routerb
l Negotiation mode: main
l Local peer ID type: IP address
l Local IP address: 2.2.2.1
l Remote IP address: 1.1.1.1

IPSec proposal
l Transport protocol: ESP
l Authentication algorithm: SHA2-256
l Encryption algorithm: AES-128
l Encapsulation mode: tunnel

IPSec policy
l SA triggering mode: automatic

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
l In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
  l To configure IKE peers: ike peer peer-name
  l To configure the IKE protocol: version { 1 | 2 }
  By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure RouterA.
#
router id 10.1.1.1
#
pki entity routera //Configure a PKI entity.
country CN
state jiangsu
organization huawei
organization-unit info
common-name helloa
#
pki realm testa //Configure a PKI domain.
ca id ca_root
enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
entity routera
fingerprint sha2 7a34d94624b1c1bcbf6d763c4a67035d7a34d94624b1c1bcbf6d763c4a67035d
certificate-check none
rsa local-key-pair rsa_scep //Use the RSA key pair in SCEP certificate application. This key pair is created in advance by running the pki rsa local-key-pair create command. This command is supported in V200R008 and later versions.
password cipher %$%$\1HN-bn(k;^|O85OAtYF3(M4%$%$ //Set the challenge password used in SCEP certificate application to 6AE73F21E6D3571D. This command is supported in V200R008 and later versions.
auto-enroll 60 regenerate //Enable automatic certificate enrollment and update. This command is supported in V200R008 and later versions.
#
acl number 3000 //Configure an ACL to define the data flows to be protected.
rule 15 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal routera //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 1 //Configure IKE to use a digital signature for identity authentication.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm aes-xcbc-mac-96
authentication-method rsa-signature
#

ike peer routera v2 //Configure an IKE peer.
ike-proposal 1
local-address 1.1.1.1
remote-address 2.2.2.1
pki realm testa
#
ipsec policy routera 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer routera
proposal routera
#
interface Ethernet2/0/0 //Configure the internal network interface (toward subnet Group1).
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1 //Configure the external network interface and bind the IPSec policy to it.
ip address 1.1.1.1 255.255.255.0
ipsec policy routera
#
ospf 1
area 0.0.0.0
network 1.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return

Step 2 Configure RouterB.
#
router id 10.2.1.1
#
pki entity routerb //Configure a PKI entity.
country CN
state jiangsu
organization huawei
organization-unit marketing
common-name hellob
#
pki realm testb //Configure a PKI domain.
ca id ca_root
enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
entity routerb
fingerprint sha2 7a34d94624b1c1bcbf6d763c4a67035d7a34d94624b1c1bcbf6d763c4a67035d
certificate-check none
rsa local-key-pair rsa_scep //Use the RSA key pair in SCEP certificate application. This key pair is created in advance by running the pki rsa local-key-pair create command. This command is supported in V200R008 and later versions.
password cipher %$%$\1HN-bn(k;^|O85OAtYF3(M4%$%$ //Set the challenge password used in SCEP certificate application to 6AE73F21E6D3571D. This command is supported in V200R008 and later versions.
auto-enroll 60 regenerate //Enable automatic certificate enrollment and update. This command is supported in V200R008 and later versions.
#
acl number 3000 //Configure an ACL to define the data flows to be protected.
rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
rule 10 permit ip source 10.2.1.1 0 destination 10.1.1.1 0
#
ipsec proposal routerb //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 1 //Configure IKE to use a digital signature for identity authentication.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm aes-xcbc-mac-96
authentication-method rsa-signature
#
ike peer routerb v2 //Configure an IKE peer.
ike-proposal 1
local-address 2.2.2.1
remote-address 1.1.1.1
pki realm testb
#
ipsec policy routerb 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer routerb
proposal routerb
#
interface Ethernet2/0/0 //Configure an internal network interface.
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1 //Configure an external network interface and bind the IPSec policy to it.
ip address 2.2.2.1 255.255.255.0
ipsec policy routerb
#
ospf 1
area 0.0.0.0
network 2.2.2.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return

----End

Configuration Notes
l During IKE negotiation, if RouterA and RouterB do not obtain CA certificates or local
certificates, IKE negotiation fails.
l ACLs configured on devices in the headquarters and branch must mirror each other.

5.4.8 Example for Configuring VRRP in the Headquarters to Allow the Branch to Establish an IPSec Tunnel with the Headquarters Using the VRRP Virtual Address
Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 5-68, RouterA, RouterB, and RouterC connect to one switch. RouterA and
RouterB constitute a VRRP group with virtual IP address 1.0.2.128; RouterA functions as the
VRRP master and RouterB as the backup. An IPSec session is set up between RouterC and the
virtual IP address of the VRRP group.

Figure 5-68 Networking diagram for configuring an IPSec session

[Figure 5-68 diagram: RouterA Eth1/0/1 1.0.2.1/24 and RouterB GE0/0/1 1.0.2.2/24 share the VRRP virtual IP address 1.0.2.128/24; RouterC Eth2/0/0 1.0.1.254/24; IPSec tunnel between RouterC and the virtual address]

NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In versions earlier than V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer branch v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
local-address 1.0.2.128
remote-address 1.0.1.254
#
ipsec policy branch 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer branch
proposal def
#
interface Ethernet1/0/1 //Configure the connected interface.
ip address 1.0.2.1 255.255.255.0
vrrp vrid 1 virtual-ip 1.0.2.128 //Configure the virtual IP address 1.0.2.128 for VRRP group 1 and use the default priority.
ipsec policy branch //Bind the IPSec policy.
#
interface GigabitEthernet0/0/1 //Configure an internal network interface.
ip address 192.168.0.1 255.255.255.0
#
ip route-static 1.0.1.0 255.255.255.0 1.0.2.3 //Configure a static route to the branch gateway.
ip route-static 192.168.1.0 255.255.255.0 1.0.2.3 //Configure a static route to the branch network.
#
return

Step 2 Configure RouterB.
#
sysname RouterB
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer branch v1 //Configure an IKE peer.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
local-address 1.0.2.128
remote-address 1.0.1.254
#
ipsec policy branch 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer branch
proposal def
#
interface Ethernet2/0/0 //Configure the internal network interface.
ip address 192.168.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1 //Configure the connected interface.
ip address 1.0.2.2 255.255.255.0
vrrp vrid 1 virtual-ip 1.0.2.128 //Configure the virtual IP address 1.0.2.128 for VRRP group 1.
vrrp vrid 1 priority 80 //Set the priority of VRRP group 1 to 80 so that RouterB becomes the backup.
ipsec policy branch //Bind the IPSec policy.
#

ip route-static 1.0.1.0 255.255.255.0 1.0.2.4 //Configure a static route to the branch gateway.
ip route-static 192.168.1.0 255.255.255.0 1.0.2.4 //Configure a static route to the branch network.
#
return

Step 3 Configure RouterC.
#
sysname RouterC
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer center v1 //Configure an IKE peer.
pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
local-address 1.0.1.254
remote-address 1.0.2.128
#
ipsec policy center 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer center
proposal def
#
interface Ethernet2/0/0 //Configure the connected interface.
ip address 1.0.1.254 255.255.255.0
ipsec policy center //Bind the IPSec policy.
#
interface GigabitEthernet0/0/1 //Configure the internal network interface.
ip address 192.168.1.1 255.255.255.0
#
ip route-static 1.0.2.0 255.255.255.0 1.0.1.2 //Configure a static route to the headquarters gateway.
ip route-static 192.168.0.0 255.255.255.0 1.0.2.128 //Configure a static route to the headquarters network.
#
return

Step 4 Verify the configuration.
Run the display ike sa command on RouterA, RouterB, or RouterC to view SA information.
Run the display vrrp command on RouterA or RouterB to view the VRRP status.
The routers in the branches can successfully ping the VRRP virtual IP address.

----End

Configuration Notes
l ACLs configured on devices in the headquarters and branches must mirror each other.
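The check a practitioner would script for this example, that both VRRP members terminate IKE/IPSec on the virtual address and that the branch peers with that virtual address rather than a member's physical address, as an added Python example (not from the Huawei guide). The configuration excerpts are constructed from the RouterA, RouterB and RouterC configurations above; the parser understands only the handful of VRP commands shown, and the master election assumes the VRP default priority of 100 for a router that sets none:

```python
"""Added example (not from the Huawei guide): static check that a VRRP pair
terminates IPSec on the virtual IP address, as Example 5.4.8 requires."""
import re
from dataclasses import dataclass

# Constructed excerpts of the RouterA/RouterB/RouterC configurations above
# (only the lines this check reads).
ROUTER_A = """\
sysname RouterA
ike peer branch v1
 local-address 1.0.2.128
 remote-address 1.0.1.254
interface Ethernet1/0/1
 ip address 1.0.2.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.0.2.128
 ipsec policy branch
interface GigabitEthernet0/0/1
 ip address 192.168.0.1 255.255.255.0
"""
ROUTER_B = """\
sysname RouterB
ike peer branch v1
 local-address 1.0.2.128
 remote-address 1.0.1.254
interface GigabitEthernet0/0/1
 ip address 1.0.2.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.0.2.128
 vrrp vrid 1 priority 80
 ipsec policy branch
"""
ROUTER_C = """\
sysname RouterC
ike peer center v1
 local-address 1.0.1.254
 remote-address 1.0.2.128
interface Ethernet2/0/0
 ip address 1.0.1.254 255.255.255.0
 ipsec policy center
"""


@dataclass
class Router:
    name: str = ""
    local: str = ""            # IKE peer local-address
    remote: str = ""           # IKE peer remote-address
    virtual_ip: str = ""       # VRRP virtual IP (empty if no VRRP group)
    priority: int = 100        # VRRP priority; assumed VRP default is 100
    ipsec_on_vrrp_if: bool = False  # IPSec policy bound on the VRRP interface


def parse_router(cfg):
    """Extract IKE addresses and the VRRP/IPSec bindings of each interface
    from a VRP-style configuration excerpt."""
    r = Router()
    has_vrrp = has_ipsec = False

    def close_interface():
        nonlocal has_vrrp, has_ipsec
        if has_vrrp and has_ipsec:
            r.ipsec_on_vrrp_if = True
        has_vrrp = has_ipsec = False

    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"sysname (\S+)$", s):
            r.name = m.group(1)
        elif m := re.match(r"local-address (\S+)$", s):
            r.local = m.group(1)
        elif m := re.match(r"remote-address (\S+)$", s):
            r.remote = m.group(1)
        elif re.match(r"interface \S+$", s):
            close_interface()
        elif m := re.match(r"vrrp vrid \d+ virtual-ip (\S+)$", s):
            r.virtual_ip, has_vrrp = m.group(1), True
        elif m := re.match(r"vrrp vrid \d+ priority (\d+)$", s):
            r.priority = int(m.group(1))
        elif re.match(r"ipsec policy \S+$", s):  # interface binding, not the policy definition
            has_ipsec = True
    close_interface()
    return r


def check_vrrp_ipsec(members, branch):
    """Return (expected master name, list of problems) for one VRRP group of
    headquarters routers and the branch router that peers with it."""
    problems = []
    vips = {m.virtual_ip for m in members}
    if len(vips) != 1 or "" in vips:
        problems.append(f"members disagree on the virtual IP: {sorted(vips)}")
    vip = members[0].virtual_ip
    for m in members:
        if m.local != vip:
            problems.append(f"{m.name}: IKE local-address {m.local} is not the virtual IP {vip}")
        if not m.ipsec_on_vrrp_if:
            problems.append(f"{m.name}: IPSec policy is not bound on the VRRP interface")
        if m.remote != branch.local:
            problems.append(f"{m.name}: remote-address {m.remote} is not the branch address {branch.local}")
    if branch.remote != vip:
        problems.append(f"{branch.name}: remote-address {branch.remote} is not the virtual IP {vip}")
    # Highest priority wins the master election.
    master = max(members, key=lambda m: m.priority).name
    return master, problems


if __name__ == "__main__":
    hq = [parse_router(ROUTER_A), parse_router(ROUTER_B)]
    master, problems = check_vrrp_ipsec(hq, parse_router(ROUTER_C))
    print("expected VRRP master:", master)
    print("problems:", problems or "none")
```

Running it against the excerpts reports RouterA as master and no problems; changing RouterB's local-address to its physical address 1.0.2.2 is reported, which is the misconfiguration that makes the tunnel fail after a VRRP switchover.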


5.4.9 Example for Establishing Multiple IPSec Tunnels Between the Headquarters and Branches Using the IPSec Policy Template
Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 5-69, RouterA functions as the headquarters gateway, and RouterB and
RouterC function as branch gateways. Branches connect to multiple private networks and
secure channels need to be set up between the headquarters and branches. An IPSec policy
template is configured on RouterA and is used for establishing IPSec tunnels.

Figure 5-69 Networking diagram for configuring access to multiple branches using an IPSec
policy template

[Figure 5-69 diagram: RouterA (headquarters) GE0/0/1 10.1.1.1/24 to LAN host 10.1.1.2/24, GE0/0/2 10.11.1.1/24 to LAN host 10.11.1.2/24, Eth2/0/0 1.1.1.1/24 to the Internet (next hop 1.1.1.2/24); RouterB GE0/0/1 10.2.2.1/24 and GE0/0/0 10.22.2.1/24 to LAN hosts 10.2.2.2/24 and 10.22.2.2/24, Eth1/0/1 1.2.1.1/24 (next hop 1.2.1.2/24); RouterC GE0/0/2 10.4.4.1/24 and Eth2/0/0 10.44.4.1/24 to LAN hosts 10.4.4.2/24 and 10.44.4.2/24, GE0/0/1 1.4.1.1/24 (next hop 1.4.1.2/24); IPSec tunnels from RouterB and RouterC to RouterA over the Internet]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In versions earlier than V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipsec proposal def
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer branch v1 //Configure an IKE peer. You do not need to configure the remote address or remote name.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
local-address 1.1.1.1
#
ipsec policy-template branch 1 //Configure an IPSec policy template.
ike-peer branch
proposal def
#
ipsec policy hk 1 isakmp template branch //Configure an IPSec policy.
#
interface Ethernet2/0/0 //Configure an interconnection interface for setting up an IKE connection and encapsulating the outer IP address.
ip address 1.1.1.1 255.255.255.0
ipsec policy hk //Bind the IPSec policy to the interface.
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0 //Configure the router interface connected to a private network.
#
interface GigabitEthernet0/0/2
ip address 10.11.1.1 255.255.255.0 //Configure the router interface connected to another private network.
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 //Configure a static route.
#
return

Step 2 Configure RouterB.
#
sysname RouterB
#
acl number 3000 //Configure ACL 3000 and define two rules.
rule 0 permit ip source 10.2.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 5 permit ip source 10.22.2.0 0.0.0.255 destination 10.11.1.0 0.0.0.255
#
ipsec proposal def
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer center v1 //Configure an IKE peer. You must configure the remote address.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
local-address 1.2.1.1
remote-address 1.1.1.1
#
ipsec policy hk 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer center
proposal def
#
interface Ethernet1/0/1 //Configure an interconnection interface for setting up an IKE connection and encapsulating the outer IP address.
ip address 1.2.1.1 255.255.255.0
ipsec policy hk
#
interface GigabitEthernet0/0/0
ip address 10.22.2.1 255.255.255.0 //Configure the router interface connected to a private network.
#
interface GigabitEthernet0/0/1
ip address 10.2.2.1 255.255.255.0 //Configure the router interface connected to another private network.
#
ip route-static 0.0.0.0 0.0.0.0 1.2.1.2 //Configure a static route.
#
return

Step 3 Configure RouterC.
#
sysname RouterC
#
acl number 3000 //Configure ACL 3000 and define two rules.
rule 0 permit ip source 10.4.4.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 5 permit ip source 10.44.4.0 0.0.0.255 destination 10.11.1.0 0.0.0.255
#
ipsec proposal def
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer center v1 //Configure an IKE peer. You must specify the remote address.
pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
local-address 1.4.1.1
remote-address 1.1.1.1
#
ipsec policy hk 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer center
proposal def
#

interface GigabitEthernet0/0/1 //Configure a WAN interface.
ip address 1.4.1.1 255.255.255.0
ipsec policy hk
#
interface Ethernet2/0/0
ip address 10.44.4.1 255.255.255.0 //Configure the router interface connected to a private network.
#
interface GigabitEthernet0/0/2
ip address 10.4.4.1 255.255.255.0 //Configure the router interface connected to another private network.
#
ip route-static 0.0.0.0 0.0.0.0 1.4.1.2 //Configure a static route.
#
return

Step 4 Verify the configuration.
Run the display ike sa command on RouterA, RouterB, or RouterC to view SA information.

Devices at both ends can exchange encrypted data.

----End

Configuration Notes
l When the headquarters uses an IPSec policy template to establish IPSec tunnels, you do
not need to specify the remote address or remote name of the IKE peer.
l The headquarters and branches use the same pre-shared key.

5.4.10 Example for Configuring the Branch to Access the Internet Through the 3G Interface and Configuring the Headquarters to Establish an IPSec Tunnel with the Branch Using the IPSec Policy Template

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
The headquarters and branch want to establish a secure IPSec connection. The headquarters
gateway RouterB uses a static public address. The branch size is small and its gateway
RouterA uses a 3G interface to dynamically obtain an IP address from a provider. When
deploying an IPSec policy, the headquarters must know the branch IP address. The branch IP
address often changes and is difficult to maintain. You can use an IPSec policy template on
RouterB so that the headquarters and branch can perform IPSec negotiation without knowing
the branch IP address.

After an IPSec tunnel is established, branch users can only access internal resources of the
headquarters. The NAT function can be configured on RouterA to allow branch users to
access external networks.

Figure 5-70 Establishing an SA using an IPSec policy template

[Figure 5-70 diagram: RouterA (branch) Cellular0/0/1 dials through a 3G NodeB to the Internet, Eth1/0/0 192.168.1.1/24 to LAN 192.168.1.0/24 (PC1); RouterB (headquarters) Serial1/0/0 13.1.1.1/24 to the Internet, Eth1/0/0 192.168.2.1/24 to LAN 192.168.2.0/24 (PC2); IPSec between RouterA and RouterB]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In versions earlier than V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL to protect data flows.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3001 //Configure the ACL used by NAT: exclude the IPSec-protected flow to the headquarters from translation and permit the rest of the branch LAN traffic.
rule 1 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 2 permit ip source 192.168.1.0 0.0.0.255
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer rta v1 //Configure an IKE peer for establishing an IPSec connection with RouterB.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 5
remote-address 13.1.1.1 //Configure the remote address used for initiating IKE negotiation.
#
ipsec policy rta 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer rta
proposal rta
#
dialer-rule //Create a dialer ACL.
dialer-rule 1 ip permit
#
apn profile 3gprofile //Create an APN profile.
user name 3guser password cipher %@%@,)AK/L"R0'^5%YUBDqKP#^y>%@%@ authentication-mode auto
apn 3GNET
#
interface Cellular0/0/1 //Set dial parameters for the 3G interface.
link-protocol ppp
ip address ppp-negotiate //Enable PPP negotiation to automatically obtain the IP address allocated by the carrier and connect to the public network.
dialer enable-circular //Enable the C-DCC function.
dialer-group 1 //Add the interface to a dialer group. The number must be the same as that of the dialer rule.
apn-profile 3gprofile
dialer timer autodial 60 //Set the auto-dial interval to 60s.
dialer number *99# autodial //Enable the auto-dial function.
mode wcdma wcdma-precedence //Configure a WCDMA network connection mode for a 3G modem.
ipsec policy rta //Bind the IPSec policy to the interface.
nat outbound 3001 //Configure NAT to enable access to the public network.
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/1
#
return

Step 2 Configure RouterB.
#
sysname RouterB
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal rtb
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer rtb v1 //Configure an IKE peer. You do not need to configure the remote address.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 5
#
ipsec policy-template temp 1 //Configure an IPSec policy template.
security acl 3000
ike-peer rtb
proposal rtb
#
ipsec policy rtb 1 isakmp template temp //Configure an IPSec policy and reference the IPSec policy template.
#
interface Serial1/0/0 //Configure an IP address for the WAN-side interface.
link-protocol ppp
ip address 13.1.1.1 255.255.255.0

#
ip route-static 0.0.0.0 0.0.0.0 Serial1/0/0
#
return

Step 3 Verify the configuration.
After the configuration, users in the headquarters and branch can communicate with each
other.

----End

Configuration Notes
l The pre-shared key at both ends must be the same.
l You do not need to specify the remote IP address of the IKE peer for the end using an
IPSec policy template.
l You can choose not to configure an ACL on the headquarters gateway using an IPSec
policy template. If an ACL is configured on the headquarters to protect data flows, the
destination segment address in the ACL must cover all the source addresses in ACLs on
branches.
l Dial-up parameters for a 3G interface differ between 3G networks. Obtain them from the 3G
network provider.

5.4.11 Example for Configuring GRE Over IPSec to Implement Communication Between Devices

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 5-71, RouterA and RouterB establish an IPSec session, a GRE tunnel is
set up, and traffic on the network segment connected to GE0/0/1 is imported to the GRE
tunnel.

Figure 5-71 Networking diagram for configuring GRE over IPSec

[Figure 5-71 diagram: RouterA Eth1/0/1 1.2.1.1/30 and RouterB Eth1/0/1 1.2.2.1/30 connect across the Internet; an IPSec session between them carries the GRE tunnel; RouterA GE0/0/1 10.1.0.1/24 to PC A 10.1.0.2/24; RouterB GE0/0/1 10.2.0.1/24 to PC B 10.2.0.2/24]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In versions earlier than V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0
#
ipsec proposal rtb //Configure an IPSec proposal.
encapsulation-mode transport //Set the encapsulation mode to transport.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1 //Configure an IKE proposal.
#
ike peer rtb v1 //Configure an IKE peer.
ike-proposal 1
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
remote-address 1.2.2.1
#
ipsec policy rtb 1 isakmp //Configure an IPSec policy and define IKE negotiation.
security acl 3000 //Specify the ACL.
ike-peer rtb //Specify the IKE peer.
proposal rtb //Specify the IPSec proposal.
#
interface Ethernet1/0/1
ip address 1.2.1.1 255.255.255.252
ipsec policy rtb //Bind the IPSec policy to the interface.
#
interface GigabitEthernet0/0/1
ip address 10.1.0.1 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface.
ip address 1.3.1.1 255.255.255.252
tunnel-protocol gre
source 1.2.1.1 //Specify the source address of the tunnel interface.
destination 1.2.2.1 //Specify the destination address of the tunnel interface.
#
ip route-static 10.2.0.0 255.255.255.0 Tunnel0/0/1 //Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 1.2.1.2
#
return

Step 2 Configure RouterB.
#
sysname RouterB
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 1.2.2.1 0 destination 1.2.1.1 0
#
ipsec proposal rta //Configure an IPSec proposal.
encapsulation-mode transport //Set the encapsulation mode to transport.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1 //Configure an IKE proposal.
#
ike peer rta v1 //Configure an IKE peer.
ike-proposal 1
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
remote-address 1.2.1.1
#
ipsec policy rta 1 isakmp //Configure an IPSec policy and define IKE negotiation.
security acl 3000 //Specify the ACL.
ike-peer rta //Specify the IKE peer.
proposal rta //Specify the IPSec proposal.
#
interface Ethernet1/0/1
ip address 1.2.2.1 255.255.255.252
ipsec policy rta //Bind the IPSec policy to the interface.
#
interface GigabitEthernet0/0/1
ip address 10.2.0.1 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface.
ip address 1.3.1.2 255.255.255.252
tunnel-protocol gre
source 1.2.2.1 //Specify the source address of the tunnel interface.
destination 1.2.1.1 //Specify the destination address of the tunnel interface.
#
ip route-static 10.1.0.0 255.255.255.0 Tunnel0/0/1 //Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 1.2.2.2
#
return

Step 3 Verify the configuration.
Run the display ike sa command on RouterA or RouterB to view SA information.
Run the display ip routing-table command on RouterA or RouterB. You can view the route
from the tunnel interface to the user-side interface.
Users at both ends can communicate.

----End

Configuration Notes
l The ACL is configured to match the WAN-side interface IP address.
l The encapsulation mode in the IPSec proposal must be transport.
l The source and destination IP addresses of the GRE tunnel interface must be the same as
those of the data flow protected by IPSec (that is, defined in the ACL referenced by the
IPSec policy).
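The ACL requirements stated in the configuration notes above recur across these examples: headquarters and branch ACLs must mirror each other (5.4.7 and 5.4.8), an ACL on the policy-template side must cover every branch source and the NAT ACL must leave the IPSec-protected flow untranslated (5.4.10), and with GRE over IPSec the tunnel endpoints must be exactly the host pair the ACL protects, in transport mode (5.4.11). The following added Python example (not from the Huawei guide) checks all of them against constructed excerpts of the configurations above. It assumes VRP wildcard-mask semantics (0 bits must match, a bare 0 means one host), in-order first-match evaluation of the nat outbound ACL with deny meaning "not translated", and a GRE tunnel whose source is given as an address rather than an interface name:

```python
"""Added example (not from the Huawei guide): checks for the ACL requirements
stated in the configuration notes of Examples 5.4.7/5.4.8 (headquarters and
branch ACLs mirror each other), 5.4.10 (a template-side ACL must cover every
branch source; the NAT ACL must exclude the IPSec flow) and 5.4.11 (GRE tunnel
endpoints equal the protected host pair, transport mode)."""
import ipaddress
import re

RULE_RE = re.compile(r"rule \d+ (permit|deny) ip source (\S+) (\S+)"
                     r"(?: destination (\S+) (\S+))?$")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed excerpts of the configurations above (only the lines read here).
HQ_5_4_8 = "acl number 3000\n rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255\n#\n"
BRANCH_5_4_8 = "acl number 3000\n rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255\n#\n"
HQ_5_4_10 = "acl number 3000\n rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255\n#\n"
NAT_5_4_10 = ("acl number 3001\n rule 1 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255\n"
              " rule 2 permit ip source 192.168.1.0 0.0.0.255\n#\n")
GRE_5_4_11 = """\
acl number 3000
 rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0
#
ipsec proposal rtb
 encapsulation-mode transport
#
interface Tunnel0/0/1
 tunnel-protocol gre
 source 1.2.1.1
 destination 1.2.2.1
#
"""


def wildcard_to_network(addr, wildcard):
    """VRP wildcard mask (0 bits must match; a bare '0' means the single host)."""
    wc = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # assumption: only contiguous wildcards (one prefix) are handled
        raise ValueError(f"non-contiguous wildcard {wildcard} is not one prefix")
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF
    return ipaddress.ip_network((base, 32 - wc.bit_length()))


def parse_acls(cfg):
    """Map ACL number -> ordered list of (action, src_net, dst_net)."""
    acls, current = {}, None
    for line in cfg.splitlines():
        s = line.strip()
        if s == "#":
            current = None
        elif m := re.match(r"acl number (\d+)$", s):
            current = acls.setdefault(int(m.group(1)), [])
        elif (m := RULE_RE.match(s)) and current is not None:
            src = wildcard_to_network(m.group(2), m.group(3))
            dst = wildcard_to_network(m.group(4), m.group(5)) if m.group(4) else ANY
            current.append((m.group(1), src, dst))
    return acls


def mirrors(acl_a, acl_b):
    """Mirror requirement: each permit pair on one side appears swapped on the other."""
    return ({(s, d) for a, s, d in acl_a if a == "permit"}
            == {(d, s) for a, s, d in acl_b if a == "permit"})


def template_uncovered(hq_acl, branch_acls):
    """Template side: branch permit sources not inside any headquarters destination."""
    hq_dsts = [d for a, _, d in hq_acl if a == "permit"]
    return [(name, str(src)) for name, acl in branch_acls.items()
            for a, src, _ in acl if a == "permit"
            and not any(src.subnet_of(d) for d in hq_dsts)]


def first_match(acl, src_ip, dst_ip):
    """First-match evaluation as assumed for nat outbound: 'permit', 'deny' or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, sn, dn in acl:
        if s in sn and d in dn:
            return action
    return None


def gre_matches_ipsec(cfg):
    """GRE over IPSec: the tunnel source/destination must be exactly the host
    pair the IPSec ACL permits and the proposal must use transport mode."""
    src = re.search(r"^\s*source (\S+)$", cfg, re.M).group(1)
    dst = re.search(r"^\s*destination (\S+)$", cfg, re.M).group(1)
    pair = (ipaddress.ip_network(src + "/32"), ipaddress.ip_network(dst + "/32"))
    pairs = {(s, d) for acl in parse_acls(cfg).values() for a, s, d in acl if a == "permit"}
    return pair in pairs and "encapsulation-mode transport" in cfg


if __name__ == "__main__":
    print("5.4.8 ACLs mirror:", mirrors(parse_acls(HQ_5_4_8)[3000], parse_acls(BRANCH_5_4_8)[3000]))
    print("5.4.10 NAT ACL on the VPN flow:", first_match(parse_acls(NAT_5_4_10)[3001], "192.168.1.5", "192.168.2.7"))
    print("5.4.11 GRE endpoints match IPSec ACL:", gre_matches_ipsec(GRE_5_4_11))
```

The NAT check is the one most often missed in practice: if ACL 3001 lacked the deny rule, the 192.168.1.0/24 to 192.168.2.0/24 flow would be translated before the IPSec ACL sees it, no longer match ACL 3000, and leave the branch in clear text.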

5.4.12 Example for Configuring OSPF and GRE Over IPSec to Implement Communication Between the Branch and Headquarters
Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 5-72, RouterA functions as the egress router of the headquarters network
and provides GRE over IPSec access for two branches. RouterB and RouterC are egress
routers of the two branches and connect to the headquarters network using GRE over IPSec.
OSPF is enabled on GRE tunnels of the headquarters and each branch. Traffic exchanged
between the headquarters and branches must be encrypted.

Figure 5-72 Networking diagram for configuring GRE over IPSec and OSPF

[Figure 5-72 diagram: RouterA (headquarters) GE0/0/1 10.0.0.1/24 to PC A 10.0.0.2/24, Eth2/0/1 1.0.1.254/24; RouterB (branch 1) GE0/0/2 1.0.2.1/24, GE0/0/1 192.168.1.1/24 to PC B 192.168.1.2/24; RouterC (branch 2) GE0/0/1 1.0.3.1/24, GE0/0/2 192.168.2.1/24 to PC C 192.168.2.2/24; a GRE tunnel over an IPSec session from each branch to the headquarters carries the encrypted data flows]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In versions earlier than V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#

router id 192.168.255.255 //Configure the OSPF router ID.
#
acl number 3000 //Configure ACL 3000 to permit packets from the outbound interfaces on egress routers of the headquarters and branch 1.
rule 0 permit ip source 1.0.1.254 0 destination 1.0.2.1 0
#
acl number 3001 //Configure ACL 3001 to permit packets from the outbound interfaces on egress routers of the headquarters and branch 2.
rule 0 permit ip source 1.0.1.254 0 destination 1.0.3.1 0
#
ipsec proposal default
encapsulation-mode transport
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer branch1 v1 //Configure an IKE peer for the egress router of branch 1.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
local-address 1.0.1.254
remote-address 1.0.2.1
#
ike peer branch2 v1 //Configure an IKE peer for the egress router of branch 2.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
local-address 1.0.1.254
remote-address 1.0.3.1
#
ipsec policy branch 10 isakmp //Create an IPSec policy branch and set the sequence number to 10.
security acl 3000
ike-peer branch1
proposal default
#
ipsec policy branch 20 isakmp //Create an IPSec policy branch and set the sequence number to 20.
security acl 3001
ike-peer branch2
proposal default
#
interface Ethernet2/0/1 //Configure the WAN-side interface on the egress router of the headquarters.
ip address 1.0.1.254 255.255.255.0
ipsec policy branch
#
interface GigabitEthernet0/0/1 //Configure the LAN-side interface on the egress router of the headquarters.
ip address 10.0.0.1 255.255.255.0
#
interface LoopBack0 //Configure the loopback interface IP address as the router ID.
ip address 192.168.255.255 255.255.255.255
#
interface Tunnel0/0/0 //Configure the tunnel interface between the headquarters and branch 1.
ip address 192.168.0.1 255.255.255.252
tunnel-protocol gre
source Ethernet2/0/1
destination 1.0.2.1
#
interface Tunnel0/0/1 //Configure the tunnel interface between the headquarters and branch 2.

Issue V2.2 (2017-02-28) Huawei Proprietary and Confidential 324


Copyright © Huawei Technologies Co., Ltd.
Huawei
AR100&AR120&AR150&AR160&AR200&AR1200&AR
2200&AR3200&AR3600 Series Enterprise Routers
Typical Configuration Examples 5 Using VPN to Implement WAN Interconnection

ip address 192.168.0.5 255.255.255.252


tunnel-protocol gre
source Ethernet2/0/1
destination 1.0.3.1
#
ospf 1 //Configure OSPF
routes.
area 0.0.0.0
network 10.0.0.0 0.0.0.255
network 192.168.255.255 0.0.0.0
network 192.168.0.0 0.0.0.3
network 192.168.0.4 0.0.0.3
#
ip route-static 0.0.0.0 0.0.0.0
1.0.1.253
#
return

Step 2 Configure RouterB.
#
sysname RouterB
#
router id 192.168.255.1 //Configure the OSPF router ID.
#
acl number 3000 //Configure ACL 3000 to mirror ACL 3000 configured on the egress router of the headquarters.
rule 0 permit ip source 1.0.2.1 0 destination 1.0.1.254 0
#
ipsec proposal default //Configure an IPSec proposal identical to the one configured on the egress router of the headquarters.
encapsulation-mode transport
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer center v1 //Configure an IKE peer matching the one configured on the egress router of the headquarters.
pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%# //Set the pre-shared key to huawei, in cipher text. In V2R3C00 and earlier versions the command is pre-shared-key huawei, and the password is displayed in plain text.
local-address 1.0.2.1
remote-address 1.0.1.254
#
ipsec policy center 1 isakmp //Configure IPSec policy center with sequence number 1, using ISAKMP negotiation.
security acl 3000
ike-peer center
proposal default
#
interface GigabitEthernet0/0/1 //Configure the LAN-side interface on the egress router of branch 1.
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2 //Configure the WAN-side interface on the egress router of branch 1.
ip address 1.0.2.1 255.255.255.0
ipsec policy center
#
interface LoopBack0 //Configure the loopback interface IP address as the router ID.
ip address 192.168.255.1 255.255.255.255
#
interface Tunnel0/0/0 //Configure the tunnel interface to the headquarters.
ip address 192.168.0.2 255.255.255.252
tunnel-protocol gre
source GigabitEthernet0/0/2
destination 1.0.1.254
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.255.1 0.0.0.0
network 192.168.0.0 0.0.0.3
network 192.168.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 1.0.2.2 //Configure a default route towards the Internet.
#
return

Step 3 Configure RouterC.
#
sysname RouterC
#
router id 192.168.255.2 //Configure the OSPF router ID.
#
acl number 3001 //Configure ACL 3001 to mirror ACL 3001 configured on the egress router of the headquarters.
rule 0 permit ip source 1.0.3.1 0 destination 1.0.1.254 0
#
ipsec proposal default //Configure an IPSec proposal identical to the one configured on the egress router of the headquarters.
encapsulation-mode transport
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer center v1 //Configure an IKE peer matching the one configured on the egress router of the headquarters.
pre-shared-key cipher %^%#(3fr1!&6O=)!GN#~{)n,2fq>4#4+%;lMTs5(]:c)%^%# //Set the pre-shared key to huawei, in cipher text. In V2R3C00 and earlier versions the command is pre-shared-key huawei, and the password is displayed in plain text.
local-address 1.0.3.1
remote-address 1.0.1.254
#
ipsec policy center 1 isakmp //Configure IPSec policy center with sequence number 1, using ISAKMP negotiation.
security acl 3001
ike-peer center
proposal default
#
interface GigabitEthernet0/0/2 //Configure the LAN-side interface on the egress router of branch 2.
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1 //Configure the WAN-side interface on the egress router of branch 2.
ip address 1.0.3.1 255.255.255.0
ipsec policy center
#
interface LoopBack0 //Configure the loopback interface IP address as the router ID.
ip address 192.168.255.2 255.255.255.255
#
interface Tunnel0/0/1 //Configure the tunnel interface to the headquarters.
ip address 192.168.0.6 255.255.255.252
tunnel-protocol gre
source GigabitEthernet0/0/1
destination 1.0.1.254
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.255.2 0.0.0.0
network 192.168.0.4 0.0.0.3
network 192.168.2.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 1.0.3.2 //Configure a default route towards the Internet.
#
return

Step 4 Verify the configuration.

Run the display ike sa command on RouterA or RouterB to view SA information.

Run the display ip routing-table command on RouterA or RouterB. You can view the routes learned over the tunnel interfaces to the remote user-side network segments.

Users in the headquarters and branches can communicate.

----End

Configuration Notes
- The ACL configured on the egress router of the headquarters cannot contain a deny rule. If the ACL contains deny rules, the matching data flows will not be transmitted through the IPSec tunnel.
- ACLs configured on the devices in the headquarters and branches must mirror each other (source and destination swapped).
- Only one IPSec policy can be applied on the egress router of the headquarters, so each branch IKE peer is referenced under a different sequence number of that policy.
- The WAN-side interface IP addresses of the headquarters and branches must be able to ping each other.

5.4.13 Example for Configuring GRE Over IPSec to Implement Communication Between the Branches and Headquarters and NAT to Implement Communication Between Branches (Running OSPF)

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 5-73, the egress router in the headquarters provides IPSec VPN access for branches. NAT devices exist between the branches and the Internet, so aggressive mode and NAT traversal are configured on the egress routers of the headquarters and branches. The headquarters egress router uses an IPSec policy template instead of an ACL. The three egress routers use loopback interface IP addresses to establish GRE over IPSec tunnels. ACLs are configured on the branch egress routers so that traffic between the headquarters and branches is carried through the GRE over IPSec tunnels. OSPF runs over the GRE over IPSec tunnels so that traffic exchanged between branches is forwarded through the headquarters egress router.


Figure 5-73 Networking diagram for configuring GRE over IPSec and OSPF to implement NAT traversal

[Figure omitted; recoverable details: RouterA (headquarters) has GE0/0/1 172.16.1.1/24 towards PC A 172.16.1.2/24, LoopBack0 172.16.0.1/32 and Eth2/0/1 1.0.1.60/24. RouterB (branch 1) has GE0/0/1 10.0.1.2/24, LoopBack0 192.168.1.1/32 and GE0/0/2 192.168.11.1/24 towards PC B 192.168.11.2/24; it sits behind NAT2 (GE0/0/1 10.0.1.1/24, Eth1/0/1 1.0.2.1/24). RouterC (branch 2) has GE0/0/1 10.0.2.2/24, LoopBack0 192.168.2.1/32 and GE0/0/2 192.168.12.1/24 towards PC C 192.168.12.2/24; it sits behind NAT1 (GE0/0/1 10.0.2.1/24, Eth1/0/1 1.0.3.1/24). IPSec sessions run between RouterA and each branch router, and GRE over IPSec tunnels carrying encrypted data flows are established over them.]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
- In versions earlier than V200R008:
  ike peer peer-name [ v1 | v2 ]
- In V200R008 and later versions:
  - To configure IKE peers: ike peer peer-name
  - To configure the IKE protocol: version { 1 | 2 }
  By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 172.16.0.1 //Configure the OSPF router ID.
#
ike local-name rta //Configure the local IKE name used as the identity in aggressive-mode negotiation.
#
ipsec proposal default //Configure a default IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer branch v1 //Configure an IKE peer for the branch egress routers.
exchange-mode aggressive //Set the negotiation mode to aggressive.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set the pre-shared key to 123-branch, in cipher text. In V2R3C00 and earlier versions the command is pre-shared-key 123-branch, and the password is displayed in plain text.
local-id-type name //Configure the local ID type for IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.
nat traversal //Enable NAT traversal. In V200R008 and later versions, the device supports NAT traversal by default, and this command is not supported.
#
ipsec policy-template branch 1 //Configure IPSec policy template branch with sequence number 1.
ike-peer branch
proposal default
#
ipsec policy policy1 1 isakmp template branch //Configure IPSec policy policy1 with sequence number 1, based on the IPSec policy template branch.
#
interface Ethernet2/0/1 //Configure the WAN-side interface on the egress router of the headquarters.
ip address 1.0.1.60 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet0/0/1 //Configure the LAN-side interface on the egress router of the headquarters.
ip address 172.16.1.1 255.255.255.0
#
interface LoopBack0 //Configure the loopback interface IP address, which is used to establish the GRE tunnels and as the router ID.
ip address 172.16.0.1 255.255.255.255
#
interface Tunnel0/0/0 //Configure the tunnel interface between the headquarters and branch 1.
ip address 192.168.0.1 255.255.255.252
tunnel-protocol gre
source LoopBack0
destination 192.168.1.1
#
interface Tunnel0/0/1 //Configure the tunnel interface between the headquarters and branch 2.
ip address 192.168.0.5 255.255.255.252
tunnel-protocol gre
source LoopBack0
destination 192.168.2.1
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.0.4 0.0.0.3
network 172.16.1.0 0.0.0.255
network 192.168.0.0 0.0.0.3
#
ip route-static 0.0.0.0 0.0.0.0 1.0.1.61 //Configure a default route.
#
return

Step 2 Configure RouterB.
#
sysname RouterB
#
router id 192.168.1.1 //Configure the OSPF router ID.
#
ike local-name rtb //Configure the local IKE name used as the identity in aggressive-mode negotiation.
#
acl number 3000 //Match the GRE packets sent from the local loopback address to the headquarters loopback address.
rule 0 permit gre source 192.168.1.1 0 destination 172.16.0.1 0
#
ipsec proposal default //Configure a default IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer center v1 //Configure an IKE peer.
exchange-mode aggressive //Set the negotiation mode to aggressive.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Set the pre-shared key to 123-branch, in cipher text. In V2R3C00 and earlier versions the command is pre-shared-key 123-branch, and the password is displayed in plain text.
local-id-type name //Configure the local ID type for IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.
remote-name rta //Configure the IKE peer name. In V200R008 and later versions, the device does not support the remote-name command; the remote-id command provides the same function.
nat traversal //Enable NAT traversal. In V200R008 and later versions, the device supports NAT traversal by default, and this command is not supported.
remote-address 1.0.1.60
#
ipsec policy center 1 isakmp //Configure an IPSec policy with sequence number 1.
security acl 3000
ike-peer center
proposal default
#
interface GigabitEthernet0/0/1 //Configure the WAN-side interface in branch 1.
ip address 10.0.1.2 255.255.255.0
ipsec policy center
#
interface GigabitEthernet0/0/2 //Configure the LAN-side interface in branch 1.
ip address 192.168.11.1 255.255.255.0
#
interface LoopBack0 //Configure the loopback interface IP address, which is used to establish the GRE tunnel and as the router ID.
ip address 192.168.1.1 255.255.255.255
#
interface Tunnel0/0/0 //Configure the tunnel interface to the headquarters.
ip address 192.168.0.2 255.255.255.252
tunnel-protocol gre
source LoopBack0
destination 172.16.0.1
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.11.0 0.0.0.255
network 192.168.0.0 0.0.0.3
#
ip route-static 0.0.0.0 0.0.0.0 10.0.1.1 //Configure a default route.
#
return

Step 3 Configure RouterC.
#
sysname RouterC
#
router id 192.168.2.1 //Configure the OSPF router ID.
#
ike local-name rtc //Configure the local IKE name used as the identity in aggressive-mode negotiation.
#
acl number 3000 //Match the GRE packets sent from the local loopback address to the headquarters loopback address.
rule 0 permit gre source 192.168.2.1 0 destination 172.16.0.1 0
#
ipsec proposal default //Configure a default IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer center v1 //Configure an IKE peer.
exchange-mode aggressive //Set the negotiation mode to aggressive.
pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%# //Set the pre-shared key to 123-branch, in cipher text. In V2R3C00 and earlier versions the command is pre-shared-key 123-branch, and the password is displayed in plain text.
local-id-type name //Configure the local ID type for IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.
remote-name rta //Configure the IKE peer name. In V200R008 and later versions, the device does not support the remote-name command; the remote-id command provides the same function.
nat traversal //Enable NAT traversal. In V200R008 and later versions, the device supports NAT traversal by default, and this command is not supported.
remote-address 1.0.1.60
#
ipsec policy center 1 isakmp //Configure an IPSec policy with sequence number 1.
security acl 3000
ike-peer center
proposal default
#
interface GigabitEthernet0/0/1 //Configure the WAN-side interface in branch 2.
ip address 10.0.2.2 255.255.255.0
ipsec policy center
#
interface GigabitEthernet0/0/2 //Configure the LAN-side interface in branch 2.
ip address 192.168.12.1 255.255.255.0
#
interface LoopBack0 //Configure the loopback interface IP address, which is used to establish the GRE tunnel and as the router ID.
ip address 192.168.2.1 255.255.255.255
#
interface Tunnel0/0/1 //Configure the tunnel interface to the headquarters.
ip address 192.168.0.6 255.255.255.252
tunnel-protocol gre
source LoopBack0
destination 172.16.0.1
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.0.4 0.0.0.3
network 192.168.12.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.0.2.1 //Configure a default route.
#
return

Step 4 Configure NAT1.
#
sysname NAT1
#
acl number 2000 //Configure an ACL to match the traffic to be translated using the NAT address pool.
rule 0 permit source 10.0.2.0 0.0.0.255
#
nat address-group 0 11.0.0.1 11.0.0.10 //Configure a NAT address pool.
#
interface Ethernet1/0/1 //Configure the WAN-side interface.
ip address 1.0.3.1 255.255.255.0
nat outbound 2000 address-group 0
#
interface GigabitEthernet0/0/1 //Configure the NAT device interface connected to the router in branch 2.
ip address 10.0.2.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 1.0.3.2 //Configure a default route.
#
return

Step 5 Configure NAT2.
#
sysname NAT2
#
acl number 2000 //Configure an ACL to match the traffic to be translated using the NAT address pool.
rule 0 permit source 10.0.1.0 0.0.0.255
#
nat address-group 0 12.0.0.1 12.0.0.10 //Configure a NAT address pool.
#
interface Ethernet1/0/1 //Configure the WAN-side interface.
ip address 1.0.2.1 255.255.255.0
nat outbound 2000 address-group 0
#
interface GigabitEthernet0/0/1 //Configure the NAT device interface connected to the router in branch 1.
ip address 10.0.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 1.0.2.2 //Configure a default route.
#
return

Step 6 Verify the configuration.


Run the display ike sa command on RouterA, RouterB, or RouterC to view SA information.
Run the display ip routing-table command on RouterA or RouterB. You can view the routes learned over the tunnel interfaces to the remote user-side network segments.
Users in the headquarters and branches can communicate.

----End

Configuration Notes
- The ACL configured on the egress router of the headquarters cannot contain a deny rule. If the ACL contains deny rules, the matching data flows will not be transmitted through the IPSec tunnel.
- Only one IPSec policy can be applied on the egress router of the headquarters, so each branch IKE peer is referenced under a different sequence number of that policy.
- There must be reachable routes between the headquarters and branches.

5.4.14 Example for Establishing an IPSec over GRE Tunnel Between the Headquarters and Branch (Based on ACL)

Applicability
This example applies to all AR models of V200R008C50 and later versions.

Networking Requirements
In Figure 5-74, Router1 is the gateway of an enterprise branch, and Router2 is the gateway of
the headquarters. Router1 and Router2 communicate through the public network.

On the live network, the enterprise branch communicates with the headquarters through a
GRE tunnel. The enterprise wants to protect traffic excluding multicast data between the
headquarters and branch. An IPSec over GRE tunnel can be established based on ACL to
protect traffic between the headquarters and branch.

Figure 5-74 Establishing an IPSec over GRE tunnel between the headquarters and branch

[Figure omitted; recoverable details: Router1 (branch gateway) has GE1/0/0 1.1.1.1/24 towards the public network, GE2/0/0 10.1.1.1/24 towards PC1 10.1.1.2/24, and Tunnel0/0/0 10.2.1.1/24. Router2 (headquarters gateway) has GE1/0/0 2.1.1.1/24, GE2/0/0 10.1.2.1/24 towards PC2 10.1.2.2/24, and Tunnel0/0/0 10.2.1.2/24. An IPSec over GRE tunnel runs between the two Tunnel0/0/0 interfaces.]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
- In versions earlier than V200R008:
  ike peer peer-name [ v1 | v2 ]
- In V200R008 and later versions:
  - To configure IKE peers: ike peer peer-name
  - To configure the IKE protocol: version { 1 | 2 }
  By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.


Procedure
Step 1 Configure Router1.
#
sysname Router1
#
acl number 3101 //Configure the IP address segments whose traffic is to be protected by IPSec.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure the authentication, encryption, and DH algorithms in the IKE proposal.
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
#
ike peer spub //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 5
remote-address 10.2.1.2 //Set the remote address to the IP address of the peer's tunnel interface.
#
ipsec policy map1 10 isakmp //Configure a security policy and reference the ACL, IKE peer, and proposal in it.
security acl 3101
ike-peer spub
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure a GRE tunnel interface.
ip address 10.2.1.1 255.255.255.0
tunnel-protocol gre
source 1.1.1.1
destination 2.1.1.1
ipsec policy map1 //Apply the security policy to the tunnel interface to enable IPSec protection.
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2 //Configure a static route to the public network.
ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/0 //Configure a static route to the private network through the tunnel.
#
return

Step 2 Configure Router2.
#
sysname Router2
#
acl number 3101 //Configure the IP address segments whose traffic is to be protected by IPSec.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure the authentication, encryption, and DH algorithms in the IKE proposal.
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
#
ike peer spua //Configure an IKE peer.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 5
remote-address 10.2.1.1 //Set the remote address to the IP address of the peer's tunnel interface.
#
ipsec policy use1 10 isakmp //Configure a security policy and reference the ACL, IKE peer, and proposal in it.
security acl 3101
ike-peer spua
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure a GRE tunnel interface.
ip address 10.2.1.2 255.255.255.0
tunnel-protocol gre
source 2.1.1.1
destination 1.1.1.1
ipsec policy use1 //Apply the security policy to the tunnel interface to enable IPSec protection.
#
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2 //Configure a static route to the public network.
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/0 //Configure a static route to the private network through the tunnel.
#
return

Step 3 Verify the configuration.


Run the display ike sa command on the routers. You can find that an SA is established
successfully.
After branch users ping the headquarters, run the display ipsec statistics command on the
routers to view statistics on IPSec packets. The value of the input/output security packets
field is not 0, indicating that data transmitted between the branch and headquarters is
encrypted.
----End

Precautions
- The pre-shared key at both ends must be the same.
- The remote address configured for the IKE peer must be the IP address of the peer's tunnel interface.
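Two of the rules in this chapter are mechanical enough to check automatically: the 5.4.12 Configuration Notes (no deny rule in the headquarters ACL; branch ACLs mirror it) and the Precautions above (the IKE remote-address must be the peer's tunnel interface IP). The linter below is an added example, not Huawei tooling; it parses VRP-style config excerpts constructed here after Router1/Router2 and reports violations, also flagging a reused ACL rule number.

```python
"""Lint VRP-style GRE over IPSec snippets against rules stated in this chapter (added example, not Huawei code).
Checks: 5.4.12 notes (no deny rule at the headquarters; branch ACL mirrors it) and the 5.4.14
precaution (IKE remote-address must be the peer's tunnel IP); a reused rule number is also flagged."""
import re

RULE_RE = re.compile(
    r"rule (?P<id>\d+) (?P<action>permit|deny) (?P<proto>\S+)"
    r"(?: source (?P<src>\S+) (?P<smask>\S+))?(?: destination (?P<dst>\S+) (?P<dmask>\S+))?"
)

def sections(cfg):
    """Yield (header, body_lines) per config section; a '#' line closes a section."""
    header, body = None, []
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "#":
            if header is not None:
                yield header, body
            header, body = None, []
        elif header is None:
            header = line
        else:
            body.append(line)
    if header is not None:
        yield header, body

def parse(cfg):
    """Extract ACL rules, IKE peer remote-addresses and Tunnel interface IPs from a config."""
    acls, peers, tunnel_ips = {}, {}, set()
    for header, body in sections(cfg):
        if m := re.match(r"acl number (\d+)", header):
            acls[int(m.group(1))] = [r.groupdict() for r in map(RULE_RE.match, body) if r]
        elif m := re.match(r"ike peer (\S+)", header):
            for line in body:
                if line.startswith("remote-address "):
                    peers[m.group(1)] = line.split()[1]
        elif header.startswith("interface Tunnel"):
            tunnel_ips.update(ln.split()[2] for ln in body if ln.startswith("ip address "))
    return acls, peers, tunnel_ips

def check_acls(hq_cfg, branch_cfg, hq_acl, branch_acl):
    """5.4.12 notes: unique rule IDs, no deny at the headquarters, every HQ permit rule mirrored."""
    findings = []
    hq = parse(hq_cfg)[0].get(hq_acl, [])
    br = parse(branch_cfg)[0].get(branch_acl, [])
    for acl_id, rules in ((hq_acl, hq), (branch_acl, br)):
        ids = [r["id"] for r in rules]
        if len(ids) != len(set(ids)):
            findings.append(f"acl {acl_id}: rule number reused; VRP overwrites the earlier rule")
    # A mirror rule has source and destination swapped relative to the headquarters rule.
    mirrored = {(r["proto"], r["dst"], r["dmask"], r["src"], r["smask"]) for r in br if r["action"] == "permit"}
    for r in hq:
        if r["action"] == "deny":
            findings.append(f"acl {hq_acl} rule {r['id']}: deny rule keeps matching flows out of the IPSec tunnel")
        elif (r["proto"], r["src"], r["smask"], r["dst"], r["dmask"]) not in mirrored:
            findings.append(f"acl {hq_acl} rule {r['id']}: no mirror rule in branch acl {branch_acl}")
    return findings

def check_remote_address(local_cfg, peer_name, peer_cfg):
    """5.4.14 precaution: IKE remote-address must be the remote tunnel interface IP, not a public address."""
    remote = parse(local_cfg)[1].get(peer_name)
    tunnel_ips = parse(peer_cfg)[2]
    if remote is None:
        return [f"ike peer {peer_name}: no remote-address configured"]
    if remote not in tunnel_ips:
        return [f"ike peer {peer_name}: remote-address {remote} is not a tunnel IP {sorted(tunnel_ips)}"]
    return []

# Constructed excerpts modelled on Router1/Router2 in 5.4.14 (not the page's full configs).
ROUTER1 = """\
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike peer spub
 remote-address 10.2.1.2
#
interface Tunnel0/0/0
 ip address 10.2.1.1 255.255.255.0
"""
ROUTER2 = """\
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike peer spua
 remote-address 10.2.1.1
#
interface Tunnel0/0/0
 ip address 10.2.1.2 255.255.255.0
"""
# Constructed faulty headquarters: reused rule ID, a deny rule, an unmirrored permit,
# and remote-address pointing at the branch public address instead of its tunnel IP.
BAD_ROUTER2 = """\
acl number 3101
 rule 5 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.9.0 0.0.0.255
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ike peer spua
 remote-address 1.1.1.1
#
interface Tunnel0/0/0
 ip address 10.2.1.2 255.255.255.0
"""

if __name__ == "__main__":
    print("page configs:", check_acls(ROUTER2, ROUTER1, 3101, 3101) + check_remote_address(ROUTER1, "spub", ROUTER2) or "OK")
    print("faulty configs:", check_acls(BAD_ROUTER2, ROUTER1, 3101, 3101) + check_remote_address(BAD_ROUTER2, "spua", ROUTER1))
```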

5.4.15 Example for Establishing IPSec over DSVPN Tunnels Between Hub and Spokes (Based on ACL)

Applicability
This example applies to all AR models of V200R008C50 and later versions.

Networking Requirements
In Figure 5-75, a large-sized enterprise has the headquarters (Hub) and multiple branches
(Spoke1 and Spoke2 in this example) located in different areas, and the Spokes connect to
public networks using dynamic IP addresses obtained through DHCP. DSVPN is deployed to
enable communication between Spokes as well as between Spoke and Hub.
The enterprise requires that data transmitted between Spokes as well as between Spoke and
Hub be encrypted. IPSec over DSVPN can be configured on Hub and Spokes to provide
traffic protection.

Figure 5-75 Establishing IPSec over DSVPN tunnels between Hub and Spokes

[Figure omitted; recoverable details: Hub (headquarters) has GE1/0/0 1.1.1.10/24, GE1/0/1 10.1.1.1/24 and Tunnel0/0/0 10.2.1.1/24. Spoke1 (branch 1) has GE1/0/0 1.1.2.10/24, GE1/0/1 10.1.2.1/24 and Tunnel0/0/0 10.2.1.2/24. Spoke2 (branch 2) has GE1/0/0 1.1.3.10/24, GE1/0/1 10.1.3.1/24 and Tunnel0/0/0 10.2.1.3/24.]

Assume that the dynamic addresses obtained by Spoke1 and Spoke2 are 1.1.2.10 and 1.1.3.10,
respectively.

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
- In versions earlier than V200R008:
  ike peer peer-name [ v1 | v2 ]
- In V200R008 and later versions:
  - To configure IKE peers: ike peer peer-name
  - To configure the IKE protocol: version { 1 | 2 }
  By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure the Hub.
#
sysname Hub
#
ipsec proposal pro1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1 //Configure the authentication, encryption, PRF, and DH algorithms in the IKE proposal.
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
prf aes-xcbc-128
#
ike peer hub //Configure an IKE peer. No remote address is set because the Spokes use dynamic addresses.
pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 1
dpd type periodic //Set the DPD mode to periodic.
dpd idle-time 40 //Set an idle time for DPD.
#
ipsec policy-template use1 10 //Configure an IPSec policy template and reference the IKE peer and proposal in it.
ike-peer hub
proposal pro1
#
ipsec policy policy1 10 isakmp template use1 //Configure an IPSec policy that references the policy template.
#
interface GigabitEthernet1/0/0
ip address 1.1.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure an mGRE tunnel interface.
ip address 10.2.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to P2MP.
ospf dr-priority 100 //Configure an interface priority for DR election.
ipsec policy policy1 //Apply the security policy to the interface and enable IPSec protection.
nhrp entry multicast dynamic //Add dynamically registered Spokes to the NHRP multicast member table.
#
ospf 1 router-id 10.2.1.1 //Configure private network routes.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
ospf 2 //Configure a public network route.
area 0.0.0.1
network 1.1.1.0 0.0.0.255
#
return

Step 2 Configure Spoke1.
#
sysname Spoke1
#
acl number 3101 //Configure the IP address segments whose traffic is to be protected by IPSec. Each rule needs a distinct rule ID.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ipsec proposal pro1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1 //Configure the authentication, encryption, PRF, and DH algorithms in the IKE proposal.
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
prf aes-xcbc-128
#
ike peer spoke1 //Configure an IKE peer.
pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 1
dpd type periodic //Set the DPD mode to periodic.
dpd idle-time 40 //Set an idle time for DPD.
remote-address 10.2.1.1 //Set the remote address to the IP address of the Hub's tunnel interface.
#
ipsec policy policy1 10 isakmp //Configure a security policy and reference the ACL, IKE peer, and proposal in it.
security acl 3101
ike-peer spoke1
proposal pro1
#
interface GigabitEthernet1/0/0
ip address dhcp-alloc //Obtain the public network address dynamically through DHCP.
#
interface GigabitEthernet1/0/1
ip address 10.1.2.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure an mGRE tunnel interface.
ip address 10.2.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to P2MP.
ospf dr-priority 0 //Configure an interface priority for DR election.
ipsec policy policy1 //Apply the security policy to the interface and enable IPSec protection.
nhrp entry 10.2.1.1 1.1.1.10 register //Configure a static NHRP mapping for the Hub and register with it.
#
ospf 1 router-id 10.2.1.2 //Configure private network routes.
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
ospf 2 //Configure a public network route.
area 0.0.0.1
network 1.1.2.0 0.0.0.255
#
return

Step 3 Configure Spoke2.


#
sysname Spoke2
#
acl number 3101 //Configure the IP address segments that support IPSec
encryption. Each rule needs its own number; a second rule entered as rule 5
would replace the first instead of adding to it.
rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 10 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal pro1 //Configure the authentication and encryption algorithms in
the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1 //Configure the authentication, encryption, PRF, and DH
algorithms in the IKE proposal.
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256


prf aes-xcbc-128
#
ike peer spoke2 //Configure an IKE peer.
pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%# //Set
the pre-shared key to Huawei@1234.
ike-proposal 1
dpd type periodic //Set the DPD mode to periodic.
dpd idle-time 40 //Set an idle time for DPD.
remote-address 10.2.1.1 //Configure an IP address for the remote tunnel
interface.
#
ipsec policy policy1 10 isakmp //Configure a security policy and import
parameters to the policy.
security acl 3101
ike-peer spoke2
proposal pro1
#
interface GigabitEthernet1/0/0
ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
ip address 10.1.3.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure an mGRE tunnel interface.
ip address 10.2.1.3 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to P2MP.
ospf dr-priority 0 //Configure an interface priority for DR election.
ipsec policy policy1 //Apply the security policy to the interface and enable
IPSec protection.
nhrp entry 10.2.1.1 1.1.1.10 register //Configure an NHRP mapping table.
#
ospf 1 router-id 10.2.1.3 //Configure private network routes.
area 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
ospf 2 //Configure a public network route.
area 0.0.0.1
network 1.1.3.0 0.0.0.255
#
return

Step 4 Verify the configuration.

Run the display ike sa command on the Hub and Spokes. You can find that SAs are
established successfully.

After users in Spoke1 ping the Hub, run the display ipsec statistics command on Spoke1 to
view statistics on IPSec packets. The value of the input/output security packets field is not
0, indicating that data transmitted between the Hub and Spoke1 is encrypted.

After users in Spoke2 ping the Hub, run the display ipsec statistics command on Spoke2 to
view statistics on IPSec packets. The value of the input/output security packets field is not
0, indicating that data transmitted between the Hub and Spoke2 is encrypted.

----End

Precautions
l The pre-shared key at both ends must be the same.
l The remote address configured for the IKE peer must be the IP address of the tunnel
interface.
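The two precautions can be checked mechanically before the tunnel is brought up. The following Python script is an added example; it is not part of this document or of the router software. It parses a constructed excerpt of the Spoke2 configuration from Step 3 (same stanza layout and values) and reports when the IKE peer's remote-address is not the hub's tunnel address recorded in the nhrp entry, or lies outside the spoke's own mGRE tunnel subnet. The pre-shared key precaution cannot be checked this way because the configuration stores the key only in cipher text. The assumed stanza format (stanzas separated by lines containing a single #) follows the listings above.

```python
import ipaddress
import re

# Constructed excerpt of the Spoke2 configuration shown in Step 3: only the
# stanzas this check needs, with the same values as the example.
SPOKE2_CONFIG = """\
#
ike peer spoke2
 ike-proposal 1
 dpd type periodic
 dpd idle-time 40
 remote-address 10.2.1.1
#
interface Tunnel0/0/0
 ip address 10.2.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ipsec policy policy1
 nhrp entry 10.2.1.1 1.1.1.10 register
#
"""


def stanzas(config):
    """Split a VRP-style configuration into (header, body_lines) stanzas.
    Stanzas are delimited by lines consisting of a single '#'."""
    result = []
    current = []
    for line in config.splitlines():
        if line.strip() == "#":
            if current:
                result.append((current[0].strip(), [l.strip() for l in current[1:]]))
            current = []
        elif line.strip():
            current.append(line)
    if current:
        result.append((current[0].strip(), [l.strip() for l in current[1:]]))
    return result


def check_dsvpn_spoke(config):
    """Return findings for the precautions that a single spoke's configuration
    can be checked against: the IKE peer remote-address must be the hub's
    tunnel address (the protocol address in the nhrp entry) and must lie in
    the spoke's own mGRE tunnel subnet. An empty list means no finding."""
    findings = []
    remote = tunnel_if = nhrp_hub = None
    for header, body in stanzas(config):
        if header.startswith("ike peer "):
            for line in body:
                m = re.match(r"remote-address (\S+)$", line)
                if m:
                    remote = ipaddress.ip_address(m.group(1))
        elif header.startswith("interface Tunnel"):
            for line in body:
                m = re.match(r"ip address (\S+) (\S+)$", line)
                if m:
                    # ip_interface accepts a dotted netmask after the slash
                    tunnel_if = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                m = re.match(r"nhrp entry (\S+) (\S+) register$", line)
                if m:
                    nhrp_hub = ipaddress.ip_address(m.group(1))
    if remote is None or tunnel_if is None or nhrp_hub is None:
        findings.append("incomplete configuration: ike peer, tunnel address or nhrp entry missing")
        return findings
    if remote != nhrp_hub:
        findings.append(f"ike peer remote-address {remote} is not the hub tunnel address {nhrp_hub}")
    if remote not in tunnel_if.network:
        findings.append(f"remote-address {remote} is outside the tunnel subnet {tunnel_if.network}")
    return findings


if __name__ == "__main__":
    print("Spoke2 as configured:", check_dsvpn_spoke(SPOKE2_CONFIG) or "no findings")
    # Common slip: using the hub's public address instead of its tunnel address.
    wrong = SPOKE2_CONFIG.replace("remote-address 10.2.1.1", "remote-address 1.1.1.10")
    for finding in check_dsvpn_spoke(wrong):
        print("Spoke2 with public address as peer:", finding)
```

The script reads the running configuration as text, so it can be run against the output of display current-configuration copied from each spoke without any access to the device beyond that.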


5.4.16 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters Through IKE Negotiation in Domain Name Mode

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-76, RouterA (remote branch gateway) and RouterB (headquarters
gateway) communicate through the Internet in PPPoE mode. The branch subnet is 10.1.1.0/24
and the headquarters subnet is 10.1.2.0/24. The DNS server resolves domain names, the
DDNS server updates the IP addresses mapped to the domain names, and the PPPoE server
allocates IP addresses.
The enterprise wants to protect data flows between the branch subnet and the headquarters
subnet. An IPSec tunnel can be set up between the branch gateway and headquarters gateway
because they communicate over the Internet. Because IP addresses of the branch and
headquarters are dynamic addresses, domain names can be used for IKE negotiation.

Figure 5-76 Networking for using dynamic addresses to establish an IPSec tunnel in IKE
negotiation mode between the branch and headquarters
[Figure: RouterA (branch gateway) and RouterB (headquarters gateway) each face the PPPoE server on GE1/0/0 and establish an IPSec tunnel across the Internet. RouterA Eth2/0/0 10.1.1.1/24 serves PC A 10.1.1.2/24 on the branch subnet; RouterB Eth2/0/0 10.1.2.1/24 serves PC B 10.1.2.2/24 on the headquarters subnet. The DNS server 70.1.1.11 and the DDNS server are reachable on the public network.]


NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In earlier versions of V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
dns resolve //Configure DNS.
dns server 70.1.1.11 //Specify the DNS server IP address.
ddns policy ddnspolicy1 //Configure a DDNS policy.
url oray://username1:password1@phddnsdev.oray.net //Configure the URL of the
DDNS server.
#
acl number 3003 //Configure an ACL to permit data flows from 10.1.1.0/24 to
10.1.2.0/24.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
#
ike peer rut1 v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
remote-address www.huaweib.com //The domain name has been registered with the
DDNS server.
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy.
security acl 3003
ike-peer rut1
proposal prop1
#
interface Dialer1 //Set parameters on the dialer interface.
link-protocol ppp
ppp chap user user@huawei.com
ppp chap password cipher %@%@l$S'&"Sm7!j4F#)i{{G#L3Wu%@%@
ip address ppp-negotiate
dialer user huawei
dialer bundle 1
dialer-group 1
ddns policy ddnspolicy1 //Apply the DDNS policy to the dialer interface so that
the DDNS client can notify the DDNS server of changes in mappings between domain
names and IP addresses when the interface IP address changes.
ipsec policy policy1 //Apply the IPSec policy to the dialer
interface.


#
interface GigabitEthernet1/0/0 //Bind the dialer interface to the physical
interface and establish a PPPoE session.
pppoe-client dial-bundle-number 1
#
interface Ethernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
dialer-rule //Configure a dialer access group to permit all IPv4 packets to pass
through.
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 dialer1 //Default route through the dialer interface.
#
return

Step 2 Configure RouterB.


#
sysname RouterB //Configure the device name.
#
dns resolve //Configure DNS.
dns server 70.1.1.11 //Specify the DNS server IP address.
ddns policy ddnspolicy1 //Configure a DDNS policy.
url oray://username2:password2@phddnsdev.oray.net //Configure the URL of the
DDNS server.
#
acl number 3003 //Configure an ACL to permit data flows from 10.1.2.0/24 to
10.1.1.0/24.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal prop1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
#
ike peer rut1 v1 //Configure an IKE peer.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
remote-address www.huaweia.com //The domain name has been registered with the
DDNS server.
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy.
security acl 3003
ike-peer rut1
proposal prop1
#
interface Dialer1 //Set parameters on the dialer interface.
link-protocol ppp
ppp chap user user@huawei.com
ppp chap password cipher %@%@l$S'&"Sm7!j4F#)i{{G#L3Wu%@%@
ip address ppp-negotiate
dialer user huawei
dialer bundle 1
dialer-group 1
ddns policy ddnspolicy1 //Apply the DDNS policy to the dialer interface so that
the DDNS client can notify the DDNS server of changes in mappings between domain
names and IP addresses when the interface IP address changes.
ipsec policy policy1 //Apply the IPSec policy to the dialer
interface.
#
interface GigabitEthernet1/0/0 //Bind the dialer interface to the physical
interface and establish a PPPoE session.


pppoe-client dial-bundle-number 1
#
interface Ethernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
dialer-rule //Configure a dialer access group to permit all IPv4 packets to pass
through.
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 dialer1 //Default route through the dialer interface.
#
return

Step 3 Verify the configuration.

# After the configurations are complete, PC A can ping PC B successfully. Data exchanged
between PC A and PC B is encrypted. You can run the display ipsec statistics command to
view packet statistics.

# Run the display ike sa and display ipsec sa commands on RouterA and RouterB. You can
view the IPSec tunnel configuration.

----End
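The ACLs on RouterA and RouterB describe the same data flow from opposite directions, and IKE negotiation fails or return traffic is dropped when they do not. Whether two such ACLs are mirror images can be checked automatically; the following Python script is an added example, not part of this document or of the router software. It parses constructed copies of the two acl number 3003 stanzas from Steps 1 and 2 (same values), converts each VRP wildcard into a prefix, and lists every permitted flow on one end that has no reversed counterpart on the other. It also reports duplicate rule numbers, because a rule entered with an existing number replaces that rule rather than adding a second one.

```python
import ipaddress
import re

# Constructed copies of the ACL stanzas from RouterA and RouterB above.
ROUTERA_ACL = """\
acl number 3003
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
"""
ROUTERB_ACL = """\
acl number 3003
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
"""
# Constructed example of a common slip: two rules with the same number.
DUPLICATE_RULE_ACL = """\
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
"""

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"\s+source\s+(?P<src>\S+)\s+(?P<swc>\S+)"
    r"\s+destination\s+(?P<dst>\S+)\s+(?P<dwc>\S+)"
)


def parse_acl_rules(text):
    """Return {rule_id: (action, src_network, dst_network)} for the advanced-ACL
    rules in text. A VRP wildcard is a host mask, which ipaddress accepts
    directly in 'address/hostmask' form. A repeated rule id overwrites the
    earlier entry, which is also what the device does."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_network(f"{m.group('src')}/{m.group('swc')}", strict=False)
        dst = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dwc')}", strict=False)
        rules[int(m.group("id"))] = (m.group("action"), src, dst)
    return rules


def duplicate_rule_ids(text):
    """Return the rule ids that appear more than once, in first-seen order."""
    seen, dups = set(), []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rid = int(m.group("id"))
            if rid in seen and rid not in dups:
                dups.append(rid)
            seen.add(rid)
    return dups


def mirror_mismatches(local_text, remote_text):
    """Return (src, dst) permit flows on the local end that have no (dst, src)
    permit on the remote end, as prefix strings."""
    local = {(s, d) for a, s, d in parse_acl_rules(local_text).values() if a == "permit"}
    remote = {(s, d) for a, s, d in parse_acl_rules(remote_text).values() if a == "permit"}
    return sorted((str(s), str(d)) for s, d in local if (d, s) not in remote)


if __name__ == "__main__":
    print("RouterA vs RouterB:", mirror_mismatches(ROUTERA_ACL, ROUTERB_ACL) or "mirrored")
    # Copying the branch ACL unchanged to the headquarters is a classic mistake.
    print("RouterA vs copy of itself:", mirror_mismatches(ROUTERA_ACL, ROUTERA_ACL))
    print("duplicate rule ids:", duplicate_rule_ids(DUPLICATE_RULE_ACL))
```

Run the check in both directions (local against remote and remote against local) so that a flow present only on the headquarters side is reported as well.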

Configuration Notes
If an IPSec tunnel cannot be reestablished because the IP address of the dialer interface
changes frequently, use either of the following methods:
l If IPSec policies are configured at both ends, configure DPD to detect faults on the
remote end.
l If an IPSec policy is configured at one end and an IPSec policy template is configured at
the other end, run the ipsec remote traffic-identical accept command (supported by
V2R3C00 and later versions) on the end where the IPSec policy template is configured.
This command allows new users with the same traffic rule as original branch users to
access the headquarters network so that the existing IPSec SAs can be rapidly aged and a
new IPSec tunnel can be established.

5.4.17 Example for Establishing an IPSec Tunnel for Employees on a Business Trip to Connect to the Headquarters

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-77, RouterA functions as the headquarters gateway. Traveling
employees use PC A to communicate with the headquarters through the public network. To
ensure security of traveling employees, the enterprise requires that an IPSec tunnel be set up
between the traveling employee's PC and headquarters gateway.

In this example, the PC runs Windows 7 operating system.


Figure 5-77 Networking for configuring an IPSec tunnel between the PC and router
[Figure: PC A (traveling employee, 10.1.1.1/24) establishes an IPSec tunnel over the public network to RouterA (headquarters gateway), GE1/0/0 200.1.1.1/24, behind which the enterprise headquarters is located.]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In earlier versions of V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
ipsec proposal prop //Configure an IPSec proposal.
encapsulation-mode transport
#
ike proposal 5 //Configure an IKE proposal.
#
ike peer peer1 v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
#
ipsec policy-template temp1 10 //Configure an IPSec policy template.
ike-peer peer1
proposal prop
#
ipsec policy policy1 10 isakmp template temp1 //Configure an IPSec policy.
#
interface GigabitEthernet1/0/0
ip address 200.1.1.1 255.255.255.0
ipsec policy policy1
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.2 //Configure a static route.
#
return


Step 2 Configure PC A.
# Create an IPSec policy.
Choose Control Panel > System and Security > Administrative Tools > IP Security
Policies on Local Computer.
Right-click IP Security Policies on Local Computer shown in Figure 5-78. The IP security
policy wizard is displayed.

Figure 5-78 Creating an IPSec policy

Figure 5-79, Figure 5-80, Figure 5-81, and Figure 5-82 show how to create an IPSec policy.


Figure 5-79 Welcome to the IP Security Policy Wizard page

Figure 5-80 Editing the IP Security Policy Name page


Figure 5-81 Specifying the PC to respond to requests for secure communication


Figure 5-82 Completing the IP Security Policy Wizard page

On the IPSec Properties page shown in Figure 5-83, deselect Use Add Wizard and click
Add to add rules.


Figure 5-83 IPSec Properties page

# Set attributes of an IPSec policy.


1. Configure an IP filter list.
On the IP Filter List tab page shown in Figure 5-84, click Edit to edit an IP filter list.


Figure 5-84 Editing the New IP Filter List page

On the IP Filter List page shown in Figure 5-85, deselect Use Add Wizard and click
Add to add an IP filter list.


Figure 5-85 Adding an IP filter list

Configure IP filter attributes. On the Addresses tab page shown in Figure 5-86, select
My IP Address as the source address, headquarters gateway IP address as the
destination address, and mirror data flows.


Figure 5-86 Editing the Addresses tab page

On the Protocol tab page shown in Figure 5-87, select Any from the Select a protocol
type drop-down list box.


Figure 5-87 Editing the Protocol tab page

On the Description tab page shown in Figure 5-88, configure a description for the IP
filter.


Figure 5-88 Editing the Description tab page

Click OK. The IP Filter List page shown in Figure 5-89 is displayed.


Figure 5-89 IP Filter List page

Click OK. The New Rule Properties page shown in Figure 5-90 is displayed.


Figure 5-90 New Rule Properties page

2. Configure a filter action.


On the Filter Action tab page shown in Figure 5-91, click Edit.


Figure 5-91 Editing the Filter Action tab page

The New Filter Action Properties page shown in Figure 5-92 is displayed. Select
Accept unsecured communication, but always respond using IPSec and click Add.


Figure 5-92 Editing the Filter Action Properties page

The Security Methods page shown in Figure 5-93 is displayed. Select Custom and
click Settings.


Figure 5-93 Editing the Security Methods page

The Custom Security Method Settings page shown in Figure 5-94 is displayed. Set
integrity and encryption algorithms, and perform session key settings.


Figure 5-94 Editing the Custom Security Method Settings page

Click OK until the Filter Action tab page is displayed.


NOTE

The MD5, SHA1, DES and 3DES algorithms have security risks. Exercise caution when you use
non-authentication.
3. Configure authentication methods.
On the Authentication Methods tab page shown in Figure 5-95, click Edit.


Figure 5-95 Editing the Authentication Methods tab page

The Authentication Method Properties page shown in Figure 5-96 is displayed. Select
Use the string (preshared key) and use the pre-shared key huawei.


Figure 5-96 Editing the Authentication Method Properties page

4. Configure an encapsulation mode.


On the Tunnel Setting tab page shown in Figure 5-97, select This rule does not specify
an IPsec tunnel. That is, the transport mode is used.


Figure 5-97 Editing the Tunnel Setting tab page

5. Configure a connection mode.


On the Connection Type tab page shown in Figure 5-98, select All network
connections.


Figure 5-98 Editing the Connection Type tab page

6. Configure an IKE proposal.


Click Apply. The IPSec Properties page is displayed. Click General and select
Settings, as shown in Figure 5-99.


Figure 5-99 General tab page

On the Key Exchange Settings page, select Methods, as shown in Figure 5-100.


Figure 5-100 Editing the Key Exchange Settings page

On the Key Exchange Security Methods page, select Add, as shown in Figure 5-101.


Figure 5-101 Editing the Key Exchange Security Methods page

Add security methods, and click OK, as shown in Figure 5-102.


Figure 5-102 Added key exchange methods

On the IPSec Properties page shown in Figure 5-103, click OK.


NOTE

The MD5, SHA1, DES and 3DES algorithms have security risks. Exercise caution when you use
non-authentication.


Figure 5-103 Completing IPSec policy setting

# Apply the IPSec policy.


On the IP Security on Local Computer page, right-click the configured IPSec policy and
click Assign, as shown in Figure 5-104. That is, apply the IPSec policy to the PC.


Figure 5-104 Assigning the configured IPSec policy

Step 3 Verify the configuration.


# After the configurations are complete, PC A can ping RouterA successfully. Data exchanged
between PC A and RouterA is encrypted. You can run the display ipsec statistics command
to view packet statistics.
# Run the display ike sa and display ipsec sa commands on RouterA. You can view
information about successful IPSec tunnel setup.

----End

Configuration Notes
The IPSec configuration on the PC is much more complex than that on the router, so you must
be familiar with the IPSec configuration on the router first.
A host-to-gateway IPSec tunnel is established between a traveling employee's PC and the
headquarters gateway; therefore, the IPSec tunnel uses the transport mode.

5.4.18 Example for Establishing an IPSec Tunnel In Manual and IKE Negotiation Modes

Applicability
This example applies to all AR routers of all versions.


Networking Requirements
As shown in Figure 5-105, Router_1, Router_2, and Router_3 are the municipal branch
gateway, county-level branch gateway, and headquarters gateway of an enterprise. Branches
and the headquarters communicate over the public network. The enterprise has few municipal
branches but many county-level branches.
The enterprise wants to implement direct communication between the county-level branch
and the municipal branch, between the county-level branch and the headquarters, and between
the municipal branch and the headquarters, and to protect the traffic exchanged between the
branches and the headquarters.

Figure 5-105 Establishing an IPSec tunnel in manual and IKE negotiation modes
[Figure: Router_1 (municipal branch gateway): GE0/0/1 60.1.1.1/24 to the Internet, GE0/0/2 192.168.1.2/24 to PC_1 192.168.1.1/24. Router_2 (county-level gateway): GE0/0/1 60.1.2.1/24, GE0/0/2 192.168.2.2/24 to PC_2 192.168.2.1/24. Router_3 (headquarters gateway): GE0/0/1 60.1.3.1/24, GE0/0/2 192.168.3.2/24 to PC_3 192.168.3.1/24. IPSec tunnels run over the Internet between each pair of gateways.]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In earlier versions of V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure the municipal branch gateway Router_1.
#
sysname Router_1
#


acl number 3001 //When a policy template is used, ACL reference is optional,
and you only need to define the data flow to the headquarters on Router_1.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec policy policy1 10 manual //Manually configure an IPSec policy for
establishing an IPSec tunnel with the headquarters.
security acl 3001
proposal tran1
tunnel local 60.1.1.1
tunnel remote 60.1.3.1
sa spi inbound esp 12345 //Set the inbound SPI, which must be the same as
the outbound SPI in the headquarters.
sa string-key inbound esp cipher %^%#zxX++-NU.;$%h;BB9zu1|7(EKNwdZAHC"EPP1y{S%^
%# //Set the authentication key for the inbound SA to Huawei@123, which must
be the same as the authentication key for the outbound SA in the headquarters.
sa spi outbound esp 54321 //Set the outbound SPI, which must be the same as
the inbound SPI in the headquarters.
sa string-key outbound esp cipher %^%#$~1!;0~-Z8a5n\2'#~J'L`eOO>i7iMm*mY173mG7%^
%# //Set the authentication key for the outbound SA to Huawei@321, which must
be the same as the authentication key for the inbound SA in the headquarters.
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut1 v2 //When a policy template is used to establish an IPSec tunnel
with the county-level branch, you do not need to specify a remote address because
Router_1 functions as the IKE responder.
pre-shared-key cipher %^%#]%qh%KV&]('NP)+OE3VF"nAn7VF%/+EgfmX3BE|*%^%# //Set
the pre-shared key to Huawei@4321 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@4321 is displayed in plain text.
ike-proposal 5
#
ike identity identity1 //Configure an identity filter set to specify qualified
county-level branches.
name huaweirt2 //In V200R008 and later versions, the device does not support
the name command. The fqdn command provides a similar function.
ip address 60.1.2.0 255.255.255.0
#
ipsec policy-template use1 20
ike-peer rut1
proposal tran1
match ike-identity identity1
#
ipsec policy policy1 20 isakmp template use1 //Configure an IPSec policy using
the policy template for establishing an IPSec tunnel with the county-level branch.
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for
setting up an IKE connection and encapsulating the outer IP address.
ip address 60.1.1.1 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy group to the interface and
enable IPSec.
#
interface GigabitEthernet0/0/2 //Configure an interface connected to the
service segment.
ip address 192.168.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.2 //Configure a static route.
#
return
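In manual mode there is no IKE negotiation to reject mismatched parameters, so the inbound SPI and key on Router_1 must equal the outbound SPI and key on the headquarters gateway and vice versa, as the comments in Step 1 state. The following Python script is an added example, not part of this document or of the router software. It parses a constructed copy of the Router_1 manual policy stanza above together with a constructed counterpart for Router_3 (whose configuration is not shown in this section), takes the plain-text keys Huawei@123 and Huawei@321 from the comments because the cipher-text keys stored on the devices cannot be compared across devices, and reports every crossed SPI, key or tunnel address.

```python
import re

# Constructed copy of the Router_1 manual IPSec policy from Step 1 (same values;
# the cipher-text sa string-key lines are omitted and the plain-text keys are
# passed to parse_manual_policy instead).
ROUTER1_STANZA = """\
ipsec policy policy1 10 manual
 security acl 3001
 proposal tran1
 tunnel local 60.1.1.1
 tunnel remote 60.1.3.1
 sa spi inbound esp 12345
 sa spi outbound esp 54321
"""

# Constructed counterpart for the headquarters gateway Router_3 (assumed; not
# shown on the page). Every inbound value is Router_1's outbound value.
ROUTER3_STANZA = """\
ipsec policy policy1 10 manual
 security acl 3001
 proposal tran1
 tunnel local 60.1.3.1
 tunnel remote 60.1.1.1
 sa spi inbound esp 54321
 sa spi outbound esp 12345
"""


def parse_manual_policy(stanza, key_in, key_out):
    """Extract tunnel endpoints and SPIs from a VRP manual-mode policy stanza.
    key_in/key_out are the plain-text authentication keys of the inbound and
    outbound SA; on the device they appear only as cipher text."""
    end = {"key_in": key_in, "key_out": key_out}
    for line in stanza.splitlines():
        line = line.strip()
        m = re.match(r"tunnel (local|remote) (\S+)$", line)
        if m:
            end["tunnel_" + m.group(1)] = m.group(2)
            continue
        m = re.match(r"sa spi (inbound|outbound) (ah|esp) (\d+)$", line)
        if m:
            end["spi_in" if m.group(1) == "inbound" else "spi_out"] = int(m.group(3))
    missing = [k for k in ("tunnel_local", "tunnel_remote", "spi_in", "spi_out") if k not in end]
    if missing:
        raise ValueError("manual policy is missing " + ", ".join(missing))
    return end


def check_manual_sa_pair(a, b):
    """Return the inconsistencies between the two manually keyed ends of one
    tunnel. Nothing on the wire reports these at run time; the only symptom of
    a crossed SPI or key is traffic silently dropped on receipt."""
    problems = []
    if a["tunnel_remote"] != b["tunnel_local"] or b["tunnel_remote"] != a["tunnel_local"]:
        problems.append("tunnel local/remote addresses are not mirrored")
    if a["spi_in"] != b["spi_out"]:
        problems.append(f"A inbound SPI {a['spi_in']} != B outbound SPI {b['spi_out']}")
    if a["spi_out"] != b["spi_in"]:
        problems.append(f"A outbound SPI {a['spi_out']} != B inbound SPI {b['spi_in']}")
    if a["key_in"] != b["key_out"]:
        problems.append("A inbound key != B outbound key")
    if a["key_out"] != b["key_in"]:
        problems.append("A outbound key != B inbound key")
    # RFC 4303 reserves SPI values 1-255 for IANA and 0 for local use, so a
    # manually chosen SPI should lie in 256..4294967295.
    for name, end in (("A", a), ("B", b)):
        for field in ("spi_in", "spi_out"):
            if not 256 <= end[field] <= 0xFFFFFFFF:
                problems.append(f"{name} {field} {end[field]} is outside 256..4294967295")
    return problems


if __name__ == "__main__":
    r1 = parse_manual_policy(ROUTER1_STANZA, key_in="Huawei@123", key_out="Huawei@321")
    r3 = parse_manual_policy(ROUTER3_STANZA, key_in="Huawei@321", key_out="Huawei@123")
    print("Router_1 <-> Router_3:", check_manual_sa_pair(r1, r3) or "consistent")
    # Keys copied to the headquarters unchanged instead of swapped.
    crossed = parse_manual_policy(ROUTER3_STANZA, key_in="Huawei@123", key_out="Huawei@321")
    print("keys copied instead of swapped:", check_manual_sa_pair(r1, crossed))
```

Because the comparison needs the plain-text keys, run it from the change record in which the keys were generated rather than from the device configurations, which only hold cipher text.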

Step 2 Configure the county-level branch gateway Router_2.


#
sysname Router_2
#
ike local-name huaweirt2
#
acl number 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
acl number 3002
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut1 v2 //Configure an IKE peer used to negotiate with the headquarters
for establishing an IPSec tunnel. You must specify a remote address.
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
remote-address 60.1.3.1
#
ike peer rut2 v2 //Configure an IKE peer used to negotiate with the municipal
branch for establishing an IPSec tunnel. You must specify a remote address.
pre-shared-key cipher %^%#F[de7*vUZ9ZT)V5UEqX(g|)XG`S)xT}:C."&>c].%^%# //Set
the pre-shared key to Huawei@4321 in ciphertext. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@4321 is displayed in plaintext.
ike-proposal 5
remote-address 60.1.1.1
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy for establishing an
IPSec tunnel with the headquarters.
security acl 3001
ike-peer rut1
proposal tran1
ipsec policy policy1 20 isakmp //Configure an IPSec policy for establishing an
IPSec tunnel with the municipal branch.
security acl 3002
ike-peer rut2
proposal tran1
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for
setting up an IKE connection and encapsulating the outer IP address.
ip address 60.1.2.1 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy group to the interface and enable
IPSec.
#
interface GigabitEthernet0/0/2 //Configure an interface connected with the
service segment.
ip address 192.168.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.2.2 //Configure a static route.
#
return

Step 3 Configure the headquarters gateway Router_3.


#
sysname Router_3
#
acl number 3001 //When a policy template is used, ACL reference is optional,
and you only need to define the data flow to the municipal branch on Router_3.
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec policy policy1 10 manual //Manually configure an IPSec policy for
establishing an IPSec tunnel with the municipal branch.
security acl 3001
proposal tran1
tunnel local 60.1.3.1
tunnel remote 60.1.1.1
sa spi inbound esp 54321 //Set the inbound SPI, which must be the same as
the outbound SPI in the municipal branch.
sa string-key inbound esp cipher %^%#$~1!;0~-Z8a5n\2'#~J'L`eOO>i7iMm*mY173mG7%^
%# //Set the authentication key for the inbound SA to Huawei@321, which must
be the same as the authentication key for the outbound SA in the municipal branch.
sa spi outbound esp 12345 //Set the outbound SPI, which must be the same as
the inbound SPI in the municipal branch.
sa string-key outbound esp cipher %^%#zxX++-NU.;$%h;BB9zu1|7(EKNwdZAHC"EPP1y{S%^
%# //Set the authentication key for the outbound SA to Huawei@123, which must
be the same as the authentication key for the inbound SA in the municipal branch.
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut1 v2 //When a policy template is used to establish an IPSec tunnel
with the county-level branch, you do not need to specify a remote address because
Router_3 functions as the IKE responder.
pre-shared-key cipher %^%#SNMkBqDAZOwo!9=MwR{+h;Bp"JEU.-s!Z=Wdu7_@%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
#
ike identity identity1 //Configure an identity filter set to specify
qualified county-level branches.
name huaweirt2 //In V200R008 and later versions, the device does not support
the name command. The fqdn command provides a similar function.
ip address 60.1.2.0 255.255.255.0
#
ipsec policy-template use1 20
ike-peer rut1
proposal tran1
match ike-identity identity1
#
ipsec policy policy1 20 isakmp template use1 //Configure an IPSec policy using
the policy template for establishing an IPSec tunnel with the county-level branch.
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for
setting up an IKE connection and encapsulating the outer IP address.
ip address 60.1.3.1 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy group to the interface and enable
IPSec.
#
interface GigabitEthernet0/0/2 //Configure an interface connected to the
service segment.
ip address 192.168.3.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.3.2 //Configure a static route.
#
return

Step 4 Verify the configuration.


After the configurations are complete:

• Ping PC_3 from PC_1 and PC_2 respectively. The ping operations succeed. Run the display ipsec statistics command to view statistics on IPSec packets. The value of the Inpacket decap count/Outpacket encap count (in a version earlier than V200R008) or input/output security packets (in V200R008 or a later version) field is not 0, indicating that data transmitted between the branches and headquarters is encrypted.
• Run the display ipsec sa command on Router_1, Router_2, and Router_3 to view information about established SAs. The command output contains the Tunnel remote (tunnel destination address) and Mode (security policy mode in which the IPSec tunnel is established) fields.
  – On Router_1, the security policy mode for the tunnel with the destination address 60.1.3.1 is Manual, and that for the tunnel with the destination address 60.1.2.1 is Template.
  – On Router_2, the security policy mode for the tunnels with the destination addresses 60.1.1.1 and 60.1.3.1 is ISAKMP.
  – On Router_3, the security policy mode for the tunnel with the destination address 60.1.1.1 is Manual, and that for the tunnel with the destination address 60.1.2.1 is Template.
• Run the display ike sa v2 command on Router_1, Router_2, and Router_3 to view SAs established through IKE negotiation. (In V200R008 and later versions, the V2 parameter is not supported.)
  – Only the entry whose peer is 60.1.2.1 exists on Router_1.
  – The entries whose peers are 60.1.1.1 and 60.1.3.1 exist on Router_2.
  – Only the entry whose peer is 60.1.2.1 exists on Router_3.

----End

Configuration Notes
• When the headquarters uses an IPSec policy template to establish IPSec tunnels, you do not need to specify the remote address or remote name of the IKE peer.
• The IKE peers must use the same pre-shared key.
• When configuring an IPSec policy manually, you must specify the inbound and outbound SPIs. The inbound SPI on the local end must be the same as the outbound SPI on the remote end. The outbound SPI on the local end must be the same as the inbound SPI on the remote end.

5.4.19 Example for Establishing an IPSec Tunnel Between the Enterprise Headquarters and Branch Using a Multi-Link Shared IPSec Policy Group

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 5-106, RouterA (branch gateway) and RouterB (headquarters gateway)
communicate through the Internet. RouterA uses two egress links in backup or load balancing
mode. The branch subnet is 10.1.1.0/24 and the headquarters subnet is 10.1.2.0/24.

The enterprise wants to protect traffic between the branch subnet and headquarters subnet. If
an active/standby switchover occurs or the egress link becomes faulty, IPSec services need to
be switched smoothly.

Figure 5-106 Establishing an IPSec tunnel between the enterprise headquarters and branch using a multi-link shared IPSec policy group
[Figure: RouterA (branch gateway) has LoopBack0 1.1.1.1/32, GE1/0/0 70.1.1.1/24, GE2/0/0 80.1.1.1/24 and GE3/0/0 10.1.1.1/24 facing the branch subnet (PC A 10.1.1.2/24). RouterB (headquarters gateway) has GE1/0/0 60.1.1.1/24 and GE3/0/0 10.1.2.1/24 facing the headquarters subnet (PC B 10.1.2.2/24). An IPSec tunnel runs between RouterA and RouterB.]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
• In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
• In V200R008 and later versions:
  – To configure IKE peers: ike peer peer-name
  – To configure the IKE protocol: version { 1 | 2 }
  By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3101 //Configure ACL 3101 to match traffic sent from Branch subnet to
Headquarters subnet.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-
cbc-128 parameter is changed to aes-128.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256

#
ike peer rut v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
remote-address 60.1.1.1
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer rut
proposal prop
#
ipsec policy policy1 shared local-interface LoopBack0 //Configure a multi-link
shared IPSec policy group.
#
interface GigabitEthernet1/0/0
ip address 70.1.1.1 255.255.255.0
ipsec policy policy1 //Bind the IPSec policy group.
#
interface GigabitEthernet2/0/0
ip address 80.1.1.1 255.255.255.0
ipsec policy policy1 //Bind the IPSec policy group.
#
interface GigabitEthernet3/0/0
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ip route-static 10.1.2.0 255.255.255.0 70.1.1.2 preference 10 //Configure a
static route from GE1/0/0 of RouterA to the internal network on the headquarters
network.
ip route-static 10.1.2.0 255.255.255.0 80.1.1.2 preference 20 //Configure a
static route from GE2/0/0 of RouterA to the internal network on the headquarters
network.
ip route-static 60.1.1.0 255.255.255.0 70.1.1.2 preference 10 //Configure a
static route from GE1/0/0 of RouterA to the LAN-side interface on the
headquarters network.
ip route-static 60.1.1.0 255.255.255.0 80.1.1.2 preference 20 //Configure a
static route from GE2/0/0 of RouterA to the LAN-side interface on the
headquarters network.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
acl number 3101 //Configure ACL 3101 to match traffic sent from Headquarters
subnet to Branch subnet.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal prop //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-
cbc-128 parameter is changed to aes-128.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut v1 //Configure an IKE peer.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
remote-address 1.1.1.1
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer rut
proposal prop
#
interface GigabitEthernet1/0/0
ip address 60.1.1.1 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet3/0/0
ip address 10.1.2.1 255.255.255.0
#
ip route-static 1.1.1.1 255.255.255.255 60.1.1.2 //Configure a static route with
the destination address as the Loopback interface of the peer.
ip route-static 10.1.1.0 255.255.255.0 60.1.1.2 //Configure a static route with
the destination address as the LAN-side interface of the branch.
ip route-static 70.1.1.0 255.255.255.0 60.1.1.2 //Configure a static route with
the destination address as the LAN-side interface GE1/0/0 of the branch.
ip route-static 80.1.1.0 255.255.255.0 60.1.1.2 //Configure a static route with
the destination address as the LAN-side interface GE2/0/0 of the branch.
#
return

Step 3 Verify the configuration.


Run the display ike sa verbose and display ipsec sa commands on RouterA to view the
IPSec tunnel configuration.

----End

Configuration Notes
• ACLs configured on devices in the headquarters and branch must mirror each other.
• There must be reachable routes between the headquarters and branch.
• All IPSec policies must be bound to WAN-side outbound interfaces.
• The headquarters and branches use the same pre-shared key.
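The Configuration Notes of this example and of 5.4.18 state invariants that must hold across both ends of a tunnel: manual-SA SPIs swapped between the ends, security ACLs that mirror each other, and the same pre-shared key on both IKE peers. The following added example (not from the document or the product) parses two constructed VRP-style configuration snippets and checks those invariants before the configuration is pushed; the config text, the deliberately mis-copied branch config and the audit helper are constructed for illustration, and the peer name rut1 is borrowed from 5.4.18.

```python
"""Cross-check two IPSec gateway configs for the rules the Configuration Notes
state: manual-SA SPIs swapped between the ends, security ACLs that mirror each
other, and the same pre-shared key on both IKE peers.  Added example; the
configuration text below is constructed in the page's style, not a device dump."""
import re

RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def parse_config(text):
    """Collect ACL rules, IKE peers and IPSec policies; a '#' line ends a block."""
    cfg = {"acl": {}, "peer": {}, "policy": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.split(" //")[0].strip()            # drop trailing comments
        if not line or line == "#":
            cur = None
            continue
        tok = line.split()
        if tok[:2] == ["acl", "number"]:
            cur = cfg["acl"].setdefault(tok[2], [])
        elif tok[:2] == ["ike", "peer"]:
            cur = cfg["peer"].setdefault(tok[2], {})
        elif tok[:2] == ["ipsec", "policy"] and len(tok) > 4 and tok[3].isdigit():
            cur = cfg["policy"].setdefault((tok[2], int(tok[3])), {"mode": tok[4]})
        elif isinstance(cur, list):                   # inside an ACL
            m = RULE_RE.match(line)
            if m:
                cur.append(m.groups())
        elif isinstance(cur, dict):                   # inside a peer or a policy
            if tok[0] == "pre-shared-key":
                cur["psk"] = ("cipher", tok[2]) if tok[1] == "cipher" else ("plain", tok[1])
            elif tok[:2] == ["security", "acl"]:
                cur["acl"] = tok[2]
            elif tok[:2] == ["sa", "spi"]:            # sa spi inbound|outbound esp N
                cur["spi_" + tok[2]] = int(tok[4])
    return cfg

def bound_rules(cfg):
    """(src, wildcard, dst, wildcard) of every ACL rule referenced by a policy."""
    return {r for p in cfg["policy"].values() for r in cfg["acl"].get(p.get("acl"), [])}

def check_pair(local, remote, lpeer, rpeer):
    """Return the mismatches between a local and a remote gateway config."""
    problems = []
    # Manual SAs: local inbound SPI == remote outbound SPI, and the reverse.
    lman = sorted(k for k, p in local["policy"].items() if p["mode"] == "manual")
    rman = sorted(k for k, p in remote["policy"].items() if p["mode"] == "manual")
    for lk, rk in zip(lman, rman):
        lp, rp = local["policy"][lk], remote["policy"][rk]
        for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
            if lp.get("spi_" + mine) != rp.get("spi_" + theirs):
                problems.append(f"{mine} SPI {lp.get('spi_' + mine)} on {lk} != "
                                f"{theirs} SPI {rp.get('spi_' + theirs)} on {rk}")
    # Security ACLs must mirror: every (src, dst) here is (dst, src) there.
    mirrored = {(d, dw, s, sw) for s, sw, d, dw in bound_rules(local)}
    if mirrored != bound_rules(remote):
        problems.append("security ACLs do not mirror each other")
    # Only plain-text keys can be compared; the cipher form differs per device.
    lkey, rkey = local["peer"][lpeer].get("psk"), remote["peer"][rpeer].get("psk")
    if lkey is None or rkey is None:
        problems.append("pre-shared key missing on one peer")
    elif "cipher" in (lkey[0], rkey[0]):
        problems.append("cipher-text keys cannot be compared; re-enter the key on both ends")
    elif lkey[1] != rkey[1]:
        problems.append("pre-shared keys differ")
    return problems

def audit(local_text, remote_text, lpeer="rut1", rpeer="rut1"):
    return check_pair(parse_config(local_text), parse_config(remote_text), lpeer, rpeer)

# Constructed headquarters config modelled on Router_3 in 5.4.18 (manual SA to
# the municipal branch; plain-text key as displayed before V2R3C00).
HQ = """\
acl number 3001
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ike peer rut1 v2
 pre-shared-key Huawei@1234
#
ipsec policy policy1 10 manual
 security acl 3001
 sa spi inbound esp 54321
 sa spi outbound esp 12345
#
"""
# Constructed branch config that mirrors HQ correctly: SPIs swapped, ACL reversed.
BRANCH_OK = HQ
for old, new in (("inbound esp 54321", "inbound esp 12345"),
                 ("outbound esp 12345", "outbound esp 54321"),
                 ("source 192.168.3.0 0.0.0.255 destination 192.168.1.0",
                  "source 192.168.1.0 0.0.0.255 destination 192.168.3.0")):
    BRANCH_OK = BRANCH_OK.replace(old, new)
# Constructed branch config with the classic mistake: HQ's SPIs and ACL copied verbatim.
BRANCH_BAD = HQ

if __name__ == "__main__":
    print("mirrored:", audit(HQ, BRANCH_OK) or "OK", "| copied:", audit(HQ, BRANCH_BAD))
```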

5.4.20 Example for Configuring IPSec Reverse Route Injection


Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-107, Router_1, Router_2, and Router_3 are gateways of the enterprise
headquarters, branch 1, and branch 2, and they communicate over the public network.
Because the branch gateways connect to multiple private networks, a large number of static
routes need to be configured on the headquarters gateway to direct data destined for branches
to the IPSec tunnel. Besides, the static route configuration on the headquarters gateway needs
to be adjusted when the internal network planning of enterprise branches changes. This results
in heavy workload and configuration errors may easily occur.
The enterprise wants to provide security protection for traffic between the headquarters and
branches, and reduce the configuration and maintenance workload on the headquarters
gateway.

Figure 5-107 Configuring IPSec reverse route injection
[Figure: Router_1 (headquarters gateway) has GE0/0/1 10.1.1.1/24 (host 10.1.1.2/24) and Eth2/0/0 1.1.1.1/24 (next hop 1.1.1.2/24). Router_2 (branch 1 gateway) has Eth1/0/1 1.2.1.1/24 (next hop 1.2.1.2/24), GE0/0/1 10.2.2.1/24 (host 10.2.2.2/24) and GE0/0/0 10.22.2.1/24 (host 10.22.2.2/24). Router_3 (branch 2 gateway) has GE0/0/1 1.4.1.1/24 (next hop 1.4.1.2/24), GE0/0/2 10.4.4.1/24 (host 10.4.4.2/24) and Eth2/0/0 10.44.4.1/24 (host 10.44.4.2/24). An IPSec tunnel runs from each branch gateway to Router_1.]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
• In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
• In V200R008 and later versions:
  – To configure IKE peers: ike peer peer-name
  – To configure the IKE protocol: version { 1 | 2 }
  By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
ipsec proposal def
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer center v1 //Configure an IKE peer. You do not need to specify a
remote address or a remote name.
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
local-address 1.1.1.1
#
ipsec policy-template center 1 //Configure an IPSec policy template.
ike-peer center
proposal def
route inject dynamic //Configure the dynamic route injection function to
automatically add static routes from the headquarters to branch subnets.
#
ipsec policy hk 1 isakmp template center //Configure an IPSec policy.
#
interface Ethernet2/0/0 //Configure an interconnection interface for
setting up an IKE connection and encapsulating the outer IP address.
ip address 1.1.1.1 255.255.255.0
ipsec policy hk //Bind the IPSec policy to the interface.
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0 //Configure an interface connected to the
service segment.
#
ip route-static 1.2.1.0 255.255.255.0 1.1.1.2 //Configure a static route from
the headquarters to branch 1 extranet.
ip route-static 1.4.1.0 255.255.255.0 1.1.1.2 //Configure a static route from
the headquarters to branch 2 extranet.
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
acl number 3000 //Configure ACL 3000 and define two data flows.
rule 0 permit ip source 10.2.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 5 permit ip source 10.22.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal def
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer branch v1 //Configure an IKE peer. You must specify a remote address.
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
local-address 1.2.1.1
remote-address 1.1.1.1
#
ipsec policy hk 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer branch
proposal def
#
interface Ethernet1/0/1 //Configure an interconnection interface for setting up
an IKE connection and encapsulating the outer IP address.
ip address 1.2.1.1 255.255.255.0
ipsec policy hk
#
interface GigabitEthernet0/0/0
ip address 10.22.2.1 255.255.255.0 //Configure an interface connected to
service segment 1.
#
interface GigabitEthernet0/0/1
ip address 10.2.2.1 255.255.255.0 //Configure an interface connected to service
segment 2.
#
ip route-static 1.1.1.0 255.255.255.0 1.2.1.2 //Configure a static route from
branch 1 to the headquarters extranet.
ip route-static 10.1.1.0 255.255.255.0 1.2.1.2 //Configure a static route from
branch 1 to the headquarters intranet.
#
return

Step 3 Configure Router_3.


#
sysname Router_3
#
acl number 3000 //Configure ACL 3000 and define two data flows.
rule 0 permit ip source 10.4.4.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 5 permit ip source 10.44.4.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal def
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer branch v1 //Configure an IKE peer. You must specify a remote address.
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
local-address 1.4.1.1
remote-address 1.1.1.1
#
ipsec policy hk 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer branch
proposal def
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for
setting up an IKE connection and encapsulating the outer IP address.
ip address 1.4.1.1 255.255.255.0
ipsec policy hk
#
interface Ethernet2/0/0
ip address 10.44.4.1 255.255.255.0 //Configure an interface connected to
service segment 1.
#
interface GigabitEthernet0/0/2
ip address 10.4.4.1 255.255.255.0 //Configure an interface connected to service
segment 2.
#
ip route-static 1.1.1.0 255.255.255.0 1.4.1.2 //Configure a static route from
branch 2 to the headquarters extranet.
ip route-static 10.1.1.0 255.255.255.0 1.4.1.2 //Configure a static route from
branch 2 to the headquarters intranet.
#
return

Step 4 Verify the configuration.

After the configurations are complete:


• Ping the host in the headquarters from the hosts in the branches. The ping operations succeed. Run the display ipsec statistics command to view statistics on IPSec packets. The value of the Inpacket decap count/Outpacket encap count (in a version earlier than V200R008) or input/output security packets (in V200R008 or a later version) field is not 0, indicating that data transmitted between the branches and headquarters is encrypted.
• Run the display ike sa command on the headquarters and branch gateways to view SA information.
• Run the display ip routing-table command on the headquarters gateway. The command output shows the routing entries from the headquarters to the branch subnets, where the destination addresses are 10.2.2.0/24, 10.22.2.0/24, 10.4.4.0/24, and 10.44.4.0/24, the next-hop address is 1.1.1.1, and the value of the Proto field is Unr, indicating injected routes.

----End

Configuration Notes
• When the headquarters uses an IPSec policy template to establish IPSec tunnels, you do not need to specify the remote address or remote name of the IKE peer.
• The headquarters and branches use the same pre-shared key.
• There must be reachable routes between the headquarters and branches.
• Only an SA established using dynamic IKE negotiation supports route injection; a manually established SA does not support route injection.

5.4.21 Example for Implementing QoS Guarantee for Traffic Passing Through the IPSec Tunnel


Applicability
This example applies to all AR models of V200R003C00 and later versions.

Networking Requirements
As shown in Figure 5-108, Router_1 and Router_2 are gateways of the enterprise branch and
headquarters, and they communicate over the public network. The bandwidth between the
branch egress and public network is 2 Mbit/s. VoIP, production, and office service flows are
transmitted between the headquarters and branch.

The enterprise wants to protect service flows transmitted between the enterprise branch and
headquarters and provide QoS guarantee for the VoIP, production, and office service flows.

• For the VoIP service flow, the IP priority must be set to 5 to ensure low latency and 500 kbit/s bandwidth.
• For the production service flow, the IP priority must be set to 4 to ensure 600 kbit/s bandwidth.
• For the office service flow, the IP priority must be set to 2 to ensure 800 kbit/s bandwidth.

Figure 5-108 Implementing QoS guarantee for traffic passing through the IPSec tunnel
[Figure: Router_1 (enterprise branch) has Eth1/0/0 20.1.1.1/24 (next hop 20.1.1.2) and the sub-interfaces Eth2/0/0.1 10.1.1.1/24 (VoIP, 10.1.1.0/24), Eth2/0/0.2 10.1.2.1/24 (production service, 10.1.2.0/24) and Eth2/0/0.3 10.1.3.1/24 (office service, 10.1.3.0/24) behind an LSW. Router_2 (enterprise headquarters) has Eth1/0/0 30.1.1.1/24 (next hop 30.1.1.2) and Eth2/0/0 192.168.2.1/24 (PC_3 192.168.2.2/24). An IPSec tunnel runs between Router_1 and Router_2.]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
• In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
• In V200R008 and later versions:
  – To configure IKE peers: ike peer peer-name
  – To configure the IKE protocol: version { 1 | 2 }
  By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure Router_1.
NOTE

Configure the downlink interfaces of the LSW connecting to terminals as access interfaces and add the
interfaces to the VLANs of the VoIP, production, and office services. Configure the uplink interface of the LSW
connecting to Router_1 as a trunk interface and configure it to allow packets from the VoIP,
production, and office service VLANs to pass. For detailed configurations, see the LSW configuration
manual.
#
sysname Router_1
#
ike local-name huawei01
#
acl number 3001 //Create an ACL rule to define the VoIP service flow.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3002 //Create an ACL rule to define the production service flow.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3003 //Create an ACL rule to define the office service flow.
rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer branch v1 //Configure an IKE peer.
exchange-mode aggressive
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 1
local-id-type name //Configure the local ID type for IKE negotiation. In
V200R008 and later versions, the name parameter is changed to fqdn.
remote-name huawei02 //Configure the IKE peer name. In V200R008 and later
versions, the device does not support the remote-name command. This command
provides the same function as the remote-id command.
local-address 20.1.1.1
remote-address 30.1.1.1
#
ipsec policy map1 10 isakmp //Create an IPSec policy for the VoIP service flow.
security acl 3001
ike-peer branch
proposal tran1
qos pre-classify
ipsec policy map1 20 isakmp //Create an IPSec policy for the production service
flow.
security acl 3002
ike-peer branch
proposal tran1
qos pre-classify
ipsec policy map1 30 isakmp //Create an IPSec policy for the office service flow.
security acl 3003
ike-peer branch
proposal tran1
qos pre-classify
#
traffic classifier tc1 operator or //Match the VoIP flow (ACL 3001); tp1 maps tc1 to tb1 (500 kbit/s, EF).
if-match acl 3001
traffic classifier tc2 operator or //Match the production flow (ACL 3002); tp1 maps tc2 to tb2 (600 kbit/s, AF4).
if-match acl 3002
traffic classifier tc3 operator or //Match the office flow (ACL 3003); tp1 maps tc3 to tb3 (800 kbit/s, AF2).
if-match acl 3003
#
traffic behavior tb1
car cir 500 cbs 94000 pbs 156500 mode color-blind green pass yellow pass red
discard
remark local-precedence ef
traffic behavior tb3
car cir 800 cbs 150400 pbs 250400 mode color-blind green pass yellow pass red
discard
remark local-precedence af2
traffic behavior tb2
car cir 600 cbs 112800 pbs 187800 mode color-blind green pass yellow pass red
discard
remark local-precedence af4
#
traffic policy tp1
classifier tc1 behavior tb1
classifier tc2 behavior tb2
classifier tc3 behavior tb3
#
interface Ethernet1/0/0 //Configure the external network interface.
ip address 20.1.1.1 255.255.255.0
traffic-policy tp1 outbound
ipsec policy map1
#
interface Ethernet2/0/0 //Configure the private network interface.
#
interface Ethernet2/0/0.1
dot1q termination vid 10 //Configure the sub-interface to terminate
the VLAN ID of the VoIP service flow and run the arp broadcast enable command to
enable ARP broadcast on the sub-interface. (ARP broadcast is enabled by default.)
ip address 10.1.1.1 255.255.255.0
#
interface Ethernet2/0/0.2
dot1q termination vid 20 //Configure the sub-interface to terminate
the VLAN ID of the production service flow and run the arp broadcast enable
command to enable ARP broadcast on the sub-interface. (ARP broadcast is enabled
by default.)
ip address 10.1.2.1 255.255.255.0
#
interface Ethernet2/0/0.3
dot1q termination vid 30 //Configure the sub-interface to terminate the
VLAN ID of the office service flow and run the arp broadcast enable command to
enable ARP broadcast on the sub-interface.
ip address 10.1.3.1 255.255.255.0
#
ip route-static 192.168.2.0 255.255.255.0 20.1.1.2 //Configure a static route
from the branch to the headquarters intranet.
ip route-static 30.1.1.0 255.255.255.0 20.1.1.2 //Configure a static route
from the branch to the headquarters extranet.
#
return
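The tb1/tb2/tb3 behaviours above rate-limit each service class with a single-rate CAR (cir, cbs, pbs; green pass, yellow pass, red discard). The following added example (not from the document or the product) simulates that marking with the VoIP parameters from tb1 so that you can see at which point a burst starts to be discarded; it assumes the cir/cbs/pbs CAR behaves as an RFC 2697 srTCM in colour-blind mode with both buckets initially full, which is an assumption about the platform, not something the page states.

```python
"""Single-rate three-colour marking as applied by the tb1/tb2/tb3 behaviours
(car cir ... cbs ... pbs ... green pass yellow pass red discard).  Added example,
assuming a two-bucket srTCM (RFC 2697): C (depth cbs) and E (depth pbs) both
refill at cir, E only from C's overflow; a packet is green if it fits in C,
yellow if it fits in E, otherwise red.  Colour-blind; both buckets start full."""


class SrTCM:
    def __init__(self, cir_kbps, cbs_bytes, pbs_bytes):
        self.cir = cir_kbps              # kbit/s == bits per millisecond
        self.cbs = cbs_bytes * 8         # bucket depths in bits
        self.pbs = pbs_bytes * 8
        self.tc, self.te = self.cbs, self.pbs
        self.last_ms = 0

    def _refill(self, now_ms):
        tokens = (now_ms - self.last_ms) * self.cir
        self.last_ms = now_ms
        room = self.cbs - self.tc
        self.tc += min(tokens, room)                     # fill C first
        self.te = min(self.pbs, self.te + max(0, tokens - room))  # overflow to E

    def colour(self, now_ms, size_bytes):
        self._refill(now_ms)
        bits = size_bytes * 8
        if bits <= self.tc:
            self.tc -= bits
            return "green"
        if bits <= self.te:
            self.te -= bits
            return "yellow"
        return "red"


# Actions from the page's behaviours: green pass, yellow pass, red discard.
ACTIONS = {"green": "pass", "yellow": "pass", "red": "discard"}


def run_car(packets, cir_kbps=500, cbs_bytes=94000, pbs_bytes=156500):
    """Meter (time_ms, size_bytes) packets, by default with the VoIP behaviour tb1;
    return the number of packets per colour and per action."""
    meter = SrTCM(cir_kbps, cbs_bytes, pbs_bytes)
    counts = {"green": 0, "yellow": 0, "red": 0, "pass": 0, "discard": 0}
    for t_ms, size in packets:
        c = meter.colour(t_ms, size)
        counts[c] += 1
        counts[ACTIONS[c]] += 1
    return counts


# Constructed traffic (1500-byte packets, 12000 bits each):
BURST = [(0, 1500)] * 200                           # 200 packets arriving at once
STEADY = [(24 * i, 1500) for i in range(1, 101)]    # one per 24 ms = exactly 500 kbit/s
DOUBLE = [(12 * i, 1500) for i in range(1, 201)]    # one per 12 ms = 1000 kbit/s

if __name__ == "__main__":
    print("burst        ", run_car(BURST))           # 62 green, 104 yellow, 34 red
    print("burst+steady ", run_car(BURST + STEADY))  # the steady tail stays green
    print("double rate  ", run_car(DOUBLE))          # cbs absorbs 124, then alternates
```

With the cbs of 94000 bytes a 200-packet burst gets 62 green and 104 yellow packets before the first discard, which is what the cbs/pbs choice buys the VoIP class.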

Step 2 Configure Router_2.


#
sysname Router_2
#
ike local-name huawei02
#
acl number 3001 //Create an ACL rule to define the VoIP service flow.
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
acl number 3002 //Create an ACL rule to define the production service flow.
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
acl number 3003 //Create an ACL rule to define the office service flow.
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2 //Group 2 is 1024-bit MODP, which is weak by current standards; prefer
group14, as used in the later examples in this section.
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer center v1 //Configure an IKE peer.
exchange-mode aggressive //Aggressive mode is used because the peer is identified by
name. It sends the identities in clear text and exposes the pre-shared-key-derived
hash to offline guessing, so use a long random pre-shared key.
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 1
local-id-type name //Configure the local ID type for IKE negotiation. In
V200R008 and later versions, the name parameter is changed to fqdn.
remote-name huawei01 //Configure the IKE peer name. In V200R008 and later
versions, the device does not support the remote-name command; the remote-id
command provides the same function.


local-address 30.1.1.1
remote-address 20.1.1.1
#
ipsec policy map1 10 isakmp //Create an IPSec policy for the VoIP service flow.
security acl 3001
ike-peer center
proposal tran1
ipsec policy map1 20 isakmp //Create an IPSec policy for the production service
flow.
security acl 3002
ike-peer center
proposal tran1
ipsec policy map1 30 isakmp //Create an IPSec policy for the office service flow.
security acl 3003
ike-peer center
proposal tran1
#
interface Ethernet1/0/0 //Configure the external network interface.
ip address 30.1.1.1 255.255.255.0
ipsec policy map1
#
interface Ethernet2/0/0 //Configure the private network interface.
ip address 192.168.2.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 30.1.1.2 //Configure a static route
from the headquarters to the branch's VoIP service segment.
ip route-static 10.1.2.0 255.255.255.0 30.1.1.2 //Configure a static route
from the headquarters to the branch's production service segment.
ip route-static 10.1.3.0 255.255.255.0 30.1.1.2 //Configure a static route
from the headquarters to the branch's office service segment.
ip route-static 20.1.1.0 255.255.255.0 30.1.1.2 //Configure a static route
from the headquarters to the branch extranet.
#
return

Step 3 Verify the configuration.


After the configurations are complete, send VoIP, production, and office service flows to
ETH2/0/0 on Router_1 at a rate of 10,000 kbit/s each.
- The bandwidth for VoIP, production, and office service flows leaving ETH1/0/0 is no less
than 500 kbit/s, 600 kbit/s, and 800 kbit/s respectively.
- Run the capture-packet interface ethernet 1/0/0 destination terminal command in the
system view on Router_1. The command output shows that the DSCP values of VoIP,
production, and office service packets sent from ETH1/0/0 are 5, 4, and 2.
- Run the display ipsec statistics command on Router_1 and Router_2 to view statistics
on IPSec packets. The Inpacket decap count/Outpacket encap count field (in versions
earlier than V200R008) or the input/output security packets field (in V200R008 and later
versions) is not 0, indicating that data transmitted between the branch and headquarters
is encrypted.

----End

Configuration Notes
- ACLs configured on devices in the headquarters and branches must mirror each other.
- There must be reachable routes between the headquarters and branches.


5.4.22 Example for Configuring the Branch to Access the Internet Using a 4G Interface and
Establishing an IPSec Tunnel with the Headquarters Using an IPSec Policy Template

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
The headquarters and branch want to establish a secure IPSec connection. The headquarters
gateway RouterB uses a static public address. The branch is small and its gateway RouterA
uses a 4G interface that obtains a dynamic IP address from the carrier. With an ordinary
IPSec policy the headquarters must know the branch IP address in advance, but that address
changes often and is difficult to maintain. An IPSec policy template on RouterB lets the
headquarters act as responder, so the two ends can perform IKE negotiation without the
branch IP address being configured on RouterB.

Figure 5-109 Establishing an SA using an IPSec policy template

[Figure: PC1 on LAN 192.168.1.0/24 connects to RouterA Eth1/0/0 (192.168.1.1/24). RouterA
Cellular0/0/1 obtains a dynamic address from the carrier and establishes an IPSec tunnel to
RouterB Serial1/0/0 (13.1.1.1/24). RouterB Eth1/0/0 (192.168.2.1/24) serves PC2 on LAN
192.168.2.0/24.]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
- In versions earlier than V200R008:
ike peer peer-name [ v1 | v2 ]
- In V200R008 and later versions:
  - To configure IKE peers: ike peer peer-name
  - To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure RouterA.


#
sysname RouterA
#
acl number 3000 //Configure an ACL that defines the data flows to be protected by IPSec.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer rta v1 //Configure an IKE peer for establishing an IPSec connection
with RouterB.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set
the pre-shared key to huawei in cipher text. In versions earlier than V2R3C00,
the pre-shared key pre-shared-key huawei is displayed in plain text.
remote-address 13.1.1.1 //Configure a peer IP address for initiating IKE
negotiation.
#
ipsec policy rta 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer rta
proposal rta
#
interface Ethernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface Cellular0/0/1 //Set dial parameters for the 4G interface.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add the dialer interface to the dialer ACL. The group ID must
be the same as that in the dialer ACL.
apn-profile lteprofile
dialer number *99# autodial //Enable the interface to automatically dial up
using the dialer number *99#.
ip address negotiate //Configure the interface to obtain an IP address from
the carrier. The interface can use the IP address to connect to the public
network.
ipsec policy rta //Bind an IPSec policy to the interface to initiate IPSec
negotiation.
#
dialer-rule //Create a dialer ACL that defines conditions to initiate calls.
dialer-rule 1 ip permit
#
apn profile lteprofile //Create an APN profile.
apn ltenet
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/1
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal rtb
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer rtb v1 //Configure an IKE peer. You do not need to specify the peer IP
address.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Set
the pre-shared key to huawei in cipher text. In versions earlier than V2R3C00,
the pre-shared key pre-shared-key huawei is displayed in plain text.
#
ipsec policy-template temp 1 //Configure an IPSec policy template and reference
parameters to the template.
security acl 3000

ike-peer rtb
proposal rtb
#
ipsec policy rtb 1 isakmp template temp //Configure an IPSec policy and
reference the policy template.
#
interface Ethernet1/0/0
ip address 192.168.2.1 255.255.255.0
#
interface Serial1/0/0 //Configure a public network interface and set a fixed IP
address for the interface.
link-protocol ppp
ip address 13.1.1.1 255.255.255.0
ipsec policy rtb
#
ip route-static 0.0.0.0 0.0.0.0 Serial1/0/0
#
return

Step 3 Verify the configuration.

Run the display ike sa command on either device to view information about the SA.

After the configuration, users in the headquarters and branch can ping each other.

----End

Configuration Notes
- The pre-shared key at both ends must be the same.
- You do not need to specify the remote address of the IKE peer for the end using an IPSec
policy template.
- You can choose not to configure an ACL on the headquarters end that uses an IPSec policy
template. If an ACL is configured there to protect data flows, its destination segment
must cover all the source addresses in the ACLs on the branches.

5.4.23 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters Through
Active and Standby Links

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-110, Router_1 and Router_2 are the gateways of the enterprise branch and
headquarters respectively. The branch communicates with the headquarters over the Internet
and uses a 3G link as the standby link. When the active link fails, traffic is switched to the
standby link to keep the service running.

The enterprise requires that traffic transmitted over the Internet between the branch and
headquarters be protected. An IPSec tunnel is therefore established between the branch
gateway and the headquarters gateway to protect data flows between them. In addition, NAT
can be configured on Router_1 to allow branch users to access external networks.


Figure 5-110 Establishing an IPSec tunnel between the branch and headquarters through
active and standby links

[Figure: Branch PC_1 (10.1.1.2/24) connects to Router_1 GE2/0/0 (10.1.1.1/24). Router_1
reaches the Internet through GE1/0/0 (1.1.1.1/24, active link) and through Cellular0/0/1
via a 3G NodeB and the 3G network (standby link). Router_2 GE1/0/0 (2.1.1.1/24) faces the
Internet and GE2/0/0 (10.2.1.1/24) serves headquarters PC_2 (10.2.1.2/24).]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
- In versions earlier than V200R008:
ike peer peer-name [ v1 | v2 ]
- In V200R008 and later versions:
  - To configure IKE peers: ike peer peer-name
  - To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
acl number 3000 //Define the address segment that NAT applies to. Rule 1 excludes the
IPSec-protected flow to 10.2.1.0/24 so that it is not translated before encryption.
rule 1 deny ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
rule 2 permit ip source 10.1.1.0 0.0.0.255
acl number 3010 // Configure an address segment that supports IPSec encryption.
rule 2 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-
cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer rta v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
ike-proposal 5
dpd msg seq-hash-notify
remote-address 2.1.1.1
#
ipsec policy rt1 1 isakmp //Configure an IPSec policy.

security acl 3010


ike-peer rta
proposal rta
ipsec policy rt2 1 isakmp
security acl 3010
ike-peer rta
proposal rta
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
ipsec policy rt1 //Bind the IPSec policy to the interface and launch IPSec
negotiation.
standby interface Cellular0/0/1 //Configure a standby interface for the main
interface.
nat outbound 3000 //Configure the NAT function to allow users to access
external networks.
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Cellular0/0/1 //Configure dial-up parameters for the 3G interface.
link-protocol ppp
ip address ppp-negotiate //Automatically obtain the IP address allocated by
the carrier to access the Internet.
dialer enable-circular // Enable circular DCC.
dialer-group 1 //Add the interface to dialer group 1. The group ID must be the same
as the dialer-rule ID in the dial control list.
dialer timer autodial 15
dialer number *99# autodial //Enable the interface to automatically dial up
using the dialer number *99#.
ipsec policy rt2 //Bind the IPSec policy to the interface and launch IPSec
negotiation.
nat outbound 3000
#
dialer-rule
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 preference 40 //Configure a static
route to use the link as the active link.
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/1 preference 80
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
acl number 3010 //Configure an address segment that supports IPSec encryption.
rule permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal rtb //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-
cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer rtb v1 // Configure an IKE peer. You do not need to configure the
remote address.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
ike-proposal 5
dpd msg seq-hash-notify
#
ipsec policy-template temp 1 //Configure an IPSec policy template and set
parameters in the template.
security acl 3010
ike-peer rtb

proposal rtb
#
ipsec policy rtb 1 isakmp template temp //Configure an IPSec policy and
reference the policy template.
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.255.255.0
ipsec policy rtb //Bind the IPSec policy to the interface.
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 2.1.1.2 //Configure a static route.
#
return

Step 3 Verify the configuration.


Run the display ike sa command to view SA information.
After the configuration is complete, users in the headquarters and branch can exchange
encrypted data. In addition, branch users can access external networks.

----End

Configuration Notes

- The pre-shared key used for IKE negotiation at both ends must be the same.
- You do not need to specify the remote IP address of the IKE peer for the end using an
IPSec policy template.
- You can choose not to configure an ACL on the headquarters gateway using an IPSec
policy template. If an ACL is configured to protect data flows, the destination address in
the ACL must cover all the source addresses in ACLs on branches.
- Dial-up parameters on a 3G interface differ between 3G networks. Contact the 3G
network provider.
- When IPSec and NAT are configured on the same device, the device performs NAT before
IPSec encryption, so outbound flows are translated first. The ACL referenced by NAT must
therefore deny the flows that are to be sent over the IPSec tunnel (rule 1 in ACL 3000
above); otherwise those flows are translated, no longer match the IPSec ACL, and are sent
in plain text.

5.4.24 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters Using
Wired Lines

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-111, Router_1 and Router_2 are the gateways of the enterprise branch and
headquarters respectively and communicate through the public network.
The enterprise requires that traffic transmitted over the public network between the branch
and headquarters be protected. An IPSec tunnel is therefore established between the branch
gateway and the headquarters gateway to protect data flows between them. In addition, NAT
can be configured on Router_1 to allow branch users to access external networks.

Figure 5-111 Establishing an IPSec tunnel between the branch and headquarters using wired
lines

[Figure: Branch PC_1 (10.1.1.2/24) connects to branch gateway Router_1 GE2/0/0 (10.1.1.1/24).
An IPSec tunnel runs between Router_1 GE1/0/0 (1.1.1.1/24) and headquarters gateway Router_2
GE1/0/0 (2.1.1.1/24). Router_2 GE2/0/0 (10.1.2.1/24) serves headquarters PC_2 (10.1.2.2/24).]

NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
- In versions earlier than V200R008:
ike peer peer-name [ v1 | v2 ]
- In V200R008 and later versions:
  - To configure IKE peers: ike peer peer-name
  - To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
acl number 3000 //Define the address segment that NAT applies to. Rule 1 excludes the
IPSec-protected flow to 10.1.2.0/24 so that it is not translated before encryption.
rule 1 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
rule 2 permit ip source 10.1.1.0 0.0.0.255
acl number 3101 //Configure an address segment that supports IPSec encryption.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1 // Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-
cbc-128 parameter is changed to aes-128.

authentication-algorithm sha2-256
#
ike peer spub v1 //Configure an IKE peer.

pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#


ike-proposal 5
remote-address 2.1.1.1
#
ipsec policy map1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer spub
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
ipsec policy map1 //Bind the IPSec policy to the interface and launch IPSec
negotiation.
nat outbound 3000 //Configure the NAT function to allow users to access
external networks.
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2 //Configure a static route.
ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
acl number 3101 //Configure the address segment that supports IPSec encryption.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-
cbc-128 parameter is changed to aes-128.

authentication-algorithm sha2-256
#
ike peer spua v1 //Configure an IKE peer.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
ike-proposal 5
remote-address 1.1.1.1
#
ipsec policy use1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer spua
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.255.255.0
ipsec policy use1 //Bind the IPSec policy to the interface.
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2 //Configure a static route.
ip route-static 10.1.1.0 255.255.255.0 2.1.1.2
#
return

Step 3 Verify the configuration.


Run the display ike sa command to view SA information.

After the configuration is complete, users in the headquarters and branch can exchange
encrypted data. In addition, branch users can access external networks.

----End

Configuration Notes
- The pre-shared key used for IKE negotiation at both ends must be the same.
- There must be reachable routes between the headquarters and branches.
- ACLs configured on devices in the headquarters and branches must mirror each other.
- When IPSec and NAT are configured on the same device, the device performs NAT before
IPSec encryption, so outbound flows are translated first. The ACL referenced by NAT must
therefore deny the flows that are to be sent over the IPSec tunnel (rule 1 in ACL 3000
above); otherwise those flows are translated, no longer match the IPSec ACL, and are sent
in plain text.

5.4.25 Example for Connecting iPhones of Mobile Office Users to the Headquarters Through
L2TP over IPSec

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
Traveling employees access the enterprise network from different locations, and they want to
communicate with the headquarters frequently. As shown in Figure 5-112, traveling
employees connect to the headquarters by dialing up using their iPhones, and the headquarters
can authenticate and manage access users. In addition, communication between the traveling
employees and headquarters is encrypted to prevent information leakage.

Figure 5-112 Connecting iPhones of mobile office users to the headquarters through L2TP
over IPSec

[Figure: The iPhone (LAC, 3.3.3.3/24) establishes an L2TP over IPSec tunnel to the Router
(LNS) at GE1/0/1 (1.1.1.2/24). The Router's VT1 has address 10.2.1.1/24, and GE1/0/2
(10.1.1.1/24) connects to the HQ server.]


NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
- In versions earlier than V200R008:
ike peer peer-name [ v1 | v2 ]
- In V200R008 and later versions:
  - To configure IKE peers: ike peer peer-name
  - To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure the Router.
#
sysname Router
#
l2tp enable //Enable L2TP.
#
acl number 3101 //Configure the IP address segment whose traffic IPSec protects. This
rule only covers clients whose public address is in 3.3.3.0/24; widen the source segment
to cover the addresses mobile clients actually connect from.
rule 5 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
#
ipsec proposal tran1 //Configure the authentication and encryption algorithms
for the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 10 //Configure the authentication, encryption, and DH group
algorithms for the IKE proposal.
encryption-algorithm aes-128 //In versions earlier than V200R008, this parameter is
aes-cbc-128.
dh group14
authentication-algorithm sha2-256
#
ike peer a //Set the pre-shared key of the IKE peer to Admin@123.
pre-shared-key cipher %^%#/[$;=)q~,Fj9_s4|M>R9S%]QG,x&[6X]4"@eOs{E%^%#
ike-proposal 10
#
ipsec policy-template policy_temp 1 //Configure an IPSec policy template and
reference related parameters.
security acl 3101
ike-peer a
proposal tran1
#
ipsec policy policy1 10 isakmp template policy_temp //Configure an IPSec policy
and associate it with the IPSec policy template.
#
ip pool 1 //Configure the device to allocate IP addresses to L2TP clients from
the IP address pool.
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
aaa //Configure AAA local authentication and set the user name and password to
vpdnuser and Hello123.
authentication-scheme l2tp
domain l2tp
authorization-scheme l2tp
local-user vpdnuser password cipher %^%#!~$GMN5Gj=j&f)IjQ8\>~b\-1"i^b@~.)+,2gi9K%^%#
local-user vpdnuser privilege level 0
local-user vpdnuser service-type ppp

#
interface GigabitEthernet1/0/1
ip address 1.1.1.2 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy to the interface and enable IPSec.
#
interface GigabitEthernet1/0/2
ip address 10.1.1.1 255.255.255.0
#
interface Virtual-Template1 //Create a VT template and configure dial-up
parameters.
ppp authentication-mode chap domain l2tp //Configure an authentication mode
and specify that authentication information carries the domain name.
remote address pool 1 //Reference the IP address pool.
ip address 10.2.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
undo tunnel authentication //Mobile phone clients do not perform L2TP tunnel
authentication, so disable it here; the peer has already been authenticated by IKE
when the L2TP tunnel is set up inside the IPSec SA.
allow l2tp virtual-template 1
#
ip route-static 3.3.3.0 255.255.255.0 1.1.1.1
ip route-static 10.1.1.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure the iPhone.

NOTE
Set Account and Password to vpdnuser and Hello123 configured on the Router. Set Secret to the IPSec pre-
shared key Admin@123 configured on the Router.


Step 3 Verify the configuration.


Enable VPN connection on the iPhone. You can find that the VPN connection is established
successfully.
Run the display l2tp tunnel command on the Router. You can find that an L2TP tunnel is
established successfully.
Run the display ike sa command on the Router. You can find that an SA is established
successfully.
After the configuration is complete, the traveling employee and the headquarters can
exchange encrypted data.

----End

Configuration Notes
- The pre-shared key for IKE negotiation at both ends must be the same.
- Tunnel authentication must be disabled on the Router if the L2TP client does not support
tunnel authentication.

5.4.26 Example for Connecting Android Phones of Mobile Office Users to the Headquarters
Through L2TP over IPSec

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
Traveling employees access the enterprise network from different locations, and they want to
communicate with the headquarters frequently. As shown in Figure 5-113, traveling
employees connect to the headquarters by dialing up using their Android phones, and the
headquarters can authenticate and manage access users. In addition, communication between
the traveling employees and headquarters is encrypted to prevent information leakage.

Figure 5-113 Connecting Android phones of mobile office users to the headquarters through
L2TP over IPSec

[Figure: The Android phone (LAC, 3.3.3.3/24) establishes an L2TP over IPSec tunnel to the
Router (LNS) at GE1/0/1 (1.1.1.2/24). The Router's VT1 has address 10.2.1.1/24, and
GE1/0/2 (10.1.1.1/24) connects to the HQ server.]


NOTE

The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
- In versions earlier than V200R008:
ike peer peer-name [ v1 | v2 ]
- In V200R008 and later versions:
  - To configure IKE peers: ike peer peer-name
  - To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.

Procedure
Step 1 Configure the Router.
#
sysname Router
#
l2tp enable //Enable L2TP.
#
acl number 3101 //Configure the IP address segment whose traffic IPSec protects. This
rule only covers clients whose public address is in 3.3.3.0/24; widen the source segment
to cover the addresses mobile clients actually connect from.
rule 5 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
#
ipsec proposal tran1 //Configure the authentication and encryption algorithms
for the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 10 //Configure the authentication, encryption, and DH group
algorithms for the IKE proposal.
encryption-algorithm aes-128 //In versions earlier than V200R008, this parameter is
aes-cbc-128.
dh group14
authentication-algorithm sha2-256
#
ike peer a //Set the pre-shared key of the IKE peer to Admin@123.
pre-shared-key cipher %^%#/[$;=)q~,Fj9_s4|M>R9S%]QG,x&[6X]4"@eOs{E%^%#
ike-proposal 10
#
ipsec policy-template policy_temp 1 //Configure an IPSec policy template and
reference related parameters.
security acl 3101
ike-peer a
proposal tran1
#
ipsec policy policy1 10 isakmp template policy_temp //Configure an IPSec policy
and associate it with the IPSec policy template.
#
ip pool 1 //Configure the device to allocate IP addresses to L2TP clients from
the IP address pool.
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
aaa //Configure AAA local authentication and set the user name and password to
vpdnuser and Hello123.
authentication-scheme l2tp
domain l2tp
authorization-scheme l2tp
local-user vpdnuser password cipher %^%#!~$GMN5Gj=j&f)IjQ8\>~b\-1"i^b@~.)+,2gi9K%^%#
local-user vpdnuser privilege level 0
local-user vpdnuser service-type ppp

#
interface GigabitEthernet1/0/1
ip address 1.1.1.2 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy to the interface and enable IPSec.
#
interface GigabitEthernet1/0/2
ip address 10.1.1.1 255.255.255.0
#
interface Virtual-Template1 //Create a VT template and configure dial-up
parameters.
ppp authentication-mode chap domain l2tp //Configure an authentication mode
and specify that authentication information carries the domain name.
remote address pool 1 //Reference the IP address pool.
ip address 10.2.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
undo tunnel authentication //Dial up using a mobile phone. You are advised to
disable tunnel authentication.
allow l2tp virtual-template 1
#
ip route-static 3.3.3.0 255.255.255.0 1.1.1.1
ip route-static 10.1.1.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure the Android phone.

NOTE
Set the IPSec pre-shared key on the phone to Admin@123, which is the same as the IPSec pre-shared key configured on the Router.

Step 3 Verify the configuration.

Enable the VPN connection on the Android phone. The VPN connection is established successfully.
Run the display l2tp tunnel command on the Router. The output shows that an L2TP tunnel has been established.
Run the display ike sa command on the Router. The output shows that an IKE SA has been established.
After the configuration is complete, the traveling employee and the headquarters can exchange encrypted data.

----End

Configuration Notes
l The pre-shared key for IKE negotiation at both ends must be the same.
l Tunnel authentication must be disabled on the Router if the L2TP client does not support
tunnel authentication.
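An added example, not part of the Huawei document: this Python script parses a VRP-style listing such as the one above and reports weak or unset IKE/IPSec algorithms, the disabled tunnel authentication and the policy-template choice (both deliberate here, as the configuration notes explain), and any PPP account whose privilege level is above 0. The sample configuration is a constructed excerpt with the cipher-text secrets replaced by placeholders.

```python
# Added example (not part of the Huawei document): audit the IKE/IPSec/L2TP
# settings of a VRP-style configuration listing such as the one above. Names
# in the "strong" sets are those used on the page (aes-128, sha2-256, group14)
# plus their larger variants; anything else, or an unset value, is reported.
STRONG_ENC = {"aes-128", "aes-192", "aes-256", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256"}
STRONG_AUTH = {"sha2-256", "sha2-384", "sha2-512"}
STRONG_DH = {"group14", "group15", "group16", "group19", "group20", "group21"}

def parse_blocks(config):
    """Split a configuration into (header, body_lines) blocks delimited by '#' lines."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()   # drop inline comments as used in the listing
        if not line:
            continue
        if line == "#":
            if header is not None:
                blocks.append((header, body))
            header, body = None, []
        elif header is None:
            header = line
        else:
            body.append(line)
    if header is not None:
        blocks.append((header, body))
    return blocks

def _check(findings, where, value, strong, what):
    if value is None:
        findings.append(("high", f"{where}: {what} not set, device default applies"))
    elif value not in strong:
        findings.append(("high", f"{where}: {what} {value} is weak"))

def audit(config):
    """Return (severity, message) findings; 'info' marks design choices to confirm."""
    findings, ppp_users, privilege = [], set(), {}
    for header, body in parse_blocks(config):
        w = header.split()
        if w[:2] == ["ike", "proposal"]:
            kv = dict(ln.split(None, 1) for ln in body if " " in ln)
            _check(findings, header, kv.get("encryption-algorithm"), STRONG_ENC, "encryption")
            _check(findings, header, kv.get("authentication-algorithm"), STRONG_AUTH, "authentication")
            _check(findings, header, kv.get("dh"), STRONG_DH, "DH group")
        elif w[:2] == ["ipsec", "proposal"]:
            kv = dict(ln.split()[1:3] for ln in body if ln.startswith("esp "))
            _check(findings, header, kv.get("encryption-algorithm"), STRONG_ENC, "ESP encryption")
            _check(findings, header, kv.get("authentication-algorithm"), STRONG_AUTH, "ESP authentication")
        elif w[:2] == ["ipsec", "policy"] and "template" in w:
            findings.append(("info", f"{header}: policy template, the router only responds "
                                     "and the pre-shared key is the sole peer check"))
        elif w[:1] == ["l2tp-group"] and "undo tunnel authentication" in body:
            findings.append(("info", f"{header}: tunnel authentication disabled, "
                                     "tunnel protection relies on IPSec"))
        elif w[:1] == ["aaa"]:
            for ln in body:
                p = ln.split()
                if p[:1] == ["local-user"] and p[2:4] == ["service-type", "ppp"]:
                    ppp_users.add(p[1])
                elif p[:1] == ["local-user"] and p[2:4] == ["privilege", "level"]:
                    privilege[p[1]] = int(p[4])
    for user in sorted(ppp_users):   # least privilege: a PPP-only account needs level 0
        if privilege.get(user, 0) > 0:
            findings.append(("medium", f"local-user {user}: PPP user has privilege level {privilege[user]}"))
    return findings

# Constructed sample: the relevant blocks of the Router configuration above,
# with the cipher-text secrets replaced by placeholders.
SAMPLE_CONFIG = """\
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 10
encryption-algorithm aes-128 //aes-cbc-128 before V200R008
dh group14
authentication-algorithm sha2-256
#
ipsec policy policy1 10 isakmp template policy_temp
#
aaa
local-user vpdnuser password cipher %^%#<PLACEHOLDER>%^%#
local-user vpdnuser privilege level 0
local-user vpdnuser service-type ppp
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1
#
"""
# The same listing with a weak DH group and an over-privileged PPP account.
WEAK_CONFIG = SAMPLE_CONFIG.replace("dh group14", "dh group2").replace("level 0", "level 15")

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        for severity, message in audit(cfg):
            print(f"{name:6} {severity:6} {message}")
```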

5.5 SSL VPN

5.5.1 Example for Configuring SSL VPN to Allow External Users to Connect to the Intranet of an Enterprise

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 5-114, an enterprise network connects to the Internet using a Router that functions as
an SSL VPN gateway. The marketing personnel, VIP customers, and partners on external
networks access the enterprise intranet through the Router.

The networking requirements are as follows:

l Marketing personnel are allowed to access the internal web server and mail server, share
desktop with the internal host 10.138.10.21, and ping the internal hosts
10.138.10.64-10.138.10.95.
l VIP customers are allowed to access the internal mail server and use Telnet to access the
internal application server.
l Partners are allowed to access the internal web server.

The Router must be configured to meet the preceding requirements.

Figure 5-114 SSL VPN gateway network (diagram: marketing personnel, VIP customers, and partners on the external network reach the Router through Eth2/0/0; Eth1/0/0 connects to the enterprise intranet with the mail server, application server, web server, and the shared-desktop host)

Procedure
Step 1 Configure the Router.
#
sysname Router
#
pki entity a //Configure a PKI entity.
country CN
common-name hello
#
pki realm admin //Configure a PKI domain.
ca id ca_a
enrollment-url http://10.2.1.9:8080/certsrv/mscep/mscep.dll ra
entity a
fingerprint sha256 e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0 //Configure the CA certificate fingerprint used in CA certificate verification.
rsa local-key-pair rsa_scep //Use the RSA key pair for SCEP-based certificate application. The RSA key pair is created using the pki rsa local-key-pair create command. This command applies to V200R008 and later versions.
password cipher %$%$\1HN-bn(k;^|O85OAtYF3(M4%$%$ //Set the challenge password used in SCEP-based certificate application to 6AE73F21E6D3571D. This command applies to V200R008 and later versions.
auto-enroll 60 regenerate //Enable the automatic certificate application and update function. This command applies to V200R008 and later versions.
#
ssl policy adminserver type server //Configure a server SSL policy and bind the server SSL policy to the HTTPS server.
pki-realm admin
#
ip pool market_pool //Configure an IP address pool.
network 10.139.30.0 mask 255.255.255.0
#
aaa //Configure SSL VPN user information.
domain default
local-user rose password cipher %^%#~Hc]'Mf1<;Y)b9En!Q',BF!VQ5%=ZPFf'7SdhlX1%^%# //The password is rose123456.
local-user wangjun password cipher %^%#*k9gJ4K:-1z<)l+t3SS1QLw^7xks6C]WR8(LS,C3%^%# //The password is wangjun654321.
local-user zhanghong password cipher %^%#.SoT@db-zEl.^\K"k6@LG6BM9}9uBD2zA4'k2%kQ%^%# //The password is zhanghong123456.
local-user huwei password cipher %^%#tz]d@Q,R(/_*s6As'F+$M"!\Gg-[sC7k+k>x3N2/%^%# //The password is huwei654321.
local-user jack password cipher %^%#D3q-7\3NwG+f6GPIs:NRm;$nIjY3`Xo}S,XsP$B>%^%# //The password is jack123456.
local-user john password cipher %^%#8N3T8`vr!%~feB7oGz$#qNz2=Z>;zN%/r&B]j0(V%^%# //The password is john654321.
#
interface Ethernet 2/0/0
ip address 1.1.1.1 255.255.255.0
#
interface Ethernet 1/0/0
ip address 10.138.10.254 255.255.255.0
#
telnet server enable
#
sslvpn gateway market //Create a virtual gateway market.
extranet interface Ethernet 2/0/0 //Configure the intranet and extranet interfaces for the virtual gateway.
intranet interface Ethernet 1/0/0
bind domain default //Bind an AAA domain to the virtual gateway and configure user information.
enable
service-type web-proxy resource market_web-proxy //Configure a web proxy service on the virtual gateway so that marketing personnel can access the web server.
link http://10.138.10.1:80/
service-type port-forwarding resource market_port-forwarding //Configure a port forwarding service.
server ip-address 10.138.10.3 port 995
description market-email
service-type port-forwarding resource market_port-forwarding //Configure a port forwarding service.
server ip-address 10.138.10.21 port 3389
description market-deskshare
service-type ip-forwarding resource market_ip-forwarding //Configure an IP forwarding service.
bind ip-pool market_pool
route-mode split
route-split ip address 10.138.10.64 mask 27
# //Configure a virtual gateway customer, configure intranet and extranet interfaces for the virtual gateway, bind an AAA domain to the virtual gateway, and configure user information.
sslvpn gateway customer
extranet interface Ethernet 2/0/0
intranet interface Ethernet 1/0/0
bind domain default
enable
service-type port-forwarding resource customer_port-forwarding //Configure a port forwarding service.
server ip-address 10.138.10.3 port 995
description custom-email
service-type port-forwarding resource customer_port-forwarding //Configure a port forwarding service.
server ip-address 10.138.10.2 port 23
description custom-telnet
# //Configure a virtual gateway company, configure intranet and extranet interfaces for the virtual gateway, bind an AAA domain to the virtual gateway, and configure user information.
sslvpn gateway company
extranet interface Ethernet 2/0/0
intranet interface Ethernet 1/0/0
bind domain default
enable
service-type web-proxy resource company_web-proxy //Configure a web proxy service.
link http://10.138.10.1:80/
#
return

Step 2 Verify the configuration.

Open Internet Explorer on a terminal such as a computer and enter https://1.1.1.1/marketsslvpn to display the web login page. Enter the user name and password to log in. After you are authenticated, the web page lists the resources you can access: the web server, the mail server, and the host for desktop sharing. You can also ping the hosts on 10.138.10.64-10.138.10.95.

----End

Configuration Notes
l Before using the Router as an SSL VPN gateway, configure the Router as an HTTPS
server.
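An added example, not code from the Huawei document: the Python script below reads the sslvpn gateway blocks above, derives which intranet hosts and ports each virtual gateway exposes, and checks the result against the three networking requirements. The configuration text is a constructed excerpt of the listing with its comments removed.

```python
# Added example (not part of the Huawei document): derive each virtual gateway's
# reachable intranet resources from the sslvpn gateway blocks above and check
# them against the three networking requirements (marketing, VIP customers, partners).
import ipaddress
from urllib.parse import urlsplit

def parse_sslvpn(config):
    """Return {gateway: {"web": [(host, port)], "ports": [[host, port, description]],
    "split": [IPv4Network]}} from the sslvpn gateway blocks of a configuration."""
    gateways, current, pending = {}, None, None
    for raw in config.splitlines():
        w = raw.split(" //")[0].split()          # drop inline comments, keep http:// URLs
        if not w:
            continue
        if w[0] == "#":
            current = None
        elif w[:2] == ["sslvpn", "gateway"]:
            current = gateways.setdefault(w[2], {"web": [], "ports": [], "split": []})
        elif current is None:
            continue
        elif w[0] == "link":                              # web-proxy resource
            u = urlsplit(w[1])
            current["web"].append((u.hostname, u.port or 80))
        elif w[:2] == ["server", "ip-address"]:           # port-forwarding resource
            pending = [w[2], int(w[4]), ""]
            current["ports"].append(pending)
        elif w[0] == "description" and pending is not None:
            pending[2] = " ".join(w[1:])
        elif w[:3] == ["route-split", "ip", "address"]:   # ip-forwarding, split tunnel
            current["split"].append(ipaddress.ip_network(f"{w[3]}/{w[5]}"))
    return gateways

def reachable(gateways, gateway, host, port=None):
    """True if a user logged in to `gateway` can reach host (and port, if given).
    Web proxy and port forwarding expose one host:port each; ip forwarding with a
    split route gives full IP reachability, which is what a ping needs."""
    gw = gateways[gateway]
    if any(ipaddress.ip_address(host) in net for net in gw["split"]):
        return True
    if port is None:
        return False
    return (host, port) in gw["web"] or any(h == host and p == port for h, p, _ in gw["ports"])

# Expected access taken from the networking requirements: (gateway, host, port) -> allowed
REQUIREMENTS = {
    ("market", "10.138.10.1", 80): True,        # web server
    ("market", "10.138.10.3", 995): True,       # mail server
    ("market", "10.138.10.21", 3389): True,     # desktop sharing
    ("market", "10.138.10.95", None): True,     # ping 10.138.10.64-10.138.10.95
    ("market", "10.138.10.96", None): False,    # first host outside the /27
    ("customer", "10.138.10.3", 995): True,     # mail server
    ("customer", "10.138.10.2", 23): True,      # Telnet to the application server
    ("customer", "10.138.10.21", 3389): False,  # no desktop sharing for VIP customers
    ("customer", "10.138.10.80", None): False,  # no ping for VIP customers
    ("company", "10.138.10.1", 80): True,       # partners: web server only
    ("company", "10.138.10.3", 995): False,
}

def violations(gateways, requirements=REQUIREMENTS):
    """Return the (gateway, host, port) entries whose actual access differs from the expectation."""
    return [key for key, want in requirements.items() if reachable(gateways, *key) != want]

# Constructed sample: the resource lines of the three virtual gateways above.
CONFIG = """\
#
sslvpn gateway market
service-type web-proxy resource market_web-proxy
link http://10.138.10.1:80/
service-type port-forwarding resource market_port-forwarding
server ip-address 10.138.10.3 port 995
description market-email
service-type port-forwarding resource market_port-forwarding
server ip-address 10.138.10.21 port 3389
description market-deskshare
service-type ip-forwarding resource market_ip-forwarding
bind ip-pool market_pool
route-mode split
route-split ip address 10.138.10.64 mask 27
#
sslvpn gateway customer
service-type port-forwarding resource customer_port-forwarding
server ip-address 10.138.10.3 port 995
description custom-email
service-type port-forwarding resource customer_port-forwarding
server ip-address 10.138.10.2 port 23
description custom-telnet
#
sslvpn gateway company
service-type web-proxy resource company_web-proxy
link http://10.138.10.1:80/
#
"""

if __name__ == "__main__":
    gws = parse_sslvpn(CONFIG)
    for name, gw in gws.items():
        print(name, "web", gw["web"], "ports", gw["ports"], "split", [str(n) for n in gw["split"]])
    print("requirement violations:", violations(gws))
```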

5.6 BGP/MPLS IP VPN


5.6.1 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices
Specifications
This example applies to all versions.
This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 5-115:
l CE1 and CE3 belong to vpna.
l CE2 and CE4 belong to vpnb.
l The VPN target of vpna is 111:1, and the VPN target of vpnb is 222:2.
l Users in different VPNs cannot communicate.

Figure 5-115 Networking diagram for configuring BGP/MPLS IP VPN (diagram: MPLS backbone AS 100 with PE1 (Loopback1 1.1.1.9/32), P (Loopback1 2.2.2.9/32), and PE2 (Loopback1 3.3.3.9/32); PE1 Eth2/0/1 172.1.1.1/24 - P Eth1/0/0 172.1.1.2/24; P Eth2/0/0 172.2.1.1/24 - PE2 Eth2/0/1 172.2.1.2/24; CE1 (vpna, AS 65410) Eth1/0/0 10.1.1.1/24 - PE1 Eth1/0/0 10.1.1.2/24; CE2 (vpnb, AS 65420) Eth1/0/0 10.2.1.1/24 - PE1 Eth2/0/0 10.2.1.2/24; CE3 (vpna, AS 65430) Eth1/0/0 10.3.1.1/24 - PE2 Eth1/0/0 10.3.1.2/24; CE4 (vpnb, AS 65440) Eth1/0/0 10.4.1.1/24 - PE2 Eth2/0/0 10.4.1.2/24)

Procedure
Step 1 Configure PE1.
#
sysname PE1
#
ip vpn-instance vpna //Create a VPN instance vpna.
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb //Create a VPN instance vpnb.
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9 //Configure MPLS.
mpls
#
mpls ldp //Configure LDP.
#
interface Ethernet1/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip binding vpn-instance vpnb //Bind the VPN instance to the interface.
ip address 10.2.1.2 255.255.255.0
#
interface Ethernet2/0/1 //Enable MPLS on the interface.
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100 //Configure an MP-IBGP peer.
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna //Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
peer 10.1.1.1 as-number 65410
import-route direct
#
ipv4-family vpn-instance vpnb //Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return

Step 2 Configure the P.


#
sysname P
#
mpls lsr-id 2.2.2.9 //Configure MPLS.
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

Step 3 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpna //Create a VPN instance vpna.
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb //Create a VPN instance vpnb.
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9 //Configure the MPLS LSR.
mpls
#
mpls ldp
#
interface Ethernet1/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Ethernet2/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface Ethernet2/0/1 //Enable MPLS on the interface.
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100 //Configure an MP-IBGP peer.
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna //Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
peer 10.3.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpnb //Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
peer 10.4.1.1 as-number 65440
import-route direct
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return

Step 4 Configure CE1.


#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65410 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 10.1.1.2 enable
#
return

Step 5 Configure CE2.


#
sysname CE2
#
interface Ethernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65420 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 10.2.1.2 enable
#
return

Step 6 Configure CE3.


#
sysname CE3
#
interface Ethernet1/0/0
ip address 10.3.1.1 255.255.255.0
#
bgp 65430 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 10.3.1.2 enable
#
return

Step 7 Configure CE4.


#
sysname CE4
#
interface Ethernet1/0/0
ip address 10.4.1.1 255.255.255.0
#
bgp 65440 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 10.4.1.2 enable
#
return

----End

Configuration Notes
l A PE must use a loopback interface address with a 32-bit mask to set up an MP-IBGP
peer relationship with the peer PE so that VPN routes can be iterated to tunnels.

5.6.2 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between the Branch and Headquarters and Between Branches
Specifications
This example applies to all versions.
This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 5-116, the Hub-CE in the central site controls communication between
Spoke-CEs. That is, the traffic between Spoke-CEs is forwarded by the Hub-CE but not by
the Hub-PE.

Figure 5-116 Networking diagram for configuring Hub and Spoke (diagram: backbone AS 100 with Spoke-PE1 (Loopback1 1.1.1.9/32), Hub-PE (Loopback1 2.2.2.9/32), and Spoke-PE2 (Loopback1 3.3.3.9/32); Spoke-PE1 Eth2/0/0 10.1.1.1/24 - Hub-PE Eth1/0/0 10.1.1.2/24; Spoke-PE2 Eth2/0/0 11.1.1.1/24 - Hub-PE Eth2/0/0 11.1.1.2/24; Hub-CE (AS 65430) Eth1/0/0 110.1.1.1/24 - Hub-PE Eth3/0/0 110.1.1.2/24 and Hub-CE Eth2/0/0 110.2.1.1/24 - Hub-PE Eth4/0/0 110.2.1.2/24; Spoke-CE1 (AS 65410) Eth1/0/0 100.1.1.1/24 - Spoke-PE1 Eth1/0/0 100.1.1.2/24; Spoke-CE2 (AS 65420) Eth1/0/0 120.1.1.1/24 - Spoke-PE2 Eth1/0/0 120.1.1.2/24)

Procedure
Step 1 Configure Spoke-CE1.
#
sysname Spoke-CE1
#
interface Ethernet1/0/0
ip address 100.1.1.1 255.255.255.0
#
bgp 65410 //Establish an EBGP peer relationship between the Spoke-PE and the CE.
peer 100.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 100.1.1.2 enable
#
return

Step 2 Configure Spoke-PE1.


#
sysname Spoke-PE1
#
ip vpn-instance vpna //Configure a VPN instance.
ipv4-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 1.1.1.9 //Configure the MPLS LSR.
mpls
#
mpls ldp
#
interface Ethernet1/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpna
ip address 100.1.1.2 255.255.255.0
#
interface Ethernet2/0/0 //Enable MPLS on the interface.
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100 //Establish an MP-IBGP peer relationship between PEs.
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
# //Establish an MP-IBGP peer relationship between PEs.
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
# //Establish an MP-EBGP peer relationship between the Spoke-PE and the CE.
ipv4-family vpn-instance vpna
peer 100.1.1.1 as-number 65410
import-route direct //Import direct routes.
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return

Step 3 Configure Spoke-PE2.


#
sysname Spoke-PE2
#
ip vpn-instance vpna //Configure a VPN instance.
ipv4-family
route-distinguisher 100:3
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 3.3.3.9 //Configure the MPLS LSR.
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip binding vpn-instance vpna
ip address 120.1.1.2 255.255.255.0
#
interface Ethernet2/0/0 //Enable MPLS on the interface.
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100 //Establish an MP-IBGP peer relationship between PEs.
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
# //Establish an MP-IBGP peer relationship between PEs.
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
# //Establish an MP-EBGP peer relationship between the Spoke-PE and the CE.
ipv4-family vpn-instance vpna
peer 120.1.1.1 as-number 65420
import-route direct //Import direct routes.
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return

Step 4 Configure Spoke-CE2.


#
sysname Spoke-CE2
#
interface Ethernet1/0/0
ip address 120.1.1.1 255.255.255.0
#
bgp 65420 //Establish an EBGP peer relationship between the Spoke-PE and the CE.
peer 120.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 120.1.1.2 enable
#
return

Step 5 Configure the Hub-CE.


#
sysname Hub-CE
#
interface Ethernet1/0/0
ip address 110.1.1.1 255.255.255.0
#
interface Ethernet2/0/0
ip address 110.2.1.1 255.255.255.0
#
bgp 65430 //Establish EBGP peer relationships between the Hub-CE and the Hub-PE.
peer 110.1.1.2 as-number 100
peer 110.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 110.2.1.2 enable
peer 110.1.1.2 enable
#
return

Step 6 Configure the Hub-PE.


#
sysname Hub-PE
#
ip vpn-instance vpn_in //Configure a VPN instance vpn_in.
ipv4-family
route-distinguisher 100:21
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out //Configure a VPN instance vpn_out.
ipv4-family
route-distinguisher 100:22
vpn-target 200:1 export-extcommunity
#
mpls lsr-id 2.2.2.9 //Configure the MPLS LSR.
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0 //Enable MPLS on the interface.
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet3/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpn_in
ip address 110.1.1.2 255.255.255.0
#
interface Ethernet4/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpn_out
ip address 110.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100 //Establish MP-IBGP peer relationships between the Hub-PE and the Spoke-PEs.
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn_in //Import VPN routes.
peer 110.1.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpn_out //Import VPN routes.
peer 110.2.1.1 as-number 65430
peer 110.2.1.1 allow-as-loop
import-route direct
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return

----End

Configuration Notes
l A PE must use a loopback interface address with a 32-bit mask to set up an MP-IBGP
peer relationship with the peer PE so that VPN routes can be iterated to tunnels.
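An added example, not part of the Huawei document, covering 5.6.1 and 5.6.2: the Python script below parses the ip vpn-instance blocks of the PEs, follows a route through the vpn-target import/export matching, and for the hub-and-spoke case models the EBGP round trip through the Hub-CE with its AS path, so that the isolation of vpna from vpnb and the role of allow-as-loop on the Hub-PE can be checked from the configuration text. The device excerpts are constructed from the listings above.

```python
# Added example (not part of the Huawei document): follow a VPN route through
# the vpn-target import/export matching of the ip vpn-instance blocks above.
# For the hub-and-spoke case it also models the EBGP round trip through the
# Hub-CE and tracks the AS path, which shows why the Hub-PE needs allow-as-loop.
from collections import deque

BACKBONE_AS = 100   # provider AS in the examples of this section

def parse_vpn_instances(device, config):
    """Return {"device/instance": {"export": set(RT), "import": set(RT)}} for one device."""
    instances, current = {}, None
    for raw in config.splitlines():
        w = raw.split()
        if w[:2] == ["ip", "vpn-instance"]:
            current = instances.setdefault(f"{device}/{w[2]}", {"export": set(), "import": set()})
        elif w[:1] == ["#"]:
            current = None
        elif current is not None and w[:1] == ["vpn-target"]:
            rts, mode = w[1:-1], w[-1]          # VRP allows several targets on one line
            if mode in ("export-extcommunity", "both"):
                current["export"].update(rts)
            if mode in ("import-extcommunity", "both"):
                current["import"].update(rts)
    return instances

def load(configs):
    """Merge the vpn-instance tables of several devices given as {device: config text}."""
    merged = {}
    for device, text in configs.items():
        merged.update(parse_vpn_instances(device, text))
    return merged

def propagate(instances, origin, origin_as, ce_links=()):
    """Return {instance: as_path} for every instance that accepts a route that a CE in
    origin_as advertised to origin. A PE imports a VPNv4 route when one of the
    advertiser's export targets is in its own import list. Each ce_link
    (src, dst, ce_as, allow_as_loop) is a CE in ce_as that learns the route from
    src's PE and re-advertises it to dst's PE; allow_as_loop is dst's peer setting."""
    seen, queue = {origin: (origin_as,)}, deque([origin])
    while queue:
        here = queue.popleft()
        path = seen[here]
        for name, inst in instances.items():       # MP-IBGP: AS path unchanged
            if name not in seen and instances[here]["export"] & inst["import"]:
                seen[name] = path
                queue.append(name)
        for src, dst, ce_as, allow_loop in ce_links:   # PE -> CE -> PE round trip
            if src != here or dst in seen:
                continue
            new_path = (ce_as, BACKBONE_AS) + path   # PE prepends 100, the CE its own AS
            if BACKBONE_AS in new_path and not allow_loop:
                continue                             # own AS in path: route dropped
            seen[dst] = new_path
            queue.append(dst)
    return seen

# Constructed excerpts: the ip vpn-instance blocks of 5.6.1 (PE1, PE2) and of
# 5.6.2 (Spoke-PE1, Spoke-PE2, Hub-PE). Route distinguishers are not used here.
PE1 = """\
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
"""
BASIC = {"PE1": PE1, "PE2": PE1.replace("route-distinguisher 100:", "route-distinguisher 200:")}
SPOKE_PE = """\
#
ip vpn-instance vpna
ipv4-family
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
"""
HUB_PE = """\
#
ip vpn-instance vpn_in
ipv4-family
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
ipv4-family
vpn-target 200:1 export-extcommunity
#
"""
HUB_SPOKE = {"Spoke-PE1": SPOKE_PE, "Spoke-PE2": SPOKE_PE, "Hub-PE": HUB_PE}
# Hub-CE (AS 65430) learns vpn_in's routes and re-advertises them to vpn_out, whose peer has allow-as-loop.
HUB_CE_LINK = ("Hub-PE/vpn_in", "Hub-PE/vpn_out", 65430, True)

if __name__ == "__main__":
    print("5.6.1 route from CE1:", propagate(load(BASIC), "PE1/vpna", 65410))
    print("5.6.2 route from Spoke-CE1:", propagate(load(HUB_SPOKE), "Spoke-PE1/vpna", 65410, [HUB_CE_LINK]))
```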

5.6.3 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices on a Hierarchical Network
Specifications
This example applies to all versions.
This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 5-117, CE1 and CE2 belong to the same VPN and have the same VPN
target. CE1 connects to the UPE, and CE2 connects to the PE. UPE, SPE, and PE
communicate using OSPF.

Figure 5-117 Networking diagram for configuring HoVPN (diagram: AS 100 with UPE (Loopback1 1.1.1.9/32), SPE (Loopback1 2.2.2.9/32), and PE (Loopback1 3.3.3.9/32); UPE Eth2/0/0 172.1.1.1/24 - SPE Eth1/0/0 172.1.1.2/24; SPE Eth2/0/0 172.2.1.1/24 - PE Eth2/0/0 172.2.1.2/24; CE1 (vpna, AS 65410) Eth1/0/0 10.1.1.1/24 - UPE Eth1/0/0 10.1.1.2/24; CE2 (vpna, AS 65420) Eth1/0/0 10.2.1.1/24 - PE Eth1/0/0 10.2.1.2/24)

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
# //Configure EBGP between the PE and the CE.
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

Step 2 Configure the UPE.


#
sysname UPE
# //Create and configure a VPN instance.
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
# //Bind the VPN instance to the interface.
interface Ethernet1/0/0
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the UPE and the SPE.
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
# //Configure routes.
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return

Step 3 Configure the SPE.


#
sysname SPE
# //Create and configure a VPN instance.
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
# //Establish MP-IBGP peer relationships between the UPE and the SPE, and between the PE and the SPE.
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 1.1.1.9 upe
peer 1.1.1.9 default-originate vpn-instance vpna
peer 3.3.3.9 enable
# //Configure routes.
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return

Step 4 Configure the PE.


#
sysname PE
# //Create and configure a VPN instance.
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip address 172.2.1.2 255.255.255.0
mpls //Enable MPLS on the interface.
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and the SPE.
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65420
import-route direct
# //Configure routes.
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return

Step 5 Configure CE2.


#
sysname CE2
#
interface Ethernet1/0/0
ip address 10.2.1.1 255.255.255.0
# //Configure BGP between the PE and the CE.
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

----End

5.6.4 Example for Configuring Inter-AS BGP/MPLS IP VPN in Option A Mode

Specifications
This example applies to all versions.

This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 5-118, CE1 and CE2 belong to the same VPN. CE1 accesses PE1
through AS100, and CE2 accesses PE2 through AS200.

Inter-AS BGP/MPLS IP VPN is implemented through Option A. That is, the VRF-to-VRF
method is used to manage VPN routes.

Figure 5-118 Networking diagram for configuring Inter-AS VPN Option A (diagram: BGP/MPLS backbone AS 100 with PE1 (Loopback1 1.1.1.9/32) and ASBR1 (Loopback1 2.2.2.9/32), BGP/MPLS backbone AS 200 with ASBR2 (Loopback1 3.3.3.9/32) and PE2 (Loopback1 4.4.4.9/32); PE1 Eth1/0/0 172.1.1.2/24 - ASBR1 Eth1/0/0 172.1.1.1/24; ASBR1 Eth2/0/0 192.1.1.1/24 - ASBR2 Eth2/0/0 192.1.1.2/24; ASBR2 Eth1/0/0 162.1.1.1/24 - PE2 Eth1/0/0 162.1.1.2/24; CE1 (AS 65001) Eth1/0/0 10.1.1.1/24 - PE1 Eth2/0/0 10.1.1.2/24; CE2 (AS 65002) Eth1/0/0 10.2.1.1/24 - PE2 Eth2/0/0 10.2.1.2/24)

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
# //Establish an EBGP peer relationship between a PE and a CE.
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

Step 2 Configure PE1.


#
sysname PE1
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
# //Enable MPLS on the interface.
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
# //Bind the VPN instance to the interface.
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and the ASBR.
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.1.1.1 as-number 65001
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return

Step 3 Configure ASBR1.


#
sysname ASBR1
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 192.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and the ASBR.
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between ASBR1 and ASBR2.
peer 192.1.1.2 as-number 200
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return

Step 4 Configure ASBR2.


#
sysname ASBR2
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:2
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
# //Configure the MPLS LSR.
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
# //Enable MPLS on the interface.
interface Ethernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 192.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and ASBR.
bgp 200
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 4.4.4.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between ASBR1 and ASBR2.
peer 192.1.1.1 as-number 100
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

Step 5 Configure PE2.

#
sysname PE2
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
# //Enable MPLS.
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
# //Enable MPLS on the interface.
interface Ethernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and ASBR.
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.2.1.1 as-number 65002
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

Step 6 Configure CE2.


#
sysname CE2
#
interface Ethernet1/0/0
ip address 10.2.1.1 255.255.255.0
# //Establish an EBGP peer relationship between a PE and a CE.
bgp 65002
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

----End

5.6.5 Example for Configuring Inter-AS BGP/MPLS IP VPN in Option B Mode

Specifications
This example applies to all versions.
This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 5-119, CE1 and CE2 belong to the same VPN. CE1 accesses PE1
through AS100, and CE2 accesses PE2 through AS200.
Inter-AS BGP/MPLS IP VPN is implemented through Option B:
• ASBR1 and ASBR2 exchange VPNv4 routes using MP-EBGP.
• ASBRs do not filter the VPN-IPv4 routes received from each other based on VPN targets.

Figure 5-119 Networking diagram for configuring Inter-AS VPN Option B
[Figure: CE1 (AS 65001, Eth1/0/0 10.1.1.1/24) - PE1 (AS 100 BGP/MPLS backbone; Eth2/0/0 10.1.1.2/24, Eth1/0/0 172.1.1.2/24, Loopback1 1.1.1.9/32) - ASBR1 (Eth1/0/0 172.1.1.1/24, Eth2/0/0 192.1.1.1/24, Loopback1 2.2.2.9/32) - ASBR2 (AS 200 BGP/MPLS backbone; Eth2/0/0 192.1.1.2/24, Eth1/0/0 162.1.1.1/24, Loopback1 3.3.3.9/32) - PE2 (Eth1/0/0 162.1.1.2/24, Eth2/0/0 10.2.1.2/24, Loopback1 4.4.4.9/32) - CE2 (AS 65002, Eth1/0/0 10.2.1.1/24)]

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
# //Establish an EBGP peer relationship between a CE and a PE.
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

Step 2 Configure PE1.


#
sysname PE1
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
# //Enable MPLS on the interface.
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
# //Bind the VPN instance to the interface.
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and the ASBR.
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.1.1.1 as-number 65001
import-route direct
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return

Step 3 Configure ASBR1.


#
sysname ASBR1
# //Enable MPLS.
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
# //Establish an MP-EBGP peer relationship with ASBR2 and an MP-IBGP peer relationship with PE1.
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.2 enable
peer 1.1.1.9 enable
#
ipv4-family vpnv4 //Disable VPN target-based filtering for received routes and enable the ASBR to allocate labels for VPN routes based on the next hop.
undo policy vpn-target
apply-label per-nexthop
peer 1.1.1.9 enable
peer 192.1.1.2 enable
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return

Step 4 Configure ASBR2.


#
sysname ASBR2
# //Enable MPLS.
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
# //Establish an MP-EBGP peer relationship with ASBR1 and an MP-IBGP peer relationship with PE2.
bgp 200
peer 192.1.1.1 as-number 100
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.1 enable
peer 4.4.4.9 enable
#
ipv4-family vpnv4 //Disable VPN target-based filtering for received routes and enable the ASBR to allocate labels for VPN routes based on the next hop.
undo policy vpn-target
apply-label per-nexthop
peer 4.4.4.9 enable
peer 192.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

Step 5 Configure PE2.


#
sysname PE2
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Configure the MPLS LSR.
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
# //Enable MPLS on the interface.
interface Ethernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and ASBR.
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.2.1.1 as-number 65002
import-route direct
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

Step 6 Configure CE2.

#
sysname CE2
#
interface Ethernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65002 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

----End

5.6.6 Example for Configuring Inter-AS BGP/MPLS IP VPN in Option C Mode

Specifications
This example applies to all versions.
This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 5-120, CE1 and CE2 belong to the same VPN. CE1 accesses PE1
through AS100, and CE2 accesses PE2 through AS200.
Inter-AS BGP/MPLS IP VPN is implemented through Option C.

Figure 5-120 Networking diagram for configuring Inter-AS VPN Option C
[Figure: CE1 (AS 65001, Eth1/0/0 10.1.1.1/24) - PE1 (AS 100 BGP/MPLS backbone; Eth2/0/0 10.1.1.2/24, Eth1/0/0 172.1.1.2/24, Loopback1 1.1.1.9/32) - ASBR1 (Eth1/0/0 172.1.1.1/24, Eth2/0/0 192.1.1.1/24, Loopback1 2.2.2.9/32) - ASBR2 (AS 200 BGP/MPLS backbone; Eth2/0/0 192.1.1.2/24, Eth1/0/0 162.1.1.1/24, Loopback1 3.3.3.9/32) - PE2 (Eth1/0/0 162.1.1.2/24, Eth2/0/0 10.2.1.2/24, Loopback1 4.4.4.9/32) - CE2 (AS 65002, Eth1/0/0 10.2.1.1/24)]

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65001 //Establish an EBGP peer relationship between a CE and a PE.
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

Step 2 Configure PE1.


#
sysname PE1
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
# //Enable MPLS on the interface.
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
# //Bind the VPN instance to the interface.
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100 //Establish an IBGP peer relationship between PE1 and ASBR1.
peer 2.2.2.9 connect-interface LoopBack1
peer 4.4.4.9 as-number 200 //Establish an MP-EBGP peer relationship between PE1 and PE2.
peer 4.4.4.9 ebgp-max-hop 10
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
peer 2.2.2.9 label-route-capability //Enable the ability to exchange VPN IPv4 routes with ASBR1.
peer 4.4.4.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 4.4.4.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between PE1 and a CE and configure PE1 to import VPN routes from the CE.
peer 10.1.1.1 as-number 65001
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return

Step 3 Configure ASBR1.


#
sysname ASBR1
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 192.1.1.2 as-number 200 //Establish an EBGP peer relationship between ASBR1 and ASBR2.
peer 1.1.1.9 as-number 100 //Establish an IBGP peer relationship between ASBR1 and PE1.
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
network 1.1.1.9 255.255.255.255
peer 192.1.1.2 enable
peer 192.1.1.2 route-policy policy1 export //Apply a routing policy to the routes advertised to ASBR2, and enable labeled IPv4 route exchange with ASBR2.
peer 192.1.1.2 label-route-capability
peer 1.1.1.9 enable
peer 1.1.1.9 route-policy policy2 export //Apply a routing policy to the routes advertised to PE1, and enable labeled IPv4 route exchange with PE1.
peer 1.1.1.9 label-route-capability
# //Configure routes.
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
# //Configure a route-policy.
route-policy policy1 permit node 1
apply mpls-label
route-policy policy2 permit node 1
if-match mpls-label
apply mpls-label
#
return

Step 4 Configure ASBR2.


#
sysname ASBR2
# //Enable MPLS.
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
# //Configure labeled IPv4 route exchange.
bgp 200
peer 192.1.1.1 as-number 100 //Establish an EBGP peer relationship between ASBR2 and ASBR1.
peer 4.4.4.9 as-number 200 //Establish an IBGP peer relationship between ASBR2 and PE2.
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
network 4.4.4.9 255.255.255.255
peer 192.1.1.1 enable
peer 192.1.1.1 route-policy policy1 export //Apply a routing policy to the routes advertised to ASBR1, and enable labeled IPv4 route exchange with ASBR1.
peer 192.1.1.1 label-route-capability
peer 4.4.4.9 enable
peer 4.4.4.9 route-policy policy2 export //Apply a routing policy to the routes advertised to PE2, and enable labeled IPv4 route exchange with PE2.
peer 4.4.4.9 label-route-capability
# //Configure routes.
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
# //Create a route-policy.
route-policy policy1 permit node 1
apply mpls-label
route-policy policy2 permit node 1
if-match mpls-label
apply mpls-label
#
return

Step 5 Configure PE2.


#
sysname PE2
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
# //Bind the VPN instance to the interface.
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 1.1.1.9 as-number 100 //Establish an MP-EBGP peer relationship between PE2 and PE1.
peer 1.1.1.9 ebgp-max-hop 10
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
peer 3.3.3.9 label-route-capability
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between PE2 and CE2 and configure PE2 to import VPN routes from the CE.
peer 10.2.1.1 as-number 65002
import-route direct
# //Configure routes.
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

Step 6 Configure CE2.


#
sysname CE2
#
interface Ethernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65002 //Configure an EBGP peer relationship between the CE and the PE.
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

----End

5.6.7 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running IS-IS Between the PEs and CEs)
Specifications
This example applies to all versions.
This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use IS-IS to exchange routes.

Figure 5-121 Networking diagram for configuring BGP/MPLS IP VPN
[Figure: PE1 (LoopBack0 1.1.1.1/32; GE0/0/1 192.168.1.1/24; GE1/0/0 10.1.1.1/24 bound to vpn1) connects to PE2 (LoopBack0 2.2.2.2/32; GE0/0/1 192.168.1.2/24; GE1/0/0 10.1.2.1/24 bound to vpn1). CE1 (GE0/0/1 10.1.1.2/24, GE1/0/0 10.137.1.1/24) attaches to PE1; CE2 (GE0/0/1 10.1.2.2/24, GE1/0/0 10.137.2.1/24) attaches to PE2.]

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
isis 1 //Configure an IS-IS process.
network-entity 10.0000.1111.1112.00
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
return

Step 2 Configure CE2.


#
sysname CE2
#
isis 1 //Configure an IS-IS process.
network-entity 10.0000.1111.0001.00
#
interface GigabitEthernet0/0/1
ip address 10.1.2.2 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
interface GigabitEthernet1/0/0
ip address 10.137.2.1 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
return

Step 3 Configure PE1.


#
sysname PE1
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1 //Configure MPLS.
mpls
#
mpls ldp
#
isis 1 vpn-instance vpn1 //Bind the IS-IS process to the VPN instance.
network-entity 10.0000.1111.1111.00
import-route bgp //Configure the local PE to import VPNv4 routes learned from the remote PE to IS-IS.
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.1.1 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route isis 1 //Import IS-IS routes into the VRF table of the BGP-VPN instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

Step 4 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2 //Configure MPLS.
mpls
#
mpls ldp
#
isis 1 vpn-instance vpn1 //Bind the IS-IS process to the VPN instance.
network-entity 10.0000.1111.0002.00
import-route bgp //Configure the local PE to import VPNv4 routes learned from the remote PE to IS-IS.
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.2.1 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route isis 1 //Import IS-IS routes into the VRF table of the BGP-VPN instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
return

Step 5 Verify the configuration.


1. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN
routing table on the local PE has a route to the peer PE.

Use the display on PE1 as an example.

Destination/Mask   Proto   Pre  Cost  Flags  NextHop   Interface
10.1.2.0/24        IBGP    255  0     RD     2.2.2.2   GigabitEthernet0/0/1
10.137.2.0/24      IBGP    255  20    RD     2.2.2.2   GigabitEthernet0/0/1

Use the display on PE2 as an example.

Destination/Mask   Proto   Pre  Cost  Flags  NextHop   Interface
10.1.1.0/24        IBGP    255  0     RD     1.1.1.1   GigabitEthernet0/0/1
10.137.1.0/24      IBGP    255  20    RD     1.1.1.1   GigabitEthernet0/0/1

2. Run the display ip routing-table protocol isis command on CEs. CE1 and CE2 can
learn routes from each other.

Use the display on CE1 as an example.

Destination/Mask   Proto    Pre  Cost  Flags  NextHop   Interface
10.1.2.0/24        ISIS-L2  15   74    D      10.1.1.1  GigabitEthernet0/0/1
10.137.2.0/24      ISIS-L2  15   74    D      10.1.1.1  GigabitEthernet0/0/1

Use the display on CE2 as an example.

Destination/Mask   Proto    Pre  Cost  Flags  NextHop   Interface
10.1.1.0/24        ISIS-L2  15   74    D      10.1.2.1  GigabitEthernet0/0/1
10.137.1.0/24      ISIS-L2  15   74    D      10.1.2.1  GigabitEthernet0/0/1

CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.

----End

Configuration Notes
• When PEs and CEs use IS-IS to exchange routes, bind the IS-IS process to the VPN instance.
• Each PE must import BGP routes into the IS-IS process and IS-IS routes into the BGP-VPN instance IPv4 address family, so that the two protocols redistribute routes into each other.

5.6.8 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running BGP Between the PEs and CEs)

Specifications
This example applies to all versions.

This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use BGP to exchange routes.

Figure 5-122 Networking diagram for configuring BGP/MPLS IP VPN
[Figure: PE1 (LoopBack0 1.1.1.1/32; GE0/0/1 192.168.1.1/24; GE1/0/0 10.1.1.1/24 bound to vpn1) connects to PE2 (LoopBack0 2.2.2.2/32; GE0/0/1 192.168.1.2/24; GE1/0/0 10.1.2.1/24 bound to vpn1). CE1 (GE0/0/1 10.1.1.2/24, GE1/0/0 10.137.1.1/24) attaches to PE1; CE2 (GE0/0/1 10.1.2.2/24, GE1/0/0 10.137.2.1/24) attaches to PE2.]

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
bgp 65101
peer 10.1.1.1 as-number 100 //Establish an EBGP peer relationship.
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.1 enable
#
return

Step 2 Configure CE2.


#
sysname CE2
#
interface GigabitEthernet0/0/1
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.2.1 255.255.255.0
#
bgp 65102
peer 10.1.2.1 as-number 100 //Establish an EBGP peer relationship.
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.2.1 enable
#
return

Step 3 Configure PE1.


#
sysname PE1
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 2.2.2.2 enable
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.1.2 as-number 65101 //Configure the CE as a VPN peer.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

Step 4 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.2.2 as-number 65102 //Configure the CE as a VPN peer.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
return

Step 5 Verify the configuration.


1. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN
routing table on the local PE has a route to the peer PE.
Use the display on PE1 as an example.

Destination/Mask   Proto   Pre  Cost  Flags  NextHop   Interface
10.1.2.0/24        IBGP    255  0     RD     2.2.2.2   GigabitEthernet0/0/1
10.137.2.0/24      IBGP    255  0     RD     2.2.2.2   GigabitEthernet0/0/1

Use the display on PE2 as an example.

Destination/Mask   Proto   Pre  Cost  Flags  NextHop   Interface
10.1.1.0/24        IBGP    255  0     RD     1.1.1.1   GigabitEthernet0/0/1
10.137.1.0/24      IBGP    255  0     RD     1.1.1.1   GigabitEthernet0/0/1

2. Run the display ip routing-table protocol bgp command on CEs. CE1 and CE2 can
learn routes from each other.

Use the display on CE1 as an example.

Destination/Mask   Proto   Pre  Cost  Flags  NextHop   Interface
10.1.2.0/24        EBGP    255  0     D      10.1.1.1  GigabitEthernet0/0/1
10.137.2.0/24      EBGP    255  0     D      10.1.1.1  GigabitEthernet0/0/2

Use the display on CE2 as an example.

Destination/Mask   Proto   Pre  Cost  Flags  NextHop   Interface
10.1.1.0/24        EBGP    255  0     D      10.1.2.1  GigabitEthernet0/0/1
10.137.1.0/24      EBGP    255  0     D      10.1.2.1  GigabitEthernet0/0/2

CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.

----End

Configuration Notes
• PEs and CEs can use IBGP or EBGP to exchange routes. This example uses EBGP.
• You must configure the CE as a VPN peer in the BGP-VPN instance IPv4 address family view on the connected PE.
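Two requirements on this page lend themselves to an offline configuration check: the Option B rule in 5.6.5 that ASBRs pass VPNv4 routes without VPN-target filtering (so the ASBRs must carry the two vpnv4 commands and the PEs in both ASs must agree on route targets), and the note above that the CE peer belongs in the BGP-VPN instance IPv4 address family view. The Python below is an added example, not Huawei code: it parses listings in the printed VRP form (the embedded configs are constructed excerpts; parse_vrp, check_option_b_asbr, check_pe and rts_match are names chosen here) and reports deviations.

```python
"""Added static checks for the inter-AS Option B listings (5.6.5) and the PE-CE BGP
listing (5.6.8). The embedded configs are constructed excerpts, not device output."""
import re

# Constructed excerpt mirroring the 5.6.5 PE1 listing (indentation omitted, as printed).
PE1_OPTION_B = """\
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
bgp 100
peer 2.2.2.9 as-number 100
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
import-route direct
#
"""
# PE2 derived from PE1; PE2_WRONG_RT uses the per-AS targets (1:1 / 2:2) of the preceding example.
PE2_OPTION_B = PE1_OPTION_B.replace("100:1", "200:1").replace(
    "10.1.1.1 as-number 65001", "10.2.1.1 as-number 65002")
PE2_WRONG_RT = PE2_OPTION_B.replace("vpn-target 1:1", "vpn-target 2:2")

# Constructed excerpt mirroring the 5.6.5 ASBR1 listing.
ASBR1_OPTION_B = """\
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
#
ipv4-family vpnv4
undo policy vpn-target
apply-label per-nexthop
peer 1.1.1.9 enable
peer 192.1.1.2 enable
#
"""
# Commands that open another top-level view and so end a bgp / vpn-instance view.
TOP = re.compile(r"^(sysname|interface|ospf|isis|mpls|route-policy|return)\b")


def parse_vrp(text):
    """Map BGP families ('global', 'vpnv4', 'vpn-instance <name>') and VPN instances to command lines."""
    bgp, vpns, ctx, fam = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":  # '#' only separates views in a listing
            continue
        if line.startswith("bgp "):
            ctx, fam = "bgp", "global"
        elif line.startswith("ip vpn-instance "):
            ctx, fam = "vpn", line.split()[2]
            vpns[fam] = []
        elif TOP.match(line):
            ctx = None
        elif ctx == "bgp" and line.startswith("ipv4-family"):
            fam = line[len("ipv4-family"):].strip() or "unicast"
        elif ctx == "bgp":
            bgp.setdefault(fam, []).append(line)
        elif ctx == "vpn" and line != "ipv4-family":
            vpns[fam].append(line)
    return bgp, vpns


def rt_set(inst_lines, direction):
    """Route targets a VPN instance imports or exports (direction: 'import' / 'export')."""
    return {t for l in inst_lines
            if l.startswith("vpn-target ") and l.endswith(f"{direction}-extcommunity")
            for t in l.split()[1:-1]}


def check_option_b_asbr(text, inter_as_peer):
    """Option B ASBR vpnv4 family: no VPN-target filtering, per-next-hop labels, peer enabled."""
    vpnv4 = parse_vrp(text)[0].get("vpnv4", [])
    required = ["undo policy vpn-target", "apply-label per-nexthop", f"peer {inter_as_peer} enable"]
    return [f"vpnv4: missing '{cmd}'" for cmd in required if cmd not in vpnv4]


def check_pe(text, vpn, ce_peer, option_b=False):
    """The CE peer must sit under 'ipv4-family vpn-instance <vpn>'; Option B PEs also label per instance."""
    bgp, vpns = parse_vrp(text)
    if vpn not in vpns:
        return [f"VPN instance {vpn} not defined"]
    findings = []
    if option_b and "apply-label per-instance" not in vpns[vpn]:
        findings.append(f"{vpn}: missing 'apply-label per-instance'")
    fam = bgp.get(f"vpn-instance {vpn}", [])
    if not any(l.startswith(f"peer {ce_peer} as-number") for l in fam):
        findings.append(f"CE peer {ce_peer} not configured under ipv4-family vpn-instance {vpn}")
    return findings


def rts_match(pe_a, pe_b, vpn):
    """Option B ASBRs forward VPNv4 routes unfiltered, so each PE's exports must match the other's imports."""
    a, b = parse_vrp(pe_a)[1][vpn], parse_vrp(pe_b)[1][vpn]
    return (not rt_set(a, "export").isdisjoint(rt_set(b, "import"))
            and not rt_set(b, "export").isdisjoint(rt_set(a, "import")))
```

Run the same functions over a saved display current-configuration from each device; a non-empty finding list or a False from rts_match points at the view that needs attention.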

5.6.9 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running OSPF Between the PEs and CEs)

Specifications
This example applies to all versions.

This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use OSPF to exchange routes.


Figure 5-123 Networking diagram for configuring BGP/MPLS IP VPN. PE1 (LoopBack0 1.1.1.1/32): GE0/0/1 192.168.1.1/24 to PE2, GE1/0/0 10.1.1.1/24 (vpn1) to CE1. PE2 (LoopBack0 2.2.2.2/32): GE0/0/1 192.168.1.2/24 to PE1, GE1/0/0 10.1.2.1/24 (vpn1) to CE2. CE1: GE0/0/1 10.1.1.2/24, GE1/0/0 10.137.1.1/24. CE2: GE0/0/1 10.1.2.2/24, GE1/0/0 10.137.2.1/24.

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.137.1.0 0.0.0.255
#
return

Step 2 Configure CE2.


#
sysname CE2
#
interface GigabitEthernet0/0/1
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.2.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.137.2.0 0.0.0.255
#
return

Step 3 Configure PE1.


#
sysname PE1
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route ospf 3 //Import OSPF routes into the VRF table of the BGP-VPN instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ospf 3 vpn-instance vpn1 //Create an OSPF process and bind the OSPF process to the VPN instance.
import-route bgp //Configure the local PE to import VPNv4 routes learned from the peer PE to OSPF.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

Step 4 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route ospf 2 //Import OSPF routes into the VRF table of the BGP-VPN instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
ospf 2 vpn-instance vpn1
import-route bgp //Configure the local PE to import VPNv4 routes learned from the peer PE to OSPF.
area 0.0.0.0
network 10.1.2.0 0.0.0.255
#
return

Step 5 Verify the configuration.

1. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN routing table on the local PE has a route to the peer PE.

Use the display on PE1 as an example.

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.2.0/24         IBGP    255  0           RD  2.2.2.2         GigabitEthernet0/0/1
10.137.2.0/24       IBGP    255  3           RD  2.2.2.2         GigabitEthernet0/0/1


Use the display on PE2 as an example.

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.1.0/24         IBGP    255  0           RD  1.1.1.1         GigabitEthernet0/0/1
10.137.1.0/24       IBGP    255  3           RD  1.1.1.1         GigabitEthernet0/0/1

2. Run the display ip routing-table protocol ospf command on CEs. CE1 and CE2 can learn routes from each other.
Use the display on CE1 as an example.

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.2.0/24         O_ASE   150  1           D   10.1.1.1        GigabitEthernet0/0/1
10.137.2.0/24       OSPF    10   4           D   10.1.1.1        GigabitEthernet0/0/1

Use the display on CE2 as an example.

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.1.0/24         O_ASE   150  1           D   10.1.2.1        GigabitEthernet0/0/1
10.137.1.0/24       OSPF    10   4           D   10.1.2.1        GigabitEthernet0/0/1

CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.

----End

Configuration Notes
• When PEs and CEs use OSPF to exchange routes, bind the OSPF process to the VPN instance.
• PEs need to import routes advertised by BGP and OSPF from each other.
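As an added check for the verification step above (example code, not from the Huawei guide): a Python parser for the VRP routing-table output and a comparison against the routes the step expects on the PE (remote site via MP-IBGP, next hop the peer PE loopback) and on the CE (remote site via OSPF from the PE). The sample outputs are constructed from the PE1 and CE1 displays in this example.

```python
import re
from dataclasses import dataclass

# Constructed samples modelled on the "display ip routing-table" output shown in this
# example for PE1 (vpn-instance vpn1) and CE1 (protocol ospf). Not captured from a device.
PE1_VPN1_TABLE = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
         Destinations : 2        Routes : 2

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      10.1.2.0/24  IBGP    255  0           RD   2.2.2.2         GigabitEthernet0/0/1
    10.137.2.0/24  IBGP    255  3           RD   2.2.2.2         GigabitEthernet0/0/1
"""

CE1_OSPF_TABLE = """\
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      10.1.2.0/24  O_ASE   150  1           D    10.1.1.1        GigabitEthernet0/0/1
    10.137.2.0/24  OSPF    10   4           D    10.1.1.1        GigabitEthernet0/0/1
"""

# One routing-table row: prefix, protocol, preference, cost, flags, next hop, interface.
ROUTE_RE = re.compile(
    r"^\s*(?P<dest>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(?P<proto>\S+)\s+(?P<pre>\d+)\s+"
    r"(?P<cost>\d+)\s+(?P<flags>[A-Z]+)\s+(?P<nexthop>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<iface>\S+)\s*$"
)


@dataclass(frozen=True)
class Route:
    dest: str
    proto: str
    pre: int
    cost: int
    flags: str
    nexthop: str
    iface: str


def parse_routing_table(text):
    """Parse VRP routing-table output into Route objects.

    Banner, header and summary lines do not match ROUTE_RE and are skipped, so the
    function accepts the raw output of any 'display ip routing-table ...' variant.
    """
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Route(m["dest"], m["proto"], int(m["pre"]), int(m["cost"]),
                                m["flags"], m["nexthop"], m["iface"]))
    return routes


def check_routes(routes, expected):
    """Compare parsed routes with what the verification step requires.

    expected maps prefix -> (protocol, next hop). A prefix passes only if it is
    present, learned by that protocol, points at that next hop and carries the D
    flag (downloaded to the FIB). Returns a list of problem strings; an empty list
    means the table matches.
    """
    by_dest = {r.dest: r for r in routes}
    problems = []
    for dest, (proto, nexthop) in expected.items():
        r = by_dest.get(dest)
        if r is None:
            problems.append(f"{dest}: missing")
        elif r.proto != proto:
            problems.append(f"{dest}: learned by {r.proto}, expected {proto}")
        elif r.nexthop != nexthop:
            problems.append(f"{dest}: next hop {r.nexthop}, expected {nexthop}")
        elif "D" not in r.flags:
            problems.append(f"{dest}: not in the FIB (flags {r.flags})")
    return problems


# Expected state from this example: PE1 reaches the remote site through MP-IBGP with the
# peer PE loopback as next hop; CE1 learns the remote site via OSPF from PE1 (10.1.1.1).
PE1_EXPECTED = {"10.1.2.0/24": ("IBGP", "2.2.2.2"), "10.137.2.0/24": ("IBGP", "2.2.2.2")}
CE1_EXPECTED = {"10.1.2.0/24": ("O_ASE", "10.1.1.1"), "10.137.2.0/24": ("OSPF", "10.1.1.1")}

if __name__ == "__main__":
    for name, table, expected in (("PE1", PE1_VPN1_TABLE, PE1_EXPECTED),
                                  ("CE1", CE1_OSPF_TABLE, CE1_EXPECTED)):
        problems = check_routes(parse_routing_table(table), expected)
        print(name, "OK" if not problems else problems)
```

Paste the output of the display command on a real PE or CE in place of the constructed samples; the same checks apply to the static-route and RIP variants later in this chapter with the protocol names adjusted.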

5.6.10 Example for Configuring an OSPF Sham Link to Prevent Traffic Between Users in One VPN of the Same OSPF Area from Being Forwarded Based on the OSPF Intra-Area Routes

Specifications
This example applies to all versions.
This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs use OSPF to exchange routes. CE1 and CE2 belong to the same OSPF area and are also joined by a bypass link. VPN traffic between CE1 and CE2 must be forwarded over the MPLS backbone network rather than over the OSPF intra-area route across the bypass link.

Figure 5-124 Networking diagram for configuring BGP/MPLS IP VPN and OSPF sham link. PE1 (Loopback0 1.1.1.1/32, Loopback11 11.11.11.11/32): GE0/0/1 10.1.1.1/24 to PE2, Eth1/0/1 100.1.1.1/24 to CE1. PE2 (Loopback0 2.2.2.2/32, Loopback22 22.22.22.22/32): GE0/0/1 10.1.1.2/24 to PE1, Eth1/0/0 100.1.2.1/24 to CE2. The sham link runs between 11.11.11.11 and 22.22.22.22. CE1: Eth1/0/1 100.1.1.2/24 to PE1, Eth1/0/0 192.168.2.2/24 on the bypass link to CE2, GE0/0/1 192.168.1.1/24 to PC1 (192.168.1.2/24). CE2: Eth1/0/0 100.1.2.2/24 to PE2, Eth1/0/1 192.168.2.1/24 on the bypass link to CE1, GE0/0/1 192.168.3.1/24 to PC2 (192.168.3.2/24).

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 192.168.2.2 255.255.255.0
ospf cost 10
#
interface Ethernet1/0/1
ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

Step 2 Configure CE2.


#
sysname CE2
#


interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
#
interface Ethernet1/0/0
ip address 100.1.2.2 255.255.255.0
#
interface Ethernet1/0/1
ip address 192.168.2.1 255.255.255.0
ospf cost 10
#
ospf 1
area 0.0.0.0
network 100.1.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

Step 3 Configure PE1.


#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Ethernet1/0/1
ip binding vpn-instance vpn1
ip address 100.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack11
ip binding vpn-instance vpn1 //Bind the loopback interface used to establish a sham link to the VPN instance.
ip address 11.11.11.11 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route direct //Import the end address of a sham link. The end address of a sham link is advertised as the VPN-IPv4 address.
import-route ospf 2
#
ospf 1


area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.1 0.0.0.0
#
ospf 2 vpn-instance vpn1
import-route bgp
area 0.0.0.0
network 100.1.1.0 0.0.0.255
sham-link 11.11.11.11 22.22.22.22 //Specify the source and destination addresses of the sham link.
#
return

Step 4 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip binding vpn-instance vpn1
ip address 100.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface LoopBack22
ip binding vpn-instance vpn1 //Bind the loopback interface used to establish a sham link to the VPN instance.
ip address 22.22.22.22 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route direct //Import the end address of a sham link. The end address of a sham link is advertised as the VPN-IPv4 address.
import-route ospf 2
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
ospf 2 vpn-instance vpn1


import-route bgp
area 0.0.0.0
network 100.1.2.0 0.0.0.255
sham-link 22.22.22.22 11.11.11.11 //Specify the source and destination addresses of the sham link.
#
return

Step 5 Verify the configuration.

1. Run the display ospf 2 sham-link command on PEs to view the sham link.
Use the display on PE2 as an example.

Area      NeighborId   Source-IP     Destination-IP   State   Cost
0.0.0.0   100.1.1.1    22.22.22.22   11.11.11.11      P-2-P   1

2. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN routing table on the local PE has a route to the peer PE.
Use the display on PE1 as an example.

Destination/Mask     Proto   Pre  Cost      Flags NextHop         Interface
11.11.11.11/32       Direct  0    0           D   127.0.0.1       LoopBack0
22.22.22.22/32       IBGP    255  0           RD  2.2.2.2         GigabitEthernet0/0/1
100.1.1.0/24         Direct  0    0           D   100.1.1.1       Ethernet1/0/1
100.1.1.1/32         Direct  0    0           D   127.0.0.1       Ethernet1/0/1
100.1.1.255/32       Direct  0    0           D   127.0.0.1       Ethernet1/0/1
100.1.2.0/24         IBGP    255  0           RD  2.2.2.2         GigabitEthernet0/0/1
192.168.1.0/24       OSPF    10   2           D   100.1.1.2       Ethernet1/0/1
192.168.2.0/24       OSPF    10   11          D   100.1.1.2       Ethernet1/0/1
192.168.3.0/24       IBGP    255  3           RD  2.2.2.2         GigabitEthernet0/0/1
255.255.255.255/32   Direct  0    0           D   127.0.0.1       InLoopBack0

Use the display on PE2 as an example.

Destination/Mask     Proto   Pre  Cost      Flags NextHop         Interface
11.11.11.11/32       IBGP    255  0           RD  1.1.1.1         GigabitEthernet0/0/1
22.22.22.22/32       Direct  0    0           D   127.0.0.1       LoopBack0
100.1.1.0/24         IBGP    255  0           RD  1.1.1.1         GigabitEthernet0/0/1
100.1.2.0/24         Direct  0    0           D   100.1.2.1       Ethernet1/0/0
100.1.2.1/32         Direct  0    0           D   127.0.0.1       Ethernet1/0/0
100.1.2.255/32       Direct  0    0           D   127.0.0.1       Ethernet1/0/0
192.168.1.0/24       IBGP    255  3           RD  1.1.1.1         GigabitEthernet0/0/1
192.168.2.0/24       OSPF    10   11          D   100.1.2.2       Ethernet1/0/0
192.168.3.0/24       OSPF    10   2           D   100.1.2.2       Ethernet1/0/0
255.255.255.255/32   Direct  0    0           D   127.0.0.1       InLoopBack0

3. Run the display ip routing-table protocol ospf command on CEs. CE1 and CE2 can learn routes from each other and the outbound interface is the CE interface connected to the PE.

Use the display on CE1 as an example.

Destination/Mask     Proto   Pre  Cost      Flags NextHop         Interface
100.1.2.0/24         OSPF    10   3           D   100.1.1.1       Ethernet1/0/1
192.168.3.0/24       OSPF    10   4           D   100.1.1.1       Ethernet1/0/1

Use the display on CE2 as an example.

Destination/Mask     Proto   Pre  Cost      Flags NextHop         Interface
100.1.1.0/24         OSPF    10   3           D   100.1.2.1       Ethernet1/0/0
192.168.1.0/24       OSPF    10   4           D   100.1.2.1       Ethernet1/0/0

----End

Configuration Notes
• The route of the sham link address cannot be advertised to the peer PE through an OSPF process bound to a VPN instance. If the route of the sham link address is advertised to the peer PE through an OSPF process bound to a VPN instance, the peer PE has two routes to the sham link address. The two routes are learned from OSPF and MP-BGP respectively. The OSPF route takes precedence over the BGP route, so the peer PE uses the OSPF route. As a result, the sham link fails to be established.
• A PE must use the loopback interface address with a 32-bit mask to establish a sham link.
• To forward VPN traffic through the MPLS backbone network, configure the cost of the sham link to be smaller than the cost of the OSPF route used for forwarding VPN traffic over the user network.
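The first two notes, together with the import-route direct line in Step 3, can be checked mechanically before a sham link is committed. The following Python audit is an added example, not part of the Huawei guide: it flattens a VRP configuration (assuming VRP's one-space-per-level indentation in the running configuration) and reports a sham link whose source is not a /32 loopback bound to the VPN instance, is covered by a network statement of the VPN OSPF process, or is not imported into the BGP-VPN instance address family. The samples are constructed from PE1's configuration above plus a deliberately broken variant.

```python
import ipaddress

# Constructed sample: the views of PE1's configuration from this example that the audit
# reads, with real VRP indentation (one space per nesting level). Not from a device.
PE1_CONFIG = """\
interface LoopBack11
 ip binding vpn-instance vpn1
 ip address 11.11.11.11 255.255.255.255
#
bgp 100
 peer 2.2.2.2 as-number 100
 #
 ipv4-family vpn-instance vpn1
  import-route direct
  import-route ospf 2
#
ospf 2 vpn-instance vpn1
 import-route bgp
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  sham-link 11.11.11.11 22.22.22.22
#
"""

# Deliberately broken variant (constructed): /24 mask on the sham link loopback, the
# endpoint advertised by the VPN OSPF process, and no 'import-route direct' under BGP.
BROKEN_PE1_CONFIG = (
    PE1_CONFIG
    .replace("ip address 11.11.11.11 255.255.255.255", "ip address 11.11.11.11 255.255.255.0")
    .replace("  sham-link 11.11.11.11", "  network 11.11.11.11 0.0.0.0\n  sham-link 11.11.11.11")
    .replace("  import-route direct\n", "")
)


def parse_vrp(config):
    """Flatten a VRP configuration into (view, subview, command) triples.

    Leading spaces give the nesting level; '#' lines only separate views. A one-space
    line is a command of its view and the subview for the two-space lines below it."""
    triples, view, subview = [], None, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            view, subview = text, None
        elif indent == 1:
            subview = text
            triples.append((view, None, text))
        else:
            triples.append((view, subview, text))
    return triples


def covers(addr, network, wildcard):
    """True if an OSPF 'network <network> <wildcard>' statement matches addr."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(network)) & mask)


def audit_sham_links(config):
    """Check each sham link against the Configuration Notes above; return findings."""
    t = parse_vrp(config)
    findings = []
    for view, _, cmd in t:
        if not (view.startswith("ospf ") and " vpn-instance " in view
                and cmd.startswith("sham-link ")):
            continue
        vpn = view.split(" vpn-instance ")[1].split()[0]
        src = cmd.split()[1]
        # The source must be a /32 loopback bound to the same VPN instance.
        lo = [v for v, _, c in t
              if v.startswith("interface LoopBack") and c.startswith(f"ip address {src} ")]
        if not lo:
            findings.append(f"{src}: sham link source is not a loopback address")
        else:
            cmds = [c for v, _, c in t if v == lo[0]]
            mask = next(c.split()[3] for c in cmds if c.startswith(f"ip address {src} "))
            if mask != "255.255.255.255":
                findings.append(f"{src}: mask {mask}, a sham link endpoint needs a /32")
            if f"ip binding vpn-instance {vpn}" not in cmds:
                findings.append(f"{lo[0]}: not bound to vpn-instance {vpn}")
        # The VPN OSPF process must not advertise the endpoint, or the peer PE prefers
        # the OSPF route over the MP-BGP route and the sham link never comes up.
        for v, _, c in t:
            if v == view and c.startswith("network "):
                net, wild = c.split()[1:3]
                if covers(src, net, wild):
                    findings.append(f"{view}: 'network {net} {wild}' advertises {src}")
        # The endpoint reaches the peer PE only if BGP imports the direct route.
        bgp_cmds = [c for v, s, c in t
                    if v.startswith("bgp ") and s == f"ipv4-family vpn-instance {vpn}"]
        if "import-route direct" not in bgp_cmds:
            findings.append(f"bgp: no 'import-route direct' under ipv4-family vpn-instance {vpn}")
    return findings
```

Run audit_sham_links on the output of display current-configuration from each PE; the third note (sham link cost versus the user-network OSPF cost) still needs the per-interface ospf cost values and is not checked here.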

5.6.11 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running Static Routes Between the PEs and CEs)

Specifications
This example applies to all versions.

This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use static routes to communicate.


Figure 5-125 Networking diagram for configuring BGP/MPLS IP VPN. PE1 (LoopBack0 1.1.1.1/32): GE0/0/1 192.168.1.1/24 to PE2, GE1/0/0 10.1.1.1/24 (vpn1) to CE1. PE2 (LoopBack0 2.2.2.2/32): GE0/0/1 192.168.1.2/24 to PE1, GE1/0/0 10.1.2.1/24 (vpn1) to CE2. CE1: GE0/0/1 10.1.1.2/24, GE1/0/0 10.137.1.1/24. CE2: GE0/0/1 10.1.2.2/24, GE1/0/0 10.137.2.1/24.

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
return

Step 2 Configure CE2.


#
sysname CE2
#
interface GigabitEthernet0/0/1
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.2.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.2.1
#
return

Step 3 Configure PE1.


#
sysname PE1
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route static //Import static routes.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ip route-static vpn-instance vpn1 10.137.1.0 255.255.255.0 10.1.1.2
#
return

Step 4 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#


interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route static //Import static routes.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
ip route-static vpn-instance vpn1 10.137.2.0 255.255.255.0 10.1.2.2
#
return

Step 5 Verify the configuration.

# Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN routing table on the local PE has a route to the peer PE. CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.

# Use the display on PE1 as an example.

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.2.0/24         IBGP    255  0           RD  2.2.2.2         GigabitEthernet0/0/1
10.137.2.0/24       IBGP    255  20          RD  2.2.2.2         GigabitEthernet0/0/1

# Use the display on PE2 as an example.

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.1.0/24         IBGP    255  0           RD  1.1.1.1         GigabitEthernet0/0/1
10.137.1.0/24       IBGP    255  20          RD  1.1.1.1         GigabitEthernet0/0/1

----End

Configuration Notes
• BGP on PEs needs to import static VPN routes.
• Static routes to other VPNs must be configured on CEs.


5.6.12 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running RIP Between the PEs and CEs)

Specifications
This example applies to all versions.
This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use RIP to exchange routes.

Figure 5-126 Networking diagram for configuring BGP/MPLS IP VPN. PE1 (LoopBack0 1.1.1.1/32): GE0/0/1 192.168.1.1/24 to PE2, GE1/0/0 10.1.1.1/24 (vpn1) to CE1. PE2 (LoopBack0 2.2.2.2/32): GE0/0/1 192.168.1.2/24 to PE1, GE1/0/0 10.1.2.1/24 (vpn1) to CE2. CE1: GE0/0/1 10.1.1.2/24, GE1/0/0 10.137.1.1/24. CE2: GE0/0/1 10.1.2.2/24, GE1/0/0 10.137.2.1/24.

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
rip 1 //Create a RIP process.
version 2
network 10.0.0.0


#
return

Step 2 Configure CE2.


#
sysname CE2
#
interface GigabitEthernet0/0/1
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.2.1 255.255.255.0
#
rip 1 //Create a RIP process.
version 2
network 10.0.0.0
#
return

Step 3 Configure PE1.


#
sysname PE1
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route rip 1 //Import RIP routes into the VRF table of the BGP-VPN instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
rip 1 vpn-instance vpn1 //Create a RIP process and bind it to the VPN instance.
import-route bgp //Configure the local PE to import VPNv4 routes learned from the peer PE to RIP.
version 2
network 10.0.0.0
#
return

Step 4 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to build an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route rip 1 //Import RIP routes into the VRF table of the BGP-VPN instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
rip 1 vpn-instance vpn1
import-route bgp //Configure the local PE to import VPNv4 routes learned from the peer PE to RIP.
version 2
network 10.0.0.0
#
return

Step 5 Verify the configuration.

1. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN routing table on the local PE has a route to the peer PE.
Use the display on PE1 as an example.

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.2.0/24         IBGP    255  0           RD  2.2.2.2         GigabitEthernet0/0/1
10.137.2.0/24       IBGP    255  1           RD  2.2.2.2         GigabitEthernet0/0/1

Use the display on PE2 as an example.

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.1.0/24         IBGP    255  0           RD  1.1.1.1         GigabitEthernet0/0/1
10.137.1.0/24       IBGP    255  1           RD  1.1.1.1         GigabitEthernet0/0/1

2. Run the display ip routing-table protocol bgp command on CEs. CE1 and CE2 can learn routes from each other.
Use the display on CE1 as an example.

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.2.0/24         RIP     100  1           D   10.1.1.1        GigabitEthernet0/0/2
10.137.2.0/24       RIP     100  1           D   10.1.1.1        GigabitEthernet0/0/2

Use the display on CE2 as an example.

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.1.0/24         RIP     100  1           D   10.1.2.1        GigabitEthernet0/0/2
10.137.1.0/24       RIP     100  1           D   10.1.2.1        GigabitEthernet0/0/2

CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.

----End

Configuration Notes
• When PEs and CEs use RIP to exchange routes, bind the RIP process to the VPN instance.
• PEs need to import routes advertised by BGP and RIP from each other.


5.6.13 Example for Configuring Route Reflection to Optimize the VPN Backbone Layer

Specifications
This example applies to all versions.
This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, MP-IBGP
connections between PE1 and the RR, and between PE2 and the RR are set up, and VPN
routes are reflected by the RR.


Figure 5-127 Networking diagram for configuring route reflection to optimize the VPN backbone layer. PE1 (Loopback0 1.1.1.1/32): GE0/0/2 10.1.2.1/24 to the RR, GE0/0/1 192.168.4.1/24 (vpn1) to CE1. RR (Loopback0 2.2.2.2/32): GE0/0/2 10.1.2.2/24 to PE1, GE0/0/1 10.1.1.1/24 to PE2. PE2 (Loopback0 3.3.3.3/32): GE0/0/1 10.1.1.2/24 to the RR, GE0/0/2 192.168.3.1/24 (vpn1) to CE2. CE1: GE0/0/1 192.168.4.2/24. CE2: GE0/0/2 192.168.3.2/24.

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 192.168.4.2 255.255.255.0
#
bgp 65001 //Establish an EBGP relationship with PE1.
peer 192.168.4.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.4.1 enable
#
return

Step 2 Configure CE2.


#
sysname CE2
#
interface GigabitEthernet0/0/2
ip address 192.168.3.2 255.255.255.0
#
bgp 65002 //Establish an EBGP relationship with PE2.
peer 192.168.3.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.3.1 enable
#
return

Step 3 Configure PE1.


#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip binding vpn-instance vpn1
ip address 192.168.4.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.1.2.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100 //Specify the RR as the IBGP peer.
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
peer 192.168.4.2 as-number 65001
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.2.0 0.0.0.255
#
return

Step 4 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/2
ip binding vpn-instance vpn1
ip address 192.168.3.1 255.255.255.0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100 //Specify the RR as the IBGP peer.
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.1.1.0 0.0.0.255


#
return

Step 5 Configure the RR.


#
sysname RR
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/2
ip address 10.1.2.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100 //Specify PE2 as the IBGP peer of the RR.
peer 3.3.3.3 connect-interface LoopBack0
peer 1.1.1.1 as-number 100 //Specify PE1 as the IBGP peer of the RR.
peer 1.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
peer 1.1.1.1 enable
#
ipv4-family vpnv4
undo policy vpn-target //Configure the RR not to filter the received VPNv4 routes based on VPN targets.
peer 3.3.3.3 enable
peer 3.3.3.3 reflect-client //Configure route reflection for BGP VPNv4 routes on the RR. PE2 is the client.
peer 1.1.1.1 enable
peer 1.1.1.1 reflect-client //Configure route reflection for BGP VPNv4 routes on the RR. PE1 is the client.
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return

Step 6 Verify the configuration.

1. Run the display bgp vpnv4 all peer command on a PE or the RR to view the BGP VPNv4 peer setup.

The display on PE1 is as follows:

Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State        PrefRcv
2.2.2.2         4   100       13       11     0 00:08:10 Established       1

The display on PE2 is as follows:

Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State        PrefRcv
2.2.2.2         4   100       18       19     0 00:13:44 Established       1

The display on the RR is as follows:

Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State        PrefRcv
3.3.3.3         4   100       19       19     0 00:14:13 Established       1
1.1.1.1         4   100       16       19     0 00:13:36 Established       1

2. Run the display ip routing-table vpn-instance vpn1 command on the PEs. The VPN routing table on the local PE has a route to the peer PE.

The display on PE1 is as follows:

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
192.168.3.0/24      IBGP    255  0         RD    3.3.3.3         GigabitEthernet0/0/2

The display on PE2 is as follows:

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
...
192.168.4.0/24      IBGP    255  0         RD    1.1.1.1         GigabitEthernet0/0/1
...

----End

Configuration Notes
- The PEs only need to establish MP-IBGP peer relationships with the RR.
- The VPN instance does not need to be configured on the RR.
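As an added check that is not part of the Huawei guide, the following Python script parses display bgp vpnv4 all peer output like the RR's table in Step 6 and flags peers that are missing, not Established, receiving no VPNv4 prefixes, or not planned for at all. The sample table is constructed from the values shown above; the one-row-per-peer column layout is an assumption of this example.

```python
import re

# Constructed sample: the RR's "display bgp vpnv4 all peer" rows from Step 6,
# re-flowed to one peer per line (column layout is an assumption of this example).
RR_PEER_TABLE = """\
 Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State        PrefRcv
 3.3.3.3         4   100       19       19     0 00:14:13 Established       1
 1.1.1.1         4   100       16       19     0 00:13:36 Established       1
"""

# One peer row: address, version, AS, MsgRcvd, MsgSent, OutQ, Up/Down, State, PrefRcv
PEER_ROW = re.compile(
    r"^\s*(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<ver>\d+)\s+(?P<asn>\d+)\s+"
    r"(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+(?P<outq>\d+)\s+(?P<updown>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<prefrcv>\d+)\s*$")


def parse_vpnv4_peers(output: str) -> dict:
    """Map peer address -> fields for every peer row; headers and other lines are skipped."""
    peers = {}
    for line in output.splitlines():
        m = PEER_ROW.match(line)
        if m:
            peers[m["peer"]] = {"as": int(m["asn"]), "state": m["state"],
                                "pref_rcv": int(m["prefrcv"]), "up_down": m["updown"]}
    return peers


def check_vpnv4_peers(output: str, expected: list, local_as: int = 100) -> list:
    """Compare the peer table against the peers the design calls for.

    expected: the loopback addresses that must appear (both PEs on the RR, the RR on a PE).
    Returns a list of findings; an empty list means the VPNv4 peering looks as designed.
    """
    peers = parse_vpnv4_peers(output)
    findings = []
    for ip in expected:
        p = peers.get(ip)
        if p is None:
            findings.append(f"{ip}: not in peer table")
        elif p["as"] != local_as:
            findings.append(f"{ip}: AS {p['as']} is not the local AS {local_as} (not IBGP)")
        elif p["state"] != "Established":
            findings.append(f"{ip}: session {p['state']}")
        elif p["pref_rcv"] == 0:
            findings.append(f"{ip}: Established but no VPNv4 prefixes received (check vpn-target)")
    # A peer nobody planned for deserves a look: it can inject VPNv4 routes into vpn1.
    for ip in sorted(peers.keys() - set(expected)):
        findings.append(f"{ip}: unexpected VPNv4 peer")
    return findings
```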

5.7 VLL

5.7.1 Example for Configuring Martini VLL to Implement Communication Among Devices
Applicability
This example applies to all AR models of V200R003C00 and later versions.
This example does not apply to the AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 5-128, the MPLS network of an ISP provides the L2VPN service for
users. Many users connect to the MPLS network through PE1 and PE2, and users connected
to PE1 and PE2 change frequently. A proper VPN solution is required to provide secure VPN
services for users and to simplify configuration when new users connect to the network.
A Martini VLL connection can be set up between CE1 and CE2 to meet the requirements.

Figure 5-128 Martini VLL networking (diagram not reproduced; topology as labelled):
CE1 (GE1/0/0 10.3.1.1/24) -- PE1 (GE1/0/0 to CE1; GE2/0/0 10.1.1.1/24; Loopback1 10.10.10.1/32) -- P (GE2/0/0 10.1.1.2/24; GE1/0/0 10.2.2.2/24; Loopback1 10.10.10.2/32) -- PE2 (GE1/0/0 10.2.2.1/24; GE2/0/0 to CE2; Loopback1 10.10.10.3/32) -- CE2 (GE1/0/0 10.3.1.2/24). The Martini VLL runs between PE1 GE1/0/0 and PE2 GE2/0/0.

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.3.1.1 255.255.255.0
#
return

Step 2 Configure PE1.


#
sysname PE1
#
mpls lsr-id 10.10.10.1 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
mpls l2vpn //Enable MPLS L2VPN functions.
#
mpls ldp //Enable MPLS LDP globally.
#
mpls ldp remote-peer 10.10.10.3 //Create a remote LDP session.
remote-ip 10.10.10.3
#
interface GigabitEthernet1/0/0 //Create a VLL in Martini mode.
mpls l2vc 10.10.10.3 101
#
interface GigabitEthernet2/0/0 //Enable MPLS LDP on the interface.
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.10.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.10.10.1 0.0.0.0
#
return

Step 3 Configure the P.


#
sysname P
#
mpls lsr-id 10.10.10.2 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
mpls ldp //Enable MPLS LDP globally.
#
interface GigabitEthernet2/0/0 //Enable MPLS LDP on the interface.
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.10.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
network 10.10.10.2 0.0.0.0
#
return

Step 4 Configure PE2.


#
sysname PE2
#
mpls lsr-id 10.10.10.3 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
mpls l2vpn //Enable MPLS L2VPN functions.
#
mpls ldp //Enable MPLS LDP globally.
#
mpls ldp remote-peer 10.10.10.1 //Create a remote LDP session.
remote-ip 10.10.10.1
#
interface GigabitEthernet1/0/0 //Enable MPLS LDP on the interface.
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0 //Create a VLL in Martini mode.
mpls l2vc 10.10.10.1 101
#
interface LoopBack1
ip address 10.10.10.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.2.2.0 0.0.0.255
network 10.10.10.3 0.0.0.0
#
return

Step 5 Configure CE2.


#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.3.1.2 255.255.255.0
#
return

Step 6 Verify the configuration.

# Run the display mpls l2vc brief command on the PE devices to check L2VPN connection
information. You can see that an LDP VC is set up and is in Up state.

# CE1 and CE2 can ping each other.

----End

5.7.2 Example for Configuring VLL to Implement Communication over a GRE Tunnel

Applicability
This example applies to all AR models of V200R003C00 and later versions.

This example does not apply to the AR100&AR120&AR150&AR160&AR200 series routers.

Networking Requirements
The MPLS network of an ISP provides the L2VPN service for users. Many users connect to
the MPLS network through PE1 and PE2, and users connected to PE1 and PE2 change
frequently. A proper VPN solution is required to provide secure VPN services for users and to
simplify configuration when new users connect to the network.

A Martini VLL connection can be set up between CE1 and CE2 to meet the requirements. By
default, PE1 and PE2 set up one LSP tunnel and do not load balance traffic among multiple
tunnels. When the P device does not support MPLS, Martini VLL cannot be implemented.

To solve this problem, you can apply a tunnel policy to a Martini VLL so that VLL services
can be transmitted over the GRE tunnel.

Figure 5-129 Networking diagram for configuring VLL to use a GRE tunnel (diagram not reproduced; topology as labelled):
CE1 (GE1/0/0 10.1.1.1/24) -- PE1 (GE1/0/0 to CE1; GE2/0/0 172.1.1.1/24; Loopback1 10.10.1.1/32; Tunnel0/0/1 10.2.1.1/24) -- P (GE2/0/0 172.1.1.2/24; GE1/0/0 172.2.1.2/24) -- PE2 (GE1/0/0 172.2.1.1/24; GE2/0/0 to CE2; Loopback1 10.10.2.1/32; Tunnel0/0/1 10.2.1.2/24) -- CE2 (GE1/0/0 10.1.1.2/24). The GRE tunnel runs between Tunnel0/0/1 on PE1 and Tunnel0/0/1 on PE2 across the P device.

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
return

Step 2 Configure PE1.


#
sysname PE1
#
mpls lsr-id 10.10.1.1 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
mpls l2vpn //Enable MPLS L2VPN functions.
#
mpls ldp //Enable MPLS LDP globally.
#
mpls ldp remote-peer 10.10.2.1 //Create a remote LDP session.
remote-ip 10.10.2.1
#
interface GigabitEthernet1/0/0
mpls l2vc 10.10.2.1 39 tunnel-policy gre1 //Create a VLL in Martini mode and specify the tunnel policy name.
#
interface GigabitEthernet2/0/0
ip address 172.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.10.1.1 255.255.255.255
#
interface Tunnel0/0/1 //Create a GRE tunnel interface.
ip address 10.2.1.1 255.255.255.0
tunnel-protocol gre
source 10.10.1.1
destination 10.10.2.1
#
ospf 1
area 0.0.0.0
network 10.10.1.1 0.0.0.0
network 172.1.1.0 0.0.0.255
#
tunnel-policy gre1 //Configure a tunnel policy.
tunnel select-seq gre load-balance-number 1
#
return

Step 3 Configure the P.


#
sysname P
#
interface GigabitEthernet2/0/0
ip address 172.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 172.2.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return

Step 4 Configure PE2.


#
sysname PE2
#
mpls lsr-id 10.10.2.1 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
mpls l2vpn //Enable MPLS L2VPN functions.
#
mpls ldp //Enable MPLS LDP globally.
#
mpls ldp remote-peer 10.10.1.1 //Create a remote LDP session.
remote-ip 10.10.1.1
#
interface GigabitEthernet1/0/0
ip address 172.2.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Create a VLL in Martini mode and specify the tunnel policy name.
mpls l2vc 10.10.1.1 39 tunnel-policy gre1
#
interface LoopBack1
ip address 10.10.2.1 255.255.255.255
#
interface Tunnel0/0/1 //Create a GRE tunnel interface.
ip address 10.2.1.2 255.255.255.0
tunnel-protocol gre
source 10.10.2.1
destination 10.10.1.1
#
ospf 1
area 0.0.0.0
network 10.10.2.1 0.0.0.0
network 172.2.1.0 0.0.0.255
#
tunnel-policy gre1 //Configure a tunnel policy.
tunnel select-seq gre load-balance-number 1
#
return

Step 5 Configure CE2.


#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0
#
return

Step 6 Verify the configuration.


# Run the display mpls l2vc brief command on the PE devices to check L2VPN connection
information. You can see that a VC is set up and is in Up state.
# CE1 and CE2 can ping each other.

----End
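The two PE sides of a Martini VLL must agree on the VC ID, point at each other's LSR ID, have the remote LDP session configured, and (in 5.7.2) reference a tunnel policy that actually exists. The Python check below is an added example, not Huawei code, that cross-checks those facts for both the plain VLL in 5.7.1 and the tunnel-policy variant in 5.7.2; the embedded excerpts are constructed from the PE1 and PE2 configurations in Steps 2 and 4 above with only the VLL-relevant lines kept.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpts of the PE1 and PE2 configurations from Steps 2 and 4
# (VLL-relevant lines only); the check works the same on a full running config.
PE1_CFG = """
sysname PE1
mpls lsr-id 10.10.1.1
mpls l2vpn
mpls ldp remote-peer 10.10.2.1
 remote-ip 10.10.2.1
interface GigabitEthernet1/0/0
 mpls l2vc 10.10.2.1 39 tunnel-policy gre1
tunnel-policy gre1
 tunnel select-seq gre load-balance-number 1
"""

PE2_CFG = """
sysname PE2
mpls lsr-id 10.10.2.1
mpls l2vpn
mpls ldp remote-peer 10.10.1.1
 remote-ip 10.10.1.1
interface GigabitEthernet2/0/0
 mpls l2vc 10.10.1.1 39 tunnel-policy gre1
tunnel-policy gre1
 tunnel select-seq gre load-balance-number 1
"""


@dataclass
class PeSide:
    name: str = ""
    lsr_id: str = ""
    l2vpn: bool = False
    remote_ips: set = field(default_factory=set)
    vcs: dict = field(default_factory=dict)      # VC ID -> (interface, peer, tunnel policy)
    policies: set = field(default_factory=set)


def parse_pe(cfg: str) -> PeSide:
    """Pull the VLL-relevant facts out of a VRP-style configuration text."""
    side, iface = PeSide(), None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"sysname (\S+)$", line):
            side.name = m[1]
        elif m := re.match(r"mpls lsr-id (\S+)$", line):
            side.lsr_id = m[1]
        elif line == "mpls l2vpn":
            side.l2vpn = True
        elif m := re.match(r"remote-ip (\S+)$", line):
            side.remote_ips.add(m[1])
        elif m := re.match(r"interface (\S+)$", line):
            iface = m[1]
        elif m := re.match(r"tunnel-policy (\S+)$", line):
            side.policies.add(m[1])
        elif m := re.match(r"mpls l2vc (\S+) (\d+)(?: tunnel-policy (\S+))?$", line):
            side.vcs[int(m[2])] = (iface, m[1], m[3])   # m[3] is None without a policy
    return side


def check_vll_pair(a: PeSide, b: PeSide) -> list:
    """Return the mismatches between the two PEs; an empty list means consistent."""
    problems = []
    for x, y in ((a, b), (b, a)):
        if not x.l2vpn:
            problems.append(f"{x.name}: mpls l2vpn is not enabled")
        if y.lsr_id not in x.remote_ips:
            problems.append(f"{x.name}: no remote LDP peer for {y.lsr_id}")
        for vcid, (iface, peer, policy) in x.vcs.items():
            if peer != y.lsr_id:
                problems.append(f"{x.name} {iface}: VC {vcid} targets {peer}, not {y.lsr_id}")
            if vcid not in y.vcs:
                problems.append(f"{x.name} {iface}: VC {vcid} has no counterpart on {y.name}")
            if policy and policy not in x.policies:
                problems.append(f"{x.name} {iface}: tunnel-policy {policy} is not defined")
    return problems
```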

5.8 PWE3

5.8.1 Example for Configuring E&M Interfaces for Transmitting VHF Services in ATC Scenario (Dual Link Protection on the Backbone Network)
Specifications
This example applies to AR2220, AR2240, AR2240C, AR3260 and AR3670 routers of
V200R005C20 and later versions.

Networking Requirements
In an Air Traffic Control (ATC) scenario, the Area Control Center (ACC) connects to a
broadcasting system over the backbone network, as shown in Figure 5-130. PE1 on the
backbone network uses an E&M interface to connect to the Voice Communication System of
the ACC, and PE2 uses an E&M interface to connect to the broadcasting system. The
customer requires that very high frequency (VHF) services be transmitted normally
between the ACC and the broadcasting system, so that pilots can talk with the air traffic
controller.
In addition, communication between the ACC and the broadcasting system is critical and
signal interruption is not allowed. The customer uses two E1 links to ensure communication
stability and reliability.

Figure 5-130 Configuring E&M interfaces for transmitting VHF services in ATC scenario (diagram not reproduced; topology as labelled):
Air traffic controller / Area Control Center -- E&M interface (Serial4/0/0) -- PE1 (Loopback0 1.1.1.9/32; Serial1/0/0:0 172.1.1.1/24; Serial1/0/1:0 173.1.1.1/24) == MPLS backbone network with an MPLS TE tunnel over the two E1 links == PE2 (Loopback0 2.2.2.9/32; Serial1/0/0:0 172.1.1.2/24; Serial1/0/1:0 173.1.1.2/24) -- E&M interface (Serial4/0/0) -- local/remote broadcasting system and wireless tower.

Requirement Analysis
- VHF services between the ACC and the broadcasting system need to be transmitted through
E&M interfaces. PWE3 is required to set up a tunnel over the backbone network for
transmitting VHF service data.
- The customer uses two E1 links over the backbone network to ensure communication
stability and reliability. Among the available tunneling technologies, MPLS TE is
preferred for its high reliability and fast switching capability. In addition, MPLS TE
can be used with BFD to speed up fault detection and switching between the primary and
backup CR-LSPs. The primary and backup CR-LSPs set up using MPLS TE each use one of the
E1 links as their explicit path. After the primary link fails, service data is fast switched to the
hot-standby CR-LSP without traffic loss or delay.
NOTE

PWE3 requires a license. To use the PWE3 functions, apply for and purchase the license
from the Huawei local office.

Procedure
Step 1 Configure PE1.
#
sysname PE1
#
bfd
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf //Enable CSPF and create an MPLS TE tunnel.
#
mpls l2vpn
#
explicit-path backup //Specify an explicit path for the backup CR-LSP.
next hop 173.1.1.2
next hop 2.2.2.9
#
explicit-path main //Specify an explicit path for the primary CR-LSP.
next hop 172.1.1.2
next hop 2.2.2.9
#
pw-template pe2pe //Set up PWE3 using the PW template.
peer-address 2.2.2.9 //Specify the remote address of the PW.
jitter-buffer depth 8 //Set the jitter buffer depth. The deeper the jitter buffer is, the stronger the anti-jitter capability, but the longer the transmission delay introduced when data flows are reconstructed. An improper jitter buffer depth degrades service transmission quality.
tdm-encapsulation-number 8 //Set the number of TDM frames encapsulated into each PW packet. Encapsulating few TDM frames per packet keeps network delay small but encapsulation overhead high; encapsulating many TDM frames per packet improves bandwidth usage but increases network delay.
#
mpls ldp
#
mpls ldp remote-peer 2.2.2.9 //Specify the MPLS LDP peer.
remote-ip 2.2.2.9
#
controller E1 1/0/0
using e1
clock master //Configure the interface to work in master clock mode to ensure correct data transmission.
#
controller E1 1/0/1
using e1
clock master
#
interface Serial1/0/0:0
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Serial1/0/1:0
link-protocol ppp
ip address 173.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Serial4/0/0 //Configure an AC interface to create a tunnel for transmitting high frequency services.
link-protocol tdm
mpls l2vc pw-template pe2pe 300 tunnel-policy te
em passthrough enable //Enable transparent data transmission to transmit E&M data through the MPLS tunnel.
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel0/0/0 //Create an MPLS TE tunnel.
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 2.2.2.9
mpls te tunnel-id 100
mpls te record-route
mpls te path explicit-path main //Configure the explicit path used by the primary CR-LSP.
mpls te path explicit-path backup secondary //Configure the explicit path used by the backup CR-LSP.
mpls te backup hot-standby mode revertive wtr 15
mpls te backup ordinary best-effort
mpls te commit
#
ospf 1 router-id 1.1.1.9 //Advertise routing information to set up an MPLS TE tunnel.
opaque-capability enable
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 173.1.1.0 0.0.0.255
mpls-te enable
#
tunnel-policy te //Configure a tunnel policy to enable the PWE3 to use the MPLS TE tunnel and LDP LSP.
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd a bind mpls-te interface Tunnel0/0/0 te-lsp //Configure BFD to fast switch service data between the primary and backup CR-LSPs.
discriminator local 10
discriminator remote 10
min-tx-interval 10
min-rx-interval 10
process-pst
notify neighbor-down
commit
#
return

Step 2 Configure PE2.


#
sysname PE2
#
bfd
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls l2vpn
#
explicit-path backup
next hop 173.1.1.1
next hop 1.1.1.9
#
explicit-path main
next hop 172.1.1.1
next hop 1.1.1.9
#
pw-template pe2pe
peer-address 1.1.1.9
jitter-buffer depth 8
tdm-encapsulation-number 8
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.9
remote-ip 1.1.1.9
#
controller E1 1/0/0
using e1
#
controller E1 1/0/1
using e1
#
interface Serial1/0/0:0
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Serial1/0/1:0
link-protocol ppp
ip address 173.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Serial4/0/0
link-protocol tdm
mpls l2vc pw-template pe2pe 300 tunnel-policy te
em passthrough enable
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
interface Tunnel0/0/0
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 1.1.1.9
mpls te tunnel-id 100
mpls te record-route
mpls te path explicit-path main
mpls te path explicit-path backup secondary
mpls te backup hot-standby mode revertive wtr 15
mpls te backup ordinary best-effort
mpls te commit
#
ospf 1 router-id 2.2.2.9
opaque-capability enable
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 173.1.1.0 0.0.0.255
mpls-te enable
#
tunnel-policy te
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd a bind mpls-te interface Tunnel0/0/0 te-lsp
discriminator local 10
discriminator remote 10
min-tx-interval 10
min-rx-interval 10
process-pst
notify neighbor-down
commit
#
return

Step 3 Verify the configuration.

# After the configurations are complete, check whether an MPLS TE tunnel has been set up
between the two PE devices and whether the VCs are in Up state. The command output on
PE1 is used as an example.
[PE1] display mpls te tunnel-interface tunnel 0/0/0
----------------------------------------------------------------
Tunnel0/0/0
----------------------------------------------------------------
Tunnel State Desc : UP
Active LSP : Primary LSP
Session ID : 100
Ingress LSR ID : 1.1.1.9 Egress LSR ID: 2.2.2.9
Admin State : UP Oper State : UP
Primary LSP State : UP
Main LSP State : READY LSP ID : 10
Hot-Standby LSP State : UP
Main LSP State : READY LSP ID : 32773
[PE1] display mpls l2vc interface serial 4/0/0
*client interface : Serial4/0/0 is up


Administrator PW : no
session state : up
AC status : up
VC state : up
Label state : 0
Token state : 0
VC ID : 300
VC type : CESoPSN basic mode
destination : 2.2.2.9
......

# When music is played in the ACC, the broadcasting system transmits voices properly and
clearly. When the primary E1 link is cut off, services are fast switched to the backup link and
pilots are not aware of interruption or delay. When the primary E1 link recovers, services are
fast switched back to the primary link and pilots are not aware of interruption or delay.

----End
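The tdm-encapsulation-number comment in Step 1 describes a delay-versus-overhead tradeoff without numbers; the Python below, an added example that is not from the Huawei guide, computes packetization delay, packet rate and header overhead for a CESoPSN PW (the VC type shown in the verification output) and picks the largest value that fits a delay budget. Its assumptions, not the guide's, are that the E&M AC maps to a single DS0 timeslot and that each PW packet carries 16 octets of headers on the PPP-framed E1 links (PPP 4 + tunnel label 4 + PW label 4 + control word 4, no RTP).

```python
from dataclasses import dataclass
from typing import Optional

E1_FRAMES_PER_SECOND = 8000            # one E1 frame every 125 microseconds
E1_FRAME_US = 1_000_000 / E1_FRAMES_PER_SECOND


@dataclass(frozen=True)
class CesopsnProfile:
    frames_per_packet: int             # value of tdm-encapsulation-number
    timeslots: int = 1                 # DS0s carried by the AC (assumed 1 for E&M voice)
    header_bytes: int = 16             # assumed per-packet header overhead (see lead-in)

    @property
    def payload_bytes(self) -> int:
        # CESoPSN payload: one octet per timeslot per TDM frame
        return self.frames_per_packet * self.timeslots

    @property
    def packetization_delay_us(self) -> float:
        # time spent collecting TDM frames before the PW packet can leave
        return self.frames_per_packet * E1_FRAME_US

    @property
    def packets_per_second(self) -> float:
        return E1_FRAMES_PER_SECOND / self.frames_per_packet

    @property
    def overhead_ratio(self) -> float:
        # share of every PSN bit that is header rather than TDM payload
        return self.header_bytes / (self.header_bytes + self.payload_bytes)

    @property
    def psn_bitrate_bps(self) -> float:
        # backbone bandwidth the PW consumes for an AC of 64 kbit/s per timeslot
        return self.packets_per_second * (self.header_bytes + self.payload_bytes) * 8


def choose_encapsulation(timeslots: int, max_delay_us: float,
                         max_overhead: float, limit: int = 64) -> Optional[int]:
    """Largest frames-per-packet value within the delay budget whose header
    share is at most max_overhead; None if no value satisfies both limits."""
    best = None
    for n in range(1, limit + 1):
        p = CesopsnProfile(n, timeslots)
        if p.packetization_delay_us > max_delay_us:
            break
        if p.overhead_ratio <= max_overhead:
            best = n                  # overhead only falls as n grows, keep the last fit
    return best


if __name__ == "__main__":
    for n in (1, 8, 32):              # 8 is the value used in the pw-template above
        p = CesopsnProfile(n)
        print(f"N={n:2d}: delay {p.packetization_delay_us:6.0f} us, "
              f"{p.packets_per_second:6.0f} pps, overhead {p.overhead_ratio:.0%}, "
              f"PSN rate {p.psn_bitrate_bps / 1000:.0f} kbit/s")
```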
