AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series Enterprise Routers
Typical Configuration Examples
5 Using VPN to Implement WAN Interconnection
5.1 L2TP
5.2 GRE
5.3 DSVPN
5.4 IPSec
5.5 SSL VPN
5.6 BGP/MPLS IP VPN
5.7 VLL
5.8 PWE3
5.1 L2TP
Networking Requirements
As shown in Figure 5-1, users on enterprise branches LAN1 and LAN2 connect to the LAC
using PPPoE and initiate connections with enterprise headquarters LAN3.
Two domains are configured on the LAC: aaa.com and bbb.com. Users in the domain aaa.com
are located on the network segment 10.1.1.0/24 and users in the domain bbb.com are located
on the network segment 10.2.1.0/24.
There is a reachable route from the LNS to the LAC and a tunnel is set up between the LNS
and the LAC. After access users are authenticated, the LNS allocates IP addresses and
gateway addresses to the access users.
Figure 5-1 (diagram not reproduced; labels recovered): PPPoE users user1@aaa.com on LAN 1 and user2@bbb.com (PC2) connect to the LAC; the LAC-LNS link carries 202.1.1.2/24 and 202.1.1.1/24; the LNS VT1 is 10.1.1.1/24, and LAN 3 (10.3.1.1/24) holds PC3 at 10.3.1.2/24.
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
# Run the display l2tp session command on the LNS. You can see that two sessions are set
up.
----End
Configuration Notes
• An L2TP group is created for each domain, and different L2TP groups have different tunnel names.
• An L2TP group uses tunnel authentication by default, and the passwords at both ends of the tunnel must be the same.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 5-2, an enterprise has some branches located in other cities, and the
branches use the Ethernet network.
The enterprise requires that the headquarters should provide VPDN services for branch users,
so that the branch users can access the headquarters network. When branch users access
intranet servers on the headquarters network, data should be encrypted to prevent data leaks.
To meet these requirements, you can configure the LAC to initiate an L2TP connection
request to the LNS. Then you can configure IPSec to protect data exchanged between branch
users and intranet servers. IPSec-encrypted data is transmitted over the L2TP tunnel between
the LAC and LNS.
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 10.2.1.0 0.0.0.255 destination 10.3.1.0 0.0.0.255
#
ipsec proposal lac //Create an IPSec proposal.
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike peer lac v1 //Create an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
remote-address 10.4.1.1 //Specify an IP address for the remote IPSec interface.
#
ipsec policy lac 1 isakmp //Create an IPSec policy.
security acl 3000
ike-peer lac
proposal lac
#
interface Virtual-Template1 //Create a virtual tunnel template.
ppp chap user huawei //Set the user name of the virtual PPP user to huawei.
ppp chap password cipher %@%@\;#%<c~6Y%cNZK/h.pK%:>Uo%@%@ //Set the password of the virtual PPP user to Huawei@1234.
ip address ppp-negotiate //Configure IP address negotiation.
l2tp-auto-client enable //Enable the virtual PPP user to initiate an L2TP connection request.
# Run the display l2tp tunnel command on the LAC or LNS. You can see that an L2TP
tunnel and a session numbered 1 have been established.
# Run the display ike sa command on the LAC or Router_1. In the command output, Flag(s)
is displayed as RD, indicating that an SA has been established successfully; Phase is
displayed as 1 and 2.
----End
Configuration Notes
• The LAC and LNS must use the same user name and password.
• On the LAC, the IPSec policy must be bound to the VT1 interface.
• When you configure a static route on the LAC, the outbound interface in the route destined to the headquarters network segment must be the VT1 interface.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 5-3, users connect to the LNS to access the headquarters network though
the LAC. Data exchanged between the LAC and LNS is encrypted by IPSec.
Figure 5-3 (diagram not reproduced; labels recovered): the PC on LAN 192.168.1.0/24 sits behind the LAC, whose GE1/0/0 is 12.1.1.2/24; the LNS GE1/0/0 is 12.1.1.1/24 and its GE2/0/0 is 192.168.0.1/24.
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 12.1.1.2 0 destination 12.1.1.1 0 //Configure an ACL rule to define the source and destination IP addresses.
#
ipsec proposal lac //Configure an IPSec proposal.
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike peer lac v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
remote-address 12.1.1.1 //Configure the WAN-side interface address as the remote address.
#
ipsec policy lac 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer lac
proposal lac
#
interface GigabitEthernet1/0/0 //Assign an IP address to the WAN-side interface.
ip address 12.1.1.2 255.255.255.0
ipsec policy lac //Bind the IPSec policy.
#
interface GigabitEthernet2/0/0 //Assign an IP address to the LAN-side interface.
ip address 192.168.1.1 255.255.255.0
#
interface Virtual-Template1 //Configure the user name and password, authentication mode, and IP address for the virtual PPP user.
ppp chap user huawei
ppp chap password cipher %^%#'&=6Q(|7-#|.]EB`mK$(h7[CY`2m}-YT)Q=Oh2~2%^%#
L2TP tunnel.
#
l2tp-group 1 //Configure an L2TP group and set attributes.
tunnel password cipher %@%@d'o6Xpp(i/i:WRC)`'0#3nJ*%@%@ //Enable tunnel authentication, and set the cipher password to huawei, which is the same as that on the peer device.
tunnel name LAC
start l2tp ip 12.1.1.1 fullusername huawei
#
ip route-static 192.168.0.0 255.255.255.0 Virtual-Template1 //Configure a static route.
#
return
----End
Configuration Notes
• The LAC and LNS must use the same user name and password.
• The IPSec policy is bound to the external network interface. Packets are encapsulated with the L2TP header first, and then the IPSec header.
Networking Requirements
As shown in Figure 5-4, physical positions of traveling employees often change and they
need to communicate with the headquarters and access internal resources at any time. L2TP is
deployed on the enterprise network and traveling employees connect to the enterprise network
through dialup so that the headquarters gateway can identify and manage access users. In this
example, the PC runs Windows 7 operating system.
After an L2TP connection is set up, employees can only access internal resources. To ensure
that traveling employees can access external resource after successful dialup, configure NAT
on the LNS.
Figure 5-4 Networking for configuring remote dialup users to connect to the external network
through the L2TP tunnel
Figure 5-4 (diagram not reproduced; labels recovered): traveling employee PC1 (L2TP dialup software, 202.1.2.1/24) reaches the LNS GE1/0/0 (202.1.1.1/24) across the Internet; the L2TP tunnel terminates on VT1 (192.168.1.1/24) at the enterprise headquarters, where PC2 (192.168.2.2/24) and the DNS server (10.10.10.10/24) sit.
Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT translation, so that addresses allocated by L2TP are translated using NAT.
rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
local-user huawei password cipher
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
nat outbound 2001 //Configure outbound NAT for Internet access.
#
interface Virtual-Template1 //Create an L2TP group and set parameters for creating an L2TP tunnel.
ppp authentication-mode chap
remote address pool lns
ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so that employees can access external resources using domain names.
ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1
undo tunnel authentication //The non-authentication mode is recommended for PC dialup.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return
Enter an Internet address which is the IP address of the LNS (202.1.1.1), enter a destination
name (for example, L2TP) as the network connection name, and click Next. You can
customize a destination name.
Enter the user name huawei and password Huawei@1234 and click Create.
NOTE
Click Close.
Choose Start > Run > Network and Sharing Center and click Connect to a network. The
created L2TP connection is displayed. Right-click L2TP and choose Properties to set
connection parameters.
You do not need to modify parameters on the General tab.
Select Display progress while connecting and Prompt for name and password, certificate, etc. on the Options tab.
NOTE
Do not change the parameters that are displayed after you click PPP Settings.
On the Security tab, select Automatic or Layer 2 Tunneling Protocol with IPsec for Type
of VPN.
Select Unencrypted password [PAP], Challenge Handshake Authentication Protocol
[CHAP], and Microsoft CHAP Version 2 [MS-CHAP v2] in Allow these protocols.
NOTE
If you click Advanced settings, a dialog box is displayed on which you can set the IPSec pre-shared
key. Do not set the IPSec pre-shared key here.
You do not need to modify settings on the Networking and Sharing tabs.
Choose Start > Run > Network and Sharing Center and click Connect to a network. The
created L2TP connection is displayed. Right-click L2TP, enter the user name and password,
and click Connect.
# After the configurations are complete, PC1 can obtain the private IP address 192.168.1.254,
and can communicate with headquarters PC and access external resources.
----End
Example
Configuration Notes
Networking Requirements
As shown in Figure 5-5, physical positions of traveling employees often change and they
need to communicate with the headquarters at any time. L2TP is deployed on the enterprise
network and traveling employees connect to the enterprise network through dialup so that the
headquarters gateway can identify and manage access users. In this example, the PC runs
Windows XP operating system.
After an L2TP connection is set up, employees can only access internal resources. To ensure
that traveling employees can access external resource after successful dialup, configure NAT
on the LNS.
Figure 5-5 Establishing an L2TP tunnel between a remote dialup user and the headquarters
based on the authentication domain
Figure 5-5 (diagram not reproduced; labels recovered): traveling employee PC1 (L2TP dialup software, 202.1.2.1/24) reaches the LNS GE1/0/0 (202.1.1.1/24) across the Internet; the L2TP tunnel terminates on VT1 (192.168.1.1/24) at the enterprise headquarters, where PC2 (192.168.2.2/24) and the DNS server (10.10.10.10/24) sit.
Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT translation, so that addresses allocated by L2TP are translated using NAT.
rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
authentication-scheme lmt
domain huawei.com
authentication-scheme lmt
local-user 123456789@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user 123456789@huawei.com privilege level 0
local-user 123456789@huawei.com service-type ppp
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
nat outbound 2001 //Configure outbound NAT for Internet access.
#
interface Virtual-Template1 //Create a VT and set dialup parameters.
ppp authentication-mode chap domain huawei.com //Configure authentication with domain names.
remote address pool lns
ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so that employees can access external resources using domain names.
ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
undo tunnel authentication //The non-authentication mode is recommended for PC dialup.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return
d. Fill in the company name as the connection name. For example, fill in L2TP and
click Next.
b. Click the Security tab page, select Advanced (custom settings), and click
Settings.
NOTE
If you click IPSec Settings on the page, the IPSec Settings page is displayed for you to set a
pre-shared key for authentication. Do not set a pre-shared key here.
c. Click Networking, and set Type of VPN to the default Auto or L2TP IPSec VPN.
Do not change any configurations on the Advanced tab page.
d. On the Network Connections page, double-click L2TP you have created, enter a
user name and password, and click Connect.
# After the configurations are complete, PC1 can obtain the private IP address 192.168.1.254,
and can communicate with headquarters PC and access external resources.
----End
Configuration Notes
• Because enterprise users use PCs to connect to the enterprise network, tunnel authentication cannot be configured.
• Add the network segment where employees requiring Internet access are located to an ACL and perform NAT.
• To ensure that employees can use domain names to access external resources, configure the LNS IP address as the DNS server IP address on the virtual template interface.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 5-6, physical positions of traveling employees often change and they
need to communicate with the headquarters at any time. L2TP is deployed on the enterprise
network and traveling employees connect to the enterprise network through dialup so that the
headquarters gateway can identify and manage access users. In this example, the PC runs
Windows 7 operating system.
After an L2TP connection is set up, employees can only access internal resources. To ensure
that traveling employees can access external resource after successful dialup, configure NAT
on the LNS.
Figure 5-6 Establishing an L2TP tunnel between a remote dialup user and the headquarters
based on the authentication domain
Figure 5-6 (diagram not reproduced; labels recovered): traveling employee PC1 (L2TP dialup software, 202.1.2.1/24) reaches the LNS GE1/0/0 (202.1.1.1/24) across the Internet; the L2TP tunnel terminates on VT1 (192.168.1.1/24) at the enterprise headquarters, where PC2 (192.168.2.2/24) and the DNS server (10.10.10.10/24) sit.
Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT translation, so that addresses allocated by L2TP are translated using NAT.
rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
authentication-scheme lmt
domain huawei.com
authentication-scheme lmt
local-user 123456789@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user 123456789@huawei.com privilege level 0
local-user 123456789@huawei.com service-type ppp
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
nat outbound 2001 //Configure outbound NAT for Internet access.
#
interface Virtual-Template1 //Create a VT and set dialup parameters.
ppp authentication-mode chap domain huawei.com //Configure authentication with domain names.
remote address pool lns
ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so that employees can access external resources using domain names.
ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
undo tunnel authentication //The non-authentication mode is recommended for PC dialup.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return
c. Set Internet address to 202.1.1.1 (the IP address of the LNS) and Destination
name such as L2TP. The destination name is used as the network connection name.
Select Don't connect now; just set it up so I can connect later and then click
Next.
e. Click Close.
b. Select Display progress while connecting and Prompt for name and password, certificate, etc. on the Options tab.
NOTE
Do not change the parameters that are displayed after you click PPP Settings.
c. On the Security tab, select Automatic or Layer 2 Tunneling Protocol with IPsec
for Type of VPN.
Select Unencrypted password [PAP], Challenge Handshake Authentication
Protocol [CHAP], and Microsoft CHAP Version 2 [MS-CHAP v2] in Allow
these protocols.
NOTE
If you click Advanced settings, a dialog box is displayed on which you can set the IPSec
pre-shared key. Do not set the IPSec pre-shared key here.
You do not need to modify settings on the Networking and Sharing tabs.
d. Choose Start > Run > Network and Sharing Center and click Connect to a
network. The created L2TP connection is displayed. Right-click L2TP, enter the
user name and password, and click Connect.
----End
Configuration Notes
• Because enterprise users use PCs to connect to the enterprise network, tunnel authentication cannot be configured.
• Add the network segment where employees requiring Internet access are located to an ACL and perform NAT.
• To ensure that employees can use domain names to access external resources, configure the LNS IP address as the DNS server IP address on the virtual template interface.
Networking Requirements
As shown in Figure 5-7, physical positions of traveling employees often change and they
need to communicate with the headquarters at any time. L2TP is deployed on the enterprise
network and traveling employees connect to the enterprise network through dialup so that the
headquarters gateway can identify and manage access users. In this example, the VPN client
is installed on the PC.
After an L2TP connection is set up, employees can only access internal resources. To ensure
that traveling employees can access external resource after successful dialup, configure NAT
on the LNS.
Figure 5-7 Establishing an L2TP tunnel between a remote dialup user and the headquarters
based on the authentication domain
Figure 5-7 (diagram not reproduced; labels recovered): traveling employee PC1 (L2TP dialup software, 202.1.2.1/24) reaches the LNS GE1/0/0 (202.1.1.1/24) across the Internet; the L2TP tunnel terminates on VT1 (192.168.1.1/24) at the enterprise headquarters, where PC2 (192.168.2.2/24) and the DNS server (10.10.10.10/24) sit.
Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT translation, so that addresses allocated by L2TP are translated using NAT.
rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
authentication-scheme lmt
domain huawei.com
authentication-scheme lmt
local-user 123456789@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user 123456789@huawei.com privilege level 0
local-user 123456789@huawei.com service-type ppp
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
nat outbound 2001 //Configure outbound NAT for Internet access.
#
interface Virtual-Template1 //Create a VT and set dialup parameters.
ppp authentication-mode chap domain huawei.com //Configure the authentication mode and specify the domain name.
remote address pool lns
ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so that employees can access external resources using domain names.
c. Set LNS Server to 202.1.1.1, enter the user name and password, and click Next.
e. Set The name is to the VPN connection name such as L2TP and click Finished.
b. Click the Basic Settings tab page and modify the user name and password based on
the actual situation.
c. Do not modify the parameters on the L2TP Settings tab page if configurations on
the LNS are not modified. The parameters must be the same as those on the LNS.
d. In HUAWEI VPN Client, select the created L2TP and click Connect.
# After the configurations are complete, PC1 can obtain the private IP address 192.168.1.254,
and can communicate with headquarters PC and access external resources.
----End
Configuration Notes
• Add the network segment where employees requiring Internet access are located to an ACL and perform NAT.
• To ensure that employees can use domain names to access external resources, configure the LNS IP address as the DNS server IP address on the virtual template interface.
5.1.8 Example for Configuring L2TP over IPSec for Remote Dial-Up Users to Traverse NAT Devices and Connect to the Headquarters over the Internet
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 5-8, physical positions of traveling employees often change and they
need to communicate with the headquarters and access internal resources at any time. L2TP is
deployed on the enterprise network and traveling employees connect to the enterprise network
through dialup so that the headquarters gateway can identify and manage access users.
Traveling employees connect to the Internet through the NAT device. Traffic sent from
traveling employees to the headquarters needs to be encapsulated through IPSec to ensure
security. In addition, the LNS functions as the gateway and has the firewall service deployed.
NAT traversal in L2TP over IPSec can be configured to meet requirements. Because the L2TP
over IPSec configuration on the PC is complex, and settings such as the registry and services
need to be modified, Huawei dialup software Secoway VPN Client is used on the PC. You can
visit http://support.huawei.com to obtain the software version.
Figure 5-8 (diagram not reproduced; labels recovered): traveling employees running L2TP dialup software (PC3 is shown behind NAT2) reach the LNS GE1/0/0 (202.1.1.1/24) across the Internet; the L2TP tunnel, protected by IPSec, terminates on VT1 (192.168.1.1/24) at the enterprise headquarters, where PC1 (192.168.2.2/24) sits.
Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ike local-name xp //Use the local name for IKE negotiation. The local name must be used for NAT traversal in IPSec.
#
acl number 3001 //Configure an ACL.
rule 5 permit udp destination-port eq 1701 //Permit UDP port 1701, used by L2TP.
rule 10 permit udp destination-port eq 4500 //Permit UDP port 4500, used by IKE and ESP after NAT traversal in IPSec.
rule 15 permit udp destination-port eq 500 //Permit UDP port 500, used by IKE before NAT traversal in IPSec.
#
ipsec proposal 1
esp encryption-algorithm aes-256
#
ike peer xp v1
exchange-mode aggressive //Configure the aggressive mode. NAT traversal can only be used in aggressive mode. In V200R005C00 and later versions, this configuration is not required.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V200R003C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
local-id-type name //Set the local ID type to name in IKE negotiation.
nat traversal //Enable NAT traversal. In V200R008 and later versions, the device supports NAT traversal by default, and this command is not supported.
#
ipsec policy-template xptemp 2 //Configure an IPSec policy template so that negotiation requests from multiple PCs can be processed.
ike-peer xp
proposal 1
#
ipsec policy xp 1 isakmp template xptemp //Reference the IPSec policy template in an IPSec policy.
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
local-user huawei password cipher
local-user huawei privilege level 0
local-user huawei service-type ppp
#
firewall zone untrust
priority 1
#
firewall zone trust
priority 15
#
firewall interzone trust untrust
firewall enable
packet-filter 3001 inbound //Configure the firewall and enable packet filtering.
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
ipsec policy xp //Bind the IPSec policy to the interface.
zone untrust
#
interface Virtual-Template1 //Create an L2TP group and set parameters for creating an L2TP tunnel.
ppp authentication-mode chap
remote address pool lns
ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1
undo tunnel authentication //The non-authentication mode is recommended for PC dialup.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return
Set LNS Server to 202.1.1.1, enter the user name and password, and click Next.
Select CHAP from the Authentication Mode drop-down list box, select Enable IPSec
Protocol, select Pre-Shared-Key, set Pre-shared-key to huawei (the pre-shared key must be
the same as that on the LNS), and click Next.
Set IPSec and IKE attributes. Set ESP Authentication Algorithm to MD5 and ESP
Encryption Algorithm to AES-256. In IKE, set Authentication Algorithm to SHA-1,
Encryption Algorithm to DES-CBC, Negotiation Mode to Aggressive mode, ID Type to
Name, Local Gateway Name to any value, and Remote Gateway Name to xp (the
value must be the same as the local name in IKE negotiation on the LNS), and click Next.
Enter the VPN connection name in The name is. The VPN connection name can be user-
defined. Here, the value is My connection. Then click Finished.
Select My connection and click Property. The My connection Properties page is displayed.
Click Basic Settings. Modify the user name and password according to the actual situation.
Parameters in L2TP Settings, IPSec Settings, IKE Settings, and Advanced are the same as
those on the LNS. If parameters on the LNS are not modified, parameters on these tab pages
do not need to be modified.
On the Secoway VPN Client page, select My connection and click Connect.
# After the configurations are complete, PC2 and PC3 can obtain private IP addresses and
communicate with PC1.
----End
Configuration Notes
Note the following points:
• Because enterprise users use PCs to connect to the enterprise network, tunnel authentication cannot be configured.
• The settings on the dialup software and LNS must be the same; otherwise, the IPSec and L2TP tunnels may fail to be set up.
• A NAT device is deployed between enterprise users and the LNS, so the aggressive mode must be used to implement NAT traversal. In addition, use names for IKE negotiation. In V2R5C00, there is no such limitation.
• When the firewall service is deployed on the LNS, configure an ACL to permit ports 1701, 4500, and 500 used by L2TP and IPSec.
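As an added example (not part of the Huawei document), the following Python audit reads VRP-style configuration text like the listings above and checks three of the Configuration Notes from this example and from the LAC/LNS examples earlier in 5.1: that the LNS packet-filter ACL permits UDP 1701, 500 and 4500, that an IKE peer with nat traversal also carries exchange-mode aggressive and local-id-type name (the pre-V2R5C00 requirement stated above), and that the LAC and LNS agree on tunnel authentication. The sample configs inside the block are constructed from the page's listings with cipher strings replaced by a placeholder, and the LNS sample deliberately omits local-id-type so that the check fires.

```python
"""Static audit of VRP-style L2TP / IPSec configs (added example, not from the page):
firewall packet filter permits UDP 1701/500/4500, a NAT-traversal IKE peer uses
aggressive mode and name IDs (pre-V2R5C00), and LAC/LNS agree on tunnel authentication."""
import re
from typing import Dict, List

Section = List[str]  # lines between two '#' markers; the head command comes first
REQUIRED_UDP_PORTS = {1701, 500, 4500}  # L2TP, IKE, IKE/ESP after NAT traversal

# Constructed samples trimmed from the page's listings; cipher text replaced by a
# placeholder, and local-id-type deliberately left out of the LNS IKE peer.
LAC_CONFIG = """\
#
l2tp-group 1
tunnel password cipher <cipher-placeholder>
tunnel name LAC
start l2tp ip 12.1.1.1 fullusername huawei
#
"""

LNS_CONFIG = """\
#
acl number 3001
rule 5 permit udp destination-port eq 1701
rule 15 permit udp destination-port eq 500
#
ike peer xp v1
exchange-mode aggressive
nat traversal
#
firewall interzone trust untrust
packet-filter 3001 inbound
#
l2tp-group 1
undo tunnel authentication
#
"""


def parse_sections(text: str) -> List[Section]:
    """Split a config into '#'-delimited sections, dropping //comments and blanks."""
    sections, cur = [], []
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()
        if line == "#":
            sections, cur = sections + ([cur] if cur else []), []
        elif line and line != "return":
            cur.append(line)
    return sections + ([cur] if cur else [])


def find(sections: List[Section], prefix: str) -> Dict[str, Section]:
    """Map the name after `prefix` (e.g. 'xp' in 'ike peer xp v1') to its section."""
    return {s[0][len(prefix) + 1:].split()[0]: s
            for s in sections if s[0].startswith(prefix + " ")}


def audit_firewall_ports(text: str) -> List[str]:
    """Each inbound packet-filter ACL must permit the L2TP and IKE UDP ports."""
    secs = parse_sections(text)
    acls, findings = find(secs, "acl number"), []
    for sec in secs:
        if not sec[0].startswith("firewall interzone"):
            continue
        for m in filter(None, (re.match(r"packet-filter (\d+) inbound", ln) for ln in sec[1:])):
            acl = acls.get(m.group(1))
            if acl is None:
                findings.append(f"{sec[0]}: references undefined ACL {m.group(1)}")
                continue
            permitted = {int(p) for rule in acl[1:]
                         for p in re.findall(r"permit udp destination-port eq (\d+)", rule)}
            missing = sorted(REQUIRED_UDP_PORTS - permitted)
            if missing:
                findings.append(f"ACL {m.group(1)} does not permit UDP {missing}")
    return findings


def audit_nat_traversal_peers(text: str) -> List[str]:
    """Pre-V2R5C00 rule from the page: NAT traversal needs aggressive mode and name IDs."""
    findings = []
    for name, sec in find(parse_sections(text), "ike peer").items():
        if "nat traversal" in sec[1:]:
            for needed in ("exchange-mode aggressive", "local-id-type name"):
                if needed not in sec[1:]:
                    findings.append(f"ike peer {name}: nat traversal without '{needed}'")
    return findings


def tunnel_auth_enabled(text: str) -> Dict[str, bool]:
    """Per l2tp-group: authentication is on unless 'undo tunnel authentication' is set."""
    return {g: "undo tunnel authentication" not in sec[1:]
            for g, sec in find(parse_sections(text), "l2tp-group").items()}


def audit_tunnel_auth(lac_text: str, lns_text: str) -> List[str]:
    """Flag groups where LAC and LNS disagree; assumes both ends use the same group number."""
    lac, lns = tunnel_auth_enabled(lac_text), tunnel_auth_enabled(lns_text)
    return [f"l2tp-group {g}: tunnel authentication is {'on' if lac[g] else 'off'} at the LAC "
            f"but {'on' if lns[g] else 'off'} at the LNS"
            for g in lac if g in lns and lac[g] != lns[g]]


def run_audit(lac_text: str, lns_text: str) -> List[str]:
    """All findings for one LAC/LNS pair; an empty list means the pair passes."""
    return (audit_firewall_ports(lns_text) + audit_nat_traversal_peers(lns_text)
            + audit_tunnel_auth(lac_text, lns_text))
```

Run `run_audit` against the output of `display current-configuration` from each device to get the three findings the constructed samples are built to trigger.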
5.1.9 Example for Configuring L2TP over IPSec for Remote Dial-Up Users to Connect to the Headquarters
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 5-9, RouterA functions as the headquarters gateway. Traveling
employees use PC A to communicate with the headquarters through L2TP dialup. To ensure
security of traveling employees, the enterprise requires that an IPSec tunnel be set up between
the traveling employee's PC and headquarters gateway.
In this example, the PC runs Windows 7 operating system.
Figure 5-9 Networking for configuring L2TP over IPSec between a PC and a router
Figure 5-9 (diagram not reproduced; labels recovered): traveling employee PC A (10.1.1.1/24) reaches RouterA, the headquarters gateway acting as LNS, at GE1/0/0 (200.1.1.1/24) across the Internet over L2TP over IPSec; the enterprise headquarters sits behind RouterA.
NOTE
A host-to-gateway IPSec tunnel is established between a traveling employee and the headquarters; therefore,
the IPSec tunnel is based on the transport mode.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
l2tp enable //Enable L2TP.
#
ipsec proposal prop //Configure an IPSec proposal.
encapsulation-mode transport
#
ike proposal 5 //Configure an IKE proposal.
#
ike peer peer1 v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 5
#
ipsec policy-template temp1 10 //Configure an IPSec policy template.
ike-peer peer1
proposal prop
#
ipsec policy policy1 10 isakmp template temp1 //Configure an IPSec policy.
#
ip pool lns //Configure an IP address pool from which IP addresses are allocated to access PCs.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the local user name and service type on the LNS.
local-user huawei password cipher
local-user huawei privilege level 0
Step 2 Configure PC A.
Choose Start > Run, and enter regedit to open the registry. Find
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters,
create DWORD named ProhibitIpSec with the value of 1, as shown in Figure 5-10, and then
restart the PC.
# Create an L2TP connection. Choose Start > Control Panel > Network and Internet >
Network and Sharing Center, and select Set up a new connection or network, as shown in
Figure 5-11.
On the Set up a Connection or Network page shown in Figure 5-12, select Connect to a
workplace and click Next.
Enter the Internet address (IP address of RouterA) and click Next, as shown in Figure 5-14.
Figure 5-17, Figure 5-18, Figure 5-19, and Figure 5-20 show how to create an IPSec policy.
On the IPSec Properties page shown in Figure 5-21, deselect Use Add Wizard and click
Add to add rules.
On the IP Filter List page shown in Figure 5-23, deselect Use Add Wizard and click
Add to add an IP filter list.
Configure IP filter attributes. On the Addresses tab page shown in Figure 5-24, select
My IP Address as the source address, headquarters gateway IP address as the
destination address, and mirror data flows.
On the Protocol tab page shown in Figure 5-25, select Any from the Select a protocol
type drop-down list box.
On the Description tab page shown in Figure 5-26, configure a description for the IP
filter.
Click OK. The IP Filter List page shown in Figure 5-27 is displayed.
Click OK. The New Rule Properties page shown in Figure 5-28 is displayed.
The New Filter Action Properties page shown in Figure 5-30 is displayed. Select
Accept unsecured communication, but always respond using IPSec and click Add.
The Security Methods page shown in Figure 5-31 is displayed. Select Custom and
click Settings.
The Custom Security Method Settings page shown in Figure 5-32 is displayed. Set
integrity and encryption algorithms, and perform session key settings.
The MD5, SHA1, DES and 3DES algorithms have security risks. Exercise caution when you use
non-authentication.
3. Configure authentication methods.
On the Authentication Methods tab page shown in Figure 5-33, click Edit.
The Authentication Method Properties page shown in Figure 5-34 is displayed. Select
Use the string (preshared key) and use the pre-shared key huawei.
On the Key Exchange Settings page, select Methods, as shown in Figure 5-38.
On the Key Exchange Security Methods page, select Add, as shown in Figure 5-39.
The MD5, SHA1, DES and 3DES algorithms have security risks. Exercise caution when you use
non-authentication.
Select the configured L2TP connection in Connect to network. The Figure 5-43 page is
displayed. Enter the user name and password.
# After the configurations are complete, PC A can ping RouterA successfully. Data exchanged
between PC A and RouterA is encrypted. You can run the display ipsec statistics esp
command to view packet statistics.
# Run the display ike sa and display ipsec sa commands on RouterA. You can view
information about successful IPSec tunnel setup.
----End
Configuration Notes
The IPSec configuration on the PC is much more complex than that on the router, so you must be familiar with the IPSec configuration on the router first.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 5-44, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
Users in a branch need to establish virtual private dial-up network (VPDN) connections with
the headquarters. Layer 2 Tunneling Protocol (L2TP) is deployed between the branch and the
headquarters. The branch has no dial-up network, and its gateway functions as a Point-to-
Point Protocol over Ethernet (PPPoE) server to allow Point-to-Point Protocol (PPP) dial-up
data to be transmitted over the Ethernet. The branch gateway also functions as an L2TP
access concentrator (LAC) to establish L2TP tunnels with the headquarters.
The gateway at the enterprise headquarters is configured as the L2TP network server (LNS) to
establish L2TP connections between the branch and headquarters.
Figure 5-44 Configuring PPPoE users connected to the LAC to establish an L2TP tunnel to communicate with the headquarters
[Diagram: PC_1, a PPP terminal (PPPoE client) in the enterprise branch, connects to the LAC (PPPoE server) on GE2/0/0; LAC GE1/0/0 1.1.2.1/24 reaches LNS GE1/0/0 1.1.1.1/24 across the Internet over the L2TP tunnel; LNS VT1 10.1.1.1/24, LNS GE2/0/0 10.1.2.1/24, headquarters PC_2 10.1.2.2/24.]
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
aaa //Configure an L2TP user name and password.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
pppoe-server bind Virtual-Template 1
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac
start l2tp ip 1.1.1.1 fullusername huawei
#
Configuration Notes
l The LAC and LNS must use the same user name and password.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
Networking Requirements
As shown in Figure 5-45, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
Users in a branch need to establish virtual private dial-up network (VPDN) connections with
the headquarters. Layer 2 Tunneling Protocol (L2TP) is deployed between the branch and the
headquarters. The branch has no dial-up network, and its gateway functions as a Point-to-
Point Protocol over Ethernet (PPPoE) server to allow Point-to-Point Protocol (PPP) dial-up
data to be transmitted over the Ethernet. The branch gateway also functions as an L2TP
access concentrator (LAC) to establish L2TP tunnels with the headquarters.
The gateway at the enterprise headquarters is configured as the L2TP network server (LNS) to
establish L2TP connections between the branch and headquarters. The RADIUS server in the
headquarters authenticates users and allocates IP addresses to them.
Figure 5-45 Configuring PPPoE users connected to the LAC to establish an L2TP tunnel to access the RADIUS server in the headquarters
[Diagram: PC_1, a PPP terminal (PPPoE client) in the enterprise branch, connects to the LAC (PPPoE server) on GE2/0/0; LAC GE1/0/0 1.1.2.1/24 reaches LNS GE1/0/0 1.1.1.1/24 across the Internet over the L2TP tunnel; LNS VT1 10.1.1.1/24, LNS GE2/0/0 10.1.2.1/24, headquarters PC_2 10.1.2.2/24 and RADIUS Server 10.2.1.2/24.]
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
aaa //Configure a user name and password.
local-user l2tp@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user l2tp@huawei.com privilege level 0
local-user l2tp@huawei.com service-type ppp
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp authentication-mode chap
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
pppoe-server bind Virtual-Template 1
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
----End
Configuration Notes
l An L2TP group uses tunnel authentication by default and passwords at both ends of the
tunnel must be the same.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
l You need to configure a static route destined for the RADIUS server on the LNS based
on actual needs. In this example, no static route is configured.
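The notes above rest on two challenge/response checks: the PPP CHAP user password that the LAC presents and the LNS (or its RADIUS server) verifies, and the L2TP tunnel password that both tunnel ends must share because tunnel authentication is on by default. The Python below, added here and not part of the Huawei documentation, simulates both checks in one process (RFC 2661 tunnel authentication and RFC 1994 CHAP) with the password huawei from the configuration and constructed challenges.

```python
"""Simulated L2TP tunnel authentication (RFC 2661, 5.1.1) and PPP CHAP
(RFC 1994).  Added illustration, not Huawei code: the LAC and LNS sides
run in one process and the challenges are generated locally."""
import hashlib
import hmac
import os

# L2TP control messages that carry a Challenge Response AVP.
SCCRP = 2  # Start-Control-Connection-Reply: the LNS answers the LAC's challenge
SCCCN = 3  # Start-Control-Connection-Connected: the LAC answers the LNS's challenge


def l2tp_challenge_response(msg_type: int, tunnel_password: bytes, challenge: bytes) -> bytes:
    """RFC 2661: MD5(message type as one octet || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + tunnel_password + challenge).digest()


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def l2tp_tunnel_handshake(lac_password: bytes, lns_password: bytes, rng=os.urandom) -> bool:
    """Simulate SCCRQ -> SCCRP -> SCCCN with mutual tunnel authentication.
    Returns True only when both ends hold the same tunnel password."""
    lac_challenge = rng(16)  # carried in the LAC's SCCRQ
    lns_challenge = rng(16)  # carried in the LNS's SCCRP
    # SCCRP: the LNS proves it knows the tunnel password for the LAC's challenge.
    lns_proof = l2tp_challenge_response(SCCRP, lns_password, lac_challenge)
    expected = l2tp_challenge_response(SCCRP, lac_password, lac_challenge)
    if not hmac.compare_digest(expected, lns_proof):
        return False  # the LAC tears the tunnel down (StopCCN)
    # SCCCN: the LAC proves it knows the tunnel password for the LNS's challenge.
    lac_proof = l2tp_challenge_response(SCCCN, lac_password, lns_challenge)
    expected = l2tp_challenge_response(SCCCN, lns_password, lns_challenge)
    return hmac.compare_digest(expected, lac_proof)


def ppp_chap_login(client_password: bytes, server_password: bytes,
                   identifier: int = 1, rng=os.urandom) -> bool:
    """One CHAP round over the Virtual-Template: the LNS (or RADIUS server)
    recomputes the response from the password it stores and compares."""
    challenge = rng(16)
    response = chap_response(identifier, client_password, challenge)
    return hmac.compare_digest(chap_response(identifier, server_password, challenge), response)


# Both constructions are unkeyed MD5 over a shared secret: they prove that the
# peer holds the password but do not protect the PPP or L2TP payload, and a
# captured challenge/response pair can be tested against password guesses
# offline.  Use long random tunnel and user passwords, and carry the tunnel in
# IPSec when the data itself must be confidential.
if __name__ == "__main__":
    print("tunnel up:", l2tp_tunnel_handshake(b"huawei", b"huawei"))
    print("tunnel up with mismatched passwords:", l2tp_tunnel_handshake(b"huawei", b"Huawei"))
    print("CHAP login:", ppp_chap_login(b"huawei", b"huawei"))
```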
Networking Requirements
As shown in Figure 5-46, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
The headquarters network provides VPDN services for the branch staff to allow them to
access the network of the headquarters. The LNS only authenticates the LAC. The LAC
automatically dials up to establish L2TP connections to the LNS.
Figure 5-46 Configuring the LAC to establish an L2TP tunnel to communicate with the headquarters through automatic dial-up
[Diagram: enterprise branch PC_1 behind LAC GE2/0/0 10.1.10.1/24; LAC GE1/0/0 1.1.2.1/24 reaches LNS GE1/0/0 1.1.1.1/24 across the Internet; LNS GE2/0/0 10.1.2.1/24 faces the enterprise headquarters.]
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user huawei
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.10.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac
----End
Configuration Notes
l The LAC and LNS must use the same user name and password.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
Networking Requirements
As shown in Figure 5-47, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
The headquarters network provides VPDN services for the branch staff to allow them to
access the network of the headquarters. The LNS only authenticates the LAC. The LAC
automatically dials up to establish L2TP connections to the LNS. The RADIUS server in the
headquarters authenticates users and allocates IP addresses to them.
Figure 5-47 Configuring the LAC to establish an L2TP tunnel to communicate with the RADIUS server in headquarters through automatic dial-up
[Diagram: enterprise branch PC_1 10.1.10.2/24 behind LAC GE2/0/0 10.1.10.1/24; LAC GE1/0/0 1.1.2.1/24 reaches LNS GE1/0/0 1.1.1.1/24 across the Internet over the L2TP tunnel; LNS VT1 10.1.1.1/24, LNS GE2/0/0 10.1.2.1/24, headquarters PC_2 10.1.2.2/24 and RADIUS Server 10.2.1.2/24.]
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user l2tp@huawei.com
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.10.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
start l2tp ip 1.1.1.1 fullusername l2tp@huawei.com
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2
ip route-static 10.1.2.0 255.255.255.0 Virtual-Template1
#
return
Configuration Notes
l An L2TP group uses tunnel authentication by default and passwords at both ends of the
tunnel must be the same.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
l You need to configure a static route destined for the RADIUS server on the LNS based
on actual needs. In this example, no static route is configured.
Networking Requirements
As shown in Figure 5-48, many enterprises use the same LNS, and users from different
enterprises connect to LAC_1 and LAC_2 to communicate with their own headquarters sites.
It is required that multiple L2TP instances be configured on the LNS to enable the LNS to
provide the L2TP access service to LAC_1 and LAC_2 simultaneously, allowing enterprise
users to access their own internal networks.
Figure 5-48 Configuring multiple L2TP instances to implement communication between the headquarters and branches
[Diagram: enterprise A branch PC_1 10.1.9.2/24 behind LAC_1 (GE2/0/0 10.1.9.1/24, GE1/0/0 1.1.2.1/24); enterprise B branch PC_2 10.1.10.2/24 behind LAC_2 (GE2/0/0 10.1.10.1/24, GE1/0/0 1.1.3.1/24); both LACs reach LNS GE1/0/0 1.1.1.1/24 across the Internet over separate L2TP tunnels; LNS VT1 10.1.1.1/24 and GE2/0/0 10.1.2.1/24 serve the enterprise A headquarters site (PC_3 10.1.2.2/24), LNS VT2 10.2.1.1/24 and GE3/0/0 10.1.3.1/24 serve the enterprise B headquarters site (PC_4).]
Procedure
Step 1 Configure LAC_1.
#
sysname LAC_1
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user l2tp1
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.9.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac_1
start l2tp ip 1.1.1.1 fullusername l2tp1
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2 //Configure a static route.
ip route-static 10.1.2.0 255.255.255.0 Virtual-Template1
#
return
----End
Configuration Notes
l The LAC and LNS must use the same user name and password.
l If the L2TP group ID is 1, you do not need to specify the remote tunnel name, and the
LNS accepts the L2TP connection request initiated by any LAC. If the L2TP group ID is
not 1, you must specify the tunnel name for the remote LAC.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
Networking Requirements
As shown in Figure 5-49, an enterprise has some branches located in other cities and the
branches connect to the same L2TP network server (LNS). Branches A, B, and C
communicate with the headquarters through LAC1, LAC2, and LAC3, respectively.
It is required that multiple L2TP instances be configured on the LNS to enable the LNS to
provide the L2TP access service to LAC1, LAC2, and LAC3 simultaneously, allowing users
of enterprise branches to access the internal network of the enterprise. Users in the same VPN
can communicate with each other. The RADIUS server in the headquarters authenticates
users, delivers VPN instances, and assigns IP addresses to users.
Figure 5-49 Configuring the LACs to establish an L2TP tunnel to implement communication between the headquarters and branches through automatic dial-up
[Diagram: branch A (VPN1) PC_1 behind LAC1 (GE2/0/0 10.1.1.1/24, GE1/0/0 1.1.1.1/24); branch B (VPN1) PC_2 behind LAC2 (GE2/0/0 10.2.2.1/24, GE1/0/0 2.2.2.2/24); branch C (VPN2) PC_3 behind LAC3 (GE1/0/0 3.3.3.3/24); each LAC reaches the LNS across the Internet over its own L2TP tunnel; LNS GE1/0/0 1.2.1.1/24, GE2/0/0 2.2.1.1/24, GE3/0/0 3.2.1.1/24, VT1 10.10.1.1/24; headquarters PC_4 10.4.4.4/24 (VPN1) and PC_5 10.5.5.5/24 (VPN2).]
Procedure
Step 1 Configure LAC1.
#
sysname LAC1
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual interface template and configure dial-up parameters.
ppp chap user lac1@huawei.com
ppp chap password cipher %^%#U>upTZ}mQM:rhRL:4;s$,(xf%^%#
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
tunnel password cipher %^%#/-#)Lg[S4F:#2~ZNvqa$]\DL%^%#
tunnel name lac1
start l2tp ip 1.2.1.1 fullusername lac1@huawei.com
#
ip route-static 1.2.1.0 255.255.255.0 1.1.1.2
ip route-static 10.4.4.0 255.255.255.0 Virtual-Template1
#
return
ip vpn-instance vpn1 //Configure the VPN instance VPN1.
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2 //Configure the VPN instance VPN2.
ipv4-family
route-distinguisher 300:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
#
ip pool 1 //Create an IP address pool and assign IP addresses to access users.
gateway-list 10.10.1.1
network 10.10.1.0 mask 255.255.255.0
#
radius-server template l2tp //Create a RADIUS server template.
radius-server shared-key cipher %^%#}'|y>s-'m)@%$\X7QgS"Bc5M$iWmV:4aXREv:/~P%^%#
radius-server authentication 10.10.10.1 1645 weight 80
#
aaa //Set the AAA mode to RADIUS.
authentication-scheme l2tp
authentication-mode radius
domain huawei.com
authentication-scheme l2tp
radius-server l2tp
#
interface Virtual-Template1 //Create a virtual interface template and configure dial-up parameters.
ppp authentication-mode chap domain huawei.com
remote address pool 1
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.2.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 2.2.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 3.2.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
allow l2tp virtual-template 1
tunnel password cipher %^%#EB~j7Je>;@>uNr''D=J<]\WL%^%#
tunnel name lns
#
ip route-static 1.1.1.0 255.255.255.0 1.2.1.2 //Routes to the public addresses of LAC1, LAC2, and LAC3.
ip route-static 2.2.2.0 255.255.255.0 2.2.1.2
ip route-static 3.3.3.0 255.255.255.0 3.2.1.2
ip route-static vpn-instance vpn1 10.1.1.0 255.255.255.0 10.10.1.100 //Assume that the IP address assigned by the RADIUS server to the user on LAC1 is 10.10.1.100.
ip route-static vpn-instance vpn1 10.2.2.0 255.255.255.0 10.10.1.101 //Assume that the IP address assigned by the RADIUS server to the user on LAC2 is 10.10.1.101.
ip route-static vpn-instance vpn2 10.3.3.0 255.255.255.0 10.10.1.102 //Assume that the IP address assigned by the RADIUS server to the user on LAC3 is 10.10.1.102.
#
return
# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 has been established.
# PC_1, PC_2, and PC_4 can ping each other. PC_3 and PC_5 can ping each other.
----End
Configuration Notes
l An L2TP group uses tunnel authentication by default and passwords at both ends of the
tunnel must be the same.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
l You need to configure a static route destined for the RADIUS server on the LNS based
on actual needs. In this example, no static route is configured.
l You need to configure the IP address assigned to the VT interfaces on the LACs on the
RADIUS server. In this example, no IP address is configured.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 5-50, an enterprise has some branches located in other cities. The
branches use the Ethernet network and have gateways deployed, which use 3G cellular
interfaces to connect to the Internet through the WCDMA network.
The headquarters provides VPDN services for the branch staff to allow any staff to access the
network of the headquarters. The LNS only authenticates the LAC. The LAC automatically
dials up to establish L2TP connections to the LNS.
Figure 5-50 Configuring the LAC using a 3G interface to establish an L2TP tunnel to communicate with the headquarters through automatic dial-up
[Diagram: PC 10.1.1.2/24 on the branch LAN behind the LAC; LAC VT1 3.1.1.2/24 dials through a 3G Node B and reaches LNS VT1 3.1.1.1/24 over the L2TP tunnel; Server 10.1.0.2/24 in the enterprise headquarters behind the LNS.]
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user huawei
ppp chap password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
ip address 3.1.1.2 255.255.255.0
l2tp-auto-client enable
#
interface Cellular0/0/0 //Configure a 3G interface.
link-protocol ppp
ip address ppp-negotiate //Configure the interface to obtain an IP address from the carrier. The interface can use the IP address to connect to the public network.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add the dialer interface to the dialer ACL. The group ID must be the same as that in the dialer ACL.
apn-profile 3GNET
dialer timer autodial 60 //Configure the user to dial up at an interval of 60s.
dialer number *99# autodial //Enable the interface to automatically dial up using the dialer number *99#.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@d'o6Xpp(i/i:WRC)`'0#3nJ*%@%@
tunnel name LAC
start l2tp ip 2.1.1.1 fullusername huawei
#
dialer-rule //Create a dialer ACL.
dialer-rule 1 ip permit
#
apn profile 3GNET
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 //Create a static route.
ip route-static 10.1.0.0 255.255.255.0 Virtual-Template1
#
return
----End
Configuration Notes
l The LAC and LNS must use the same user name and password.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
Networking Requirements
As shown in Figure 5-51, an enterprise has some branches located in other cities. The
branches use the Ethernet network and have gateways deployed, which use 4G cellular
interfaces to connect to the Internet through the Long Term Evolution (LTE) network.
The headquarters provides VPDN services for the branch staff to allow any staff to access the
network of the headquarters. The LNS only authenticates the LAC. The LAC automatically
dials up to establish L2TP connections to the LNS.
Figure 5-51 Configuring the LAC using a 4G interface to establish an L2TP tunnel to communicate with the headquarters through automatic dial-up
[Diagram: PC 10.1.1.2/24 on the branch LAN behind the LAC, which reaches LNS VT1 3.1.1.1/24 over the L2TP tunnel through its 4G interface; Server 10.1.0.2/24 in the enterprise headquarters behind the LNS.]
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user huawei
ppp chap password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Cellular0/0/0 //Configure a 4G interface.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add the dialer interface to the dialer ACL. The group ID must be the same as that in the dialer ACL.
apn-profile lteprofile
dialer number *99# autodial //Enable the interface to automatically dial up using the dialer number *99#.
ip address negotiate //Configure the interface to obtain an IP address from the carrier. The interface can use the IP address to connect to the public network.
#
dialer-rule //Create a dialer ACL.
dialer-rule 1 ip permit
#
apn profile lteprofile
apn ltenet
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@d'o6Xpp(i/i:WRC)`'0#3nJ*%@%@
tunnel name LAC
start l2tp ip 2.1.1.1 fullusername huawei
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 //Create a static route.
ip route-static 10.1.0.0 255.255.255.0 Virtual-Template1
#
return
Configuration Notes
l The LAC and LNS must use the same user name and password.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
5.2 GRE
5.2.1 Example for Configuring a GRE Tunnel and Static Routes on
the Tunnel to Implement Interworking
Specifications
This example applies to all versions and routers.
Networking Requirements
As shown in Figure 5-52, RouterA, RouterB, and RouterC are on the VPN backbone
network. OSPF runs among the Routers.
GRE is used between RouterA and RouterC to allow communication between PC1 and PC2.
PC1 and PC2 use RouterA and RouterC respectively as their default gateways.
[Figure 5-52: RouterA, RouterB (GE1/0/0 20.1.1.2/24, GE2/0/0 30.1.1.1/24), and RouterC on the VPN backbone; PC1 10.1.1.1/24 behind RouterA, PC2 10.2.1.1/24 behind RouterC; GRE tunnel between RouterA and RouterC.]
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0 //Configure the WAN-side outbound interface.
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure the LAN-side outbound interface.
ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface. The source and destination IP addresses of the tunnel interface are the IP addresses of the outbound and inbound interfaces respectively.
ip address 10.3.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1 //Configure a public route.
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1 //Configure a static route with the tunnel interface as the outbound interface.
#
return
----End
Configuration Notes
l Both ends must be configured with routes to private network segments, with the
outbound interface as the tunnel interface.
l The source address is the IP address of the interface sending packets, and the destination
address is the IP address of the interface receiving packets.
l The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.
Specifications
This example applies to all versions and routers.
Networking Requirements
As shown in Figure 5-53, RouterA, RouterB, and RouterC are on the VPN backbone
network. OSPF runs among the Routers.
GRE is used between RouterA and RouterC to allow communication between PC1 and PC2.
PC1 and PC2 use RouterA and RouterC respectively as their default gateways.
OSPF is enabled on the tunnel interfaces. OSPF process 1 is used for the VPN backbone
network and OSPF process 2 is used for user access.
[Figure 5-53: RouterA (GE1/0/0 20.1.1.1/24, GE2/0/0 10.1.1.2/24, Tunnel0/0/1 10.3.1.1/24), RouterB (GE1/0/0 20.1.1.2/24, GE2/0/0 30.1.1.1/24), RouterC (GE1/0/0 30.1.1.2/24, GE2/0/0 10.2.1.2/24, Tunnel0/0/1 10.3.1.2/24); OSPF 1 on the backbone, OSPF 2 over the tunnel; PC1 10.1.1.1/24 behind RouterA, PC2 10.2.1.1/24 behind RouterC.]
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0 //Configure the WAN-side outbound interface.
ip address 20.1.1.1 255.255.255.0
#
# Run the display ip routing-table command on RouterA and RouterC. The command output
shows that the outbound interface for packets destined to the peer destination address is a
tunnel interface.
----End
Configuration Notes
l Both ends must be configured with routes to private network segments.
l The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.
Specifications
This example applies to all AR models of V200R006C10 and later versions.
Networking Requirements
As shown in Figure 5-54, PE0 is the headquarters gateway of a bank, while PE1 and PE2 are
the bank's branch gateways. PE1 communicates with PE0 over a carrier network; PE2
communicates with PE1 over a private network; however, PE0 cannot communicate with
PE2. The bank requires data encryption over the public network as well as the private
network; therefore, GRE over GRE can be deployed in the headquarters to implement secure
communication among PE0, PE1, and PE2. After GRE over GRE is configured, data between
PE0 and PE1 is transmitted over the GRE tunnel, and data between PE0 and PE2 is
transmitted over the GRE over GRE tunnel along the carrier network.
Figure 5-54 Configuring GRE over GRE for communication between branches and headquarters
[Diagram: PE0 (GE2/0/0 10.1.2.1/24, GE1/0/0 10.1.5.1/24, Loopback1 10.2.5.1/32, Tunnel0/0/100 10.1.5.1/24, Tunnel0/0/101 10.2.5.1/24), Internet1, PE1 (GE1/0/0 10.1.5.2/24, GE2/0/0 10.1.6.1/24, Tunnel0/0/0 10.1.5.2/24), Internet2, PE2 (GE1/0/0 10.1.6.2/24, GE2/0/0 10.1.3.1/24, Loopback1 10.3.5.1/32, Tunnel0/0/0 10.3.5.1/24); the GRE tunnel between PE0 Tunnel0/0/100 and PE1 Tunnel0/0/0 carries a second GRE tunnel between PE0 Tunnel0/0/101 and PE2 Tunnel0/0/0.]
Procedure
Step 1 Configure PE0.
#
sysname PE0
#
interface GigabitEthernet1/0/0
ip address 10.1.5.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack1
ip address 10.2.5.1 255.255.255.255
#
interface Tunnel0/0/100 //Configure a tunnel interface.
ip address unnumbered interface GigabitEthernet1/0/0 //Configure Tunnel0/0/100 to borrow the IP address of GigabitEthernet1/0/0.
tunnel-protocol gre //Set the tunnel mode to GRE on Tunnel0/0/100.
source 10.1.5.1 //Configure the source address for the tunnel.
destination 10.1.5.2 //Configure the destination address for the tunnel.
#
interface Tunnel0/0/101
ip address unnumbered interface Loopback1 //Configure Tunnel0/0/101 to borrow the IP address of Loopback1.
tunnel-protocol gre //Set the tunnel mode to GRE on Tunnel0/0/101.
source 10.2.5.1 //Configure the source address for the tunnel.
destination 10.3.5.1 //Configure the destination address for the tunnel.
#
ip route-static 10.3.5.1 255.255.255.255 Tunnel 0/0/100 //Configure Tunnel0/0/100 as the outbound interface in the route to PE2's Tunnel0/0/0 destination address.
ip route-static 10.1.3.0 255.255.255.0 Tunnel 0/0/101 //Configure Tunnel0/0/101 as the outbound interface in the route to the data destination on PE2.
#
return
#
interface GigabitEthernet2/0/0
ip address 10.1.3.1 255.255.255.0
#
interface Loopback1
ip address 10.3.5.1 255.255.255.255
#
interface Tunnel0/0/0 //Configure a tunnel interface.
ip address unnumbered interface Loopback1 //Configure Tunnel0/0/0 to borrow the IP address of Loopback1.
tunnel-protocol gre //Set the tunnel mode to GRE on Tunnel0/0/0.
source Loopback1 //Configure the source address for the tunnel.
destination 10.2.5.1 //Configure the destination address for the tunnel.
#
ip route-static 10.2.5.1 255.255.255.255 10.1.6.1 //Set the next hop in the route to the source address of Tunnel0/0/101 to 10.1.6.1.
ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/0 //Configure Tunnel0/0/0 as the outbound interface in the route to the data destination on PE0.
#
return
----End
Configuration Notes
1. The source address is the IP address of the interface sending packets, and the destination
address is the IP address of the interface receiving packets.
2. The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.
Networking Requirements
As shown in Figure 5-55, Router_1 is the gateway of an enterprise branch, and Router_2 is
the gateway of the headquarters. Router_1 and Router_2 communicate through the public
network.
The branch communicates with the headquarters through a GRE tunnel. The enterprise wants
to protect traffic excluding multicast data between the headquarters and branch. You can use
IPSec over GRE to establish a tunnel between virtual tunnel interfaces.
[Figure 5-55: PC_1 10.1.1.2/24 in the branch behind Router_1, PC_2 10.1.2.2/24 in the headquarters behind Router_2; Router_1 and Router_2 communicate over the public network.]
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
ipsec proposal tran1 //Create an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Create an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer spub v2 //Create an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
ike-proposal 5
#
ipsec profile profile1 //Create an IPSec profile.
ike-peer spub
proposal tran1
#
interface Tunnel0/0/0 //Create a GRE tunnel interface.
ip address 192.168.1.1 255.255.255.0
tunnel-protocol gre
source 202.138.163.1
destination 202.138.162.1
#
interface Tunnel0/0/1 //Create an IPSec tunnel interface.
ip address 192.168.2.1 255.255.255.0
tunnel-protocol ipsec
source Tunnel0/0/0 //Specify the GRE tunnel interface as the source tunnel interface.
destination 192.168.1.2 //Set an IP address for the destination GRE tunnel.
ipsec profile profile1 //Apply the IPSec profile.
#
interface GigabitEthernet1/0/0
ip address 202.138.163.1 255.255.255.0
#
interface GigabitEthernet2/0/0
----End
Configuration Notes
When you create IPSec tunnel interfaces, specify the GRE tunnel interface as the source
interface of the IPSec tunnel, and make sure that the outbound interface in the route to the
destination address of the IPSec tunnel is the GRE tunnel interface.
Networking Requirements
As shown in Figure 5-56, Router_1, Router_2, and Router_3 are gateways of the enterprise
headquarters and branches. The service provider has allocated a public network IP address to
each gateway and the gateways can communicate with each other. The enterprise requires a
simple cost-effective mechanism to implement communication between the headquarters and
branches through private networks.
Generic Routing Encapsulation (GRE) tunnels can be established between the headquarters
and branches to meet this requirement. In this example, the Open Shortest Path First (OSPF)
protocol is configured on the gateways to create routing entries whose outbound interface is
the tunnel interface.
[Figure 5-56: headquarters Router_1 (GE2/0/0 10.1.1.1/24, GE1/0/0 3.1.1.1/24, Tunnel0/0/1 10.4.1.1/24, Tunnel0/0/2 10.5.1.1/24) connects across the Internet to branch Router_2 (GE1/0/0 1.1.1.1/24, GE2/0/0 10.2.1.1/24, Tunnel0/0/1 10.4.1.2/24, PC_2 10.2.1.2/24) and branch Router_3 (GE1/0/0 2.1.1.1/24, GE2/0/0 10.3.1.1/24, Tunnel0/0/2 10.5.1.2/24, PC_3 10.3.1.2/24).]
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
interface GigabitEthernet1/0/0 //Configure a public network outbound interface.
ip address 3.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure a private network outbound interface.
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface and set the source and destination addresses to the IP addresses of interfaces that send and receive packets.
ip address 10.4.1.1 255.255.255.0
tunnel-protocol gre
source 3.1.1.1
destination 1.1.1.1
#
interface Tunnel0/0/2
ip address 10.5.1.1 255.255.255.0
tunnel-protocol gre
source 3.1.1.1
destination 2.1.1.1
#
ospf 1 //Configure a public network route.
area 0.0.0.0
network 3.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0 //Configure private network routes.
network 10.1.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
#
return
# Run the display ip routing-table command on each router. You can find that the outbound
interface in routes to the peer is the tunnel interface.
----End
Configuration Notes
l Routes from both ends to private network segments must be configured.
l The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.
Specifications
This example applies to all routers of V200R003 and later versions.
Networking Requirements
As shown in Figure 5-57, RouterA, RouterB, and RouterC are connected through an IPv4
network. RouterA and RouterC connect to two IPv6 networks, respectively. IPv6 hosts PC1
and PC2 connect to RouterA and RouterC, respectively. It is required that an IPv6 over IPv4
GRE tunnel be configured between RouterA and RouterC so that PC1 and PC2 can
communicate with each other.
Figure 5-57 Networking diagram for configuring an IPv6 over IPv4 GRE tunnel: RouterA (GE1/0/0 10.1.1.1/24, GE2/0/0 FC01::1/64, Tunnel0/0/1 FC02::1/64) and RouterC (GE1/0/0 10.1.2.2/24, GE2/0/0 FC03::1/64, Tunnel0/0/1 FC02::2/64) are joined by the GRE tunnel across RouterB (GE1/0/0 10.1.1.2/24, GE2/0/0 10.1.2.1/24). PC1 (FC01::2/64) sits behind RouterA and PC2 (FC03::2/64) behind RouterC.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Configure an IPv4 address for the
interface.
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address FC01::1/64 //Configure an IPv6 address for the interface.
#
interface Tunnel0/0/1 //Configure a tunnel interface of the GRE tunnel, set
the tunnel mode to GRE, configure an IPv6 address for the tunnel interface, and
configure IPv4 addresses as the source and destination IP addresses of the tunnel
interface.
ipv6 enable
ipv6 address FC02::1/64
tunnel-protocol gre
source 10.1.1.1
destination 10.1.2.2
#
ip route-static 10.1.2.0 255.255.255.0 10.1.1.2 //Configure an IPv4 static
route to ensure that RouterA has a reachable route to RouterC.
#
ipv6 route-static FC03:: 64 Tunnel0/0/1 //Configure an IPv6 static route to
ensure that RouterA has a reachable route to PC2.
#
return
Step 2 Configure RouterB.
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
return
----End
Configuration Notes
l The devices on the IPv4 network have reachable routes to each other.
l The source and destination IP addresses of devices at both ends of the tunnel must be
configured. The source and destination IP addresses of the local device must be the same
as the destination and source IP addresses of the remote device, respectively.
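The mirroring rule in the two sets of Configuration Notes above (tunnel source/destination swapped between the ends, same tunnel protocol, tunnel addresses in one subnet) is easy to get wrong when dozens of branch routers are templated. The script below is an added example, not part of the Huawei guide: it parses VRP-style 'interface Tunnel' stanzas from two saved configurations and reports every tunnel whose peer does not mirror it. ROUTER_1 is the tunnel part of Router_1's configuration from the first GRE example; ROUTER_2 is a constructed counterpart for Branch Router_2 whose public address 1.1.1.1 is taken from Router_1's destination line.

```python
"""Verify that GRE tunnel stanzas on two routers mirror each other.

Added example, not part of the Huawei guide. Parses 'interface Tunnel'
stanzas (bodies indented by one space, as in a saved VRP configuration)
and checks source/destination symmetry, tunnel-protocol equality and a
shared tunnel subnet. ROUTER_2 is a constructed peer configuration.
"""
import ipaddress
import re

ROUTER_1 = """\
sysname Router_1
#
interface Tunnel0/0/1
 ip address 10.4.1.1 255.255.255.0
 tunnel-protocol gre
 source 3.1.1.1
 destination 1.1.1.1
#
interface Tunnel0/0/2
 ip address 10.5.1.1 255.255.255.0
 tunnel-protocol gre
 source 3.1.1.1
 destination 2.1.1.1
#
"""

# Constructed: the Branch Router_2 side of Tunnel0/0/1 (assumption).
ROUTER_2 = """\
sysname Router_2
#
interface Tunnel0/0/1
 ip address 10.4.1.2 255.255.255.0
 tunnel-protocol gre
 source 1.1.1.1
 destination 3.1.1.1
#
"""

# A stanza is the 'interface TunnelX' line followed by its indented body.
STANZA_RE = re.compile(r"^interface (Tunnel\S+)\n((?: .*\n)+)", re.M)


def parse_tunnels(config):
    """Map tunnel name -> {network, protocol, source, destination}."""
    tunnels = {}
    for name, body in STANZA_RE.findall(config):
        fields = {}
        for line in body.splitlines():
            parts = line.split()
            if not parts:
                continue
            if parts[:2] == ["ip", "address"]:
                # VRP writes a dotted mask; ipaddress accepts "addr/mask".
                fields["network"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
            elif parts[0] == "tunnel-protocol":
                fields["protocol"] = " ".join(parts[1:])
            elif parts[0] in ("source", "destination"):
                fields[parts[0]] = parts[1]
        tunnels[name] = fields
    return tunnels


def check_mirror(local_cfg, remote_cfg):
    """Return a list of problems for the tunnels in local_cfg; an empty
    list means every local tunnel has a correctly mirrored remote peer."""
    remote = list(parse_tunnels(remote_cfg).values())
    problems = []
    for name, t in parse_tunnels(local_cfg).items():
        # The peer is the remote tunnel whose source is our destination
        # and whose destination is our source.
        peer = next((r for r in remote
                     if r.get("source") == t.get("destination")
                     and r.get("destination") == t.get("source")), None)
        if peer is None:
            problems.append(f"{name}: peer has no tunnel with source "
                            f"{t.get('destination')} and destination {t.get('source')}")
            continue
        if peer.get("protocol") != t.get("protocol"):
            problems.append(f"{name}: tunnel-protocol differs from the peer's")
        if peer.get("network") != t.get("network"):
            problems.append(f"{name}: tunnel address is not in the peer's subnet")
    return problems


if __name__ == "__main__":
    print(check_mirror(ROUTER_2, ROUTER_1) or "Router_2 <-> Router_1: tunnels mirror correctly")
```

Run it in the direction branch -> headquarters (each branch has one tunnel, the headquarters has one per branch). The check says nothing about security: a mirrored GRE tunnel still carries everything in clear text, so treat it as a reachability test and put IPSec on top where the data matters.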
5.3 DSVPN
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 5-58, the hub (central office), Spoke1 (a branch), and Spoke2 (a branch)
belong to the same autonomous system (AS). They can communicate with each other on the
IP network using routing protocols.
Figure 5-58 Configuring DSVPN when branches learn routes from each other: Hub (Eth1/0/0 44.1.1.1/24, Tunnel0/0/0 172.16.1.1/24), Branch Spoke1 (Eth1/0/0 44.3.1.2/24, Tunnel0/0/0 172.16.1.101/24) and Branch Spoke2 (Eth1/0/0 44.4.1.2/24, Tunnel0/0/0 172.16.1.102/24) run NHRP over the mGRE tunnel interfaces.
Procedure
Step 1 Configure spoke1.
#
interface Ethernet1/0/0
ip address 44.3.1.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.101 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel
interface.
nhrp entry 172.16.1.1 44.1.1.1 register //Configure an NHRP mapping table.
ospf network-type broadcast //Set the network type of the OSPF interface to
broadcast.
ospf dr-priority 8
#
ospf 1 //Configure OSPF.
area 0.0.0.1
network 44.3.1.0 0.0.0.255
ospf 2 //Configure OSPF.
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return
Step 2 Configure Spoke2.
#
interface Tunnel0/0/0
ip address 172.16.1.102 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel
interface.
nhrp entry 172.16.1.1 44.1.1.1 register //Configure an NHRP mapping table.
ospf network-type broadcast //Set the network type of the OSPF interface to
broadcast.
ospf dr-priority 8
#
ospf 1 //Configure OSPF.
area 0.0.0.1
network 44.4.1.0 0.0.0.255
ospf 2
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return
ospf network-type broadcast //Set the network type of the OSPF interface to
broadcast.
ospf dr-priority 10
#
ospf 1 //Configure OSPF.
area 0.0.0.1
network 44.4.1.0 0.0.0.255
ospf 2
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return
----End
Configuration Notes
l If OSPF is configured, the OSPF network type of the tunnel interface must be broadcast.
Networking Requirements
As shown in Figure 5-59, the hub (central office), Spoke1 (a branch), and Spoke2 (a branch)
belong to the same autonomous system (AS). They can communicate with each other on the
IP network using routing protocols.
Figure 5-59 Configuring DSVPN when branches have only summarized routes to the central office: Hub (Eth1/0/0 44.1.1.1/24, Tunnel0/0/0 172.16.1.1/24), Branch Spoke1 (Eth1/0/0 44.3.1.2/24, Tunnel0/0/0 172.16.1.101/24) and Branch Spoke2 (Eth1/0/0 44.4.1.2/24, Tunnel0/0/0 172.16.1.102/24) run NHRP over the mGRE tunnel interfaces.
Procedure
Step 1 Configure spoke1.
#
interface Ethernet1/0/0
ip address 44.3.1.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.101 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel
interface.
nhrp entry 172.16.1.1 44.1.1.1 register //Configure an NHRP mapping table.
nhrp shortcut //Enable the NHRP shortcut function.
#
Step 2 Configure the hub.
#
rip 1 //Configure RIP.
version 2
network 172.16.0.0
network 192.168.0.0
#
ospf 2
area 0.0.0.1
network 44.1.1.0 0.0.0.255
#
return
After Spoke1 and Spoke2 ping each other, the display nhrp peer all command shows that they have learned NHRP mapping entries for each other.
----End
Configuration Notes
l If the dynamic routing protocol RIP is used, enable split horizon and automatic route summarization on the tunnel interface of the hub, so that the Spokes receive only summarized routes through the hub and resolve Spoke-to-Spoke paths with NHRP.
Networking Requirements
A large-scale enterprise has a central office (Hub1 and Hub2) and multiple branches which
are located in different areas (this example shows only two Spokes Spoke1 and Spoke2). The
subnets of the central office and branches frequently change. The Spokes use dynamic
addresses to connect to the public network. Open Shortest Path First (OSPF) is used on the
enterprise network.
The enterprise wants to establish a VPN between the Spokes. Hub1 functions as the master
device and Hub2 functions as the backup device. Hub2 takes over the services and forwards
protocol packets if Hub1 fails. When Hub1 recovers, services are switched back to Hub1.
Figure (networking diagram for the master/backup Hub example): Hub1 (GE1/0/0 202.1.1.10/24, LoopBack0 192.168.0.1/24, Tunnel0/0/0 172.16.1.1/24) and Hub2 (GE1/0/0 202.1.254.10/24, LoopBack0 192.168.0.2/24, Tunnel0/0/0 172.16.1.254/24) form the central office; Spoke1 (GE1/0/0 202.1.2.10/24, LoopBack0 192.168.1.1/24, Tunnel0/0/0 172.16.1.2/24, Branch 1 subnet 192.168.1.0/24) and Spoke2 (GE1/0/0 202.1.3.10/24, LoopBack0 192.168.2.1/24, Tunnel0/0/0 172.16.1.3/24, Branch 2 subnet 192.168.2.0/24) are the branches.
Procedure
Step 1 Configure Hub1.
#
sysname Hub1
#
interface GigabitEthernet1/0/0
ip address 202.1.1.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.0.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf cost 1000 //Configure a smaller OSPF cost on Hub1's tunnel interface than on Hub2's so that the Spokes prefer Hub1 as the next hop.
ospf network-type p2mp
ospf dr-priority 100
nhrp redirect //Enable NHRP redirect on the Hub; together with nhrp shortcut on the Spokes this lets the Spokes build direct Spoke-to-Spoke tunnels.
nhrp entry multicast dynamic
#
ospf 1 router-id 172.16.1.1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
ospf 2 //Configure OSPF to provide reachable routes to the public network.
area 0.0.0.1
network 202.1.1.0 0.0.0.255
#
return
Step 3 Configure Spoke1.
#
interface GigabitEthernet1/0/0
ip address 202.1.2.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Configure the OSPF network type to Point-to-Multipoint
(P2MP) to provide reachable routes to the Hub.
ospf dr-priority 10
nhrp shortcut //The shortcut function must be configured on the Spoke.
nhrp registration interval 300 //After Hub1 recovers, the Spokes' routes through Hub1 return only once Hub1 has received their NHRP Registration Request packets again. Set the registration interval low enough for the Spokes to detect the recovery quickly; the default is 1800 seconds.
nhrp entry 172.16.1.1 202.1.1.10 register
nhrp entry 172.16.1.254 202.1.254.10 register
#
ospf 1 router-id 172.16.1.2 //Configure branch subnets to learn routes from each
other.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
ospf 2 //Configure OSPF to provide reachable routes to the public network.
area 0.0.0.1
network 202.1.2.0 0.0.0.255
#
return
NOTE
Before any Spoke-to-Spoke traffic has been sent, the display nhrp peer all command on Spoke1 and Spoke2 shows only the NHRP mapping entries for Hub1 and Hub2.
Run the display nhrp peer all command on Hub2. The command output is as follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.3       32    202.1.3.10       172.16.1.3       dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:21:09
Expire time     : 01:59:51
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.2       32    202.1.2.10       172.16.1.2       dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:14:13
Expire time     : 01:59:48
Run the display ospf 1 routing command on Hub2. The command output is as follows:
[Huawei] display ospf 1 routing
Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0
Run the display ospf 1 routing command on Spoke2. The command output is as
follows:
[Huawei] display ospf 1 routing
Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0
# Run the display nhrp peer all command on Spoke1. The command output is as follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.1       32    202.1.1.10       172.16.1.1       static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 05:42:50
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.254     32    202.1.254.10     172.16.1.254     static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 04:39:49
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
192.168.2.1      32    202.1.3.10       172.16.1.3       dynamic  route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:19
Expire time     : 01:59:41
# Run the display nhrp peer all command on Spoke2. The command output is as follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.1       32    202.1.1.10       172.16.1.1       static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 05:43:19
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.254     32    202.1.254.10     172.16.1.254     static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 04:40:03
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
192.168.1.1      32    202.1.2.10       172.16.1.2       dynamic  route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:45
Expire time     : 01:59:15
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.2       32    202.1.2.10       172.16.1.2       dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:45
l Shut down the physical interface GE1/0/0 of Hub1 and check the OSPF routing information.
# Run the shutdown command on the interface GE1/0/0 of Hub1.
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] shutdown
[Huawei-GigabitEthernet1/0/0] quit
After Hub1 fails, check the routing entries on the Spokes: the next hop switches to Hub2.
Run the display ospf 1 routing command on Spoke1. The command output is as
follows:
[Huawei] display ospf 1 routing
Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0
Run the display ospf 1 routing command on Spoke2. The command output is as
follows:
[Huawei] display ospf 1 routing
Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0
NOTICE
Before you run the ping command, ensure that no default route to Hub1 exists on the
local device.
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output
is as follows:
[Huawei] ping -a 192.168.1.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms
# Run the display nhrp peer all command on Spoke1. The command output is as follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.1       32    202.1.1.10       172.16.1.1       static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 05:46:29
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.254     32    202.1.254.10     172.16.1.254     static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 04:43:28
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
192.168.2.1      32    202.1.3.10       172.16.1.3       dynamic  route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:22
Expire time     : 01:59:38
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.3       32    202.1.3.10       172.16.1.3       dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:22
Expire time     : 01:59:38
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
192.168.1.1      32    202.1.2.10       172.16.1.2       dynamic  local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:22
Expire time     : 01:59:38
# Run the display nhrp peer all command on Spoke2. The command output is as follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.1       32    202.1.1.10       172.16.1.1       static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 05:46:54
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.254     32    202.1.254.10     172.16.1.254     static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 04:43:38
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
192.168.1.1      32    202.1.2.10       172.16.1.2       dynamic  route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:43
Expire time     : 01:59:17
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.2       32    202.1.2.10       172.16.1.2       dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:43
Expire time     : 01:59:17
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
192.168.2.1      32    202.1.3.10       172.16.1.3       dynamic  local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:43
Expire time     : 01:59:17
NOTE
Before you run the Ping command, clear NHRP mapping entries existing on the Spokes.
----End
Configuration Notes
Different OSPF cost values must be configured on the mGRE interfaces of Hub1 and Hub2 to
ensure that the Spokes learn routes to the interface with a smaller cost value and prefer to use
the master Hub as the next hop device. When the cost value of the route to the master Hub is
larger than that to the backup Hub, Spokes prefer to forward packets through the backup Hub.
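The display nhrp peer all outputs above are what you check when validating a DSVPN failover, and they are tedious to read by hand across many spokes. The script below is an added example, not part of the Huawei guide: it parses that output format into records and summarises which hubs are registered, which spoke-to-spoke shortcuts exist and whether any dynamic entry points at an NBMA address that was never assigned to a branch. SAMPLE is constructed to match the layout the guide shows for Spoke1 after Hub1's GE1/0/0 was shut down; the expected-hub list and the branch NBMA allow-list passed to audit_peers are assumptions.

```python
"""Parse 'display nhrp peer all' output and audit the NHRP mapping table.

Added example, not part of the Huawei guide. SAMPLE is constructed from
the layout the guide shows for Spoke1 after Hub1 was shut down; the hub
list and the branch NBMA allow-list used below are assumptions.
"""
import ipaddress

SAMPLE = """\
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.1       32    202.1.1.10       172.16.1.1       static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 05:46:29
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.254     32    202.1.254.10     172.16.1.254     static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 04:43:28
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
172.16.1.3       32    202.1.3.10       172.16.1.3       dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:22
Expire time     : 01:59:38
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type     Flag
-------------------------------------------------------------------------------
192.168.1.1      32    202.1.2.10       172.16.1.2       dynamic  local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:22
Expire time     : 01:59:38
"""


def parse_nhrp_peers(text):
    """Return one dict per mapping entry; the 'Tunnel interface', 'Created
    time' and 'Expire time' lines that follow a row are attached to it."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("Protocol-addr"):
            continue
        parts = line.split()
        try:
            ipaddress.IPv4Address(parts[0])
        except ValueError:
            # Not a table row: attach "key : value" lines to the current entry.
            if current is not None and ":" in line:
                key, _, value = line.partition(":")
                current[key.strip().lower().replace(" ", "_")] = value.strip()
            continue
        current = {"protocol_addr": parts[0], "mask": int(parts[1]),
                   "nbma_addr": parts[2], "nexthop_addr": parts[3],
                   "type": parts[4], "flag": " ".join(parts[5:])}
        entries.append(current)
    return entries


def audit_peers(entries, expected_hubs, known_branch_nbma):
    """Summarise the table the way an operator validating a DSVPN would."""
    hubs = {e["protocol_addr"] for e in entries
            if e["type"] == "static" and "hub" in e["flag"]}
    # Dynamic entries other than the local one are shortcut/redirect results.
    dynamic = [e for e in entries if e["type"] == "dynamic" and "local" not in e["flag"]]
    return {
        "registered_hubs": sorted(hubs),
        "missing_hubs": sorted(set(expected_hubs) - hubs),
        "shortcut_nbma": sorted({e["nbma_addr"] for e in dynamic}),
        "unknown_nbma": sorted({e["nbma_addr"] for e in dynamic
                                if e["nbma_addr"] not in known_branch_nbma}),
        "expiring": sorted(e["protocol_addr"] for e in entries
                           if e.get("expire_time", "--") != "--"),
    }


if __name__ == "__main__":
    peers = parse_nhrp_peers(SAMPLE)
    print(audit_peers(peers, ["172.16.1.1", "172.16.1.254"], {"202.1.2.10", "202.1.3.10"}))
```

Two things the output itself illustrates: static hub entries have no expiry and stay in the table even after Hub1's interface was shut down, so a static entry proves nothing about reachability (use the OSPF routing table or a ping for that); and dynamic entries do expire, so a shortcut you saw a minute ago may be gone when you look again.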
FAQ
l Q: Do I need to ensure that routes to the public network are reachable when configuring
DSVPN?
A: Yes. Ensuring reachable routes to the public network is the prerequisite for
implementing DSVPN.
l Q: Should I configure the master and backup Hubs on the same network segment?
A: No. You must not configure the master and backup Hubs on the same network
segment.
l Q: When the master Hub works normally, the backup Hub is in the Inactive state, wasting resources. Can I configure the backup Hub as a Spoke?
A: Yes. When the master Hub works normally, the backup Hub is in the Inactive state. If an enterprise has limited resources, you can configure the backup Hub as a Spoke. In this case, the backup Hub registers with the master Hub in the same way as the other Spokes. When the master Hub fails, the backup Hub takes over the role of the master and transmits packets between Spokes.
5.4 IPSec
Specifications
This example applies to all versions and routers.
Networking Requirements
As shown in Figure 5-61, RouterA (branch gateway) and RouterB (headquarters gateway)
communicate through the Internet. The branch subnet is 10.1.1.0/24 and the headquarters
subnet is 10.1.2.0/24.
The enterprise wants to protect data flows between the branch subnet and the headquarters subnet. Because the two gateways communicate over the Internet and only a few branch gateways need to be maintained, an IPSec tunnel can be set up manually between the branch gateway and the headquarters gateway.
Figure 5-61: RouterA, the branch gateway (GE1/0/0 202.138.163.1/24, GE2/0/0 10.1.1.1/24, PC A 10.1.1.2/24), and RouterB, the headquarters gateway (GE1/0/0 202.138.162.1/24, GE2/0/0 10.1.2.1/24, PC B 10.1.2.2/24), are connected by an IPSec tunnel across the Internet.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3101 //Configure ACL 3101 to match traffic sent from Branch subnet to
Headquarters subnet.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ipsec policy map1 10 manual //Manually create an IPSec policy.
security acl 3101
proposal tran1
tunnel local 202.138.163.1
tunnel remote 202.138.162.1
sa spi inbound esp 54321 //Inbound SPI; it must equal the outbound SPI configured on RouterB.
sa string-key inbound esp cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //String key for the inbound SA (plain text huawei, stored in cipher text); it must equal RouterB's outbound key.
sa spi outbound esp 12345 //Outbound SPI; it must equal the inbound SPI configured on RouterB.
sa string-key outbound esp cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //String key for the outbound SA (plain text huawei, stored in cipher text); it must equal RouterB's inbound key.
#
interface GigabitEthernet1/0/0
ip address 202.138.163.1 255.255.255.0
ipsec policy map1
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
ip route-static 202.138.162.0 255.255.255.0 202.138.163.2 //Configure a static
route with the destination address as the WAN-side interface of the headquarters.
ip route-static 10.1.2.0 255.255.255.0 202.138.163.2 //Configure a static route
with the destination address as the LAN-side interface of the headquarters.
#
return
----End
Configuration Notes
l ACLs configured on devices in the headquarters and branch must mirror each other.
l There must be reachable routes between the headquarters and branch.
l All IPSec policies must be bound to WAN-side outbound interfaces.
l Manual SAs involve no IKE and no pre-shared key: the inbound SPI and string key on one end must equal the outbound SPI and string key on the other end, and vice versa.
l Manual SAs never rekey. Replace the example values (SPIs 12345 and 54321, key huawei) with long random ones, rotate them by hand, and prefer IKE negotiation (the following examples) wherever the number of peers allows it.
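The mirror rules in these Configuration Notes (mirrored ACLs, cross-matched SPIs and keys, identical proposals) are exactly the things that break when a manual SA is edited on one end only. The script below is an added example, not part of the Huawei guide: it parses the manual IPSec policy shown for RouterA above together with a constructed RouterB counterpart and reports every inconsistency. String-key lines are left out because the device stores them as encrypted cipher text that cannot be compared across routers; the list of algorithms it rejects is this example's assumption, not the guide's.

```python
"""Audit two manually keyed IPSec configurations for mirror consistency.

Added example, not part of the Huawei guide. ROUTER_A is the policy shown
above without its string-key lines; ROUTER_B is a constructed mirror image.
WEAK_ALGORITHMS is an assumed reviewer reject list.
"""
import re

WEAK_ALGORITHMS = {"des", "3des", "md5", "sha1"}  # assumption, not from the guide

ROUTER_A = """\
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.163.1
 tunnel remote 202.138.162.1
 sa spi inbound esp 54321
 sa spi outbound esp 12345
#
"""

ROUTER_B = """\
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.162.1
 tunnel remote 202.138.163.1
 sa spi inbound esp 12345
 sa spi outbound esp 54321
#
"""

RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def parse_ipsec(config):
    """Split the config on '#' lines; return (acls, proposals, manual policies)."""
    acls, proposals, policies = {}, {}, {}
    for block in config.split("\n#\n"):
        lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
        if not lines:
            continue
        h, body = lines[0].split(), lines[1:]
        if h[:2] == ["acl", "number"]:
            acls[h[2]] = [((m[1], m[2]), (m[3], m[4])) for m in map(RULE_RE.match, body) if m]
        elif h[:2] == ["ipsec", "proposal"]:
            proposals[h[2]] = {p[1]: p[2] for p in map(str.split, body) if p[0] == "esp"}
        elif h[:2] == ["ipsec", "policy"] and h[-1] == "manual":
            pol = {"spi": {}}
            for p in map(str.split, body):
                if p[:2] == ["security", "acl"]:
                    pol["acl"] = p[2]
                elif p[0] == "proposal":
                    pol["proposal"] = p[1]
                elif p[0] == "tunnel":        # tunnel local|remote <ip>
                    pol[p[1]] = p[2]
                elif p[:2] == ["sa", "spi"]:  # sa spi inbound|outbound esp <n>
                    pol["spi"][p[2]] = int(p[4])
            policies[h[2]] = pol
    return acls, proposals, policies


def audit_pair(cfg_a, cfg_b):
    """Return a list of problems; an empty list means both ends are consistent."""
    acls_a, props_a, pols_a = parse_ipsec(cfg_a)
    acls_b, props_b, pols_b = parse_ipsec(cfg_b)
    problems = []
    for name, pa in pols_a.items():
        # The peer policy is the one whose tunnel endpoints are ours, swapped.
        pb = next((p for p in pols_b.values() if p.get("local") == pa.get("remote")
                   and p.get("remote") == pa.get("local")), None)
        if pb is None:
            problems.append(f"{name}: peer has no manual policy for this tunnel")
            continue
        if set(acls_a.get(pa["acl"], [])) != {(d, s) for s, d in acls_b.get(pb["acl"], [])}:
            problems.append(f"{name}: ACL {pa['acl']} does not mirror peer ACL {pb['acl']}")
        if (pa["spi"].get("inbound") != pb["spi"].get("outbound")
                or pa["spi"].get("outbound") != pb["spi"].get("inbound")):
            problems.append(f"{name}: inbound/outbound SPIs do not cross-match")
        alg_a, alg_b = props_a.get(pa["proposal"], {}), props_b.get(pb["proposal"], {})
        if alg_a != alg_b:
            problems.append(f"{name}: proposal algorithms differ between peers")
        weak = sorted(v for v in alg_a.values() if v.split("-")[0] in WEAK_ALGORITHMS)
        if weak:
            problems.append(f"{name}: weak algorithm(s) {weak}")
    return problems


if __name__ == "__main__":
    print(audit_pair(ROUTER_A, ROUTER_B) or "RouterA <-> RouterB: manual SAs are consistent")
```

Feed it the two saved configurations after every change to a manual policy; a non-empty result is cheaper to find here than as a one-way tunnel in production.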
Networking Requirements
As shown in Figure 5-62, an IPSec tunnel is established between RouterA and RouterB. This IPSec tunnel protects data flows between the subnet of PC A (10.1.1.x) and the subnet of PC B (10.1.2.x). The IPSec tunnel uses the ESP protocol, the DES encryption algorithm, and the SHA-1 authentication algorithm. DES (56-bit key) and SHA-1 appear here only to show the configuration syntax; on a current network use AES and SHA-2, as the other examples in this section do.
Figure 5-62: RouterA (WAN address 202.138.163.2, Eth2/0/0 10.1.1.1/24, PC A 10.1.1.2/24) and RouterB (WAN address 202.138.162.2, Eth2/0/0 10.1.2.1/24, PC B 10.1.2.2/24) are connected by an IPSec tunnel.
NOTE
The commands used to configure IKE peers and the IKE protocol version differ depending on the software version.
l In versions earlier than V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure an IKE peer: ike peer peer-name
l To configure the IKE protocol version: version { 1 | 2 }
By default, IKEv1 and IKEv2 are both enabled. An initiator uses IKEv2 to initiate a negotiation request, and a responder answers with IKEv1 or IKEv2 according to the request. To initiate a negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure RouterA.
#
acl number 3101 //Configure an ACL.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike peer spua v1 //Configure an IKE peer.
exchange-mode aggressive
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the pre-shared key (plain text huawei) in cipher text. In V2R3C00 and earlier versions the command is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 1
local-id-type name
remote-name huawei01 //Configure the IKE peer name. In V200R008 and later versions the remote-name command is not supported; the remote-id command provides the same function.
local-address 202.138.162.1
remote-address 202.138.163.1
#
ipsec policy use1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer spua
proposal tran1
#
----End
Configuration Notes
l ACLs configured on devices in the headquarters and branch must mirror each other.
l There must be reachable routes between the headquarters and branch.
l IKEv1 aggressive mode sends the peer identities in clear text and lets an on-path observer capture the pre-shared-key-based authentication hash for offline guessing. Use a long random pre-shared key, and prefer main mode or IKEv2 wherever the peer addresses are static enough to allow it.
Networking Requirements
The Headquarters and Branch establish an IPSec connection, and DPD is configured on both. DPD lets the Branch check whether its IPSec peer in the Headquarters is still alive. This prevents a lasting communication interruption in the case where the Branch's IPSec SA is incorrectly deleted from the Headquarters router: without DPD, the Branch keeps sending encrypted data to the Headquarters, which can no longer decrypt it, and traffic stays broken until the Branch's SA expires. With DPD, the Branch detects the dead peer, removes its own SA and renegotiates.
Figure: PC A (10.1.0.2/24) is on the Headquarters subnet and PC B (10.2.0.2/24) on the Branch subnet; the Headquarters router's Ethernet1/0/0 is 191.2.1.1/24 and the Branch peer address is 191.2.2.1, as in the configuration below.
Procedure
Step 1 Configure the Headquarters.
#
sysname Headquarters
#
acl number 3000 //Configure ACL 3000 to match traffic sent from Headquarters
subnet to Branch subnet.
rule 0 permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer Center v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
remote-address 191.2.2.1 //Configure an IP address for the remote IKE peer.
dpd type on-demand //Set the on-demand DPD mode: a DPD probe is sent only when the local end has traffic to send and has received nothing from the peer for the DPD idle time, so idle tunnels generate no probes.
#
ipsec policy center 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer Center
proposal def
#
interface Ethernet1/0/0
ip address 191.2.1.1 255.255.255.0
----End
Specifications
This example applies to all versions and routers.
Networking Requirements
When a NAT gateway is deployed between two devices of the IPSec tunnel, the two devices
are required to support NAT traversal.
As shown in Figure 5-64, RouterA is the egress gateway of a branch network and RouterB is
the egress gateway of the headquarters network. RouterA and RouterB translate addresses
through the NATER and they establish an IPSec tunnel in aggressive mode. The IPSec tunnel
supports NAT traversal.
Figure 5-64: Branch gateway RouterA (Eth2/0/0 10.1.0.1/24) and HQ gateway RouterB (Eth2/0/0 10.2.0.1/24) reach each other through the NATER.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the host name of the device.
#
ike local-name RouterA //Configure the local host name used in IKE negotiation.
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer rta v1 //Configure an IKE peer.
exchange-mode aggressive //Set the IKE negotiation mode to aggressive.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the pre-shared key (plain text huawei) in cipher text. In versions earlier than V2R3C00 the command is pre-shared-key huawei.
local-id-type name //Configure the local ID type of the IKE peer as name.
remote-name RouterB //Configure the IKE peer name. In V200R008 and later versions the remote-name command is not supported; the remote-id command provides the same function.
nat traversal //Enable NAT traversal. In V200R008 and later versions, the
device supports NAT traversal by default, and this command is not supported.
#
ipsec policy-template rta_temp 1 //Create an IPSec policy template.
ike-peer rta
proposal rta
#
ipsec policy rta 1 isakmp template rta_temp //Specify the IPSec policy template
used to create SAs.
#
interface Ethernet1/0/0
ip address 1.2.0.1 255.255.255.0
ipsec policy rta
#
interface Ethernet2/0/0
ip address 10.1.0.1 255.255.255.0
#
ip route-static 10.2.0.0 255.255.255.0 1.2.0.2 //Configure a static route to
10.2.0.0
#
return
Run the ping command to trigger IPSec session setup. Run the display ike sa verbose and
display ipsec sa commands on RouterA to view the IPSec tunnel configuration.
----End
Configuration Notes
l Ensure that RouterA and RouterB can communicate through the NATER.
l RouterA functions as the IPSec responder and needs to be configured with an IPSec
template.
l RouterA and RouterB must support NAT traversal.
l When NAT traversal is enabled, the data encapsulation mode must be set to the tunnel
mode.
Specifications
This example applies to all versions and routers.
Networking Requirements
As shown in Figure 5-65, there are multiple network segments in the headquarters. The
branch needs to use different keys to access different network segments in the headquarters.
Figure 5-65: RouterA (Eth1/0/0 1.0.1.1/24; LAN 192.168.1.1/24 with a PC) and RouterB (Eth1/0/0 1.0.2.254/24; LANs 10.6.0.1/24 and 10.6.1.1/24) are connected by an IPSec tunnel.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure ACL 3000 to match traffic sent from 192.168.1.0/24
to 10.6.0.0/24.
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 10.6.0.0 0.0.0.255
#
acl number 3001 //Configure ACL 3001 to match traffic sent from 192.168.1.0/24
to 10.6.1.0/24.
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 10.6.1.0 0.0.0.255
#
ipsec proposal default //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
----End
Configuration Notes
l ACLs configured on devices in the headquarters and branch must mirror each other.
l Both routers must be configured with IPSec policies.
Specifications
This example applies to all versions and routers.
Networking Requirements
An enterprise establishes multiple branches in different areas due to service expansion. The
branch gateways connect to the Internet using PPPoE. As shown in Figure 5-66,
PPPoE_Client is the branch gateway, and PPPoE_Server is the headquarters gateway. The
branch subnet is 192.168.0.0/24 and the headquarters subnet is 172.16.0.0/24. Branch devices
need to access service servers in the headquarters to carry out services. Data transmitted
between the headquarters and branches needs to be encrypted to ensure service security.
Figure 5-66 Networking diagram for configuring IPSec on the dialer interface
Figure content: the branch gateway PPPoE_Client (GE0/0/2 192.168.0.1/24 towards PC A 192.168.0.2/24; GE0/0/1 towards the server) and the headquarters gateway PPPoE_Server (Eth2/0/0 1.1.1.1/24; GE0/0/1 172.16.0.1/24 towards PC B 172.16.0.2/24) are connected by an IPSec tunnel.
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In earlier versions of V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure the PPPoE_Client.
#
sysname PPPoE_Client
#
acl number 3000 //Configure ACL 3000 to match traffic sent from the branch subnet to the headquarters subnet.
rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
#
ipsec proposal pppoeserver //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer pppoeserver v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
remote-address 1.1.1.1
#
ipsec policy pppoeserver 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer pppoeserver
proposal pppoeserver
#
interface Dialer0 //Configure a dialer interface.
link-protocol ppp
ppp chap user vpdnuser@huawei.com //Configure CHAP authentication.
ppp chap password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@ //Set the CHAP authentication password to Huawei@2012.
ip address ppp-negotiate
dialer user anyone //Configure a dialer user.
dialer bundle 1 //Specify the dialer bundle.
dialer-group 1 //Specify a dialer ACL.
ipsec policy pppoeserver //Configure an IPSec policy.
#
interface GigabitEthernet0/0/1
pppoe-client dial-bundle-number 1 //Bind dialer bundle 1 to the PPPoE client interface.
#
interface GigabitEthernet0/0/2
ip address 192.168.0.1 255.255.255.0 //Configure an internal network interface.
#
dialer-rule //Configure a dialer ACL.
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0 //Configure a default route pointing to the dialer interface.
#
return
#
ipsec proposal pppoeclient //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer pppoeclient v1 //Configure an IKE peer.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
#
ipsec policy-template temp 1 //Configure an IPSec policy template.
security acl 3000 //Configure an ACL.
ike-peer pppoeclient //Configure an IKE peer.
proposal pppoeclient //Specify the IPSec proposal.
#
ipsec policy pppoeclient 1 isakmp template temp //Bind the IPSec policy template to the IPSec policy.
#
ip pool 0 //Configure IP address pool 0.
network 1.1.1.0 mask 255.255.255.0
#
aaa //Configure PPP authentication users.
authentication-scheme default
domain huawei.com
authentication-scheme default
local-user vpdnuser@huawei.com password cipher %^%#Uj3KQ|TGS%KK$)'A*4s.P"G{D/t1]+qh'0&-M4hW%^%# //Set the login password for PPP authentication users to Huawei@2012, which is displayed in cipher text.
local-user vpdnuser@huawei.com privilege level 0
local-user vpdnuser@huawei.com service-type ppp
#
interface Ethernet2/0/0 //Bind the PPPoE_Server to virtual template interface 0.
pppoe-server bind Virtual-Template 0
ipsec policy pppoeclient
#
interface Virtual-Template0 //Create virtual template interface 0.
ppp authentication-mode chap
remote address pool 0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1 //Configure the internal network interface address.
ip address 172.16.0.1 255.255.255.0
#
ip route-static 192.168.0.0 255.255.255.0 Virtual-Template0 //Configure a static route to the internal network of the remote side.
#
return
Run the display ike sa verbose and display ipsec sa commands to view the IPSec tunnel
configuration.
----End
Configuration Notes
l The PPPoE_Server address must be specified on the PPPoE_Client.
l On the PPPoE_Client, the IKE peer address must be specified because an IPSec policy is
used. On the PPPoE_Server, you do not need to specify the IKE peer address because an
IPSec policy template is used.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 5-67, devices in two subnets communicate with the Internet using
respective gateways and need to establish an IPSec tunnel to transmit data flows. To meet this
requirement, perform the following operations:
l Establish an IPSec tunnel between the two gateways to protect security of data flows
transmitted between subnet Group1 at 10.1.1.0/24 and subnet Group2 at 10.2.1.0/24.
l Establish a security tunnel between the two gateways using Internet Key Exchange (IKE)
negotiation. During IKE negotiation, PKI certificates are used for identity authentication.
Figure 5-67 content: a CA server; RouterA (GE0/0/1 1.1.1.1/24, Eth2/0/0 10.1.1.1/24) and RouterB (GE0/0/1 2.2.2.1/24, Eth2/0/0 10.2.1.1/24) connected by an IPSec tunnel; Group1 hosts at 10.1.1.2/24 behind RouterA and Group2 hosts at 10.2.1.2/24 behind RouterB.
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In earlier versions of V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure RouterA.
#
router id 10.1.1.1
#
pki entity routera //Configure a PKI entity.
country CN
state jiangsu
organization huawei
organization-unit info
common-name helloa
#
pki realm testa //Configure a PKI domain.
ca id ca_root
enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
entity routera
fingerprint sha2 7a34d94624b1c1bcbf6d763c4a67035d7a34d94624b1c1bcbf6d763c4a67035d
certificate-check none //Do not check certificate revocation status (no CRL or OCSP check) in this realm.
rsa local-key-pair rsa_scep //Use the RSA key pair in SCEP certificate application. This key pair is created in advance by running the pki rsa local-key-pair create command. This command is supported in V200R008 and later versions.
password cipher %$%$\1HN-bn(k;^|O85OAtYF3(M4%$%$ //Set the challenge password used in SCEP certificate application to 6AE73F21E6D3571D. This command is supported in V200R008 and later versions.
auto-enroll 60 regenerate //Enable automatic certificate enrollment and update. This command is supported in V200R008 and later versions.
#
acl number 3000 //Configure an ACL to define the data flows to be protected.
rule 15 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal routera //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 1 //Configure IKE to use a digital signature for identity authentication.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm aes-xcbc-mac-96
authentication-method rsa-signature
authentication-method rsa-signature
#
peer.
ike-proposal 1
local-address 1.1.1.1
remote-address 2.2.2.1
pki realm testa
#
ipsec policy routera 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer routera
proposal routera
#
interface Ethernet2/0/0 //Configure an external network interface.
ip address 10.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 1.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return
----End
Configuration Notes
l During IKE negotiation, if RouterA and RouterB do not obtain CA certificates or local
certificates, IKE negotiation fails.
l ACLs configured on devices in the headquarters and branch must mirror each other.
Networking Requirements
As shown in Figure 5-68, RouterA, RouterB, and RouterC connect to one switch. RouterA and
RouterB constitute a VRRP group with virtual IP address 1.0.2.128. RouterA functions as the
VRRP master and RouterB functions as the backup. An IPSec session is set up between
RouterC and the virtual IP address of the VRRP group.
Figure 5-68 content: RouterA (Eth1/0/1 1.0.2.1/24) and RouterB (GE0/0/1 1.0.2.2/24) attach to the same switch and share the VRRP virtual IP address 1.0.2.128/24; RouterC (Eth2/0/0 1.0.1.254/24) terminates the IPSec tunnel towards the virtual IP address.
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In earlier versions of V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer branch v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
local-address 1.0.2.128
remote-address 1.0.1.254
#
ipsec policy branch 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer branch
proposal def
#
interface Ethernet1/0/1 //Configure the connected interface.
ip address 1.0.2.1 255.255.255.0
vrrp vrid 1 virtual-ip 1.0.2.128 //Configure the virtual IP address 1.0.2.128 for VRRP group 1 and use the default priority.
ipsec policy branch //Bind the IPSec policy.
#
interface GigabitEthernet0/0/1 //Configure an internal network interface.
ip address 192.168.0.1 255.255.255.0
#
ip route-static 1.0.1.0 255.255.255.0 1.0.2.3 //Configure a static route to the branch gateway.
ip route-static 192.168.1.0 255.255.255.0 1.0.2.3 //Configure a static route to the branch network.
#
return
----End
Configuration Notes
l ACLs configured on devices in the headquarters and branches must mirror each other.
Networking Requirements
As shown in Figure 5-69, RouterA functions as the headquarters gateway, and RouterB and
RouterC function as branch gateways. Branches connect to multiple private networks and
secure channels need to be set up between the headquarters and branches. An IPSec policy
template is configured on RouterA and is used for establishing IPSec tunnels.
Figure 5-69 Networking diagram for configuring access to multiple branches using an IPSec
policy template
Figure content: RouterA has GE0/0/1 10.1.1.1/24 (host 10.1.1.2/24), GE0/0/2 10.11.1.1/24 (host 10.11.1.2/24) and Eth2/0/0 1.1.1.1/24; the branch gateways reach it through 1.1.1.2/24 over separate IPSec tunnels and connect private networks whose hosts are 10.2.2.2/24, 10.4.4.2/24, 10.22.2.2/24 and 10.44.4.2/24 (branch gateway addresses 10.2.2.1/24 and 10.4.4.1/24 are shown).
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In earlier versions of V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipsec proposal def
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer branch v1 //Configure an IKE peer. You do not need to configure the remote address or remote name.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
local-address 1.1.1.1
#
ipsec policy-template branch 1 //Configure an IPSec policy template.
ike-peer branch
proposal def
#
ipsec policy hk 1 isakmp template branch //Configure an IPSec policy.
#
interface Ethernet2/0/0 //Configure an interconnection interface for setting up an IKE connection and encapsulating the outer IP address.
ip address 1.1.1.1 255.255.255.0
ipsec policy hk //Bind the IPSec policy to the interface.
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0 //Configure the router interface connected to a private network.
#
interface GigabitEthernet0/0/2
ip address 10.11.1.1 255.255.255.0 //Configure the router interface connected to another private network.
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 //Configure a static route.
#
return
Run the display ike sa command on RouterA or a branch gateway to view SA information.
----End
Configuration Notes
l When the headquarters uses an IPSec policy template to establish IPSec tunnels, you do
not need to specify the remote address or remote name of the IKE peer.
l The headquarters and branches use the same pre-shared key.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
The headquarters and branch want to establish a secure IPSec connection. The headquarters
gateway RouterB uses a static public address. The branch size is small and its gateway
RouterA uses a 3G interface to dynamically obtain an IP address from a provider. When
deploying an IPSec policy, the headquarters must know the branch IP address. The branch IP
address often changes and is difficult to maintain. You can use an IPSec policy template on
RouterB so that the headquarters and branch can perform IPSec negotiation without knowing
the branch IP address.
After an IPSec tunnel is established, branch users can only access internal resources of the
headquarters. The NAT function can be configured on RouterA to allow branch users to
access external networks.
Figure content: RouterA (Cellular0/0/1 towards a 3G NodeB; Eth1/0/0 192.168.1.1/24 towards PC1 on LAN 192.168.1.0/24) and RouterB (Serial1/0/0 13.1.1.1/24; Eth1/0/0 192.168.2.1/24 towards PC2 on LAN 192.168.2.0/24) establish an IPSec tunnel across the Internet.
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In earlier versions of V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL to define the data flows to be protected by IPSec.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3001 //Configure the ACL used by NAT: deny the flows protected by IPSec so that they are not translated, and permit the remaining flows to the external network.
rule 1 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 2 permit ip source 192.168.1.0 0.0.0.255
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer rta v1 //Configure an IKE peer for establishing an IPSec connection with RouterB.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 5
remote-address 13.1.1.1 //Configure the remote address used for initiating IKE negotiation.
#
ipsec policy rta 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer rta
proposal rta
#
dialer-rule //Create a dialer ACL.
dialer-rule 1 ip permit
#
apn profile 3gprofile //Create an APN profile.
user name 3guser password cipher %@%@,)AK/L"R0'^5%YUBDqKP#^y>%@%@ authentication-mode auto
apn 3GNET
#
interface Cellular0/0/1 //Set dial parameters for the 3G interface.
link-protocol ppp
ip address ppp-negotiate //Enable PPP negotiation to automatically obtain the IP address allocated by the carrier and connect to the public network.
dialer enable-circular //Enable the C-DCC function.
dialer-group 1 //Add the interface to a dialer group. The number must be the same as the dialer-rule number.
apn-profile 3gprofile
dialer timer autodial 60 //Set the auto-dial interval to 60s.
dialer number *99# autodial //Enable the auto-dial function.
mode wcdma wcdma-precedence //Configure a WCDMA network connection mode for a 3G modem.
ipsec policy rta //Bind the IPSec policy to the interface.
nat outbound 3001 //Configure NAT to enable access to the public network.
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/1
#
return
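The deny rule in ACL 3001 exists because of the order in which the cellular interface handles outbound traffic: nat outbound is applied before the IPSec policy classifies a packet, so VPN traffic that is not excluded from NAT would be translated first and then fail to match ACL 3000. The Python model below is an added example, not part of the original document; the rules are transcribed from ACL 3000 and ACL 3001 above, while the public address 203.0.113.7 and the sample packets are constructed.

```python
"""Model the outbound order on RouterA's Cellular0/0/1: NAT outbound first, IPSec second.

Added example; the rules below are transcribed from the page's ACL 3000 / ACL 3001 and the
public address is a constructed placeholder.
"""
from ipaddress import ip_address, ip_network

# ACL rules as (action, source network, destination network); None matches any address.
IPSEC_ACL_3000 = [
    ("permit", ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")),
]
NAT_ACL_3001 = [
    ("deny", ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")),  # keep VPN flows out of NAT
    ("permit", ip_network("192.168.1.0/24"), None),                        # everything else is NATed
]
# The same NAT ACL without the deny rule: the misconfiguration the deny rule prevents.
NAT_ACL_NO_DENY = [("permit", ip_network("192.168.1.0/24"), None)]

PUBLIC_IP = ip_address("203.0.113.7")  # constructed stand-in for the carrier-assigned address


def acl_match(rules, src, dst):
    """First-match evaluation; a packet that matches no rule is implicitly denied."""
    for action, s_net, d_net in rules:
        if (s_net is None or src in s_net) and (d_net is None or dst in d_net):
            return action
    return "deny"


def outbound(src, dst, nat_acl, ipsec_acl):
    """Return (source address on the wire, "ipsec" or "clear") for one outbound packet.

    nat outbound is applied before the IPSec policy on the same interface, so the IPSec
    ACL sees the translated source address whenever NAT has already matched the packet.
    """
    src, dst = ip_address(src), ip_address(dst)
    if acl_match(nat_acl, src, dst) == "permit":
        src = PUBLIC_IP  # translated before the IPSec policy classifies the packet
    protected = acl_match(ipsec_acl, src, dst) == "permit"
    return str(src), ("ipsec" if protected else "clear")


if __name__ == "__main__":
    for label, nat_acl in (("with deny rule", NAT_ACL_3001), ("without deny rule", NAT_ACL_NO_DENY)):
        for dst in ("192.168.2.20", "198.51.100.5"):
            print(label, "192.168.1.10 ->", dst, outbound("192.168.1.10", dst, nat_acl, IPSEC_ACL_3000))
```

Without the deny rule the headquarters-bound packet leaves the cellular interface translated and unprotected; with it, the packet keeps its private source and is matched by the IPSec policy.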
----End
Configuration Notes
l The pre-shared key at both ends must be the same.
l You do not need to specify the remote IP address of the IKE peer for the end using an
IPSec policy template.
l You can choose not to configure an ACL on the headquarters gateway using an IPSec
policy template. If an ACL is configured on the headquarters to protect data flows, the
destination segment address in the ACL must cover all the source addresses in ACLs on
branches.
l Dial-up parameters for a 3G interface differ between 3G networks. Obtain them from the
3G network provider.
Specifications
This example applies to all versions and routers.
Networking Requirements
As shown in Figure 5-71, RouterA and RouterB establish an IPSec session, a GRE tunnel is
set up, and traffic on the network segment connected to GE0/0/1 is imported to the GRE
tunnel.
Figure 5-71 content: PC A 10.1.0.2/24 sits behind RouterA and PC B 10.2.0.2/24 behind RouterB; the GRE tunnel between the routers is protected by the IPSec session.
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In earlier versions of V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0
#
ipsec proposal rtb //Configure an IPSec proposal.
encapsulation-mode transport //Set the encapsulation mode to transport.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1 //Configure an IKE proposal.
#
ike peer rtb v1 //Configure an IKE peer.
ike-proposal 1
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
remote-address 1.2.2.1
#
ipsec policy rtb 1 isakmp //Configure an IPSec policy and define IKE negotiation.
security acl 3000 //Specify the ACL.
ike-peer rtb //Specify the IKE peer.
proposal rtb //Specify the IPSec proposal.
#
interface Ethernet1/0/1
ip address 1.2.1.1 255.255.255.252
ipsec policy rtb //Bind the IPSec policy to the interface.
#
interface GigabitEthernet0/0/1
ip address 10.1.0.1 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface.
ip address 1.3.1.1 255.255.255.252
tunnel-protocol gre
source 1.2.1.1 //Specify the source address of the tunnel interface.
destination 1.2.2.1 //Specify the destination address of the tunnel interface.
#
ip route-static 10.2.0.0 255.255.255.0 Tunnel0/0/1 //Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 1.2.1.2
#
return
----End
Configuration Notes
l The ACL is configured to match the WAN-side interface IP address.
l The encapsulation mode in the IPSec proposal must be transport.
l The source and destination IP addresses of the GRE tunnel interface must be the same as
those of the data flow protected by IPSec (that is, defined in the ACL referenced by the
IPSec policy).
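The three notes above can be checked mechanically against a configuration. The Python script below is an added example, not part of the original document: SAMPLE_CONFIG is transcribed from the RouterA configuration in this example, the parser and the check are assumed helpers written for this page, and BROKEN_CONFIG is a constructed variant showing how the two most common mistakes are reported.

```python
"""Check the GRE over IPSec consistency rules from the Configuration Notes.

Added example. SAMPLE_CONFIG is transcribed from the RouterA configuration on the page;
BROKEN_CONFIG is a constructed variant with the two most common mistakes.
"""
import re

RULE_RE = re.compile(r"rule \d+ (permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)")

SAMPLE_CONFIG = """\
acl number 3000
 rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0
#
ipsec proposal rtb
 encapsulation-mode transport
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ipsec policy rtb 1 isakmp
 security acl 3000
 ike-peer rtb
 proposal rtb
#
interface Ethernet1/0/1
 ip address 1.2.1.1 255.255.255.252
 ipsec policy rtb
#
interface Tunnel0/0/1
 ip address 1.3.1.1 255.255.255.252
 tunnel-protocol gre
 source 1.2.1.1
 destination 1.2.2.1
#
"""
# Constructed mistakes: proposal left in the default tunnel mode, and an ACL that
# matches the LAN subnets instead of the two GRE endpoints.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(" encapsulation-mode transport\n", "").replace(
    "source 1.2.1.1 0 destination 1.2.2.1 0",
    "source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255")


def parse_sections(text):
    """Split a VRP-style configuration on '#' separator lines into {header: [body lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", ""):
            current = None
        elif current is None:
            current = line
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def first_value(lines, key):
    """Tokens following `key` on the first body line that starts with it, else None."""
    for line in lines:
        if line == key or line.startswith(key + " "):
            return line[len(key):].split()
    return None


def check_gre_over_ipsec(text):
    """Return a list of findings; an empty list means the three notes hold."""
    sec = parse_sections(text)
    findings = []
    # Note 1 concerns the WAN-side interface: the non-tunnel interface that binds the policy.
    wan_name, wan = next((h, b) for h, b in sec.items()
                         if h.startswith("interface ") and "Tunnel" not in h
                         and first_value(b, "ipsec policy"))
    wan_ip = first_value(wan, "ip address")[0]
    policy = next(b for h, b in sec.items()
                  if h.startswith(f"ipsec policy {first_value(wan, 'ipsec policy')[0]} "))
    acl = sec[f"acl number {first_value(policy, 'security acl')[0]}"]
    proposal_name = first_value(policy, "proposal")[0]
    proposal = sec[f"ipsec proposal {proposal_name}"]
    tunnel_name, tunnel = next((h, b) for h, b in sec.items() if h.startswith("interface Tunnel"))
    gre_src, gre_dst = first_value(tunnel, "source")[0], first_value(tunnel, "destination")[0]

    # Note 2: the proposal must use transport mode (VRP defaults to tunnel mode when unset).
    mode = (first_value(proposal, "encapsulation-mode") or ["tunnel"])[0]
    if mode != "transport":
        findings.append(f"proposal {proposal_name}: encapsulation-mode is {mode}, must be transport")

    # Notes 1 and 3: the ACL must match exactly the two GRE endpoints as host addresses,
    # and the local endpoint must be the WAN-side interface address.
    for m in RULE_RE.finditer("\n".join(acl)):
        action, src, src_wc, dst, dst_wc = m.groups()
        if action != "permit":
            continue
        if src_wc != "0" or dst_wc != "0":
            findings.append(f"ACL rule {src} {src_wc} -> {dst} {dst_wc}: wildcards must be 0 (host addresses)")
        if (src, dst) != (gre_src, gre_dst):
            findings.append(f"ACL rule {src} -> {dst} does not match {tunnel_name} {gre_src} -> {gre_dst}")
    if gre_src != wan_ip:
        findings.append(f"{tunnel_name} source {gre_src} is not the {wan_name} address {wan_ip}")
    return findings


if __name__ == "__main__":
    print("page config:", check_gre_over_ipsec(SAMPLE_CONFIG) or "OK")
    print("broken config:", check_gre_over_ipsec(BROKEN_CONFIG))
```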
Networking Requirements
As shown in Figure 5-72, RouterA functions as the egress router of the headquarters network
and provides GRE over IPSec access for two branches. RouterB and RouterC are egress
routers of the two branches and connect to the headquarters network using GRE over IPSec.
OSPF is enabled on GRE tunnels of the headquarters and each branch. Traffic exchanged
between the headquarters and branches must be encrypted.
Figure 5-72 Networking diagram for configuring GRE over IPSec and OSPF
Figure content: PC A 10.0.0.2/24 connects to RouterA GE0/0/1 10.0.0.1/24, and RouterA Eth2/0/1 1.0.1.254/24 faces the Internet. RouterB has WAN interface GE0/0/2 1.0.2.1/24 and LAN interface GE0/0/1 192.168.1.1/24 with PC B 192.168.1.2/24. RouterC has WAN interface GE0/0/1 1.0.3.1/24 and LAN interface GE0/0/2 192.168.2.1/24 with PC C 192.168.2.2/24. GRE over IPSec tunnels between RouterA and each branch router carry the encrypted data flows.
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In earlier versions of V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
destination 1.0.1.254
#
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.255.1 0.0.0.0
network 192.168.0.0 0.0.0.3
network 192.168.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 1.0.2.2
#
return
routes.
area 0.0.0.0
network 192.168.255.2 0.0.0.0
network 192.168.0.4 0.0.0.3
network 192.168.2.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 1.0.3.2
#
return
Run the display ip routing-table command on RouterA or RouterB. You can view the route
from the tunnel interface to the user-side interface.
----End
Configuration Notes
l The ACL configured on the egress router of the headquarters cannot contain a deny rule.
If the ACL contains deny rules, data flows will not be transmitted to the IPSec tunnel.
l ACLs configured on devices in the headquarters and branches must mirror each other.
l You can configure only one IPSec policy on the egress router of the headquarters and
assign IKE peers different sequence numbers.
l The WAN-side interface IP addresses in the headquarters and branches can be pinged.
Specifications
This example applies to all versions and routers.
Networking Requirements
As shown in Figure 5-73, the egress router in the headquarters provides IPSec VPN access
for branches. NAT devices exist between the branches and the Internet, so the aggressive
mode and NAT traversal are configured on egress routers of the headquarters and branches.
The headquarters egress router uses an IPSec policy template but not the ACL. The three
egress routers use loopback interface IP addresses to establish GRE over IPSec tunnels. ACLs
are configured on branch egress routers to implement communication between the
headquarters and branches through GRE over IPSec tunnels. OSPF is used on GRE over
IPSec tunnels so that traffic exchanged between branches is forwarded through the
headquarters egress router.
Figure 5-73 Networking diagram for configuring GRE over IPSec and OSPF to implement
NAT traversal
Figure content: PC A 172.16.1.2/24 connects to RouterA GE0/0/1 172.16.1.1/24; RouterA has LoopBack0 172.16.0.1/32 and Eth2/0/1 1.0.1.60/24. RouterB (LoopBack0 192.168.1.1/32, GE0/0/1 10.0.1.2/24, GE0/0/2 192.168.11.1/24, PC B 192.168.11.2/24) sits behind NAT2 (GE0/0/1 10.0.1.1/24, Eth1/0/1 1.0.2.1/24). RouterC (LoopBack0 192.168.2.1/32, GE0/0/1 10.0.2.2/24, GE0/0/2 192.168.12.1/24, PC C 192.168.12.2/24) sits behind NAT1 (GE0/0/1 10.0.2.1/24, Eth1/0/1 1.0.3.1/24). GRE over IPSec tunnels between the loopback addresses carry the encrypted data flows.
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In earlier versions of V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 172.16.0.1 //Configure the OSPF router ID.
#
#
router id 192.168.1.1 //Configure the OSPF router ID.
#
ike local-name rtb
#
acl number 3000
rule 0 permit gre source 192.168.1.1 0 destination 172.16.0.1 0
#
ipsec proposal default //Configure a default IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer center v1 //Configure an IKE peer.
exchange-mode aggressive //Set the negotiation mode to aggressive.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the authentication password in the pre-shared key to 123-branch, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key 123-branch, and the password is displayed in plain text.
local-id-type name //Configure the local ID type for IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.
remote-name rta //Configure the IKE peer name. In V200R008 and later versions, the device does not support the remote-name command. This command provides the same function as the remote-id command.
nat traversal //Enable NAT traversal. In V200R008 and later versions, the device supports NAT traversal by default, and this command is not supported.
remote-address 1.0.1.60
#
ipsec policy center 1 isakmp //Configure an IPSec policy and set the sequence number to 1.
security acl 3000
ike-peer center
proposal default
#
interface GigabitEthernet0/0/1 //Configure the WAN-side interface in branch 1.
ip address 10.0.1.2 255.255.255.0
ipsec policy center
#
interface GigabitEthernet0/0/2 //Configure the LAN-side interface in branch 1.
ip address 192.168.11.1 255.255.255.0
#
interface LoopBack0 //Configure the LoopBack interface IP address, which is used for establishing a GRE connection and as the router ID.
ip address 192.168.1.1 255.255.255.255
#
interface Tunnel0/0/0 //Configure a tunnel interface.
ip address 192.168.0.2 255.255.255.252
tunnel-protocol gre
source LoopBack0
destination 172.16.0.1
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.11.0 0.0.0.255
network 192.168.0.0 0.0.0.3
#
ip route-static 0.0.0.0 0.0.0.0 10.0.1.1 //Configure a default route.
#
return
#
ike local-name rtc
#
acl number 3000
rule 0 permit gre source 192.168.2.1 0 destination 172.16.0.1 0
#
ipsec proposal default //Configure a default IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer center v1 //Configure an IKE peer.
exchange-mode aggressive //Set the negotiation mode to aggressive.
pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%# //Configure the authentication password in the pre-shared key to 123-branch, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key 123-branch, and the password is displayed in plain text.
local-id-type name //Configure the local ID type for IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.
remote-name rta //Configure the IKE peer name. In V200R008 and later versions, the device does not support the remote-name command. This command provides the same function as the remote-id command.
nat traversal //Enable NAT traversal. In V200R008 and later versions, the device supports NAT traversal by default, and this command is not supported.
remote-address 1.0.1.60
#
ipsec policy center 1 isakmp //Configure an IPSec policy and set the sequence number to 1.
security acl 3000
ike-peer center
proposal default
#
interface GigabitEthernet0/0/1 //Configure the WAN-side interface in branch 2.
ip address 10.0.2.2 255.255.255.0
ipsec policy center
#
interface GigabitEthernet0/0/2 //Configure the LAN-side interface in branch 2.
ip address 192.168.12.1 255.255.255.0
#
interface LoopBack0 //Configure the LoopBack interface IP address, which is used for establishing a GRE connection and as the router ID.
ip address 192.168.2.1 255.255.255.255
#
interface Tunnel0/0/1 //Configure a tunnel interface.
ip address 192.168.0.6 255.255.255.252
tunnel-protocol gre
source LoopBack0
destination 172.16.0.1
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.0.4 0.0.0.3
network 192.168.12.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.0.2.1 //Configure a default route.
#
return
#
nat address-group 0 11.0.0.1 11.0.0.10 //Configure a NAT address pool.
#
interface Ethernet1/0/1 //Configure the WAN-side interface.
ip address 1.0.3.1 255.255.255.0
nat outbound 2000 address-group 0
#
interface GigabitEthernet0/0/1 //Configure the NAT device interface connected to the router in branch 2.
ip address 10.0.2.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 1.0.3.2 //Configure a default route.
#
return
----End
Configuration Notes
l The ACL configured on the egress router of the headquarters cannot contain a deny rule.
If the ACL contains deny rules, data flows will not be transmitted to the IPSec tunnel.
l You can configure only one IPSec policy on the egress router of the headquarters and
assign IKE peers different sequence numbers.
l There must be reachable routes between the headquarters and branches.
Applicability
This example applies to all AR models of V200R008C50 and later versions.
Networking Requirements
In Figure 5-74, Router1 is the gateway of an enterprise branch, and Router2 is the gateway of
the headquarters. Router1 and Router2 communicate through the public network.
On the live network, the enterprise branch communicates with the headquarters through a
GRE tunnel. The enterprise wants to protect traffic excluding multicast data between the
headquarters and branch. An IPSec over GRE tunnel can be established based on ACL to
protect traffic between the headquarters and branch.
Figure 5-74 Establishing an IPSec over GRE tunnel between the headquarters and branch
Figure 5-74 content: the branch gateway Router1 (GE1/0/0 1.1.1.1/24, GE2/0/0 10.1.1.1/24, Tunnel0/0/0 10.2.1.1/24, PC1 10.1.1.2/24) and the headquarters gateway Router2 (GE1/0/0 2.1.1.1/24, GE2/0/0 10.1.2.1/24, Tunnel0/0/0 10.2.1.2/24, PC2 10.1.2.2/24) are connected by an IPSec over GRE tunnel across the public network.
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In earlier versions of V200R008:
ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
l To configure IKE peers: ike peer peer-name
l To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure Router1.
#
sysname Router1
#
acl number 3101 //Configure the IP address segment that supports IPSec encryption.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure the authentication, encryption, and DH algorithms in the IKE proposal.
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
#
ike peer spub //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 5
remote-address 10.2.1.2 //Configure an IP address for the remote tunnel interface.
#
ipsec policy map1 10 isakmp //Configure a security policy and import parameters to the policy.
security acl 3101
ike-peer spub
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure a GRE tunnel interface.
ip address 10.2.1.1 255.255.255.0
tunnel-protocol gre
source 1.1.1.1
destination 2.1.1.1
ipsec policy map1 //Apply the security policy to the interface and enable IPSec protection.
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2 //Configure a static route to the public network.
ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/0 //Configure a static route to the private network.
#
return
Precautions
l The pre-shared key at both ends must be the same.
l The remote address configured for the IKE peer must be the IP address of the tunnel
interface.
Networking Requirements
In Figure 5-75, a large-sized enterprise has the headquarters (Hub) and multiple branches
(Spoke1 and Spoke2 in this example) located in different areas, and the Spokes connect to
public networks using dynamic IP addresses obtained through DHCP. DSVPN is deployed to
enable communication between Spokes as well as between Spoke and Hub.
The enterprise requires that data transmitted between Spokes as well as between Spoke and
Hub be encrypted. IPSec over DSVPN can be configured on Hub and Spokes to provide
traffic protection.
Figure 5-75 Establishing IPSec over DSVPN tunnels between Hub and Spokes
Topology of Figure 5-75: Hub (headquarters) has GE1/0/0 1.1.1.10/24, GE1/0/1 10.1.1.1/24 and Tunnel0/0/0 10.2.1.1/24; Spoke1 (branch 1) has GE1/0/0 1.1.2.10/24, GE1/0/1 10.1.2.1/24 and Tunnel0/0/0 10.2.1.2/24; Spoke2 (branch 2) has GE1/0/0 1.1.3.10/24, GE1/0/1 10.1.3.1/24 and Tunnel0/0/0 10.2.1.3/24.
Assume that the dynamic addresses obtained by Spoke1 and Spoke2 are 1.1.2.10 and 1.1.3.10,
respectively.
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
– To configure IKE peers: ike peer peer-name
– To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure the Hub.
#
sysname Hub
#
ipsec proposal pro1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1 //Configure the authentication, encryption, PRF, and DH algorithms in the IKE proposal.
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
prf aes-xcbc-128
#
ike peer hub //Configure an IKE peer.
pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 1
dpd type periodic
dpd idle-time 40
#
ipsec policy-template use1 10 //Configure an IPSec policy template and import parameters to the template.
ike-peer hub
proposal pro1
#
ipsec policy policy1 10 isakmp template use1 //Configure an IPSec policy and reference the policy template.
#
interface GigabitEthernet1/0/0
ip address 1.1.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure an mGRE tunnel interface.
ip address 10.2.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to P2MP.
ospf dr-priority 100 //Configure an interface priority for DR election.
ipsec policy policy1 //Apply the security policy to the interface and enable IPSec protection.
nhrp entry multicast dynamic //Add a dynamically registered Spoke to the NHRP multicast member table.
#
ospf 1 router-id 10.2.1.1 //Configure private network routes.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
ospf 2 //Configure a public network route.
area 0.0.0.1
network 1.1.1.0 0.0.0.255
#
return
#
ike proposal 1 //Configure the authentication, encryption, PRF, and DH algorithms in the IKE proposal.
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
prf aes-xcbc-128
#
ike peer spoke1 //Configure an IKE peer.
pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 1
dpd type periodic //Set the DPD mode to periodic.
dpd idle-time 40 //Set an idle time for DPD.
remote-address 10.2.1.1 //Configure an IP address for the remote tunnel interface.
#
ipsec policy policy1 10 isakmp //Configure a security policy and import parameters to the policy.
security acl 3101
ike-peer spoke1
proposal pro1
#
interface GigabitEthernet1/0/0
ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
ip address 10.1.2.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure an mGRE tunnel interface.
ip address 10.2.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to P2MP.
ospf dr-priority 0 //Configure an interface priority for DR election.
ipsec policy policy1 //Apply the security policy to the interface and enable IPSec protection.
nhrp entry 10.2.1.1 1.1.1.10 register //Configure an NHRP mapping table.
#
ospf 1 router-id 10.2.1.2 //Configure private network routes.
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
ospf 2 //Configure a public network route.
area 0.0.0.1
network 1.1.2.0 0.0.0.255
return
prf aes-xcbc-128
#
ike peer spoke2 //Configure an IKE peer.
pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 1
dpd type periodic //Set the DPD mode to periodic.
dpd idle-time 40 //Set an idle time for DPD.
remote-address 10.2.1.1 //Configure an IP address for the remote tunnel interface.
#
ipsec policy policy1 10 isakmp //Configure a security policy and import parameters to the policy.
security acl 3101
ike-peer spoke2
proposal pro1
#
interface GigabitEthernet1/0/0
ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
ip address 10.1.3.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure an mGRE tunnel interface.
ip address 10.2.1.3 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to P2MP.
ospf dr-priority 0 //Configure an interface priority for DR election.
ipsec policy policy1 //Apply the security policy to the interface and enable IPSec protection.
nhrp entry 10.2.1.1 1.1.1.10 register //Configure an NHRP mapping table.
#
ospf 1 router-id 10.2.1.3 //Configure private network routes.
area 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
ospf 2 //Configure a public network route.
area 0.0.0.1
network 1.1.3.0 0.0.0.255
return
Run the display ike sa command on the Hub and Spokes. You can find that SAs are
established successfully.
After users in Spoke1 ping the Hub, run the display ipsec statistics command on Spoke1 to
view statistics on IPSec packets. The value of the input/output security packets field is not
0, indicating that data transmitted between the Hub and Spoke1 is encrypted.
After users in Spoke2 ping the Hub, run the display ipsec statistics command on Spoke2 to
view statistics on IPSec packets. The value of the input/output security packets field is not
0, indicating that data transmitted between the Hub and Spoke2 is encrypted.
----End
Precautions
l The pre-shared key at both ends must be the same.
l The remote address configured for the IKE peer must be the IP address of the tunnel
interface.
Networking Requirements
As shown in Figure 5-76, RouterA (remote branch gateway) and RouterB (headquarters
gateway) communicate through the Internet in PPPoE mode. The branch subnet is 10.1.1.0/24
and the headquarters subnet is 10.1.2.0/24. The DNS server resolves domain names, the
DDNS server updates IP addresses mapping domain names, and the PPPoE server allocates IP
addresses.
The enterprise wants to protect data flows between the branch subnet and the headquarters
subnet. An IPSec tunnel can be set up between the branch gateway and headquarters gateway
because they communicate over the Internet. Because IP addresses of the branch and
headquarters are dynamic addresses, domain names can be used for IKE negotiation.
Figure 5-76 Networking for using dynamic addresses to establish an IPSec tunnel in IKE
negotiation mode between the branch and headquarters
Topology of Figure 5-76: PC A (10.1.1.2/24) sits on the branch subnet behind RouterA and PC B (10.1.2.2/24) on the headquarters subnet behind RouterB; the PPPoE server, the DNS server (70.1.1.11) and the DDNS server are reached over the Internet between the two gateways.
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
– To configure IKE peers: ike peer peer-name
– To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
dns resolve //Configure DNS.
dns server 70.1.1.11 //Specify the DNS server IP address.
ddns policy ddnspolicy1 //Configure a DDNS policy.
url oray://username1:password1@phddnsdev.oray.net //Configure the URL of the DDNS server.
#
acl number 3003 //Configure an ACL to permit data flows from 10.1.1.0/24 to 10.1.2.0/24.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
#
ike peer rut1 v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 5
remote-address www.huaweib.com //The domain name has been registered with the DDNS server.
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy.
security acl 3003
ike-peer rut1
proposal prop1
#
interface Dialer1 //Set parameters on the dialer interface.
link-protocol ppp
ppp chap user user@huawei.com
ppp chap password cipher %@%@l$S'&"Sm7!j4F#)i{{G#L3Wu%@%@
ip address ppp-negotiate
dialer user huawei
dialer bundle 1
dialer-group 1
ddns policy ddnspolicy1 //Apply the DDNS policy to the dialer interface so that the DDNS client can notify the DDNS server of changes in mappings between domain names and IP addresses when the interface IP address changes.
ipsec policy policy1 //Apply the IPSec policy to the dialer interface.
#
interface GigabitEthernet1/0/0 //Bind the dialer interface to the physical interface and establish a PPPoE session.
pppoe-client dial-bundle-number 1
#
interface Ethernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
dialer-rule //Configure a dialer access group to permit all IPv4 packets to pass through.
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 dialer1 //Configure a default route through the dialer interface.
#
return
pppoe-client dial-bundle-number 1
#
interface Ethernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
dialer-rule //Configure a dialer access group to permit all IPv4 packets to pass through.
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 dialer1 //Configure a default route through the dialer interface.
#
return
# After the configurations are complete, PC A can ping PC B successfully. Data exchanged
between PC A and PC B is encrypted. You can run the display ipsec statistics command to
view packet statistics.
# Run the display ike sa and display ipsec sa commands on RouterA and RouterB. You can
view the IPSec tunnel configuration.
----End
Configuration Notes
If an IPSec tunnel cannot be re-established because the IP address of the dialer interface changes frequently, use either of the following methods:
l If IPSec policies are configured at both ends, configure DPD to detect faults on the
remote end.
l If an IPSec policy is configured at one end and an IPSec policy template is configured at
the other end, run the ipsec remote traffic-identical accept command (supported by
V2R3C00 and later versions) on the end where the IPSec policy template is configured.
This command allows new users with the same traffic rule as original branch users to
access the headquarters network so that the existing IPSec SAs can be rapidly aged and a
new IPSec tunnel can be established.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 5-77, RouterA functions as the headquarters gateway. Traveling
employees use PC A to communicate with the headquarters through the public network. To
ensure security of traveling employees, the enterprise requires that an IPSec tunnel be set up
between the traveling employee's PC and headquarters gateway.
Figure 5-77 Networking for configuring an IPSec tunnel between the PC and router
Topology of Figure 5-77: PC A, used by the traveling employee, reaches the headquarters gateway RouterA over an IPSec tunnel across the public network; RouterA's GE1/0/0 is 200.1.1.1/24 and the enterprise headquarters network behind it is 10.1.1.1/24.
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
– To configure IKE peers: ike peer peer-name
– To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
ipsec proposal prop //Configure an IPSec proposal.
encapsulation-mode transport
#
ike proposal 5 //Configure an IKE proposal.
#
ike peer peer1 v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 5
#
ipsec policy-template temp1 10 //Configure an IPSec policy template.
ike-peer peer1
proposal prop
#
ipsec policy policy1 10 isakmp template temp1 //Configure an IPSec policy.
#
interface GigabitEthernet1/0/0
ip address 200.1.1.1 255.255.255.0
ipsec policy policy1
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.2 //Configure a static route.
#
return
Step 2 Configure PC A.
# Create an IPSec policy.
Choose Control Panel > System and Security > Administrative Tools > IP Security Policies on Local Computer.
Right-click IP Security Policies on Local Computer shown in Figure 5-78. The IP security
policy wizard is displayed.
Figure 5-79, Figure 5-80, Figure 5-81, and Figure 5-82 show how to create an IPSec policy.
On the IPSec Properties page shown in Figure 5-83, deselect Use Add Wizard and click
Add to add rules.
On the IP Filter List page shown in Figure 5-85, deselect Use Add Wizard and click
Add to add an IP filter list.
Configure IP filter attributes. On the Addresses tab page shown in Figure 5-86, select
My IP Address as the source address, headquarters gateway IP address as the
destination address, and mirror data flows.
On the Protocol tab page shown in Figure 5-87, select Any from the Select a protocol
type drop-down list box.
On the Description tab page shown in Figure 5-88, configure a description for the IP
filter.
Click OK. The IP Filter List page shown in Figure 5-89 is displayed.
Click OK. The New Rule Properties page shown in Figure 5-90 is displayed.
The New Filter Action Properties page shown in Figure 5-92 is displayed. Select
Accept unsecured communication, but always respond using IPSec and click Add.
The Security Methods page shown in Figure 5-93 is displayed. Select Custom and
click Settings.
The Custom Security Method Settings page shown in Figure 5-94 is displayed. Set
integrity and encryption algorithms, and perform session key settings.
The MD5, SHA1, DES and 3DES algorithms have security risks. Exercise caution when you use
non-authentication.
3. Configure authentication methods.
On the Authentication Methods tab page shown in Figure 5-95, click Edit.
The Authentication Method Properties page shown in Figure 5-96 is displayed. Select
Use the string (preshared key) and use the pre-shared key huawei.
On the Key Exchange Settings page, select Methods, as shown in Figure 5-100.
On the Key Exchange Security Methods page, select Add, as shown in Figure 5-101.
The MD5, SHA1, DES and 3DES algorithms have security risks. Exercise caution when you use
non-authentication.
----End
Configuration Notes
The IPSec configuration on the PC is much more complex than that on the router, so you must be familiar with the IPSec configuration on the router.
A host-to-gateway IPSec tunnel is established between a traveling employee and the
headquarters; therefore, the IPSec tunnel is based on the transport mode.
Networking Requirements
As shown in Figure 5-105, Router_1, Router_2, and Router_3 are the municipal branch
gateway, county-level branch gateway, and headquarters gateway of an enterprise. Branches
and the headquarters communicate over the public network. The enterprise has few municipal
branches but many county-level branches.
The enterprise wants to implement direct communication between the county-level branch and the headquarters, between the county-level branch and the municipal branch, and between the municipal branch and the headquarters, and to protect the traffic exchanged between the branches and the headquarters.
Figure 5-105 Establishing an IPSec tunnel in manual and IKE negotiation modes
Topology of Figure 5-105: Router_1 (municipal branch gateway) has GE0/0/2 192.168.1.2/24 toward PC_1 (192.168.1.1/24) and GE0/0/1 60.1.1.1/24 toward the Internet; Router_2 (county-level gateway) has GE0/0/2 192.168.2.2/24 toward PC_2 (192.168.2.1/24) and GE0/0/1 60.1.2.1/24; Router_3 (headquarters gateway) has GE0/0/2 192.168.3.2/24 toward PC_3 (192.168.3.1/24) and GE0/0/1 60.1.3.1/24. IPSec tunnels run across the Internet between each pair of gateways.
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
– To configure IKE peers: ike peer peer-name
– To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure the municipal branch gateway Router_1.
#
sysname Router_1
#
acl number 3001 //When a policy template is used, ACL reference is optional, and you only need to define the data flow to the headquarters on Router_1.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec policy policy1 10 manual //Manually configure an IPSec policy for establishing an IPSec tunnel with the headquarters.
security acl 3001
proposal tran1
tunnel local 60.1.1.1
tunnel remote 60.1.3.1
sa spi inbound esp 12345 //Set the inbound SPI, which must be the same as the outbound SPI in the headquarters.
sa string-key inbound esp cipher %^%#zxX++-NU.;$%h;BB9zu1|7(EKNwdZAHC"EPP1y{S%^%# //Set the authentication key for the inbound SA to Huawei@123, which must be the same as the authentication key for the outbound SA in the headquarters.
sa spi outbound esp 54321 //Set the outbound SPI, which must be the same as the inbound SPI in the headquarters.
sa string-key outbound esp cipher %^%#$~1!;0~-Z8a5n\2'#~J'L`eOO>i7iMm*mY173mG7%^%# //Set the authentication key for the outbound SA to Huawei@321, which must be the same as the authentication key for the inbound SA in the headquarters.
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256 is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut1 v2 //When a policy template is used to establish an IPSec tunnel with the county-level branch, you do not need to specify a remote address because Router_1 functions as the IKE responder.
pre-shared-key cipher %^%#]%qh%KV&]('NP)+OE3VF"nAn7VF%/+EgfmX3BE|*%^%# //Set the pre-shared key to Huawei@4321 in cipher text. In versions earlier than V2R3C00, the pre-shared key pre-shared-key Huawei@4321 is displayed in plain text.
ike-proposal 5
#
ike identity identity1 //Configure an identity filter set to specify qualified county-level branches.
name huaweirt2 //In V200R008 and later versions, the device does not support the name command. The fqdn command provides a similar function.
ip address 60.1.2.0 255.255.255.0
#
ipsec policy-template use1 20
ike-peer rut1
proposal tran1
match ike-identity identity1
#
ipsec policy policy1 20 isakmp template use1 //Configure an IPSec policy using the policy template for establishing an IPSec tunnel with the county-level branch.
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for setting up an IKE connection and encapsulating the outer IP address.
ip address 60.1.1.1 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy group to the interface and enable IPSec.
#
interface GigabitEthernet0/0/2 //Configure an interface connected to the service segment.
ip address 192.168.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.2 //Configure a static route.
#
return
#
sysname Router_2
#
ike local-name huaweirt2
#
acl number 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
acl number 3002
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256 is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut1 v2 //Configure an IKE peer used to negotiate with the headquarters for establishing an IPSec tunnel. You must specify a remote address.
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set the pre-shared key to Huawei@1234 in cipher text. In versions earlier than V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
remote-address 60.1.3.1
#
ike peer rut2 v2 //Configure an IKE peer used to negotiate with the municipal branch for establishing an IPSec tunnel. You must specify a remote address.
pre-shared-key cipher %^%#F[de7*vUZ9ZT)V5UEqX(g|)XG`S)xT}:C."&>c].%^%# //Set the pre-shared key to Huawei@4321 in cipher text. In versions earlier than V2R3C00, the pre-shared key pre-shared-key Huawei@4321 is displayed in plain text.
ike-proposal 5
remote-address 60.1.1.1
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy for establishing an IPSec tunnel with the headquarters.
security acl 3001
ike-peer rut1
proposal tran1
ipsec policy policy1 20 isakmp //Configure an IPSec policy for establishing an IPSec tunnel with the municipal branch.
security acl 3002
ike-peer rut2
proposal tran1
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for setting up an IKE connection and encapsulating the outer IP address.
ip address 60.1.2.1 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy group to the interface and enable IPSec.
#
interface GigabitEthernet0/0/2 //Configure an interface connected to the service segment.
ip address 192.168.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.2.2 //Configure a static route.
#
return
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec policy policy1 10 manual //Manually configure an IPSec policy for establishing an IPSec tunnel with the municipal branch.
security acl 3001
proposal tran1
tunnel local 60.1.3.1
tunnel remote 60.1.1.1
sa spi inbound esp 54321 //Set the inbound SPI, which must be the same as the outbound SPI in the municipal branch.
sa string-key inbound esp cipher %^%#$~1!;0~-Z8a5n\2'#~J'L`eOO>i7iMm*mY173mG7%^%# //Set the authentication key for the inbound SA to Huawei@321, which must be the same as the authentication key for the outbound SA in the municipal branch.
sa spi outbound esp 12345 //Set the outbound SPI, which must be the same as the inbound SPI in the municipal branch.
sa string-key outbound esp cipher %^%#zxX++-NU.;$%h;BB9zu1|7(EKNwdZAHC"EPP1y{S%^%# //Set the authentication key for the outbound SA to Huawei@123, which must be the same as the authentication key for the inbound SA in the municipal branch.
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256 is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut1 v2 //When a policy template is used to establish an IPSec tunnel with the county-level branch, you do not need to specify a remote address because Router_3 functions as the IKE responder.
pre-shared-key cipher %^%#SNMkBqDAZOwo!9=MwR{+h;Bp"JEU.-s!Z=Wdu7_@%^%# //Set the pre-shared key to Huawei@1234 in cipher text. In versions earlier than V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
#
ike identity identity1 //Configure an identity filter set to specify qualified county-level branches.
name huaweirt2 //In V200R008 and later versions, the device does not support the name command. The fqdn command provides a similar function.
ip address 60.1.2.0 255.255.255.0
#
ipsec policy-template use1 20
ike-peer rut1
proposal tran1
match ike-identity identity1
#
ipsec policy policy1 20 isakmp template use1 //Configure an IPSec policy using the policy template for establishing an IPSec tunnel with the county-level branch.
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for setting up an IKE connection and encapsulating the outer IP address.
ip address 60.1.3.1 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy group to the interface and enable IPSec.
#
interface GigabitEthernet0/0/2 //Configure an interface connected to the service segment.
ip address 192.168.3.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.3.2 //Configure a static route.
#
return
l Ping PC_3 from PC_1 and PC_2 respectively. The ping operations succeed. Run the
display ipsec statistics command to view statistics on IPSec packets. The value of the
Inpacket decap count/Outpacket encap count (in a version earlier than V200R008) or
input/output security packets (in V200R008 or a later version) field is not 0, indicating
that data transmitted between the branches and headquarters is encrypted.
l Run the display ipsec sa command on Router_1, Router_2, and Router_3 to view
information about established SAs. The command output contains the Tunnel remote
(tunnel destination address) and Mode (security policy mode in which the IPSec tunnel
is established) fields.
– On Router_1, the security policy mode for the tunnel with the destination address
60.1.3.1 is Manual, and that for the tunnel with the destination address 60.1.2.1 is
Template.
– On Router_2, the security policy mode for the tunnels with the destination
addresses 60.1.1.1 and 60.1.3.1 is ISAKMP.
– On Router_3, the security policy mode for the tunnel with the destination address
60.1.1.1 is Manual, and that for the tunnel with the destination address 60.1.2.1 is
Template.
l Run the display ike sa v2 command on Router_1, Router_2, and Router_3 to view SAs
established through IKE negotiation. (In V200R008 and later versions, the V2 parameter
is not supported.)
– Only the entry whose peer is 60.1.2.1 exists on Router_1.
– The entries whose peer is 60.1.1.1 and 60.1.3.1 exist on Router_2.
– Only the entry whose peer is 60.1.2.1 exists on Router_3.
----End
Configuration Notes
l When the headquarters uses an IPSec policy template to establish IPSec tunnels, you do
not need to specify the remote address or remote name of the IKE peer.
l The IKE peers must use the same pre-shared key.
l When configuring an IPSec policy manually, you must specify the inbound and
outbound SPIs. The inbound SPI on the local end must be the same as the outbound SPI
on the remote end. The outbound SPI on the local end must be the same as the inbound
SPI on the remote end.
Networking Requirements
As shown in Figure 5-106, RouterA (branch gateway) and RouterB (headquarters gateway)
communicate through the Internet. RouterA uses two egress links in backup or load balancing
mode. The branch subnet is 10.1.1.0/24 and the headquarters subnet is 10.1.2.0/24.
The enterprise wants to protect traffic between the branch subnet and the headquarters subnet. If an active/standby switchover occurs or an egress link becomes faulty, IPSec services must be switched over smoothly.
Figure 5-106 Establishing an IPSec tunnel between the enterprise headquarters and branch
using a multi-link shared IPSec policy group
Topology of Figure 5-106: RouterA (branch gateway) has LoopBack0 1.1.1.1/32, two Internet-facing interfaces GE1/0/0 70.1.1.1/24 and GE2/0/0 80.1.1.1/24, and GE3/0/0 10.1.1.1/24 toward PC A (10.1.1.2/24); RouterB (headquarters gateway) has GE1/0/0 60.1.1.1/24 toward the Internet and GE3/0/0 10.1.2.1/24 toward PC B (10.1.2.2/24). The IPSec tunnel runs between RouterA and RouterB over either egress link.
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software
version.
l In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
l In V200R008 and later versions:
– To configure IKE peers: ike peer peer-name
– To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3101 //Configure ACL 3101 to match traffic sent from the branch subnet to the headquarters subnet.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 5
remote-address 60.1.1.1
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer rut
proposal prop
#
ipsec policy policy1 shared local-interface LoopBack0 //Configure a multi-link shared IPSec policy group.
#
interface GigabitEthernet1/0/0
ip address 70.1.1.1 255.255.255.0
ipsec policy policy1 //Bind the IPSec policy group.
#
interface GigabitEthernet2/0/0
ip address 80.1.1.1 255.255.255.0
ipsec policy policy1 //Bind the IPSec policy group.
#
interface GigabitEthernet3/0/0
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ip route-static 10.1.2.0 255.255.255.0 70.1.1.2 preference 10 //Configure a static route from GE1/0/0 of RouterA to the internal network on the headquarters network.
ip route-static 10.1.2.0 255.255.255.0 80.1.1.2 preference 20 //Configure a static route from GE2/0/0 of RouterA to the internal network on the headquarters network.
ip route-static 60.1.1.0 255.255.255.0 70.1.1.2 preference 10 //Configure a static route from GE1/0/0 of RouterA to the WAN-side interface (60.1.1.1) of the headquarters gateway.
ip route-static 60.1.1.0 255.255.255.0 80.1.1.2 preference 20 //Configure a static route from GE2/0/0 of RouterA to the WAN-side interface (60.1.1.1) of the headquarters gateway.
#
return
----End
Configuration Notes
• ACLs configured on devices in the headquarters and branch must mirror each other.
• There must be reachable routes between the headquarters and branch.
• All IPSec policies must be bound to WAN-side outbound interfaces.
• The headquarters and branches use the same pre-shared key.
Networking Requirements
As shown in Figure 5-107, Router_1, Router_2, and Router_3 are gateways of the enterprise
headquarters, branch 1, and branch 2, and they communicate over the public network.
Because the branch gateways connect to multiple private networks, a large number of static routes need to be configured on the headquarters gateway to direct data destined for branches into the IPSec tunnel. Besides, the static route configuration on the headquarters gateway needs to be adjusted whenever the internal network planning of enterprise branches changes. This results in a heavy workload, and configuration errors can easily occur.
The enterprise wants to provide security protection for traffic between the headquarters and
branches, and reduce the configuration and maintenance workload on the headquarters
gateway.
[Figure 5-107: Router_1 (headquarters gateway; Eth2/0/0 1.1.1.1/24 toward the public network, next hop 1.1.1.2; GE0/0/1 10.1.1.1/24 toward host 10.1.1.2/24) establishes IPSec tunnels over the public network to Router_2 (branch 1 gateway; Eth1/0/1 1.2.1.1/24, next hop 1.2.1.2; service segments 10.22.2.0/24 on GE0/0/0 and 10.2.2.0/24 on GE0/0/1) and Router_3 (branch 2 gateway; public address 1.4.1.1/24, next hop 1.4.1.2; service segments 10.44.4.0/24 and 10.4.4.0/24)]
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
• In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
• In V200R008 and later versions:
  • To configure IKE peers: ike peer peer-name
  • To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
#
ipsec policy hk 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer branch
proposal def
#
interface Ethernet1/0/1 //Configure an interconnection interface for setting up an IKE connection and encapsulating the outer IP address.
ip address 1.2.1.1 255.255.255.0
ipsec policy hk
#
interface GigabitEthernet0/0/0
ip address 10.22.2.1 255.255.255.0 //Configure an interface connected to service segment 1.
#
interface GigabitEthernet0/0/1
ip address 10.2.2.1 255.255.255.0 //Configure an interface connected to service segment 2.
#
ip route-static 1.1.1.0 255.255.255.0 1.2.1.2 //Configure a static route from branch 1 to the headquarters extranet.
ip route-static 10.1.1.0 255.255.255.0 1.2.1.2 //Configure a static route from branch 1 to the headquarters intranet.
#
return
segment 2.
#
ip route-static 1.1.1.0 255.255.255.0 1.4.1.2 //Configure a static route from branch 2 to the headquarters extranet.
ip route-static 10.1.1.0 255.255.255.0 1.4.1.2 //Configure a static route from branch 2 to the headquarters intranet.
#
return
----End
Configuration Notes
• When the headquarters uses an IPSec policy template to establish IPSec tunnels, you do not need to specify the remote address or remote name of the IKE peer.
• The headquarters and branches use the same pre-shared key.
• There must be reachable routes between the headquarters and branches.
• Only an SA established using dynamic IKE negotiation supports route injection; a manually established SA does not support route injection.
Applicability
This example applies to all AR models of V200R003C00 and later versions.
Networking Requirements
As shown in Figure 5-108, Router_1 and Router_2 are gateways of the enterprise branch and
headquarters, and they communicate over the public network. The bandwidth between the
branch egress and public network is 2 Mbit/s. VoIP, production, and office service flows are
transmitted between the headquarters and branch.
The enterprise wants to protect service flows transmitted between the enterprise branch and
headquarters and provide QoS guarantee for the VoIP, production, and office service flows.
• For the VoIP service flow, the IP priority must be set to 5 to ensure low latency and 500 kbit/s bandwidth.
• For the production service flow, the IP priority must be set to 4 to ensure 600 kbit/s bandwidth.
• For the office service flow, the IP priority must be set to 2 to ensure 800 kbit/s bandwidth.
Figure 5-108 Implementing QoS guarantee for traffic passing through the IPSec tunnel
[Figure: Router_1 (Eth1/0/0 20.1.1.1/24, next hop 20.1.1.2; Eth2/0/0.1 10.1.1.1/24, Eth2/0/0.2 10.1.2.1/24, Eth2/0/0.3 10.1.3.1/24 toward the LSW) and Router_2 (Eth1/0/0 30.1.1.1/24, next hop 30.1.1.2; Eth2/0/0 192.168.2.1/24 toward the enterprise headquarters) connected by an IPSec tunnel]
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
• In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
• In V200R008 and later versions:
  • To configure IKE peers: ike peer peer-name
  • To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure Router_1.
NOTE
Configure the downlink interfaces of the LSW connecting to terminals as access interfaces and add them to the VLANs of the VoIP, production, and office services. Configure the uplink interface of the LSW connecting to Router_1 as a trunk interface and allow packets from the VoIP, production, and office service VLANs to pass through it. For detailed configurations, see the LSW configuration manual.
#
sysname Router_1
#
ike local-name huawei01
#
acl number 3001 //Create an ACL rule to define the VoIP service flow.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3002 //Create an ACL rule to define the production service flow.
----End
Configuration Notes
• ACLs configured on devices in the headquarters and branches must mirror each other.
• There must be reachable routes between the headquarters and branches.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
The headquarters and branch want to establish a secure IPSec connection. The headquarters
gateway RouterB uses a static public address. The branch size is small and its gateway
RouterA uses a 4G interface to dynamically obtain an IP address from a provider. When
IPSec policies are used, the headquarters must know the branch IP address. The branch IP
address often changes and is difficult to maintain. You can use an IPSec policy template on
RouterB so that the headquarters and branch can perform IPSec negotiation without knowing
the branch IP address.
[Figure: PC1 on LAN 192.168.1.0/24 behind RouterA and PC2 on LAN 192.168.2.0/24 behind RouterB, connected by an IPSec tunnel]
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
• In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
• In V200R008 and later versions:
  • To configure IKE peers: ike peer peer-name
  • To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL to protect data flows.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike peer rta v1 //Configure an IKE peer for establishing an IPSec connection with RouterB.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set the pre-shared key to huawei in cipher text. In versions earlier than V2R3C00, the pre-shared key pre-shared-key huawei is displayed in plain text.
remote-address 13.1.1.1 //Configure a peer IP address for initiating IKE negotiation.
#
ipsec policy rta 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer rta
proposal rta
#
interface Ethernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface Cellular0/0/1 //Set dial parameters for the 4G interface.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add the dialer interface to the dialer ACL. The group ID must be the same as that in the dialer ACL.
apn-profile lteprofile
dialer number *99# autodial //Enable the interface to automatically dial up using the dialer number *99#.
ip address negotiate //Configure the interface to obtain an IP address from the carrier. The interface can use the IP address to connect to the public network.
ipsec policy rta //Bind an IPSec policy to the interface to initiate IPSec negotiation.
#
dialer-rule //Create a dialer ACL that defines conditions to initiate calls.
dialer-rule 1 ip permit
#
apn profile lteprofile //Create an APN profile.
apn ltenet
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/1
#
return
ike-peer rtb
proposal rtb
#
ipsec policy rtb 1 isakmp template temp //Configure an IPSec policy and reference the policy template.
#
interface Ethernet1/0/0
ip address 192.168.2.1 255.255.255.0
#
interface Serial1/0/0 //Configure a public network interface and set a fixed IP address for the interface.
link-protocol ppp
ip address 13.1.1.1 255.255.255.0
ipsec policy rtb
#
ip route-static 0.0.0.0 0.0.0.0 Serial1/0/0
#
return
Run the display ike sa command on the device to view information about the SA.
After the configuration, users in the headquarters and branch can ping each other.
----End
Configuration Notes
• The pre-shared key at both ends must be the same.
• You do not need to specify the remote address of the IKE peer for the end using an IPSec policy template.
• You can choose not to configure an ACL on the headquarters using an IPSec policy template. If an ACL is configured on the headquarters to protect data flows, the destination segment address in the ACL must cover all the source addresses in ACLs on branches.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 5-110, Router_1 and Router_2 are gateways of the enterprise branch and
headquarters. The branch communicates with the headquarters over the Internet and uses a 3G
link as the standby link. When the active link is faulty, traffic is switched to the standby link
to ensure traffic continuity.
The enterprise requires that traffic transmitted over the Internet between the enterprise branch and headquarters be protected. An IPSec tunnel can be established between the branch gateway and headquarters gateway to protect data flows between them. In addition, the NAT function can be configured on Router_1 to allow branch users to access external networks.
Figure 5-110 Establishing an IPSec tunnel between the branch and headquarters through active and standby links
[Figure: PC_1 10.1.1.2/24 behind Router_1 and PC_2 10.2.1.2/24 behind Router_2; the active link runs over the Internet and the standby link over the 3G network]
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
• In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
• In V200R008 and later versions:
  • To configure IKE peers: ike peer peer-name
  • To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
acl number 3000 //Configure an address segment that supports NAT.
rule 1 deny ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
rule 2 permit ip source 10.1.1.0 0.0.0.255
acl number 3010 //Configure an address segment that supports IPSec encryption.
rule 2 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer rta v1 //Configure an IKE peer.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
ike-proposal 5
dpd msg seq-hash-notify
remote-address 2.1.1.1
#
ipsec policy rt1 1 isakmp //Configure an IPSec policy.
proposal rtb
#
ipsec policy rtb 1 isakmp template temp //Configure an IPSec policy and reference the policy template.
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.255.255.0
ipsec policy rtb //Bind the IPSec policy to the interface.
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 2.1.1.2 //Configure a static route.
#
return
----End
Configuration Notes
• The pre-shared key used for IKE negotiation at both ends must be the same.
• You do not need to specify the remote IP address of the IKE peer for the end using an IPSec policy template.
• You can choose not to configure an ACL on the headquarters gateway using an IPSec policy template. If an ACL is configured to protect data flows, the destination address in the ACL must cover all the source addresses in ACLs on branches.
• Dial-up parameters on a 3G interface differ between 3G networks. Contact the 3G network provider.
• When IPSec and NAT are configured simultaneously on a device, the device implements NAT before IPSec encryption. Therefore, NAT is performed for data flows sent to the remote end first. You need to set the action for data flows to be sent over the IPSec tunnel that match the ACL referenced in NAT to Deny.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 5-111, Router_1 and Router_2 are gateways of the enterprise branch and
headquarters. Router_1 and Router_2 communicate through the public network.
The enterprise requires that traffic transmitted over the public network between the enterprise branch and headquarters be protected. An IPSec tunnel can be established between the branch gateway and headquarters gateway to protect data flows between them. In addition, the NAT function can be configured on Router_1 to allow branch users to access external networks.
Figure 5-111 Establishing an IPSec tunnel between the branch and headquarters using wired lines
[Figure: Router_1 (branch gateway; GE1/0/0 1.1.1.1/24, GE2/0/0 10.1.1.1/24 toward PC_1 10.1.1.2/24) and Router_2 (headquarters gateway; GE1/0/0 2.1.1.1/24, GE2/0/0 10.1.2.1/24 toward PC_2 10.1.2.2/24) connected by an IPSec tunnel]
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
• In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
• In V200R008 and later versions:
  • To configure IKE peers: ike peer peer-name
  • To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
acl number 3000 //Configure an address segment to support NAT.
rule 1 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
rule 2 permit ip source 10.1.1.0 0.0.0.255
acl number 3101 //Configure an address segment that supports IPSec encryption.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer spub v1 //Configure an IKE peer.
authentication-algorithm sha2-256
#
ike peer spua v1 //Configure an IKE peer.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
ike-proposal 5
remote-address 1.1.1.1
#
ipsec policy use1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer spua
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.255.255.0
ipsec policy use1 //Bind the IPSec policy to the interface.
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2 //Configure a static route.
ip route-static 10.1.1.0 255.255.255.0 2.1.1.2
#
return
After the configuration is complete, users in the headquarters and branch can exchange
encrypted data. In addition, branch users can access external networks.
----End
Configuration Notes
• The pre-shared key used for IKE negotiation at both ends must be the same.
• There must be reachable routes between the headquarters and branches.
• ACLs configured on devices in the headquarters and branches must mirror each other.
• When IPSec and NAT are configured simultaneously on a device, the device implements NAT before IPSec encryption. Therefore, NAT is performed for data flows sent to the remote end first. You need to set the action for data flows to be sent over the IPSec tunnel that match the ACL referenced in NAT to Deny.
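Three of the Configuration Notes repeated across the IPSec examples above are mechanical enough to verify before a change is pushed: the ACLs at the headquarters and branch must mirror each other, the NAT ACL must deny the IPSec-protected flow because NAT runs before IPSec encryption, and a headquarters policy-template ACL must cover every branch source subnet. The following Python script is an added example, not code from the guide or from Huawei. It parses ACL rule lines in the syntax shown above and runs the three checks over constructed copies of the wired-line example's ACLs. The function names and the sample ACL text are this example's own, and it assumes rules are matched in ascending rule-ID order.

```python
"""Offline checks for the ACL constraints in the Configuration Notes above.
Added example, not code from the guide or from Huawei. It parses the
'rule N permit|deny ip source A WC [destination B WC]' lines used above and
checks that branch and HQ ACLs mirror each other, that the NAT ACL denies the
IPSec flow before any permit rule (NAT runs before IPSec encryption), and that
an HQ policy-template ACL covers every branch source subnet. Names and sample
text are this example's own; rules are assumed to match in ascending rule-ID order.
"""
import ipaddress
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^\s*rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<src_wc>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<dst_wc>\S+))?\s*$"
)
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn 'address wildcard' (inverse mask, e.g. 0.0.0.255) into a network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # wildcard must be a contiguous run of low-order 1 bits
        raise ValueError(f"wildcard {wildcard} does not describe one subnet")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def parse_acl(text: str) -> list:
    """Parse the rule lines of one ACL; an omitted source or destination is any."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.split("//", 1)[0])  # drop trailing //comments
        if not m:
            continue  # 'acl number ...' header, blank line, or unsupported rule
        src = wildcard_to_network(m["src"], m["src_wc"]) if m["src"] else ANY
        dst = wildcard_to_network(m["dst"], m["dst_wc"]) if m["dst"] else ANY
        rules.append(Rule(int(m["num"]), m["action"], src, dst))
    return sorted(rules, key=lambda r: r.number)

def mirror_violations(branch: list, hq: list) -> list:
    """Permit flows on one side with no swapped (dst, src) counterpart on the other."""
    bflows = {(r.src, r.dst) for r in branch if r.action == "permit"}
    hflows = {(r.src, r.dst) for r in hq if r.action == "permit"}
    missing = [("hq lacks", d, s) for s, d in bflows if (d, s) not in hflows]
    missing += [("branch lacks", d, s) for s, d in hflows if (d, s) not in bflows]
    return missing

def nat_exempts_flow(nat: list, src, dst) -> bool:
    """True if the first NAT rule that touches the flow is a deny covering it."""
    for r in nat:
        if r.src.overlaps(src) and r.dst.overlaps(dst):
            return r.action == "deny" and src.subnet_of(r.src) and dst.subnet_of(r.dst)
    return True  # no NAT rule matches, so NAT never touches this flow

def ipsec_flows_translated_by_nat(nat: list, ipsec: list) -> list:
    """IPSec-protected flows that NAT would rewrite before encryption."""
    return [(r.src, r.dst) for r in ipsec
            if r.action == "permit" and not nat_exempts_flow(nat, r.src, r.dst)]

def uncovered_branch_sources(hq_template: list, branch_acls: list) -> list:
    """Branch source subnets that no destination of the HQ template ACL covers."""
    hq_dsts = [r.dst for r in hq_template if r.action == "permit"]
    return [r.src for acl in branch_acls for r in acl
            if r.action == "permit" and not any(r.src.subnet_of(d) for d in hq_dsts)]

# Constructed sample ACLs using the addresses of the wired-line example above.
BRANCH_NAT_ACL = """acl number 3000 //Address segment that supports NAT.
 rule 1 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 2 permit ip source 10.1.1.0 0.0.0.255
"""
BRANCH_IPSEC_ACL = """acl number 3101 //Address segment that supports IPSec.
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
"""
HQ_IPSEC_ACL = """acl number 3101 //Mirror image of the branch ACL (constructed).
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
"""
NAT_ACL_MISSING_DENY = "rule 2 permit ip source 10.1.1.0 0.0.0.255\n"  # deny forgotten

def run_checks() -> dict:
    """Run all three checks; every list is empty when the configuration is sound."""
    nat, bad_nat = parse_acl(BRANCH_NAT_ACL), parse_acl(NAT_ACL_MISSING_DENY)
    branch, hq = parse_acl(BRANCH_IPSEC_ACL), parse_acl(HQ_IPSEC_ACL)
    return {
        "mirror_violations": mirror_violations(branch, hq),
        "nat_translates_tunnel_flow": ipsec_flows_translated_by_nat(nat, branch),
        "nat_translates_without_deny": ipsec_flows_translated_by_nat(bad_nat, branch),
        "uncovered_branch_sources": uncovered_branch_sources(hq, [branch]),
    }

if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings if findings else 'OK'}")
```

Running the script reports OK for the three checks against the constructed ACLs, and flags the tunnel flow 10.1.1.0/24 to 10.1.2.0/24 for the variant NAT ACL that lacks the deny rule: with that ACL the branch gateway would translate the flow before IPSec sees it, so it would never match the IPSec ACL.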
Networking Requirements
Traveling employees access the enterprise network from different locations, and they want to
communicate with the headquarters frequently. As shown in Figure 5-112, traveling
employees connect to the headquarters by dialing up using their iPhones, and the headquarters
can authenticate and manage access users. In addition, communication between the traveling
employees and headquarters is encrypted to prevent information leakage.
Figure 5-112 Connecting iPhones of mobile office users to the headquarters through L2TP over IPSec
[Figure: iPhone dials in to the Router (GE1/0/1 1.1.1.2/24 toward the Internet, GE1/0/2 10.1.1.1/24 toward the HQ network)]
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
• In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
• In V200R008 and later versions:
  • To configure IKE peers: ike peer peer-name
  • To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure the Router.
#
sysname Router
#
l2tp enable //Enable L2TP.
#
acl number 3101 //Configure the IP address segment that permits IPSec encryption.
rule 5 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
#
ipsec proposal tran1 //Configure the authentication and encryption algorithms for the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 10 //Configure the authentication, encryption, and DH group algorithms for the IKE proposal.
encryption-algorithm aes-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer a //Set the pre-shared key of the IKE peer to Admin@123.
pre-shared-key cipher %^%#/[$;=)q~,Fj9_s4|M>R9S%]QG,x&[6X]4"@eOs{E%^%#
ike-proposal 10
#
ipsec policy-template policy_temp 1 //Configure an IPSec policy template and reference related parameters.
security acl 3101
ike-peer a
proposal tran1
#
ipsec policy policy1 10 isakmp template policy_temp //Configure an IPSec policy and associate it with the IPSec policy template.
#
ip pool 1 //Configure the device to allocate IP addresses to L2TP clients from the IP address pool.
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
aaa //Configure AAA local authentication and set the user name and password to vpdnuser and Hello123.
authentication-scheme l2tp
domain l2tp
authorization-scheme l2tp
local-user vpdnuser password cipher %^%#!~$GMN5Gj=j&f)IjQ8\>~b\-1"i^b@~.)+,2gi9K%^%#
local-user vpdnuser privilege level 0
local-user vpdnuser service-type ppp
#
interface GigabitEthernet1/0/1
ip address 1.1.1.2 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy to the interface and enable IPSec.
#
interface GigabitEthernet1/0/2
ip address 10.1.1.1 255.255.255.0
#
interface Virtual-Template1 //Create a VT template and configure dial-up parameters.
ppp authentication-mode chap domain l2tp //Configure an authentication mode and specify that authentication information carries the domain name.
remote address pool 1 //Reference the IP address pool.
ip address 10.2.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
undo tunnel authentication //Dial up using a mobile phone. You are advised to disable tunnel authentication.
allow l2tp virtual-template 1
#
ip route-static 3.3.3.0 255.255.255.0 1.1.1.1
ip route-static 10.1.1.0 255.255.255.0 Virtual-Template1
#
return
NOTE
Set Account and Password to vpdnuser and Hello123, as configured on the Router. Set Secret to the IPSec pre-shared key Admin@123 configured on the Router.
----End
Configuration Notes
• The pre-shared key for IKE negotiation at both ends must be the same.
• Tunnel authentication must be disabled on the Router if the L2TP client does not support tunnel authentication.
Networking Requirements
Traveling employees access the enterprise network from different locations, and they want to
communicate with the headquarters frequently. As shown in Figure 5-113, traveling
employees connect to the headquarters by dialing up using their Android phones, and the
headquarters can authenticate and manage access users. In addition, communication between
the traveling employees and headquarters is encrypted to prevent information leakage.
Figure 5-113 Connecting Android phones of mobile office users to the headquarters through L2TP over IPSec
[Figure: Android phone (LAC, 3.3.3.3/24) establishes an L2TP over IPSec tunnel to the Router (L2TP server, LNS; VT1 10.2.1.1/24, GE1/0/1 1.1.1.2/24, GE1/0/2 10.1.1.1/24 toward the HQ network)]
NOTE
The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
• In versions earlier than V200R008: ike peer peer-name [ v1 | v2 ]
• In V200R008 and later versions:
  • To configure IKE peers: ike peer peer-name
  • To configure the IKE protocol: version { 1 | 2 }
By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
Procedure
Step 1 Configure the Router.
#
sysname Router
#
l2tp enable //Enable L2TP.
#
acl number 3101 //Configure the IP address segment that permits IPSec encryption.
rule 5 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
#
ipsec proposal tran1 //Configure the authentication and encryption algorithms for the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 10 //Configure the authentication, encryption, and DH group algorithms for the IKE proposal.
encryption-algorithm aes-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer a //Set the pre-shared key of the IKE peer to Admin@123.
pre-shared-key cipher %^%#/[$;=)q~,Fj9_s4|M>R9S%]QG,x&[6X]4"@eOs{E%^%#
ike-proposal 10
#
ipsec policy-template policy_temp 1 //Configure an IPSec policy template and reference related parameters.
security acl 3101
ike-peer a
proposal tran1
#
ipsec policy policy1 10 isakmp template policy_temp //Configure an IPSec policy and associate it with the IPSec policy template.
#
ip pool 1 //Configure the device to allocate IP addresses to L2TP clients from the IP address pool.
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
aaa //Configure AAA local authentication and set the user name and password to vpdnuser and Hello123.
authentication-scheme l2tp
domain l2tp
authorization-scheme l2tp
local-user vpdnuser password cipher %^%#!~$GMN5Gj=j&f)IjQ8\>~b\-1"i^b@~.)+,2gi9K%^%#
local-user vpdnuser privilege level 0
local-user vpdnuser service-type ppp
#
interface GigabitEthernet1/0/1
ip address 1.1.1.2 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy to the interface and enable IPSec.
#
interface GigabitEthernet1/0/2
ip address 10.1.1.1 255.255.255.0
#
interface Virtual-Template1 //Create a VT template and configure dial-up parameters.
ppp authentication-mode chap domain l2tp //Configure an authentication mode and specify that authentication information carries the domain name.
remote address pool 1 //Reference the IP address pool.
ip address 10.2.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
undo tunnel authentication //Dial up using a mobile phone. You are advised to disable tunnel authentication.
allow l2tp virtual-template 1
#
ip route-static 3.3.3.0 255.255.255.0 1.1.1.1
ip route-static 10.1.1.0 255.255.255.0 Virtual-Template1
#
return
NOTE
Set Router to Admin@123, which is the same as the IPSec pre-shared key configured on the Router.
----End
Configuration Notes
• The pre-shared key for IKE negotiation at both ends must be the same.
• Tunnel authentication must be disabled on the Router if the L2TP client does not support tunnel authentication.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in , an enterprise network connects to the Internet using a Router that functions as
an SSL VPN gateway. The marketing personnel, VIP customers, and partners on external
networks access the enterprise intranet through the Router.
• Marketing personnel are allowed to access the internal web server and mail server, share the desktop with the internal host 10.138.10.21, and ping the internal hosts 10.138.10.64-10.138.10.95.
• VIP customers are allowed to access the internal mail server and use Telnet to access the internal application server.
• Partners are allowed to access the internal web server.
[Figure: Router with Eth2/0/0 toward the external network and Eth1/0/0 toward the enterprise intranet (web server, shared-desktop host); marketing personnel, VIP customers, and partners access the intranet through the Router]
Procedure
Step 1 Configure the Router.
#
sysname Router
#
pki entity a //Configure a PKI entity.
country CN
common-name hello
#
pki realm admin //Configure a PKI domain.
ca id ca_a
enrollment-url http://10.2.1.9:8080/certsrv/mscep/mscep.dll ra
entity a
fingerprint sha256 e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0 //Configure the CA certificate fingerprint used in CA certificate verification.
rsa local-key-pair rsa_scep //Configure the RSA key pair used for SCEP-based certificate application. The RSA key pair is created using the pki rsa local-key-pair create command. This command applies to V200R008 and later versions.
password cipher %$%$\1HN-bn(k;^|O85OAtYF3(M4%$%$ //Set the challenge password used in SCEP-based certificate application to 6AE73F21E6D3571D. This command applies to V200R008 and later versions.
auto-enroll 60 regenerate //Enable the automatic certificate application and update function. This command applies to V200R008 and later versions.
#
ssl policy adminserver type server //Configure a server SSL policy and bind the server SSL policy to the HTTPS server.
pki-realm admin
#
ip pool market_pool //Configure an IP address pool.
network 10.139.30.0 mask 255.255.255.0
#
aaa //Configure SSL VPN user information.
domain default
local-user rose password cipher %^%#~Hc]'Mf1<;Y)b9En!Q',BF!VQ5%=ZPFf'7SdhlX1%^%# //The password is rose123456.
local-user wangjun password cipher %^%#*k9gJ4K:-1z<)l+t3SS1QLw^7xks6C]WR8(LS,C3%^%# //The password is wangjun654321.
local-user zhanghong password cipher %^%#.SoT@db-zEl.^\K"k6@LG6BM9}9uBD2zA4'k2%kQ%^%# //The password is zhanghong123456.
local-user huwei password cipher %^%#tz]d@Q,R(/_*s6As'F+$M"!\Gg-[sC7k+k>x3N2/%^%# //The password is huwei654321.
local-user jack password cipher %^%#D3q-7\3NwG+f6GPIs:NRm;$nIjY3`Xo}S,XsP$B>%^%# //The password is jack123456.
local-user john password cipher %^%#8N3T8`vr!%~feB7oGz$#qNz2=Z>;zN%/r&B]j0(V%^%# //The password is john654321.
#
interface Ethernet 2/0/0
ip address 1.1.1.1 255.255.255.0
#
interface Ethernet 1/0/0
ip address 10.138.10.254 255.255.255.0
#
telnet server enable
#
sslvpn gateway market //Create a virtual gateway market.
extranet interface Ethernet 2/0/0 //Configure the intranet and extranet interfaces for the virtual gateway.
intranet interface Ethernet 1/0/0
bind domain default //Bind an AAA domain to the virtual gateway and configure user information.
enable
service-type web-proxy resource market_web-proxy //Configure a web proxy service on the virtual gateway so that marketing personnel can access the web server.
link http://10.138.10.1:80/
service-type port-forwarding resource market_port-forwarding //Configure a port forwarding service.
server ip-address 10.138.10.3 port 995
description market-email
service-type port-forwarding resource market_port-forwarding //Configure a port forwarding service.
server ip-address 10.138.10.21 port 3389
description market-deskshare
service-type ip-forwarding resource market_ip-forwarding //Configure an IP forwarding service.
bind ip-pool market_pool
route-mode split
route-split ip address 10.138.10.64 mask 27
# //Configure a virtual gateway customer, configure intranet and extranet interfaces for the virtual gateway, bind an AAA domain to the virtual gateway, and configure user information.
sslvpn gateway customer
extranet interface Ethernet 2/0/0
intranet interface Ethernet 1/0/0
bind domain default
enable
service-type port-forwarding resource customer_port-forwarding //Configure a port forwarding service.
server ip-address 10.138.10.3 port 995
description custom-email
service-type port-forwarding resource customer_port-forwarding //Configure a port forwarding service.
server ip-address 10.138.10.2 port 23
description custom-telnet
# //Configure a virtual gateway company, configure intranet and extranet interfaces for the virtual gateway, bind an AAA domain to the virtual gateway, and configure user information.
sslvpn gateway company
extranet interface Ethernet 2/0/0
intranet interface Ethernet 1/0/0
bind domain default
enable
service-type web-proxy resource company_web-proxy //Configure a web proxy service.
link http://10.138.10.1:80/
#
return
----End
Configuration Notes
- Before using the Router as an SSL VPN gateway, configure the Router as an HTTPS server; SSL VPN clients terminate their TLS session on that HTTPS service, so it should present a server certificate the clients can validate.
Networking Requirements
As shown in Figure 5-115:
- CE1 and CE3 belong to vpna.
- CE2 and CE4 belong to vpnb.
- The VPN target of vpna is 111:1, and the VPN target of vpnb is 222:2.
- Users in different VPNs cannot communicate.
Figure 5-115 (diagram not reproduced; addressing recovered from it): MPLS backbone AS 100. PE1: Loopback1 1.1.1.9/32, Eth1/0/0 10.1.1.2/24 to CE1 Eth1/0/0 10.1.1.1/24 (vpna, AS 65410), Eth2/0/0 10.2.1.2/24 to CE2 Eth1/0/0 10.2.1.1/24 (vpnb, AS 65420), Eth2/0/1 172.1.1.1/24 to P Eth1/0/0 172.1.1.2/24. P: Loopback1 2.2.2.9/32, Eth2/0/0 172.2.1.1/24 to PE2 Eth2/0/1 172.2.1.2/24. PE2: Loopback1 3.3.3.9/32, Eth1/0/0 10.3.1.2/24 to CE3 Eth1/0/0 10.3.1.1/24 (vpna, AS 65430), Eth2/0/0 10.4.1.2/24 to CE4 Eth1/0/0 10.4.1.1/24 (vpnb, AS 65440).
Procedure
Step 1 Configure PE1.
#
sysname PE1
#
ip vpn-instance vpna //Create a VPN instance vpna.
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb //Create a VPN instance vpnb.
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9 //Configure MPLS.
mpls
#
mpls ldp //Configure LDP.
#
interface Ethernet1/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip binding vpn-instance vpnb //Bind the VPN instance to the interface.
ip address 10.2.1.2 255.255.255.0
#
interface Ethernet2/0/1 //Enable MPLS on the interface.
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100 //Configure an MP-IBGP peer.
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna //Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
peer 10.1.1.1 as-number 65410
import-route direct
#
ipv4-family vpn-instance vpnb //Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna //Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
peer 10.3.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpnb //Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
peer 10.4.1.1 as-number 65440
import-route direct
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
#
return
----End
Configuration Notes
- A PE must use a loopback interface address with a 32-bit mask to set up an MP-IBGP peer relationship with the peer PE so that VPN routes can be iterated to tunnels.
Networking Requirements
As shown in Figure 5-116, the Hub-CE in the central site controls communication between
Spoke-CEs. That is, the traffic between Spoke-CEs is forwarded by the Hub-CE but not by
the Hub-PE.
Figure 5-116 (diagram not reproduced; addressing recovered from it): backbone AS 100. Hub-CE (AS 65430): Eth1/0/0 110.1.1.1/24, Eth2/0/0 110.2.1.1/24. Hub-PE: Loopback1 2.2.2.9/32, Eth3/0/0 110.1.1.2/24 (vpn_in), Eth4/0/0 110.2.1.2/24 (vpn_out), Eth1/0/0 10.1.1.2/24, Eth2/0/0 11.1.1.2/24. Spoke-PE1: Loopback1 1.1.1.9/32, Eth2/0/0 10.1.1.1/24. Spoke-PE2: Loopback1 3.3.3.9/32, Eth2/0/0 11.1.1.1/24. Spoke-CE1 (AS 65410): Eth1/0/0 100.1.1.1/24. Spoke-CE2 (AS 65420): Eth1/0/0 120.1.1.1/24.
Procedure
Step 1 Configure Spoke-CE1.
#
sysname Spoke-CE1
#
interface Ethernet1/0/0
ip address 100.1.1.1 255.255.255.0
#
bgp 65410 //Establish an EBGP peer relationship between the Spoke-PE and the CE.
peer 100.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 100.1.1.2 enable
#
return
#
bgp 100 //Establish an MP-IBGP peer relationship between PEs.
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
# //Establish an MP-IBGP peer relationship between PEs.
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
# //Establish an MP-EBGP peer relationship between the Spoke-PE and the CE.
ipv4-family vpn-instance vpna
peer 120.1.1.1 as-number 65420
import-route direct //Import direct routes.
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return
route-distinguisher 100:21
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out //Configure a VPN instance vpn_out.
ipv4-family
route-distinguisher 100:22
vpn-target 200:1 export-extcommunity
#
mpls lsr-id 2.2.2.9 //Configure the MPLS LSR.
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0 //Enable MPLS on the interface.
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet3/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpn_in
ip address 110.1.1.2 255.255.255.0
#
interface Ethernet4/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpn_out
ip address 110.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100 //Establish MP-IBGP peer relationships with the Spoke-PEs, and EBGP peer relationships with the Hub-CE in vpn_in and vpn_out.
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn_in //Import VPN routes.
peer 110.1.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpn_out //Import VPN routes.
peer 110.2.1.1 as-number 65430
peer 110.2.1.1 allow-as-loop //Accept routes whose AS_PATH already contains the local AS 100: spoke routes come back from the Hub-CE carrying 100 in the path and would otherwise be dropped by BGP loop detection.
import-route direct
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return
----End
Configuration Notes
- A PE must use a loopback interface address with a 32-bit mask to set up an MP-IBGP peer relationship with the peer PE so that VPN routes can be iterated to tunnels.
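Whether two VPN instances can see each other's routes, both in the basic example (vpna and vpnb) and in this hub-and-spoke example, follows entirely from the VPN targets: a route leaves a VRF tagged with that VRF's export RTs and is installed in another VRF only if one of those RTs is in the other VRF's import set. The script below, an added example rather than Huawei code, parses vpn-instance blocks, computes that relation for both topologies, and also shows the AS_PATH loop behind the Hub-PE's allow-as-loop. The PE2 and Spoke-PE vpn-instance blocks are not reproduced on this page, so their RDs and RTs in the sample are assumptions noted in the code. The check models PE-side import filtering only; it does not describe an Option B ASBR configured with undo policy vpn-target, which accepts every VPNv4 route from its peer.

```python
"""Derive which VPN instances can exchange routes from their VPN-target (RT) policy,
and show the AS_PATH loop that makes the Hub-PE need 'allow-as-loop'."""

# Constructed from the basic example: PE1 as on the page ('ipv4-family' lines left
# out). PE2's vpn-instance block is not reproduced on the page, so RDs 200:1 and
# 200:2 with the same RTs are an assumption.
BASIC_CONFIG = """
sysname PE1
ip vpn-instance vpna
 route-distinguisher 100:1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
 route-distinguisher 100:2
 vpn-target 222:2 export-extcommunity
 vpn-target 222:2 import-extcommunity
sysname PE2
ip vpn-instance vpna
 route-distinguisher 200:1
 vpn-target 111:1 both
ip vpn-instance vpnb
 route-distinguisher 200:2
 vpn-target 222:2 both
"""

# Hub-PE as on the page. The Spoke-PE vpn-instance blocks are not reproduced, so
# 'export 100:1 / import 200:1' on the spokes is assumed; it is the policy that
# matches the Hub-PE's vpn_in import and vpn_out export.
HUB_SPOKE_CONFIG = """
sysname Hub-PE
ip vpn-instance vpn_in
 route-distinguisher 100:21
 vpn-target 100:1 import-extcommunity
ip vpn-instance vpn_out
 route-distinguisher 100:22
 vpn-target 200:1 export-extcommunity
sysname Spoke-PE1
ip vpn-instance vpna
 route-distinguisher 100:1
 vpn-target 100:1 export-extcommunity
 vpn-target 200:1 import-extcommunity
sysname Spoke-PE2
ip vpn-instance vpna
 route-distinguisher 100:2
 vpn-target 100:1 export-extcommunity
 vpn-target 200:1 import-extcommunity
"""

DIRECTIONS = ("export-extcommunity", "import-extcommunity", "both")


def parse_vpn_instances(text):
    """{"device:vrf": {"rd": str, "export": set, "import": set}} from a multi-device dump."""
    vrfs, device, current = {}, "?", None
    for raw in text.splitlines():
        tokens = raw.split("//", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "sysname":
            device, current = tokens[1], None
        elif tokens[:2] == ["ip", "vpn-instance"]:
            current = f"{device}:{tokens[2]}"
            vrfs[current] = {"rd": None, "export": set(), "import": set()}
        elif current is None:
            continue
        elif tokens[0] == "route-distinguisher":
            vrfs[current]["rd"] = tokens[1]
        elif tokens[0] == "vpn-target":
            # 'vpn-target RT [RT ...] [export-extcommunity | import-extcommunity | both]';
            # without a keyword the RTs apply in both directions.
            if tokens[-1] in DIRECTIONS:
                rts, direction = set(tokens[1:-1]), tokens[-1]
            else:
                rts, direction = set(tokens[1:]), "both"
            if direction != "import-extcommunity":
                vrfs[current]["export"] |= rts
            if direction != "export-extcommunity":
                vrfs[current]["import"] |= rts
        elif tokens[0] in ("interface", "bgp", "ospf", "mpls"):
            current = None                     # left the VPN instance view
    return vrfs


def route_flows(vrfs):
    """(src, dst) pairs whose routes dst installs: a route exported by src carries src's
    export RTs and is accepted by dst iff at least one of them is in dst's import set."""
    return {(s, d) for s in vrfs for d in vrfs
            if s != d and vrfs[s]["export"] & vrfs[d]["import"]}


def hub_spoke_as_path(spoke_as, backbone_as, hub_as):
    """AS_PATH the Hub-PE receives in vpn_out for a spoke route: the Hub-PE prepends the
    backbone AS when advertising to the Hub-CE over EBGP, and the Hub-CE prepends its
    own AS when sending the route back over the vpn_out link."""
    return [hub_as, backbone_as, spoke_as]


def bgp_accepts(local_as, as_path, allow_as_loop=0):
    """BGP loop check: a path containing the local AS is dropped unless
    'peer ... allow-as-loop [n]' permits up to n occurrences."""
    return as_path.count(local_as) <= allow_as_loop
```

For the basic topology, route_flows yields vpna-to-vpna and vpnb-to-vpnb p pairs across the PEs and nothing between vpna and vpnb, which is the isolation the requirements ask for. For hub-and-spoke, spoke routes flow only into Hub-PE:vpn_in and only Hub-PE:vpn_out can send routes back to the spokes; there is no Spoke-PE1-to-Spoke-PE2 pair, so spoke-to-spoke traffic necessarily passes the Hub-CE. The path returned by hub_spoke_as_path(65410, 100, 65430) contains 100, so bgp_accepts(100, path) is False until allow-as-loop is configured.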
Networking Requirements
As shown in Figure 5-117, CE1 and CE2 belong to the same VPN and have the same VPN
target. CE1 connects to the UPE, and CE2 connects to the PE. UPE, SPE, and PE
communicate using OSPF.
Figure 5-117 (diagram not reproduced; addressing recovered from it): AS 100. CE1: Eth1/0/0 10.1.1.1/24. UPE: Eth1/0/0 10.1.1.2/24, Eth2/0/0 172.1.1.1/24, Loopback1 1.1.1.9/32. SPE: Eth1/0/0 172.1.1.2/24, Eth2/0/0 172.2.1.1/24, Loopback1 2.2.2.9/32. PE: Eth2/0/0 172.2.1.2/24, Eth1/0/0 10.2.1.2/24, Loopback1 3.3.3.9/32. CE2: Eth1/0/0 10.2.1.1/24.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
# //Configure EBGP between the PE and the CE.
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
# //Enable MPLS.
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
# //Establish MP-IBGP peer relationships between the UPE and the SPE, and between the PE and the SPE.
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 1.1.1.9 upe //Specify the UPE role for this peer.
peer 1.1.1.9 default-originate vpn-instance vpna //Advertise only a default route of vpna to the UPE; the UPE does not need the full VPN routing table.
peer 3.3.3.9 enable
# //Configure routes.
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return
----End
Specifications
This example applies to all versions.
Networking Requirements
As shown in Figure 5-118, CE1 and CE2 belong to the same VPN. CE1 accesses PE1
through AS100, and CE2 accesses PE2 through AS200.
Inter-AS BGP/MPLS IP VPN is implemented through Option A. That is, the VRF-to-VRF
method is used to manage VPN routes.
Figure 5-118 (only the CE side of the diagram survived): CE1 (AS 65001) Eth1/0/0 10.1.1.1/24 connects to PE1 Eth2/0/0 10.1.1.2/24 in AS 100; CE2 (AS 65002) Eth1/0/0 10.2.1.1/24 connects to PE2 Eth2/0/0 10.2.1.2/24 in AS 200.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
# //Establish an EBGP peer relationship between a PE and a CE.
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
mpls
mpls ldp
# //Bind the VPN instance to the interface.
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and the ASBR.
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.1.1.1 as-number 65001
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between ASBR1 and ASBR2.
peer 192.1.1.2 as-number 200
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
#
sysname PE2
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
# //Enable MPLS.
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
# //Enable MPLS on the interface.
interface Ethernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and ASBR.
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.2.1.1 as-number 65002
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
----End
Specifications
This example applies to all versions.
This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.
Networking Requirements
As shown in Figure 5-119, CE1 and CE2 belong to the same VPN. CE1 accesses PE1
through AS100, and CE2 accesses PE2 through AS200.
Inter-AS BGP/MPLS IP VPN is implemented through Option B:
- ASBR1 and ASBR2 exchange VPNv4 routes using MP-EBGP.
- ASBRs do not filter the VPN-IPv4 routes received from each other based on VPN targets.
Figure 5-119 (only the CE side of the diagram survived): CE1 (AS 65001) Eth1/0/0 10.1.1.1/24 connects to PE1 Eth2/0/0 10.1.1.2/24 in AS 100; CE2 (AS 65002) Eth1/0/0 10.2.1.1/24 connects to PE2 Eth2/0/0 10.2.1.2/24 in AS 200.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
# //Establish an EBGP peer relationship between a CE and a PE.
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
# //Establish an MP-IBGP peer relationship with PE1 and an MP-EBGP peer relationship with ASBR2.
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.2 enable
peer 1.1.1.9 enable
#
ipv4-family vpnv4 //Disable VPN target-based filtering of received VPNv4 routes (the ASBR has no local VPN instances, so with filtering on it would discard every VPNv4 route) and allocate labels for VPN routes per next hop.
undo policy vpn-target
apply-label per-nexthop
peer 1.1.1.9 enable
peer 192.1.1.2 enable
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
#
ipv4-family vpnv4 //Disable VPN target-based filtering of received VPNv4 routes (the ASBR has no local VPN instances, so with filtering on it would discard every VPNv4 route) and allocate labels for VPN routes per next hop.
undo policy vpn-target
apply-label per-nexthop
peer 4.4.4.9 enable
peer 192.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
#
sysname CE2
#
interface Ethernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65002 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
----End
Networking Requirements
As shown in Figure 5-120, CE1 and CE2 belong to the same VPN. CE1 accesses PE1
through AS100, and CE2 accesses PE2 through AS200.
Inter-AS BGP/MPLS IP VPN is implemented through Option C.
Figure 5-120 (only the CE side of the diagram survived): CE1 (AS 65001) Eth1/0/0 10.1.1.1/24 connects to PE1 Eth2/0/0 10.1.1.2/24 in AS 100; CE2 (AS 65002) Eth1/0/0 10.2.1.1/24 connects to PE2 Eth2/0/0 10.2.1.2/24 in AS 200.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65001 //Establish an EBGP peer relationship between a CE and a PE.
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between a PE and a CE and configure PE1 to import VPN routes from the CE.
peer 10.1.1.1 as-number 65001
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
# //Configure labeled IPv4 route exchange.
bgp 200
peer 192.1.1.1 as-number 100 //Establish an EBGP peer relationship between ASBR2 and ASBR1.
peer 4.4.4.9 as-number 200 //Establish an IBGP peer relationship between ASBR2 and PE2.
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
network 4.4.4.9 255.255.255.255
peer 192.1.1.1 enable
peer 192.1.1.1 route-policy policy1 export //Apply a routing policy to the routes advertised to ASBR1, and enable labeled IPv4 route exchange with ASBR1.
peer 192.1.1.1 label-route-capability
peer 4.4.4.9 enable
peer 4.4.4.9 route-policy policy2 export //Apply a routing policy to the routes advertised to PE2, and enable labeled IPv4 route exchange with PE2.
peer 4.4.4.9 label-route-capability
# //Configure routes.
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
# //Create the route-policies: policy1 attaches an MPLS label to every route advertised to ASBR1; policy2 passes on to PE2 only the routes that were received with a label, and re-labels them.
route-policy policy1 permit node 1
apply mpls-label
route-policy policy2 permit node 1
if-match mpls-label
apply mpls-label
#
return
----End
Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use IS-IS to exchange routes.
(Diagram not reproduced; addressing recovered from it.) PE1: loopback 1.1.1.1/32, GE0/0/1 192.168.1.1/24, GE1/0/0 10.1.1.1/24 (vpn1). PE2: loopback 2.2.2.2/32, GE0/0/1 192.168.1.2/24, GE1/0/0 10.1.2.1/24 (vpn1). CE1: GE0/0/1 10.1.1.2/24, GE1/0/0 10.137.1.1/24. CE2: GE0/0/1 10.1.2.2/24, GE1/0/0 10.137.2.1/24.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
isis 1 //Configure an IS-IS process.
network-entity 10.0000.1111.1112.00
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
return
(Step 1 verification output truncated; the surviving row shows 10.137.2.0/24 learned by IBGP with preference 255, cost 20, flags RD, next hop 2.2.2.2, through GigabitEthernet0/0/1.)
2. Run the display ip routing-table protocol isis command on CEs. CE1 and CE2 can learn routes from each other.
CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.
----End
Configuration Notes
- When PEs and CEs use IS-IS to exchange routes, bind the IS-IS process to the VPN instance.
- PEs need to import routes advertised by BGP and IS-IS routes from each other.
Specifications
This example applies to all versions.
Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use BGP to exchange routes.
(Diagram not reproduced; addressing recovered from it.) PE1: loopback 1.1.1.1/32, GE0/0/1 192.168.1.1/24, GE1/0/0 10.1.1.1/24 (vpn1). PE2: loopback 2.2.2.2/32, GE0/0/1 192.168.1.2/24, GE1/0/0 10.1.2.1/24 (vpn1). CE1: GE0/0/1 10.1.1.2/24, GE1/0/0 10.137.1.1/24. CE2: GE0/0/1 10.1.2.2/24, GE1/0/0 10.137.2.1/24.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
bgp 65101
peer 10.1.1.1 as-number 100 //Establish an EBGP peer relationship.
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.1 enable
#
return
#
return
2. Run the display ip routing-table protocol bgp command on CEs. CE1 and CE2 can
learn routes from each other.
CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.
----End
Configuration Notes
- PEs and CEs can use IBGP or EBGP to exchange routes. This example uses EBGP.
- You must configure the CE as a VPN peer in the BGP-VPN instance IPv4 address family view on the connected PE.
Specifications
This example applies to all versions.
Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use OSPF to exchange routes.
(Diagram not reproduced; addressing recovered from it.) PE1: Loopback0 1.1.1.1/32, GE0/0/1 192.168.1.1/24, GE1/0/0 10.1.1.1/24 (vpn1). PE2: Loopback0 2.2.2.2/32, GE0/0/1 192.168.1.2/24, GE1/0/0 10.1.2.1/24 (vpn1). CE1: GE0/0/1 10.1.1.2/24, GE1/0/0 10.137.1.1/24. CE2: GE0/0/1 10.1.2.2/24, GE1/0/0 10.137.2.1/24.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.137.1.0 0.0.0.255
#
return
#
sysname PE1
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 2.2.2.2 enable
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route ospf 2 //Import OSPF routes into the VRF table of the BGP-VPN instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
ospf 2 vpn-instance vpn1
import-route bgp //Configure the local PE to import VPNv4 routes learned from the peer PE to OSPF.
area 0.0.0.0
network 10.1.2.0 0.0.0.255
#
return
2. Run the display ip routing-table protocol ospf command on CEs. CE1 and CE2 can
learn routes from each other.
Use the display on CE1 as an example.
CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.
----End
Configuration Notes
- When PEs and CEs use OSPF to exchange routes, bind the OSPF process to the VPN instance.
- PEs need to import routes advertised by BGP and OSPF from each other.
Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs use OSPF to exchange routes. CE1 and CE2 belong to the same OSPF area and are also joined by a direct bypass link. VPN traffic between CE1 and CE2 must be forwarded over the MPLS backbone network rather than over the OSPF intra-area route across the bypass link.
Figure 5-124 Networking diagram for configuring BGP MPLS/IP VPN and OSPF sham link
(Diagram not reproduced; addressing recovered from it.) PE1: Loopback0 1.1.1.1/32, sham-link loopback 11.11.11.11/32, GE0/0/1 10.1.1.1/24, Eth1/0/1 100.1.1.1/24. PE2: Loopback0 2.2.2.2/32, sham-link loopback 22.22.22.22/32, GE0/0/1 10.1.1.2/24, Eth1/0/0 100.1.2.1/24. CE1: Eth1/0/1 100.1.1.2/24, Eth1/0/0 192.168.2.2/24 (bypass link), GE0/0/1 192.168.1.1/24. CE2: Eth1/0/0 100.1.2.2/24, Eth1/0/1 192.168.2.1/24 (bypass link), GE0/0/1 192.168.3.1/24. PC1 192.168.1.2/24, PC2 192.168.3.2/24. The sham link runs between 11.11.11.11 and 22.22.22.22 across the backbone; the bypass link connects CE1 and CE2 directly.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 192.168.2.2 255.255.255.0
ospf cost 10
#
interface Ethernet1/0/1
ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
#
interface Ethernet1/0/0
ip address 100.1.2.2 255.255.255.0
#
interface Ethernet1/0/1
ip address 192.168.2.1 255.255.255.0
ospf cost 10
#
ospf 1
area 0.0.0.0
network 100.1.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.1 0.0.0.0
#
ospf 2 vpn-instance vpn1
import-route bgp
area 0.0.0.0
network 100.1.1.0 0.0.0.255
sham-link 11.11.11.11 22.22.22.22 //Specify the source and destination addresses of the sham link.
#
return
import-route bgp
area 0.0.0.0
network 100.1.2.0 0.0.0.255
sham-link 22.22.22.22 11.11.11.11 //Specify the source and destination addresses of the sham link.
#
return
2. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN routing table on the local PE has a route to the peer PE.
Use the display on PE1 as an example. (Output truncated; the rows that survive have next hop 100.1.2.2 on Ethernet1/0/0 and so belong to the PE facing CE2.)
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.168.2.0/24 OSPF 10 11 D 100.1.2.2 Ethernet1/0/0
192.168.3.0/24 OSPF 10 2 D 100.1.2.2 Ethernet1/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
3. Run the display ip routing-table protocol ospf command on CEs. CE1 and CE2 can learn routes from each other and the outbound interface is the CE interface connected to the PE.
----End
Configuration Notes
- The route of the sham link address cannot be advertised to the peer PE through an OSPF process bound to a VPN instance. If the route of the sham link address is advertised to the peer PE through an OSPF process bound to a VPN instance, the peer PE has two routes to the sham link address. The two routes are learned from OSPF and MP-BGP respectively. The OSPF route takes precedence over the BGP route, so the peer PE uses the OSPF route. As a result, the sham link fails to be established.
- A PE must use the loopback interface address with a 32-bit mask to establish a sham link.
- To forward VPN traffic through the MPLS backbone network, configure the cost of the sham link to be smaller than the cost of the OSPF route used for forwarding VPN traffic over the user network.
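The third note above is a cost comparison that is easy to get wrong, so here is the calculation on the topology of Figure 5-124: OSPF charges the cost of each outgoing interface, the CE-CE bypass interfaces are configured with ospf cost 10, every other interface keeps the default cost 1, and the sham link has its own cost (default 1 on this platform, an assumption here). The script is an added example, not part of the Huawei document; the topology is constructed from the figure. Without the sham link, the route learned through MP-BGP would be an inter-area route on the far PE and always lose to the intra-area bypass route whatever its cost, which is why only the sham-link cost, not the backbone metrics, decides the path.

```python
"""Why the sham-link cost matters: shortest OSPF paths from CE1 to CE2's LAN with and
without the PE1-PE2 sham link, on the topology of the figure above."""
import heapq


def build_topology(sham_link_cost=None):
    """Directed cost graph; OSPF cost is charged on the outgoing interface.
    Interfaces cost 1 unless configured otherwise; the CE-CE bypass interfaces carry
    'ospf cost 10' in the configuration. sham_link_cost=None means no sham link."""
    edges = {
        ("CE1", "CE2"): 10, ("CE2", "CE1"): 10,      # bypass link 192.168.2.0/24
        ("CE1", "PE1"): 1, ("PE1", "CE1"): 1,        # 100.1.1.0/24
        ("CE2", "PE2"): 1, ("PE2", "CE2"): 1,        # 100.1.2.0/24
        ("CE1", "192.168.1.0/24"): 1,                # PC1 LAN behind CE1
        ("CE2", "192.168.3.0/24"): 1,                # PC2 LAN behind CE2
    }
    if sham_link_cost is not None:                   # sham link 11.11.11.11 <-> 22.22.22.22
        edges[("PE1", "PE2")] = sham_link_cost
        edges[("PE2", "PE1")] = sham_link_cost
    graph = {}
    for (a, b), cost in edges.items():
        graph.setdefault(a, []).append((b, cost))
    return graph


def shortest_path(graph, src, dst):
    """Dijkstra: (cost, [nodes]) or (None, []) if dst is unreachable. On a tie the
    path found first wins, which is enough to show which link is preferred."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue                                 # stale heap entry
        if node == dst:
            break
        for nxt, cost in graph.get(node, []):
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = d + cost, node
                heapq.heappush(heap, (d + cost, nxt))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def traffic_uses_backbone(sham_link_cost):
    """True when CE1 reaches PC2's LAN through PE1 and PE2 rather than the bypass link."""
    _, path = shortest_path(build_topology(sham_link_cost), "CE1", "192.168.3.0/24")
    return "PE1" in path and "PE2" in path


def max_sham_link_cost_for_backbone():
    """Largest sham-link cost at which the backbone path is still strictly cheaper."""
    best = None
    for cost in range(1, 65536):
        if not traffic_uses_backbone(cost):
            break
        best = cost
    return best
```

With the default sham-link cost of 1 the path CE1, PE1, PE2, CE2 costs 4 against 11 over the bypass link, so traffic takes the backbone; raise the sham-link cost to 8 and the two paths tie at the CE2 hop, at 10 or more the bypass wins outright. max_sham_link_cost_for_backbone() therefore returns 7 for this topology: any sham-link cost above that silently moves VPN traffic onto the customer's own link.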
Specifications
This example applies to all versions.
Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use static routes to communicate.
(Diagram not reproduced; addressing recovered from it.) PE1: Loopback0 1.1.1.1/32, GE0/0/1 192.168.1.1/24, GE1/0/0 10.1.1.1/24 (vpn1). PE2: Loopback0 2.2.2.2/32, GE0/0/1 192.168.1.2/24, GE1/0/0 10.1.2.1/24 (vpn1). CE1: GE0/0/1 10.1.1.2/24, GE1/0/0 10.137.1.1/24. CE2: GE0/0/1 10.1.2.2/24, GE1/0/0 10.137.2.1/24.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
return
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route static //Import static routes.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
ip route-static vpn-instance vpn1 10.137.2.0 255.255.255.0 10.1.2.2
#
return
# Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN routing
table on the local PE has a route to the peer PE. CE2 can ping IP address 10.137.1.1 and CE1
can ping IP address 10.137.2.1.
----End
Configuration Notes
- BGP on PEs needs to import the static VPN routes.
- Static routes towards the other VPN sites (here a default route pointing to the PE) must be configured on the CEs.
Specifications
This example applies to all versions.
This example does not apply to AR100&AR120&AR150&AR160&AR200 series routers.
Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use RIP to exchange routes.
(Diagram not reproduced; addressing recovered from it.) PE1: Loopback0 1.1.1.1/32, GE0/0/1 192.168.1.1/24, GE1/0/0 10.1.1.1/24 (vpn1). PE2: Loopback0 2.2.2.2/32, GE0/0/1 192.168.1.2/24, GE1/0/0 10.1.2.1/24 (vpn1). CE1: GE0/0/1 10.1.1.2/24, GE1/0/0 10.137.1.1/24. CE2: GE0/0/1 10.1.2.2/24, GE1/0/0 10.137.2.1/24.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
rip 1 //Create a RIP process.
version 2
network 10.0.0.0
#
return
network 10.0.0.0
#
return
2. Run the display ip routing-table protocol rip command on CEs. CE1 and CE2 can learn routes from each other.
Use the display on CE1 as an example.
CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.
----End
Configuration Notes
- When PEs and CEs use RIP to exchange routes, bind the RIP process to the VPN instance.
- PEs need to import routes advertised by BGP and RIP from each other.
Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, MP-IBGP
connections between PE1 and the RR, and between PE2 and the RR are set up, and VPN
routes are reflected by the RR.
Figure 5-127 Networking diagram for configuring route reflection to optimize the VPN
backbone layer
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 192.168.4.2 255.255.255.0
#
bgp 65001 //Establish an EBGP relationship with PE1.
peer 192.168.4.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.4.1 enable
#
return
peer 2.2.2.2 as-number 100 //Establish an MP-IBGP peer relationship with the RR.
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
peer 192.168.4.2 as-number 65001
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.2.0 0.0.0.255
#
return
#
return
1. (Peer display output truncated; the surviving row shows peer 1.1.1.1, BGP version 4, AS 100, in Established state for 00:13:36.)
2. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN
routing table on the local PE has a route to the peer PE.
The display on PE1 is as follows:
----End
Configuration Notes
- The PEs only need to establish MP-IBGP peer relationships with the RR.
- The VPN instance does not need to be configured on the RR.
5.7 VLL
Networking Requirements
As shown in Figure 5-128, the MPLS network of an ISP provides the L2VPN service for users. Many users connect to the MPLS network through PE1 and PE2, and users connected to PE1 and PE2 change frequently. A VPN solution is required that keeps each user's traffic separated from the others' and that simplifies configuration when new users connect to the network.
A Martini VLL connection can be set up between CE1 and CE2 to meet the requirements. The separation comes from the MPLS labels and VC IDs; a VLL does not encrypt the user traffic it carries.
Figure 5-128 (diagram not reproduced; addressing recovered from it): CE1 GE1/0/0 connects to PE1 GE1/0/0; PE1 GE2/0/0 10.1.1.1/24 connects to P GE2/0/0 10.1.1.2/24; P GE1/0/0 10.2.2.2/24 connects to PE2 GE1/0/0 10.2.2.1/24; PE2 GE2/0/0 connects to CE2. PE1 Loopback1 is 10.10.10.1 (the l2vc peer address in PE2's configuration) and PE2 Loopback1 is 10.10.10.3.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.3.1.1 255.255.255.0
#
return
mpls
mpls ldp
#
interface GigabitEthernet2/0/0 //Create a VLL in Martini mode.
mpls l2vc 10.10.10.1 101
#
interface LoopBack1
ip address 10.10.10.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.2.2.0 0.0.0.255
network 10.10.10.3 0.0.0.0
#
return
# Run the display mpls l2vc brief command on the PE devices to check L2VPN connection
information. You can see that an LDP VC is set up and is in Up state.
----End
Applicability
This example applies to all AR models of V200R003C00 and later versions.
Networking Requirements
The MPLS network of an ISP provides the L2VPN service for users. Many users connect to
the MPLS network through PE1 and PE2, and users connected to PE1 and PE2 change
frequently. A proper VPN solution is required to provide secure VPN services for users and to
simplify configuration when new users connect to the network.
A Martini VLL connection can be set up between CE1 and CE2 to meet the requirements. By
default, PE1 and PE2 set up one LSP tunnel and do not load balance traffic among multiple
tunnels. When the P device does not support MPLS, Martini VLL cannot be implemented.
To solve this problem, you can apply a tunnel policy to a Martini VLL so that VLL services
can be transmitted over the GRE tunnel.
Figure 5-129 Networking diagram for configuring VLL to use a GRE tunnel
(Diagram not reproduced; addressing recovered from it.) P: GE2/0/0 172.1.1.2/24, GE1/0/0 172.2.1.2/24. PE1: Loopback1 10.10.1.1/32, GE2/0/0 172.1.1.1/24. PE2: Loopback1 10.10.2.1/32, GE1/0/0 172.2.1.1/24. A GRE tunnel runs between PE1 and PE2 across the P. CE1 10.1.1.1/24 and CE2 10.1.1.2/24 share one subnet over the VLL.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
return
#
ospf 1
area 0.0.0.0
network 10.10.1.1 0.0.0.0
network 172.1.1.0 0.0.0.255
#
tunnel-policy gre1 //Configure a tunnel policy.
tunnel select-seq gre load-balance-number 1
#
return
----End
5.8 PWE3
Networking Requirements
In an Air Traffic Control (ATC) scenario, the Area Control Center (ACC) connects to a
broadcasting system over the backbone network as shown in Figure 5-130. PE1 on the
backbone network uses an E&M interface to connect to the Voice Communication System of
the ACC, and PE2 uses an E&M interface to connect to the broadcasting system. The
customer requires that very high frequency (VHF) services be transmitted normally
between the ACC and the broadcasting system, so that pilots can talk with the air traffic
controller.
In addition, communication between the ACC and broadcasting system is very important and
signal interruption is not allowed. The customer uses two E1 links to ensure communication
stability and reliability.
Figure 5-130 Configuring E&M interfaces for transmitting VHF services in ATC scenario
(Diagram: air traffic controller / Area Control Center - PE1 [E&M interface Serial4/0/0, Loopback0 1.1.1.9/32, Serial1/0/0:0 172.1.1.1/24, Serial1/0/1:0 173.1.1.1/24] - MPLS backbone network with MPLS TE tunnel - PE2 [Loopback0 2.2.2.9/32, Serial1/0/0:0 172.1.1.2/24, Serial1/0/1:0 173.1.1.2/24, E&M interface Serial4/0/0] - local/remote broadcasting system and wireless tower.)
Requirement Analysis
l VHF services between the ACC and broadcasting system need to be transmitted through
E&M interface. PWE3 is required to set up a tunnel over the backbone network for
transmitting VHF service data.
l The customer uses two E1 links over the backbone network to ensure communication
stability and reliability. Among the current tunneling technologies, MPLS TE is
preferred due to the high reliability and fast switching capability. In addition, MPLS TE
can be used with BFD to speed up fault detection and switching between primary and
backup CR-LSPs. The primary and backup CR-LSPs set up using MPLS TE use one E1
explicit path respectively. After the primary link fails, service data is fast switched to the
hot backup CR-LSP without traffic loss or delay.
NOTE
PWE3 is a licensed feature. To use it, apply for and purchase the license from the local Huawei office.
Procedure
Step 1 Configure PE1.
#
sysname PE1
#
bfd
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf //Enable CSPF and create an MPLS TE tunnel.
#
mpls l2vpn
#
explicit-path backup //Specify an explicit path for the backup CR-LSP.
next hop 173.1.1.2
next hop 2.2.2.9
#
explicit-path main //Specify an explicit path for the primary CR-LSP.
next hop 172.1.1.2
next hop 2.2.2.9
#
pw-template pe2pe //Set up PWE3 using the PW template.
peer-address 2.2.2.9 //Specify the remote address of the PW.
jitter-buffer depth 8 //Set the jitter buffer depth. A deeper jitter buffer tolerates more jitter, but adds transmission delay when the data flow is reconstructed; an improper depth degrades service transmission quality.
tdm-encapsulation-number 8 //Set the number of TDM frames encapsulated into each PW packet. Fewer frames per packet means lower network delay but higher encapsulation overhead; more frames per packet uses bandwidth more efficiently but increases network delay.
#
mpls ldp
#
mpls ldp remote-peer 2.2.2.9 //Specify the MPLS LDP peer.
remote-ip 2.2.2.9
#
controller E1 1/0/0
using e1
clock master //Configure the interface to work in master clock mode to ensure correct data transmission.
#
controller E1 1/0/1
using e1
clock master
#
interface Serial1/0/0:0
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Serial1/0/1:0
link-protocol ppp
ip address 173.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Serial4/0/0 //Configure an AC interface to create a tunnel for transmitting VHF services.
link-protocol tdm
mpls l2vc pw-template pe2pe 300 tunnel-policy te
em passthrough enable //Enable transparent transmission of E&M data through the MPLS tunnel.
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel0/0/0 //Create an MPLS TE tunnel.
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 2.2.2.9
mpls te tunnel-id 100
mpls te record-route
mpls te path explicit-path main //Configure the explicit path used by the primary CR-LSP.
mpls te path explicit-path backup secondary //Configure the explicit path used by the backup CR-LSP.
mpls te backup hot-standby mode revertive wtr 15
mpls te backup ordinary best-effort
mpls te commit
#
ospf 1 router-id 1.1.1.9 //Advertise routing information so that the MPLS TE tunnel can be set up.
opaque-capability enable
area 0.0.0.0
network 1.1.1.9 0.0.0.0
# After the configurations are complete, check whether an MPLS TE tunnel has been set up
between the two PE devices and whether the VC is in Up state. The command output on
PE1 is used as an example.
[PE1] display mpls te tunnel-interface tunnel 0/0/0
----------------------------------------------------------------
Tunnel0/0/0
----------------------------------------------------------------
Tunnel State Desc : UP
Active LSP : Primary LSP
Session ID : 100
Ingress LSR ID : 1.1.1.9 Egress LSR ID: 2.2.2.9
Admin State : UP Oper State : UP
Primary LSP State : UP
Main LSP State : READY LSP ID : 10
Hot-Standby LSP State : UP
Main LSP State : READY LSP ID : 32773
[PE1] display mpls l2vc interface serial 4/0/0
*client interface : Serial4/0/0 is up
Administrator PW : no
session state : up
AC status : up
VC state : up
Label state : 0
Token state : 0
VC ID : 300
VC type : CESoPSN basic mode
destination : 2.2.2.9
......
# When music is played in the ACC, the broadcasting system transmits voices properly and
clearly. When the primary E1 link is cut off, services are fast switched to the backup link and
pilots are not aware of interruption or delay. When the primary E1 link recovers, services are
fast switched back to the primary link and pilots are not aware of interruption or delay.
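The two display outputs above are what an operator would poll to confirm that the VHF pseudowire still has its hot-standby protection. The following script is an added example, not Huawei's code: it parses the PE1 output quoted in this example (embedded as constructed sample text) and reports the conditions that matter for this scenario, including the case where the primary CR-LSP is still carrying traffic but the hot-standby CR-LSP has gone down, which the service itself would not reveal.

```python
"""Added health check (not Huawei's code) for the PE1 verification output in this example."""
import re

# Constructed sample input: the two PE1 command outputs quoted above, verbatim.
TE_OUTPUT = """\
Tunnel State Desc : UP
Ingress LSR ID : 1.1.1.9 Egress LSR ID: 2.2.2.9
Admin State : UP Oper State : UP
Primary LSP State : UP
Main LSP State : READY LSP ID : 10
Hot-Standby LSP State : UP
Main LSP State : READY LSP ID : 32773
"""
VC_OUTPUT = """\
*client interface : Serial4/0/0 is up
session state : up
AC status : up
VC state : up
VC ID : 300
VC type : CESoPSN basic mode
destination : 2.2.2.9
"""
# One "Key : value" pair, or several on one line ("Admin State : UP Oper State : UP").
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9 *-]*?)\s*:\s*(.*?)(?=\s[A-Z][A-Za-z -]*?\s*:|\s*$)")

def parse_display(text):
    """Flatten display output into a dict; the first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        for key, value in PAIR_RE.findall(line):
            fields.setdefault(key.strip(), value.strip())
    return fields

def check_te_tunnel(fields):
    """Problems with the TE tunnel; an empty list means up with hot standby ready."""
    problems = []
    if fields.get("Tunnel State Desc") != "UP":
        problems.append("TE tunnel is not up")
    if fields.get("Primary LSP State") != "UP":
        problems.append("primary CR-LSP is down: traffic is on the backup E1 path")
    if fields.get("Hot-Standby LSP State") != "UP":
        problems.append("hot-standby CR-LSP not up: one more failure interrupts VHF")
    return problems

def check_vc(fields, vc_id="300", peer="2.2.2.9"):
    """Problems with the E&M pseudowire; an empty list means healthy."""
    problems = [f"{k} is not up" for k in ("session state", "AC status", "VC state")
                if fields.get(k) != "up"]
    if fields.get("VC ID") != vc_id or fields.get("destination") != peer:
        problems.append("VC ID or peer differs from the configured pw-template")
    return problems
```

Feed it the live output of both display commands on a schedule; a non-empty list from either check is the alarm condition, since the pilots would otherwise only notice on the second failure.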
----End