Example: Configuring a manual mode IPsec tunnel for IPv4 packets

Network configuration

As shown in Figure 117, establish an IPsec tunnel between Switch A and Switch B to protect data flows between the switches. Configure the tunnel as follows: use tunnel encapsulation mode and the ESP security protocol, with AES-CBC-192 for encryption and SHA1 for authentication, and set up the SAs manually.

Figure 117: Network diagram

Procedure

  1. Configure Switch A:

    # Configure an IP address for VLAN-interface 1.

    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    

    # Configure an IPv4 advanced ACL to identify the data flows between Switch A and Switch B.

    [SwitchA] acl advanced 3101
    [SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
    [SwitchA-acl-ipv4-adv-3101] quit
    

    # Create an IPsec transform set named tran1.

    [SwitchA] ipsec transform-set tran1
    

    # Specify the encapsulation mode as tunnel.

    [SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
    

    # Specify the security protocol as ESP.

    [SwitchA-ipsec-transform-set-tran1] protocol esp
    

    # Specify the ESP encryption and authentication algorithms.

    [SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
    [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchA-ipsec-transform-set-tran1] quit
    

    # Create a manual IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.

    [SwitchA] ipsec policy map1 10 manual
    

    # Specify ACL 3101.

    [SwitchA-ipsec-policy-manual-map1-10] security acl 3101
    

    # Specify IPsec transform set tran1.

    [SwitchA-ipsec-policy-manual-map1-10] transform-set tran1
    

    # Specify the remote IP address of the IPsec tunnel as 2.2.3.1.

    [SwitchA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1
    

    # Configure the inbound and outbound SPIs for ESP.

    [SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
    [SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
    

    # Configure the inbound and outbound SA keys for ESP.

    [SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg
    [SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba
    [SwitchA-ipsec-policy-manual-map1-10] quit
    

    # Apply IPsec policy map1 to VLAN-interface 1.

    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ipsec apply policy map1
    
  2. Configure Switch B:

    # Configure an IP address for VLAN-interface 1.

    <SwitchB> system-view
    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ip address 2.2.3.1 255.255.255.0
    [SwitchB-Vlan-interface1] quit
    

    # Configure an IPv4 advanced ACL to identify the data flows between Switch B and Switch A.

    [SwitchB] acl advanced 3101
    [SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0
    [SwitchB-acl-ipv4-adv-3101] quit
    

    # Create an IPsec transform set named tran1.

    [SwitchB] ipsec transform-set tran1
    

    # Specify the encapsulation mode as tunnel.

    [SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
    

    # Specify the security protocol as ESP.

    [SwitchB-ipsec-transform-set-tran1] protocol esp
    

    # Specify the ESP encryption and authentication algorithms.

    [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
    [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchB-ipsec-transform-set-tran1] quit
    

    # Create a manual IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.

    [SwitchB] ipsec policy use1 10 manual
    

    # Specify ACL 3101.

    [SwitchB-ipsec-policy-manual-use1-10] security acl 3101
    

    # Specify IPsec transform set tran1.

    [SwitchB-ipsec-policy-manual-use1-10] transform-set tran1
    

    # Specify the remote IP address of the IPsec tunnel as 2.2.2.1.

    [SwitchB-ipsec-policy-manual-use1-10] remote-address 2.2.2.1
    

    # Configure the inbound and outbound SPIs for ESP.

    [SwitchB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
    [SwitchB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
    

    # Configure the inbound and outbound SA keys for ESP.

    [SwitchB-ipsec-policy-manual-use1-10] sa string-key outbound esp simple gfedcba
    [SwitchB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg
    [SwitchB-ipsec-policy-manual-use1-10] quit
    

    # Apply IPsec policy use1 to VLAN-interface 1.

    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ipsec apply policy use1
    
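Because manual-mode SAs are never negotiated, nothing on the device tells you when the two sides disagree; the tunnel simply drops traffic. The following Python check, added here as an example and not part of this configuration guide, parses the address, ACL, SPI and key commands from the two procedures above and confirms they mirror each other: the outbound SPI and key on one switch must be the inbound SPI and key on the other, the ACL rule must be reversed, and remote-address must be the peer's local address. The 16-character minimum key length is an assumed local policy, not a device requirement.

```python
import re

# Constructed input: the address, ACL rule, SPI and key commands copied from this page's
# two procedures, prompts included. Not captured from a device.
SWITCH_A = """\
[SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0
[SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
[SwitchA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1
[SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg
[SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba
"""
SWITCH_B = """\
[SwitchB-Vlan-interface1] ip address 2.2.3.1 255.255.255.0
[SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0
[SwitchB-ipsec-policy-manual-use1-10] remote-address 2.2.2.1
[SwitchB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[SwitchB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
[SwitchB-ipsec-policy-manual-use1-10] sa string-key outbound esp simple gfedcba
[SwitchB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg
"""
PATTERNS = {  # field name -> regex capturing it from a prompt-stripped command line
    "local": r"^ip address (\S+)", "remote": r"^remote-address (\S+)",
    "acl_src": r"permit ip source (\S+)", "acl_dst": r"destination (\S+)",
    "spi_out": r"^sa spi outbound esp (\d+)", "spi_in": r"^sa spi inbound esp (\d+)",
    "key_out": r"^sa string-key outbound esp \S+ (\S+)",
    "key_in": r"^sa string-key inbound esp \S+ (\S+)",
}
# Pairs (field on this peer, field on the other peer) that must be equal for the manual
# SAs to match: what A sends out with, B must accept in with, and vice versa.
MIRROR = [("local", "remote"), ("remote", "local"), ("acl_src", "acl_dst"),
          ("acl_dst", "acl_src"), ("spi_out", "spi_in"), ("spi_in", "spi_out"),
          ("key_out", "key_in"), ("key_in", "key_out")]

def parse(config):
    """Strip the [Prompt] prefix from every line and collect the fields in PATTERNS."""
    lines = [re.sub(r"^\[[^\]]*\]\s*", "", ln) for ln in config.splitlines()]
    return {f: m.group(1) for f, p in PATTERNS.items()
            for m in (re.search(p, ln) for ln in lines) if m}

def mirror_errors(a, b):
    """Fields where peer a's configuration does not mirror peer b's (empty = consistent)."""
    return [(x, a.get(x), y, b.get(y)) for x, y in MIRROR if a.get(x) != b.get(y)]

def short_keys(cfg, minimum=16):
    """Keys below an assumed 16-character local minimum; this page's demo keys are 7 chars."""
    return [f for f in ("key_in", "key_out") if len(cfg.get(f, "")) < minimum]

if __name__ == "__main__":
    a, b = parse(SWITCH_A), parse(SWITCH_B)
    print("mirror errors:", mirror_errors(a, b), "short keys on A:", short_keys(a))
```

Run the same check against the running configurations of both peers before applying the policy to the interface; any non-empty result from mirror_errors is a tunnel that will come up as "established" in display ipsec sa but never pass traffic.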

Verifying the configuration

After the configuration is completed, an IPsec tunnel between Switch A and Switch B is established, and the traffic between the switches is IPsec-protected. This example uses Switch A to verify the configuration.

# Use the display ipsec sa command to display IPsec SAs on Switch A.

[SwitchA] display ipsec sa
-------------------------------
Interface: Vlan-interface 1
-------------------------------

  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Mode: manual
  -----------------------------
    Tunnel id: 549
    Encapsulation mode: tunnel
    Path MTU: 1443
    Tunnel:
        local  address: 2.2.2.1
        remote address: 2.2.3.1
    Flow:
        as defined in ACL 3101
    [Inbound ESP SA]
      SPI: 54321 (0x0000d431)
      Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
      No duration limit for this SA
    [Outbound ESP SA]
      SPI: 12345 (0x00003039)
      Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
      No duration limit for this SA