Example: Configuring IPsec RRI
Network configuration
As shown in Figure 120, branches access the enterprise center through an IPsec VPN.
Configure the IPsec VPN as follows:
Configure an IPsec tunnel between Switch A and each branch gateway (Switch B, Switch C, and Switch D) to protect traffic between subnets 4.4.4.0/24 and 5.5.5.0/24.
Configure the tunnels to use security protocol ESP, encryption algorithm DES, and authentication algorithm HMAC-SHA-1-96. Use IKE for IPsec SA negotiation.
Configure the IKE proposal to use the pre-shared key authentication method, encryption algorithm 3DES, and authentication algorithm HMAC-SHA1.
DES, 3DES, and the short plaintext pre-shared key used in this example are chosen only to keep the example simple. In a production deployment, use a stronger cipher the device supports (such as AES) and a long, random pre-shared key entered in cipher text.
Configure IPsec RRI on Switch A to automatically create static routes to the branches based on the established IPsec SAs.
Figure 120: Network diagram
Procedure
Assign IPv4 addresses to the interfaces on the switches according to Figure 120. (Details not shown.)
Configure Switch A:
# Create an IPsec transform set named tran1, and specify ESP as the security protocol, DES as the encryption algorithm, and HMAC-SHA-1-96 as the authentication algorithm.
<SwitchA> system-view
[SwitchA] ipsec transform-set tran1
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[SwitchA-ipsec-transform-set-tran1] protocol esp
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm des
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Create IKE profile profile1, bind it to IKE keychain key1 (created below), and specify the remote identity address to match.
[SwitchA] ike profile profile1
[SwitchA-ike-profile-profile1] keychain key1
[SwitchA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0
[SwitchA-ike-profile-profile1] quit
# Create an IPsec policy template named temp1. Specify IPsec transform set tran1 and IKE profile profile1 for the IPsec policy template.
[SwitchA] ipsec policy-template temp1 1
[SwitchA-ipsec-policy-template-temp1-1] transform-set tran1
[SwitchA-ipsec-policy-template-temp1-1] ike-profile profile1
# Enable IPsec RRI, set the preference to 100 and the tag to 1000 for the static routes created by IPsec RRI.
[SwitchA-ipsec-policy-template-temp1-1] reverse-route dynamic
[SwitchA-ipsec-policy-template-temp1-1] reverse-route preference 100
[SwitchA-ipsec-policy-template-temp1-1] reverse-route tag 1000
[SwitchA-ipsec-policy-template-temp1-1] quit
# Create an IKE-based IPsec policy entry by using IPsec policy template temp1. Specify the policy name as map1 and set the sequence number to 10.
[SwitchA] ipsec policy map1 10 isakmp template temp1
# Create an IKE proposal named 1, and specify 3DES as the encryption algorithm, HMAC-SHA1 as the authentication algorithm, and pre-share as the authentication method.
[SwitchA] ike proposal 1
[SwitchA-ike-proposal-1] encryption-algorithm 3des-cbc
[SwitchA-ike-proposal-1] authentication-algorithm sha
[SwitchA-ike-proposal-1] authentication-method pre-share
[SwitchA-ike-proposal-1] quit
# Create an IKE keychain named key1 and specify 123 in plain text as the pre-shared key to be used with the remote peer at 2.2.2.2.
[SwitchA] ike keychain key1
[SwitchA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123
[SwitchA-ike-keychain-key1] quit
# Apply IPsec policy map1 to VLAN-interface 100.
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ipsec apply policy map1
[SwitchA-Vlan-interface100] quit
Configure Switch B:
# Create an IPsec transform set named tran1, and specify ESP as the security protocol, DES as the encryption algorithm, and HMAC-SHA-1-96 as the authentication algorithm.
<SwitchB> system-view
[SwitchB] ipsec transform-set tran1
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[SwitchB-ipsec-transform-set-tran1] protocol esp
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm des
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Configure IPv4 advanced ACL 3000 to identify traffic from subnet 5.5.5.0/24 to subnet 4.4.4.0/24.
[SwitchB] acl advanced 3000
[SwitchB-acl-ipv4-adv-3000] rule permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
[SwitchB-acl-ipv4-adv-3000] quit
# Create IKE profile profile1, bind it to IKE keychain key1 (created below), and specify the remote identity address to match.
[SwitchB] ike profile profile1
[SwitchB-ike-profile-profile1] keychain key1
[SwitchB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[SwitchB-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry named map1 and configure the following settings for the policy entry:
Set the sequence number to 10.
Specify transform set tran1 and ACL 3000.
Specify the remote IP address for the tunnel as 1.1.1.1.
Specify IKE profile profile1.
[SwitchB] ipsec policy map1 10 isakmp
[SwitchB-ipsec-policy-isakmp-map1-10] transform-set tran1
[SwitchB-ipsec-policy-isakmp-map1-10] security acl 3000
[SwitchB-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[SwitchB-ipsec-policy-isakmp-map1-10] ike-profile profile1
[SwitchB-ipsec-policy-isakmp-map1-10] quit
# Create an IKE proposal named 1, and specify 3DES as the encryption algorithm, HMAC-SHA1 as the authentication algorithm, and pre-share as the authentication method.
[SwitchB] ike proposal 1
[SwitchB-ike-proposal-1] encryption-algorithm 3des-cbc
[SwitchB-ike-proposal-1] authentication-algorithm sha
[SwitchB-ike-proposal-1] authentication-method pre-share
[SwitchB-ike-proposal-1] quit
# Create an IKE keychain named key1 and specify 123 in plain text as the pre-shared key to be used with the remote peer at 1.1.1.1.
[SwitchB] ike keychain key1
[SwitchB-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 123
[SwitchB-ike-keychain-key1] quit
# Apply IPsec policy map1 to VLAN-interface 100.
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ipsec apply policy map1
[SwitchB-Vlan-interface100] quit
Make sure Switch B has a route to the peer private network 4.4.4.0/24 whose outgoing interface is VLAN-interface 100, so that the traffic matching ACL 3000 leaves through the interface where IPsec policy map1 is applied.
Configure Switch C and Switch D in the same way Switch B is configured.
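The configuration above references objects by name across several views (the IKE profile names a keychain, the policy template names a transform set and an IKE profile, the policy entry names a template), and a mismatch is only discovered when IKE negotiation fails. The following script is an added example, not part of this guide or any HPE/H3C tool: it parses the CLI text as it is laid out above (top-level commands at column 0, sub-commands indented), checks that every referenced object is defined, and flags DES/3DES and plaintext pre-shared keys. The sample configuration is constructed from the Switch A steps, with the keychain name referenced by the IKE profile deliberately mismatched so the dangling-reference check has something to find.

```python
"""Reference and algorithm lint for a Comware-style IPsec/IKE configuration.

Added example; not code from the configuration guide or from HPE/H3C.
"""
import re

# 56-bit DES and 3DES (64-bit block, 112-bit effective key) are deprecated for IPsec/IKE.
WEAK_CIPHERS = {"des", "des-cbc", "3des", "3des-cbc"}

# Constructed from the Switch A steps; "keychain keychain1" is the deliberate mismatch.
SAMPLE_CONFIG = """\
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm des
 esp authentication-algorithm sha1
ike profile profile1
 keychain keychain1
 match remote identity address 2.2.2.2 255.255.255.0
ipsec policy-template temp1 1
 transform-set tran1
 ike-profile profile1
 reverse-route dynamic
 reverse-route preference 100
 reverse-route tag 1000
ipsec policy map1 10 isakmp template temp1
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm sha
 authentication-method pre-share
ike keychain key1
 pre-shared-key address 2.2.2.2 key simple 123
"""


def parse_blocks(text):
    """Group the config into (header words, [sub-command lines]) blocks.

    A line starting at column 0 opens a new block; indented lines belong to it.
    """
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            blocks.append((raw.split(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def lint(text):
    """Return findings: dangling references, weak ciphers, plaintext pre-shared keys."""
    defined = {"transform-set": set(), "ike-profile": set(),
               "keychain": set(), "policy-template": set()}
    refs = []        # (kind, referenced name, where it is referenced)
    findings = []
    for words, body in parse_blocks(text):
        head = " ".join(words[:2])
        name = words[2] if len(words) > 2 else ""
        if head == "ipsec transform-set":
            defined["transform-set"].add(name)
            for line in body:
                if line.startswith("esp encryption-algorithm") and line.split()[-1] in WEAK_CIPHERS:
                    findings.append(f"weak ESP cipher {line.split()[-1]} in transform-set {name}")
        elif head == "ike proposal":
            for line in body:
                if line.startswith("encryption-algorithm") and line.split()[-1] in WEAK_CIPHERS:
                    findings.append(f"weak IKE cipher {line.split()[-1]} in ike proposal {name}")
        elif head == "ike profile":
            defined["ike-profile"].add(name)
            for line in body:
                if line.startswith("keychain "):
                    refs.append(("keychain", line.split()[1], f"ike profile {name}"))
        elif head == "ike keychain":
            defined["keychain"].add(name)
            for line in body:
                m = re.search(r"\bkey simple (\S+)", line)
                if m:
                    findings.append(f"plaintext pre-shared key ({len(m.group(1))} chars) in ike keychain {name}")
        elif head == "ipsec policy-template":
            defined["policy-template"].add(name)
            for line in body:
                kind = line.split()[0]
                if kind in ("transform-set", "ike-profile"):
                    refs.append((kind, line.split()[1], f"policy-template {name}"))
        elif head == "ipsec policy" and "template" in words:
            refs.append(("policy-template", words[words.index("template") + 1], f"ipsec policy {name}"))
    # Every reference must resolve to an object defined somewhere in the config.
    for kind, ref, where in refs:
        if ref not in defined[kind]:
            findings.append(f"dangling reference: {where} uses {kind} {ref} "
                            f"(defined: {sorted(defined[kind]) or 'none'})")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

On the sample this reports four findings: the DES transform set, the 3DES IKE proposal, the three-character plaintext key, and the IKE profile referencing keychain1 while only key1 is defined. Run it against the text of `display current-configuration` from each switch before bringing the tunnels up.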
Verifying the configuration
Verify that IPsec RRI can automatically create a static route from Switch A to Switch B:
# Initiate a connection from subnet 5.5.5.0/24 to subnet 4.4.4.0/24. IKE negotiation is triggered to establish IPsec SAs between Switch A and Switch B. (Details not shown.)
# Verify that IPsec SAs are established on Switch A.
[SwitchA] display ipsec sa
-------------------------------
Interface: Vlan-interface100
-------------------------------

  -----------------------------
  IPsec policy: map1
  Sequence number: 10
  Mode: Template
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Inside VPN:
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Path MTU: 1463
    Tunnel:
        local  address: 1.1.1.1
        remote address: 2.2.2.2
    Flow:
        sour addr: 4.4.4.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 5.5.5.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 1014286405 (0x3c74c845)
      Connection ID: 90194313219
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3590
      Max received sequence-number: 4
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 4011716027 (0xef1dedbb)
      Connection ID: 64424509441
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3590
      Max sent sequence-number: 4
      UDP encapsulation used for NAT traversal: N
      Status: Active
# Verify that IPsec RRI has created a static route to the Switch B private network. Look for a static route to 5.5.5.0/24 with next hop 2.2.2.2 (the remote tunnel address), preference 100, and tag 1000, as configured under the policy template.
[SwitchA] display ip routing-table verbose
Verify in the same way that Switch A automatically creates static routes to the Switch C and Switch D private networks. (Details not shown.)
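The verification step reads the `display ipsec sa` output by eye and then checks the routing table for the route RRI should have added. The following script is an added example, not part of this guide or any HPE/H3C tool: it parses the SA output, derives the static route RRI is expected to install for each tunnel, and flags inactive SAs, weak transform sets, and inbound SAs without anti-replay. The sample is an abridged copy of the Switch A output above. The route derivation assumes exactly what this example configures, namely a route to the peer's protected subnet (the flow destination) via the remote tunnel address with preference 100 and tag 1000; the 3DES and MD5 token spellings in the weak-token set are assumed to follow the DES-CBC pattern the output shows.

```python
"""Parse `display ipsec sa` output and derive the route IPsec RRI should install.

Added example; not code from the configuration guide or from HPE/H3C.
"""
import ipaddress
import re

# Abridged copy of the Switch A output shown in the verification step.
SAMPLE_SA_OUTPUT = """\
-------------------------------
Interface: Vlan-interface100
-------------------------------
  IPsec policy: map1
  Sequence number: 10
  Mode: Template
  -----------------------------
    Tunnel id: 0
    Tunnel:
        local  address: 1.1.1.1
        remote address: 2.2.2.2
    Flow:
        sour addr: 4.4.4.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 5.5.5.0/255.255.255.0  port: 0  protocol: ip
    [Inbound ESP SAs]
      SPI: 1014286405 (0x3c74c845)
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      Anti-replay check enable: Y
      Status: Active
    [Outbound ESP SAs]
      SPI: 4011716027 (0xef1dedbb)
      Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
      Status: Active
"""

# DES-CBC is the token the output above shows; the 3DES and MD5 spellings are assumed.
WEAK_ESP_TOKENS = {"ESP-ENCRYPT-DES-CBC", "ESP-ENCRYPT-3DES-CBC", "ESP-AUTH-MD5"}


def _cidr(addr, mask):
    """'5.5.5.0' + '255.255.255.0' -> '5.5.5.0/24'."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def parse_ipsec_sa(text):
    """Return one dict per tunnel: endpoints, protected flow, per-direction ESP SA fields."""
    tunnels, cur, direction = [], None, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("Tunnel id:"):
            cur = {"tunnel_id": int(s.split(":", 1)[1]), "sas": {}}
            tunnels.append(cur)
            direction = None
        elif cur is None or s.startswith("---"):
            direction = None            # separator: a new policy/tunnel header follows
        elif (m := re.match(r"local\s+address:\s*(\S+)", s)):
            cur["local"] = m.group(1)
        elif (m := re.match(r"remote\s+address:\s*(\S+)", s)):
            cur["remote"] = m.group(1)
        elif (m := re.match(r"sour addr:\s*(\S+)/(\S+)", s)):
            cur["flow_src"] = _cidr(m.group(1), m.group(2))
        elif (m := re.match(r"dest addr:\s*(\S+)/(\S+)", s)):
            cur["flow_dst"] = _cidr(m.group(1), m.group(2))
        elif s in ("[Inbound ESP SAs]", "[Outbound ESP SAs]"):
            direction = "inbound" if s.startswith("[Inbound") else "outbound"
            cur["sas"][direction] = {}
        elif direction and ":" in s:
            key, _, val = s.partition(":")    # "Status: Active" -> {"Status": "Active"}
            cur["sas"][direction][key.strip()] = val.strip()
    return tunnels


def expected_rri_routes(tunnels, preference=100, tag=1000):
    """Static routes RRI should install: peer protected subnet via the remote tunnel address."""
    return [{"destination": t["flow_dst"], "next_hop": t["remote"],
             "preference": preference, "tag": tag} for t in tunnels]


def audit(tunnels):
    """Flag missing or inactive SAs, weak transform sets, and inbound SAs without anti-replay."""
    findings = []
    for t in tunnels:
        tid = t["tunnel_id"]
        for direction in ("inbound", "outbound"):
            sa = t["sas"].get(direction)
            if sa is None:
                findings.append(f"tunnel {tid}: no {direction} ESP SA")
                continue
            if sa.get("Status") != "Active":
                findings.append(f"tunnel {tid}: {direction} SA status {sa.get('Status')!r}")
            for token in sa.get("Transform set", "").split():
                if token in WEAK_ESP_TOKENS:
                    findings.append(f"tunnel {tid}: {direction} SA uses weak {token}")
            if direction == "inbound" and sa.get("Anti-replay check enable") != "Y":
                findings.append(f"tunnel {tid}: anti-replay check disabled on inbound SA")
    return findings


if __name__ == "__main__":
    sas = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    for route in expected_rri_routes(sas):
        print("expect static route", route)
    for finding in audit(sas):
        print("finding:", finding)
```

For the sample output the expected route is 5.5.5.0/24 via 2.2.2.2 with preference 100 and tag 1000, which is what the `display ip routing-table verbose` check should confirm on Switch A; the audit reports the DES transform set on both SAs and nothing else. Feeding it the output of all three branch tunnels gives the full set of routes RRI is supposed to have installed, which can be diffed against the routing table.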