Example: Configuring IPsec RRI

Network configuration

As shown in Figure 120, branches access the enterprise center through an IPsec VPN.

Configure the IPsec VPN as follows:

Figure 120: Network diagram

Procedure

  1. Assign IPv4 addresses to the interfaces on the switches according to Figure 120. (Details not shown.)

  2. Configure Switch A:

    # Create an IPsec transform set named tran1, and specify ESP as the security protocol, DES as the encryption algorithm, and HMAC-SHA-1-96 as the authentication algorithm.

    <SwitchA> system-view
    [SwitchA] ipsec transform-set tran1
    [SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
    [SwitchA-ipsec-transform-set-tran1] protocol esp
    [SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm des
    [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchA-ipsec-transform-set-tran1] quit
    

    # Create and configure the IKE profile named profile1.

    [SwitchA] ike profile profile1
    [SwitchA-ike-profile-profile1] keychain key1
    [SwitchA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0
    [SwitchA-ike-profile-profile1] quit
    

    # Create an IPsec policy template named temp1. Specify IPsec transform set tran1 and IKE profile profile1 for the IPsec policy template.

    [SwitchA] ipsec policy-template temp1 1
    [SwitchA-ipsec-policy-template-temp1-1] transform-set tran1
    [SwitchA-ipsec-policy-template-temp1-1] ike-profile profile1
    

    # Enable IPsec RRI, set the preference to 100 and the tag to 1000 for the static routes created by IPsec RRI.

    [SwitchA-ipsec-policy-template-temp1-1] reverse-route dynamic
    [SwitchA-ipsec-policy-template-temp1-1] reverse-route preference 100
    [SwitchA-ipsec-policy-template-temp1-1] reverse-route tag 1000
    [SwitchA-ipsec-policy-template-temp1-1] quit
    

    # Create an IKE-based IPsec policy entry by using IPsec policy template temp1. Specify the policy name as map1 and set the sequence number to 10.

    [SwitchA] ipsec policy map1 10 isakmp template temp1
    

    # Create an IKE proposal named 1, and specify 3DES as the encryption algorithm, HMAC-SHA1 as the authentication algorithm, and pre-share as the authentication method.

    [SwitchA] ike proposal 1
    [SwitchA-ike-proposal-1] encryption-algorithm 3des-cbc
    [SwitchA-ike-proposal-1] authentication-algorithm sha
    [SwitchA-ike-proposal-1] authentication-method pre-share
    [SwitchA-ike-proposal-1] quit
    

    # Create an IKE keychain named key1 and specify 123 in plain text as the pre-shared key to be used with the remote peer at 2.2.2.2.

    [SwitchA] ike keychain key1
    [SwitchA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123
    [SwitchA-ike-keychain-key1] quit
    

    # Apply IPsec policy map1 to VLAN-interface 100.

    [SwitchA] interface vlan-interface 100
    [SwitchA-Vlan-interface100] ipsec apply policy map1
    [SwitchA-Vlan-interface100] quit
    
  3. Configure Switch B:

    # Create an IPsec transform set named tran1, and specify ESP as the security protocol, DES as the encryption algorithm, and HMAC-SHA-1-96 as the authentication algorithm.

    [SwitchB] ipsec transform-set tran1
    [SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
    [SwitchB-ipsec-transform-set-tran1] protocol esp
    [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm des
    [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchB-ipsec-transform-set-tran1] quit
    

    # Configure IPv4 advanced ACL 3000 to identify traffic from subnet 5.5.5.0/24 to subnet 4.4.4.0/24.

    [SwitchB] acl advanced 3000
    [SwitchB-acl-ipv4-adv-3000] rule permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
    [SwitchB-acl-ipv4-adv-3000] quit
    

    # Create and configure the IKE profile named profile1.

    [SwitchB] ike profile profile1
    [SwitchB-ike-profile-profile1] keychain key1
    [SwitchB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
    [SwitchB-ike-profile-profile1] quit
    

    # Create an IKE-based IPsec policy entry named map1 and configure the following settings for the policy entry:

    • Set the sequence number to 10.

    • Specify transform set tran1 and ACL 3000.

    • Specify the remote IP address for the tunnel as 1.1.1.1.

    • Specify IKE profile profile1.

    [SwitchB] ipsec policy map1 10 isakmp
    [SwitchB-ipsec-policy-isakmp-map1-10] transform-set tran1
    [SwitchB-ipsec-policy-isakmp-map1-10] security acl 3000
    [SwitchB-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
    [SwitchB-ipsec-policy-isakmp-map1-10] ike-profile profile1
    [SwitchB-ipsec-policy-isakmp-map1-10] quit
    

    # Create an IKE proposal named 1, and specify 3DES as the encryption algorithm, HMAC-SHA1 as the authentication algorithm, and pre-share as the authentication method.

    [SwitchB] ike proposal 1
    [SwitchB-ike-proposal-1] encryption-algorithm 3des-cbc
    [SwitchB-ike-proposal-1] authentication-algorithm sha
    [SwitchB-ike-proposal-1] authentication-method pre-share
    [SwitchB-ike-proposal-1] quit
    

    # Create an IKE keychain named key1 and specify 123 in plain text as the pre-shared key to be used with the remote peer at 1.1.1.1.

    [SwitchB] ike keychain key1
    [SwitchB-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 123
    [SwitchB-ike-keychain-key1] quit
    

    # Apply IPsec policy map1 to VLAN-interface 100.

    [SwitchB] interface vlan-interface 100
    [SwitchB-Vlan-interface100] ipsec apply policy map1
    [SwitchB-Vlan-interface100] quit
    

    Make sure Switch B has a route to the peer private network, with the outgoing interface as VLAN-interface 100.

  4. Configure Switch C and Switch D in the same way Switch B is configured.

Verifying the configuration

  1. Verify that IPsec RRI can automatically create a static route from Switch A to Switch B:

    # Initiate a connection from subnet 5.5.5.0/24 to subnet 4.4.4.0/24. IKE negotiation is triggered to establish IPsec SAs between Switch A and Switch B. (Details not shown.)

    # Verify that IPsec SAs are established on Switch A.

    [SwitchA] display ipsec sa
    -------------------------------
    Interface: Vlan-interface100
    -------------------------------
    
      -----------------------------
      IPsec policy: map1
      Sequence number: 10
      Mode: Template
      -----------------------------
        Tunnel id: 0
        Encapsulation mode: tunnel
        Perfect Forward Secrecy:
        Inside VPN: 
        Extended Sequence Numbers enable: N
        Traffic Flow Confidentiality enable: N
        Path MTU: 1463
        Tunnel:
            local  address: 1.1.1.1
            remote address: 2.2.2.2
        Flow:
            sour addr: 4.4.4.0/255.255.255.0  port: 0  protocol: ip
            dest addr: 5.5.5.0/255.255.255.0  port: 0  protocol: ip
    
        [Inbound ESP SAs]
          SPI: 1014286405 (0x3c74c845)
          Connection ID: 90194313219
          Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
          SA duration (kilobytes/sec): 1843200/3600
          SA remaining duration (kilobytes/sec): 1843199/3590
          Max received sequence-number: 4
          Anti-replay check enable: Y
          Anti-replay window size: 64
          UDP encapsulation used for NAT traversal: N
          Status: Active
    
        [Outbound ESP SAs]
          SPI: 4011716027 (0xef1dedbb)
          Connection ID: 64424509441
          Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
          SA duration (kilobytes/sec): 1843200/3600
          SA remaining duration (kilobytes/sec): 1843199/3590
          Max sent sequence-number: 4
          UDP encapsulation used for NAT traversal: N
          Status: Active
    

    # Verify that IPsec RRI has created a static route to reach Switch B.

    [SwitchA] display ip routing-table verbose
    
  2. Verify that Switch A automatically creates static routes to Switch C and Switch D, using the same checks as for Switch A and Switch B above. (Details not shown.)
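As an added example (not from the original configuration guide), the following Python script parses the `display ipsec sa` output shown above and derives the static routes IPsec RRI should have injected on Switch A: the flow's destination subnet reached via the tunnel's remote address, carrying the preference and tag configured under reverse-route. The sample SA text and the routing-table entries are constructed from the page's values, and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample: the Switch A "display ipsec sa" output from the page,
# trimmed to the fields the script needs (tunnel remote address, flow dest addr).
SAMPLE_SA_OUTPUT = """\
Interface: Vlan-interface100
  IPsec policy: map1
  Sequence number: 10
  Mode: Template
    Tunnel:
        local  address: 1.1.1.1
        remote address: 2.2.2.2
    Flow:
        sour addr: 4.4.4.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 5.5.5.0/255.255.255.0  port: 0  protocol: ip
"""


def expected_rri_routes(sa_output, preference=100, tag=1000):
    """Derive the static routes IPsec RRI should inject from 'display ipsec sa' text.

    For each tunnel, the flow's destination network (the peer's private subnet)
    becomes the route destination and the tunnel's remote address the next hop.
    preference and tag default to the values set with reverse-route on the page.
    """
    routes = []
    remote = None
    for line in sa_output.splitlines():
        m = re.match(r"\s*remote address:\s*([\d.]+)", line)
        if m:
            remote = m.group(1)  # remember the peer until its flow line appears
            continue
        m = re.match(r"\s*dest addr:\s*([\d.]+)/([\d.]+)", line)
        if m and remote:
            # The output uses dotted masks; ip_network normalises to prefix form.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append({"dest": str(net), "nexthop": remote,
                           "preference": preference, "tag": tag})
            remote = None  # one RRI route per tunnel flow
    return routes


def missing_routes(expected, routing_table):
    """Return the expected RRI routes absent from a list of routing-table dicts
    (same keys as expected_rri_routes), e.g. parsed from 'display ip routing-table'."""
    key = lambda r: (r["dest"], r["nexthop"], r["preference"], r["tag"])
    present = {key(r) for r in routing_table}
    return [r for r in expected if key(r) not in present]
```

A route present with the wrong preference or tag is reported as missing, which is the case to look for when reverse-route preference or reverse-route tag was mistyped.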