Configuring a manual mode IPsec tunnel for IPv4 packets
Network requirements
As shown in Figure 133, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure the tunnel as follows:
Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as 128-bit AES, and the authentication algorithm as HMAC-SHA1.
Manually set up IPsec SAs.
Figure 128: Network diagram
Configuration procedure
Configure Router A:
# Configure IP addresses for interfaces. (Details not shown.)
# Configure an IPv4 advanced ACL to identify data flows from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<RouterA> system-view [RouterA] acl advanced 3101 [RouterA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [RouterA-acl-ipv4-adv-3101] quit
# Configure a static route to the subnet where Host B resides. The command uses the direct next hop address (2.2.2.3) as an example.
[RouterA] ip route-static 10.1.2.0 255.255.255.0 gigabitethernet 2/0/2 2.2.2.3
# Create an IPsec transform set named tran1.
[RouterA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterA-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterA-ipsec-transform-set-tran1] quit
# Create a manual IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.
[RouterA] ipsec policy map1 10 manual
# Apply ACL 3101.
[RouterA-ipsec-policy-manual-map1-10] security acl 3101
# Apply the IPsec transform set tran1.
[RouterA-ipsec-policy-manual-map1-10] transform-set tran1
# Specify the remote IP address of the IPsec tunnel as 2.2.3.1.
[RouterA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1
# Configure inbound and outbound SPIs for ESP.
[RouterA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345 [RouterA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
# Configure the inbound and outbound SA keys for ESP.
[RouterA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg [RouterA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba [RouterA-ipsec-policy-manual-map1-10] quit
# Apply the IPsec policy map1 to interface GigabitEthernet 2/0/2.
[RouterA] interface gigabitethernet 2/0/2 [RouterA-GigabitEthernet2/0/2] ip address 2.2.2.1 255.255.255.0 [RouterA-GigabitEthernet2/0/2] ipsec apply policy map1 [RouterA-GigabitEthernet2/0/2] quit
Configure Router B:
# Configure IP addresses for interfaces. (Details not shown.)
# Configure an IPv4 advanced ACL to identify data flows from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.
<RouterB> system-view [RouterB] acl advanced 3101 [RouterB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [RouterB-acl-ipv4-adv-3101] quit
# Configure a static route to Host A. The command uses the direct next hop address (2.2.3.3) as an example.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet 2/0/2 2.2.3.3
# Create an IPsec transform set named tran1.
[RouterB] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterB-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterB-ipsec-transform-set-tran1] quit
# Create a manual IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.
[RouterB] ipsec policy use1 10 manual
# Apply ACL 3101.
[RouterB-ipsec-policy-manual-use1-10] security acl 3101
# Apply IPsec transform set tran1.
[RouterB-ipsec-policy-manual-use1-10] transform-set tran1
# Specify the remote IP address of the IPsec tunnel as 2.2.2.1.
[RouterB-ipsec-policy-manual-use1-10] remote-address 2.2.2.1
# Configure the inbound and outbound SPIs for ESP.
[RouterB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321 [RouterB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
# Configure the inbound and outbound SA keys for ESP.
[RouterB-ipsec-policy-manual-use1-10] sa string-key outbound esp simple gfedcba [RouterB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg [RouterB-ipsec-policy-manual-use1-10] quit
# Apply the IPsec policy use1 to interface GigabitEthernet 2/0/2.
[RouterB] interface gigabitethernet 2/0/2 [RouterB-GigabitEthernet2/0/2] ip address 2.2.3.1 255.255.255.0 [RouterB-GigabitEthernet2/0/2] ipsec policy use1 [RouterB-GigabitEthernet2/0/2] quit
Verifying the configuration
After the configuration is completed, an IPsec tunnel between Router A and Router B is established, and the traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 is IPsec protected. This example uses Router A to verify the configuration.
# Use the display ipsec sa command to display IPsec SAs on Router A.
[RouterA] display ipsec sa ------------------------------- Interface: GigabitEthernet2/0/2 ------------------------------- ----------------------------- IPsec policy: map1 Sequence number: 10 Mode: Manual ----------------------------- Tunnel id: 549 Encapsulation mode: tunnel Path MTU: 1443 Tunnel: local address: 2.2.2.1 remote address: 2.2.3.1 Flow: as defined in ACL 3101 [Inbound ESP SA] SPI: 54321 (0x0000d431) Connection ID: 1 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 No duration limit for this SA [Outbound ESP SA] SPI: 12345 (0x00003039) Connection ID: 2 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 No duration limit for this SA