Configuring an IKE-based IPsec tunnel for IPv4 packets
Network requirements
As shown in Figure 134, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure the IPsec tunnel as follows:
Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as 128-bit AES, and the authentication algorithm as HMAC-SHA1.
Set up SAs through IKE negotiation.
Figure 129: Network diagram
Configuration procedure
Configure Router A:
# Configure IP addresses for interfaces. (Details not shown.)
# Configure an IPv4 advanced ACL to identify data flows from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<RouterA> system-view [RouterA] acl advanced 3101 [RouterA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [RouterA-acl-ipv4-adv-3101] quit
# Configure a static route to Host B. The command uses the direct next hop address (2.2.2.3) as an example.
[RouterA] ip route-static 10.1.2.0 255.255.255.0 gigabitethernet 2/0/2 2.2.2.3
# Create an IPsec transform set named tran1.
[RouterA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterA-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterA-ipsec-transform-set-tran1] quit
# Create an IKE keychain named keychain1.
[RouterA] ike keychain keychain1
# Specify 123456TESTplat&! in plain text as the pre-shared key to be used with the remote peer at 2.2.3.1.
[RouterA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&! [RouterA-ike-keychain-keychain1] quit
# Create and configure the IKE profile named profile1.
[RouterA] ike profile profile1 [RouterA-ike-profile-profile1] keychain keychain1 [RouterA-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0 [RouterA-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.
[RouterA] ipsec policy map1 10 isakmp
# Apply ACL 3101.
[RouterA-ipsec-policy-isakmp-map1-10] security acl 3101
# Apply the IPsec transform set tran1.
[RouterA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Specify the local and remote IP addresses of the IPsec tunnel as 2.2.2.1 and 2.2.3.1.
[RouterA-ipsec-policy-isakmp-map1-10] local-address 2.2.2.1 [RouterA-ipsec-policy-isakmp-map1-10] remote-address 2.2.3.1
# Apply the IKE profile profile1.
[RouterA-ipsec-policy-isakmp-map1-10] ike-profile profile1 [RouterA-ipsec-policy-isakmp-map1-10] quit
# Apply the IPsec policy map1 to interface GigabitEthernet 2/0/2.
[RouterA] interface gigabitethernet 2/0/2 [RouterA-GigabitEthernet2/0/2] ip address 2.2.2.1 255.255.255.0 [RouterA-GigabitEthernet2/0/2] ipsec apply policy map1 [RouterA-GigabitEthernet2/0/2] quit
Configure Router B:
# Configure IP addresses for interfaces. (Details not shown.)
# Configure an IPv4 advanced ACL to identify data flows from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.
<RouterB> system-view [RouterB] acl advanced 3101 [RouterB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [RouterB-acl-ipv4-adv-3101] quit
# Configure a static route to Host A. The command uses the direct next hop address (2.2.3.3) as an example.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet 2/0/2 2.2.3.3
# Create an IPsec transform set named tran1.
[RouterB] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterB-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterB-ipsec-transform-set-tran1] quit
# Create an IKE keychain named keychain1.
[RouterB] ike keychain keychain1
# Specify 123456TESTplat&! in plain text as the pre-shared key to be used with the remote peer at 2.2.2.1.
[RouterB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&! [RouterB-ike-keychain-keychain1] quit
# Create and configure the IKE profile named profile1.
[RouterB] ike profile profile1 [RouterB-ike-profile-profile1] keychain keychain1 [RouterB-ike-profile-profile1] match remote identity address 2.2.2.1 255.255.255.0 [RouterB-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.
[RouterB] ipsec policy use1 10 isakmp
# Apply ACL 3101.
[RouterB-ipsec-policy-isakmp-use1-10] security acl 3101
# Apply the IPsec transform set tran1.
[RouterB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Specify the local and remote IP addresses of the IPsec tunnel as 2.2.3.1 and 2.2.2.1.
[RouterB-ipsec-policy-isakmp-use1-10] local-address 2.2.3.1 [RouterB-ipsec-policy-isakmp-use1-10] remote-address 2.2.2.1
# Apply the IKE profile profile1.
[RouterB-ipsec-policy-isakmp-use1-10] ike-profile profile1 [RouterB-ipsec-policy-isakmp-use1-10] quit
# Apply the IPsec policy use1 to interface GigabitEthernet 2/0/2.
[RouterB] interface gigabitethernet 2/0/2 [RouterB-GigabitEthernet2/0/2] ip address 2.2.3.1 255.255.255.0 [RouterB-GigabitEthernet2/0/2] ipsec apply policy use1 [RouterB-GigabitEthernet2/0/2] quit
Verifying the configuration
# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, the traffic between the two subnets is IPsec protected.
# Use the display ipsec sa command to display IPsec SAs on Router A and Router B. This example uses Router A to verify the configuration.
[RouterA] display ipsec sa ------------------------------- Interface: GigabitEthernet2/0/2 ------------------------------- ----------------------------- IPsec policy: map1 Sequence number: 10 Mode: ISAKMP Flow table status: Active ----------------------------- Tunnel id: 0 Encapsulation mode: tunnel Perfect Forward Secrecy: Inside VRF: Extended Sequence Number enable: N Traffic Flow Confidentiality enable: N Path MTU: 1443 Tunnel: local address: 2.2.3.1 remote address: 2.2.2.1 Flow: sour addr: 2.2.3.1/0.0.0.0 port: 0 protocol: ip dest addr: 2.2.2.1/0.0.0.0 port: 0 protocol: ip [Inbound ESP SAs] SPI: 3769702703 (0xe0b1192f) Connection ID: 1 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 3000/28800 SA remaining duration (kilobytes/sec): 2300/797 Max received sequence-number: 1 Anti-replay check enable: N Anti-replay window size: UDP encapsulation used for NAT traversal: N Status: Active [Outbound ESP SAs] SPI: 3840956402 (0xe4f057f2) Connection ID: 2 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 3000/28800 SA remaining duration (kilobytes/sec): 2312/797 Max sent sequence-number: 1 UDP encapsulation used for NAT traversal: N Status: Active