Configuring an IKE-based IPsec tunnel for IPv6 packets
Network requirements
As shown in Figure 135, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 333::/64 and subnet 555::/64. Configure the IPsec tunnel as follows:
Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as 128-bit AES, and the authentication algorithm as HMAC-SHA1.
Set up SAs through IKE negotiation.
Figure 130: Network diagram
Configuration procedure
Configure Router A:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Configure an IPv6 advanced ACL to identify data flows from subnet 333::/64 to subnet 555::/64.
<RouterA> system-view [RouterA] acl ipv6 advanced 3101 [RouterA-acl-ipv6-adv-3101] rule permit ipv6 source 333::0 64 destination 555::0 64 [RouterA-acl-ipv6-adv-3101] quit
# Configure a static route to Host B. The command uses the direct next hop address (111::2) as an example.
[RouterA] ipv6 route-static 555::0 64 111::2
# Create an IPsec transform set named tran1.
[RouterA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterA-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterA-ipsec-transform-set-tran1] quit
# Create and configure the IKE keychain named keychain1.
[RouterA] ike keychain keychain1 [RouterA-ike-keychain-keychain1] pre-shared-key address ipv6 222::1 64 key simple 123456TESTplat&! [RouterA-ike-keychain-keychain1] quit
# Create and configure the IKE profile named profile1.
[RouterA] ike profile profile1 [RouterA-ike-profile-profile1] keychain keychain1 [RouterA-ike-profile-profile1] match remote identity address ipv6 222::1 64 [RouterA-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.
[RouterA] ipsec ipv6-policy map1 10 isakmp
# Apply IPv6 ACL 3101.
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] security acl ipv6 3101
# Apply the IPsec transform set tran1.
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] transform-set tran1
# Specify the local and remote IPv6 addresses of the IPsec tunnel as 111::1 and 222::1.
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] local-address ipv6 111::1 [RouterA-ipsec-ipv6-policy-isakmp-map1-10] remote-address ipv6 222::1
# Apply the IKE profile profile1.
[RouterA-ipsec-ipv6-policy-isakmp-map1-10] ike-profile profile1 [RouterA-ipsec-ipv6-policy-isakmp-map1-10] quit
# Apply the IPsec policy map1 to interface GigabitEthernet 2/0/2.
[RouterA] interface gigabitethernet 2/0/2 [RouterA-GigabitEthernet2/0/2] ipv6 address 111::1/64 [RouterA-GigabitEthernet2/0/2] ipsec apply ipv6-policy map1 [RouterA-GigabitEthernet2/0/2] quit
Configure Router B:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Configure an IPv6 advanced ACL to identify data flows from subnet 555::/64 to subnet 333::/64.
<RouterB> system-view [RouterB] acl ipv6 advanced 3101 [RouterB-acl-ipv6-adv-3101] rule permit ipv6 source 555::/64 destination 333::/64 [RouterB-acl-ipv6-adv-3101] quit
# Configure a static route to Host A. The command uses the direct next hop address (222::2) as an example.
[RouterB] ipv6 route-static 333::0 64 222::2
# Create an IPsec transform set named tran1.
[RouterB] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterB-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterB-ipsec-transform-set-tran1] quit
# Create and configure the IKE keychain named keychain1.
[RouterB] ike keychain keychain1 [RouterB-ike-keychain-keychain1] pre-shared-key address ipv6 111::1 64 key simple 123456TESTplat&! [RouterB-ike-keychain-keychain1] quit
# Create and configure the IKE profile named profile1.
[RouterB] ike profile profile1 [RouterB-ike-profile-profile1] keychain keychain1 [RouterB-ike-profile-profile1] match remote identity address ipv6 111::1 64 [RouterB-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.
[RouterB] ipsec ipv6-policy use1 10 isakmp
# Apply ACL 3101.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] security acl ipv6 3101
# Apply the IPsec transform set tran1.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] transform-set tran1
# Specify the local and remote IPv6 addresses of the IPsec tunnel as 222::1 and 111::1.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] local-address ipv6 222::1 [RouterB-ipsec-ipv6-policy-isakmp-use1-10] remote-address ipv6 111::1
# Apply the IKE profile profile1.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] ike-profile profile1 [RouterB-ipsec-ipv6-policy-isakmp-use1-10] quit
# Apply the IPsec policy use1 to interface GigabitEthernet 2/0/2.
[RouterB] interface gigabitethernet 2/0/2 [RouterB-GigabitEthernet2/0/2] ipv6 address 222::1/64 [RouterB-GigabitEthernet2/0/2] ipsec apply ipv6-policy use1 [RouterB-GigabitEthernet2/0/2] quit
Verifying the configuration
# Initiate a connection from subnet 333::/64 to subnet 555::/64 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, the traffic between the two subnets is IPsec protected.
# Use the display ipsec sa command to display IPsec SAs on Router A and Router B. This example uses Router A to verify the configuration.
[RouterA] display ipsec sa ------------------------------- Interface: GigabitEthernet2/0/2 ------------------------------- ----------------------------- IPsec policy: map1 Sequence number: 10 Mode: ISAKMP ----------------------------- Tunnel id: 0 Encapsulation mode: tunnel Perfect Forward Secrecy: Inside VRF: Path MTU: 1423 Tunnel: local address: 111::1 remote address: 222::1 Flow: sour addr: 111::1/0 port: 0 protocol: ipv6 dest addr: 222::1/0 port: 0 protocol: ipv6 [Inbound ESP SAs] SPI: 3769702703 (0xe0b1192f) Connection ID: 1 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 3000/28800 SA remaining duration (kilobytes/sec): 2300/797 Max received sequence-number: 1 Anti-replay check enable: N Anti-replay window size: UDP encapsulation used for NAT traversal: N Status: Active [Outbound ESP SAs] SPI: 3840956402 (0xe4f057f2) Connection ID: 2 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 3000/28800 SA remaining duration (kilobytes/sec): 2312/797 Max sent sequence-number: 1 UDP encapsulation used for NAT traversal: N Status: Active