IKEv2 with NAT traversal configuration example
Network requirements
As shown in Figure 149, Device A is behind the NAT device. Configure an IKE-based IPsec tunnel between Device A and Deice B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
Configure Device A and Device B to use the default IKEv2 proposal and the default IKEv2 policy in IKEv2 negotiation to set up IPsec SAs.
Configure the two devices to use the pre-shared key authentication method in IKEv2 negotiation.
Figure 144: Network diagram
Configuration procedure
Configure Device A:
# Assign an IP address to each interface. (Details not shown.)
# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<DeviceA> system-view [DeviceA] acl advanced 3101 [DeviceA-acl-ipv4-adv-3101] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [DeviceA-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named transform1.
[DeviceA] ipsec transform-set transform1
# Use the ESP protocol for the IPsec transform set.
[DeviceA-ipsec-transform-set-transform1] protocol esp
# Specify the encryption and authentication algorithms.
[DeviceA-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc [DeviceA-ipsec-transform-set-transform1] esp authentication-algorithm md5 [DeviceA-ipsec-transform-set-transform1] quit
# Create an IKEv2 keychain named keychain1.
[DeviceA] ikev2 keychain keychain1
# Create an IKEv2 peer named peer1.
[DeviceA-ikev2-keychain-keychain1] peer peer1
# Specify the peer IP address 2.2.2.2/16.
[DeviceA-ikev2-keychain-keychain1-peer-peer1] address 2.2.2.2 16
# Specify the peer ID, which is the IP address 2.2.2.2.
[DeviceA-ikev2-keychain-keychain1-peer-peer1] identity address 2.2.2.2
# Specify 123 in plain text as the pre-shared key to be used with the peer.
[DeviceA-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext 123 [DeviceA-ikev2-keychain-keychain1-peer-peer1] quit [DeviceA-ikev2-keychain-keychain1] quit
# Create an IKEv2 profile named profile1.
[DeviceA] ikev2 profile profile1
# Specify the IKEv2 keychain keychain1.
[DeviceA-ikev2-profile-profile1] keychain keychain1
# Set the local ID to the FQDN name www.devicea.com.
[DeviceA-ikev2-profile-profile1] identity local fqdn www.devicea.com
# Specify the peer ID that the IKEv2 profile matches. The peer ID is the IP address 2.2.2.2/16.
[DeviceA-ikev2-profile-profile1] match remote identity address 2.2.2.2 255.255.0.0 [DeviceA-ikev2-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as policy1 and set the sequence number to 1.
[DeviceA] ipsec policy policy1 1 isakmp
# Specify the remote IP address 2.2.2.2 for the IPsec tunnel.
[DeviceA-ipsec-policy-isakmp-policy1-1] remote-address 2.2.2.2
# Specify the IPsec transform set transform1 for the IPsec policy.
[DeviceA-ipsec-policy-isakmp-policy1-1] transform-set transform1
# Specify ACL 3101 to identify the traffic to be protected.
[DeviceA-ipsec-policy-isakmp-policy1-1] security acl 3101
# Specify the IKEv2 profile profile1 for the IPsec policy.
[DeviceA-ipsec-policy-isakmp-policy1-1] ikev2-profile profile1 [DeviceA-ipsec-policy-isakmp-policy1-1] quit
# Apply the IPsec policy policy1 to interface GigabitEthernet 2/0/1.
[DeviceA] interface gigabitethernet 2/0/1 [DeviceA-GigabitEthernet2/0/1] ipsec apply policy policy1 [DeviceA-GigabitEthernet2/0/1] quit
# Configure a static route to the subnet where Host B resides. The command uses the direct next hop address (1.1.1.2) as an example.
[DeviceA] ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
Configure Device B:
# Assign an IP address to each interface. (Details not shown.)
# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.
<DeviceA> system-view [DeviceA] acl advanced 3101 [DeviceA-acl-ipv4-adv-3101] rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [DeviceA-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named transform1.
<DeviceB> system-view [DeviceB] ipsec transform-set transform1
# Use the ESP protocol for the IPsec transform set.
[DeviceB-ipsec-transform-set-transform1] protocol esp
# Specify the encryption and authentication algorithms.
[DeviceB-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc [DeviceB-ipsec-transform-set-transform1] esp authentication-algorithm md5 [DeviceB-ipsec-transform-set-transform1] quit
# Create an IKEv2 keychain named keychain1.
[DeviceB]ikev2 keychain keychain1
# Create an IKEv2 peer named peer1.
[DeviceB-ikev2-keychain-keychain1] peer peer1
# Specify the peer IP address 1.1.1.1/16.
[DeviceB-ikev2-keychain-keychain1-peer-peer1] address 1.1.1.1 16
# Specify the peer ID, which is the IP address 1.1.1.1.
[DeviceB-ikev2-keychain-keychain1-peer-peer1] identity address 1.1.1.1
# Specify 123 in plain text as the pre-shared key to be used with the peer.
[DeviceB-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext 123 [DeviceB-ikev2-keychain-keychain1-peer-peer1] quit [DeviceB-ikev2-keychain-keychain1] quit
# Create an IKEv2 profile named profile1.
[DeviceB] ikev2 profile profile1
# Specify the IKEv2 keychain keychain1.
[DeviceB-ikev2-profile-profile1] keychain keychain1
# Specify the peer ID that the IKEv2 profile matches. The peer ID is the FQDN name www.devicea.com.
[DeviceB-ikev2-profile-profile1] match remote identity fqdn www.devicea.com [DeviceB-ikev2-profile-profile1] quit
# Create an IPsec policy template entry. Specify the template name as template1 and set the sequence number to 1.
[DeviceB] ipsec policy-template template1 1
# Specify the remote IP address 1.1.1.1 for the IPsec tunnel.
[DeviceB-ipsec-policy-template-template1-1] remote-address 1.1.1.1
# Specify ACL 3101 to identify the traffic to be protected.
[DeviceB-ipsec-policy-template-template1-1] security acl 3101
# Specify the IPsec transform set transform1 for the IPsec policy template.
[DeviceB-ipsec-policy-template-template1-1] transform-set transform1
# Specify the IKEv2 profile profile1 for the IPsec policy template.
[DeviceB-ipsec-policy-template-template1-1] ikev2-profile profile1 [DeviceB-ipsec-policy-template-template1-1] quit
# Create an IKE-based IPsec policy entry by using IPsec policy template template1. Specify the policy name as policy1 and set the sequence number to 1.
[DeviceB] ipsec policy policy1 1 isakmp template template1
# Apply the IPsec policy policy1 to interface GigabitEthernet 2/0/1.
[DeviceB] interface gigabitethernet 2/0/1 [DeviceB-GigabitEthernet2/0/1] ipsec apply policy policy1 [DeviceB-GigabitEthernet2/0/1] quit
# Configure a static route to the subnet where Host A resides. The command uses the direct next hop address (2.2.2.1) as an example.
[DeviceB] ip route-static 10.1.1.0 255.255.255.0 2.2.2.1
Verifying the configuration
# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKEv2 negotiation. After IPsec SAs are successfully negotiated by IKEv2, traffic between the two subnets is IPsec protected.
# Display the IKEv2 SA on Device A.
[DeviceA] display ikev2 sa Tunnel ID Local Remote Status --------------------------------------------------------------------------- 1 1.1.1.1/500 2.2.2.2/500 EST Status: IN-NEGO: Negotiating, EST: Establish, DEL:Deleting [DeviceA] display ikev2 sa verbose ----------------------------------------------- Connection ID: 13 Outside VPN: Inside VPN: Profile: profile1 Transmitting entity: Initiator ----------------------------------------------- Local IP: 1.1.1.1 Local ID type: FQDN Local ID: www.devicea.com Remote IP: 2.2.2.2 Remote ID type: IPV4_ADDR Remote ID: 2.2.2.2 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: MD5 Encryption-algorithm: 3DES-CBC Life duration(sec): 86400 Remaining key duration(sec): 84565 Exchange-mode: Aggressive Diffie-Hellman group: Group 1 NAT traversal: Detected
# Display the IPsec SAs on Device A.
[DeviceA] display ipsec sa ------------------------------- Interface: GigabitEthernet2/0/1 ------------------------------- ----------------------------- IPsec policy: policy1 Sequence number: 1 Mode: ISAKMP ----------------------------- Tunnel id: 0 Encapsulation mode: tunnel Perfect forward secrecy: Path MTU: 1435 Tunnel: local address: 1.1.1.1 remote address: 2.2.2.2 Flow: sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP dest addr: 10.2.1.0/255.255.255.0 port: 0 protocol: IP [Inbound ESP SAs] SPI: 830667426 (0x3182faa2) Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/2313 Max received sequence-number: Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for nat traversal: Y Status: active [Outbound ESP SAs] SPI: 3516214669 (0xd1952d8d) Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/2313 Max received sequence-number: Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for nat traversal: Y Status: active