IKEv2 with RSA signature authentication configuration example
Network requirements
As shown in Figure 101, configure an IKE-based IPsec tunnel between Switch A and Switch B to secure the communication between them.
Configure Switch A and Switch B to use IKEv2 negotiation and RSA signature authentication.
Figure 100: Network diagram
Configuration procedure
Configure Switch A:
# Assign an IP address to VLAN-interface 1.
<SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-vlan-interface1] ip address 1.1.1.1 255.255.255.0 [SwitchA-vlan-interface1] quit
# Configure IPv4 advanced ACL 3101 to identify the traffic between Switch A and Switch B.
[SwitchA] acl advanced 3101 [SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 [SwitchA-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[SwitchA-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchA-ipsec-transform-set-tran1] quit
# Create a PKI entity named entity1.
[SwitchA] pki entity entity1
# Set the common name to switcha for the PKI entity.
[SwitchA-pki-entity-entity1] common-name switcha [SwitchA-pki-entity-entity1] quit
# Create a PKI domain named domain1.
[SwitchA] pki domain domain1
# Set the certificate request mode to auto and set the password to 123 for certificate revocation.
[SwitchA-pki-domain-domain1] certificate request mode auto password simple 123
# Set an MD5 fingerprint for verifying the validity of the CA root certificate.
[SwitchA-pki-domain-domain1] root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e
# Specify the trusted CA 8088.
[SwitchA-pki-domain-domain1] ca identifier 8088
# Specify the URL of the registration server for certificate request through the SCEP protocol. This example uses http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7.
[SwitchA-pki-domain-domain1] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7
# Specify the CA to accept certificate requests.
[SwitchA-pki-domain-domain1] certificate request from ca
# Specify the PKI entity for certificate request as entity1.
[SwitchA-pki-domain-domain1] certificate request entity entity1
# Specify the RSA key pair rsa1 with the general purpose for certificate request.
[SwitchA-pki-domain-domain1] public-key rsa general name rsa1 [SwitchA-pki-domain-domain1] quit
# Create an IKEv2 profile named profile1.
[SwitchA] ikev2 profile profile1
# Specify the local authentication method as RSA signatures.
[SwitchA-ikev2-profile-profile1] authentication-method local rsa-signature
# Specify the remote authentication method as RSA signatures.
[SwitchA-ikev2-profile-profile1] authentication-method remote rsa-signature
# Specify PKI domain domain1 for the IKEv2 profile.
[SwitchA-ikev2-profile-profile1] certificate domain domain1
# Set the local ID to the FQDN name www.switcha.com.
[SwitchA-ikev2-profile-profile1] identity local fqdn www.switcha.com
# Specify the peer ID that the IKEv2 profile matches. The peer ID is the FQDN name www.switchb.com.
[SwitchA-ikev2-profile-profile1] match remote identity fqdn www.switchb.com [SwitchA-ikev2-profile-profile1] quit
# Create an IKEv2 proposal named 10.
[SwitchA] ikev2 proposal 10
# Specify the integrity protection algorithm as HMAC-MD5.
[SwitchA-ikev2-proposal-10] integrity md5
# Specify the encryption algorithm as 3DES-CBC.
[SwitchA-ikev2-proposal-10] encryption 3des-cbc
# Specify the DH group as Group 1.
[SwitchA-ikev2-proposal-10] dh group1
# Specify the PRF algorithm as HMAC-MD5.
[SwitchA-ikev2-proposal-10] prf md5 [SwitchA-ikev2-proposal-10] quit
# Create an IKEv2 policy named 1.
[SwitchA] ikev2 policy 1
# Specify IKEv2 proposal 10 for the IKEv2 policy.
[SwitchA-ikev2-policy-1] proposal 10 [SwitchA-ikev2-policy-1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.
[SwitchA] ipsec policy map1 10 isakmp
# Specify the remote IP address 2.2.2.2 for the IPsec tunnel.
[SwitchA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2
# Specify IPsec transform set tran1 for the IPsec policy.
[SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Specify ACL 3101 to identify the traffic to be protected.
[SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101
# Specify IKEv2 profile profile1 for the IPsec policy.
[SwitchA-ipsec-policy-isakmp-map1-10] ikev2-profile profile1 [SwitchA-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy map1 to VLAN-interface 1.
[SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ipsec apply policy map1
# Specify an Ethernet interface module or a service module for forwarding the traffic on the interface.
[SwitchA-Vlan-interface1] service slot 3 [SwitchA-Vlan-interface1] quit
Configure Switch B:
# Assign an IP address to VLAN-interface 1.
<SwitchB> system-view [SwitchB] interface Vlan-interface1 [SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0 [SwitchB-Vlan-interface1] quit
# Configure IPv4 advanced ACL 3101 to identify the traffic between Switch B and Switch A.
[SwitchB] acl advanced 3101 [SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0 [SwitchB-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[SwitchB-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchB-ipsec-transform-set-tran1] quit
# Create a PKI entity named entity2.
[SwitchB] pki entity entity2
# Set the common name to switchb for the PKI entity.
[SwitchB-pki-entity-entity2] common-name switchb [SwitchB-pki-entity-entity2] quit
# Create a PKI domain named domain2.
[SwitchB] pki domain domain2
# Set the certificate request mode to auto and set the password to 123 for certificate revocation.
[SwitchB-pki-domain-domain2] certificate request mode auto password simple 123
# Set an MD5 fingerprint for verifying the validity of the CA root certificate.
[SwitchB-pki-domain-domain2] root-certificate fingerprint md5 50c7a2d282ea710a449eede6c56b102e
# Specify the trusted CA 8088.
[SwitchB-pki-domain-domain2] ca identifier 8088
# Specify the URL of the registration server for certificate request through the SCEP protocol. This example uses http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7.
[SwitchB-pki-domain-domain2] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7
# Specify the CA to accept certificate requests.
[SwitchB-pki-domain-domain2] certificate request from ca
# Specify the PKI entity for certificate request as entity2.
[SwitchB-pki-domain-domain2] certificate request entity entity2
# Specify the RSA key pair rsa1 with the general purpose for certificate request.
[SwitchB-pki-domain-domain2] public-key rsa general name rsa1 [SwitchB-pki-domain-domain2] quit
# Create an IKEv2 profile named profile2.
[SwitchB] ikev2 profile profile2
# Specify the local authentication method as RSA signatures.
[SwitchB-ikev2-profile-profile2] authentication-method local rsa-signature
# Specify the remote authentication method as RSA signatures.
[SwitchB-ikev2-profile-profile2] authentication-method remote rsa-signature
# Set the local identity to the FQDN name www.switchb.com.
[SwitchB-ikev2-profile-profile2] identity local fqdn www.switchb.com
# Specify the peer ID that the IKEv2 profile matches. The peer ID is the FQDN name www.switcha.com.
[SwitchB-ikev2-profile-profile2] match remote identity fqdn www.switcha.com [SwitchB-ikev2-profile-profile2] quit
# Create an IKEv2 proposal named 10.
[SwitchB] ikev2 proposal 10
# Specify the integrity protection algorithm as HMAC-MD5.
[SwitchB-ikev2-proposal-10] integrity md5
# Specify the encryption algorithm as 3DES-CBC.
[SwitchB-ikev2-proposal-10] encryption 3des-cbc
# Specify the DH group as Group 1.
[SwitchB-ikev2-proposal-10] dh group1
# Specify the PRF algorithm as HMAC-MD5.
[SwitchB-ikev2-proposal-10] prf md5 [SwitchB-ikev2-proposal-10] quit
# Create an IKEv2 policy named 1.
[SwitchB] ikev2 policy 1
# Specify IKEv2 proposal 10 for the IKEv2 policy.
[SwitchB-ikev2-policy-1] proposal 10 [SwitchB-ikev2-policy-1] quit
# Create an IPsec policy template entry. Specify the template name as template1 and set the sequence number to 1.
[SwitchB] ipsec policy-template template1 1
# Specify the remote IP address 1.1.1.1 for the IPsec tunnel.
[SwitchB-ipsec-policy-template-template1-1] remote-address 1.1.1.1
# Specify ACL 3101 to identify the traffic to be protected.
[SwitchB-ipsec-policy-template-template1-1] security acl 3101
# Specify IPsec transform set tran1 for the IPsec policy template.
[SwitchB-ipsec-policy-template-template1-1] transform-set tran1
# Specify IKEv2 profile profile2 for the IPsec policy template.
[SwitchB-ipsec-policy-template-template1-1] ikev2-profile profile2 [SwitchB-ipsec-policy-template-template1-1] quit
# Create an IKE-based IPsec policy entry by using IPsec policy template template1. Specify the policy name as use1 and set the sequence number to 1.
[SwitchB] ipsec policy use1 1 isakmp template template1
# Apply IPsec policy use1 to VLAN-interface 1.
[SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ipsec apply policy use1
# Specify an Ethernet interface module or a service module for forwarding the traffic on the interface.
[SwitchB-Vlan-interface1] service slot 3 [SwitchB-Vlan-interface1] quit
Verifying the configuration
# Initiate a connection between Switch A and Switch B to trigger IKEv2 negotiation. After IPsec SAs are successfully negotiated by IKEv2, traffic between the switches is IPsec protected.