H3C MSR Routers Configuration Examples(Web)-R6728-6W100

07-IPsec VPN Configuration Examples

Introduction

The following information provides IPsec VPN configuration examples based on the two IKE phase 1 negotiation modes:

·     Main mode—Applicable in scenarios where both the WAN interfaces on the headquarters and branch gateway routers use fixed public addresses.

·     Aggressive mode—Applicable in scenarios where the WAN interface on the headquarters or branch gateway router uses dynamic public addresses (for example, DHCP-assigned IP addresses).

Refer to the main mode or aggressive mode configuration example in this document to configure the IPsec VPN according to your actual network.

Prerequisites

Procedures and information in the examples might be slightly different depending on the software or hardware version of the routers.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of IPsec VPN.

Software versions used

The configuration examples were created and verified on Release 6728P22 of the MSR830-10HI router and Release 6728P22 of the MSR3600-28-G-DP router.

Example: Configuring main mode IPsec VPN

Network configuration

As shown in Figure 1, the headquarters gateway Router A and branch gateway Router B each use a single WAN interface with a fixed public address to connect to the Internet. The headquarters and the branch communicate with each other over the Internet. To protect data flows between the headquarters and the branch, establish an IPsec tunnel between the gateway routers. Configure the network as follows:

·     Configure Router A and Router B to use preshared key 123456TESTplat&! for authentication.

·     Specify the encapsulation mode as tunnel and the security protocol as ESP.

·     Specify the encryption algorithm as 3DES-CBC and the authentication algorithm as MD5.

Figure 1 Network diagram

 

Analysis

To configure IPsec VPN, complete the following configurations on Router A and Router B:

1.     Configure basic WAN and LAN settings.

a.     Specify the IP address and gateway of the WAN interface on each router.

b.     Modify the default IP address of VLAN 1 on each router.

2.     Add an IPsec policy.

Because the WAN interface on each router uses a fixed public IP address, configure the IPsec policy to use main mode for phase 1 IKE negotiation. Main mode with preshared key authentication looks up the key by the peer's IP address before the identity payloads are exchanged, so it requires both peers to have known, fixed addresses.

Restrictions and guidelines

After you modify the default IP address of VLAN 1, the Web connection fails. You must use the modified IP address to log in to the Web interface again.

If your network uses dual-WAN or multiple-WAN access, configure a static route on each router to direct the traffic destined for the peer internal network to the WAN interface specified in the IPsec policy. In this example, the routers use single-WAN access. No static route configuration is needed. The routers will generate a default route to direct all traffic to the egress gateway.

Make sure both sides of the IPsec tunnel use the same preshared key, security protocol, encryption algorithm, authentication algorithm, and encapsulation mode. Also make sure the Remote ID configured on one side is exactly the Local ID sent by the other side.

The 3DES-CBC and MD5 algorithms used in these examples are legacy algorithms kept for interoperability. On a production network, prefer AES encryption and SHA-2 authentication where both peers support them, and use a long, random preshared key rather than the sample key shown here.

Procedures

Configuring Router A

Modifying the IP address of VLAN 1

# Modify the VLAN interface IP address of VLAN 1 to 10.1.1.1/24.

1.     Log in to the Web interface. From the navigation pane, select Network > LAN Settings.

2.     Click the Edit icon in the Operation column for VLAN 1.

3.     In the Interface IP address field, enter 10.1.1.1.

4.     In the Subnet mask field, enter 255.255.255.0.

5.     Use the default settings for other parameters, and then click Apply.

Figure 2 Modifying VLAN 1

 

Configuring the WAN interface (WAN0) to connect to the Internet

# Configure a single WAN interface using a fixed IP address.

1.     From the navigation pane, select Network > WAN Settings.

2.     On the Scene page that opens, select Single-WAN scenario, and then select WAN0(GE0) in the Line1 field.

3.     Click Apply.

Figure 3 Configuring WAN scenario

 

4.     Click the WAN Settings tab.

5.     Click the Edit icon in the Operation column for WAN0(GE0).

6.     In the Connection mode field, select Fixed IP.

7.     In the IP address field, enter 2.2.2.1.

8.     In the Subnet mask field, enter 255.255.255.0.

9.     In the Gateway field, enter 2.2.2.254.

10.     Use the default settings for other parameters, and then click Apply.

Figure 4 Modifying WAN settings

 

Configuring the IPsec policy

# Specify the network mode as the headquarters gateway and the IKE negotiation mode as the main mode.

1.     From the navigation pane, select Virtual Network > IPsec VPN.

2.     Click Add.

3.     On the page that opens, configure the following parameters:

¡     Specify the name as map1.

¡     Select WAN0(GE0) in the Interface field.

¡     Select Headquarters gateway in the Network mode field.

¡     Enter 123456TESTplat&! in the Preshared key field.

Figure 5 Adding the IPsec policy

 

4.     Click Show advanced settings. On the page that opens, configure the following parameters:

¡     In the Negotiation mode field, select Main mode.

¡     In the Local ID field, select IP address, and then enter 2.2.2.1.

¡     In the DPD field, select Enable, and specify the DPD try interval as 30.

DPD is disabled by default. Enable it so that the router detects an unreachable peer promptly instead of keeping a stale tunnel up.

¡     In the Algorithm suite field, select Customize.

¡     In the Authentication algorithm field, select MD5.

¡     In the Encryption algorithm field, select 3DES-CBC.

¡     Use the default settings for other parameters.

Figure 6 Configuring advanced IKE settings

 

5.     Click the IPsec settings tab, and then configure the following parameters:

¡     In the Algorithm combination field, select Customize.

¡     In the Security protocol field, select ESP.

¡     In the ESP authentication algorithm field, select MD5.

¡     In the ESP encryption algorithm field, select 3DES-CBC.

¡     In the Encapsulation mode field, select Tunnel.

¡     Use the default settings for other parameters.

Figure 7 Configuring advanced IPsec settings

 

6.     Click Back to basic settings to go back to the Add IPsec Policy page.

7.     Click Apply.

Configuring Router B

Modifying the IP address of VLAN 1

# Modify the VLAN interface IP address of VLAN 1 to 10.1.2.1/24.

1.     Log in to the Web interface.

2.     From the navigation pane, select Network > LAN Settings.

3.     Click the Edit icon in the Operation column for VLAN 1.

4.     In the Interface IP address field, enter 10.1.2.1.

5.     In the Subnet mask field, enter 255.255.255.0.

6.     Use the default settings for other parameters, and then click Apply.

Figure 8 Modifying VLAN 1

 

Configuring the WAN interface (WAN3) to connect to the Internet

# Configure a single WAN interface using a fixed IP address.

1.     From the navigation pane, select Network > WAN Settings.

2.     On the Scene page that opens, select Single-WAN scenario, and then select WAN3(GE1/0/3) in the Line1 field.

3.     Click Apply.

Figure 9 Configuring WAN scenario

 

4.     Click the WAN Settings tab.

5.     Click the Edit icon in the Operation column for WAN3(GE1/0/3).

6.     In the Connection mode field, select Fixed IP.

7.     In the IP address field, enter 2.2.3.1.

8.     In the Subnet mask field, enter 255.255.255.0.

9.     In the Gateway field, enter 2.2.3.254.

10.     Use the default settings for other parameters, and then click Apply.

Figure 10 Modifying WAN settings

 

Configuring the IPsec policy

# Specify the network mode as the branch gateway and the IKE negotiation mode as the main mode.

1.     From the navigation pane, select Virtual Network > IPsec VPN.

2.     Click Add.

3.     On the page that opens, configure the following parameters:

¡     Specify the name as map1.

¡     Select WAN3(GE1/0/3) in the Interface field.

¡     Select Branch gateway in the Network mode field and specify the peer gateway address as 2.2.2.1.

¡     Enter 123456TESTplat&! in the Preshared key field.

¡     In the Protected data flows area, select IP as the protocol to be protected, enter 10.1.2.0/255.255.255.0 in the Local subnet/mask field and 10.1.1.0/255.255.255.0 in the Peer subnet/mask field, and then click the icon to add the entry.

Figure 11 Adding the IPsec policy

 

4.     Click Show advanced settings. On the page that opens, configure the following parameters:

¡     In the Negotiation mode field, select Main mode.

¡     In the Local ID field, select IP address, and then enter 2.2.3.1.

¡     In the Remote ID field, select IP address, and then enter 2.2.2.1.

¡     In the DPD field, select Enable, and specify the DPD try interval as 30.

¡     In the Algorithm suite field, select Customize.

¡     In the Authentication algorithm field, select MD5.

¡     In the Encryption algorithm field, select 3DES-CBC.

¡     Use the default settings for other parameters.

Figure 12 Configuring advanced IKE settings

 

5.     Click the IPsec settings tab, and then configure the following parameters:

¡     In the Algorithm combination field, select Customize.

¡     In the Security protocol field, select ESP.

¡     In the ESP authentication algorithm field, select MD5.

¡     In the ESP encryption algorithm field, select 3DES-CBC.

¡     In the Encapsulation mode field, select Tunnel.

¡     Use the default settings for other parameters.

Figure 13 Configuring advanced IPsec settings

 

6.     Click Back to basic settings to go back to the Add IPsec Policy page.

7.     Click Apply.

Verifying the configuration

1.     Verify that Host A can ping Host B successfully.

C:\Users\abc>ping 10.1.2.2

Ping 10.1.2.2 (10.1.2.2): 56 data bytes, press CTRL_C to break

56 bytes from 10.1.2.2: icmp_seq=0 ttl=254 time=2.137 ms

56 bytes from 10.1.2.2: icmp_seq=1 ttl=254 time=2.051 ms

56 bytes from 10.1.2.2: icmp_seq=2 ttl=254 time=1.996 ms

56 bytes from 10.1.2.2: icmp_seq=3 ttl=254 time=1.963 ms

56 bytes from 10.1.2.2: icmp_seq=4 ttl=254 time=1.991 ms

 

--- Ping statistics for 10.1.2.2 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.963/2.028/2.137/0.062 ms

C:\Users\abc>

2.     Click Virtual Network > IPsec VPN > Monitor Information on the Web interface to verify that the IPsec tunnel is successfully established. Status Active indicates successful establishment of the IPsec tunnel.
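A ping succeeding proves reachability, not protection: if the IPsec policy does not match the traffic, the hosts may still reach each other in the clear. The following added example (not code from this document or from H3C) shows what a practitioner would check in a capture taken on the WAN link in the main mode example: after the tunnel comes up, LAN-to-LAN traffic should appear only as ESP (protocol 50) between the gateway addresses 2.2.2.1 and 2.2.3.1, with IKE on UDP 500 (or 4500 with NAT traversal) beside it, and never with the 10.1.1.0/24 or 10.1.2.0/24 addresses visible in the outer header. The packets are constructed in the script so it runs offline; the checksum helper and the packet builder are assumptions of this example, not a real capture.

```python
"""Added example, not H3C code: classify WAN-side packets to confirm the
headquarters/branch traffic actually leaves as ESP in tunnel mode.
The packets below are constructed in code, not taken from a real capture."""
import struct
import ipaddress

ESP, UDP, ICMP = 50, 17, 1
IKE_PORTS = {500, 4500}                       # IKE, and NAT-T IKE/ESP-in-UDP
GATEWAYS = {"2.2.2.1", "2.2.3.1"}             # WAN addresses from the main mode example
LANS = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.1.2.0/24")]


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def classify(pkt: bytes):
    """Return (kind, info): 'esp' for tunnel-mode ESP between the two gateways,
    'ike' for IKE/NAT-T UDP between them, 'leak' for LAN-to-LAN traffic that
    reached the WAN unprotected, else 'other'."""
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0xF) * 4
    if ver_ihl >> 4 != 4 or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a well-formed IPv4 packet")
    src, dst = str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))
    body = pkt[ihl:total]
    info = {"src": src, "dst": dst, "proto": proto, "ttl": ttl}
    if {src, dst} == GATEWAYS and proto == ESP and len(body) >= 8:
        spi, seq = struct.unpack("!II", body[:8])
        if spi == 0:                             # SPI 0 is reserved (RFC 4303)
            raise ValueError("ESP with reserved SPI 0")
        info.update(spi=spi, seq=seq, ciphertext_len=len(body) - 8)
        return "esp", info
    if {src, dst} == GATEWAYS and proto == UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        if sport in IKE_PORTS or dport in IKE_PORTS:
            info.update(sport=sport, dport=dport)
            return "ike", info
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in n for n in LANS) and any(d in n for n in LANS):
        return "leak", info                      # inner addresses visible on the WAN
    return "other", info


# Constructed samples (labelled as such): a correct tunnel packet on the WAN,
# an IKE packet, and a LAN-to-LAN ping that bypassed the policy.
ESP_PKT = ipv4("2.2.2.1", "2.2.3.1", ESP, struct.pack("!II", 0x1A2B3C4D, 7) + bytes(range(96)))
IKE_PKT = ipv4("2.2.3.1", "2.2.2.1", UDP, struct.pack("!HHHH", 500, 500, 8 + 28, 0) + bytes(28))
LEAK_PKT = ipv4("10.1.1.2", "10.1.2.2", ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping")

if __name__ == "__main__":
    for name, pkt in (("esp", ESP_PKT), ("ike", IKE_PKT), ("leak", LEAK_PKT)):
        print(name, classify(pkt))
```

A "leak" result on a live capture means the protected data flow did not match the traffic (wrong subnet or mask on the branch, or a route sending the traffic out another WAN interface in a multi-WAN setup); an ESP sequence number that keeps growing while pings flow is the quickest sign that the tunnel is carrying the traffic.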

Example: Configuring aggressive mode IPsec VPN

Network configuration

As shown in Figure 14, the headquarters gateway Router A uses a single WAN interface with a fixed public address to connect to the Internet. The branch gateway Router B uses a DHCP-assigned IP address to connect to the Internet. The headquarters and the branch communicate with each other over the Internet. To protect data flows between the headquarters and the branch, establish an IPsec tunnel between the routers. Configure the network as follows:

·     Configure Router A and Router B to use preshared key 123456TESTplat&! for authentication.

·     Specify the encapsulation mode as tunnel and the security protocol as ESP.

·     Specify the encryption algorithm as 3DES-CBC and the authentication algorithm as MD5.

Figure 14 Network diagram

 

Analysis

To configure IPsec VPN, complete the following configurations on Router A and Router B:

1.     Configure basic WAN and LAN settings.

a.     Specify the IP address and gateway of the WAN interface on each router.

b.     Modify the default IP address of VLAN 1 on each router.

2.     Add an IPsec policy.

Because Router B obtains its WAN address from DHCP, Router A cannot know that address in advance, so main mode (which looks up the preshared key by the peer's IP address) cannot be used. Configure the IPsec policy to use aggressive mode for phase 1 IKE negotiation. Aggressive mode carries the peer's ID (an FQDN in this example) in the first exchange, so the preshared key can be matched by ID instead of by address.

Restrictions and guidelines

After you modify the default IP address of VLAN 1, the Web connection fails. You must use the modified IP address to log in to the Web interface again.

If your network uses dual-WAN or multiple-WAN access, configure a static route on each router to direct the traffic destined for the peer internal network to the WAN interface specified in the IPsec policy. In this example, the routers use single-WAN access. No static route configuration is needed. The routers will generate a default route to direct all traffic to the egress gateway.

Make sure both sides of the IPsec tunnel use the same preshared key, security protocol, encryption algorithm, authentication algorithm, and encapsulation mode. Also make sure the Remote ID configured on one side is exactly the Local ID (FQDN) sent by the other side.

In aggressive mode the identity payloads are sent unencrypted, and the preshared-key-based authentication hash can be captured from the exchange and guessed offline. A long, random preshared key therefore matters even more than in main mode. The 3DES-CBC and MD5 algorithms used in this example are legacy algorithms; on a production network, prefer AES encryption and SHA-2 authentication where both peers support them.
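The "both sides must agree" guideline applies to the main mode example above as well as to this one, and the two examples differ only in negotiation mode, ID type, and whether the branch WAN address is fixed. The following added example (not code from this document or from H3C) models the values entered on the Add IPsec Policy page for both examples and checks them against the guidelines before either side clicks Apply: matching preshared key, mode, protocol, algorithms and encapsulation; Remote ID equal to the peer's Local ID; main mode only when both WAN addresses are fixed; protected data flows that do not overlap and that mirror the headquarters entries when the headquarters lists any. The dataclasses, field names and warning texts are this example's own assumptions, not the router's data model.

```python
"""Added example, not H3C code: pre-flight check of a headquarters/branch
IPsec policy pair, modelling the values typed into the Add IPsec Policy page."""
from __future__ import annotations
from dataclasses import dataclass, field, replace
from typing import Optional
import ipaddress

WEAK_ENC, WEAK_AUTH = {"3DES-CBC", "DES-CBC"}, {"MD5"}   # legacy algorithms used by the examples
MUST_MATCH = ("psk", "mode", "protocol", "ike_auth", "ike_enc", "esp_auth", "esp_enc", "encapsulation")


def net(s: str) -> ipaddress.IPv4Network:
    """Parse the page's address/mask notation, e.g. '10.1.2.0/255.255.255.0'."""
    return ipaddress.ip_network(s, strict=False)


@dataclass(frozen=True)
class Flow:                    # one Protected data flows entry
    local: str
    peer: str


@dataclass
class IPsecPolicy:
    name: str
    role: str                  # "headquarters" or "branch"
    wan_fixed_ip: bool         # False when the WAN address is DHCP-assigned
    mode: str                  # "main" or "aggressive"
    psk: str
    local_id: str
    remote_id: Optional[str]   # only the branch sets it in the examples
    ike_auth: str
    ike_enc: str
    protocol: str              # "ESP"
    esp_auth: str
    esp_enc: str
    encapsulation: str         # "tunnel"
    flows: list[Flow] = field(default_factory=list)


def check_pair(hq: IPsecPolicy, branch: IPsecPolicy) -> list[str]:
    """Return configuration errors; an empty list means the pair is consistent."""
    errors: list[str] = []
    for attr in MUST_MATCH:
        a, b = getattr(hq, attr), getattr(branch, attr)
        if a != b:
            errors.append(f"{attr} mismatch: headquarters={a!r} branch={b!r}")
    # Main mode with a preshared key selects the key by the peer's source address,
    # so it only works when both WAN interfaces have fixed public addresses.
    if hq.mode == "main" and not (hq.wan_fixed_ip and branch.wan_fixed_ip):
        errors.append("main mode selected but a WAN interface is dynamically addressed; use aggressive mode")
    # Each side's Remote ID must be exactly what the other side sends as its Local ID.
    for me, other in ((branch, hq), (hq, branch)):
        if me.remote_id is not None and me.remote_id != other.local_id:
            errors.append(f"{me.role} Remote ID {me.remote_id!r} != {other.role} Local ID {other.local_id!r}")
    # Protected data flows: local/peer must not overlap, and when the headquarters
    # also lists flows, each branch entry must have a mirror-image entry there.
    hq_mirrored = {(net(f.peer), net(f.local)) for f in hq.flows}
    for f in branch.flows:
        if net(f.local).overlaps(net(f.peer)):
            errors.append(f"flow {f.local} <-> {f.peer}: subnets overlap")
        elif hq.flows and (net(f.local), net(f.peer)) not in hq_mirrored:
            errors.append(f"flow {f.local} <-> {f.peer} has no mirror entry on the headquarters")
    return errors


def security_warnings(p: IPsecPolicy) -> list[str]:
    """Non-blocking findings a security reviewer would raise about the chosen settings."""
    warns = []
    if p.ike_enc in WEAK_ENC or p.esp_enc in WEAK_ENC:
        warns.append(f"{p.role}: legacy cipher; prefer AES where both peers support it")
    if p.ike_auth in WEAK_AUTH or p.esp_auth in WEAK_AUTH:
        warns.append(f"{p.role}: MD5 integrity; prefer SHA-2 where both peers support it")
    if p.mode == "aggressive":
        warns.append(f"{p.role}: aggressive mode sends the ID unencrypted and exposes a "
                     "PSK-derived hash to offline guessing; use a long random PSK")
    return warns


# Values copied from the two examples in this document.
ALG = dict(ike_auth="MD5", ike_enc="3DES-CBC", protocol="ESP", esp_auth="MD5",
           esp_enc="3DES-CBC", encapsulation="tunnel")
PSK = "123456TESTplat&!"
BRANCH_FLOWS = [Flow("10.1.2.0/255.255.255.0", "10.1.1.0/255.255.255.0")]
MAIN_HQ = IPsecPolicy("map1", "headquarters", True, "main", PSK, "2.2.2.1", None, **ALG)
MAIN_BRANCH = IPsecPolicy("map1", "branch", True, "main", PSK, "2.2.3.1", "2.2.2.1",
                          flows=BRANCH_FLOWS, **ALG)
AGG_HQ = IPsecPolicy("map1", "headquarters", True, "aggressive", PSK, "www.test.com", None, **ALG)
AGG_BRANCH = IPsecPolicy("map1", "branch", False, "aggressive", PSK, "www.test1.com",
                         "www.test.com", flows=BRANCH_FLOWS, **ALG)

if __name__ == "__main__":
    for label, hq, br in (("main", MAIN_HQ, MAIN_BRANCH), ("aggressive", AGG_HQ, AGG_BRANCH)):
        print(label, "errors:", check_pair(hq, br) or "none")
        print(label, "warnings:", security_warnings(hq) + security_warnings(br))
    print("branch left on main mode:", check_pair(AGG_HQ, replace(AGG_BRANCH, mode="main")))
```

The last line shows the failure a practitioner most often hits when following two procedures in sequence: leaving the branch on main mode while the headquarters expects aggressive mode. The check reports it as a mode mismatch before any negotiation is attempted, which is far quicker than reading it out of IKE debugging on the routers.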

Procedures

Configuring Router A

Modifying the IP address of VLAN 1

# Modify the VLAN interface IP address of VLAN 1 to 10.1.1.1/24.

1.     Log in to the Web interface. From the navigation pane, select Network > LAN Settings.

2.     Click the Edit icon in the Operation column for VLAN 1.

3.     In the Interface IP address field, enter 10.1.1.1.

4.     In the Subnet mask field, enter 255.255.255.0.

5.     Use the default settings for other parameters, and then click Apply.

Figure 15 Modifying VLAN 1

 

Configuring the WAN interface (WAN0) to connect to the Internet

# Configure a single WAN interface using a fixed IP address.

1.     From the navigation pane, select Network > WAN Settings.

2.     On the Scene page that opens, select Single-WAN scenario, and then select WAN0(GE0) in the Line1 field.

3.     Click Apply.

Figure 16 Configuring WAN scenario

 

4.     Click the WAN Settings tab.

5.     Click the Edit icon in the Operation column for WAN0(GE0).

6.     In the Connection mode field, select Fixed IP.

7.     In the IP address field, enter 2.2.2.1.

8.     In the Subnet mask field, enter 255.255.255.0.

9.     In the Gateway field, enter 2.2.2.254.

10.     Use the default settings for other parameters, and then click Apply.

Figure 17 Modifying WAN settings

 

Configuring the IPsec policy

# Specify the network mode as the headquarters gateway and the IKE negotiation mode as the aggressive mode.

1.     From the navigation pane, select Virtual Network > IPsec VPN.

2.     Click Add.

3.     On the page that opens, configure the following parameters:

¡     Specify the name as map1.

¡     Select WAN0(GE0) in the Interface field.

¡     Select Headquarters gateway in the Network mode field.

¡     Enter 123456TESTplat&! in the Preshared key field.

Figure 18 Adding the IPsec policy

 

4.     Click Show advanced settings. On the page that opens, configure the following parameters:

¡     In the Negotiation mode field, select Aggressive mode.

¡     In the Local ID field, select FQDN, and then enter the FQDN (for example, www.test.com).

¡     In the DPD field, select Enable, and specify the DPD try interval as 30.

DPD is disabled by default. Enable it so that the router detects an unreachable peer promptly instead of keeping a stale tunnel up.

¡     In the Algorithm suite field, select Customize.

¡     In the Authentication algorithm field, select MD5.

¡     In the Encryption algorithm field, select 3DES-CBC.

¡     Use the default settings for other parameters.

Figure 19 Configuring advanced IKE settings

 

5.     Click the IPsec settings tab, and then configure the following parameters:

¡     In the Algorithm combination field, select Customize.

¡     In the Security protocol field, select ESP.

¡     In the ESP authentication algorithm field, select MD5.

¡     In the ESP encryption algorithm field, select 3DES-CBC.

¡     In the Encapsulation mode field, select Tunnel.

¡     Use the default settings for other parameters.

Figure 20 Configuring advanced IPsec settings

 

6.     Click Back to basic settings to go back to the Add IPsec Policy page.

7.     Click Apply.

Configuring Router B

Modifying the IP address of VLAN 1

# Modify the VLAN interface IP address of VLAN 1 to 10.1.2.1/24.

1.     Log in to the Web interface.

2.     From the navigation pane, select Network > LAN Settings.

3.     Click the Edit icon in the Operation column for VLAN 1.

4.     In the Interface IP address field, enter 10.1.2.1.

5.     In the Subnet mask field, enter 255.255.255.0.

6.     Use the default settings for other parameters, and then click Apply.

Figure 21 Modifying VLAN 1

 

Configuring the WAN interface (WAN3) to connect to the Internet

# Configure a single WAN interface using DHCP-assigned IP addresses.

1.     From the navigation pane, select Network > WAN Settings.

2.     On the Scene page that opens, select Single-WAN scenario, and then select WAN3(GE1/0/3) in the Line1 field.

3.     Click Apply.

Figure 22 Configuring WAN scenario

 

4.     Click the WAN Settings tab.

5.     Click the Edit icon in the Operation column for WAN3(GE1/0/3).

6.     In the Connection mode field, select DHCP.

7.     Use the default settings for other parameters, and then click Apply.

Figure 23 Modifying WAN settings

 

Configuring the IPsec policy

# Specify the network mode as the branch gateway and the IKE negotiation mode as the aggressive mode.

1.     From the navigation pane, select Virtual Network > IPsec VPN.

2.     Click Add.

3.     On the page that opens, configure the following parameters:

¡     Specify the name as map1.

¡     Select WAN3(GE1/0/3) in the Interface field.

¡     Select Branch gateway in the Network mode field and specify the peer gateway address as 2.2.2.1.

¡     Enter 123456TESTplat&! in the Preshared key field.

¡     In the Protected data flows area, select IP as the protocol to be protected, enter 10.1.2.0/255.255.255.0 in the Local subnet/mask field and 10.1.1.0/255.255.255.0 in the Peer subnet/mask field, and then click the icon to add the entry.

Figure 24 Adding the IPsec policy

 

4.     Click Show advanced settings. On the page that opens, configure the following parameters:

¡     In the Negotiation mode field, select Aggressive mode, the same mode configured on Router A.

¡     In the Local ID field, select FQDN, and then enter the FQDN (for example, www.test1.com).

¡     In the Remote ID field, select FQDN, and then enter www.test.com, the FQDN configured as the Local ID on Router A.

¡     In the DPD field, select Enable, and specify the DPD try interval as 30.

¡     In the Algorithm suite field, select Customize.

¡     In the Authentication algorithm field, select MD5.

¡     In the Encryption algorithm field, select 3DES-CBC.

¡     Use the default settings for other parameters.

Figure 25 Configuring advanced IKE settings

 

5.     Click the IPsec settings tab, and then configure the following parameters:

¡     In the Algorithm combination field, select Customize.

¡     In the Security protocol field, select ESP.

¡     In the ESP authentication algorithm field, select MD5.

¡     In the ESP encryption algorithm field, select 3DES-CBC.

¡     In the Encapsulation mode field, select Tunnel.

¡     Use the default settings for other parameters.

Figure 26 Configuring advanced IPsec settings

 

6.     Click Back to basic settings to go back to the Add IPsec Policy page.

7.     Click Apply.

Verifying the configuration

1.     Verify that Host A can ping Host B successfully.

C:\Users\abc>ping 10.1.2.2

Ping 10.1.2.2 (10.1.2.2): 56 data bytes, press CTRL_C to break

56 bytes from 10.1.2.2: icmp_seq=0 ttl=254 time=2.137 ms

56 bytes from 10.1.2.2: icmp_seq=1 ttl=254 time=2.051 ms

56 bytes from 10.1.2.2: icmp_seq=2 ttl=254 time=1.996 ms

56 bytes from 10.1.2.2: icmp_seq=3 ttl=254 time=1.963 ms

56 bytes from 10.1.2.2: icmp_seq=4 ttl=254 time=1.991 ms

 

--- Ping statistics for 10.1.2.2 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.963/2.028/2.137/0.062 ms

C:\Users\abc>

2.     Click Virtual Network > IPsec VPN > Monitor Information on the Web interface to verify that the IPsec tunnel is successfully established. Status Active indicates successful establishment of the IPsec tunnel.

 
