Specifications
Applicable to V200R002C00 and higher versions and all types of AR routers.
Network requirements
As shown in Figure 1, an enterprise consists of a headquarters and two branches. Branch 1 and Branch 2 connect to the Internet through RouterB and RouterC respectively, and RouterA is the NAT gateway at the headquarters. RouterA and the branch RouterB have fixed public network addresses, while RouterC obtains a dynamic public network IP address. RouterA and RouterB, as well as RouterA and RouterC, are reachable to each other. The enterprise has the following networking requirements:
- The branch PCs (PC2 and PC3) can communicate securely with the headquarters PC1.
- IPSec tunnels are established between RouterA and RouterB, and between RouterA and RouterC. RouterB and RouterC do not establish an IPSec connection directly with each other.
- PC1 accesses the public network directly, while PC2 and PC3 access the public network through the headquarters gateway.
Figure 1 Networking diagram: two gateways are interconnected through IPSec VPN, and branch traffic reaches the Internet after NAT on the headquarters IPSec gateway.
Operation steps
- Configure RouterA
```
#
 sysname RouterA
#
acl number 3000
 rule 5 permit ip destination 10.1.2.0 0.0.0.255
 rule 10 permit ip destination 10.1.3.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer c
 pre-shared-key %^%#0ljf5R_9LXP|Qe=WVA6-Y%'}%^%#
 ike-proposal 10
#
ipsec policy-template temp 1
 security acl 3000
 ike-peer c
 proposal tran1
#
ipsec policy map1 10 isakmp template temp
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.3.1 255.255.255.0
 ipsec policy map1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.3.0 mask 255.255.255.0
  action permit
 rule name policy2
  source-zone untrust
  destination-zone trust
  source-address 10.1.2.0 mask 255.255.255.0
  source-address 10.1.3.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  action permit
 rule name policy3
  source-zone local
  destination-zone untrust
  source-address 1.1.3.1 mask 255.255.255.255
  action permit
 rule name policy4
  source-zone untrust
  destination-zone local
  destination-address 1.1.3.1 mask 255.255.255.255
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.3.0 mask 255.255.255.0
  action no-nat
 rule name policy_nat2
  source-zone trust
  source-zone untrust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 10.1.2.0 mask 255.255.255.0
  source-address 10.1.3.0 mask 255.255.255.0
  action source-nat easy-ip
#
return
```
- Configure RouterB
```
#
 sysname RouterB
#
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer a
 pre-shared-key %^%#St4#CBb9$L>G`5W(HV*BKTnm%^%#
 ike-proposal 10
 remote-address 1.1.3.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.5.1 255.255.255.0
 ipsec policy map1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
ip route-static 10.1.0.0 255.255.0.0 GigabitEthernet0/0/1
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.3.0 mask 255.255.255.0
  action permit
 rule name policy2
  source-zone untrust
  destination-zone trust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 10.1.3.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name policy3
  source-zone local
  destination-zone untrust
  source-address 1.1.5.1 mask 255.255.255.255
  destination-address 1.1.3.1 mask 255.255.255.255
  action permit
 rule name policy4
  source-zone untrust
  destination-zone local
  source-address 1.1.3.1 mask 255.255.255.255
  destination-address 1.1.5.1 mask 255.255.255.255
  action permit
#
return
```
- Configure RouterC
```
#
 sysname RouterC
#
acl number 3000
 rule 5 permit ip source 10.1.3.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer a
 pre-shared-key %^%#LV|sQ=~fUQO:M$CeqaMEnwVD%^%#
 ike-proposal 10
 remote-address 1.1.3.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 /* configuration for obtaining a dynamic public IP address */
 undo shutdown
 ipsec policy map1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
ip route-static 10.1.0.0 255.255.0.0 GigabitEthernet0/0/1
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 10.1.3.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name policy2
  source-zone untrust
  destination-zone trust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.3.0 mask 255.255.255.0
  action permit
 rule name policy3
  source-zone local
  destination-zone untrust
  destination-address 1.1.3.1 mask 255.255.255.255
  action permit
 rule name policy4
  source-zone untrust
  destination-zone local
  source-address 1.1.3.1 mask 255.255.255.255
  action permit
#
return
```
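The three configurations above only work if they agree with each other: the IKE proposal and IPSec proposal on each branch must match the headquarters, and every network a branch protects as a source in its `acl 3000` must appear as a destination in the headquarters `acl 3000`. The script below is an added example, not Huawei code and not part of the original page; it embeds constructed excerpts that mirror the proposals and ACLs above (`HUB`, `ROUTER_B`, `ROUTER_C`, plus a deliberately mismatched `BAD_SPOKE`) and reports every mismatch between a hub and a spoke. The `pre-shared-key` lines are deliberately not compared: the `%^%#...%^%#` strings in the configurations are the device's encrypted display form, so they differ between devices even when the plaintext key is identical.

```python
"""Cross-check the IKE/IPsec settings of a hub against each spoke.

Added example (not Huawei code): parses VRP-style config excerpts and reports
proposal parameters or protected networks that do not match between peers.
"""
import re

# Constructed excerpt mirroring the relevant sections of the RouterA config above.
HUB = """\
acl number 3000
 rule 5 permit ip destination 10.1.2.0 0.0.0.255
 rule 10 permit ip destination 10.1.3.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
"""

# Constructed spoke template mirroring the RouterB/RouterC sections above.
SPOKE_TEMPLATE = """\
acl number 3000
 rule 5 permit ip source {net} 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike proposal 10
 encryption-algorithm aes-256
 dh {dh}
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
"""
ROUTER_B = SPOKE_TEMPLATE.format(net="10.1.2.0", dh="group14")
ROUTER_C = SPOKE_TEMPLATE.format(net="10.1.3.0", dh="group14")
# Constructed faulty spoke: a weaker DH group and a subnet the hub does not protect.
BAD_SPOKE = SPOKE_TEMPLATE.format(net="10.1.4.0", dh="group2")


def parse_sections(cfg):
    """Map each top-level section line to the list of its indented child lines."""
    sections, current = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] != " ":
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def proposal(sections, name):
    """Turn 'dh group14' / 'esp encryption-algorithm aes-256' lines into {param: value}."""
    params = {}
    for entry in sections.get(name, []):
        key, value = entry.rsplit(None, 1)
        params[key] = value
    return params


def acl_rules(sections, name):
    """Return the set of (source|destination, network, wildcard) permit rules in an ACL."""
    rules = set()
    for entry in sections.get(name, []):
        m = re.match(r"rule \d+ permit ip (source|destination) (\S+) (\S+)", entry)
        if m:
            rules.add(m.groups())
    return rules


def check_peer(hub_cfg, spoke_cfg, ike="ike proposal 10",
               ipsec="ipsec proposal tran1", acl="acl number 3000"):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    hub, spoke = parse_sections(hub_cfg), parse_sections(spoke_cfg)
    problems = []
    for sect in (ike, ipsec):
        h, s = proposal(hub, sect), proposal(spoke, sect)
        for key in sorted(set(h) | set(s)):
            if h.get(key) != s.get(key):
                problems.append(f"{sect}: {key} hub={h.get(key)} spoke={s.get(key)}")
    # Every network the spoke protects as a source must be a destination on the hub,
    # otherwise the hub never encrypts the return traffic.
    hub_dst = {(net, wc) for kind, net, wc in acl_rules(hub, acl) if kind == "destination"}
    for kind, net, wc in sorted(acl_rules(spoke, acl)):
        if kind == "source" and (net, wc) not in hub_dst:
            problems.append(f"{acl}: spoke source {net} {wc} has no matching destination rule on hub")
    return problems


if __name__ == "__main__":
    for name, spoke in (("RouterB", ROUTER_B), ("RouterC", ROUTER_C), ("bad spoke", BAD_SPOKE)):
        issues = check_peer(HUB, spoke)
        print(name, "OK" if not issues else issues)
```

Run it against the real `display current-configuration` text of the two devices and the only change needed is replacing the embedded strings; proposal parameters are compared by name so an algorithm present on only one side is reported as well.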
- Verify the configuration results.
- After the configuration is complete, PC1 can access the public network at any time: it can ping RouterB's public address 1.1.5.1, and the corresponding NAT translation session entries can be viewed on RouterA.
```
<RouterA> display firewall session table
 Current Total Sessions: 5
 icmp VPN:public --> public 10.1.1.2:61251[1.1.3.1:2048]-->1.1.5.1:2048
 icmp VPN:public --> public 10.1.1.2:62019[1.1.3.1:2049]-->1.1.5.1:2048
 icmp VPN:public --> public 10.1.1.2:62275[1.1.3.1:2050]-->1.1.5.1:2048
 icmp VPN:public --> public 10.1.1.2:62531[1.1.3.1:2051]-->1.1.5.1:2048
 icmp VPN:public --> public 10.1.1.2:62787[1.1.3.1:2052]-->1.1.5.1:2048
```
- PC2 can access the public network at any time: it can ping a public network IP address (assumed here to be 1.1.6.1), and the corresponding NAT translation session entries can be viewed on RouterA.
```
<RouterA> display firewall session table
 Current Total Sessions: 5
 icmp VPN:public --> public 10.1.2.2:61251[1.1.3.1:2053]-->1.1.6.1:2048
 icmp VPN:public --> public 10.1.2.2:62019[1.1.3.1:2054]-->1.1.6.1:2048
 icmp VPN:public --> public 10.1.2.2:62275[1.1.3.1:2055]-->1.1.6.1:2048
 icmp VPN:public --> public 10.1.2.2:62531[1.1.3.1:2056]-->1.1.6.1:2048
 icmp VPN:public --> public 10.1.2.2:62787[1.1.3.1:2057]-->1.1.6.1:2048
```
- After PC2 initiates access, PC1 and PC2 can access each other.
- The corresponding IKE SA can be viewed on the headquarters RouterA.
```
<RouterA> display ike sa
IKE SA information:
  Conn-ID    Peer            VPN   Flag(s)   Phase   RemoteType   RemoteID
  -------------------------------------------------------------------------
  83887864   1.1.5.1:500           RD|A      v2:2    IP           1.1.5.1
  83887652   1.1.5.1:500           RD|A      v2:1    IP           1.1.5.1

  Number of IKE SA: 2
  -------------------------------------------------------------------------
  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
```
- On the branch RouterB, the IKE SA whose peer is the headquarters can be viewed. RouterB is the initiator, so its flags include ST.
```
<RouterB> display ike sa
IKE SA information:
  Conn-ID    Peer            VPN   Flag(s)   Phase   RemoteType   RemoteID
  -------------------------------------------------------------------------
  62887864   1.1.3.1:500           RD|ST|A   v2:2    IP           1.1.3.1
  62887652   1.1.3.1:500           RD|ST|A   v2:1    IP           1.1.3.1

  Number of IKE SA: 2
  -------------------------------------------------------------------------
  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
```
- A pair of bidirectional IPSec SAs corresponding to the branch RouterB can be viewed on the headquarters RouterA.
```
<RouterA> display ipsec sa brief
Current ipsec sa num:2
Spu board slot 1, cpu 1 ipsec sa information:
Number of SAs:2
  Src address    Dst address    SPI          VPN   Protocol   Algorithm
  ---------------------------------------------------------------------------
  1.1.5.1        1.1.3.1        3923280450         ESP        E:AES-256 A:SHA2_256_128
  1.1.3.1        1.1.5.1        787858613          ESP        E:AES-256 A:SHA2_256_128
```
- The same pair of bidirectional IPSec SAs can be viewed on the branch RouterB.
```
<RouterB> display ipsec sa brief
Current ipsec sa num:2
Spu board slot 1, cpu 1 ipsec sa information:
Number of SAs:2
  Src address    Dst address    SPI          VPN   Protocol   Algorithm
  ---------------------------------------------------------------------------
  1.1.3.1        1.1.5.1        787858613          ESP        E:AES-256 A:SHA2_256_128
  1.1.5.1        1.1.3.1        3923280450         ESP        E:AES-256 A:SHA2_256_128
```
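The verification steps above check two properties: every session from a private network toward a public destination leaves RouterA translated to its public address 1.1.3.1 (traffic between the sites is expected to stay untranslated because of the `no-nat` rule), and each IPsec peer pair has an SA in both directions using AES-256 and SHA2-256. The script below is an added example, not Huawei code and not part of the original page; it parses constructed copies of the `display firewall session table` and `display ipsec sa brief` output shown above. The `SESSION_TABLE`, `SA_BRIEF` and `LEAKED_SESSION` strings and the `GATEWAY_PUBLIC_IP` and `PRIVATE_NETS` constants are assumptions taken from this page's addressing.

```python
"""Audit NAT sessions and IPsec SA pairs from device verification output.

Added example (not Huawei code): the parsers take the text of
`display firewall session table` and `display ipsec sa brief` and check the
properties the verification steps on this page describe.
"""
import ipaddress
import re

GATEWAY_PUBLIC_IP = "1.1.3.1"  # RouterA GigabitEthernet0/0/1 in the config above
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24")]

# Constructed copies of output lines shown on this page.
SESSION_TABLE = """\
icmp VPN:public --> public 10.1.2.2:61251[1.1.3.1:2053]-->1.1.6.1:2048
icmp VPN:public --> public 10.1.2.2:62019[1.1.3.1:2054]-->1.1.6.1:2048
icmp VPN:public --> public 10.1.1.2:61251[1.1.3.1:2048]-->1.1.5.1:2048
"""
SA_BRIEF = """\
1.1.5.1 1.1.3.1 3923280450 ESP E:AES-256 A:SHA2_256_128
1.1.3.1 1.1.5.1 787858613 ESP E:AES-256 A:SHA2_256_128
"""
# Constructed line with no [translated] field: a private source that left untranslated.
LEAKED_SESSION = "icmp VPN:public --> public 10.1.2.2:61251-->1.1.6.1:2048"

SESSION_RE = re.compile(
    r"(?P<proto>\w+)\s+VPN:(?P<vpn_in>\S+)\s+-->\s+(?P<vpn_out>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# The VPN column is empty for the public instance, hence the optional field before ESP.
SA_RE = re.compile(
    r"(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<spi>\d+)\s+(?:\S+\s+)?ESP\s+"
    r"E:(?P<enc>\S+)\s+A:(?P<auth>\S+)"
)


def parse_sessions(output):
    """Return one dict per session line; nat_ip/nat_port are None when untranslated."""
    return [m.groupdict() for m in SESSION_RE.finditer(output)]


def audit_nat(sessions, public_ip=GATEWAY_PUBLIC_IP, private_nets=PRIVATE_NETS):
    """List sessions whose private source reaches a public destination without
    being translated to the gateway's public address."""
    findings = []
    for s in sessions:
        src, dst = ipaddress.ip_address(s["src"]), ipaddress.ip_address(s["dst"])
        src_private = any(src in n for n in private_nets)
        dst_private = any(dst in n for n in private_nets)
        if not src_private or dst_private:
            continue  # site-to-site traffic is expected to stay untranslated (no-nat rule)
        if s["nat_ip"] is None:
            findings.append(f"{src}->{dst}: private source left untranslated")
        elif s["nat_ip"] != public_ip:
            findings.append(f"{src}->{dst}: translated to {s['nat_ip']}, expected {public_ip}")
    return findings


def sa_pairs(output, enc="AES-256", auth="SHA2_256_128"):
    """Map each sorted (peer, peer) tuple to True when an SA exists in both
    directions and every SA uses the expected algorithms."""
    seen = {}
    for m in SA_RE.finditer(output):
        key = tuple(sorted((m["src"], m["dst"])))
        entry = seen.setdefault(key, {"dirs": set(), "weak": []})
        entry["dirs"].add((m["src"], m["dst"]))
        if m["enc"] != enc or m["auth"] != auth:
            entry["weak"].append(m["spi"])
    return {k: len(v["dirs"]) == 2 and not v["weak"] for k, v in seen.items()}


if __name__ == "__main__":
    print("NAT findings:", audit_nat(parse_sessions(SESSION_TABLE)) or "none")
    print("Leak check:", audit_nat(parse_sessions(LEAKED_SESSION)))
    print("SA pairs:", sa_pairs(SA_BRIEF))
```

Feed the functions the raw text captured from the device; a missing direction or an SA negotiated with an algorithm other than the configured `tran1` proposal shows up as `False` for that peer pair, and any private source that bypassed `policy_nat2` shows up as a NAT finding.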