Configure the two gateways to be interconnected through IPSec VPN and perform NAT through the headquarters IPSec gateway to access the Internet.

Specifications

Applicable to V200R002C00 and higher versions and all types of AR routers.

Network requirements

As shown in Figure 1, an enterprise is divided into a headquarters and two branches. Branch 1 and Branch 2 are connected to the Internet through RouterB and RouterC respectively. RouterA is the headquarters NAT gateway. Headquarters RouterA and branch RouterB have fixed public network addresses, while RouterC obtains its public network IP address dynamically. RouterA and RouterB, as well as RouterA and RouterC, are reachable from each other. The enterprise has the following networking requirements:

  • Branch PC2 and PC3 can communicate securely with headquarters PC1.
  • IPSec tunnels are established between RouterA and RouterB, and between RouterA and RouterC. RouterB and RouterC do not establish an IPSec connection with each other.
  • PC1 can directly access the public network, and PC2 and PC3 can access the public network through the headquarters gateway.

Figure 1 The networking diagram in which two gateways are interconnected through IPSec VPN and then access the Internet after NAT through the headquarters IPSec gateway.

Operation steps
  1. Configure RouterA
    #
     sysname RouterA
    #
    acl number 3000
     rule 5 permit ip destination 10.1.2.0 0.0.0.255
     rule 10 permit ip destination 10.1.3.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer c
     pre-shared-key %^%#0ljf5R_9LXP|Qe=WVA6-Y%'}%^%#
     ike-proposal 10
    #
    ipsec policy-template temp 1
     security acl 3000
     ike-peer c
     proposal tran1
    #
    ipsec policy map1 10 isakmp template temp
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 1.1.3.1 255.255.255.0
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.0 mask 255.255.255.0
      destination-address 10.1.2.0 mask 255.255.255.0
      destination-address 10.1.3.0 mask 255.255.255.0
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.2.0 mask 255.255.255.0
      source-address 10.1.3.0 mask 255.255.255.0
      destination-address 10.1.1.0 mask 255.255.255.0
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      source-address 1.1.3.1 mask 255.255.255.255
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      destination-address 1.1.3.1 mask 255.255.255.255
      action permit
    #
    nat-policy
     rule name policy_nat1
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.0 mask 255.255.255.0
      destination-address 10.1.2.0 mask 255.255.255.0
      destination-address 10.1.3.0 mask 255.255.255.0
      action no-nat
     rule name policy_nat2
      source-zone trust
      source-zone untrust
      destination-zone untrust
      source-address 10.1.1.0 mask 255.255.255.0
      source-address 10.1.2.0 mask 255.255.255.0
      source-address 10.1.3.0 mask 255.255.255.0
      action source-nat easy-ip
    #
    return
  2. Configure RouterB
    #
    sysname RouterB
    #
    acl number 3000
     rule 5 permit ip source 10.1.2.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer a
     pre-shared-key %^%#St4#CBb9$L>G`5W(HV*BKTnm%^%#
     ike-proposal 10
     remote-address 1.1.3.1
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 1.1.5.1 255.255.255.0
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    ip route-static 10.1.0.0 255.255.0.0 GigabitEthernet0/0/1
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.2.0 mask 255.255.255.0
      destination-address 10.1.1.0 mask 255.255.255.0
      destination-address 10.1.3.0 mask 255.255.255.0
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.1.0 mask 255.255.255.0
      source-address 10.1.3.0 mask 255.255.255.0
      destination-address 10.1.2.0 mask 255.255.255.0
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      source-address 1.1.5.1 mask 255.255.255.255
      destination-address 1.1.3.1 mask 255.255.255.255
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      source-address 1.1.3.1 mask 255.255.255.255
      destination-address 1.1.5.1 mask 255.255.255.255
      action permit
    #
    return
  3. Configure RouterC
    #
    sysname RouterC
    #
    acl number 3000
     rule 5 permit ip source 10.1.3.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer a
     pre-shared-key %^%#LV|sQ=~fUQO:M$CeqaMEnwVD%^%#
     ike-proposal 10
     remote-address 1.1.3.1
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.3.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1 /* the IP address of this interface is obtained dynamically; that configuration is not shown */
     undo shutdown
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    ip route-static 10.1.0.0 255.255.0.0 GigabitEthernet0/0/1
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.3.0 mask 255.255.255.0
      destination-address 10.1.1.0 mask 255.255.255.0
      destination-address 10.1.2.0 mask 255.255.255.0
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.1.0 mask 255.255.255.0
      source-address 10.1.2.0 mask 255.255.255.0
      destination-address 10.1.3.0 mask 255.255.255.0
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      destination-address 1.1.3.1 mask 255.255.255.255
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      source-address 1.1.3.1 mask 255.255.255.255
      action permit
    #
    return
  4. Verify the configuration results.
    1. After the configuration is completed, PC1 can access the public network at any time and can ping the RouterB address 1.1.5.1; the corresponding NAT translation session entries can be viewed on RouterA.
      <RouterA> display firewall session table
       Current Total Sessions: 5
        icmp VPN:public --> public 10.1.1.2:61251[1.1.3.1:2048]-->1.1.5.1:2048
        icmp VPN:public --> public 10.1.1.2:62019[1.1.3.1:2049]-->1.1.5.1:2048
        icmp VPN:public --> public 10.1.1.2:62275[1.1.3.1:2050]-->1.1.5.1:2048
        icmp VPN:public --> public 10.1.1.2:62531[1.1.3.1:2051]-->1.1.5.1:2048
        icmp VPN:public --> public 10.1.1.2:62787[1.1.3.1:2052]-->1.1.5.1:2048
    2. PC2 can access the public network at any time and can ping a public network IP address (assumed here to be 1.1.6.1); the corresponding NAT translation session entries, with the branch source address translated to the headquarters public address, can be viewed on RouterA.
      <RouterA> display firewall session table
      Current Total Sessions: 5
        icmp VPN:public --> public 10.1.2.2:61251[1.1.3.1:2053]-->1.1.6.1:2048
        icmp VPN:public --> public 10.1.2.2:62019[1.1.3.1:2054]-->1.1.6.1:2048
        icmp VPN:public --> public 10.1.2.2:62275[1.1.3.1:2055]-->1.1.6.1:2048
        icmp VPN:public --> public 10.1.2.2:62531[1.1.3.1:2056]-->1.1.6.1:2048
        icmp VPN:public --> public 10.1.2.2:62787[1.1.3.1:2057]-->1.1.6.1:2048
    3. After PC2 initiates access (RouterA uses a policy template, so the tunnel must be initiated from the branch side), PC1 and PC2 can access each other.
    4. The corresponding IKE SA can be viewed on RouterA at the headquarters.
      <RouterA> display ike sa
      IKE SA information:
          Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
        ---------------------------------------------------------------------------
           83887864 1.1.5.1:500 RD|A v2:2 IP 1.1.5.1
           83887652 1.1.5.1:500 RD|A v2:1 IP 1.1.5.1
        Number of IKE SA: 2
        ---------------------------------------------------------------------------
        Flag Description:
        RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
        HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
        M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
    5. Branch RouterB can view the IKE SA whose peer is the headquarters. RouterB is the initiator, so its flags include ST.
      <RouterB> display ike sa
      IKE SA information:
          Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
        ---------------------------------------------------------------------------
          62887864 1.1.3.1:500 RD|ST|A v2:2 IP 1.1.3.1
          62887652 1.1.3.1:500 RD|ST|A v2:1 IP 1.1.3.1
        Number of IKE SA: 2
        ---------------------------------------------------------------------------
        Flag Description:
        RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
        HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
        M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
    6. A pair of IPSec SAs (one in each direction) corresponding to branch RouterB can be viewed on headquarters RouterA.
      <RouterA> display ipsec sa brief
      Current ipsec sa num:2
      Spu board slot 1, cpu 1 ipsec sa information:
      Number of SAs:2
          Src address Dst address SPI VPN Protocol Algorithm
      ----------------------------------------------------------------------------
           1.1.5.1 1.1.3.1 3923280450 ESP E:AES-256 A:SHA2_256_128
           1.1.3.1 1.1.5.1 787858613 ESP E:AES-256 A:SHA2_256_128
    7. The matching pair of IPSec SAs (one in each direction) can be viewed on branch RouterB.
      <RouterB> display ipsec sa brief
      Current ipsec sa num:2
      Spu board slot 1, cpu 1 ipsec sa information:
      Number of SAs:2
          Src address Dst address SPI VPN Protocol Algorithm
      ----------------------------------------------------------------------------
           1.1.3.1 1.1.5.1 787858613 ESP E:AES-256 A:SHA2_256_128
           1.1.5.1 1.1.3.1 3923280450 ESP E:AES-256 A:SHA2_256_128
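The RouterA nat-policy in step 1 only works because rules are evaluated top-down and the no-nat rule for inter-site traffic comes before the easy-ip rule; the session table output in step 4 is what lets you confirm that on the device. The following Python script is an added example (not part of the original configuration example) that models RouterA's two NAT rules, predicts the decision for a given source and destination, shows what happens if the rule order is reversed, and checks the translations observed in display firewall session table lines against that model. The zone assignment (10.1.1.0/24 is trust, everything else untrust) and the session sample are assumptions derived from the configuration above.

```python
import ipaddress
import re

# RouterA's nat-policy as configured above; rules are evaluated top-down, first match wins.
NAT_POLICY = [
    {"name": "policy_nat1", "src_zones": {"trust"}, "dst_zones": {"untrust"},
     "src": ["10.1.1.0/24"], "dst": ["10.1.2.0/24", "10.1.3.0/24"], "action": "no-nat"},
    {"name": "policy_nat2", "src_zones": {"trust", "untrust"}, "dst_zones": {"untrust"},
     "src": ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"], "dst": [], "action": "source-nat easy-ip"},
]

def zone_of(ip):
    # Assumed zone model for RouterA: 10.1.1.0/24 is behind GE0/0/3 (trust); all other
    # addresses, including the branch subnets arriving through the tunnel, are reached via GE0/0/1 (untrust).
    return "trust" if ipaddress.ip_address(ip) in ipaddress.ip_network("10.1.1.0/24") else "untrust"

def _matches(ip, nets):
    # A rule with no address condition (empty list) matches any address.
    return not nets or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def nat_decision(src_ip, dst_ip, policy=NAT_POLICY):
    """Action of the first matching rule; traffic matched by no rule is left untranslated."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if (src_zone in rule["src_zones"] and dst_zone in rule["dst_zones"]
                and _matches(src_ip, rule["src"]) and _matches(dst_ip, rule["dst"])):
            return rule["action"]
    return "no-nat"

# One session entry reads src:port[translated:port]-->dst:port; the bracket is present only
# when the source address was translated.
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
SESSION_RE = re.compile(rf"{IP}:\d+(?:\[{IP}:\d+\])?-->{IP}:\d+")

def check_sessions(table_text, outside_ip="1.1.3.1"):
    """Return (src, dst, predicted action, agrees) for every session line in the table."""
    findings = []
    for line in table_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        src, translated, dst = m.groups()
        observed = "source-nat easy-ip" if translated == outside_ip else "no-nat"
        predicted = nat_decision(src, dst)
        findings.append((src, dst, predicted, observed == predicted))
    return findings

# Constructed sample: two entries copied from the verification output above plus one
# untranslated inter-site entry (PC1 to PC2) added here to exercise the no-nat path.
SAMPLE_SESSION_TABLE = """\
 Current Total Sessions: 3
  icmp VPN:public --> public 10.1.1.2:61251[1.1.3.1:2048]-->1.1.5.1:2048
  icmp VPN:public --> public 10.1.2.2:61251[1.1.3.1:2053]-->1.1.6.1:2048
  icmp VPN:public --> public 10.1.1.2:61300-->10.1.2.2:2048
"""
```

Calling nat_decision("10.1.1.2", "10.1.2.2", policy=list(reversed(NAT_POLICY))) returns "source-nat easy-ip", which is the misconfiguration the rule order above avoids: headquarters-to-branch traffic would be translated to 1.1.3.1 before reaching the IPSec policy.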