Summary of exam points on IPsec VPN configuration (Network Engineer certification exam)

IPsec VPN (Huawei) configuration workflow

  1. Configure a security ACL: define which traffic is to be protected
  2. Configure an IPsec security proposal: set the IPsec parameters
  3. Configure IKE: pre-shared key, authentication method, encryption algorithm and other security parameters
  4. Configure a security policy: associate the ACL and proposal from steps 1 and 2 (together with the IKE peer)
  5. Apply the security policy to an interface

Specific configuration commands:

1. Define the data flow to be protected with an ACL

[R1]acl 3000

[R1-acl-adv-3000]rule permit ip source 50.50.50.0 0.0.0.255 destination 60.60.60.0 0.0.0.255

//The peer device's configuration is similar, except that the source and destination addresses are swapped.

2. Configure the IPsec security proposal (encapsulation mode, security protocol, encryption algorithm and authentication algorithm)

[R1]ipsec proposal tran1  //Name the IPsec security proposal and enter its view

[R1-ipsec-proposa-tran1]encapsulation-mode tunnel

//Work in tunnel mode (transport mode is the alternative)

[R1-ipsec-proposa-tran1]transform esp

//Use ESP as the security protocol (AH is the alternative; ESP is the default)

[R1-ipsec-proposa-tran1]esp encryption-algorithm 3des

//Use 3DES for data confidentiality (DES and AES are alternatives)

[R1-ipsec-proposa-tran1]esp authentication-algorithm sha1

//Use the SHA1 hash algorithm for message integrity (MD5 is the alternative)

[R1-ipsec-proposa-tran1]quit

//The peer device's configuration is identical

3. Configure IKE peers

[R1]ike peer peer1  //Name the IKE peer and enter its view

[R1-ike-peer-peer1]pre-shared-key simple Huawei

//Configure a pre-shared key (in the exam this is normally simple password authentication). If the gateway devices at both ends hold the same key, they become IKE peers, i.e. the two security gateways of the tunnel.

[R1-ike-peer-peer1]remote-address 20.20.20.1

//Specify the peer IP address

[R1-ike-peer-peer1]quit

//The peer configuration is similar, except that the remote address specified is 30.30.30.1

IKE proposals can also be configured (a common exam question type: explain the commands):

[R1]ike proposal {proposal-number}

//The smaller the number, the higher the priority

[R1-ike-proposal-10]encryption-algorithm {3des-cbc|aes-cbc[key-length]|des-cbc}

//Default: 56-bit DES in CBC mode

[R1-ike-proposal-10]authentication-method {pre-share|rsa-signature}  //Default pre-share (pre-shared key)

[R1-ike-proposal-10]authentication-algorithm {md5|sha}

//Default: SHA-1 authentication algorithm

[R1-ike-proposal-10]dh {group1 (768 bits) | group2 (1024 bits) | group3 (1536 bits) | group4 (2048 bits)}

//Diffie-Hellman group used for key exchange; default group1

[R1-ike-proposal-10]sa duration seconds

//Set the security association lifetime in seconds; the default is 86400

If no IKE proposal is configured, the default one is used: DES, SHA-1, pre-share, group1, 86400 seconds

4. Configure the IPsec security policy (associating steps 1 and 2)

[R1]ipsec policy csaimap 1 isakmp  //Name the security policy (policy group csaimap, sequence number 1, negotiated via IKE)

[R1-ipsec-policy-isakmp-csaimap-1]proposal tran1

[R1-ipsec-policy-isakmp-csaimap-1]security acl 3000

[R1-ipsec-policy-isakmp-csaimap-1]ike-peer peer1

[R1-ipsec-policy-isakmp-csaimap-1]quit

//The peer device's configuration is identical

5. Apply the IPsec security policy group to the interface

[R1]interface s0/0

[R1-Serial0/0]ipsec policy csaimap

//Apply on the interfaces at both ends of the tunnel

//The peer device's configuration is essentially the same, but note that the peer address must be changed.
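As an added example (not from the original page or from Huawei), a small Python checker that parses the commands from steps 1 to 3 for both gateways and reports the mismatches the peer configuration must avoid: the ACL must be mirrored, the proposal parameters and pre-shared key must match, and each remote-address must point at the other end. The configuration excerpts are constructed from the page's own values, and the regexes cover only the commands shown here.

```python
import re
# Constructed excerpts following the page's steps 1-3 (not output from a real device);
# R1 is 30.30.30.1 and its peer R2 is 20.20.20.1, the addresses used on the page.
R1_CFG = """
acl 3000
 rule permit ip source 50.50.50.0 0.0.0.255 destination 60.60.60.0 0.0.0.255
ipsec proposal tran1
 encapsulation-mode tunnel
 transform esp
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
ike peer peer1
 pre-shared-key simple Huawei
 remote-address 20.20.20.1
"""
# R2 is the mirror image: ACL addresses swapped, remote-address pointing back at R1.
R2_CFG = R1_CFG.replace("source 50.50.50.0 0.0.0.255 destination 60.60.60.0",
                        "source 60.60.60.0 0.0.0.255 destination 50.50.50.0").replace("20.20.20.1", "30.30.30.1")
PATTERNS = {  # one regex per parameter the two ends must agree on
    "acl": r"rule permit ip source (\S+) \S+ destination (\S+) \S+",
    "mode": r"encapsulation-mode (\S+)",
    "enc": r"esp encryption-algorithm (\S+)",
    "auth": r"esp authentication-algorithm (\S+)",
    "psk": r"pre-shared-key \S+ (\S+)",
    "remote": r"remote-address (\S+)",
}
LEGACY = {"des", "3des", "md5"}  # still accepted by the CLI, no longer recommended

def parse(cfg):
    # Extract the negotiated parameters from one gateway's configuration text
    found = {}
    for line in cfg.splitlines():
        for key, pat in PATTERNS.items():
            m = re.match(pat, line.strip())
            if m:  # the ACL rule keeps both addresses, every other key a single value
                found[key] = m.groups() if key == "acl" else m.group(1)
    return found

def check_pair(local, peer, local_addr, peer_addr):
    # Return the mismatches that would stop the two gateways from negotiating
    problems = []
    if local.get("acl") != tuple(reversed(peer.get("acl", ()))):  # step 1: mirrored ACL
        problems.append("acl not mirrored on peer")
    for key in ("mode", "enc", "auth", "psk"):  # steps 2-3: identical on both ends
        if local.get(key) != peer.get(key):
            problems.append(f"{key} mismatch")
    if local.get("remote") != peer_addr or peer.get("remote") != local_addr:
        problems.append("remote-address does not point at the other gateway")
    problems += [f"legacy algorithm {a}" for a in (local.get("enc"), local.get("auth")) if a in LEGACY]
    return problems

PROBLEMS = check_pair(parse(R1_CFG), parse(R2_CFG), "30.30.30.1", "20.20.20.1")
```

With the page's values the only finding is the legacy 3DES cipher; copying R1's configuration unchanged to R2 is reported as an unmirrored ACL and a wrong remote-address.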

Note: exam questions usually focus on VPN principles; configuration commands are tested by asking you to explain them or to fill in the blanks.

3. Policy routing (Huawei)

Concept: ordinary routing forwards packets according to the routing table, whereas policy routing filters and forwards packets according to rules. It is an effective enhancement of traditional routing and is usually used in load-balanced networks.

Priority: policy routing takes precedence over static routing (preference 60) and dynamic routing (preference depends on the protocol).

Typical use: traffic to China Unicom servers goes out over the China Unicom line, and traffic to China Telecom servers over the China Telecom line.

Understanding the configuration commands is required.


Source: blog.csdn.net/ducanwang/article/details/133189123