Configuring Failover IPSec Site-to-Site VPN With Dual WAN Links and NQA Tracking on Huawei Routers

1. Overview

In some site-to-site IPSec VPN deployments, whether an international VPN or a small office VPN, the uptime of the VPN connection must be guaranteed. To meet this objective, we can use redundant WAN links with NQA tracking on Huawei routers to automatically switch the VPN connection from one ISP to the other.

This tutorial shows how to configure a site-to-site IPSec VPN on a Huawei AR2240 series router over two WAN links with NQA tracking, giving a redundant connection between two office locations. The configuration here should apply to all Huawei AR2200 series routers.

2. Prerequisites

In this tutorial, it is assumed that:

a. You already have Huawei eNSP up and running. If you don't, please follow this link: Huawei Network Device Simulation With eNSP
b. You understand the encryption and authentication that happen in phase 1 and phase 2 of an IPSec VPN.

3. Lab Scenario Setup

To demonstrate configuring a site-to-site IPSec VPN with Huawei NQA tracking the availability of the WAN links on a Huawei AR2240 router, we will set up an eNSP lab as in the following diagram.

There are two Huawei routers: HQRT01, located in the head office, and BRRT01, located in the branch office. Two other routers act as two different internet connections for dual WAN redundancy. The following is the IP configuration of each device.

On PC1

  • IP Address: 10.10.10.10/24
  • Gateway: 10.10.10.1

On HQRT01

] int g0/0/0
    undo sh
    ip add 10.10.10.1 255.255.255.0
] int g0/0/1
    undo sh
    ip add 100.100.100.1 255.255.255.252
] int g0/0/2
    undo sh
    ip add 200.200.200.1 255.255.255.252

On ISP01 router

] int g0/0/0
    undo sh
    ip add 100.100.100.2 255.255.255.252
] int g0/0/1
    undo sh
    ip add 101.101.101.2 255.255.255.252

On ISP02 router

] int g0/0/0
    undo sh
    ip add 200.200.200.2 255.255.255.252
] int g0/0/1
    undo sh
    ip add 201.201.201.2 255.255.255.252

On BRRT01

] int g0/0/0
    undo sh
    ip add 20.20.20.1 255.255.255.0
] int g0/0/1
    undo sh
    ip add 101.101.101.1 255.255.255.252
] int g0/0/2
    undo sh
    ip add 201.201.201.1 255.255.255.252

On PC2

  • IP Address: 20.20.20.10/24
  • Gateway: 20.20.20.1

4. IPSec VPN Site-to-Site Form

The following is the information the site-to-site IPSec VPN configuration will use.

Firewall Type      Headquarter       Branch Office
Manufacturer       Huawei            Huawei
Model              Router AR2220     Router AR2220
Version            5.130             5.130

Configuration                         Headquarter                                       Branch Office
Phase 1
  IKE Encryption Algorithm            3DES                                              3DES
  IKE Hash Algorithm                  SHA-1                                             SHA-1
  IKE Security Lifetime               86400                                             86400
  Diffie-Hellman Group                2                                                 2
  Pre-shared key                      vpn@HQ2BR                                         vpn@HQ2BR
Phase 2
  IPSec security protocol             ESP                                               ESP
  IPSec Encryption Algorithm          3DES                                              3DES
  IPSec Hash Algorithm                SHA-1                                             SHA-1
  IPSec Security Lifetime (optional)  □ 14400 □ 28800 (default) □ 86400 □ Other: ……….   □ 14400 □ 28800 (default) □ 86400 □ Other: ……….
  Perfect Forward Secrecy (optional)  PFS □ No □ Yes; Group □ 2 (default) □ 5 □ 7       PFS □ No □ Yes; Group □ 2 (default) □ 5 □ 7

IP Addressing      Headquarter       Branch Office
Peer IP address    200.200.200.1     100.100.100.1
Local IP address   10.0.0.0/24       10.0.2.0/24

5. Configuration

5.1 Configure NQA Tracking And Default Route

Apply the following NQA tracking and static route configuration. The backup route carries a higher preference, so it is used only when the tracked primary route is withdrawn.

On HQRT01

] nqa test-instance isp01 icmp
    test-type icmp
    destination-address ipv4 101.101.101.1
    frequency 10
    start now
] ip route-static 20.20.20.0 255.255.255.0 100.100.100.2 track nqa isp01 icmp
] ip route-static 20.20.20.0 255.255.255.0 200.200.200.2 preference 200

On BRRT01

] nqa test-instance isp01 icmp
    test-type icmp
    destination-address ipv4 100.100.100.1
    frequency 10
    start now
] ip route-static 10.10.10.0 255.255.255.0 101.101.101.2 track nqa isp01 icmp
] ip route-static 10.10.10.0 255.255.255.0 201.201.201.2 preference 200

After applying the NQA tracking and route configuration, HQRT01 and BRRT01 should be able to ping each other's public IP address.

On HQRT01

] ping 101.101.101.1
  PING 101.101.101.1: 56  data bytes, press CTRL_C to break
    Reply from 101.101.101.1: bytes=56 Sequence=1 ttl=254 time=230 ms
    Reply from 101.101.101.1: bytes=56 Sequence=2 ttl=254 time=180 ms
    Reply from 101.101.101.1: bytes=56 Sequence=3 ttl=254 time=50 ms
    Reply from 101.101.101.1: bytes=56 Sequence=4 ttl=254 time=30 ms
    Reply from 101.101.101.1: bytes=56 Sequence=5 ttl=254 time=30 ms

  --- 101.101.101.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/104/230 ms

On BRRT01

] ping 100.100.100.1
  PING 100.100.100.1: 56  data bytes, press CTRL_C to break
    Reply from 100.100.100.1: bytes=56 Sequence=1 ttl=254 time=130 ms
    Reply from 100.100.100.1: bytes=56 Sequence=2 ttl=254 time=50 ms
    Reply from 100.100.100.1: bytes=56 Sequence=3 ttl=254 time=30 ms
    Reply from 100.100.100.1: bytes=56 Sequence=4 ttl=254 time=30 ms
    Reply from 100.100.100.1: bytes=56 Sequence=5 ttl=254 time=30 ms

  --- 100.100.100.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/54/130 ms

5.2 Set Up IKE Policy

Configure IKE to negotiate a Security Association (SA) with the peer; this provides the protected channel over which the two VPN endpoints negotiate the rest of the tunnel. Apply the following commands on both HQRT01 and BRRT01.

] ike proposal 1
    authentication-algorithm sha1
    encryption-algorithm 3des-cbc
    dh group2
    sa duration 86400

5.3 Create IPSec Proposal

Next we need to create an IPSec proposal that defines the encryption and authentication for the IPSec tunnel. The following commands, executed on HQRT01, create an IPSec proposal named “PS01-3DES-SHA”.

] ipsec proposal PS01-3DES-SHA
    encapsulation-mode tunnel
    transform esp
    esp authentication-algorithm sha1
    esp encryption-algorithm 3des

Apply the following configuration on BRRT01 to create an IPSec proposal named “PS01-3DES-SHA”.

] ipsec proposal PS01-3DES-SHA
    encapsulation-mode tunnel
    transform esp
    esp authentication-algorithm sha1
    esp encryption-algorithm 3des

5.4 Create ACL For VPN Tunnel

To match the traffic that should be sent through the IPSec VPN tunnel, an ACL must be created.

Create the following ACL on HQRT01.

] acl 3000
    rule 10 permit ip source 10.10.10.0 0.0.0.255 destination 20.20.20.0 0.0.0.255

Create the following ACL on BRRT01.

] acl 3000
    rule 10 permit ip source 20.20.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255

5.5 Create IKE Peer

Create an IKE peer for the site-to-site IPSec VPN connection. Pre-shared key authentication is configured here.

On HQRT01

] ike peer 101.101.101.1 V1
    pre-shared-key cipher vpn@HQ2BR
    remote-address 101.101.101.1
    ike-proposal 1

On BRRT01

] ike peer 100.100.100.1 V1
    pre-shared-key cipher vpn@HQ2BR
    remote-address 100.100.100.1
    ike-proposal 1

5.6 Apply Proposal and IKE Peer

The final step is to create an IPSec policy that ties together the IPSec proposal, the ACL, and the IKE peer configured in the previous steps for this VPN peer, and to apply the policy to the interface connected to the internet.

On HQRT01

] ipsec policy POLICY1 10 isakmp
    proposal PS01-3DES-SHA
    security acl 3000
    ike-peer 101.101.101.1

] int GE0/0/1
    ipsec policy POLICY1

On BRRT01

] ipsec policy POLICY1 10 isakmp
    proposal PS01-3DES-SHA
    security acl 3000
    ike-peer 100.100.100.1

] int GE0/0/1
    ipsec policy POLICY1

5.7 Test and Verify the Configuration

To bring up the site-to-site IPSec VPN tunnel, we need to ping the IP address of a host at the remote site. Let's test by pinging from PC1 in headquarters to PC2 in the branch office.

PC>ping 20.10.20.10

Ping 20.10.20.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 20.10.20.10: bytes=32 seq=2 ttl=127 time=62 ms
From 20.10.20.10: bytes=32 seq=3 ttl=127 time=31 ms
From 20.10.20.10: bytes=32 seq=4 ttl=127 time=47 ms
From 20.10.20.10: bytes=32 seq=5 ttl=127 time=47 ms

--- 20.10.20.10 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/46/62 ms

Since the ping to the host at the remote site succeeded, the IPSec VPN tunnel should be up and running. We can verify it with the following command on HQRT01.

] dis ipsec sa peerip 101.101.101.1

===============================
Interface: GigabitEthernet0/0/1
 Path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "POLICY1"
  Sequence number  : 10
  Acl Group        : 3000
  Acl rule         : 10
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 4
    Encapsulation mode: Tunnel
    Tunnel local      : 100.100.100.1
    Tunnel remote     : 101.101.101.1
    Flow source       : 10.10.10.0/255.255.255.0 0/0
    Flow destination  : 20.20.20.0/255.255.255.0 0/0
    Qos pre-classify  : Disable

    [Outbound ESP SAs] 
      SPI: 2851413544 (0xa9f51e28)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): 1887436800/1848
      Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs] 
      SPI: 2073531348 (0x7b9793d4)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): 1887436800/1848
      Max received sequence-number: 0
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N
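As an added check that is not part of the original tutorial, the following Python script parses `display ipsec sa` output (the constructed sample mirrors the output above) and flags what an operator would want to know: a tunnel established to the wrong peer, a missing SA direction, legacy algorithms such as 3DES and SHA-1, or an SA about to rekey. The function names and the 300-second rekey threshold are my own assumptions.

```python
import re
# Constructed sample modelled on the `display ipsec sa` output shown above; not a live capture.
SAMPLE_SA_OUTPUT = """\
    Tunnel local      : 100.100.100.1
    Tunnel remote     : 101.101.101.1
    [Outbound ESP SAs]
      SPI: 2851413544 (0xa9f51e28)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): 1887436800/1848
    [Inbound ESP SAs]
      SPI: 2073531348 (0x7b9793d4)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): 1887436800/1848
"""
LEGACY_ALGS = {"DES", "3DES", "MD5", "SHA1"}   # as VRP prints them; below a current baseline

def parse_ipsec_sa(text):
    """Parse tunnel endpoints and each ESP SA block of `display ipsec sa` output into a dict."""
    info, sa = {"sas": []}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = re.match(r"\[(Inbound|Outbound) ESP SAs\]", line)
        if m:                                   # a new SA block starts here
            sa = {"direction": m.group(1).lower()}
            info["sas"].append(sa)
            continue
        key, _, val = (p.strip() for p in line.partition(":"))
        if key in ("Tunnel local", "Tunnel remote"):
            info[key.split()[1]] = val          # info["local"], info["remote"]
        elif sa is not None and key == "SPI":
            sa["spi"] = int(val.split()[0])     # decimal SPI; the hex form in parentheses is ignored
        elif sa is not None and key == "Proposal":
            sa["proposal"] = val.split()        # e.g. ['ESP-ENCRYPT-3DES-192', 'ESP-AUTH-SHA1']
        elif sa is not None and key.startswith("SA remaining key duration"):
            sa["remaining_bytes"], sa["remaining_sec"] = map(int, val.split("/"))
    return info

def audit_tunnel(info, expected_remote, min_sec=300):
    """Return findings a health check would raise; an empty list means the tunnel looks healthy."""
    findings = []
    if info.get("remote") != expected_remote:
        findings.append(f"tunnel remote is {info.get('remote')}, expected {expected_remote}")
    if {s["direction"] for s in info["sas"]} != {"inbound", "outbound"}:
        findings.append("missing inbound or outbound SA: tunnel is not fully established")
    for s in info["sas"]:
        # the algorithm is the third dash-separated field of each proposal token
        for alg in (t.split("-")[2] for t in s.get("proposal", []) if t.count("-") >= 2):
            if alg in LEGACY_ALGS:
                findings.append(f"{s['direction']} SA uses legacy algorithm {alg}")
        if s.get("remaining_sec", 0) < min_sec:
            findings.append(f"{s['direction']} SA rekeys in {s.get('remaining_sec')}s")
    return findings
```

Run against the sample, the audit reports the 3DES and SHA-1 proposals on both SAs, which is the expected result for the lab's IKE and IPSec proposals.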

We can test the failover by disconnecting ISP01; we should still be able to ping the LAN IP address of the branch office.

PC>ping 20.10.20.10

Ping 20.10.20.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 20.10.20.10: bytes=32 seq=2 ttl=127 time=62 ms
From 20.10.20.10: bytes=32 seq=3 ttl=127 time=31 ms
From 20.10.20.10: bytes=32 seq=4 ttl=127 time=47 ms
From 20.10.20.10: bytes=32 seq=5 ttl=127 time=47 ms

--- 20.10.20.10 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/46/62 ms

6. Conclusion

Having finished this article, you should be able to configure a failover site-to-site IPSec VPN with dual WAN links (or dual VPNs) and NQA tracking on Huawei AR2200 series routers. It is a good idea to practice with Huawei eNSP to verify your understanding. If you have any questions or suggestions, you can always leave a comment below. I will do my best to review and reply to them.
