1. Overview
In a site-to-site IPSec VPN, whether it joins offices across countries or a small office to headquarters, the VPN connection often has to stay up. On Huawei routers this can be done with redundant WAN links and NQA tracking: a probe watches the path through one ISP, and when the probe fails the router withdraws the primary route so that the VPN traffic switches over to the other ISP.
This tutorial shows how to configure a site-to-site IPSec VPN on a Huawei AR2240 router over two WAN links with NQA tracking, giving a redundant connection between two office locations. The configuration should apply to the whole Huawei AR2200 series.
2. Prerequisites
In this tutorial, it is assumed that:
a. You already have Huawei eNSP up and running. If not, follow this link: Huawei Network Device Simulation With eNSP
b. You understand the encryption and authentication that happen in phase 1 (IKE) and phase 2 (IPSec) of an IPSec VPN.
3. Lab Scenario Set up
To demonstrate a site-to-site IPSec VPN on a Huawei AR2240 with NQA tracking the availability of the WAN links, we set up an eNSP lab as in the following diagram.
There are two Huawei routers: HQRT01 in the head office and BRRT01 in the branch office. Two further routers, ISP01 and ISP02, act as two different Internet connections for dual-WAN redundancy. The IP configuration of each device is as follows.
On PC1
- IP Address: 10.10.10.10/24
- Gateway: 10.10.10.1
On HQRT01
```
int g0/0/0
 undo sh
 ip add 10.10.10.1 255.255.255.0
int g0/0/1
 undo sh
 ip add 100.100.100.1 255.255.255.252
int g0/0/2
 undo sh
 ip add 200.200.200.1 255.255.255.252
```
On ISP01 router
```
int g0/0/0
 undo sh
 ip add 100.100.100.2 255.255.255.252
int g0/0/1
 undo sh
 ip add 101.101.101.2 255.255.255.252
```
On ISP02 router
```
int g0/0/0
 undo sh
 ip add 200.200.200.2 255.255.255.252
int g0/0/1
 undo sh
 ip add 201.201.201.2 255.255.255.252
```
On BRRT01
```
int g0/0/0
 undo sh
 ip add 20.20.20.1 255.255.255.0
int g0/0/1
 undo sh
 ip add 101.101.101.1 255.255.255.252
int g0/0/2
 undo sh
 ip add 201.201.201.1 255.255.255.252
```
(g0/0/1 faces ISP01 and g0/0/2 faces ISP02, mirroring HQRT01.)
On PC2
- IP Address: 20.20.20.10/24
- Gateway: 20.20.20.1
4. IPSec VPN Site-to-Site Form
The following information is used in the site-to-site IPSec VPN configuration. Parameters marked optional are left at the device defaults in this tutorial.
| Device | Headquarter | Branch Office |
| Manufacturer | Huawei | Huawei |
| Model | Router AR2220 | Router AR2220 |
| Version | 5.130 | 5.130 |

| Configuration | Headquarter | Branch Office |
| Phase 1 (IKE) | | |
| IKE Encryption Algorithm | 3DES | 3DES |
| IKE Hash Algorithm | SHA-1 | SHA-1 |
| IKE SA Lifetime (seconds) | 86400 | 86400 |
| Diffie-Hellman Group | 2 | 2 |
| Pre-shared key | vpn@HQ2BR | vpn@HQ2BR |
| Phase 2 (IPSec) | | |
| IPSec Security Protocol | ESP | ESP |
| IPSec Encryption Algorithm | 3DES | 3DES |
| IPSec Hash Algorithm | SHA-1 | SHA-1 |
| IPSec SA Lifetime (optional) | not set (device default 3600 s / 1843200 KB, visible in the SA output in 5.7) | not set (device default) |
| Perfect Forward Secrecy (PFS) (optional) | No (not configured) | No (not configured) |

| IP Addressing | Headquarter | Branch Office |
| Peer IP address (primary link via ISP01) | 101.101.101.1 | 100.100.100.1 |
| Local network | 10.10.10.0/24 | 20.20.20.0/24 |
5. Configuration
5.1 Configure NQA Tracking And Static Routes
Apply the following NQA tracking and static-route configuration. The NQA instance sends an ICMP probe every 10 seconds to the peer's WAN address on the ISP01 side. The route to the remote LAN via ISP01 is tied to that instance and is withdrawn while the probe fails; the route via ISP02 carries preference 200 (Huawei static routes default to preference 60, and lower is preferred), so it is installed only while the tracked route is absent.
On HQRT01
```
nqa test-instance isp01 icmp
 test-type icmp
 destination-address ipv4 101.101.101.1
 frequency 10
 start now
ip route-static 20.20.20.0 255.255.255.0 100.100.100.2 track nqa isp01 icmp
ip route-static 20.20.20.0 255.255.255.0 200.200.200.2 preference 200
```
On BRRT01
```
nqa test-instance isp01 icmp
 test-type icmp
 destination-address ipv4 100.100.100.1
 frequency 10
 start now
ip route-static 10.10.10.0 255.255.255.0 101.101.101.2 track nqa isp01 icmp
ip route-static 10.10.10.0 255.255.255.0 201.201.201.2 preference 200
```
After applying the NQA tracking and static-route configuration, HQRT01 and BRRT01 should be able to ping each other's WAN address through ISP01 (these addresses are also the NQA probe targets, so this ping confirms the probe can succeed).
On HQRT01
```
ping 101.101.101.1
  PING 101.101.101.1: 56  data bytes, press CTRL_C to break
    Reply from 101.101.101.1: bytes=56 Sequence=1 ttl=254 time=230 ms
    Reply from 101.101.101.1: bytes=56 Sequence=2 ttl=254 time=180 ms
    Reply from 101.101.101.1: bytes=56 Sequence=3 ttl=254 time=50 ms
    Reply from 101.101.101.1: bytes=56 Sequence=4 ttl=254 time=30 ms
    Reply from 101.101.101.1: bytes=56 Sequence=5 ttl=254 time=30 ms

  --- 101.101.101.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/104/230 ms
```
On BRRT01
```
ping 100.100.100.1
  PING 100.100.100.1: 56  data bytes, press CTRL_C to break
    Reply from 100.100.100.1: bytes=56 Sequence=1 ttl=254 time=130 ms
    Reply from 100.100.100.1: bytes=56 Sequence=2 ttl=254 time=50 ms
    Reply from 100.100.100.1: bytes=56 Sequence=3 ttl=254 time=30 ms
    Reply from 100.100.100.1: bytes=56 Sequence=4 ttl=254 time=30 ms
    Reply from 100.100.100.1: bytes=56 Sequence=5 ttl=254 time=30 ms

  --- 100.100.100.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/54/130 ms
```
5.2 Set Up IKE Policy
Configure an IKE proposal. IKE uses it to negotiate the phase 1 SA (Security Association) with the peer; that SA protects the channel over which the IPSec SAs are negotiated. Apply the following on both HQRT01 and BRRT01.
```
ike proposal 1
 authentication-algorithm sha1
 encryption-algorithm 3des-cbc
 dh group2
 sa duration 86400
```
3DES, SHA-1 and DH group 2 are used here to match the form above and because older AR firmware offers little else; all three are deprecated today, so prefer AES, SHA-2 and DH group 14 or higher wherever the firmware supports them, on both routers.
5.3 Create IPSec Proposal
Next, create an IPSec proposal, which sets the encapsulation, encryption and authentication for the phase 2 (IPSec) SAs. The following commands create an IPSec proposal named "PS01-3DES-SHA" on HQRT01.
```
ipsec proposal PS01-3DES-SHA
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
```
Apply the same configuration on BRRT01 to create the IPSec proposal "PS01-3DES-SHA" there. The proposals must match on both ends or phase 2 negotiation fails.
```
ipsec proposal PS01-3DES-SHA
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
```
5.4 Create ACL For VPN Tunnel
An ACL selects the traffic that enters the IPSec tunnel. The two ACLs must mirror each other: the source and destination on the branch side are the destination and source on the headquarters side, otherwise the proxy IDs do not match during phase 2 negotiation.
Create the following ACL on HQRT01.
```
acl 3000
 rule 10 permit ip source 10.10.10.0 0.0.0.255 destination 20.20.20.0 0.0.0.255
```
Create the following ACL on BRRT01.
```
acl 3000
 rule 10 permit ip source 20.20.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
```
5.5 Create IKE Peer
Create an IKE peer for the site-to-site connection; pre-shared-key authentication is configured here. The peer name is arbitrary (this tutorial uses the remote WAN address as the name), the remote address is the peer's WAN address on the ISP01 side, and both routers must use the same key. The key shown is a lab value; use a long random key in production.
On HQRT01
```
ike peer 101.101.101.1 v1
 pre-shared-key cipher vpn@HQ2BR
 remote-address 101.101.101.1
 ike-proposal 1
```
On BRRT01
```
ike peer 100.100.100.1 v1
 pre-shared-key cipher vpn@HQ2BR
 remote-address 100.100.100.1
 ike-proposal 1
```
5.6 Apply Proposal and IKE Peer
In the final step, an IPSec policy ties together the IPSec proposal, the ACL and the IKE peer configured in the previous steps for this VPN peer, and the policy is applied to the interface that connects to the Internet. Only traffic that leaves through an interface carrying the policy and matches the ACL is encrypted. Note that this tutorial binds one policy, with one IKE peer, to a single WAN interface on each router: after the NQA route switch, packets for the remote LAN leave through the other WAN interface, where no policy applies, and would be forwarded to that ISP in clear. For the backup link to carry the tunnel, a policy whose IKE peer points at the backup addresses (201.201.201.1 from HQ, 200.200.200.1 from the branch) must also be bound to g0/0/2 on each router.
On HQRT01
```
ipsec policy POLICY1 10 isakmp
 proposal PS01-3DES-SHA
 security acl 3000
 ike-peer 101.101.101.1
int GE0/0/1
 ipsec policy POLICY1
```
The policy goes on GigabitEthernet0/0/1, the ISP01-facing WAN interface (100.100.100.1), as the SA output in 5.7 confirms; g0/0/0 is the LAN interface.
On BRRT01
```
ipsec policy POLICY1 10 isakmp
 proposal PS01-3DES-SHA
 security acl 3000
 ike-peer 100.100.100.1
int GE0/0/1
 ipsec policy POLICY1
```
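The steps in 5.1 to 5.6 bind one IKE peer and one policy to one WAN interface per router. The following is an added example, not configuration from the original article, that puts the whole HQRT01 configuration together and adds a second IKE peer and policy on the ISP02 interface, so the tunnel can be rebuilt on the backup link after the NQA-tracked route switches. The peer names BR-ISP01/BR-ISP02, the policy name POLICY2 and the commented stronger phase 1 proposal are my own assumptions (the stronger algorithms assume firmware that offers them); all addresses and other values are the article's. Lines beginning with # are explanatory, not commands.

```text
# Added example (not from the article): HQRT01 with the VPN bound to BOTH WAN
# interfaces. BRRT01 mirrors it with the addresses swapped (see the end).
#
# --- NQA probe through ISP01, tracked primary route, floating backup route ---
nqa test-instance isp01 icmp
 test-type icmp
 destination-address ipv4 101.101.101.1
 frequency 10
 start now
ip route-static 20.20.20.0 255.255.255.0 100.100.100.2 track nqa isp01 icmp
ip route-static 20.20.20.0 255.255.255.0 200.200.200.2 preference 200
#
# --- Phase 1: the article's proposal. The commented block is the stronger
#     alternative to use where the firmware supports AES/SHA-2/group14 (assumed).
ike proposal 1
 authentication-algorithm sha1
 encryption-algorithm 3des-cbc
 dh group2
 sa duration 86400
# ike proposal 1
#  authentication-algorithm sha2-256
#  encryption-algorithm aes-cbc-256
#  dh group14
#  sa duration 86400
#
# --- Phase 2 proposal and the traffic selector ---
ipsec proposal PS01-3DES-SHA
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
acl 3000
 rule 10 permit ip source 10.10.10.0 0.0.0.255 destination 20.20.20.0 0.0.0.255
#
# --- One IKE peer per branch WAN address (assumed names). A distinct PSK per
#     peer limits the damage if one key leaks; the lab reuses one key.
ike peer BR-ISP01 v1
 pre-shared-key cipher vpn@HQ2BR
 remote-address 101.101.101.1
 ike-proposal 1
ike peer BR-ISP02 v1
 pre-shared-key cipher vpn@HQ2BR
 remote-address 201.201.201.1
 ike-proposal 1
#
# --- One policy per WAN interface, each pointing at the peer reachable
#     through that ISP. Both select traffic with the same ACL.
ipsec policy POLICY1 10 isakmp
 proposal PS01-3DES-SHA
 security acl 3000
 ike-peer BR-ISP01
ipsec policy POLICY2 10 isakmp
 proposal PS01-3DES-SHA
 security acl 3000
 ike-peer BR-ISP02
interface GigabitEthernet0/0/1
 ipsec policy POLICY1
interface GigabitEthernet0/0/2
 ipsec policy POLICY2
#
# --- BRRT01: only what differs from HQRT01 ---
# nqa destination-address ipv4 100.100.100.1
# ip route-static 10.10.10.0 255.255.255.0 101.101.101.2 track nqa isp01 icmp
# ip route-static 10.10.10.0 255.255.255.0 201.201.201.2 preference 200
# acl 3000 rule 10 permit ip source 20.20.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
# ike peer HQ-ISP01 v1 with remote-address 100.100.100.1 (POLICY1 on g0/0/1)
# ike peer HQ-ISP02 v1 with remote-address 200.200.200.1 (POLICY2 on g0/0/2)
```

With this layout the route switch and the tunnel switch happen together: once the NQA probe fails, the first packet for 20.20.20.0/24 leaves g0/0/2, matches ACL 3000 under POLICY2 and triggers IKE toward 201.201.201.1 over ISP02. The old SAs toward 101.101.101.1 remain in the SA table until their lifetime expires; they do no harm, but do not mistake them for a working tunnel when verifying.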
5.7 Test and Verify the Configuration
To bring up the site-to-site IPSec tunnel, send traffic that matches the ACL, for example a ping from PC1 in the headquarters to PC2 (20.20.20.10) in the branch office.
```
PC>ping 20.20.20.10

Ping 20.20.20.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 20.20.20.10: bytes=32 seq=2 ttl=127 time=62 ms
From 20.20.20.10: bytes=32 seq=3 ttl=127 time=31 ms
From 20.20.20.10: bytes=32 seq=4 ttl=127 time=47 ms
From 20.20.20.10: bytes=32 seq=5 ttl=127 time=47 ms

--- 20.20.20.10 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/46/62 ms
```
The first request times out because it triggers the IKE negotiation and is dropped while the SAs are being built; the remaining replies show the tunnel is up. Verify it on HQRT01 with the following command. Check that the interface, tunnel endpoints and flow match the design (here 100.100.100.1 to 101.101.101.1, 10.10.10.0/24 to 20.20.20.0/24) and that the proposal is the one you configured; the remaining key duration of 1848 seconds also shows the default 3600-second IPSec SA lifetime in effect.
```
dis ipsec sa peerip 101.101.101.1
===============================
Interface: GigabitEthernet0/0/1
Path MTU: 1500
===============================

-----------------------------
IPSec policy name: "POLICY1"
Sequence number  : 10
Acl Group        : 3000
Acl rule         : 10
Mode             : ISAKMP
-----------------------------
Connection ID     : 4
Encapsulation mode: Tunnel
Tunnel local      : 100.100.100.1
Tunnel remote     : 101.101.101.1
Flow source       : 10.10.10.0/255.255.255.0 0/0
Flow destination  : 20.20.20.0/255.255.255.0 0/0
Qos pre-classify  : Disable

[Outbound ESP SAs]
SPI: 2851413544 (0xa9f51e28)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436800/1848
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]
SPI: 2073531348 (0x7b9793d4)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436800/1848
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
```
To test the failover, disconnect the link to ISP01 (for example, shut down g0/0/1 on HQRT01). Once the NQA probes fail, the tracked route is withdrawn and the preference-200 route via ISP02 takes over, and PC1 should still reach the branch LAN. A successful ping alone is not proof that the traffic is still encrypted: confirm that the route to 20.20.20.0/24 now points at 200.200.200.2 and that IPSec SAs exist on the backup interface.
```
PC>ping 20.20.20.10

Ping 20.20.20.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 20.20.20.10: bytes=32 seq=2 ttl=127 time=62 ms
From 20.20.20.10: bytes=32 seq=3 ttl=127 time=31 ms
From 20.20.20.10: bytes=32 seq=4 ttl=127 time=47 ms
From 20.20.20.10: bytes=32 seq=5 ttl=127 time=47 ms

--- 20.20.20.10 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/46/62 ms
```
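The following is an added check list, not output or commands from the original article, to run on HQRT01 after the ISP01 link is pulled. The expected values assume the article's addressing and a second IPSec policy bound to GigabitEthernet0/0/2 peering with 201.201.201.1 (an assumption; the article binds a policy to one WAN interface only). Lines beginning with # are explanatory, not commands.

```text
# Added example (not from the article): failover checks on HQRT01.
#
# 1. Is the probe really failing? Expect lost packets / a failed completion.
display nqa results test-instance isp01 icmp
#
# 2. Did the tracked route disappear? Expect next hop 200.200.200.2 out of
#    GigabitEthernet0/0/2 with preference 200, and no 100.100.100.2 entry.
display ip routing-table 20.20.20.0 24
#
# 3. Was phase 1 renegotiated with the backup address? Expect a peer entry
#    for 201.201.201.1 (an old entry for 101.101.101.1 may linger).
display ike sa
#
# 4. Are the new IPSec SAs on the backup interface? Expect
#    Interface: GigabitEthernet0/0/2, Tunnel local 200.200.200.1,
#    Tunnel remote 201.201.201.1, and a fresh pair of SPIs.
display ipsec sa brief
display ipsec sa peerip 201.201.201.1
```

If step 2 shows the route moved but step 4 shows no SA on g0/0/2, the ping traffic is leaving the router unencrypted toward ISP02, which is exactly the case the second policy is there to prevent.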
6. Conclusion
Having finished this article, you should be able to configure a failover site-to-site IPSec VPN with dual WAN links and NQA tracking on Huawei AR2200 series routers. It is a good idea to practise in Huawei eNSP to verify your understanding. If you have any questions or suggestions, you can always leave a comment below. I will try my best to review and reply to them.