Adding More Peers to an Existing IPSec VPN Site-to-Site Tunnel With Huawei Router AR2220

1. Overview

In the previous article we implemented an IPSec VPN site-to-site tunnel between the head office and a branch office. As a business grows, more branch offices are created, and each new branch office needs its own IPSec VPN site-to-site tunnel to the head office.

This article shows how to add another peer to the existing IPSec site-to-site configuration in the head office, together with the IPSec site-to-site configuration on the new branch office, on Huawei AR2220 routers.

2. Prerequisites

In this document, it is assumed that:

a. You already have a Huawei router up and running on eNSP. If you don't, please follow this link: Huawei Network Device Simulation With eNSP.
b. You understand the encryption and authentication that happen in phase 1 and phase 2 of an IPSec VPN.
c. You already have an IPSec VPN site-to-site tunnel up and running. If you don't, you may want to read the previous article about Configuring Site-to-Site IPSec VPN Between Huawei Routers AR2220.

3. Network Diagram and IP Configuration

The following is the network diagram after adding one more branch office.


The router located in the new branch office is named “BRRT02”. The following is the IP configuration for each relevant device.

On PC3

  • IP Address: 10.0.3.20/24
  • Gateway: 10.0.3.1

On BRRT02

] int g0/0/0
    undo sh
    ip add 10.0.3.1 255.255.255.0
] int g0/0/1
    undo sh
    ip add 99.99.99.1 255.255.255.252

On Internet router

] int g0/0/2
    undo sh
    ip add 99.99.99.2 255.255.255.252

4. IPSec VPN Site-to-Site Form

The following is the information that will be used in the configuration of the IPSec VPN site-to-site tunnel between the head office and the new branch office.

Firewall Type    Headquarter      New Branch Office
Manufacturer     Huawei           Huawei
Model            Router AR2220    Router AR2220
Version          5.130            5.130

Configuration                               Headquarter                                     New Branch Office
Phase 1
  IKE Encryption Algorithm                  3DES                                            3DES
  IKE Hash Algorithm                        SHA-1                                           SHA-1
  IKE Security Lifetime                     86400                                           86400
  Diffie-Hellman Group                      2                                               2
  Pre-shared key                            vpn@HQ2BR2                                      vpn@HQ2BR2
Phase 2
  IPSec security protocol                   ESP                                             ESP
  IPSec Encryption Algorithm                3DES                                            3DES
  IPSec Hash Algorithm                      MD5                                             MD5
  IPSec Security Lifetime (Optional)        □ 14400 □ 28800 (default) □ 86400 □ Other: ……….  □ 14400 □ 28800 (default) □ 86400 □ Other: ……….
  Perfect Forward Secrecy (PFS) (Optional)  PFS □ No Group □ 2 (default) □ 5 □ 7            PFS □ No Group □ 2 (default) □ 5 □ 7

IP Addressing      Headquarter       New Branch Office
Peer IP address    200.200.200.1     99.99.99.1
Local IP address   10.0.0.0/24       10.0.3.0/24

 

5. Configuration

5.1 Configure Default Route

Configure the default route on BRRT02 as follows.

] ip route-static 0.0.0.0 0.0.0.0 99.99.99.2

Now BRRT02 should be able to ping the public IP address of HQRT01, located in the head office.

]ping 200.200.200.1
  PING 200.200.200.1: 56  data bytes, press CTRL_C to break
    Reply from 200.200.200.1: bytes=56 Sequence=1 ttl=254 time=60 ms
    Reply from 200.200.200.1: bytes=56 Sequence=2 ttl=254 time=50 ms
    Reply from 200.200.200.1: bytes=56 Sequence=3 ttl=254 time=30 ms
    Reply from 200.200.200.1: bytes=56 Sequence=4 ttl=254 time=20 ms
    Reply from 200.200.200.1: bytes=56 Sequence=5 ttl=254 time=30 ms

  --- 200.200.200.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/38/60 ms

5.2 Set Up IKE Policy

Configure IKE to negotiate a Security Association (SA) with the peer. This establishes the encrypted communication channel between the two VPN endpoints.

We will reuse the existing IKE policy on HQRT01, the headquarters router. This IKE policy was configured when we set up the IPSec VPN site-to-site tunnel to our first branch office.

] dis ike proposal number 1
-------------------------------------------
 IKE Proposal: 1
   Authentication method      : pre-shared
   Authentication algorithm   : SHA1
   Encryption algorithm       : 3DES-CBC
   DH group                   : MODP-1024
   SA duration                : 86400
   PRF                        : PRF-HMAC-SHA
-------------------------------------------

On BRRT02, the new branch office router, apply the following commands to create the ISAKMP policy.

] ike proposal 1
    authentication-algorithm sha1
    encryption-algorithm 3des-cbc
    dh group2
    sa duration 86400

5.3 Create IPSec Proposal

Next we need to create an IPSec proposal that establishes the encryption and authentication for the IPSec tunnel. HQRT01 already has an IPSec proposal named “PS01-3DES-SHA” from the previous configuration, but for the new branch office we want to use a different IPSec proposal from the one used with the first branch office.

] dis ipsec proposal name PS01-3DES-SHA

IPSec proposal name: PS01-3DES-SHA                            
 Encapsulation mode: Tunnel                            
 Transform         : esp-new
 ESP protocol      : Authentication SHA1-HMAC-96                             
                     Encryption     3DES

So, let's create a new IPSec proposal, named “PS02-3DES-DM5” in the configuration below (3DES encryption with MD5 authentication), for this new branch as follows.

] ipsec proposal PS02-3DES-DM5
    encapsulation-mode tunnel
    transform esp
    esp authentication-algorithm md5
    esp encryption-algorithm 3des

On BRRT02, apply the following configuration to create an IPSec proposal (transform set) named “PS01-3DES-DM5”.

] ipsec proposal PS01-3DES-DM5
    encapsulation-mode tunnel
    transform esp
    esp authentication-algorithm md5
    esp encryption-algorithm 3des

5.4 Create ACL For VPN Tunnel

Create the following ACLs to match the traffic between the head office and the new branch office. Note that the rule on each side is the mirror image of the rule on the other side.

On HQRT01

] acl 3001
    rule 10 permit ip source 10.0.0.0 0.0.0.255 destination 10.0.3.0 0.0.0.255

On BRRT02

] acl 3000
    rule 10 permit ip source 10.0.3.0 0.0.0.255 destination 10.0.0.0 0.0.0.255

5.5 Create IKE Peer

Now create an IKE peer for the IPSec VPN site-to-site connection. Pre-shared key authentication is configured here.

Apply the following tunnel group configuration on HQRT01.

] ike peer 99.99.99.1 V1
    pre-shared-key cipher vpn@HQ2BR2
    remote-address 99.99.99.1
    ike-proposal 1

Apply the following tunnel group configuration on BRRT02.

] ike peer 200.200.200.1 V1
    pre-shared-key cipher vpn@HQ2BR2
    remote-address 200.200.200.1
    ike-proposal 1

5.6 Apply Proposal and IKE Peer

The final step is to create an IPSec policy entry that combines the IPSec proposal, IKE peer, and access list configured previously for this new VPN peer, and to apply it to the interface that is connected to the internet.

HQRT01 already has an IPSec policy in place, applied to interface G0/0/1, which is connected to the internet. We add the new peer as another entry in that policy by using a new sequence number; on Huawei, the policy then needs to be removed and re-applied on the interface for the change to take effect, as follows.

] ipsec policy POLICY1 11 isakmp
    proposal PS02-3DES-DM5
    security acl 3001
    ike-peer 99.99.99.1
] int g0/0/1
    undo ipsec policy
    ipsec policy POLICY1

The following are the commands to be executed on BRRT02.

] ipsec policy POLICY1 10 isakmp
    proposal PS01-3DES-DM5
    security acl 3000
    ike-peer 200.200.200.1
] int g0/0/1
    ipsec policy POLICY1
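
The steps in sections 5.3 to 5.6 can be generated and sanity-checked from the form in section 4. The following is an added example (not part of the original article or Huawei's tooling): it builds the command list for one router from a dictionary of form values, refuses to emit anything if the pre-shared key or phase 2 parameters differ between the two sides or if the chosen policy sequence number is already in use, and mirrors the ACL rule automatically. It assumes IKE proposal 1 already exists on the router (as in section 5.2); the dictionary key names and both functions are this example's own.

```python
"""Added example, not from the original article: generate the Huawei AR2220
commands that add one more site-to-site peer, after checking that both sides of
the form agree and that the new policy sequence number is unused."""
import ipaddress

# Values from the form in section 4; IKE proposal 1 is assumed to exist already.
HQ = {"peer": "99.99.99.1", "local_net": "10.0.0.0/24", "psk": "vpn@HQ2BR2",
      "ike_proposal": 1, "ipsec_proposal": "PS02-3DES-DM5", "acl": 3001,
      "policy": "POLICY1", "seq": 11, "phase2": ("esp", "3des", "md5")}
BRANCH = {"peer": "200.200.200.1", "local_net": "10.0.3.0/24", "psk": "vpn@HQ2BR2",
          "ike_proposal": 1, "ipsec_proposal": "PS01-3DES-DM5", "acl": 3000,
          "policy": "POLICY1", "seq": 10, "phase2": ("esp", "3des", "md5")}

def wildcard(net: str) -> str:
    """'10.0.3.0/24' -> '10.0.3.0 0.0.0.255' (ACL wildcard-mask notation)."""
    n = ipaddress.ip_network(net)
    return f"{n.network_address} {n.hostmask}"

def form_problems(side: dict, remote: dict, existing_seqs: set) -> list:
    """Mismatches that would stop the tunnel from coming up; empty means OK."""
    problems = []
    if side["seq"] in existing_seqs:
        problems.append(f"sequence {side['seq']} already used in {side['policy']}")
    if side["psk"] != remote["psk"]:
        problems.append("pre-shared keys differ")
    if side["phase2"] != remote["phase2"]:
        problems.append("phase 2 transform or algorithms differ")
    return problems

def peer_commands(side: dict, remote: dict, existing_seqs: set) -> list:
    """Commands for one router; existing_seqs = policy entries already in use."""
    problems = form_problems(side, remote, existing_seqs)
    if problems:
        raise ValueError("; ".join(problems))
    transform, enc, auth = side["phase2"]
    cmds = [f"ipsec proposal {side['ipsec_proposal']}", " encapsulation-mode tunnel",
            f" transform {transform}", f" esp authentication-algorithm {auth}",
            f" esp encryption-algorithm {enc}", f"acl {side['acl']}",
            f" rule 10 permit ip source {wildcard(side['local_net'])}"
            f" destination {wildcard(remote['local_net'])}",   # mirror of the peer's rule
            f"ike peer {side['peer']} V1", f" pre-shared-key cipher {side['psk']}",
            f" remote-address {side['peer']}", f" ike-proposal {side['ike_proposal']}",
            f"ipsec policy {side['policy']} {side['seq']} isakmp",
            f" proposal {side['ipsec_proposal']}", f" security acl {side['acl']}",
            f" ike-peer {side['peer']}", "interface GigabitEthernet0/0/1"]
    if existing_seqs:   # policy already bound to the interface: remove and re-apply (5.6)
        cmds.append(" undo ipsec policy")
    cmds.append(f" ipsec policy {side['policy']}")
    return cmds
```

Calling `peer_commands(HQ, BRANCH, {10})` yields the HQRT01 commands of sections 5.3 to 5.6 (with the `undo ipsec policy` re-apply step), and `peer_commands(BRANCH, HQ, set())` yields the BRRT02 side.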

5.7 Test and Verify the Configuration

To bring up the IPSec VPN site-to-site tunnel, we need to generate interesting traffic by pinging the IP address of a host in the remote site. Let's test by pinging from PC1 in the head office to PC3 in the new branch office.

PC>ping 10.0.3.20

Ping 10.0.3.20: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 10.0.3.20: bytes=32 seq=2 ttl=127 time=31 ms
From 10.0.3.20: bytes=32 seq=3 ttl=127 time=47 ms
From 10.0.3.20: bytes=32 seq=4 ttl=127 time=31 ms
From 10.0.3.20: bytes=32 seq=5 ttl=127 time=31 ms

--- 10.0.3.20 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/35/47 ms

The first request timed out while the tunnel was being negotiated; since the remaining pings to the host in the local network of the new branch office succeeded, the IPSec VPN tunnel should be up and running now. We can verify it with the following command on HQRT01.

] dis ipsec sa peerip 99.99.99.1

===============================
Interface: GigabitEthernet0/0/1
 Path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "POLICY1"
  Sequence number  : 11
  Acl Group        : 3001
  Acl rule         : 10
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 17
    Encapsulation mode: Tunnel
    Tunnel local      : 200.200.200.1
    Tunnel remote     : 99.99.99.1
    Flow source       : 10.0.0.0/255.255.255.0 0/0
    Flow destination  : 10.0.3.0/255.255.255.0 0/0
    Qos pre-classify  : Disable

    [Outbound ESP SAs] 
      SPI: 2696499338 (0xa0b9508a)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
      SA remaining key duration (bytes/sec): 1887360000/3420
      Max sent sequence-number: 5
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs] 
      SPI: 3833351078 (0xe47c4ba6)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
      SA remaining key duration (bytes/sec): 1887436560/3420
      Max received sequence-number: 4
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N

As we can see in the above output, the tunnel to peer IP 99.99.99.1, which is the new branch office, is up and running. We can verify on BRRT02 as follows.

]dis ipsec sa peerip 200.200.200.1

===============================
Interface: GigabitEthernet0/0/1
 Path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "POLICY1"
  Sequence number  : 10
  Acl Group        : 3000
  Acl rule         : 10
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 3
    Encapsulation mode: Tunnel
    Tunnel local      : 99.99.99.1
    Tunnel remote     : 200.200.200.1
    Flow source       : 10.0.3.0/255.255.255.0 0/0
    Flow destination  : 10.0.0.0/255.255.255.0 0/0
    Qos pre-classify  : Disable

    [Outbound ESP SAs] 
      SPI: 3833351078 (0xe47c4ba6)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
      SA remaining key duration (bytes/sec): 1887375360/3332
      Max sent sequence-number: 4
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs] 
      SPI: 2696499338 (0xa0b9508a)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-MD5
      SA remaining key duration (bytes/sec): 1887436500/3332
      Max received sequence-number: 5
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N
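
When the two `dis ipsec sa` outputs above are compared, the tunnel endpoints and flows should be mirror images and the outbound SPI on one router should equal the inbound SPI on the other. The following is an added example (not from the original article) that parses both outputs and reports any mismatch; the two captures are constructed from the article's output, and `parse_sa` and `cross_check` are this example's own helpers.

```python
"""Added example, not from the original article: parse 'dis ipsec sa' output
from both routers and check that the two ends describe the same tunnel."""

# Constructed from the HQRT01 and BRRT02 outputs shown in section 5.7.
HQ_SA = """\
    Tunnel local      : 200.200.200.1
    Tunnel remote     : 99.99.99.1
    Flow source       : 10.0.0.0/255.255.255.0 0/0
    Flow destination  : 10.0.3.0/255.255.255.0 0/0
    [Outbound ESP SAs]
      SPI: 2696499338 (0xa0b9508a)
    [Inbound ESP SAs]
      SPI: 3833351078 (0xe47c4ba6)
"""
BR_SA = """\
    Tunnel local      : 99.99.99.1
    Tunnel remote     : 200.200.200.1
    Flow source       : 10.0.3.0/255.255.255.0 0/0
    Flow destination  : 10.0.0.0/255.255.255.0 0/0
    [Outbound ESP SAs]
      SPI: 3833351078 (0xe47c4ba6)
    [Inbound ESP SAs]
      SPI: 2696499338 (0xa0b9508a)
"""

def parse_sa(text: str) -> dict:
    """Collect tunnel endpoints, protected flows and per-direction SPIs."""
    sa, direction = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):            # "[Outbound ESP SAs]" / "[Inbound ESP SAs]"
            direction = line.split()[0].strip("[").lower()
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key in ("tunnel local", "tunnel remote", "flow source", "flow destination"):
            sa[key] = value.split()[0]        # drop the trailing port/protocol "0/0"
        elif key == "spi" and direction:
            sa[f"{direction} spi"] = value.split()[0]   # decimal SPI, without the hex copy
    return sa

def cross_check(a: dict, b: dict) -> list:
    """Return the mismatches between two ends; an empty list means they agree."""
    problems = []
    if (a["tunnel local"], a["tunnel remote"]) != (b["tunnel remote"], b["tunnel local"]):
        problems.append("tunnel endpoints are not mirrored")
    if (a["flow source"], a["flow destination"]) != (b["flow destination"], b["flow source"]):
        problems.append("protected flows (ACL rules) are not mirrored")
    if (a["outbound spi"], a["inbound spi"]) != (b["inbound spi"], b["outbound spi"]):
        problems.append("outbound and inbound SPIs do not pair up")
    return problems
```

`cross_check(parse_sa(HQ_SA), parse_sa(BR_SA))` returns an empty list for the outputs above; a non-empty list points at the side whose ACL, peer address or SA state does not match.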

6. Conclusion

Now you should know how to add more peers to an existing IPSec VPN site-to-site tunnel on Huawei AR2220 routers. To build your confidence, it is recommended that you practice this on Huawei eNSP. If you have any questions or suggestions, you can always leave your comments below. I will do my best to review and reply to them.
