1. Overview
Cisco network devices are considerably more expensive than their Huawei counterparts. Because of budget limitations, some companies prefer to use a Huawei device, such as a router, as the VPN gateway instead of a Cisco device.
This article demonstrates how to configure a site-to-site IPSec VPN between two Huawei AR2220 routers on Huawei eNSP.
2. Prerequisites
In this tutorial, it is assumed that:
a. You already have Huawei eNSP up and running. If you don't, please follow this link: Huawei Network Device Simulation With eNSP
b. You understand the encryption and authentication that take place in phase 1 and phase 2 of an IPSec VPN.
3. Lab Scenario Set up
Below is the network diagram of the lab that will be used to demonstrate configuring the IPSec site-to-site VPN between the two routers.
At headquarters there is a Huawei AR2220 router with host name HQRT01, and a second Huawei AR2220 router with host name BRRT01 is located in the branch office. A third router acts as the Internet. The following is the IP configuration of each device.
On PC1
- IP Address: 10.0.0.20/24
- Gateway: 10.0.0.1
On HQRT01
int g0/0/0
 undo sh
 ip add 10.0.0.1 255.255.255.0
int g0/0/1
 undo sh
 ip add 200.200.200.1 255.255.255.252
On Internet router
int g0/0/0
 undo sh
 ip add 200.200.200.2 255.255.255.252
int g0/0/1
 undo sh
 ip add 100.100.100.2 255.255.255.252
On BRRT01
int g0/0/0
 undo sh
 ip add 10.0.2.1 255.255.255.0
int g0/0/1
 undo sh
 ip add 100.100.100.1 255.255.255.252
On PC2
- IP Address: 10.0.2.20/24
- Gateway: 10.0.2.1
4. IPSec VPN Site-to-Site Form
The following is the information that will be used in the IPSec VPN site-to-site configuration.
Firewall Type | Headquarter | Branch Office
Manufacturer | Huawei | Huawei
Model | Router AR2220 | Router AR2220
Version | 5.130 | 5.130

Configuration | Headquarter | Branch Office
Phase 1 | |
IKE Encryption Algorithm | 3DES | 3DES
IKE Hash Algorithm | SHA-1 | SHA-1
IKE Security Lifetime | 86400 | 86400
Diffie-Hellman Group | 2 | 2
Pre-shared key | vpn@HQ2BR | vpn@HQ2BR
Phase 2 | |
IPSec security protocol | ESP | ESP
IPSec Encryption Algorithm | 3DES | 3DES
IPSec Hash Algorithm | SHA-1 | SHA-1
IPSec Security Lifetime (Optional) | □ 14400 □ 28800 (default) □ 86400 □ Other: ………. | □ 14400 □ 28800 (default) □ 86400 □ Other: ……….
Perfect Forward Secrecy (PFS) (Optional) | PFS: □ No □ Yes; Group: □ 2 (default) □ 5 □ 7 | PFS: □ No □ Yes; Group: □ 2 (default) □ 5 □ 7

IP Addressing | Headquarter | Branch Office
Peer IP address | 200.200.200.1 | 100.100.100.1
Local IP address | 10.0.0.0/24 | 10.0.2.0/24
5. Configuration
5.1 Configure Default Route
Apply the following default route configuration.
On HQRT01
ip route-static 0.0.0.0 0.0.0.0 200.200.200.2
On BRRT01
ip route-static 0.0.0.0 0.0.0.0 100.100.100.2
After applying the default route configuration, HQRT01 and BRRT01 should be able to ping each other's public IP address.
On HQRT01
ping 100.100.100.1
  PING 100.100.100.1: 56 data bytes, press CTRL_C to break
    Reply from 100.100.100.1: bytes=56 Sequence=1 ttl=254 time=230 ms
    Reply from 100.100.100.1: bytes=56 Sequence=2 ttl=254 time=180 ms
    Reply from 100.100.100.1: bytes=56 Sequence=3 ttl=254 time=50 ms
    Reply from 100.100.100.1: bytes=56 Sequence=4 ttl=254 time=30 ms
    Reply from 100.100.100.1: bytes=56 Sequence=5 ttl=254 time=30 ms

  --- 100.100.100.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/104/230 ms
On BRRT01
ping 200.200.200.1
  PING 200.200.200.1: 56 data bytes, press CTRL_C to break
    Reply from 200.200.200.1: bytes=56 Sequence=1 ttl=254 time=130 ms
    Reply from 200.200.200.1: bytes=56 Sequence=2 ttl=254 time=50 ms
    Reply from 200.200.200.1: bytes=56 Sequence=3 ttl=254 time=30 ms
    Reply from 200.200.200.1: bytes=56 Sequence=4 ttl=254 time=30 ms
    Reply from 200.200.200.1: bytes=56 Sequence=5 ttl=254 time=30 ms

  --- 200.200.200.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/54/130 ms
5.2 Set Up IKE Policy
Configure IKE to negotiate a Security Association (SA) with the peer; this establishes the encrypted control channel between the two VPN endpoints. Apply the following commands on both HQRT01 and BRRT01.
ike proposal 1
 authentication-algorithm sha1
 encryption-algorithm 3des-cbc
 dh group2
 sa duration 86400
5.3 Create IPSec Proposal
Next, create an IPSec proposal that sets the encryption and authentication algorithms for the IPSec tunnel. The following commands, executed on HQRT01, create an IPSec proposal named “PS01-3DES-SHA”.
ipsec proposal PS01-3DES-SHA
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
Apply the following configuration on BRRT01 to create an IPSec proposal named “PS01-3DES-SHA”.
ipsec proposal PS01-3DES-SHA
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
5.4 Create ACL For VPN Tunnel
To match the traffic that belongs in the IPSec VPN tunnel, an ACL must be created. Note that the source and destination on each side mirror the other's.
Create the following ACL on HQRT01.
acl 3000
 rule 10 permit ip source 10.0.0.0 0.0.0.255 destination 10.0.2.0 0.0.0.255
Create the following ACL on BRRT01.
acl 3000
 rule 10 permit ip source 10.0.2.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
5.5 Create IKE Peer
Create an IKE peer for the IPSec VPN site-to-site connection. Pre-shared key authentication is configured here.
On HQRT01
ike peer 100.100.100.1 v1
 pre-shared-key cipher vpn@HQ2BR
 remote-address 100.100.100.1
 ike-proposal 1
On BRRT01
ike peer 200.200.200.1 v1
 pre-shared-key cipher vpn@HQ2BR
 remote-address 200.200.200.1
 ike-proposal 1
5.6 Apply Proposal and IKE Peer
The final step is to create an IPSec policy that ties together the IPSec proposal, the ACL and the IKE peer configured in the previous steps for this VPN peer, and then apply that policy to the interface connected to the Internet.
On HQRT01
ipsec policy POLICY1 10 isakmp
 proposal PS01-3DES-SHA
 security acl 3000
 ike-peer 100.100.100.1
int g0/0/1
 ipsec policy POLICY1
On BRRT01
ipsec policy POLICY1 10 isakmp
 proposal PS01-3DES-SHA
 security acl 3000
 ike-peer 200.200.200.1
int g0/0/1
 ipsec policy POLICY1
5.7 Test and Verify the Configuration
To bring up the IPSec VPN site-to-site tunnel, we need to send traffic that matches the ACL, so we ping the IP address of a host in the remote site. Let's test by pinging from PC1 in headquarters to PC2 in the branch office.
PC>ping 10.0.2.20
Ping 10.0.2.20: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 10.0.2.20: bytes=32 seq=2 ttl=127 time=62 ms
From 10.0.2.20: bytes=32 seq=3 ttl=127 time=31 ms
From 10.0.2.20: bytes=32 seq=4 ttl=127 time=47 ms
From 10.0.2.20: bytes=32 seq=5 ttl=127 time=47 ms

--- 10.0.2.20 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/46/62 ms
The first request times out while IKE negotiates the tunnel; the remaining replies from the host on the remote site show that the IPSec VPN tunnel is now up and running. We can verify it with the following command on HQRT01.
dis ipsec sa peerip 100.100.100.1
===============================
Interface: GigabitEthernet0/0/1
Path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "POLICY1"
  Sequence number  : 10
  Acl Group        : 3000
  Acl rule         : 10
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 4
    Encapsulation mode: Tunnel
    Tunnel local      : 200.200.200.1
    Tunnel remote     : 100.100.100.1
    Flow source       : 10.0.0.0/255.255.255.0 0/0
    Flow destination  : 10.0.2.0/255.255.255.0 0/0
    Qos pre-classify  : Disable

    [Outbound ESP SAs]
      SPI: 2851413544 (0xa9f51e28)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): 1887436800/1848
      Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs]
      SPI: 2073531348 (0x7b9793d4)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): 1887436800/1848
      Max received sequence-number: 0
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N
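When many tunnels are in play it helps to check the display output mechanically rather than by eye. The Python below is an added example written for this article, not code from the original page or from Huawei: it parses the relevant lines of the dis ipsec sa output above (the field labels are assumed to be as shown there), compares them with the HQRT01 values from the section 4 form, confirms both an inbound and an outbound ESP SA exist, and flags legacy algorithms.

```python
import re
# Trimmed 'display ipsec sa' output from HQRT01 in section 5.7 (only the lines this check reads).
SAMPLE = """\
Tunnel local : 200.200.200.1
Tunnel remote : 100.100.100.1
Flow source : 10.0.0.0/255.255.255.0 0/0
Flow destination : 10.0.2.0/255.255.255.0 0/0
[Outbound ESP SAs]
SPI: 2851413544 (0xa9f51e28)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
[Inbound ESP SAs]
SPI: 2073531348 (0x7b9793d4)
Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
"""
# The HQRT01 side of the tunnel as the section 4 form specifies it.
EXPECTED = {"local": "200.200.200.1", "remote": "100.100.100.1", "src": "10.0.0.0/255.255.255.0",
            "dst": "10.0.2.0/255.255.255.0", "proposal": "ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1"}
LEGACY = ("DES", "MD5", "SHA1")  # substrings marking legacy algorithms ("DES" also matches 3DES)

def parse_sa(text):
    """Pull tunnel endpoints, protected flows and per-direction ESP SAs out of the display output."""
    info = {"sas": []}
    direction = None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Tunnel (local|remote)\s*:\s*(\S+)", line):
            info[m.group(1)] = m.group(2)
        elif m := re.match(r"Flow (source|destination)\s*:\s*(\S+)", line):
            info["src" if m.group(1) == "source" else "dst"] = m.group(2)
        elif m := re.match(r"\[(Inbound|Outbound) ESP SAs\]", line):
            direction = m.group(1).lower()
        elif m := re.match(r"SPI:\s*(\d+)", line):
            info["sas"].append({"dir": direction, "spi": int(m.group(1)), "proposal": ""})
        elif m := re.match(r"Proposal:\s*(.+)", line):
            info["sas"][-1]["proposal"] = m.group(1).strip()
    return info

def check_tunnel(text, expected):
    """Return findings; an empty list means the SA matches the form and uses no legacy algorithm."""
    info = parse_sa(text)
    findings = [f"{k}: got {info.get(k)}, expected {expected[k]}"
                for k in ("local", "remote", "src", "dst") if info.get(k) != expected[k]]
    if {sa["dir"] for sa in info["sas"]} != {"inbound", "outbound"}:
        findings.append("tunnel not fully up: need both an inbound and an outbound ESP SA")
    for sa in info["sas"]:
        if sa["proposal"] != expected["proposal"]:
            findings.append(f"{sa['dir']} SPI {sa['spi']}: unexpected proposal {sa['proposal']!r}")
        if any(w in sa["proposal"] for w in LEGACY):
            findings.append(f"{sa['dir']} SPI {sa['spi']}: legacy algorithm in {sa['proposal']}")
    return findings
```

On the output above the endpoints, flows and proposal all match and both SAs are present, so the only findings are the two legacy-algorithm notes for 3DES/SHA-1; on production routers where both ends support them, AES and SHA-2 are the usual replacements.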
5.8 IPSec Security Lifetime and PFS (Optional)
Setting the IPSec security lifetime and PFS is not required; without them the VPN tunnel is still up and running. If they are needed, the following commands configure them.
On HQRT01
ipsec policy POLICY1 10 isakmp
 pfs dh-group2
 sa duration time-based 3600
On BRRT01
ipsec policy POLICY1 10 isakmp
 pfs dh-group2
 sa duration time-based 3600
6. Conclusion
Having finished this article, you should be able to configure an IPSec VPN site-to-site between two Huawei AR2220 routers. It is a great idea to practice with Huawei eNSP to verify your understanding. If you have any questions or suggestions, you can always leave your comments below. I will try my best to review and reply to them.