Implementing Internet Protocol Security (IPsec) ISAKMP mode on Huawei routers.
- August 4, 2024
- Posted by: James Majani
- Categories: Huawei, Networking
Basic Concepts.
IPsec is a suite of protocols and services that provide security for IP networks, and it is a widely used Virtual Private Network (VPN) technology. IP itself offers no confidentiality, integrity or origin authentication, so packets crossing a public network such as the Internet can be read, forged or tampered with in transit. To solve this, the communicating parties establish an IPsec tunnel between them and send their IP packets through it encrypted and authenticated, which makes transmission over an untrusted network such as the Internet safe.
IPsec builds on a number of standards and algorithms:
IP Security Protocol
o Authentication Header (AH)
o Encapsulating Security Payload (ESP)
Data Encryption Standard (DES)
Triple DES (3DES)
Diffie-Hellman (D-H)
Message Digest 5 (MD5)
Secure Hash Algorithm-1 (SHA-1)
Rivest, Shamir, and Adleman (RSA) Signatures
Internet Key Exchange (IKE)
Certificate Authorities (CAs)
Of these, DES, 3DES, MD5 and SHA-1 are legacy algorithms kept for interoperability; new deployments should use AES and SHA-2, as the ESP proposals in this guide do.
Internet Key Exchange (IKE, in versions IKEv1 and IKEv2) is the protocol that negotiates the security associations (SAs) used by IPsec. In IKEv1 terms there are two phases:
IKE Phase 1
The peers authenticate each other with a pre-shared key or a certificate and run a Diffie-Hellman exchange (key agreement, not asymmetric encryption) to arrive at a shared symmetric key. The result is the IKE SA (the phase 1 tunnel).
IKE Phase 2
Protected by the IKE SA from phase 1, the peers negotiate the encryption and authentication algorithms and the keys for bulk data transfer. The result is a pair of IPsec SAs (the phase 2 tunnel), one per direction.
The purpose of phase 1 is to establish a secure, authenticated channel: the Diffie-Hellman exchange produces a shared secret from which the keys protecting all further IKE traffic are derived. Phase 1 is comparatively slow and heavy, phase 2 is fast. Once phase 1 is up, phase 2 SAs can be established on demand, used, and torn down when there is no more interesting traffic, while the phase 1 SA persists; building a new phase 2 SA on demand is cheap. IKEv2, which the configuration below uses (ike peer ... v2), keeps the same division of labour under different names: the IKE_SA_INIT and IKE_AUTH exchanges take the place of phase 1 and CREATE_CHILD_SA takes the place of phase 2, while the Huawei CLI keeps the ISAKMP/IKE wording for both versions.
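The two ideas in the phase 1 description above, key agreement by Diffie-Hellman and peer authentication by pre-shared key, can be seen in a few lines of code. The following Python is an added illustration written for this article; it is not Huawei's implementation and not byte-accurate IKEv2. It runs a DH exchange over the 2048-bit MODP group (dh group14, prime transcribed from RFC 3526; verify it against the RFC before reuse), derives a session key from g^xy and the nonces, and then computes an IKEv2-style PSK AUTH value. The peer names, the fixed HMAC-SHA256 PRF and the simplified signed octets are this example's assumptions; real IKEv2 signs the whole first message and the identity payload and sends AUTH encrypted.

```python
"""Diffie-Hellman (IKE dh group14) plus pre-shared-key authentication.

Illustration written for this article, not Huawei code.  It reduces IKEv2
(RFC 7296) to the two ideas that matter here:
1. the DH exchange gives both peers the same secret without sending it;
2. the PSK-based AUTH value is what proves the peer is who it claims,
   because DH alone cannot tell a legitimate peer from an active attacker.
"""
import hashlib
import hmac
import secrets

# 2048-bit MODP group: IKE "dh group14", prime from RFC 3526, generator 2.
GROUP14_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP14_G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 negotiates the PRF; this example fixes it to HMAC-SHA256 (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Peer:
    """One IKE endpoint (the Branch or HQ gateway)."""

    def __init__(self, name: str, psk: bytes, initiator: bool):
        self.name = name
        self.psk = psk
        self.initiator = initiator
        self.priv = secrets.randbelow(GROUP14_P - 2) + 1   # private exponent x
        self.pub = pow(GROUP14_G, self.priv, GROUP14_P)    # KE payload: g^x mod p
        self.nonce = secrets.token_bytes(32)               # Ni or Nr
        self.session_key = b""

    def ike_sa_init(self, peer_pub: int, peer_nonce: bytes) -> None:
        """After IKE_SA_INIT: derive the session key from g^xy and both nonces."""
        if not 1 < peer_pub < GROUP14_P - 1:               # reject degenerate KE values
            raise ValueError("invalid DH public value")
        g_xy = pow(peer_pub, self.priv, GROUP14_P).to_bytes(256, "big")
        ni, nr = (self.nonce, peer_nonce) if self.initiator else (peer_nonce, self.nonce)
        self.session_key = prf(ni + nr, g_xy)              # SKEYSEED = prf(Ni | Nr, g^xy)

    @staticmethod
    def _signed_octets(pub: int, nonce: bytes, initiator: bool) -> bytes:
        # Simplified: real IKEv2 covers the whole first message and the ID payload.
        return (b"i" if initiator else b"r") + pub.to_bytes(256, "big") + nonce

    def ike_auth(self) -> bytes:
        """AUTH = prf(prf(PSK, "Key Pad for IKEv2"), signed octets), RFC 7296 2.15."""
        key = prf(self.psk, b"Key Pad for IKEv2")
        return prf(key, self._signed_octets(self.pub, self.nonce, self.initiator))

    def verify_auth(self, peer_pub: int, peer_nonce: bytes, auth: bytes) -> bool:
        key = prf(self.psk, b"Key Pad for IKEv2")
        expected = prf(key, self._signed_octets(peer_pub, peer_nonce, not self.initiator))
        return hmac.compare_digest(expected, auth)


def run_exchange(branch_psk: bytes, hq_psk: bytes) -> dict:
    """Run IKE_SA_INIT and IKE_AUTH between the two gateways and report what matched."""
    branch = Peer("AR222_BRANCH_GW", branch_psk, initiator=True)
    hq = Peer("AR222_HQ_GW", hq_psk, initiator=False)
    # IKE_SA_INIT: KE and nonce payloads cross the wire in the clear.
    branch.ike_sa_init(hq.pub, hq.nonce)
    hq.ike_sa_init(branch.pub, branch.nonce)
    # IKE_AUTH: each side proves knowledge of the PSK over the exchange it saw.
    return {
        "same_session_key": branch.session_key == hq.session_key,
        "hq_accepts_branch": hq.verify_auth(branch.pub, branch.nonce, branch.ike_auth()),
        "branch_accepts_hq": branch.verify_auth(hq.pub, hq.nonce, hq.ike_auth()),
    }


if __name__ == "__main__":
    print(run_exchange(b"Admin_123", b"Admin_123"))   # all three True
    print(run_exchange(b"Admin_123", b"wrong-psk"))   # key agrees, both AUTH checks fail
```

With matching keys all three results are True. With mismatched keys the session keys still agree, because the DH computation never involves the PSK, but both AUTH checks fail: DH on its own defeats a passive listener, and only the PSK check stops an active attacker from playing the peer. That is why the key in Step 5 has to be long and random rather than a lab value.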
Networking Description.
As shown in our topology, the HQ router and the Branch router are the gateways of the enterprise headquarters and branch. The service provider has allocated a public network IP address to each gateway, and the gateways can reach each other across the provider network. (In this lab the "public" addresses are drawn from the private 10.0.0.0/8 and 172.16.0.0/12 ranges; read them as stand-ins for real public addresses.)
The enterprise requires a simple, cost-effective way to connect the headquarters and branch over the Internet. IPsec tunnels between the headquarters and branch gateways meet this requirement.
BGP is used in the backbone network: between the Branch gateway and the ISP router (PE_1) it advertises the gateways' public addresses across the simulated Internet, and between the HQ router and the Internet-facing router (R5 in the topology, configured below as AR222_PE_2) OSPF is configured to create the routing entries. IPsec is deployed between the Branch and HQ gateways for secure transmission of data between the two sites.
Step 1: Basic configurations.
*******************************************AR222_BRANCH_GW
system-view
sysname AR222_BRANCH_GW
#
interface GigabitEthernet0/0/0
ip address 10.1.0.2 255.255.255.252
#
interface LoopBack0
ip address 192.168.1.1 255.255.255.0
#
interface LoopBack1
ip address 192.168.11.1 255.255.255.0
*******************************************AR222_PE_1
system-view
sysname AR222_PE_1
#
interface GigabitEthernet0/0/0
ip address 10.1.0.1 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 172.16.1.1 255.255.255.252
*******************************************AR222_P_1
system-view
sysname AR222_P_1
#
interface GigabitEthernet0/0/1
ip address 172.16.1.2 255.255.255.252
#
interface GigabitEthernet0/0/0
ip address 172.16.2.2 255.255.255.252
*******************************************AR222_PE_2
system-view
sysname AR222_PE_2
#
interface GigabitEthernet0/0/0
ip address 172.16.2.1 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 10.3.0.1 255.255.255.252
*******************************************AR222_HQ_GW
system-view
sysname AR222_HQ_GW
#
interface GigabitEthernet0/0/1
ip address 10.3.0.2 255.255.255.252
#
interface LoopBack0
ip address 192.168.3.1 255.255.255.0
#
interface LoopBack1
ip address 192.168.33.1 255.255.255.0
Step 2: Configure routing protocols for route exchange.
The 192.168.x.0/24 LAN prefixes are advertised into BGP here only so that each gateway has a route toward the remote LAN through its public interface. A real ISP does not accept private prefixes, so in production each gateway would instead carry a static route for the remote LAN pointing at its public next hop; in either case the ACL in Step 3, not the routing table, decides what gets encrypted.
*******************************************AR222_BRANCH_GW
bgp 100
peer 10.1.0.1 as-number 300
#
ipv4-family unicast
undo synchronization
network 10.1.0.0 255.255.255.252
network 192.168.1.0
network 192.168.11.0
peer 10.1.0.1 enable
*******************************************AR222_PE_1
bgp 300
peer 10.1.0.2 as-number 100
peer 172.16.1.2 as-number 400
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.0.2 enable
peer 172.16.1.2 enable
*******************************************AR222_P_1
bgp 400
peer 172.16.1.1 as-number 300
peer 172.16.2.1 as-number 500
#
ipv4-family unicast
undo synchronization
import-route direct
peer 172.16.1.1 enable
peer 172.16.2.1 enable
*******************************************AR222_PE_2
bgp 500
peer 172.16.2.2 as-number 400
#
ipv4-family unicast
undo synchronization
import-route direct
import-route ospf 1
peer 172.16.2.2 enable
#
ospf 1 router-id 1.1.1.1
import-route bgp
area 0.0.0.0
network 10.3.0.0 0.0.0.3
*******************************************AR222_HQ_GW
ospf 1
area 0.0.0.0
network 10.3.0.0 0.0.0.3
network 192.168.3.0 0.0.0.255
network 192.168.33.0 0.0.0.255
Step 3: Create access lists to match interesting traffic.
The two ACLs must be exact mirror images of each other (source and destination swapped), otherwise the traffic selectors do not match during negotiation and no SA is established. Note what they cover: only 192.168.1.0/24 to 192.168.3.0/24 and back. Traffic between the LoopBack1 networks (192.168.11.0/24 and 192.168.33.0/24) is routed by BGP and OSPF but matches no rule, so it would cross the provider network unencrypted.
*******************************************AR222_BRANCH_GW
acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
*******************************************AR222_HQ_GW
acl number 3001
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
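A quick way to audit the selectors above before bringing the tunnel up, as an added example written for this article (not Huawei code): the script parses the rule lines of both ACLs, checks that they mirror each other and lists routed LAN prefix pairs that no permit rule covers. The ACL text and the LAN prefixes are copied from this guide; the function names are the script's own.

```python
"""Audit the IPsec traffic selectors (ACL 3001 on both gateways).

Added example for this article, not Huawei code.  It reads the Huawei
'rule N permit ip source A WC destination B WC' lines, checks that the two
ACLs are mirror images, and lists routed LAN prefix pairs that no permit
rule covers, i.e. traffic that would leave the gateway in clear text.
"""
import ipaddress
import re

# ACL text copied from Step 3 of the guide.
BRANCH_ACL = """
acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
"""
HQ_ACL = """
acl number 3001
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
"""
# LAN prefixes each gateway advertises (LoopBack0 and LoopBack1 from Step 1).
BRANCH_LANS = ["192.168.1.0/24", "192.168.11.0/24"]
HQ_LANS = ["192.168.3.0/24", "192.168.33.0/24"]

RULE_RE = re.compile(
    r"rule\s+\d+\s+(permit|deny)\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Huawei ACLs use wildcard masks: 0 bits are significant, 1 bits are don't-care."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_acl(text: str) -> list:
    """Return [(action, source_net, dest_net), ...] in rule order."""
    return [
        (action, wildcard_to_network(src, swc), wildcard_to_network(dst, dwc))
        for action, src, swc, dst, dwc in RULE_RE.findall(text)
    ]


def is_mirror(local: list, remote: list) -> bool:
    """Every rule on one side must exist on the other with source/destination swapped."""
    flipped = {(action, dst, src) for action, src, dst in remote}
    return len(local) == len(remote) and all(rule in flipped for rule in local)


def uncovered_pairs(rules: list, local_lans: list, remote_lans: list) -> list:
    """LAN prefix pairs with no permit rule containing them (sent unencrypted).

    A prefix only partly inside a rule is reported as uncovered, which is
    good enough for auditing /24 LANs against /24 rules as in this guide.
    """
    gaps = []
    for lan in map(ipaddress.ip_network, local_lans):
        for remote in map(ipaddress.ip_network, remote_lans):
            covered = any(
                action == "permit" and lan.subnet_of(src) and remote.subnet_of(dst)
                for action, src, dst in rules
            )
            if not covered:
                gaps.append((str(lan), str(remote)))
    return gaps


def audit() -> dict:
    """Run both checks against the ACLs and LANs from the guide."""
    branch, hq = parse_acl(BRANCH_ACL), parse_acl(HQ_ACL)
    return {
        "mirror": is_mirror(branch, hq),
        "branch_cleartext": uncovered_pairs(branch, BRANCH_LANS, HQ_LANS),
        "hq_cleartext": uncovered_pairs(hq, HQ_LANS, BRANCH_LANS),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

For the ACLs above the mirror check passes, and each gateway reports three uncovered pairs, all involving 192.168.11.0/24 or 192.168.33.0/24. Either add rules for those prefixes (on both sides, mirrored) or stop advertising them across the provider network.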
Step 4: Start the IPsec VPN configuration by creating an IPsec proposal on each gateway. The proposal defaults to ESP in tunnel mode; AES-128 for encryption with HMAC-SHA2-256 for integrity is a sound current choice, and both gateways must offer at least one matching proposal.
*******************************************AR222_BRANCH_GW
ipsec proposal PRP1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
*******************************************AR222_HQ_GW
ipsec proposal PRP1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
Step 5: Create an IKE proposal and an IKE peer on each gateway. The v2 keyword selects IKEv2; the remote-address on each side is the other gateway's public address, and the pre-shared key must be identical on both. The cipher keyword only means the key is stored encrypted in the configuration: Admin_123 is a lab value, and a production key should be long and random, since knowledge of the PSK is all that distinguishes the real peer from an attacker. SHA-1 as the IKE authentication algorithm is a legacy choice; prefer sha2-256 where both peers support it, and keep dh group14 (2048-bit MODP) or stronger.
*******************************************AR222_BRANCH_GW
ike proposal 1
authentication-algorithm sha1
encryption-algorithm aes-cbc-128
dh group14
#
ike peer peer1 v2
ike-proposal 1
remote-address 10.3.0.2
pre-shared-key cipher Admin_123
*******************************************AR222_HQ_GW
ike proposal 1
authentication-algorithm sha1
encryption-algorithm aes-cbc-128
dh group14
#
ike peer peer1 v2
ike-proposal 1
remote-address 10.1.0.2
pre-shared-key cipher Admin_123
Step 6: Configure the IPsec policy, which ties together the ACL, the IPsec proposal and the IKE peer, and apply it to the public-facing interface of each gateway.
*******************************************AR222_BRANCH_GW
ipsec policy P1 10 isakmp
security acl 3001
proposal PRP1
ike-peer peer1
#
interface GigabitEthernet0/0/0
ipsec policy P1
*******************************************AR222_HQ_GW
ipsec policy P1 10 isakmp
security acl 3001
proposal PRP1
ike-peer peer1
#
interface GigabitEthernet0/0/1
ipsec policy P1
Step 7: Results verification.
On each gateway, run display ike sa to confirm that the IKE SA with the remote peer is up, and display ipsec sa to confirm that inbound and outbound ESP SAs exist for ACL 3001. ISAKMP-mode SAs can be negotiated on demand, so if none are shown yet, generate matching traffic first, for example ping -a 192.168.1.1 192.168.3.1 from the Branch gateway (sourced from LoopBack0 so that it matches the ACL). In addition, use Wireshark to capture packets on the provider link: the ping must appear only as ESP (IP protocol 50) between 10.1.0.2 and 10.3.0.2, never as ICMP between the 192.168 addresses.
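For the Wireshark check, the thing to confirm is that everything between the two LANs crosses the provider link as ESP and that nothing from the private prefixes appears in the clear. The following Python, added for this article and not part of the original guide, does that check over raw IPv4 packets: it parses the IPv4 and ESP headers, counts packets per SPI, flags a repeated ESP sequence number within one SA (what anti-replay would reject) and reports cleartext packets carrying the protected prefixes. The capture is constructed inline (the SPIs, sequence numbers and the ICMP leak are made up for the demonstration); to run it over a real capture, feed it the IPv4 payloads of the frames exported from Wireshark.

```python
"""Check a capture from the provider link: inter-site traffic only as ESP.

Added example for this article, not Huawei code.  Input is a list of raw
IPv4 packets (the frame payload after the Ethernet header).  The sample
capture is constructed inline; SPIs, sequence numbers and the ICMP leak
are invented for the demonstration.
"""
import ipaddress
import struct
from collections import defaultdict

ESP_PROTO = 50
PUBLIC_GATEWAYS = {"10.1.0.2", "10.3.0.2"}             # tunnel endpoints from the guide
PROTECTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "192.168.1.0/24", "192.168.3.0/24", "192.168.11.0/24", "192.168.33.0/24")]


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: no options, checksum left 0 since this script never verifies it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         64, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def esp_packet(src: str, dst: str, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header is SPI (4 bytes) and sequence number (4 bytes), then the encrypted payload."""
    return ipv4_packet(src, dst, ESP_PROTO, struct.pack("!II", spi, seq) + ciphertext)


def parse_ipv4(pkt: bytes) -> tuple:
    """Return (src, dst, proto, payload); IHL is the header length in 32-bit words."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:])


def audit_capture(packets: list) -> dict:
    """Classify every packet seen on the provider link."""
    esp_seqs = defaultdict(list)          # (src, dst, spi) -> sequence numbers seen
    cleartext = []                        # non-ESP packets exposing a protected prefix
    for pkt in packets:
        src, dst, proto, payload = parse_ipv4(pkt)
        if proto == ESP_PROTO and src in PUBLIC_GATEWAYS and dst in PUBLIC_GATEWAYS:
            spi, seq = struct.unpack("!II", payload[:8])
            esp_seqs[(src, dst, spi)].append(seq)
        elif any(ipaddress.ip_address(a) in p for a in (src, dst) for p in PROTECTED_PREFIXES):
            cleartext.append((src, dst, proto))
    # A sequence number repeated within one SA is exactly what ESP anti-replay rejects.
    replayed = [sa for sa, seqs in esp_seqs.items() if len(seqs) != len(set(seqs))]
    return {
        "esp_packets_per_sa": {sa: len(seqs) for sa, seqs in esp_seqs.items()},
        "cleartext_leaks": cleartext,
        "replayed_sas": replayed,
    }


# Constructed sample capture from the AR222_BRANCH_GW <-> AR222_HQ_GW path.
SAMPLE_CAPTURE = [
    esp_packet("10.1.0.2", "10.3.0.2", 0x1000, 1, b"\x00" * 32),
    esp_packet("10.3.0.2", "10.1.0.2", 0x2000, 1, b"\x00" * 32),
    esp_packet("10.1.0.2", "10.3.0.2", 0x1000, 2, b"\x00" * 32),
    esp_packet("10.3.0.2", "10.1.0.2", 0x2000, 2, b"\x00" * 32),
    esp_packet("10.1.0.2", "10.3.0.2", 0x1000, 2, b"\x00" * 32),       # replayed copy of seq 2
    ipv4_packet("192.168.11.1", "192.168.33.1", 1, b"\x08\x00" + b"\x00" * 6),  # ICMP in clear
    ipv4_packet("10.1.0.2", "10.1.0.1", 6, b"\x00" * 20),              # BGP session, expected in clear
]

if __name__ == "__main__":
    for key, value in audit_capture(SAMPLE_CAPTURE).items():
        print(key, value)
```

On the sample the script sees one SA in each direction, one replayed packet on the Branch-to-HQ SA, and one cleartext ICMP packet between the LoopBack1 addresses, which is the gap left by ACL 3001 in Step 3; the BGP packet between the Branch gateway and PE_1 is correctly ignored, since the routing session is not meant to be inside the tunnel.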