Implementing Internet Protocol Security (IPsec) ISAKMP mode on Huawei routers.

Basic Concepts.

IPSec is a suite of protocols and services that provide security for IP networks. It is a widely used Virtual Private Network (VPN) technology. IP packets lack effective security mechanisms and may be forged, stolen, or tampered with when being transmitted on a public network, such as the Internet. To solve this problem, the communicating parties establish an IPsec tunnel for encrypted transmission of IP packets. This ensures secure transmission of IP packets on an insecure network, such as the Internet.
IPsec relies on several standards:
- IP Security Protocol
  - Authentication Header (AH)
  - Encapsulating Security Payload (ESP)
- Data Encryption Standard (DES)
- Triple DES (3DES)
- Diffie-Hellman (D-H)
- Message Digest 5 (MD5)
- Secure Hash Algorithm-1 (SHA-1)
- Rivest, Shamir, and Adleman (RSA) Signatures
- Internet Key Exchange (IKE)
- Certificate Authorities (CAs)
Internet Key Exchange (IKE, versioned as IKEv1 and IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. It runs in two phases:
IKE Phase 1
The peers authenticate each other using a pre-shared key or a certificate, and an asymmetric (Diffie-Hellman) exchange is used to agree on a shared symmetric key. The result of this phase is the IKE SA (the phase 1 tunnel).
IKE Phase 2
Protected by the keys agreed in phase 1, the peers negotiate the encryption method and the keys used for bulk data transfer. The end state is the IPsec SA (the phase 2 tunnel).

The purpose of IKE phase 1 is to establish a secure, authenticated channel: the Diffie-Hellman key exchange generates a shared secret that encrypts all further IKE communication. Phase 1 is comparatively slow and expensive, while phase 2 is fast. Once phase 1 is established, phase 2 tunnels can be set up on demand, used, and torn down when there is no more interesting traffic, while the phase 1 tunnel persists. Establishing a new phase 2 tunnel on demand is fast.

Networking Description.

As shown in the topology, the HQ router and the Branch router are the gateways of the enterprise headquarters and branch. The service provider has allocated a public IP address to each gateway, and the gateways can reach each other.
The enterprise requires a simple, cost-effective way to connect the headquarters and the branch over the Internet. IPsec tunnels between the headquarters and branch gateways meet this requirement.
In this environment, BGP runs in the backbone network: between the Branch gateway and the ISP router (PE_1), BGP exchanges the public IP prefixes of the gateways across the Internet. Between the HQ gateway and the Internet router (R5), OSPF is configured to create the routing entries. IPsec is deployed between the Branch and HQ gateways for secure transmission of data over the Internet between the two sites.

Step 1: Basic configurations.

*******************************************AR222_BRANCH_GW
system-view
sysname AR222_BRANCH_GW
#
interface GigabitEthernet0/0/0
 ip address 10.1.0.2 255.255.255.252
#
interface LoopBack0
 ip address 192.168.1.1 255.255.255.0
#
interface LoopBack1
 ip address 192.168.11.1 255.255.255.0

*******************************************AR222_PE_1
system-view
sysname AR222_PE_1
#
interface GigabitEthernet0/0/0
 ip address 10.1.0.1 255.255.255.252
#
interface GigabitEthernet0/0/1
 ip address 172.16.1.1 255.255.255.252


*******************************************AR222_P_1
system-view
sysname AR222_P_1
#
interface GigabitEthernet0/0/1
 ip address 172.16.1.2 255.255.255.252
#
interface GigabitEthernet0/0/0
 ip address 172.16.2.2 255.255.255.252

*******************************************AR222_PE_2
system-view
sysname AR222_PE_2
#
interface GigabitEthernet0/0/0
 ip address 172.16.2.1 255.255.255.252
#
interface GigabitEthernet0/0/1
 ip address 10.3.0.1 255.255.255.252

*******************************************AR222_HQ_GW

system-view
sysname AR222_HQ_GW
#
interface GigabitEthernet0/0/1
 ip address 10.3.0.2 255.255.255.252
#
interface LoopBack0
 ip address 192.168.3.1 255.255.255.0
#
interface LoopBack1
 ip address 192.168.33.1 255.255.255.0

Step 2: Configure routing protocols for route exchange.

*******************************************AR222_BRANCH_GW
bgp 100
 peer 10.1.0.1 as-number 300
 #
 ipv4-family unicast
  undo synchronization
  network 10.1.0.0 255.255.255.252
  network 192.168.1.0
  network 192.168.11.0
  peer 10.1.0.1 enable


*******************************************AR222_PE_1
bgp 300
 peer 10.1.0.2 as-number 100
 peer 172.16.1.2 as-number 400
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 10.1.0.2 enable
  peer 172.16.1.2 enable

*******************************************AR222_P_1
bgp 400
 peer 172.16.1.1 as-number 300
 peer 172.16.2.1 as-number 500
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 172.16.1.1 enable
  peer 172.16.2.1 enable

*******************************************AR222_PE_2
bgp 500
 peer 172.16.2.2 as-number 400
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  import-route ospf 1
  peer 172.16.2.2 enable
#
ospf 1 router-id 1.1.1.1
 import-route bgp
 area 0.0.0.0
  network 10.3.0.0 0.0.0.3

*******************************************AR222_HQ_GW
ospf 1
 area 0.0.0.0
  network 10.3.0.0 0.0.0.3
  network 192.168.3.0 0.0.0.255
  network 192.168.33.0 0.0.0.255

Step 3: Create access lists to match interesting traffic.

*******************************************AR222_BRANCH_GW
acl number 3001
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

*******************************************AR222_HQ_GW
acl number 3001
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

Step 4: Start IPSec VPN configuration by first creating IPSec Proposal at the GWs.

*******************************************AR222_BRANCH_GW
ipsec proposal PRP1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128

*******************************************AR222_HQ_GW
ipsec proposal PRP1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128

Step 5: Create IKE Proposal and IKE peer at the GWs.

*******************************************AR222_BRANCH_GW
ike proposal 1
 authentication-algorithm sha1
 encryption-algorithm aes-cbc-128
 dh group14
#
ike peer peer1 v2
 ike-proposal 1
 remote-address 10.3.0.2
 pre-shared-key cipher Admin_123

*******************************************AR222_HQ_GW
ike proposal 1
 authentication-algorithm sha1
 encryption-algorithm aes-cbc-128
 dh group14
#
ike peer peer1 v2
 ike-proposal 1
 remote-address 10.1.0.2
 pre-shared-key cipher Admin_123

Step 6: Configure the IPSec policy and apply the policy to the relevant interfaces.

*******************************************AR222_BRANCH_GW
ipsec policy P1 10 isakmp
 security acl 3001
 proposal PRP1
 ike-peer peer1 
#
interface GigabitEthernet0/0/0
 ipsec policy P1

*******************************************AR222_HQ_GW
ipsec policy P1 10 isakmp
 security acl 3001
 proposal PRP1
 ike-peer peer1
#
interface GigabitEthernet0/0/1
 ipsec policy P1
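As an added check that is not part of the original post: a small Python script that parses the lines of the two gateway configurations above which must agree (IPsec and IKE proposals) or mirror each other (security ACL, ike peer remote-address) and reports the classic reasons a tunnel never negotiates. The configuration text is copied from Steps 1, 3, 4 and 5; the parser and its checks are assumptions of this example, not Huawei tooling.

```python
import re
# Lines from the two gateways on this page that must match or mirror for the tunnel to come up.
BRANCH_GW = """
interface GigabitEthernet0/0/0
 ip address 10.1.0.2 255.255.255.252
acl number 3001
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
ipsec proposal PRP1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 1
 authentication-algorithm sha1
 encryption-algorithm aes-cbc-128
 dh group14
ike peer peer1 v2
 remote-address 10.3.0.2
"""
HQ_GW = """
interface GigabitEthernet0/0/1
 ip address 10.3.0.2 255.255.255.252
acl number 3001
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ipsec proposal PRP1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 1
 authentication-algorithm sha1
 encryption-algorithm aes-cbc-128
 dh group14
ike peer peer1 v2
 remote-address 10.1.0.2
"""
def parse(cfg):
    """Extract the settings that must match (or mirror) the other side (hypothetical helper)."""
    acl = re.search(r"permit ip source (\S+ \S+) destination (\S+ \S+)", cfg)
    return {
        "local": re.search(r"^ ip address (\S+)", cfg, re.M).group(1),
        "remote": re.search(r"^ remote-address (\S+)", cfg, re.M).group(1),
        "src": acl.group(1), "dst": acl.group(2),
        "esp": re.findall(r"^ esp \S+-algorithm (\S+)", cfg, re.M),        # ESP auth, ESP encryption
        "ike": re.findall(r"^ (?:\S+-algorithm|dh) (\S+)", cfg, re.M),     # IKE auth, encryption, DH group
    }

def check_pair(a, b):
    """Return the mismatches between two parsed gateways; an empty list means they are consistent."""
    return [msg for ok, msg in [
        (a["esp"] == b["esp"], "ipsec proposal (ESP algorithms) differs"),
        (a["ike"] == b["ike"], "ike proposal (auth, encryption, DH group) differs"),
        (a["remote"] == b["local"] and b["remote"] == a["local"], "remote-address does not point at the other gateway"),
        (a["src"] == b["dst"] and a["dst"] == b["src"], "security ACLs are not mirror images"),
    ] if not ok]
```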

Step 7: Results verification.

In addition, use Wireshark to capture packets.
