All_about_network

So I am playing with IPsec Tunnels on Huawei’s AR28-31 it is really interesting in may ways.

I have two basic scenarios:

1. tunnel between two peers that are stable (two routers)
2. tunnel utilizing the “client-server” where only router has a stable public IP and clients are some PC’s

Of course I do realize that in IPSec there are no  clients and server but just a peers on the same level, but I cannot make myself to think about pc as a suitable peer. Especially when win XP is not even having a tunnel mode enabled.

For the first case it is kind of easy. The situation is something like this:

I will use IKE and isakmp for exchanging the keys and IPSec in tunneling mode wit some strong encryption.

Ok so what follows is not in any Huawei paper I saw so enjoy:

step 1 – configure IKE

here you have to define who is your peer (the second point of the tunnel and way of authentication) and the parameters of the proposal like diffie-hellman group (2 means 1024b) encryption cypher or how often will be the sa valid (after the time runs out the session will be re-keyed with newly generated sa)

#
ike proposal 1
encryption-algorithm aes-cbc 256
dh group2
sa duration 28800
#
ike peer 1
pre-shared-key password
remote-address 192.168.1.46
local-address 10.10.10.242

Ok now that is all for IKE config, easy isn’t it. Now the next step.

Step 2 configure IPSec

In IPSec is the most important the proposal which says which encapsulation will be used (tunnel vs. transport), which mode  (esp, ah, ah+esp) and the parameters of the mode.

#
ipsec proposal 1
esp authentication-algorithm sha1
esp encryption-algorithm aes 256
#
ipsec policy 1 10 isakmp
security acl 3005
ike-peer 1
proposal 1
#

In the IPSec policy I did bind ipsec proposal with ike 1 and IPSEc proposal 1and I said that I want to use isakmp for key exchange (which is most common).

Step 3 creation of ACL

Here we just use some simple rules to tell the router what belongs into the tunnel and what is not supposed to enter it. (Warning – do not use deny as last rule at the end of the ACL – it will cause the whole thing to stop working)

acl number 3005
rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 192.168.1.201 0
rule 6 permit icmp source 10.10.10.0 0.0.0.255 destination 192.168.1.201 0

With ACL like this you do not need anything except a default route to connect to the opposite end (because it is defined above). This is of course valid only if you use the public IPs of course.

Step 4 application on the interface

interface Ethernet0/0
ip address 10.10.10.242 255.255.255.248
ipsec policy 1

Ok that’s it nothing more is needed. For troubleshooting you can see following commands:

display ipsec sa

display ike sa