06 vpn volume book
Post on 13-Jan-2016
17 Views
Preview:
DESCRIPTION
TRANSCRIPT
-
i
Table of Contents
1 DVPN Configuration 1-1 DVPN Overview 1-1
Basic Concepts of DVPN 1-1 Operation of DVPN1-2 Networking Structures of DVPN 1-2 Implementation of DVPN1-3 Supported DVPN Features1-5
DVPN Configuration Task List 1-6 Configuring AAA1-7 Configuring the VAM Server 1-7
VAM Server Configuration Task List 1-7 Creating a VPN Domain 1-7 Enabling VAM Server 1-7 Configuring the Listening IP Address and UDP Port Number1-8 Configuring the Security Parameters of VAM Protocol Packets 1-8 Specifying the Client Authentication Mode1-9 Configuring the Hubs1-9 Configuring the Pre-Shared Key of the VAM Server1-10 Configuring Keepalive Parameters1-10
Configuring a VAM Client1-11 VAM Client Configuration Task List1-11 Creating a VAM Client 1-11 Setting the VAM Protocol Packet Retransmission Interval 1-11 Specifying the Primary VAM Server 1-12 Specifying the Secondary VAM Server 1-12 Configuring the Username and Password1-12 Specifying the VPN Domain of the VAM Client1-13 Specifying the Pre-Shared Key of the VAM Client 1-13 Enabling VAM Client1-13
Configuring an IPsec Profile 1-14 Configuration Prerequisites 1-14 Configuration Procedure1-14
Configuring the DVPN Tunnel Parameters1-15 Configuration Prerequisites 1-15 Configuration Procedure1-15
Configuring Routing 1-18 Displaying and Maintaining DVPN1-18 DVPN Configuration Examples1-19
Full Mesh DVPN Configuration Example 1-19 Hub-Spoke DVPN Configuration Example1-32
2 GRE Configuration 2-1 GRE Overview 2-1
Introduction to GRE2-1
-
ii
GRE Security Options 2-3 GRE Applications 2-3 Protocols and Standards 2-5
Configuring a GRE over IPv4 Tunnel2-5 Configuration Prerequisites 2-5 Configuration Procedure2-5
Configuring a GRE over IPv6 Tunnel2-7 Configuration Prerequisites 2-7 Configuration Procedure2-7
Displaying and Maintaining GRE 2-9 GRE over IPv4 Tunnel Configuration Examples2-9
GRE over IPv4 Tunnel Configuration Example (on Routers)2-9 GRE over IPv4 Tunnel Configuration Example (on Switches)2-12
GRE over IPv6 Tunnel Configuration Examples2-15 GRE over IPv6 Tunnel Configuration Example (on Routers)2-15 GRE over IPv6 Tunnel Configuration Example (on Switches)2-18
Troubleshooting GRE2-22
3 L2TP Configuration 3-1 L2TP Overview3-1
Introduction3-1 Typical L2TP Networking Application3-2 Basic Concepts of L2TP3-3 L2TP Tunnel Modes and Tunnel Establishment Process 3-4 L2TP Features3-7 Protocols and Standards 3-7
L2TP Configuration Task List3-7 Configuring Basic L2TP Capability 3-8 Configuring an LAC3-9
Configuring an LAC to Initiate Tunneling Requests for Specified Users3-9 Configuring an LAC to Transfer AVP Data in Hidden Mode 3-9 Configuring AAA Authentication of VPN Users on LAC Side3-10
Configuring an LNS3-11 Creating a Virtual Interface Template3-11 Configuring the Local Address and the Address Pool for Allocation3-11 Configuring an LNS to Grant Certain L2TP Tunneling Requests 3-12 Configuring User Authentication on an LNS 3-13 Configuring AAA Authentication of VPN Users on LNS Side3-14 Enabling L2TP Multi-Instance 3-14 Specifying to Send ACCM3-15
Configuring L2TP Connection Parameters 3-15 Configuring L2TP Tunnel Authentication3-15 Setting the Hello Interval 3-16 Enabling Tunnel Flow Control 3-16 Disconnecting Tunnels by Force 3-17
Displaying and Maintaining L2TP 3-17 L2TP Configuration Examples 3-17
NAS-Initiated VPN3-17 Client-Initiated VPN 3-19
-
iii
L2TP Multi-Domain Application 3-21 Complicated Network Application3-24
Troubleshooting L2TP3-24
4 L2TP-Based EAD Configuration4-1 L2TP-Based EAD Overview4-1 Configuring L2TP-Based EAD 4-2
Configuration Prerequisites 4-2 Configuration Procedure4-2
Displaying and Maintaining L2TP-Based EAD 4-2 L2TP-Based EAD Configuration Example 4-2
Network Requirements4-2 Configuration Procedure4-3
5 SSL VPN Configuration4-1 SSL VPN Overview4-1 Configuring SSL VPN4-2
Configuration Prerequisites 4-2 Configuring SSL VPN4-3
SSL VPN Configuration Example 4-3
-
1-1
1 DVPN Configuration
z Support for some features may vary with device models.
z Support for some commands may vary with device models. For relevant information, refer to the corresponding command manual.
z All the MSR series routers are centralized devices.
z The MSR series routers support VPN instances, therefore supporting the vpn-instance keyword.
When configuring DVPN, go to these sections for information you are interested in:
z DVPN Overview
z DVPN Configuration Task List
z Displaying and Maintaining DVPN
z DVPN Configuration Examples
DVPN Overview
Nowadays, more and more enterprises are demanding for virtual private networks (VPNs) to connect their branches across the public network. However, branches of an enterprise usually use dynamically assigned IP addresses to access the public network and each of them has no way to know the public IP addresses of the other branches in advance. This makes it difficult for establishing VPNs. Dynamic virtual private network (DVPN) is intended to address this issue.
DVPN collects, maintains, and distributes dynamic public addresses through the VPN Address Management (VAM) protocol, making VPN establishment available between enterprise branches that use dynamic addresses to access the public network.
In DVPN, a collection of nodes connected to the public network form a VPN. From the perspective of DVPN, the public network is the link layer of the VPN, and the tunnels which are used as the virtual channels between subnets of an intranet constitute the network layer. Branch devices dynamically access the public network. DVPN can get the public IP addresses of the peers through VAM to set up secure internal tunnels conveniently.
When a DVPN device forwards a packet from a user subnet to another, it performs these operations:
1) Obtaining the next hop on the private network through a routing protocol.
2) Inquiring the public network address of the next hop through the VAM protocol.
3) Encapsulating the packet, using the public address as the destination address of the tunnel.
4) Sending the packet down the tunnel to the destination.
Basic Concepts of DVPN
The following key roles are involved in DVPN:
-
1-2
DVPN node A DVPN node is a device at an end of a DVPN tunnel. It can be a networking device or a host. A DVPN node takes part in tunnel setup and must implement VAM client.
VAM server A VAM server receives registration information from DVPN nodes and manages and maintains information about DVPN clients. Currently, a VAM server is usually a high performance routing device with VAM server enabled.
VAM client A VAM client registers its private address, public address, and VAM ID with the VAM server and obtains information about other VAM clients from the VAM server. The VAM client function must be implemented on DVPN nodes. Unless otherwise noted, the term VAN client in this document refers to a Hub or a Spoke.
Hub A Hub is a type of VAM client. As a central device of a VPN, it is the exchange center of routing information. A Hub in a Hub-Spoke network is also a data forwarding center.
Spoke A Spoke is a type of VAM client. Usually acting as the gateway of a branch office, a Spoke does not forward data received from other DVPN nodes.
AAA server An Authentication, Authorization, and Accounting (AAA) server is used for user authentication and accounting.
Operation of DVPN
DVPN employs the client/server model. Operating at the application layer of the TCP/IP protocol stack, DVPN uses UDP as its transport layer protocol.
A DVPN consists of one server and multiple clients. The public address of the server in a DVPN must be static. The private address of a client needs to be statically assigned, while the public address of a client can be manually configured or dynamically assigned. All the private addresses of the nodes composing a DVPN must belong to the same network segment.
Each client registers the mapping of its private address and public address with the server. After a client registers its address mapping with the server, other clients can get the public address of this client from the server. This is for DVPN tunnel establishment between clients. Each client uses the VAM protocol to communicate with the server and uses the DVPN tunneling protocol to establish, maintain, and remove tunnels to other clients. Whenever there is a change in the topology, the server will be notified automatically.
Networking Structures of DVPN
DVPN supports two typical networking structures, full mesh and Hub-Spoke.
z Full mesh DVPN: In a full mesh DVPN, Spokes can communicate with each other directly by establishing tunnels between them, and the Hub is mainly used as the routing information exchange center. As shown in Figure 1-1, after the Spokes (the clients) register with the VAM server and get the Hub information in the VPN domain, they establish permanent tunnels with the Hub. Any two Spokes can establish a tunnel directly between them, which is dynamic and will be aged out if no data exchange occurs on it during the specified period of time (the idle timeout for the Spoke-Spoke tunnel).
-
1-3
Figure 1-1 Full mesh DVPN networking diagram
Site 1 Site 2
VAM server Hub
Spoke 1
Public network
Spoke 2Spoke-Spoke
Hub-Spoke
Data
z Hub-Spoke DVPN. In a Hub-Spoke DVPN, no tunnel can be established between two Spokes, and data between them has to be forwarded through the Hub. That is, the Hub is used as both the routing information exchange center and the data forwarding center. As shown in Figure 1-2, each Spoke establishes a permanent tunnel with the Hub, and data between Spokes is forwarded through the Hub.
Figure 1-2 Hub-Spoke DVPN networking diagram
Site 1 Site 2
VAM server Hub
Spoke 1
Public network
Spoke 2
Hub-Spoke
Data
Data
Implementation of DVPN
DVPN works in three phases: connection initialization, registration, and tunnel establishment. The following is a brief description of the phases:
Connection initialization phase When a client accesses the server for the first time, connection initialization is performed first. During the initialization procedure, the two parties negotiate whether VAM protocol packets should be secured.
-
1-4
If so, they negotiate the packet encryption and integrity validation algorithms, generate the keys, and acknowledge the negotiated result. After the connection initialization process completes, the client proceeds with the registration phase. Figure 1-3 shows the initialization process.
Figure 1-3 Initialization process
Client Server
1) Connection request
2) Connection response
3) Negotiation acknowledgement
4) Negotiation acknowledgement
2) The client sends the server a connection request, which carries the supported encryption and integrity validation algorithms.
3) Upon reception of the connection request, the server and the client begin to negotiate the algorithms to be used, with the server dominating the negotiation. When negotiating an algorithm to be used, the VAM server first compares the algorithm of the highest priority on its own algorithm list against the algorithm list of the client. If a match is found, the algorithm is used. If not, the server compares its next-highest priority algorithm against the list. The operation continues until a match is found or all the algorithms on the servers algorithm list have been compared. If a match is found, the server sends to the client a connection response, which carries the negotiation result, and at the same time, the server and the client generate the encryption key and integrity validation key.
4) The client and server respectively checks whether the algorithm negotiation and key negotiation are successful through the negotiation acknowledge packets.
Registration phase
Figure 1-4 Registration process
Figure 1-4 shows the registration process:
1) The client sends the server a registration request, which carries information about the client.
2) Upon reception of the registration request, the server first determines whether to authenticate the identity of the client. If identity authentication is not required, the server directly registers the client and sends the client a registration acknowledgement. Otherwise, the server sends the client an identity authentication request, indicating the required authentication algorithm. In the case of CHAP authentication, a random number is also sent.
3) The client submits its identity information to the server.
-
1-5
4) After receiving the identity information of the client, the server sends an authentication request to the AAA server and, after receiving the expected authentication acknowledgement, sends an accounting request to the AAA server. When the server receives the accounting acknowledgement, it sends the client a registration acknowledgement, telling the client information about the Hubs in the VPN.
Tunnel establishment phase After a Spoke successfully registers itself, it needs to establish a permanent tunnel with a Hub. A Spoke can establish permanent tunnels with up to two Hubs. If there are two Hubs in a VPN domain, a permanent tunnel is required between the Hubs. Figure 1-5 shows the tunnel establishment process.
Figure 1-5 Tunnel establishment process
Spoke/Hub Hub
1) Tunnel establishment request
2) Tunnel established
Spoke Spoke
1) Tunnel establishment request
2) Tunnel established
2) The initiator originates a tunnel establishment request.
z Hub-Spoke tunnel: After a Spoke registers itself successfully, it needs to establish a permanent tunnel with each Hub in the VPN. Upon receiving the registered information of the hubs from the server, the Spoke checks whether a tunnel is present to each Hub. If no tunnel exists between the Spoke and a Hub, the Spoke sends a tunnel establishment request to the Hub.
z Hub-Hub tunnel: After a Hub registers itself successfully, the server sends the registered information of the other Hubs in the VPN to the Hub and the Hub checks whether a tunnel exists to each of its peer Hubs. If not, the Hub sends a tunnel establishment request to the peer Hub.
z Spoke-Spoke tunnel: In a full mesh network, when a Spoke receives a data packet but finds no tunnel for forwarding the packet, it sends an address resolution request to the server and then, after receiving the resolved address, sends a tunnel establishment request to the peer Spoke.
3) The tunnel establishment request receiver saves the tunnel establishment information and sends a response to the sender. If the request sender receives the response, a tunnel is established. Otherwise, tunnel establishment attempt fails.
Supported DVPN Features
NAT traversal of DVPN packets When a Spoke needs to communicate with another Spoke, one of the following cases will occur:
z If neither of the two Spokes is behind a NAT gateway, a direct tunnel will be established between them.
z If only the tunnel initiator resides behind a NAT gateway, a Spoke-Spoke tunnel can be established traversing the NAT gateway.
-
1-6
z If the tunnel request receiver is behind a NAT gateway, packets must be forwarded by a Hub before the intended receiver originates a tunnel establishment request.
z If both Spokes reside behind NAT gateways, no tunnel can be established between them and packets between them will be forwarded by a Hub.
Support for dynamic VAM client IP address As each VAM client registers its public and private addresses with the VAM server and can get the public address of the peer VAM client from the VAM server, no tunnel destination address needs to be configured on either tunnel interface of a tunnel. When a VAM client has its IP address changed, it reregisters with the VAM server, thus supporting dynamic IP address.
AAA identity authentication of VAM clients on the VAM server After the initialization process completes, a VAM client registers with the VAM server. You can specify to authenticate VAM clients during the registration process. VAM supports PAP authentication and CHAP authentication. The VAM server uses AAA to authenticate clients in the VPN domain. A VAM client must pass authentication to access the VPN.
Identity authentication of the VAM server and VAM client using the pre-shared key A VAM client and the VAM server must be configured with the same pre-shared key to generate the encryption/integrity validation key. The VAM client/VAM server can determine whether the pre-shared keys of both sides are the same by checking the result of packet decryption and integrity validation, so as to implement identity authentication of the VAM server/VAM client.
Encryption of VAM protocol packets VAM protocol packets can be encrypted by using AES-128, DES, or 3DES.
IPsec protection of data packets Data packets in a DVPN tunnel can be protected by IPsec (using the ESP protocol and IKE).
Centralized management of policies A VAM server manages all policies in a VPN domain centrally.
Support for multiple VPN domains A VAM server supports up to 10 VPN domains.
DVPN Configuration Task List
When configuring DVPN, you are recommended to perform configuration in the order of the VAM server, the Hub(s), and the Spokes.
Complete the following tasks to configure DVPN:
Task Remarks
Configuring AAA Optional Server side configuration
Configuring the VAM Server Required
Configuring a VAM Client Required
Configuring an IPsec Profile Optional
Configuring the DVPN Tunnel
Parameters Required
Client side configuration
Configuring Routing Required
-
1-7
Configuring AAA
A VAM server can employ AAA to authenticate the identities of clients accessing a VPN domain. For AAA configuration, refer to AAA RADIUS HWTACACS Configuration in the Security Volume.
Configuring the VAM Server
VAM Server Configuration Task List
Complete the following tasks to configure a VAM server:
Task Remarks
Creating a VPN Domain Required
Enabling VAM Server Required
Configuring the Listening IP Address and UDP Port Number Required
Configuring the Security Parameters of VAM Protocol Packets Optional
Specifying the Client Authentication Mode Optional
Configuring the Hubs Required
Configuring the Pre-Shared Key of the VAM Server Required
Configuring Keepalive Parameters Optional
Creating a VPN Domain
Follow these steps to create a VPN domain:
To do Use the command Remarks
Enter system view system-view
Create a VPN domain and
enter VPN domain view vam server vpn vpn-name
Required
No VPN domain exists by default.
Enabling VAM Server
Follow these steps to enable VAM server:
To do Use the command Remarks
Enter system view system-view
Enable VAM server for
one or all VPN domains
vam server enable { all | vpn vpn-name }
vam server vpn vpn-name Enable VAM server
Enable VAM server for
a VPN domain server enable
Required
Use either approach.
Disabled by default
-
1-8
Configuring the Listening IP Address and UDP Port Number
Follow these steps to configure the listening IP address and UDP port number of the VAM server:
To do Use the command Remarks
Enter system view system-view
Configure the listening IP address
and UDP port number of the
server
vam server ip-address ip-address [ port port-number ]
Required
Not configured by default
A VAM server listens to packets sent from VAM clients on only the configured IP address and UDP port. A VAM server uses the same listening IP address and UDP port for all VPN domains.
Configuring the Security Parameters of VAM Protocol Packets
Based on the packet integrity authentication algorithm and encryption algorithm configuration, a VAM server negotiates with a client to determine the protocol packets integrity authentication and encryption algorithms to be used between them.
Follow these steps to configure VAM protocol packet security parameters:
To do Use the command Remarks
Enter system view system-view
Enter VPN domain view vam server vpn vpn-name
Specify the algorithms for protocol
packet authentication and their
priorities
authentication-algorithm { none
| { md5 | sha-1 } * }
Optional
By default, SHA-1 is used for
protocol packet authentication.
Specify the algorithms for protocol
packet encryption and their
priorities
encryption-algorithm { { 3des |
aes-128 | des } * | none }
Optional
By default, three encryption
algorithms are available and
preferred in this order: AES-128,
3DES and DES.
-
1-9
z In the connection initialization process, SHA-1 is always used for authenticating connection requests from clients and connection responses from the server. Whether subsequent protocol packets are to be authenticated and what algorithms are available for authentication depend on your configuration.
z In the connection initialization process, AES-128 is always used for encrypting connection requests from clients and connection responses from the server. Whether subsequent protocol packets are to be encrypted and what algorithms are available for encryption depend on your configuration.
z The configuration order of the algorithms determines the priorities of the algorithms.
Specifying the Client Authentication Mode
Currently, a VAM server supports only PAP and CHAP authentication.
Follow these steps to configure the client authentication mode:
To do Use the command Remarks
Enter system view system-view
Enter VPN domain view vam server vpn vpn-name
Specify the client
authentication mode
authentication-method { none | { chap | pap } [ domain name-string ] }
Required
By default, a VAM server
performs CHAP authentication
of clients, using the default
domain configured for the
system.
Configuring the Hubs
Follow these steps to configure a Hub:
To do Use the command Remarks
Enter system view system-view
Enter VPN domain view vam server vpn vpn-name
Configure a Hub by specifying its
IP addresses
hub private-ip private-ip-address [ public-ip public-ip-address ]
Required
No Hub is configured by default.
-
1-10
z The public IP address is optional. When a Hub registers, the VAM server will get the public address of the Hub. If you specify both the private and public addresses of a Hub on the server, the server considers a client being a valid Hub only when both the public and private addresses that the client registers with the server match those configured on the server.
z Currently, up to two Hubs and 200 Spokes can be configured in a VPN domain.
Configuring the Pre-Shared Key of the VAM Server
The pre-shared key is used to generate the keys for securing the channels between the server and a client. In the connection initialization process, the pre-shared key is used to generate the initial key for validating and encrypting connection requests and connection responses. If encryption and authentication is needed for subsequent packets, the pre-shared key is also used to generate the connection key for validating and encrypting the subsequent packets.
Follow these steps to configure the pre-shared key of the VAM server:
To do Use the command Remarks
Enter system view system-view
Enter VPN domain view vam server vpn vpn-name
Configure the pre-shared key of
the VAM server
pre-shared-key { cipher | simple } key-string
Required
No pre-shared key exists by
default.
Configuring Keepalive Parameters
A client sends keepalive packets to the server periodically, while the server sends responses back to prove its existence. If a server receives no keepalive packets from a client within a specified period (which equals the product of the keepalive interval and the maximum number of transmission attempts), the server removes information about the client and logs off the client.
You can set the interval at which a client sends keepalive packets and the maximum number of transmission attempts. After a client registers with the server, the server sends these settings to the client through its response packet.
Follow these steps to configure keepalive parameters:
To do Use the command Remarks
Enter system view system-view
Enter VPN domain view vam server vpn vpn-name
Set the keepalive interval keepalive interval time-interval Optional
10 seconds by default
Set the maximum number of
transmission attempts keepalive retry retry-times
Optional
3 by default
-
1-11
Your keepalive settings only apply to the clients registered after the configuration. The clients registered before that continue to use the old settings.
Configuring a VAM Client
VAM Client Configuration Task List
Complete the following tasks to configure a VAM client:
Task Remarks
Creating a VAM Client Required
Setting the VAM Protocol Packet Retransmission Interval Optional
Specifying the Primary VAM Server Required
Specifying the Secondary VAM Server Optional
Configuring the Username and Password Optional
Specifying the VPN Domain of the VAM Client Required
Specifying the Pre-Shared Key of the VAM Client Required
Enabling VAM Client Required
Creating a VAM Client
Follow these steps to create a VAM client:
To do Use the command Remarks
Enter system view system-view
Create a VAM client and enter
its view vam client name client-name
Required
No client is created by default.
Setting the VAM Protocol Packet Retransmission Interval
If a client sends a VAM protocol packet to the server but receives no response in a specified period of time, it retransmits the packet. A VAM protocol packet can be a connection request, negotiation acknowledgement, registration request, or authentication request.
Follow these steps to set the interval for retransmitting a VAM protocol packet:
To do Use the command Remarks
Enter system view system-view
-
1-12
Enter VAM client view vam client name client-name
Set the VAM protocol packet
retransmission interval resend interval time-interval
Optional
5 seconds by default
The maximum number of attempts to retransmit a VAM protocol packet is always 3; it is unmodifiable.
Specifying the Primary VAM Server
Follow these steps to specify the primary VAM server:
To do Use the command Remarks
Enter system view system-view
Enter VAM client view vam client name client-name
Specify the primary VAM server server primary ip-address
ip-address [ port port-number ]
Required
Not specified by default
Specifying the Secondary VAM Server
Follow these steps to specify the secondary VAM server:
To do Use the command Remarks
Enter system view system-view
Enter VAM client view vam client name client-name
Specify the primary VAM server server secondary ip-address ip-address [ port port-number]
Required
Not specified by default
Configuring the Username and Password
A client needs a username and a password to be authenticated by the server. You can configure the username and password for a client by creating a local user.
Follow these steps to configure a username and password for a VAM client:
To do Use the command Remarks
Enter system view system-view
Enter VAM client view vam client name client-name
-
1-13
Configure a username and
password for the client
user username password { cipher |
simple } string
Required
Not configured by default
Only one local user can be configured for a VAM client.
Specifying the VPN Domain of the VAM Client
Follow these steps to specify the VPN domain of the VAM client:
To do Use the command Remarks
Enter system view system-view
Enter VAM client view vam client name client-name
Specify the VPN domain of the
VAM client vpn vpn-name
Required
A VAM client does not belong to
any VPN domain by default.
Specifying the Pre-Shared Key of the VAM Client
The pre-shared key is used to generate the keys for security of the channels between the server and a client.
Follow these steps to specify the pre-shared key of the VAM client:
To do Use the command Remarks
Enter system view system-view
Enter VAM client view vam client name client-name
Specify the pre-shared key of
the VAM client
pre-shared-key { cipher | simple } key-string
Required
Not specified by default
In a VPN domain, all the VAM clients and the VAM server must be configured with the same pre-shared key.
Enabling VAM Client
Follow these steps to enable VAM client:
-
1-14
To do Use the command Remarks
Enter system view system-view
Enable VAM client for
all VAM clients or a
specified VAM client
vam client enable { all |
name client-name }
vam client name client-name
Enable VAM client
Enable VAM client for a
VAM client client enable
Required
Use either approach.
Disabled by default
Configuring an IPsec Profile
An IPsec profile can be used to secure the transmission of data packets and control packets over a DVPN tunnel. It uses the security protocol of ESP and employs IKE for security policy negotiation.
Configuration Prerequisites
Complete these tasks before configuring an IPsec profile:
z Configure the IPsec proposals for the IPsec profile to reference
z Configure the IKE peer for the IPsec profile to reference
For detailed configuration information about IPsec and IKE, refer to IPsec Configuration in the Security Volume.
Configuration Procedure
Follow the following steps to configure an IPsec profile:
To do Use the command Remarks
Enter system view system-view
Create an IPsec profile and enter
IPsec profile view ipsec profile profile-name
Required
By default, no IPsec profile is
created.
Specify the IPsec proposals for the
IPsec profile to reference proposal proposal-name&
Required
By default, an IPsec profile
references no IPsec proposal.
Specify the IKE peer for the IPsec
profile to reference ike-peer peer-name
Required
By default, an IPsec profile
references no IKE peer
-
1-15
Enable and configure perfect
forward secrecy (PFS)
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
Optional
By default, PFS is not used for
negotiation.
For information about PFS, refer to
IPsec Configuration in the Security
Volume.
Configure the SA lifetime sa duration { time-based
seconds | traffic-based kilobytes }
Optional
By default, an IPsec profile uses
the global SA lifetime.
z An IPsec profile depends on IKE for SA negotiation. An IPsec profile can reference up to six IPsec proposals. IKE searches for IPsec proposals that match at both ends during negotiation. If no match is found, SAs cannot be established and the packets requiring IPsec protection will be discarded.
z When IKE uses a security policy to initiate a negotiation, if the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same Diffie-Hellman (DH) group; otherwise, the negotiation will fail.
z When an IPsec profile is used to protect DVPN traffic, the IPsec proposals referenced by the IPsec profile must be configured to use the ESP protocol.
z As DVPN addresses are dynamic, the setting by the remote-address keyword for the IKE peer that an IPsec profile references does not take effect on the initiator.
z For information about commands ipsec profile, proposal, ike-peer, pfs and sa duration, refer to IPsec Commands in the Security Volume.
z For information about global SA lifetime, refer to IPsec Configuration in the Security Volume.
Configuring the DVPN Tunnel Parameters
Configuration Prerequisites
IP addresses have been configured for the source interfaces (VLAN interfaces, Ethernet interfaces, or Loopback interfaces) of the virtual tunnel interfaces and there are routes available between the interfaces.
Configuration Procedure
Follow these steps to configure a DVPN tunnel:
To do Use the command Remarks
Enter system view system-view
-
1-16
Create a tunnel interface and enter
its view interface tunnel number
Required
No tunnel interface is created by
default.
Configure a private IPv4 address
for the tunnel interface
ip address ip-address { mask |
mask-length } [ sub ]
Required
A tunnel interface has no private
IPv4 address configured by
default.
Configure the tunnel mode as
DVPN tunnel-protocol dvpn udp
Required
The default tunnel mode varies
with device model.
The two ends of a tunnel must
work in the same tunnel mode.
Specify the source address or
interface of the tunnel interface
source { ip-address | interface-type interface-number }
Required
The source IP address is the IP
address of the physical interface
that sends the DVPN packets.
A tunnel interface has no source
address or interface configured by
default.
Bind a VAM client to the tunnel
interface vam client client-name
Required
A DVPN tunnel interface must be
bound to a VAM client; otherwise
the tunnel interface cannot come
up.
The client to be bound must exist
and has not been bound to any
other tunnel interface.
No VAM client is bound to a DVPN
tunnel interface by default.
Set the DVPN keepalive interval
and transmission attempt limit keepalive [ seconds [ times ] ]
Optional
The defaults are as follows:
z 10 seconds for the DVPN
keepalive interval,
z 3 times for the transmission
attempt limit.
Set the idle timeout for the
Spoke-Spoke tunnel
dvpn session idle-time time-interval
Optional
300 seconds by default
Set the DVPN tunneling quiet
period
dvpn session dumb-time time-interval
Optional
120 seconds by default
-
1-17
Specify the network type of the
OSPF interface
ospf network-type { broadcast |
p2mp }
Required
Not specified by default
A DVPN tunnel can use only two
types of OSPF interfaces:
broadcast and point to multi-point
(P2MP).
Set the DR priority of the OSPF
interface ospf dr-priority priority
Optional for a Hub, while required
for a Spoke.
By default, the interface DR priority
is 1.
The DR priority of a Hub should be
higher than that of a Spoke. It is
recommended to set the DR
priority of a Spoke to 0 to keep the
Spoke from participating in
DR/BDR election.
Bind an IPsec profile to the DVPN
tunnel interface ipsec profile ipsec-profile-name
Optional
By default, no IPsec profile is
bound to a DVPN tunnel interface.
The IPsec profile to be bound must
already exist.
Associate the tunnel interface with
a VPN instance
ip binding vpn-instance vpn-instance-name
Optional
To isolate individual VPN domains,
you need to configure VPN
multi-instance to distinguish routes
of private networks.
By default, a tunnel interface is
associated with no VPN instance.
-
1-18
z If you configure the source address of a tunnel interface by specifying the source interface, the tunnel takes the primary IP address of the source interface as its source address.
z Tunnel interfaces of the same VPN domain must be configured with private addresses in the same segment.
z Tunnel interfaces of the same VPN domain must be configured with the same DVPN keepalive interval and transmission attempt limit.
z A DVPN tunnel interface can reference only one IPsec profile. To change the IPsec profile referenced by a DVPN tunnel interface, you need to cancel the reference of the current IPsec profile and then apply a new IPsec profile to the tunnel interface.
z When configuring the network type of an OSPF interface, select broadcast for a full mesh network and P2MP for a Hub-Spoke network.
z For details about commands interface tunnel, tunnel-protocol, and source, refer to Tunneling Commands of the IP Services Volume. For information about command ipsec profile, refer to IPsec Commands in the Security Volume.
z For details about the ospf network-type and ospf dr-priority commands, refer to OSPF Commands of the IP Routing Volume.
z For details about VPN multi-instance configuration, refer to MPLS L3VPN Configuration of the MPLS Volume.
Configuring Routing
After you establish private networks across the public network using DVPN, you need to perform routing configuration for devices in the private networks. In private networks of this type, route-related operations, such as neighbor discovery, route updating, routing table establishment, are done over DVPN tunnels. Routing information is exchanged between Hubs or Hubs and Spokes; it is not exchanged between Spokes. Currently, OSPF can be used in DVPN networks.
For information about OSPF configuration on DVPN clients, refer to OSPF Configuration in the IP Routing Volume.
Displaying and Maintaining DVPN
To do Use the command Remarks
Display address mapping
information about VAM clients
registered with the VAM server
display vam server address-map { all | vpn
vpn-name [ private-ip private-ip ] }
Available in any view
Display statistics about VAM
clients registered with the VAM
server
display vam server statistic { all
| vpn vpn-name } Available in any view
Display registration information
about VAM clients
display vam client
{ address-map | fsm } [ client-name ]
Available in any view
-
1-19
Display information about DVPN
tunnels
display dvpn session { all |
interface interface-type
interface-number [ private-ip ip-address ] }
Available in any view
Display information about a
specified or all IPsec profiles
display ipsec profile [ name profile-name ]
Available in any view
Remove DVPN tunnels
reset dvpn session { all |
interface interface-type
interface-number [ private-ip ip-address ] }
Available in user view
For information about command display ipsec profile, refer to IPsec Commands in the Security Volume.
DVPN Configuration Examples
Full Mesh DVPN Configuration Example
Network requirements z In the full mesh networks shown in Figure 1-6, the primary VAM server (main) and the secondary
VAM server (backup) manage and maintain information about the nodes. The AAA server takes charge of VAM client authentication and accounting. With each being the backup of the other, the two Hubs perform data forwarding and routing information exchange.
z Permanent tunnels are established between each Hub-Spoke pair.
z Spokes in the same VPN exchange data through dynamically established tunnels between them.
-
1-20
Figure 1-6 Network diagram for full mesh DVPN configuration
Hub 1 Hub 2
Spoke 1 Spoke 3
Site 1 Site 3
Spoke 2
Site 2
IP networkVPN 1 Hub-to-Spoke static tunnel
VPN 2 Hub-to-Spoke static tunnel
Spoke-to-Spoke dynamic tunnelMain server
Backup server
Eth1/1 Eth1/1
Eth1/1 Eth1/1 Eth1/1
Tunnel1Tunnel2
Tunnel1Tunnel2
Tunnel1 Tunnel1Tunnel2 Tunnel2
Eth1/1
Eth1/1
AAA server
Eth1/2 Eth1/2 Eth1/2
VPN 1 and VPN 2 Hub-to-Hub static tunnel
Device Interface IP address Device Interface IP address Hub 1 Eth1/1 192.168.1.1/24 Spoke 1 Eth1/1 192.168.1.3/24 Tunnel1 10.0.1.1/24 Eth1/2 10.0.3.1/24 Tunnel2 10.0.2.1/24 Tunnel1 10.0.1.3/24 Hub 2 Eth1/1 192.168.1.2/24 Spoke 2 Eth1/1 192.168.1.4/24 Tunnel1 10.0.1.2/24 Eth1/2 10.0.4.1/24 Tunnel2 10.0.2.2/24 Tunnel1 10.0.1.4/24 Main server Eth1/1 192.168.1.22/24 Tunnel2 10.0.2.4/24 Backup server Eth1/1 192.168.1.33//24 Spoke 3 Eth1/1 192.168.1.5/24 AAA server 192.168.1.11/24 Eth1/2 10.0.5.1/24 Tunnel2 10.0.2.3/24
Configuration procedure 1) Configure the primary VAM server (main)
z Configure IP addresses for the interfaces (omitted)
z Configure AAA system-view # Configure RADIUS scheme radsun. [MainServer] radius scheme radsun [MainServer-radius-radsun] primary authentication 192.168.1.11 1812 [MainServer-radius-radsun] primary accounting 192.168.1.11 1813 [MainServer-radius-radsun] key authentication expert [MainServer-radius-radsun] key accounting expert [MainServer-radius-radsun] server-type standard [MainServer-radius-radsun] user-name-format with-domain [MainServer-radius-radsun] quit # Configure ISP domain domain1 to use RADIUS scheme radsun. [MainServer] domain domain1 [MainServer-isp-domain1] authentication default radius-scheme radsun [MainServer-isp-domain1] accounting default radius-scheme radsun [MainServer-isp-domain1] quit [MainServer] domain default enable domain1 z Configure the VAM server
# Specify the listening address of the server.
-
1-21
[MainServer] vam server ip-address 192.168.1.22 # Create VPN domain 1. [MainServer] vam server vpn 1 # Set the pre-shared key to 123. [MainServer-vam-server-vpn-1] pre-shared-key simple 123 # Set the VAM client authentication mode to CHAP. [MainServer-vam-server-vpn-1] authentication-method chap # Specify the IP addresses of the Hubs for VPN 1. [MainServer-vam-server-vpn-1] hub private-ip 10.0.1.1 [MainServer-vam-server-vpn-1] hub private-ip 10.0.1.2 [MainServer-vam-server-vpn-1] quit # Create VPN domain 2. [MainServer] vam server vpn 2 # Set the pre-shared key to 456. [MainServer-vam-server-vpn-2] pre-shared-key simple 456 # Set the VAM client authentication mode to PAP. [MainServer-vam-server-vpn-2] authentication-method pap # Specify the IP addresses of the Hubs for VPN 2. [MainServer-vam-server-vpn-2] hub private-ip 10.0.2.1 [MainServer-vam-server-vpn-2] hub private-ip 10.0.2.2 [MainServer-vam-server-vpn-1] quit # Enable VAM server for all VPNs. [MainServer] vam server enable all 2) Configure the secondary VAM server (backup)
Except for the listening IP address configuration, the configurations for the secondary VAM server are the same as those for the primary VAM server and are thus omitted.
3) Configure Hub 1
z Configure IP addresses for the interfaces (omitted)
z Configure the VAM clients system-view # Create a VAM client named dvpn1hub1 for VPN 1. [Hub1] vam client name dvpn1hub1 [Hub1-vam-client-name-dvpn1hub1] vpn 1 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Hub1-vam-client-name-dvpn1hub1] server primary ip-address 192.168.1.22 [Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 192.168.1.33 [Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123 # Create a local user named dvpn1hub1, setting the password as dvpn1hub1. [Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1 [Hub1-vam-client-name-dvpn1hub1] client enable [Hub1-vam-client-name-dvpn1hub1] quit # Create a VAM client named dvpn2hub1 for VPN 2. [Hub1] vam client name dvpn2hub1 [Hub1-vam-client-name-dvpn2hub1] vpn 2 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Hub1-vam-client-name-dvpn2hub1] server primary ip-address 192.168.1.22 [Hub1-vam-client-name-dvpn2hub1] server secondary ip-address 192.168.1.33 [Hub1-vam-client-name-dvpn2hub1] pre-shared-key simple 456
-
1-22
# Create a local user named dvpn2hub1, setting the password as dvpn2hub1. [Hub1-vam-client-name-dvpn2hub1] user dvpn2hub1 password simple dvpn2hub1 [Hub1-vam-client-name-dvpn2hub1] client enable [Hub1-vam-client-name-dvpn2hub1] quit z Configure the IPsec profile
# Configure the IPsec proposal. [Hub1] ipsec proposal vam [Hub1-ipsec-proposal-vam] encapsulation-mode tunnel [Hub1-ipsec-proposal-vam] transform esp [Hub1-ipsec-proposal-vam] esp encryption-algorithm des [Hub1-ipsec-proposal-vam] esp authentication-algorithm sha1 [Hub1-ipsec-proposal-vam] quit # Configure the IKE peer. [Hub1] ike peer vam [Hub1-ike-peer-vam] pre-shared-key abcde [Hub1-ike-peer-vam] quit # Configure the IPsec profile. [Hub1] ipsec profile vamp [Hub1-ipsec-profile-vamp] proposal vam [Hub1-ipsec-profile-vamp] ike-peer vam [Hub1-ipsec-profile-vamp] sa duration time-based 600 [Hub1-ipsec-profile-vamp] pfs dh-group2 [Hub1-ipsec-profile-vamp] quit z Configure DVPN tunnels
# Configure tunnel interface Tunnel 1 for VPN 1. [Hub1] interface tunnel 1 [Hub1-Tunnel1] tunnel-protocol dvpn udp [Hub1-Tunnel1] vam client dvpn1hub1 [Hub1-Tunnel1] ip address 10.0.1.1 255.255.255.0 [Hub1-Tunnel1] source ethernet 1/1 [Hub1-Tunnel1] ospf network-type broadcast [Hub1-Tunnel1] ipsec profile vamp [Hub1-Tunnel1] quit # Configure tunnel interface Tunnel 2 for VPN 2. [Hub1] interface tunnel 2 [Hub1-Tunnel2] tunnel-protocol dvpn udp [Hub1-Tunnel2] vam client dvpn2hub1 [Hub1-Tunnel2] ip address 10.0.2.1 255.255.255.0 [Hub1-Tunnel2] source ethernet 1/1 [Hub1-Tunnel2] ospf network-type broadcast [Hub1-Tunnel2] ipsec profile vamp [Hub1-Tunnel2] quit z Configure OSPF
# Configure OSPF for the public network. [Hub1] ospf 100 [Hub1-ospf-100] area 0 [Hub1-ospf-100-area-0.0.0.0] network 192.168.1.1 0.0.0.255 [Hub1-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private networks. [Hub1] ospf 200 [Hub1-ospf-200] area 0
-
1-23
[Hub1-ospf-200-area-0.0.0.0] network 10.0.1.1 0.0.0.255 [Hub1-ospf-200-area-0.0.0.0] quit [Hub1] ospf 300 [Hub1-ospf-300] area 0 [Hub1-ospf-300-area-0.0.0.0] network 10.0.2.1 0.0.0.255 4) Configure Hub 2
z Configure IP addresses for the interfaces (omitted).
z Configure the VAM clients. system-view # Create a VAM client named dvpn1hub2 for VPN 1. [Hub2] vam client name dvpn1hub2 [Hub2-vam-client-name-dvpn1hub2] vpn 1 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22 [Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33 [Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123 # Create a local user named dvpn1hub2, setting the password as dvpn1hub2. [Hub2-vam-client-name-dvpn1hub2] user dvpn1hub2 password simple dvpn1hub2 [Hub2-vam-client-name-dvpn1hub2] client enable [Hub2-vam-client-name-dvpn1hub2] quit # Create a VAM client named dvpn2hub2 for VPN 2. [Hub2] vam client name dvpn2hub2 [Hub2-vam-client-name-dvpn2hub2] vpn 2 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Hub2-vam-client-name-dvpn2hub2] server primary ip-address 192.168.1.22 [Hub2-vam-client-name-dvpn2hub2] server secondary ip-address 192.168.1.33 [Hub2-vam-client-name-dvpn2hub2] pre-shared-key simple 456 # Create a local user named dvpn2hub2, setting the password as dvpn2hub2. [Hub2-vam-client-name-dvpn2hub2] user dvpn2hub2 password simple dvpn2hub2 [Hub2-vam-client-name-dvpn2hub2] client enable [Hub2-vam-client-name-dvpn2hub2] quit z Configure the IPsec profile
# Configure the IPsec proposal. [Hub2] ipsec proposal vam [Hub2-ipsec-proposal-vam] encapsulation-mode tunnel [Hub2-ipsec-proposal-vam] transform esp [Hub2-ipsec-proposal-vam] esp encryption-algorithm des [Hub2-ipsec-proposal-vam] esp authentication-algorithm sha1 [Hub2-ipsec-proposal-vam] quit # Configure the IKE peer. [Hub2] ike peer vam [Hub2-ike-peer-vam] pre-shared-key abcde [Hub2-ike-peer-vam] quit # Configure the IPsec profile. [Hub2] ipsec profile vamp [Hub2-ipsec-profile-vamp] proposal vam [Hub2-ipsec-profile-vamp] ike-peer vam [Hub2-ipsec-profile-vamp] sa duration time-based 600 [Hub2-ipsec-profile-vamp] pfs dh-group2 [Hub2-ipsec-profile-vamp] quit
-
1-24
z Configure the DVPN tunnels.
# Configure tunnel interface Tunnel 1 for VPN 1. [Hub2] interface tunnel 1 [Hub2-Tunnel1] tunnel-protocol dvpn udp [Hub2-Tunnel1] vam client dvpn1hub2 [Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.0 [Hub2-Tunnel1] source ethernet 1/1 [Hub2-Tunnel1] ospf network-type broadcast [Hub2-Tunnel1] ipsec profile vamp [Hub2-Tunnel1] quit # Configure tunnel interface Tunnel 2 for VPN 2. [Hub2] interface tunnel 2 [Hub2-Tunnel2] tunnel-protocol dvpn udp [Hub2-Tunnel2] vam client dvpn2hub2 [Hub2-Tunnel2] ip address 10.0.2.2 255.255.255.0 [Hub2-Tunnel2] source ethernet 1/1 [Hub2-Tunnel2] ospf network-type broadcast [Hub2-Tunnel2] ipsec profile vamp [Hub2-Tunnel2] quit z Configure OSPF
# Configure OSPF for the public network. [Hub2] ospf 100 [Hub2-ospf-100] area 0 [Hub2-ospf-100-area-0.0.0.0] network 192.168.1.2 0.0.0.255 [Hub2-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private networks. [Hub2] ospf 200 [Hub2-ospf-200] area 0 [Hub2-ospf-200-area-0.0.0.0] network 10.0.1.2 0.0.0.255 [Hub2-ospf-200-area-0.0.0.0] quit [Hub2] ospf 300 [Hub2-ospf-300] area 0 [Hub2-ospf-300-area-0.0.0.0] network 10.0.2.2 0.0.0.255 5) Configure Spoke 1
z Configure IP addresses for the interfaces (omitted).
z Configure the VAM client. system-view # Create a VAM client named dvpn1spoke1 for VPN 1. [Spoke1] vam client name dvpn1spoke1 [Spoke1-vam-client-name-dvpn1spoke1] vpn 1 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address 192.168.1.22 [Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address 192.168.1.33 [Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123 # Create a local user named dvpn1spoke1, setting the password as dvpn1spoke1. [Spoke1-vam-client-name-dvpn1spoke1] user dvpn1spoke1 password simple dvpn1spoke1 [Spoke1-vam-client-name-dvpn1spoke1] client enable [Spoke1-vam-client-name-dvpn1spoke1] quit z Configure the IPsec profile
# Configure the IPsec proposal.
-
1-25
[Spoke1] ipsec proposal vam [Spoke1-ipsec-proposal-vam] encapsulation-mode tunnel [Spoke1-ipsec-proposal-vam] transform esp [Spoke1-ipsec-proposal-vam] esp encryption-algorithm des [Spoke1-ipsec-proposal-vam] esp authentication-algorithm sha1 [Spoke1-ipsec-proposal-vam] quit # Configure the IKE peer. [Spoke1] ike peer vam [Spoke1-ike-peer-vam] pre-shared-key abcde [Spoke1-ike-peer-vam] quit # Configure the IPsec profile. [Spoke1] ipsec profile vamp [Spoke1-ipsec-profile-vamp] proposal vam [Spoke1-ipsec-profile-vamp] sa duration time-based 600 [Spoke1-ipsec-profile-vamp] pfs dh-group2 [Spoke1-ipsec-profile-vamp] quit z Configure the DVPN tunnel.
# Configure tunnel interface Tunnel 1 for VPN 1. [Spoke1] interface tunnel 1 [Spoke1-Tunnel1] tunnel-protocol dvpn udp [Spoke1-Tunnel1] vam client dvpn1spoke1 [Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.0 [Spoke1-Tunnel1] source ethernet 1/1 [Spoke1-Tunnel1] ospf network-type broadcast [Spoke1-Tunnel1] ospf dr-priority 0 [Spoke1-Tunnel1] ipsec profile vamp [Spoke1-Tunnel1] quit z Configure OSPF
# Configure OSPF for the public network. [Spoke1] ospf 100 [Spoke1-ospf-100] area 0 [Spoke1-ospf-100-area-0.0.0.0] network 192.168.1.3 0.0.0.255 [Spoke1-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private network. [Spoke1] ospf 200 [Spoke1-ospf-200] area 0 [Spoke1-ospf-200-area-0.0.0.0] network 10.0.1.3 0.0.0.255 [Spoke1-ospf-200-area-0.0.0.0] network 10.0.3.1 0.0.0.255 6) Configure Spoke 2
z Configure IP addresses for the interfaces (omitted).
z Configure the VAM client. system-view # Create a VAM client named dvpn1spoke2 for VPN 1. [Spoke2] vam client name dvpn1spoke2 [Spoke2-vam-client-name-dvpn1spoke2] vpn 1 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22 [Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33 [Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123 # Create a local user named dvpn1spoke2, setting the password as dvpn1spoke2.
-
1-26
[Spoke2-vam-client-name-dvpn1spoke2] user dvpn1spoke2 password simple dvpn1spoke2 [Spoke2-vam-client-name-dvpn1spoke2] client enable [Spoke2-vam-client-name-dvpn1spoke2] quit # Create a VAM client named dvpn2spoke2 for VPN 2. [Spoke2] vam client name dvpn2spoke2 [Spoke2-vam-client-name-dvpn1spoke2] vpn 2 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Spoke2-vam-client-name-dvpn2spoke2] server primary ip-address 192.168.1.22 [Spoke2-vam-client-name-dvpn2spoke2] server secondary ip-address 192.168.1.33 [Spoke2-vam-client-name-dvpn2spoke2] pre-shared-key simple 456 # Create a local user named dvpn2spoke2, setting the password as dvpn2spoke2. [Spoke2-vam-client-name-dvpn1spoke2] user dvpn2spoke2 password simple dvpn2spoke2 [Spoke2-vam-client-name-dvpn1spoke2] client enable [Spoke2-vam-client-name-dvpn1spoke2] quit z Configure the IPsec profile
# Configure the IPsec proposal. [Spoke2] ipsec proposal vam [Spoke2-ipsec-proposal-vam] encapsulation-mode tunnel [Spoke2-ipsec-proposal-vam] transform esp [Spoke2-ipsec-proposal-vam] esp encryption-algorithm des [Spoke2-ipsec-proposal-vam] esp authentication-algorithm sha1 [Spoke2-ipsec-proposal-vam] quit # Configure the IKE peer. [Spoke2] ike peer vam [Spoke2-ike-peer-vam] pre-shared-key abcde [Spoke2-ike-peer-vam] quit # Configure the IPsec profile. [Spoke2] ipsec profile vamp [Spoke2-ipsec-profile-vamp] proposal vam [Spoke2-ipsec-profile-vamp] ike-peer vam [Spoke2-ipsec-profile-vamp] sa duration time-based 600 [Spoke2-ipsec-profile-vamp] pfs dh-group2 [Spoke2-ipsec-profile-vamp] quit z Configure the DVPN tunnels.
# Configure tunnel interface Tunnel 1 for VPN 1. [Spoke2] interface tunnel 1 [Spoke2-Tunnel1] tunnel-protocol dvpn udp [Spoke2-Tunnel1] vam client dvpn1spoke2 [Spoke2-Tunnel1] ip address 10.0.1.4 255.255.255.0 [Spoke2-Tunnel1] source ethernet 1/1 [Spoke2-Tunnel1] ospf network-type broadcast [Spoke2-Tunnel1] ospf dr-priority 0 [Spoke2-Tunnel1] ipsec profile vamp [Spoke2-Tunnel1] quit # Configure tunnel interface Tunnel 2 for VPN 2. [Spoke2] interface tunnel 2 [Spoke2-Tunnel2] tunnel-protocol dvpn udp [Spoke2-Tunnel2] vam client dvpn2spoke2 [Spoke2-Tunnel2] ip address 10.0.2.4 255.255.255.0 [Spoke2-Tunnel2] source ethernet 1/1 [Spoke2-Tunnel2] ospf network-type broadcast
-
1-27
[Spoke2-Tunnel2] ipsec profile vamp [Spoke2-Tunnel2] quit z Configure OSPF
# Configure OSPF for the public network. [Spoke2] ospf 100 [Spoke2-ospf-100] area 0 [Spoke2-ospf-100-area-0.0.0.0] network 192.168.1.4 0.0.0.255 [Spoke2-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private networks. [Spoke2] ospf 200 [Spoke2-ospf-200] area 0 [Spoke2-ospf-200-area-0.0.0.0] network 10.0.1.4 0.0.0.255 [Spoke2-ospf-200-area-0.0.0.0] quit [Spoke2] ospf 300 [Spoke2-ospf-300] area 0 [Spoke2-ospf-300-area-0.0.0.0] network 10.0.2.4 0.0.0.255 [Spoke2-ospf-300-area-0.0.0.0] network 10.0.4.1 0.0.0.255 7) Configure Spoke 3
z Configure IP addresses for the interfaces (omitted).
z Configure the VAM client. system-view # Create a VAM client named dvpn2spoke3 for VPN 2. [Spoke3] vam client name dvpn2spoke3 [Spoke3-vam-client-name-dvpn2spoke3] vpn 2 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Spoke3-vam-client-name-dvpn2spoke3] server primary ip-address 192.168.1.22 [Spoke3-vam-client-name-dvpn2spoke3] server secondary ip-address 192.168.1.33 [Spoke3-vam-client-name-dvpn2spoke3] pre-shared-key simple 456 # Create a local user named dvpn2spoke3, setting the password as dvpn2spoke3. [Spoke3-vam-client-name-dvpn2spoke3] user dvpn2spoke3 password simple dvpn2spoke3 [Spoke3-vam-client-name-dvpn2spoke3] client enable [Spoke3-vam-client-name-dvpn2spoke3] quit z Configure the IPsec profile
# Configure the IPsec proposal. [Spoke3] ipsec proposal vam [Spoke3-ipsec-proposal-vam] encapsulation-mode tunnel [Spoke3-ipsec-proposal-vam] transform esp [Spoke3-ipsec-proposal-vam] esp encryption-algorithm des [Spoke3-ipsec-proposal-vam] esp authentication-algorithm sha1 [Spoke3-ipsec-proposal-vam] quit # Configure the IKE peer. [Spoke3] ike peer vam [Spoke3-ike-peer-vam] pre-shared-key abcde [Spoke3-ike-peer-vam] quit # Configure the IPsec profile. [Spoke3] ipsec profile vamp [Spoke3-ipsec-profile-vamp] proposal vam [Spoke3-ipsec-profile-vamp] ike-peer vam [Spoke3-ipsec-profile-vamp] sa duration time-based 600 [Spoke3-ipsec-profile-vamp] pfs dh-group2
-
1-28
[Spoke3-ipsec-profile-vamp] quit z Configure the DVPN tunnel.
# Configure tunnel interface Tunnel 2 for VPN 2. [Spoke3] interface tunnel 2 [Spoke3-Tunnel2] tunnel-protocol dvpn udp [Spoke3-Tunnel2] vam client dvpn2spoke3 [Spoke3-Tunnel2] ip address 10.0.2.3 255.255.255.0 [Spoke3-Tunnel2] source ethernet 1/1 [Spoke3-Tunnel2] ospf network-type broadcast [Spoke3-Tunnel2] ospf dr-priority 0 [Spoke3-Tunnel2] ipsec profile vamp [Spoke3-Tunnel2] quit z Configure OSPF
# Configure OSPF for the public network. [Spoke3] ospf 100 [Spoke3-ospf-100] area 0 [Spoke3-ospf-100-area-0.0.0.0] network 192.168.1.5 0.0.0.255 [Spoke3-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private network. [Spoke3] ospf 200 [Spoke3-ospf-200] area 0 [Spoke3-ospf-200-area-0.0.0.0] network 10.0.2.3 0.0.0.255 [Spoke3-ospf-200-area-0.0.0.0] network 10.0.5.1 0.0.0.255 8) Verify the configuration
# Display the address mapping information of all VAM clients registered with the primary VAM server (main). [MainServer] display vam server address-map all VPN name: 1 Total address-map number: 4 Private-ip Public-ip Type Holding time 10.0.1.1 192.168.1.1 Hub 0H 52M 7S 10.0.1.2 192.168.1.2 Hub 0H 47M 31S 10.0.1.3 192.168.1.3 Spoke 0H 28M 25S 10.0.1.4 192.168.1.4 Spoke 0H 19M 15S VPN name: 2 Total address-map number: 4 Private-ip Public-ip Type Holding time 10.0.2.1 192.168.1.1 Hub 0H 51M 44S 10.0.2.2 192.168.1.2 Hub 0H 46M 45S 10.0.2.3 192.168.1.5 Spoke 0H 11M 25S 10.0.2.4 192.168.1.4 Spoke 0H 18M 32S # Display the address mapping information of all VAM clients registered with the secondary VAM server (backup). [BackupServer] display vam server address-map all VPN name: 1 Total address-map number: 4 Private-ip Public-ip Type Holding time 10.0.1.1 192.168.1.1 Hub 0H 55M 3S 10.0.1.2 192.168.1.2 Hub 0H 50M 30S
-
1-29
10.0.1.3 192.168.1.3 Spoke 0H 31M 24S 10.0.1.4 192.168.1.4 Spoke 0H 22M 15S VPN name: 2 Total address-map number: 4 Private-ip Public-ip Type Holding time 10.0.2.1 192.168.1.1 Hub 0H 54M 43S 10.0.2.2 192.168.1.2 Hub 0H 49M 44S 10.0.2.3 192.168.1.5 Spoke 0H 14M 24S 10.0.2.4 192.168.1.4 Spoke 0H 21M 32S The above output indicates that Hub 1, Hub 2, Spoke 1, Spoke 2, and Spoke 3 all have registered their address mapping information with the VAM servers.
# Display the DVPN tunnel information of Hub 1. [Hub1] display dvpn session all Interface: Tunnel1 VPN name: 1 Total number: 3 Private IP: 10.0.1.2 Public IP: 192.168.1.2 Session type: Hub-Hub State: SUCCESS Holding time: 0h 1m 44s Input: 101 packets, 100 data packets, 1 control packets 87 multicasts, 0 errors Output: 106 packets, 99 data packets, 7 control packets 87 multicasts, 10 errors Private IP: 10.0.1.3 Public IP: 192.168.1.3 Session type: Hub-Spoke State: SUCCESS Holding time: 0h 8m 7s Input: 164 packets, 163 data packets, 1 control packets 54 multicasts, 0 errors Output: 77 packets, 76 data packets, 1 control packets 55 multicasts, 0 errors Private IP: 10.0.1.4 Public IP: 192.168.1.4 Session type: Hub-Spoke State: SUCCESS Holding time: 0h 27m 13s Input: 174 packets, 167 data packets, 7 control packets 160 multicasts, 0 errors Output: 172 packets, 171 data packets, 1 control packets 165 multicasts, 0 errors Interface: Tunnel2 VPN name: 2 Total number: 3 Private IP: 10.0.2.2 Public IP: 192.168.1.2 Session type: Hub-Hub
-
1-30
State: SUCCESS Holding time: 0h 12m 10s Input: 183 packets, 182 data packets, 1 control packets 0 multicasts, 0 errors Output: 186 packets, 185 data packets, 1 control packets 155 multicasts, 0 errors Private IP: 10.0.2.4 Public IP: 192.168.1.4 Session type: Hub-Spoke State: SUCCESS Holding time: 0h 26m 39s Input: 174 packets, 169 data packets, 5 control packets 162 multicasts, 0 errors Output: 173 packets, 172 data packets, 1 control packets 167 multicasts, 0 errors Private IP: 10.0.2.3 Public IP: 192.168.1.5 Session type: Hub-Spoke State: SUCCESS Holding time: 0h 19m 30s Input: 130 packets, 127 data packets, 3 control packets 120 multicasts, 0 errors Output: 127 packets, 126 data packets, 1 control packets 119 multicasts, 0 errors The above information indicates that:
z In VPN 1, Hub 1 has established a permenent tunnel with Hub 2, Spoke 1, and Spoke 2 respectively.
z In VPN 2, Hub 1 has established a permenent tunnel with Hub 2, Spoke 2, and Spoke 3 respectively.
The DVPN tunnel information of Hub 2 is similar to that of Hub 1.
# Display the DVPN tunnel information of Spoke 2. [Spoke2] display dvpn session all Interface: Tunnel1 VPN name: 1 Total number: 2 Private IP: 10.0.1.1 Public IP: 192.168.1.1 Session type: Spoke-Hub State: SUCCESS Holding time: 1h 1m 22s Input: 381 packets, 380 data packets, 1 control packets 374 multicasts, 0 errors Output: 384 packets, 376 data packets, 8 control packets 369 multicasts, 0 errors Private IP: 10.0.1.2 Public IP: 192.168.1.2 Session type: Spoke-Hub State: SUCCESS Holding time: 0h 21m 53s Input: 251 packets, 249 data packets, 1 control packets
-
1-31
230 multicasts, 0 errors Output: 252 packets, 240 data packets, 7 control packets 224 multicasts, 0 errors Interface: Tunnel2 VPN name: 2 Total number: 2 Private IP: 10.0.2.1 Public IP: 192.168.1.1 Session type: Spoke-Hub State: SUCCESS Holding time: 0h 2m 47s Input: 383 packets, 382 data packets, 1 control packets 377 multicasts, 0 errors Output: 385 packets, 379 data packets, 6 control packets 372 multicasts, 0 errors Private IP: 10.0.2.2 Public IP: 192.168.1.2 Session type: Spoke-Hub State: SUCCESS Holding time: 0h 1m 50s Input: 242 packets, 241 data packets, 1 control packets 231 multicasts, 0 errors Output: 251 packets, 241 data packets, 7 control packets 225 multicasts, 0 errors The above information indicates that Spoke 2 has established a permenent Hub-Spoke tunnel with Hub 1 and Hub 2 respectively in both VPN 1 and VPN 2.
The DVPN tunnel information of Spoke 1 and Spoke 3 is similar to that of Spoke 2.
# On Spoke 2, ping private address 10.0.5.1 of Spoke 3. [Spoke2] ping 10.0.5.1 PING 10.0.5.1: 56 data bytes, press CTRL_C to break Reply from 10.0.5.1: bytes=56 Sequence=1 ttl=254 time=5 ms Reply from 10.0.5.1: bytes=56 Sequence=2 ttl=254 time=5 ms Reply from 10.0.5.1: bytes=56 Sequence=3 ttl=254 time=5 ms Reply from 10.0.5.1: bytes=56 Sequence=4 ttl=254 time=4 ms Reply from 10.0.5.1: bytes=56 Sequence=5 ttl=254 time=4 ms --- 10.0.5.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 4/4/5 ms # Display the DVPN tunnel information of interface Tunnel 2 on Spoke 2. [Spoke2] display dvpn session interface tunnel 2 Interface: Tunnel2 VPN name: 2 Total number: 3 Private IP: 10.0.2.1 Public IP: 192.168.1.1 Session type: Spoke-Hub State: SUCCESS Holding time: 1h 10m 0s Input: 451 packets, 450 data packets, 1 control packets
-
1-32
435 multicasts, 0 errors Output: 453 packets, 447 data packets, 6 control packets 430 multicasts, 0 errors Private IP: 10.0.2.2 Public IP: 192.168.1.2 Session type: Spoke-Hub State: SUCCESS Holding time: 0h 1m 50s Input: 242 packets, 241 data packets, 1 control packets 231 multicasts, 0 errors Output: 251 packets, 241 data packets, 7 control packets 225 multicasts, 0 errors Private IP: 10.0.2.3 Public IP: 192.168.1.5 Session type: Spoke-Spoke State: SUCCESS Holding time: 0h 0m 0s Input: 1 packets, 0 data packets, 1 control packets 0 multicasts, 0 errors Output: 1 packets, 0 data packets, 1 control packets 0 multicasts, 0 errors The above information indicates that a Spoke-Spoke tunnel has been established dynamically between Spoke 2 and Spoke 3.
Hub-Spoke DVPN Configuration Example
Network requirements z In the Hub-Spoke networks shown in Figure 1-7, data is forwarded along Hub-Spoke tunnels. The
primary and secondary VAM servers (the main and backup servers in the following figure) manage and maintain information about the nodes. The AAA server takes charge of VAM client authentication and accounting. With each being the backup of the other, the two Hubs perform data forwarding and routing information exchange.
z Permanent tunnels are established between each Hub-Spoke pair.
-
1-33
Figure 1-7 Network diagram for Hub-Spoke DVPN configuration
Hub 1 Hub 2
Spoke 1
Site 1
IP network
VPN 1 Hub-to-Spoke static tunnel
Main server
Backup server
Eth1/1 Eth1/1
Eth1/1
Tunnel1 Tunnel1
Tunnel1
Eth1/1
Eth1/1
AAA server
Spoke 2
Site 1
Eth1/1 Tunnel1VPN 1 and VPN 2 Hub-to-Hub static tunnel
Eth1/2 Eth1/2
Device Interface IP address Device Interface IP address Hub 1 Eth1/1 192.168.1.1/24 Spoke 1 Eth1/1 192.168.1.3/24 Tunnel1 10.0.1.1/24 Eth1/2 10.0.2.1/24 Hub 2 Eth1/1 192.168.1.2/24 Tunnel1 10.0.1.3/24 Tunnel1 10.0.1.2/24 Spoke 2 Eth1/1 192.168.1.4/24 Main server Eth1/1 192.168.1.22/24 Eth1/2 10.0.3.1/24 Backup server Eth1/1 192.168.1.33//24 Tunnel1 10.0.1.4/24 AAA server 192.168.1.11/24
Configuration procedure 1) Configure the primary VAM server (main)
z Configure IP addresses for the interfaces (omitted).
z Configure AAA. system-view # Configure RADIUS scheme radsun. [MainServer] radius scheme radsun [MainServer-radius-radsun] primary authentication 192.168.1.11 1812 [MainServer-radius-radsun] primary accounting 192.168.1.11 1813 [MainServer-radius-radsun] key authentication expert [MainServer-radius-radsun] key accounting expert [MainServer-radius-radsun] server-type standard [MainServer-radius-radsun] user-name-format with-domain [MainServer-radius-radsun] quit # Configure ISP domain domain1 to use RADIUS scheme radsun. [MainServer] domain domain1 [MainServer-isp-domain1] authentication default radius-scheme radsun [MainServer-isp-domain1] accounting default radius-scheme radsun [MainServer-isp-domain1] quit [MainServer] domain default enable domain1 z Configure the VAM server
# Specify the listening address of the server. [MainServer] vam server ip-address 192.168.1.22 # Create VPN domain 1. [MainServer] vam server vpn 1
-
1-34
# Set the pre-shared key to 123. [MainServer-vam-server-vpn-1] pre-shared-key simple 123 # Set VAM client authentication mode to CHAP. [MainServer-vam-server-vpn-1] authentication-method chap # Specify the IP addresses of the Hubs for VPN 1. [MainServer-vam-server-vpn-1] hub private-ip 10.0.1.1 [MainServer-vam-server-vpn-1] hub private-ip 10.0.1.2 # Enable VAM server for all VPNs. [MainServer] vam server enable all 2) Configure the secondary VAM server (backup)
Except for the listening IP address configuration, the configurations for the secondary VAM server are the same as those for the primary VAM server and are thus omitted.
3) Configure Hub 1
z Configure IP addresses for the interfaces (omitted).
z Configure the VAM client. system-view # Create a VAM client named dvpn1hub1 for VPN 1. [Hub1] vam client name dvpn1hub1 [Hub1-vam-client-name-dvpn1hub1] vpn 1 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Hub1-vam-client-name-dvpn1hub1] server primary ip-address 192.168.1.22 [Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 192.168.1.33 [Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123 # Create a local user named dvpn1hub1, setting the password as dvpn1hub1. [Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1 [Hub1-vam-client-name-dvpn1hub1] client enable [Hub1-vam-client-name-dvpn1hub1] quit z Configure the IPsec profile
# Configure the IPsec proposal. [Hub1] ipsec proposal vam [Hub1-ipsec -proposal-vam] encapsulation-mode tunnel [Hub1-ipsec -proposal-vam] transform esp [Hub1-ipsec -proposal-vam] esp encryption-algorithm des [Hub1-ipsec -proposal-vam] esp authentication-algorithm sha1 [Hub1-ipsec -proposal-vam] quit # Configure the IKE peer. [Hub1] ike peer vam [Hub1-ike-peer-vam] pre-shared-key abcde [Hub1-ike-peer-vam] quit # Configure the IPsec profile. [Hub1] ipsec profile vamp [Hub1-ipsec-profile-vamp] proposal vam [Hub1-ipsec-profile-vamp] ike-peer vam [Hub1-ipsec-profile-vamp] sa duration time-based 600 [Hub1-ipsec-profile-vamp] pfs dh-group2 [Hub1-ipsec-profile-vamp] quit z Configure DVPN tunnels.
# Configure tunnel interface Tunnel 1 for VPN 1. [Hub1] interface tunnel 1
-
1-35
[Hub1-Tunnel1] tunnel-protocol dvpn udp [Hub1-Tunnel1] vam client dvpn1hub1 [Hub1-Tunnel1] ip address 10.0.1.1 255.255.255.0 [Hub1-Tunnel1] source ethernet 1/1 [Hub1-Tunnel1] ospf network-type p2mp [Hub1-Tunnel1] ipsec profile vamp [Hub1-Tunnel1] quit z Configure OSPF
# Configure OSPF for the public network. [Hub1] ospf 100 [Hub1-ospf-100] area 0 [Hub1-ospf-100-area-0.0.0.0] network 192.168.1.1 0.0.0.255 [Hub1-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private network. [Hub1] ospf 200 [Hub1-ospf-200] area 0 [Hub1-ospf-200-area-0.0.0.0] network 10.0.1.1 0.0.0.255 4) Configure Hub 2
z Configure IP addresses for the interfaces (omitted).
z Configure the VAM client. system-view # Create a VAM client named dvpn1hub2 for VPN 1. [Hub2] vam client name dvpn1hub2 [Hub2-vam-client-name-dvpn1hub2] vpn 1 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22 [Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33 [Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123 # Create a local user named dvpn1hub2, setting the password as dvpn1hub2. [Hub2-vam-client-name-dvpn1hub2] user dvpn1hub2 password simple dvpn1hub2 [Hub2-vam-client-name-dvpn1hub2] client enable [Hub2-vam-client-name-dvpn1hub2] quit z Configure the IPsec profile
# Configure the IPsec proposal. [Hub2] ipsec proposal vam [Hub2-ipsec-proposal-vam] encapsulation-mode tunnel [Hub2-ipsec-proposal-vam] transform esp [Hub2-ipsec-proposal-vam] esp encryption-algorithm des [Hub2-ipsec-proposal-vam] esp authentication-algorithm sha1 [Hub2-ipsec-proposal-vam] quit # Configure the IKE peer. [Hub2] ike peer vam [Hub2-ike-peer-vam] pre-shared-key abcde [Hub2-ike-peer-vam] quit # Configure the IPsec profile. [Hub2] ipsec profile vamp [Hub2-ipsec-profile-vamp] proposal vam [Hub2-ipsec-profile-vamp] ike-peer vam [Hub2-ipsec-profile-vamp] sa duration time-based 600 [Hub2-ipsec-profile-vamp] pfs dh-group2
-
1-36
[Hub2-ipsec-profile-vamp] quit z Configure the DVPN tunnel.
# Configure tunnel interface Tunnel 1 for VPN 1. [Hub2] interface tunnel 1 [Hub2-Tunnel1] tunnel-protocol dvpn udp [Hub2-Tunnel1] vam client dvpn1hub2 [Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.0 [Hub2-Tunnel1] source ethernet 1/1 [Hub2-Tunnel1] ospf network-type p2mp [Hub2-Tunnel1] ipsec profile vamp [Hub2-Tunnel1] quit z Configure OSPF
# Configure OSPF for the public network. [Hub2] ospf 100 [Hub2-ospf-100] area 0 [Hub2-ospf-100-area-0.0.0.0] network 192.168.1.2 0.0.0.255 [Hub2-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private network. [Hub2] ospf 200 [Hub2-ospf-200] area 0 [Hub2-ospf-200-area-0.0.0.0] network 10.0.1.2 0.0.0.255 5) Configure Spoke 1
z Configure IP addresses for the interfaces (omitted).
z Configure the VAM client. system-view # Create a VAM client named dvpn1spoke1 for VPN 1. [Spoke1] vam client name dvpn1spoke1 [Spoke1-vam-client-name-dvpn1spoke1] vpn 1 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address 192.168.1.22 [Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address 192.168.1.33 [Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123 # Create a local user named dvpn1spoke1, setting the password as dvpn1spoke1. [Spoke1-vam-client-name-dvpn1spoke1] user dvpn1spoke1 password simple dvpn1spoke1 [Spoke1-vam-client-name-dvpn1spoke1] client enable [Spoke1-vam-client-name-dvpn1spoke1] quit z Configure the IPsec profile
# Configure the IPsec proposal. [Spoke1] ipsec proposal vam [Spoke1-ipsec-proposal-vam] encapsulation-mode tunnel [Spoke1-ipsec-proposal-vam] transform esp [Spoke1-ipsec-proposal-vam] esp encryption-algorithm des [Spoke1-ipsec-proposal-vam] esp authentication-algorithm sha1 [Spoke1-ipsec-proposal-vam] quit # Configure the IKE peer. [Spoke1] ike peer vam [Spoke1-ike-peer-vam] pre-shared-key abcde [Spoke1-ike-peer-vam] quit # Configure the IPsec profile. [Spoke1] ipsec profile vamp
-
1-37
[Spoke1-ipsec-profile-vamp] proposal vam [Spoke1-ipsec-profile-vamp] ike-peer vam [Spoke1-ipsec-profile-vamp] sa duration time-based 600 [Spoke1-ipsec-profile-vamp] pfs dh-group2 z Configure the DVPN tunnel.
# Configure tunnel interface Tunnel 1 for VPN 1. [Spoke1] interface tunnel 1 [Spoke1-Tunnel1] tunnel-protocol dvpn udp [Spoke1-Tunnel1] vam client dvpn1spoke1 [Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.0 [Spoke1-Tunnel1] source ethernet 1/1 [Spoke1-Tunnel1] ospf network-type p2mp [Spoke1-Tunnel1] ospf dr-priority 0 [Spoke1-Tunnel1] ipsec profile vamp [Spoke1-Tunnel1] quit z Configure OSPF
# Configure OSPF for the public network. [Spoke1] ospf 100 [Spoke1-ospf-100] area 0 [Spoke1-ospf-100-area-0.0.0.0] network 192.168.1.3 0.0.0.255 [Spoke1-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private network. [Spoke1] ospf 200 [Spoke1-ospf-200] area 0 [Spoke1-ospf-200-area-0.0.0.0] network 10.0.1.3 0.0.0.255 [Spoke1-ospf-200-area-0.0.0.0] network 10.0.2.1 0.0.0.255 6) Configure Spoke 2
z Configure IP addresses for the interfaces (omitted).
z Configure the VAM client. system-view # Create a VAM client named dvpn1spoke2 for VPN 1. [Spoke2] vam client name dvpn1spoke2 [Spoke2-vam-client-name-dvpn1spoke2] vpn 1 # Specify the IP addresses of the VAM servers and set the pre-shared key. [Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22 [Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33 [Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123 # Create a local user named dvpn1spoke2, setting the password as dvpn1spoke2. [Spoke2-vam-client-name-dvpn1spoke2] user dvpn1spoke2 password simple dvpn1spoke2 [Spoke2-vam-client-name-dvpn1spoke2] client enable [Spoke2-vam-client-name-dvpn1spoke2] quit z Configure the IPsec profile
# Configure the IPsec proposal. [Spoke2] ipsec proposal vam [Spoke2-ipsec-proposal-vam] encapsulation-mode tunnel [Spoke2-ipsec-proposal-vam] transform esp [Spoke2-ipsec-proposal-vam] esp encryption-algorithm des [Spoke2-ipsec-proposal-vam] esp authentication-algorithm sha1 [Spoke2-ipsec-proposal-vam] quit # Configure the IKE peer.
-
1-38
[Spoke2] ike peer vam [Spoke2-ike-peer-vam] pre-shared-key abcde [Spoke2-ike-peer-vam] quit # Configure the IPsec profile. [Spoke2] ipsec profile vamp [Spoke2-ipsec-profile-vamp] proposal vam [Spoke2-ipsec-profile-vamp] ike-peer vam [Spoke2-ipsec-profile-vamp] sa duration time-based 600 [Spoke2-ipsec-profile-vamp] pfs dh-group2 [Spoke2-ipsec-profile-vamp] quit z Configure the DVPN tunnel.
# Configure tunnel interface Tunnel 1 for VPN 1. [Spoke2] interface tunnel 1 [Spoke2-Tunnel1] tunnel-protocol dvpn udp [Spoke2-Tunnel1] vam client dvpn1spoke2 [Spoke2-Tunnel1] ip address 10.0.1.4 255.255.255.0 [Spoke2-Tunnel1] source ethernet 1/1 [Spoke2-Tunnel1] ospf network-type p2mp [Spoke2-Tunnel1] ospf dr-priority 0 [Spoke2-Tunnel1] ipsec profile vamp [Spoke2-Tunnel1] quit z Configure OSPF
# Configure OSPF for the public network. [Spoke2] ospf 100 [Spoke2-ospf-100] area 0 [Spoke2-ospf-100-area-0.0.0.0] network 192.168.1.4 0.0.0.255 [Spoke2-ospf-100-area-0.0.0.0] quit # Configure OSPF for the private network. [Spoke2] ospf 200 [Spoke2-ospf-200] area 0 [Spoke2-ospf-200-area-0.0.0.0] network 10.0.1.4 0.0.0.255 [Spoke2-ospf-200-area-0.0.0.0] network 10.0.3.1 0.0.0.255 7) Verify the configuration
# Display the address mapping information of all VAM clients registered with the primary VAM server (main). [MainServer] display vam server address-map all VPN name: 1 Total address-map number: 4 Private-ip Public-ip Type Holding time 10.0.1.1 192.168.1.1 Hub 0H 7M 35S 10.0.1.2 192.168.1.2 Hub 0H 13M 8S 10.0.1.3 192.168.1.3 Spoke 0H 3M 58S 10.0.1.4 192.168.1.4 Spoke 0H 0M 29S # Display the address mapping information of all VAM clients registered with the secondary VAM server (backup). [BackupServer] display vam server address-map all VPN name: 1 Total address-map number: 4
-
1-39
Private-ip Public-ip Type Holding time 10.0.1.1 192.168.1.1 Hub 0H 8M 46S 10.0.1.2 192.168.1.2 Hub 0H 14M 58S 10.0.1.3 192.168.1.3 Spoke 0H 5M 9S 10.0.1.4 192.168.1.4 Spoke 0H 1M 40S The above output indicates that Hub 1, Hub 2, Spoke 1, and Spoke 2 all have registered their address mapping information with the VAM servers.
# Display the DVPN tunnel information of Hub 1. [Hub1] display dvpn session all Interface: Tunnel1 VPN name: 1 Total number: 3 Private IP: 10.0.1.2 Public IP: 192.168.1.2 Session type: Hub-Hub State: SUCCESS Holding time: 0h 1m 44s Input: 101 packets, 100 data packets, 1 control packets 87 multicasts, 0 errors Output: 106 packets, 99 data packets, 7 control packets 87 multicasts, 10 errors Private IP: 10.0.1.3 Public IP: 192.168.1.3 Session type: Hub-Spoke State: SUCCESS Holding time: 0h 4m 32s Input: 36 packets, 18 data packets, 18 control packets 10 multicasts, 0 errors Output: 35 packets, 17 data packets, 18 control packets 11 multicasts, 0 errors Private IP: 10.0.1.4 Public IP: 192.168.1.4 Session type: Hub-Spoke State: SUCCESS Holding time: 0h 3m 15s Input: 20 packets, 0 data packets, 20 control packets 0 multicasts, 0 errors Output: 20 packets, 6 data packets, 14 control packets 6 multicasts, 0 errors The above information indicates that in VPN 1, Hub 1 has established a permenent tunnel with Hub 2, Spoke 1, and Spoke 2 respectively. The DVPN tunnel information of Hub 2 is similar to that of Hub 1.
# Display the DVPN tunnel information of Spoke 1. [Spoke1] display dvpn session all Interface: Tunnel1 VPN name: 1 Total number: 2 Private IP: 10.0.1.1 Public IP: 192.168.1.1 Session type: Spoke-Hub State: SUCCESS Holding time: 1h 1m 22s
-
1-40
Input: 381 packets, 380 data packets, 1 control packets 374 multicasts, 0 errors Output: 384 packets, 376 data packets, 8 control packets 369 multicasts, 0 errors Private IP: 10.0.1.2 Public IP: 192.168.1.2 Session type: Spoke-Hub State: SUCCESS Holding time: 0h 21m 53s Input: 251 packets, 249 data packets, 1 control packets 230 multicasts, 0 errors Output: 252 packets, 240 data packets, 7 control packets 224 multicasts, 0 errors The above information indicates that in VPN 1, Spoke 1 has established a permenent Hub-Spoke tunnel with Hub 1 and Hub 2 respectively. The DVPN tunnel information of Spoke 2 is similar to that of Spoke 1.
# On Spoke 1, ping private address 10.0.3.1 of Spoke 2. [Spoke1] ping 10.0.3.1 PING 10.0.3.1: 56 data bytes, press CTRL_C to break Reply from 10.0.3.1: bytes=56 Sequence=1 ttl=254 time=6 ms Reply from 10.0.3.1: bytes=56 Sequence=2 ttl=254 time=54 ms Reply from 10.0.3.1: bytes=56 Sequence=3 ttl=254 time=5 ms Reply from 10.0.3.1: bytes=56 Sequence=4 ttl=254 time=6 ms Reply from 10.0.3.1: bytes=56 Sequence=5 ttl=254 time=37 ms --- 10.0.3.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 5/21/54 ms # Display the DVPN tunnel information of Spoke 1. [Spoke1] display dvpn session all Interface: Tunnel2 VPN name: 2 Total number: 2 Private IP: 10.0.2.1 Public IP: 192.168.1.1 Session type: Spoke-Hub State: SUCCESS Holding time: 1h 10m 0s Input: 451 packets, 450 data packets, 1 control packets 435 multicasts, 0 errors Output: 453 packets, 447 data packets, 6 control packets 430 multicasts, 0 errors Private IP: 10.0.2.2 Public IP: 192.168.1.2 Session type: Spoke-Hub State: SUCCESS Holding time: 0h 1m 50s Input: 242 packets, 241 data packets, 1 control packets 231 multicasts, 0 errors Output: 251 packets, 241 data packets, 7 control packets
-
1-41
225 multicasts, 0 errors The above information indicates that Spoke 1 and Spoke 2 have no dynamic Spoke-Spoke tunnel established between them, and they exchange data through the Hub.
-
2-1
2 GRE Configuration Support for some features on the MSR series is shown below:
Feature MSR 900 MSR 20-1X MSR 20 MSR 30 MSR 50
GRE-IPSec tunnel application Yes Yes Yes Yes Yes
z Support for some commands may vary with device models. For relevant information, refer to the corresponding command manual.
z All the MSR series routers are centralized devices. z The MSR series routers support VPN instances, therefore supporting the vpn-instance keyword.
When configuring GRE, go to these sections for information you are interested in:
z GRE Overview z Configuring a GRE over IPv4 Tunnel z Configuring a GRE over IPv6 Tunnel z Displaying and Maintaining GRE z GRE over IPv4 Tunnel Configuration Examples z GRE over IPv6 Tunnel Configuration Examples z Troubleshooting GRE
GRE Overview
Introduction to GRE
Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the packets of one network layer protocol (for example, IP or IPX) over another network layer protocol (for example, IP). GRE is a tunneling technology and serves as a Layer 3 tunneling protocol.
A GER tunnel is a virtual point-to-point connection for transferring encapsulated packets. Packets are encapsulated at one end of the tunnel and de-encapsulated at the other end. Figure 2-1 depicts the encapsulation and de-encapsulation processes.
Figure 2-1 X protocol networks interconnected through the GRE tunnel
-
2-2
The following takes the network shown in Figure 2-1 as an example to describe how an X protocol packet traverses the IP network through a GRE tunnel.
Encapsulation process
1) After receiving an X protocol packet through the interface connected to Group 1, Router A submits it to the X protocol for processing.
2) The X protocol checks the destination address field in the packet header to determine how to route the packet.
3) If the packet must be tunneled to reach its destination, Router A sends it to the tunnel interface. 4) Upon receipt of the packet, the tunnel interface encapsulates it in a GRE packet. Then, the system
encapsulates the packet in an IP packet and forwards the IP packet based on its destination address and the routing table.
Format of an encapsulated packet
Figure 2-2 shows the format of an encapsulated packet.
Figure 2-2 Format of an encapsulated packet
As an example, Figure 2-3 shows the format of an X packet encapsulated for transmission over an IP tunnel.
Figure 2-3 Format of an X packet encapsulated for transmission over an IP tunnel
These are the terms involved:
z Payload: Packet that needs to be encapsulated and transmitted. z Passenger protocol: Protocol that the payload packet uses, IPX in the example. z Encapsulation or carrier protocol: Protocol used to encapsulate the payload packet, that is, GRE. z Delivery or transport protocol: Protocol used to encapsulate the GRE packet and then forward the
packet to the other end of the tunnel, IP in this example.
Depending on the transport protocol, two tunnel modes are present: GRE over IPv4 and GRE over IPv6.
De-encapsulation process
De-encapsulation is the reverse process of encapsulation:
1) Upon receiving an IP packet from the tunnel interface, Router B checks the destination address.
-
2-3
2) If the destination is itself, Router B strips off the IP header of the packet and submits the resulting packet to the GRE protocol.
3) The GRE protocol checks the key, checksum and sequence number in the packet, and then strips off the GRE header and submits the payload to the X protocol for forwarding.
Encapsulation and de-encapsulation processes on both ends of the GRE tunnel and the resulting increase in data volumes will degrade the forwarding efficiency for the GRE-enabled device to some extent.
GRE Security Options
For the purpose of tunnel security, GRE provides two options: tunnel interface key and end-to-end checksum.
According to RFC 1701,
z If the Key Present field of a GRE packet header is set to 1, the Key field will carry the key for the receiver to authenticate the source of the packet. This key must be the same at both ends of a tunnel. Otherwise, packets delivered over the tunnel will be discarded.
z If the Checksum Present bit of a GRE packet header is set to 1, the Checksum field contains valid information. The sender calculates the checksum for the GRE header and the payload and sends the packet containing the checksum to the peer. The receiver calculates the checksum for the received packet and compar
top related