Example for Configuring VXLAN over IPsec in an Active-Active Scenario

In a scenario where a data center is interconnected with an enterprise site, a CE is dual-homed to a VXLAN network, which enhances VXLAN access reliability and implements rapid convergence in the case of a fault. IPsec encapsulation implements encrypted packet transmission, securing packet transmission.

Networking Requirements

On the network shown in Figure 1, CE1 is dual-homed to PE1 and PE2, and PE1 and PE2 use a virtual address as the VTEP address of the source NVE interface. In this way, the CPE is aware of only one remote NVE interface and establishes a static VXLAN tunnel with the anycast VTEP address. VXLAN packets are transmitted in plain text on the network, which is insecure. IPsec encapsulation implements encrypted packet transmission, securing packet transmission.

Figure 1 Networking for configuring VXLAN over IPsec in an active-active scenario

Interfaces 1 through 3 in this example represent GE 0/1/1, GE 0/1/8, and GE 0/1/16, respectively.



Table 1 Interface IP addresses

Device   Interface    IP address
PE1      GE 0/1/1     10.1.20.1/24
         GE 0/1/2     192.168.1.1/24
         GE 0/1/3     10.1.1.1/24
         Loopback 0   1.1.1.1/32
         Loopback 1   3.3.3.3/32
         Loopback 2   5.5.5.5/32
PE2      GE 0/1/1     10.1.20.2/24
         GE 0/1/2     192.168.2.1/24
         GE 0/1/3     10.1.2.1/24
         Loopback 0   2.2.2.2/32
         Loopback 1   3.3.3.3/32
         Loopback 2   5.5.5.5/32
CE1      GE 0/1/1     192.168.1.2/24
         GE 0/1/2     192.168.2.2/24
CPE      GE 0/1/1     10.1.1.2/24
         Loopback 0   4.4.4.4/32
         Loopback 1   6.6.6.6/32

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IGP on the CEs, PEs, and CPE to implement Layer 2 network connectivity.
  2. Configure service access points on PE1 and PE2 so that CE1 can be dual-homed to PE1 and PE2.
  3. Establish static VXLAN tunnels between the PEs and CPE so that the PEs and CPE can communicate.
  4. Establish a bypass VXLAN tunnel between PE1 and PE2 so that PE1 and PE2 can communicate.
  5. (Optional) Configure a UDP port on the PEs to prevent the receiving of replicated packets.
  6. Configure IPsec on the PEs and CPE and establish IPsec tunnels.

Data Preparation

To complete the configuration, you need the following data:

  • Interfaces and their IP addresses

  • EVPN instance names

  • VPN targets of the received and sent routes in EVPN instances

  • Preshared key

  • Security protocol, encryption algorithm, and authentication algorithm to be adopted by IPsec

  • Encryption algorithm and authentication algorithm that an IKE proposal uses

Procedure

  1. Assign an IP address to each interface on each node, and configure loopback interface addresses.

    For detailed configurations, see Configuration Files.

  2. Configure an IGP. In this example, IS-IS is used.

    For detailed configurations, see Configuration Files.

  3. Enable EVPN capabilities.

    # Configure PE1.

    <PE1> system-view
    [~PE1] evpn
    [*PE1-evpn] vlan-extend private enable
    [*PE1-evpn] vlan-extend redirect enable
    [*PE1-evpn] local-remote frr enable
    [*PE1-evpn] bypass-vxlan enable
    [*PE1-evpn] quit
    [*PE1] commit

    The configuration of PE2 is similar to the configuration of PE1. For configuration details, see Configuration Files in this section.

  4. Configure a BGP peer relationship between PE1 and PE2.

    # Configure PE1.

    [~PE1] bgp 100
    [*PE1-bgp] peer 2.2.2.2 as-number 100
    [*PE1-bgp] peer 2.2.2.2 connect-interface LoopBack 1
    [*PE1-bgp] ipv4-family unicast
    [*PE1-bgp-af-ipv4] undo synchronization
    [*PE1-bgp-af-ipv4] peer 2.2.2.2 enable
    [*PE1-bgp-af-ipv4] quit
    [*PE1-bgp] l2vpn-family evpn
    [*PE1-bgp-af-evpn] undo policy vpn-target
    [*PE1-bgp-af-evpn] peer 2.2.2.2 enable
    [*PE1-bgp-af-evpn] peer 2.2.2.2 advertise encap-type vxlan
    [*PE1-bgp-af-evpn] quit
    [*PE1-bgp] quit
    [*PE1] commit

    The configuration of PE2 is similar to the configuration of PE1. For configuration details, see Configuration Files in this section.

  5. Create a VXLAN tunnel.
    1. Configure EVPN instances and bind them to BDs on the PEs.

      # Configure PE1.

      [~PE1] evpn vpn-instance evpn1 bd-mode
      [*PE1-evpn-instance-evpn1] route-distinguisher 11:11
      [*PE1-evpn-instance-evpn1] vpn-target 1:1 export-extcommunity
      [*PE1-evpn-instance-evpn1] vpn-target 1:1 import-extcommunity
      [*PE1-evpn-instance-evpn1] quit
      [*PE1] bridge-domain 10
      [*PE1-bd10] vxlan vni 10 split-horizon-mode
      [*PE1-bd10] evpn binding vpn-instance evpn1
      [*PE1-bd10] quit
      [*PE1] commit

      The configuration of PE2 is similar to the configuration of PE1. For configuration details, see Configuration Files in this section.

    2. Configure NVE interfaces and enable ingress replication on the CPE and PEs.

      # Configure the CPE.

      [~CPE] interface nve 1
      [*CPE-Nve1] source 4.4.4.4
      [*CPE-Nve1] vni 10 head-end peer-list 3.3.3.3
      [*CPE-Nve1] quit
      [*CPE] commit

      # Configure PE1.

      [~PE1] interface nve 1
      [*PE1-Nve1] source 3.3.3.3
      [*PE1-Nve1] bypass source 1.1.1.1
      [*PE1-Nve1] mac-address 00e0-fc12-7890
      [*PE1-Nve1] vni 10 head-end peer-list protocol bgp
      [*PE1-Nve1] vni 10 head-end peer-list 4.4.4.4
      [*PE1-Nve1] quit
      [*PE1] commit

      The configuration of PE2 is similar to the configuration of PE1. For configuration details, see Configuration Files in this section.

  6. Configure CE1 to access the PEs.

    # Configure PE1.

    [~PE1] e-trunk 1
    [*PE1-e-trunk-1] priority 10
    [*PE1-e-trunk-1] peer-address 2.2.2.2 source-address 1.1.1.1
    [*PE1-e-trunk-1] quit
    [*PE1] interface eth-trunk 1
    [*PE1-Eth-Trunk1] mac-address 00e0-fc12-3456
    [*PE1-Eth-Trunk1] mode lacp-static
    [*PE1-Eth-Trunk1] e-trunk 1
    [*PE1-Eth-Trunk1] e-trunk mode force-master
    [*PE1-Eth-Trunk1] es track evpn-peer 2.2.2.2
    [*PE1-Eth-Trunk1] esi 0000.0001.0001.0001.0001
    [*PE1-Eth-Trunk1] quit
    [*PE1] interface eth-trunk1.1 mode l2
    [*PE1-Eth-Trunk1.1] encapsulation dot1q vid 1
    [*PE1-Eth-Trunk1.1] rewrite pop single
    [*PE1-Eth-Trunk1.1] bridge-domain 10
    [*PE1-Eth-Trunk1.1] quit
    [*PE1] commit

    The configuration of PE2 is similar to the configuration of PE1. For configuration details, see Configuration Files in this section.

  7. (Optional) Configure a UDP port on the PEs to prevent the receiving of replicated packets.

    # Configure PE1.

    [~PE1] evpn enhancement port 1345
    [*PE1] commit

    The same UDP port number must be set for the PEs in the active state.

    The configuration of PE2 is similar to the configuration of PE1. For configuration details, see Configuration Files in this section.

  8. Configure IPsec on PE1.
    1. Configure advanced ACL 3000.

      [~PE1] acl 3000
      [*PE1-acl-adv-3000] rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
      [*PE1-acl-adv-3000] quit
      [*PE1] commit

    2. Configure an IPsec proposal named tran1.

      [~PE1] ipsec proposal tran1
      [*PE1-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*PE1-ipsec-proposal-tran1] transform esp
      [*PE1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*PE1-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*PE1-ipsec-proposal-tran1] quit
      [*PE1] commit

    3. Configure an IKE proposal numbered 10.

      [~PE1] ike proposal 10
      [*PE1-ike-proposal-10] authentication-method pre-share
      [*PE1-ike-proposal-10] authentication-algorithm sha2-256
      [*PE1-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [*PE1-ike-proposal-10] dh group14
      [*PE1-ike-proposal-10] quit
      [*PE1] commit

    4. Configure an IKE peer named b.

      [~PE1] ike peer b
      [*PE1-ike-peer-b] ike-proposal 10
      [*PE1-ike-peer-b] remote-address 6.6.6.6
      [*PE1-ike-peer-b] pre-shared-key abcde
      [*PE1-ike-peer-b] quit
      [*PE1] commit

      The pre-shared key configured on the local device must be the same as that configured on the IKE peer.

    5. Configure an IPsec policy named map1 and numbered 10.

      [~PE1] ipsec policy map1 10 isakmp
      [*PE1-ipsec-policy-isakmp-map1-10] security acl 3000
      [*PE1-ipsec-policy-isakmp-map1-10] proposal tran1
      [*PE1-ipsec-policy-isakmp-map1-10] ike-peer b
      [*PE1-ipsec-policy-isakmp-map1-10] local-address 5.5.5.5
      [*PE1-ipsec-policy-isakmp-map1-10] quit
      [*PE1] commit

    6. Configure the IPsec service instance group.

      [~PE1] service-location 1
      [*PE1-service-location-1] location slot 1
      [*PE1-service-location-1] commit
      [~PE1-service-location-1] quit
      [~PE1] service-instance-group group1
      [*PE1-service-instance-group-group1] service-location 1
      [*PE1-service-instance-group-group1] commit
      [~PE1-service-instance-group-group1] quit

    7. Create and configure an IPsec tunnel.

      [~PE1] interface Tunnel 1
      [*PE1-Tunnel1] ip address 10.11.1.1 255.255.255.255
      [*PE1-Tunnel1] tunnel-protocol ipsec
      [*PE1-Tunnel1] ipsec policy map1 service-instance-group group1
      [*PE1-Tunnel1] quit
      [*PE1] commit

    8. Configure static routes that import traffic into the tunnel.

      [~PE1] ip route-static 6.6.6.6 255.255.255.255 GigabitEthernet0/1/3 10.1.1.2
      [*PE1] ip route-static 4.4.4.4 255.255.255.255 Tunnel1 6.6.6.6
      [*PE1] commit

      The configuration of PE2 is similar to the configuration of PE1. For configuration details, see Configuration Files in this section.

  9. Configure IPsec on the CPE.
    1. Configure advanced ACL 3000.

      [~CPE] acl 3000
      [*CPE-acl-adv-3000] rule 5 permit ip
      [*CPE-acl-adv-3000] quit
      [*CPE] commit

    2. Configure an IPsec proposal named tran1.

      [~CPE] ipsec proposal tran1
      [*CPE-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*CPE-ipsec-proposal-tran1] transform esp
      [*CPE-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*CPE-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*CPE-ipsec-proposal-tran1] quit
      [*CPE] commit

    3. Configure an IKE proposal numbered 10.

      [~CPE] ike proposal 10
      [*CPE-ike-proposal-10] authentication-method pre-share
      [*CPE-ike-proposal-10] authentication-algorithm sha2-256
      [*CPE-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [*CPE-ike-proposal-10] dh group14
      [*CPE-ike-proposal-10] quit
      [*CPE] commit

    4. Configure an IKE peer named 1.

      [~CPE] ike peer 1
      [*CPE-ike-peer-1] ike-proposal 10
      [*CPE-ike-peer-1] remote-address 5.5.5.5
      [*CPE-ike-peer-1] pre-shared-key abcde
      [*CPE-ike-peer-1] quit
      [*CPE] commit

      The pre-shared key configured on the local device must be the same as that configured on the IKE peer.

    5. Configure an IPsec policy template named temp1 and numbered 1.

      [~CPE] ipsec policy-template temp1 1
      [*CPE-ipsec-policy-templet-temp1-1] security acl 3000
      [*CPE-ipsec-policy-templet-temp1-1] proposal tran1
      [*CPE-ipsec-policy-templet-temp1-1] ike-peer 1
      [*CPE-ipsec-policy-templet-temp1-1] local-address 6.6.6.6
      [*CPE-ipsec-policy-templet-temp1-1] quit
      [*CPE] commit

    6. Create a security policy based on the policy template.

      [~CPE] ipsec policy 1 1 isakmp template temp1
      [*CPE] commit

    7. Configure the IPsec service instance group.

      [~CPE] service-location 1
      [*CPE-service-location-1] location slot 1
      [*CPE-service-location-1] commit
      [~CPE-service-location-1] quit
      [~CPE] service-instance-group group1
      [*CPE-service-instance-group-group1] service-location 1
      [*CPE-service-instance-group-group1] commit
      [~CPE-service-instance-group-group1] quit

    8. Create and configure an IPsec tunnel.

      [~CPE] interface Tunnel 1
      [*CPE-Tunnel1] ip address 10.22.2.2 255.255.255.255
      [*CPE-Tunnel1] tunnel-protocol ipsec
      [*CPE-Tunnel1] ipsec policy 1 service-instance-group group1
      [*CPE-Tunnel1] quit
      [*CPE] commit

    9. Configure static routes that import traffic into the tunnel.

      [~CPE] ip route-static 5.5.5.5 255.255.255.255 GigabitEthernet0/1/1 10.1.1.1
      [*CPE] commit
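Steps 8 and 9 configure the two ends of the IPsec tunnel separately, and the notes under steps 8.4 and 9.4 state that the pre-shared key must be identical on both sides; the IKE and IPsec proposals, the mirrored local/remote addresses, and (step 7) the UDP port on both active PEs must agree in the same way. The following Python script is an added example, not code from this Huawei page: it parses VRP-style configuration files (sections separated by `#` lines, sub-commands indented by one space, as in Configuration Files below) and reports any of those settings that disagree. The embedded configurations are constructed excerpts modelled on the page's PE1 and CPE files, using the plaintext key from the procedure instead of the stored cipher text; the faulty variants are constructed to show what a report looks like.

```python
"""Cross-device consistency checks for the IKE/IPsec settings in this example.

Added example, not Huawei code.  parse_vrp() splits a VRP configuration into
sections; check_ipsec_pair() compares what both tunnel endpoints must agree
on; check_pe_ports() verifies the shared 'evpn enhancement port' on the PEs.
The configurations below are constructed excerpts modelled on the page.
"""

# Proposal text shared by both ends (constructed, matches the page's values).
PROPOSALS = """\
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#
"""
PE1_CFG = "evpn enhancement port 1345\n#\n" + PROPOSALS + """\
ike peer b
 pre-shared-key abcde
 remote-address 6.6.6.6
#
ipsec policy map1 10 isakmp
 ike-peer b
 local-address 5.5.5.5
#
return
"""
CPE_CFG = PROPOSALS + """\
ike peer 1
 pre-shared-key abcde
 remote-address 5.5.5.5
#
ipsec policy-template temp1 1
 ike-peer 1
 local-address 6.6.6.6
#
return
"""
# Constructed faults: a weaker DH group plus a mistyped key on the CPE, and a
# PE2 whose enhancement port disagrees with PE1.
BAD_CPE_CFG = CPE_CFG.replace("dh group14", "dh group2").replace(
    "pre-shared-key abcde", "pre-shared-key abcdf")
PE2_CFG = PE1_CFG.replace("port 1345", "port 1346")

# (section header prefix, sub-command keyword) that both endpoints must share.
MUST_MATCH = [("ike proposal", "encryption-algorithm"), ("ike proposal", "dh"),
              ("ike proposal", "authentication-algorithm"),
              ("ike proposal", "integrity-algorithm"),
              ("ike peer", "pre-shared-key"),
              ("ipsec proposal", "esp authentication-algorithm"),
              ("ipsec proposal", "esp encryption-algorithm")]


def parse_vrp(text):
    """Return {section header: [sub-commands]} for a VRP configuration."""
    sections, header, body = {}, None, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line in ("#", "return", ""):      # non-indented separators
            if header is not None:
                sections[header] = body
            header, body = None, []
        elif header is None:
            header = line.strip()            # first line of a section
        else:
            body.append(line.strip())        # indented sub-command
    if header is not None:
        sections[header] = body
    return sections


def get(sections, prefix, key):
    """Value of the first 'key ...' sub-command in a section whose header starts with prefix."""
    for header, body in sections.items():
        if header.startswith(prefix):
            for line in body:
                if line.startswith(key + " "):
                    return line[len(key) + 1:]
    return None


def check_ipsec_pair(cfg_a, cfg_b):
    """Return a list of mismatches between two tunnel endpoints (empty = consistent)."""
    a, b = parse_vrp(cfg_a), parse_vrp(cfg_b)
    problems = []
    for prefix, key in MUST_MATCH:
        va, vb = get(a, prefix, key), get(b, prefix, key)
        if va != vb:   # never echo key material into a report
            shown = "<differs>" if key == "pre-shared-key" else f"{va!r} vs {vb!r}"
            problems.append(f"{prefix} {key}: {shown}")
    # Tunnel-mode ESP builds the outer header from local-address/remote-address,
    # so each side's remote-address must be the other side's local-address.
    for x, y, tag in ((a, b, "a->b"), (b, a, "b->a")):
        if get(x, "ike peer", "remote-address") != get(y, "ipsec policy", "local-address"):
            problems.append(f"{tag}: remote-address is not the peer's local-address")
    return problems


def check_pe_ports(pe1_cfg, pe2_cfg):
    """Step 7: both active PEs must use the same 'evpn enhancement port'."""
    ports = [h.split()[-1] for cfg in (pe1_cfg, pe2_cfg)
             for h in parse_vrp(cfg) if h.startswith("evpn enhancement port ")]
    return len(ports) == 2 and ports[0] == ports[1]


if __name__ == "__main__":
    print("PE1 <-> CPE:", check_ipsec_pair(PE1_CFG, CPE_CFG) or "consistent")
    print("PE1 <-> faulty CPE:", check_ipsec_pair(PE1_CFG, BAD_CPE_CFG))
    print("PE1/PE2 enhancement port agrees:", check_pe_ports(PE1_CFG, PE2_CFG))
```

To use it on real devices, paste the output of `display current-configuration` from each node into the strings in place of the constructed excerpts; the pre-shared key is then stored in the cipher-text form shown in Configuration Files, so the key comparison only tells you whether the two devices store the same cipher text, not whether the plaintext keys match.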

Configuration Files

  • PE1 configuration file

    #
    sysname PE1
    #
    evpn enhancement port 1345
    #
    evpn
     vlan-extend private enable
     vlan-extend redirect enable
     local-remote frr enable
     bypass-vxlan enable
    #
    evpn vpn-instance evpn1 bd-mode
     route-distinguisher 11:11
     vpn-target 1:1 export-extcommunity
     vpn-target 1:1 import-extcommunity
    #
    bridge-domain 10
     vxlan vni 10 split-horizon-mode
     evpn binding vpn-instance evpn1
    #  
    acl number 3000
      rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
    #
    e-trunk 1
     priority 10
     peer-address 2.2.2.2 source-address 1.1.1.1
    #
    isis 1
     network-entity 10.0000.0000.0001.00
     frr
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer b
     pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
     ike-proposal 10
     remote-address 6.6.6.6
    #
    service-location 1
     location slot 1
    #
    service-instance-group group1
     service-location 1
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
     local-address 5.5.5.5
    #
    interface Eth-Trunk1
     mac-address 00e0-fc12-3456
     mode lacp-static
     e-trunk 1
     e-trunk mode force-master
     es track evpn-peer 2.2.2.2
     esi 0000.0001.0001.0001.0001
    #
    interface Eth-Trunk1.1 mode l2
     encapsulation dot1q vid 1
     rewrite pop single
     bridge-domain 10
    #
    interface GigabitEthernet 0/1/1
     undo shutdown
     ip address 10.1.20.1 255.255.255.0
    #
    interface GigabitEthernet 0/1/2
     undo shutdown
     eth-trunk 1
    #
    interface GigabitEthernet 0/1/3
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    interface LoopBack0
     ip address 1.1.1.1 255.255.255.255
     isis enable 1
    #
    interface LoopBack1
     ip address 3.3.3.3 255.255.255.255
     isis enable 1
    #
    interface LoopBack2
     ip address 5.5.5.5 255.255.255.255
     isis enable 1
    #
    interface Nve1
     source 3.3.3.3
     bypass source 1.1.1.1
     mac-address 00e0-fc12-7890
     vni 10 head-end peer-list protocol bgp
     vni 10 head-end peer-list 4.4.4.4
    #
    bgp 100
     peer 2.2.2.2 as-number 100
     peer 2.2.2.2 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 2.2.2.2 enable
     #
     l2vpn-family evpn
      undo policy vpn-target
      peer 2.2.2.2 enable
      peer 2.2.2.2 advertise encap-type vxlan
    #
    interface Tunnel1
     ip address 10.11.1.1 255.255.255.0
     tunnel-protocol ipsec
     ipsec policy map1 service-instance-group group1
    #
    ip route-static 6.6.6.6 255.255.255.255 GigabitEthernet0/1/3 10.1.1.2
    ip route-static 4.4.4.4 255.255.255.255 Tunnel1 6.6.6.6
    #
    return
  • PE2 configuration file

    #
    sysname PE2
    #
    evpn enhancement port 1345
    #
    evpn
     vlan-extend redirect enable
     vlan-extend private enable
     local-remote frr enable
     bypass-vxlan enable
    #
    evpn vpn-instance evpn1 bd-mode
     route-distinguisher 22:22
     vpn-target 1:1 export-extcommunity
     vpn-target 1:1 import-extcommunity
    #
    bridge-domain 10
     vxlan vni 10 split-horizon-mode
     evpn binding vpn-instance evpn1
    #
    acl number 3000
      rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer b
     pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
     ike-proposal 10
     remote-address 6.6.6.6
    #
    service-location 1
     location slot 1
    #
    service-instance-group group1
     service-location 1
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
     local-address 5.5.5.5
    #
    e-trunk 1
     priority 10
     peer-address 1.1.1.1 source-address 2.2.2.2
    #
    isis 1
     network-entity 10.0000.0000.0002.00
     frr
    #
    interface Eth-Trunk1
     mac-address 00e0-fc12-3456
     mode lacp-static
     e-trunk 1
     e-trunk mode force-master
     es track evpn-peer 1.1.1.1
     esi 0000.0001.0001.0001.0001
    #
    interface Eth-Trunk1.1 mode l2
     encapsulation dot1q vid 1
     rewrite pop single
     bridge-domain 10
    #
    interface GigabitEthernet 0/1/1
     undo shutdown
     ip address 10.1.20.2 255.255.255.0
    #
    interface GigabitEthernet 0/1/2
     undo shutdown
     eth-trunk 1
    #
    interface GigabitEthernet 0/1/3
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
    #
    interface LoopBack0
     ip address 2.2.2.2 255.255.255.255
     isis enable 1
    #
    interface LoopBack1
     ip address 3.3.3.3 255.255.255.255
     isis enable 1
    #
    interface LoopBack2
     ip address 5.5.5.5 255.255.255.255
     isis enable 1
    #
    interface Nve1
     source 3.3.3.3
     bypass source 2.2.2.2
     mac-address 00e0-fc12-7890
     vni 10 head-end peer-list protocol bgp
     vni 10 head-end peer-list 4.4.4.4
    #
    bgp 100
     peer 1.1.1.1 as-number 100
     peer 1.1.1.1 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.1 enable
     #
     l2vpn-family evpn
      undo policy vpn-target
      peer 1.1.1.1 enable
      peer 1.1.1.1 advertise encap-type vxlan
     #
    interface Tunnel1
     ip address 10.11.1.1 255.255.255.0
     tunnel-protocol ipsec
     ipsec policy map1 service-instance-group group1
    #
    ip route-static 6.6.6.6 255.255.255.255 GigabitEthernet0/1/3 10.1.2.2
    ip route-static 4.4.4.4 255.255.255.255 Tunnel1 6.6.6.6
    #
    return
  • CE configuration file

    #
    sysname CE
    #
    vlan batch 1 to 4094
    #
    interface Eth-Trunk1
     portswitch
     port link-type trunk
     port trunk allow-pass vlan 1
    #
    interface GigabitEthernet 0/1/1
     undo shutdown
     eth-trunk 1
    #
    interface GigabitEthernet 0/1/2
     undo shutdown
     eth-trunk 1
    #
    return
  • CPE configuration file

    #
    sysname CPE
    #
    bridge-domain 10
     vxlan vni 10 split-horizon-mode
    #
    acl number 3000
      rule 5 permit ip
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer 1
     pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
     ike-proposal 10
     remote-address 5.5.5.5
    #
    service-location 1
     location slot 1
    #
    service-instance-group group1
     service-location 1
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ipsec policy-template temp1 1
     security acl 3000
     ike-peer 1
     proposal tran1
     local-address 6.6.6.6
    #
    ipsec policy 1 1 isakmp template temp1
    #
    isis 1
     network-entity 20.0000.0000.0001.00
     frr
    #
    interface GigabitEthernet 0/1/1
     undo shutdown
     ip address 10.1.1.2 255.255.255.0
     isis enable 1
    #
    interface GigabitEthernet 0/1/1.1 mode l2
     encapsulation dot1q vid 10
     rewrite pop single
     bridge-domain 10
    #
    interface LoopBack0
     ip address 4.4.4.4 255.255.255.255
     isis enable 1
    #
    interface LoopBack1
     ip address 6.6.6.6 255.255.255.255
     isis enable 1
    #
    interface Nve1
     source 4.4.4.4
     vni 10 head-end peer-list 3.3.3.3
    #
    interface Tunnel1
     ip address 10.22.2.2 255.255.255.255
     tunnel-protocol ipsec
     ipsec policy 1 service-instance-group group1
    #
    ip route-static 5.5.5.5 255.255.255.255 GigabitEthernet0/1/1 10.1.1.1
    #
    return
Copyright © Huawei Technologies Co., Ltd.