Example for Configuring the IPsec Tunnel in IKE IPsec Policy Template Mode

The NetEngine 8000 F is mainly to establish IPsec tunnels with the Base Transceiver Station (BTS). Therefore, mobile devices on the network of the base station can access an internal network. You can configure IPsec tunnels for multiple BTSs in IPsec policy template mode, therefore adding or reducing BTSs conveniently. The IPsec policy template is configured on the NetEngine 8000 F to receive connections passively; however, the IPsec policy is configured on the device of the BTS to initiate connections.

Networking Requirements

As shown in Figure1 Networking diagram of configuring the IPsec tunnel in IKE IPsec policy template mode, network A connect to the Internet through DeviceA, BTS1 and BTS2 are both connect to the Internet. The routes among DeviceA, BTS1, and BTS2 are reachable.

Figure 1 Networking diagram of configuring the IPsec tunnel in IKE IPsec policy template mode

Interfaces 1 and 2 in this example represent GE 0/1/1 and GE 0/1/2, respectively.

Mobile devices in two base stations can securely access network A.

Configuration Roadmap

The configuration procedure and roadmap are as follows:

Set the IP addresses for the interfaces.
Create and configure the tunnel interface.
Configure the route of the Internet. Generally, static routes are configured.
Configure the ACL to define the data flows that need to be protected.
Configure the IPsec proposal.
Configure the IKE proposal.
Configure the IKE peer.
Configure the IPsec policy template.
Configure the IPsec service instance group
Apply the IPsec policy to tunnel interface.

Data Preparation

To complete the configuration, you need the following data:

IP addresses of the interfaces
IP addresses of the tunnel interfaces
IP address segments of each network
Pre-shared key
Security protocol, encryption algorithm, and authentication algorithm adopted in an IPsec proposal
Authentication algorithm adopted in an IKE proposal

Procedure

Configure DeviceA.

Set the IP addresses of interfaces.

Set the IP address of GE 0/1/1.

<DeviceA> system-view
[~DeviceA] interface GigabitEthernet 0/1/1
[~DeviceA-GigabitEthernet0/1/1] ip address 10.1.1.1 24
[*DeviceA-GigabitEthernet0/1/1] quit
[*DeviceA] commit

Set the IP address of GE 0/1/2.

[~DeviceA] interface GigabitEthernet 0/1/2
[~DeviceA-GigabitEthernet0/1/2] ip address 172.16.163.1 24
[*DeviceA-GigabitEthernet0/1/2] quit
[*DeviceA] commit

Create and configure the tunnel interface.

[~DeviceA] interface Tunnel 10
[*DeviceA-Tunnel10] tunnel-protocol ipsec
[*DeviceA-Tunnel10] ip address 10.10.1.1 32
[*DeviceA-Tunnel10] quit
[*DeviceA] commit

Configure the static route to the internet. Assume that the next hop of the route to the internet is 172.16.163.2.
```
[~DeviceA] ip route-static 0.0.0.0 0.0.0.0 172.16.163.2
```
Configure the ACL to define the data flows that need to be protected.
```
[~DeviceA] acl 3000
[*DeviceA-acl-adv-3000] rule permit ip 
[*DeviceA-acl-adv-3000] quit
[*DeviceA] commit
```
The ACL rule allows all IP packets through, so that peer BTSs can be added or reduced conveniently. The ACL rule takes effect according to the route, therefore avoiding risks.

Configure the IPsec proposal with the name as tran1.

[~DeviceA] ipsec proposal tran1
[*DeviceA-ipsec-proposal-tran1] encapsulation-mode tunnel
[*DeviceA-ipsec-proposal-tran1] transform esp
[*DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[*DeviceA-ipsec-proposal-tran1] esp encryption-algorithm aes 256
[*DeviceA-ipsec-proposal-tran1] quit
[*DeviceA] commit

ESP is the default security protocol, and Tunnel is the default encapsulating mode, therefore their configurations are optional.

Configure the IKE proposal with the number as 10.

[~DeviceA] ike proposal 10
[*DeviceA-ike-proposal-10] authentication-method pre-share
[*DeviceA-ike-proposal-10] authentication-algorithm sha2-256
[*DeviceA-ike-proposal-10] dh group14
[*DeviceA-ike-proposal-10] quit
[*DeviceA] commit

The authentication method of pre-shared-key is the default authentication method of IKE, therefore their configurations are optional.

Configure the IKE peer with the name as b.

The setting of the pre-shared key should be identical with that on the peer device.

[~DeviceA] ike peer b
[*DeviceA-ike-peer-b] ike-proposal 10
[*DeviceA-ike-peer-b] pre-shared-key abcde
[*DeviceA-ike-peer-b] quit
[*DeviceA] commit

Configure IKE DPD.

[~DeviceA] ike dpd 100
[*DeviceA] commit

Configure the IPsec policy template with the name as map_temp and with the number as 1.

[~DeviceA] ipsec policy-template map_temp 1
[*DeviceA-ipsec-policy-templet-map_temp-1] security acl 3000
[*DeviceA-ipsec-policy-templet-map_temp-1] proposal tran1
[*DeviceA-ipsec-policy-templet-map_temp-1] ike-peer b
[*DeviceA-ipsec-policy-templet-map_temp-1] quit
[*DeviceA] commit

Refer to IPsec policy template map_temp in IPsec policy map1.
```
[~DeviceA] ipsec policy map1 10 isakmp template map_temp
[*DeviceA] commit
```
The name of the policy template cannot be identical with that of the IPsec policy.

Configure the IPsec service instance group.

[~DeviceA] service-location 1
[*DeviceA-service-location-1] location slot 1
[*DeviceA-service-location-1] commit
[~DeviceA-service-location-1] quit
[~DeviceA] service-instance-group group1
[*DeviceA-service-instance-group-group1] service-location 1
[*DeviceA-service-instance-group-group1] commit
[~DeviceA-service-instance-group-group1] quit

Apply IPsec policy map1 to Tunnel 10.

[~DeviceA] interface Tunnel 10
[~DeviceA-Tunnel10] ipsec policy map1 service-instance-group group1
[*DeviceA-Tunnel10] quit
[*DeviceA] commit

Configuration Files

The configuration file of DeviceA.

#
 sysname DeviceA
#
ike dpd 100
#
acl number 3000
 rule 5 permit ip
#
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ike peer b
 pre-shared-key cipher %^%#.EJ~F"jURXr&0--*9[2(uLl^I@0_]XBJe;=-0x,V%^%#
 ike-proposal 10 
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
# 
ipsec policy-template map_temp 1
 security acl 3000
 ike-peer b
 proposal tran1
#
service-location 1
 location slot 1
#
service-instance-group group1
 service-location 1
#
ipsec policy map1 10 isakmp template map_temp
#
interface GigabitEthernet0/1/1
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/1/2  
 ip address 172.16.163.1 255.255.255.0
#
interface Tunnel10
 ip address 10.10.1.1 255.255.255.0
 tunnel-protocol ipsec 
 ipsec policy map1 service-instance-group group1
#
ip route-static 0.0.0.0 0.0.0.0 172.16.163.2
#
return