Example for Configuring VXLAN over IPsec

VXLAN packets are transmitted in plaintext, so anyone who can observe the transport network can read the encapsulated traffic. You can configure VXLAN over IPsec so that VXLAN packets are encrypted and integrity-protected in transit.

Networking Requirements

Figure 1 shows the networking diagram.

Figure 1 VXLAN over IPsec networking

Interfaces 1 and 2 in this example represent GE 0/1/1 and GE 0/1/2, respectively.

  • Network A belongs to subnetwork 10.1.1.0/24 and is connected to Device A through GE 0/1/2.

  • Network B belongs to subnetwork 10.1.2.0/24 and is connected to Device B through GE 0/1/2.

  • Device A and Device B are routable.

The network must meet the following requirements:
  • VMs in different data centers can communicate with each other.

  • Data transmitted between PCA and PCB is encrypted.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a VXLAN IP address.
  2. Configure a VXLAN service access point.
  3. Configure a VXLAN tunnel.
  4. Configure an ACL rule.
  5. Configure an IKE proposal.
  6. Configure an IPsec proposal.
  7. Configure an IKE peer.
  8. Configure an IPsec policy.
  9. Configure an IPsec service instance group.
  10. Create and configure an IPsec tunnel.
  11. Configure a static route that imports traffic into the tunnel.

Data Preparation

To complete the configuration, you need the following data:

  • IP addresses of the interfaces
  • VLAN ID and VXLAN gateway address of the VM
  • The tunnel mode, IP address, source address, and destination address of the tunnel interface
  • IP address segment of each network
  • Pre-shared key
  • Security protocols, encryption algorithms, and authentication algorithms used in the IPsec proposal
  • Encryption algorithm and authentication algorithm that an IKE proposal uses

Procedure

  • Configure Device A.
    1. Configure IP addresses for interfaces.

      Configure Device A.

      <HUAWEI> system-view
      [~HUAWEI] sysname DeviceA
      [*HUAWEI] commit
      [~DeviceA] interface loopback 1
      [*DeviceA-LoopBack1] ip address 1.1.1.1 32
      [*DeviceA-LoopBack1] quit
      [*DeviceA] interface gigabitethernet 0/1/1
      [*DeviceA-GigabitEthernet0/1/1] ip address 192.168.1.1 16
      [*DeviceA-GigabitEthernet0/1/1] quit
      [*DeviceA] commit

    2. Configure a service access point.

      [~DeviceA] bridge-domain 10
      [*DeviceA-bd10] quit
      [*DeviceA] interface gigabitethernet0/1/2.1 mode l2
      [*DeviceA-GigabitEthernet0/1/2.1] encapsulation dot1q vid 10
      [*DeviceA-GigabitEthernet0/1/2.1] rewrite pop single
      [*DeviceA-GigabitEthernet0/1/2.1] bridge-domain 10
      [*DeviceA-GigabitEthernet0/1/2.1] quit
      [*DeviceA] commit

    3. Configure a VXLAN tunnel.

      [~DeviceA] bridge-domain 10
      [~DeviceA-bd10] vxlan vni 1
      [*DeviceA-bd10] quit
      [*DeviceA] interface loopback 2
      [*DeviceA-LoopBack2] ip address 3.3.3.3 32
      [*DeviceA-LoopBack2] quit
      [*DeviceA] interface nve 1
      [*DeviceA-Nve1] source 3.3.3.3
      [*DeviceA-Nve1] vni 1 head-end peer-list 4.4.4.4
      [*DeviceA-Nve1] quit
      [*DeviceA] commit

    4. Configure advanced ACL 3000.

      [~DeviceA] acl 3000
      [*DeviceA-acl-adv-3000] rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
      [*DeviceA-acl-adv-3000] quit
      [*DeviceA] commit

    5. Configure an IPsec proposal named tran1.

      [~DeviceA] ipsec proposal tran1
      [*DeviceA-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*DeviceA-ipsec-proposal-tran1] transform esp
      [*DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*DeviceA-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*DeviceA-ipsec-proposal-tran1] quit
      [*DeviceA] commit

    6. Configure an IKE proposal numbered 10.

      [~DeviceA] ike proposal 10
      [*DeviceA-ike-proposal-10] authentication-method pre-share
      [*DeviceA-ike-proposal-10] encryption-algorithm aes-cbc 256
      [*DeviceA-ike-proposal-10] authentication-algorithm sha2-256
      [*DeviceA-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [*DeviceA-ike-proposal-10] dh group14
      [*DeviceA-ike-proposal-10] quit
      [*DeviceA] commit

    7. Configure an IKE peer named b.

      • The pre-shared key must be identical to the one configured on the peer device; IKE authentication fails otherwise.

      [~DeviceA] ike peer b
      [*DeviceA-ike-peer-b] ike-proposal 10
      [*DeviceA-ike-peer-b] remote-address 2.2.2.2
      [*DeviceA-ike-peer-b] pre-shared-key abcde
      [*DeviceA-ike-peer-b] quit
      [*DeviceA] commit

    8. Configure an IPsec policy named map1 and numbered 10.

      [~DeviceA] ipsec policy map1 10 isakmp
      [*DeviceA-ipsec-policy-isakmp-map1-10] security acl 3000
      [*DeviceA-ipsec-policy-isakmp-map1-10] proposal tran1
      [*DeviceA-ipsec-policy-isakmp-map1-10] ike-peer b
      [*DeviceA-ipsec-policy-isakmp-map1-10] local-address 1.1.1.1
      [*DeviceA-ipsec-policy-isakmp-map1-10] quit
      [*DeviceA] commit

    9. Configure the IPsec service instance group.

      [~DeviceA] service-location 1
      [*DeviceA-service-location-1] location slot 1
      [*DeviceA-service-location-1] commit
      [~DeviceA-service-location-1] quit
      [~DeviceA] service-instance-group group1
      [*DeviceA-service-instance-group-group1] service-location 1
      [*DeviceA-service-instance-group-group1] commit
      [~DeviceA-service-instance-group-group1] quit

    10. Create and configure an IPsec tunnel.

      [~DeviceA] interface Tunnel 1
      [*DeviceA-Tunnel1] ip address unnumbered interface loopback1
      [*DeviceA-Tunnel1] tunnel-protocol ipsec
      [*DeviceA-Tunnel1] ipsec policy map1 service-instance-group group1
      [*DeviceA-Tunnel1] quit
      [*DeviceA] commit

    11. Configure a static route that imports traffic into the tunnel.

      [~DeviceA] ip route-static 2.2.2.2 255.255.255.255 GigabitEthernet0/1/1 192.168.2.1
      [*DeviceA] ip route-static 4.4.4.4 255.255.255.255 Tunnel1 2.2.2.2
      [*DeviceA] commit

  • Configure Device B.
    1. Configure IP addresses for interfaces.

      Configure Device B.

      <HUAWEI> system-view
      [~HUAWEI] sysname DeviceB
      [*HUAWEI] commit
      [~DeviceB] interface loopback 1
      [*DeviceB-LoopBack1] ip address 2.2.2.2 32
      [*DeviceB-LoopBack1] quit
      [*DeviceB] interface gigabitethernet 0/1/1
      [*DeviceB-GigabitEthernet0/1/1] ip address 192.168.2.1 16
      [*DeviceB-GigabitEthernet0/1/1] quit
      [*DeviceB] commit

    2. Configure a service access point.

      [~DeviceB] bridge-domain 10
      [*DeviceB-bd10] quit
      [*DeviceB] interface gigabitethernet0/1/2.1 mode l2
      [*DeviceB-GigabitEthernet0/1/2.1] encapsulation dot1q vid 10
      [*DeviceB-GigabitEthernet0/1/2.1] rewrite pop single
      [*DeviceB-GigabitEthernet0/1/2.1] bridge-domain 10
      [*DeviceB-GigabitEthernet0/1/2.1] quit
      [*DeviceB] commit

    3. Configure a VXLAN tunnel.

      [~DeviceB] bridge-domain 10
      [~DeviceB-bd10] vxlan vni 1
      [*DeviceB-bd10] quit
      [*DeviceB] interface loopback 2
      [*DeviceB-LoopBack2] ip address 4.4.4.4 32
      [*DeviceB-LoopBack2] quit
      [*DeviceB] interface nve 1
      [*DeviceB-Nve1] source 4.4.4.4
      [*DeviceB-Nve1] vni 1 head-end peer-list 3.3.3.3
      [*DeviceB-Nve1] quit
      [*DeviceB] commit

    4. Configure advanced ACL 3000.

      [~DeviceB] acl 3000
      [*DeviceB-acl-adv-3000] rule 5 permit ip
      [*DeviceB-acl-adv-3000] quit
      [*DeviceB] commit

    5. Configure an IPsec proposal named tran1.

      [~DeviceB] ipsec proposal tran1
      [*DeviceB-ipsec-proposal-tran1] encapsulation-mode tunnel
      [*DeviceB-ipsec-proposal-tran1] transform esp
      [*DeviceB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [*DeviceB-ipsec-proposal-tran1] esp encryption-algorithm aes 256
      [*DeviceB-ipsec-proposal-tran1] quit
      [*DeviceB] commit

    6. Configure an IKE proposal numbered 10.

      [~DeviceB] ike proposal 10
      [*DeviceB-ike-proposal-10] authentication-method pre-share
      [*DeviceB-ike-proposal-10] encryption-algorithm aes-cbc 256
      [*DeviceB-ike-proposal-10] authentication-algorithm sha2-256
      [*DeviceB-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [*DeviceB-ike-proposal-10] dh group14
      [*DeviceB-ike-proposal-10] quit
      [*DeviceB] commit

    7. Configure an IKE peer named 1.

      • The pre-shared key must be identical to the one configured on the peer device; IKE authentication fails otherwise.

      [~DeviceB] ike peer 1
      [*DeviceB-ike-peer-1] ike-proposal 10
      [*DeviceB-ike-peer-1] remote-address 1.1.1.1
      [*DeviceB-ike-peer-1] pre-shared-key abcde
      [*DeviceB-ike-peer-1] quit
      [*DeviceB] commit

    8. Configure an IPsec template named temp1 and numbered 1.

      [~DeviceB] ipsec policy-template temp1 1
      [*DeviceB-ipsec-policy-templet-temp1-1] security acl 3000
      [*DeviceB-ipsec-policy-templet-temp1-1] proposal tran1
      [*DeviceB-ipsec-policy-templet-temp1-1] ike-peer 1
      [*DeviceB-ipsec-policy-templet-temp1-1] local-address 2.2.2.2
      [*DeviceB-ipsec-policy-templet-temp1-1] quit
      [*DeviceB] commit

    9. Create an IPsec policy based on the IPsec template.

      [~DeviceB] ipsec policy 1 1 isakmp template temp1
      [*DeviceB] commit

    10. Configure the IPsec service instance group.

      [~DeviceB] service-location 1
      [*DeviceB-service-location-1] location slot 1
      [*DeviceB-service-location-1] commit
      [~DeviceB-service-location-1] quit
      [~DeviceB] service-instance-group group1
      [*DeviceB-service-instance-group-group1] service-location 1
      [*DeviceB-service-instance-group-group1] commit
      [~DeviceB-service-instance-group-group1] quit

    11. Create and configure an IPsec tunnel.

      [~DeviceB] interface Tunnel 1
      [*DeviceB-Tunnel1] ip address unnumbered interface loopback1
      [*DeviceB-Tunnel1] tunnel-protocol ipsec
      [*DeviceB-Tunnel1] ipsec policy 1 service-instance-group group1
      [*DeviceB-Tunnel1] quit
      [*DeviceB] commit

    12. Configure a static route that imports traffic into the tunnel.

      [~DeviceB] ip route-static 1.1.1.1 255.255.255.255 GigabitEthernet0/1/1 192.168.1.1
      [*DeviceB] commit

Configuration Files

  • Device A configuration file

    #
     sysname DeviceA
    #
    bridge-domain 10
     vxlan vni 1
    #
    acl number 3000
     rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
    #
    service-location 1
     location slot 1
    #
    service-instance-group group1
     service-location 1
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer b
     pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
     ike-proposal 10
     remote-address 2.2.2.2
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
     local-address 1.1.1.1
    #
    interface GigabitEthernet0/1/1
     undo shutdown
     ip address 192.168.1.1 255.255.0.0
    #
    interface GigabitEthernet0/1/2
     undo shutdown
    #
    interface GigabitEthernet0/1/2.1 mode l2
     encapsulation dot1q vid 10
     rewrite pop single
     bridge-domain 10
    #
    interface loopback1
     ip address 1.1.1.1 255.255.255.255
    #
    interface loopback2
     ip address 3.3.3.3 255.255.255.255
    #
    interface Nve1
     source 3.3.3.3
     vni 1 head-end peer-list 4.4.4.4
    #
    interface Tunnel1
     ip address unnumbered interface loopback1
     tunnel-protocol ipsec
     ipsec policy map1 service-instance-group group1
    #
    ip route-static 2.2.2.2 255.255.255.255 GigabitEthernet0/1/1 192.168.2.1
    ip route-static 4.4.4.4 255.255.255.255 Tunnel1 2.2.2.2
    #
    return
  • Device B configuration file
    #
     sysname DeviceB
    #
    bridge-domain 10
     vxlan vni 1
    #
    acl number 3000
     rule 5 permit ip
    #
    service-location 1
     location slot 1
    #
    service-instance-group group1
     service-location 1
    #
    ike proposal 10
     encryption-algorithm aes-cbc 256
     dh group14
     authentication-algorithm sha2-256
     integrity-algorithm hmac-sha2-256
    #
    ike peer 1
     pre-shared-key %$%$THBGMJK2659z"C(T{J"-,.2n%$%$
     ike-proposal 10
     remote-address 1.1.1.1
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes 256
    #
    ipsec policy-template temp1 1
     security acl 3000
     ike-peer 1
     proposal tran1
     local-address 2.2.2.2
    #
    ipsec policy 1 1 isakmp template temp1
    #
    interface GigabitEthernet0/1/1
     undo shutdown
     ip address 192.168.2.1 255.255.0.0
    #
    interface GigabitEthernet0/1/2
     undo shutdown
    #
    interface GigabitEthernet0/1/2.1 mode l2
     encapsulation dot1q vid 10
     rewrite pop single
     bridge-domain 10
    #
    interface loopback1
     ip address 2.2.2.2 255.255.255.255
    #
    interface loopback2
     ip address 4.4.4.4 255.255.255.255
    #
    interface Nve1
     source 4.4.4.4
     vni 1 head-end peer-list 3.3.3.3
    #
    interface Tunnel1
     ip address unnumbered interface loopback1
     tunnel-protocol ipsec
     ipsec policy 1 service-instance-group group1
    #
    ip route-static 1.1.1.1 255.255.255.255 GigabitEthernet0/1/1 192.168.1.1
    #
    return
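
The two configuration files above must agree in several places: the IKE proposal each IKE peer references has to exist, each peer's remote-address has to be the other side's IPsec local-address, the IPsec proposals have to match, and the security ACL has to cover the VXLAN traffic between the local NVE source and its peer (3.3.3.3 and 4.4.4.4 here), or the VXLAN packets leave the VTEP unprotected. The following Python script is an added example and is not part of Huawei's documentation or product: it parses the space-indented config-file format shown above and reports such mismatches, and additionally flags weak IKE algorithms. CFG_A and CFG_B are abridged copies of the two files with the pre-shared key replaced by a placeholder; the ACL matcher is a simplification that understands only a bare permit ip rule and exact host pairs (wildcard 0).

```python
"""Cross-checks for the two VXLAN over IPsec configuration files on this page.
Added example, not Huawei's code: it parses the space-indented config-file
format (head line, indented members, '#' separators) and reports mismatches.
CFG_A/CFG_B are abridged from the page; the pre-shared key is a placeholder."""
import re

WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}  # rejected in IKE proposals
CFG_A = """\
acl number 3000
 rule 5 permit ip source 3.3.3.3 0 destination 4.4.4.4 0
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
ike peer b
 pre-shared-key PLACEHOLDER-KEY
 ike-proposal 10
 remote-address 2.2.2.2
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
ipsec policy map1 10 isakmp
 security acl 3000
 local-address 1.1.1.1
interface Nve1
 source 3.3.3.3
 vni 1 head-end peer-list 4.4.4.4
"""
CFG_B = """\
acl number 3000
 rule 5 permit ip
ike proposal 10
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
ike peer 1
 pre-shared-key PLACEHOLDER-KEY
 ike-proposal 10
 remote-address 1.1.1.1
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
ipsec policy-template temp1 1
 security acl 3000
 local-address 2.2.2.2
interface Nve1
 source 4.4.4.4
 vni 1 head-end peer-list 3.3.3.3
"""

def parse(text):
    """Map each unindented head line to its indented member lines; '#' and 'return' are skipped."""
    blocks, cur = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "#", "return"):
            continue
        if line[0] != " ":
            cur = line.strip()
            blocks[cur] = []
        elif cur:
            blocks[cur].append(line.strip())
    return blocks

def get(lines, key):
    """Argument text of the member line that starts with key, or None."""
    return next((l[len(key) + 1:] for l in lines if l.startswith(key + " ")), None)

def acl_covers(rules, src, dst):
    """Simplified ACL match: a bare 'permit ip' or an exact host pair (wildcard 0)."""
    pat = r"rule \d+ permit ip(?: source (\S+) 0)?(?: destination (\S+) 0)?"
    return any(m and m.group(1) in (None, src) and m.group(2) in (None, dst)
               for m in (re.fullmatch(pat, r) for r in rules))

def check_side(name, local, remote):
    f = []  # findings for this device, given its own and its peer's parsed config
    remote_locals = {get(v, "local-address") for k, v in remote.items() if k.startswith("ipsec policy")}
    nve = local.get("interface Nve1", [])
    src, peer = get(nve, "source"), (get(nve, "vni") or "?").split()[-1]
    for k, v in local.items():
        if k.startswith("ike peer "):
            if f"ike proposal {get(v, 'ike-proposal')}" not in local:
                f.append(f"{name}: {k} references missing ike proposal {get(v, 'ike-proposal')}")
            if get(v, "remote-address") not in remote_locals:
                f.append(f"{name}: {k} remote-address is not the peer's local-address")
        elif k.startswith("ike proposal "):
            bad = WEAK & set(" ".join(v).replace("-", " ").split())
            if bad:
                f.append(f"{name}: {k} uses weak algorithm(s) {sorted(bad)}")
        elif k.startswith("ipsec proposal ") and sorted(v) != sorted(remote.get(k, [])):
            f.append(f"{name}: {k} does not match the peer's proposal")
        elif k.startswith("ipsec policy") and get(v, "security acl"):
            acl = local.get(f"acl number {get(v, 'security acl')}", [])
            if not acl_covers(acl, src, peer):
                f.append(f"{name}: acl {get(v, 'security acl')} does not cover VXLAN traffic {src} -> {peer}")
    return f

def check_pair(cfg_a, cfg_b):
    """All findings for the pair; an empty list means the two files agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    return check_side("DeviceA", a, b) + check_side("DeviceB", b, a)
```

Calling check_pair(CFG_A, CFG_B) on the files as shown returns an empty list. Pointing Device B's IKE peer at a proposal that does not exist, changing a remote-address so it no longer matches the peer's local-address, downgrading the DH group, or narrowing Device A's ACL so it no longer matches 3.3.3.3 to 4.4.4.4 each produce a finding naming the device and the block, which is the kind of check worth running before the configuration is committed on both VTEPs.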
Copyright © Huawei Technologies Co., Ltd.