Establishing an IPsec Tunnel Using PKI

This section describes how to establish an IPsec tunnel using certificate-based authentication.

Networking Requirements

As shown in Figure1 Networking for establishing an IPsec tunnel using certificate-based authentication, network A and network B connect to the Internet through Device A and Device B. The networking environment is as follows:

  • Network A is in the 10.1.1.0/24 subnet. Device A is connected to Network A through GE 0/1/1.

  • Network B is in the 10.1.2.0/24 subnet. Device B is connected to Network B through GE 0/1/1.

  • Routes are reachable between Device A and Device B.

If an IPsec tunnel needs to be established using IKE automatic negotiation to protect data flows between Network A and B, the following requirements must be met:

  • Certificate based authentication is used between Device A and Device B.

  • The tunnel encapsulation mode is used.

  • ESP is used as the security protocol.

  • The encryption algorithm AES is used by ESP.

  • The verification algorithm SHA2-256 is used by ESP.

  • The integrity algorithm HMAC-SHA2-256 is used.

Figure 1 Networking for establishing an IPsec tunnel using certificate-based authentication

Interfaces 1 and 2 in this example represent GE 0/1/1 and GE 0/1/2, respectively.


Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IP address for each interface.

  2. Create and configure tunnel interfaces.

  3. Configure public network routes (static routes).

  4. Configure ACL rules to permit data flows that need to be protected.

  5. Configure PKI, and configure PKI certificate access-control-policy using default certificate attributes.

    1. Create a key pair consisting of a public key and a private key.

    2. Configure entity information.

    3. Obtain certificates.

    4. Configure the default access control policy based on certificate attributes.

  6. Establish an IPsec tunnel using security policy auto-negotiation.

Data Preparation

To complete the configuration, you need the following data:

  • IP address of each interface
  • ACL rules
  • Entity information, PKI domain, manual downloading of certificates and access control policy based on certificate attributes
  • Security protocols in the IPsec proposal, encryption algorithm and authentication algorithm, and authentication algorithm in the IKE security proposal

Procedure

  1. Configure Device A.

    # Disable CRL check.

    <DeviceA> system-view
[~DeviceA] undo pki crl check enable

    # Configure an IP address for GigabitEthernet 0/1/1.

    [~DeviceA] interface GigabitEthernet 0/1/1
[~DeviceA-GigabitEthernet0/1/1] ip address 10.1.1.1 24
[*DeviceA-GigabitEthernet0/1/1] quit
[*DeviceA] commit

    # Configure an IP address for GigabitEthernet 0/1/2.

    [~DeviceA] interface GigabitEthernet 0/1/2
[~DeviceA-GigabitEthernet0/1/2] ip address 172.16.163.1 24
[*DeviceA-GigabitEthernet0/1/2] quit
[*DeviceA] commit

    # Enable IPsec.

    [~DeviceA] ipsec enable slot 1
[*DeviceA] commit

    # Create and configure a tunnel interface.

    [~DeviceA] interface Tunnel 10
[*DeviceA-Tunnel10] tunnel-protocol ipsec
[*DeviceA-Tunnel10] ip address 172.19.1.1 24
[*DeviceA-Tunnel10] quit
[*DeviceA] commit

    # Configure a static route to network B, with the outbound interface Tunnel 10 and the next hop 172.20.1.2. The physical address of the next hop of Device A is 172.16.163.2/24.

    [~DeviceA] ip route-static 10.1.2.0 255.255.255.0 Tunnel 10 172.20.1.2
[*DeviceA] ip route-static 172.20.1.2 255.255.255.255 172.16.163.2
[*DeviceA] commit

    # Create the advanced ACL 3000, and configure the rules to filter packets with the source IP address 10.1.1.0/24 and destination IP address 10.1.2.0/24. Packets matching the rules will be encrypted.

    [~DeviceA] acl 3000
[*DeviceA-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[*DeviceA-acl-adv-3000] quit
[*DeviceA] commit

    # Create a public and private key pair.

    [~DeviceA] rsa pki local-key-pair create
[*DeviceA] commit

    # Configure entity information.

    [~DeviceA] pki entity entitya
[*DeviceA-entitya] common-name DeviceA
[*DeviceA-entitya] quit
[*DeviceA] commit

    # Configure a PKI domain.

    [~DeviceA] pki domain domaina
[*DeviceA-domaina] certificate request entity entitya
[*DeviceA-domaina] quit
[*DeviceA] commit

    # Generate the certificate request file named domaina.req.

    [~DeviceA] pki request-certificate domain domaina pkcs10

    # Send the certificate request file to the CA to generate certificates. Assume that the generated local certificate is named local.cer and root CA certificate is named ca.cer.

    # Manually download the local certificate and CA certificate.

    # Import the local certificate and root CA certificate into the memory of the device.

    [~DeviceA] pki import-certificate local filename local.cer
[~DeviceA] pki import-certificate ca filename ca.cer

    # Configure the IPsec security proposal tran1.

    [~DeviceA] ipsec proposal tran1
[*DeviceA-ipsec-proposal-tran1] encapsulation-mode tunnel
[*DeviceA-ipsec-proposal-tran1] transform esp
[*DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[*DeviceA-ipsec-proposal-tran1] esp encryption-algorithm aes 256
[*DeviceA-ipsec-proposal-tran1] quit
[*DeviceA] commit

    # Configure the IKE security proposal.

    [~DeviceA] ike proposal 10
[*DeviceA-ike-proposal-10] authentication-method rsa-sig
[*DeviceA-ike-proposal-10] authentication-algorithm sha2-256
[*DeviceA-ike-proposal-10] integrity-algorithm hmac-sha2-256
[*DeviceA-ike-proposal-10] dh group14
[*DeviceA-ike-proposal-10] quit
[*DeviceA] commit

    # Configure IKE peers.

    [~DeviceA] ike peer b
[*DeviceA-ike-peer-b] ike-proposal 10
[*DeviceA-ike-peer-b] certificate local-filename local.cer
[*DeviceA-ike-peer-b] remote-address 172.20.1.2
[*DeviceA-ike-peer-b] quit
[*DeviceA] commit

    # Configure the IPsec policy map1.

    [~DeviceA] ipsec policy map1 10 isakmp
[*DeviceA-ipsec-policy-isakmp-map1-10] security acl 3000
[*DeviceA-ipsec-policy-isakmp-map1-10] proposal tran1
[*DeviceA-ipsec-policy-isakmp-map1-10] ike-peer b
[*DeviceA-ipsec-policy-isakmp-map1-10] quit
[*DeviceA] commit
    # Configure the IPsec service instance group 1.
    [~DeviceA] service-location 1
[*DeviceA-service-location-1] location slot 1
[*DeviceA-service-location-1] commit
[~DeviceA-service-location-1] quit
[~DeviceA] service-instance-group 1
[*DeviceA-service-instance-group-1] service-location 1
[*DeviceA-service-instance-group-1] commit
[~DeviceA-service-instance-group-1] quit

    # Bind map1 to the tunnel interface.

    [~DeviceA] interface Tunnel 10
[~DeviceA-Tunnel10] ipsec policy map1 service-instance-group 1
[*DeviceA-Tunnel10] quit
[*DeviceA] commit

  2. Configure Device B.

    # Disable CRL check.

    <DeviceB> system-view
[~DeviceB] undo pki crl check enable

    # Configure an IP address for GigabitEthernet 0/1/1.

    [~DeviceB] interface GigabitEthernet 0/1/1
[~DeviceB-GigabitEthernet0/1/1] ip address 10.1.2.1 24
[*DeviceB-GigabitEthernet0/1/1] quit
[*DeviceB] commit

    # Configure an IP address for GigabitEthernet 0/1/2.

    [~DeviceB] interface GigabitEthernet 0/1/2
[~DeviceB-GigabitEthernet0/1/2] ip address 172.16.169.1 24
[*DeviceB-GigabitEthernet0/1/2] quit
[*DeviceB] commit

    # Enable IPsec.

    [~DeviceB] ipsec enable slot 1

    # Create and configure a tunnel interface.

    [~DeviceB] interface Tunnel 10
[*DeviceB-Tunnel10] tunnel-protocol ipsec
[*DeviceB-Tunnel10] ip address 172.20.1.2 24
[*DeviceB-Tunnel10] quit
[*DeviceB] commit

    # Configure a static route to network A, with the outbound interface Tunnel 10 and the next hop 172.19.1.1. The physical address of the next hop of Device B is 172.16.169.2/24.

    [~DeviceB] ip route-static 10.1.1.0 255.255.255.0 Tunnel 10 172.19.1.1
[*DeviceB] ip route-static 172.19.1.1 255.255.255.255 172.16.169.2
[*DeviceB] commit

    # Create the advanced ACL 3000, and configure an ACL rule to encrypt the packets with source IP address 10.1.2.0/24 and destination IP address 10.1.2.0/24.

    [~DeviceB] acl 3000
[*DeviceB-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[*DeviceB-acl-adv-3000] quit
[*DeviceB] commit

    # Create a public and private key pair.

    [~DeviceB] rsa pki local-key-pair create

    # Configure entity information.

    [~DeviceB] pki entity entityb
[*DeviceB-entityb] common-name DeviceB
[*DeviceB-entityb] quit
[*DeviceB] commit

    # Configure a PKI domain.

    [~DeviceB] pki domain domainb
[*DeviceB-domainb] certificate request entity entityb
[*DeviceB-domainb] quit
[*DeviceB] commit

    # Generate the certificate request file named domainb.req.

    [~DeviceB] pki request-certificate domain domainb pkcs10

    # Send the certificate request file to the CA to generate certificates. Assume that the generated local certificate is named local.cer and root CA certificate is named ca.cer.

    # Manually download the local certificate and CA certificate.

    # Import the local certificate and root CA certificate into the memory of the device.

    [~DeviceB] pki import-certificate local filename local.cer
[~DeviceB] pki import-certificate ca filename ca.cer

    # Configure the IPsec proposal tran1.

    [~DeviceB] ipsec proposal tran1
[*DeviceB-ipsec-proposal-tran1] encapsulation-mode tunnel
[*DeviceB-ipsec-proposal-tran1] transform esp
[*DeviceB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[*DeviceB-ipsec-proposal-tran1] esp encryption-algorithm aes 256
[*DeviceB-ipsec-proposal-tran1] quit
[*DeviceB] commit

    # Configure the IKE security proposal.

    [~DeviceB] ike proposal 10
[*DeviceB-ike-proposal-10] authentication-method rsa-sig
[*DeviceB-ike-proposal-10] authentication-algorithm sha2-256
[*DeviceB-ike-proposal-10] integrity-algorithm hmac-sha2-256
[*DeviceB-ike-proposal-10] dh group14
[*DeviceB-ike-proposal-10] quit
[*DeviceB] commit

    # Configure IKE peers.

    [~DeviceB] ike peer a
[*DeviceB-ike-peer-a] ike-proposal 10
[*DeviceB-ike-peer-a] certificate local-filename local.cer
[*DeviceB-ike-peer-a] remote-address 172.19.1.1
[*DeviceB-ike-peer-a] quit
[*DeviceB] commit

    # Configure the IPsec policy map1.

    [~DeviceB] ipsec policy map1 10 isakmp
[*DeviceB-ipsec-policy-isakmp-map1-10] security acl 3000
[*DeviceB-ipsec-policy-isakmp-map1-10] proposal tran1
[*DeviceB-ipsec-policy-isakmp-map1-10] ike-peer a
[*DeviceB-ipsec-policy-isakmp-map1-10] quit
[*DeviceB] commit
    # Configure the IPsec service instance group 1.
    [~DeviceB] service-location 1
[*DeviceB-service-location-1] location slot 1
[*DeviceB-service-location-1] commit
[~DeviceB-service-location-1] quit
[~DeviceB] service-instance-group 1
[*DeviceB-service-instance-group-1] service-location 1
[*DeviceB-service-instance-group-1] commit
[~DeviceB-service-instance-group-1] quit

    # Bind map1 to the tunnel interface.

    [~DeviceB] interface Tunnel10 
[~DeviceB-Tunnel10] ipsec policy map1 service-instance-group 1
[*DeviceB-Tunnel10] quit
[*DeviceB] commit

Configuration Files

  • Configuration file of Device A.

    #
 sysname DeviceA
#
undo pki crl check enable
#
acl number 3000
  rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec enable slot 1
#
ike proposal 10
 authentication-method rsa-sig
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ike peer b
 ike-proposal 10
 certificate local-filename local.cer
 remote-address 172.20.1.2
#
service-location 1
 location slot 1
#
service-instance-group 1
 service-location 1
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#        
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
 proposal tran1
#
interface GigabitEthernet0/1/1 
 undo shutdown
 ip address 10.1.1.1 255.255.255.0    
#  
interface GigabitEthernet0/1/2
 undo shutdown
 ip address 172.16.163.1 255.255.255.0     
#  
interface Tunnel10 
 ip address 172.19.1.1 255.255.255.0 
 tunnel-protocol ipsec 
 ipsec policy map1 service-instance-group 1
#
 ip route-static 10.1.2.0 255.255.255.0 Tunnel 10 172.20.1.2
 ip route-static 172.20.1.2 255.255.255.255 172.16.163.2
#
pki entity entitya
 common-name DeviceA
#
pki domain domaina
 certificate request entity entitya
#
return

  • Configuration file of Device B.

    #
 sysname DeviceB
#
undo pki crl check enable
#
acl number 3000
  rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec enable slot 1
#
ike proposal 10
 authentication-method rsa-sig
 encryption-algorithm aes-cbc 256
 dh group14
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
#
ike peer a
 certificate local-filename local.cer
 ike-proposal 10
 remote-address 172.19.1.1
#
service-location 1
 location slot 1
#
service-instance-group 1
 service-location 1
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes 256
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#  
interface GigabitEthernet0/1/1 
 undo shutdown
 ip address 10.1.2.1 255.255.255.0    
#  
interface GigabitEthernet0/1/2 
 undo shutdown
 ip address 172.16.169.1 255.255.255.0     
#  
interface Tunnel10 
 ip address 172.20.1.2 255.255.255.0 
 tunnel-protocol ipsec 
 ipsec policy map1 service-instance-group 1
#
 ip route-static 10.1.1.0 255.255.255.0 Tunnel 10 172.19.1.1
 ip route-static 172.19.1.1 255.255.255.255 172.16.169.2
#
pki entity entityb
 common-name DeviceB
#
pki domain domainb
 certificate request entity entityb
#
return
Parent Topic: Configuration Examples for PKI
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
Next topic >