
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm 3des-cbc
[Huawei-ike-proposal-1] authentication-method rsa-signature
[Huawei-ike-proposal-1] authentication-algorithm sha1
[Huawei-ike-proposal-1] quit
[Huawei] ike peer routerb v2
[Huawei-ike-peer-routerb] ike-proposal 1
[Huawei-ike-peer-routerb] local-address 2.2.2.1
[Huawei-ike-peer-routerb] remote-address 1.1.1.1
[Huawei-ike-peer-routerb] pki realm testb
Step 5 Configure access control lists (ACLs) and define the data flows to be protected in the ACLs.
# Configure RouterA.
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0
[Huawei-acl-adv-3000] rule 15 permit ip source 10.1.1.1 0 destination 11.1.1.1 0
[Huawei-acl-adv-3000] quit
# Configure RouterB.
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
[Huawei-acl-adv-3000] rule 10 permit ip source 11.1.1.1 0 destination 10.1.1.1 0
[Huawei-acl-adv-3000] quit
Step 6 Configure IPSec to protect data flows between two subnets.
# Configure RouterA.
[Huawei] ipsec proposal routera
[Huawei-ipsec-proposal-routera] transform esp
[Huawei-ipsec-proposal-routera] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-routera] esp encryption-algorithm 3des
[Huawei-ipsec-proposal-routera] quit
[Huawei] ipsec policy routera 1 isakmp
[Huawei-ipsec-policy-isakmp-routera-1] security acl 3000
[Huawei-ipsec-policy-isakmp-routera-1] ike-peer routera
[Huawei-ipsec-policy-isakmp-routera-1] proposal routera
[Huawei-ipsec-policy-isakmp-routera-1] quit
# Configure RouterB.
[Huawei] ipsec proposal routerb
[Huawei-ipsec-proposal-routerb] transform esp
[Huawei-ipsec-proposal-routerb] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-routerb] esp encryption-algorithm 3des
[Huawei-ipsec-proposal-routerb] quit
[Huawei] ipsec policy routerb 1 isakmp
[Huawei-ipsec-policy-isakmp-routerb-1] security acl 3000
[Huawei-ipsec-policy-isakmp-routerb-1] ike-peer routerb
[Huawei-ipsec-policy-isakmp-routerb-1] proposal routerb
[Huawei-ipsec-policy-isakmp-routerb-1] quit
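Added example (not part of the Huawei guide): a Python check run over the ACL and IPSec proposal lines of Steps 5 and 6. It verifies that each protected flow on one router has a mirrored rule on the peer, that both ESP proposals use the same algorithms, and it flags legacy algorithms. The input strings are constructed from the commands above with the prompts stripped; the function names and the WEAK set are assumptions of this example.

```python
import re

# Constructed input: the ACL and IPSec proposal lines from Steps 5 and 6,
# with the [Huawei-...] prompts stripped.
ROUTER_A = """
acl 3000
rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.1 0
rule 15 permit ip source 10.1.1.1 0 destination 11.1.1.1 0
ipsec proposal routera
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm 3des
"""
ROUTER_B = """
acl 3000
rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
rule 10 permit ip source 11.1.1.1 0 destination 10.1.1.1 0
ipsec proposal routerb
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm 3des
"""

RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")
ALGO = re.compile(r"esp (authentication|encryption)-algorithm (\S+)")
WEAK = {"des", "3des", "md5", "sha1"}  # assumption: what this example flags

def flows(cfg):
    """Set of (src, src_wildcard, dst, dst_wildcard) protected by the ACL."""
    return {m.groups() for m in RULE.finditer(cfg)}

def algos(cfg):
    """Map 'authentication'/'encryption' to the configured ESP algorithm."""
    return dict(ALGO.findall(cfg))

def audit(a, b):
    """Return a list of findings for a pair of peer configurations."""
    findings = []
    # Swap source and destination of the peer's rules before comparing.
    mirrored = {(d, dw, s, sw) for s, sw, d, dw in flows(b)}
    for flow in sorted(flows(a) ^ mirrored):
        findings.append(f"ACL flow not mirrored on peer: {flow}")
    if algos(a) != algos(b):
        findings.append(f"ESP proposals differ: {algos(a)} vs {algos(b)}")
    for kind, name in sorted(algos(a).items() | algos(b).items()):
        if name in WEAK:
            findings.append(f"legacy ESP {kind} algorithm: {name}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ROUTER_A, ROUTER_B)))
```

For the configuration in this guide the ACLs mirror and the proposals match, so the only findings are the sha1 and 3des entries.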
Step 7 Bind IPSec policies to interfaces.
# Configure RouterA.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ipsec policy routera
[Huawei-GigabitEthernet0/0/1] quit
# Configure RouterB.
Huawei AR1200-S Series Enterprise Routers
Configuration Guide - Security
12 PKI Configuration
Issue 02 (2012-03-30)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
258