DSVPN Interworking Between The AR and Cisco Device: Huawei Technologies Co., Ltd. All Rights Reserved

DSVPN Interworking Between the AR and Cisco Device
DSVPN Interworking
Between the AR and Cisco
Device
Prepared By Router Entry Team 3 Date 2014-07-14

Reviewed By Router Entry Team 3 Date
Approved By Date
Huawei Technologies Co., Ltd.

All rights reserved
(For Internal User Only)
2015-7-17 HUAWEI Confidential Page 1, Total 47

DSVPN Interworking Between the AR and Cisco Device ........................1
1 Abstract .................................................................................................3
2 DSVPN Interworking Between the AR G3 Router and Cisco Device.4

2.1 Test Version ................................................................................................ 4
2.2 DSVPN Interworking Between the AR and Cisco Device ...................... 4
2.2.1 DSVPN without the Shortcut Function ......................................................... 4
1. Test Item and Networking ...................................................................................... 4
2. Configuration Roadmap ......................................................................................... 5
3. Test Result ............................................................................................................... 7
2.2.2 DSVPN with the Shortcut Function............................................................. 10
1. Test Item and Networking .................................................................................... 10
2. Configuration Roadmap ....................................................................................... 11
3. Test Result ............................................................................................................. 13
2.2.3 DSVPN + NAT ............................................................................................... 15
3. Test Result ............................................................................................................. 19
2.2.4 DSVPN over IPSec ........................................................................................ 21
3. Test Result ............................................................................................................. 25
2.2.5 DSVPN over IPSec + NAT ........................................................................... 34
3. Test Result ............................................................................................................. 39

1 Abstract
 This document provides guidance to DSVPN interworking between the AR and Cisco device.
The scenarios mainly involve Central Bank of Egypt, TravelSky Technology Limited, and
Algeria resale projects.
 The test guidance involves four common scenarios:
(a) DSVPN without the shortcut function
(b) DSVPN with the shortcut function
(c) DSVPN + NAT
(d) DSVPN over IPSec
(e) DSVPN over IPSec + NAT
 This document records the device configuration and version information during DSVPN
interworking between the AR G3 router and Cisco device, which can be used as the
reference for test personnel of customers, technical support engineers, and R&D.

2 DSVPN Interworking Between the AR G3 Router and

Cisco Device
2.1 Test Version
Testing team Customer testing team of enterprise network product line
Date 2014-07-09 to 2014-07-14
Place Customer test lab of Nanjing Research Center
AR version Software version AR1220V: V200R005C10SPC300
information Hardware model Device model: AR1220V
Card type:
Cisco version Software version C2951 Software (C2951-UNIVERSALK9-M),
information Version 15.1(4)M3, REL
Hardware model CISCO2951/K9
2.2 DSVPN Interworking Between the AR and Cisco Device
2.2.1 DSVPN without the Shortcut Function
1. Test Item and Networking
Actual Networking

G0/0
Spoke
Core G0/0
network
Hub
G0/0
Spoke
Networking Constructed in the Lab
tunnel 172.168.0.2
192.168.2.2
G0/0/2
tunnel 172.168.0.1
192.168.2.1 192.168.1.2 192.168.1.1
AR1(Spoke)
G0/0/2
G0/0/1 G0/1
G1/0/0
192.168.4.1 AR2 CISCO(Hub)
CISCO(Spoke)
G0/1
192.168.4.2
tunnel 172.168.0.4
Scenario without the shortcut function: Branches learn routes from each other.
A small- or medium-sized network has a few branches, and the branches can learn routes from
each other by deploying DSVPN without the shortcut function. In this scenario, the next hop to a
destination subnet is the tunnel address of the destination branch. This deployment has a low
requirement on the performance of the hub and spokes because the devices only have to learn a
small number of routes.
2. Configuration Roadmap
Interface and route configuration:
AR1 CISCO (Hub)

# !
interface GigabitEthernet0/0/2 interface GigabitEthernet0/1
ip address 192.168.2.2 255.255.255.0 ip address 192.168.1.1 255.255.255.0

# duplex auto
ospf 1 speed auto
area 0.0.0.0 !
network 192.168.2.0 0.0.0.255 router ospf 1
# network 192.168.1.0 0.0.0.255 area 0
!
AR2 CISCO (Spoke)

# !
# duplex auto
interface GigabitEthernet0/0/2 speed auto
ip address 192.168.2.1 255.255.255.0 !
# router ospf 1
interface GigabitEthernet1/0/0 network 192.168.4.0 0.0.0.255 area 0
ip address 192.168.4.1 255.255.255.0 !
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
DSVPN configuration:
AR1 CISCO (Hub)

# !
interface Tunnel0/0/5 interface Tunnel5
tunnel-protocol gre p2mp no ip redirects
source GigabitEthernet0/0/2 ip nhrp authentication test
ospf network-type broadcast ip nhrp map multicast dynamic
ospf dr-priority 0 ip nhrp network-id 1000
nhrp authentication simple test ip nhrp holdtime 900
nhrp registration no-unique ip ospf network broadcast
nhrp registration interval 600 tunnel source GigabitEthernet0/1
nhrp network-id 1000 tunnel mode gre multipoint
nhrp entry holdtime seconds 900 !
nhrp entry 172.168.0.1 192.168.1.1 register interface Loopback5

# ip address 1.1.1.1 255.255.255.255

interface LoopBack5 !
ip address 3.3.3.3 255.255.255.255 router ospf 2
# router-id 172.168.0.1
ospf 2 router-id 172.168.0.2 network 1.1.1.1 0.0.0.0 area 0
area 0.0.0.0 network 172.168.0.0 0.0.0.255 area 0
network 3.3.3.3 0.0.0.0 !
network 172.168.0.0 0.0.0.255
#
CISCO (Spoke)
!
interface Tunnel5
ip address 172.168.0.4 255.255.255.0
ip nhrp authentication test
ip nhrp map 172.168.0.1 192.168.1.1
ip nhrp network-id 1000
ip nhrp nhs 172.168.0.1
ip ospf network broadcast
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
!
interface Loopback5
ip address 5.5.5.5 255.255.255.255
!
router ospf 2
router-id 172.168.0.4
network 5.5.5.5 0.0.0.0 area 0
network 172.168.0.0 0.0.0.255 area 0
!
3. Test Result
Check NHRP registration information:
Huawei:
[Huawei]display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.168.0.1 32 192.168.1.1 172.168.0.1 static hub

-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/5
Created time : 03d:21h:30m:20s
Expire time : --
Number of nhrp peers: 1

[Huawei]ping -a 3.3.3.3 5.5.5.5
PING 5.5.5.5: 56 data bytes, press CTRL_C to break
Reply from 5.5.5.5: bytes=56 Sequence=1 ttl=254 time=8 ms
--- 5.5.5.5 ping statistics ---

5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/3/8 ms

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.168.0.1 32 192.168.1.1 172.168.0.1 static hub
-------------------------------------------------------------------------------
Expire time : --
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.168.0.4 32 192.168.4.2 172.168.0.4 dynamic route tunnel
-------------------------------------------------------------------------------
Created time : 00:00:04
Expire time : 00:14:56
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.168.0.2 32 192.168.2.2 172.168.0.2 dynamic local
-------------------------------------------------------------------------------

CISCO (Spoke):
cisco#show ip nhrp
172.168.0.1/32 via 172.168.0.1
Tunnel5 created 02:16:02, never expire
Type: static, Flags: used
NBMA address: 192.168.1.1
172.168.0.2/32
Tunnel5 created 00:05:26, expire 00:09:33
Type: dynamic, Flags: router negative used

172.168.0.4/32 via 172.168.0.4
Type: dynamic, Flags: router unique local
(no-socket)
cisco#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==================================================================
Interface: Tunnel5, IPv4 NHRP Details

Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.1.1 172.168.0.1 UP 02:16:06 S
1 192.168.2.2 172.168.0.2 UP 00:05:31 D
CISCO (Hub):
Router#show ip nhrp
172.168.0.2/32 via 172.168.0.2
Type: dynamic, Flags: registered
172.168.0.4/32 via 172.168.0.4
Router#show dmvpn
===================================================================

Type:Hub, NHRP Peers:2,
----- --------------- --------------- ----- -------- -----
1 192.168.2.2 172.168.0.2 UP 02:20:07 D
1 192.168.4.2 172.168.0.4 UP 02:19:39 D

2.2.2 DSVPN with the Shortcut Function
Actual Networking
G0/0
Spoke
Core G0/0
network
Hub
G0/0
Spoke
tunnel 172.168.0.2
192.168.2.2
G0/0/2
tunnel 172.168.0.1
192.168.2.1 192.168.1.2 192.168.1.1
AR1(Spoke)
G0/0/2
G0/0/1 G0/1
G1/0/0
192.168.4.1 AR2 CISCO(Hub)
CISCO(Spoke)
G0/1
192.168.4.2
tunnel 172.168.0.4
DSVPN with the shortcut function: Branches have only summarized routes to the central office.
On a large-sized network with many branch subnets, spokes need to learn many routes from other
branches. If the shortcut function is not configured, the spokes must save routing information on
the entire network. This requires spokes to maintain a large routing table and provide high
performance because many CPU and memory resources are consumed for computing of dynamic
routing protocols. To reduce the number of routes saved on spokes, DSVPN with the shortcut
function can be deployed. In this scenario, the next hop to a destination subnet is the tunnel

address of the hub.
AR1 CISCO (Hub)

# !
# duplex auto
ospf 1 speed auto
area 0.0.0.0 !
# network 192.168.1.0 0.0.0.255 area 0
!
AR2 CISCO (Spoke)

# !
# duplex auto
ip address 192.168.2.1 255.255.255.0 !
# router ospf 1
ip address 192.168.4.1 255.255.255.0 !
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
AR1 CISCO (Hub)

# !


ospf network-type p2mp ip nhrp map multicast dynamic
nhrp authentication simple test ip nhrp redirect
nhrp shortcut ip ospf network point-to-multipoint
nhrp network-id 1000 tunnel source GigabitEthernet0/1
nhrp entry 172.168.0.1 192.168.1.1 register tunnel mode gre multipoint
# !
interface LoopBack5 interface Loopback5
# !
ospf 2 router-id 172.168.0.2 router ospf 2
area 0.0.0.0 router-id 172.168.0.1
network 3.3.3.3 0.0.0.0 network 1.1.1.1 0.0.0.0 area 0
network 172.168.0.0 0.0.0.255 network 172.168.0.0 0.0.0.255 area 0
# !
CISCO (Spoke)
!
interface Tunnel5
ip address 172.168.0.4 255.255.255.0
ip nhrp map 172.168.0.1 192.168.1.1
ip nhrp nhs 172.168.0.1
ip nhrp shortcut
ip ospf network point-to-multipoint
!
interface Loopback5
ip address 5.5.5.5 255.255.255.255
!
router ospf 2
router-id 172.168.0.4
network 5.5.5.5 0.0.0.0 area 0
network 172.168.0.0 0.0.0.255 area 0
!

3. Test Result
Huawei:
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.168.0.1 32 192.168.1.1 172.168.0.1 static hub
-------------------------------------------------------------------------------
Expire time : --

[Huawei]ping -a 3.3.3.3 5.5.5.5

0.00% packet loss

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.168.0.1 32 192.168.1.1 172.168.0.1 static hub
-------------------------------------------------------------------------------
Expire time : --
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
5.5.5.5 32 192.168.4.2 172.168.0.4 dynamic route network
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
3.3.3.3 32 192.168.2.2 172.168.0.2 dynamic local
-------------------------------------------------------------------------------

CISCO (Spoke):
cisco#show ip nhrp
172.168.0.1/32 via 172.168.0.1
cisco#ping 3.3.3.3 source 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
cisco#show ip nhrp
3.3.3.3/32
Type: dynamic, Flags: router negative
5.5.5.5/32 via 172.168.0.4
(no-socket)
172.168.0.1/32 via 172.168.0.1
172.168.0.2/32
Type: dynamic, Flags: router negative implicit
cisco# show dmvpn
===================================================================

----- --------------- --------------- ----- -------- -----
2 192.168.2.2 172.168.0.2 UP 00:02:30 D
172.168.0.2 UP 00:02:30 D
1 192.168.1.1 172.168.0.1 UP 02:45:32 S
CISCO (Hub):
Router#show ip nhrp
172.168.0.2/32 via 172.168.0.2
172.168.0.4/32 via 172.168.0.4
Type: dynamic, Flags: registered used
Router#show dmvpn
===================================================================

----- --------------- --------------- ----- -------- -----
1 192.168.2.2 172.168.0.2 UP 02:45:52 D
1 192.168.4.2 172.168.0.4 UP 02:45:25 D
2.2.3 DSVPN + NAT
Actual Networking
G0/0 NAT
Spoke
Core G0/0
network
Hub
G0/0
Spoke

tunnel 172.168.0.2
192.168.10.2
G0/0/2
192.168.10.1 NAT
E0/0/8
192.168.2.2 tunnel 172.168.0.1
E0/0/0 192.168.2.1 192.168.1.2 192.168.1.1
AR1(Spoke)
G0/0/2
G0/0/1 G0/1
G1/0/0
192.168.4.1 AR2 CISCO(Hub)
CISCO(Spoke)
G0/1
192.168.4.2
tunnel 172.168.0.4
The AR functions as the branch device, and the Cisco device is deployed in the headquarters. The
AR connects to the headquarters through DSVPN, and a NAT device is deployed on the network
between the AR and headquarters. DSVPN packets needs to traverse the NAT device. Here, there
are a few branches. The branches can learn routes from each other so that the next hop to a
destination subnet is the tunnel address of the destination branch. This deployment has a low
requirement on the performance of the hub and spokes because the devices only have to learn a
small number of routes.
AR1 CISCO (Hub)

# !
# duplex auto
ip route-static 0.0.0.0 0.0.0.0 192.168.10.1 speed auto
# !
router ospf 1
network 192.168.1.0 0.0.0.255 area 0
!
AR2 CISCO (Spoke)

# !


# duplex auto
ip address 192.168.2.1 255.255.255.0 !
# router ospf 1
ip address 192.168.4.1 255.255.255.0 !
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
NAT
#
interface Ethernet0/0/0
undo portswitch
ip address 192.168.2.2 255.255.255.0
nat server global 192.168.2.10 inside
192.168.10.2
#
ip address 192.168.10.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
#
AR1 CISCO (Hub)

# !

# ip address 1.1.1.1 255.255.255.255
# router-id 172.168.0.1
network 3.3.3.3 0.0.0.0 !
network 172.168.0.0 0.0.0.255
#
CISCO (Spoke)
!
interface Tunnel5
ip address 172.168.0.4 255.255.255.0
ip nhrp map 172.168.0.1 192.168.1.1
ip nhrp nhs 172.168.0.1
ip ospf priority 0
!
interface Loopback5
ip address 5.5.5.5 255.255.255.255
!
router ospf 2
router-id 172.168.0.4
network 5.5.5.5 0.0.0.0 area 0
network 172.168.0.0 0.0.0.255 area 0
!

3. Test Result
Huawei:
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.168.0.1 32 192.168.1.1 172.168.0.1 static hub
-------------------------------------------------------------------------------
Expire time : --

[Huawei]ping 5.5.5.5

0.00% packet loss

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.168.0.1 32 192.168.1.1 172.168.0.1 static hub
-------------------------------------------------------------------------------
Expire time : --
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.168.0.2 32 192.168.10.2 172.168.0.2 dynamic local
-------------------------------------------------------------------------------

CISCO (Spoke):
cisco#show ip nhrp
172.168.0.1/32 via 172.168.0.1
172.168.0.2/32
(Claimed NBMA address: 192.168.10.2)
172.168.0.4/32 via 172.168.0.4
(no-socket)
cisco#show dmvpn
===================================================================

----- --------------- --------------- ----- -------- -----
1 192.168.1.1 172.168.0.1 UP 03:46:40 S
1 192.168.2.10 172.168.0.2 UP 00:04:47 DN
CISCO (Hub):
Router#show ip nhrp
172.168.0.2/32 via 172.168.0.2
Tunnel5 created 2d18h, expire 00:14:45
Type: dynamic, Flags: registered used
172.168.0.4/32 via 172.168.0.4
Router #show dmvpn
===================================================================


----- --------------- --------------- ----- -------- -----
1 192.168.2.10 172.168.0.2 UP 00:20:28 DN
1 192.168.4.2 172.168.0.4 UP 1d20h D
2.2.4 DSVPN over IPSec
Actual Networking
G0/0
Spoke
Core G0/0
network
Hub
G0/0
Spoke
tunnel 172.168.0.2
192.168.2.2
G0/0/2
tunnel 172.168.0.1
192.168.2.1 192.168.1.2 192.168.1.1
AR1(Spoke)
G0/0/2
G0/0/1 G0/1
G1/0/0
192.168.4.1 AR2 CISCO(Hub)
CISCO(Spoke)
G0/1
192.168.4.2
tunnel 172.168.0.4
The AR is a branch device, and the headquarters and another branch use Cisco devices. IPSec is
used on the network to encrypt data. Here, there are a few branches. The branches can learn routes
from each other so that the next hop to a destination subnet is the tunnel address of the destination
branch. This deployment has a low requirement on the performance of the hub and spokes because

the devices only have to learn a small number of routes.
AR1 CISCO (Hub)

# !
# duplex auto
ospf 1 speed auto
area 0.0.0.0 !
# network 192.168.1.0 0.0.0.255 area 0
!
AR2 CISCO (Spoke)

# !
# duplex auto
ip address 192.168.2.1 255.255.255.0 !
# router ospf 1
ip address 192.168.4.1 255.255.255.0 !
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
AR1 CISCO (Hub)

# !

# ip address 1.1.1.1 255.255.255.255
# router-id 172.168.0.1
network 3.3.3.3 0.0.0.0 !
network 172.168.0.0 0.0.0.255
#
CISCO (Spoke)
!
interface Tunnel5
ip address 172.168.0.4 255.255.255.0
ip nhrp map 172.168.0.1 192.168.1.1
ip nhrp nhs 172.168.0.1
!
interface Loopback5
ip address 5.5.5.5 255.255.255.255
!
router ospf 2
router-id 172.168.0.4
network 5.5.5.5 0.0.0.0 area 0
network 172.168.0.0 0.0.0.255 area 0
!
IPSec configuration:
AR1 CISCO (Hub)

# !
ipsec proposal test crypto isakmp policy 100
# authentication pre-share
ike proposal 1 crypto isakmp key huawei123 address 0.0.0.0
# !
ike peer test v1 crypto ipsec transform-set test esp-des
pre-shared-key simple huawei123 esp-md5-hmac
ike-proposal 1 !
# crypto ipsec profile test
ipsec profile test set transform-set test
ike-peer test !
proposal test interface Tunnel5
# ip address 172.168.0.1 255.255.255.0
interface Tunnel0/0/5 no ip redirects
ip address 172.168.0.2 255.255.255.0 ip nhrp authentication test
tunnel-protocol gre p2mp ip nhrp map multicast dynamic
source GigabitEthernet0/0/2 ip nhrp network-id 1000
ospf network-type broadcast ip nhrp holdtime 900
ospf dr-priority 0 ip ospf network broadcast
ipsec profile test tunnel source GigabitEthernet0/1
nhrp authentication simple test tunnel mode gre multipoint
nhrp registration no-unique tunnel protection ipsec profile test
nhrp registration interval 600 !
nhrp network-id 1000
nhrp entry holdtime seconds 900
nhrp entry 172.168.0.1 192.168.1.1 register
#
CISCO (Spoke)
!
crypto isakmp policy 100
authentication pre-share
crypto isakmp key huawei123 address 0.0.0.0
!
crypto ipsec transform-set test esp-des
esp-md5-hmac
!
crypto ipsec profile test
set transform-set test
!
interface Tunnel5
ip address 172.168.0.4 255.255.255.0
no ip redirects
ip nhrp map multicast 192.168.1.1
ip nhrp map 172.168.0.1 192.168.1.1
ip nhrp holdtime 900
ip nhrp nhs 172.168.0.1
ip nhrp registration no-unique
ip nhrp registration timeout 600
tunnel protection ipsec profile test
!
3. Test Result
Huawei:
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.168.0.1 32 192.168.1.1 172.168.0.1 static hub
-------------------------------------------------------------------------------
Expire time : --

[Huawei]ping -a 3.3.3.3 5.5.5.5

0.00% packet loss

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.168.0.1 32 192.168.1.1 172.168.0.1 static hub
-------------------------------------------------------------------------------
Expire time : --
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.168.0.2 32 192.168.2.2 172.168.0.2 dynamic local
-------------------------------------------------------------------------------

CISCO (Spoke):
cisco#show ip nhrp
172.168.0.1/32 via 172.168.0.1
cisco#
cisco#ping 3.3.3.3 sour
cisco#ping 3.3.3.3 source 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
cisco#show ip nhrp
172.168.0.1/32 via 172.168.0.1
172.168.0.2/32
172.168.0.4/32 via 172.168.0.4
(no-socket)
cisco#show dmvpn
===================================================================

----- --------------- --------------- ----- -------- -----
1 192.168.1.1 172.168.0.1 UP 23:40:31 S
1 192.168.2.2 172.168.0.2 UP 00:00:13 D
CISCO (Hub):
Router#show ip nhrp
172.168.0.2/32 via 172.168.0.2
172.168.0.4/32 via 172.168.0.4
Router#show dmvpn
===================================================================

----- --------------- --------------- ----- -------- -----
1 192.168.2.2 172.168.0.2 UP 23:18:13 D
1 192.168.4.2 172.168.0.4 UP 1d03h D
CISCO (Hub):
Router#show ip nhrp
172.168.0.2/32 via 172.168.0.2
172.168.0.4/32 via 172.168.0.4
Router#show dmvpn

===================================================================

----- --------------- --------------- ----- -------- -----
1 192.168.2.10 172.168.0.2 UP 21:55:14 DN
1 192.168.4.2 172.168.0.4 UP 03:50:25 D
Huawei:
[Huawei]display ike proposal number 1
-------------------------------------------
IKE Proposal: 1
Authentication method : pre-shared
Authentication algorithm : SHA1
Encryption algorithm : DES-CBC
DH group : MODP-768
SA duration : 86400
PRF : PRF-HMAC-SHA
-------------------------------------------
CISCO (Spoke):
cisco#show crypto isakmp policy
Global IKE policy

Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
CISCO (Hub):
Router#show crypto isakmp policy
Global IKE policy

Check whether the IPSec algorithms at both ends are consistent.
Huawei:
[Huawei]display ipsec proposal name test
IPSec proposal name: test

Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication MD5-HMAC-96

Encryption DES
CISCO (Spoke):
cisco#show crypto ipsec transform-set test
Transform set test: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
CISCO (Hub):
Router#show crypto ipsec transform-set test
Check the IKE status at both ends.
Huawei:
[Huawei]display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
124 192.168.1.1 0 RD|ST 2
105 192.168.1.1 0 RD|ST 1
126 192.168.4.2 0 RD 2
125 192.168.4.2 0 RD 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
CISCO (Spoke):
cisco#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.2.2 192.168.4.2 QM_IDLE 9012 ACTIVE
192.168.1.1 192.168.4.2 QM_IDLE 9011 ACTIVE
CISCO (Hub):
Router#show crypto isakmp sa
192.168.1.1 192.168.4.2 QM_IDLE 9770 ACTIVE
192.168.1.1 192.168.2.2 QM_IDLE 9769 ACTIVE
Check IPSec SAs at both ends.
Huawei:
[Huawei]display ipsec sa
===============================
Interface: Tunnel0/0/5
Path MTU: 1500
===============================
-----------------------------
IPSec profile name: "test"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 124
Tunnel local : 192.168.2.2

Tunnel remote : 192.168.1.1
Qos pre-classify : Disable
Qos group :-
[Outbound ESP SAs]

SPI: 3994326913 (0xee149781)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 423613360/2410
Max sent sequence-number: 122
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]

SPI: 2389174382 (0x8e67e86e)
Max received sequence-number: 139
Anti-replay window size: 32
-----------------------------
Mode : PROF-Template
-----------------------------
Connection ID : 126
Qos group :-
[Outbound ESP SAs]

SPI: 354188903 (0x151c7e67)
[Inbound ESP SAs]

SPI: 3166189471 (0xbcb8379f)
CISCO (Spoke):
cisco#show crypto ipsec sa
interface: Tunnel5
Crypto map tag: Tunnel5-head-0, local addr 192.168.4.2
protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.4.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/47/0)
current_peer 192.168.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9885, #pkts encrypt: 9885, #pkts digest: 9885

#pkts decaps: 9911, #pkts decrypt: 9911, #pkts verify: 9911
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 192.168.4.2, remote crypto endpt.: 192.168.1.1

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0xC1BD6080(3250413696)
PFS (Y/N): N, DH group: none
inbound esp sas:

spi: 0xC1BE711C(3250483484)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 135, flow_id: Onboard VPN:135, sibling_flags 80000046, crypto m
ap: Tunnel5-head-0
sa timing: remaining key lifetime (k/sec): (4513056/2953)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0xC1BD6080(3250413696)
ap: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
outbound ah sas:
outbound pcp sas:


current outbound spi: 0xBCB8379F(3166189471)

inbound esp sas:

spi: 0x151C7E67(354188903)
ap: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0xBCB8379F(3166189471)
ap: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
outbound ah sas:
outbound pcp sas:

CISCO (Hub):
Router#show crypto ipsec sa
interface: Tunnel5


current outbound spi: 0x8E67E86E(2389174382)

inbound esp sas:

spi: 0xEE149781(3994326913)
conn id: 1405, flow_id: Onboard VPN:1405, sibling_flags 80000046, crypto
map: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x8E67E86E(2389174382)
map: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
outbound ah sas:
outbound pcp sas:


current outbound spi: 0xC1BE711C(3250483484)
inbound esp sas:

spi: 0xC1BD6080(3250413696)
map: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0xC1BE711C(3250483484)
map: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
2.2.5 DSVPN over IPSec + NAT
Actual Networking
G0/0 NAT
Spoke
Core G0/0
network
Hub
G0/0
Spoke

tunnel 172.168.0.2
192.168.10.2
G0/0/2
192.168.10.1 NAT
E0/0/8
192.168.2.2 tunnel 172.168.0.1
E0/0/0 192.168.2.1 192.168.1.2 192.168.1.1
AR1(Spoke)
G0/0/2
G0/0/1 G0/1
G1/0/0
192.168.4.1 AR2 CISCO(Hub)
CISCO(Spoke)
G0/1
192.168.4.2
tunnel 172.168.0.4
The AR is a branch device, and the headquarters and another branch use Cisco devices. IPSec is
used on the network to encrypt data. Here, there are a few branches. The branches can learn routes
from each other so that the next hop to a destination subnet is the tunnel address of the destination
branch. This deployment has a low requirement on the performance of the hub and spokes because
the devices only have to learn a small number of routes.
AR1 CISCO (Hub)

# !
# duplex auto
ip route-static 0.0.0.0 0.0.0.0 192.168.10.1 speed auto
# !
router ospf 1
network 192.168.1.0 0.0.0.255 area 0
!
AR2 CISCO (Spoke)

# !
# duplex auto


ip address 192.168.2.1 255.255.255.0 !
# router ospf 1
ip address 192.168.4.1 255.255.255.0 !
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
NAT
#
acl number 3000
rule 5 permit ip
#
undo portswitch
ip address 192.168.2.2 255.255.255.0
nat outbound 3000
#
ip address 192.168.10.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
#
AR1 CISCO (Hub)

# !


# ip address 1.1.1.1 255.255.255.255
# router-id 172.168.0.1
network 3.3.3.3 0.0.0.0 !
network 172.168.0.0 0.0.0.255
#
CISCO (Spoke)
!
interface Tunnel5
ip address 172.168.0.4 255.255.255.0
ip nhrp map 172.168.0.1 192.168.1.1
ip nhrp nhs 172.168.0.1
ip ospf priority 0
!
interface Loopback5
ip address 5.5.5.5 255.255.255.255
!
router ospf 2
router-id 172.168.0.4
network 5.5.5.5 0.0.0.0 area 0
network 172.168.0.0 0.0.0.255 area 0
!
IPSec configuration:
AR1 CISCO (Hub)

# !
ike local-name spoke hostname hub
# !
ipsec proposal test crypto isakmp policy 10
# authentication pre-share
ike proposal 1 crypto isakmp key huawei address 0.0.0.0
# 0.0.0.0
ike peer test v1 !
exchange-mode aggressive !
pre-shared-key simple huawei crypto ipsec transform-set test esp-des
ike-proposal 1 esp-md5-hmac
nat traversal !
# crypto ipsec profile test
ipsec profile test set transform-set test
ike-peer test !
proposal test interface Tunnel5
# ip address 172.168.0.1 255.255.255.0
interface Tunnel0/0/5 no ip redirects
ip address 172.168.0.2 255.255.255.0 ip nhrp authentication test
tunnel-protocol gre p2mp ip nhrp map multicast dynamic
source GigabitEthernet0/0/2 ip nhrp network-id 1000
ospf network-type broadcast ip nhrp holdtime 900
ospf dr-priority 0 ip ospf network broadcast
ipsec profile test tunnel source GigabitEthernet0/1
nhrp authentication simple test tunnel mode gre multipoint
nhrp registration no-unique tunnel protection ipsec profile test
nhrp registration interval 600 !
nhrp network-id 1000
nhrp entry holdtime seconds 900
nhrp entry 172.168.0.1 192.168.1.1 register
#
CISCO (Spoke)
!
hostname spoke
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key huawei address 0.0.0.0
0.0.0.0
!
!
crypto ipsec transform-set test esp-des

esp-md5-hmac
!
crypto ipsec profile test
set transform-set test
!
interface Tunnel5
ip address 172.168.0.4 255.255.255.0
no ip redirects
ip nhrp map multicast 192.168.1.1
ip nhrp map 172.168.0.1 192.168.1.1
ip nhrp holdtime 900
ip nhrp nhs 172.168.0.1
ip nhrp registration no-unique
ip nhrp registration timeout 600
tunnel protection ipsec profile test
!
3. Test Result

Huawei:
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.168.0.1 32 192.168.1.1 172.168.0.1 static hub
-------------------------------------------------------------------------------
Expire time : --
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.168.0.2 32 192.168.10.2 172.168.0.2 dynamic local
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------

CISCO (Spoke):
spoke#show ip nhrp
172.168.0.1/32 via 172.168.0.1
Tunnel5 created 3d17h, never expire
172.168.0.2/32 via 172.168.0.2
Type: dynamic, Flags: temporary
spoke#show dmvpn
===================================================================

----- --------------- --------------- ----- -------- -----
2 192.168.1.1 172.168.0.1 UP 18:31:43 S
172.168.0.2 UP 00:02:13 D
CISCO (Hub):
hub#show ip nhrp
172.168.0.2/32 via 172.168.0.2
172.168.0.4/32 via 172.168.0.4
hub#show dmvpn
===================================================================

----- --------------- --------------- ----- -------- -----
1 192.168.10.2 172.168.0.2 UP 1d16h D

1 192.168.4.2 172.168.0.4 UP 18:32:45 D
Huawei:
[Huawei]display ike proposal number 1
-------------------------------------------
IKE Proposal: 1
Authentication method : pre-shared
Authentication algorithm : SHA1
Encryption algorithm : DES-CBC
DH group : MODP-768
SA duration : 86400
PRF : PRF-HMAC-SHA
-------------------------------------------
CISCO (Spoke):
spoke#show crypto isakmp policy
Global IKE policy

CISCO (Hub):
hub#show crypto isakmp policy
Global IKE policy

Check whether the IPSec algorithms at both ends are consistent.
Huawei:
[Huawei]display ipsec proposal name test
IPSec proposal name: test

Transform : esp-new
ESP protocol : Authentication MD5-HMAC-96
Encryption DES
CISCO (Spoke):
spoke#show crypto ipsec transform-set test
CISCO (Hub):
hub#show crypto ipsec transform-set test
Check the IKE status at both ends.
Huawei:
[Huawei]dis ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
240 192.168.4.2 0 RD|ST 2
236 192.168.4.2 0 RD|ST 1
220 192.168.1.1 0 RD|ST 2
201 192.168.1.1 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
CISCO (Spoke):
spoke#show crypto isakmp sa
192.168.4.2 192.168.2.2 QM_IDLE 9080 ACTIVE
192.168.1.1 192.168.4.2 QM_IDLE 9069 ACTIVE
CISCO (Hub):
hub#show crypto isakmp sa
192.168.1.1 192.168.4.2 QM_IDLE 9076 ACTIVE
192.168.1.1 192.168.2.2 QM_IDLE 9077 ACTIVE
192.168.1.1 192.168.2.2 QM_IDLE 9075 ACTIVE
Check IPSec SAs at both ends.
Huawei:
[Huawei]display ipsec sa
===============================
Interface: Tunnel0/0/5
Path MTU: 1500
===============================
-----------------------------
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 241
Qos group :-
[Outbound ESP SAs]

SPI: 284196648 (0x10f07f28)
UDP encapsulation used for NAT traversal: Y
[Inbound ESP SAs]

SPI: 3849975624 (0xe579f748)
-----------------------------
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 246
Qos group :-
[Outbound ESP SAs]

SPI: 1345962118 (0x5039c086)
[Inbound ESP SAs]

SPI: 3773813910 (0xe0efd496)
CISCO (Spoke):
spoke#show crypto ipsec sa
interface: Tunnel5


current outbound spi: 0xF1AB2B73(4054526835)
inbound esp sas:

spi: 0x6F70109F(1869615263)
ap: Tunnel5-head-0

IV size: 8 bytes
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0xF1AB2B73(4054526835)
ap: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
outbound ah sas:
outbound pcp sas:


current outbound spi: 0x721F2528(1914643752)
inbound esp sas:

spi: 0xB254FE31(2991914545)
in use settings ={Tunnel UDP-Encaps, }
ap: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
inbound ah sas:
inbound pcp sas:

outbound esp sas:

spi: 0x721F2528(1914643752)
ap: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
outbound ah sas:
outbound pcp sas:

CISCO (Hub):
hub#show crypto ipsec sa
interface: Tunnel5


current outbound spi: 0x6F70109F(1869615263)
inbound esp sas:

spi: 0xF1AB2B73(4054526835)
ap: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x6F70109F(1869615263)

ap: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
outbound ah sas:
outbound pcp sas:


current outbound spi: 0xE579F748(3849975624)
inbound esp sas:

spi: 0x7BDD428B(2078098059)
ap: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
spi: 0x10F07F28(284196648)
ap: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0xB4D57D9E(3033890206)

ap: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
spi: 0xE579F748(3849975624)
ap: Tunnel5-head-0
IV size: 8 bytes
Status: ACTIVE
outbound ah sas:
outbound pcp sas:

DSVPN Interworking Between The AR and Cisco Device: Huawei Technologies Co., Ltd. All Rights Reserved

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

DSVPN Interworking Between The AR and Cisco Device: Huawei Technologies Co., Ltd. All Rights Reserved

Transféré par

Droits d'auteur :

Formats disponibles

DSVPN Interworking Between the AR and Cisco Device

Prepared By Router Entry Team 3 Date 2014-07-14

Huawei Technologies Co., Ltd.

2015-7-17 HUAWEI Confidential Page 1, Total 47

DSVPN Interworking Between the AR and Cisco Device ........................1

2 DSVPN Interworking Between the AR G3 Router and Cisco Device.4

1. Test Item and Networking ...................................................................................... 4

2. Configuration Roadmap ......................................................................................... 5

3. Test Result ............................................................................................................... 7

2.2.2 DSVPN with the Shortcut Function............................................................. 10

1. Test Item and Networking .................................................................................... 10

2. Configuration Roadmap ....................................................................................... 11

3. Test Result ............................................................................................................. 13

2.2.3 DSVPN + NAT ............................................................................................... 15

1. Test Item and Networking .................................................................................... 15

2. Configuration Roadmap ....................................................................................... 16

3. Test Result ............................................................................................................. 19

2.2.4 DSVPN over IPSec ........................................................................................ 21

1. Test Item and Networking .................................................................................... 21

2. Configuration Roadmap ....................................................................................... 22

3. Test Result ............................................................................................................. 25

2.2.5 DSVPN over IPSec + NAT ........................................................................... 34

1. Test Item and Networking .................................................................................... 34

2. Configuration Roadmap ....................................................................................... 35

3. Test Result ............................................................................................................. 39

2015-7-17 HUAWEI Confidential Page 2, Total 47

Algeria resale projects.

 The test guidance involves four common scenarios:

(a) DSVPN without the shortcut function

(b) DSVPN with the shortcut function

(c) DSVPN + NAT

(d) DSVPN over IPSec

(e) DSVPN over IPSec + NAT

2015-7-17 HUAWEI Confidential Page 3, Total 47

2 DSVPN Interworking Between the AR G3 Router and

2.1 Test Version

Testing team Customer testing team of enterprise network product line

Date 2014-07-09 to 2014-07-14

Place Customer test lab of Nanjing Research Center

AR version Software version AR1220V: V200R005C10SPC300

information Hardware model Device model: AR1220V

Cisco version Software version C2951 Software (C2951-UNIVERSALK9-M),

information Version 15.1(4)M3, REL

Hardware model CISCO2951/K9

2.2 DSVPN Interworking Between the AR and Cisco Device

2.2.1 DSVPN without the Shortcut Function

1. Test Item and Networking

2015-7-17 HUAWEI Confidential Page 4, Total 47

Networking Constructed in the Lab

small number of routes.

Interface and route configuration:

AR1 CISCO (Hub)

2015-7-17 HUAWEI Confidential Page 5, Total 47

AR2 CISCO (Spoke)

AR1 CISCO (Hub)

2015-7-17 HUAWEI Confidential Page 6, Total 47

# ip address 1.1.1.1 255.255.255.255

Check NHRP registration information:

2015-7-17 HUAWEI Confidential Page 7, Total 47

Number of nhrp peers: 1

--- 5.5.5.5 ping statistics ---

[Huawei]display nhrp peer all

Number of nhrp peers: 3