Scenarios
The out-of-band networking mode is used and IP Security (IPSec) is applied to the Gi interface.
Figure 1 shows the networking. After IPSec is applied to the Gi interface, an IPSec tunnel is established between the UGW9811 and the authentication, authorization and accounting (AAA) server, so that the signaling flows between the UGW9811 and the AAA server are protected on the Gi interface.
Figure 1 Typical networking for the interworking with the AAA server (IPSec applied on the Gi interface)
NOTE:
The GGSN and P-GW support this scenario.
Prerequisites
Conditions
You are familiar with the IPSec, VRF, and routing functions.
The SPU that needs to be configured with logical interfaces works normally and no user is activated on the
SPU. No logical interface can be configured on the SPU if the SPU is not started or if it is starting.
You are familiar with the types and naming specifications of interfaces of the UGW9811. For details, see
Logical Interface and Rules for Naming Interfaces.
Data

The Description column of the original table did not survive extraction and is omitted; the remaining columns are reproduced below.

Category | Parameter | Example Value | How to Obtain
--- | --- | --- | ---
Access control list (ACL) rule | protocol | udp | Negotiated with the peer device
Access control list (ACL) rule | source-ip-address | 81.10.254.22 | Negotiated with the peer device
Access control list (ACL) rule | destination-ip-address | 211.1.128.23 | Negotiated with the peer device
IPSec proposal | esp authentication-algorithm | sha2 | Negotiated with the peer device
IPSec proposal | esp encryption-algorithm | 3des | Negotiated with the peer device
IPSec proposal | encapsulation-mode | transport | Negotiated with the peer device
IKE proposal | proposal-number | 30 | Negotiated with the peer device
IKE proposal | encryption-algorithm | 3des | Negotiated with the peer device
IKE proposal | dh | group2 | Negotiated with the peer device
IKE peer | peer-name | ike1 | Negotiated with the peer device
IKE peer | proposal-number | 30 | -
IKE peer | pre-shared-key | Local61L3 | Negotiated with the peer device
IKE peer | local-id-type | ip | Negotiated with the peer device
IKE peer | ip-address | 211.1.128.23 | -
IPSec policy | acl-number | 3101 | -
IPSec policy | peer-name | ike1 | -
IPSec policy | time-based seconds | 3600 | Negotiated with the peer device
Gi interface | ip-address | 81.10.254.22 | -
Gi interface | policy-name | policy1 | -
Procedure
1.
NOTE:
You must configure the route distinguisher (RD) when creating a VPN instance. A VPN instance takes effect only after its RD is configured.
An RD cannot be changed directly. To change the RD of a VPN instance, delete the VPN instance, create it again, and configure the desired RD for it.
b.
NOTE:
Perform this step when the description of the VPN instance needs to be added or modified.
description
c.
d.
route-distinguisher
e.
f.
2.
In the system view, create an Eth-trunk interface and enter the view of the Eth-trunk interface.
interface eth-trunk
b.
c.
d.
e.
f.
g.
h.
i.
j.
NOTE:
To establish a trunk link, the rate, duplex mode, and flow control mode of the two physical interfaces connecting to the end devices must be the same. Therefore, after binding a physical interface to an Eth-trunk interface, set the negotiation mode of the physical interface to auto negotiation. In this way the two physical interfaces of one trunk link have the same rate, duplex mode, and flow control mode, which ensures normal communication over the Eth-trunk interface. Configuring optical interfaces to work in auto negotiation mode is recommended, because the NE40E router does not support non-auto negotiation, and optical interfaces working in auto negotiation mode can prevent one-way communication caused by single-fiber faults.
If Ethernet electrical interfaces are used, you can run speed, duplex, and flow control to set the rate, duplex mode, and flow control mode of a physical interface on the UGW9811 to the same values as those configured on the peer physical interface.
If Ethernet optical interfaces are used, the configurations on the two ends must be the same. That is, if the local interface is configured to work in auto negotiation mode, the peer interface must also work in this mode. If the rate of the local interface is set to 1000 Mbit/s and the duplex mode is set to full-duplex, the peer interface must work at the same rate and in the same duplex mode.
k.
l.
Perform 2.g to 2.k to bind the other physical interface to the Eth-trunk interface.
3.
Set IPSec data for IKE negotiation.
a.
b.
c.
d.
e.
f.
g.
h.
i.
j.
k.
l.
m.
n.
o.
p.
q.
NOTE:
If the IKE proposal used by the IKE peer specifies the pre-shared key authentication mode, the same authentication key must be configured on both ends. Otherwise, IKE negotiation with that proposal fails.
r.
local-id-type
NOTE:
In this example, the IKE negotiation mode is active and thus the ID type must be ip.
s.
When the ID type of the IKE peer is IP, you need to configure the peer IP address for the IKE peer.
remote-address
t.
Optional: Enable the IKE dead peer detection (DPD) function to set the transmission interval,
retransmission interval, and number of times that DPD packets are retransmitted.
ike dpd
u.
v.
w.
x.
y.
z.
aa.
4.
b.
Optional: Bind the current interface with the specified VPN instance.
ip binding vpn-instance
c.
d.
e.
5.
NOTE:
A static route to the UGW9811 needs to be configured on the AAA server. The destination IP address is the IP
address of the Gi interface of the UGW9811. The next hop is the IP address of the Eth-trunk interface used for
the interworking between the UGW9811 and AAA server.
6.
b.
c.
Set the operating mode for AAA servers in the RADIUS group.
radius-server mode
d.
Set the IP address, port number, key, and VPN instance of the active AAA authentication server. If
you run this command several times, you can configure multiple active AAA authentication servers.
radius-server authentication
e.
Optional: Set the IP address, port number, key, and VPN instance of the standby AAA
authentication server. If you run this command several times, you can configure multiple standby AAA
authentication servers.
radius-server authentication
f.
Set the IP address, port number, key, and VPN instance of the active AAA accounting server. If
you run this command several times, you can configure multiple active AAA accounting servers.
radius-server accounting
g.
Optional: Set the IP address, port number, key, and VPN instance of the standby AAA accounting
server. If you run this command several times, you can configure multiple standby AAA accounting
servers.
radius-server accounting
h.
i.
j.
k.
l.
m.
n.
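The procedure above configures one side of the tunnel, and most of the data table is marked "Negotiated with the peer device": a single mismatched value (or a differing pre-shared key) means IKE negotiation fails, while a RADIUS server address that the ACL rule does not cover means that server's traffic leaves the Gi interface in clear text with the tunnel still up. The following is an added example, not code from the UGW9811 documentation, that cross-checks the two ends before the policy is applied. The UGW9811 values are taken from the data table; the AAA-side values, the RADIUS server entries and ports, and the list of algorithms treated as weak are constructed here for illustration.

```python
"""Cross-check IPSec/IKE data between the UGW9811 and the AAA server.

Added example, not part of the UGW9811 documentation. Parameter names and the
UGW9811 values come from the data table; peer-side values, RADIUS servers and
the weak-algorithm list are constructed assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import List

# Parameters the data table marks "Negotiated with the peer device".
NEGOTIATED = (
    "esp_authentication_algorithm",
    "esp_encryption_algorithm",
    "encapsulation_mode",
    "ike_encryption_algorithm",
    "dh",
    "pre_shared_key",
    "sa_duration_seconds",
)

# Primitives IKE will negotiate but a reviewer should flag (assumed policy,
# with the replacement a practitioner would normally ask for).
WEAK = {"3des": "aes-256", "group2": "group14", "md5": "sha2-256", "sha1": "sha2-256"}


@dataclass
class IpsecSide:
    name: str
    local_ip: str
    remote_ip: str
    acl_protocol: str
    esp_authentication_algorithm: str
    esp_encryption_algorithm: str
    encapsulation_mode: str
    ike_encryption_algorithm: str
    dh: str
    pre_shared_key: str
    sa_duration_seconds: int


@dataclass
class RadiusServer:
    role: str  # "authentication" or "accounting"
    ip: str
    port: int


def mismatches(a: IpsecSide, b: IpsecSide) -> List[str]:
    """Negotiated parameters that differ; any entry means IKE negotiation
    (or pre-shared-key authentication) fails between the two ends."""
    out = [p for p in NEGOTIATED if getattr(a, p) != getattr(b, p)]
    # Each side's ACL must mirror the other's: local and remote swapped.
    if (a.local_ip, a.remote_ip) != (b.remote_ip, b.local_ip):
        out.append("acl_addresses")
    return out


def weak_algorithms(side: IpsecSide) -> List[str]:
    """Negotiable-but-weak primitives on one side, with suggested replacement."""
    checked = ("esp_encryption_algorithm", "ike_encryption_algorithm", "dh",
               "esp_authentication_algorithm")
    return [f"{p}={getattr(side, p)} -> {WEAK[getattr(side, p)]}"
            for p in checked if getattr(side, p) in WEAK]


def unprotected_radius(side: IpsecSide, servers: List[RadiusServer]) -> List[str]:
    """RADIUS servers whose UDP traffic would not match the IPSec ACL rule
    (protocol udp, destination = remote_ip) and so would cross Gi in clear."""
    return [f"{s.role} {s.ip}:{s.port}" for s in servers
            if side.acl_protocol != "udp"
            or ip_address(s.ip) != ip_address(side.remote_ip)]


# UGW9811 side: values from the data table.
UGW = IpsecSide("UGW9811", "81.10.254.22", "211.1.128.23", "udp",
                "sha2", "3des", "transport", "3des", "group2", "Local61L3", 3600)
# AAA side (constructed): correctly mirrored configuration.
AAA = IpsecSide("AAA", "211.1.128.23", "81.10.254.22", "udp",
                "sha2", "3des", "transport", "3des", "group2", "Local61L3", 3600)
# AAA side (constructed) with a case typo in the key and a different DH group.
AAA_BAD = replace(AAA, pre_shared_key="Local61l3", dh="group14")
# RADIUS servers (constructed; ports are the RADIUS defaults). The standby
# accounting server sits on an address the ACL rule does not cover.
RADIUS = [RadiusServer("authentication", "211.1.128.23", 1812),
          RadiusServer("accounting", "211.1.128.23", 1813),
          RadiusServer("accounting", "211.1.128.24", 1813)]

if __name__ == "__main__":
    print("mismatches (good peer):", mismatches(UGW, AAA))
    print("mismatches (bad peer): ", mismatches(UGW, AAA_BAD))
    print("weak algorithms:       ", weak_algorithms(UGW))
    print("RADIUS outside ACL:    ", unprotected_radius(UGW, RADIUS))
```

Run the checks on both sides' planned data before step 4 applies the policy to the Gi interface: a non-empty result from `mismatches` predicts a failed IKE negotiation, and a non-empty result from `unprotected_radius` shows which radius-server entries need either a matching ACL rule or a different server address.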
Verification
For details about how to verify the configurations, see Commissioning the IPSec Feature.
Example
Task Description
This example shows the interworking configuration between the UGW9811 and the AAA server for out-of-band networking with IPSec applied on the Gi interface.
In this example, the data configured on the UGW9811 must meet the following requirements:
The UGW9811 uses the Eth-trunk interface working in active/standby mode to interwork with the AAA
server.
The UGW9811 uses the default route to establish an IP connection with the AAA server.
The IPSec policy is applied to the Gi interface to secure data transmission between the UGW9811 and
AAA server.
Scripts
1.
2.
3.
5.
Configure the default route to the AAA server. The next hop is the virtual IP address of the VRRP group.
NOTE:
On the routers, you need to configure the static route to the Gi interface. The next hop is the IP address of the
Eth-trunk interface on the UGW9811.
6.
7.