H3C SR6600 Routers DVPN Configuration Example

Transcription

1 H3C SR6600 Routers DVPN Configuration Example Keywords: DVPN, VPN, VAM, AAA, IPsec, GRE Abstract: This document describes the DVPN configuration example for the H3C SR6600 Routers Series. Acronyms: Acronym AAA DVPN GRE IPsec VAM VPN Full spelling Authentication Accounting Authorization Dynamic Virtual Private Network Generic Routing Encapsulation IP Security VPN Address Management Virtual Private Network Hangzhou H3C Technologies Co., Ltd. 1

2 Contents Feature overview 3 Application scenarios 3 Configuration guidelines 3 DVPN configuration example 4 Network requirement 4 Configuration considerations 5 Software version used 5 Configuration procedures 5 Configuring the routers 5 Configure imc 13 Verification 16 References 18 Protocols and standards 18 Related documentation 18 Hangzhou H3C Technologies Co., Ltd. 2

3 Feature overview Nowadays, enterprises usually establish VPNs to connect their branches across the public network. However, branches of an enterprise usually use dynamically assigned IP addresses to access the public network, and a branch cannot know the public IP addresses of other branches in advance. This makes it difficult for establishing VPNs. The DVPN solution is intended to address this issue. DVPN collects, maintains, and distributes dynamic public addresses through the VAM protocol, making VPN establishment available between enterprise branches that use dynamic addresses to access the public network. Application scenarios DVPN is a type of Layer 3 VPN. Encapsulation on the public network is regarded as the encapsulation at the data link layer of the private network. DVPN supports AAA identity authentication of VAM clients on the VAM server. DVPN extends a tunnel interface. It supports point-to-multipoint tunnels by allowing for multiple point-to-point tunnels on one tunnel interface. To establish point-to-multipoint tunnels, on the hub end, you perform the tunnel configuration for only once, instead of doing so for each tunnel, greatly reducing the configuration workload. DVPN tunnels use IPsec to protect all the forwarded data, providing data privacy, authenticity, and replay protection. A DVPN mode supports multiple VPN domains. This improves network device utility and networking flexibility, and reduces customers investment in devices. DVPN supports backup for key nodes, satisfying the requirements of carriers and enterprises for high network availability. Configuration guidelines Note the following when you configure DVPN: If you specify a source interface for a tunnel interface, the tunnel interface takes the primary IP address of the source interface as the tunnel s source address. To configure multiple DVPN tunnels that use GRE encapsulation, you must configure a unique source address or source interface for each tunnel. In the same VPN domain, you must ensure that the private addresses of all tunnel interfaces belong to the same subnet. Hangzhou H3C Technologies Co., Ltd. 3

4 DVPN configuration example Network requirement NOTE: In this example, the routing protocol is OSPF. In this case, The DR priority of the hub must be higher than that of a spoke. H3C recommends that you set the DR priority to 0 for spokes, so that the spokes do not participate in DR/BDR election. In the full mesh network, the primary VAM server and the secondary VAM server manage and maintain information about each node. The AAA server takes charge of VAM client authentication and accounting. The two hubs back up each other and perform data forwarding and exchange routing information. Establish a permanent tunnel between each hub-spoke pair. Dynamically establish a tunnel between the spokes in the same VPN to exchange data. Figure 1 Network diagram for a full-mesh DVPN Hub 1 Hub 2 GE1/1 GE1/1 IP network GE1/1 AAA server Primary VAM server GE1/1 GE1/1 Secondary VAM server GE1/1 GE1/1 Spoke 1 Spoke 2 Spoke 3 Site 1 Site 2 Site 3 Site 4 Device Interface IP address Device Interface IP address Hub 1 GE 1/ /24 Spoke 1 GE 1/ /24 Tunnel /24 Tunnel /24 Hub 2 GE 1/ /24 Spoke 2 GE 1/ /24 Tunnel /24 Tunnel /24 Spoke 3 GE 1/ /24 Tunnel /24 AAA server /24 Primary VAM server GE 1/ /24 Secondary VAM server GE 1/ //24 Hangzhou H3C Technologies Co., Ltd. 4

5 Configuration considerations Perform the following configuration to configure DVPN: Configure AAA and VAM Server on the DVPN servers. Configure VAM Client, IPsec profile, DVPN tunnel parameters, and routing on the DVPN clients. Software version used [SR6600] display version H3C Comware Platform Software Comware Software, Version 5.20, Feature 2602P02 Copyright (c) Hangzhou H3C Tech. Co., Ltd. All rights reserved. H3C SR6602 uptime is 0 week, 4 days, 5 hours, 24 minutes CPU type: RMI XLR MHz 2048M bytes DDR2 SDRAM Memory 4M bytes Flash Memory PCB Version: Ver.B Logic Version: 2.0 Basic BootWare Version: 1.16 Extend BootWare Version: 1.32 [FIXED PORT] CON (Hardware)Ver.B, (Driver)1.0, (Cpld)2.0 [FIXED PORT] AUX (Hardware)Ver.B, (Driver)1.0, (Cpld)2.0 [FIXED PORT] GE 0/0 (Hardware)Ver.B, (Driver)1.0, (Cpld)1.0 [FIXED PORT] GE 0/1 (Hardware)Ver.B, (Driver)1.0, (Cpld)1.0 [FIXED PORT] GE 0/2 (Hardware)Ver.B, (Driver)1.0, (Cpld)1.0 [FIXED PORT] GE 0/3 (Hardware)Ver.B, (Driver)1.0, (Cpld)1.0 [SLOT 1] HIM-8GBE (Hardware)Ver.B, (Driver)1.0, (Cpld)2.0 [SLOT 2] HIM-8GBE (Hardware)Ver.B, (Driver)1.0, (Cpld)2.0 Configuration procedures Configuring the routers 1. Configure the primary VAM server. Configure IP addresses for the interfaces. (Details not shown) Configure AAA. <PrimaryServer> system-view # Configure RADIUS scheme radsun. [PrimaryServer] radius scheme radsun [PrimaryServer-radius-radsun] primary authentication [PrimaryServer-radius-radsun] primary accounting [PrimaryServer-radius-radsun] key authentication expert [PrimaryServer-radius-radsun] key accounting expert [PrimaryServer-radius-radsun] server-type extended [PrimaryServer-radius-radsun] user-name-format without-domain Hangzhou H3C Technologies Co., Ltd. 5

6 [PrimaryServer-radius-radsun] quit # Create ISP domain domain1 and specify the AAA methods for the ISP domain. [PrimaryServer] domain domain1 [PrimaryServer-isp-domain1] authentication dvpn radius-scheme radsun [PrimaryServer-isp-domain1] authorization dvpn radius-scheme radsun [PrimaryServer-isp-domain1] accounting dvpn radius-scheme radsun [PrimaryServer-isp-domain1] quit [PrimaryServer] domain default enable domain1 Configure the VAM server function. # Specify a listening IP address for the VAM server. [PrimaryServer] vam server ip-address # Create VPN domain 1. [PrimaryServer] vam server vpn 1 # Configure the pre-shared key as 123. [PrimaryServer-vam-server-vpn-1] pre-shared-key simple 123 # Use CHAP to authenticate VAM clients. [PrimaryServer-vam-server-vpn-1] authentication-method chap # Specify IP addresses for the hubs in VPN domain 1. [PrimaryServer-vam-server-vpn-1] hub private-ip [PrimaryServer-vam-server-vpn-1] hub private-ip [PrimaryServer-vam-server-vpn-1] quit # Enable the VAM server function of all VPN domains. [PrimaryServer] vam server enable all 2. Configure the secondary VAM server. The secondary VAM server has the same configuration as the primary VAM server, except for the listening IP address. 3. Configure hub 1. Configure IP addresses for the interfaces. (Details not shown) Configure the VAM client function. <Hub1> system-view # Create VAM client dvpn1hub1 for VPN domain 1. [Hub1] vam client name dvpn1hub1 [Hub1-vam-client-name-dvpn1hub1] vpn 1 # Specify the IP addresses of the primary and secondary VAM servers and set the pre-shared key for the VAM client. [Hub1-vam-client-name-dvpn1hub1] server primary ip-address [Hub1-vam-client-name-dvpn1hub1] server secondary ip-address [Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123 # Configure a local user, and specify the username as dvpn_user and password as dvpn_user. [Hub1-vam-client-name-dvpn1hub1] user dvpn_user password simple dvpn_user [Hub1-vam-client-name-dvpn1hub1] client enable [Hub1-vam-client-name-dvpn1hub1] quit Hangzhou H3C Technologies Co., Ltd. 6

7 Configure an IPsec profile. # Configure an IPsec proposal. [Hub1] ipsec proposal vam [Hub1-ipsec-proposal-vam] encapsulation-mode tunnel [Hub1-ipsec-proposal-vam] transform esp [Hub1-ipsec-proposal-vam] esp encryption-algorithm des [Hub1-ipsec-proposal-vam] esp authentication-algorithm sha1 [Hub1-ipsec-proposal-vam] quit # Configure an IKE peer. [Hub1] ike peer vam [Hub1-ike-peer-vam] pre-shared-key abcde [Hub1-ike-peer-vam] quit # Configure an IPsec profile. [Hub1] ipsec profile vamp [Hub1-ipsec-profile-vamp] proposal vam [Hub1-ipsec-profile-vamp] ike-peer vam [Hub1-ipsec-profile-vamp] sa duration time-based 600 [Hub1-ipsec-profile-vamp] pfs dh-group2 [Hub1-ipsec-profile-vamp] quit Configure a DVPN tunnel. # Configure tunnel interface Tunnel1 for VPN domain 1, and UDP as the tunnel encapsulation protocol. [Hub1] interface tunnel 1 [Hub1-Tunnel1] tunnel-protocol dvpn udp [Hub1-Tunnel1] vam client dvpn1hub1 [Hub1-Tunnel1] ip address [Hub1-Tunnel1] source GigabitEthernet 1/1 [Hub1-Tunnel1] ospf network-type broadcast [Hub1-Tunnel1] ipsec profile vamp [Hub1-Tunnel1] quit Configure OSPF. # Configure OSPF process 100 to advertise network [Hub1] ospf 100 [Hub1-ospf-100] area 0 [Hub1-ospf-100-area ] network [Hub1-ospf-100-area ] quit # Configure OSPF process 200 to advertise network [Hub1] ospf 200 [Hub1-ospf-200] area 0 [Hub1-ospf-200-area ] network [Hub1-ospf-200-area ] quit 4. Configure hub 2. Configure IP addresses for the interfaces. (Details not shown) Configure the VAM client function. <Hub2> system-view # Create VAM client dvpn1hub2 for VPN domain 1. Hangzhou H3C Technologies Co., Ltd. 7

8 [Hub2] vam client name dvpn1hub2 [Hub2-vam-client-name-dvpn1hub2] vpn 1 # Specify the IP addresses of the primary and secondary VAM servers and set the pre-shared key for the VAM client. [Hub2-vam-client-name-dvpn1hub2] server primary ip-address [Hub2-vam-client-name-dvpn1hub2] server secondary ip-address [Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123 # Configure a local user, and specify the username as dvpn_user and password as dvpn_user. [Hub2-vam-client-name-dvpn1hub2] user dvpn_user password simple dvpn_user [Hub2-vam-client-name-dvpn1hub2] client enable [Hub2-vam-client-name-dvpn1hub2] quit Configure an IPsec profile. # Configure an IPsec proposal. [Hub2] ipsec proposal vam [Hub2-ipsec-proposal-vam] encapsulation-mode tunnel [Hub2-ipsec-proposal-vam] transform esp [Hub2-ipsec-proposal-vam] esp encryption-algorithm des [Hub2-ipsec-proposal-vam] esp authentication-algorithm sha1 [Hub2-ipsec-proposal-vam] quit # Configure an IKE peer. [Hub2] ike peer vam [Hub2-ike-peer-vam] pre-shared-key abcde [Hub2-ike-peer-vam] quit # Configure an IPsec profile. [Hub2] ipsec profile vamp [Hub2-ipsec-profile-vamp] proposal vam [Hub2-ipsec-profile-vamp] ike-peer vam [Hub2-ipsec-profile-vamp] sa duration time-based 600 [Hub2-ipsec-profile-vamp] pfs dh-group2 [Hub2-ipsec-profile-vamp] quit Configure DVPN tunnels. # Configure tunnel interface Tunnel1 for VPN domain 1, and UDP as the tunnel encapsulation protocol. [Hub2] interface tunnel 1 [Hub2-Tunnel1] tunnel-protocol dvpn udp [Hub2-Tunnel1] vam client dvpn1hub2 [Hub2-Tunnel1] ip address [Hub2-Tunnel1] source GigabitEthernet 1/1 [Hub2-Tunnel1] ospf network-type broadcast [Hub2-Tunnel1] ipsec profile vamp [Hub2-Tunnel1] quit Configure OSPF. # Configure OSPF process 100 to advertise network [Hub2] ospf 100 [Hub2-ospf-100] area 0 [Hub2-ospf-100-area ] network [Hub2-ospf-100-area ] quit Hangzhou H3C Technologies Co., Ltd. 8

9 # Configure OSPF process 200 to advertise network [Hub2] ospf 200 [Hub2-ospf-200] area 0 [Hub2-ospf-200-area ] network [Hub2-ospf-200-area ] quit 5. Configure spoke 1. Configure IP addresses for the interfaces. (Details not shown) Configure the VAM client function. <Spoke1> system-view # Create VAM client dvpn1spoke1 for VPN domain 1. [Spoke1] vam client name dvpn1spoke1 [Spoke1-vam-client-name-dvpn1spoke1] vpn 1 # Specify the IP addresses of the primary and secondary VAM servers and set the pre-shared key for the VAM client. [Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address [Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address [Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123 # Configure a local user, and specify the username as dvpn_user and password as dvpn_user. [Spoke1-vam-client-name-dvpn1spoke1] user dvpn_user password simple dvpn_user [Spoke1-vam-client-name-dvpn1spoke1] client enable [Spoke1-vam-client-name-dvpn1spoke1] quit Configure an IPsec profile. # Configure an IPsec proposal. [Spoke1] ipsec proposal vam [Spoke1-ipsec-proposal-vam] encapsulation-mode tunnel [Spoke1-ipsec-proposal-vam] transform esp [Spoke1-ipsec-proposal-vam] esp encryption-algorithm des [Spoke1-ipsec-proposal-vam] esp authentication-algorithm sha1 [Spoke1-ipsec-proposal-vam] quit # Configure an IKE peer. [Spoke1] ike peer vam [Spoke1-ike-peer-vam] pre-shared-key abcde [Spoke1-ike-peer-vam] quit # Configure an IPsec profile. [Spoke1] ipsec profile vamp [Spoke1-ipsec-profile-vamp] proposal vam [Spoke1-ipsec-profile-vamp] ike-peer vam [Spoke1-ipsec-profile-vamp] sa duration time-based 600 [Spoke1-ipsec-profile-vamp] pfs dh-group2 [Spoke1-ipsec-profile-vamp] quit Configure a DVPN tunnel. # Configure tunnel interface Tunnel1 for VPN domain 1, and UDP as the tunnel encapsulation protocol. [Spoke1] interface tunnel 1 [Spoke1-Tunnel1] tunnel-protocol dvpn udp [Spoke1-Tunnel1] vam client dvpn1spoke1 Hangzhou H3C Technologies Co., Ltd. 9

10 [Spoke1-Tunnel1] ip address [Spoke1-Tunnel1] source GigabitEthernet 1/1 [Spoke1-Tunnel1] ospf network-type broadcast [Spoke1-Tunnel1] ospf dr-priority 0 [Spoke1-Tunnel1] ipsec profile vamp [Spoke1-Tunnel1] quit Configure OSPF. # Configure OSPF process 100 to advertise network [Spoke1] ospf 100 [Spoke1-ospf-100] area 0 [Spoke1-ospf-100-area ] network [Spoke1-ospf-100-area ] quit # Configure OSPF process 200 to advertise network [Spoke1] ospf 200 [Spoke1-ospf-200] area 0 [Spoke1-ospf-200-area ] network Configure spoke 2. Configure IP addresses for the interfaces. (Details not shown) Configure the VAM client function. <Spoke2> system-view # Create VAM client dvpn1spoke2 for VPN domain 1. [Spoke2] vam client name dvpn1spoke2 [Spoke2-vam-client-name-dvpn1spoke2] vpn 1 # Specify the IP addresses of the primary and secondary VAM servers and set the pre-shared key for the VAM client. [Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address [Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address [Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123 # Configure a local user, and specify the username as dvpn_user and password as dvpn_user. [Spoke2-vam-client-name-dvpn1spoke2] user dvpn_user password simple dvpn_user [Spoke2-vam-client-name-dvpn1spoke2] client enable [Spoke2-vam-client-name-dvpn1spoke2] quit Configure an IPsec profile. # Configure an IPsec proposal. [Spoke2] ipsec proposal vam [Spoke2-ipsec-proposal-vam] encapsulation-mode tunnel [Spoke2-ipsec-proposal-vam] transform esp [Spoke2-ipsec-proposal-vam] esp encryption-algorithm des [Spoke2-ipsec-proposal-vam] esp authentication-algorithm sha1 [Spoke2-ipsec-proposal-vam] quit # Configure an IKE peer. [Spoke2] ike peer vam [Spoke2-ike-peer-vam] pre-shared-key abcde [Spoke2-ike-peer-vam] quit # Configure an IPsec profile. Hangzhou H3C Technologies Co., Ltd. 10

11 [Spoke2] ipsec profile vamp [Spoke2-ipsec-profile-vamp] proposal vam [Spoke2-ipsec-profile-vamp] ike-peer vam [Spoke2-ipsec-profile-vamp] sa duration time-based 600 [Spoke2-ipsec-profile-vamp] pfs dh-group2 [Spoke2-ipsec-profile-vamp] quit Configure a DVPN tunnel. # Configure tunnel interface Tunnel1 for VPN domain 1, and UDP as the tunnel encapsulation protocol. [Spoke2] interface tunnel 1 [Spoke2-Tunnel1] tunnel-protocol dvpn udp [Spoke2-Tunnel1] vam client dvpn1spoke2 [Spoke2-Tunnel1] ip address [Spoke2-Tunnel1] source GigabitEthernet 1/1 [Spoke2-Tunnel1] ospf network-type broadcast [Spoke2-Tunnel1] ospf dr-priority 0 [Spoke2-Tunnel1] ipsec profile vamp [Spoke2-Tunnel1] quit Configure OSPF. # Configure OSPF process 100 to advertise network [Spoke2] ospf 100 [Spoke2-ospf-100] area 0 [Spoke2-ospf-100-area ] network [Spoke2-ospf-100-area ] quit # Configure OSPF process 200 to advertise network [Spoke2] ospf 200 [Spoke2-ospf-200] area 0 [Spoke2-ospf-200-area ] network [Spoke2-ospf-200-area ] quit 7. Configure spoke 3. Configure IP addresses for the interfaces. (Details not shown) Configure the VAM client function. <Spoke3> system-view # Create VAM client dvpn1spoke3 for VPN domain 1. [Spoke3] vam client name dvpn1spoke3 [Spoke3-vam-client-name-dvpn1spoke3] vpn 1 # Specify the IP addresses of the primary and secondary VAM servers and set the pre-shared key for the VAM client. [Spoke3-vam-client-name-dvpn1spoke3] server primary ip-address [Spoke3-vam-client-name-dvpn1spoke3] server secondary ip-address [Spoke3-vam-client-name-dvpn1spoke3] pre-shared-key simple 123 # Configure a local user, and specify the username as dvpn_user and password as dvpn_user. [Spoke3-vam-client-name-dvpn1spoke3] user dvpn_user password simple dvpn_user [Spoke3-vam-client-name-dvpn1spoke3] client enable [Spoke3-vam-client-name-dvpn1spoke3] quit Configure an IPsec profile. Hangzhou H3C Technologies Co., Ltd. 11

12 # Configure an IPsec proposal. [Spoke3] ipsec proposal vam [Spoke3-ipsec-proposal-vam] encapsulation-mode tunnel [Spoke3-ipsec-proposal-vam] transform esp [Spoke3-ipsec-proposal-vam] esp encryption-algorithm des [Spoke3-ipsec-proposal-vam] esp authentication-algorithm sha1 [Spoke3-ipsec-proposal-vam] quit # Configure an IKE peer. [Spoke3] ike peer vam [Spoke3-ike-peer-vam] pre-shared-key abcde [Spoke3-ike-peer-vam] quit # Configure an IPsec profile. [Spoke3] ipsec profile vamp [Spoke3-ipsec-profile-vamp] proposal vam [Spoke3-ipsec-profile-vamp] ike-peer vam [Spoke3-ipsec-profile-vamp] sa duration time-based 600 [Spoke3-ipsec-profile-vamp] pfs dh-group2 [Spoke3-ipsec-profile-vamp] quit Configure DVPN tunnels. # Configure tunnel interface Tunnel1 for VPN domain 1, and use UDP as the tunnel encapsulation protocol. [Spoke3] interface tunnel 1 [Spoke3-Tunnel1] tunnel-protocol dvpn udp [Spoke3-Tunnel1] vam client dvpn1spoke3 [Spoke3-Tunnel1] ip address [Spoke3-Tunnel1] source GigabitEthernet 1/1 [Spoke3-Tunnel1] ospf network-type broadcast [Spoke3-Tunnel1] ospf dr-priority 0 [Spoke3-Tunnel1] ipsec profile vamp [Spoke3-Tunnel1] quit Configure OSPF. # Configure OSPF process 100 to advertise network [Spoke3] ospf 100 [Spoke3-ospf-100] area 0 [Spoke3-ospf-100-area ] network [Spoke3-ospf-100-area ] quit # Configure OSPF process 200 to advertise network [Spoke3] ospf 200 [Spoke3-ospf-200] area 0 [Spoke3-ospf-200-area ] network Hangzhou H3C Technologies Co., Ltd. 12

13 Configure imc imc version Adding access devices Configure the primary and secondary VAM servers as the access devices. The following steps take the primary VAM server as an example. 1. Log in to the imc. Click the Service tab, and then select User Access Manager > Access Device from the navigation tree to enter the access device management page. Click Add. 2. Click Add Manually. Hangzhou H3C Technologies Co., Ltd. 13

14 3. Type the access device s IP address. To add only one access device, type the same IP address in the Start IP and End IP text boxes. Click OK. 4. Configure the access parameters as needed, and then click OK. Hangzhou H3C Technologies Co., Ltd. 14

15 5. The access device is successfully added. Configuring a service policy 1. Click the Service tab. Select User Access Manager > Service Configuration from the navigation tree. On the service configuration page, click Add. 2. In the Basic Information area, type dvpn_test in the Service Name text box. Configuring a user account 1. Click the User tab. Select User Management > Add User from the navigation tree. Type dvpn_user for both User Name and Identity Number. Click OK. Hangzhou H3C Technologies Co., Ltd. 15

16 2. The user is added successfully. 3. Click Add Access User. Type dvpn_user for both the account name and password. Select the access service dvpn_test. Configure other parameters as needed. Verification After the hub and spoke devices pass AAA authentication, you can see their registration information on the primary and secondary VAM servers. # Display address mapping information about all VAM clients that have registered with the primary VAM server. [PrimaryServer] display vam server address-map all VPN name: 1 Total address-map number: 5 Private-ip Public-ip Type Holding time Hub 0H 52M 7S Hub 0H 47M 31S Spoke 0H 28M 25S Hangzhou H3C Technologies Co., Ltd. 16

17 Spoke 0H 19M 15S Spoke 0H 19M 10S # Display address mapping information about all VAM clients that have registered with the secondary VAM server. [SecondaryServer] display vam server address-map all VPN name: 1 Total address-map number: 5 Private-ip Public-ip Type Holding time Hub 0H 55M 3S Hub 0H 50M 30S Spoke 0H 31M 24S Spoke 0H 22M 15S Spoke 0H 19M 10S The output shows that hub 1, hub 2, spoke 1, spoke 2, and spoke 3 all have registered the address mapping information with the VAM servers. # Display the DVPN tunnel information on hub 1. [Hub1] display dvpn session all Interface: Tunnel1 VPN name: 1 Total number: 4 Private IP: Public IP: Session type: Hub-Hub State: SUCCESS Holding time: 0h 1m 44s Input: 101 packets, 100 data packets, 1 control packets 87 multicasts, 0 errors Output: 106 packets, 99 data packets, 7 control packets 87 multicasts, 10 errors Private IP: Public IP: Session type: Hub-Spoke State: SUCCESS Holding time: 0h 8m 7s Input: 164 packets, 163 data packets, 1 control packets 154 multicasts, 0 errors Output: 77 packets, 76 data packets, 1 control packets 155 multicasts, 0 errors Private IP: Public IP: Session type: Hub-Spoke State: SUCCESS Holding time: 0h 27m 13s Input: 174 packets, 167 data packets, 7 control packets 160 multicasts, 0 errors Output: 172 packets, 171 data packets, 1 control packets 165 multicasts, 0 errors Hangzhou H3C Technologies Co., Ltd. 17

18 Private IP: Public IP: Session type: Hub-Spoke State: SUCCESS Holding time: 0h 8m 7s Input: 184 packets, 18 data packets, 1 control packets 104 multicasts, 0 errors Output: 177 packets, 176 data packets, 1 control packets 105 multicasts, 0 errors The output shows that in VPN 1, hub 1 has established a permanent tunnel with hub 2, spoke 1, spoke 2, and spoke 3, respectively. # On spoke 2, ping the private address of spoke 3. [Spoke2] ping PING : 56 data bytes, press CTRL_C to break Reply from : bytes=56 Sequence=1 ttl=254 time=5 ms Reply from : bytes=56 Sequence=2 ttl=254 time=5 ms Reply from : bytes=56 Sequence=3 ttl=254 time=5 ms Reply from : bytes=56 Sequence=4 ttl=254 time=4 ms Reply from : bytes=56 Sequence=5 ttl=254 time=4 ms ping statistics packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 4/4/5 ms The output shows that spoke 2 and spoke 3 can ping each other, which indicates that a tunnel is established dynamically between spoke 2 and spoke 3. References Protocols and standards RFC2401, Security Architecture for the Internet Protocol RFC2402, IP Authentication Header RFC2406, IP Encapsulating Security Payload Related documentation H3C SR6600 Routers Configuration Guides-Release 2603 H3C SR6600 Routers Command References-Release 2603 Hangzhou H3C Technologies Co., Ltd. 18