Networking requirements | Huawei v200r001 specification

User Manual - Configuration Guide (Volume 3)	Chapter 5
Versatile Routing Platform	Configuration of IKE
Flag meaning:
RD--Ready ST--Stayalive RT--Replaced FD--Fading

Execute the following command to clear security association 1.

Quidway# clear crypto ike sa 1

Then the SA will show the following information:

Quidway# show crypto ike sa

conn-id		peer	flags	phase	doi
2		202.38.0.2	RDST	2	IPSEC
Flag meaning:
RD--Ready ST--Stayalive RT--Replaced FD--Fading
Table SC-5-9Description about the command field show crypto ike sa

			Operation			Command

	Security channel ID					conn-id
	Peer IP address of this SA					peer
	Show the status of this SA
	NONE means this SA is being established
	READY means this SA has been established successfully
	STAYALIVE means that lifetime is negotiated, and this SA will be refreshed					Flags
	in fixed interval.					Flags
	in fixed interval.
	REPLACED means that a timeout has happened
	FADING means this SA has been replaced, and will be cleared
	automatically after some time
	Phase of SA					phase
	Explanation domain of SA					doi

2)Show IKE security policy Quidway# show crypto ike policy

Protection suite priority 15 encryption algorithm: DES - CBC hash algorithm: MD5 authentication method: Pre-Shared Key Diffie-Hellman Group: MODP1024 Lifetime: 5000 seconds, no volume limit

Protection suite priority 20 encryption algorithm: DES - CBC hash algorithm: SHA authentication method: Pre-Shared Key Diffie-Hellman Group: MODP768

lifetime: 10000 seconds, no volume limit Default protection suite

encryption algorithm: DES - CBC

hash algorithm: SHA

authentication method: Pre-Shared Key

Diffie-Hellman Group: MODP768

Lifetime: 86400 seconds, no volume limit

The information shows the protection priority, encryption algorithm, hashing algorithm, authentication algorithm, Diffie-Hellman group and IKE SA lifetime.

5.4Typical Configuration of IKE

I.Networking requirements

z Hosts A and B communicates securely, and a security channel is established with IKE automatic negotiation between security gateways A and B.

5-6

Image 12

Huawei v200r001 user manual Networking requirements, Show IKE security policy Quidway# show crypto ike policy

Contents

Huawei V200R001 Manual Version T2-080168-20011213-C-1.5 BOM31010868 Contents About This Manual Format Description Key Bracket, e.g. Enter , Tab , Backspace , or aKey 1 + Key Key 1, Key Symbol Action Description Security Configuration SC Huawei Configuration of IKE II. IKE features IKE Configuration Task List Creating IKE Security Policy Select Authentication Algorithm No IKE security policy is created by defaultSelect Encryption Algorithm Set Pre-shared Key Select Hashing AlgorithmSelect DH Group ID Set Lifetime of IKE Association SA Show IKE SA parameter Quidway# show crypto ike sa Networking requirements Show IKE security policy Quidway# show crypto ike policy II. Networking diagram III. Configuration procedure Problem 1 Invalid user ID information VPN Configuration VPN Table of Contents VPN features VPN Overview According to operation mode Classification of IP VPN II. According to the layer where the tunnel is III. According to service purpose IV. According to networking model Configuration of L2TP Brief Introduction to L2TP ProtocolOverview of Vpdn Brief induction to Vpdn 2 L2TP Protocol III. Method to realize VpdnTunnel and session II. Control message and data message III. Two typical L2TP tunnel modes IV. Call setup flow of L2TP tunnel Call setup flow of L2TP channel is shown in the following Features of L2TP protocol Figure VPN-2-3Call setup flow of L2TP channel Configuring L2TP 1 L2TP Configuration Task ListConfiguring at LAC Side Disable Vpdn to run by default II. Create Vpdn group Configuring at LNS Side Disable Vpdn running by defaultIV. Set the connection request to originate L2TP channel Table VPN-2-4L2TP attribute table III. Create/delete virtual interface template No vpdn group group-numberAccept dialin l2tp virtual-template virtual No accept dialin Optional configuration III. Force local end to perform Chap authenticationSet local name of channel Local end does not perform Chap authentication by default LCP does not renegotiate by defaultIV. LNS forces LCP to renegotiate Set domain name delimiter and search sequence VII. Enable/disable hiding AV pairs Disable hiding AV pairs by default Monitoring and Maintenance of L2TP VIII. Force to disconnect tunnel Typical Configuration of L2TP Show l2tp session command domainNAS-Initialized VPN Networking requirement III. Configuration procedure Figure VPN-2-5Networking diagram of Client-Initialized VPN Client-Initialized VPN Single User Interconnects Headquarters via Router Chapter Fault Diagnosis of L2TP Configuration of GRE Brief Introduction to GRE ProtocolBrief introduction to the protocol II. Applicable range Figure VPN-3-2Format of transmission message in the tunnel Configuring GRE GRE Configuration Task List Setting the Source Address of Tunnel Interface Setting the Destination Address of Tunnel InterfaceCreating Virtual Tunnel Interface Setting the Network Address of Tunnel Interface Setting the Encapsulation Mode of Tunnel Interface MessageSetting the Identification Key Word of Tunnel Interface Setting Tunnel Interface to Check with Check Sum Monitoring and Maintenance of GRE Disable tunnel interface to check with check sum by defaultShow interface tunnel tunnel-number Typical Configuration of GRE Figure VPN-3-6Networking diagram of GRE application Chapter Troubleshooting GRE Reliability Configuration LC Configuration of Backup Center Configuration of Hsrp Configuration of Backup Center Backup Center OverviewConfiguring the Backup Center Configuration Task List Backup logic-channel logic-channel No backup delay Configuring Routes for Main and Backup Interfaces Backup state-down numberBackup state-up interval-time Monitoring and Maintaining of Backup Center Typical Configuration of Backup CenterAn example of Backup Between Interfaces An Example of Multiple Backup Interfaces Chapter Chapter Configuration of Hsrp Hsrp Overview Configuring Hsrp Starting Hsrp Function Setting Router’s Priority in Hsrp Hot Standby Group Setting Router’s Preemption Mode in Hsrp Standby GroupSetting Hsrp Authorization Word Standby group-number preempt Setting Hsrp Timer Table LC-2-4Set Hsrp authorization wordStandby group-numberauthentication string Monitoring the Specified Interface Using Actual Interface MAC Address Modifying Virtual MAC AddressTable LC-2-6Monitor the specified interface Typical Configurations of Hsrp An example for single hot standby group configurationMonitoring and Maintaining Hsrp Show relevant Hsrp information Quidway# show standby 202.38.160.111 An example for setting Hsrp to monitor a specified interface An example for multiple hot standby groups configuration Fault Diagnosis and Troubleshooting of Hsrp QoS Configuration QC CAR Configuration Example Configure CAR Rules Based on the MAC AddressApply CAR Rules to Packets Which is Matched the ACL Three service types of QoS Best-effort ServiceII.Integrated Service QoS Overview III. Differentiated Service Functions of QoS Chapter II. CAR Committed Access Rate Traffic Classification and PolicingTraffic Classification and Policing Introduction to Traffic Classification Features of Token Bucket Introduction to Traffic Policing Introduction to CAR II.Traffic Measuring with Token BucketIII Complicacy Evaluation CAR Configuration CAR Configuration Task ListNo CAR rule is specified by default Specify CAR rules Monitoring and Maintenance of CAR Table QC-2-3Monitoring and maintenance of CARApply the CAR Rule on the Interface Show CAR statistics Quidway# show car interface serial CAR Configuration Example II.ConfigurationApplying CAR Rules to All Packets Requirements III. Configuration Apply CAR Rules to Packets Which is Matched the ACL Configure CAR Rules Based on the Priority Level Configure CAR Rules Based on the MAC AddressII.Networking diagram Chapter Congestion Management Congestion and Congestion ManagementAbout Congestion Congestion Management Policy IV. WFQ Weighted Fair Queuing Fifo QueuingII. PQ Priority Queuing III. CQ Custom Queuing Selecting Congestion Management Policy Working Principle of Congestion Management Policy No. Advantages Disadvantages Queue Fifo III. CQ Configuration of Congestion Management Configuring PQPQ Configuration task list II. Configuring priority queue Priority-list list-number interface type number high medium Normal low Table QC-3-7Configuration of queue length of priority queue Interface adopts Fifo queuing by defaultIII. Applying priority queue to the interface IV. Maintaining and monitoring the priority queue Configuring CQ CQ configuration task listII. Configuring the custom queue Operation Command Configure the default custom queue No custom-list list-number interface type number III. Applying custom queue to the interface No custom-list list-number queue queue-number limitCustom-list list-number queue queue-number byte-count No custom-list list-number queue queue-number byte-count Configuring WFQ WFQ configuration task listII. Configuring the weighted fair queue III. Maintenance and monitoring of the weighted fair queue Configuration Example of Congestion Management PQ Configuration ExampleCQ Configuration Example Figre QC-3-6Networking diagram of CQ Configuration Versatile Routing Platform Troubleshooting of Congestion Management DDR Configuration DC Configuring Synchronous/Asynchronous Serial Port Using DDR DDR ConfigurationDDR in Which the Router Calls Back PC Configuration of Modem Management DDR Configuration Brief Introduction to Dial ConfigurationIntroduction to DDR Technology Preparing DDR Configuration Figure DC-1-1DDR configuration preparation flow Configuring DDR Configuring Legacy DDRConfiguration tasks of Legacy DDR include II. Configure an interface to send calls Dialer string dial-string isdn-address Dialer rotary-group number III. Configure an interface to receive calls Figure DC-1-2Schematic diagram of Dialer Rotary Group IV. Configure an interface to send and receive calls Versatile Routing Platform DDR Configuration Set the attribute parameters of Legacy DDR Table DC-1-13Set the idle time of busy interface Table DC-1-16Set access control of the dial interface Access-list access-list-numberdeny permitAccess-list access-list-number deny permit Permit deny Configuring Dialer Profile Default interval is 300 secondsIntroduction to Dialer Profile II. Configuration task list of Dialer Profile III. Configure a logic dial interfaceIV. Set the attribute parameters of a dial interface Configuring Callback Bind physical interfaces for a dialer poolSignificance of callback II. Terms and abbreviations IV. Configure Isdn calling line identification callback Dialer caller remote-number callbackOr dialer caller remote-number Interface dialer Configure PPP callback User name callback-dialstring telephone-number Chapter Table DC-1-28Client end using Legacy DDR to configure PPP Configuring DDR Special Functions Configure Isdn dedicated line II. Configure autodial III. Configure cyclic use of dialer mapAutodial interval is 300 seconds by default Monitoring and Maintenance of DDR Table DC-1-34Configure cyclic use of dialer mapName Meaning DDR Typical Configuration Example Legacy DDRNetwork requirements Chapter Dialer Profile Chapter Networking diagram II. Configuration procedurePoint-to-Point DDR Chapter Chapter Point-to-Multipoint DDR 8810063 Chapter Chapter Multipoint-to-Multipoint DDR 88100528810148 III. Configuration procedure Chapter Chapter Chapter Chapter DDR Bearing IPX Chapter Chapter Chapter DDR Bearing IP and IPX at the Same Time Chapter Chapter Chapter Flow Control of Dialer Profile MP over Dialer Profile-Case RouterA RouterB BRI02.2 661012 Chapter Figure DC-1-11Networking diagram of DDR Case Channels for Dial-up and Connection to the Remote End Case Chapter Two Serial Ports for Dial-up and Remote Dial Connection Case One Serial Port for Dial-up and Remote Dial Connection Case Chapter DDR for Access Service Chapter Chapter Chapter Chapter DDR for Inter-Router Callback Chapter DDR in Which the Router Calls Back PC III. Configuration procedure DDR for Autodial DDR Using Dialer Map Cyclically DDR Using Dialer Map as Backup Solution 1 Logical interface as backup interface Chapter Precautions for DDR Configuration Configuring Dialer-groupConfiguring Synchronous/Asynchronous Serial Port Using DDR Configuring Network Layer Address Configuring PPP In Dialer Profile Configuration Mode Apply PAP authentication Chapter II. Apply Chap authentication Chapter Configuring PPP In Legacy DDR Configuration Mode Chapter II. Apply Chap authentication Chapter Troubleshooting DDR Configure Dialer-listDDR Fault Diagnosis Whether modem is normal III. Check whether dialer-group is configured IV. Check whether dialer-list is configured correctly Chapter DDR Fault Elimination Troubleshooting with DDR Debugging Information How to acquire DDR debugging informationInformation displayed at the calling end Information displayed at the call receiving end DDR link negotiation Down on interface Configuration of Modem Management Modem Management Functions Provided by VRP1.4Modem Script Function Timeout seconds Key words Description Configuring Modem Management Modem Management Configuration Task ListConfiguring Modem Call-In and Call-Out Authorities Configuring Modem Script Configuring Modem Answer Mode Executing Modem Script ManuallySpecifying the Event to Trigger Modem Script Typical Configuration of Modem Management Managing Modem with Modem Script Networking requirements Configuration requirements Router Initialization with Initialization ScriptDirect Dial with Script Interactively Connect Cisco Router Through Modem VoIP Configuration VC VoIP Configuration IP Fax Configuration E1 Voice Configuration GK Client ConfigurationIphc Configuration Versatile Routing Platform Table of Contents VoIP Configuration VoIP Overview VoIP Principle Basic compositionII. H.323 protocol stack IP Voice Implementation over VRP III. a typical telephone call processing by VoIP IP Voice Feature over VRP Switch Router Capacity channel Chapter VoIP Configuration Task List Configuring Dial-peer Pots dial-peer configuration II. VoIP dial-peer configuration Configuring Dial Terminator Ip precedence priority-number Configuring Abbreviated Dialing Configuring Voice PortBy default, we do not configure the dial terminator By default, we do not configure the abbreviated dialing Table VC-1-6Configuring voice-port Configuring Global Number Match Policy Configuring the Recovery Method of Voice BoardBy default, please use the shortest number match policy VoIP Monitoring and Maintenance By default, Watchdog is enabled KHT Rcvccactivecall Channel = Status = Chtransframe Typical VoIP Configuration Examples Configuring Router FXS Port for Interconnection III. Configuration procedures Shanghai Chapter Figure VC-1-7RouterShenzhen FXO works in the Plar mode LAN VoIP Troubleshooting III. Configuration description IP Fax Configuration Configuring IP FaxTask List of IP Fax Configuration Overview to IP Fax Checking If Configuring Fax to Use ECM Mode Configuring Fax RateGateway does not use ECM mode by default Configuring Fax Train Mode Configuring Fax Local-train Threshold ValueBy default, the fax rate will be determined by voice mode Mode is local-train mode local by default Configuring Gateway Carrier Transmit Energy Level Fax protocol t38 ls-redundancy numberNo fax protocol t38 ls-redundancy Fax protocol t38 hs-redundancy number Monitoring and Maintenance of IP Fax By default, T.38 protocol is usedBy default, rtp protocol is used Typical Configuration of IP Fax Versatile Routing Platform IP Fax Configuration Chapter E1 Voice Configuration Overview of E1 Voice ConfigurationFunction of E1 Voice Usage of cE1/PRI Interface Features of E1 Voice Signaling modes supportedII. Protocols and standards supported III. Support single stage dialing and two-stage dialing E1 Voice Configuration Configuration Task List of E1 VoiceConfiguring Pots dial-peer IV. Integrated transmission of voice and data Configuring VoIP dial-peer Table VC-3-1Configuration Commands of Pots dial-peerIncoming called-number number No incoming called-number Configuring the Basic Parameters of E1 Interface Table VC-3-2Configuration Commands of VoIP dial-peer Configuring Voice Port E1 Interface Table VC-3-3Configuration Commands of E1 Interface Configuring E1 Voice R2 Signaling Configuring DS0 groupTable VC-3-4Configuration Commands of E1 Voice Port II. Configuring Related Parameters of R2 Signaling By default, the system has not created any DS0 group Table VC-3-6Configuration Commands of R2 Signaling Configuring the Basic Parameters of Isdn PRI Interface Pri-group timeslots timeslots-listNo pri-group Interface serial serial-no Monitoring and Maintenance of E1 Voice Configuring Voice Port Isdn PRI InterfaceMaintaining the MFC Channel and Circuit of the Specified TS II. show Command Related to E1 Voice Quidway# show voice-port III. debug Commands Related to E1 Voice R2 signalling call statistics Typical Configuration Examples of E1 Voice Table VC-3-11debug Commands of E1 VoiceRouter Connected to PBX through E1 Voice Port Versatile Routing Platform Router Connected to PBX in Isdn PRI Mode Two-stage Dialing Configuration II. Netwoking diagram Parameter configuration of Beijing-side router Transmission of Data and Voice Simultaneously Fault Diagnosis and Troubleshooting of E1 Voice GK Client Configuration Configuration of GK ClientConfiguration Task List of GK Client Configuring One Interface as H.323 Gateway Interface Configuring Gateway Alias Configure the GK Server Name and AddressBy default, GK Client function is deactivated Activating or Deactivate GK Client Function Configuring Tech-Prefix Configuring GK Interworking ModeBy default, there is not any tech-prefix Typical Configuration Examples of GK Client Be default, the GK interworking mode is cisco modeVersatile Routing Platform GK Client Configuration Chapter Fault Diagnosis and Troubleshooting of GK Client Iphc Configuration Overview of Iphc Iphc Configuration Configuration Task List of IphcEnable/disable RTP header compression No ip rtp compression-connections Configure the Cisco-compatible RTP header compression Configure the deleting of udpchk field from UDP headerBy default, the udpchk field in UDP packet field is set to No ip tcp header-compression Monitoring and Maintenance of Iphc Table VC-5-6Monitoring and Maintenance of Iphc How Are We Doing Excellent Good Fair Poor Mistake Suggested Correction Line No