Configuring an IPSec VPN Between Huawei and Cisco Routers Using Virtual Tunnel Interfaces

This guide explains the security risks of sending data across the Internet in cleartext, introduces IPSec's authentication, encryption, integrity, and anti-replay features, and provides step-by-step Huawei and Cisco router configurations (interface setup, IKE proposals, IPSec profiles, and verification commands) to securely connect branch and headquarters networks via a VPN.

Practical DevOps Architecture

Business data is often transmitted over the Internet in cleartext, exposing passwords, bank accounts, and user identities to theft, tampering, and malicious attacks. Deploying IPSec protects this data by providing authentication, encryption, integrity checking, and anti-replay mechanisms.

IPSec (Internet Protocol Security), defined by the IETF, operates at the IP layer to ensure secure communication through source authentication, data encryption, integrity verification, and replay protection.

In typical deployments, IPSec builds a VPN that allows users to connect from any location without geographic restrictions; virtual tunnel interfaces (VTI) are recommended for large branches to protect all traffic without defining ACLs for each flow.

Configuration of RouterA (Huawei):

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.2.10 255.255.255.0
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
[RouterA] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1
[RouterA] interface Tunnel0/0/0
[RouterA-Tunnel0/0/0] ip address 10.2.1.2 255.255.255.0
[RouterA-Tunnel0/0/0] tunnel-protocol ipsec
[RouterA-Tunnel0/0/0] source gigabitethernet 1/0/0
[RouterA-Tunnel0/0/0] destination 1.1.1.10
[RouterA] ospf 2
[RouterA-ospf-2] area 0.0.0.0
[RouterA-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[RouterA] ike proposal 5
[RouterA-ike-proposal-5] encryption-algorithm aes-cbc-128
[RouterA-ike-proposal-5] authentication-algorithm sha1
[RouterA-ike-proposal-5] dh group5
[RouterA-ike-proposal-5] authentication-method pre-share
[RouterA] ike peer RouterA v1
[RouterA-ike-peer-RouterA] ike-proposal 5
[RouterA-ike-peer-RouterA] pre-shared-key cipher huawei@123
[RouterA-ike-peer-RouterA] dpd type periodic
[RouterA-ike-peer-RouterA] dpd msg seq-hash-notify
[RouterA] ipsec proposal RouterA
[RouterA-ipsec-proposal-RouterA] transform esp
[RouterA-ipsec-proposal-RouterA] encapsulation-mode tunnel
[RouterA-ipsec-proposal-RouterA] esp authentication-algorithm sha1
[RouterA-ipsec-proposal-RouterA] esp encryption-algorithm aes-128
[RouterA] ipsec profile profile1
[RouterA-ipsec-profile-profile1] ike-peer RouterA
[RouterA-ipsec-profile-profile1] proposal RouterA
[RouterA] interface tunnel 0/0/0
[RouterA-Tunnel0/0/0] ipsec profile profile1

Configuration of RouterB (Cisco):

RouterB#configure terminal
RouterB(config)#interface gigabitethernet 0/1
RouterB(config-if)#ip address 1.1.1.10 255.255.255.0
RouterB(config)#interface gigabitethernet 0/2
RouterB(config-if)#ip address 10.3.1.1 255.255.255.0
RouterB(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.1
RouterB(config)#interface tunnel 0
RouterB(config-if)#ip address 10.2.1.1 255.255.255.0
RouterB(config-if)#tunnel mode ipsec ipv4
RouterB(config-if)#tunnel source gigabitethernet0/1
RouterB(config-if)#tunnel destination 1.1.2.10
RouterB(config)#router ospf 2
RouterB(config-router)#network 10.2.1.0 0.0.0.255 area 0
RouterB(config-router)#network 10.3.1.0 0.0.0.255 area 0
RouterB(config)#crypto isakmp policy 10
RouterB(config-isakmp)#hash sha
RouterB(config-isakmp)#encryption aes 128
RouterB(config-isakmp)#group 5
RouterB(config-isakmp)#authentication pre-share
RouterB(config)#crypto isakmp key huawei@123 address 0.0.0.0 no-xauth
RouterB(config)#crypto isakmp keepalive 10 periodic
RouterB(config)#crypto ipsec transform-set tran1 esp-sha-hmac esp-aes 128
RouterB(config-trans)#mode tunnel
RouterB(config)#crypto ipsec profile profile1
RouterB(ipsec-profile)#set transform-set tran1
RouterB(config)#interface tunnel 0
RouterB(config-if)#tunnel protection ipsec profile profile1

Verification: On both routers, run display ike sa (Huawei) or show crypto isakmp sa (Cisco) to confirm that Phase 1 and Phase 2 security associations are established; ping tests and display ipsec statistics esp confirm encrypted traffic between branch and headquarters.
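
The following Python check is an added example, not configuration or code from the original article. It parses the IKE and IPSec parameters from the two configurations above, reports any mismatch that would keep the SAs from establishing, and flags SHA-1, DH groups 1/2/5 and the 0.0.0.0 pre-shared-key scope; treating those as legacy or over-broad is this example's policy assumption, and the field names and finding labels are its own.

```python
import re
# Lines copied from the two configurations on this page, CLI prompts stripped.
HUAWEI = """encryption-algorithm aes-cbc-128
authentication-algorithm sha1
dh group5
pre-shared-key cipher huawei@123
esp authentication-algorithm sha1
esp encryption-algorithm aes-128"""
CISCO = """hash sha
encryption aes 128
group 5
crypto isakmp key huawei@123 address 0.0.0.0 no-xauth
crypto ipsec transform-set tran1 esp-sha-hmac esp-aes 128
tunnel destination 1.1.2.10"""
# One regex per normalized field (field names are this example's own).
HUAWEI_RE = {"ike_enc": r"^encryption-algorithm aes-cbc-(\d+)",
             "ike_hash": r"^authentication-algorithm (\w+)",
             "dh": r"^dh group(\d+)",
             "psk": r"^pre-shared-key cipher (\S+)",
             "esp_hash": r"^esp authentication-algorithm (\w+)",
             "esp_enc": r"^esp encryption-algorithm aes-(\d+)"}
CISCO_RE = {"ike_enc": r"^encryption aes (\d+)",
            "ike_hash": r"^hash (\w+)",
            "dh": r"^group (\d+)",
            "psk": r"^crypto isakmp key (\S+)",
            "psk_scope": r"^crypto isakmp key \S+ address (\S+)",
            "esp_hash": r"^crypto ipsec transform-set \S+ esp-(\w+)-hmac",
            "esp_enc": r"^crypto ipsec transform-set .* esp-aes (\d+)",
            "peer": r"^tunnel destination (\S+)"}

def parse(text, patterns):
    # Cisco writes SHA-1 as "sha", Huawei as "sha1"; normalize the hash fields.
    hits = {f: re.search(rx, text, re.M) for f, rx in patterns.items()}
    return {f: "sha1" if f.endswith("hash") and m.group(1) == "sha" else m.group(1)
            for f, m in hits.items() if m}

def audit(huawei, cisco):
    # Every field the Huawei side sets must equal the Cisco side's value.
    out = [f"mismatch:{k}" for k in HUAWEI_RE if huawei.get(k) != cisco.get(k)]
    for side, cfg in (("huawei", huawei), ("cisco", cisco)):
        # Policy assumption of this example: SHA-1 and DH 1/2/5 count as legacy.
        if "sha1" in (cfg.get("ike_hash"), cfg.get("esp_hash")):
            out.append(f"legacy:{side}:sha1")
        if cfg.get("dh") in ("1", "2", "5"):
            out.append(f"legacy:{side}:dh-group{cfg['dh']}")
    if cisco.get("psk_scope") == "0.0.0.0":  # key accepted from any peer address
        out.append(f"broad:cisco:wildcard-psk, scope to {cisco.get('peer')}")
    return out

print(audit(parse(HUAWEI, HUAWEI_RE), parse(CISCO, CISCO_RE)))
```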
