Configuring an IPSec VPN Between Huawei and Cisco Routers Using Virtual Tunnel Interfaces
This guide explains the security risks of transparent Internet data transmission, introduces IPSec's authentication, encryption, integrity, and anti‑replay features, and provides step‑by‑step Huawei and Cisco router configurations—including interface setup, IKE proposals, IPSec profiles, and verification commands—to securely connect branch and headquarters networks via a VPN.
Business data transmitted over the Internet is often transparent, exposing passwords, bank accounts, and user identities to theft, tampering, and malicious attacks; deploying IPSec protects data by providing authentication, encryption, integrity checking, and anti‑replay mechanisms.
IPSec (Internet Protocol Security), defined by the IETF, operates at the IP layer to ensure secure communication through source authentication, data encryption, integrity verification, and replay protection.
In typical deployments, IPSec builds a VPN that allows users to connect from any location without geographic restrictions; virtual tunnel interfaces (VTI) are recommended for large branches to protect all traffic without defining ACLs for each flow.
Configuration of RouterA (Huawei) :
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.2.10 255.255.255.0
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
[RouterA] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1
[RouterA] interface Tunnel0/0/0
[RouterA-Tunnel0/0/0] ip address 10.2.1.2 255.255.255.0
[RouterA-Tunnel0/0/0] tunnel-protocol ipsec
[RouterA-Tunnel0/0/0] source gigabitethernet 1/0/0
[RouterA-Tunnel0/0/0] destination 1.1.1.10
[RouterA] ospf 2
[RouterA-ospf-2] area 0.0.0.0
[RouterA-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[RouterA] ike proposal 5
[RouterA-ike-proposal-5] encryption-algorithm aes-cbc-128
[RouterA-ike-proposal-5] authentication-algorithm sha1
[RouterA-ike-proposal-5] dh group5
[RouterA-ike-proposal-5] authentication-method pre-share
[RouterA] ike peer RouterA v1
[RouterA-ike-peer-RouterA] ike-proposal 5
[RouterA-ike-peer-RouterA] pre-shared-key cipher huawei@123
[RouterA-ike-peer-RouterA] dpd type periodic
[RouterA-ike-peer-RouterA] dpd msg seq-hash-notify
[RouterA] ipsec proposal RouterA
[RouterA-ipsec-proposal-RouterA] transform esp
[RouterA-ipsec-proposal-RouterA] encapsulation-mode tunnel
[RouterA-ipsec-proposal-RouterA] esp authentication-algorithm sha1
[RouterA-ipsec-proposal-RouterA] esp encryption-algorithm aes-128
[RouterA] ipsec profile profile1
[RouterA-ipsec-profile-profile1] ike-peer RouterA
[RouterA-ipsec-profile-profile1] proposal RouterA
[RouterA] interface tunnel 0/0/0
[RouterA-Tunnel0/0/0] ipsec profile profile1
Configuration of RouterB (Cisco) :
RouterB#configure terminal
RouterB(config)#interface gigabitethernet 0/1
RouterB(config-if)#ip address 1.1.1.10 255.255.255.0
RouterB(config)#interface gigabitethernet 0/2
RouterB(config-if)#ip address 10.3.1.1 255.255.255.0
RouterB(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.1
RouterB(config)#interface tunnel 0
RouterB(config-if)#ip address 10.2.1.1 255.255.255.0
RouterB(config-if)#tunnel mode ipsec ipv4
RouterB(config-if)#tunnel source gigabitethernet0/1
RouterB(config-if)#tunnel destination 1.1.2.10
RouterB(config)#router ospf 2
RouterB(config-router)#network 10.2.1.0 0.0.0.255 area 0
RouterB(config-router)#network 10.3.1.0 0.0.0.255 area 0
RouterB(config)#crypto isakmp policy 10
RouterB(config-isakmp)#hash sha
RouterB(config-isakmp)#encryption aes 128
RouterB(config-isakmp)#group 5
RouterB(config-isakmp)#authentication pre-share
RouterB(config)#crypto isakmp key huawei@123 address 0.0.0.0 no-xauth
RouterB(config)#crypto isakmp keepalive 10 periodic
RouterB(config)#crypto ipsec transform-set tran1 esp-sha-hmac esp-aes 128
RouterB(cfg-crypto-trans)#mode tunnel
RouterB(config)#crypto ipsec profile profile1
RouterB(ipsec-profile)#set transform-set tran1
RouterB(config)#interface tunnel 0
RouterB(config-if)#tunnel protection ipsec profile profile1
Verification : On both routers, run display ike sa (Huawei) or show crypto isakmp sa (Cisco) to confirm that the Phase 1 and Phase 2 security associations are established; ping tests between the branch and headquarters LANs, together with display ipsec statistics esp on the Huawei router, confirm that traffic between the two sites is being encrypted.
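The two configurations above must agree on every negotiated parameter, and the vendors spell those parameters differently (aes-cbc-128 versus aes 128, sha1 versus sha, group5 versus group 5), so a mismatch is easy to introduce and usually shows up only as a tunnel that never comes up. The following Python script, added here as an example and not part of the original guide or of either vendor's tooling, parses constructed running-config style excerpts that carry the RouterA and RouterB values from this page, normalises the vendor naming, and reports any IKE, ESP, endpoint or tunnel-subnet mismatch. The excerpt format, the PATTERNS table and the function names are assumptions of the example.

```python
import ipaddress
import re

# Constructed running-config style excerpts: hypothetical text whose values are the ones
# used for RouterA and RouterB on this page (only the lines the check needs are kept).
HUAWEI_CFG = """\
interface GigabitEthernet1/0/0
 ip address 1.1.2.10 255.255.255.0
interface Tunnel0/0/0
 ip address 10.2.1.2 255.255.255.0
 source gigabitethernet 1/0/0
 destination 1.1.1.10
ike proposal 5
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha1
 dh group5
 authentication-method pre-share
ipsec proposal RouterA
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
"""
CISCO_CFG = """\
interface GigabitEthernet0/1
 ip address 1.1.1.10 255.255.255.0
interface Tunnel0
 ip address 10.2.1.1 255.255.255.0
 tunnel source gigabitethernet0/1
 tunnel destination 1.1.2.10
crypto isakmp policy 10
 hash sha
 encryption aes 128
 group 5
 authentication pre-share
crypto ipsec transform-set tran1 esp-sha-hmac esp-aes 128
 mode tunnel
"""

# Vendor-specific lines that carry each negotiated parameter (first capture group = value).
PATTERNS = {
    "huawei": {
        "ike_enc": r"^ encryption-algorithm (\S+)", "ike_hash": r"^ authentication-algorithm (\S+)",
        "ike_dh": r"^ dh (\S+)", "ike_auth": r"^ authentication-method (\S+)",
        "esp_enc": r"^ esp encryption-algorithm (\S+)", "esp_hash": r"^ esp authentication-algorithm (\S+)",
        "mode": r"^ encapsulation-mode (\S+)", "src_if": r"^ source (.+)$", "peer_ip": r"^ destination (\S+)",
    },
    "cisco": {
        "ike_enc": r"^ encryption (.+)$", "ike_hash": r"^ hash (\S+)", "ike_dh": r"^ group (\S+)",
        "ike_auth": r"^ authentication (\S+)", "esp_enc": r"^crypto ipsec transform-set \S+ (.+)$",
        "esp_hash": r"^crypto ipsec transform-set \S+ (.+)$", "mode": r"^ mode (\S+)",
        "src_if": r"^ tunnel source (.+)$", "peer_ip": r"^ tunnel destination (\S+)",
    },
}

def _grab(cfg, pattern):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def _norm_enc(s):
    """'aes-cbc-128', 'aes 128', 'esp-aes 128' -> 'aes-128' (3des/des keep their name)."""
    m = re.search(r"(aes|3des|des)\D*(\d*)", s)
    return f"{m.group(1)}-{m.group(2)}" if m.group(2) else m.group(1)

def _norm_hash(s):
    """'sha1', 'sha', 'esp-sha-hmac' -> 'sha1'; 'sha256' and 'md5' pass through."""
    h = re.search(r"(sha\d*|md5)", s).group(1)
    return "sha1" if h == "sha" else h

NORMALISE = {"ike_enc": _norm_enc, "esp_enc": _norm_enc, "ike_hash": _norm_hash,
             "esp_hash": _norm_hash, "ike_dh": lambda s: re.search(r"\d+", s).group(0)}

def interface_addr(cfg, name):
    """(ip, mask) configured under the named interface; names compared case-insensitively."""
    block = re.search(rf"^interface {re.escape(name)}\s*\n((?: .*\n)*)", cfg, re.M | re.I)
    m = re.search(r"ip address (\S+) (\S+)", block.group(1)) if block else None
    return (m.group(1), m.group(2)) if m else None

def parse(cfg, vendor):
    """Extract and normalise the parameters both peers must agree on."""
    p = {k: _grab(cfg, pat) for k, pat in PATTERNS[vendor].items()}
    for k, fn in NORMALISE.items():
        p[k] = fn(p[k])
    p["local_ip"] = interface_addr(cfg, p["src_if"].replace(" ", ""))[0]
    p["tunnel_addr"] = interface_addr(cfg, _grab(cfg, r"^interface (Tunnel\S*)"))
    return p

def compare(a, b):
    """Mismatches between parsed Huawei (a) and Cisco (b) parameters; empty list = consistent."""
    problems = [f"{k}: Huawei={a[k]} Cisco={b[k]}"
                for k in ("ike_enc", "ike_hash", "ike_dh", "ike_auth", "esp_enc", "esp_hash", "mode")
                if a[k] != b[k]]
    # Each side's tunnel destination must be the address of the other side's tunnel source interface.
    if a["peer_ip"] != b["local_ip"]:
        problems.append(f"Huawei destination {a['peer_ip']} != Cisco source {b['local_ip']}")
    if b["peer_ip"] != a["local_ip"]:
        problems.append(f"Cisco destination {b['peer_ip']} != Huawei source {a['local_ip']}")
    # The VTI addresses must share a subnet, or OSPF never forms an adjacency across the tunnel.
    nets = [ipaddress.ip_interface(f"{ip}/{mask}").network for ip, mask in (a["tunnel_addr"], b["tunnel_addr"])]
    if nets[0] != nets[1]:
        problems.append(f"tunnel subnets differ: {nets[0]} vs {nets[1]}")
    return problems

def check(huawei_cfg=HUAWEI_CFG, cisco_cfg=CISCO_CFG):
    """Run the whole consistency check; returns [] when the two sides agree."""
    return compare(parse(huawei_cfg, "huawei"), parse(cisco_cfg, "cisco"))
```

check() returns an empty list for the values on this page; changing one side (for instance group 5 to group 2 on the Cisco side, or a typo in a tunnel destination) produces a one-line description of the mismatch, which is quicker to read than IKE debug output. The pre-shared key is deliberately not compared: the Huawei side stores it as cipher text, so equality cannot be checked from the configuration, and a key mismatch has to be caught from the IKE SA state instead.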