Web: Example for Configuring an IPSec Tunnel Between Two Gateways Through IKE Negotiation (Using Pre-shared Key Authentication)

This section describes how to configure the IPSec VPN tunnel between two gateways with fixed IP addresses. In this example, both ends can initiate negotiations.

Networking Requirements

As shown in Figure 1, FW_A connects network A to the Internet and FW_B connects network B to the Internet. The networking requirements are as follows:

Network A (10.1.1.0/24) is connected to GigabitEthernet 0/0/3 of FW_A.
Network B (10.1.2.0/24) is connected to GigabitEthernet 0/0/3 of FW_B.
FW_A and FW_B are reachable to each other.

The purpose of this networking is to set up an IPSec tunnel between FW_A and FW_B and to enable the communication between users on network A and network B.

Figure 1 Networking diagram of configuring a site-to-site IPSec tunnel

Data Planning

Item	Data
FW_A	Interface: GigabitEthernet 0/0/3 IP address: 10.1.1.1/24 Security zone: Trust
Interface: GigabitEthernet 0/0/1 IP address: 1.1.3.1/24 Security zone: Untrust
IPSec configuration Scenario: Site-to-site Peer IP Address: 1.1.5.1 Authentication Type: Pre-Shared Key Pre-Shared Key: Test!1234 Local ID: IP Address Peer ID: IP Address
FW_B	Interface: GigabitEthernet 0/0/1 IP address: 1.1.5.1/24 Security zone: Untrust
Interface: GigabitEthernet 0/0/3 IP address: 10.1.2.1/24 Security zone: Trust
IPSec configuration Scenario: Site-to-site Peer IP Address: 1.1.3.1 Authentication Type: Pre-Shared Key Pre-Shared Key: Test!1234 Local ID: IP Address Peer ID: IP Address

Item

Data

FW_A

Interface: GigabitEthernet 0/0/3

IP address: 10.1.1.1/24

Security zone: Trust

Interface: GigabitEthernet 0/0/1

IP address: 1.1.3.1/24

Security zone: Untrust

IPSec configuration

Scenario: Site-to-site

Peer IP Address: 1.1.5.1

Authentication Type: Pre-Shared Key

Pre-Shared Key: Test!1234

Local ID: IP Address

Peer ID: IP Address

FW_B

Interface: GigabitEthernet 0/0/1

IP address: 1.1.5.1/24

Security zone: Untrust

Interface: GigabitEthernet 0/0/3

IP address: 10.1.2.1/24

Security zone: Trust

IPSec configuration

Scenario: Site-to-site

Peer IP Address: 1.1.3.1

Authentication Type: Pre-Shared Key

Pre-Shared Key: Test!1234

Local ID: IP Address

Peer ID: IP Address

Configuration Roadmap

The procedure and roadmap for configuring FW_A and FW_B are similar:

Configure interfaces.
Configure security policies to allow specific subnets to communicate.
Create a static route to the peer end.
Configure the IPSec policy, including basic IPSec policy information, data flow to be protected by IPSec, and proposal parameters for security association negotiation.

Procedure

Configure FW_A.
1. Set an IP address for each interface and assign the interfaces to security zones.
  1. Choose Network > Interface.
  2. Click of GE0/0/1> and set the following parameters:
    
    Zone
    
    untrust
    
    IPv4
    
    IP Address
    
    1.1.3.1/24
  3. Click OK.
  4. Repeat the preceding steps to set the parameters of the GE0/0/3 interface.
    
    Zone
    
    trust
    
    IPv4
    
    IP Address
    
    10.1.1.1/24
2. Configure security policies to allow specific subnets to communicate.
  1. Choose Policy > Security Policy > Security Policy.
  2. Click Add and set the parameters of the security policy for the Trust->Untrust interzone as follows:
    
    Name
    
    policy_ipsec_1
    
    Source Zone
    
    trust
    
    Destination Zone
    
    untrust
    
    Source Address/Region
    
    10.1.1.0/24
    
    Destination Address/Region
    
    10.1.2.0/24
    
    Action
    
    Permit
  3. Click OK.
  4. Repeat preceding steps to configure security policies for the Untrust -> Trust, Untrust -> Local, and Local -> Untrust interzones.
    
    The parameters of the security policy for the Untrust -> Trust interzone are as follows:
    
    Name
    
    policy_ipsec_2
    
    Source Zone
    
    untrust
    
    Destination Zone
    
    trust
    
    Source Address/Region
    
    10.1.2.0/24
    
    Destination Address/Region
    
    10.1.1.0/24
    
    Action
    
    Permit
    
    The parameters of the security policy for the Untrust -> Local interzone are as follows:
    
    Name
    
    policy_ipsec_3
    
    Source Zone
    
    untrust
    
    Destination Zone
    
    local
    
    Source Address/Region
    
    1.1.5.1/32
    
    Destination Address/Region
    
    1.1.3.1/32
    
    Action
    
    Permit
    
    The parameters of the security policy for the Local -> Untrust interzone are as follows:
    
    Name
    
    policy_ipsec_4
    
    Source Zone
    
    local
    
    Destination Zone
    
    untrust
    
    Source Address/Region
    
    1.1.3.1/32
    
    Destination Address/Region
    
    1.1.5.1/32
    
    Action
    
    Permit
    
    The local-untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP and port 500 for UDP (port 4500 also in NAT traversal scenarios).
3. Configure a route to the peer end. In this example, the next hop of the route from FW_A to FW_B is 1.1.3.2.
  1. Choose Network > Router > Static Route.
  2. Click Add and set the following parameters.
    
    Destination Address/Mask
    
    10.1.2.0/255.255.255.0
    
    Next Hop
    
    1.1.3.2
  3. Click OK.
  4. Click Add and set the following parameters, and click OK.
    Destination Address/Mask
    
    1.1.5.0/255.255.255.0
    
    Next Hop
    
    1.1.3.2
4. Configure the IPSec tunnel on FW_A.
  1. Choose Network > IPSec > IPSec, click Add, and select Scenario as Site-to-site.
  2. Configure the basic IPSec policy information, specify the remote gateway, and set the pre-shared key to Test!1234.
  3. Under Data Flow to Encrypt, click Add to add a data flow as follows.
    During packet forwarding, the IPSec module is behind the NAT module (NAT server, destination NAT, and source NAT). You need to ensure that the NAT server and destination NAT do not affect the processing of IPSec-protected data flow. The following requirements must be met:
    
    Run the display firewall server-map command to check the source and destination IP addresses in the servermap table.
    
    Ensure that the IPSec-protected data flow does not match the servermap table or reverse servermap table created on the NAT server. Otherwise, destination addresses of packets will be translated.
    
    Run the display acl acl-number commands to check ACL information of the destination NAT policy.
    
    Ensure that the IPSec-protected data flow does not match the destination NAT policy. Otherwise, destination addresses of packets will be translated.
    
    Run the display current-configuration configuration policy-nat command to check source NAT policy information.
    
    Ensure that the IPSec-protected data flow does not match the source NAT policy.
    
    If NAT is required for the IPSec-protected data flow, the ACL needs to match the post-NAT IP address.
  4. Optional: Set the parameters of IPSec and IKE. Use the default parameters in this example. If you want to change the value of a parameter, expand Advanced under IKE/IPSec Proposal. You must ensure that the parameter settings are the same on both tunnel ends.
  5. Click Apply. The configuration of FW_A is complete.
Configure FW_B.
1. Set an IP address for each interface and assign the interfaces to security zones.
  1. Choose Network > Interface.
  2. Click of GE0/0/1> and set the following parameters:
    
    Zone
    
    untrust
    
    IPv4
    
    IP Address
    
    1.1.5.1/24
  3. Click OK.
  4. Repeat the preceding steps to set the parameters of the GE0/0/3 interface.
    
    Zone
    
    trust
    
    IPv4
    
    IP Address
    
    10.1.2.1/24
2. Configure security policies to allow specific subnets to communicate.
  1. Choose Policy > Security Policy > Security Policy.
  2. Click Add and set the parameters of the security policy for the Trust->Untrust interzone as follows:
    
    Name
    
    policy_ipsec_1
    
    Source Zone
    
    trust
    
    Destination Zone
    
    untrust
    
    Source Address/Region
    
    10.1.2.0/24
    
    Destination Address/Region
    
    10.1.1.0/24
    
    Action
    
    Permit
  3. Click OK.
  4. Repeat preceding steps to configure security policies for the Untrust -> Trust, Untrust -> Local, and Local -> Untrust interzones.
    
    The parameters of the security policy for the Untrust -> Trust interzone are as follows:
    
    Name
    
    policy_ipsec_2
    
    Source Zone
    
    untrust
    
    Destination Zone
    
    trust
    
    Source Address/Region
    
    10.1.1.0/24
    
    Destination Address/Region
    
    10.1.2.0/24
    
    Action
    
    Permit
    
    The parameters of the security policy for the Untrust -> Local interzone are as follows:
    
    Name
    
    policy_ipsec_3
    
    Source Zone
    
    untrust
    
    Destination Zone
    
    local
    
    Source Address/Region
    
    1.1.3.1/32
    
    Destination Address/Region
    
    1.1.5.1/32
    
    Action
    
    Permit
    
    The parameters of the security policy for the Local -> Untrust interzone are as follows:
    
    Name
    
    policy_ipsec_4
    
    Source Zone
    
    local
    
    Destination Zone
    
    untrust
    
    Source Address/Region
    
    1.1.5.1/32
    
    Destination Address/Region
    
    1.1.3.1/32
    
    Action
    
    Permit
    
    The local-untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP and port 500 for UDP (port 4500 also in NAT traversal scenarios).
3. Configure a route to the peer end. In this example, the next hop of the route from FW_A to FW_B is 1.1.5.2.
  1. Choose Network > Router > Static Route.
  2. Click Add and set the following parameters.
    
    Destination Address/Mask
    
    10.1.1.0/255.255.255.0
    
    Next Hop
    
    1.1.5.2
  3. Click OK.
  4. Click Add and set the following parameters, and click OK.
    Destination Address/Mask
    
    1.1.3.0/255.255.255.0
    
    Next Hop
    
    1.1.5.2
4. Configure the IPSec tunnel on FW_B.
  1. Choose Network > IPSec > IPSec, click Add, and select Scenario as Site-to-site.
  2. Configure the basic IPSec policy information, specify the remote gateway, and set the pre-shared key to Test!1234.
  3. Under Data Flow to Be Encrypted, click Add to add a data flow as follows.
    During packet forwarding, the IPSec module is behind the NAT module (NAT server, destination NAT, and source NAT). You need to ensure that the NAT server and destination NAT do not affect the processing of IPSec-protected data flow. The following requirements must be met:
    
    Run the display firewall server-map command to check the source and destination IP addresses in the servermap table.
    
    Ensure that the IPSec-protected data flow does not match the servermap table or reverse servermap table created on the NAT server. Otherwise, destination addresses of packets will be translated.
    
    Run the display acl acl-number commands to check ACL information of the destination NAT policy.
    
    Ensure that the IPSec-protected data flow does not match the destination NAT policy. Otherwise, destination addresses of packets will be translated.
    
    Run the display current-configuration configuration policy-nat command to check source NAT policy information.
    
    Ensure that the IPSec-protected data flow does not match the source NAT policy.
    
    If NAT is required for the IPSec-protected data flow, the ACL needs to match the post-NAT IP address.
  4. Optional: Set the parameters of IPSec and IKE. Use the default parameters in this examples. If you want to change the value of a parameter, expand Advanced under IKE/IPSec Proposal. You must ensure that the parameter settings are the same on both tunnel ends.
  5. Click Apply. The configuration of FW_B is complete.

Zone	untrust
IPv4
IP Address	1.1.3.1/24

Zone	trust
IPv4
IP Address	10.1.1.1/24

Name	policy_ipsec_1
Source Zone	trust
Destination Zone	untrust
Source Address/Region	10.1.1.0/24
Destination Address/Region	10.1.2.0/24
Action	Permit

Name	policy_ipsec_2
Source Zone	untrust
Destination Zone	trust
Source Address/Region	10.1.2.0/24
Destination Address/Region	10.1.1.0/24
Action	Permit

Name	policy_ipsec_3
Source Zone	untrust
Destination Zone	local
Source Address/Region	1.1.5.1/32
Destination Address/Region	1.1.3.1/32
Action	Permit

Name	policy_ipsec_4
Source Zone	local
Destination Zone	untrust
Source Address/Region	1.1.3.1/32
Destination Address/Region	1.1.5.1/32
Action	Permit

Destination Address/Mask	10.1.2.0/255.255.255.0
Next Hop	1.1.3.2

Destination Address/Mask	1.1.5.0/255.255.255.0
Next Hop	1.1.3.2

Zone	untrust
IPv4
IP Address	1.1.5.1/24

Zone	trust
IPv4
IP Address	10.1.2.1/24

Name	policy_ipsec_1
Source Zone	trust
Destination Zone	untrust
Source Address/Region	10.1.2.0/24
Destination Address/Region	10.1.1.0/24
Action	Permit

Name	policy_ipsec_2
Source Zone	untrust
Destination Zone	trust
Source Address/Region	10.1.1.0/24
Destination Address/Region	10.1.2.0/24
Action	Permit

Name	policy_ipsec_3
Source Zone	untrust
Destination Zone	local
Source Address/Region	1.1.3.1/32
Destination Address/Region	1.1.5.1/32
Action	Permit

Name	policy_ipsec_4
Source Zone	local
Destination Zone	untrust
Source Address/Region	1.1.5.1/32
Destination Address/Region	1.1.3.1/32
Action	Permit

Destination Address/Mask	10.1.1.0/255.255.255.0
Next Hop	1.1.5.2

Destination Address/Mask	1.1.3.0/255.255.255.0
Next Hop	1.1.5.2

Configuration Verification

Access a host or server on the headquarters network from a host on the branch network. The access succeeds.

On FW_A, choose Network > IPSec > Monitor to display the established tunnels.

Policy Name	Status	Local Address	Peer Address
policy_1	IKE and IPSec negotiations succeed.	1.1.3.1	1.1.5.1

On FW_B, choose Network > IPSec > Monitor to display the established tunnels.

Policy Name	Status	Local Address	Peer Address
policy_1	IKE and IPSec negotiations succeed.	1.1.5.1	1.1.3.1

Configuration Scripts

Configuration script on FW_A:

#
acl number 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm aes-256                                                   
 dh group2                                                                      
 authentication-algorithm sha2-256                                              
 authentication-method pre-share                                                
 integrity-algorithm hmac-sha2-256                                              
 prf hmac-sha2-256 
#
ike peer ike6117323732
 pre-shared-key %$%$c([VET@941t/q_4tS-f7,ri/%$%$
 ike-proposal 1
 remote-id-type ip
 remote-address 1.1.5.1
#
ipsec proposal prop6117323732
 esp authentication-algorithm sha2-256                                          
 esp encryption-algorithm aes-256   
#
ipsec policy ipsec6117323788 1 isakmp
 security acl 3000
 ike-peer ike6117323732
 proposal prop6117323732
 tunnel local 1.1.3.1
#
interface GigabitEthernet0/0/3
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 1.1.3.1 255.255.255.0
 ipsec policy ipsec6117323788
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust 
 set priority 5 
 add interface GigabitEthernet0/0/1
#
ip route-static 1.1.5.0 255.255.255.0 1.1.3.2
ip route-static 10.1.2.0 255.255.255.0 1.1.3.2
#
security-policy
 rule name policy_ipsec_1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  destination-address 10.1.2.0 24
  action permit
 rule name policy_ipsec_2
  source-zone untrust
  destination-zone trust
  source-address 10.1.2.0 24
  destination-address 10.1.1.0 24
  action permit
 rule name policy_ipsec_3
  source-zone untrust
  destination-zone local
  source-address 1.1.5.1 32
  destination-address 1.1.3.1 32
  action permit
 rule name policy_ipsec_4
  source-zone local
  destination-zone untrust
  source-address 1.1.3.1 32
  destination-address 1.1.5.1 32
  action permit

Configuration script on FW_B:

#
acl number 3000
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm aes-256                                                   
 dh group2                                                                      
 authentication-algorithm sha2-256                                              
 authentication-method pre-share                                                
 integrity-algorithm hmac-sha2-256                                              
 prf hmac-sha2-256 
#
ike peer ike6117323732
 pre-shared-key %$%$pFR^=%xE/P^}NS*sN5e(,wne%$%$
 ike-proposal 1
 remote-address 1.1.3.1
#
ipsec proposal prop6117323732
 esp authentication-algorithm sha2-256                                          
 esp encryption-algorithm aes-256 
#
ipsec policy ipsec6117323788 1 isakmp
 security acl 3000
 ike-peer ike6117323732
 proposal prop6117323732
 tunnel local 1.1.5.1
#
interface GigabitEthernet0/0/3
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 1.1.5.1 255.255.255.0
 ipsec policy ipsec6117323788
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust 
 set priority 5 
 add interface GigabitEthernet0/0/1
#
ip route-static 1.1.3.0 255.255.255.0 1.1.5.2
ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
#
security-policy
 rule name policy_ipsec_1
  source-zone trust
  destination-zone untrust
  source-address 10.1.2.0 24
  destination-address 10.1.1.0 24
  action permit
 rule name policy_ipsec_2
  source-zone untrust
  destination-zone trust
  source-address 10.1.1.0 24
  destination-address 10.1.2.0 24
  action permit
 rule name policy_ipsec_3
  source-zone untrust
  destination-zone local
  source-address 1.1.3.1 32
  destination-address 1.1.5.1 32
  action permit
 rule name policy_ipsec_4
  source-zone local
  destination-zone untrust
  source-address 1.1.5.1 32
  destination-address 1.1.3.1 32
  action permit