This example describes how to configure virtual systems
to establish IPSec VPN tunnels with the peer gateway using the same
public IP address in the root system.
Networking Requirements
As shown in Figure 1, FW_A has only one public IP address and multiple virtual systems
use this IP address to establish IPSec VPN tunnels with the peer gateway.
IPSec policies are configured in the root system and applied to the
WAN interface of the root system. The traffic of virtual systems is
protected to implement secure access between the virtual system network
and the peer network.
Figure 1 Networking for configuring multiple virtual systems to establish
IPSec VPN tunnels with the peer gateway using the same public IP address

Data Planning

| Item | Data |
| --- | --- |
| FW_A (public) | WAN interface: GE0/0/1; IP address of the WAN interface: 1.1.1.1/24; security zone of the WAN interface: Untrust |
| | LAN interface: virtual interface Virtual-if0 in public; security zone of the LAN interface: Trust |
| | IPSec configuration: local ID type: IP address; local ID: 1.1.1.1; peer ID type: any; peer ID: 3.3.3.3 (vsysa), 4.4.4.4 (vsysb); authentication mode: pre-shared key; key type: multi-key; pre-shared key: Admin@123 (vsysa), Admin@123 (vsysb) |
| FW_A (vsysa) | WAN interface: virtual interface Virtual-if1 in vsysa; security zone of the WAN interface: Untrust |
| | LAN interface: GE0/0/2; IP address of the LAN interface: 10.1.0.1/24; IP address range of the LAN interface: 10.1.0.0/24; security zone of the LAN interface: Trust |
| FW_A (vsysb) | WAN interface: virtual interface Virtual-if2 in vsysb; security zone of the WAN interface: Untrust |
| | LAN interface: GE0/0/4; IP address of the LAN interface: 10.2.0.1/24; IP address range of the LAN interface: 10.2.0.0/24; security zone of the LAN interface: Trust |
| FW_B | Interface: GE0/0/1; IP address: 3.3.3.3/24; security zone of the interface: Untrust |
| | Interface: GE0/0/2; IP address: 10.3.0.1/24; IP address range of the LAN interface: 10.3.0.0/24; security zone of the interface: Trust |
| | IPSec configuration: peer IP address: 1.1.1.1/24; authentication mode: pre-shared key; pre-shared key: Admin@123; local ID: IP address; peer ID: any |
| FW_C | Interface: GE0/0/1; IP address: 4.4.4.4/24; security zone of the interface: Untrust |
| | Interface: GE0/0/2; IP address: 10.4.0.1/24; IP address range of the LAN interface: 10.4.0.0/24; security zone of the interface: Trust |
| | IPSec configuration: peer IP address: 1.1.1.1/24; authentication mode: pre-shared key; pre-shared key: Admin@123; local ID: IP address; peer ID: any |
Configuration Roadmap
The configuration roadmap is the same in vsysa and vsysb, and on FW_B and FW_C. This section uses vsysa and FW_B as examples to describe how to configure virtual systems to establish IPSec VPN tunnels with the peer gateway using the same public IP address. For the configurations of vsysb and FW_C, refer to those of vsysa and FW_B.
For FW_A:
- In the root system, create virtual system vsysa and allocate
resources to it.
- Complete basic configurations of interfaces, routes, and security
policies in the root system.
- Complete basic configurations of interfaces, routes, and security
policies in vsysa.
- Configure IPSec policies in the root system and bind them to vsysa.
For FW_B:
- Complete basic interface configurations.
- Configure security policies to allow specific subnets to communicate.
- Configure a route to the peer virtual system.
- Configure IPSec policies, including basic IPSec policy information,
data flow to be protected by IPSec, and negotiation parameters of
security proposals.
Procedure
- Configure FW_A.
- Enable virtual systems.
<sysname> system-view
[sysname] sysname FW_A
[FW_A] vsys enable
- Create virtual system vsysa and allocate resources
to it.
# Configure resource class r1 and set the reserved
number and maximum number of IPSec tunnels.
[FW_A] resource-class r1
[FW_A-resource-class-r1] resource-item-limit ipsec-tunnel reserved-number 10 maximum 500
[FW_A-resource-class-r1] quit
# Create virtual system vsysa.
[FW_A] vsys name vsysa
[FW_A-vsys-vsysa] assign interface GigabitEthernet 0/0/2
[FW_A-vsys-vsysa] assign resource-class r1
[FW_A-vsys-vsysa] quit
- Configure parameters for GE0/0/1 and Virtual-if0.
# Configure GE0/0/1.
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ip address 1.1.1.1 255.255.255.0
[FW_A-GigabitEthernet0/0/1] quit
# Configure Virtual-if0.
[FW_A] interface Virtual-if0
[FW_A-Virtual-if0] ip address 172.16.0.1 255.255.255.0
[FW_A-Virtual-if0] quit
- In the root system, set IP addresses for the interfaces
and assign the interfaces to security zones.
# Add Virtual-if0 to the Trust zone.
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface Virtual-if0
[FW_A-zone-trust] quit
# Add GE0/0/1 to the Untrust zone.
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_A-zone-untrust] quit
- Configure routes in the root system. Assume that the
next-hop IP address of the route from FW_A to the Internet is
1.1.1.2.
# If users in the root system need to access hosts in vsysa, you must configure a static route from the root system
to vsysa.
[FW_A] ip route-static 10.1.0.0 255.255.255.0 vpn-instance vsysa
Packets sent from the peer through the IPSec tunnel are decapsulated and forwarded to the corresponding virtual system by looking up the flow table. The static route configured here is not used for reverse packet forwarding during IPSec communication.
# Configure a default route to the Internet.
[FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
- Configure interzone security policies in the root system.
# Configure a security policy from the Trust zone to the
Untrust zone, allowing intranet users to access the Internet.
[FW_A] security-policy
[FW_A-policy-security] rule name to_internet
[FW_A-policy-security-rule-to_internet] source-zone trust
[FW_A-policy-security-rule-to_internet] destination-zone untrust
[FW_A-policy-security-rule-to_internet] action permit
[FW_A-policy-security-rule-to_internet] quit
Virtual system administrators can configure stricter security policies based on the IP addresses of intranet employees. Therefore, the root system administrator does not need to specify the IP address range.
# Configure a security policy
from the Local zone to the Untrust zone.
[FW_A-policy-security] rule name sec_policy_1
[FW_A-policy-security-rule-sec_policy_1] source-zone local
[FW_A-policy-security-rule-sec_policy_1] destination-zone untrust
[FW_A-policy-security-rule-sec_policy_1] source-address 1.1.1.1 mask 255.255.255.255
[FW_A-policy-security-rule-sec_policy_1] destination-address 3.3.3.3 mask 255.255.255.255
[FW_A-policy-security-rule-sec_policy_1] action permit
[FW_A-policy-security-rule-sec_policy_1] quit
# Configure a security policy from the Untrust zone to
the Local zone.
[FW_A-policy-security] rule name sec_policy_2
[FW_A-policy-security-rule-sec_policy_2] source-zone untrust
[FW_A-policy-security-rule-sec_policy_2] destination-zone local
[FW_A-policy-security-rule-sec_policy_2] source-address 3.3.3.3 mask 255.255.255.255
[FW_A-policy-security-rule-sec_policy_2] destination-address 1.1.1.1 mask 255.255.255.255
[FW_A-policy-security-rule-sec_policy_2] action permit
[FW_A-policy-security-rule-sec_policy_2] quit
[FW_A-policy-security] quit
The local-untrust interzone policy controls whether IKE negotiation packets can pass through the FW. The policy can match on the source and destination addresses, on the protocol, or on the port. In this example, the source and destination addresses are used as the matching condition. To match on the protocol or port instead, permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).
- Access vsysa and configure parameters for GE0/0/2 and Virtual-if1.
# Configure GE0/0/2.
[FW_A] switch vsys vsysa
<FW_A-vsysa> system-view
[FW_A-vsysa] interface GigabitEthernet 0/0/2
[FW_A-vsysa-GigabitEthernet0/0/2] ip address 10.1.0.1 255.255.255.0
[FW_A-vsysa-GigabitEthernet0/0/2] quit
# Configure Virtual-if1.
[FW_A-vsysa] interface Virtual-if1
[FW_A-vsysa-Virtual-if1] ip address 172.16.1.1 255.255.255.0
[FW_A-vsysa-Virtual-if1] quit
- In vsysa, set IP addresses for the interfaces
and assign the interfaces to security zones.
# Add GE0/0/2 to the Trust zone.
[FW_A-vsysa] firewall zone trust
[FW_A-vsysa-zone-trust] add interface GigabitEthernet 0/0/2
[FW_A-vsysa-zone-trust] quit
# Add Virtual-if1 to the Untrust zone.
[FW_A-vsysa] firewall zone untrust
[FW_A-vsysa-zone-untrust] add interface Virtual-if1
[FW_A-vsysa-zone-untrust] quit
- Configure interzone security policies in vsysa.
# Configure a security policy from the Trust zone to the
Untrust zone.
[FW_A-vsysa] security-policy
[FW_A-vsysa-policy-security] rule name sec_policy_1
[FW_A-vsysa-policy-security-rule-sec_policy_1] source-zone trust
[FW_A-vsysa-policy-security-rule-sec_policy_1] destination-zone untrust
[FW_A-vsysa-policy-security-rule-sec_policy_1] source-address 10.1.0.0 mask 255.255.255.0
[FW_A-vsysa-policy-security-rule-sec_policy_1] destination-address 10.3.0.0 mask 255.255.255.0
[FW_A-vsysa-policy-security-rule-sec_policy_1] action permit
[FW_A-vsysa-policy-security-rule-sec_policy_1] quit
# Configure a security policy from the Untrust zone to
the Trust zone.
[FW_A-vsysa-policy-security] rule name sec_policy_2
[FW_A-vsysa-policy-security-rule-sec_policy_2] source-zone untrust
[FW_A-vsysa-policy-security-rule-sec_policy_2] destination-zone trust
[FW_A-vsysa-policy-security-rule-sec_policy_2] source-address 10.3.0.0 mask 255.255.255.0
[FW_A-vsysa-policy-security-rule-sec_policy_2] destination-address 10.1.0.0 mask 255.255.255.0
[FW_A-vsysa-policy-security-rule-sec_policy_2] action permit
[FW_A-vsysa-policy-security-rule-sec_policy_2] quit
- Return to the root system. Configure an IPSec policy and apply the IPSec policy to the interface.
# Return to the root system.
[FW_A-vsysa] return
<FW_A> system-view
# Configure an IPSec proposal. If you use the default parameters, skip this step.
[FW_A] ipsec proposal tran1
[FW_A-ipsec-proposal-tran1] encapsulation-mode auto
[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_A-ipsec-proposal-tran1] quit
# Configure an IKE proposal.
[FW_A] ike proposal 1
[FW_A-ike-proposal-1] encryption-algorithm aes-256
[FW_A-ike-proposal-1] authentication-algorithm sha2-256
[FW_A-ike-proposal-1] authentication-method pre-share
[FW_A-ike-proposal-1] integrity-algorithm hmac-sha2-256
[FW_A-ike-proposal-1] prf hmac-sha2-256
[FW_A-ike-proposal-1] dh group2
[FW_A-ike-proposal-1] quit
# Create an IKE user table, access the IKE user table view, and configure user vsysa.
[FW_A] ike user-table 1
[FW_A-ike-user-table-1] user vsysa
[FW_A-ike-user-table-1-vsysa] id-type any 3.3.3.3
[FW_A-ike-user-table-1-vsysa] pre-shared-key Admin@123
[FW_A-ike-user-table-1-vsysa] vpn-instance-traffic name vsysa
[FW_A-ike-user-table-1-vsysa] quit
[FW_A-ike-user-table-1] quit
# Configure an IKE peer.
[FW_A] ike peer a
[FW_A-ike-peer-a] ike-proposal 1
[FW_A-ike-peer-a] local-id 1.1.1.1
[FW_A-ike-peer-a] user-table 1
[FW_A-ike-peer-a] quit
# Create an IPSec policy template and access the IPSec policy template view.
[FW_A] ipsec policy-template template1 1
[FW_A-ipsec-policy-template-template1-1] ike-peer a
[FW_A-ipsec-policy-template-template1-1] proposal tran1
[FW_A-ipsec-policy-template-template1-1] route inject dynamic
[FW_A-ipsec-policy-template-template1-1] quit
# Reference the IPSec policy template in the IPSec policy.
[FW_A] ipsec policy ipsec1 1 isakmp template template1
# Apply IPSec policy group ipsec1 to GigabitEthernet 0/0/1.
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ipsec policy ipsec1
[FW_A-GigabitEthernet0/0/1] quit
- Configure FW_B.
- Configure parameters for GE0/0/1 and GE0/0/2.
# Configure GE0/0/1.
<sysname> system-view
[sysname] sysname FW_B
[FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] ip address 3.3.3.3 255.255.255.0
[FW_B-GigabitEthernet0/0/1] quit
# Configure GE0/0/2.
[FW_B] interface GigabitEthernet 0/0/2
[FW_B-GigabitEthernet0/0/2] ip address 10.3.0.1 255.255.255.0
[FW_B-GigabitEthernet0/0/2] quit
- Assign interfaces to security zones.
# Add GE0/0/2 to the Trust zone.
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 0/0/2
[FW_B-zone-trust] quit
# Add GE0/0/1 to the Untrust zone.
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_B-zone-untrust] quit
- Configure a route to the peer network and a default
route to the Internet. Assume that the next-hop IP address of the
route from FW_B to the
Internet is 3.3.3.4.
# Configure a route to the peer network.
[FW_B] ip route-static 10.1.0.0 255.255.255.0 3.3.3.4
# Configure a default route to the Internet.
[FW_B] ip route-static 0.0.0.0 0.0.0.0 3.3.3.4
- Configure interzone security policies.
# Configure a security policy from the Trust zone to the
Untrust zone.
[FW_B] security-policy
[FW_B-policy-security] rule name sec_policy_1
[FW_B-policy-security-rule-sec_policy_1] source-zone trust
[FW_B-policy-security-rule-sec_policy_1] destination-zone untrust
[FW_B-policy-security-rule-sec_policy_1] source-address 10.3.0.0 mask 255.255.255.0
[FW_B-policy-security-rule-sec_policy_1] destination-address 10.1.0.0 mask 255.255.255.0
[FW_B-policy-security-rule-sec_policy_1] action permit
[FW_B-policy-security-rule-sec_policy_1] quit
# Configure a security policy from the Untrust zone to
the Trust zone.
[FW_B-policy-security] rule name sec_policy_2
[FW_B-policy-security-rule-sec_policy_2] source-zone untrust
[FW_B-policy-security-rule-sec_policy_2] destination-zone trust
[FW_B-policy-security-rule-sec_policy_2] source-address 10.1.0.0 mask 255.255.255.0
[FW_B-policy-security-rule-sec_policy_2] destination-address 10.3.0.0 mask 255.255.255.0
[FW_B-policy-security-rule-sec_policy_2] action permit
[FW_B-policy-security-rule-sec_policy_2] quit
# Configure a security policy from the Local zone to the
Untrust zone.
[FW_B-policy-security] rule name sec_policy_3
[FW_B-policy-security-rule-sec_policy_3] source-zone local
[FW_B-policy-security-rule-sec_policy_3] destination-zone untrust
[FW_B-policy-security-rule-sec_policy_3] source-address 3.3.3.3 mask 255.255.255.255
[FW_B-policy-security-rule-sec_policy_3] destination-address 1.1.1.1 mask 255.255.255.255
[FW_B-policy-security-rule-sec_policy_3] action permit
[FW_B-policy-security-rule-sec_policy_3] quit
# Configure a security policy from the Untrust zone to
the Local zone.
[FW_B-policy-security] rule name sec_policy_4
[FW_B-policy-security-rule-sec_policy_4] source-zone untrust
[FW_B-policy-security-rule-sec_policy_4] destination-zone local
[FW_B-policy-security-rule-sec_policy_4] source-address 1.1.1.1 mask 255.255.255.255
[FW_B-policy-security-rule-sec_policy_4] destination-address 3.3.3.3 mask 255.255.255.255
[FW_B-policy-security-rule-sec_policy_4] action permit
[FW_B-policy-security-rule-sec_policy_4] quit
[FW_B-policy-security] quit
The local-untrust interzone policy controls whether IKE negotiation packets can pass through the FW. The policy can match on the source and destination addresses, on the protocol, or on the port. In this example, the source and destination addresses are used as the matching condition. To match on the protocol or port instead, permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).
- Configure an IPSec policy on FW_B and apply the IPSec policy to the interface.
# Define the data flow to be protected. Configure advanced ACL 3000, allowing network segment 10.3.0.0/24 to access network segment 10.1.0.0/24.
[FW_B] acl 3000
[FW_B-acl-adv-3000] rule 5 permit ip source 10.3.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
[FW_B-acl-adv-3000] quit
# Configure an IPSec proposal. If you use the default parameters, skip this step.
[FW_B] ipsec proposal tran1
[FW_B-ipsec-proposal-tran1] encapsulation-mode auto
[FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_B-ipsec-proposal-tran1] quit
# Configure an IKE proposal.
[FW_B] ike proposal 1
[FW_B-ike-proposal-1] encryption-algorithm aes-256
[FW_B-ike-proposal-1] authentication-algorithm sha2-256
[FW_B-ike-proposal-1] authentication-method pre-share
[FW_B-ike-proposal-1] integrity-algorithm hmac-sha2-256
[FW_B-ike-proposal-1] prf hmac-sha2-256
[FW_B-ike-proposal-1] dh group2
[FW_B-ike-proposal-1] quit
# Configure an IKE peer.
[FW_B] ike peer a
[FW_B-ike-peer-a] ike-proposal 1
[FW_B-ike-peer-a] remote-address 1.1.1.1
[FW_B-ike-peer-a] pre-shared-key Admin@123
[FW_B-ike-peer-a] quit
# Create an IPSec policy.
[FW_B] ipsec policy ipsec1 1 isakmp
[FW_B-ipsec-policy-isakmp-ipsec1-1] security acl 3000
[FW_B-ipsec-policy-isakmp-ipsec1-1] proposal tran1
[FW_B-ipsec-policy-isakmp-ipsec1-1] ike-peer a
[FW_B-ipsec-policy-isakmp-ipsec1-1] quit
# Apply IPSec policy group ipsec1 to GigabitEthernet 0/0/1.
[FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] ipsec policy ipsec1
[FW_B-GigabitEthernet0/0/1] quit
Verification
After the configuration is complete, run the ping command on the PC in network A to trigger IKE negotiation. If the IKE negotiation succeeds, a tunnel is established and the PC in network C can be pinged. If the IKE negotiation fails, no tunnel is established and the PC in network C cannot be pinged.
On FW_A and FW_B, run the display ike sa and display ipsec sa commands to check whether the SAs are established. Take FW_B as an example. If the following information is displayed, the IKE and IPSec SAs are successfully established.
<FW_B> display ike sa
Ike sa information :
Conn-ID Peer VPN Flag(s) Phase
------------------------------------------------------------------------------
16777239 1.1.1.1 RD|ST|A v2:2
16777232 1.1.1.1 RD|ST|A v2:1
Number of SA entries : 2
Number of SA entries of all cpu : 2
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
<FW_B> display ipsec sa
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/1
===============================
-----------------------------
IPSec policy name: "ipsec1"
Sequence number : 1
Acl group : 3000
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 83903371
Encapsulation mode: Tunnel
Tunnel local : 3.3.3.3
Tunnel remote : 1.1.1.1
Flow source : 10.3.0.1/255.255.255.255 0/0
Flow destination : 10.1.0.1/255.255.255.255 0/0
[Outbound ESP SAs]
SPI: 763065754 (0x2d7b759a)
Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128
SA remaining key duration (kilobytes/sec): 0/3079
Max sent sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/kilobytes): 4/0
[Inbound ESP SAs]
SPI: 163241969 (0x9badff1)
Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128
SA remaining key duration (kilobytes/sec): 0/3079
Max received sequence-number: 3203668
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/kilobytes): 4/0
Anti-replay : Disable
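As an added example that is not part of the original page, the following Python script parses the two verification outputs above and checks them against the intended design on FW_B: both IKEv2 phases READY with peer 1.1.1.1, ESP proposals AES-256 with SHA2-256 in both directions, and anti-replay enabled. The sample text is the page's own output embedded inline as constructed test data; the expected values are assumptions taken from the data plan.

```python
# Added example (not from the original page): check FW_B's `display ike sa` and
# `display ipsec sa` output against the intended design. The expected values
# (peer 1.1.1.1, AES-256 with SHA2-256) are assumptions taken from the data plan.
# Sample input below is the page's verification output, trimmed and embedded
# (constructed test data) so the script runs offline.
IKE_SA_OUTPUT = """\
Ike sa information :
Conn-ID Peer VPN Flag(s) Phase
------------------------------------------------------------------------------
16777239 1.1.1.1 RD|ST|A v2:2
16777232 1.1.1.1 RD|ST|A v2:1
Number of SA entries : 2
"""
IPSEC_SA_OUTPUT = """\
Tunnel local : 3.3.3.3
Tunnel remote : 1.1.1.1
[Outbound ESP SAs]
Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128
[Inbound ESP SAs]
Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128
Anti-replay : Disable
"""


def parse_ike_sa(text):
    """One dict per SA row: conn_id, peer, vpn, flags (set) and phase."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows: numeric Conn-ID first, phase (e.g. v2:1) last; VPN may be blank.
        if len(parts) not in (4, 5) or not parts[0].isdigit() or ":" not in parts[-1]:
            continue
        rows.append({"conn_id": int(parts[0]), "peer": parts[1], "phase": parts[-1],
                     "vpn": parts[2] if len(parts) == 5 else None,
                     "flags": set(parts[-2].split("|"))})
    return rows


def check_ike_sa(text, expected_peer):
    """IKEv2: v2:1 is the IKE SA, v2:2 the child SA; both must be READY (RD)."""
    rows = [r for r in parse_ike_sa(text) if r["peer"] == expected_peer]
    ready = {r["phase"] for r in rows if "RD" in r["flags"]}
    problems = [f"no READY {name} ({phase}) with peer {expected_peer}"
                for phase, name in (("v2:1", "IKE SA"), ("v2:2", "child SA"))
                if phase not in ready]
    if any("NEG" in r["flags"] for r in rows):
        problems.append(f"an SA with peer {expected_peer} is still negotiating")
    return problems


def parse_ipsec_sa(text):
    """Tunnel endpoints, per-direction ESP proposals and anti-replay state."""
    info, direction = {"proposals": {}}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[Outbound"):
            direction = "outbound"
        elif line.startswith("[Inbound"):
            direction = "inbound"
        elif ":" in line:
            key, _, value = (s.strip() for s in line.partition(":"))
            if key == "Proposal" and direction:
                info["proposals"][direction] = value
            elif key in ("Tunnel local", "Tunnel remote", "Anti-replay"):
                info[key] = value
    return info


def check_ipsec_sa(text, expected_peer, expected_cipher, expected_auth):
    """Expected peer and ESP algorithms both ways; anti-replay off is a review item."""
    info = parse_ipsec_sa(text)
    problems = []
    if info.get("Tunnel remote") != expected_peer:
        problems.append(f"tunnel remote {info.get('Tunnel remote')} != {expected_peer}")
    for direction in ("outbound", "inbound"):
        proposal = info["proposals"].get(direction, "")
        if expected_cipher not in proposal or expected_auth not in proposal:
            problems.append(f"{direction} ESP proposal {proposal!r} is not "
                            f"{expected_cipher}/{expected_auth}")
    if info.get("Anti-replay", "").lower() != "enable":
        problems.append("anti-replay is not enabled on this SA")
    return problems


if __name__ == "__main__":
    print(check_ike_sa(IKE_SA_OUTPUT, "1.1.1.1"))
    print(check_ipsec_sa(IPSEC_SA_OUTPUT, "1.1.1.1", "AES-256", "SHA2-256"))
```

Run against the page's sample, the IKE check returns no problems and the IPSec check reports only that anti-replay is disabled.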
Configuration Scripts
The configuration script of the root system on FW_A:
#
sysname FW_A
#
vsys enable
#
resource-class r1
resource-item-limit ipsec-tunnel reserved-number 10 maximum 500
#
vsys name vsysa 1
assign interface GigabitEthernet0/0/2
assign resource-class r1
#
vsys name vsysb 2
assign interface GigabitEthernet0/0/3
assign resource-class r1
#
ipsec proposal tran1
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1
encryption-algorithm aes-256
dh group2
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike user-table 1
user vsysa
id-type any 3.3.3.3
pre-shared-key %^%#V}9n%q.+sR7c'lP8K~+E4k=dT%&\bM,4rj=i%<*%^%#
vpn-instance-traffic name vsysa
user vsysb
id-type any 4.4.4.4
pre-shared-key %^%#V}9n%q.+sR7c'lP8K~+E4k=dT%&\bM,4rj=i%<*%^%#
vpn-instance-traffic name vsysb
#
ike peer a
exchange-mode auto
ike-proposal 1
local-id 1.1.1.1
user-table 1
#
ipsec policy-template template1 1
ike-peer a
proposal tran1
route inject dynamic
#
ipsec policy ipsec1 1 isakmp template template1
#
interface GigabitEthernet0/0/1
ip address 1.1.1.1 255.255.255.0
ipsec policy ipsec1
#
interface GigabitEthernet0/0/2
ip binding vpn-instance vsysa
ip address 10.1.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
ip binding vpn-instance vsysb
ip address 10.2.0.1 255.255.255.0
#
interface Virtual-if0
ip address 172.16.0.1 255.255.255.0
#
interface Virtual-if1
ip address 172.16.1.1 255.255.255.0
#
interface Virtual-if2
ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface Virtual-if0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
action permit
rule name sec_policy_1
source-zone local
destination-zone untrust
source-address 1.1.1.1 mask 255.255.255.255
action permit
rule name sec_policy_2
source-zone untrust
destination-zone local
destination-address 1.1.1.1 mask 255.255.255.255
action permit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
ip route-static 10.1.0.0 255.255.255.0 vpn-instance vsysa
ip route-static 10.2.0.0 255.255.255.0 vpn-instance vsysb
The configuration script of vsysa on FW_A:
#
switch vsys vsysa
#
interface GigabitEthernet0/0/2
ip binding vpn-instance vsysa
ip address 10.1.0.1 255.255.255.0
#
interface Virtual-if1
ip address 172.16.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/2
#
firewall zone untrust
set priority 5
add interface Virtual-if1
#
security-policy
rule name sec_policy_1
source-zone trust
destination-zone untrust
source-address 10.1.0.0 mask 255.255.255.0
destination-address 10.3.0.0 mask 255.255.255.0
action permit
rule name sec_policy_2
source-zone untrust
destination-zone trust
source-address 10.3.0.0 mask 255.255.255.0
destination-address 10.1.0.0 mask 255.255.255.0
action permit
#
return
The configuration script of vsysb on FW_A:
#
switch vsys vsysb
#
interface GigabitEthernet0/0/3
ip binding vpn-instance vsysb
ip address 10.2.0.1 255.255.255.0
#
interface Virtual-if2
ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/3
#
firewall zone untrust
set priority 5
add interface Virtual-if2
#
security-policy
rule name sec_policy_1
source-zone trust
destination-zone untrust
source-address 10.2.0.0 mask 255.255.255.0
destination-address 10.4.0.0 mask 255.255.255.0
action permit
rule name sec_policy_2
source-zone untrust
destination-zone trust
source-address 10.4.0.0 mask 255.255.255.0
destination-address 10.2.0.0 mask 255.255.255.0
action permit
#
return
The configuration script on FW_B:
#
sysname FW_B
#
acl number 3000
rule 5 permit ip source 10.3.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
#
ipsec proposal tran1
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1
encryption-algorithm aes-256
dh group2
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer a
exchange-mode auto
pre-shared-key %^%#@ama1^ws3/PX+B.f~tnNDy(q~gjoR%dmP6.\U#5~%^%#
ike-proposal 1
remote-address 1.1.1.1
#
ipsec policy ipsec1 1 isakmp
security acl 3000
ike-peer a
proposal tran1
#
interface GigabitEthernet0/0/1
ip address 3.3.3.3 255.255.255.0
ipsec policy ipsec1
#
interface GigabitEthernet0/0/2
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 3.3.3.4
ip route-static 10.1.0.0 255.255.255.0 3.3.3.4
#
security-policy
rule name sec_policy_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 mask 255.255.255.0
destination-address 10.1.0.0 mask 255.255.255.0
action permit
rule name sec_policy_2
source-zone untrust
destination-zone trust
source-address 10.1.0.0 mask 255.255.255.0
destination-address 10.3.0.0 mask 255.255.255.0
action permit
rule name sec_policy_3
source-zone local
destination-zone untrust
source-address 3.3.3.3 mask 255.255.255.255
destination-address 1.1.1.1 mask 255.255.255.255
action permit
rule name sec_policy_4
source-zone untrust
destination-zone local
source-address 1.1.1.1 mask 255.255.255.255
destination-address 3.3.3.3 mask 255.255.255.255
action permit
The configuration script on FW_C:
#
sysname FW_C
#
acl number 3000
rule 5 permit ip source 10.4.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
#
ipsec proposal tran1
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1
encryption-algorithm aes-256
dh group2
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer a
exchange-mode auto
pre-shared-key %^%#@ama1^ws3/PX+B.f~tnNDy(q~gjoR%dmP6.\U#5~%^%#
ike-proposal 1
remote-address 1.1.1.1
#
ipsec policy ipsec1 1 isakmp
security acl 3000
ike-peer a
proposal tran1
#
interface GigabitEthernet0/0/1
ip address 4.4.4.4 255.255.255.0
ipsec policy ipsec1
#
interface GigabitEthernet0/0/2
ip address 10.4.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 4.4.4.5
ip route-static 10.2.0.0 255.255.255.0 4.4.4.5
#
security-policy
rule name sec_policy_1
source-zone trust
destination-zone untrust
source-address 10.4.0.0 mask 255.255.255.0
destination-address 10.2.0.0 mask 255.255.255.0
action permit
rule name sec_policy_2
source-zone untrust
destination-zone trust
source-address 10.2.0.0 mask 255.255.255.0
destination-address 10.4.0.0 mask 255.255.255.0
action permit
rule name sec_policy_3
source-zone local
destination-zone untrust
source-address 4.4.4.4 mask 255.255.255.255
destination-address 1.1.1.1 mask 255.255.255.255
action permit
rule name sec_policy_4
source-zone untrust
destination-zone local
source-address 1.1.1.1 mask 255.255.255.255
destination-address 4.4.4.4 mask 255.255.255.255
action permit