
Web: Example for Configuring Site-to-Site IPSec VPN Using Pre-shared Key Authentication

This section describes how to configure the IPSec VPN tunnel between two gateways with fixed IP addresses. In this example, both ends can initiate negotiations.

Networking Requirements

As shown in Figure 1, FW_A connects network A to the Internet and FW_B connects network B to the Internet. The networking requirements are as follows:

  • Network A (10.1.1.0/24) is connected to GigabitEthernet 0/0/3 of FW_A.

  • Network B (10.1.2.0/24) is connected to GigabitEthernet 0/0/3 of FW_B.

  • FW_A and FW_B can reach each other over the Internet.

The purpose of this networking is to set up an IPSec tunnel between FW_A and FW_B so that users on network A and network B can communicate with each other.

Figure 1 Networking diagram of configuring a site-to-site IPSec tunnel

Data Planning

FW_A

  Interface: GigabitEthernet 0/0/3
    IP address: 10.1.1.1/24
    Security zone: Trust

  Interface: GigabitEthernet 0/0/1
    IP address: 1.1.3.1/24
    Security zone: Untrust

  IPSec configuration
    Scenario: Site-to-site
    Peer IP Address: 1.1.5.1
    Authentication Type: Pre-Shared Key
    Pre-Shared Key: Test!1234
    Local ID: IP Address
    Peer ID: IP Address

FW_B

  Interface: GigabitEthernet 0/0/1
    IP address: 1.1.5.1/24
    Security zone: Untrust

  Interface: GigabitEthernet 0/0/3
    IP address: 10.1.2.1/24
    Security zone: Trust

  IPSec configuration
    Scenario: Site-to-site
    Peer IP Address: 1.1.3.1
    Authentication Type: Pre-Shared Key
    Pre-Shared Key: Test!1234
    Local ID: IP Address
    Peer ID: IP Address

Configuration Roadmap

The procedure and roadmap for configuring FW_A and FW_B are similar:

  1. Configure interfaces.
  2. Configure security policies to allow specific subnets to communicate.
  3. Create a static route to the peer end.
  4. Configure the IPSec policy, including basic IPSec policy information, data flow to be protected by IPSec, and proposal parameters for security association negotiation.

Procedure

  • Configure FW_A.
    1. Set an IP address for each interface and assign the interfaces to security zones.

      1. Choose Network > Interface.
      2. Click the edit icon of GE0/0/1 and set the following parameters:

        Zone: untrust

        IPv4 IP Address: 1.1.3.1/24

      3. Click OK.
      4. Repeat the preceding steps to set the parameters of the GE0/0/3 interface.

        Zone: trust

        IPv4 IP Address: 10.1.1.1/24

    2. Configure security policies to allow specific subnets to communicate.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add and set the parameters of the security policy for the Trust->Untrust interzone as follows:

        Name: policy_ipsec_1
        Source Zone: trust
        Destination Zone: untrust
        Source Address/Region: 10.1.1.0/24
        Destination Address/Region: 10.1.2.0/24
        Action: Permit

      3. Click OK.
      4. Repeat preceding steps to configure security policies for the Untrust -> Trust, Untrust -> Local, and Local -> Untrust interzones.

        The parameters of the security policy for the Untrust -> Trust interzone are as follows:

        Name: policy_ipsec_2
        Source Zone: untrust
        Destination Zone: trust
        Source Address/Region: 10.1.2.0/24
        Destination Address/Region: 10.1.1.0/24
        Action: Permit

        The parameters of the security policy for the Untrust -> Local interzone are as follows:

        Name: policy_ipsec_3
        Source Zone: untrust
        Destination Zone: local
        Source Address/Region: 1.1.5.1/32
        Destination Address/Region: 1.1.3.1/32
        Action: Permit

        The parameters of the security policy for the Local -> Untrust interzone are as follows:

        Name: policy_ipsec_4
        Source Zone: local
        Destination Zone: untrust
        Source Address/Region: 1.1.3.1/32
        Destination Address/Region: 1.1.5.1/32
        Action: Permit

        The Local -> Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. The policy can match on source and destination addresses, on protocol, or on port. In this example, the source and destination addresses are used as the matching condition. To match on protocol or port instead, you need to permit ESP (IP protocol 50) and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

    3. Configure a route to the peer end. In this example, the next hop of the route from FW_A to FW_B is 1.1.3.2.

      1. Choose Network > Router > Static Route.

      2. Click Add and set the following parameters.

        Destination Address/Mask: 10.1.2.0/255.255.255.0
        Next Hop: 1.1.3.2

      3. Click OK.

      4. Click Add and set the following parameters, and click OK.

        Destination Address/Mask: 1.1.5.0/255.255.255.0
        Next Hop: 1.1.3.2

    4. Configure the IPSec tunnel on FW_A.

      1. Choose Network > IPSec > IPSec, click Add, and set Scenario to Site-to-site.

      2. Configure the basic IPSec policy information, specify the remote gateway, and set the pre-shared key to Test!1234.

      3. Under Data Flow to Encrypt, click Add to add a data flow as follows.

        During packet forwarding, the IPSec module is behind the NAT module (NAT server, destination NAT, and source NAT). You need to ensure that the NAT server and destination NAT do not affect the processing of IPSec-protected data flow. The following requirements must be met:

        • Run the display firewall server-map command to check the source and destination IP addresses in the servermap table.

          Ensure that the IPSec-protected data flow does not match the servermap table or reverse servermap table created on the NAT server. Otherwise, destination addresses of packets will be translated.

        • Run the display acl acl-number command to check the ACL information of the destination NAT policy.

          Ensure that the IPSec-protected data flow does not match the destination NAT policy. Otherwise, destination addresses of packets will be translated.

        • Run the display current-configuration configuration policy-nat command to check source NAT policy information.

          Ensure that the IPSec-protected data flow does not match the source NAT policy.

        If NAT is required for the IPSec-protected data flow, the ACL needs to match the post-NAT IP address.

      4. Optional: Set the parameters of IPSec and IKE. Use the default parameters in this example. If you want to change the value of a parameter, expand Advanced under IKE/IPSec Proposal. You must ensure that the parameter settings are the same on both tunnel ends.
      5. Click Apply. The configuration of FW_A is complete.

  • Configure FW_B.
    1. Set an IP address for each interface and assign the interfaces to security zones.

      1. Choose Network > Interface.
      2. Click the edit icon of GE0/0/1 and set the following parameters:

        Zone: untrust

        IPv4 IP Address: 1.1.5.1/24

      3. Click OK.
      4. Repeat the preceding steps to set the parameters of the GE0/0/3 interface.

        Zone: trust

        IPv4 IP Address: 10.1.2.1/24

    2. Configure security policies to allow specific subnets to communicate.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add and set the parameters of the security policy for the Trust->Untrust interzone as follows:

        Name: policy_ipsec_1
        Source Zone: trust
        Destination Zone: untrust
        Source Address/Region: 10.1.2.0/24
        Destination Address/Region: 10.1.1.0/24
        Action: Permit

      3. Click OK.
      4. Repeat preceding steps to configure security policies for the Untrust -> Trust, Untrust -> Local, and Local -> Untrust interzones.

        The parameters of the security policy for the Untrust -> Trust interzone are as follows:

        Name: policy_ipsec_2
        Source Zone: untrust
        Destination Zone: trust
        Source Address/Region: 10.1.1.0/24
        Destination Address/Region: 10.1.2.0/24
        Action: Permit

        The parameters of the security policy for the Untrust -> Local interzone are as follows:

        Name: policy_ipsec_3
        Source Zone: untrust
        Destination Zone: local
        Source Address/Region: 1.1.3.1/32
        Destination Address/Region: 1.1.5.1/32
        Action: Permit

        The parameters of the security policy for the Local -> Untrust interzone are as follows:

        Name: policy_ipsec_4
        Source Zone: local
        Destination Zone: untrust
        Source Address/Region: 1.1.5.1/32
        Destination Address/Region: 1.1.3.1/32
        Action: Permit

        The Local -> Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. The policy can match on source and destination addresses, on protocol, or on port. In this example, the source and destination addresses are used as the matching condition. To match on protocol or port instead, you need to permit ESP (IP protocol 50) and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

    3. Configure a route to the peer end. In this example, the next hop of the route from FW_B to FW_A is 1.1.5.2.

      1. Choose Network > Router > Static Route.
      2. Click Add and set the following parameters.

        Destination Address/Mask: 10.1.1.0/255.255.255.0
        Next Hop: 1.1.5.2

      3. Click OK.

      4. Click Add and set the following parameters, and click OK.

        Destination Address/Mask: 1.1.3.0/255.255.255.0
        Next Hop: 1.1.5.2

    4. Configure the IPSec tunnel on FW_B.

      1. Choose Network > IPSec > IPSec, click Add, and set Scenario to Site-to-site.
      2. Configure the basic IPSec policy information, specify the remote gateway, and set the pre-shared key to Test!1234.

      3. Under Data Flow to Be Encrypted, click Add to add a data flow as follows.

        During packet forwarding, the IPSec module is behind the NAT module (NAT server, destination NAT, and source NAT). You need to ensure that the NAT server and destination NAT do not affect the processing of IPSec-protected data flow. The following requirements must be met:

        • Run the display firewall server-map command to check the source and destination IP addresses in the servermap table.

          Ensure that the IPSec-protected data flow does not match the servermap table or reverse servermap table created on the NAT server. Otherwise, destination addresses of packets will be translated.

        • Run the display acl acl-number command to check the ACL information of the destination NAT policy.

          Ensure that the IPSec-protected data flow does not match the destination NAT policy. Otherwise, destination addresses of packets will be translated.

        • Run the display current-configuration configuration policy-nat command to check source NAT policy information.

          Ensure that the IPSec-protected data flow does not match the source NAT policy.

        If NAT is required for the IPSec-protected data flow, the ACL needs to match the post-NAT IP address.

      4. Optional: Set the parameters of IPSec and IKE. Use the default parameters in this example. If you want to change the value of a parameter, expand Advanced under IKE/IPSec Proposal. You must ensure that the parameter settings are the same on both tunnel ends.
      5. Click Apply. The configuration of FW_B is complete.
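As an added example that is not part of the Huawei page, the following Python evaluates a zone pair and address pair against the four security-policy rules of FW_A exactly as they appear in the configuration script, with first-match semantics and the implicit default deny. It lets you confirm which rule admits the IKE exchange with 1.1.5.1 and the decrypted inter-subnet traffic, and that packets from an unknown peer or subnet are dropped. Zone classification by ingress and egress interface is assumed to have happened already and is passed in; the function names are mine.

```python
# Added example, not from the Huawei page: evaluates a zone pair and address
# pair against the four security-policy rules of FW_A (text copied from the
# page's script), with first-match semantics and the implicit default deny.
import ipaddress

FW_A_POLICY = """
security-policy
 rule name policy_ipsec_1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  destination-address 10.1.2.0 24
  action permit
 rule name policy_ipsec_2
  source-zone untrust
  destination-zone trust
  source-address 10.1.2.0 24
  destination-address 10.1.1.0 24
  action permit
 rule name policy_ipsec_3
  source-zone untrust
  destination-zone local
  source-address 1.1.5.1 32
  destination-address 1.1.3.1 32
  action permit
 rule name policy_ipsec_4
  source-zone local
  destination-zone untrust
  source-address 1.1.3.1 32
  destination-address 1.1.5.1 32
  action permit
"""

def parse_policy(text):
    """Turn the security-policy stanza into an ordered list of rule dicts."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["rule", "name"]:
            rules.append({"name": parts[2]})
        elif parts and parts[0] in ("source-zone", "destination-zone", "action"):
            rules[-1][parts[0]] = parts[1]
        elif parts and parts[0] in ("source-address", "destination-address"):
            rules[-1][parts[0]] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
    return rules

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """First matching rule wins; no match falls through to the default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r["source-zone"] == src_zone and r["destination-zone"] == dst_zone
                and src in r["source-address"] and dst in r["destination-address"]):
            return r["action"], r["name"]
    return "deny", "default"
```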

Configuration Verification

Access a host or server on network A from a host on network B. The access succeeds.

On FW_A, choose Network > IPSec > Monitor to display the established tunnels.

Policy Name: policy_1
Status: IKE and IPSec negotiations succeed.
Local Address: 1.1.3.1
Peer Address: 1.1.5.1

On FW_B, choose Network > IPSec > Monitor to display the established tunnels.

Policy Name: policy_1
Status: IKE and IPSec negotiations succeed.
Local Address: 1.1.5.1
Peer Address: 1.1.3.1

Configuration Scripts

  • Configuration script on FW_A:

    #
    acl number 3000
     rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    #
    ike proposal 1
     encryption-algorithm aes-256
     dh group2
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer ike6117323732
     pre-shared-key %$%$c([VET@941t/q_4tS-f7,ri/%$%$
     ike-proposal 1
     remote-id-type ip
     remote-address 1.1.5.1
    #
    ipsec proposal prop6117323732
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ipsec policy ipsec6117323788 1 isakmp
     security acl 3000
     ike-peer ike6117323732
     proposal prop6117323732
     tunnel local 1.1.3.1
    #
    interface GigabitEthernet0/0/3
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     ip address 1.1.3.1 255.255.255.0
     ipsec policy ipsec6117323788
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    ip route-static 1.1.5.0 255.255.255.0 1.1.3.2
    ip route-static 10.1.2.0 255.255.255.0 1.1.3.2
    #
    security-policy
     rule name policy_ipsec_1
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.0 24
      destination-address 10.1.2.0 24
      action permit
     rule name policy_ipsec_2
      source-zone untrust
      destination-zone trust
      source-address 10.1.2.0 24
      destination-address 10.1.1.0 24
      action permit
     rule name policy_ipsec_3
      source-zone untrust
      destination-zone local
      source-address 1.1.5.1 32
      destination-address 1.1.3.1 32
      action permit
     rule name policy_ipsec_4
      source-zone local
      destination-zone untrust
      source-address 1.1.3.1 32
      destination-address 1.1.5.1 32
      action permit
    
  • Configuration script on FW_B:

    #
    acl number 3000
     rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    ike proposal 1
     encryption-algorithm aes-256
     dh group2
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer ike6117323732
     pre-shared-key %$%$pFR^=%xE/P^}NS*sN5e(,wne%$%$
     ike-proposal 1
     remote-address 1.1.3.1
    #
    ipsec proposal prop6117323732
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ipsec policy ipsec6117323788 1 isakmp
     security acl 3000
     ike-peer ike6117323732
     proposal prop6117323732
     tunnel local 1.1.5.1
    #
    interface GigabitEthernet0/0/3
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     ip address 1.1.5.1 255.255.255.0
     ipsec policy ipsec6117323788
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    ip route-static 1.1.3.0 255.255.255.0 1.1.5.2
    ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
    #
    security-policy
     rule name policy_ipsec_1
      source-zone trust
      destination-zone untrust
      source-address 10.1.2.0 24
      destination-address 10.1.1.0 24
      action permit
     rule name policy_ipsec_2
      source-zone untrust
      destination-zone trust
      source-address 10.1.1.0 24
      destination-address 10.1.2.0 24
      action permit
     rule name policy_ipsec_3
      source-zone untrust
      destination-zone local
      source-address 1.1.3.1 32
      destination-address 1.1.5.1 32
      action permit
     rule name policy_ipsec_4
      source-zone local
      destination-zone untrust
      source-address 1.1.5.1 32
      destination-address 1.1.3.1 32
      action permit
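As an added example that is not part of the Huawei page, this Python cross-checks the two scripts above for the consistency the procedure requires before negotiation can succeed: identical IKE and IPSec proposal parameters on both tunnel ends (step 4 of the IPSec configuration), and ACL 3000 data flows that are mirror images of each other, as the two scripts show. The stanzas are excerpted from the scripts above; the function names are mine.

```python
# Added example, not from the Huawei page: cross-checks the FW_A and FW_B
# scripts above (excerpted inline) for what the procedure requires: the IKE
# and IPSec proposals must match, and the ACL data flows must mirror each other.
import re

FW_A = """
acl number 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ike proposal 1
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ipsec proposal prop6117323732
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
"""
# FW_B's excerpt on the page is identical except that the ACL flow is reversed.
FW_B = FW_A.replace("source 10.1.1.0 0.0.0.255 destination 10.1.2.0",
                    "source 10.1.2.0 0.0.0.255 destination 10.1.1.0")

def stanzas(text):
    """Map each top-level line (e.g. 'ike proposal 1') to its indented child lines."""
    out, key = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith(" "):
            key = line.strip()
            out[key] = set()
        else:
            out[key].add(" ".join(line.split()))
    return out

def proposal_mismatches(a_text, b_text):
    """Names of IKE/IPSec proposal stanzas whose parameters differ between the ends."""
    a, b = stanzas(a_text), stanzas(b_text)
    return sorted(k for k in a if k.startswith(("ike proposal", "ipsec proposal"))
                  and a[k] != b.get(k))

ACL_RE = re.compile(r"rule permit ip source (\S+) \S+ destination (\S+) \S+")

def acl_mirrored(a_text, b_text):
    """Each end's protected flow must be the reverse of the other end's."""
    a, b = ACL_RE.search(a_text).groups(), ACL_RE.search(b_text).groups()
    return a == b[::-1]
```

Run proposal_mismatches and acl_mirrored against the two exported scripts before applying them; a non-empty mismatch list or a False mirror check explains a negotiation that never reaches the "IKE and IPSec negotiations succeed" status.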
Copyright © Huawei Technologies Co., Ltd.