
Web: Example for Configuring a Base Station to Obtain an IP Address from the FW Using the IKEv2 Configuration Payload

This section provides an example to describe how to enable a base station to use the IKEv2 configuration payload to obtain the private IP address from the FW after the FW establishes an IPSec tunnel with the base station.

Networking Requirements

As shown in Figure 1, the FW is deployed at the egress of network A, and the base station needs to securely communicate with the server on network A.

The FW needs to use IKEv2 to establish an IPSec tunnel with the base station and assign a private IP address of network A to the base station for the base station and network A to communicate.

Figure 1 Networking diagram for a base station to use IKEv2 configuration payload to obtain the IP address assigned by the FW

Configuration Roadmap

  1. Complete the basic configurations of the FW.
  2. Create a template IPSec policy on the FW, because the access is always initiated from the Base Station to the server on network A.
  3. For the configuration of the Base Station, refer to the documents of the Base Station.

Procedure

  1. Complete the basic configurations of the FW.
    1. Set interface IP addresses and assign the interfaces to security zones.

      1. Choose Network > Interface.
      2. Click the edit icon of GE0/0/1 and set the parameters as follows.

        Zone: untrust
        IP Address (IPv4): 1.1.1.1/24

      3. Click OK.
      4. Repeat the preceding steps to configure GE0/0/3.

        Zone: trust
        IP Address (IPv4): 10.1.1.1/24

    2. Configure security policies to allow specific subnets to communicate.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add and set the following parameters for the Trust -> Untrust interzone policy. In the example, the private subnet assigned to the base station is 10.1.2.0/24.

        Name: policy1
        Source Zone: trust
        Destination Zone: untrust
        Source Address/Region: 10.1.1.0/24
        Destination Address/Region: 10.1.2.0/24
        Action: Permit

      3. Click OK.
      4. Repeat the preceding steps to configure Untrust -> Trust, Untrust -> Local, and Local -> Untrust interzone policies.

        The parameters of the Untrust -> Trust interzone policy are as follows.

        Name: policy2
        Source Zone: untrust
        Destination Zone: trust
        Source Address/Region: 10.1.2.0/24
        Destination Address/Region: 10.1.1.0/24
        Action: Permit

        The parameters of the Untrust -> Local interzone policy are as follows.

        Name: policy3
        Source Zone: untrust
        Destination Zone: local
        Source Address/Region: 2.2.2.2/32
        Destination Address/Region: 1.1.1.1/32
        Action: Permit

        The parameters of the Local -> Untrust interzone policy are as follows.

        Name: policy4
        Source Zone: local
        Destination Zone: untrust
        Source Address/Region: 1.1.1.1/32
        Destination Address/Region: 2.2.2.2/32
        Action: Permit

        The local-untrust interzone policies control whether IKE negotiation packets can pass through the FW. A policy can match on source and destination addresses, on protocol, or on port. In this example, the source and destination addresses are the matching condition. To match on protocol or port instead, permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

    3. Configure a default route. In the example, the next-hop IP address to the Internet is 1.1.1.2.

      1. Choose Network > Router > Static Route.

      2. Click Add and set parameters as follows.

        Destination Address/Mask: 0.0.0.0/0.0.0.0
        Next Hop: 1.1.1.2

      3. Click OK.

    4. Configure the IPSec tunnel on FW_A.

      1. Choose Network > IPSec > IPSec, click Add, and set the parameters shown in the following figure.

        In the example, the pre-shared key is Admin@123, and the default parameters are used for the security proposal. To change parameter values, expand the Advanced settings of IKE/IPSec Proposal. The security proposals used by the tunnel ends must be the same.

        Create an address pool in advance. The parameter settings are provided in the following figure.

        Configure one data flow to be encrypted. The parameter settings are provided in the following figure.

      2. Click Apply in the IPSec policy configuration to complete the configuration of the FW.
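The procedure above relies on the IKEv2 Configuration Payload (RFC 7296, section 3.15): the base station sends a CFG_REQUEST carrying an empty INTERNAL_IP4_ADDRESS attribute, and the FW answers with a CFG_REPLY holding an address from the pool. The Python below is an added illustration, not Huawei code: it encodes and parses that payload, leases addresses from the script's pool section 10.1.2.1-10.1.2.10, and checks that a leased address is covered by ACL 3005 and policy2; the class and function names are assumptions.

```python
import struct
import ipaddress

CFG_REQUEST, CFG_REPLY = 1, 2   # CFG Type values, RFC 7296 section 3.15
INTERNAL_IP4_ADDRESS = 1        # attribute type; empty in a request, 4 bytes in a reply


def build_cfg_payload(cfg_type, attrs, next_payload=0):
    """Encode a Configuration Payload: generic header, CFG Type, 3 reserved bytes, attributes."""
    body = b"".join(struct.pack("!HH", t & 0x7FFF, len(v)) + v for t, v in attrs)
    data = struct.pack("!B3x", cfg_type) + body
    return struct.pack("!BBH", next_payload, 0, 4 + len(data)) + data


def parse_cfg_payload(buf):
    """Decode a Configuration Payload into (cfg_type, [(attr_type, value), ...])."""
    _, _, length = struct.unpack("!BBH", buf[:4])
    attrs, off = [], 8
    while off < length:
        t, n = struct.unpack("!HH", buf[off:off + 4])
        attrs.append((t & 0x7FFF, buf[off + 4:off + 4 + n]))
        off += 4 + n
    return buf[4], attrs


class AddressPool:
    """Mirrors 'ip pool pool / section 0 10.1.2.1 10.1.2.10' from the configuration script (assumed helper)."""

    def __init__(self, first, last):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [ipaddress.IPv4Address(a) for a in range(lo, hi + 1)]
        self.leases = {}

    def answer(self, peer_id, request):
        """Return the CFG_REPLY for a CFG_REQUEST, or None if no address can be assigned."""
        cfg_type, attrs = parse_cfg_payload(request)
        if cfg_type != CFG_REQUEST or all(t != INTERNAL_IP4_ADDRESS for t, _ in attrs):
            return None
        addr = self.leases.get(peer_id)          # a re-negotiating peer keeps its lease
        if addr is None and self.free:
            addr = self.free.pop(0)
        if addr is None:
            return None                          # pool exhausted: peer gets no address
        self.leases[peer_id] = addr
        return build_cfg_payload(CFG_REPLY, [(INTERNAL_IP4_ADDRESS, addr.packed)])


def assigned_address_is_covered(reply, acl_dst="10.1.2.0/24", policy_src="10.1.2.0/24"):
    """The leased address must lie inside ACL 3005's destination subnet and policy2's source
    subnet; an address outside them would be sent unencrypted or dropped by the policy."""
    _, attrs = parse_cfg_payload(reply)
    addr = ipaddress.IPv4Address(dict(attrs)[INTERNAL_IP4_ADDRESS])
    return addr in ipaddress.ip_network(acl_dst) and addr in ipaddress.ip_network(policy_src)
```

The coverage check is the one to run after changing either the pool section or ACL 3005, since the two are configured independently on the FW.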

Verification

After the configuration is complete, view the IPSec tunnel status on the FW. If the following information is displayed, the IPSec tunnel is established.

If the base station has obtained the IP address assigned by the FW, and the base station and the server on network A can communicate properly, the service configuration succeeds.

Configuration Scripts

#
system-view
#
acl number 3005
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ip pool pool
 section 0 10.1.2.1 10.1.2.10
#
aaa
 service-scheme l2tpSScheme_1453722654786
  dhcp-server group dhcpGroup1453722654787
  ip-pool pool
#
ike proposal 2
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ipsec proposal prop25119505373
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256
#
ike peer ike251195053730
 pre-shared-key %@%@/TtI*ib{a8;\cWUI"To#2n[\%@%@
 ike-proposal 2
 local-id 1.1.1.1
 service-scheme l2tpSScheme_1453722654786
#
ipsec policy-template tpl251195053730 1
 security acl 3005
 ike-peer ike251195053730
 proposal prop25119505373
 alias policy1 
 scenario point-to-multi-point ikev2-user-access 
#
ipsec policy ipsec2511950543 10000 isakmp template tpl251195053730
#
interface GigabitEthernet 0/0/3
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
 ipsec policy ipsec2511950543
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
security-policy
  rule name policy1
    source-zone trust
    destination-zone untrust
    source-address 10.1.1.0 mask 255.255.255.0
    destination-address 10.1.2.0 mask 255.255.255.0
    action permit
  rule name policy2
    source-zone untrust
    destination-zone trust
    source-address 10.1.2.0 mask 255.255.255.0
    destination-address 10.1.1.0 mask 255.255.255.0
    action permit
  rule name policy3
    source-zone untrust
    destination-zone local
    source-address 2.2.2.2 mask 255.255.255.255
    destination-address 1.1.1.1 mask 255.255.255.255
    action permit
  rule name policy4
    source-zone local
    destination-zone untrust
    source-address 1.1.1.1 mask 255.255.255.255
    destination-address 2.2.2.2 mask 255.255.255.255
    action permit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
Copyright © Huawei Technologies Co., Ltd.