
CLI: Example for Configuring IPSec Intelligent Link Selection (Link Switchover Based on the Link Quality Probe Result)

As the gateway of a branch, the FW uses the IPSec intelligent link selection function for dynamic IPSec tunnel switching.

Networking Requirements

As shown in Figure 1, the headquarters and branch connect to the Internet through FW_A and FW_B, respectively. FW_A connects to the Internet through one link. FW_B connects to the Internet through two links.

Requirements are as follows:

  • An IPSec tunnel is established between FW_A and FW_B for the communication between the headquarters and branch.
  • FW_B first uses Link 1 to establish an IPSec tunnel to the headquarters. If the IPSec tunnel has a high packet loss ratio or delay, FW_B automatically uses Link 2 to establish another IPSec tunnel.

Figure 1 Networking diagram for IPSec intelligent link selection

The local interface in IPSec intelligent link selection can be an interface that dynamically obtains IP addresses through PPPoE or DHCP. That is, when GE0/0/1 or GE0/0/2 on FW_B in Figure 1 obtains IP addresses through PPPoE or DHCP, the IPSec intelligent link selection function is also available.

The method for configuring IPSec intelligent link selection when the local interface has a fixed IP address is the same as that when the local interface obtains IP addresses dynamically.

Data Planning

| Item | FW_A | FW_B |
|---|---|---|
| Outside interface | Interface: GigabitEthernet 0/0/1; IP address: 3.3.3.3/24; Security zone: Untrust | Interface: GigabitEthernet 0/0/1; IP address: 1.1.1.1/24; Security zone: Untrust. Interface: GigabitEthernet 0/0/2; IP address: 2.2.2.2/24; Security zone: Untrust |
| Inside interface | Interface: GigabitEthernet 0/0/3; IP address: 10.1.1.1/24; Security zone: Trust | Interface: GigabitEthernet 0/0/3; IP address: 10.1.2.1/24; Security zone: Trust |
| Method of configuring an IPSec policy | Template | IKE mode + IPSec intelligent link selection |
| IPSec proposal: Encapsulation mode | Tunnel mode | Tunnel mode |
| IPSec proposal: IPSec protocol | ESP | ESP |
| IPSec proposal: ESP authentication algorithm | SHA2-256 | SHA2-256 |
| IPSec proposal: ESP encryption algorithm | AES-256 | AES-256 |
| IKE proposal: Authentication method | Pre-shared key | Pre-shared key |
| IKE proposal: Authentication algorithm | SHA2-256 | SHA2-256 |
| IKE proposal: Integrity algorithm | aes-xcbc-96 and hmac-sha2-256 | aes-xcbc-96 and hmac-sha2-256 |
| IKE peer: Negotiation mode | Main mode | Main mode |
| IKE peer: Pre-shared key | Admin@123 | Admin@123 |
| IKE peer: Identity type | IP | IP |
| IKE peer: Remote IP address | Unspecified | 3.3.3.3 |
| IKE peer: Version | V1 | V1 |

Procedure

  • Configure FW_B (Branch).
    1. Set an IP address for each interface and assign the interfaces to security zones.

      # Set IP addresses for interfaces.

      <FW_B> system-view
      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW_B-GigabitEthernet0/0/1] gateway 1.1.1.254
      [FW_B-GigabitEthernet0/0/1] quit
      [FW_B] interface GigabitEthernet 0/0/2
      [FW_B-GigabitEthernet0/0/2] ip address 2.2.2.2 24
      [FW_B-GigabitEthernet0/0/2] gateway 2.2.2.254
      [FW_B-GigabitEthernet0/0/2] quit
      [FW_B] interface GigabitEthernet 0/0/3
      [FW_B-GigabitEthernet0/0/3] ip address 10.1.2.1 24
      [FW_B-GigabitEthernet0/0/3] quit

      # Assign interfaces to security zones.

      [FW_B] firewall zone trust
      [FW_B-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_B-zone-trust] quit
      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_B-zone-untrust] add interface GigabitEthernet 0/0/2
      [FW_B-zone-untrust] quit

    2. Configure security policies to allow specific subnets to communicate.

      # Configure policies for the interzone between the Trust zone and the Untrust zone, allowing packets before encapsulation and decapsulated packets through FW_B.

      [FW_B] security-policy
      [FW_B-policy-security] rule name 1
      [FW_B-policy-security-rule-1] source-zone trust
      [FW_B-policy-security-rule-1] destination-zone untrust
      [FW_B-policy-security-rule-1] source-address 10.1.2.0 24
      [FW_B-policy-security-rule-1] destination-address 10.1.1.0 24
      [FW_B-policy-security-rule-1] action permit
      [FW_B-policy-security-rule-1] quit
      [FW_B-policy-security] rule name 2
      [FW_B-policy-security-rule-2] source-zone untrust
      [FW_B-policy-security-rule-2] destination-zone trust
      [FW_B-policy-security-rule-2] source-address 10.1.1.0 24
      [FW_B-policy-security-rule-2] destination-address 10.1.2.0 24
      [FW_B-policy-security-rule-2] action permit
      [FW_B-policy-security-rule-2] quit

      # Configure policies for the interzone between the Local zone and the Untrust zone, allowing IKE negotiation packets through FW_B.

      The local-untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, the protocol, or the port as the matching condition. In this example, the source and destination addresses are used. To match on protocol or port instead, the policy must permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

      [FW_B-policy-security] rule name 3
      [FW_B-policy-security-rule-3] source-zone local
      [FW_B-policy-security-rule-3] destination-zone untrust
      [FW_B-policy-security-rule-3] source-address 1.1.1.1 32
      [FW_B-policy-security-rule-3] source-address 2.2.2.2 32
      [FW_B-policy-security-rule-3] destination-address 3.3.3.3 32
      [FW_B-policy-security-rule-3] action permit
      [FW_B-policy-security-rule-3] quit
      [FW_B-policy-security] rule name 4
      [FW_B-policy-security-rule-4] source-zone untrust
      [FW_B-policy-security-rule-4] destination-zone local
      [FW_B-policy-security-rule-4] source-address 3.3.3.3 32
      [FW_B-policy-security-rule-4] destination-address 1.1.1.1 32
      [FW_B-policy-security-rule-4] destination-address 2.2.2.2 32
      [FW_B-policy-security-rule-4] action permit
      [FW_B-policy-security-rule-4] quit

    3. Configure IPSec intelligent link selection profiles.

      When the local interface dynamically obtains IP addresses through DHCP or PPPoE, the local local-address and nexthop nexthop-address parameters of the link command are obtained from the DHCP or PPPoE server, so you do not need to set them.

      [FW_B] ipsec smart-link profile pro1
      [FW_B-ipsec-smart-link-profile-pro1] link 1 interface GigabitEthernet 0/0/1 local 1.1.1.1 nexthop 1.1.1.254 remote 3.3.3.3
      [FW_B-ipsec-smart-link-profile-pro1] link 2 interface GigabitEthernet 0/0/2 local 2.2.2.2 nexthop 2.2.2.254 remote 3.3.3.3
      [FW_B-ipsec-smart-link-profile-pro1] link-quality-detection interval 1 number 10
      [FW_B-ipsec-smart-link-profile-pro1] auto-switch cycles 3
      [FW_B-ipsec-smart-link-profile-pro1] link-quality-threshold loss 30
      [FW_B-ipsec-smart-link-profile-pro1] link-quality-threshold delay 500

      • In this example, the link-quality-detection source source-address destination destination-address command is not used to set the source or destination IP address for tunnel detection packets. Instead, FW_B uses the IP addresses of the local and peer IPSec tunnel interfaces as the source and destination IP addresses of the detection packets respectively.
      • You can run the auto-switch preempt enable command to enable automatic switchback to a high-priority link. This function is disabled by default. After this function is enabled, you can run the auto-switch preempt enable delay delay-time command to set the switchback delay. After automatic switchback to a high-priority link in IPSec intelligent link selection is enabled, FW_A continuously detects the quality (packet loss rate and delay) of the high-priority link after the IPSec tunnel is switched to the backup link. If the quality of the high-priority link meets the requirements within the configured switchback delay, FW_A automatically switches the IPSec tunnel back to the high-priority link.

        After automatic switchback to a high-priority link is enabled, the tunnel detection parameters in the IPSec intelligent link selection rule on the local device and the data flows to be encrypted in the IPSec policy on the peer device are different in the following configurations compared with those before the automatic switchback function is enabled:

        • The source and destination IP addresses of link quality detection packets must be configured in the IPSec intelligent link selection rule on the local device. These IP addresses cannot be the IP addresses of the interfaces at the two ends of the IPSec tunnel; they can be IP addresses contained in the ACL rule.
        • An ACL rule that uses the destination IP address of detection packets as the source IP address, the source IP address of the detection packets as the destination IP address, and ICMP as the protocol type must be configured in the IPSec policy of the peer device.

          For example, if the source IP address of the detection packets on FW_A (local device) is 10.10.10.10 and the destination IP address is 20.20.20.20, you need to configure the following link quality detection packets on FW_A:

          link-quality-detection source 10.10.10.10 destination 20.20.20.20

          Configure the following ACL rule on FW_B (peer device):

          rule permit icmp source 20.20.20.20 0 destination 10.10.10.10 0

          In addition, because the link detection addresses are configured on FW_A, FW_A does not use the IP addresses of the interfaces at the two ends of the link as the source and destination addresses of the detection packets. Therefore, you do not need to configure on FW_B the ACL rule that uses the IP addresses of the interfaces at the two ends of the IPSec tunnel as the source and destination IP addresses.
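      The following Python model of the detection-based switchover configured in profile pro1 is an added example, not Huawei code or FW output. It assumes that one detection cycle is number probes sent interval seconds apart, that a cycle fails when its measured loss or delay exceeds the configured threshold, and that after cycles consecutive failed cycles the tunnel moves to the next link in ID order; automatic switchback stays disabled, as in this example. It also shows the detection window that results from these parameters (cycles x number x interval seconds) before the tunnel leaves a degraded link.

```python
from typing import List, Optional, Tuple


class Link:
    def __init__(self, link_id: int, local: str, remote: str):
        self.link_id = link_id
        self.local = local
        self.remote = remote
        self.failed_cycles = 0  # consecutive detection cycles that missed the thresholds


class SmartLinkProfile:
    """Model of `ipsec smart-link profile pro1` (assumed semantics, see lead-in)."""

    def __init__(self, links: List[Link], interval: int = 1, number: int = 10,
                 cycles: int = 3, loss: int = 30, delay: int = 500):
        self.links = links
        self.interval = interval        # link-quality-detection interval (seconds)
        self.number = number            # link-quality-detection number (probes per cycle)
        self.cycles = cycles            # auto-switch cycles
        self.loss_threshold = loss      # link-quality-threshold loss (%)
        self.delay_threshold = delay    # link-quality-threshold delay (ms)
        self.active = 0                 # index of the active link; link 1 is used first
        self.switched_times = 0

    def active_link(self) -> Link:
        return self.links[self.active]

    def measure(self, rtts: List[Optional[int]]) -> Tuple[int, int]:
        """Reduce one cycle of probe RTTs (None = no reply) to (loss %, delay ms)."""
        if len(rtts) != self.number:
            raise ValueError(f"a detection cycle carries exactly {self.number} probes")
        answered = [r for r in rtts if r is not None]
        loss = (self.number - len(answered)) * 100 // self.number
        delay = sum(answered) // len(answered) if answered else 0
        return loss, delay

    def run_cycle(self, rtts: List[Optional[int]]) -> Optional[int]:
        """Apply one detection cycle to the active link.
        Returns the id of the link switched to, or None if the tunnel stays."""
        link = self.active_link()
        loss, delay = self.measure(rtts)
        if loss > self.loss_threshold or delay > self.delay_threshold:
            link.failed_cycles += 1
        else:
            link.failed_cycles = 0      # one good cycle resets the count (assumption)
        if link.failed_cycles < self.cycles:
            return None
        # `cycles` consecutive bad cycles: move to the next link in ID order (wraps around)
        link.failed_cycles = 0
        self.active = (self.active + 1) % len(self.links)
        self.switched_times += 1
        return self.active_link().link_id

    def seconds_to_switch(self) -> int:
        """Time a degraded link keeps the tunnel before switchover: cycles * number * interval."""
        return self.cycles * self.number * self.interval


def pro1() -> SmartLinkProfile:
    """The two links of profile pro1 on FW_B, in priority order."""
    return SmartLinkProfile([Link(1, "1.1.1.1", "3.3.3.3"), Link(2, "2.2.2.2", "3.3.3.3")])


def simulate(profile: SmartLinkProfile, cycles: List[List[Optional[int]]]) -> List[Tuple[int, int]]:
    """Run several detection cycles; return (cycle index, new link id) for every switch."""
    events = []
    for i, rtts in enumerate(cycles):
        new_link = profile.run_cycle(rtts)
        if new_link is not None:
            events.append((i, new_link))
    return events


if __name__ == "__main__":
    GOOD = [20] * 10             # constructed: all 10 probes answered in 20 ms
    HALF_LOST = [20, None] * 5   # constructed: 50 % loss, like link 1 in the verification output
    p = pro1()
    print("detection window:", p.seconds_to_switch(), "s")
    print("switch events:", simulate(p, [GOOD, HALF_LOST, HALF_LOST, GOOD, HALF_LOST, HALF_LOST, HALF_LOST]))
```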

    4. Configure IPSec.

      # Configure ACLs to define the data flows to be protected.

      [FW_B] acl 3000 
      [FW_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 
      [FW_B-acl-adv-3000] quit

      # Configure IPSec proposal tran1.

      [FW_B] ipsec proposal tran1
      [FW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
      [FW_B-ipsec-proposal-tran1] transform esp
      [FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_B-ipsec-proposal-tran1] quit

      # Configure IKE proposal 10.

      [FW_B] ike proposal 10
      [FW_B-ike-proposal-10] authentication-method pre-share
      [FW_B-ike-proposal-10] authentication-algorithm sha2-256
      [FW_B-ike-proposal-10] integrity-algorithm aes-xcbc-96 hmac-sha2-256
      [FW_B-ike-proposal-10] quit

      # Configure IKE peer a1.

      [FW_B] ike peer a1
      [FW_B-ike-peer-a1] ike-proposal 10
      [FW_B-ike-peer-a1] remote-address 3.3.3.3
      [FW_B-ike-peer-a1] pre-shared-key Admin@123
      [FW_B-ike-peer-a1] undo version 2
      [FW_B-ike-peer-a1] quit

      # Configure IPSec policy group map1.

      [FW_B] ipsec policy map1 10 isakmp
      [FW_B-ipsec-policy-isakmp-map1-10] security acl 3000
      [FW_B-ipsec-policy-isakmp-map1-10] proposal tran1
      [FW_B-ipsec-policy-isakmp-map1-10] ike-peer a1
      [FW_B-ipsec-policy-isakmp-map1-10] smart-link profile pro1   //Reference an IPSec intelligent link selection profile.
      [FW_B-ipsec-policy-isakmp-map1-10] route inject dynamic
      [FW_B-ipsec-policy-isakmp-map1-10] quit

      The IPSec policy that references an IPSec intelligent link selection profile does not need to be applied to an interface. After the FW decides which link to use to establish the IPSec tunnel, it applies the IPSec policy that references the profile to the local interface of that link.

  • Configure FW_A (Headquarters).
    1. Set an IP address for each interface and assign the interfaces to security zones.

      # Set IP addresses for interfaces.

      <FW_A> system-view
      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ip address 3.3.3.3 24
      [FW_A-GigabitEthernet0/0/1] service-manage enable
      [FW_A-GigabitEthernet0/0/1] service-manage ping permit
      [FW_A-GigabitEthernet0/0/1] quit
      [FW_A] interface GigabitEthernet 0/0/3
      [FW_A-GigabitEthernet0/0/3] ip address 10.1.1.1 24
      [FW_A-GigabitEthernet0/0/3] quit

      In this example, FW_B pings the IP address of the public interface GE0/0/1 on FW_A to check the tunnel quality. Therefore, the service-manage ping permit command must be run on GE0/0/1. Otherwise, FW_A cannot respond to the ping request from FW_B.

      # Assign interfaces to security zones.

      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_A-zone-trust] quit
      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_A-zone-untrust] quit

    2. Configure security policies to allow specific subnets to communicate.

      # Configure policies for the interzone between the Trust zone and the Untrust zone, allowing packets before encapsulation and decapsulated packets through FW_A.

      [FW_A] security-policy
      [FW_A-policy-security] rule name 1
      [FW_A-policy-security-rule-1] source-zone trust
      [FW_A-policy-security-rule-1] destination-zone untrust
      [FW_A-policy-security-rule-1] source-address 10.1.1.0 24
      [FW_A-policy-security-rule-1] destination-address 10.1.2.0 24
      [FW_A-policy-security-rule-1] action permit
      [FW_A-policy-security-rule-1] quit
      [FW_A-policy-security] rule name 2
      [FW_A-policy-security-rule-2] source-zone untrust
      [FW_A-policy-security-rule-2] destination-zone trust
      [FW_A-policy-security-rule-2] source-address 10.1.2.0 24
      [FW_A-policy-security-rule-2] destination-address 10.1.1.0 24
      [FW_A-policy-security-rule-2] action permit
      [FW_A-policy-security-rule-2] quit

      # Configure policies for the interzone between the Local zone and the Untrust zone, allowing IKE negotiation packets through FW_A.

      The local-untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, the protocol, or the port as the matching condition. In this example, the source and destination addresses are used. To match on protocol or port instead, the policy must permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

      [FW_A-policy-security] rule name 3
      [FW_A-policy-security-rule-3] source-zone local
      [FW_A-policy-security-rule-3] destination-zone untrust
      [FW_A-policy-security-rule-3] source-address 3.3.3.3 32
      [FW_A-policy-security-rule-3] destination-address 1.1.1.1 32
      [FW_A-policy-security-rule-3] destination-address 2.2.2.2 32
      [FW_A-policy-security-rule-3] action permit
      [FW_A-policy-security-rule-3] quit
      [FW_A-policy-security] rule name 4
      [FW_A-policy-security-rule-4] source-zone untrust
      [FW_A-policy-security-rule-4] destination-zone local
      [FW_A-policy-security-rule-4] source-address 1.1.1.1 32
      [FW_A-policy-security-rule-4] source-address 2.2.2.2 32
      [FW_A-policy-security-rule-4] destination-address 3.3.3.3 32
      [FW_A-policy-security-rule-4] action permit
      [FW_A-policy-security-rule-4] quit
      [FW_A-policy-security] quit

    3. Configure an IPSec tunnel.

      # Configure ACLs to define the data flows to be protected.

      To enable ICMP link detection packets to pass through the IPSec tunnel, configure two ACL rules to allow ICMP packets.

      [FW_A] acl 3000 
      [FW_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
      [FW_A-acl-adv-3000] rule permit icmp source 3.3.3.3 0 destination 1.1.1.1 0
      [FW_A-acl-adv-3000] rule permit icmp source 3.3.3.3 0 destination 2.2.2.2 0
      [FW_A-acl-adv-3000] quit

      # Configure IPSec proposal tran1.

      [FW_A] ipsec proposal tran1
      [FW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
      [FW_A-ipsec-proposal-tran1] transform esp
      [FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_A-ipsec-proposal-tran1] quit

      # Configure IKE proposal 10.

      [FW_A] ike proposal 10
      [FW_A-ike-proposal-10] authentication-method pre-share
      [FW_A-ike-proposal-10] authentication-algorithm sha2-256
      [FW_A-ike-proposal-10] integrity-algorithm aes-xcbc-96 hmac-sha2-256
      [FW_A-ike-proposal-10] quit

      # Configure IKE peer b.

      [FW_A] ike peer b
      [FW_A-ike-peer-b] ike-proposal 10
      [FW_A-ike-peer-b] pre-shared-key Admin@123
      [FW_A-ike-peer-b] undo version 2
      [FW_A-ike-peer-b] quit

      # Configure an IPSec policy template named map_temp and numbered 1.

      [FW_A] ipsec policy-template map_temp 1
      [FW_A-ipsec-policy-template-map_temp-1] security acl 3000
      [FW_A-ipsec-policy-template-map_temp-1] proposal tran1
      [FW_A-ipsec-policy-template-map_temp-1] ike-peer b
      [FW_A-ipsec-policy-template-map_temp-1] route inject dynamic preference 65
      [FW_A-ipsec-policy-template-map_temp-1] quit

      # Configure an IPSec policy named map1 and reference policy template map_temp in the IPSec policy.

      [FW_A] ipsec policy map1 10 isakmp template map_temp

      # Apply IPSec policy map1 to GigabitEthernet 0/0/1.

      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ipsec policy map1
      [FW_A-GigabitEthernet0/0/1] quit

Configuration Verification

  1. After the configuration is complete, run the display ipsec smart-link profile command on FW_B. The command output shows that FW_B at the branch first uses Link 1 (1.1.1.1 -> 3.3.3.3) to establish an IPSec tunnel.

    <FW_B> display ipsec smart-link profile name pro1
     ===========================================
      Name                      :pro1
      Detection number          :10
      Detection interval        :1
      Detection source IP       :1.1.1.1
      Detection destination IP  :3.3.3.3
      Cycles                    :3
      Switched times            :0
      Switch mode               :detection-based
      State                     :enable 
      IPSec policy alias        :map1 
      link list:
      ID local-address   remote-address  loss(%) delay(ms)  state
      1  1.1.1.1         3.3.3.3         0       0          active
      2  2.2.2.2         3.3.3.3         0       0          inactive
     ===========================================

    Run the display ike sa and display ipsec sa commands on FW_A and FW_B to confirm that the SAs are established. Taking FW_B as an example, the following output shows that the IKE SA and IPSec SA have been established.

    <FW_B> display ipsec sa
     ===============================
     Interface: GigabitEthernet0/0/1
         path MTU: 1500
     ===============================
     
       -----------------------------
       IPsec policy name: "map1"
       sequence number: 10000
       mode: isakmp
       vpn: public
       -----------------------------
         connection id: 1158
         rule number: 5
         encapsulation mode: tunnel
         holding time: 0d 0h 0m 14s
         tunnel local : 1.1.1.1    tunnel remote: 3.3.3.3
         flow      source: 10.1.2.0-10.1.2.255 0-65535 0
         flow destination: 10.1.1.0-10.1.1.255 0-65535 0
     
         [inbound ESP SAs] 
           spi: 35053809 (0x216e0f1)
           vpn: public  said: 182  cpuid: 0x0000
           proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
           sa remaining key duration (kilobytes/sec): 200000000/3586
           max received sequence-number: 1
           udp encapsulation used for nat traversal: N
     
         [outbound ESP SAs] 
           spi: 128477047 (0x7a86777)
           vpn: public  said: 183  cpuid: 0x0000
           proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
           sa remaining key duration (kilobytes/sec): 200000000/3586
           max sent sequence-number: 1
           udp encapsulation used for nat traversal: N
     
       -----------------------------
       IPsec policy name: "map1"
       sequence number: 10000
       mode: isakmp
       vpn: public
       -----------------------------
         connection id: 1159
         rule number: 10
         encapsulation mode: tunnel
         holding time: 0d 0h 0m 15s
         tunnel local : 1.1.1.1    tunnel remote: 3.3.3.3
         flow      source: 1.1.1.1-1.1.1.1 0-65535 1
         flow destination: 3.3.3.3-3.3.3.3 0-65535 1
     
         [inbound ESP SAs] 
           spi: 262933667 (0xfac0ca3)
           vpn: public  said: 184  cpuid: 0x0000
           proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
           sa remaining key duration (kilobytes/sec): 200000000/3585
           max received sequence-number: 7
           udp encapsulation used for nat traversal: N
     
         [outbound ESP SAs] 
           spi: 141108708 (0x86925e4)
           vpn: public  said: 185  cpuid: 0x0000
           proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
           sa remaining key duration (kilobytes/sec): 200000000/3585
           max sent sequence-number: 8
           udp encapsulation used for nat traversal: N

    <FW_B> display ike sa
     current ike sa number: 3
     --------------------------------------------------------------------------------------------------
     conn-id    peer                                    flag          phase vpn    
     --------------------------------------------------------------------------------------------------
     1159       3.3.3.3                                 RD|ST|A       v2:2  public
     1158       3.3.3.3                                 RD|ST|A       v2:2  public
     1157       3.3.3.3                                 RD|ST|D|A     v2:1  public
     
     
       flag meaning
       RD--READY      ST--STAYALIVE     RL--REPLACED    FD--FADING    TO--TIMEOUT
       TD--DELETING   NEG--NEGOTIATING  D--DPD          M--ACTIVE     S--STANDBY
       A--ALONE
  2. Shut down GE0/0/1 on FW_B and then run the display ipsec smart-link profile command on FW_B. The command output shows that FW_B automatically uses Link 2 (2.2.2.2 -> 3.3.3.3) to establish an IPSec tunnel.

    <FW_B> display ipsec smart-link profile name pro1
     ===========================================
      Name                      :pro1
      Detection number          :10
      Detection interval        :1
      Detection source IP       :2.2.2.2
      Detection destination IP  :3.3.3.3
      Cycles                    :3
      Switched times            :0
      Switch mode               :detection-based
      State                     :enable 
      IPSec policy alias        :map1 
      link list:
      ID local-address   remote-address  loss(%) delay(ms)  state
      1  1.1.1.1         3.3.3.3         50      0          inactive
      2  2.2.2.2         3.3.3.3         0       0          active
     ===========================================
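    As an added example that is not part of the Huawei documentation, the following Python script parses the display ipsec smart-link profile output shown above and returns the findings a monitoring job would raise: the tunnel running on a backup link, a probe source that does not match the active link, and any link whose measured loss or delay exceeds the pro1 thresholds. The sample output is constructed from the second display on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed from the second `display ipsec smart-link profile name pro1` output on
# this page (after GE0/0/1 was shut down): link 1 shows 50 % loss, link 2 is active.
SAMPLE_OUTPUT = """\
 ===========================================
  Name                      :pro1
  Detection number          :10
  Detection interval        :1
  Detection source IP       :2.2.2.2
  Detection destination IP  :3.3.3.3
  Cycles                    :3
  Switched times            :0
  Switch mode               :detection-based
  State                     :enable
  IPSec policy alias        :map1
  link list:
  ID local-address   remote-address  loss(%) delay(ms)  state
  1  1.1.1.1         3.3.3.3         50      0          inactive
  2  2.2.2.2         3.3.3.3         0       0          active
 ===========================================
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:(?P<val>.*)$")
LINK_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<loss>\d+)\s+(?P<delay>\d+)\s+(?P<state>\S+)\s*$"
)


def parse_profile(text: str) -> Dict:
    """Turn the display output into a dict of header fields plus a 'links' list."""
    profile: Dict = {"links": []}
    in_links = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("="):
            continue
        if stripped == "link list:":
            in_links = True            # everything after this line is the link table
            continue
        if in_links:
            m = LINK_RE.match(line)    # the column header line does not match and is skipped
            if m:
                profile["links"].append({
                    "id": int(m["id"]), "local": m["local"], "remote": m["remote"],
                    "loss": int(m["loss"]), "delay": int(m["delay"]), "state": m["state"],
                })
            continue
        m = FIELD_RE.match(line)
        if m:
            profile[m["key"].strip()] = m["val"].strip()
    return profile


def check_profile(profile: Dict, expected_primary: int = 1,
                  loss_threshold: int = 30, delay_threshold: int = 500) -> List[Tuple[str, object]]:
    """Findings for a monitoring job. Thresholds default to the pro1 values
    (link-quality-threshold loss 30 / delay 500); link 1 is the expected primary."""
    findings: List[Tuple[str, object]] = []
    if profile.get("State") != "enable":
        findings.append(("profile-disabled", profile.get("State")))
    active = [l for l in profile["links"] if l["state"] == "active"]
    if len(active) != 1:
        findings.append(("active-link-count", len(active)))
    else:
        if active[0]["id"] != expected_primary:
            findings.append(("on-backup-link", active[0]["id"]))
        # the probe source should be the local address of the link carrying the tunnel
        if profile.get("Detection source IP") != active[0]["local"]:
            findings.append(("probe-source-mismatch", profile.get("Detection source IP")))
    for link in profile["links"]:
        if link["loss"] > loss_threshold or link["delay"] > delay_threshold:
            findings.append(("link-degraded", link["id"]))
    return findings


if __name__ == "__main__":
    for code, detail in check_profile(parse_profile(SAMPLE_OUTPUT)):
        print(f"{code}: {detail}")
```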

Configuration Script

  • # Configuration script on FW_A (Headquarters):

    #
    acl number 3000                 
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 
     rule 10 permit icmp source 3.3.3.3 0 destination 1.1.1.1 0 
     rule 15 permit icmp source 3.3.3.3 0 destination 2.2.2.2 0 
    #
    ike proposal 10
     authentication-method pre-share
     authentication-algorithm sha2-256 
     integrity-algorithm aes-xcbc-96 hmac-sha2-256 
    #
    ike peer b
     pre-shared-key %$%$921NG0I(@0aT8y@GhOS97G>5%$%$
     ike-proposal 10
     undo version 2 
    #
    ipsec proposal tran1
     encapsulation-mode tunnel   
     transform esp       
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ipsec policy-template map_temp 1
     security acl 3000
     ike-peer b
     proposal tran1
     route inject dynamic preference 65
    #
    ipsec policy map1 10 isakmp template map_temp
    # 
    interface GigabitEthernet0/0/3         
     ip address 10.1.1.1 255.255.255.0              
    #                   
    interface GigabitEthernet0/0/1               
     ip address 3.3.3.3 255.255.255.0 
     ipsec policy map1
     service-manage ping permit
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet0/0/1
    #
    security-policy
      rule name 1
        source-zone trust
        destination-zone untrust
        source-address 10.1.1.0 24
        destination-address 10.1.2.0 24
        action permit
      rule name 2
        source-zone untrust
        destination-zone trust
        source-address 10.1.2.0 24
        destination-address 10.1.1.0 24
        action permit
      rule name 3
        source-zone local
        destination-zone untrust
        source-address 3.3.3.3 32
        destination-address 1.1.1.1 32
        destination-address 2.2.2.2 32
        action permit
      rule name 4
        source-zone untrust
        destination-zone local
        source-address 1.1.1.1 32
        source-address 2.2.2.2 32
        destination-address 3.3.3.3 32
        action permit
    
  • # Configuration script on FW_B (Branch):

    #
    acl number 3000  
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    ike proposal 10
     authentication-method pre-share
     authentication-algorithm sha2-256 
     integrity-algorithm aes-xcbc-96 hmac-sha2-256 
    #
    ike peer a1
     pre-shared-key %$%$QoAR'zsMp!&5y%7qm\)XOZQH%$%$
     ike-proposal 10
     remote-address 3.3.3.3
     undo version 2
    #
    ipsec proposal tran1
     encapsulation-mode tunnel
     transform esp
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ipsec smart-link profile pro1
     link-quality-detection interval 1 number 10
     auto-switch cycles 3
     link-quality-threshold loss 30
     link-quality-threshold delay 500
     link 1 interface GigabitEthernet 0/0/1 local 1.1.1.1 nexthop 1.1.1.254 remote 3.3.3.3
     link 2 interface GigabitEthernet 0/0/2 local 2.2.2.2 nexthop 2.2.2.254 remote 3.3.3.3
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a1
     proposal tran1
     smart-link profile pro1
     route inject dynamic
    # 
    interface GigabitEthernet0/0/3    
     ip address 10.1.2.1 255.255.255.0              
    #                   
    interface GigabitEthernet0/0/2               
     ip address 2.2.2.2 255.255.255.0 
     gateway 2.2.2.254
    #                   
    interface GigabitEthernet0/0/1               
     ip address 1.1.1.1 255.255.255.0 
     gateway 1.1.1.254
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet0/0/1
     add interface GigabitEthernet0/0/2
    #
    security-policy
      rule name 1
        source-zone trust
        destination-zone untrust
        source-address 10.1.2.0 24
        destination-address 10.1.1.0 24
        action permit
      rule name 2
        source-zone untrust
        destination-zone trust
        source-address 10.1.1.0 24
        destination-address 10.1.2.0 24
        action permit
      rule name 3
        source-zone local
        destination-zone untrust
        source-address 1.1.1.1 32
        source-address 2.2.2.2 32
        destination-address 3.3.3.3 32
        action permit
      rule name 4
        source-zone untrust
        destination-zone local
        source-address 3.3.3.3 32
        destination-address 1.1.1.1 32
        destination-address 2.2.2.2 32
        action permit
    
Copyright © Huawei Technologies Co., Ltd.