This section provides an example for configuring IPSec services in a load balancing scenario.
As shown in Figure 1, the server load balancer (SLB) at the network egress distributes traffic from the eNodeB to network A. FW_A and FW_B are IPSec gateways that form a server cluster behind the SLB. To secure access from the eNodeB to network A, you must establish IPSec tunnels between the eNodeB and the FWs (FW_A and FW_B) and configure the SLB to distribute the IPSec traffic from the eNodeB evenly across FW_A and FW_B.
In this example, a FW serves as the SLB.
The configuration of FW_B is similar to that of FW_A and is not described in detail.
| Function | SLB | FW_A | FW_B |
|---|---|---|---|
| Basic configuration | GE0/0/1: 1.1.1.1/24, zone Untrust; GE0/0/2: 192.168.1.2/24, zone DMZ; GE0/0/3: 192.168.2.2/24, zone DMZ | GE0/0/1: 192.168.1.1/24, zone Untrust; GE0/0/2: 10.1.2.1/24, zone Trust | GE0/0/1: 192.168.2.1/24, zone Untrust; GE0/0/2: 10.1.3.1/24, zone Trust |
| IPSec function | - | Tunnel establishment mode: policy template; IPSec proposal; IKE proposal; IKE peer | Tunnel establishment mode: policy template; IPSec proposal; IKE proposal; IKE peer |
| Load balancing function | Real server group grp1 with real servers 192.168.1.1 (FW_A) and 192.168.2.1 (FW_B); virtual server vs1 with VIP 2.2.2.2, protocol UDP | - | - |
# Set IP addresses for the interfaces of the SLB and assign the interfaces to security zones.
<sysname> system-view
[sysname] sysname SLB
[SLB] interface GigabitEthernet 0/0/1
[SLB-GigabitEthernet0/0/1] ip address 1.1.1.1 24
[SLB-GigabitEthernet0/0/1] quit
[SLB] interface GigabitEthernet 0/0/2
[SLB-GigabitEthernet0/0/2] ip address 192.168.1.2 24
[SLB-GigabitEthernet0/0/2] quit
[SLB] interface GigabitEthernet 0/0/3
[SLB-GigabitEthernet0/0/3] ip address 192.168.2.2 24
[SLB-GigabitEthernet0/0/3] quit
[SLB] firewall zone untrust
[SLB-zone-untrust] add interface GigabitEthernet 0/0/1
[SLB-zone-untrust] quit
[SLB] firewall zone dmz
[SLB-zone-dmz] add interface GigabitEthernet 0/0/2
[SLB-zone-dmz] add interface GigabitEthernet 0/0/3
[SLB-zone-dmz] quit
# Configure a security policy that permits traffic from the Untrust zone to the real servers in the DMZ.
[SLB] security-policy
[SLB-policy-security] rule name untrust_dmz_inbound
[SLB-policy-security-rule-untrust_dmz_inbound] source-zone untrust
[SLB-policy-security-rule-untrust_dmz_inbound] destination-zone dmz
[SLB-policy-security-rule-untrust_dmz_inbound] destination-address 192.168.1.0 24
[SLB-policy-security-rule-untrust_dmz_inbound] destination-address 192.168.2.0 24
[SLB-policy-security-rule-untrust_dmz_inbound] action permit
[SLB-policy-security-rule-untrust_dmz_inbound] quit
[SLB-policy-security] quit
# Enable the SLB function.
[SLB] slb enable
# Create a real server group and configure the load balancing algorithm.
[SLB] slb
[SLB-slb] group 1 grp1
[SLB-slb-group-1] metric roundrobin
# Add the real servers (FW_A and FW_B) to the real server group.
[SLB-slb-group-1] rserver 1 rip 192.168.1.1 weight 1
[SLB-slb-group-1] rserver 2 rip 192.168.2.1 weight 1
[SLB-slb-group-1] quit
# Create a virtual server and configure its protocol type. IKE and NAT-traversal ESP both run over UDP.
[SLB-slb] vserver 1 vs1
[SLB-slb-vserver-1] protocol udp
# Configure the virtual server IP address. This is the address the eNodeB uses as its IPSec peer.
[SLB-slb-vserver-1] vip 1 2.2.2.2
# Associate the virtual server with the real server group.
[SLB-slb-vserver-1] group grp1
[SLB-slb-vserver-1] quit
[SLB-slb] quit
# Set an IP address for interface GigabitEthernet 0/0/1 and assign it to the Untrust zone.
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ip address 192.168.1.1 24
[FW_A-GigabitEthernet0/0/1] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_A-zone-untrust] quit
# Set an IP address for interface GigabitEthernet 0/0/2 and assign it to the Trust zone.
[FW_A] interface GigabitEthernet 0/0/2
[FW_A-GigabitEthernet0/0/2] ip address 10.1.2.1 24
[FW_A-GigabitEthernet0/0/2] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 0/0/2
[FW_A-zone-trust] quit
# Configure security policies that permit the protected traffic (10.1.1.0/24) between the Trust and Untrust zones.
[FW_A] security-policy
[FW_A-policy-security] rule name ipsec_tu
[FW_A-policy-security-rule-ipsec_tu] source-zone trust
[FW_A-policy-security-rule-ipsec_tu] destination-zone untrust
[FW_A-policy-security-rule-ipsec_tu] source-address 10.1.1.0 24
[FW_A-policy-security-rule-ipsec_tu] action permit
[FW_A-policy-security-rule-ipsec_tu] quit
[FW_A-policy-security] rule name ipsec_ut
[FW_A-policy-security-rule-ipsec_ut] source-zone untrust
[FW_A-policy-security-rule-ipsec_ut] destination-zone trust
[FW_A-policy-security-rule-ipsec_ut] destination-address 10.1.1.0 24
[FW_A-policy-security-rule-ipsec_ut] action permit
[FW_A-policy-security-rule-ipsec_ut] quit
[FW_A-policy-security] quit
The Local-Untrust interzone policy controls whether IKE negotiation packets sent to and from the FW itself are permitted. This policy can match on the source and destination addresses, or on the protocol and port. In this example the source and destination addresses are used (the FW's own Untrust interface address 192.168.1.1). If you match on protocol or port instead, permit ESP (IP protocol 50) and UDP port 500, and in NAT traversal scenarios also UDP port 4500, because after NAT detection both IKE and ESP are carried over UDP 4500. NAT traversal applies here: the SLB translates the eNodeB's address, so the FW sees the tunnel as UDP-encapsulated.
# Configure the Local-Untrust interzone security policy that permits IKE negotiation.
[FW_A] security-policy
[FW_A-policy-security] rule name ipsec_lu
[FW_A-policy-security-rule-ipsec_lu] source-zone local
[FW_A-policy-security-rule-ipsec_lu] destination-zone untrust
[FW_A-policy-security-rule-ipsec_lu] source-address 192.168.1.1 32
[FW_A-policy-security-rule-ipsec_lu] action permit
[FW_A-policy-security-rule-ipsec_lu] quit
[FW_A-policy-security] rule name ipsec_ul
[FW_A-policy-security-rule-ipsec_ul] source-zone untrust
[FW_A-policy-security-rule-ipsec_ul] destination-zone local
[FW_A-policy-security-rule-ipsec_ul] destination-address 192.168.1.1 32
[FW_A-policy-security-rule-ipsec_ul] action permit
[FW_A-policy-security-rule-ipsec_ul] quit
[FW_A-policy-security] quit
# Configure routes. In this example, the next hop from FW_A to network A is 10.1.2.2, and the next hop of the route to the eNodeB is 192.168.1.2 (the SLB).
[FW_A] ip route-static 10.1.1.0 24 10.1.2.2
[FW_A] ip route-static 0.0.0.0 0.0.0.0 192.168.1.2
If link health check is enabled on the SLB, configure a rule in ACL 3000 that denies traffic from 192.168.1.2 (the SLB's interface address), so that the health-check packets exchanged with the SLB are excluded from the data flow to be protected by IPSec. Otherwise the link health check does not work.
# Configure an ACL that defines the data flow to be protected by IPSec.
[FW_A] acl 3000
[FW_A-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255
[FW_A-acl-adv-3000] quit
# Configure an IPSec proposal.
[FW_A] ipsec proposal tran1
[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_A-ipsec-proposal-tran1] quit
# Configure an IKE proposal.
[FW_A] ike proposal 10
[FW_A-ike-proposal-10] authentication-method pre-share
[FW_A-ike-proposal-10] encryption-algorithm aes-256
[FW_A-ike-proposal-10] dh group2
[FW_A-ike-proposal-10] authentication-algorithm sha2-256
[FW_A-ike-proposal-10] quit
The proposal keeps dh group2 (1024-bit MODP) as in the original example. It is the weakest element of this proposal; use a larger group, such as group14 or stronger, when the eNodeB supports it.
# Configure an IKE peer. The pre-shared key must match the key configured on the eNodeB; replace the example value.
[FW_A] ike peer enodeb
[FW_A-ike-peer-enodeb] pre-shared-key Admin@123
[FW_A-ike-peer-enodeb] ike-proposal 10
[FW_A-ike-peer-enodeb] quit
# Configure an IPSec policy template that references the ACL, the IKE peer, and the IPSec proposal.
[FW_A] ipsec policy-template template 1
[FW_A-ipsec-policy-templet-map_temp-1] security acl 3000
[FW_A-ipsec-policy-templet-map_temp-1] ike-peer enodeb
[FW_A-ipsec-policy-templet-map_temp-1] proposal tran1
[FW_A-ipsec-policy-templet-map_temp-1] quit
# Create an IPSec policy that references the policy template.
[FW_A] ipsec policy map1 10 isakmp template template
# Apply the IPSec policy to interface GigabitEthernet 0/0/1.
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ipsec policy map1
[FW_A-GigabitEthernet0/0/1] quit
The configuration of FW_B is similar to that of FW_A. You can configure FW_B by referring to the configuration of FW_A.
# On the SLB, check the server map created for the virtual server.
[SLB] display firewall server-map static
 Current Total Server-map : 2
 Type: SLB,  ANY -> 2.2.2.2[grp1/0],  Zone:---,  protocol:udp
 Vpn: public -> public
# On the SLB, check the session table. The bracketed values are the post-NAT tuples: the UDP 4500 session from 1.1.1.2 has been dispatched to 192.168.1.1 (FW_A) and the one from 1.1.1.3 to 192.168.2.1 (FW_B).
[SLB] display firewall session table verbose
 Current Total Sessions : 2
 udp  VPN: public --> public  ID: c487fb5ba7d8458875c5758ad84
 Zone: trust --> trust  TTL: 00:02:00  Left: 00:02:00
 Recv Interface: GigabitEthernet0/0/0
 Interface: GigabitEthernet0/0/1
 NextHop: 3.3.3.1  MAC: 5254-0012-3513
 <--packets: 58851 bytes: 5,094,045  --> packets: 58851 bytes: 5,094,029
 1.1.1.2:4500[1.1.1.1:2049] --> 2.2.2.2:4500[192.168.1.1:4500]  PolicyName: ---

 udp  VPN: public --> public  ID: c487fb5ba7d8300f6b45758ad81
 Zone: trust --> trust  TTL: 00:02:00  Left: 00:01:58
 Recv Interface: GigabitEthernet0/0/0
 Interface: GigabitEthernet0/0/1
 NextHop: 3.3.3.1  MAC: 5254-0012-3513
 <--packets: 58858 bytes: 5,094,842  --> packets: 58857 bytes: 5,095,021
 1.1.1.3:4500[1.1.1.1:2048] --> 2.2.2.2:4500[192.168.2.1:4500]  PolicyName: ---
# On the SLB, check the virtual server and how sessions are distributed across the real servers.
[SLB] display slb vserver verbose vs1
Virtual Server Information(Total 1)
--------------------------------------------------------------------------------
Virtual Server Name     : vs1
Virtual Server ID       : 0
Virtual Server IP       : 2.2.2.2
Protocol                : udp
Virtual Server Port     : any
Http X-forward Enable   : Disable
Virtual Server Max-conn : --
Persistence Name/ID     : a/0
Persistence Type        : source-ip
Group Name              : grp1
Group ID                : 0
Current Connection      : 2
RserverID  IP Address    Weight  Status        Ratio   TotalSession  CurSession
0          192.168.1.1   1       Admin-Active  50.55%  10            2
0          192.168.2.1   1       Admin-Active  49.45%  11            2
--------------------------------------------------------------------------------
The Ratio column shows that sessions are shared almost evenly between FW_A and FW_B. Persistence Type: source-ip shows that all sessions from one eNodeB address go to the same real server; this is what keeps an eNodeB's IKE negotiation on UDP 500 and its later NAT-traversal IKE/ESP session on UDP 4500 on the same firewall. The commands in this example do not show how that persistence was configured, so verify on your own SLB that source-IP persistence is in effect for vs1 before relying on this output.
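The SLB above dispatches each new UDP session with `metric roundrobin`, and the `display slb vserver verbose` output shows `Persistence Type: source-ip`. The following added example (my own Python, not code from the original page or from the product) simulates why that persistence matters for IPSec: one eNodeB produces two UDP sessions, IKE on port 500 and then, after NAT detection, IKE plus ESP on port 4500, and if the two land on different firewalls the ESP arrives at a gateway that holds no SA for it. The peer addresses 1.1.1.2 to 1.1.1.4, the arrival order, and the persistence model are assumptions for the simulation, not the SLB's actual algorithm.

```python
"""Added example (not from the original page): simulate how an SLB that
dispatches per UDP session treats the two sessions one IPsec peer creates,
with plain round robin versus source-IP persistence."""
from dataclasses import dataclass

# Real servers from the page: FW_A and FW_B.
REAL_SERVERS = ["192.168.1.1", "192.168.2.1"]
# Constructed sample peers (the page's session table shows 1.1.1.2 and 1.1.1.3).
PEERS = ["1.1.1.2", "1.1.1.3", "1.1.1.4"]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int  # 500: IKE; 4500: IKE and ESP with UDP encapsulation (NAT-T)


class RoundRobinSLB:
    """Every new session goes to the next real server, whoever sent it."""

    def __init__(self, servers):
        self.servers, self.cursor = list(servers), 0

    def pick(self, flow):
        server = self.servers[self.cursor % len(self.servers)]
        self.cursor += 1
        return server


class SourceIpPersistentSLB(RoundRobinSLB):
    """Round robin for the first session from a source IP; later sessions from
    the same IP stick to the server chosen then (a simplified persistence model)."""

    def __init__(self, servers):
        super().__init__(servers)
        self.table = {}

    def pick(self, flow):
        if flow.src_ip not in self.table:
            self.table[flow.src_ip] = super().pick(flow)
        return self.table[flow.src_ip]


def arrival_order(peers):
    """Constructed arrival order: each peer opens IKE on UDP 500; after NAT
    detection every peer moves IKE and ESP to UDP 4500, a second session."""
    return [Flow(ip, 500) for ip in peers] + [Flow(ip, 4500) for ip in peers]


def distribute(slb, peers):
    """Return {peer_ip: {dst_port: real_server}} as the SLB assigns each session."""
    result = {ip: {} for ip in peers}
    for flow in arrival_order(peers):
        result[flow.src_ip][flow.dst_port] = slb.pick(flow)
    return result


def split_peers(result):
    """Peers whose UDP 500 and UDP 4500 sessions landed on different gateways.
    The IKE SA then exists on one FW while the ESP arrives at the other, which
    has no SA for that SPI and discards it: the tunnel never carries traffic."""
    return sorted(ip for ip, by_port in result.items() if len(set(by_port.values())) > 1)


def sessions_per_server(result):
    """How many of the UDP sessions each real server received."""
    counts = {server: 0 for server in REAL_SERVERS}
    for by_port in result.values():
        for server in by_port.values():
            counts[server] += 1
    return counts


if __name__ == "__main__":
    for label, slb in (("roundrobin", RoundRobinSLB(REAL_SERVERS)),
                       ("source-ip persistence", SourceIpPersistentSLB(REAL_SERVERS))):
        result = distribute(slb, PEERS)
        print(f"{label}: sessions {sessions_per_server(result)}, broken peers {split_peers(result)}")
```

With three peers and two gateways, plain round robin spreads the six sessions 3/3 but splits every peer's IKE and NAT-T sessions across FW_A and FW_B, so no tunnel works; source-IP persistence keeps each peer whole at the cost of a less even 4/2 split, which is the trade-off the Ratio column in the output above reflects.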
# On FW_A, check the IPSec SAs. Tunnel remote is the SLB's address 192.168.1.2 rather than the eNodeB's, and UDP encapsulation is Y, because the SLB translates the eNodeB's address and the tunnel therefore runs in NAT traversal mode.
[FW_A] display ipsec sa
2016-06-13 05:49:46.570

ipsec sa information:
===============================
Interface: GigabitEthernet0/0/1
===============================

  -----------------------------
  IPSec policy name: "map1"
  Sequence number  : 1
  Acl group        : 3000
  Acl rule         : 5
  Mode             : Template
  -----------------------------
    Connection ID     : 339
    Encapsulation mode: Tunnel
    Tunnel local      : 192.168.1.1
    Tunnel remote     : 192.168.1.2
    Flow source       : 10.1.1.0/255.255.255.0 0/0
    Flow destination  : 10.1.4.0/255.255.255.255 0/0

    [Outbound ESP SAs]
      SPI: 1534118999 (0x5b70cc57)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 10485760/3490
      Max sent sequence-number: 1
      UDP encapsulation used for NAT traversal: Y
      SA encrypted packets (number/bytes): 0/0

    [Inbound ESP SAs]
      SPI: 1743339630 (0x67e9406e)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 10485760/3490
      Max received sequence-number: 1
      UDP encapsulation used for NAT traversal: Y
      SA decrypted packets (number/bytes): 0/0
      Anti-replay : Enable
      Anti-replay window size: 1024
Configuration script of the SLB:
#
 sysname SLB
#
 slb enable
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 192.168.2.2 255.255.255.0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
 add interface GigabitEthernet0/0/3
#
slb
 group 1 grp1
  metric roundrobin
  rserver 1 rip 192.168.1.1 weight 1
  rserver 2 rip 192.168.2.1 weight 1
 vserver 1 vs1
  vip 1 2.2.2.2
  protocol udp
  vport any
  group grp1
#
security-policy
 rule name untrust_dmz_inbound
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.1.0 24
  destination-address 192.168.2.0 24
  action permit
#
return
Configuration script of FW_A:
#
acl 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike peer enodeb
 pre-shared-key %^%#yUSb-oM,AZO>QmMci+eB\/F:JAxu6=[J-`VrlXeF%^%#
 ike-proposal 10
#
ipsec policy-template template 1
 security acl 3000
 ike-peer enodeb
 proposal tran1
#
ipsec policy map1 10 isakmp template template
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 ipsec policy map1
#
interface GigabitEthernet0/0/2
 ip address 10.1.2.1 255.255.255.0
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone trust
 add interface GigabitEthernet0/0/2
#
security-policy
 rule name ipsec_tu
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec_ut
  source-zone untrust
  destination-zone trust
  destination-address 10.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec_lu
  source-zone local
  destination-zone untrust
  source-address 192.168.1.1 mask 255.255.255.255
  action permit
 rule name ipsec_ul
  source-zone untrust
  destination-zone local
  destination-address 192.168.1.1 mask 255.255.255.255
  action permit
#
ip route-static 10.1.1.0 255.255.255.0 10.1.2.2
ip route-static 0.0.0.0 0.0.0.0 192.168.1.2
#
return
Configuration script of FW_B:
#
acl 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group2
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike peer enodeb
 pre-shared-key %^%#yUSb-oM,AZO>QmMci+eB\/F:JAxu6=[J-`VrlXeF%^%#
 ike-proposal 10
#
ipsec policy-template template 1
 security acl 3000
 ike-peer enodeb
 proposal tran1
#
ipsec policy map1 10 isakmp template template
#
interface GigabitEthernet0/0/1
 ip address 192.168.2.1 255.255.255.0
 ipsec policy map1
#
interface GigabitEthernet0/0/2
 ip address 10.1.3.1 255.255.255.0
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone trust
 add interface GigabitEthernet0/0/2
#
ip route-static 10.1.1.0 255.255.255.0 10.1.3.2
ip route-static 0.0.0.0 0.0.0.0 192.168.2.2
#
security-policy
 rule name ipsec_tu
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec_ut
  source-zone untrust
  destination-zone trust
  destination-address 10.1.1.0 mask 255.255.255.0
  action permit
 rule name ipsec_lu
  source-zone local
  destination-zone untrust
  source-address 192.168.2.1 mask 255.255.255.255
  action permit
 rule name ipsec_ul
  source-zone untrust
  destination-zone local
  destination-address 192.168.2.1 mask 255.255.255.255
  action permit
#
return
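As a check on scripts like the FW_A and FW_B ones above, the following added example (my own Python, not a Huawei tool and not from the original page) parses a saved-configuration-style script and verifies the IPSec wiring the procedure depends on: the policy template references an existing ACL with a permit rule, an existing IKE peer and IPSec proposal; the IPSec policy references the template and is applied to an interface; and a security-policy rule permits Untrust to Local, the IKE negotiation path discussed earlier. It also warns on dh group1/group2. The sample script is constructed from the page's FW_A configuration, and the stanza layout (one-space indentation, `#` separators) is an assumption about the script format.

```python
"""Added example (not from the original page): lint a VRP-style firewall script
for the IPsec wiring that the procedure above depends on."""
import re

# Constructed sample modelled on the page's FW_A script (one-space indentation as in a
# saved configuration); it includes the interface binding and the untrust->local rule.
SAMPLE_FW_A = """\
#
acl 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp encryption-algorithm aes-256
#
ike proposal 10
 dh group2
 authentication-method pre-share
#
ike peer enodeb
 pre-shared-key Admin@123
 ike-proposal 10
#
ipsec policy-template template 1
 security acl 3000
 ike-peer enodeb
 proposal tran1
#
ipsec policy map1 10 isakmp template template
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 ipsec policy map1
#
security-policy
 rule name ipsec_ul
  source-zone untrust
  destination-zone local
  action permit
#
return
"""
WEAK_DH = {"group1", "group2"}  # 768-bit and 1024-bit MODP


def parse_stanzas(text):
    """Split a script into (header, [stripped sub-lines]); '#' and 'return' end a stanza."""
    stanzas, current = [], None
    for raw in text.splitlines():
        if raw.strip() in ("", "#", "return"):
            current = None
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            stanzas.append(current)
    return stanzas


def lint(text):
    """Return a list of 'ERR ...' / 'WARN ...' strings; an empty list means the wiring is complete."""
    st = parse_stanzas(text)
    findings = []

    def by(prefix):  # by("ike peer") -> {"enodeb": [sub-lines]}
        n = len(prefix.split())
        return {h.split()[n]: sub for h, sub in st if h.startswith(prefix + " ")}

    def check(ok, msg):
        if not ok:
            findings.append(msg)

    acls, ipsec_props, ike_props = by("acl"), by("ipsec proposal"), by("ike proposal")
    peers, templates = by("ike peer"), by("ipsec policy-template")
    for name, sub in templates.items():
        ref = {line.split()[0]: line.split()[-1] for line in sub}  # 'security acl 3000' -> security: 3000
        acl = ref.get("security")
        check(acl in acls, f"ERR template {name}: security acl {acl} is not defined")
        check(acl not in acls or any(" permit " in rule for rule in acls[acl]),
              f"ERR template {name}: acl {acl} has no permit rule, nothing is protected")
        check(ref.get("ike-peer") in peers, f"ERR template {name}: ike-peer {ref.get('ike-peer')} is not defined")
        check(ref.get("proposal") in ipsec_props,
              f"ERR template {name}: ipsec proposal {ref.get('proposal')} is not defined")
    for name, sub in peers.items():
        prop = next((line.split()[1] for line in sub if line.startswith("ike-proposal ")), None)
        check(prop in ike_props, f"ERR ike peer {name}: ike proposal {prop} is not defined")
        dh = next((line.split()[1] for line in ike_props.get(prop, []) if line.startswith("dh ")), None)
        check(dh not in WEAK_DH, f"WARN ike proposal {prop}: dh {dh} is weak, prefer group14 or stronger")
    bound = {line.split()[2] for h, sub in st if h.startswith("interface ")
             for line in sub if line.startswith("ipsec policy ")}
    for h, _ in st:
        m = re.match(r"ipsec policy (\S+) \d+ isakmp template (\S+)$", h)
        if m:
            check(m.group(2) in templates, f"ERR ipsec policy {m.group(1)}: template {m.group(2)} is not defined")
            check(m.group(1) in bound, f"ERR ipsec policy {m.group(1)}: not applied to any interface")
    # One rule must let IKE from the Untrust zone reach the firewall itself (Local zone).
    policy = "\n".join(line for h, sub in st if h == "security-policy" for line in sub)
    check(any({"source-zone untrust", "destination-zone local", "action permit"} <= set(r.splitlines())
              for r in policy.split("rule name ")[1:]),
          "ERR security-policy: no untrust->local permit rule, IKE from the peer is dropped")
    return findings
```

Run against the sample, `lint` reports only the dh group2 warning; remove the `ipsec policy map1` line from the interface stanza or point the template at a non-existent ACL and it reports the missing binding or reference, which are the two omissions that leave a template-based responder silently never negotiating.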