< Home

CLI: Example for Configuring Multiple Virtual Systems to Establish IPSec VPN Tunnels with the Peer Gateway Using Independent Public IP Addresses

This example describes how to configure virtual systems to establish IPSec VPN tunnels with the peer gateway using independent public IP addresses.

Networking Requirements

As shown in Figure 1, multiple WAN interfaces are configured on FW_A and each WAN interface has an independent public IP address. Assign the WAN interfaces to different virtual systems, configure IPSec policies for the virtual systems, and apply the IPSec policies to the WAN interfaces to make the virtual systems establish IPSec VPN tunnels with the peer gateway using independent public IP addresses. As a result, the virtual systems can communicate with the peer network securely.

Figure 1 Networking for configuring multiple virtual systems to establish IPSec VPN tunnels with the peer gateway using independent public IP addresses

Data Planning

Item

Data

FW_A

vsysa

WAN interface: GE0/0/1

IP address of the WAN interface: 1.1.1.1/24

Security zone of the WAN interface: Untrust

LAN interface: GE0/0/2

IP address of the LAN interface: 10.1.0.1/24

IP address range of the LAN interface: 10.1.0.0/24

Security zone of the LAN interface: Trust
IPSec configuration

Peer IP address: 3.3.3.3/24

Authentication mode: pre-shared key

Pre-shared key: Admin@123

Local ID: IP address

Peer ID: any

vsysb

WAN interface: GE0/0/3

IP address of the WAN interface: 2.2.2.2/24

Security zone of the WAN interface: Untrust

LAN interface: GE0/0/4

IP address of the LAN interface: 10.2.0.1/24

IP address range of the LAN interface: 10.2.0.0/24

Security zone of the LAN interface: Trust
IPSec configuration

Peer IP address: 4.4.4.4/24

Authentication mode: pre-shared key

Pre-shared key: Admin@123

Local ID: IP address

Peer ID: any

FW_B

Interface: GE0/0/1

IP address: 3.3.3.3/24

Security zone of the interface: Untrust

Interface: GE0/0/2

IP address: 10.3.0.1/24

IP address range of the LAN interface: 10.3.0.0/24

Security zone of the interface: Trust
IPSec configuration

Peer IP address: 1.1.1.1/24

Authentication mode: pre-shared key

Pre-shared key: Admin@123

Local ID: IP address

Peer ID: any

FW_C

Interface: GE0/0/1

IP address: 4.4.4.4/24

Security zone of the interface: Untrust

Interface: GE0/0/2

IP address: 10.4.0.1/24

IP address range of the LAN interface: 10.4.0.0/24

Security zone of the interface: Trust
IPSec configuration

Peer IP address: 2.2.2.2/24

Authentication mode: pre-shared key

Pre-shared key: Admin@123

Local ID: IP address

Peer ID: any

Configuration Roadmap

The configuration roadmap is the same in vsysa and vsysb, and on FW_B and FW_C. This section uses vsysa and FW_B as examples to describe how to configure virtual systems to establish IPSec VPN tunnels with the peer gateway using independent public IP addresses. For configurations of vsysb and FW_C, see those of vsysa and FW_B.

  • For FW_A:

    1. In the root system, create virtual system vsysa and allocate resources to it.
    2. Complete basic configurations of interfaces, routes, and security policies in vsysa.
    3. Configure IPSec policies in vsysa, including basic IPSec policy information, data flow to be protected by IPSec, and negotiation parameters of security proposals.

  • For FW_B:

    1. Complete basic interface configurations.
    2. Configure security policies to allow specific subnets to communicate.
    3. Configure a route to the peer virtual system.
    4. Configure IPSec policies, including basic IPSec policy information, data flow to be protected by IPSec, and negotiation parameters of security proposals.

Procedure

  • Configure FW_A.
    1. Enable virtual systems. 

      <sysname> system-view
[sysname] sysname FW_A
[FW_A] vsys enable

    2. Create virtual system vsysa and allocate resources to it.

      # Configure resource class r1 and set the reserved number and maximum number of IPSec tunnels.

      [FW_A] resource-class r1
[FW_A-resource-class-r1] resource-item-limit ipsec-tunnel reserved-number 10 maximum 500
[FW_A-resource-class-r1] quit

      # Create virtual system vsysa.

      [FW_A] vsys name vsysa
[FW_A-vsys-vsysa] assign interface GigabitEthernet 0/0/1
[FW_A-vsys-vsysa] assign interface GigabitEthernet 0/0/2
[FW_A-vsys-vsysa] assign resource-class r1
[FW_A-vsys-vsysa] quit

    3. Access vsysa and configure parameters for GE0/0/1 and GE0/0/2.

      # Configure GE0/0/1.

      [FW_A] switch vsys vsysa
<FW_A-vsysa> system-view
[FW_A-vsysa] interface GigabitEthernet 0/0/1
[FW_A-vsysa-GigabitEthernet0/0/1] ip address 1.1.1.1 255.255.255.0
[FW_A-vsysa-GigabitEthernet0/0/1] quit

      # Configure GE0/0/2.

      [FW_A-vsysa] interface GigabitEthernet 0/0/2
[FW_A-vsysa-GigabitEthernet0/0/2] ip address 10.1.0.1 255.255.255.0
[FW_A-vsysa-GigabitEthernet0/0/2] quit

    4. Assign interfaces to security zones.

      # Add GE0/0/2 to the Trust zone.

      [FW_A-vsysa] firewall zone trust
[FW_A-vsysa-zone-trust] add interface GigabitEthernet 0/0/2
[FW_A-vsysa-zone-trust] quit

      # Add GE0/0/1 to the Untrust zone.

      [FW_A-vsysa] firewall zone untrust
[FW_A-vsysa-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_A-vsysa-zone-untrust] quit

    5. Configure a route to the peer network and a default route to the Internet. Assume that the next-hop IP address of the route from vsysa to the Internet is 1.1.1.2.

      # Configure a route to the peer network.

      [FW_A-vsysa] ip route-static 10.3.0.0 255.255.255.0 1.1.1.2

      # Configure a default route to the Internet.

      [FW_A-vsysa] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

    6. Configure interzone security policies.

      # Configure a security policy from the Trust zone to the Untrust zone.

      [FW_A-vsysa] security-policy
[FW_A-vsysa-policy-security] rule name sec_policy_1
[FW_A-vsysa-policy-security-rule-sec_policy_1] source-zone trust
[FW_A-vsysa-policy-security-rule-sec_policy_1] destination-zone untrust
[FW_A-vsysa-policy-security-rule-sec_policy_1] source-address 10.1.0.0 mask 255.255.255.0
[FW_A-vsysa-policy-security-rule-sec_policy_1] destination-address 10.3.0.0 mask 255.255.255.0
[FW_A-vsysa-policy-security-rule-sec_policy_1] action permit
[FW_A-vsysa-policy-security-rule-sec_policy_1] quit

      # Configure a security policy from the Untrust zone to the Trust zone.

      [FW_A-vsysa-policy-security] rule name sec_policy_2
[FW_A-vsysa-policy-security-rule-sec_policy_2] source-zone untrust
[FW_A-vsysa-policy-security-rule-sec_policy_2] destination-zone trust
[FW_A-vsysa-policy-security-rule-sec_policy_2] source-address 10.3.0.0 mask 255.255.255.0
[FW_A-vsysa-policy-security-rule-sec_policy_2] destination-address 10.1.0.0 mask 255.255.255.0
[FW_A-vsysa-policy-security-rule-sec_policy_2] action permit
[FW_A-vsysa-policy-security-rule-sec_policy_2] quit

      # Configure a security policy from the Local zone to the Untrust zone.

      [FW_A-vsysa-policy-security] rule name sec_policy_3
[FW_A-vsysa-policy-security-rule-sec_policy_3] source-zone local
[FW_A-vsysa-policy-security-rule-sec_policy_3] destination-zone untrust
[FW_A-vsysa-policy-security-rule-sec_policy_3] source-address 1.1.1.1 mask 255.255.255.255
[FW_A-vsysa-policy-security-rule-sec_policy_3] destination-address 3.3.3.3 mask 255.255.255.255
[FW_A-vsysa-policy-security-rule-sec_policy_3] action permit
[FW_A-vsysa-policy-security-rule-sec_policy_3] quit

      # Configure a security policy from the Untrust zone to the Local zone.

      [FW_A-vsysa-policy-security] rule name sec_policy_4
[FW_A-vsysa-policy-security-rule-sec_policy_4] source-zone untrust
[FW_A-vsysa-policy-security-rule-sec_policy_4] destination-zone local
[FW_A-vsysa-policy-security-rule-sec_policy_4] source-address 3.3.3.3 mask 255.255.255.255
[FW_A-vsysa-policy-security-rule-sec_policy_4] destination-address 1.1.1.1 mask 255.255.255.255
[FW_A-vsysa-policy-security-rule-sec_policy_4] action permit
[FW_A-vsysa-policy-security-rule-sec_policy_4] quit
[FW_A-vsysa-policy-security] quit

      The local-untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP and port 500 for UDP (port 4500 also in NAT traversal scenarios).

    7. Configure an IPSec policy in vsysa and apply the IPSec policy to the interface.

      1. Define the data flow to be protected. Configure an advanced ACL 3000, allowing network segment 10.1.0.0/24 to access network segment 10.3.0.0/24.

        [FW_A-vsysa] acl 3000
[FW_A-vsysa-acl-adv-3000] rule 5 permit ip source 10.1.0.0 0.0.0.255 destination 10.3.0.0 0.0.0.255
[FW_A-vsysa-acl-adv-3000] quit

      2. Configure an IPSec proposal. If you use the default parameters, skip this step.

        [FW_A-vsysa] ipsec proposal tran1
[FW_A-vsysa-ipsec-proposal-tran1] encapsulation-mode auto
[FW_A-vsysa-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_A-vsysa-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_A-vsysa-ipsec-proposal-tran1] quit

      3. Configure an IKE proposal.

        [FW_A-vsysa] ike proposal 1
[FW_A-vsysa-ike-proposal-1] encryption-algorithm aes-256
[FW_A-vsysa-ike-proposal-1] authentication-algorithm sha2-256
[FW_A-vsysa-ike-proposal-1] authentication-method pre-share
[FW_A-vsysa-ike-proposal-1] integrity-algorithm hmac-sha2-256
[FW_A-vsysa-ike-proposal-1] prf hmac-sha2-256
[FW_A-vsysa-ike-proposal-1] dh group2
[FW_A-vsysa-ike-proposal-1] quit

      4. Configure an IKE peer.

        [FW_A-vsysa] ike peer a
[FW_A-vsysa-ike-peer-a] ike-proposal 1
[FW_A-vsysa-ike-peer-a] remote-address 3.3.3.3
[FW_A-vsysa-ike-peer-a] pre-shared-key Admin@123
[FW_A-vsysa-ike-peer-a] quit

      5. Create an IPSec policy.

        [FW_A-vsysa] ipsec policy ipsec1 1 isakmp
[FW_A-vsysa-ipsec-policy-isakmp-ipsec1-1] security acl 3000
[FW_A-vsysa-ipsec-policy-isakmp-ipsec1-1] proposal tran1
[FW_A-vsysa-ipsec-policy-isakmp-ipsec1-1] ike-peer a
[FW_A-vsysa-ipsec-policy-isakmp-ipsec1-1] quit

      6. Apply IPSec policy group ipsec1 to GigabitEthernet 0/0/1.

        [FW_A-vsysa] interface GigabitEthernet 0/0/1
[FW_A-vsysa-GigabitEthernet0/0/1] ipsec policy ipsec1
[FW_A-vsysa-GigabitEthernet0/0/1] quit

  • Configure FW_B.
    1. Configure parameters for GE0/0/1 and GE0/0/2.

      # Configure GE0/0/1.

      <sysname> system-view
[sysname] sysname FW_B
[FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] ip address 3.3.3.3 255.255.255.0
[FW_B-GigabitEthernet0/0/1] quit

      # Configure GE0/0/2.

      [FW_B] interface GigabitEthernet 0/0/2
[FW_B-GigabitEthernet0/0/2] ip address 10.3.0.1 255.255.255.0
[FW_B-GigabitEthernet0/0/2] quit

    2. Assign interfaces to security zones.

      # Add GE0/0/2 to the Trust zone.

      [FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 0/0/2
[FW_B-zone-trust] quit

      # Add GE0/0/1 to the Untrust zone.

      [FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_B-zone-untrust] quit

    3. Configure a route to the peer network and a default route to the Internet. Assume that the next-hop IP address of the route from FW_B to the Internet is 3.3.3.4.

      # Configure a route to the peer network.

      [FW_B] ip route-static 10.1.0.0 255.255.255.0 3.3.3.4

      # Configure a default route to the Internet.

      [FW_B] ip route-static 0.0.0.0 0.0.0.0 3.3.3.4

    4. Configure interzone security policies.

      # Configure a security policy from the Trust zone to the Untrust zone.

      [FW_B] security-policy
[FW_B-policy-security] rule name sec_policy_1
[FW_B-policy-security-rule-sec_policy_1] source-zone trust
[FW_B-policy-security-rule-sec_policy_1] destination-zone untrust
[FW_B-policy-security-rule-sec_policy_1] source-address 10.3.0.0 mask 255.255.255.0
[FW_B-policy-security-rule-sec_policy_1] destination-address 10.1.0.0 mask 255.255.255.0
[FW_B-policy-security-rule-sec_policy_1] action permit
[FW_B-policy-security-rule-sec_policy_1] quit

      # Configure a security policy from the Untrust zone to the Trust zone.

      [FW_B-policy-security] rule name sec_policy_2
[FW_B-policy-security-rule-sec_policy_2] source-zone untrust
[FW_B-policy-security-rule-sec_policy_2] destination-zone trust
[FW_B-policy-security-rule-sec_policy_2] source-address 10.1.0.0 mask 255.255.255.0
[FW_B-policy-security-rule-sec_policy_2] destination-address 10.3.0.0 mask 255.255.255.0
[FW_B-policy-security-rule-sec_policy_2] action permit
[FW_B-policy-security-rule-sec_policy_2] quit

      # Configure a security policy from the Local zone to the Untrust zone.

      [FW_B-policy-security] rule name sec_policy_3
[FW_B-policy-security-rule-sec_policy_3] source-zone local
[FW_B-policy-security-rule-sec_policy_3] destination-zone untrust
[FW_B-policy-security-rule-sec_policy_3] source-address 3.3.3.3 mask 255.255.255.255
[FW_B-policy-security-rule-sec_policy_3] destination-address 1.1.1.1 mask 255.255.255.255
[FW_B-policy-security-rule-sec_policy_3] action permit
[FW_B-policy-security-rule-sec_policy_3] quit

      # Configure a security policy from the Untrust zone to the Local zone.

      [FW_B-policy-security] rule name sec_policy_4
[FW_B-policy-security-rule-sec_policy_4] source-zone untrust
[FW_B-policy-security-rule-sec_policy_4] destination-zone local
[FW_B-policy-security-rule-sec_policy_4] source-address 1.1.1.1 mask 255.255.255.255
[FW_B-policy-security-rule-sec_policy_4] destination-address 3.3.3.3 mask 255.255.255.255
[FW_B-policy-security-rule-sec_policy_4] action permit
[FW_B-policy-security-rule-sec_policy_4] quit
[FW_B-policy-security] quit

      The local-untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP and port 500 for UDP (port 4500 also in NAT traversal scenarios).

    5. Configure an IPSec policy on FW_B and apply the IPSec policy to the interface.

      1. Define the data flow to be protected. Configure an advanced ACL 3000, allowing network segment 10.3.0.0/24 to access network segment 10.1.0.0/24.

        [FW_B] acl 3000
[FW_B-acl-adv-3000] rule 5 permit ip source 10.3.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
[FW_B-acl-adv-3000] quit

      2. Configure an IPSec proposal. If you use the default parameters, skip this step.

        [FW_B] ipsec proposal tran1
[FW_B-ipsec-proposal-tran1] encapsulation-mode auto
[FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_B-ipsec-proposal-tran1] quit

      3. Configure an IKE proposal.

        [FW_B] ike proposal 1
[FW_B-ike-proposal-1] encryption-algorithm aes-256
[FW_B-ike-proposal-1] authentication-algorithm sha2-256
[FW_B-ike-proposal-1] authentication-method pre-share
[FW_B-ike-proposal-1] integrity-algorithm hmac-sha2-256
[FW_B-ike-proposal-1] prf hmac-sha2-256
[FW_B-ike-proposal-1] dh group2
[FW_B-ike-proposal-1] quit

      4. Configure an IKE peer.

        [FW_B] ike peer a
[FW_B-ike-peer-a] ike-proposal 1
[FW_B-ike-peer-a] remote-address 1.1.1.1
[FW_B-ike-peer-a] pre-shared-key Admin@123
[FW_B-ike-peer-a] quit

      5. Create an IPSec policy.

        [FW_B] ipsec policy ipsec1 1 isakmp
[FW_B-ipsec-policy-isakmp-ipsec1-1] security acl 3000
[FW_B-ipsec-policy-isakmp-ipsec1-1] proposal tran1
[FW_B-ipsec-policy-isakmp-ipsec1-1] ike-peer a
[FW_B-ipsec-policy-isakmp-ipsec1-1] quit

      6. Apply IPSec policy group ipsec1 to GigabitEthernet 0/0/1.

        [FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] ipsec policy ipsec1
[FW_B-GigabitEthernet0/0/1] quit

Verification

  1. After the configuration is complete, run the ping command on the PC in network A to trigger IKE negotiation.

    If the IKE negotiation succeeds, a tunnel is established and the PC in network C can be pinged. If the IKE negotiation fails, no tunnel is established and the PC in network C cannot be pinged.

  2. On FW_A and FW_B, run the display ike sa and display ipsec sa commands to check whether the SAs are established. Take FW_B as an example. If the following information is displayed, the IKE and IPSec SAs are successfully established. 

    <FW_B> display ike sa      
                                                                                
Ike sa information :                                                            
    Conn-ID       Peer            VPN            Flag(s)                Phase
  ------------------------------------------------------------------------------
    16777239      1.1.1.1                        RD|ST|A                v2:2
    16777232      1.1.1.1                        RD|ST|A                v2:1
                                                                                
  Number of SA entries  : 2                                                     
                                                                                
  Number of SA entries of all cpu : 2                                           
                                                                                
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

    <FW_B> display ipsec sa      
                                                                                
ipsec sa information:                                                           
                                                                                
===============================                                                  
Interface: GigabitEthernet0/0/1                                               
===============================                                                 
                                                                                
  -----------------------------                                                 
  IPSec policy name: "ipsec1"                                                     
  Sequence number  : 1                                                          
  Acl group        : 3000                                                       
  Acl rule         : 5                                                         
  Mode             : ISAKMP                                                     
  -----------------------------                                                 
    Connection ID     : 83903371                                                
    Encapsulation mode: Tunnel                                                  
    Tunnel local      : 3.3.3.3                                             
    Tunnel remote     : 1.1.1.1                                               
    Flow source       : 10.3.0.1/255.255.255.255 0/0                           
    Flow destination  : 10.1.0.1/255.255.255.255 0/0                           
                                                                                
    [Outbound ESP SAs]                                                          
      SPI: 763065754 (0x2d7b759a)                                               
      Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128                                
      SA remaining key duration (kilobytes/sec): 0/3079                         
      Max sent sequence-number: 1                                               
      UDP encapsulation used for NAT traversal: N                               
      SA encrypted packets (number/kilobytes): 4/0   
                                                                                
    [Inbound ESP SAs]                                                           
      SPI: 163241969 (0x9badff1)                                                
      Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128                                
      SA remaining key duration (kilobytes/sec): 0/3079                         
      Max received sequence-number: 3203668                                     
      UDP encapsulation used for NAT traversal: N 
      SA decrypted packets (number/kilobytes): 4/0                              
      Anti-replay : Disable

Configuration Scripts

The configuration script of the root system on FW_A:

#
sysname FW_A
#
vsys enable 
#
resource-class r1
 resource-item-limit ipsec-tunnel reserved-number 10 maximum 500
#
vsys name vsysa 1
 assign interface GigabitEthernet0/0/1
 assign interface GigabitEthernet0/0/2
 assign resource-class r1
#
vsys name vsysb 2
 assign interface GigabitEthernet0/0/3
 assign interface GigabitEthernet0/0/4
 assign resource-class r1
#
interface GigabitEthernet0/0/1
 ip binding vpn-instance vsysa
 ip address 1.1.1.1 255.255.255.0
 ipsec policy ipsec1
#
interface GigabitEthernet0/0/2
 ip binding vpn-instance vsysa
 ip address 10.1.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip binding vpn-instance vsysb
 ip address 2.2.2.2 255.255.255.0
 ipsec policy ipsec2
#
interface GigabitEthernet0/0/4
 ip binding vpn-instance vsysb
 ip address 10.2.0.1 255.255.255.0

The configuration script of vsysa on FW_A:

#
switch vsys vsysa 
#
acl number 3000
 rule 5 permit ip source 10.1.0.0 0.0.0.255 destination 10.3.0.0 0.0.0.255 
#
ipsec proposal tran1
 encapsulation-mode auto
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal 1
 encryption-algorithm aes-256 
 dh group2 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
ike peer a
 exchange-mode auto
 pre-shared-key %^%#m`wdHMo4eVMY2&*+hDV~BbN&<=zoQ@d{n%=**qR6%^%#
 ike-proposal 1
 remote-id-type ip
 remote-id 3.3.3.3
 local-id 1.1.1.1
 remote-address 3.3.3.3 
#
ipsec policy ipsec1 1 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet0/0/1
 ip binding vpn-instance vsysa
 ip address 1.1.1.1 255.255.255.0
 ipsec policy ipsec1
#
interface GigabitEthernet0/0/2
 ip binding vpn-instance vsysa
 ip address 10.1.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
security-policy
 rule name sec_policy_1
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.255.0
  destination-address 10.3.0.0 mask 255.255.255.0
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone trust
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.1.0.0 mask 255.255.255.0
  action permit
 rule name sec_policy_3
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 mask 255.255.255.255
  destination-address 3.3.3.3 mask 255.255.255.255
  action permit
 rule name sec_policy_4
  source-zone untrust
  destination-zone local
  source-address 3.3.3.3 mask 255.255.255.255
  destination-address 1.1.1.1 mask 255.255.255.255
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
ip route-static 10.3.0.0 255.255.255.0 1.1.1.2
#
return

The configuration script of vsysb on FW_A:

#
switch vsys vsysb 
#
acl number 3001
 rule 5 permit ip source 10.2.0.0 0.0.0.255 destination 10.4.0.0 0.0.0.255 
#
ipsec proposal tran2
 encapsulation-mode auto
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal 2
 encryption-algorithm aes-256 
 dh group2 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
ike peer b
 exchange-mode auto
 pre-shared-key %^%#m`wdHMo4eVMY2&*+hDV~BbN&<=zoQ@d{n%=**qR6%^%#
 ike-proposal 2
 remote-id-type ip
 remote-id 4.4.4.4
 local-id 2.2.2.2
 remote-address 4.4.4.4 
#
ipsec policy ipsec2 1 isakmp
 security acl 3001
 ike-peer b
 proposal tran2
#
interface GigabitEthernet0/0/3
 ip binding vpn-instance vsysb
 ip address 2.2.2.2 255.255.255.0
 ipsec policy ipsec2
#
interface GigabitEthernet0/0/4
 ip binding vpn-instance vsysb
 ip address 10.2.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/4
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/3
#
security-policy
 rule name sec_policy_1
  source-zone trust
  destination-zone untrust
  source-address 10.2.0.0 mask 255.255.255.0
  destination-address 10.4.0.0 mask 255.255.255.0
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone trust
  source-address 10.4.0.0 mask 255.255.255.0
  destination-address 10.2.0.0 mask 255.255.255.0
  action permit
 rule name sec_policy_3
  source-zone local
  destination-zone untrust
  source-address 2.2.2.2 mask 255.255.255.255
  destination-address 4.4.4.4 mask 255.255.255.255
  action permit
 rule name sec_policy_4
  source-zone untrust
  destination-zone local
  source-address 4.4.4.4 mask 255.255.255.255
  destination-address 2.2.2.2 mask 255.255.255.255
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.3
ip route-static 10.4.0.0 255.255.255.0 2.2.2.3
#
return

The configuration script on FW_B:

#
sysname FW_B
#
acl number 3000
 rule 5 permit ip source 10.3.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255 
#
ipsec proposal tran1
 encapsulation-mode auto
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal 1
 encryption-algorithm aes-256 
 dh group2 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
ike peer a
 exchange-mode auto
 pre-shared-key %^%#@ama1^ws3/PX+B.f~tnNDy(q~gjoR%dmP6.\U#5~%^%#
 ike-proposal 1
 remote-id-type ip
 remote-id 1.1.1.1
 local-id 3.3.3.3
 remote-address 1.1.1.1 
#
ipsec policy ipsec1 1 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet0/0/1
 ip address 3.3.3.3 255.255.255.0
 ipsec policy ipsec1
#
interface GigabitEthernet0/0/2
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 3.3.3.4
ip route-static 10.1.0.0 255.255.255.0 3.3.3.4
#
security-policy
 rule name sec_policy_1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.1.0.0 mask 255.255.255.0
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone trust
  source-address 10.1.0.0 mask 255.255.255.0
  destination-address 10.3.0.0 mask 255.255.255.0
  action permit
 rule name sec_policy_3
  source-zone local
  destination-zone untrust
  source-address 3.3.3.3 mask 255.255.255.255
  destination-address 1.1.1.1 mask 255.255.255.255
  action permit
 rule name sec_policy_4
  source-zone untrust
  destination-zone local
  source-address 1.1.1.1 mask 255.255.255.255
  destination-address 3.3.3.3 mask 255.255.255.255
  action permit

The configuration script on FW_C:

#
sysname FW_C
#
acl number 3000
 rule 5 permit ip source 10.4.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255 
#
ipsec proposal tran1
 encapsulation-mode auto
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal 1
 encryption-algorithm aes-256 
 dh group2 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
ike peer a
 exchange-mode auto
 pre-shared-key %^%#@ama1^ws3/PX+B.f~tnNDy(q~gjoR%dmP6.\U#5~%^%#
 ike-proposal 1
 remote-id-type ip
 remote-id 2.2.2.2
 local-id 4.4.4.4
 remote-address 2.2.2.2
#
ipsec policy ipsec1 1 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet0/0/1
 ip address 4.4.4.4 255.255.255.0
 ipsec policy ipsec1
#
interface GigabitEthernet0/0/2
 ip address 10.4.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 4.4.4.5
ip route-static 10.1.0.0 255.255.255.0 4.4.4.5
#
security-policy
 rule name sec_policy_1
  source-zone trust
  destination-zone untrust
  source-address 10.4.0.0 mask 255.255.255.0
  destination-address 10.2.0.0 mask 255.255.255.0
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone trust
  source-address 10.2.0.0 mask 255.255.255.0
  destination-address 10.4.0.0 mask 255.255.255.0
  action permit
 rule name sec_policy_3
  source-zone local
  destination-zone untrust
  source-address 4.4.4.4 mask 255.255.255.255
  destination-address 2.2.2.2 mask 255.255.255.255
  action permit
 rule name sec_policy_4
  source-zone untrust
  destination-zone local
  source-address 2.2.2.2 mask 255.255.255.255
  destination-address 4.4.4.4 mask 255.255.255.255
  action permit
Parent Topic: IPSec
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >