
Web: Example for Configuring Multiple Virtual Systems to Establish IPSec VPN Tunnels with the Peer Gateway Using the Same Public IP Addresses

This example describes how to configure virtual systems to establish IPSec VPN tunnels with the peer gateway using the same public IP address in the root system.

Networking Requirements

As shown in Figure 1, FW_A has only one public IP address, and multiple virtual systems use this IP address to establish IPSec VPN tunnels with their peer gateways. IPSec policies are configured in the root system and applied to the WAN interface of the root system, so that the traffic of each virtual system is protected and the virtual system network and the peer network can access each other securely.

Figure 1 Networking for configuring multiple virtual systems to establish IPSec VPN tunnels with the peer gateway using the same public IP address

Data Planning

Item: FW_A, public
  • WAN interface: GE0/0/1
  • IP address of the WAN interface: 1.1.1.1/24
  • Security zone of the WAN interface: Untrust
  • LAN interface: virtual interface Virtual-if0 in public
  • Security zone of the LAN interface: Trust
  • IPSec configuration:
    • Local ID type: IP address
    • Local ID: 1.1.1.1
    • Peer ID type: any
    • Peer ID:
      • vsysa: 3.3.3.3
      • vsysb: 4.4.4.4
    • Authentication mode: pre-shared key
    • Key type: multi-key
    • Pre-shared key:
      • vsysa: Admin@123
      • vsysb: Admin@123

Item: FW_A, vsysa
  • WAN interface: virtual interface Virtual-if1 in vsysa
  • Security zone of the WAN interface: Untrust
  • LAN interface: GE0/0/2
  • IP address of the LAN interface: 10.1.0.1/24
  • IP address range of the LAN interface: 10.1.0.0/24
  • Security zone of the LAN interface: Trust

Item: FW_A, vsysb
  • WAN interface: virtual interface Virtual-if2 in vsysb
  • Security zone of the WAN interface: Untrust
  • LAN interface: GE0/0/4
  • IP address of the LAN interface: 10.2.0.1/24
  • IP address range of the LAN interface: 10.2.0.0/24
  • Security zone of the LAN interface: Trust

Item: FW_B
  • Interface: GE0/0/1
    • IP address: 3.3.3.3/24
    • Security zone of the interface: Untrust
  • Interface: GE0/0/2
    • IP address: 10.3.0.1/24
    • IP address range of the LAN interface: 10.3.0.0/24
    • Security zone of the interface: Trust
  • IPSec configuration:
    • Peer IP address: 1.1.1.1/24
    • Authentication mode: pre-shared key
    • Pre-shared key: Admin@123
    • Local ID: IP address
    • Peer ID: any

Item: FW_C
  • Interface: GE0/0/1
    • IP address: 4.4.4.4/24
    • Security zone of the interface: Untrust
  • Interface: GE0/0/2
    • IP address: 10.4.0.1/24
    • IP address range of the LAN interface: 10.4.0.0/24
    • Security zone of the interface: Trust
  • IPSec configuration:
    • Peer IP address: 2.2.2.2/24
    • Authentication mode: pre-shared key
    • Pre-shared key: Admin@123
    • Local ID: IP address
    • Peer ID: any

Configuration Roadmap

The configuration roadmap is the same in vsysa and vsysb, and on FW_B and FW_C. This section uses vsysa and FW_B as examples to describe how to configure virtual systems to establish IPSec VPN tunnels with the peer gateway using the same public IP address. For configurations of vsysb and FW_C, see those of vsysa and FW_B.

  • For FW_A:

    1. In the root system, create virtual system vsysa and allocate resources to it.
    2. Complete basic configurations of interfaces, routes, and security policies in the root system.
    3. Complete basic configurations of interfaces, routes, and security policies in vsysa.
    4. Configure IPSec policies in the root system and bind them to vsysa.
  • For FW_B:

    1. Complete basic interface configurations.
    2. Configure security policies to allow specific subnets to communicate.
    3. Configure a route to the peer virtual system.
    4. Configure IPSec policies, including basic IPSec policy information, data flow to be protected by IPSec, and negotiation parameters of security proposals.

Procedure

  • Configure FW_A.
    1. Choose Dashboard from the main menu. In the Device Information pane, click Configure following the Virtual System option to enable the virtual system function.

    2. Configure the virtual system resource class.

      1. Choose System > Virtual System > Resource Class.

      2. Click Add. In the displayed dialog box, create resource class r1 for vsysa and set the reserved number and maximum number of IPSec tunnels, as shown in the following figure.

        The reserved number of IPSec tunnels configured for a virtual system cannot be greater than the maximum number of IPSec tunnels.

    3. In the root system, create virtual system vsysa and allocate resources to it.

      1. Choose System > Virtual System > Virtual System.

      2. Click Add. In the displayed dialog box, click the Basic Settings tab. Complete virtual system configurations, as shown in the following figure.

      3. Click the Interface Settings tab. Click Add and assign interfaces to the virtual system, as shown in the following figure.

      4. Click OK.

    4. In the root system, set IP addresses for the interfaces and assign the interfaces to security zones. The IP address of Virtual-if0 can be any value as long as it does not conflict with the IP address of any other interface.

      1. Choose Network > Interface.
      2. Click Edit following GE0/0/1. In the displayed dialog box, set the IP address and security zone, as shown in the following figure.

      3. Click Edit following Virtual-if0. In the displayed dialog box, set the IP address and security zone, as shown in the following figure.

    5. Configure routes in the root system. Assume that the next-hop IP address of the route from FW_A to the Internet is 1.1.1.2.

      1. Choose Network > Route > Static Route.
      2. Click Add. In the displayed dialog box, add a default route to the Internet, as shown in the following figure.

      3. If users in the root system need to access hosts in vsysa, you must click Add to configure a static route from the root system to vsysa.

        Packets sent from the peer through the IPSec tunnel are decapsulated and forwarded to the corresponding virtual system based on a flow table lookup. The static route configured here is therefore not used for reverse packet forwarding during IPSec communication.

    6. Configure security policies in the root system.

      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add and select Add Security Policy. In the displayed dialog box, configure security policies as follows.

        # Configure a security policy from the Trust zone to the Untrust zone, allowing intranet users to access the Internet.

        Virtual system administrators can configure stricter security policies based on the IP addresses of intranet employees. Therefore, the root system administrator does not need to specify the IP address range.

        # Configure a security policy from the Local zone to the Untrust zone.

        # Configure a security policy from the Untrust zone to the Local zone.

        The local-untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

    7. Configure interfaces in vsysa.

      1. Select vsysa from the Virtual System drop-down list in the upper right corner to access vsysa.

      2. Choose Network > Interface.
      3. Click Edit following GE0/0/2. In the displayed dialog box, set the IP address and security zone, as shown in the following figure.

      4. Click Edit following Virtual-if1. In the displayed dialog box, set the IP address and security zone, as shown in the following figure.

    8. Configure security policies in vsysa.

      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add and select Add Security Policy. In the displayed dialog box, configure security policies as follows.

        # Configure a security policy from the Trust zone to the Untrust zone.

        # Configure a security policy from the Untrust zone to the Trust zone.

    9. Configure IPSec policies in the root system.

      1. Select public from the Virtual System drop-down list in the upper right corner to access the root system.

      2. Choose Network > IPSec > IPSec. Click Add, set Scenario to Site-to-multisite, and set Peer Type to Branch gateway.

      3. Configure basic IPSec policy information. Set Authentication Type to Pre-Shared Key and Key Type to Different.

      4. Click Add in IKE User Information List. In the displayed dialog box, add information about an IKE user and set the pre-shared key to Admin@123.

        The traffic protected by the template-based IPSec tunnel configured on the local end involves multiple virtual systems. Therefore, you do not need to configure the data flow to be encrypted when configuring IPSec policies in the root system. The data flow to be encrypted is determined by the negotiation with the peer end.

      5. Select Reverse Route Injection below Data Flow to Encrypt to enable this function. If Reverse Route Injection is selected, the device automatically installs routes pointing to the peer network.

      6. Configure the security proposal.

        Use the default parameters. To modify a parameter, click Advanced in IKE/IPSec Proposal. Security proposal configurations used on both ends of a tunnel must be the same.

      7. Click Apply to complete the configurations of FW_A.

  • Configure FW_B.
    1. Set interface IP addresses and assign the interfaces to security zones on FW_B.

      1. Choose Network > Interface.
      2. Click Edit following GE0/0/1 and GE0/0/2. In the displayed dialog box, complete basic interface configurations, as shown in the following figure.

    2. Configure security policies on FW_B to allow specific subnets to communicate.

      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add and select Add Security Policy. In the displayed dialog box, configure security policies as follows.

        # Configure a security policy from the Trust zone to the Untrust zone.

        # Configure a security policy from the Untrust zone to the Trust zone.

        # Configure a security policy from the Local zone to the Untrust zone.

        # Configure a security policy from the Untrust zone to the Local zone.

        The local-untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

    3. Configure routes on FW_B. Assume that the next-hop IP address of the route from FW_B to the Internet is 3.3.3.4.

      1. Choose Network > Route > Static Route.

      2. Click Add. In the displayed dialog box, add a default route to the Internet, as shown in the following figure.

      3. Click Add. In the displayed dialog box, add a static route to the network behind the peer virtual system vsysa, as shown in the following figure.

    4. Configure IPSec policies on FW_B.

      1. Choose Network > IPSec > IPSec. Click Add and set Scenario to Site-to-site.

      2. Configure the basic IPSec policy information, specify the remote gateway, and set the pre-shared key to Admin@123.

      3. In Data Flow to Encrypt, click Add to add a data flow as follows.

      4. Configure the security proposal.

        Use the default parameters. To modify a parameter, click Advanced in IKE/IPSec Proposal. Security proposal configurations used on both ends of a tunnel must be the same.

      5. Click Apply.
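The note on the local-untrust interzone policy applies to FW_A and FW_B alike. The following added Python model (not the device's own policy engine) evaluates the page's address-only untrust-to-local rule on FW_A beside a version restricted to the known peers and to the IKE/ESP services the note lists, against constructed sample flows; the first-match, final-deny behaviour, the flow tuple layout and the 203.0.113.9 source are assumptions made here.

```python
import ipaddress

# Flow tuple: (src_zone, dst_zone, src_ip, dst_ip, protocol, dst_port). Constructed samples.
IKE_FROM_FW_B = ("untrust", "local", "3.3.3.3", "1.1.1.1", "udp", 500)
NAT_T_FROM_FW_C = ("untrust", "local", "4.4.4.4", "1.1.1.1", "udp", 4500)
ESP_FROM_FW_B = ("untrust", "local", "3.3.3.3", "1.1.1.1", "esp", None)
SSH_FROM_INTERNET = ("untrust", "local", "203.0.113.9", "1.1.1.1", "tcp", 22)

# The page's untrust->local rule on FW_A: only the destination address is matched.
ADDRESS_ONLY = [
    {"name": "sec_policy_2", "src_zone": "untrust", "dst_zone": "local",
     "dst": ["1.1.1.1/32"], "action": "permit"},
]
# The same rule restricted to the two peers and to the IKE/ESP services.
PEER_AND_SERVICE = [
    {"name": "sec_policy_2", "src_zone": "untrust", "dst_zone": "local",
     "src": ["3.3.3.3/32", "4.4.4.4/32"], "dst": ["1.1.1.1/32"],
     "service": [("udp", 500), ("udp", 4500), ("esp", None)], "action": "permit"},
]


def _addr_match(nets, ip):
    """An absent address condition matches any address."""
    return not nets or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


def _service_match(services, proto, port):
    """An absent service condition matches any protocol; a None port matches any port."""
    return not services or any(p == proto and (d is None or d == port) for p, d in services)


def evaluate(rules, flow):
    """First-match evaluation with an implicit final deny (assumed here);
    returns (action, rule name)."""
    src_zone, dst_zone, src, dst, proto, port = flow
    for r in rules:
        if (r["src_zone"] == src_zone and r["dst_zone"] == dst_zone
                and _addr_match(r.get("src"), src) and _addr_match(r.get("dst"), dst)
                and _service_match(r.get("service"), proto, port)):
            return r["action"], r["name"]
    return "deny", "default"


if __name__ == "__main__":
    for flow in (IKE_FROM_FW_B, NAT_T_FROM_FW_C, ESP_FROM_FW_B, SSH_FROM_INTERNET):
        print(flow[2:], "address-only:", evaluate(ADDRESS_ONLY, flow),
              "peer+service:", evaluate(PEER_AND_SERVICE, flow))
```

The address-only rule admits any service from any source to the WAN address, while the restricted rule still passes IKE, NAT-T and ESP from the two configured peers.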
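Both the FW_A and FW_B procedures state that the security proposals on the two ends of a tunnel must be the same, and FW_A accepts a branch only through its IKE user table. As an added example (not part of the original page or of the product), the following Python script parses trimmed copies of the FW_A root-system and FW_B scripts from Configuration Scripts and checks both conditions offline; the block-parsing rule (a header keyed by its text minus the trailing name or number) is a simplification assumed here for the proposal, user-table and peer blocks only.

```python
import re

# Trimmed from the page's FW_A (root system) and FW_B scripts; constructed input.
FW_A = """\
ike proposal 1
 encryption-algorithm aes-256
 dh group2
ipsec proposal prop28121938566
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike user-table 1
 user vsysa
  id-type any 3.3.3.3
 user vsysb
  id-type any 4.4.4.4
ike peer ike281219385666
 local-id 1.1.1.1
"""
FW_B = """\
ike proposal 1
 encryption-algorithm aes-256
 dh group2
ipsec proposal prop24121543361
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ike peer ike241215433617
 remote-id 1.1.1.1
 local-id 3.3.3.3
"""

def parse_blocks(text):
    """Map each block header, minus its trailing name or number, to its indented lines."""
    blocks, key = {}, None
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):  # skip blanks and '#' separators
            if line.startswith(" "):
                blocks[key].append(line.rstrip())
            else:
                key = line.strip().rpartition(" ")[0]
                blocks[key] = []
    return blocks

def params(body):  # 'esp encryption-algorithm aes-256' -> {'esp encryption-algorithm': 'aes-256'}
    return dict(line.strip().rpartition(" ")[::2] for line in body)

def check_tunnel(hub, branch):
    """Return a list of findings for one hub/branch pair; an empty list means consistent."""
    a, b, findings = parse_blocks(hub), parse_blocks(branch), []
    for kind in ("ike proposal", "ipsec proposal"):  # must be identical on both ends
        pa, pb = params(a[kind]), params(b[kind])
        findings += [f"{kind}: {k} is {pa.get(k)} on hub, {pb.get(k)} on branch"
                     for k in sorted(set(pa) | set(pb)) if pa.get(k) != pb.get(k)]
    # The hub accepts a branch only if the branch's ID is listed in the IKE user table.
    accepted = set(re.findall(r"^\s+id-type \S+ (\S+)$", "\n".join(a["ike user-table"]), re.M))
    hub_peer, br_peer = params(a["ike peer"]), params(b["ike peer"])
    if br_peer.get("local-id") not in accepted:
        findings.append(f"branch local-id {br_peer.get('local-id')} has no user-table entry")
    if br_peer.get("remote-id") != hub_peer.get("local-id"):
        findings.append("branch remote-id does not match the hub local-id")
    return findings
```

Running check_tunnel(FW_A, FW_B) returns an empty list for the page's values; a branch whose DH group or IDs differ is reported by name.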

Verification

  1. Access a host or server on network C from a host on network A. The access succeeds.
  2. In the root system on FW_A, choose Network > IPSec > Monitor to display the established tunnels.

  3. On FW_B, choose Network > IPSec > Monitor to display the established tunnels.

Configuration Scripts

The configuration script of the root system on FW_A:

#
sysname FW_A
#
vsys enable 
#
resource-class r1
 resource-item-limit ipsec-tunnel reserved-number 10 maximum 500 
#
vsys name vsysa 1
 assign interface GigabitEthernet0/0/2
 assign resource-class r1
#
vsys name vsysb 2
 assign interface GigabitEthernet0/0/3
 assign resource-class r1
#
ipsec proposal prop28121938566
 encapsulation-mode auto
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal 1
 encryption-algorithm aes-256 
 dh group2 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
ike user-table 1
 user vsysa
  id-type any 3.3.3.3
  pre-shared-key %^%#V}9n%q.+sR7c'lP8K~+E4k=dT%&\bM,4rj=i%<*%^%#
  vpn-instance-traffic name vsysa
 user vsysb
  id-type any 4.4.4.4
  pre-shared-key %^%#V}9n%q.+sR7c'lP8K~+E4k=dT%&\bM,4rj=i%<*%^%#
  vpn-instance-traffic name vsysb
#
ike peer ike281219385666
 exchange-mode auto
 ike-proposal 1
 local-id 1.1.1.1
 user-table 1
#
ipsec policy-template tpl281219385666 1
 ike-peer ike281219385666
 proposal prop28121938566
 route inject dynamic
 alias ipsec_policy_1
 sa duration traffic-based 5242880
 sa duration time-based 3600
#
ipsec policy ipsec2812193856 10000 isakmp template tpl281219385666
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
 ipsec policy ipsec2812193856
#
interface GigabitEthernet0/0/2
 ip binding vpn-instance vsysa
 ip address 10.1.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip binding vpn-instance vsysb
 ip address 10.2.0.1 255.255.255.0
#
interface Virtual-if0
 ip address 172.16.0.1 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.1 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface Virtual-if0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
security-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  action permit
 rule name sec_policy_1
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 mask 255.255.255.255
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.1 mask 255.255.255.255
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
ip route-static 10.1.0.0 255.255.255.0 vpn-instance vsysa
ip route-static 10.2.0.0 255.255.255.0 vpn-instance vsysb

The configuration script of vsysa on FW_A:

#
switch vsys vsysa 
#
interface GigabitEthernet0/0/2
 ip binding vpn-instance vsysa
 ip address 10.1.0.1 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface Virtual-if1
#
security-policy
 rule name sec_policy_1
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.255.0
  destination-address 10.3.0.0 mask 255.255.255.0
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone trust
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.1.0.0 mask 255.255.255.0
  action permit
#
return

The configuration script of vsysb on FW_A:

#
switch vsys vsysb 
#
interface GigabitEthernet0/0/3
 ip binding vpn-instance vsysb
 ip address 10.2.0.1 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface Virtual-if2
#
security-policy
 rule name sec_policy_1
  source-zone trust
  destination-zone untrust
  source-address 10.2.0.0 mask 255.255.255.0
  destination-address 10.4.0.0 mask 255.255.255.0
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone trust
  source-address 10.4.0.0 mask 255.255.255.0
  destination-address 10.2.0.0 mask 255.255.255.0
  action permit
#
return

The configuration script on FW_B:

#
sysname FW_B
#
acl number 3000
 rule 5 permit ip source 10.3.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255 
#
ipsec proposal prop24121543361
 encapsulation-mode auto
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal 1
 encryption-algorithm aes-256 
 dh group2 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
ike peer ike241215433617
 exchange-mode auto
 pre-shared-key %^%#@ama1^ws3/PX+B.f~tnNDy(q~gjoR%dmP6.\U#5~%^%#
 ike-proposal 1
 remote-id-type ip
 remote-id 1.1.1.1
 local-id 3.3.3.3
 remote-address 1.1.1.1 
#
ipsec policy ipsec2412154336 1 isakmp
 security acl 3000
 ike-peer ike241215433617
 proposal prop24121543361
 tunnel local applied-interface
 alias ipsec_policy_1 
 sa trigger-mode auto
 sa duration traffic-based 5242880
 sa duration time-based 3600
#
interface GigabitEthernet0/0/1
 ip address 3.3.3.3 255.255.255.0
 ipsec policy ipsec2412154336
#
interface GigabitEthernet0/0/2
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 3.3.3.4
ip route-static 10.1.0.0 255.255.255.0 3.3.3.4
#
security-policy
 rule name sec_policy_1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.1.0.0 mask 255.255.255.0
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone trust
  source-address 10.1.0.0 mask 255.255.255.0
  destination-address 10.3.0.0 mask 255.255.255.0
  action permit
 rule name sec_policy_3
  source-zone local
  destination-zone untrust
  source-address 3.3.3.3 mask 255.255.255.255
  destination-address 1.1.1.1 mask 255.255.255.255
  action permit
 rule name sec_policy_4
  source-zone untrust
  destination-zone local
  source-address 1.1.1.1 mask 255.255.255.255
  destination-address 3.3.3.3 mask 255.255.255.255
  action permit

The configuration script on FW_C:

#
sysname FW_C
#
acl number 3000
 rule 5 permit ip source 10.4.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255 
#
ipsec proposal prop24121543361
 encapsulation-mode auto
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal 1
 encryption-algorithm aes-256 
 dh group2 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
ike peer ike241215433617
 exchange-mode auto
 pre-shared-key %^%#@ama1^ws3/PX+B.f~tnNDy(q~gjoR%dmP6.\U#5~%^%#
 ike-proposal 1
 remote-id-type ip
 remote-id 2.2.2.2
 local-id 4.4.4.4
 remote-address 2.2.2.2
#
ipsec policy ipsec2412154336 1 isakmp
 security acl 3000
 ike-peer ike241215433617
 proposal prop24121543361
 tunnel local applied-interface
 alias ipsec_policy_1 
 sa trigger-mode auto
 sa duration traffic-based 5242880
 sa duration time-based 3600
#
interface GigabitEthernet0/0/1
 ip address 4.4.4.4 255.255.255.0
 ipsec policy ipsec2412154336
#
interface GigabitEthernet0/0/2
 ip address 10.4.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 4.4.4.5
ip route-static 10.2.0.0 255.255.255.0 4.4.4.5
#
security-policy
 rule name sec_policy_1
  source-zone trust
  destination-zone untrust
  source-address 10.4.0.0 mask 255.255.255.0
  destination-address 10.2.0.0 mask 255.255.255.0
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone trust
  source-address 10.2.0.0 mask 255.255.255.0
  destination-address 10.4.0.0 mask 255.255.255.0
  action permit
 rule name sec_policy_3
  source-zone local
  destination-zone untrust
  source-address 4.4.4.4 mask 255.255.255.255
  destination-address 2.2.2.2 mask 255.255.255.255
  action permit
 rule name sec_policy_4
  source-zone untrust
  destination-zone local
  source-address 2.2.2.2 mask 255.255.255.255
  destination-address 4.4.4.4 mask 255.255.255.255
  action permit
Copyright © Huawei Technologies Co., Ltd.