
Defining Data Flows to Be Protected

Context

ACL Keyword Usage

Each ACL rule is a deny or permit clause. In IPSec applications, a permit clause identifies a data flow protected by IPSec, and a deny clause identifies a data flow that is not protected by IPSec. An ACL can contain multiple rules. A packet is processed according to the first rule that it matches.

  • In the outbound direction of an SA

    If a packet matches a permit clause, IPSec encapsulates and sends the packet. If a packet matches a deny clause or matches no rule at all, IPSec forwards the packet without protection. A matched permit clause indicates that the data flow needs protection, and a pair of SAs is created for it.

  • In the inbound direction of an SA

    Packets protected by IPSec are decrypted, and packets not protected by IPSec are forwarded as they are.

    If the optional IPSec check (see (Optional) Configuring IPSec Check) is enabled, the device re-checks whether the IP header of the decrypted packet falls within the range defined by the ACL. If the decrypted packet matches a permit clause, the device continues to process it; if it does not match a permit clause, the device discards it.

Precautions

  • The protocols defined in the ACLs on both ends of the IPSec tunnel must be the same. For example, if the protocol on one end is IP, the protocol must also be IP on the other end.

  • When ACL rules at both ends of an IPSec tunnel mirror each other, SAs can be set up successfully no matter which party initiates negotiation. If ACL rules at both ends of an IPSec tunnel do not mirror each other, SAs can be set up successfully only when the range specified by ACL rules on the initiator is included in the range specified by ACL rules on the responder or the two ranges have overlapping ACL rules. It is recommended that ACL rules at both ends of an IPSec tunnel mirror each other. That is, the source and destination addresses of an ACL rule at one end are the destination and source addresses of an ACL rule at the other end. The IKEv1 and IKEv2 configurations are as follows:
    • For IKEv1, mirroring is not necessary. SAs can be set up successfully as long as the range specified by ACL rules configured on the initiator is included in that of the responder. The devices use overlapping ACL rules as the negotiation result. However, IKEv1 does not support the matching of the port number range in ACL rules. Only the start port number in the port number range is used for IPSec tunnel negotiation.
    • For IKEv2, mirroring is not necessary. SAs can be set up successfully as long as the ranges specified by ACL rules configured on the initiator and responder have overlapping ACL rules. The devices use overlapping ACL rules as the negotiation result.

      When address-set is specified in ACL rules:
      • If the IPsec tunnel is triggered by traffic, ensure that the address sets referenced by the ACL rules that match the traffic on the initiator and responder overlap. Otherwise, the IPsec tunnel fails to be established.

      • If the IPsec tunnel is automatically triggered, ensure that the address sets referenced by each ACL rule of the initiator and responder overlap. Otherwise, the IPsec tunnel fails to be established.

  • Avoid overlapped address segments in ACL rules. Rules with overlapped address segments may affect each other, causing data flow mismatch or IPSec tunnel flapping.

  • The ACL referenced in an IPSec policy group cannot contain rules of the same ID.

  • ACL rules referenced in all IPSec policies of an IPSec policy group cannot overlap. In the following example, ACL 3001 and ACL 3002 overlap.

    acl number 3001
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    
    acl number 3002
     rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
    
  • When the responder uses an IPSec policy template, note the following points:

    If data flows to be protected are not specified, the responder accepts the range of data flows to be protected on the initiator. If data flows to be protected are specified, the ACL on the responder must mirror the ACL on the initiator or the range specified by the ACL on the responder must cover the range specified by the ACL on the initiator.

  • If NAT is configured on an interface to which an IPSec policy is applied, IPSec may not take effect because NAT is performed first. You can use the following methods:

    • In the ACL referenced by NAT, add a deny clause whose destination IP address is the destination IP address of the ACL rule referenced by IPSec. Data flows protected by IPSec are then not translated by NAT.

    • Configure the ACL rule referenced by NAT to match the IP address translated by NAT.

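The precautions above describe three checks that are easy to get wrong by hand: first-match classification of a packet against the ACL, overlap between the permit ranges of two ACLs in one policy group, and whether a responder's ACL mirrors or covers the initiator's range. The following Python script is an added illustration of those checks (it is not part of this documentation or of Huawei's software); it parses rules in the syntax shown above and assumes contiguous wildcards and rules with explicit source and destination addresses rather than address sets or `any`.

```python
import ipaddress
import re

# Matches Huawei advanced ACL rules with explicit wildcards (address-set and 'any' are out of scope).
RULE_RE = re.compile(
    r"rule(?:\s+\d+)?\s+(?P<action>permit|deny)\s+\S+"
    r"\s+source\s+(?P<src>\S+)\s+(?P<swc>\S+)"
    r"\s+destination\s+(?P<dst>\S+)\s+(?P<dwc>\S+)"
)

def wildcard_to_network(addr, wildcard):
    # Wildcard '0' or '0.0.0.0' means one host; assumes a contiguous (inverted-netmask) wildcard.
    wc = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(~wc & 0xFFFFFFFF))), strict=False)

def parse_acl(text):
    # Rules are kept in order as (action, source_net, destination_net).
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append((m["action"], wildcard_to_network(m["src"], m["swc"]),
                          wildcard_to_network(m["dst"], m["dwc"])))
    return rules

def classify(rules, src_ip, dst_ip):
    # First match wins: 'permit' = protect with IPSec; 'deny' or no match (None) = forward in clear.
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in rules:
        if s in src and d in dst:
            return action
    return None

def permit_flows(rules):
    return [(src, dst) for action, src, dst in rules if action == "permit"]

def acls_overlap(rules_a, rules_b):
    # True if a protected flow of one ACL intersects a protected flow of the other,
    # the condition the precaution above says must not occur within a policy group.
    return any(sa.overlaps(sb) and da.overlaps(db)
               for sa, da in permit_flows(rules_a) for sb, db in permit_flows(rules_b))

def responder_covers(initiator, responder):
    # IKEv1 condition: each initiator flow lies inside a mirrored responder flow
    # (responder source covers initiator destination, and vice versa).
    return all(any(rs.supernet_of(idst) and rd.supernet_of(isrc)
                   for rs, rd in permit_flows(responder))
               for isrc, idst in permit_flows(initiator))

# Constructed samples from the rules above: overlapping ACLs 3001/3002 and the mirrored A/B pair.
ACL_3001 = "rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"
ACL_3002 = "rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255"
GW_A = "rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255"
GW_B = "rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"
```

The same functions can be run over the hub-spoke ACLs later on this page to confirm that each branch's flows are covered by the headquarters ACL.
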
Procedure

  1. Run system-view

    The system view is displayed.

  2. Select the ACL according to the actual requirements.
    • Run acl [ number ] acl-number [ vpn-instance vpn-instance-name ]

      An advanced ACL is created and the advanced ACL view is displayed. acl-number ranges from 3000 to 3999.

      According to the actual requirements, choose one of the following configurations.

      • Run the rule [ rule-id ] { deny | permit } ip [ destination { destination-address destination-wildcard | any | address-set address-set-name } | source { source-address source-wildcard | any | address-set address-set-name } | dscp dscp ] * command to configure a rule to match the IP protocol.
      • Run the rule [ rule-id ] { deny | permit } tcp [ destination { destination-address destination-wildcard | any } | destination-port eq port | source { source-address source-wildcard | any } | source-port eq port | dscp dscp ] * command to configure a rule to match the TCP protocol.
      • Run the rule [ rule-id ] { deny | permit } udp [ destination { destination-address destination-wildcard | any } | destination-port eq port | source { source-address source-wildcard | any } | source-port eq port | dscp dscp ] * command to configure a rule to match the UDP protocol.
      • Run the rule [ rule-id ] { deny | permit } gre [ destination { destination-address destination-wildcard | any | address-set address-set-name } | source { source-address source-wildcard | any | address-set address-set-name } | dscp dscp | precedence precedence | tos tos | time-range time-name | logging ] * command to configure a rule to match the GRE protocol.

      Only IKEv2 supports the address-set parameter, and the address set contains at most 15 IP addresses.

    • Run acl ipv6 [ number ] acl-number [ vpn-instance vpn-instance-name ]

      An advanced IPv6 ACL is created and the advanced IPv6 ACL view is displayed. acl-number ranges from 3000 to 3999.

      According to the actual requirements, choose one of the following configurations.

      • Run the rule [ rule-id ] { deny | permit } ipv6 [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | logging ] * command to configure a rule to match the IP protocol.
      • Run the rule [ rule-id ] { deny | permit } tcp [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port [ port2 ] | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port operator port [ port2 ] | time-range time-name | logging ] * command to configure a rule to match the TCP protocol.
      • Run the rule [ rule-id ] { deny | permit } udp [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port [ port2 ] | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port operator port [ port2 ] | time-range time-name | logging ] * command to configure a rule to match the UDP protocol.
      • Run the rule [ rule-id ] { deny | permit } gre [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | logging ] * command to configure a rule to match the GRE protocol.

Configuration Guidelines

The configurations of rules vary in different scenarios. For details, see the following examples:

If IPSec references an ACL created in a virtual system, create a virtual system, enter the virtual system, and then create an ACL.

The following describes how to create ACL 3001 in a virtual system.

[sysname] vsys enable
[sysname] vsys name vsa
[sysname-vsys-vsa] quit
[sysname] switch vsys vsa
<sysname-vsa> system-view
[sysname-vsa] acl 3001
[sysname-vsa-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255

Site-to-Site IPSec VPN

A site-to-site IPSec tunnel is set up between gateway A and gateway B. Gateway A protects subnet 10.1.1.0/24 and gateway B protects subnet 192.168.196.0/24.

Configurations on gateway A:

[sysname] acl 3001       
[sysname-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255          

Configurations on gateway B:

[sysname] acl 3001       
[sysname-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

If multiple data flows on each gateway need IPSec protection, the ACL configurations are as follows:

Configurations on gateway A:

[sysname] ip address-set sou1 type object
[sysname-object-address-set-sou1] address 0 10.1.1.0 mask 24
[sysname-object-address-set-sou1] address 1 10.2.1.0 mask 24
[sysname-object-address-set-sou1] address 2 10.3.1.0 mask 24
[sysname-object-address-set-sou1] quit
[sysname] ip address-set den1 type object
[sysname-object-address-set-den1] address 0 192.168.106.0 mask 24
[sysname-object-address-set-den1] address 1 192.168.136.0 mask 24
[sysname-object-address-set-den1] address 2 192.168.196.0 mask 24
[sysname-object-address-set-den1] quit
[sysname] acl 3001       
[sysname-acl-adv-3001] rule permit ip source address-set sou1 destination address-set den1

Configurations on gateway B:

[sysname] ip address-set sou1 type object
[sysname-object-address-set-sou1] address 0 192.168.106.0 mask 24
[sysname-object-address-set-sou1] address 1 192.168.136.0 mask 24
[sysname-object-address-set-sou1] address 2 192.168.196.0 mask 24
[sysname-object-address-set-sou1] quit
[sysname] ip address-set den1 type object
[sysname-object-address-set-den1] address 0 10.1.1.0 mask 24
[sysname-object-address-set-den1] address 1 10.2.1.0 mask 24
[sysname-object-address-set-den1] address 2 10.3.1.0 mask 24
[sysname-object-address-set-den1] quit
[sysname] acl 3001       
[sysname-acl-adv-3001] rule permit ip source address-set sou1 destination address-set den1

Hub-Spoke IPSec VPN

Hub-Spoke IPSec tunnels are set up between the headquarters and branches. The headquarters resides at subnet 192.168.196.0/24; branch A resides at subnet 10.1.1.0/24; branch B resides at subnet 10.1.2.0/24.

  • To allow the communication between branches and the headquarters but forbid the communication between branches, configure the ACL for the branch network in the same way as in the site-to-site IPSec VPN. Note that the destination address of the ACL at the headquarters must include all branch subnets.

    The ACL at the headquarters is configured as follows:

    [sysname] acl number 3001
    [sysname-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [sysname-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [sysname-acl-adv-3001] quit
  • To allow the communication between branches and the headquarters, and between branches through the headquarters, set the source address of the ACL at the headquarters to all subnets of the headquarters and branches. Set the destination address to all branch subnets. The source addresses of the ACLs at the branch offices remain, but the destination addresses must be the subnets of the headquarters and all other branches.

    The ACL at the headquarters is configured as follows:

    [sysname] acl number 3001
    [sysname-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [sysname-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [sysname-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [sysname-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [sysname-acl-adv-3001] quit

    The ACL at branch A is configured as follows:

    [sysname] acl number 3001
    [sysname-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [sysname-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255
    [sysname-acl-adv-3001] quit

    The ACL at branch B is configured as follows:

    [sysname] acl number 3001
    [sysname-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [sysname-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 192.168.196.0 0.0.0.255
    [sysname-acl-adv-3001] quit

IPSec Gateway with NAT Configured

  • If endpoint A uses NAT only for Internet access and not for IPSec traffic, you must exclude the IPSec traffic from NAT.

    Endpoint A protects network 10.1.1.0/24 and endpoint B protects network 192.168.196.0/24. The ACL and NAT configurations on endpoint A are as follows:

    # Define the data flow to be protected.

    [sysname] acl 3001       
    [sysname-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255          
    [sysname-acl-adv-3001] quit
    # Exclude the networks connected by the IPSec tunnel from the NAT policy.
    [sysname] nat-policy
    [sysname-policy-nat] rule name no_nat 
    [sysname-policy-nat-rule-no_nat] source-zone trust
    [sysname-policy-nat-rule-no_nat] destination-zone untrust 
    [sysname-policy-nat-rule-no_nat] source-address 10.1.1.0 24 
    [sysname-policy-nat-rule-no_nat] destination-address 192.168.196.0 24 
    [sysname-policy-nat-rule-no_nat] action no-nat 
    [sysname-policy-nat-rule-no_nat] quit
    [sysname-policy-nat] rule name easy_ip
    [sysname-policy-nat-rule-easy_ip] source-zone trust 
    [sysname-policy-nat-rule-easy_ip] egress-interface GigabitEthernet 0/0/1 
    [sysname-policy-nat-rule-easy_ip] action source-nat easy-ip 
    [sysname-policy-nat-rule-easy_ip] quit
    [sysname-policy-nat] quit 

    Configurations on endpoint B:

    [sysname] acl 3001 
    [sysname-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
  • If the two networks overlap, endpoint A performs NAT for all traffic and then performs IPSec.

    If the networks protected by endpoints A and B are both 10.1.1.0/24, and endpoint A translates its private addresses to 10.1.2.1, the configurations on endpoints A and B are as follows:

    On endpoint A:

    [sysname] acl 3001       
    [sysname-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [sysname-acl-adv-3001] quit

    On endpoint B:

    [sysname] acl 3001       
    [sysname-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [sysname-acl-adv-3001] quit

L2TP over IPSec

In a scenario where L2TP over IPSec is deployed, IPSec protects data flows that are encapsulated through L2TP, that is, data flows sent from the LAC to the LNS or from the LNS to the LAC.

  • If the LAC uses a fixed IP address, source and destination network segments in ACL rules are addresses of public interfaces (LAC-side outbound interface and LNS-side inbound interface) on devices at both ends. Assume that the IP address of the LAC-side outbound interface is 1.1.1.1/24 and the IP address of the LNS-side inbound interface is 1.2.1.1/24.

    Configuration on the LAC:

    [sysname] acl number 3001
    [sysname-acl-adv-3001] rule permit ip source 1.1.1.1 0 destination 1.2.1.1 0
    [sysname-acl-adv-3001] quit

    Configuration on the LNS:

    [sysname] acl number 3001
    [sysname-acl-adv-3001] rule permit ip source 1.2.1.1 0 destination 1.1.1.1 0
    [sysname-acl-adv-3001] quit

  • If the LAC does not use a fixed IP address, specify UDP port 1701 in an ACL to match L2TP over IPSec data flows. On the LAC, configure destination UDP port 1701.

    Configuration on the LAC:

    [sysname] acl number 3001
    [sysname-acl-adv-3001] rule permit udp destination-port eq 1701
    [sysname-acl-adv-3001] quit

    Configuration on the LNS:

    [sysname] acl number 3001
    [sysname-acl-adv-3001] rule permit udp source-port eq 1701
    [sysname-acl-adv-3001] quit

GRE over IPSec

When a GRE over IPSec tunnel is set up using an ACL, data flows protected by IPSec are encapsulated with the GRE header. The source and destination network segments of an ACL are source and destination addresses of the GRE tunnel, that is, addresses of gateway interfaces at both ends.

Assume that the public addresses on endpoints A and B are 1.1.1.1/24 and 1.2.1.1/24, respectively.

Configuration on endpoint A:

[sysname] acl number 3001
[sysname-acl-adv-3001] rule permit ip source 1.1.1.1 0 destination 1.2.1.1 0
[sysname-acl-adv-3001] quit

Configuration on endpoint B:

[sysname] acl number 3001
[sysname-acl-adv-3001] rule permit ip source 1.2.1.1 0 destination 1.1.1.1 0
[sysname-acl-adv-3001] quit

Copyright © Huawei Technologies Co., Ltd.