
CLI: Example for Configuring IPSec to Allow Mobile Users to Access the Headquarters

Networking Requirements

As shown in Figure 1, the FW connects the headquarters to the Internet. Mobile users use APs to access the headquarters through an IPSec tunnel. The FW negotiates IPSec tunnels with APs in IKEv2 mode. EAP authentication is implemented on APs through the RADIUS server, which allocates IP addresses to the APs. The AP deployment and configuration details are omitted in this example.

Figure 1 Configuring IPSec to allow mobile users to access the headquarters

Data Plan

  • FW
    Interface number: GigabitEthernet 0/0/3
      IP address: 10.1.1.1/24
    Interface number: GigabitEthernet 0/0/1
      IP address: 20.1.1.1/24
    IPSec configuration
      IPSec policy type: policy template
      Pre-shared key: Test!123
      Security protocol: ESP
      ESP authentication algorithm: SHA2-256
      ESP encryption algorithm: AES-128
      Local ID type: IP address
      Peer ID type: any
      IKE version: IKEv2
      IKEv2 authentication method: EAP
    RADIUS configuration
      Shared key: Testforser!12345
      Authentication port: 1812
    Address pool: 10.6.1.1 to 10.6.1.254

  • AP
    IP address: 20.2.2.3/24
    IPSec configuration
      IPSec policy type: ISAKMP IPSec policy
      Pre-shared key: Test!123
      Security protocol: ESP
      ESP authentication algorithm: SHA2-256
      ESP encryption algorithm: AES-128
      Remote IP address: 20.1.1.1
      Local ID type: IP address
      Peer ID type: any
      IKE version: IKEv2
      IKEv2 authentication method: EAP

  • Other configurations
    Configure routes on the AP and RADIUS server to make them reachable to each other.
    Addresses in the address pool cannot be in the same network segment as the headquarters server. To ensure communication between APs and the headquarters, configure a static route on the headquarters server to the network segment of the IP address pool, and specify 10.1.1.1 as the next hop.

Configuration Roadmap

  1. Complete the basic configurations of the FW.
  2. Create an IPSec policy using the template on the FW, because the headquarters server does not actively initiate access requests to the AP.
  3. Configure a RADIUS server template, authentication template, and domain on the FW to perform RADIUS authentication on the access users and allocate IP addresses to the APs.

Procedure

  • Perform basic configurations on the FW, including setting the interface IP addresses, adding interfaces to security zones, and configuring interzone security policies and static routes.
    1. Set the interface IP addresses.

      1. Set the IP address of GigabitEthernet 0/0/3.

        <sysname> system-view
        [sysname] sysname FW
        [FW] interface GigabitEthernet 0/0/3
        [FW-GigabitEthernet0/0/3] ip address 10.1.1.1 24
        [FW-GigabitEthernet0/0/3] quit
      2. Set the IP address of GigabitEthernet 0/0/1.

        [FW] interface GigabitEthernet 0/0/1
        [FW-GigabitEthernet0/0/1] ip address 20.1.1.1 24
        [FW-GigabitEthernet0/0/1] quit

    2. Add interfaces to corresponding security zones.

      1. Add GigabitEthernet 0/0/3 to the Trust zone.

        [FW] firewall zone trust
        [FW-zone-trust] add interface GigabitEthernet 0/0/3
        [FW-zone-trust] quit
      2. Add GigabitEthernet 0/0/1 to the Untrust zone.

        [FW] firewall zone untrust
        [FW-zone-untrust] add interface GigabitEthernet 0/0/1
        [FW-zone-untrust] quit

    3. Configure interzone security policies.

      # Configure the security policies between the Trust and Untrust zones.

      [FW] security-policy
      [FW-policy-security] rule name policy_ipsec_1
      [FW-policy-security-rule-policy_ipsec_1] source-zone trust
      [FW-policy-security-rule-policy_ipsec_1] destination-zone untrust
      [FW-policy-security-rule-policy_ipsec_1] source-address 10.1.1.0 24
      [FW-policy-security-rule-policy_ipsec_1] action permit
      [FW-policy-security-rule-policy_ipsec_1] quit
      [FW-policy-security] rule name policy_ipsec_2
      [FW-policy-security-rule-policy_ipsec_2] source-zone untrust
      [FW-policy-security-rule-policy_ipsec_2] destination-zone trust
      [FW-policy-security-rule-policy_ipsec_2] destination-address 10.1.1.0 24 
      [FW-policy-security-rule-policy_ipsec_2] action permit
      [FW-policy-security-rule-policy_ipsec_2] quit

      # Configure the security policies for the Local-Untrust interzone so that IKE negotiation succeeds and the tunnel can be established.

      The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, the protocol, or the port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition instead, you need to permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

      [FW-policy-security] rule name policy_ipsec_3
      [FW-policy-security-rule-policy_ipsec_3] source-zone local
      [FW-policy-security-rule-policy_ipsec_3] destination-zone untrust
      [FW-policy-security-rule-policy_ipsec_3] source-address 20.1.1.1 32 
      [FW-policy-security-rule-policy_ipsec_3] destination-address 20.2.2.3 32 
      [FW-policy-security-rule-policy_ipsec_3] action permit
      [FW-policy-security-rule-policy_ipsec_3] quit
      [FW-policy-security] rule name policy_ipsec_4
      [FW-policy-security-rule-policy_ipsec_4] source-zone untrust
      [FW-policy-security-rule-policy_ipsec_4] destination-zone local
      [FW-policy-security-rule-policy_ipsec_4] source-address 20.2.2.3 32 
      [FW-policy-security-rule-policy_ipsec_4] destination-address 20.1.1.1 32 
      [FW-policy-security-rule-policy_ipsec_4] action permit
      [FW-policy-security-rule-policy_ipsec_4] quit
      [FW-policy-security] quit

    4. Configure the static routes towards the AP and towards the address pool used by the mobile devices. Assume that the next hop of the routes is 20.1.1.2.

      [FW] ip route-static 10.6.1.0 255.255.255.0 20.1.1.2
      [FW] ip route-static 20.2.2.3 255.255.255.0 20.1.1.2

  • Configure EAP authentication on the FW.
    1. Set an IP address pool.

      [FW] ip pool pool1
      [FW-ip-pool-pool1] section 1 10.6.1.1 10.6.1.254
      [FW-ip-pool-pool1] quit

    2. Configure RADIUS server parameters.

      # Configure a RADIUS server template with the shared key, server IP address, and port number. The IP address is the address of the RADIUS server, and the default authentication port is UDP 1812.

      [FW] radius-server template aaa
      [FW-radius-aaa] radius-server shared-key cipher Testforser!12345 
      [FW-radius-aaa] radius-server authentication 10.1.1.5 1812
      [FW-radius-aaa] quit

      The shared key, server IP address, and port number in the template must be the same as those configured on the RADIUS server.

    3. Configure the authentication scheme. The authentication mode is RADIUS.

      [FW] aaa
      [FW-aaa] authentication-scheme eap
      [FW-aaa-authen-eap] authentication-mode radius
      [FW-aaa-authen-eap] quit

    4. Configure the service scheme used by remote access users.

      [FW] aaa
      [FW-aaa] service-scheme eap
      [FW-aaa-service-eap] ip-pool pool1
      [FW-aaa-service-eap] quit

    5. Configure the authentication domain and apply the RADIUS server template and the authentication scheme to the domain.

      # Create the domain abcd.org that AP users belong to and set its parameters. Note that the parameter settings are stored in the SIM card of the AP, so you must obtain the domain name in advance. The format of the domain name is abcd.mnc001.mcc460.3gppnetwork.org. The address pool in the service scheme is used to allocate IP addresses to the APs.

      The address pool cannot be in the same network segment as the headquarters server. To ensure that the AP can normally access the headquarters server, configure a static route to the network segment of the IP address pool on the headquarters server, and specify 10.1.1.1 as the next hop.

      [FW-aaa] domain abcd.org
      [FW-aaa-domain-abcd.org] service-type internetaccess ike
      [FW-aaa-domain-abcd.org] authentication-scheme eap
      [FW-aaa-domain-abcd.org] radius-server aaa
      [FW-aaa-domain-abcd.org] service-scheme eap
      [FW-aaa-domain-abcd.org] quit
      [FW-aaa] quit

      To implement user name-based policy control on VPN access users, the internetaccess parameter must be specified.

  • Configure IPSec on the FW.
    1. Define the data flow to be protected. The destination IP address in the ACL is an IP address in the address pool defined in the abcd.org domain. In this way, mobile users can access intranet servers through the AP.

      [FW] acl 3003
      [FW-acl-adv-3003] rule 5 permit ip destination 10.6.1.0 0.0.0.255
      [FW-acl-adv-3003] quit

    2. Configure an IPSec proposal. The default parameters do not need to be configured.

      [FW] ipsec proposal ap
      [FW-ipsec-proposal-ap] quit

    3. Configure an IKE proposal. The default parameters do not need to be configured.

      [FW] ike proposal 1
      [FW-ike-proposal-1] dh group14
      [FW-ike-proposal-1] quit

    4. Configure an IKE peer. IKEv2 that supports EAP authentication is used.

      [FW] ike peer ap
      [FW-ike-peer-ap] ike-proposal 1
      [FW-ike-peer-ap] pre-shared-key Test!123
      [FW-ike-peer-ap] service-scheme eap
      [FW-ike-peer-ap] remote-address ip-pool 0 
      [FW-ike-peer-ap] undo version 1
      [FW-ike-peer-ap] quit

    5. Configure IKE dead peer detection (DPD). Set the DPD mode to on-demand and the DPD message sending interval to 10 seconds to detect the tunnel connectivity.

      [FW] ike dpd type on-demand
      [FW] ike dpd retransmit-interval 10

    6. Create an IPSec policy template.

      [FW] ipsec policy-template ap 1
      [FW-ipsec-policy-templet-ap-1] security acl 3003
      [FW-ipsec-policy-templet-ap-1] ike-peer ap
      [FW-ipsec-policy-templet-ap-1] proposal ap
      [FW-ipsec-policy-templet-ap-1] quit

    7. Create an IPSec policy.

      [FW] ipsec policy app 1 isakmp template ap

    8. Apply the IPSec policy to an interface.

      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet0/0/1] ipsec policy app
      [FW-GigabitEthernet0/0/1] quit

  • Configure the AP.

    For the detailed AP configuration, see related AP documents. In this example, the default IPSec configurations of the AP are the same as those of the FW. If the IPSec configurations are different, change them to be the same as those of the FW.

Verification

  1. Mobile users can access the headquarters server through the AP. The AP has obtained an IP address that is within the 10.4.1.1/24-10.4.1.254/24 range.
  2. Run the display ike sa command on the FW to view the established IKE SAs.

    <FW> display ike sa
    IKE SA information :
    ------------------------------------------------------------------------
    Conn-ID   Peer          VPN   Flag(s)   Phase   RemoteType  RemoteID
    ------------------------------------------------------------------------
    8388112   20.2.2.3:500        RD|A      v2:2    IP          20.2.2.3
    8388111   20.2.2.3:500        RD|A      v2:1    IP          20.2.2.3

    Number of IKE SA : 2
    -------------------------------------------------------------------------------

    Flag Description:
    RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
    HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
    M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING
  3. Run the display ipsec sa command on the FW to view the established IPSec SAs.

    <FW> display ipsec sa
    
    ===============================
    Interface: GigabitEthernet0/0/1
    ===============================
    
      -----------------------------
      IPSec policy name: "app"
      Sequence number  : 1
      Acl group        : 3003                                                       
      Acl rule         : 5  
      Mode             : Template
      -----------------------------
        Connection ID     : 41746
        Encapsulation mode: tunnel
        Tunnel local      : 20.1.1.1    
        Tunnel remote     : 20.2.2.3
        Flow source       : 10.1.1.2/255.255.255.255 0/0
        flow destination  : 10.6.1.10/255.255.255.255 0/0
    
        [Outbound ESP SAs]
          SPI: 1969821731 (0x75691823)
          Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128  
          SA remaining key duration (kilobytes/sec): 3952910/3600
          Max sent sequence-number: 1
          UDP encapsulation used for NAT traversal: N                               
          SA encrypted packets (number/kilobytes): 4/0  
    
        [Inbound ESP SAs]
          SPI:  3482732912 (0xcf964970)
          Proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
          SA remaining key duration (kilobytes/sec): 8192000/3600
          Max received sequence-number: 1
          UDP encapsulation used for NAT traversal: N 
          SA decrypted packets (number/kilobytes): 4/0                              
          Anti-replay : Enable                                                      
          Anti-replay window size: 1024                                             
    

Configuration Files

FW configuration file

#
 sysname FW
#
ike dpd type on-demand
ike dpd retransmit-interval 10
#
radius-server template aaa
 radius-server shared-key cipher %^%#c!;|:_ari9ou6Z4MfQXQS;FF%^%#
 radius-server authentication 10.1.1.5 1812
#
ip pool pool1
 section 1 10.6.1.1 10.6.1.254
#
aaa
 authentication-scheme eap
  authentication-mode radius
 service-scheme eap 
  ip-pool pool1
 domain abcd.org
  service-type internetaccess ike
  authentication-scheme eap
  radius-server aaa
  service-scheme eap
#
acl 3003
 rule 5 permit ip destination 10.6.1.0 0.0.0.255
#
ipsec proposal ap
 esp authentication-algorithm sha2-256                                          
 esp encryption-algorithm aes-256
#
ike proposal 1
 encryption-algorithm aes-256                                                   
 dh group14                                                                      
 authentication-algorithm sha2-256                                              
 authentication-method pre-share                                                
 integrity-algorithm hmac-sha2-256                                              
 prf hmac-sha2-256
#
ike peer ap
 ike-proposal 1
 pre-shared-key %^%#y4li.Io&^K|/RQH(B(6%d2<X%^%#
 service-scheme eap
 remote-address ip-pool 0
 undo version 1
#
ipsec policy-template ap 1
 security acl 3003
 ike-peer ap
 proposal ap
#
ipsec policy app 1 isakmp template ap
#
interface GigabitEthernet 0/0/3
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/1
 undo shutdown
 ip address 20.1.1.1 255.255.255.0
 ipsec policy app
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
security-policy
 rule name policy_ipsec_1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 255.255.255.0
  action permit
 rule name policy_ipsec_2
  source-zone untrust
  destination-zone trust
  destination-address 10.1.1.0 255.255.255.0
  action permit
 rule name policy_ipsec_3
  source-zone local
  destination-zone untrust
  source-address 20.1.1.1 255.255.255.255
  destination-address 20.2.2.3 255.255.255.255
  action permit
 rule name policy_ipsec_4
  source-zone untrust
  destination-zone local
  source-address 20.2.2.3 255.255.255.255
  destination-address 20.1.1.1 255.255.255.255
  action permit
#
ip route-static 10.6.1.0 255.255.255.0 20.1.1.2
ip route-static 20.2.2.3 255.255.255.0 20.1.1.2
#
return
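As an added example, not part of the Huawei page or its configuration, the following Python check parses a configuration file in the format above and verifies the cross-references this IKEv2/EAP setup relies on: the protected ACL covers the address pool, the policy template refers to objects that exist, and IKEv1 is disabled on the IKE peer. The embedded SAMPLE is a constructed, abridged copy of the configuration file above.

```python
import ipaddress

# Constructed, abridged copy of the page's FW configuration file.
SAMPLE = """\
#
ip pool pool1
 section 1 10.6.1.1 10.6.1.254
#
acl 3003
 rule 5 permit ip destination 10.6.1.0 0.0.0.255
#
ike peer ap
 service-scheme eap
 undo version 1
#
ipsec proposal ap
#
ipsec policy-template ap 1
 security acl 3003
 ike-peer ap
 proposal ap
#
"""

def sections(cfg):
    """Split the '#'-delimited config into {header: [body lines]} ('#' only as delimiter)."""
    blocks = [b.strip().splitlines() for b in cfg.split("#") if b.strip()]
    return {b[0].strip(): [l.strip() for l in b[1:]] for b in blocks}

def find_problems(cfg):
    """Return human-readable inconsistencies; an empty list means the config is consistent."""
    sec, problems = sections(cfg), []
    first = lambda prefix: next(b for h, b in sec.items() if h.startswith(prefix))
    # The ACL defines the flow protected towards the pool: both pool ends must lie in it.
    lo, hi = first("ip pool")[0].split()[2:4]
    net, wildcard = first("acl")[0].split()[-2:]
    acl_net = ipaddress.ip_network(f"{net}/{wildcard}")  # wildcard is a hostmask
    if not all(ipaddress.ip_address(a) in acl_net for a in (lo, hi)):
        problems.append(f"pool {lo}-{hi} not covered by ACL {acl_net}")
    # Every object the policy template names must exist as its own section.
    refs = {"security acl": "acl", "ike-peer": "ike peer", "proposal": "ipsec proposal"}
    for line in first("ipsec policy-template"):
        for key, section in refs.items():
            if line.startswith(key) and f"{section} {line.split()[-1]}" not in sec:
                problems.append(f"template refers to missing '{section} {line.split()[-1]}'")
    # The data plan requires IKEv2 with EAP, so IKEv1 must be disabled on the peer.
    if "undo version 1" not in sec.get("ike peer ap", []):
        problems.append("ike peer ap still accepts IKEv1")
    return problems
```

Running find_problems(SAMPLE) returns an empty list for the configuration above; changing the pool range, removing undo version 1, or pointing the template at an undefined IKE peer each produce one finding.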
Copyright © Huawei Technologies Co., Ltd.