
CLI: Two Gateways Establish an IPSec IPv4 over IPv6 Tunnel Based on Physical Interfaces

Networking Requirements

In Figure 1, two IPv4 networks are connected to the IPv6 public network through FW_A and FW_B respectively. Traffic transmitted between the two IPv4 networks needs to be protected.

The two IPv4 networks communicate with each other over the IPv6 public network. An IPSec IPv4 over IPv6 tunnel can be established between FW_A and FW_B to enable users of the two IPv4 networks to communicate over the IPSec tunnel.

Figure 1 Two gateways establishing an IPSec IPv4 over IPv6 tunnel based on physical interfaces

Configuration Roadmap

The configuration roadmap is as follows:

  1. Perform basic interface configurations.
  2. Configure security policies to allow devices on specified network segments of private networks to exchange packets.
  3. Configure routes to the remote internal network.
  4. Configure an IPSec policy, including the policy basic information, the data flows to be encrypted (defined by an ACL), and the IPSec proposal and IKE negotiation parameters.

Procedure

  1. Configure FW_A, including configuring IP addresses for interfaces, adding interfaces to security zones, configuring inter-zone security policies, and configuring static routes.
    1. Configure IP addresses for interfaces.

      1. Configure an IP address for GigabitEthernet 0/0/3.

        <sysname> system-view
        [sysname] sysname FW_A
        [FW_A] interface GigabitEthernet 0/0/3
        [FW_A-GigabitEthernet0/0/3] ip address 10.1.1.1 24
        [FW_A-GigabitEthernet0/0/3] quit
      2. Configure an IP address for GigabitEthernet 0/0/1.

        [FW_A] ipv6
        [FW_A] interface GigabitEthernet 0/0/1
        [FW_A-GigabitEthernet0/0/1] ip address 1.1.3.1 24
        [FW_A-GigabitEthernet0/0/1] ipv6 enable
        [FW_A-GigabitEthernet0/0/1] ipv6 address 1::1:1 120
        [FW_A-GigabitEthernet0/0/1] quit

    2. Add interfaces to security zones.

      1. Add GigabitEthernet 0/0/3 to the trust zone.

        [FW_A] firewall zone trust
        [FW_A-zone-trust] add interface GigabitEthernet 0/0/3
        [FW_A-zone-trust] quit
      2. Add GigabitEthernet 0/0/1 to the untrust zone.

        [FW_A] firewall zone untrust
        [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
        [FW_A-zone-untrust] quit

    3. Configure inter-zone security policies.

      1. Configure inter-zone security policies between the trust zone and untrust zone.

        [FW_A] security-policy
        [FW_A-policy-security] rule name policy1
        [FW_A-policy-security-rule-policy1] source-zone trust
        [FW_A-policy-security-rule-policy1] destination-zone untrust
        [FW_A-policy-security-rule-policy1] source-address 10.1.1.0 24
        [FW_A-policy-security-rule-policy1] destination-address 10.1.2.0 24
        [FW_A-policy-security-rule-policy1] action permit
        [FW_A-policy-security-rule-policy1] quit
        [FW_A-policy-security] rule name policy2
        [FW_A-policy-security-rule-policy2] source-zone untrust
        [FW_A-policy-security-rule-policy2] destination-zone trust
        [FW_A-policy-security-rule-policy2] source-address 10.1.2.0 24
        [FW_A-policy-security-rule-policy2] destination-address 10.1.1.0 24
        [FW_A-policy-security-rule-policy2] action permit
        [FW_A-policy-security-rule-policy2] quit
      2. Configure inter-zone security policies between the local zone and untrust zone.

        The security policies between the local zone and the untrust zone control whether IKE negotiation packets, and the ESP packets that follow, can reach the FW itself. They are required before the two tunnel ends can talk to each other.

        These policies can match on source and destination addresses, or on protocol and port. This example matches on addresses. To match on protocol and port instead, permit ESP (IP protocol 50) and UDP port 500 for IKE. In this example IKE runs over IPv6 (the remote-address is 2::1:1), so the IPv6 entries below are the ones the tunnel traffic matches; the IPv4 entries are harmless but carry no tunnel traffic.

        [FW_A-policy-security] rule name policy3
        [FW_A-policy-security-rule-policy3] source-zone local
        [FW_A-policy-security-rule-policy3] destination-zone untrust
        [FW_A-policy-security-rule-policy3] source-address 1.1.3.0 24
        [FW_A-policy-security-rule-policy3] source-address 1::1:1 120
        [FW_A-policy-security-rule-policy3] destination-address 1.1.5.0 24
        [FW_A-policy-security-rule-policy3] destination-address 2::1:1 120
        [FW_A-policy-security-rule-policy3] action permit
        [FW_A-policy-security-rule-policy3] quit
        [FW_A-policy-security] rule name policy4
        [FW_A-policy-security-rule-policy4] source-zone untrust
        [FW_A-policy-security-rule-policy4] destination-zone local
        [FW_A-policy-security-rule-policy4] source-address 1.1.5.0 24
        [FW_A-policy-security-rule-policy4] source-address 2::1:1 120
        [FW_A-policy-security-rule-policy4] destination-address 1.1.3.0 24
        [FW_A-policy-security-rule-policy4] destination-address 1::1:1 120
        [FW_A-policy-security-rule-policy4] action permit
        [FW_A-policy-security-rule-policy4] quit
        [FW_A-policy-security] quit

    4. Configure static routes to destination network B. Assume that the next-hop address toward network B is 1::1:2 and the outbound interface is GigabitEthernet 0/0/1. The IPv4 route for 10.1.2.0/24 points at the outbound interface only: its purpose is to steer the private traffic onto the interface where the IPSec policy is applied, so that ACL 3000 matches it and it is encapsulated in IPv6. The IPv6 route carries the encapsulated packets to the peer.

      [FW_A] ip route-static 10.1.2.0 255.255.255.0 GigabitEthernet 0/0/1
      [FW_A] ipv6 route-static 2::1:0 120 1::1:2

  2. Configure an IPSec policy on FW_A and apply the policy to an interface.
    1. Define data flows to be protected.

      [FW_A] acl 3000
      [FW_A-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
      [FW_A-acl-adv-3000] quit

    2. Configure an IPSec proposal. The default parameters can be retained; the commands below set the ESP algorithms explicitly (AES-256 encryption with SHA2-256 integrity). The proposal must match the one configured on FW_B.

      [FW_A] ipsec proposal tran1
      [FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_A-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal.

      [FW_A] ike proposal 10
      [FW_A-ike-proposal-10] authentication-method pre-share
      [FW_A-ike-proposal-10] prf hmac-sha2-256
      [FW_A-ike-proposal-10] encryption-algorithm aes-256
      [FW_A-ike-proposal-10] dh group14
      [FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [FW_A-ike-proposal-10] quit

    4. Configure an IKE peer. The remote-address is the IPv6 address of GigabitEthernet 0/0/1 on FW_B, and the pre-shared key must be identical on both ends. Test!1234 is a placeholder for this example; use a long random key in production.

      [FW_A] ike peer b
      [FW_A-ike-peer-b] ike-proposal 10
      [FW_A-ike-peer-b] remote-address 2::1:1
      [FW_A-ike-peer-b] pre-shared-key Test!1234
      [FW_A-ike-peer-b] quit

    5. Configure an IPSec policy.

      [FW_A] ipsec policy map1 10 isakmp
      [FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
      [FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
      [FW_A-ipsec-policy-isakmp-map1-10] ike-peer b
      [FW_A-ipsec-policy-isakmp-map1-10] quit

    6. Apply the IPSec policy group map1 to GigabitEthernet 0/0/1.

      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ipsec policy map1
      [FW_A-GigabitEthernet0/0/1] quit

  3. Configure FW_B, including configuring IP addresses for interfaces, adding interfaces to security zones, configuring inter-zone security policies, and configuring static routes.
    1. Configure IP addresses for interfaces.

      1. Configure an IP address for GigabitEthernet 0/0/3.

        <sysname> system-view
        [sysname] sysname FW_B
        [FW_B] interface GigabitEthernet 0/0/3
        [FW_B-GigabitEthernet0/0/3] ip address 10.1.2.1 24
        [FW_B-GigabitEthernet0/0/3] quit
      2. Configure an IP address for GigabitEthernet 0/0/1.

        [FW_B] ipv6
        [FW_B] interface GigabitEthernet 0/0/1
        [FW_B-GigabitEthernet0/0/1] ip address 1.1.5.1 24
        [FW_B-GigabitEthernet0/0/1] ipv6 enable
        [FW_B-GigabitEthernet0/0/1] ipv6 address 2::1:1 120
        [FW_B-GigabitEthernet0/0/1] quit

    2. Add interfaces to security zones.

      1. Add GigabitEthernet 0/0/3 to the trust zone.

        [FW_B] firewall zone trust
        [FW_B-zone-trust] add interface GigabitEthernet 0/0/3
        [FW_B-zone-trust] quit
      2. Add GigabitEthernet 0/0/1 to the untrust zone.

        [FW_B] firewall zone untrust
        [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
        [FW_B-zone-untrust] quit

    3. Configure inter-zone security policies.

      1. Configure inter-zone security policies between the trust zone and untrust zone.

        [FW_B] security-policy
        [FW_B-policy-security] rule name policy1
        [FW_B-policy-security-rule-policy1] source-zone trust
        [FW_B-policy-security-rule-policy1] destination-zone untrust
        [FW_B-policy-security-rule-policy1] source-address 10.1.2.0 24
        [FW_B-policy-security-rule-policy1] destination-address 10.1.1.0 24
        [FW_B-policy-security-rule-policy1] action permit
        [FW_B-policy-security-rule-policy1] quit
        [FW_B-policy-security] rule name policy2
        [FW_B-policy-security-rule-policy2] source-zone untrust
        [FW_B-policy-security-rule-policy2] destination-zone trust
        [FW_B-policy-security-rule-policy2] source-address 10.1.1.0 24
        [FW_B-policy-security-rule-policy2] destination-address 10.1.2.0 24
        [FW_B-policy-security-rule-policy2] action permit
        [FW_B-policy-security-rule-policy2] quit
      2. Configure inter-zone security policies between the local zone and untrust zone.

        As on FW_A, the security policies between the local zone and the untrust zone control whether IKE negotiation packets, and the ESP packets that follow, can reach FW_B itself; without them the two tunnel ends cannot talk to each other.

        These policies can match on source and destination addresses, or on protocol and port. This example matches on addresses. To match on protocol and port instead, permit ESP (IP protocol 50) and UDP port 500 for IKE.

        [FW_B-policy-security] rule name policy3
        [FW_B-policy-security-rule-policy3] source-zone local
        [FW_B-policy-security-rule-policy3] destination-zone untrust
        [FW_B-policy-security-rule-policy3] source-address 1.1.5.0 24
        [FW_B-policy-security-rule-policy3] source-address 2::1:1 120
        [FW_B-policy-security-rule-policy3] destination-address 1.1.3.0 24
        [FW_B-policy-security-rule-policy3] destination-address 1::1:1 120
        [FW_B-policy-security-rule-policy3] action permit
        [FW_B-policy-security-rule-policy3] quit
        [FW_B-policy-security] rule name policy4
        [FW_B-policy-security-rule-policy4] source-zone untrust
        [FW_B-policy-security-rule-policy4] destination-zone local
        [FW_B-policy-security-rule-policy4] source-address 1.1.3.0 24
        [FW_B-policy-security-rule-policy4] source-address 1::1:1 120
        [FW_B-policy-security-rule-policy4] destination-address 1.1.5.0 24
        [FW_B-policy-security-rule-policy4] destination-address 2::1:1 120
        [FW_B-policy-security-rule-policy4] action permit
        [FW_B-policy-security-rule-policy4] quit
        [FW_B-policy-security] quit

    4. Configure static routes to destination network A. Assume that the next-hop address toward network A is 2::1:2 and the outbound interface is GigabitEthernet 0/0/1. As on FW_A, the IPv4 route steers the private traffic onto the interface carrying the IPSec policy, and the IPv6 route carries the encapsulated packets to the peer.

      [FW_B] ip route-static 10.1.1.0 255.255.255.0 GigabitEthernet 0/0/1
      [FW_B] ipv6 route-static 1::1:0 120 2::1:2

  4. Configure an IPSec policy on FW_B and apply the policy to an interface.
    1. Define data flows to be protected.

      [FW_B] acl 3000
      [FW_B-acl-adv-3000] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [FW_B-acl-adv-3000] quit

    2. Configure an IPSec proposal.

      [FW_B] ipsec proposal tran1
      [FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_B-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal.

      [FW_B] ike proposal 10
      [FW_B-ike-proposal-10] authentication-method pre-share
      [FW_B-ike-proposal-10] prf hmac-sha2-256
      [FW_B-ike-proposal-10] encryption-algorithm aes-256
      [FW_B-ike-proposal-10] dh group14
      [FW_B-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [FW_B-ike-proposal-10] quit

    4. Configure an IKE peer. The remote-address is the IPv6 address of GigabitEthernet 0/0/1 on FW_A, and the pre-shared key must be the same as the one configured on FW_A.

      [FW_B] ike peer a
      [FW_B-ike-peer-a] ike-proposal 10
      [FW_B-ike-peer-a] remote-address 1::1:1
      [FW_B-ike-peer-a] pre-shared-key Test!1234
      [FW_B-ike-peer-a] quit

    5. Configure an IPSec policy.

      [FW_B] ipsec policy map1 10 isakmp
      [FW_B-ipsec-policy-isakmp-map1-10] security acl 3000
      [FW_B-ipsec-policy-isakmp-map1-10] proposal tran1
      [FW_B-ipsec-policy-isakmp-map1-10] ike-peer a
      [FW_B-ipsec-policy-isakmp-map1-10] quit

    6. Apply the IPSec policy group map1 to GigabitEthernet 0/0/1.

      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ipsec policy map1
      [FW_B-GigabitEthernet0/0/1] quit

Verifying the Configuration

  1. Ping PC2 from PC1 to trigger IKE negotiation.

    IKE negotiation succeeds. After the IPSec tunnel is established, PC1 can ping PC2 successfully, and data transmitted between PC1 and PC2 is encrypted. The first echo requests may time out while the SAs are still being negotiated; later ones succeed.

  2. Run the display ike sa command on the FW. The output shows that an IKE SA (Phase v2:1) and an IPSec SA (Phase v2:2) have been established with the peer, both flagged RD (READY). The following uses the display of FW_B as an example.

    <FW_B> display ike sa
    IKE SA information :
        Conn-ID     Peer            VPN   Flag(s)  Phase  RemoteType  RemoteID
      -----------------------------------------------------------------------------
        16777239    1::1:1:500            RD|ST|A  v2:2   IP          1::1:1
        16777232    1::1:1:500            RD|ST|A  v2:1   IP          1::1:1

      Number of IKE SA : 2
      -------------------------------------------------------------------------------

      Flag Description:
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING
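The verification step above reads the two SA rows by eye. The following Python script, an added example that is not part of the original page or of Huawei's tooling, turns the same display ike sa output into a tunnel health verdict for one peer: it parses the SA rows (the sample text is the FW_B output shown above, embedded as a constant) and reports up only when a READY IKE SA (Phase v2:1) and a READY IPSec SA (Phase v2:2) to that peer both exist. The verdict strings, the function names and the reading of UDP port 4500 as NAT traversal are this example's own assumptions.

```python
"""Turn 'display ike sa' output into a tunnel health verdict for one peer.

Added example, not Huawei tooling. SAMPLE is the page's FW_B output; flag and
phase meanings follow the legend the command prints (RD = READY, NEG =
NEGOTIATING) and the page's reading of v2:1 as the IKE SA and v2:2 as the
IPSec SA. The verdict strings and the UDP-4500 NAT-T note are assumptions.
"""
import re

SAMPLE = """\
IKE SA information :
    Conn-ID     Peer            VPN   Flag(s)  Phase  RemoteType  RemoteID
  -----------------------------------------------------------------------------
    16777239    1::1:1:500            RD|ST|A  v2:2   IP          1::1:1
    16777232    1::1:1:500            RD|ST|A  v2:1   IP          1::1:1

  Number of IKE SA : 2
"""

# One SA row: conn-id, peer:port (IPv6 peers also contain ':'), optional VPN
# name, '|'-joined flags, phase (vN:1 = IKE SA, vN:2 = IPSec SA), type, remote ID.
ROW = re.compile(r"^\s*(\d+)\s+(\S+):(\d+)\s+(\S*)\s+([A-Z|]+)\s+(v\d:\d)\s+(\S+)\s+(\S+)\s*$")


def parse_ike_sa(text):
    """Return one dict per SA row; header, separator and legend lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        conn, peer, port, vpn, flags, phase, rtype, rid = m.groups()
        sas.append({"conn": int(conn), "peer": peer, "port": int(port), "vpn": vpn,
                    "flags": set(flags.split("|")), "phase": phase, "remote_id": rid,
                    "nat_t": int(port) == 4500})  # UDP 4500: IKE switched to NAT traversal
    return sas


def tunnel_status(text, peer):
    """'up' only when a READY IKE SA and a READY IPSec SA to peer both exist."""
    sas = [s for s in parse_ike_sa(text) if s["peer"] == peer]
    if not sas:
        return "down: no IKE SA to peer (IKE was never triggered, or local/untrust policy dropped it)"
    if any("NEG" in s["flags"] for s in sas):
        return "negotiating"
    # Phase suffix: 1 = IKE SA, 2 = IPSec (child) SA; only READY entries count.
    ready = {s["phase"].rsplit(":", 1)[1] for s in sas if "RD" in s["flags"]}
    if "1" not in ready:
        return "down: IKE SA not ready (PSK, IKE proposal or remote-address mismatch)"
    if "2" not in ready:
        return "down: IKE SA ready but no IPSec SA (ACL selectors or IPSec proposal mismatch)"
    return "up"


if __name__ == "__main__":
    print(tunnel_status(SAMPLE, "1::1:1"))
```

Fed with output captured from the FW, this works as a monitoring probe. A READY v2:1 row with no v2:2 row is the signature of a phase-2 problem (mismatched ACL selectors or IPSec proposals), which the script reports separately from an IKE-level failure such as a wrong pre-shared key.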

Configuration Files

  • FW_A configuration file

    #
     sysname FW_A
    #
    ipv6
    # 
    acl number 3000
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer b
     pre-shared-key %^%#~VJ8=%0CN8A<c.;h~`m0yrf5NFYhDG=.]4T_D(_&%^%#
     ike-proposal 10
     remote-address 2::1:1
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ipv6 enable
     ip address 1.1.3.1 255.255.255.0
     ipv6 address 1::1:1/120
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    ip route-static 10.1.2.0 255.255.255.0 GigabitEthernet0/0/1
    #
    ipv6 route-static 2::1:0 120 1::1:2
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.0 mask 255.255.255.0
      destination-address 10.1.2.0 mask 255.255.255.0
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.2.0 mask 255.255.255.0
      destination-address 10.1.1.0 mask 255.255.255.0
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      source-address 1.1.3.0 mask 255.255.255.0
      source-address 1::1:1 120
      destination-address 1.1.5.0 mask 255.255.255.0
      destination-address 2::1:1 120
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      source-address 1.1.5.0 mask 255.255.255.0
      source-address 2::1:1 120
      destination-address 1.1.3.0 mask 255.255.255.0
      destination-address 1::1:1 120
      action permit
    #
    return
  • FW_B configuration file

    #
     sysname FW_B
    #
    ipv6
    #
    acl number 3000
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer a
     pre-shared-key %^%#~VJ8=%0CN8A<c.;h~`m0yrf5NFYhDG=.]4T_D(_&%^%#
     ike-proposal 10
     remote-address 1::1:1
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ipv6 enable
     ip address 1.1.5.1 255.255.255.0
     ipv6 address 2::1:1/120
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet0/0/1
    #
    ip route-static 10.1.1.0 255.255.255.0 GigabitEthernet0/0/1
    #
    ipv6 route-static 1::1:0 120 2::1:2
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.2.0 mask 255.255.255.0
      destination-address 10.1.1.0 mask 255.255.255.0
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.1.0 mask 255.255.255.0
      destination-address 10.1.2.0 mask 255.255.255.0
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      source-address 1.1.5.0 mask 255.255.255.0
      source-address 2::1:1 120
      destination-address 1.1.3.0 mask 255.255.255.0
      destination-address 1::1:1 120
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      source-address 1.1.3.0 mask 255.255.255.0
      source-address 1::1:1 120
      destination-address 1.1.5.0 mask 255.255.255.0
      destination-address 2::1:1 120
      action permit
    #
    return
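The two configuration files above are meant to be mirror images of each other, and the Local-Untrust policy notes in the procedure describe what must be permitted for IKE and ESP to reach each firewall. The Python script below, an added example that is neither part of the original page nor Huawei tooling, checks both mechanically: it parses VRP-style configuration text and reports when the ACL 3000 selectors are not mirrored, when an ike peer remote-address is not the IPv6 address of the interface carrying the far end's IPSec policy, when the pre-shared keys differ, or when the local/untrust security policies would drop the IKE exchange. FW_A is constructed from the page's FW_A file, trimmed to the sections the checker reads; FW_B is generated as its mirror. The pre-shared keys are taken as typed in the procedure because the saved file stores them in encrypted form. The function names and the finding texts are this example's own.

```python
"""Cross-check both ends of the IPSec IPv4-over-IPv6 tunnel for consistency.

Added example, not Huawei tooling. FW_A is built from the page's FW_A config
(trimmed to the sections read here); FW_B is generated as its mirror image.
"""
import ipaddress

FW_A = """\
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ike peer b
 remote-address 2::1:1
interface GigabitEthernet0/0/1
 ipv6 address 1::1:1/120
 ipsec policy map1
security-policy
 rule name policy3
  source-zone local
  destination-zone untrust
  source-address 1::1:1 120
  destination-address 2::1:1 120
  action permit
 rule name policy4
  source-zone untrust
  destination-zone local
  source-address 2::1:1 120
  destination-address 1::1:1 120
  action permit
"""
PSK = "Test!1234"  # the page's example key; use a long random value in production

def mirror(cfg, pairs):
    """Exchange each (x, y) token pair in cfg to build the far end's config."""
    for i, (x, y) in enumerate(pairs):
        cfg = cfg.replace(x, f"<{i}x>").replace(y, f"<{i}y>")
    for i, (x, y) in enumerate(pairs):
        cfg = cfg.replace(f"<{i}x>", y).replace(f"<{i}y>", x)
    return cfg

FW_B = mirror(FW_A, (("10.1.1.0", "10.1.2.0"), ("1::1:1", "2::1:1"), ("peer b", "peer a")))

def acl_net(addr, wildcard):
    """ACL wildcard (0 bit = must match) to a network; '0' or 0.0.0.0 is one host."""
    ones = bin(int(ipaddress.IPv4Address(wildcard if "." in wildcard else "0.0.0.0"))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)

def parse(cfg):
    """Extract ACL flows, IKE peer address, IPSec-bound interface and policy rules."""
    info = {"acl": set(), "peer": None, "if6": {}, "ipsec_if": None, "rules": []}
    block = ""
    for line in cfg.splitlines():
        if not line.strip() or not line.startswith(" "):  # blank, "#" or section header
            block = line.strip() if line.strip() and not line.startswith("#") else ""
            continue
        w = line.split()
        if block.startswith("acl") and w[0] == "rule" and w[2] == "permit":
            info["acl"].add((acl_net(w[5], w[6]), acl_net(w[8], w[9])))
        elif block.startswith("ike peer") and w[0] == "remote-address":
            info["peer"] = ipaddress.ip_address(w[1])
        elif block.startswith("interface") and w[:2] == ["ipv6", "address"]:
            info["if6"][block.split()[1]] = ipaddress.ip_interface(w[2]).ip
        elif block.startswith("interface") and w[:2] == ["ipsec", "policy"]:
            info["ipsec_if"] = block.split()[1]
        elif block == "security-policy" and w[0] == "rule":
            info["rules"].append({"source-address": [], "destination-address": []})
        elif block == "security-policy" and w[0].endswith("-address"):
            # "2::1:1 120" or "10.1.2.0 mask 255.255.255.0" -> network object
            info["rules"][-1][w[0]].append(ipaddress.ip_network(f"{w[1]}/{w[-1]}", strict=False))
        elif block == "security-policy":
            info["rules"][-1][w[0]] = w[1]  # source-zone, destination-zone, action
    return info

def permits(rules, szone, dzone, src, dst):
    """First-match evaluation of the security-policy list; no match is a deny."""
    hit = lambda nets, ip: not nets or any(ip in n for n in nets)
    for r in rules:
        if (r.get("source-zone"), r.get("destination-zone")) != (szone, dzone):
            continue
        if hit(r["source-address"], src) and hit(r["destination-address"], dst):
            return r.get("action") == "permit"
    return False

def check(cfg_a, cfg_b, psk_a, psk_b):
    """Return findings; an empty list means the two ends agree."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    if psk_a != psk_b:
        out.append("pre-shared keys differ")
    if a["acl"] != {(d, s) for s, d in b["acl"]}:  # phase-2 selectors must be mirror images
        out.append("acl 3000 is not a mirror image of the far end")
    for x, y, tag in ((a, b, "FW_A"), (b, a, "FW_B")):
        local, far = x["if6"].get(x["ipsec_if"]), y["if6"].get(y["ipsec_if"])
        if x["peer"] != far:  # IKE must target the interface carrying the far end's policy
            out.append(f"{tag}: remote-address {x['peer']} is not the far end's tunnel interface {far}")
        # IKE (UDP 500) and ESP terminate on the firewall itself, i.e. in the local zone
        if not permits(x["rules"], "local", "untrust", local, x["peer"]):
            out.append(f"{tag}: local->untrust policy blocks IKE to {x['peer']}")
        if not permits(x["rules"], "untrust", "local", x["peer"], local):
            out.append(f"{tag}: untrust->local policy blocks IKE from {x['peer']}")
    return out

if __name__ == "__main__":
    print("\n".join(check(FW_A, FW_B, PSK, PSK) or ["consistent"]))
```

Run it before triggering IKE: each finding maps to a concrete failure mode (phase 2 never completes on a selector mismatch, IKE never starts if the remote-address is wrong or the local/untrust policy drops UDP 500, authentication fails on a key mismatch). To test an edit, pass the modified configuration text; replacing the source network in FW_B's ACL rule, for instance, produces the mirror-image finding.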
Copyright © Huawei Technologies Co., Ltd.