
CLI: A Branch Accesses Different VPN Resources at the Headquarters Through an IPSec Tunnel

Networking Requirements

In Figure 1, FW_A is the headquarters gateway, and FW_B is the branch gateway. Different resources at the headquarters are isolated using VPNs. The branch needs to securely access these resources through an IPSec tunnel.

Figure 1 Networking diagram

Configuration Roadmap

Configure an IPSec policy using an IPSec policy template on FW_A to respond to the branch access request. Only one VPN instance can be bound to the IKE peer of FW_A, so VPNs need to import routes from each other for inter-VPN traffic forwarding if the branch needs to access different VPN resources at the headquarters.

  1. Perform basic configurations, including configuring IP addresses for interfaces, adding interfaces to security zones, configuring inter-zone security policies, and configuring static routes.

  2. Configure IPSec policies, including IPSec proposals, data flows to be encrypted, and IKE proposals.

Procedure

  • On FW_A, configure VPN instances, configure IP addresses for interfaces, add interfaces to security zones, and configure inter-zone security policies.
    1. Configure VPN instances.

      <sysname> system-view
      [sysname] sysname FW_A
      [FW_A] ip vpn-instance vpn1
      [FW_A-vpn-instance-vpn1] route-distinguisher 100:1
      [FW_A-vpn-instance-vpn1] quit
      [FW_A] ip vpn-instance vpn2
      [FW_A-vpn-instance-vpn2] route-distinguisher 200:1
      [FW_A-vpn-instance-vpn2] quit
      [FW_A] ip vpn-instance vpn3
      [FW_A-vpn-instance-vpn3] route-distinguisher 300:1
      [FW_A-vpn-instance-vpn3] quit

    2. Configure IP addresses for interfaces.

      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ip binding vpn-instance vpn1
      [FW_A-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW_A-GigabitEthernet0/0/1] quit
      [FW_A] interface GigabitEthernet 0/0/2
      [FW_A-GigabitEthernet0/0/2] ip binding vpn-instance vpn2
      [FW_A-GigabitEthernet0/0/2] ip address 10.1.2.1 24
      [FW_A-GigabitEthernet0/0/2] quit
      [FW_A] interface GigabitEthernet 0/0/3
      [FW_A-GigabitEthernet0/0/3] ip binding vpn-instance vpn3
      [FW_A-GigabitEthernet0/0/3] ip address 10.1.3.1 24
      [FW_A-GigabitEthernet0/0/3] quit

    3. Add interfaces to security zones.

      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/2
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_A-zone-trust] quit
      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_A-zone-untrust] quit

    4. Configure inter-zone security policies between the local zone and the zone where the inbound interface resides.

      The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, the protocol, or the port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

      [FW_A] security-policy
      [FW_A-policy-security] rule name policy1
      [FW_A-policy-security-rule-policy1] source-zone local
      [FW_A-policy-security-rule-policy1] destination-zone untrust
      [FW_A-policy-security-rule-policy1] source-address 1.1.1.1 24
      [FW_A-policy-security-rule-policy1] destination-address 2.1.1.1 24
      [FW_A-policy-security-rule-policy1] action permit
      [FW_A-policy-security-rule-policy1] quit
      [FW_A-policy-security] rule name policy2
      [FW_A-policy-security-rule-policy2] source-zone untrust
      [FW_A-policy-security-rule-policy2] destination-zone local
      [FW_A-policy-security-rule-policy2] source-address 2.1.1.1 24
      [FW_A-policy-security-rule-policy2] destination-address 1.1.1.1 24
      [FW_A-policy-security-rule-policy2] action permit
      [FW_A-policy-security-rule-policy2] quit

    5. Configure inter-zone security policies between the trust zone and untrust zone.

      The untrust zone is a security zone where tunnel interfaces reside.

      [FW_A] security-policy
      [FW_A-policy-security] rule name policy3
      [FW_A-policy-security-rule-policy3] source-zone trust
      [FW_A-policy-security-rule-policy3] destination-zone untrust
      [FW_A-policy-security-rule-policy3] source-address 10.1.0.0 16
      [FW_A-policy-security-rule-policy3] destination-address 10.1.4.0 24
      [FW_A-policy-security-rule-policy3] action permit
      [FW_A-policy-security-rule-policy3] quit
      [FW_A-policy-security] rule name policy4
      [FW_A-policy-security-rule-policy4] source-zone untrust
      [FW_A-policy-security-rule-policy4] destination-zone trust
      [FW_A-policy-security-rule-policy4] source-address 10.1.4.0 24
      [FW_A-policy-security-rule-policy4] destination-address 10.1.0.0 16
      [FW_A-policy-security-rule-policy4] action permit
      [FW_A-policy-security-rule-policy4] quit
      [FW_A-policy-security] quit

    6. Configure a static route to the branch. The following assumes that the next-hop address is 1.1.1.2.

      [FW_A] ip route-static vpn-instance vpn1 2.1.1.0 255.255.255.0 1.1.1.2

    7. Configure routes among VPNs so that VPN 1 can reach VPN 2 and VPN 3 using routes.

      [FW_A] ip route-static vpn-instance vpn1 10.1.2.0 24 vpn-instance vpn2 10.1.2.2
      [FW_A] ip route-static vpn-instance vpn1 10.1.3.0 24 vpn-instance vpn3 10.1.3.2
      [FW_A] ip route-static vpn-instance vpn2 10.1.4.0 24 vpn-instance vpn1 1.1.1.2
      [FW_A] ip route-static vpn-instance vpn3 10.1.4.0 24 vpn-instance vpn1 1.1.1.2

  • Configure an IPSec policy on FW_A.
    1. Configure an IPSec proposal.

      [FW_A] ipsec proposal tran1
      [FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_A-ipsec-proposal-tran1] quit

    2. Configure an IKE proposal.

      [FW_A] ike proposal 10
      [FW_A-ike-proposal-10] authentication-method pre-share
      [FW_A-ike-proposal-10] encryption-algorithm aes-256
      [FW_A-ike-proposal-10] authentication-algorithm sha2-256
      [FW_A-ike-proposal-10] dh group14
      [FW_A-ike-proposal-10] prf hmac-sha2-256
      [FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [FW_A-ike-proposal-10] quit

    3. Configure an IKE peer.

      [FW_A] ike peer vpn
      [FW_A-ike-peer-vpn] ike-proposal 10
      [FW_A-ike-peer-vpn] pre-shared-key Test!123
      [FW_A-ike-peer-vpn] sa binding vpn-instance vpn1
      [FW_A-ike-peer-vpn] quit

    4. Configure an IPSec policy.

      [FW_A] ipsec policy-template use1 10
      [FW_A-ipsec-policy-templet-use1-10] proposal tran1
      [FW_A-ipsec-policy-templet-use1-10] ike-peer vpn
      [FW_A-ipsec-policy-templet-use1-10] flow-vrf check disable
      [FW_A-ipsec-policy-templet-use1-10] quit
      [FW_A] ipsec policy map1 10 isakmp template use1

      If VPNs import routes from each other for inter-VPN traffic forwarding, you need to run the flow-vrf check disable command to disable the check of the VPN instance in data flows during IPSec encryption/decryption.

    5. Apply the IPSec policy to an interface.

      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ipsec policy map1
      [FW_A-GigabitEthernet0/0/1] quit

  • Perform basic configurations on FW_B.
    1. Configure IP addresses for interfaces.

      <sysname> system-view
      [sysname] sysname FW_B
      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ip address 2.1.1.1 24
      [FW_B-GigabitEthernet0/0/1] quit
      [FW_B] interface GigabitEthernet 0/0/2
      [FW_B-GigabitEthernet0/0/2] ip address 10.1.4.1 24
      [FW_B-GigabitEthernet0/0/2] quit

    2. Add interfaces to security zones.

      [FW_B] firewall zone trust
      [FW_B-zone-trust] add interface GigabitEthernet 0/0/2
      [FW_B-zone-trust] quit
      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_B-zone-untrust] quit

    3. Configure inter-zone security policies.

      1. Configure inter-zone security policies between the trust zone and untrust zone.

        [FW_B] security-policy
        [FW_B-policy-security] rule name policy1
        [FW_B-policy-security-rule-policy1] source-zone trust
        [FW_B-policy-security-rule-policy1] destination-zone untrust
        [FW_B-policy-security-rule-policy1] source-address 10.1.4.0 24
        [FW_B-policy-security-rule-policy1] destination-address 10.1.0.0 16
        [FW_B-policy-security-rule-policy1] action permit
        [FW_B-policy-security-rule-policy1] quit
        [FW_B-policy-security] rule name policy2
        [FW_B-policy-security-rule-policy2] source-zone untrust
        [FW_B-policy-security-rule-policy2] destination-zone trust
        [FW_B-policy-security-rule-policy2] source-address 10.1.0.0 16
        [FW_B-policy-security-rule-policy2] destination-address 10.1.4.0 24
        [FW_B-policy-security-rule-policy2] action permit
        [FW_B-policy-security-rule-policy2] quit
      2. Configure inter-zone security policies between the local zone and untrust zone.

        The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, the protocol, or the port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

        [FW_B-policy-security] rule name policy3
        [FW_B-policy-security-rule-policy3] source-zone local
        [FW_B-policy-security-rule-policy3] destination-zone untrust
        [FW_B-policy-security-rule-policy3] source-address 2.1.1.1 24
        [FW_B-policy-security-rule-policy3] destination-address 1.1.1.1 24
        [FW_B-policy-security-rule-policy3] action permit
        [FW_B-policy-security-rule-policy3] quit
        [FW_B-policy-security] rule name policy4
        [FW_B-policy-security-rule-policy4] source-zone untrust
        [FW_B-policy-security-rule-policy4] destination-zone local
        [FW_B-policy-security-rule-policy4] source-address 1.1.1.1 24
        [FW_B-policy-security-rule-policy4] destination-address 2.1.1.1 24
        [FW_B-policy-security-rule-policy4] action permit
        [FW_B-policy-security-rule-policy4] quit
        [FW_B-policy-security] quit

      You can configure inter-zone security policies between the local zone and untrust zone to allow devices on both ends of an IPSec tunnel to communicate with each other.

    4. Configure a static route to the headquarters. The following assumes that the next-hop address is 2.1.1.2.

      [FW_B] ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
      [FW_B] ip route-static 10.1.0.0 255.255.0.0 2.1.1.2

  • Configure an IPSec policy on FW_B.
    1. Configure an advanced ACL 3000.

      [FW_B] acl 3000
      [FW_B-acl-adv-3000] rule 10 permit ip source 10.1.4.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
      [FW_B-acl-adv-3000] rule 15 permit ip source 10.1.4.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
      [FW_B-acl-adv-3000] quit

    2. Configure an IPSec proposal.

      [FW_B] ipsec proposal tran1
      [FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_B-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal.

      [FW_B] ike proposal 10
      [FW_B-ike-proposal-10] authentication-method pre-share
      [FW_B-ike-proposal-10] encryption-algorithm aes-256
      [FW_B-ike-proposal-10] authentication-algorithm sha2-256
      [FW_B-ike-proposal-10] dh group14
      [FW_B-ike-proposal-10] prf hmac-sha2-256
      [FW_B-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [FW_B-ike-proposal-10] quit

    4. Configure an IKE peer.

      [FW_B] ike peer vpn
      [FW_B-ike-peer-vpn] ike-proposal 10
      [FW_B-ike-peer-vpn] remote-address 1.1.1.1
      [FW_B-ike-peer-vpn] pre-shared-key Test!123
      [FW_B-ike-peer-vpn] quit

    5. Configure an IPSec policy map1.

      [FW_B] ipsec policy map1 10 isakmp
      [FW_B-ipsec-policy-isakmp-map1-10] security acl 3000
      [FW_B-ipsec-policy-isakmp-map1-10] proposal tran1
      [FW_B-ipsec-policy-isakmp-map1-10] ike-peer vpn
      [FW_B-ipsec-policy-isakmp-map1-10] quit

    6. Apply the IPSec policy map1 to an interface.

      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ipsec policy map1
      [FW_B-GigabitEthernet0/0/1] quit
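A defender-side consistency check, added here as an example (not Huawei's own tooling and not part of the original page): it parses the FW_B ACL 3000 and security-policy sections from a constructed copy of the script and confirms that every flow the ACL sends into the tunnel is permitted in both zone directions, which is exactly what the trust/untrust rules must guarantee before the verification step below can succeed. The function names `parse_rules`, `parse_acl_flows`, `first_match` and `check_flows` are chosen here and are not device commands.

```python
import ipaddress
import re

# Constructed sample (not captured from a device): FW_B's ACL 3000 plus the
# trust/untrust rules exactly as the procedure above defines them.
FW_B_CONFIG = """\
acl number 3000
 rule 10 permit ip source 10.1.4.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 15 permit ip source 10.1.4.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 10.1.4.0 255.255.255.0
  destination-address 10.1.0.0 255.255.0.0
  action permit
 rule name policy2
  source-zone untrust
  destination-zone trust
  source-address 10.1.0.0 255.255.0.0
  destination-address 10.1.4.0 255.255.255.0
  action permit
"""
ANY = ipaddress.ip_network("0.0.0.0/0")   # a rule with no address field matches all

def parse_rules(config):
    """Security-policy rules as dicts; address fields become ip_network objects."""
    rules, cur = [], None
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["rule", "name"]:          # ACL lines read 'rule <num> permit'
            cur = {"name": words[2]}
            rules.append(cur)
        elif cur and words and words[0] in ("source-zone", "destination-zone", "action"):
            cur[words[0]] = words[1]
        elif cur and words and words[0] in ("source-address", "destination-address"):
            # netmask form (10.1.0.0 255.255.0.0); strict=False tolerates host bits set
            cur[words[0]] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
    return rules

def parse_acl_flows(config):
    """(src_net, dst_net) pairs from the ACL; its mask is a wildcard (hostmask)."""
    pat = r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)"
    return [(ipaddress.ip_network(f"{a}/{aw}"), ipaddress.ip_network(f"{b}/{bw}"))
            for a, aw, b, bw in re.findall(pat, config)]

def first_match(rules, src_zone, dst_zone, src_net, dst_net):
    """First rule fully permitting the flow; None if the first hit denies or only partly covers it."""
    for r in rules:
        if (r.get("source-zone"), r.get("destination-zone")) != (src_zone, dst_zone):
            continue
        rs, rd = r.get("source-address", ANY), r.get("destination-address", ANY)
        if src_net.overlaps(rs) and dst_net.overlaps(rd):   # first-match, as on the device
            full = src_net.subnet_of(rs) and dst_net.subnet_of(rd)
            return r["name"] if full and r.get("action") == "permit" else None
    return None

def check_flows(config, inside="trust", tunnel="untrust"):
    """Protected flows the policy fails to permit in either direction (empty = OK)."""
    rules, problems = parse_rules(config), []
    for src, dst in parse_acl_flows(config):
        if first_match(rules, inside, tunnel, src, dst) is None:
            problems.append(f"{src} -> {dst} ({inside} -> {tunnel}) not permitted")
        if first_match(rules, tunnel, inside, dst, src) is None:
            problems.append(f"{dst} -> {src} ({tunnel} -> {inside}) not permitted")
    return problems
```

Run `check_flows(FW_B_CONFIG)` on the corrected script and it returns an empty list; feed it a script whose address pairs are attached to the wrong zone direction and it names each direction that the policy silently drops.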

Verification

  1. Ping PC2 and PC3 from PC4. The ping succeeds.

  2. You can run the display ike sa command on the FWs to view SA establishment information. The following example shows the command output of FW_A.

    <FW_A> display ike sa

    IKE SA information:
      Conn-ID    Peer     VPN   Flag(s)  Phase  RemoteType  RemoteID
      -------------------------------------------------------------------
      117477245  2.1.1.1  vpn1  RD|A     v2:2   IP          2.1.1.1
      117477244  2.1.1.1  vpn1  RD|A     v2:2   IP          2.1.1.1
      117477243  2.1.1.1  vpn1  RD|A     v2:1   IP          2.1.1.1

      Number of IKE SA : 2
      -------------------------------------------------------------------

      Flag Description:
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING


Configuration Scripts

  • FW_A configuration scripts

    #
     sysname FW_A
    #
    ip vpn-instance vpn1
     route-distinguisher 100:1
    #
    ip vpn-instance vpn2
     route-distinguisher 200:1
    #
    ip vpn-instance vpn3
     route-distinguisher 300:1
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer vpn
     pre-shared-key %^%#5$\vJ~&IS==EJ=Eq^`3@GA[a!Xa}eIm'-GPK]_K@%^%#
     ike-proposal 10
     sa binding vpn-instance vpn1
    #
    ipsec policy-template use1 10
     ike-peer vpn
     proposal tran1
     flow-vrf check disable
    #
    ipsec policy map1 10 isakmp template use1
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip binding vpn-instance vpn1
     ip address 1.1.1.1 255.255.255.0
     ipsec policy map1
    #
    interface GigabitEthernet0/0/2
     undo shutdown
     ip binding vpn-instance vpn2
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip binding vpn-instance vpn3
     ip address 10.1.3.1 255.255.255.0
    #
    firewall zone trust
     add interface GigabitEthernet0/0/2
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust
     add interface GigabitEthernet0/0/1
    #
    ip route-static vpn-instance vpn1 2.1.1.0 255.255.255.0 1.1.1.2
    ip route-static vpn-instance vpn1 10.1.2.0 24 vpn-instance vpn2 10.1.2.2
    ip route-static vpn-instance vpn1 10.1.3.0 24 vpn-instance vpn3 10.1.3.2
    ip route-static vpn-instance vpn2 10.1.4.0 24 vpn-instance vpn1 1.1.1.2
    ip route-static vpn-instance vpn3 10.1.4.0 24 vpn-instance vpn1 1.1.1.2
    #
    security-policy
     rule name policy1
      source-zone local
      destination-zone untrust
      source-address 1.1.1.0 255.255.255.0
      destination-address 2.1.1.0 255.255.255.0
      action permit
     rule name policy2
      source-zone untrust
      destination-zone local
      source-address 2.1.1.0 255.255.255.0
      destination-address 1.1.1.0 255.255.255.0
      action permit
     rule name policy3
      source-zone trust
      destination-zone untrust
      source-address 10.1.0.0 255.255.0.0
      destination-address 10.1.4.0 255.255.255.0
      action permit
     rule name policy4
      source-zone untrust
      destination-zone trust
      source-address 10.1.4.0 255.255.255.0
      destination-address 10.1.0.0 255.255.0.0
      action permit
    #
    return
  • FW_B configuration scripts

    #
     sysname FW_B
    #
    acl number 3000
     rule 10 permit ip source 10.1.4.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
     rule 15 permit ip source 10.1.4.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer vpn
     pre-shared-key %^%#5$\vJ~&IS==EJ=Eq^`3@GA[a!Xa}eIm'-GPK]_K@%^%#
     ike-proposal 10
     remote-address 1.1.1.1
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer vpn
     proposal tran1
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 2.1.1.1 255.255.255.0
     ipsec policy map1
    #
    interface GigabitEthernet0/0/2
     undo shutdown
     ip address 10.1.4.1 255.255.255.0
    #
    firewall zone trust
     add interface GigabitEthernet0/0/2
    #
    firewall zone untrust
     add interface GigabitEthernet0/0/1
    #
    ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
    ip route-static 10.1.0.0 255.255.0.0 2.1.1.2
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.4.0 255.255.255.0
      destination-address 10.1.0.0 255.255.0.0
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.0.0 255.255.0.0
      destination-address 10.1.4.0 255.255.255.0
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      source-address 2.1.1.0 255.255.255.0
      destination-address 1.1.1.0 255.255.255.0
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      source-address 1.1.1.0 255.255.255.0
      destination-address 2.1.1.0 255.255.255.0
      action permit
    #
    return
Copyright © Huawei Technologies Co., Ltd.