
CLI: Example for Configuring an IPSec Tunnel Between the Headquarters and Branches Through Certificate Authentication (the Headquarters Uses a Certificate Whitelist)

Networking Requirements

A large enterprise has the headquarters and multiple branches. For security purposes, the headquarters and branches establish an IPSec tunnel through certificate authentication to secure communication between them. The enterprise wants to control branch access to the headquarters based on certificates so that only authorized branches can be connected to the headquarters.

In this case, the headquarters could use a certificate attribute access control policy to check the branches' certificates. With multiple branches, however, that approach requires a heavy configuration workload and is inconvenient to manage and maintain. You are therefore advised to configure a certificate whitelist at the headquarters and add the Common Name (CN) of each authorized branch's certificate to it. Only branches whose certificate CN is in the whitelist can then connect to the headquarters.

In Figure 1, FW_B and FW_C in two branches establish an IPSec tunnel with FW_A at the headquarters. The enterprise requires that the headquarters use the certificate whitelist to allow only FW_B to establish an IPSec tunnel with FW_A.

Figure 1 Establishing an IPSec tunnel between the headquarters and branch through certificate authentication

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses for interfaces and add the interfaces to security zones.
  2. Configure security policies to allow devices on specified network segments of private networks to exchange packets.
  3. Configure static routes to ensure reachable routes between networks.
  4. Configure PKI to apply for local and CA certificates using SCEP.
  5. Configure IPSec policies for certificate authentication, including configuring the data flows to be protected and IPSec proposal negotiation parameters.
  6. Configure a certificate whitelist on FW_A so that the headquarters allows only the branch specified in the certificate whitelist to be connected to it.

Data Preparation

  • Obtain the fingerprint information of a CA certificate from a CA server. This example uses Windows Server 2008 as the CA server. Assume that the CA server uses a challenge password to process the certificate application and the challenge password is 6AE73F21E6D3571D. The challenge password and fingerprint can be obtained at this URL: http://5.1.1.1:8080/certsrv/mscep_admin. It is assumed that the fingerprint information of the CA certificate is 6330974fb2fe3c52d16bdac40140918b4bcd3ec7 in SHA1 mode and the URL at which the certificate is obtained is http://5.1.1.1:8080/certsrv/mscep/mscep.dll.

  • Prepare a certificate whitelist (create a TXT file and change the file name extension from .txt to .xml), add the CN field of FW_B's certificate (CN-Cer-FWB) to the whitelist, and upload the whitelist to hda1:/pki/public on the device through TFTP.

    For example, if the certificate whitelist file is cerwhitelist.xml, the format is:

    <SerialnumberList>
    <Serialnumber>CN-Cer-FWB</Serialnumber>
    </SerialnumberList>
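The following added example (not Huawei code) models the whitelist mechanism described above: it renders cerwhitelist.xml in the format shown, parses it back, and applies the CN check to the certificate subjects of FW_B and FW_C. The subject strings are constructed in OpenSSL one-line form, and exact, case-sensitive CN matching is an assumption, since the page does not state the device's matching rule.

```python
"""Build and evaluate an IKE peer certificate whitelist of the kind used on FW_A.

Added example, not Huawei code. It reproduces the page's file format
(a <SerialnumberList> of <Serialnumber> elements that carry certificate CNs)
and models the check the headquarters applies when a branch presents its
certificate. Matching is exact and case-sensitive (an assumption).
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample data mirroring the page: only FW_B's CN is whitelisted.
WHITELISTED_CNS = ["CN-Cer-FWB"]

# Constructed peer certificate subjects in OpenSSL one-line form, built from
# the PKI entity attributes configured on FW_B and FW_C in this example.
PEER_SUBJECTS = {
    "FW_B": "/C=cn/ST=beijing/O=huawei/OU=dev/CN=CN-Cer-FWB",
    "FW_C": "/C=cn/ST=beijing/O=huawei/OU=dev/CN=CN-Cer-FWC",
}


def build_whitelist_xml(common_names):
    """Render the whitelist in the format the page expects (cerwhitelist.xml)."""
    body = "".join(f"<Serialnumber>{escape(cn)}</Serialnumber>\n" for cn in common_names)
    return f"<SerialnumberList>\n{body}</SerialnumberList>\n"


def parse_whitelist_xml(xml_text):
    """Return the set of CNs in a whitelist file.

    The file is operator-authored and imported from local storage, so the
    standard-library parser is acceptable here. Anything that is not the
    expected root element, or an empty entry, is rejected so that a stray or
    malformed file cannot silently pass as a valid whitelist.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "SerialnumberList":
        raise ValueError(f"unexpected root element {root.tag!r}")
    cns = set()
    for elem in root.findall("Serialnumber"):
        value = (elem.text or "").strip()
        if not value:
            raise ValueError("empty <Serialnumber> entry")
        cns.add(value)
    return cns


def subject_common_name(subject):
    """Extract the CN from an OpenSSL-style "/C=cn/.../CN=name" subject string.

    Assumes no attribute value itself contains "/"; returns None if no CN exists.
    """
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key.strip() == "CN":
            return value
    return None


def peer_allowed(subject, whitelist):
    """Whitelist check: the peer certificate's CN must appear in the whitelist.

    A certificate without a CN is rejected: a whitelist is a default-deny
    control, so an absent attribute must never count as a match.
    """
    cn = subject_common_name(subject)
    return cn is not None and cn in whitelist


def evaluate_branches(subjects=PEER_SUBJECTS, common_names=WHITELISTED_CNS):
    """Round-trip the whitelist through XML and decide each branch's outcome."""
    whitelist = parse_whitelist_xml(build_whitelist_xml(common_names))
    return {name: peer_allowed(subj, whitelist) for name, subj in subjects.items()}


if __name__ == "__main__":
    print(build_whitelist_xml(WHITELISTED_CNS))
    for branch, ok in evaluate_branches().items():
        print(f"{branch}: {'tunnel allowed' if ok else 'rejected by whitelist'}")
```

The result matches the page's verification step: FW_B (CN-Cer-FWB) passes and FW_C (CN-Cer-FWC) is rejected even though both hold certificates from the same CA.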

Procedure

  • Configure FW_A.
    1. Configure IP addresses for interfaces.

      <sysname> system-view
      [sysname] sysname FW_A
      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW_A-GigabitEthernet0/0/1] quit
      [FW_A] interface GigabitEthernet 0/0/3
      [FW_A-GigabitEthernet0/0/3] ip address 10.1.1.1 24
      [FW_A-GigabitEthernet0/0/3] quit

    2. Add interfaces to security zones.

      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_A-zone-trust] quit
      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_A-zone-untrust] quit

    3. Configure inter-zone security policies.

      # Configure inter-zone security policies between the trust zone and untrust zone.

      [FW_A] security-policy
      [FW_A-policy-security] rule name policy1
      [FW_A-policy-security-rule-policy1] source-zone trust
      [FW_A-policy-security-rule-policy1] destination-zone untrust
      [FW_A-policy-security-rule-policy1] source-address 10.1.1.0 24
      [FW_A-policy-security-rule-policy1] destination-address 10.1.0.0 16
      [FW_A-policy-security-rule-policy1] action permit
      [FW_A-policy-security-rule-policy1] quit
      [FW_A-policy-security] rule name policy2
      [FW_A-policy-security-rule-policy2] source-zone untrust
      [FW_A-policy-security-rule-policy2] destination-zone trust
      [FW_A-policy-security-rule-policy2] source-address 10.1.0.0 16
      [FW_A-policy-security-rule-policy2] destination-address 10.1.1.0 24
      [FW_A-policy-security-rule-policy2] action permit
      [FW_A-policy-security-rule-policy2] quit

      # Configure inter-zone security policies between the local zone and untrust zone.

      The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. The policy can match on source and destination addresses, on protocol, or on port. This example matches on source and destination addresses. If you match on protocol or port instead, the policy must permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

      [FW_A-policy-security] rule name policy3
      [FW_A-policy-security-rule-policy3] source-zone local
      [FW_A-policy-security-rule-policy3] destination-zone untrust
      [FW_A-policy-security-rule-policy3] source-address 1.1.1.1 32
      [FW_A-policy-security-rule-policy3] destination-address 2.1.1.1 32
      [FW_A-policy-security-rule-policy3] destination-address 3.1.1.1 32
      [FW_A-policy-security-rule-policy3] action permit
      [FW_A-policy-security-rule-policy3] quit
      [FW_A-policy-security] rule name policy4
      [FW_A-policy-security-rule-policy4] source-zone untrust
      [FW_A-policy-security-rule-policy4] destination-zone local
      [FW_A-policy-security-rule-policy4] source-address 2.1.1.1 32
      [FW_A-policy-security-rule-policy4] source-address 3.1.1.1 32
      [FW_A-policy-security-rule-policy4] destination-address 1.1.1.1 32
      [FW_A-policy-security-rule-policy4] action permit
      [FW_A-policy-security-rule-policy4] quit
      [FW_A-policy-security] quit

    4. Configure a static route to ensure reachable routes between networks. Assume that the next-hop address is 1.1.1.2.

      [FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

    5. Use SCEP to apply for certificates online for FW_A.

      1. Create a 2048-bit RSA key pair named rsa_scep and allow it to be exported from the device.

        [FW_A] pki rsa local-key-pair create rsa_scep exportable
         Info: The name of the new key-pair will be: rsa_scep
         The size of the public key ranges from 2048 to 4096.
         Input the bits in the modules:2048
         Generating key-pairs...
        ..................+++
        .+++   
      2. Configure PKI entity information.

        [FW_A] pki entity user01
        [FW_A-pki-entity-user01] common-name CN-Cer-FWA
        [FW_A-pki-entity-user01] country cn
        [FW_A-pki-entity-user01] ip-address 1.1.1.1
        [FW_A-pki-entity-user01] state beijing
        [FW_A-pki-entity-user01] organization huawei
        [FW_A-pki-entity-user01] organization-unit dev
        [FW_A-pki-entity-user01] quit
      3. Use SCEP to apply for and update certificates online.

        [FW_A] pki realm abc
        # Configure a trusted CA.
        [FW_A-pki-realm-abc] ca id ca_root
        # Configure the PKI entity to be bound.
        [FW_A-pki-realm-abc] entity user01
        # Configure the CA certificate fingerprint, for example, 6330974fb2fe3c52d16bdac40140918b4bcd3ec7.
        [FW_A-pki-realm-abc] fingerprint sha1 6330974fb2fe3c52d16bdac40140918b4bcd3ec7
        # Configure the URL of the certificate to be enrolled and apply for a certificate from the CA.
        [FW_A-pki-realm-abc] enrollment-url http://5.1.1.1:8080/certsrv/mscep/mscep.dll ra
        # Specify an RSA key pair used to apply for a certificate.
        [FW_A-pki-realm-abc] rsa local-key-pair rsa_scep
        # Specify a challenge password. In this example, the challenge password is 6AE73F21E6D3571D.
        [FW_A-pki-realm-abc] password cipher 6AE73F21E6D3571D
        [FW_A-pki-realm-abc] quit
        # Obtain a CA certificate.
        [FW_A] pki get-certificate ca realm abc
         Info: Retrievaling CA/RA certificates,Please wait a while......
         Info: We have received 2 certificates.
         Info: CA certificate fingerprint check OK
         Info: Saving the CA/RA certificate to flash......
         Info: Done.

        The obtained CA certificate is named abc_ca.cer and saved in the device storage medium.

        # Import the CA certificate to the memory.

        [FW_A] pki import-certificate ca filename abc_ca.cer
         The CA's Subject is /CN=ca_root 
         The CA's fingerprint is:
           MD5  fingerprint:1135 25D8 96D3 5936 C382 35EA 2CEE 80EB 
           SHA1 fingerprint:6330 974F B2FE 3C52 D16B DAC4 0140 918B 4BCD 3EC7
         Is the fingerprint correct?(Y/N):y
         Info: Succeeded in importing file.

        # Enable automatic certificate enrollment and update so that, once 60% of the certificate's validity period has elapsed, the certificate is renewed automatically and the RSA key pair is regenerated together with it.

        [FW_A] pki realm abc
        [FW_A-pki-realm-abc] auto-enroll 60 regenerate 2048
        [FW_A-pki-realm-abc] quit

        The device automatically obtains the local certificate abc_local.cer and installs it to the memory.

      4. Import the certificate whitelist to the memory.

        [FW_A] pki import whitelist filename cerwhitelist.xml

    6. Configure an IPSec policy and apply it to an interface.

      # Configure an IPSec proposal.

      [FW_A] ipsec proposal tran1
      [FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_A-ipsec-proposal-tran1] quit

      # Configure an IKE proposal.

      [FW_A] ike proposal 10
      [FW_A-ike-proposal-10] authentication-method rsa-signature
      [FW_A-ike-proposal-10] prf hmac-sha2-256
      [FW_A-ike-proposal-10] encryption-algorithm aes-256
      [FW_A-ike-proposal-10] dh group14
      [FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [FW_A-ike-proposal-10] quit

      # Configure an IKE peer.

      [FW_A] ike peer b
      [FW_A-ike-peer-b] ike-proposal 10
      [FW_A-ike-peer-b] pki realm abc
      [FW_A-ike-peer-b] pki validate-certificate whitelist enable
      [FW_A-ike-peer-b] quit

      # Configure an IPSec policy.

      [FW_A] ipsec policy-template use1 10
      [FW_A-ipsec-policy-templet-use1-10] proposal tran1
      [FW_A-ipsec-policy-templet-use1-10] ike-peer b
      [FW_A-ipsec-policy-templet-use1-10] quit
      [FW_A] ipsec policy map1 10 isakmp template use1

      # Apply the IPSec policy to an interface.

      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ipsec policy map1
      [FW_A-GigabitEthernet0/0/1] quit

  • Configure FW_B.
    1. Configure IP addresses for interfaces.

      <sysname> system-view
      [sysname] sysname FW_B
      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ip address 2.1.1.1 24
      [FW_B-GigabitEthernet0/0/1] quit
      [FW_B] interface GigabitEthernet 0/0/3
      [FW_B-GigabitEthernet0/0/3] ip address 10.1.2.1 24
      [FW_B-GigabitEthernet0/0/3] quit

    2. Add interfaces to security zones.

      [FW_B] firewall zone trust
      [FW_B-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_B-zone-trust] quit
      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_B-zone-untrust] quit

    3. Configure inter-zone security policies.

      # Configure inter-zone security policies between the trust zone and untrust zone.

      [FW_B] security-policy
      [FW_B-policy-security] rule name policy1
      [FW_B-policy-security-rule-policy1] source-zone trust
      [FW_B-policy-security-rule-policy1] destination-zone untrust
      [FW_B-policy-security-rule-policy1] source-address 10.1.2.0 24
      [FW_B-policy-security-rule-policy1] destination-address 10.1.1.0 24
      [FW_B-policy-security-rule-policy1] action permit
      [FW_B-policy-security-rule-policy1] quit
      [FW_B-policy-security] rule name policy2
      [FW_B-policy-security-rule-policy2] source-zone untrust
      [FW_B-policy-security-rule-policy2] destination-zone trust
      [FW_B-policy-security-rule-policy2] source-address 10.1.1.0 24
      [FW_B-policy-security-rule-policy2] destination-address 10.1.2.0 24
      [FW_B-policy-security-rule-policy2] action permit
      [FW_B-policy-security-rule-policy2] quit

      # Configure inter-zone security policies between the local zone and untrust zone.

      The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. The policy can match on source and destination addresses, on protocol, or on port. This example matches on source and destination addresses. If you match on protocol or port instead, the policy must permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

      [FW_B-policy-security] rule name policy3
      [FW_B-policy-security-rule-policy3] source-zone local
      [FW_B-policy-security-rule-policy3] destination-zone untrust
      [FW_B-policy-security-rule-policy3] source-address 2.1.1.1 32
      [FW_B-policy-security-rule-policy3] destination-address 1.1.1.1 32
      [FW_B-policy-security-rule-policy3] action permit
      [FW_B-policy-security-rule-policy3] quit
      [FW_B-policy-security] rule name policy4
      [FW_B-policy-security-rule-policy4] source-zone untrust
      [FW_B-policy-security-rule-policy4] destination-zone local
      [FW_B-policy-security-rule-policy4] source-address 1.1.1.1 32
      [FW_B-policy-security-rule-policy4] destination-address 2.1.1.1 32
      [FW_B-policy-security-rule-policy4] action permit
      [FW_B-policy-security-rule-policy4] quit
      [FW_B-policy-security] quit

    4. Configure a static route to ensure reachable routes between networks. Assume that the next-hop address is 2.1.1.2.

      [FW_B] ip route-static 0.0.0.0 0.0.0.0 2.1.1.2

    5. Use SCEP to apply for certificates online for FW_B.

      1. Create a 2048-bit RSA key pair named rsa_scep_b and allow it to be exported from the device.

        [FW_B] pki rsa local-key-pair create rsa_scep_b exportable
         Info: The name of the new key-pair will be: rsa_scep_b
         The size of the public key ranges from 2048 to 4096.
         Input the bits in the modules:2048
         Generating key-pairs...                                                        
        ..................+++                                                           
        .+++   
      2. Configure PKI entity information.

        [FW_B] pki entity user02
        [FW_B-pki-entity-user02] common-name CN-Cer-FWB
        [FW_B-pki-entity-user02] country cn
        [FW_B-pki-entity-user02] ip-address 2.1.1.1
        [FW_B-pki-entity-user02] state beijing
        [FW_B-pki-entity-user02] organization huawei
        [FW_B-pki-entity-user02] organization-unit dev
        [FW_B-pki-entity-user02] quit
      3. Use SCEP to apply for and update certificates online.

        [FW_B] pki realm b
        # Configure a trusted CA.
        [FW_B-pki-realm-b] ca id ca_root
        # Configure the PKI entity to be bound.
        [FW_B-pki-realm-b] entity user02
        # Configure the CA certificate fingerprint, for example, 6330974fb2fe3c52d16bdac40140918b4bcd3ec7.
        [FW_B-pki-realm-b] fingerprint sha1 6330974fb2fe3c52d16bdac40140918b4bcd3ec7
        # Configure the URL of the certificate to be enrolled and apply for a certificate from the CA.
        [FW_B-pki-realm-b] enrollment-url http://5.1.1.1:8080/certsrv/mscep/mscep.dll ra
        # Specify an RSA key pair used to apply for a certificate.
        [FW_B-pki-realm-b] rsa local-key-pair rsa_scep_b
        # Specify a challenge password. In this example, the challenge password is 6AE73F21E6D3571D.
        [FW_B-pki-realm-b] password cipher 6AE73F21E6D3571D
        [FW_B-pki-realm-b] quit
        # Obtain a CA certificate.
        [FW_B] pki get-certificate ca realm b
         Info: Retrievaling CA/RA certificates,Please wait a while......
         Info: We have received 2 certificates.
         Info: CA certificate fingerprint check OK
         Info: Saving the CA/RA certificate to flash......
         Info: Done.

        The obtained CA certificate is named b_ca.cer and saved in the device storage medium.

        # Import the CA certificate to the memory.

        [FW_B] pki import-certificate ca filename b_ca.cer 
         The CA's Subject is /CN=ca_root 
         The CA's fingerprint is:
           MD5  fingerprint:1135 25D8 96D3 5936 C382 35EA 2CEE 80EB 
           SHA1 fingerprint:6330 974F B2FE 3C52 D16B DAC4 0140 918B 4BCD 3EC7 
         Is the fingerprint correct?(Y/N):y
         Info: Succeeded in importing file.

        # Enable automatic certificate enrollment and update so that, once 60% of the certificate's validity period has elapsed, the certificate is renewed automatically and the RSA key pair is regenerated together with it.

        [FW_B] pki realm b
        [FW_B-pki-realm-b] auto-enroll 60 regenerate 2048
        [FW_B-pki-realm-b] quit

        The device automatically obtains the local certificate b_local.cer and installs it to the memory.

    6. Configure an IPSec policy and apply it to an interface.

      # Define the data flow to be protected.

      [FW_B] acl 3000
      [FW_B-acl-adv-3000] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [FW_B-acl-adv-3000] quit

      # Configure an IPSec proposal.

      [FW_B] ipsec proposal tran1
      [FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_B-ipsec-proposal-tran1] quit

      # Configure an IKE proposal.

      [FW_B] ike proposal 10
      [FW_B-ike-proposal-10] authentication-method rsa-signature
      [FW_B-ike-proposal-10] prf hmac-sha2-256
      [FW_B-ike-proposal-10] encryption-algorithm aes-256
      [FW_B-ike-proposal-10] dh group14
      [FW_B-ike-proposal-10] integrity-algorithm hmac-sha2-256  
      [FW_B-ike-proposal-10] quit

      # Configure an IKE peer. The whitelist check is enabled only on FW_A; the branch simply binds its PKI realm.

      [FW_B] ike peer a 
      [FW_B-ike-peer-a] ike-proposal 10 
      [FW_B-ike-peer-a] remote-address 1.1.1.1 
      [FW_B-ike-peer-a] pki realm b
      [FW_B-ike-peer-a] quit

      # Configure an IPSec policy.

      [FW_B] ipsec policy map1 10 isakmp 
      [FW_B-ipsec-policy-isakmp-map1-10] security acl 3000 
      [FW_B-ipsec-policy-isakmp-map1-10] proposal tran1 
      [FW_B-ipsec-policy-isakmp-map1-10] ike-peer a 
      [FW_B-ipsec-policy-isakmp-map1-10] quit

      # Apply the IPSec policy group map1 to an interface.

      [FW_B] interface GigabitEthernet 0/0/1 
      [FW_B-GigabitEthernet0/0/1] ipsec policy map1
      [FW_B-GigabitEthernet0/0/1] quit

  • Configure FW_C.

    For details, see the configuration of FW_B.

Verification

  1. After the preceding configurations are complete, PC2 can ping PC1 successfully, but PC3 cannot ping PC1.

  2. Run the display ike sa command on FW_A. The output shows that an IKE SA and an IPSec SA have been set up with FW_B.

    <FW_A> display ike sa
    IE SA information :   
        Conn-ID     Peer            VPN   Flag(s)  Phase  RemoteType  RemoteID
      -----------------------------------------------------------------------------
        16777239    2.1.1.1:500           RD|A     v2:2   IP          2.1.1.1
        16777232    2.1.1.1:500           RD|A     v2:1   IP          2.1.1.1
    
      Number of IKE SA : 2 
      -------------------------------------------------------------------------------
                                                                                    
      Flag Description:                                                             
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING 

Configuration Files

  • FW_A configuration file

    #
     sysname FW_A
    #
    pki entity user01
     country CN                                                                     
     state beijing                                                                  
     organization huawei                                                            
     organization-unit dev                                                         
     common-name CN-Cer-FWA
     ip-address 1.1.1.1                                                             
    #
    ipsec proposal tran1                                                            
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     encryption-algorithm aes-256                                                   
     dh group14                                                                      
     authentication-algorithm sha2-256
     authentication-method rsa-signature
     integrity-algorithm hmac-sha2-256    
     prf hmac-sha2-256 
    #
    ike peer b
     ike-proposal 10 
     pki realm abc
     pki validate-certificate whitelist enable
    #
    ipsec policy-template use1 10
     ike-peer b
     proposal tran1
    #
    ipsec policy map1 10 isakmp template use1
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 1.1.1.1 255.255.255.0
     ipsec policy map1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet0/0/1
    #
    ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
    #
    pki realm abc
     ca id ca_root                                                                  
     enrollment-url http://5.1.1.1:8080/certsrv/mscep/mscep.dll ra             
     entity user01                                                                  
     fingerprint sha1 6330974fb2fe3c52d16bdac40140918b4bcd3ec7                      
     rsa local-key-pair rsa_scep                                                    
     password cipher %^%#D=}""x(9%D~E<v0tx4S'WBY!#o9D[,"mnO*s<0xR%^%#
     auto-enroll 60 regenerate
    #
    security-policy
      rule name policy1
        source-zone trust
        destination-zone untrust
        source-address 10.1.1.0 mask 255.255.255.0
        destination-address 10.1.0.0 mask 255.255.0.0
        action permit
      rule name policy2
        source-zone untrust
        destination-zone trust
        source-address 10.1.0.0 mask 255.255.0.0
        destination-address 10.1.1.0 mask 255.255.255.0
        action permit
      rule name policy3
        source-zone local
        destination-zone untrust
        source-address 1.1.1.1 mask 255.255.255.255
        destination-address 2.1.1.1 mask 255.255.255.255
        destination-address 3.1.1.1 mask 255.255.255.255
        action permit
      rule name policy4
        source-zone untrust
        destination-zone local
        source-address 2.1.1.1 mask 255.255.255.255
        source-address 3.1.1.1 mask 255.255.255.255
        destination-address 1.1.1.1 mask 255.255.255.255
        action permit
    #
    return
    
  • FW_B configuration file

    #
     sysname FW_B
    #
    pki entity user02
     country CN
     state beijing
     organization huawei
     organization-unit dev
     common-name CN-Cer-FWB
     ip-address 2.1.1.1
    #
    acl number 3000
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #                                                                               
    ipsec proposal tran1                                                            
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256
    #
    ike proposal 10
      encryption-algorithm aes-256                                                   
      dh group14                                                                      
      authentication-algorithm sha2-256
      authentication-method rsa-signature
      integrity-algorithm hmac-sha2-256                                              
      prf hmac-sha2-256 
    #
    ike peer a
     ike-proposal 10
     remote-address 1.1.1.1 
     pki realm b
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 2.1.1.1 255.255.255.0
     ipsec policy map1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet0/0/1
    #
    ip route-static 0.0.0.0 0.0.0.0 2.1.1.2
    #
    pki realm b
     ca id ca_root                                                                  
     enrollment-url http://5.1.1.1:8080/certsrv/mscep/mscep.dll ra             
     entity user02                                                                  
     fingerprint sha1 6330974fb2fe3c52d16bdac40140918b4bcd3ec7                      
     rsa local-key-pair rsa_scep_b                                                  
     password cipher %^%#D=}""x(9%D~E<v0tx4S'WBY!#o9D[,"mnO*s<0xR%^%#
     auto-enroll 60 regenerate
    #
    security-policy
      rule name policy1
        source-zone trust
        destination-zone untrust
        source-address 10.1.2.0 mask 255.255.255.0
        destination-address 10.1.1.0 mask 255.255.255.0
        action permit
      rule name policy2
        source-zone untrust
        destination-zone trust
        source-address 10.1.1.0 mask 255.255.255.0
        destination-address 10.1.2.0 mask 255.255.255.0
        action permit
      rule name policy3
        source-zone local
        destination-zone untrust
        source-address 2.1.1.1 mask 255.255.255.255
        destination-address 1.1.1.1 mask 255.255.255.255
        action permit
      rule name policy4
        source-zone untrust
        destination-zone local
        source-address 1.1.1.1 mask 255.255.255.255
        destination-address 2.1.1.1 mask 255.255.255.255
        action permit
    #
    return
    
  • FW_C configuration file

    #
     sysname FW_C
    #
    pki entity user02
     country CN
     state beijing
     organization huawei
     organization-unit dev
     common-name CN-Cer-FWC
     ip-address 3.1.1.1
    #
    acl number 3000
     rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #                                                                               
    ipsec proposal tran1                                                            
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256
    #
    ike proposal 10
      encryption-algorithm aes-256                                                   
      dh group14                                                                      
      authentication-algorithm sha2-256
      authentication-method rsa-signature
      integrity-algorithm hmac-sha2-256                                              
      prf hmac-sha2-256 
    #
    ike peer a
     ike-proposal 10
     remote-address 1.1.1.1 
     pki realm b
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 3.1.1.1 255.255.255.0
     ipsec policy map1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.3.1 255.255.255.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet0/0/1
    #
    ip route-static 0.0.0.0 0.0.0.0 3.1.1.2
    #
    pki realm b
     ca id ca_root                                                                  
     enrollment-url http://5.1.1.1:8080/certsrv/mscep/mscep.dll ra             
     entity user02                                                                  
     fingerprint sha1 6330974fb2fe3c52d16bdac40140918b4bcd3ec7                      
     rsa local-key-pair rsa_scep_b                                                  
     password cipher %^%#D=}""x(9%D~E<v0tx4S'WBY!#o9D[,"mnO*s<0xR%^%#
     auto-enroll 60 regenerate
    #
    security-policy
      rule name policy1
        source-zone trust
        destination-zone untrust
        source-address 10.1.3.0 mask 255.255.255.0
        destination-address 10.1.1.0 mask 255.255.255.0
        action permit
      rule name policy2
        source-zone untrust
        destination-zone trust
        source-address 10.1.1.0 mask 255.255.255.0
        destination-address 10.1.3.0 mask 255.255.255.0
        action permit
      rule name policy3
        source-zone local
        destination-zone untrust
        source-address 3.1.1.1 mask 255.255.255.255
        destination-address 1.1.1.1 mask 255.255.255.255
        action permit
      rule name policy4
        source-zone untrust
        destination-zone local
        source-address 1.1.1.1 mask 255.255.255.255
        destination-address 3.1.1.1 mask 255.255.255.255
        action permit
    #
    return
    
Copyright © Huawei Technologies Co., Ltd.