
CLI: Example for Configuring IPSec Tunnels Between the Headquarters and Different Branches Through Certificate Authentication and PSK Authentication

Networking Requirements

A large enterprise has the headquarters and multiple branches. For security purposes, the headquarters and branches establish IPSec tunnels to secure communication between them. Some branches want to use pre-shared key authentication to establish IPSec tunnels with the headquarters, while some branches want to use certificate authentication.

In Figure 1, FW_B in one branch uses pre-shared key authentication to establish an IPSec tunnel with FW_A at the headquarters, and FW_C in another branch uses certificate authentication to establish an IPSec tunnel with FW_A.

Figure 1 Headquarters establishing IPSec tunnels with different branches through certificate authentication and pre-shared key authentication

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses for interfaces and add the interfaces to security zones.
  2. Configure security policies to allow devices on specified network segments of private networks to exchange packets.
  3. Configure static routes to ensure reachable routes between networks.
  4. Configure PKI on FW_A and FW_C to apply for local and CA certificates using SCEP.
  5. Configure IPSec policies on FW_A and FW_C for certificate authentication, and configure IPSec policies on FW_A and FW_B for pre-shared key authentication.

Data Preparation

Obtain the fingerprint of the CA certificate from the CA server. This example uses Windows Server 2008 as the CA server. Assume that the CA server requires a challenge password for certificate enrollment and that the challenge password is 6AE73F21E6D3571D. The challenge password and fingerprint can be obtained at http://5.1.1.1:8080/certsrv/mscep_admin. Assume that the SHA1 fingerprint of the CA certificate is 6330974fb2fe3c52d16bdac40140918b4bcd3ec7 and that the enrollment URL is http://5.1.1.1:8080/certsrv/mscep/mscep.dll. Because SCEP runs over plain HTTP, the fingerprint is the only check the FW has that the CA certificate it downloads is genuine; record it from the CA server itself, not from the certificate the FW later receives.
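The pinned fingerprint is worth computing yourself from a copy of the CA certificate obtained directly from the CA server, so that the value you configure and the value the FW prints at import can be compared with something you control. The following Python script is an added example and is not part of this Huawei page: it hashes the DER encoding of a certificate (PEM or DER input) and renders the MD5 and SHA1 digests in the same grouped upper-case form the FW displays. The embedded PEM is a constructed stand-in (base64 of three bytes), not a real certificate; in practice point load_der at the CA certificate you downloaded.

```python
"""Compute CA certificate fingerprints the way the FW shows them at import.

Added example; the PEM below is a constructed stand-in, not a real certificate."""
import base64
import hashlib
import re
from typing import Dict

# SHA1 fingerprint to pin on the FW (from Data Preparation above).
PINNED_SHA1 = "6330974fb2fe3c52d16bdac40140918b4bcd3ec7"

# Constructed stand-in: base64 of the bytes b"abc", not a real X.509 certificate.
SAMPLE_PEM = b"""-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def load_der(data: bytes) -> bytes:
    """Accept PEM or DER; return the DER bytes, which is what a fingerprint covers."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = [ln for ln in data.decode("ascii").splitlines() if not ln.startswith("-----")]
        return base64.b64decode("".join(body))
    return data


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Lower-case hex digest over the DER encoding (sha1 or md5, as the FW prints)."""
    return hashlib.new(algo, der).hexdigest()


def normalise(fp: str) -> str:
    """Strip spaces, colons and case so display and config forms compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def device_format(hex_fp: str) -> str:
    """Render like the FW: upper-case hex in groups of four."""
    h = normalise(hex_fp).upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def matches(expected: str, der: bytes, algo: str = "sha1") -> bool:
    """True if the certificate's fingerprint equals the expected (pinned) value."""
    return normalise(expected) == fingerprint(der, algo)


def report(data: bytes) -> Dict[str, object]:
    """Both digests in FW display form plus the result of the pin check."""
    der = load_der(data)
    return {
        "md5": device_format(fingerprint(der, "md5")),
        "sha1": device_format(fingerprint(der, "sha1")),
        "matches_pinned": matches(PINNED_SHA1, der),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_PEM).items():
        print(f"{key}: {value}")
```

Compare the SHA1 line with the value you configure under `fingerprint sha1` and with the SHA1 line the FW prints before asking "Is the fingerprint correct?(Y/N)"; answer Y only when all three agree.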

Procedure

  • Configure FW_A.
    1. Configure IP addresses for interfaces.

      <sysname> system-view
      [sysname] sysname FW_A
      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW_A-GigabitEthernet0/0/1] quit
      [FW_A] interface GigabitEthernet 0/0/3
      [FW_A-GigabitEthernet0/0/3] ip address 10.1.1.1 24
      [FW_A-GigabitEthernet0/0/3] quit

    2. Add interfaces to security zones.

      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_A-zone-trust] quit
      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_A-zone-untrust] quit

    3. Configure inter-zone security policies.

      # Configure inter-zone security policies between the trust zone and untrust zone.

      [FW_A] security-policy
      [FW_A-policy-security] rule name policy1
      [FW_A-policy-security-rule-policy1] source-zone trust
      [FW_A-policy-security-rule-policy1] destination-zone untrust
      [FW_A-policy-security-rule-policy1] source-address 10.1.1.0 24
      [FW_A-policy-security-rule-policy1] destination-address 10.1.0.0 16
      [FW_A-policy-security-rule-policy1] action permit
      [FW_A-policy-security-rule-policy1] quit
      [FW_A-policy-security] rule name policy2
      [FW_A-policy-security-rule-policy2] source-zone untrust
      [FW_A-policy-security-rule-policy2] destination-zone trust
      [FW_A-policy-security-rule-policy2] source-address 10.1.0.0 16
      [FW_A-policy-security-rule-policy2] destination-address 10.1.1.0 24
      [FW_A-policy-security-rule-policy2] action permit
      [FW_A-policy-security-rule-policy2] quit

      # Configure inter-zone security policies between the local zone and untrust zone.

      The Local-Untrust inter-zone policy controls whether IKE negotiation packets sent and received by the FW itself are allowed. The rule can match on source and destination addresses, or on protocol and port. This example matches on source and destination addresses only. To match on protocol and port instead, permit ESP (IP protocol 50) and UDP port 500, and also UDP port 4500 in NAT traversal scenarios.

      [FW_A-policy-security] rule name policy3
      [FW_A-policy-security-rule-policy3] source-zone local
      [FW_A-policy-security-rule-policy3] destination-zone untrust
      [FW_A-policy-security-rule-policy3] source-address 1.1.1.1 32
      [FW_A-policy-security-rule-policy3] destination-address 2.1.1.1 32
      [FW_A-policy-security-rule-policy3] destination-address 3.1.1.1 32
      [FW_A-policy-security-rule-policy3] action permit
      [FW_A-policy-security-rule-policy3] quit
      [FW_A-policy-security] rule name policy4
      [FW_A-policy-security-rule-policy4] source-zone untrust
      [FW_A-policy-security-rule-policy4] destination-zone local
      [FW_A-policy-security-rule-policy4] source-address 2.1.1.1 32
      [FW_A-policy-security-rule-policy4] source-address 3.1.1.1 32
      [FW_A-policy-security-rule-policy4] destination-address 1.1.1.1 32
      [FW_A-policy-security-rule-policy4] action permit
      [FW_A-policy-security-rule-policy4] quit
      [FW_A-policy-security] quit

    4. Configure a static route to ensure reachable routes between networks. Assume that the next-hop address is 1.1.1.2.

      [FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

    5. Use SCEP to apply for certificates online for FW_A.

      1. Create a 2048-bit RSA key pair named rsa_scep. The exportable keyword allows the private key to be exported from the device, which is useful for backup but is not required for enrollment; omit it if the key should never leave the device.

        [FW_A] pki rsa local-key-pair create rsa_scep exportable
         Info: The name of the new key-pair will be: rsa_scep
         The size of the public key ranges from 2048 to 4096.
         Input the bits in the modules:2048
         Generating key-pairs...
        ..................+++
        .+++   
      2. Configure PKI entity information.

        [FW_A] pki entity user01
        [FW_A-pki-entity-user01] common-name CN-Cer-FWA
        [FW_A-pki-entity-user01] country cn
        [FW_A-pki-entity-user01] ip-address 1.1.1.1
        [FW_A-pki-entity-user01] state beijing
        [FW_A-pki-entity-user01] organization huawei
        [FW_A-pki-entity-user01] organization-unit dev
        [FW_A-pki-entity-user01] quit
      3. Use SCEP to apply for and update certificates online.

        [FW_A] pki realm abc
        # Configure a trusted CA.
        [FW_A-pki-realm-abc] ca id ca_root
        # Configure the PKI entity to be bound.
        [FW_A-pki-realm-abc] entity user01
        # Configure the CA certificate fingerprint obtained out of band, 6330974fb2fe3c52d16bdac40140918b4bcd3ec7 in this example. The FW discards a downloaded CA certificate whose fingerprint does not match.
        [FW_A-pki-realm-abc] fingerprint sha1 6330974fb2fe3c52d16bdac40140918b4bcd3ec7
        # Configure the URL of the certificate to be enrolled and apply for a certificate from the CA.
        [FW_A-pki-realm-abc] enrollment-url http://5.1.1.1:8080/certsrv/mscep/mscep.dll ra
        # Specify an RSA key pair used to apply for a certificate.
        [FW_A-pki-realm-abc] rsa local-key-pair rsa_scep
        # Specify a challenge password. In this example, the challenge password is 6AE73F21E6D3571D.
        [FW_A-pki-realm-abc] password cipher 6AE73F21E6D3571D
        [FW_A-pki-realm-abc] quit
        # Obtain a CA certificate.
        [FW_A] pki get-certificate ca realm abc
         Info: Retrievaling CA/RA certificates,Please wait a while......
         Info: We have received 2 certificates.
         Info: CA certificate fingerprint check OK
         Info: Saving the CA/RA certificate to flash......
         Info: Done.

        The obtained CA certificate is named abc_ca.cer and saved in the device storage medium.

        # Import the CA certificate to the memory.

        [FW_A] pki import-certificate ca filename abc_ca.cer
         The CA's Subject is /CN=ca_root 
         The CA's fingerprint is:
           MD5  fingerprint:1135 25D8 96D3 5936 C382 35EA 2CEE 80EB 
           SHA1 fingerprint:6330 974F B2FE 3C52 D16B DAC4 0140 918B 4BCD 3EC7
         Is the fingerprint correct?(Y/N):y
         Info: Succeeded in importing file.

        # Enable the automatic certificate enrollment and update function and configure the certificate to be updated automatically and the RSA key pair to be updated together with the certificate when 60% of the validity period passes.

        [FW_A] pki realm abc
        [FW_A-pki-realm-abc] auto-enroll 60 regenerate 2048
        [FW_A-pki-realm-abc] quit

        The device automatically obtains the local certificate abc_local.cer and installs it to the memory.

    6. Configure an IPSec policy and apply it to an interface.

      # Configure an IPSec proposal.

      [FW_A] ipsec proposal tran1
      [FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_A-ipsec-proposal-tran1] quit

      # Configure an IKE proposal.

      [FW_A] ike proposal 10
      [FW_A-ike-proposal-10] authentication-method rsa-signature
      [FW_A-ike-proposal-10] encryption-algorithm aes-256
      [FW_A-ike-proposal-10] dh group14
      [FW_A-ike-proposal-10] quit
      [FW_A] ike proposal 11
      [FW_A-ike-proposal-11] authentication-method pre-share
      [FW_A-ike-proposal-11] encryption-algorithm aes-256
      [FW_A-ike-proposal-11] dh group14
      [FW_A-ike-proposal-11] quit

      # Configure an IKE peer.

      Adaptive mode cannot be configured on this IKE peer.

      Because the headquarters uses an IPSec policy template, it can reference only one IKE peer, and that IKE peer must not reference an IKE proposal. When a branch initiates, the headquarters walks its own IKE proposals from the highest priority (lowest number) downward and uses the first one that matches what the branch offers. Note that with a single IKE peer, every branch that uses pre-shared key authentication must use the same key (Huawei@123 in this example), so a key compromised on one branch device exposes every pre-shared-key branch; certificate authentication avoids this.

      With IKEv2, the IKE proposal a branch sends does not carry the authentication method. If two branches with different authentication methods offer the same algorithms, the headquarters cannot tell which authentication method the branch intends, may select the wrong IKE proposal, and IKE negotiation then fails on both ends. When IKEv2 is used, make sure the algorithm sets in the IKE proposals of different branches differ. In this example, undo version 2 disables IKEv2 on every peer, so IKEv1 is used and the authentication method is part of the proposal match.
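The selection rule above is easy to get wrong when a fleet of branches is added over time. The following Python model is an added example, not code from this page or from Huawei: it mirrors the headquarters' priority-ordered match with the IKEv1/IKEv2 difference described above (IKEv1 compares the authentication method, IKEv2 sees only the algorithms) and flags pairs of branches whose proposals would collide under IKEv2. The IkeProposal fields and the sha2-256 integrity default are assumptions taken from the configuration files shown later on this page.

```python
"""Model of how a policy-template headquarters (no ike-proposal on its IKE peer)
selects an IKE proposal for a branch, and why identical algorithm sets break IKEv2.
Added example; field names are assumptions, not a Huawei API."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IkeProposal:
    number: int          # lower number = higher priority on the device
    auth_method: str     # "pre-share" or "rsa-signature"
    encryption: str
    dh: str
    integrity: str = "sha2-256"  # default shown in the configuration files

    def algorithms(self) -> Tuple[str, str, str]:
        return (self.encryption, self.dh, self.integrity)


# Headquarters proposals from this example: same algorithms, different auth method.
HQ_PROPOSALS: List[IkeProposal] = [
    IkeProposal(10, "rsa-signature", "aes-256", "group14"),
    IkeProposal(11, "pre-share", "aes-256", "group14"),
]

# What each branch offers (from the FW_B and FW_C configurations on this page).
BRANCH_PROPOSALS: Dict[str, IkeProposal] = {
    "FW_B": IkeProposal(10, "pre-share", "aes-256", "group14"),
    "FW_C": IkeProposal(10, "rsa-signature", "aes-256", "group14"),
}


def select_proposal(hq: List[IkeProposal], offer: IkeProposal,
                    ikev2: bool) -> Optional[IkeProposal]:
    """First headquarters proposal, in priority order, that matches the offer.

    IKEv1: the SA payload carries the authentication method, so it is compared.
    IKEv2: the SA payload carries only algorithms, so the first algorithm match wins
    even if its authentication method is not the one the branch will use.
    """
    for candidate in sorted(hq, key=lambda p: p.number):
        if candidate.algorithms() != offer.algorithms():
            continue
        if ikev2 or candidate.auth_method == offer.auth_method:
            return candidate
    return None


def negotiation_succeeds(hq: List[IkeProposal], offer: IkeProposal, ikev2: bool) -> bool:
    """Negotiation only works if the chosen proposal's auth method is the branch's."""
    chosen = select_proposal(hq, offer, ikev2)
    return chosen is not None and chosen.auth_method == offer.auth_method


def ikev2_collisions(branches: Dict[str, IkeProposal]) -> List[Tuple[str, str]]:
    """Pairs of branches the headquarters could not tell apart under IKEv2:
    identical algorithms but different authentication methods."""
    names = sorted(branches)
    pairs: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            pa, pb = branches[a], branches[b]
            if pa.algorithms() == pb.algorithms() and pa.auth_method != pb.auth_method:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    for name, offer in BRANCH_PROPOSALS.items():
        for v2 in (False, True):
            chosen = select_proposal(HQ_PROPOSALS, offer, v2)
            print(f"{name} IKEv{2 if v2 else 1}: HQ picks proposal "
                  f"{chosen.number if chosen else None}, "
                  f"success={negotiation_succeeds(HQ_PROPOSALS, offer, v2)}")
    print("IKEv2 collisions:", ikev2_collisions(BRANCH_PROPOSALS))
```

With the proposals from this page, FW_B succeeds under IKEv1 (proposal 11 matches its pre-share offer) but would fail under IKEv2, because proposal 10 wins on algorithms alone and carries rsa-signature; changing FW_B's algorithm set (for example a different DH group, mirrored in a headquarters pre-share proposal) removes the collision.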

      [FW_A] ike peer b
      [FW_A-ike-peer-b] undo version 2
      [FW_A-ike-peer-b] pre-shared-key Huawei@123
      [FW_A-ike-peer-b] pki realm abc
      [FW_A-ike-peer-b] quit

      # Configure an IPSec policy.

      [FW_A] ipsec policy-template use1 10
      [FW_A-ipsec-policy-templet-use1-10] proposal tran1
      [FW_A-ipsec-policy-templet-use1-10] ike-peer b
      [FW_A-ipsec-policy-templet-use1-10] quit
      [FW_A] ipsec policy map1 10 isakmp template use1

      # Apply the IPSec policy to an interface.

      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ipsec policy map1
      [FW_A-GigabitEthernet0/0/1] quit

  • Configure FW_B.
    1. Configure IP addresses for interfaces.

      <sysname> system-view
      [sysname] sysname FW_B
      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ip address 2.1.1.1 24
      [FW_B-GigabitEthernet0/0/1] quit
      [FW_B] interface GigabitEthernet 0/0/3
      [FW_B-GigabitEthernet0/0/3] ip address 10.1.2.1 24
      [FW_B-GigabitEthernet0/0/3] quit

    2. Add interfaces to security zones.

      [FW_B] firewall zone trust
      [FW_B-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_B-zone-trust] quit
      [FW_B] firewall zone untrust
      [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_B-zone-untrust] quit

    3. Configure inter-zone security policies.

      # Configure inter-zone security policies between the trust zone and untrust zone.

      [FW_B] security-policy
      [FW_B-policy-security] rule name policy1
      [FW_B-policy-security-rule-policy1] source-zone trust
      [FW_B-policy-security-rule-policy1] destination-zone untrust
      [FW_B-policy-security-rule-policy1] source-address 10.1.2.0 24
      [FW_B-policy-security-rule-policy1] destination-address 10.1.1.0 24
      [FW_B-policy-security-rule-policy1] action permit
      [FW_B-policy-security-rule-policy1] quit
      [FW_B-policy-security] rule name policy2
      [FW_B-policy-security-rule-policy2] source-zone untrust
      [FW_B-policy-security-rule-policy2] destination-zone trust
      [FW_B-policy-security-rule-policy2] source-address 10.1.1.0 24
      [FW_B-policy-security-rule-policy2] destination-address 10.1.2.0 24
      [FW_B-policy-security-rule-policy2] action permit
      [FW_B-policy-security-rule-policy2] quit

      # Configure inter-zone security policies between the local zone and untrust zone.

      The Local-Untrust inter-zone policy controls whether IKE negotiation packets sent and received by the FW itself are allowed. The rule can match on source and destination addresses, or on protocol and port. This example matches on source and destination addresses only. To match on protocol and port instead, permit ESP (IP protocol 50) and UDP port 500, and also UDP port 4500 in NAT traversal scenarios.

      [FW_B-policy-security] rule name policy3
      [FW_B-policy-security-rule-policy3] source-zone local
      [FW_B-policy-security-rule-policy3] destination-zone untrust
      [FW_B-policy-security-rule-policy3] source-address 2.1.1.1 32
      [FW_B-policy-security-rule-policy3] destination-address 1.1.1.1 32
      [FW_B-policy-security-rule-policy3] action permit
      [FW_B-policy-security-rule-policy3] quit
      [FW_B-policy-security] rule name policy4
      [FW_B-policy-security-rule-policy4] source-zone untrust
      [FW_B-policy-security-rule-policy4] destination-zone local
      [FW_B-policy-security-rule-policy4] source-address 1.1.1.1 32
      [FW_B-policy-security-rule-policy4] destination-address 2.1.1.1 32
      [FW_B-policy-security-rule-policy4] action permit
      [FW_B-policy-security-rule-policy4] quit
      [FW_B-policy-security] quit

    4. Configure a static route to ensure reachable routes between networks. Assume that the next-hop address is 2.1.1.2.

      [FW_B] ip route-static 0.0.0.0 0.0.0.0 2.1.1.2

    5. Configure an IPSec policy and apply it to an interface.

      # Define the data flow to be protected.

      [FW_B] acl 3000
      [FW_B-acl-adv-3000] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [FW_B-acl-adv-3000] quit

      # Configure an IPSec proposal.

      [FW_B] ipsec proposal tran1
      [FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_B-ipsec-proposal-tran1] quit

      # Configure an IKE proposal.

      [FW_B] ike proposal 10
      [FW_B-ike-proposal-10] authentication-method pre-share
      [FW_B-ike-proposal-10] encryption-algorithm aes-256
      [FW_B-ike-proposal-10] dh group14
      [FW_B-ike-proposal-10] quit

      # Configure an IKE peer.

      [FW_B] ike peer a 
      [FW_B-ike-peer-a] undo version 2
      [FW_B-ike-peer-a] ike-proposal 10 
      [FW_B-ike-peer-a] remote-address 1.1.1.1 
      [FW_B-ike-peer-a] pre-shared-key Huawei@123
      [FW_B-ike-peer-a] quit

      # Configure an IPSec policy.

      [FW_B] ipsec policy map1 10 isakmp 
      [FW_B-ipsec-policy-isakmp-map1-10] security acl 3000 
      [FW_B-ipsec-policy-isakmp-map1-10] proposal tran1 
      [FW_B-ipsec-policy-isakmp-map1-10] ike-peer a 
      [FW_B-ipsec-policy-isakmp-map1-10] quit

      # Apply the IPSec policy group map1 to an interface.

      [FW_B] interface GigabitEthernet 0/0/1 
      [FW_B-GigabitEthernet0/0/1] ipsec policy map1
      [FW_B-GigabitEthernet0/0/1] quit

  • Configure FW_C.
    1. Configure IP addresses for interfaces.

      <sysname> system-view
      [sysname] sysname FW_C
      [FW_C] interface GigabitEthernet 0/0/1
      [FW_C-GigabitEthernet0/0/1] ip address 3.1.1.1 24
      [FW_C-GigabitEthernet0/0/1] quit
      [FW_C] interface GigabitEthernet 0/0/3
      [FW_C-GigabitEthernet0/0/3] ip address 10.1.3.1 24
      [FW_C-GigabitEthernet0/0/3] quit

    2. Add interfaces to security zones.

      [FW_C] firewall zone trust
      [FW_C-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_C-zone-trust] quit
      [FW_C] firewall zone untrust
      [FW_C-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_C-zone-untrust] quit

    3. Configure inter-zone security policies.

      # Configure inter-zone security policies between the trust zone and untrust zone.

      [FW_C] security-policy
      [FW_C-policy-security] rule name policy1
      [FW_C-policy-security-rule-policy1] source-zone trust
      [FW_C-policy-security-rule-policy1] destination-zone untrust
      [FW_C-policy-security-rule-policy1] source-address 10.1.3.0 24
      [FW_C-policy-security-rule-policy1] destination-address 10.1.1.0 24
      [FW_C-policy-security-rule-policy1] action permit
      [FW_C-policy-security-rule-policy1] quit
      [FW_C-policy-security] rule name policy2
      [FW_C-policy-security-rule-policy2] source-zone untrust
      [FW_C-policy-security-rule-policy2] destination-zone trust
      [FW_C-policy-security-rule-policy2] source-address 10.1.1.0 24
      [FW_C-policy-security-rule-policy2] destination-address 10.1.3.0 24
      [FW_C-policy-security-rule-policy2] action permit
      [FW_C-policy-security-rule-policy2] quit

      # Configure inter-zone security policies between the local zone and untrust zone.

      The Local-Untrust inter-zone policy controls whether IKE negotiation packets sent and received by the FW itself are allowed. The rule can match on source and destination addresses, or on protocol and port. This example matches on source and destination addresses only. To match on protocol and port instead, permit ESP (IP protocol 50) and UDP port 500, and also UDP port 4500 in NAT traversal scenarios.

      [FW_C-policy-security] rule name policy3
      [FW_C-policy-security-rule-policy3] source-zone local
      [FW_C-policy-security-rule-policy3] destination-zone untrust
      [FW_C-policy-security-rule-policy3] source-address 3.1.1.1 32
      [FW_C-policy-security-rule-policy3] destination-address 1.1.1.1 32
      [FW_C-policy-security-rule-policy3] action permit
      [FW_C-policy-security-rule-policy3] quit
      [FW_C-policy-security] rule name policy4
      [FW_C-policy-security-rule-policy4] source-zone untrust
      [FW_C-policy-security-rule-policy4] destination-zone local
      [FW_C-policy-security-rule-policy4] source-address 1.1.1.1 32
      [FW_C-policy-security-rule-policy4] destination-address 3.1.1.1 32
      [FW_C-policy-security-rule-policy4] action permit
      [FW_C-policy-security-rule-policy4] quit
      [FW_C-policy-security] quit

    4. Configure a static route to ensure reachable routes between networks. Assume that the next-hop address is 3.1.1.2.

      [FW_C] ip route-static 0.0.0.0 0.0.0.0 3.1.1.2

    5. Use SCEP to apply for certificates online for FW_C.

      1. Create a 2048-bit RSA key pair named rsa_scep_b. The exportable keyword allows the private key to be exported from the device, which is useful for backup but is not required for enrollment; omit it if the key should never leave the device.

        [FW_C] pki rsa local-key-pair create rsa_scep_b exportable
         Info: The name of the new key-pair will be: rsa_scep_b
         The size of the public key ranges from 2048 to 4096.
         Input the bits in the modules:2048
         Generating key-pairs...                                                        
        ..................+++                                                           
        .+++   
      2. Configure PKI entity information.

        [FW_C] pki entity user02
        [FW_C-pki-entity-user02] common-name CN-Cer-FWC
        [FW_C-pki-entity-user02] country cn
        [FW_C-pki-entity-user02] ip-address 3.1.1.1
        [FW_C-pki-entity-user02] state beijing
        [FW_C-pki-entity-user02] organization huawei
        [FW_C-pki-entity-user02] organization-unit dev
        [FW_C-pki-entity-user02] quit
      3. Use SCEP to apply for and update certificates online.

        [FW_C] pki realm b
        # Configure a trusted CA.
        [FW_C-pki-realm-b] ca id ca_root
        # Configure the PKI entity to be bound.
        [FW_C-pki-realm-b] entity user02
        # Configure the CA certificate fingerprint obtained out of band, 6330974fb2fe3c52d16bdac40140918b4bcd3ec7 in this example. The FW discards a downloaded CA certificate whose fingerprint does not match.
        [FW_C-pki-realm-b] fingerprint sha1 6330974fb2fe3c52d16bdac40140918b4bcd3ec7
        # Configure the URL of the certificate to be enrolled and apply for a certificate from the CA.
        [FW_C-pki-realm-b] enrollment-url http://5.1.1.1:8080/certsrv/mscep/mscep.dll ra
        # Specify an RSA key pair used to apply for a certificate.
        [FW_C-pki-realm-b] rsa local-key-pair rsa_scep_b
        # Specify a challenge password. In this example, the challenge password is 6AE73F21E6D3571D.
        [FW_C-pki-realm-b] password cipher 6AE73F21E6D3571D
        [FW_C-pki-realm-b] quit
        # Obtain a CA certificate.
        [FW_C] pki get-certificate ca realm b
         Info: Retrievaling CA/RA certificates,Please wait a while......
         Info: We have received 2 certificates.
         Info: CA certificate fingerprint check OK
         Info: Saving the CA/RA certificate to flash......
         Info: Done.

        The obtained CA certificate is named b_ca.cer and saved in the device storage medium.

        # Import the CA certificate to the memory.

        [FW_C] pki import-certificate ca filename b_ca.cer 
         The CA's Subject is /CN=ca_root 
         The CA's fingerprint is:
           MD5  fingerprint:1135 25D8 96D3 5936 C382 35EA 2CEE 80EB 
           SHA1 fingerprint:6330 974F B2FE 3C52 D16B DAC4 0140 918B 4BCD 3EC7 
         Is the fingerprint correct?(Y/N):y
         Info: Succeeded in importing file.

        # Enable the automatic certificate enrollment and update function and configure the certificate to be updated automatically and the RSA key pair to be updated together with the certificate when 60% of the validity period passes.

        [FW_C] pki realm b
        [FW_C-pki-realm-b] auto-enroll 60 regenerate 2048
        [FW_C-pki-realm-b] quit

        The device automatically obtains the local certificate b_local.cer and installs it to the memory.

    6. Configure an IPSec policy and apply it to an interface.

      # Define the data flow to be protected.

      [FW_C] acl 3000
      [FW_C-acl-adv-3000] rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [FW_C-acl-adv-3000] quit

      # Configure an IPSec proposal.

      [FW_C] ipsec proposal tran1
      [FW_C-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_C-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_C-ipsec-proposal-tran1] quit

      # Configure an IKE proposal.

      [FW_C] ike proposal 10
      [FW_C-ike-proposal-10] authentication-method rsa-signature
      [FW_C-ike-proposal-10] encryption-algorithm aes-256
      [FW_C-ike-proposal-10] dh group14
      [FW_C-ike-proposal-10] quit

      # Configure an IKE peer.

      [FW_C] ike peer a 
      [FW_C-ike-peer-a] undo version 2
      [FW_C-ike-peer-a] ike-proposal 10 
      [FW_C-ike-peer-a] remote-address 1.1.1.1 
      [FW_C-ike-peer-a] pki realm b
      [FW_C-ike-peer-a] quit

      # Configure an IPSec policy.

      [FW_C] ipsec policy map1 10 isakmp 
      [FW_C-ipsec-policy-isakmp-map1-10] security acl 3000 
      [FW_C-ipsec-policy-isakmp-map1-10] proposal tran1 
      [FW_C-ipsec-policy-isakmp-map1-10] ike-peer a 
      [FW_C-ipsec-policy-isakmp-map1-10] quit

      # Apply the IPSec policy group map1 to an interface.

      [FW_C] interface GigabitEthernet 0/0/1 
      [FW_C-GigabitEthernet0/0/1] ipsec policy map1
      [FW_C-GigabitEthernet0/0/1] quit

Verification

  1. After the preceding configurations are complete, PC2 and PC3 can ping PC1 successfully.

  2. Run the display ike sa command on FW_A. The output shows that an IKE SA (phase 1) and an IPSec SA (phase 2) have been set up with each branch.

    <FW_A> display ike sa
    IKE SA information :   
        Conn-ID     Peer            VPN   Flag(s)  Phase  RemoteType  RemoteID
      -----------------------------------------------------------------------------
        16777223    2.1.1.1:500           RD|A     v1:2   IP          2.1.1.1
        16777221    2.1.1.1:500           RD|A     v1:1   IP          2.1.1.1
        16777239    3.1.1.1:500           RD|A     v1:2   IP          3.1.1.1
        16777232    3.1.1.1:500           RD|A     v1:1   IP          3.1.1.1
    
      Number of IKE SA : 2 
      -------------------------------------------------------------------------------
                                                                                    
      Flag Description:                                                             
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING 
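Reading this table by eye works for two branches; for more it helps to parse it. The following Python script is an added example, not part of this page: it parses the display ike sa table, reports for each expected branch whether a READY phase-1 and phase-2 SA exist, and lists any peer that has an SA but is not on the branch list. That last check matters on a policy-template headquarters, which accepts any initiator that authenticates. The sample output is the FW_A output shown above, embedded as a constructed string; the row layout (6 fields, or 7 when the VPN column is filled) is an assumption based on that output.

```python
"""Parse 'display ike sa' output and check that each expected branch has a READY
phase-1 and phase-2 SA, and that no unexpected peer has negotiated.
Added example; the row layout is assumed from the output shown on this page."""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Sequence, Set


class IkeSa(NamedTuple):
    conn_id: int
    peer_ip: str
    peer_port: int
    vpn: Optional[str]
    flags: FrozenSet[str]
    version: int      # 1 or 2
    phase: int        # 1 = IKE SA, 2 = IPSec SA
    remote_type: str
    remote_id: str


PHASE_RE = re.compile(r"^v(\d):(\d)$")

# Constructed sample: the FW_A output shown above.
SAMPLE_OUTPUT = """\
 IKE SA information :
     Conn-ID     Peer            VPN   Flag(s)  Phase  RemoteType  RemoteID
   -----------------------------------------------------------------------------
     16777223    2.1.1.1:500           RD|A     v1:2   IP          2.1.1.1
     16777221    2.1.1.1:500           RD|A     v1:1   IP          2.1.1.1
     16777239    3.1.1.1:500           RD|A     v1:2   IP          3.1.1.1
     16777232    3.1.1.1:500           RD|A     v1:1   IP          3.1.1.1

   Number of IKE SA : 2
"""


def parse_display_ike_sa(text: str) -> List[IkeSa]:
    """One IkeSa per table row; header, separator and footer lines are skipped.
    The VPN column is blank for the public instance, so a row has 6 or 7 fields."""
    sas: List[IkeSa] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue
        if len(fields) == 7:
            conn, peer, vpn, flags, phase, rtype, rid = fields
        elif len(fields) == 6:
            conn, peer, flags, phase, rtype, rid = fields
            vpn = None
        else:
            continue
        m = PHASE_RE.match(phase)
        if not m:
            continue
        ip, _, port = peer.rpartition(":")
        sas.append(IkeSa(int(conn), ip, int(port), vpn, frozenset(flags.split("|")),
                         int(m.group(1)), int(m.group(2)), rtype, rid))
    return sas


def tunnel_status(sas: Sequence[IkeSa],
                  expected_peers: Sequence[str]) -> Dict[str, Dict[str, bool]]:
    """Per expected branch: is there a READY (RD) phase-1 and phase-2 SA?"""
    ready_phases: Dict[str, Set[int]] = defaultdict(set)
    for sa in sas:
        if "RD" in sa.flags:
            ready_phases[sa.peer_ip].add(sa.phase)
    return {
        peer: {
            "phase1": 1 in ready_phases[peer],
            "phase2": 2 in ready_phases[peer],
            "up": {1, 2} <= ready_phases[peer],
        }
        for peer in expected_peers
    }


def unexpected_peers(sas: Sequence[IkeSa], expected_peers: Sequence[str]) -> Set[str]:
    """Peers holding an SA that are not on the branch list; alert on these."""
    return {sa.peer_ip for sa in sas} - set(expected_peers)


if __name__ == "__main__":
    branches = ["2.1.1.1", "3.1.1.1"]
    parsed = parse_display_ike_sa(SAMPLE_OUTPUT)
    for peer, status in tunnel_status(parsed, branches).items():
        print(peer, status)
    print("unexpected peers:", unexpected_peers(parsed, branches))
```

Feed the script the captured output of display ike sa from the headquarters (for example over an SSH session) and keep the expected-peer list in version control alongside the branch addresses used in policy4.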

Configuration Files

  • FW_A configuration file

    #
     sysname FW_A
    #
    pki entity user01
     country CN                                                                     
     state beijing                                                                  
     organization huawei                                                            
     organization-unit dev                                                         
     common-name CN-Cer-FWA
     ip-address 1.1.1.1                                                             
    #
    ipsec proposal tran1                                                            
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     encryption-algorithm aes-256                                                   
     dh group14                                                                      
     authentication-algorithm sha2-256
     authentication-method rsa-signature
    ike proposal 11
     encryption-algorithm aes-256                                                   
     dh group14                                                                      
     authentication-algorithm sha2-256
     authentication-method pre-share
    #
    ike peer b
     undo version 2
     pre-shared-key %^%#5)V/1<<'H)e.h%DJ^:s=zcmlE8fGu4;^lS3Rr|U(%^%#
     pki realm abc
    #
    ipsec policy-template use1 10
     ike-peer b
     proposal tran1
    #
    ipsec policy map1 10 isakmp template use1
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 1.1.1.1 255.255.255.0
     ipsec policy map1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet0/0/1
    #
    ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
    #
    pki realm abc
     ca id ca_root                                                                  
     enrollment-url http://5.1.1.1:8080/certsrv/mscep/mscep.dll ra             
     entity user01                                                                  
     fingerprint sha1 6330974fb2fe3c52d16bdac40140918b4bcd3ec7                      
     rsa local-key-pair rsa_scep                                                    
     password cipher %^%#D=}""x(9%D~E<v0tx4S'WBY!#o9D[,"mnO*s<0xR%^%#
     auto-enroll 60 regenerate
    #
    security-policy
      rule name policy1
        source-zone trust
        destination-zone untrust
        source-address 10.1.1.0 mask 255.255.255.0
        destination-address 10.1.0.0 mask 255.255.0.0
        action permit
      rule name policy2
        source-zone untrust
        destination-zone trust
        source-address 10.1.0.0 mask 255.255.0.0
        destination-address 10.1.1.0 mask 255.255.255.0
        action permit
      rule name policy3
        source-zone local
        destination-zone untrust
        source-address 1.1.1.1 mask 255.255.255.255
        destination-address 2.1.1.1 mask 255.255.255.255
        destination-address 3.1.1.1 mask 255.255.255.255
        action permit
      rule name policy4
        source-zone untrust
        destination-zone local
        source-address 2.1.1.1 mask 255.255.255.255
        source-address 3.1.1.1 mask 255.255.255.255
        destination-address 1.1.1.1 mask 255.255.255.255
        action permit
    #
    return
    
  • FW_B configuration file

    #
     sysname FW_B
    #
    acl number 3000
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #                                                                               
    ipsec proposal tran1                                                            
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256
    #
    ike proposal 10
      encryption-algorithm aes-256                                                   
      dh group14                                                                      
      authentication-algorithm sha2-256
      authentication-method pre-share
    #
    ike peer a
     undo version 2
     ike-proposal 10
     pre-shared-key %^%#5)V/1<<'H)e.h%DJ^:s=zcmlE8fGu4;^lS3Rr|U(%^%#
     remote-address 1.1.1.1 
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 2.1.1.1 255.255.255.0
     ipsec policy map1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet0/0/1
    #
    ip route-static 0.0.0.0 0.0.0.0 2.1.1.2
    #
    security-policy
      rule name policy1
        source-zone trust
        destination-zone untrust
        source-address 10.1.2.0 mask 255.255.255.0
        destination-address 10.1.1.0 mask 255.255.255.0
        action permit
      rule name policy2
        source-zone untrust
        destination-zone trust
        source-address 10.1.1.0 mask 255.255.255.0
        destination-address 10.1.2.0 mask 255.255.255.0
        action permit
      rule name policy3
        source-zone local
        destination-zone untrust
        source-address 2.1.1.1 mask 255.255.255.255
        destination-address 1.1.1.1 mask 255.255.255.255
        action permit
      rule name policy4
        source-zone untrust
        destination-zone local
        source-address 1.1.1.1 mask 255.255.255.255
        destination-address 2.1.1.1 mask 255.255.255.255
        action permit
    #
    return
    
  • FW_C configuration file

    #
     sysname FW_C
    #
    pki entity user02
     country CN
     state beijing
     organization huawei
     organization-unit dev
     common-name CN-Cer-FWC
     ip-address 3.1.1.1
    #
    acl number 3000
     rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #                                                                               
    ipsec proposal tran1                                                            
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256
    #
    ike proposal 10
      encryption-algorithm aes-256                                                   
      dh group14                                                                      
      authentication-algorithm sha2-256
      authentication-method rsa-signature
    #
    ike peer a
     undo version 2
     ike-proposal 10
     remote-address 1.1.1.1 
     pki realm b
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 3.1.1.1 255.255.255.0
     ipsec policy map1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.3.1 255.255.255.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet0/0/1
    #
    ip route-static 0.0.0.0 0.0.0.0 3.1.1.2
    #
    pki realm b
     ca id ca_root                                                                  
     enrollment-url http://5.1.1.1:8080/certsrv/mscep/mscep.dll ra             
     entity user02                                                                  
     fingerprint sha1 6330974fb2fe3c52d16bdac40140918b4bcd3ec7                      
     rsa local-key-pair rsa_scep_b                                                  
     password cipher %^%#D=}""x(9%D~E<v0tx4S'WBY!#o9D[,"mnO*s<0xR%^%#
     auto-enroll 60 regenerate
    #
    security-policy
      rule name policy1
        source-zone trust
        destination-zone untrust
        source-address 10.1.3.0 mask 255.255.255.0
        destination-address 10.1.1.0 mask 255.255.255.0
        action permit
      rule name policy2
        source-zone untrust
        destination-zone trust
        source-address 10.1.1.0 mask 255.255.255.0
        destination-address 10.1.3.0 mask 255.255.255.0
        action permit
      rule name policy3
        source-zone local
        destination-zone untrust
        source-address 3.1.1.1 mask 255.255.255.255
        destination-address 1.1.1.1 mask 255.255.255.255
        action permit
      rule name policy4
        source-zone untrust
        destination-zone local
        source-address 1.1.1.1 mask 255.255.255.255
        destination-address 3.1.1.1 mask 255.255.255.255
        action permit
    #
    return
    
Copyright © Huawei Technologies Co., Ltd.