
CLI: Example for Configuring an IPSec Tunnel Between Two Gateways Through IKE Negotiation (Using Pre-shared Key Authentication)

Networking Requirements

As shown in Figure 1, FW_A connects network A to the Internet and FW_B connects network B to the Internet. The networking requirements are as follows:

  • Network A (10.1.1.0/24) is connected to GigabitEthernet 0/0/3 of FW_A.

  • Network B (10.1.2.0/24) is connected to GigabitEthernet 0/0/3 of FW_B.

  • FW_A and FW_B can reach each other over the Internet.

The purpose of this networking is to set up an IPSec tunnel between FW_A and FW_B to enable communication between users on network A and network B.

Figure 1 Configuring an IPSec tunnel between two gateways through IKE negotiation

Data Plan

  • FW_A

    Interface GigabitEthernet 0/0/3: IP address 10.1.1.1/24, security zone Trust

    Interface GigabitEthernet 0/0/1: IP address 1.1.3.1/24, security zone Untrust

    IPSec configuration: peer IP address 1.1.5.1; authentication type: pre-shared key; pre-shared key: Test!1234; local ID type: IP address; peer ID type: IP address

  • FW_B

    Interface GigabitEthernet 0/0/1: IP address 1.1.5.1/24, security zone Untrust

    Interface GigabitEthernet 0/0/3: IP address 10.1.2.1/24, security zone Trust

    IPSec configuration: peer IP address 1.1.3.1; authentication type: pre-shared key; pre-shared key: Test!1234; local ID type: IP address; peer ID type: IP address

Configuration Roadmap

The roadmap for configuring FW_A is similar to that for configuring FW_B:

  1. Configure interfaces.
  2. Configure security policies to permit packets between specified subnets.
  3. Create a static route to the peer end.
  4. Configure the IPSec policy, including basic IPSec policy information, data flow to be protected by IPSec, and proposal parameters for security association (SA) negotiation.

Procedure

  1. Perform basic configurations on FW_A, including setting the interface IP addresses, adding interfaces to security zones, and configuring interzone security policies and a static route.
    1. Set interface IP addresses.

      1. Set the IP address of GigabitEthernet 0/0/3.

        <sysname> system-view
        [sysname] sysname FW_A
        [FW_A] interface GigabitEthernet 0/0/3
        [FW_A-GigabitEthernet0/0/3] ip address 10.1.1.1 24
        [FW_A-GigabitEthernet0/0/3] quit
      2. Set the IP address of GigabitEthernet 0/0/1.

        [FW_A] interface GigabitEthernet 0/0/1
        [FW_A-GigabitEthernet0/0/1] ip address 1.1.3.1 24
        [FW_A-GigabitEthernet0/0/1] quit

    2. Add interfaces to corresponding security zones.

      1. Add GigabitEthernet 0/0/3 to the Trust zone.

        [FW_A] firewall zone trust
        [FW_A-zone-trust] add interface GigabitEthernet 0/0/3
        [FW_A-zone-trust] quit
      2. Add GigabitEthernet 0/0/1 to the Untrust zone.

        [FW_A] firewall zone untrust
        [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
        [FW_A-zone-untrust] quit

    3. Configure interzone security policies.

      1. Configure the security policies between the Trust and Untrust zones.

        [FW_A] security-policy
        [FW_A-policy-security] rule name policy1
        [FW_A-policy-security-rule-policy1] source-zone trust
        [FW_A-policy-security-rule-policy1] destination-zone untrust
        [FW_A-policy-security-rule-policy1] source-address 10.1.1.0 24
        [FW_A-policy-security-rule-policy1] destination-address 10.1.2.0 24
        [FW_A-policy-security-rule-policy1] action permit
        [FW_A-policy-security-rule-policy1] quit
        [FW_A-policy-security] rule name policy2
        [FW_A-policy-security-rule-policy2] source-zone untrust
        [FW_A-policy-security-rule-policy2] destination-zone trust
        [FW_A-policy-security-rule-policy2] source-address 10.1.2.0 24
        [FW_A-policy-security-rule-policy2] destination-address 10.1.1.0 24
        [FW_A-policy-security-rule-policy2] action permit
        [FW_A-policy-security-rule-policy2] quit
      2. Configure the security policies between the Local and Untrust zones.

        Configure the security policies between the Local and Untrust zones to permit the interzone traffic for the negotiation between the tunnel endpoints.

        The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, the protocol, or the port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition instead, you need to permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

        [FW_A-policy-security] rule name policy3
        [FW_A-policy-security-rule-policy3] source-zone local
        [FW_A-policy-security-rule-policy3] destination-zone untrust
        [FW_A-policy-security-rule-policy3] source-address 1.1.3.1 32
        [FW_A-policy-security-rule-policy3] destination-address 1.1.5.1 32
        [FW_A-policy-security-rule-policy3] action permit
        [FW_A-policy-security-rule-policy3] quit
        [FW_A-policy-security] rule name policy4
        [FW_A-policy-security-rule-policy4] source-zone untrust
        [FW_A-policy-security-rule-policy4] destination-zone local
        [FW_A-policy-security-rule-policy4] source-address 1.1.5.1 32
        [FW_A-policy-security-rule-policy4] destination-address 1.1.3.1 32
        [FW_A-policy-security-rule-policy4] action permit
        [FW_A-policy-security-rule-policy4] quit
        [FW_A-policy-security] quit

    4. Configure a static route to network B. Assume that the next hop of the route is 1.1.3.2.

      [FW_A] ip route-static 10.1.2.0 255.255.255.0 1.1.3.2
      [FW_A] ip route-static 1.1.5.0 255.255.255.0 1.1.3.2

  2. Configure an IPSec policy on FW_A and apply the policy to the corresponding interface.
    1. Configure advanced ACL 3000 to permit the users on network segment 10.1.1.0/24 to access network segment 10.1.2.0/24.

      [FW_A] acl 3000
      [FW_A-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
      [FW_A-acl-adv-3000] quit

      During packet forwarding, the IPSec module is behind the NAT module (NAT server, destination NAT, and source NAT). You need to ensure that the NAT server and destination NAT do not affect the processing of IPSec-protected data flow. The following requirements must be met:

      • Run the display firewall server-map command to check the source and destination IP addresses in the servermap table.

        Ensure that the IPSec-protected data flow does not match the servermap table or reverse servermap table created on the NAT server. Otherwise, destination addresses of packets will be translated.

      • Run the display acl acl-number command to check the ACL information of the destination NAT policy.

        Ensure that the IPSec-protected data flow does not match the destination NAT policy. Otherwise, destination addresses of packets will be translated.

      • Run the display current-configuration configuration policy-nat command to check source NAT policy information.

        Ensure that the IPSec-protected data flow does not match the source NAT policy.

      If NAT is required for the IPSec-protected data flow, the ACL needs to match the post-NAT IP address.

    2. Configure an IPSec proposal using the default parameters.

      [FW_A] ipsec proposal tran1
      [FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_A-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal.

      [FW_A] ike proposal 10
      [FW_A-ike-proposal-10] authentication-method pre-share
      [FW_A-ike-proposal-10] prf hmac-sha2-256
      [FW_A-ike-proposal-10] encryption-algorithm aes-256
      [FW_A-ike-proposal-10] dh group14
      [FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [FW_A-ike-proposal-10] quit

    4. Configure an IKE peer.

      [FW_A] ike peer b
      [FW_A-ike-peer-b] ike-proposal 10
      [FW_A-ike-peer-b] remote-address 1.1.5.1
      [FW_A-ike-peer-b] pre-shared-key Test!1234
      [FW_A-ike-peer-b] quit

    5. Configure an IPSec policy.

      [FW_A] ipsec policy map1 10 isakmp
      [FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
      [FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
      [FW_A-ipsec-policy-isakmp-map1-10] ike-peer b
      [FW_A-ipsec-policy-isakmp-map1-10] quit

    6. Apply IPSec policy map1 to GigabitEthernet 0/0/1.

      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ipsec policy map1
      [FW_A-GigabitEthernet0/0/1] quit

  3. Perform basic configurations on FW_B, including setting the interface IP addresses, adding interfaces to security zones, and configuring interzone security policies and a static route.
    1. Set interface IP addresses.

      1. Configure the IP address of GigabitEthernet 0/0/3.

        <sysname> system-view
        [sysname] sysname FW_B
        [FW_B] interface GigabitEthernet 0/0/3
        [FW_B-GigabitEthernet0/0/3] ip address 10.1.2.1 24
        [FW_B-GigabitEthernet0/0/3] quit
      2. Configure the IP address of GigabitEthernet 0/0/1.

        [FW_B] interface GigabitEthernet 0/0/1
        [FW_B-GigabitEthernet0/0/1] ip address 1.1.5.1 24
        [FW_B-GigabitEthernet0/0/1] quit

    2. Add interfaces to corresponding zones.

      1. Add GigabitEthernet 0/0/3 to the Trust zone.

        [FW_B] firewall zone trust
        [FW_B-zone-trust] add interface GigabitEthernet 0/0/3
        [FW_B-zone-trust] quit
      2. Add GigabitEthernet 0/0/1 to the Untrust zone.

        [FW_B] firewall zone untrust
        [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
        [FW_B-zone-untrust] quit

    3. Configure interzone security policies.

      1. Configure the security policies between the Trust and Untrust zones.

        [FW_B] security-policy
        [FW_B-policy-security] rule name policy1
        [FW_B-policy-security-rule-policy1] source-zone trust
        [FW_B-policy-security-rule-policy1] destination-zone untrust
        [FW_B-policy-security-rule-policy1] source-address 10.1.2.0 24
        [FW_B-policy-security-rule-policy1] destination-address 10.1.1.0 24
        [FW_B-policy-security-rule-policy1] action permit
        [FW_B-policy-security-rule-policy1] quit
        [FW_B-policy-security] rule name policy2
        [FW_B-policy-security-rule-policy2] source-zone untrust
        [FW_B-policy-security-rule-policy2] destination-zone trust
        [FW_B-policy-security-rule-policy2] source-address 10.1.1.0 24
        [FW_B-policy-security-rule-policy2] destination-address 10.1.2.0 24
        [FW_B-policy-security-rule-policy2] action permit
        [FW_B-policy-security-rule-policy2] quit
      2. Configure the security policies between the Local and Untrust zones.

        The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, the protocol, or the port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition instead, you need to permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

        Configure the security policies between the Local and Untrust zones to permit the interzone traffic for the negotiation between the tunnel endpoints.

        [FW_B-policy-security] rule name policy3
        [FW_B-policy-security-rule-policy3] source-zone local
        [FW_B-policy-security-rule-policy3] destination-zone untrust
        [FW_B-policy-security-rule-policy3] source-address 1.1.5.1 32
        [FW_B-policy-security-rule-policy3] destination-address 1.1.3.1 32
        [FW_B-policy-security-rule-policy3] action permit
        [FW_B-policy-security-rule-policy3] quit
        [FW_B-policy-security] rule name policy4
        [FW_B-policy-security-rule-policy4] source-zone untrust
        [FW_B-policy-security-rule-policy4] destination-zone local
        [FW_B-policy-security-rule-policy4] source-address 1.1.3.1 32
        [FW_B-policy-security-rule-policy4] destination-address 1.1.5.1 32
        [FW_B-policy-security-rule-policy4] action permit
        [FW_B-policy-security-rule-policy4] quit
        [FW_B-policy-security] quit

    4. Configure a static route to network A. Assume that the next hop of the route is 1.1.5.2.

      [FW_B] ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
      [FW_B] ip route-static 1.1.3.0 255.255.255.0 1.1.5.2

  4. Configure an IPSec policy on FW_B and apply the policy to the corresponding interface.
    1. Configure advanced ACL 3000 to permit the users on network segment 10.1.2.0/24 to access network segment 10.1.1.0/24.

      [FW_B] acl 3000
      [FW_B-acl-adv-3000] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [FW_B-acl-adv-3000] quit

      During packet forwarding, the IPSec module is behind the NAT module (NAT server, destination NAT, and source NAT). You need to ensure that the NAT server and destination NAT do not affect the processing of IPSec-protected data flow. The following requirements must be met:

      • Run the display firewall server-map command to check the source and destination IP addresses in the servermap table.

        Ensure that the IPSec-protected data flow does not match the servermap table or reverse servermap table created on the NAT server. Otherwise, destination addresses of packets will be translated.

      • Run the display acl acl-number command to check the ACL information of the destination NAT policy.

        Ensure that the IPSec-protected data flow does not match the destination NAT policy. Otherwise, destination addresses of packets will be translated.

      • Run the display current-configuration configuration policy-nat command to check source NAT policy information.

        Ensure that the IPSec-protected data flow does not match the source NAT policy.

      If NAT is required for the IPSec-protected data flow, the ACL needs to match the post-NAT IP address.

    2. Configure an IPSec proposal using the default parameters.

      [FW_B] ipsec proposal tran1
      [FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_B-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal using the default parameters.

      [FW_B] ike proposal 10
      [FW_B-ike-proposal-10] authentication-method pre-share
      [FW_B-ike-proposal-10] prf hmac-sha2-256
      [FW_B-ike-proposal-10] encryption-algorithm aes-256
      [FW_B-ike-proposal-10] dh group14
      [FW_B-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [FW_B-ike-proposal-10] quit

    4. Configure an IKE peer.

      [FW_B] ike peer a
      [FW_B-ike-peer-a] ike-proposal 10
      [FW_B-ike-peer-a] remote-address 1.1.3.1
      [FW_B-ike-peer-a] pre-shared-key Test!1234
      [FW_B-ike-peer-a] quit

    5. Configure an IPSec policy.

      [FW_B] ipsec policy map1 10 isakmp
      [FW_B-ipsec-policy-isakmp-map1-10] security acl 3000
      [FW_B-ipsec-policy-isakmp-map1-10] proposal tran1
      [FW_B-ipsec-policy-isakmp-map1-10] ike-peer a
      [FW_B-ipsec-policy-isakmp-map1-10] quit

    6. Apply IPSec policy map1 to GigabitEthernet 0/0/1.

      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ipsec policy map1
      [FW_B-GigabitEthernet0/0/1] quit

Verification

  1. After the configuration is complete, run the ping command on PC1 to trigger IKE negotiation.

    If the IKE negotiation is successful, a tunnel is established and PC2 can be pinged from PC1. If the IKE negotiation fails, no tunnel is established and PC2 cannot be pinged from PC1.

  2. Run the display ike sa and display ipsec sa commands on both FW_A and FW_B to check SA establishment.

    Take FW_B as an example. If the following information is displayed, the IKE SA and IPSec SA have been established successfully.

    <FW_B> display ike sa
    IKE SA information :   
        Conn-ID     Peer            VPN   Flag(s)  Phase  RemoteType  RemoteID
      -----------------------------------------------------------------------------
        16777239    1.1.3.1:500           RD|ST|A  v2:2   IP          1.1.3.1
        16777232    1.1.3.1:500           RD|ST|A  v2:1   IP          1.1.3.1
    
      Number of IKE SA : 2 
      -------------------------------------------------------------------------------
                                                                                    
      Flag Description:                                                             
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING 
    <FW_B> display ipsec sa
                                                                                    
    ipsec sa information:                                                           
                                                                                    
    ===============================                                                  
    Interface: GigabitEthernet0/0/1     
    ===============================                                                 
                                                                                    
      -----------------------------                                                 
      IPSec policy name: "map1"                                                     
      Sequence number  : 10                                                          
      Acl group        : 3000                                                       
      Acl rule         : 5                                                         
      Mode             : ISAKMP                                                     
      -----------------------------                                                 
        Connection ID     : 83903371                                                
        Encapsulation mode: Tunnel                                                  
        Tunnel local      : 1.1.5.1                                             
        Tunnel remote     : 1.1.3.1                                               
        Flow source       : 10.1.2.2/255.255.255.255 0/0                           
        Flow destination  : 10.1.1.2/255.255.255.255 0/0                           
                                                                                    
        [Outbound ESP SAs]                                                          
          SPI: 763065754 (0x2d7b759a)                                               
          Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128                                
          SA remaining key duration (kilobytes/sec): 0/3079                         
          Max sent sequence-number: 1                                               
          UDP encapsulation used for NAT traversal: N 
          SA encrypted packets (number/kilobytes): 4/0                                
                                                                                    
        [Inbound ESP SAs]                                                           
          SPI: 163241969 (0x9badff1)                                                
          Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128                                
          SA remaining key duration (kilobytes/sec): 0/3079                         
          Max received sequence-number: 3203668                                     
          UDP encapsulation used for NAT traversal: N 
          SA decrypted packets (number/kilobytes): 4/0                          
          Anti-replay : Enable                                                      
          Anti-replay window size: 1024

Configuration Files

  • FW_A configuration file

    #
     sysname FW_A
    #
    acl number 3000
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    #                                                                               
    ipsec proposal tran1                                                            
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256
    #
    ike proposal 10
      encryption-algorithm aes-256                                                   
      dh group14                                                                      
      authentication-algorithm sha2-256                                              
      authentication-method pre-share                                                
      integrity-algorithm hmac-sha2-256                                              
      prf hmac-sha2-256
    #
    ike peer b
      pre-shared-key %@%@'OMi3SPl%@TJdx5uDE(44*I^%@%@
      ike-proposal 10
      remote-address 1.1.5.1
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 1.1.3.1 255.255.255.0
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet0/0/1
    #
     ip route-static 1.1.5.0 255.255.255.0 1.1.3.2
     ip route-static 10.1.2.0 255.255.255.0 1.1.3.2
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.0 mask 255.255.255.0
      destination-address 10.1.2.0 mask 255.255.255.0
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.2.0 mask 255.255.255.0
      destination-address 10.1.1.0 mask 255.255.255.0
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      source-address 1.1.3.1 mask 255.255.255.255
      destination-address 1.1.5.1 mask 255.255.255.255
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      source-address 1.1.5.1 mask 255.255.255.255
      destination-address 1.1.3.1 mask 255.255.255.255
      action permit
    #
    return
  • FW_B configuration file

    #
     sysname FW_B
    #
    acl number 3000
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #                                                                               
    ipsec proposal tran1                                                            
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256
    #
    ike proposal 10
      encryption-algorithm aes-256                                                   
      dh group14                                                                      
      authentication-algorithm sha2-256                                              
      authentication-method pre-share                                                
      integrity-algorithm hmac-sha2-256                                              
      prf hmac-sha2-256 
    #
    ike peer a
     pre-shared-key %@%@W[QD:1tV\'f"!1W&yrX6v$B>%@%@
     ike-proposal 10
     remote-address 1.1.3.1
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 1.1.5.1 255.255.255.0
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet0/0/1
    #
     ip route-static 1.1.3.0 255.255.255.0 1.1.5.2
     ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.2.0 mask 255.255.255.0
      destination-address 10.1.1.0 mask 255.255.255.0
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.1.0 mask 255.255.255.0
      destination-address 10.1.2.0 mask 255.255.255.0
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      source-address 1.1.5.1 mask 255.255.255.255
      destination-address 1.1.3.1 mask 255.255.255.255
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      source-address 1.1.3.1 mask 255.255.255.255
      destination-address 1.1.5.1 mask 255.255.255.255
      action permit
    #
    return
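The two configuration files above must mirror each other exactly, and most failed negotiations come down to one side differing. The following checker is an added example, not part of Huawei's documentation: it parses constructed, abbreviated copies of the FW_A and FW_B files (with the pre-shared key in clear text as typed in the procedure; an exported file stores it in cipher form, so that comparison only applies to the values you typed) and reports whether each remote-address points at the peer's interface that carries the IPSec policy, whether the keys and both proposals agree, and whether the ACL on FW_B is the source/destination mirror of the ACL on FW_A.

```python
import re

# Constructed, abbreviated copies of the FW_A and FW_B configuration files (key in clear text).
TEMPLATE = """\
acl number 3000
 rule 5 permit ip source {src} 0.0.0.255 destination {dst} 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer {peer}
 pre-shared-key Test!1234
 remote-address {remote}
#
interface GigabitEthernet0/0/1
 ip address {local} 255.255.255.0
 ipsec policy map1
#
"""
FW_A_CONF = TEMPLATE.format(src="10.1.1.0", dst="10.1.2.0", peer="b", remote="1.1.5.1", local="1.1.3.1")
FW_B_CONF = TEMPLATE.format(src="10.1.2.0", dst="10.1.1.0", peer="a", remote="1.1.3.1", local="1.1.5.1")

def stanzas(conf):
    """Split a Huawei-style configuration into {header: [setting lines]} at the '#' lines."""
    blocks = [[x.strip() for x in b.splitlines() if x.strip()] for b in conf.split("#\n")]
    return {b[0]: b[1:] for b in blocks if b}

def setting(lines, key):
    """Value that follows `key` in a stanza, or None when the key is absent."""
    for line in lines:
        if line.startswith(key + " "):
            return line[len(key) + 1:]
    return None

def tunnel_params(conf):
    """Pull the settings that must agree (or mirror) between the two tunnel ends."""
    blocks = stanzas(conf)
    first = lambda prefix: next((v for k, v in blocks.items() if k.startswith(prefix)), [])
    ike, ipsec, peer, acl = (first(p) for p in ("ike proposal", "ipsec proposal", "ike peer", "acl number"))
    # The interface that carries `ipsec policy` is the local tunnel endpoint.
    local = next(setting(v, "ip address").split()[0] for k, v in blocks.items()
                 if k.startswith("interface") and setting(v, "ipsec policy"))
    return {
        "local": local,
        "remote": setting(peer, "remote-address"),
        "psk": setting(peer, "pre-shared-key"),
        "proposals": tuple(ike + ipsec),  # every algorithm line of both proposals must match
        "flow": re.search(r"source (\S+ \S+) destination (\S+ \S+)", acl[0]).groups(),
    }

def check_mirror(conf_a, conf_b):
    """List the mismatches between the two ends; an empty list means they are consistent."""
    a, b = tunnel_params(conf_a), tunnel_params(conf_b)
    problems = []
    if a["remote"] != b["local"] or b["remote"] != a["local"]:
        problems.append("remote-address does not point at the peer's IPSec-policy interface")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["proposals"] != b["proposals"]:
        problems.append("IKE or IPSec proposal parameters differ")
    if (a["flow"][1], a["flow"][0]) != b["flow"]:  # B's ACL must swap A's source and destination
        problems.append("protected data flows are not mirror images")
    return problems
```

A non-empty list names the setting to look at first when display ike sa on either firewall shows no SA after the ping from PC1.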
Copyright © Huawei Technologies Co., Ltd.