< Home

CLI: Example for Configuring IPSec Tunnels Between the Headquarters and Branches (When IP Address of the Headquarters Gateway Is Fixed)

Networking Requirements

As shown in Figure 1, the headquarters is connected to two branches (Branch 1 and Branch 2). The networking requirements are as follows:

  • FW_B connects Branch 1 to the Internet, and FW_C connects Branch 2 to the Internet.

  • FW_A and FW_B are reachable to each other; and FW_A and FW_C are reachable to each other.

  • FW_A and FW_B use fixed public IP addresses, and FW_C uses a dynamic public IP address.

The purposes of this networking are as follows:

  • PC 2 and PC 3 in the branches can securely communicate with PC 1 in the headquarters.
  • IPSec tunnels can be set up between FW_A and FW_B, and between FW_A and FW_C. However, FW_B and FW_C cannot establish an IPSec tunnel with each other.
Figure 1 Configuring IPSec tunnels between the headquarters and branches

Data Plan

Item

Data

FW_A

Interface number: GigabitEthernet 0/0/3

IP address: 10.1.1.1/24

Security zone: Trust

Interface number: GigabitEthernet 0/0/1

IP address: 1.1.3.1/24

Security zone: Untrust

IPSec configuration

Peer IP address: The IP address of FW_B is specified, but the IP address of FW_C is not specified.

Authentication type: pre-shared key

Pre-shared key: Test!1234

Local ID type: IP address

Peer ID type: any

FW_B

Interface number: GigabitEthernet 0/0/1

IP address: 1.1.5.1/24

Security zone: Untrust

Interface number: GigabitEthernet 0/0/3

IP address: 10.1.2.1/24

Security zone: Trust

IPSec configuration

Peer IP address: 1.1.3.1

Authentication type: pre-shared key

Pre-shared key: Test!1234

Local ID type: IP address

Peer ID type: IP address

FW_C

Interface number: GigabitEthernet 0/0/1

IP address: dynamic

Security zone: Untrust

Interface number: GigabitEthernet 0/0/3

IP address: 10.1.3.1/24

Security zone: Trust

IPSec configuration

Peer IP address: 1.1.3.1

Authentication type: pre-shared key

Pre-shared key: Test!1234

Local ID type: IP address

Peer ID type: IP address

Configuration Roadmap

The roadmap for configuring FW_A, FW_B, and FW_C is similar:

  1. Configure interfaces and routes, and enable security policies.

  2. Configure the IPSec policy, including basic IPSec policy information, data flow to be protected by IPSec, and proposal parameters for security association (SA) negotiation.

Procedure

  1. Perform basic configurations on FW_A, including setting the interface IP addresses, adding interfaces to security zones, and configuring interzone security policies and a static route.

    1. Set interface IP addresses.

      <sysname> system-view
[sysname] sysname FW_A
[FW_A] interface GigabitEthernet 0/0/3
[FW_A-GigabitEthernet0/0/3] ip address 10.1.1.1 24
[FW_A-GigabitEthernet0/0/3] quit
      [FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ip address 1.1.3.1 24
[FW_A-GigabitEthernet0/0/1] quit

    2. Add interfaces to corresponding security zones.

      [FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 0/0/3
[FW_A-zone-trust] quit
      [FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_A-zone-untrust] quit

    3. Configure the security policies between the Trust and Untrust zones.

      [FW_A] security-policy
[FW_A-policy-security] rule name policy1
[FW_A-policy-security-rule-policy1] source-zone trust
[FW_A-policy-security-rule-policy1] destination-zone untrust
[FW_A-policy-security-rule-policy1] source-address 10.1.1.0 24
[FW_A-policy-security-rule-policy1] destination-address 10.1.2.0 24
[FW_A-policy-security-rule-policy1] destination-address 10.1.3.0 24
[FW_A-policy-security-rule-policy1] action permit
[FW_A-policy-security-rule-policy1] quit
      [FW_A-policy-security] rule name policy2
[FW_A-policy-security-rule-policy2] source-zone untrust
[FW_A-policy-security-rule-policy2] destination-zone trust
[FW_A-policy-security-rule-policy2] source-address 10.1.2.0 24
[FW_A-policy-security-rule-policy2] source-address 10.1.3.0 24
[FW_A-policy-security-rule-policy2] destination-address 10.1.1.0 24
[FW_A-policy-security-rule-policy2] action permit
[FW_A-policy-security-rule-policy2] quit

    4. Configure the security policies between the Local and Untrust zones.

      The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP and port 500 for UDP (port 4500 also in NAT traversal scenarios).

      [FW_A-policy-security] rule name policy3
[FW_A-policy-security-rule-policy3] source-zone local
[FW_A-policy-security-rule-policy3] destination-zone untrust
[FW_A-policy-security-rule-policy3] source-address 1.1.3.1 32
[FW_A-policy-security-rule-policy3] action permit
[FW_A-policy-security-rule-policy3] quit
      [FW_A-policy-security] rule name policy4
[FW_A-policy-security-rule-policy4] source-zone untrust
[FW_A-policy-security-rule-policy4] destination-zone local
[FW_A-policy-security-rule-policy4] destination-address 1.1.3.1 32
[FW_A-policy-security-rule-policy4] action permit
[FW_A-policy-security-rule-policy4] quit
[FW_A-policy-security] quit

      Configure the security policies between the Local and Untrust zones to permit the interzone traffic for the negotiation between the tunnel endpoints.

    5. Configure a static route to reach branches. Assume that the next hop of the route is 1.1.3.2.

      [FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2

  2. Configure an IPSec policy and apply the policy to the corresponding interface on FW_A.
    1. Configure ACLs to define data flows that need to be protected.

      1. Configure advanced ACL 3000 to define the data flow from the headquarters to Branch1.

        [FW_A] acl 3000
[FW_A-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[FW_A-acl-adv-3000] quit

      2. Configure advanced ACL 3001 to define the data flow from the headquarters to Branch2.

        [FW_A] acl 3001
[FW_A-acl-adv-3001] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[FW_A-acl-adv-3001] quit

        During packet forwarding, the IPSec module is behind the NAT module (NAT server, destination NAT, and source NAT). You need to ensure that the NAT server and destination NAT do not affect the processing of IPSec-protected data flow. The following requirements must be met:

        • Run the display firewall server-map command to check the source and destination IP addresses in the servermap table.

          Ensure that the IPSec-protected data flow does not match the servermap table or reverse servermap table created on the NAT server. Otherwise, destination addresses of packets will be translated.

        • Run the display acl acl-number commands to check ACL information of the destination NAT policy.

          Ensure that the IPSec-protected data flow does not match the destination NAT policy. Otherwise, destination addresses of packets will be translated.

        • Run the display current-configuration configuration policy-nat command to check source NAT policy information.

          Ensure that the IPSec-protected data flow does not match the source NAT policy.

        If NAT is required for the IPSec-protected data flow, the ACL needs to match the post-NAT IP address.

    2. Configure an IPSec proposal.

      [FW_A] ipsec proposal tran1
[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_A-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal.

      [FW_A] ike proposal 10
[FW_A-ike-proposal-10] authentication-method pre-share
[FW_A-ike-proposal-10] prf hmac-sha2-256
[FW_A-ike-proposal-10] encryption-algorithm aes-256
[FW_A-ike-proposal-10] dh group14
[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256  
[FW_A-ike-proposal-10] quit

    4. Configure IKE peers.

      1. Configure an IKE peer named b.

        [FW_A] ike peer b
[FW_A-ike-peer-b] ike-proposal 10
[FW_A-ike-peer-b] remote-address 1.1.5.1
[FW_A-ike-peer-b] pre-shared-key Test!1234
[FW_A-ike-peer-b] quit

      2. Configure an IKE peer named c.

        [FW_A] ike peer c
[FW_A-ike-peer-c] ike-proposal 10
[FW_A-ike-peer-c] pre-shared-key Test!1234
[FW_A-ike-peer-c] quit

    5. Configure an IPSec policy numbered 10 in IPSec policy group map1.

      [FW_A] ipsec policy map1 10 isakmp
[FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[FW_A-ipsec-policy-isakmp-map1-10] quit

    6. Configure an IPSec policy template with the name map_temp and number 1.

      [FW_A] ipsec policy-template map_temp 1
[FW_A-ipsec-policy-templet-map_temp-1] security acl 3001
[FW_A-ipsec-policy-templet-map_temp-1] proposal tran1
[FW_A-ipsec-policy-templet-map_temp-1] ike-peer c
[FW_A-ipsec-policy-templet-map_temp-1] quit

    7. Refer to IPSec policy template map_temp in IPSec policy 20 of IPSec policy group map1.

      [FW_A] ipsec policy map1 20 isakmp template map_temp

    8. Apply IPSec policy group map1 to GigabitEthernet 0/0/1.

      [FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ipsec policy map1
[FW_A-GigabitEthernet0/0/1] quit

  3. Perform basic configurations on FW_B.
    1. Set interface IP addresses and add the interfaces to security zones.

      1. Set interface IP addresses.

        <sysname> system-view
[sysname] sysname FW_B
[FW_B] interface GigabitEthernet 0/0/3
[FW_B-GigabitEthernet0/0/3] ip address 10.1.2.1 24
[FW_B-GigabitEthernet0/0/3] quit
        [FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] ip address 1.1.5.1 24
[FW_B-GigabitEthernet0/0/1] quit

      2. Add GigabitEthernet 0/0/3 to the Trust zone and GigabitEthernet 0/0/1 to the Untrust zone.

        [FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 0/0/3
[FW_B-zone-trust] quit
        [FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_B-zone-untrust] quit

    2. Configure interzone security policies.

      1. Configure the security policies between the Trust and Untrust zones.

        [FW_B] security-policy
[FW_B-policy-security] rule name policy1
[FW_B-policy-security-rule-policy1] source-zone trust
[FW_B-policy-security-rule-policy1] destination-zone untrust
[FW_B-policy-security-rule-policy1] source-address 10.1.2.0 24
[FW_B-policy-security-rule-policy1] destination-address 10.1.1.0 24
[FW_B-policy-security-rule-policy1] destination-address 10.1.3.0 24
[FW_B-policy-security-rule-policy1] action permit
[FW_B-policy-security-rule-policy1] quit
        [FW_B-policy-security] rule name policy2
[FW_B-policy-security-rule-policy2] source-zone untrust
[FW_B-policy-security-rule-policy2] destination-zone trust
[FW_B-policy-security-rule-policy2] source-address 10.1.1.0 24
[FW_B-policy-security-rule-policy2] source-address 10.1.3.0 24
[FW_B-policy-security-rule-policy2] destination-address 10.1.2.0 24
[FW_B-policy-security-rule-policy2] action permit
[FW_B-policy-security-rule-policy2] quit

      2. Configure the security policies between the Local and Untrust zones.

        The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP and port 500 for UDP (port 4500 also in NAT traversal scenarios).

        [FW_B-policy-security] rule name policy3
[FW_B-policy-security-rule-policy3] source-zone local
[FW_B-policy-security-rule-policy3] destination-zone untrust
[FW_B-policy-security-rule-policy3] source-address 1.1.5.1 32
[FW_B-policy-security-rule-policy3] destination-address 1.1.3.1 32
[FW_B-policy-security-rule-policy3] action permit
[FW_B-policy-security-rule-policy3] quit
        [FW_B-policy-security] rule name policy4
[FW_B-policy-security-rule-policy4] source-zone untrust
[FW_B-policy-security-rule-policy4] destination-zone local
[FW_B-policy-security-rule-policy4] source-address 1.1.3.1 32
[FW_B-policy-security-rule-policy4] destination-address 1.1.5.1 32
[FW_B-policy-security-rule-policy4] action permit
[FW_B-policy-security-rule-policy4] quit
[FW_B-policy-security] quit

      Configure the security policies between the Local and Untrust zones to permit the interzone traffic for the negotiation between the tunnel endpoints.

    3. Configure a static route to the headquarters and the other branch. Assume that the next hop is 1.1.5.2.

      [FW_B] ip route-static 0.0.0.0 0.0.0.0 1.1.5.2

  4. Configure an IPSec policy and apply the policy to the corresponding interface on FW_B.
    1. Configure an ACL to define data flows that need to be protected.

      [FW_B] acl 3000
[FW_B-acl-adv-3000] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW_B-acl-adv-3000] quit

      During packet forwarding, the IPSec module is behind the NAT module (NAT server, destination NAT, and source NAT). You need to ensure that the NAT server and destination NAT do not affect the processing of IPSec-protected data flow. The following requirements must be met:

      • Run the display firewall server-map command to check the source and destination IP addresses in the servermap table.

        Ensure that the IPSec-protected data flow does not match the servermap table or reverse servermap table created on the NAT server. Otherwise, destination addresses of packets will be translated.

      • Run the display acl acl-number commands to check ACL information of the destination NAT policy.

        Ensure that the IPSec-protected data flow does not match the destination NAT policy. Otherwise, destination addresses of packets will be translated.

      • Run the display current-configuration configuration policy-nat command to check source NAT policy information.

        Ensure that the IPSec-protected data flow does not match the source NAT policy.

      If NAT is required for the IPSec-protected data flow, the ACL needs to match the post-NAT IP address.

    2. Configure an IPSec proposal.

      [FW_B] ipsec proposal tran1
[FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_B-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal.

      [FW_B] ike proposal 10
[FW_B-ike-proposal-10] authentication-method pre-share
[FW_B-ike-proposal-10] prf hmac-sha2-256
[FW_B-ike-proposal-10] encryption-algorithm aes-256
[FW_B-ike-proposal-10] dh group14
[FW_B-ike-proposal-10] integrity-algorithm hmac-sha2-256  
[FW_B-ike-proposal-10] quit

    4. Configure an IKE peer.

      [FW_B] ike peer a
[FW_B-ike-peer-a] ike-proposal 10
[FW_B-ike-peer-a] remote-address 1.1.3.1
[FW_B-ike-peer-a] pre-shared-key Test!1234
[FW_B-ike-peer-a] quit

    5. Configure an IPSec policy with the name map1 and number 10.

      [FW_B] ipsec policy map1 10 isakmp
[FW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[FW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[FW_B-ipsec-policy-isakmp-map1-10] quit

    6. Apply security policy map1 to GigabitEthernet 0/0/1.

      [FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] ipsec policy map1
[FW_B-GigabitEthernet0/0/1] quit

  5. Perform basic configurations on FW_C.
    1. Set interface IP addresses and add them to the corresponding security zones.

      1. Set the IP address of GigabitEthernet 0/0/3 to 10.1.3.1/24, and configure GigabitEthernet 0/0/1 to obtain an IP address dynamically through DHCP.

        <sysname> system-view
[sysname] sysname FW_C
[FW_C] interface GigabitEthernet 0/0/3
[FW_C-GigabitEthernet0/0/3] ip address 10.1.3.1 24
[FW_C-GigabitEthernet0/0/3] quit
        [FW_C] interface GigabitEthernet 0/0/1
[FW_C-GigabitEthernet0/0/1] ip address dhcp-alloc
[FW_C-GigabitEthernet0/0/1] quit

      2. Add GigabitEthernet 0/0/3 to the Trust zone and GigabitEthernet 0/0/1 to the Untrust zone.

        [FW_C] firewall zone trust
[FW_C-zone-trust] add interface GigabitEthernet 0/0/3
[FW_C-zone-trust] quit
        [FW_C] firewall zone untrust
[FW_C-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_C-zone-untrust] quit

    2. Configure interzone security policies.

      1. Configure the security policies between the Trust and Untrust zones.

        [FW_C] security-policy
[FW_C-policy-security] rule name policy1
[FW_C-policy-security-rule-policy1] source-zone trust
[FW_C-policy-security-rule-policy1] destination-zone untrust
[FW_C-policy-security-rule-policy1] source-address 10.1.3.0 24
[FW_C-policy-security-rule-policy1] destination-address 10.1.1.0 24
[FW_C-policy-security-rule-policy1] destination-address 10.1.2.0 24
[FW_C-policy-security-rule-policy1] action permit
[FW_C-policy-security-rule-policy1] quit
        [FW_C-policy-security] rule name policy2
[FW_C-policy-security-rule-policy2] source-zone untrust
[FW_C-policy-security-rule-policy2] destination-zone trust
[FW_C-policy-security-rule-policy2] source-address 10.1.1.0 24
[FW_C-policy-security-rule-policy2] source-address 10.1.2.0 24
[FW_C-policy-security-rule-policy2] destination-address 10.1.3.0 24
[FW_C-policy-security-rule-policy2] action permit
[FW_C-policy-security-rule-policy2] quit

      2. Configure the security policies between the Local and Untrust zones.

        The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP and port 500 for UDP (port 4500 also in NAT traversal scenarios).

        [FW_C-policy-security] rule name policy3
[FW_C-policy-security-rule-policy3] source-zone local
[FW_C-policy-security-rule-policy3] destination-zone untrust
FW_C-policy-security-rule-policy3] destination-address 1.1.3.1 32
[FW_C-policy-security-rule-policy3] action permit
[FW_C-policy-security-rule-policy3] quit
        [FW_C-policy-security] rule name policy4
[FW_C-policy-security-rule-policy4] source-zone untrust
[FW_C-policy-security-rule-policy4] destination-zone local
[FW_C-policy-security-rule-policy4] source-address 1.1.3.1 32
[FW_C-policy-security-rule-policy4] action permit
[FW_C-policy-security-rule-policy4] quit
[FW_C-policy-security] quit

      Configure the security policies between the Local and Untrust zones to permit the interzone traffic for the negotiation between the tunnel endpoints.

    3. Configure a static route to the headquarters and the other branch.

      [FW_C] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/1

  6. Configure an IPSec policy and apply the policy to the corresponding interface on FW_C.
    1. Configure an ACL to define data flows that need to be protected.

      [FW_C] acl 3000
[FW_C-acl-adv-3000] rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW_C-acl-adv-3000] quit

    2. Configure an IPSec proposal.

      [FW_C] ipsec proposal tran1
[FW_C-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_C-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_C-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal.

      [FW_C] ike proposal 10
[FW_C-ike-proposal-10] authentication-method pre-share
[FW_C-ike-proposal-10] prf hmac-sha2-256
[FW_C-ike-proposal-10] encryption-algorithm aes-256
[FW_C-ike-proposal-10] dh group14
[FW_C-ike-proposal-10] integrity-algorithm hmac-sha2-256  
[FW_C-ike-proposal-10] quit

    4. Configure an IKE peer.

      [FW_C] ike peer a
[FW_C-ike-peer-a] ike-proposal 10
[FW_C-ike-peer-a] remote-address 1.1.3.1
[FW_C-ike-peer-a] pre-shared-key Test!1234
[FW_C-ike-peer-a] quit

    5. Configure an IPSec policy with the name map1 and number 10.

      [FW_C] ipsec policy map1 10 isakmp
[FW_C-ipsec-policy-isakmp-map1-10] security acl 3000
[FW_C-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_C-ipsec-policy-isakmp-map1-10] ike-peer a
[FW_C-ipsec-policy-isakmp-map1-10] quit

    6. Apply ISPec policy map1 to GigabitEthernet 0/0/1.

      [FW_C] interface GigabitEthernet 0/0/1
[FW_C-GigabitEthernet0/0/1] ipsec policy map1
[FW_C-GigabitEthernet0/0/1] quit

Verification

  1. On FW_A, you can view two pairs of IKE SAs.

    <FW_A> display ike sa       
IKE SA information :                                                            
    Conn-ID       Peer        VPN   Flag(s)   Phase   RemoteType  RemoteID
  ------------------------------------------------------------------------------
    50336907      1.1.5.1:500       RD|ST|A   v2:2    IP          1.1.5.1
    50336906      1.1.5.1:500       RD|ST|A   v2:1    IP          1.1.5.1
    33554436      1.1.6.254:500     RD|A      v2:2    IP          1.1.6.254
    33554435      1.1.6.254:500     RD|A      v2:1    IP          1.1.6.254

  Number of IKE SA : 4
  ------------------------------------------------------------------------------
                                                                                
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

  2. On FW_B and FW_C, you can view the IKE SAs whose peer ends are the headquarters. The following takes the information displayed on FW_B as an example.

    <FW_B> display ike sa      
IKE SA information :                                                            
    Conn-ID       Peer        VPN   Flag(s)   Phase   RemoteType  RemoteID
  ------------------------------------------------------------------------------
    16782416      1.1.3.1:500       RD|A      v2:2    IP          1.1.3.1
    16782415      1.1.3.1:500       RD|A      v2:1    IP          1.1.3.1

  Number of IKE SA : 2
  ------------------------------------------------------------------------------
                                                                                
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING
  3. On FW_A, you can view two pairs of IPSec SAs, corresponding to FW_B and FW_C respectively.
    <FW_A> display ipsec sa brief
                                                                                
Current ipsec sa num:4
Number of SAs:4
    Src address   Dst address      SPI        VPN  Protocol     Algorithm       
------------------------------------------------------------------------------- 
    1.1.6.254       1.1.3.1       4001819557        ESP      E:AES-256 A:SHA2-256-128
    1.1.5.1         1.1.3.1       3923280450        ESP      E:AES-256 A:SHA2-256-128
    1.1.3.1         1.1.6.254     4249128694        ESP      E:AES-256 A:SHA2-256-128
    1.1.3.1         1.1.5.1       787858613         ESP      E:AES-256 A:SHA2-256-128
  4. On FW_B and FW_C, you can view a pair of reverse IPSec SAs of FW_A. The following takes the information displayed on FW_B as an example.
    <FW_B> display ipsec sa brief
Current ipsec sa num:2                                                          
Number of SAs:2
    Src address   Dst address     SPI      VPN  Protocol     Algorithm       
------------------------------------------------------------------------------- 
     1.1.5.1        1.1.3.1    3923280450         ESP       E:AES-256 A:SHA2-256-128
     1.1.3.1        1.1.5.1    787858613          ESP       E:AES-256 A:SHA2-256-128

Configuration Files

  • FW_A configuration file

    #
 sysname FW_A
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#                                                                               
ipsec proposal tran1                                                            
 esp authentication-algorithm sha2-256                                          
 esp encryption-algorithm aes-256
#
ike proposal 10
  encryption-algorithm aes-256                                                   
  dh group14                                                                      
  authentication-algorithm sha2-256                                              
  authentication-method pre-share                                                
  integrity-algorithm hmac-sha2-256                                              
  prf hmac-sha2-256 
#
ike peer b
  pre-shared-key %$%$c([VET@941t/q_4tS-f7,ri/%$%$
  ike-proposal 10
  remote-address 1.1.5.1
#
ike peer c
  pre-shared-key %$%$d([VET@941t/q_56S-f7,ra/%$%$
  ike-proposal 10
#
ipsec policy-template map_temp 1
 security acl 3001
 ike-peer c
 proposal tran1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer b
 proposal tran1
#
ipsec policy map1 20 isakmp template map_temp
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.3.1 255.255.255.0
 ipsec policy map1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust 
 set priority 5 
 add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
#
security-policy
  rule name policy1
    source-zone trust
    destination-zone untrust
    source-address 10.1.1.0 mask 255.255.255.0
    destination-address 10.1.2.0 mask 255.255.255.0
    destination-address 10.1.3.0 mask 255.255.255.0
    action permit
  rule name policy2
    source-zone untrust
    destination-zone trust
    source-address 10.1.2.0 mask 255.255.255.0
    source-address 10.1.3.0 mask 255.255.255.0
    destination-address 10.1.1.0 mask 255.255.255.0
    action permit
  rule name policy3
    source-zone local
    destination-zone untrust
    source-address 1.1.3.1 mask 255.255.255.255
    action permit
  rule name policy4
    source-zone untrust
    destination-zone local
    destination-address 1.1.3.1 mask 255.255.255.255
    action permit
#
return

  • FW_B configuration file

    #
 sysname FW_B
#
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#                                                                               
ipsec proposal tran1                                                            
 esp authentication-algorithm sha2-256                                          
 esp encryption-algorithm aes-256
#
ike proposal 10
  encryption-algorithm aes-256                                                   
  dh group14                                                                      
  authentication-algorithm sha2-256                                              
  authentication-method pre-share                                                
  integrity-algorithm hmac-sha2-256                                              
  prf hmac-sha2-256 
#
ike peer a
 pre-shared-key %@%@TI"2Gr[*D9KS1Z0-#3v'xT;d%@%@
 ike-proposal 10
 remote-address 1.1.3.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.5.1 255.255.255.0
 ipsec policy map1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust 
 set priority 5 
 add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.5.2
#
security-policy
  rule name policy1
    source-zone trust
    destination-zone untrust
    source-address 10.1.2.0 mask 255.255.255.0
    destination-address 10.1.1.0 mask 255.255.255.0
    destination-address 10.1.3.0 mask 255.255.255.0
    action permit
  rule name policy2
    source-zone untrust
    destination-zone trust
    source-address 10.1.1.0 mask 255.255.255.0
    source-address 10.1.3.0 mask 255.255.255.0
    destination-address 10.1.2.0 mask 255.255.255.0
    action permit
  rule name policy3
    source-zone local
    destination-zone untrust
    source-address 1.1.5.1 mask 255.255.255.255
    destination-address 1.1.3.1 mask 255.255.255.255
    action permit
  rule name policy4
    source-zone untrust
    destination-zone local
    source-address 1.1.3.1 mask 255.255.255.255
    destination-address 1.1.5.1 mask 255.255.255.255
    action permit
#
return

  • FW_C configuration file

    #
 sysname FW_C
#
acl number 3000
 rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#                                                                               
ipsec proposal tran1                                                            
 esp authentication-algorithm sha2-256                                          
 esp encryption-algorithm aes-256
#
ike proposal 10
  encryption-algorithm aes-256                                                   
  dh group14                                                                      
  authentication-algorithm sha2-256                                              
  authentication-method pre-share                                                
  integrity-algorithm hmac-sha2-256                                              
  prf hmac-sha2-256 
#
ike peer a
 pre-shared-key %@%@8O:JW`kDBG.O9Y(h6>YK\=,T%@%@
 ike-proposal 10
 remote-address 1.1.3.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address dhcp-alloc
 ipsec policy map1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust 
 set priority 5 
 add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1
#
security-policy
  rule name policy1
    source-zone trust
    destination-zone untrust
    source-address 10.1.3.0 mask 255.255.255.0
    destination-address 10.1.1.0 mask 255.255.255.0
    destination-address 10.1.2.0 mask 255.255.255.0
    action permit
  rule name policy2
    source-zone untrust
    destination-zone trust
    source-address 10.1.1.0 mask 255.255.255.0
    source-address 10.1.2.0 mask 255.255.255.0
    destination-address 10.1.3.0 mask 255.255.255.0
    action permit
  rule name policy3
    source-zone local
    destination-zone untrust
    destination-address 1.1.3.1 mask 255.255.255.255
    action permit
  rule name policy4
    source-zone untrust
    destination-zone local
    source-address 1.1.3.1 mask 255.255.255.255
    action permit
#
return
Parent Topic: IPSec
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >