< Home

CLI: Example for Configuring an IPSec Tunnel Through IKE Negotiation When a NAT Device Exists Between Two Gateways (the Headquarters Authenticate Branches by Pre-NAT IP Address)

Networking Requirement

The network environment of Figure 1 is as follows:

  • The headquarters network (10.1.1.0/24) is connected to FW_A through interface GigabitEthernet 0/0/1.

  • The branch network (10.1.2.0/24) is connected to FW_C through interface GigabitEthernet 0/0/1.

  • FW_A and FW_C are reachable to each other.

  • FW_B serves as the NAT gateway. Branch users must access the headquarters network through FW_B.

The information obtained from the headquarters server is confidential and therefore cannot be transmitted on the Internet. Therefore, an IPSec tunnel is required for data encryption when the branch employees access the headquarters server.

Figure 1 Configuring IPSec NAT traversal

Data Plan

Item

Data

FW_A

Interface number: GigabitEthernet 0/0/1

IP address: 10.1.1.1/24

Security zone: Trust

FW_A

Interface number: GigabitEthernet 0/0/2

IP address: 1.1.2.1/24

Security zone: Untrust

FW_A

IPSec configuration

Peer IP address: 1.1.5.1

Authentication type: pre-shared key

Pre-shared key: Test!1234

Local ID type: IP address

Peer ID type: IP address

Peer ID: 10.1.5.2

FW_B

Interface number: GigabitEthernet 0/0/1

IP address: 1.1.5.1/24

Security zone: Untrust

FW_B

Interface: GigabitEthernet 0/0/2

IP address: 10.1.5.1/24

Security zone: Trust

FW_B

NAT configuration

Easy IP

FW_C

Interface number: GigabitEthernet 0/0/1

IP address: 10.1.2.1/24

Security zone: Trust

FW_C

Interface number: GigabitEthernet 0/0/2

IP address: 10.1.5.2/24

Security zone: Untrust

FW_C

IPSec configuration

Peer IP address: 1.1.2.1

Authentication type: pre-shared key

Pre-shared key: Test!1234

Local ID type: IP address

Peer ID type: IP address

Local ID: 10.1.5.2

Configuration Roadmap

  • If a NAT device exists between the headquarters and the branch gateways, configure an IPSec policy in ISAKMP mode at the headquarters. Specify the Preā€”NAT IP address as the peer ID when you configure the IKE peer.

  • When configuring an IPSec proposal, you must use Encapsulation Security Payload (ESP). ESP is the default security protocol and therefore requires no configuration.

Procedure

  1. Perform basic configurations on FW_A.
    1. Perform basic configurations.

      1. Set interface IP addresses.

        <sysname> system-view
[sysname] sysname FW_A
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[FW_A-GigabitEthernet0/0/1] quit
        [FW_A] interface GigabitEthernet 0/0/2
[FW_A-GigabitEthernet0/0/2] ip address 1.1.2.1 24
[FW_A-GigabitEthernet0/0/2] quit

      2. Add interfaces to corresponding security zones.

        [FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 0/0/1
[FW_A-zone-trust] quit
        [FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 0/0/2
[FW_A-zone-untrust] quit

    2. Configure interzone security policies.

      1. Configure the security policies between the Trust and Untrust zones.

        [FW_A] security-policy
[FW_A-policy-security] rule name policy1
[FW_A-policy-security-rule-policy1] source-zone trust
[FW_A-policy-security-rule-policy1] destination-zone untrust
[FW_A-policy-security-rule-policy1] source-address 10.1.1.0 24
[FW_A-policy-security-rule-policy1] destination-address 10.1.2.0 24
[FW_A-policy-security-rule-policy1] action permit
[FW_A-policy-security-rule-policy1] quit
        [FW_A-policy-security] rule name policy2
[FW_A-policy-security-rule-policy2] source-zone untrust
[FW_A-policy-security-rule-policy2] destination-zone trust
[FW_A-policy-security-rule-policy2] source-address 10.1.2.0 24
[FW_A-policy-security-rule-policy2] destination-address 10.1.1.0 24
[FW_A-policy-security-rule-policy2] action permit
[FW_A-policy-security-rule-policy2] quit

      2. Configure the security policies between the Local and Untrust zones.

        The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP and port 500 for UDP (port 4500 also in NAT traversal scenarios).

        [FW_A-policy-security] rule name policy3
[FW_A-policy-security-rule-policy3] source-zone local
[FW_A-policy-security-rule-policy3] destination-zone untrust
[FW_A-policy-security-rule-policy3] source-address 1.1.2.1 32
[FW_A-policy-security-rule-policy3] destination-address 1.1.5.1 32
[FW_A-policy-security-rule-policy3] action permit
[FW_A-policy-security-rule-policy3] quit
        [FW_A-policy-security] rule name policy4
[FW_A-policy-security-rule-policy4] source-zone untrust
[FW_A-policy-security-rule-policy4] destination-zone local
[FW_A-policy-security-rule-policy4] source-address 1.1.5.1 32
[FW_A-policy-security-rule-policy4] destination-address 1.1.2.1 32
[FW_A-policy-security-rule-policy4] action permit
[FW_A-policy-security-rule-policy4] quit
[FW_A-policy-security] quit

      Configuring security policies between the Local and Untrust zones enables the devices at both ends of the IPSec tunnel to communicate so that the devices can perform tunnel negotiation.

    3. Configure a static route to the branch. Assume that the next hop of the route is 1.1.2.2.

      [FW_A] ip route-static 10.1.2.0 255.255.255.0 1.1.2.2
[FW_A] ip route-static 10.1.5.0 255.255.255.0 1.1.2.2

  2. Configure IPSec on FW_A.
    1. Configure an ACL to define the data flow to be protected.

      [FW_A] acl 3000
[FW_A-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[FW_A-acl-adv-3000] quit

    2. Configure an IPSec proposal using the default parameters.

      [FW_A] ipsec proposal tran1
[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_A-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal.

      [FW_A] ike proposal 10
[FW_A-ike-proposal-10] authentication-method pre-share
[FW_A-ike-proposal-10] prf hmac-sha2-256
[FW_A-ike-proposal-10] encryption-algorithm aes-256
[FW_A-ike-proposal-10] dh group14
[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256  
[FW_A-ike-proposal-10] quit

    4. Configure an IKE peer.

      [FW_A] ike peer c
[FW_A-ike-peer-c] ike-proposal 10
[FW_A-ike-peer-c] local-id-type ip
[FW_A-ike-peer-c] remote-id-type ip
[FW_A-ike-peer-c] remote-id 10.1.5.2
[FW_A-ike-peer-c] remote-address authentication-address 10.1.5.2
[FW_A-ike-peer-c] pre-shared-key Test!1234
[FW_A-ike-peer-c] quit

    5. Configure an IPSec policy.

      [FW_A] ipsec policy map1 10 isakmp
[FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_A-ipsec-policy-isakmp-map1-10] ike-peer c
[FW_A-ipsec-policy-isakmp-map1-10] quit

    6. Apply IPSec policy map1 to GigabitEthernet 0/0/2.

      [FW_A] interface GigabitEthernet 0/0/2
[FW_A-GigabitEthernet0/0/2] ipsec policy map1
[FW_A-GigabitEthernet0/0/2] quit

  3. Perform basic configurations on FW_C.
    1. Set interface IP addresses and add the interfaces to security zones.

      Set interface IP addresses according to Figure 1.

      Add GigabitEthernet 0/0/1 to the Trust zone and GigabitEthernet 0/0/2 to the Untrust zone.

      For details, see the configuration of FW_A.

    2. Configure interzone security policies.

      1. Configure the security policies between the Trust and Untrust zones.

        [FW_C] security-policy
[FW_C-policy-security] rule name policy1
[FW_C-policy-security-rule-policy1] source-zone trust
[FW_C-policy-security-rule-policy1] destination-zone untrust
[FW_C-policy-security-rule-policy1] source-address 10.1.2.0 24
[FW_C-policy-security-rule-policy1] destination-address 10.1.1.0 24
[FW_C-policy-security-rule-policy1] action permit
[FW_C-policy-security-rule-policy1] quit
        [FW_C-policy-security] rule name policy2
[FW_C-policy-security-rule-policy2] source-zone untrust
[FW_C-policy-security-rule-policy2] destination-zone trust
[FW_C-policy-security-rule-policy2] source-address 10.1.1.0 24
[FW_C-policy-security-rule-policy2] destination-address 10.1.2.0 24
[FW_C-policy-security-rule-policy2] action permit
[FW_C-policy-security-rule-policy2] quit

      2. Configure the security policies between the Local and Untrust zones.

        The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP and port 500 for UDP (port 4500 also in NAT traversal scenarios).

        [FW_C-policy-security] rule name policy3
[FW_C-policy-security-rule-policy3] source-zone local
[FW_C-policy-security-rule-policy3] destination-zone untrust
[FW_C-policy-security-rule-policy3] source-address 10.1.5.2 32
[FW_C-policy-security-rule-policy3] destination-address 1.1.2.1 32
[FW_C-policy-security-rule-policy3] action permit
[FW_C-policy-security-rule-policy3] quit
        [FW_C-policy-security] rule name policy4
[FW_C-policy-security-rule-policy4] source-zone untrust
[FW_C-policy-security-rule-policy4] destination-zone local
[FW_C-policy-security-rule-policy4] source-address 1.1.2.1 32
[FW_C-policy-security-rule-policy4] destination-address 10.1.5.2 32
[FW_C-policy-security-rule-policy4] action permit
[FW_C-policy-security-rule-policy4] quit
[FW_C-policy-security] quit

      Configuring security policies between the Local and Untrust zones enables the devices at both ends of the IPSec tunnel to communicate so that the devices can perform tunnel negotiation.

    3. Configure a static route to the headquarters network. Assume that the next hop of the route is 10.1.5.1.

      [FW_C] ip route-static 10.1.1.0 255.255.255.0 10.1.5.1
[FW_C] ip route-static 1.1.2.0 255.255.255.0 10.1.5.1

  4. Configure IPSec on FW_C.
    1. Configure an ACL to define the data flow to be protected.

      [FW_C] acl 3000
[FW_C-acl-adv-3000] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW_C-acl-adv-3000] quit

    2. Configure an IPSec proposal using the default parameters.

      [FW_C] ipsec proposal tran1
[FW_C-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_C-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_C-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal.

      [FW_C] ike proposal 10
[FW_C-ike-proposal-10] authentication-method pre-share
[FW_C-ike-proposal-10] prf hmac-sha2-256
[FW_C-ike-proposal-10] encryption-algorithm aes-256
[FW_C-ike-proposal-10] dh group14
[FW_C-ike-proposal-10] integrity-algorithm hmac-sha2-256  
[FW_C-ike-proposal-10] quit

    4. Configure an IKE peer.

      [FW_C] ike peer a
[FW_C-ike-peer-a] ike-proposal 10
[FW_C-ike-peer-a] local-id-type ip
[FW_C-ike-peer-a] remote-id-type ip
[FW_C-ike-peer-a] local-id 10.1.5.2
[FW_C-ike-peer-a] remote-address 1.1.2.1
[FW_C-ike-peer-a] pre-shared-key Test!1234
[FW_C-ike-peer-a] quit

    5. Configure an IPSec policy.

      [FW_C] ipsec policy map1 10 isakmp
[FW_C-ipsec-policy-isakmp-map1-10] security acl 3000
[FW_C-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_C-ipsec-policy-isakmp-map1-10] ike-peer a
[FW_C-ipsec-policy-isakmp-map1-10] quit

    6. Apply IPSec policy map1 to GigabitEthernet 0/0/2.

      [FW_C] interface GigabitEthernet 0/0/2
[FW_C-GigabitEthernet0/0/2] ipsec policy map1
[FW_C-GigabitEthernet0/0/2] quit

  5. Configure FW_B (NAT gateway).
    1. Perform basic configurations.

      Set interface IP address according to the data in Figure 1.

      Add GigabitEthernet 0/0/1 to the Untrust zone, and GigabitEthernet 0/0/2 to the Trust zone.

      For details, see the configuration of FW_A.

    2. Configure interzone security policies.

      [FW_B] security-policy
[FW_B-policy-security] rule name policy1
[FW_B-policy-security-rule-policy1] source-zone trust
[FW_B-policy-security-rule-policy1] destination-zone untrust
[FW_B-policy-security-rule-policy1] source-address 10.1.5.2 32
[FW_B-policy-security-rule-policy1] destination-address 1.1.2.1 32
[FW_B-policy-security-rule-policy1] action permit
[FW_B-policy-security-rule-policy1] quit
      [FW_B-policy-security] rule name policy2
[FW_B-policy-security-rule-policy2] source-zone untrust
[FW_B-policy-security-rule-policy2] destination-zone trust
[FW_B-policy-security-rule-policy2] source-address 1.1.2.1 32
[FW_B-policy-security-rule-policy2] destination-address 10.1.5.2 32
[FW_B-policy-security-rule-policy2] action permit
[FW_B-policy-security-rule-policy2] quit
[FW_B-policy-security] quit

    3. Configure NAT.

      [FW_B] nat-policy
[FW_B-policy-nat] rule name policy_nat1
[FW_B-policy-nat-rule-policy_nat1] source-zone trust
[FW_B-policy-nat-rule-policy_nat1] destination-zone untrust
[FW_B-policy-nat-rule-policy_nat1] source-address 10.1.5.0 24
[FW_B-policy-nat-rule-policy_nat1] action source-nat easy-ip
[FW_B-policy-nat-rule-policy_nat1] quit
[FW_B-policy-nat] quit

    4. Configure a static route to the branch network.

      [FW_B] ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
[FW_B] ip route-static 10.1.2.0 255.255.255.0 10.1.5.2

Verification

  1. After the configuration is complete, access PC1 from PC2. PC1 and PC2 can access each other. PC2 can access the Internet.

  2. PC2 can ping 1.1.2.1 of FW_A. You can view session entries translated using NAT on FW_B.

    <FW_B> display firewall session table
  Current Total Sessions : 2
  udp  VPN:public --> public 10.1.5.2:500[1.1.5.1:2048]-->1.1.2.1:500
  udp  VPN:public --> public 10.1.5.2:4500[1.1.5.1:2048]-->1.1.2.1:4500

  3. On FW_A at the headquarters, you can view two pairs of IKE SAs.

    <FW_A> display ike sa       
IKE SA information :   
    Conn-ID     Peer            VPN   Flag(s)  Phase  RemoteType  RemoteID
  -----------------------------------------------------------------------------
    83887864    1.1.5.1:500           RD|A     v2:2   IP          1.1.5.1
    83887652    1.1.5.1:500           RD|A     v2:1   IP          1.1.5.1

  Number of IKE SA : 2 
  -------------------------------------------------------------------------------
                                                                                
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

  4. On FW_C, you can view the IKE SA of the headquarters. FW_C is the initiator and the flag bit is ST.

    <FW_C> display ike sa
IKE SA information :   
    Conn-ID     Peer            VPN   Flag(s)  Phase  RemoteType  RemoteID
  -----------------------------------------------------------------------------
    62887864    1.1.2.1:500           RD|ST|A  v2:2   IP          1.1.2.1
    62887652    1.1.2.1:500           RD|ST|A  v2:1   IP          1.1.2.1

  Number of IKE SA : 2 
  -------------------------------------------------------------------------------
                                                                                
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING
  5. On FW_A at the headquarters, you can view a pair of IPSec SAs corresponding to FW_C.
    <FW_A> display ipsec sa brief 
Current ipsec sa num:2

Spu board slot 1, cpu 1 ipsec sa information:                                   
Number of SAs:2                                                              
    Src address   Dst address      SPI        VPN  Protocol     Algorithm       
------------------------------------------------------------------------------- 
    1.1.2.1         1.1.5.1       3923280450        ESP      E:AES-256 A:SHA2_256_128 
    1.1.5.1         1.1.2.1       2676437093        ESP      E:AES-256 A:SHA2_256_128
  6. On FW_C, you can view a pair of IPSec SAs.
    <FW_C> display ipsec sa brief 
Current ipsec sa num:2

Spu board slot 1, cpu 1 ipsec sa information:                                   
Number of SAs:2                                                              
    Src address   Dst address      SPI        VPN  Protocol     Algorithm       
------------------------------------------------------------------------------- 
    10.1.5.2         1.1.2.1       2179965693      ESP     E:AES-256 A:SHA2_256_128
    1.1.2.1         10.1.5.2       3813759530      ESP     E:AES-256 A:SHA2_256_128

Configuration Files

  • FW_A configuration file

    #
 sysname FW_A
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1                                                            
 esp authentication-algorithm sha2-256                                          
 esp encryption-algorithm aes-256   
#
ike proposal 10
  encryption-algorithm aes-256                                                   
  dh group14                                                                      
  authentication-algorithm sha2-256                                              
  authentication-method pre-share                                                
  integrity-algorithm hmac-sha2-256                                              
  prf hmac-sha2-256 
#
ike peer c
 pre-shared-key %^%#sV}u~Bv#IC/$qZ*D*"0~+0n4%^%#
 ike-proposal 10
 local-id-type ip
 remote-id-type ip
 remote-id 10.1.5.2
 remote-address authentication-address 10.1.5.2
#                                                                               
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer c
 proposal tran1
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 1.1.2.1 255.255.255.0
 ipsec policy map1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust 
 set priority 5 
 add interface GigabitEthernet0/0/2
#
ip route-static 10.1.2.0 255.255.255.0 1.1.2.2
ip route-static 10.1.5.0 255.255.255.0 1.1.2.2
#
security-policy
  rule name policy1
    source-zone trust
    destination-zone untrust
    source-address 10.1.1.0 24
    destination-address 10.1.2.0 24
    action permit
  rule name policy2
    source-zone untrust
    destination-zone trust
    source-address 10.1.2.0 24
    destination-address 10.1.1.0 24
    action permit
  rule name policy3
    source-zone local
    destination-zone untrust
    source-address 1.1.2.1 32
    destination-address 1.1.5.1 32
    action permit
  rule name policy4
    source-zone untrust
    destination-zone local
    source-address 1.1.5.1 32
    destination-address 1.1.2.1 32
    action permit
#
return

  • FW_C configuration file

    #
 sysname FW_C
#
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1                                                            
 esp authentication-algorithm sha2-256                                          
 esp encryption-algorithm aes-256   
#
ike proposal 10
  encryption-algorithm aes-256                                                   
  dh group14                                                                      
  authentication-algorithm sha2-256                                              
  authentication-method pre-share                                                
  integrity-algorithm hmac-sha2-256                                              
  prf hmac-sha2-256 
#
ike peer a
 pre-shared-key %^%#ze6KKqm^<JzHx2UXV|FJ.z6i%^%#
 ike-proposal 10
 local-id-type ip
 remote-id-type ip
 local-id 10.1.5.2
 remote-address 1.1.2.1
#                                                                               
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.1.5.2 255.255.255.0
 ipsec policy map1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust 
 set priority 5 
 add interface GigabitEthernet0/0/2
#
ip route-static 1.1.2.0 255.255.255.0 10.1.5.1
ip route-static 10.1.1.0 255.255.255.0 10.1.5.1
#
security-policy
  rule name policy1
    source-zone trust
    destination-zone untrust
    source-address 10.1.2.0 24
    destination-address 10.1.1.0 24
    action permit
  rule name policy2
    source-zone untrust
    destination-zone trust
    source-address 10.1.1.0 24
    destination-address 10.1.2.0 24
    action permit
  rule name policy3
    source-zone local
    destination-zone untrust
    source-address 10.1.5.2 32
    destination-address 1.1.2.1 32
    action permit
  rule name policy4
    source-zone untrust
    destination-zone local
    source-address 1.1.2.1 32
    destination-address 10.1.5.2 32
    action permit
#
return

  • FW_B configuration file

    #
 sysname FW_B
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.5.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.1.5.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust 
 set priority 5 
 add interface GigabitEthernet0/0/1
#
ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
ip route-static 10.1.2.0 255.255.255.0 10.1.5.2
#
security-policy
  rule name policy1
    source-zone trust
    destination-zone untrust
    source-address 10.1.5.2 32
    destination-address 1.1.2.1 32
    action permit
  rule name policy2
    source-zone untrust
    destination-zone trust
    source-address 1.1.2.1 32
    destination-address 10.1.5.2 32
    action permit
#
nat-policy
  rule name policy_nat1
    source-zone trust
    destination-zone untrust
    source-address 10.1.5.0 24
    action source-nat easy-ip
#
return
Parent Topic: IPSec
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >