
CLI: Example for Configuring IPSec VPN Between Branches and the Headquarters and Enabling the Headquarters and Branches to Access the Internet with Post-NAT IP Addresses Translated by Their Respective IPSec Gateways

Networking Requirement

As shown in Figure 1, the headquarters is connected to two branches (Branch 1 and Branch 2). The network environment is as follows:

  • FW_B connects Branch 1 to the Internet, and FW_C connects Branch 2 to the Internet.
  • FW_A and FW_B are reachable to each other, as are FW_A and FW_C.

  • The IP addresses of FW_A and FW_B are fixed public IP addresses, and the IP address of FW_C is a dynamic public IP address.
  • FW_A, FW_B, and FW_C are NAT gateways.

The networking requirements are as follows:

  • PC 2 and PC 3 in the branches can securely communicate with PC 1 in the headquarters.
  • IPSec tunnels can be set up between FW_A and FW_B, and between FW_A and FW_C. However, FW_B and FW_C cannot establish an IPSec tunnel with each other.
  • PC1, PC2, and PC3 can access the Internet.

Figure 1 Configuring the IPSec gateway with the NAT function

Configuration Roadmap

  1. Configure interfaces, security policies, and routes on FW_A, FW_B, and FW_C.
  2. Complete the IPSec configuration on FW_A, FW_B, and FW_C.
  3. Configure source NAT on FW_A, FW_B, and FW_C. On all gateways, configure NAT for Internet access and exempt the IPSec traffic from NAT.

Procedure

  1. Set basic parameters on FW_A.

    1. Set interface IP addresses.

      <sysname> system-view
      [sysname] sysname FW_A
      [FW_A] interface GigabitEthernet 0/0/3
      [FW_A-GigabitEthernet0/0/3] ip address 10.1.1.1 24
      [FW_A-GigabitEthernet0/0/3] quit
      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ip address 1.1.3.1 24
      [FW_A-GigabitEthernet0/0/1] quit
    2. Add interfaces to corresponding security zones.

      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/3
      [FW_A-zone-trust] quit
      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW_A-zone-untrust] quit
    3. Configure the security policies between the Trust and Untrust zones.

      [FW_A] security-policy
      [FW_A-policy-security] rule name policy1
      [FW_A-policy-security-rule-policy1] source-zone trust
      [FW_A-policy-security-rule-policy1] destination-zone untrust
      [FW_A-policy-security-rule-policy1] source-address 10.1.1.0 24
      [FW_A-policy-security-rule-policy1] destination-address 10.1.2.0 24
      [FW_A-policy-security-rule-policy1] destination-address 10.1.3.0 24
      [FW_A-policy-security-rule-policy1] action permit
      [FW_A-policy-security-rule-policy1] quit
      [FW_A-policy-security] rule name policy2
      [FW_A-policy-security-rule-policy2] source-zone untrust
      [FW_A-policy-security-rule-policy2] destination-zone trust
      [FW_A-policy-security-rule-policy2] source-address 10.1.2.0 24
      [FW_A-policy-security-rule-policy2] source-address 10.1.3.0 24
      [FW_A-policy-security-rule-policy2] destination-address 10.1.1.0 24
      [FW_A-policy-security-rule-policy2] action permit
      [FW_A-policy-security-rule-policy2] quit
    4. Configure the security policies between the Local and Untrust zones.

      The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the addresses are used. To match on protocol or port instead, permit ESP (IP protocol 50) and UDP port 500, and also UDP port 4500 in NAT traversal scenarios. Because FW_C uses a dynamic public IP address, the rules on FW_A cannot pin the remote address; they match only on the local address 1.1.3.1.

      [FW_A-policy-security] rule name policy3
      [FW_A-policy-security-rule-policy3] source-zone local
      [FW_A-policy-security-rule-policy3] destination-zone untrust
      [FW_A-policy-security-rule-policy3] source-address 1.1.3.1 32
      [FW_A-policy-security-rule-policy3] action permit
      [FW_A-policy-security-rule-policy3] quit
      [FW_A-policy-security] rule name policy4
      [FW_A-policy-security-rule-policy4] source-zone untrust
      [FW_A-policy-security-rule-policy4] destination-zone local
      [FW_A-policy-security-rule-policy4] destination-address 1.1.3.1 32
      [FW_A-policy-security-rule-policy4] action permit
      [FW_A-policy-security-rule-policy4] quit
      [FW_A-policy-security] quit

      Configure the security policies between the Local and Untrust zones to permit the interzone traffic for the negotiation between the tunnel endpoints.

    5. Configure a default route toward the Internet; it also carries the traffic to the branches. Assume that the next hop of the route is 1.1.3.2.
      [FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2

  2. Configure the IPSec policy on FW_A.
    1. Configure ACL rules to define data flows that need to be protected.

      [FW_A] acl 3000
      [FW_A-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
      [FW_A-acl-adv-3000] rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
      [FW_A-acl-adv-3000] quit

      As configured, ACL 3000 protects only the flows from the headquarters network to each branch. If the branches must also communicate with each other through the headquarters, the source address in FW_A's ACL must cover both the headquarters and the branch networks (for example, 10.1.0.0/16), while the destination address stays specific to each branch, and the branch ACLs must include the other branch's network as a destination.

    2. Configure an IPSec proposal.

      [FW_A] ipsec proposal tran1
      [FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_A-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal.

      [FW_A] ike proposal 10
      [FW_A-ike-proposal-10] authentication-method pre-share
      [FW_A-ike-proposal-10] prf hmac-sha2-256
      [FW_A-ike-proposal-10] encryption-algorithm aes-256
      [FW_A-ike-proposal-10] dh group14
      [FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [FW_A-ike-proposal-10] quit

    4. Configure an IKE peer. FW_A does not specify a remote address because it is the responder for both branches, including FW_C, whose address is not known in advance. As a consequence, all branches authenticate to the headquarters with this single pre-shared key, so rotate it on every gateway whenever a branch gateway is replaced or suspected of compromise.

      [FW_A] ike peer c
      [FW_A-ike-peer-c] ike-proposal 10
      [FW_A-ike-peer-c] pre-shared-key Test!1234
      [FW_A-ike-peer-c] quit

    5. Configure IPSec policy template temp.

      [FW_A] ipsec policy-template temp 1
      [FW_A-ipsec-policy-templet-temp-1] security acl 3000
      [FW_A-ipsec-policy-templet-temp-1] proposal tran1
      [FW_A-ipsec-policy-templet-temp-1] ike-peer c
      [FW_A-ipsec-policy-templet-temp-1] quit

    6. Create IPSec policy map1 and apply IPSec policy template temp in the IPSec policy.

      [FW_A] ipsec policy map1 10 isakmp template temp

    7. Apply IPSec policy map1 to GigabitEthernet 0/0/1.

      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ipsec policy map1
      [FW_A-GigabitEthernet0/0/1] quit

  3. Configure NAT policies on FW_A. The no-nat rule must come first: NAT policy rules are matched from top to bottom, and source NAT is applied before the IPSec policy is evaluated, so traffic to the branches that was translated to 1.1.3.1 would no longer match ACL 3000 and would leave the gateway as ordinary, unencrypted Internet traffic.

    [FW_A] nat-policy
    [FW_A-policy-nat] rule name policy_nat1
    [FW_A-policy-nat-rule-policy_nat1] source-zone trust
    [FW_A-policy-nat-rule-policy_nat1] destination-zone untrust
    [FW_A-policy-nat-rule-policy_nat1] source-address 10.1.1.0 0.0.0.255
    [FW_A-policy-nat-rule-policy_nat1] destination-address 10.1.2.0 0.0.0.255
    [FW_A-policy-nat-rule-policy_nat1] destination-address 10.1.3.0 0.0.0.255
    [FW_A-policy-nat-rule-policy_nat1] action no-nat
    [FW_A-policy-nat-rule-policy_nat1] quit
    [FW_A-policy-nat] rule name policy_nat2
    [FW_A-policy-nat-rule-policy_nat2] source-zone trust
    [FW_A-policy-nat-rule-policy_nat2] destination-zone untrust
    [FW_A-policy-nat-rule-policy_nat2] source-address 10.1.1.0 0.0.0.255
    [FW_A-policy-nat-rule-policy_nat2] action source-nat easy-ip
    [FW_A-policy-nat-rule-policy_nat2] quit
    [FW_A-policy-nat] quit

  4. Set basic parameters on FW_B.
    1. Set interface IP addresses and add the interfaces to security zones.

      Set interface IP addresses according to Figure 1: GigabitEthernet 0/0/3 is 10.1.2.1/24 and GigabitEthernet 0/0/1 is 1.1.5.1/24 (see the FW_B configuration file). Only FW_C, whose GigabitEthernet 0/0/1 obtains a dynamic address, needs no IP address configured on that interface.

      Add interface GigabitEthernet 0/0/3 to the Trust zone and interface GigabitEthernet 0/0/1 to the Untrust zone.

      For details, see the configuration of FW_A.

    2. Configure interzone security policies.

      1. Configure the security policies between the Trust and Untrust zones.

        [FW_B] security-policy
        [FW_B-policy-security] rule name policy1
        [FW_B-policy-security-rule-policy1] source-zone trust
        [FW_B-policy-security-rule-policy1] destination-zone untrust
        [FW_B-policy-security-rule-policy1] source-address 10.1.2.0 24
        [FW_B-policy-security-rule-policy1] destination-address 10.1.1.0 24
        [FW_B-policy-security-rule-policy1] destination-address 10.1.3.0 24
        [FW_B-policy-security-rule-policy1] action permit
        [FW_B-policy-security-rule-policy1] quit
        [FW_B-policy-security] rule name policy2
        [FW_B-policy-security-rule-policy2] source-zone untrust
        [FW_B-policy-security-rule-policy2] destination-zone trust
        [FW_B-policy-security-rule-policy2] source-address 10.1.1.0 24
        [FW_B-policy-security-rule-policy2] source-address 10.1.3.0 24
        [FW_B-policy-security-rule-policy2] destination-address 10.1.2.0 24
        [FW_B-policy-security-rule-policy2] action permit
        [FW_B-policy-security-rule-policy2] quit
      2. Configure the security policies between the Local and Untrust zones.

        The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used; because FW_B and FW_A both have fixed public addresses, the rules can specify both ends. To match on protocol or port instead, permit ESP (IP protocol 50) and UDP port 500, and also UDP port 4500 in NAT traversal scenarios.

        [FW_B-policy-security] rule name policy3
        [FW_B-policy-security-rule-policy3] source-zone local
        [FW_B-policy-security-rule-policy3] destination-zone untrust
        [FW_B-policy-security-rule-policy3] source-address 1.1.5.1 32
        [FW_B-policy-security-rule-policy3] destination-address 1.1.3.1 32
        [FW_B-policy-security-rule-policy3] action permit
        [FW_B-policy-security-rule-policy3] quit
        [FW_B-policy-security] rule name policy4
        [FW_B-policy-security-rule-policy4] source-zone untrust
        [FW_B-policy-security-rule-policy4] destination-zone local
        [FW_B-policy-security-rule-policy4] source-address 1.1.3.1 32
        [FW_B-policy-security-rule-policy4] destination-address 1.1.5.1 32
        [FW_B-policy-security-rule-policy4] action permit
        [FW_B-policy-security-rule-policy4] quit
        [FW_B-policy-security] quit

      Configure the security policies between the Local and Untrust zones to permit the interzone traffic for the negotiation between the tunnel endpoints.

    3. Configure a static route that sends traffic for the headquarters and branch networks out the IPSec-enabled interface. FW_B also needs a default route to its ISP next hop so that IKE and ESP packets can reach 1.1.3.1 and PC2 can reach the Internet; that next hop depends on the ISP link and is not shown in this example.

      [FW_B] ip route-static 10.1.0.0 255.255.0.0 GigabitEthernet 0/0/1

  5. Configure an IPSec policy and apply the policy to the corresponding interface on FW_B.
    1. Configure an ACL to define data flows that need to be protected.

      [FW_B] acl 3000
      [FW_B-acl-adv-3000] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [FW_B-acl-adv-3000] quit

    2. Configure an IPSec proposal.

      [FW_B] ipsec proposal tran1
      [FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_B-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal.

      [FW_B] ike proposal 10
      [FW_B-ike-proposal-10] authentication-method pre-share
      [FW_B-ike-proposal-10] prf hmac-sha2-256
      [FW_B-ike-proposal-10] encryption-algorithm aes-256
      [FW_B-ike-proposal-10] dh group14
      [FW_B-ike-proposal-10] integrity-algorithm hmac-sha2-256  
      [FW_B-ike-proposal-10] quit

    4. Configure an IKE peer.

      [FW_B] ike peer a
      [FW_B-ike-peer-a] ike-proposal 10
      [FW_B-ike-peer-a] remote-address 1.1.3.1
      [FW_B-ike-peer-a] pre-shared-key Test!1234
      [FW_B-ike-peer-a] quit

    5. Configure IPSec policy map1.

      [FW_B] ipsec policy map1 10 isakmp
      [FW_B-ipsec-policy-isakmp-map1-10] security acl 3000
      [FW_B-ipsec-policy-isakmp-map1-10] proposal tran1
      [FW_B-ipsec-policy-isakmp-map1-10] ike-peer a
      [FW_B-ipsec-policy-isakmp-map1-10] quit

    6. Apply IPSec policy map1 to GigabitEthernet 0/0/1.

      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ipsec policy map1
      [FW_B-GigabitEthernet0/0/1] quit

  6. Configure NAT policies on FW_B.

    [FW_B] nat-policy
    [FW_B-policy-nat] rule name policy_nat1
    [FW_B-policy-nat-rule-policy_nat1] source-zone trust
    [FW_B-policy-nat-rule-policy_nat1] destination-zone untrust
    [FW_B-policy-nat-rule-policy_nat1] source-address 10.1.2.0 24
    [FW_B-policy-nat-rule-policy_nat1] destination-address 10.1.1.0 24
    [FW_B-policy-nat-rule-policy_nat1] destination-address 10.1.3.0 24
    [FW_B-policy-nat-rule-policy_nat1] action no-nat
    [FW_B-policy-nat-rule-policy_nat1] quit
    [FW_B-policy-nat] rule name policy_nat2
    [FW_B-policy-nat-rule-policy_nat2] source-zone trust
    [FW_B-policy-nat-rule-policy_nat2] destination-zone untrust
    [FW_B-policy-nat-rule-policy_nat2] source-address 10.1.2.0 24
    [FW_B-policy-nat-rule-policy_nat2] action source-nat easy-ip
    [FW_B-policy-nat-rule-policy_nat2] quit
    [FW_B-policy-nat] quit

  7. Configure FW_C.

    The configuration of FW_C is similar to that of FW_B, with the following differences (see the FW_C configuration file): GigabitEthernet 0/0/1 has a dynamic address, so no IP address is set on it and the Local-Untrust policies match only on the remote address 1.1.3.1; ACL 3000 protects 10.1.3.0/24 to 10.1.1.0/24; and the security and NAT policies use 10.1.3.0/24 as the local network and 10.1.2.0/24 as the other branch. Because its address is not known in advance, FW_C must initiate the negotiation, and FW_A accepts it through the policy template.
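
The two points made during the FW_A configuration above, that the no-nat rule must precede the easy-ip rule (step 3) and that ACL 3000 only covers headquarters-to-branch flows (step 2), can be checked offline. The following Python script is an added example, not configuration or code from the Huawei guide: it models FW_A's nat-policy as an ordered rule list and ACL 3000 as the IPSec selector evaluated against the post-NAT packet, which is the order the firewall uses. Zones, security policies and the branch gateways are not modelled; the addresses are the ones on this page.

```python
"""Order-of-operations model for FW_A: NAT policy first, then the IPSec selector.

Added example, not from the Huawei guide. Only the nat-policy (matched top-down)
and acl 3000 (evaluated against the post-NAT packet) are modelled.
"""
import ipaddress
from dataclasses import dataclass


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an ACL 'address wildcard' pair such as 10.1.1.0 0.0.0.255 into a
    network. Assumes a contiguous wildcard, which is all this page uses."""
    wild = int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{address}/{32 - wild.bit_length()}", strict=False)


@dataclass
class NatRule:
    name: str
    sources: list          # CIDR strings
    destinations: list     # CIDR strings; empty means any destination
    action: str            # "no-nat" or "source-nat easy-ip"

    def matches(self, src: str, dst: str) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_ok = any(s in ipaddress.ip_network(n) for n in self.sources)
        dst_ok = not self.destinations or any(d in ipaddress.ip_network(n) for n in self.destinations)
        return src_ok and dst_ok


# FW_A nat-policy from the page, in configured order: exemption first, then Internet NAT.
FW_A_NAT_POLICY = [
    NatRule("policy_nat1", ["10.1.1.0/24"], ["10.1.2.0/24", "10.1.3.0/24"], "no-nat"),
    NatRule("policy_nat2", ["10.1.1.0/24"], [], "source-nat easy-ip"),
]

# FW_A acl 3000 (the IPSec traffic selector): (src, src wildcard, dst, dst wildcard).
FW_A_ACL_3000 = [
    ("10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255"),
    ("10.1.1.0", "0.0.0.255", "10.1.3.0", "0.0.0.255"),
]

FW_A_PUBLIC_IP = "1.1.3.1"   # GigabitEthernet 0/0/1; easy-ip translates to this address


def apply_nat_policy(policy, src, dst, egress_ip):
    """First matching rule wins, as on the firewall. Returns (post-NAT source, rule name)."""
    for rule in policy:
        if rule.matches(src, dst):
            return (src if rule.action == "no-nat" else egress_ip), rule.name
    return src, None          # no rule hit: the packet is not translated


def acl_permits(acl, src, dst) -> bool:
    """True if any ACL rule covers the (src, dst) pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in wildcard_to_network(sa, sw) and d in wildcard_to_network(da, dw)
               for sa, sw, da, dw in acl)


def forward(src, dst, nat_policy=FW_A_NAT_POLICY, acl=FW_A_ACL_3000, egress_ip=FW_A_PUBLIC_IP):
    """What FW_A puts on GigabitEthernet 0/0/1 for a packet src->dst: the source
    address after NAT, the NAT rule hit, and whether the IPSec policy (which sees
    the post-NAT header) sends it through the tunnel."""
    wire_src, rule = apply_nat_policy(nat_policy, src, dst, egress_ip)
    return {"src_on_wire": wire_src, "nat_rule": rule, "protected": acl_permits(acl, wire_src, dst)}


if __name__ == "__main__":
    cases = {
        "PC1 -> PC2 (configured order)": forward("10.1.1.2", "10.1.2.2"),
        "PC1 -> 1.1.5.1 (Internet)": forward("10.1.1.2", "1.1.5.1"),
        # Failure mode: easy-ip listed above the exemption. The packet is translated to
        # 1.1.3.1, no longer matches acl 3000 and leaves in cleartext.
        "PC1 -> PC2 (rules reversed)": forward("10.1.1.2", "10.1.2.2", nat_policy=FW_A_NAT_POLICY[::-1]),
        # Branch-to-branch traffic relayed by FW_A is outside acl 3000 as configured.
        "PC2 -> PC3 via FW_A": forward("10.1.2.2", "10.1.3.2"),
    }
    for label, result in cases.items():
        print(f"{label}: {result}")
```

Run it as is to print the four cases. The reversed-order case is the one to remember: the packet is still permitted by the security policy and still routed toward the branch, so nothing fails loudly; it simply leaves the gateway as NATed Internet traffic. The same model applies to FW_B and FW_C with their own addresses.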

Verification

  1. After the configuration is complete, PC1 can access the public network; for example, it can ping 1.1.5.1, the public interface address of FW_B. The session table on FW_A shows the source address of this traffic translated to 1.1.3.1 by the easy-ip rule.

    <FW_A> display firewall session table
     Current Total Sessions : 5
      icmp  VPN:public --> public 10.1.1.2:61251[1.1.3.1:2048]-->1.1.5.1:2048
      icmp  VPN:public --> public 10.1.1.2:62019[1.1.3.1:2049]-->1.1.5.1:2048
      icmp  VPN:public --> public 10.1.1.2:62275[1.1.3.1:2050]-->1.1.5.1:2048
      icmp  VPN:public --> public 10.1.1.2:62531[1.1.3.1:2051]-->1.1.5.1:2048
      icmp  VPN:public --> public 10.1.1.2:62787[1.1.3.1:2052]-->1.1.5.1:2048
    
  2. PC2 can access the public network; for example, it can ping 1.1.3.1, the public interface address of FW_A. The session table on FW_B shows the source address translated to 1.1.5.1.

    <FW_B> display firewall session table 
    Current Total Sessions : 5
      icmp  VPN:public --> public 10.1.2.2:61251[1.1.5.1:2048]-->1.1.3.1:2048
      icmp  VPN:public --> public 10.1.2.2:62019[1.1.5.1:2049]-->1.1.3.1:2048
      icmp  VPN:public --> public 10.1.2.2:62275[1.1.5.1:2050]-->1.1.3.1:2048
      icmp  VPN:public --> public 10.1.2.2:62531[1.1.5.1:2051]-->1.1.3.1:2048
      icmp  VPN:public --> public 10.1.2.2:62787[1.1.5.1:2052]-->1.1.3.1:2048
    
  3. PC1 and PC2 can communicate with each other. This traffic matches ACL 3000 on both gateways, is exempted from NAT by policy_nat1, and is carried in the IPSec tunnel.
  4. On FW_A, you can view IKE SA information.

    <FW_A> display ike sa      
    
    IKE SA information :             
        Conn-ID     Peer       VPN   Flag(s)   Phase   RemoteType  RemoteID
      -------------------------------------------------------------------------
         83887864   1.1.5.1:500      RD|A       v2:2   IP          1.1.5.1
         83887652   1.1.5.1:500      RD|A       v2:1   IP          1.1.5.1
                           
      Number of IKE SA : 2 
      --------------------------------------------------------------------------
                                                                                    
      Flag Description:                                                             
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING 
  5. On FW_B, you can view the IKE SA whose peer end is the headquarters. FW_B initiated the negotiation, so its SAs also carry the ST (STAYALIVE) flag.

    <FW_B> display ike sa
    
    IKE SA information :
        Conn-ID    Peer       VPN   Flag(s)   Phase   RemoteType  RemoteID
      -------------------------------------------------------------------------
        62887864   1.1.3.1:500      RD|ST|A   v2:2    IP              1.1.3.1
        62887652   1.1.3.1:500      RD|ST|A   v2:1    IP              1.1.3.1
                                      
      Number of IKE SA : 2 
      -------------------------------------------------------------------------
                                                                                    
      Flag Description:                                                             
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING 
  6. On FW_A, you can view a pair of IPSec SAs corresponding to FW_B.
    <FW_A> display ipsec sa brief 
    Current ipsec sa num:2
    
    Spu board slot 1, cpu 1 ipsec sa information:                                   
    Number of SAs:2                                                              
        Src address   Dst address     SPI      VPN  Protocol     Algorithm       
    ------------------------------------------------------------------------------- 
         1.1.5.1        1.1.3.1    3923280450        ESP       E:AES-256 A:SHA2_256_128 
         1.1.3.1        1.1.5.1    787858613         ESP       E:AES-256 A:SHA2_256_128 
    
  7. On FW_B, you can view a pair of IPSec SAs.
    <FW_B> display ipsec sa brief 
    Current ipsec sa num:2
    
    Spu board slot 1, cpu 1 ipsec sa information:                                   
    Number of SAs:2                                                              
        Src address   Dst address     SPI      VPN  Protocol     Algorithm       
    ------------------------------------------------------------------------------- 
         1.1.3.1        1.1.5.1    787858613          ESP       E:AES-256 A:SHA2_256_128 
         1.1.5.1        1.1.3.1    3923280450         ESP       E:AES-256 A:SHA2_256_128 
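
Steps 4 to 7 above compare the IKE and IPSec SA tables of the two gateways by eye. The following Python script is an added example, not part of the Huawei guide: it parses the display ike sa and display ipsec sa brief output shown on this page (embedded as constructed sample input) and checks that both IKEv2 phases are READY on each side, that each direction has an SA, that both gateways report the same SPIs and algorithms, and that the negotiated algorithms are those of proposal tran1. The column layout assumed by the regular expressions is the one printed above; other software versions may differ.

```python
"""Cross-check the IKE and IPSec SA tables of both tunnel endpoints.

Added example, not from the Huawei guide. The sample outputs are the
'display ike sa' and 'display ipsec sa brief' text shown on this page,
embedded here as constructed input so the script runs offline.
"""
import re

FW_A_IKE_SA = """
    Conn-ID     Peer       VPN   Flag(s)   Phase   RemoteType  RemoteID
  -------------------------------------------------------------------------
     83887864   1.1.5.1:500      RD|A       v2:2   IP          1.1.5.1
     83887652   1.1.5.1:500      RD|A       v2:1   IP          1.1.5.1
"""
FW_A_IPSEC_SA = """
    Src address   Dst address     SPI      VPN  Protocol     Algorithm
-------------------------------------------------------------------------------
     1.1.5.1        1.1.3.1    3923280450        ESP       E:AES-256 A:SHA2_256_128
     1.1.3.1        1.1.5.1    787858613         ESP       E:AES-256 A:SHA2_256_128
"""
FW_B_IKE_SA = """
    Conn-ID    Peer       VPN   Flag(s)   Phase   RemoteType  RemoteID
  -------------------------------------------------------------------------
    62887864   1.1.3.1:500      RD|ST|A   v2:2    IP              1.1.3.1
    62887652   1.1.3.1:500      RD|ST|A   v2:1    IP              1.1.3.1
"""
FW_B_IPSEC_SA = """
     1.1.3.1        1.1.5.1    787858613          ESP       E:AES-256 A:SHA2_256_128
     1.1.5.1        1.1.3.1    3923280450         ESP       E:AES-256 A:SHA2_256_128
"""

# Conn-ID, peer:port, optional VPN instance, flags, phase (v2:1 = IKE SA, v2:2 = child SA).
IKE_SA_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(?:\S+\s+)?(\S+)\s+v(\d):(\d)\b")
# src, dst, SPI, optional VPN instance, protocol, E:<cipher> A:<integrity>.
IPSEC_SA_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(?:\S+\s+)?(ESP|AH)\s+E:(\S+)\s+A:(\S+)")


def parse_ike_sa(text):
    """Map (peer address, phase) -> set of flags, e.g. ('1.1.5.1', 'v2:1') -> {'RD', 'A'}."""
    sas = {}
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            _conn, peer, _port, flags, ver, phase = m.groups()
            sas[(peer, f"v{ver}:{phase}")] = set(flags.split("|"))
    return sas


def parse_ipsec_sa(text):
    """Set of (src, dst, spi, protocol, cipher, integrity) tuples."""
    sas = set()
    for line in text.splitlines():
        m = IPSEC_SA_RE.match(line)
        if m:
            src, dst, spi, proto, enc, auth = m.groups()
            sas.add((src, dst, int(spi), proto, enc, auth))
    return sas


def check_tunnel(local_ip, remote_ip, local_ike, local_ipsec, remote_ike, remote_ipsec,
                 cipher="AES-256", integrity="SHA2_256_128"):
    """Return a list of findings for the tunnel local_ip <-> remote_ip; empty means consistent."""
    findings = []
    # 1. Both the IKE SA (v2:1) and the child SA (v2:2) must be READY on both gateways.
    for side, ike, peer in (("local", local_ike, remote_ip), ("remote", remote_ike, local_ip)):
        for phase in ("v2:1", "v2:2"):
            flags = ike.get((peer, phase))
            if flags is None:
                findings.append(f"{side}: no IKE SA {phase} with peer {peer}")
            elif "RD" not in flags:
                findings.append(f"{side}: IKE SA {phase} with {peer} not READY, flags {sorted(flags)}")
    # 2. Look only at SAs between these two public addresses (FW_A may also hold SAs for FW_C).
    ends = {local_ip, remote_ip}
    local_t = {sa for sa in local_ipsec if {sa[0], sa[1]} == ends}
    remote_t = {sa for sa in remote_ipsec if {sa[0], sa[1]} == ends}
    missing = {(local_ip, remote_ip), (remote_ip, local_ip)} - {(sa[0], sa[1]) for sa in local_t}
    for src, dst in sorted(missing):
        findings.append(f"local: no IPSec SA for direction {src} -> {dst}")
    # 3. Both ends must report identical SPIs and algorithms; a stale SA on one side shows up here.
    if local_t != remote_t:
        findings.append(f"SPI/algorithm mismatch: local {sorted(local_t)} vs remote {sorted(remote_t)}")
    # 4. Negotiated algorithms must be those of the proposal (tran1 on this page).
    for src, dst, spi, proto, enc, auth in sorted(local_t):
        if (proto, enc, auth) != ("ESP", cipher, integrity):
            findings.append(f"SA {src} -> {dst} spi {spi}: {proto} {enc}/{auth}, expected ESP {cipher}/{integrity}")
    return findings


if __name__ == "__main__":
    result = check_tunnel("1.1.3.1", "1.1.5.1",
                          parse_ike_sa(FW_A_IKE_SA), parse_ipsec_sa(FW_A_IPSEC_SA),
                          parse_ike_sa(FW_B_IKE_SA), parse_ipsec_sa(FW_B_IPSEC_SA))
    print("tunnel consistent" if not result else "\n".join(result))
```

Paste the live output of both gateways into the four strings and run the script after any change to a proposal, pre-shared key or NAT policy; an SPI present on one side only indicates a stale SA, and a missing v2:2 entry means IKE succeeded but the child SA for ACL 3000 was never negotiated.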
    

Configuration Files

  • FW_A configuration file

    #
     sysname FW_A
    #
    acl number 3000
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
     rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
    #
    ipsec proposal tran1                                                            
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256   
    #
    ike proposal 10
     encryption-algorithm aes-256                                                   
     dh group14                                                                      
     authentication-algorithm sha2-256                                              
     authentication-method pre-share                                                
     integrity-algorithm hmac-sha2-256                                              
     prf hmac-sha2-256 
    #
    ike peer c
     pre-shared-key %^%#9AGL!*(KJM2ImuCYi!QP,{6N%^%#
     ike-proposal 10
    #                                                                               
    ipsec policy-template temp 1
     security acl 3000
     ike-peer c
     proposal tran1
    #
    ipsec policy map1 10 isakmp template temp
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 1.1.3.1 255.255.255.0
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet0/0/1
    #
     ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.0 24
      destination-address 10.1.2.0 24
      destination-address 10.1.3.0 24
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.2.0 24
      source-address 10.1.3.0 24
      destination-address 10.1.1.0 24
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      source-address 1.1.3.1 32
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      destination-address 1.1.3.1 32
      action permit
    #
    nat-policy
     rule name policy_nat1
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.0 0.0.0.255
      destination-address 10.1.2.0 0.0.0.255
      destination-address 10.1.3.0 0.0.0.255
      action no-nat
     rule name policy_nat2
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.0 0.0.0.255
      action source-nat easy-ip
    #
    return
  • FW_B configuration file

    #
     sysname FW_B
    #
    acl number 3000
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    ipsec proposal tran1                                                            
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256   
    #
    ike proposal 10
     encryption-algorithm aes-256                                                   
     dh group14                                                                      
     authentication-algorithm sha2-256                                              
     authentication-method pre-share                                                
     integrity-algorithm hmac-sha2-256                                              
     prf hmac-sha2-256 
    #
    ike peer a
     pre-shared-key %^%#LV|sQ=~fUQO:M$CeqaMEnwVD%^%#
     ike-proposal 10
     remote-address 1.1.3.1
    #                                                                               
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 1.1.5.1 255.255.255.0
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet0/0/1
    #
    ip route-static 10.1.0.0 255.255.0.0 GigabitEthernet0/0/1
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.2.0 24
      destination-address 10.1.1.0 24
      destination-address 10.1.3.0 24
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.1.0 24
      source-address 10.1.3.0 24
      destination-address 10.1.2.0 24
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      source-address 1.1.5.1 32
      destination-address 1.1.3.1 32
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      source-address 1.1.3.1 32
      destination-address 1.1.5.1 32
      action permit
    #
    nat-policy
     rule name policy_nat1
      source-zone trust
      destination-zone untrust
      source-address 10.1.2.0 0.0.0.255
      destination-address 10.1.1.0 0.0.0.255
      destination-address 10.1.3.0 0.0.0.255
      action no-nat
     rule name policy_nat2
      source-zone trust
      destination-zone untrust
      source-address 10.1.2.0 0.0.0.255
      action source-nat easy-ip
    #
    return
  • FW_C configuration file

    #
     sysname FW_C
    #
    acl number 3000
     rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    ipsec proposal tran1                                                            
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256   
    #
    ike proposal 10
     encryption-algorithm aes-256                                                   
     dh group14                                                                      
     authentication-algorithm sha2-256                                              
     authentication-method pre-share                                                
     integrity-algorithm hmac-sha2-256                                              
     prf hmac-sha2-256 
    #
    ike peer a
     pre-shared-key %^%#Yb/Y7>%YK@K4sS#'Kjd9NGML%^%#
     ike-proposal 10
     remote-address 1.1.3.1
    #                                                                               
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer a
     proposal tran1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.3.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ipsec policy map1
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet0/0/1
    #
    ip route-static 10.1.0.0 255.255.0.0 GigabitEthernet0/0/1
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.3.0 24
      destination-address 10.1.1.0 24
      destination-address 10.1.2.0 24
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.1.0 24
      source-address 10.1.2.0 24
      destination-address 10.1.3.0 24
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      destination-address 1.1.3.1 32
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      source-address 1.1.3.1 32
      action permit
    #
    nat-policy
     rule name policy_nat1
      source-zone trust
      destination-zone untrust
      source-address 10.1.3.0 24
      destination-address 10.1.1.0 24
      destination-address 10.1.2.0 24
      action no-nat
     rule name policy_nat2
      source-zone trust
      destination-zone untrust
      source-address 10.1.3.0 24
      action source-nat easy-ip
    #
    return
Copyright © Huawei Technologies Co., Ltd.