
CLI: Example for Configuring IPSec in Different VPN Instances (Using the Tunnel Interface for Inter-VPN Forwarding)

Networking Requirements

FW_A serves as the IPSec gateway. The carrier leases FW_A to multiple small enterprises and creates a separate VPN instance for each of them, so the enterprises' intranets are isolated from one another while employees at branches or on business trips can still securely access their headquarters network. The following uses the configuration of FW_A to provide the IPSec service for enterprise A as an example to describe how to configure IPSec multi-instance and implement inter-VPN forwarding.

As shown in Figure 1, PC1 resides on the branch network of enterprise A, and the branch is connected to the Internet through FW_B. VPN1 is created for enterprise A on FW_A, and PC1 can securely access VPN1. FW_A and FW_B are reachable to each other.

Figure 1 Configuring IPSec multi-instance

Configuration Roadmap

  • GigabitEthernet 0/0/3 on FW_A is connected to the Internet and belongs to Public (the root system). GigabitEthernet 0/0/1 is connected to the intranet of enterprise A and belongs to VPN instance VPN1. Because the two interfaces belong to different VPN instances, inter-VPN access must be configured in this example.

  • In this example, the tunnel interface is used to implement inter-VPN forwarding. Bind the tunnel interface to VPN1.
  • Set Local address in the IPSec policy to the IP address of GigabitEthernet 0/0/3 on FW_A. This local address and the peer address (the IP address of GigabitEthernet 0/0/1 on FW_B) are used for tunnel negotiation; both interfaces belong to Public.
  • Apply the IPSec policy to the tunnel interface.

Procedure

  • Configure VPN instance VPN1, interfaces, security zones, and interzone security policies on FW_A.
    1. Configure VPN instance vpn1.

      <sysname> system-view
      [sysname] sysname FW_A
      [FW_A] ip vpn-instance vpn1
      [FW_A-vpn-instance-vpn1] route-distinguisher 100:1
      [FW_A-vpn-instance-vpn1] quit

    2. Set the IP address of GigabitEthernet 0/0/1.

      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ip binding vpn-instance vpn1
      [FW_A-GigabitEthernet0/0/1] ip address 10.1.1.1 24
      [FW_A-GigabitEthernet0/0/1] quit

    3. Set the IP address of GigabitEthernet 0/0/3.

      [FW_A] interface GigabitEthernet 0/0/3
      [FW_A-GigabitEthernet0/0/3] ip address 1.1.3.1 24
      [FW_A-GigabitEthernet0/0/3] quit

    4. Create Tunnel 0.

      [FW_A] interface Tunnel 0
      [FW_A-tunnel0] tunnel-protocol ipsec
      [FW_A-tunnel0] ip binding vpn-instance vpn1
      [FW_A-tunnel0] ip address 10.10.1.2 24
      [FW_A-tunnel0] source 1.1.3.1
      [FW_A-tunnel0] destination 1.1.5.1
      [FW_A-tunnel0] quit

    5. Add GigabitEthernet 0/0/1 to the Trust zone.

      [FW_A] firewall zone trust
      [FW_A-zone-trust] add interface GigabitEthernet 0/0/1
      [FW_A-zone-trust] quit

    6. Add Tunnel 0 and GigabitEthernet 0/0/3 to the Untrust zone.

      [FW_A] firewall zone untrust
      [FW_A-zone-untrust] add interface tunnel 0
      [FW_A-zone-untrust] add interface GigabitEthernet 0/0/3
      [FW_A-zone-untrust] quit

    7. Configure the security policies between the Local zone and the security zone to which the inbound interface belongs.

      The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, the protocol, or the port as the matching condition. In this example, the source and destination addresses are used. To match on protocol or port instead, permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

      [FW_A] security-policy
      [FW_A-policy-security] rule name policy1
      [FW_A-policy-security-rule-policy1] source-zone local
      [FW_A-policy-security-rule-policy1] destination-zone untrust
      [FW_A-policy-security-rule-policy1] source-address 1.1.3.1 32
      [FW_A-policy-security-rule-policy1] destination-address 1.1.5.1 32
      [FW_A-policy-security-rule-policy1] action permit
      [FW_A-policy-security-rule-policy1] quit
      [FW_A-policy-security] rule name policy2
      [FW_A-policy-security-rule-policy2] source-zone untrust
      [FW_A-policy-security-rule-policy2] destination-zone local
      [FW_A-policy-security-rule-policy2] source-address 1.1.5.1 32
      [FW_A-policy-security-rule-policy2] destination-address 1.1.3.1 32
      [FW_A-policy-security-rule-policy2] action permit
      [FW_A-policy-security-rule-policy2] quit

    8. Configure the security policies between the Trust and Untrust zones.

      The tunnel interface is in the Untrust zone.

      [FW_A] security-policy
      [FW_A-policy-security] rule name policy3
      [FW_A-policy-security-rule-policy3] source-zone trust
      [FW_A-policy-security-rule-policy3] destination-zone untrust
      [FW_A-policy-security-rule-policy3] source-address 10.1.1.0 24
      [FW_A-policy-security-rule-policy3] destination-address 10.1.3.0 24
      [FW_A-policy-security-rule-policy3] action permit
      [FW_A-policy-security-rule-policy3] quit
      [FW_A-policy-security] rule name policy4
      [FW_A-policy-security-rule-policy4] source-zone untrust
      [FW_A-policy-security-rule-policy4] destination-zone trust
      [FW_A-policy-security-rule-policy4] source-address 10.1.3.0 24
      [FW_A-policy-security-rule-policy4] destination-address 10.1.1.0 24
      [FW_A-policy-security-rule-policy4] action permit
      [FW_A-policy-security-rule-policy4] quit
      [FW_A-policy-security] quit

    9. Configure a static route to the branch of enterprise A.

      [FW_A] ip route-static vpn-instance vpn1 10.1.3.0 255.255.255.0 tunnel0

  • Configure an IPSec policy and apply the policy to the corresponding interface on FW_A.
    1. Define the data flow to be protected.

      [FW_A] acl 3000 vpn-instance vpn1
      [FW_A-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
      [FW_A-acl-adv-3000] quit

    2. Configure an IPSec proposal named tran1. Parameters that keep their default values need not be configured.

      [FW_A] ipsec proposal tran1
      [FW_A-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal numbered 10. Parameters that keep their default values need not be configured.

      [FW_A] ike proposal 10
      [FW_A-ike-proposal-10] dh group14
      [FW_A-ike-proposal-10] quit

    4. Configure an IKE peer.

      [FW_A] ike peer vpn1
      [FW_A-ike-peer-vpn1] ike-proposal 10
      [FW_A-ike-peer-vpn1] remote-address 1.1.5.1
      [FW_A-ike-peer-vpn1] pre-shared-key Test!123
      [FW_A-ike-peer-vpn1] sa binding vpn-instance vpn1
      [FW_A-ike-peer-vpn1] quit

    5. Configure an IPSec policy with the name map1 and number 10.

      [FW_A] ipsec policy map1 10 isakmp
      [FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
      [FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
      [FW_A-ipsec-policy-isakmp-map1-10] ike-peer vpn1
      [FW_A-ipsec-policy-isakmp-map1-10] tunnel local 1.1.3.1
      [FW_A-ipsec-policy-isakmp-map1-10] quit

    6. Apply IPSec policy map1 to tunnel 0.

      [FW_A] interface tunnel 0
      [FW_A-tunnel0] ipsec policy map1
      [FW_A-tunnel0] quit

  • Perform basic configurations on FW_B.
    1. Set interface IP addresses.

      1. Set the IP address of GigabitEthernet 0/0/3 (the interface facing the branch intranet).

        <sysname> system-view
        [sysname] sysname FW_B
        [FW_B] interface GigabitEthernet 0/0/3
        [FW_B-GigabitEthernet0/0/3] ip address 10.1.3.1 24
        [FW_B-GigabitEthernet0/0/3] quit
      2. Set the IP address of GigabitEthernet 0/0/1 (the interface facing the Internet, used as the IPSec peer address).

        [FW_B] interface GigabitEthernet 0/0/1
        [FW_B-GigabitEthernet0/0/1] ip address 1.1.5.1 24
        [FW_B-GigabitEthernet0/0/1] quit

    2. Add interfaces to corresponding security zones.

      1. Add GigabitEthernet 0/0/3 to the Trust zone.

        [FW_B] firewall zone trust
        [FW_B-zone-trust] add interface GigabitEthernet 0/0/3
        [FW_B-zone-trust] quit
      2. Add GigabitEthernet 0/0/1 to the Untrust zone.

        [FW_B] firewall zone untrust
        [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
        [FW_B-zone-untrust] quit

    3. Configure interzone security policies.

      1. Configure the security policies between the Trust and Untrust zones.

        [FW_B] security-policy
        [FW_B-policy-security] rule name policy1
        [FW_B-policy-security-rule-policy1] source-zone trust
        [FW_B-policy-security-rule-policy1] destination-zone untrust
        [FW_B-policy-security-rule-policy1] source-address 10.1.3.0 24
        [FW_B-policy-security-rule-policy1] destination-address 10.1.1.0 24
        [FW_B-policy-security-rule-policy1] action permit
        [FW_B-policy-security-rule-policy1] quit
        [FW_B-policy-security] rule name policy2
        [FW_B-policy-security-rule-policy2] source-zone untrust
        [FW_B-policy-security-rule-policy2] destination-zone trust
        [FW_B-policy-security-rule-policy2] source-address 10.1.1.0 24
        [FW_B-policy-security-rule-policy2] destination-address 10.1.3.0 24
        [FW_B-policy-security-rule-policy2] action permit
        [FW_B-policy-security-rule-policy2] quit
      2. Configure the security policies between the Local and Untrust zones.

        The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, the protocol, or the port as the matching condition. In this example, the source and destination addresses are used. To match on protocol or port instead, permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

        [FW_B-policy-security] rule name policy3
        [FW_B-policy-security-rule-policy3] source-zone local
        [FW_B-policy-security-rule-policy3] destination-zone untrust
        [FW_B-policy-security-rule-policy3] source-address 1.1.5.1 32
        [FW_B-policy-security-rule-policy3] destination-address 1.1.3.1 32
        [FW_B-policy-security-rule-policy3] action permit
        [FW_B-policy-security-rule-policy3] quit
        [FW_B-policy-security] rule name policy4
        [FW_B-policy-security-rule-policy4] source-zone untrust
        [FW_B-policy-security-rule-policy4] destination-zone local
        [FW_B-policy-security-rule-policy4] source-address 1.1.3.1 32
        [FW_B-policy-security-rule-policy4] destination-address 1.1.5.1 32
        [FW_B-policy-security-rule-policy4] action permit
        [FW_B-policy-security-rule-policy4] quit
        [FW_B-policy-security] quit

      Configuring security policies between the Local and Untrust zones enables the devices at both ends of the IPSec tunnel to communicate so that the devices can perform tunnel negotiation.

    4. Configure a static route to the network of enterprise A's headquarters. Assume that the next hop of the route is 1.1.5.2.

      [FW_B] ip route-static 10.1.1.0 255.255.255.0 1.1.5.2

  • Configure an IPSec policy and apply the policy to the corresponding interface on FW_B.
    1. Configure advanced ACL 3000 to permit the users on network segment 10.1.3.0/24 to access network segment 10.1.1.0/24.

      [FW_B] acl 3000
      [FW_B-acl-adv-3000] rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [FW_B-acl-adv-3000] quit

    2. Configure an IPSec proposal named tran1. Parameters that keep their default values need not be configured.

      [FW_B] ipsec proposal tran1
      [FW_B-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal numbered 10. Parameters that keep their default values need not be configured.

      [FW_B] ike proposal 10
      [FW_B-ike-proposal-10] dh group14
      [FW_B-ike-proposal-10] quit

    4. Configure an IKE peer named vpn1.

      [FW_B] ike peer vpn1
      [FW_B-ike-peer-vpn1] ike-proposal 10
      [FW_B-ike-peer-vpn1] remote-address 1.1.3.1
      [FW_B-ike-peer-vpn1] pre-shared-key Test!123
      [FW_B-ike-peer-vpn1] quit

    5. Configure an IPSec policy with the name map1 and number 10.

      [FW_B] ipsec policy map1 10 isakmp
      [FW_B-ipsec-policy-isakmp-map1-10] security acl 3000
      [FW_B-ipsec-policy-isakmp-map1-10] proposal tran1
      [FW_B-ipsec-policy-isakmp-map1-10] ike-peer vpn1
      [FW_B-ipsec-policy-isakmp-map1-10] quit

    6. Apply IPSec policy map1 to GigabitEthernet 0/0/1.

      [FW_B] interface GigabitEthernet 0/0/1
      [FW_B-GigabitEthernet0/0/1] ipsec policy map1
      [FW_B-GigabitEthernet0/0/1] quit
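
As an added example (not part of the Huawei documentation), the following Python script models FW_A's security zones and the four interzone rules from the procedure above. It checks that each rule's addresses can actually appear in the zones the rule references (a swapped source-zone/destination-zone pair silently matches nothing) and looks up which rule permits the IKE negotiation and the protected data flow. The zone-to-prefix mapping is an assumption derived from the interface and static-route configuration above.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Huawei code. Prefixes reachable through each FW_A zone,
# derived (assumption) from the procedure: GE0/0/1 (10.1.1.0/24) in Trust;
# GE0/0/3 (peer 1.1.5.1) and Tunnel0 (10.1.3.0/24 via the static route) in
# Untrust; Local is the firewall's own address 1.1.3.1.
ZONE_PREFIXES = {
    "local": ["1.1.3.1/32"],
    "trust": ["10.1.1.0/24"],
    "untrust": ["1.1.5.1/32", "10.1.3.0/24"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str            # "address mask-length" as typed in the CLI, e.g. "10.1.1.0 24"
    dst: str
    action: str = "permit"

def cli_prefix(text: str) -> ipaddress.IPv4Network:
    """Convert the CLI value 'address mask-length' into a network object."""
    addr, length = text.split()
    return ipaddress.ip_network(f"{addr}/{length}", strict=False)

def in_zone(prefix: ipaddress.IPv4Network, zone: str) -> bool:
    """True if the prefix lies inside something reachable through that zone."""
    return any(prefix.subnet_of(ipaddress.ip_network(p)) for p in ZONE_PREFIXES[zone])

def zone_mismatches(rules):
    """Names of rules whose addresses cannot occur in the zones they reference."""
    bad = []
    for r in rules:
        if not in_zone(cli_prefix(r.src), r.src_zone) or not in_zone(cli_prefix(r.dst), r.dst_zone):
            bad.append(r.name)
    return bad

def first_permit(rules, src_zone, dst_zone, src_ip, dst_ip):
    """Name of the first matching permit rule, or None (implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.src_zone, r.dst_zone) == (src_zone, dst_zone) \
                and s in cli_prefix(r.src) and d in cli_prefix(r.dst):
            return r.name if r.action == "permit" else None
    return None

# The four FW_A rules exactly as the procedure configures them.
FW_A_RULES = [
    Rule("policy1", "local", "untrust", "1.1.3.1 32", "1.1.5.1 32"),
    Rule("policy2", "untrust", "local", "1.1.5.1 32", "1.1.3.1 32"),
    Rule("policy3", "trust", "untrust", "10.1.1.0 24", "10.1.3.0 24"),
    Rule("policy4", "untrust", "trust", "10.1.3.0 24", "10.1.1.0 24"),
]

# A constructed mistake: zones swapped while the addresses were left alone.
SWAPPED_RULE = Rule("policy3", "untrust", "trust", "10.1.1.0 24", "10.1.3.0 24")

if __name__ == "__main__":
    print("zone mismatches:", zone_mismatches(FW_A_RULES))            # []
    print("IKE initiator :", first_permit(FW_A_RULES, "local", "untrust", "1.1.3.1", "1.1.5.1"))
    print("swapped rule  :", zone_mismatches([SWAPPED_RULE]))          # ['policy3']
```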

Verification

Ping Server1 on VPN1 from PC1. The ping succeeds. On FW_A, the IKE SA and the IPSec SA are displayed as follows.

<FW_A> display ike sa
IKE SA information :
    Conn-ID     Peer            VPN   Flag(s)  Phase  RemoteType  RemoteID
  -----------------------------------------------------------------------------
    117477244   1.1.5.1:500           RD|A     v2:2   IP          1.1.5.1
    117477243   1.1.5.1:500           RD|A     v2:1   IP          1.1.5.1

  Number of IKE SA : 2
  -------------------------------------------------------------------------------

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING
<FW_A> display ipsec sa

===============================
Interface: Tunnel0
===============================

  -----------------------------
  IPSec policy name: "map1"
  Sequence number  : 10
  Acl group        : 3000
  Acl rule         : 5
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 150994963
    Encapsulation mode: Tunnel
    Tunnel local      : 1.1.3.1
    Tunnel remote     : 1.1.5.1
    Flow source       : 10.1.1.0/255.255.255.0 0/0
    Flow destination  : 10.1.3.0/255.255.255.0 0/0
    Flow vpn          : vpn1
    [Outbound ESP SAs]
      SPI: 120037772 (0x727a18c)
      Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128
      SA remaining key duration (kilobytes/sec): 1843200/1031
      Max sent sequence-number: 9
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/kilobytes): 4/0

    [Inbound ESP SAs]
      SPI: 215352593 (0xcd60511)
      Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128
      SA remaining key duration (kilobytes/sec): 1843196/1031
      Max received sequence-number: 49
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/kilobytes): 4/0
      Anti-replay : Enable
      Anti-replay window size: 1024   
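
The following Python script is an added example, not Huawei's, that parses the display ipsec sa output shown above and checks the SA against the state this scenario should produce: the flow bound to vpn1, the configured tunnel endpoints, the AES-256/SHA2-256 proposal, no NAT traversal, and anti-replay enabled on the inbound SA. The sample text is a trimmed copy of the output above, and the minimum remaining-lifetime threshold is an assumed value.

```python
import re

# Added example, not Huawei code: parse 'display ipsec sa' output and check the SA.
# Constructed sample, trimmed from the output shown above.
SAMPLE = """\
===============================
Interface: Tunnel0
===============================
  IPSec policy name: "map1"
  -----------------------------
    Tunnel local      : 1.1.3.1
    Tunnel remote     : 1.1.5.1
    Flow source       : 10.1.1.0/255.255.255.0 0/0
    Flow destination  : 10.1.3.0/255.255.255.0 0/0
    Flow vpn          : vpn1
    [Outbound ESP SAs]
      Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128
      SA remaining key duration (kilobytes/sec): 1843200/1031
      UDP encapsulation used for NAT traversal: N
    [Inbound ESP SAs]
      SPI: 215352593 (0xcd60511)
      Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128
      SA remaining key duration (kilobytes/sec): 1843196/1031
      UDP encapsulation used for NAT traversal: N
      Anti-replay : Enable
"""

# 'Key : value' lines; the [bracketed] section headers are handled separately.
KV = re.compile(r"^\s*([^:\[\]]+?)\s*:\s*(.*?)\s*$")

def parse_ipsec_sa(text):
    """Split the output into the flow header and the outbound/inbound ESP SA sections."""
    sa = {"flow": {}, "outbound": {}, "inbound": {}}
    section = "flow"
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("[Outbound ESP SAs]", "[Inbound ESP SAs]"):
            section = stripped.strip("[]").split()[0].lower()   # "outbound" / "inbound"
            continue
        m = KV.match(line)
        if m:
            sa[section][m.group(1)] = m.group(2)
    return sa

# Expected state from FW_A's configuration above; the proposal reflects the
# ESP algorithms listed in the configuration file.
EXPECTED = {"vpn": "vpn1", "local": "1.1.3.1", "remote": "1.1.5.1",
            "proposal": "ESP-ENCRYPT-AES-256 SHA2-256-128"}
MIN_REMAINING_SEC = 300  # assumed alarm threshold, not a device default

def check_sa(sa, expected=EXPECTED):
    """Return a list of findings; an empty list means the SA looks as expected."""
    findings = []
    flow = sa["flow"]
    if flow.get("Flow vpn") != expected["vpn"]:
        findings.append(f"flow is in VPN {flow.get('Flow vpn')!r}, expected {expected['vpn']!r}")
    if (flow.get("Tunnel local"), flow.get("Tunnel remote")) != (expected["local"], expected["remote"]):
        findings.append("tunnel endpoints differ from the configured peer")
    for direction in ("outbound", "inbound"):
        d = sa[direction]
        if d.get("Proposal") != expected["proposal"]:
            findings.append(f"{direction}: unexpected proposal {d.get('Proposal')!r}")
        _kb, sec = d.get("SA remaining key duration (kilobytes/sec)", "0/0").split("/")
        if int(sec) < MIN_REMAINING_SEC:
            findings.append(f"{direction}: SA lifetime almost over ({sec}s), rekeying may be failing")
        if d.get("UDP encapsulation used for NAT traversal") == "Y":
            findings.append(f"{direction}: NAT-T in use although no NAT is expected on this path")
    if sa["inbound"].get("Anti-replay") != "Enable":
        findings.append("inbound: anti-replay is disabled")
    return findings
```

Run the two functions over the live command output collected from FW_A to get an empty list for a healthy tunnel and a plain-language finding for each deviation.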
                                                                                

Configuration Files

  • FW_A configuration file

    #
     sysname FW_A
    #
    ip vpn-instance vpn1
     route-distinguisher 100:1
    #
    acl number 3000 vpn-instance vpn1
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer vpn1
     pre-shared-key %^%#cnEDZkL3}#J"qG/2iTb&P9q/%^%#
     ike-proposal 10
     remote-address 1.1.5.1
     sa binding vpn-instance vpn1
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer vpn1
     proposal tran1
     tunnel local 1.1.3.1
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip binding vpn-instance vpn1
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 1.1.3.1 255.255.255.0
    #
    interface Tunnel0
     ip binding vpn-instance vpn1
     ip address 10.10.1.2 255.255.255.0
     tunnel-protocol ipsec
     source 1.1.3.1
     destination 1.1.5.1
     ipsec policy map1
    #
    firewall zone trust
     add interface GigabitEthernet0/0/1
    #
    firewall zone untrust
     add interface GigabitEthernet0/0/3
     add interface Tunnel0
    #
    ip route-static vpn-instance vpn1 10.1.3.0 255.255.255.0 Tunnel0
    #
    security-policy
     rule name policy1
      source-zone local
      destination-zone untrust
      source-address 1.1.3.1 255.255.255.255
      destination-address 1.1.5.1 255.255.255.255
      action permit
     rule name policy2
      source-zone untrust
      destination-zone local
      source-address 1.1.5.1 255.255.255.255
      destination-address 1.1.3.1 255.255.255.255
      action permit
     rule name policy3
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.0 255.255.255.0
      destination-address 10.1.3.0 255.255.255.0
      action permit
     rule name policy4
      source-zone untrust
      destination-zone trust
      source-address 10.1.3.0 255.255.255.0
      destination-address 10.1.1.0 255.255.255.0
      action permit
    #
    return
  • FW_B configuration file

    #
     sysname FW_B
    #
    acl number 3000
     rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    #
    ipsec proposal tran1
     esp authentication-algorithm sha2-256
     esp encryption-algorithm aes-256
    #
    ike proposal 10
     encryption-algorithm aes-256
     dh group14
     authentication-algorithm sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    ike peer vpn1
     pre-shared-key %^%#1tx/S9a;iF[L)QFz!$p;y]Lg%^%#
     ike-proposal 10
     remote-address 1.1.3.1
    #
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer vpn1
     proposal tran1
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 1.1.5.1 255.255.255.0
     ipsec policy map1
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.3.1 255.255.255.0
    #
    firewall zone trust
     add interface GigabitEthernet0/0/3
    #
    firewall zone untrust
     add interface GigabitEthernet0/0/1
    #
    ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      source-address 10.1.3.0 255.255.255.0
      destination-address 10.1.1.0 255.255.255.0
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      source-address 10.1.1.0 255.255.255.0
      destination-address 10.1.3.0 255.255.255.0
      action permit
     rule name policy3
      source-zone local
      destination-zone untrust
      source-address 1.1.5.1 255.255.255.255
      destination-address 1.1.3.1 255.255.255.255
      action permit
     rule name policy4
      source-zone untrust
      destination-zone local
      source-address 1.1.3.1 255.255.255.255
      destination-address 1.1.5.1 255.255.255.255
      action permit
    #
    return
Copyright © Huawei Technologies Co., Ltd.