
CLI: Example for Configuring Link Backup for an IPSec Tunnel

Networking Requirements

As shown in Figure 1, FW_A connects to the Internet through active and standby links, and active and standby interfaces use fixed public IP addresses. FW_B connects to the Internet through one link, and its outbound interface uses a fixed public IP address.

Figure 1 Configuring link backup for an IPSec tunnel

The networking requirements are as follows:
  • An IPSec tunnel is established between FW_A and FW_B for the communication between the headquarters and the branch.
  • When the active link of FW_A becomes faulty, services are automatically switched to the standby link. After the fault of the active link is rectified, services can be switched back.

Data Plan

  Item      Data
  --------  -------------------------------------------------------------------------
  FW_A      Interface number: GigabitEthernet 0/0/0
            IP address: 10.1.1.1/24
            Security zone: Trust

            Interface number: GigabitEthernet 0/0/1
            IP address: 1.1.3.1/24
            Security zone: Untrust

            Interface number: GigabitEthernet 0/0/2
            IP address: 1.1.4.1/24
            Security zone: Untrust

            IPSec configuration:
            Peer IP address: 2.2.2.2
            Authentication type: pre-shared key
            Pre-shared key: Test!1234
            Local ID type: IP address
            Peer ID type: IP address

  FW_B      Interface number: GigabitEthernet 0/0/1
            IP address: 2.2.2.2/24
            Security zone: Untrust

            Interface number: GigabitEthernet 0/0/0
            IP address: 10.2.1.1/24
            Security zone: Trust

            Tunnel1 and Tunnel2 interfaces:
            IP address: 2.2.2.2/24 (An IPSec tunnel is established between FW_B and FW_A over the Internet using tunnel interfaces. In this example, interfaces Tunnel1 and Tunnel2 borrow the IP address of interface GigabitEthernet 0/0/1 as their public IP address.)
            Security zone: Untrust

            IPSec configuration:
            Peer IP address: 1.1.3.1
            Authentication type: pre-shared key
            Pre-shared key: Test!1234
            Local ID type: IP address
            Peer ID type: IP address

Configuration Roadmap

To establish two IPSec tunnels between FW_A (with active and standby interfaces) and FW_B (with only one physical interface), configure two tunnel interfaces on FW_B. When an active/standby link switchover occurs on FW_A, the tunnel interfaces on FW_B are switched accordingly for re-negotiating an IPSec tunnel.

  1. Configure FW_A.
    1. Perform basic configurations, including setting interface IP addresses and adding the interfaces to corresponding security zones.
    2. Configure routes.

      Configure two routes with different priorities from FW_A to FW_B for redundancy. Then bind IP-link to the active route for detecting the status of the active link. When the active link is faulty, the system automatically switches traffic to the standby link.

    3. Configure an IPSec policy.
    4. Apply the IPSec policy to interfaces.

      Apply the same IPSec policy to active interface GigabitEthernet 0/0/1 and standby interface GigabitEthernet 0/0/2 on FW_A. When active interface GigabitEthernet 0/0/1 becomes faulty, standby interface GigabitEthernet 0/0/2 takes over service traffic.

  2. Configure FW_B.
    1. Perform basic configurations, including setting interface IP addresses and adding the interfaces to security zones.

      Configure active interface Tunnel1 and standby interface Tunnel2 on FW_B, corresponding to active and standby interfaces on FW_A. When an active/standby link switchover occurs on FW_A, the tunnel interfaces on FW_B are switched accordingly.

    2. Configure routes.

      Use routes to divert the data flows to be protected on FW_B to the tunnel interfaces. Because FW_B has two tunnel interfaces, namely Tunnel1 and Tunnel2, configure two routes with different priorities to the headquarters for redundancy. Then bind IP-link to the active route to detect the status of the active link. When the active link is faulty, the system automatically switches traffic to the standby link.

    3. Configure IPSec policies.

      An IPSec tunnel needs to be established between FW_B and FW_A using active and standby interfaces. Therefore, configure two IPSec policies.

    4. Apply IPSec policies to interfaces.

      Apply IPSec policies to interfaces Tunnel1 and Tunnel2. When the active interface Tunnel1 becomes faulty, the standby interface Tunnel2 takes over service traffic.

Procedure

  1. Configure FW_A (headquarters).
    1. Perform basic configurations.

      1. Set interface IP addresses.
        <sysname> system-view
        [sysname] sysname FW_A
        [FW_A] interface GigabitEthernet 0/0/0
        [FW_A-GigabitEthernet0/0/0] ip address 10.1.1.1 24
        [FW_A-GigabitEthernet0/0/0] quit
        [FW_A] interface GigabitEthernet 0/0/1
        [FW_A-GigabitEthernet0/0/1] ip address 1.1.3.1 24
        [FW_A-GigabitEthernet0/0/1] quit
        [FW_A] interface GigabitEthernet 0/0/2
        [FW_A-GigabitEthernet0/0/2] ip address 1.1.4.1 24
        [FW_A-GigabitEthernet0/0/2] quit
      2. Add interfaces to corresponding security zones.
        [FW_A] firewall zone trust
        [FW_A-zone-trust] add interface GigabitEthernet 0/0/0
        [FW_A-zone-trust] quit
        [FW_A] firewall zone untrust
        [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
        [FW_A-zone-untrust] add interface GigabitEthernet 0/0/2
        [FW_A-zone-untrust] quit

    2. Configure firewall policies.

      1. Configure the security policies between the Trust and Untrust zones to allow original and decapsulated packets to pass through FW_A.
        [FW_A] security-policy
        [FW_A-policy-security] rule name 1
        [FW_A-policy-security-rule-1] source-zone trust
        [FW_A-policy-security-rule-1] destination-zone untrust
        [FW_A-policy-security-rule-1] source-address 10.1.1.0 24
        [FW_A-policy-security-rule-1] destination-address 10.2.1.0 24
        [FW_A-policy-security-rule-1] action permit
        [FW_A-policy-security-rule-1] quit
        [FW_A-policy-security] rule name 2
        [FW_A-policy-security-rule-2] source-zone untrust
        [FW_A-policy-security-rule-2] destination-zone trust
        [FW_A-policy-security-rule-2] source-address 10.2.1.0 24
        [FW_A-policy-security-rule-2] destination-address 10.1.1.0 24
        [FW_A-policy-security-rule-2] action permit
        [FW_A-policy-security-rule-2] quit
      2. Configure the security policies between the Local and Untrust zones to allow IKE negotiation packets to pass through FW_A.

        The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, the protocol, or the port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

        [FW_A-policy-security] rule name 3
        [FW_A-policy-security-rule-3] source-zone local
        [FW_A-policy-security-rule-3] destination-zone untrust
        [FW_A-policy-security-rule-3] source-address 1.1.0.0 16
        [FW_A-policy-security-rule-3] destination-address 2.2.2.0 24
        [FW_A-policy-security-rule-3] action permit
        [FW_A-policy-security-rule-3] quit
        [FW_A-policy-security] rule name 4
        [FW_A-policy-security-rule-4] source-zone untrust
        [FW_A-policy-security-rule-4] destination-zone local
        [FW_A-policy-security-rule-4] source-address 2.2.2.0 24
        [FW_A-policy-security-rule-4] destination-address 1.1.0.0 16
        [FW_A-policy-security-rule-4] action permit
        [FW_A-policy-security-rule-4] quit
        [FW_A-policy-security] quit

    3. Configure IP-link for detecting the status of the active link from FW_A to FW_B.

      [FW_A] ip-link check enable
      [FW_A] ip-link name n1
      [FW_A-iplink-n1] destination 2.2.2.2 interface GigabitEthernet 0/0/1 next-hop 1.1.3.2
      [FW_A-iplink-n1] quit

    4. Configure routes to the branch.

      Configure two routes (with the priorities of active and standby routes as 10 and 20 respectively) to the branch and bind the active route to IP-link. When the active link becomes faulty, the standby route takes over service traffic.

      [FW_A] ip route-static 10.2.1.0 24 1.1.3.2 preference 10 track ip-link n1
      [FW_A] ip route-static 10.2.1.0 24 1.1.4.2 preference 20
      [FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2 preference 10 track ip-link n1
      [FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2 preference 20

    5. Configure ACLs to define the data flows to be protected.

      [FW_A] acl 3000 
      [FW_A-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255 
      [FW_A-acl-adv-3000] quit

    6. Create an IPSec proposal named tran1.

      [FW_A] ipsec proposal tran1
      [FW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
      [FW_A-ipsec-proposal-tran1] transform esp
      [FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_A-ipsec-proposal-tran1] quit

    7. Configure an IKE proposal numbered 10.

      [FW_A] ike proposal 10
      [FW_A-ike-proposal-10] authentication-method pre-share
      [FW_A-ike-proposal-10] prf hmac-sha2-256
      [FW_A-ike-proposal-10] encryption-algorithm aes-256
      [FW_A-ike-proposal-10] dh group14
      [FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [FW_A-ike-proposal-10] quit

    8. Configure an IKE peer.

      [FW_A] ike peer b
      [FW_A-ike-peer-b] ike-proposal 10
      [FW_A-ike-peer-b] pre-shared-key Test!1234
      [FW_A-ike-peer-b] remote-address 2.2.2.2
      [FW_A-ike-peer-b] quit

    9. Configure two IPSec policies.

      [FW_A] ipsec policy map1 10 isakmp
      [FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
      [FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
      [FW_A-ipsec-policy-isakmp-map1-10] ike-peer b
      [FW_A-ipsec-policy-isakmp-map1-10] quit
      [FW_A] ipsec policy map2 10 isakmp
      [FW_A-ipsec-policy-isakmp-map2-10] security acl 3000
      [FW_A-ipsec-policy-isakmp-map2-10] proposal tran1
      [FW_A-ipsec-policy-isakmp-map2-10] ike-peer b
      [FW_A-ipsec-policy-isakmp-map2-10] quit

    10. Apply IPSec policies to the outbound interfaces.

      [FW_A] interface GigabitEthernet 0/0/1
      [FW_A-GigabitEthernet0/0/1] ipsec policy map1
      [FW_A-GigabitEthernet0/0/1] quit
      [FW_A] interface GigabitEthernet 0/0/2
      [FW_A-GigabitEthernet0/0/2] ipsec policy map2
      [FW_A-GigabitEthernet0/0/2] quit

  2. Configure FW_B (branch).
    1. Perform basic configurations.

      1. Set interface IP addresses.
        <sysname> system-view
        [sysname] sysname FW_B
        [FW_B] interface GigabitEthernet 0/0/0
        [FW_B-GigabitEthernet0/0/0] ip address 10.2.1.1 24
        [FW_B-GigabitEthernet0/0/0] quit
        [FW_B] interface GigabitEthernet 0/0/1
        [FW_B-GigabitEthernet0/0/1] ip address 2.2.2.2 24
        [FW_B-GigabitEthernet0/0/1] quit
        [FW_B] interface tunnel 1
        [FW_B-Tunnel1] ip address unnumbered interface GigabitEthernet 0/0/1
        [FW_B-Tunnel1] tunnel-protocol ipsec
        [FW_B-Tunnel1] quit
        [FW_B] interface tunnel 2
        [FW_B-Tunnel2] ip address unnumbered interface GigabitEthernet 0/0/1
        [FW_B-Tunnel2] tunnel-protocol ipsec
        [FW_B-Tunnel2] quit
      2. Add interfaces to corresponding security zones.
        [FW_B] firewall zone trust
        [FW_B-zone-trust] add interface GigabitEthernet 0/0/0
        [FW_B-zone-trust] quit
        [FW_B] firewall zone untrust
        [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
        [FW_B-zone-untrust] add interface Tunnel 1
        [FW_B-zone-untrust] add interface Tunnel 2
        [FW_B-zone-untrust] quit

    2. Configure firewall policies.

      1. Configure the security policies between the Trust and Untrust zones to allow original and decapsulated packets to pass through FW_B.
        [FW_B] security-policy
        [FW_B-policy-security] rule name 1
        [FW_B-policy-security-rule-1] source-zone trust
        [FW_B-policy-security-rule-1] destination-zone untrust
        [FW_B-policy-security-rule-1] source-address 10.2.1.0 24
        [FW_B-policy-security-rule-1] destination-address 10.1.1.0 24
        [FW_B-policy-security-rule-1] action permit
        [FW_B-policy-security-rule-1] quit
        [FW_B-policy-security] rule name 2
        [FW_B-policy-security-rule-2] source-zone untrust
        [FW_B-policy-security-rule-2] destination-zone trust
        [FW_B-policy-security-rule-2] source-address 10.1.1.0 24
        [FW_B-policy-security-rule-2] destination-address 10.2.1.0 24
        [FW_B-policy-security-rule-2] action permit
        [FW_B-policy-security-rule-2] quit
      2. Configure the security policies between the Local and Untrust zones to allow IKE negotiation packets to pass through FW_B.

        The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, the protocol, or the port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).

        [FW_B-policy-security] rule name 3
        [FW_B-policy-security-rule-3] source-zone local
        [FW_B-policy-security-rule-3] destination-zone untrust
        [FW_B-policy-security-rule-3] source-address 2.2.2.0 24
        [FW_B-policy-security-rule-3] destination-address 1.1.0.0 16
        [FW_B-policy-security-rule-3] action permit
        [FW_B-policy-security-rule-3] quit
        [FW_B-policy-security] rule name 4
        [FW_B-policy-security-rule-4] source-zone untrust
        [FW_B-policy-security-rule-4] destination-zone local
        [FW_B-policy-security-rule-4] source-address 1.1.0.0 16
        [FW_B-policy-security-rule-4] destination-address 2.2.2.0 24
        [FW_B-policy-security-rule-4] action permit
        [FW_B-policy-security-rule-4] quit
        [FW_B-policy-security] quit

      You should configure a security policy between the Local zone and the zone where the physical interface that sends and receives IKE negotiation packets resides, not between the Local zone and the zone where the tunnel interface resides.

    3. Configure IP-link for detecting the status of the link from FW_B to FW_A.

      [FW_B] ip-link check enable
      [FW_B] ip-link name n1
      [FW_B-iplink-n1] destination 1.1.3.1 interface GigabitEthernet 0/0/1 next-hop 2.2.2.1
      [FW_B-iplink-n1] quit

    4. Configure routes to tunnel interfaces. Data flows destined for the headquarters are preferentially diverted to tunnel interfaces.

      [FW_B] ip route-static 10.1.1.0 255.255.255.0 Tunnel 1 preference 10 track ip-link n1
      [FW_B] ip route-static 10.1.1.0 255.255.255.0 Tunnel 2 preference 20

    5. Configure a route to the headquarters. Assume that the next hop of the route is 2.2.2.1.

      [FW_B] ip route-static 0.0.0.0 0.0.0.0 2.2.2.1

    6. Configure ACLs to define the data flows to be protected.

      [FW_B] acl 3000 
      [FW_B-acl-adv-3000] rule 5 permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 
      [FW_B-acl-adv-3000] quit

    7. Configure an IPSec proposal named tran1.

      [FW_B] ipsec proposal tran1
      [FW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
      [FW_B-ipsec-proposal-tran1] transform esp
      [FW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_B-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [FW_B-ipsec-proposal-tran1] quit

    8. Configure an IKE proposal numbered 10.

      [FW_B] ike proposal 10
      [FW_B-ike-proposal-10] authentication-method pre-share
      [FW_B-ike-proposal-10] prf hmac-sha2-256
      [FW_B-ike-proposal-10] encryption-algorithm aes-256
      [FW_B-ike-proposal-10] dh group14
      [FW_B-ike-proposal-10] integrity-algorithm hmac-sha2-256
      [FW_B-ike-proposal-10] quit

    9. Configure two IKE peers.

      During the active/standby switchover of FW_A, FW_B switches the IKE peer to negotiate with FW_A.

      [FW_B] ike peer a1
      [FW_B-ike-peer-a1] ike-proposal 10
      [FW_B-ike-peer-a1] remote-address 1.1.3.1
      [FW_B-ike-peer-a1] pre-shared-key Test!1234
      [FW_B-ike-peer-a1] quit
      [FW_B] ike peer a2
      [FW_B-ike-peer-a2] ike-proposal 10
      [FW_B-ike-peer-a2] remote-address 1.1.4.1
      [FW_B-ike-peer-a2] pre-shared-key Test!1234
      [FW_B-ike-peer-a2] quit

    10. Configure IPSec policies map1 and map2.

      [FW_B] ipsec policy map1 10 isakmp
      [FW_B-ipsec-policy-isakmp-map1-10] security acl 3000
      [FW_B-ipsec-policy-isakmp-map1-10] proposal tran1
      [FW_B-ipsec-policy-isakmp-map1-10] ike-peer a1
      [FW_B-ipsec-policy-isakmp-map1-10] quit
      [FW_B] ipsec policy map2 10 isakmp
      [FW_B-ipsec-policy-isakmp-map2-10] security acl 3000
      [FW_B-ipsec-policy-isakmp-map2-10] proposal tran1
      [FW_B-ipsec-policy-isakmp-map2-10] ike-peer a2
      [FW_B-ipsec-policy-isakmp-map2-10] quit

    11. Apply IPSec policies map1 and map2 to Tunnel1 and Tunnel2 interfaces.

      [FW_B] interface tunnel 1
      [FW_B-Tunnel1] ipsec policy map1
      [FW_B-Tunnel1] quit
      [FW_B] interface tunnel 2
      [FW_B-Tunnel2] ipsec policy map2
      [FW_B-Tunnel2] quit

Verification

  1. After configurations are complete, run the ping command on PC1 at the headquarters to check whether PC2 at the branch can be pinged. If all configurations are correct, PC1 and PC2 can ping each other.
  2. On FW_A and FW_B, run the display ike sa command to display the status of the IKE SA establishment. If the following information (using FW_A as an example) is displayed, the IKE SA is established.
    <FW_A> display ike sa
    IKE SA information :   
        Conn-ID     Peer            VPN   Flag(s)  Phase  RemoteType  RemoteID
      -----------------------------------------------------------------------------
        40002      2.2.2.2:500            RD|ST|A  v2:2   IP          2.2.2.2
        40001      2.2.2.2:500            RD|ST|A  v2:1   IP          2.2.2.2
    
      Number of IKE SA : 2 
      -------------------------------------------------------------------------------
                                                                                    
      Flag Description:                                                             
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING 
  3. On FW_A and FW_B, run the display ipsec sa command to display the status of the IPSec SA establishment. If the following information (using FW_A as an example) is displayed, the IPSec SA is established.
    <FW_A> display ipsec sa
    
    ===============================
    Interface: GigabitEthernet0/0/1
    ===============================
    
      -----------------------------
      IPSec policy name: "map1" 
      Sequence number  : 10
      Acl group        : 3000                                                       
      Acl rule         : 5   
      Mode             : ISAKMP 
      -----------------------------
        Connection ID : 40002
        Encapsulation mode: Tunnel  
        Tunnel local      : 1.1.3.1    
        Tunnel remote     : 2.2.2.2  
        Flow source       : 10.1.1.0/255.255.255.0 0/0                      
        Flow destination  : 10.2.1.0/255.255.255.0 0/0             
    
        [Outbound ESP SAs] 
          SPI: 120037772 (0x727a18c)
          Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128  
          SA remaining key duration (bytes/sec): 1887436464/3549
          Max sent sequence-number: 5
          UDP encapsulation used for NAT traversal: N     
          SA decrypted packets (number/kilobytes): 4/0
    
        [Inbound ESP SAs] 
          SPI: 38742361 (0x24f2959)      
          Proposal: ESP-ENCRYPT-AES-256 SHA2-256-128  
          SA remaining key duration (bytes/sec): 1887436464/3549
          Max received sequence-number: 4
          UDP encapsulation used for NAT traversal: N       
          SA decrypted packets (number/kilobytes): 4/0                        
          Anti-replay : Enable                                                      
          Anti-replay window size: 1024   
    
    
  4. Run the display ipsec statistics command to check the changes of encrypted data packets. Take FW_A as an example.
    <FW_A> display ipsec statistics
     IPSec statistics information:                                                  
     the security packet statistics:                                                
       input/output security packets: 4/4                                           
       input/output security bytes: 400/400
       input/output dropped security packets: 0/0                                   
       the encrypt packet statistics:                                               
         send chip: 4, recv chip: 4, send err: 0                                    
         local cpu: 4, other cpu: 0, recv other cpu: 0                              
         intact packet: 4, first slice: 0, after slice: 0                           
       the decrypt packet statistics:                                               
         send chip: 4, recv chip: 4, send err: 0                                    
         local cpu: 4, other cpu: 0, recv other cpu: 0                              
         reass  first slice: 0, after slice: 0                                      
       dropped security packet detail:                                              
         can not find SA: 0, wrong SA: 0                                            
         authentication: 0, replay: 0                                               
         front recheck: 0, after recheck: 0                                         
         change cpu enc: 0, dec change cpu: 0                                       
         fib search: 0, output l3: 0                                                
         flow err: 0, slice err: 0, byte limit: 0                                   
       negotiate about packet statistics:                                           
         IKE fwd packet ok: 23300, err: 0                                               
         IKE ctrl packet inbound ok: 22100, outbound ok: 1105
         SoftExpr: 0, HardExpr: 0, DPDOper: 0                                       
         trigger ok: 0, switch sa: 2, sync sa: 0                                    
         recv IKE nat keepalive: 0, IKE input: 0  
  5. Disable interface GigabitEthernet 0/0/1 on FW_A and perform the following operations to check whether the link is switched over:
    • Run the display ike sa and display ipsec sa commands. You can find that SAs exist.
    • Packets can still be received and transmitted between the headquarters and the branch. Run the display ipsec statistics command. You can see the packet counters increasing.

Configuration Files

  • FW_A (headquarters) configuration file

    #
     sysname FW_A
    #                                                                               
    acl number 3000                                               
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255       
    #
    ipsec proposal tran1                                                            
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256                               
    #
    ike proposal 10
      encryption-algorithm aes-256                                                   
      dh group14                                                                      
      authentication-algorithm sha2-256                                              
      authentication-method pre-share                                                
      integrity-algorithm hmac-sha2-256                                              
      prf hmac-sha2-256                                               
    #                                                                               
    ike peer b                                                                   
     ike-proposal 10                                                          
     remote-address 2.2.2.2                                                
     pre-shared-key %$%$SP!UWlu=$B7`~B!@iRn+jvmd%$%$                                     
    #                                                                               
    ipsec policy map1 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
    #
    ipsec policy map2 10 isakmp
     security acl 3000
     ike-peer b
     proposal tran1
    #                                                                               
    interface GigabitEthernet0/0/0
     undo shutdown
     ip address 10.1.1.1 24
    interface GigabitEthernet0/0/1      
     undo shutdown
     ip address 1.1.3.1 24                                             
     ipsec policy map1                                                               
    interface GigabitEthernet0/0/2      
     undo shutdown
     ip address 1.1.4.1 24                                             
     ipsec policy map2                                                               
    #                                                                               
    firewall zone trust                                           
     add interface GigabitEthernet0/0/0
    #                                                                               
    firewall zone untrust                                         
     add interface GigabitEthernet0/0/1
     add interface GigabitEthernet0/0/2
    #                                                                               
    ip-link check enable                                      
    ip-link name n1
     destination 2.2.2.2 interface GigabitEthernet0/0/1 next-hop 1.1.3.2
    #                                                                               
     ip route-static 10.2.1.0 24 1.1.3.2 preference 10 track ip-link n1                       
     ip route-static 10.2.1.0 24 1.1.4.2 preference 20         
     ip route-static 0.0.0.0 0.0.0.0 1.1.3.2 preference 10 track ip-link n1
     ip route-static 0.0.0.0 0.0.0.0 1.1.4.2 preference 20
    #                                                                               
    security-policy
     rule name 1
      source-zone trust
      destination-zone untrust
      source-address 10.1.1.0 255.255.255.0
      destination-address 10.2.1.0 255.255.255.0
      action permit
     rule name 2
      source-zone untrust
      destination-zone trust
      source-address 10.2.1.0 255.255.255.0
      destination-address 10.1.1.0 255.255.255.0
      action permit
     rule name 3
      source-zone local
      destination-zone untrust
      source-address 1.1.0.0 255.255.0.0
      destination-address 2.2.2.0 255.255.255.0
      action permit
     rule name 4
      source-zone untrust
      destination-zone local
      source-address 2.2.2.0 255.255.255.0
      destination-address 1.1.0.0 255.255.0.0
      action permit
    #                                                                               
    return
  • FW_B (branch) configuration file

    #
     sysname FW_B
    #                                                                               
    acl number 3000                                               
     rule 5 permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255        
    #                                                                               
    ipsec proposal tran1                                                            
     esp authentication-algorithm sha2-256                                          
     esp encryption-algorithm aes-256   
    #
    ike proposal 10
      encryption-algorithm aes-256                                                   
      dh group14                                                                      
      authentication-algorithm sha2-256                                              
      authentication-method pre-share                                                
      integrity-algorithm hmac-sha2-256                                              
      prf hmac-sha2-256                                               
    #                                                                               
    ike peer a1                                                                   
     ike-proposal 10                                                          
     remote-address 1.1.3.1                                                
     pre-shared-key %$%$SP!UWlu=$B7`~B!@iRn+jvmd%$%$                                     
    #
    ike peer a2                                                                   
     ike-proposal 10                                                          
     remote-address 1.1.4.1                                                
     pre-shared-key %$%$SP!UWlu=$B7`~B!@iRn+jvmd%$%$                                     
    #                                                                               
    ipsec policy map1 10 isakmp                                                      
     security acl 3000                                                              
     proposal tran1                                                                  
     ike-peer a1                                                                  
    # 
    ipsec policy map2 10 isakmp                                                      
     security acl 3000                                       
     proposal tran1                                                                  
     ike-peer a2                                                                  
    #                                                                               
    interface tunnel 1
     ip address unnumbered interface GigabitEthernet0/0/1
     tunnel-protocol ipsec
     ipsec policy map1
    interface tunnel 2
     ip address unnumbered interface GigabitEthernet0/0/1
     tunnel-protocol ipsec
     ipsec policy map2
    #                                                                               
    interface GigabitEthernet0/0/0
     undo shutdown
     ip address 10.2.1.1 24
    interface GigabitEthernet0/0/1      
     undo shutdown
     ip address 2.2.2.2 24                                             
    #                                                                               
    firewall zone trust                                           
     add interface GigabitEthernet0/0/0
    #                                                                               
    firewall zone untrust                                         
     add interface GigabitEthernet0/0/1
     add interface tunnel1
     add interface tunnel2
    #                                                                               
    ip-link check enable                                      
    ip-link name n1
     destination 1.1.3.1 interface GigabitEthernet 0/0/1 next-hop 2.2.2.1
    #                                                                               
     ip route-static 10.1.1.0 255.255.255.0 Tunnel 1 preference 10 track ip-link n1                       
     ip route-static 10.1.1.0 255.255.255.0 Tunnel 2 preference 20
     ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
    #                                                                               
    security-policy
     rule name 1
      source-zone trust
      destination-zone untrust
      source-address 10.2.1.0 255.255.255.0
      destination-address 10.1.1.0 255.255.255.0
      action permit
     rule name 2
      source-zone untrust
      destination-zone trust
      source-address 10.1.1.0 255.255.255.0
      destination-address 10.2.1.0 255.255.255.0
      action permit
     rule name 3
      source-zone local
      destination-zone untrust
      source-address 2.2.2.0 255.255.255.0
      destination-address 1.1.0.0 255.255.0.0
      action permit
     rule name 4
      source-zone untrust
      destination-zone local
      source-address 1.1.0.0 255.255.0.0
      destination-address 2.2.2.0 255.255.255.0
      action permit
    #                                                                               
    return
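The following script is an added example (not part of the original page or Huawei's tooling) that cross-checks abridged copies of the two configuration files above for the mismatches that most often keep the standby tunnel from coming up: each IKE peer's remote-address must be an interface of the far side, every FW_A interface carrying an IPSec policy needs a matching IKE peer on FW_B, every applied policy must reference a defined peer, and the preferred one of two routes must be tracked by IP-link. The excerpts are constructed from the page's configuration files; the finding texts and the 60 default route preference are the script's own assumptions.

```python
"""Cross-check FW_A and FW_B for mismatches that keep the backup IPSec tunnel from
coming up (peer addresses, policy bindings, route tracking). Added example, not Huawei tooling."""

# Constructed excerpts abridged from the page's two configuration files.
FW_A = """\
ike peer b
 remote-address 2.2.2.2
ipsec policy map1 10 isakmp
 ike-peer b
ipsec policy map2 10 isakmp
 ike-peer b
interface GigabitEthernet0/0/1
 ip address 1.1.3.1 24
 ipsec policy map1
interface GigabitEthernet0/0/2
 ip address 1.1.4.1 24
 ipsec policy map2
#
 ip route-static 10.2.1.0 24 1.1.3.2 preference 10 track ip-link n1
 ip route-static 10.2.1.0 24 1.1.4.2 preference 20
"""
FW_B = """\
ike peer a1
 remote-address 1.1.3.1
ike peer a2
 remote-address 1.1.4.1
ipsec policy map1 10 isakmp
 ike-peer a1
ipsec policy map2 10 isakmp
 ike-peer a2
interface tunnel 1
 ip address unnumbered interface GigabitEthernet0/0/1
 ipsec policy map1
interface tunnel 2
 ip address unnumbered interface GigabitEthernet0/0/1
 ipsec policy map2
interface GigabitEthernet0/0/1
 ip address 2.2.2.2 24
#
 ip route-static 10.1.1.0 255.255.255.0 Tunnel 1 preference 10 track ip-link n1
 ip route-static 10.1.1.0 255.255.255.0 Tunnel 2 preference 20
"""

def parse(cfg):
    """Extract interfaces, IKE peers, IPSec policies, policy bindings and static routes."""
    d = {"ifaces": {}, "peers": {}, "policies": {}, "applied": {}, "routes": []}
    block = None
    for raw in cfg.splitlines():
        w = raw.split()
        if not w or w == ["#"]:            # '#' closes a block; what follows is global
            block = None
        elif not raw.startswith(" "):      # an unindented line opens a new block
            block = w
        elif block is None:
            if w[:2] == ["ip", "route-static"]:     # assumed VRP default preference: 60
                pref = int(w[w.index("preference") + 1]) if "preference" in w else 60
                d["routes"].append((w[2], pref, "track ip-link" in raw))
        elif block[:2] == ["ike", "peer"] and w[0] == "remote-address":
            d["peers"][block[2]] = w[1]
        elif block[:2] == ["ipsec", "policy"] and w[0] == "ike-peer":
            d["policies"][block[2]] = w[1]
        elif block[0] == "interface":
            name = "".join(block[1:]).lower()       # "tunnel 1" -> "tunnel1"
            if w[:2] == ["ip", "address"] and w[2] != "unnumbered":
                d["ifaces"][name] = w[2]
            elif w[:2] == ["ipsec", "policy"]:
                d["applied"][name] = w[2]
    return d

def check(cfg_a, cfg_b):
    """Return findings for both directions; an empty list means the sides agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    for tag, me, far in (("FW_A", a, b), ("FW_B", b, a)):
        far_addrs = set(far["ifaces"].values())
        for peer, ip in me["peers"].items():
            if ip not in far_addrs:
                out.append(f"{tag}: ike peer {peer} remote-address {ip} is not a far-side interface")
        for pol, peer in me["policies"].items():
            if peer not in me["peers"]:
                out.append(f"{tag}: ipsec policy {pol} references undefined ike-peer {peer}")
        for ifc, pol in me["applied"].items():
            if pol not in me["policies"]:
                out.append(f"{tag}: interface {ifc} applies undefined ipsec policy {pol}")
            ip = me["ifaces"].get(ifc)   # link backup needs a far-side peer per local interface
            if ip and ip not in far["peers"].values():
                out.append(f"{tag}: far side has no ike peer for {ifc} ({ip}); no tunnel on that link")
        by_dst = {}                      # with active/standby routes the preferred one must be tracked
        for dst, pref, tracked in me["routes"]:
            by_dst.setdefault(dst, []).append((pref, tracked))
        for dst, rs in by_dst.items():
            if len(rs) > 1 and not min(rs)[1]:
                out.append(f"{tag}: preferred route to {dst} is not tracked by ip-link, so it never fails over")
    return out

if __name__ == "__main__":
    for line in check(FW_A, FW_B) or ["no mismatches found"]:
        print(line)
```

Changing a single remote-address or dropping the track ip-link keyword in either excerpt produces a finding on both sides, which is the kind of one-line slip that leaves the active tunnel working and the standby one silently dead.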
Copyright © Huawei Technologies Co., Ltd.