IPSec Between the USG2160 and Infogate Firewall

Publication Date: 2012-07-24
Issue Description
The IPSec VPN is established between the USG2160 and the Infogate firewall in main mode. The IPSec configuration of the Infogate firewall is quite simple: part of the phase 2 configuration is known, and certain default settings are adopted. Those defaults cannot be queried through commands, which makes interconnection more difficult. After the USG2160 is configured, phase 1 succeeds. The following figure shows the IPSec VPN configuration of the Infogate firewall: [figure not available]
 
Original configurations of the USG2160 are as follows:
acl number 3002
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.127
#
ike proposal 10
#
ike peer test
 pre-shared-key 12345678
 ike-proposal 10
 remote-address 59.56.179.5
#
ipsec proposal test
 esp encryption-algorithm 3des
#
ipsec policy test 10 isakmp
 security acl 3002
 ike-peer test
 proposal test
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
#
interface Ethernet0/0/0
 ip address 61.154.14.55 255.255.255.0
 undo ip fast-forwarding qff
 undo ip fast-forwarding output
 ipsec policy test
Alarm Information
None.
Handling Process
1. Query the Infogate firewall. From it you can learn the phase 2 encryption algorithm (3DES, which differs from the USG default), the authentication algorithm (MD5, which also differs from the USG default), the public IP address on that end, the LAN network segment, the negotiation mode (main mode), and the pre-shared key (12345678). Check the ACLs at both ends; they are correct. Run the display acl 3002 command: the ACL rule has been matched tens of hundreds of times.
2. Express forwarding is enabled on the intranet gateway interface but disabled on the egress port. Disable express forwarding on the Vlanif10 interface as well:

interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
 undo ip fast-forwarding qff
#
interface Ethernet0/0/0
 ip address 61.154.14.55 255.255.255.0
 undo ip fast-forwarding output
 ipsec policy test

3. Run the display ike sa command. The peer is displayed as unname. Because IKE proposal negotiation fails, change the proposal as follows:

ike proposal 10
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5

Phase 1 now succeeds, but pinging with the source IP address still fails.
4. The remaining difference between the Infogate firewall configuration and the USG2160 default configuration lies in PFS. Enable PFS by changing the IPSec policy as follows:

ipsec policy test 10 isakmp
 security acl 3002
 pfs dh-group2
 ike-peer test
 proposal test

Both the IKE SA and the IPSec SA are now established.
<USG2160>dis ike sa
    connection-id  peer                  flag        phase   doi
  ----------------------------------------------------------------
       50          59.56.179.5           RD|ST         2     IPSEC
       41          59.56.179.5           RD            1     IPSEC
 
  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
  D--DPD
16:09:32  09-21-2010
<USG2160>dis ipsec sa
===============================
Interface: Ethernet0/0/0
    path MTU: 1500
===============================
 
  -----------------------------
  IPsec policy name: "test"
  sequence number: 10
  mode: isakmp
  -----------------------------
    connection id: 50
    encapsulation mode: tunnel
    tunnel local : 61.154.14.55    tunnel remote: 59.56.179.5
 
    [inbound ESP SAs]
      spi: 526811256 (0x1f668078)
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887345969/2839
      max received sequence-number: 1810
      udp encapsulation used for nat traversal: N
 
    [outbound ESP SAs]
      spi: 2704716525 (0xa136b2ed)       
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887340564/2839
      max sent sequence-number: 1744
      udp encapsulation used for nat traversal: N
5. Ping the peer intranet gateway with the source IP address; it now succeeds.
   
  <USG2160>ping -a 192.168.1.1 192.168.2.126
  PING 192.168.2.126: 56  data bytes, press CTRL+C to break
    Reply from 192.168.2.126: bytes=56 Sequence=1 ttl=64 time=1 ms
    Reply from 192.168.2.126: bytes=56 Sequence=2 ttl=64 time=1 ms
    Reply from 192.168.2.126: bytes=56 Sequence=3 ttl=64 time=1 ms
    Reply from 192.168.2.126: bytes=56 Sequence=4 ttl=64 time=1 ms
    Reply from 192.168.2.126: bytes=56 Sequence=5 ttl=64 time=1 ms
 
  --- 192.168.2.126 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
Root Cause
1. Express port forwarding is enabled.
2. Because the Infogate firewall relies on default settings that cannot be displayed, the configurations at both ends do not match.
Suggestions
First, you need to be familiar with the default configurations of the USG series firewall. For example, the USG adopts DH group1 (768 bits) by default; the encryption algorithm is DES and the authentication algorithm is SHA1. If phase 1 fails, you need to change the DH group to group2 (1024 bits), the encryption algorithm to 3DES, and the authentication algorithm to MD5.

Second, PFS is optional on the USG series, but it is mandatory on certain peer vendors' products to enhance security. Test with PFS enabled in the following scenarios: when the default configurations of the peer vendor's product cannot be checked, when phase 1 negotiation succeeds but phase 2 fails, and when no fault in the USG configuration accounts for the failure.

Finally, before configuring the VPN, disable express forwarding on the ingress interface.
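The two checks this case turns on, whether the phase 1 and phase 2 parameters (PFS included) match at both ends and which IKE phases the display ike sa output shows as ready, can be made mechanical. The following Python script is an added example, not code from the original case or from Huawei: the USG_DEFAULT_IKE values are the defaults stated above (DH group1, DES, SHA1), the peer values and the sample display ike sa listing are taken from this case, and the alias table, function names and the 'phase2_ready' style labels are my own assumptions.

```python
"""Added example (not part of the Huawei case): compare IKE/IPsec proposals
at both ends and classify the state shown by 'display ike sa'."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IkeProposal:
    """Phase 1 parameters that must match at both ends."""
    encryption: str   # e.g. "des", "3des-cbc"
    auth: str         # e.g. "sha1", "md5"
    dh_group: str     # e.g. "group1", "group2"


@dataclass(frozen=True)
class IpsecProposal:
    """Phase 2 parameters; pfs is None when PFS is disabled."""
    esp_encryption: str
    esp_auth: str
    pfs: Optional[str] = None


# USG series phase 1 defaults as stated in the case: DH group1, DES, SHA1.
USG_DEFAULT_IKE = IkeProposal("des", "sha1", "group1")

# Vendors spell the same algorithm differently; map them to one form so that
# "3des-cbc" on the USG compares equal to "3DES" on the peer (assumed aliases).
_ALIASES = {
    "3des-cbc": "3des",
    "des-cbc": "des",
    "sha": "sha1",
    "dh-group1": "group1",
    "dh-group2": "group2",
}


def _norm(value: Optional[str]) -> Optional[str]:
    if value is None:
        return None
    v = value.strip().lower()
    return _ALIASES.get(v, v)


def phase1_mismatches(local: IkeProposal, peer: IkeProposal) -> list:
    """Names of IKE parameters that differ; an empty list means phase 1 can match."""
    return [name for name in ("encryption", "auth", "dh_group")
            if _norm(getattr(local, name)) != _norm(getattr(peer, name))]


def phase2_mismatches(local: IpsecProposal, peer: IpsecProposal) -> list:
    """Names of IPsec parameters that differ, PFS included."""
    return [name for name in ("esp_encryption", "esp_auth", "pfs")
            if _norm(getattr(local, name)) != _norm(getattr(peer, name))]


# One SA row of 'display ike sa': connection-id, peer, flag, phase, doi.
_SA_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d)\s+(\S+)\s*$")


def parse_ike_sa(text: str) -> list:
    """Parse the SA rows of 'display ike sa' output into dicts; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = _SA_ROW.match(line)
        if m:
            conn, peer, flag, phase, doi = m.groups()
            rows.append({"id": int(conn), "peer": peer,
                         "flags": flag.split("|"), "phase": int(phase), "doi": doi})
    return rows


def negotiation_state(text: str, peer_ip: str) -> str:
    """'none', 'phase1_only' or 'phase2_ready', counting only SAs in READY (RD) state."""
    phases = {r["phase"] for r in parse_ike_sa(text)
              if r["peer"] == peer_ip and "RD" in r["flags"]}
    if 2 in phases:
        return "phase2_ready"
    if 1 in phases:
        return "phase1_only"
    return "none"


# Sample output copied from the case's 'display ike sa' listing.
SAMPLE_IKE_SA = """\
    connection-id  peer                  flag        phase   doi
  ----------------------------------------------------------------
       50          59.56.179.5           RD|ST         2     IPSEC
       41          59.56.179.5           RD            1     IPSEC

  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
  D--DPD
"""


def main() -> None:
    # Peer values as reported for the Infogate firewall in the case.
    infogate_ike = IkeProposal("3DES", "MD5", "group2")
    infogate_ipsec = IpsecProposal("3DES", "MD5", pfs="group2")
    print("phase 1, USG defaults vs peer:", phase1_mismatches(USG_DEFAULT_IKE, infogate_ike))
    print("phase 1, corrected proposal :",
          phase1_mismatches(IkeProposal("3des-cbc", "md5", "group2"), infogate_ike))
    print("phase 2, PFS off            :",
          phase2_mismatches(IpsecProposal("3des", "md5"), infogate_ipsec))
    print("phase 2, pfs dh-group2      :",
          phase2_mismatches(IpsecProposal("3des", "md5", "dh-group2"), infogate_ipsec))
    print("IKE SA state with peer      :", negotiation_state(SAMPLE_IKE_SA, "59.56.179.5"))


if __name__ == "__main__":
    main()
```

Run as a script, it reproduces the case: all three phase 1 parameters differ from the USG defaults, the corrected proposal clears them, PFS is the only phase 2 mismatch until pfs dh-group2 is set, and the sample listing classifies as both phases ready. Only rows with the RD flag count, so an SA that is fading or timed out does not make the tunnel look established.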
