Using an IPSec policy template to build a hub-and-spoke IPSec VPN with branches on dynamic IP addresses

Publication Date:  2012-09-24 Views:  416 Downloads:  0
Issue Description
The customer's headquarters uses a sub-policy to build an IPSec VPN with its branch, and both sides communicate over fixed IP addresses.
As the business grows, the company needs to set up a new branch office. The customer also intends to rebuild the IPSec VPN links so that each branch can connect to headquarters over a dynamic IP address.
The customer asked how to carry out this plan.
Alarm Information
none
Handling Process
Main configuration is as follows:
Company headquarters (FWA) configuration:
1) Configure the static route toward the branches
[FWA] ip route-static 0.0.0.0 0.0.0.0 200.0.0.2
2) Configure the ACL that defines the traffic to be protected (the hub permits all IP traffic; the template takes the flow from the branch)
[FWA] acl 3000
[FWA-acl-adv-3000] rule permit ip
[FWA-acl-adv-3000] quit
3) Configure the default packet-filter rule between the trust and untrust zones
[FWA] firewall packet-filter default permit interzone trust untrust
4) Configure the default packet-filter rule between the local and untrust zones
[FWA] firewall packet-filter default permit interzone local untrust
5) Configure the IPSec proposal
[FWA] ipsec proposal tran1
6) Configure the IKE proposal
[FWA] ike proposal 10
7) Configure the IKE peer
[FWA] ike peer a
# Reference the IKE proposal.
[FWA-ike-peer-a] ike-proposal 10
# Set the IKE negotiation mode to aggressive mode.
[FWA-ike-peer-a] exchange-mode aggressive
# Set the pre-shared key to "huawei".
[FWA-ike-peer-a] pre-shared-key huawei
8) Configure the IPSec policy template
[FWA] ipsec policy-template map1tmp 10
# Reference IKE peer a.
[FWA-ipsec-policy-templet-map1tmp-10] ike-peer a
# Reference the IPSec proposal named tran1.
[FWA-ipsec-policy-templet-map1tmp-10] proposal tran1
# Reference ACL 3000.
[FWA-ipsec-policy-templet-map1tmp-10] security acl 3000
# Return to the system view.
[FWA-ipsec-policy-templet-map1tmp-10] quit
# Create IPSec policy map1 from the template.
[FWA] ipsec policy map1 10 isakmp template map1tmp
9) Apply the IPSec policy to the interface
[FWA] interface Ethernet 1/0/0
[FWA-Ethernet1/0/0] ipsec policy map1
Branch 1 (FWB) configuration:
1) Configure the static route toward headquarters and the other private networks
[FWB] ip route-static 0.0.0.0 0.0.0.0 200.0.1.2
2) Configure the ACL that defines the traffic to be protected
[FWB] acl 3000
[FWB-acl-adv-3000] rule permit ip source 10.0.1.0 0.0.0.255 destination 10.0.0.0 0.255.255.255
[FWB-acl-adv-3000] quit
3) Configure the default packet-filter rules
[FWB] firewall packet-filter default permit interzone trust untrust
[FWB] firewall packet-filter default permit interzone local untrust
4) Configure the IPSec proposal
[FWB] ipsec proposal tran1
5) Configure the IKE proposal
[FWB] ike proposal 10
6) Configure the IKE peer (the branch points at the fixed headquarters address)
[FWB] ike peer b
[FWB-ike-peer-b] ike-proposal 10
[FWB-ike-peer-b] exchange-mode aggressive
[FWB-ike-peer-b] remote-address 200.0.0.1
[FWB-ike-peer-b] pre-shared-key huawei
7) Configure the IPSec policy
[FWB] ipsec policy map1 10 isakmp
[FWB-ipsec-policy-isakmp-map1-10] ike-peer b
[FWB-ipsec-policy-isakmp-map1-10] proposal tran1
[FWB-ipsec-policy-isakmp-map1-10] security acl 3000
[FWB-ipsec-policy-isakmp-map1-10] quit
8) Apply the IPSec policy to the interface
[FWB] interface Ethernet 1/0/0
[FWB-Ethernet1/0/0] ipsec policy map1
[FWB-Ethernet1/0/0] quit
The configuration of branch 2 is similar to that of branch 1.
Root Cause
At present, the customer's headquarters uses a sub-policy to build the IPSec VPN with the branch over fixed IP addresses.
After the new office is built, the customer wants each branch to communicate with headquarters over a dynamic IP address, using an IPSec policy template on the headquarters side.
Suggestions
With the policy-template method, only one policy template needs to be configured at headquarters to establish IPSec communication with every branch.
Configure the IPsec policy template on the IPsec server (responder) end. The advantage is that the server end does not need to care about the security ACL scope or the PFS setting and can accept the parameters configured on the initiating end; the disadvantage is that the server end cannot initiate the IPsec connection itself.

END