Deploying IPSec on Firewalls for Secure Communication with the Headquarters
Networking Requirements
Two firewalls at the egress of a branch form a hot standby group that serves as the egress gateway of the campus network and filters the service traffic entering and leaving it. Two core switches form a CSS that serves as the core of the campus network and as the user gateway, allocating IP addresses to users. The specific service requirements are as follows:
- External network users are not allowed to access the internal network. Internal network users can access the Internet but cannot play online games or watch online videos.
- The branch and headquarters need to securely communicate with each other over the Internet.
In this example, two aggregation switches set up a stack named AGG and connect to core switches, which set up a CSS named CORE. For details about the networking below the core layer, see Campus Network Connectivity Deployment.
Device Requirements and Versions
Location | Device Used in This Example | Version Used in This Example
---|---|---
Egress (headquarters router) | AR6300 | V300R019C10
Egress (branch firewalls) | USG6300E | V600R007C00
Core layer | S12700E | V200R019C10
Deployment Roadmap
Step | Deployment Roadmap | Devices Involved
---|---|---
1 | Configure CSS, stacking, and MAD to improve device reliability. | Core switches
2 | Configure Eth-Trunk interfaces to improve link reliability. | Core switches and egress firewalls
3 | Configure interfaces, IP addresses, and routing to enable network connectivity. | Core switches, egress firewalls, and egress router
4 | Configure VRRP and HRP to improve device reliability. | Egress firewalls
5 | Configure security policies to allow services to pass through the firewalls. | Egress firewalls
6 | Configure outbound NAT on the router to enable headquarters users to access the Internet. | Egress router
7 | Configure NAT policies to enable branch internal network users to access the Internet. | Egress firewalls
8 | Configure attack defense and application behavior control to ensure network security. | Egress firewalls
9 | Configure IPSec VPN to implement secure communication between the branch and headquarters. | Egress firewalls and egress router
Data Plan
Device | Interface Number | Member Interface | VLANIF Interface | IP Address
---|---|---|---|---
Router | GE1/0/0 | - | - | 192.0.2.1/24
Router | GE2/0/0 | - | - | 10.10.0.1/24
FWA | GE1/0/0 | - | - | 203.0.113.1/24
FWA | GE1/0/3 | - | - | 10.4.0.1/24
FWA | Eth-Trunk 1 | GE1/0/1, GE1/0/2 | - | 10.3.0.1/24
FWB | GE1/0/0 | - | - | 203.0.113.2/24
FWB | GE1/0/3 | - | - | 10.4.0.2/24
FWB | Eth-Trunk 1 | GE1/0/1, GE1/0/2 | - | 10.3.0.2/24
CORE | Eth-Trunk 10 | GE1/3/0/0, GE2/3/0/1 | VLANIF 20 | 10.3.0.254/24
CORE | Eth-Trunk 20 | GE2/3/0/0, GE1/3/0/1 | VLANIF 20 | 10.3.0.254/24
Deployment Procedure
- Configure the CSS and MAD functions on core switches. For details, see Typical CSS and Stack Deployment.
- Configure Eth-Trunk interfaces.
- Configure the firewalls.
# On FWA, create Eth-Trunk 1 to connect FWA to CORE, and add member interfaces to Eth-Trunk 1.
<sysname> system-view
[sysname] sysname FWA
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] mode lacp-static
[FWA-Eth-Trunk1] quit
[FWA] interface gigabitethernet 1/0/1
[FWA-GigabitEthernet1/0/1] eth-trunk 1
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface gigabitethernet 1/0/2
[FWA-GigabitEthernet1/0/2] eth-trunk 1
[FWA-GigabitEthernet1/0/2] quit
# On FWB, create Eth-Trunk 1 to connect FWB to CORE, and add member interfaces to Eth-Trunk 1.
<sysname> system-view
[sysname] sysname FWB
[FWB] interface eth-trunk 1
[FWB-Eth-Trunk1] mode lacp-static
[FWB-Eth-Trunk1] quit
[FWB] interface gigabitethernet 1/0/1
[FWB-GigabitEthernet1/0/1] eth-trunk 1
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface gigabitethernet 1/0/2
[FWB-GigabitEthernet1/0/2] eth-trunk 1
[FWB-GigabitEthernet1/0/2] quit
- Configure CORE.
# On CORE, create Eth-Trunk 10 to connect CORE to FWA, and add member interfaces to Eth-Trunk 10.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] quit
[CORE] interface gigabitethernet 1/3/0/0
[CORE-GigabitEthernet1/3/0/0] eth-trunk 10
[CORE-GigabitEthernet1/3/0/0] quit
[CORE] interface gigabitethernet 2/3/0/1
[CORE-GigabitEthernet2/3/0/1] eth-trunk 10
[CORE-GigabitEthernet2/3/0/1] quit
# On CORE, create Eth-Trunk 20 to connect CORE to FWB, and add member interfaces to Eth-Trunk 20.
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] mode lacp
[CORE-Eth-Trunk20] quit
[CORE] interface gigabitethernet 1/3/0/1
[CORE-GigabitEthernet1/3/0/1] eth-trunk 20
[CORE-GigabitEthernet1/3/0/1] quit
[CORE] interface gigabitethernet 2/3/0/0
[CORE-GigabitEthernet2/3/0/0] eth-trunk 20
[CORE-GigabitEthernet2/3/0/0] quit
- Configure interfaces, IP addresses, and routing.
- Configure IP addresses for interfaces.
# Configure IP addresses for interfaces on the router.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 192.0.2.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] ip address 10.10.0.1 24
[Router-GigabitEthernet2/0/0] quit
# Configure IP addresses for interfaces of FWA, and add the interfaces to security zones.
[FWA] interface loopback 0
[FWA-LoopBack0] ip address 1.1.1.1 32 //Configure an IP address for loopback 0, which is also used as the router ID of FWA.
[FWA-LoopBack0] quit
[FWA] interface gigabitethernet 1/0/0
[FWA-GigabitEthernet1/0/0] ip address 203.0.113.1 24 //Configure an IP address for the interface connected to the Internet.
[FWA-GigabitEthernet1/0/0] gateway 203.0.113.254
[FWA-GigabitEthernet1/0/0] quit
[FWA] interface gigabitethernet 1/0/3
[FWA-GigabitEthernet1/0/3] ip address 10.4.0.1 24 //Configure an IP address for the heartbeat interface.
[FWA-GigabitEthernet1/0/3] quit
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] ip address 10.3.0.1 24 //Configure an IP address for the Eth-Trunk interface connected to CORE.
[FWA-Eth-Trunk1] quit
[FWA] firewall zone trust
[FWA-zone-trust] set priority 85
[FWA-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone name isp1
[FWA-zone-isp1] set priority 10
[FWA-zone-isp1] add interface gigabitethernet 1/0/0 //Add the interface connected to the Internet to the security zone isp1.
[FWA-zone-isp1] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] set priority 50
[FWA-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWA-zone-dmz] quit
# Configure IP addresses for interfaces of FWB, and add the interfaces to security zones.
[FWB] interface loopback 0
[FWB-LoopBack0] ip address 2.2.2.2 32 //Configure an IP address for loopback 0, which is also used as the router ID of FWB.
[FWB-LoopBack0] quit
[FWB] interface gigabitethernet 1/0/0
[FWB-GigabitEthernet1/0/0] ip address 203.0.113.2 24 //Configure an IP address for the interface connected to the Internet.
[FWB-GigabitEthernet1/0/0] gateway 203.0.113.254
[FWB-GigabitEthernet1/0/0] quit
[FWB] interface gigabitethernet 1/0/3
[FWB-GigabitEthernet1/0/3] ip address 10.4.0.2 24 //Configure an IP address for the heartbeat interface.
[FWB-GigabitEthernet1/0/3] quit
[FWB] interface eth-trunk 1
[FWB-Eth-Trunk1] ip address 10.3.0.2 24 //Configure an IP address for the Eth-Trunk interface connected to CORE.
[FWB-Eth-Trunk1] quit
[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone name isp1
[FWB-zone-isp1] set priority 10
[FWB-zone-isp1] add interface gigabitethernet 1/0/0 //Add the interface connected to the Internet to the security zone isp1.
[FWB-zone-isp1] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit
# Configure IP addresses for interfaces on CORE.
[CORE] interface loopback 0
[CORE-LoopBack0] ip address 3.3.3.3 32 //Configure an IP address for loopback 0, which is also used as the router ID of CORE.
[CORE-LoopBack0] quit
[CORE] vlan batch 20
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] port link-type access
[CORE-Eth-Trunk10] port default vlan 20
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] port link-type access
[CORE-Eth-Trunk20] port default vlan 20
[CORE-Eth-Trunk20] quit
[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 10.3.0.254 24 //Configure an IP address for the VLANIF interface connected to the firewalls.
[CORE-Vlanif20] quit
- Configure routing.
# Configure a default route on the router and set the next hop to a public IP address.
[Router] ip route-static 0.0.0.0 0.0.0.0 192.0.2.254
# Configure OSPF on FWA to advertise the network segments where downlink interfaces belong.
[FWA] ospf 1 router-id 1.1.1.1
[FWA-ospf-1] area 0.0.0.0
[FWA-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] quit
[FWA-ospf-1] quit
# Configure a default route on FWA and set the next hop to a public IP address.
[FWA] ip route-static 0.0.0.0 0.0.0.0 203.0.113.254
# Configure OSPF on FWB to advertise the network segments where downlink interfaces belong.
[FWB] ospf 1 router-id 2.2.2.2
[FWB-ospf-1] area 0.0.0.0
[FWB-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[FWB-ospf-1-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[FWB-ospf-1-area-0.0.0.0] quit
[FWB-ospf-1] quit
# Configure a default route on FWB and set the next hop to a public IP address.
[FWB] ip route-static 0.0.0.0 0.0.0.0 203.0.113.254
# On CORE, configure OSPF to advertise the network segments where uplink interfaces belong.
[CORE] router id 3.3.3.3
[CORE] ospf 1
[CORE-ospf-1] area 0.0.0.0
[CORE-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255 //Advertise the network segment connected to the firewalls.
[CORE-ospf-1-area-0.0.0.0] network 10.6.0.0 0.0.0.255 //Advertise the network segment connected to users.
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
# On CORE, configure a default route with the next hop being the VRRP virtual IP address of the firewalls.
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.3.0.3
- Configure VRRP and HRP on the firewalls.
- Configure VRRP groups.
# On FWA, configure VRRP group 1 on the uplink service interface GE1/0/0, and set the VRRP group status to active. Configure VRRP group 2 on the downlink service interface Eth-Trunk 1, and set the VRRP group status to active.
[FWA] interface GigabitEthernet 1/0/0
[FWA-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 203.0.113.3 24 active
[FWA-GigabitEthernet1/0/0] quit
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] vrrp vrid 2 virtual-ip 10.3.0.3 24 active
[FWA-Eth-Trunk1] quit
# On FWB, configure VRRP group 1 on the uplink service interface GE1/0/0, and set the VRRP group status to standby. Configure VRRP group 2 on the downlink service interface Eth-Trunk 1, and set the VRRP group status to standby.
[FWB] interface GigabitEthernet 1/0/0
[FWB-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 203.0.113.3 24 standby
[FWB-GigabitEthernet1/0/0] quit
[FWB] interface eth-trunk 1
[FWB-Eth-Trunk1] vrrp vrid 2 virtual-ip 10.3.0.3 24 standby
[FWB-Eth-Trunk1] quit
- Configure HRP.
# On FWA, specify a heartbeat interface and enable HRP.
[FWA] hrp interface gigabitethernet 1/0/3 remote 10.4.0.2
[FWA] hrp enable
HRP_M[FWA] hrp mirror session enable //Enable quick session backup.
# On FWB, specify a heartbeat interface and enable HRP.
[FWB] hrp interface gigabitethernet 1/0/3 remote 10.4.0.1
[FWB] hrp enable
HRP_B[FWB] hrp mirror session enable
- Configure security policies.
# After a hot standby group is successfully established between the active and standby firewalls, the security policies configured on FWA will be automatically synchronized to FWB.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_dmz //Allow mutual access between the local zone and DMZ.
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] action permit
HRP_M[FWA-policy-security-rule-policy_dmz] quit
HRP_M[FWA-policy-security] rule name trust_to_untrust //Allow internal network users to access the Internet.
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone isp1
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-address 10.6.0.0 24
HRP_M[FWA-policy-security-rule-trust_to_untrust] action permit
HRP_M[FWA-policy-security-rule-trust_to_untrust] quit
HRP_M[FWA-policy-security] rule name untrust_to_trust //Prohibit external network users from accessing the internal network.
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone isp1
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
HRP_M[FWA-policy-security-rule-untrust_to_trust] action deny
HRP_M[FWA-policy-security-rule-untrust_to_trust] quit
HRP_M[FWA-policy-security] quit
- Configure outbound NAT.
# Define the data flows that require NAT on the router. When both IPSec and NAT are configured on an interface, NAT is performed first, so the ACL referenced by nat outbound must deny the IPSec-protected flows ahead of the permit rule. In a NAT ACL, deny means "do not translate", not "drop": the packet is forwarded unchanged and is then matched against the IPSec ACL.
[Router] acl 3000
[Router-acl-adv-3000] rule 5 deny ip source 10.10.0.0 0.0.0.255 destination 10.6.0.0 0.0.0.255 //Define IPSec-protected data flows.
[Router-acl-adv-3000] rule 15 permit ip source 10.10.0.0 0.0.0.255 //Define the data flows that require NAT (the headquarters segment 10.10.0.0/24).
[Router-acl-adv-3000] quit
# Configure NAT on the router.
[Router] interface GigabitEthernet1/0/0
[Router-GigabitEthernet1/0/0] nat outbound 3000
[Router-GigabitEthernet1/0/0] quit
- Configure NAT policies.
# On FWA, create a NAT address pool addressgroup1 (198.51.100.1 to 198.51.100.5). The NAT address pool configured on FWA will be automatically synchronized to FWB.
HRP_M[FWA] nat address-group addressgroup1
HRP_M[FWA-nat-address-group-addressgroup1] section 0 198.51.100.1 198.51.100.5
HRP_M[FWA-nat-address-group-addressgroup1] mode pat
HRP_M[FWA-nat-address-group-addressgroup1] route enable
HRP_M[FWA-nat-address-group-addressgroup1] quit
# Configure source NAT policies so that internal network users on 10.6.0.0/24 access the Internet through post-NAT public IP addresses. When both IPSec and NAT are configured, the NAT policy is matched first, so a no-nat rule for the IPSec-protected flows must precede the source-nat rule. The Internet-facing interface GE1/0/0 belongs to the security zone isp1, so the NAT rules reference isp1 as the destination zone; a rule written for the untrust zone, which contains no interface here, would never match.
HRP_M[FWA] nat-policy
HRP_M[FWA-policy-nat] rule name policy_nat_1
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-zone isp1
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-address 10.6.0.0 24
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-address 10.10.0.0 24 //Assume that the private IP address of the headquarters is 10.10.0.0/24.
HRP_M[FWA-policy-nat-rule-policy_nat_1] action no-nat
HRP_M[FWA-policy-nat-rule-policy_nat_1] quit
HRP_M[FWA-policy-nat] rule name policy_nat_2
HRP_M[FWA-policy-nat-rule-policy_nat_2] source-address range 10.6.0.1 10.6.0.127 //Only this range is translated; widen it to the whole 10.6.0.0/24 segment if every user permitted by trust_to_untrust is meant to reach the Internet.
HRP_M[FWA-policy-nat-rule-policy_nat_2] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_2] destination-zone isp1
HRP_M[FWA-policy-nat-rule-policy_nat_2] action source-nat address-group addressgroup1
HRP_M[FWA-policy-nat-rule-policy_nat_2] quit
# Ask the ISP network administrators to configure routes for the addresses in addressgroup1 (198.51.100.1 to 198.51.100.5) with the VRRP virtual IP address 203.0.113.3 of the firewalls as the next hop, rather than either firewall's physical interface address, so that return traffic still arrives after a failover.
- Configure attack defense and application behavior control.
# Configure attack defense.
HRP_M[FWA] firewall defend land enable
HRP_M[FWA] firewall defend smurf enable
HRP_M[FWA] firewall defend fraggle enable
HRP_M[FWA] firewall defend winnuke enable
HRP_M[FWA] firewall defend source-route enable
HRP_M[FWA] firewall defend route-record enable
HRP_M[FWA] firewall defend time-stamp enable
HRP_M[FWA] firewall defend ping-of-death enable
HRP_M[FWA] interface GigabitEthernet 1/0/0
HRP_M[FWA-GigabitEthernet1/0/0] anti-ddos flow-statistic enable
HRP_M[FWA-GigabitEthernet1/0/0] quit
HRP_M[FWA] anti-ddos baseline-learn start
HRP_M[FWA] anti-ddos baseline-learn tolerance-value 100
HRP_M[FWA] anti-ddos baseline-learn apply
HRP_M[FWA] anti-ddos syn-flood source-detect
HRP_M[FWA] anti-ddos udp-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos udp-frag-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos http-flood defend alert-rate 2000
HRP_M[FWA] anti-ddos http-flood source-detect mode basic
# Configure application behavior control.
This function requires a license and dynamic installation of the corresponding component package.
# Create an application behavior control file to prohibit HTTP and FTP operations during working hours.
HRP_M[FWA] profile type app-control name profile_app_work
HRP_M[FWA-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file delete action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] quit
# Create a time range named working_hours.
HRP_M[FWA] time-range working_hours
HRP_M[FWA-time-range-working_hours] period-range all
HRP_M[FWA-time-range-working_hours] quit
# Configure the security policy policy_sec_work, referencing the time range working_hours and the application behavior control profile profile_app_work, to prohibit HTTP and FTP operations during working hours. Security policies are matched in order and the earlier rule trust_to_untrust already permits all traffic from 10.6.0.0/24 to isp1 without a profile, so policy_sec_work must be moved above trust_to_untrust (rule move in the security-policy view) for the profile to take effect.
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_work
HRP_M[FWA-policy-security-rule-policy_sec_work] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_work] user any
HRP_M[FWA-policy-security-rule-policy_sec_work] time-range working_hours
HRP_M[FWA-policy-security-rule-policy_sec_work] profile app-control profile_app_work
HRP_M[FWA-policy-security-rule-policy_sec_work] action permit
HRP_M[FWA-policy-security-rule-policy_sec_work] quit
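Security-policy rules, nat-policy rules and the router's NAT ACL are all matched top-down with the first hit winning. That ordering is why the no-nat rule has to precede the source-nat rule, and why policy_sec_work, created after trust_to_untrust, is never reached. The following Python model is an added example, not Huawei code: the rule sets are transcribed from this page (the nat-policy rules with destination zone isp1, the zone the Internet interface is actually in), while the evaluator, the reorder helper and the sample flows (198.51.100.200 standing in for an arbitrary Internet host) are constructed here.

```python
"""Ordered first-match evaluation of the firewall security-policy and
nat-policy and of the router's NAT ACL 3000.

Added example, not Huawei code.  The rule sets are transcribed from this
page; the evaluator, the reorder helper and the sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

ANY = [ipaddress.ip_network("0.0.0.0/0")]


def net(prefix):
    return [ipaddress.ip_network(prefix)]


def rng(first, last):
    """'source-address range first last' expressed as CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


@dataclass
class Rule:
    name: str
    action: str                 # permit | deny | source-nat | no-nat
    src_zone: frozenset = None  # None: any zone (a plain ACL carries no zones)
    dst_zone: frozenset = None
    src: list = field(default_factory=lambda: ANY)
    dst: list = field(default_factory=lambda: ANY)

    def matches(self, flow):
        src_ip, dst_ip, src_zone, dst_zone = flow
        a, b = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return ((self.src_zone is None or src_zone in self.src_zone)
                and (self.dst_zone is None or dst_zone in self.dst_zone)
                and any(a in n for n in self.src)
                and any(b in n for n in self.dst))


def first_match(rules, flow):
    """Rules are checked top-down and the first hit wins.  None means no
    rule matched and the device default applies (deny for security-policy,
    no translation for nat-policy and for a NAT ACL)."""
    return next((r for r in rules if r.matches(flow)), None)


def decision(rules, flow):
    rule = first_match(rules, flow)
    return (rule.name, rule.action) if rule else (None, None)


def move_before(rules, name, before):
    """Copy of `rules` with rule `name` placed just ahead of rule `before`,
    i.e. the effect of reordering the rule on the device."""
    moved = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    idx = next(i for i, r in enumerate(rest) if r.name == before)
    return rest[:idx] + [moved] + rest[idx:]


# FWA security-policy, in the order the deployment procedure creates it
SECURITY_POLICY = [
    Rule("policy_dmz", "permit", frozenset({"local", "dmz"}), frozenset({"local", "dmz"})),
    Rule("trust_to_untrust", "permit", frozenset({"trust"}), frozenset({"isp1"}),
         src=net("10.6.0.0/24")),
    Rule("untrust_to_trust", "deny", frozenset({"isp1"}), frozenset({"trust"})),
    Rule("policy_sec_work", "permit", frozenset({"trust"}), frozenset({"isp1"})),  # carries profile_app_work
]

# FWA nat-policy: the no-nat rule for the IPSec-protected flows comes first
NAT_POLICY = [
    Rule("policy_nat_1", "no-nat", frozenset({"trust"}), frozenset({"isp1"}),
         src=net("10.6.0.0/24"), dst=net("10.10.0.0/24")),
    Rule("policy_nat_2", "source-nat", frozenset({"trust"}), frozenset({"isp1"}),
         src=rng("10.6.0.1", "10.6.0.127")),
]

# Router ACL 3000 referenced by 'nat outbound': deny = do not translate
ROUTER_ACL_3000 = [
    Rule("rule 5", "deny", src=net("10.10.0.0/24"), dst=net("10.6.0.0/24")),
    Rule("rule 15", "permit", src=net("10.10.0.0/24")),
]

# Constructed flows: (source IP, destination IP, source zone, destination zone);
# 198.51.100.200 stands in for an arbitrary Internet host.
BRANCH_TO_WEB = ("10.6.0.10", "198.51.100.200", "trust", "isp1")
BRANCH_TO_HQ = ("10.6.0.10", "10.10.0.5", "trust", "isp1")
BRANCH_HIGH_TO_WEB = ("10.6.0.200", "198.51.100.200", "trust", "isp1")
HQ_TO_BRANCH = ("10.10.0.5", "10.6.0.10", None, None)
HQ_TO_WEB = ("10.10.0.5", "198.51.100.200", None, None)


def main():
    print("security-policy as configured:", decision(SECURITY_POLICY, BRANCH_TO_WEB))
    fixed = move_before(SECURITY_POLICY, "policy_sec_work", "trust_to_untrust")
    print("security-policy after reorder: ", decision(fixed, BRANCH_TO_WEB))
    for flow in (BRANCH_TO_HQ, BRANCH_TO_WEB, BRANCH_HIGH_TO_WEB):
        print("nat-policy", flow[:2], decision(NAT_POLICY, flow))
    for flow in (HQ_TO_BRANCH, HQ_TO_WEB):
        print("router acl 3000", flow[:2], decision(ROUTER_ACL_3000, flow))


if __name__ == "__main__":
    main()
```

Running it shows the flow from 10.6.0.10 to the Internet hitting trust_to_untrust, so the app-control profile is not applied until policy_sec_work is moved ahead of it; the same host's traffic to 10.10.0.5 is exempted from NAT by policy_nat_1 and left for IPSec; and a host such as 10.6.0.200, outside the 10.6.0.1 to 10.6.0.127 range of policy_nat_2, is permitted by the security policy but leaves without translation. On the router, the deny in ACL 3000 keeps headquarters-to-branch traffic untranslated while everything else from 10.10.0.0/24 is NATed.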
- Configure IPSec VPN.
- Configure ACLs to define IPSec-protected data flows.
# Configure the router.
[Router] acl 3001
[Router-acl-adv-3001] rule 5 permit ip source 10.10.0.0 0.0.0.255 destination 10.6.0.0 0.0.0.255
[Router-acl-adv-3001] quit
# Configure the firewalls.
HRP_M[FWA] acl 3001
HRP_M[FWA-acl-adv-3001] rule 5 permit ip source 10.6.0.0 0.0.0.255 destination 10.10.0.0 0.0.0.255
HRP_M[FWA-acl-adv-3001] quit
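The two ACLs have to be mirror images: the router selects 10.10.0.0/24 to 10.6.0.0/24 and the firewalls 10.6.0.0/24 to 10.10.0.0/24. The following Python check is an added example, not Huawei code. It parses the ACL rules above, converts VRP wildcard masks to prefixes, and reports selectors present on one side whose reverse is missing on the other. FW_ACL_HOST is a constructed variant with wildcard 0, which selects only the two network addresses themselves rather than the subnets, a transcription error that leaves user traffic outside the tunnel.

```python
"""Check that the IPSec traffic selectors (ACL 3001) on the router and on the
firewalls mirror each other.

Added example, not Huawei code.  ROUTER_ACL and FW_ACL are the rules from the
steps above; FW_ACL_HOST is a constructed variant with the host wildcard 0;
the parser and the checks are written here.
"""
import ipaddress
import re

# 'rule <id> permit|deny ip source A WILDCARD destination B WILDCARD'
# (only the fully specified form used for IPSec selectors is handled)
RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"\s+source\s+(?P<src>[\d.]+)\s+(?P<sw>[\d.]+)"
    r"\s+destination\s+(?P<dst>[\d.]+)\s+(?P<dw>[\d.]+)")


def wildcard_to_network(addr, wildcard):
    """VRP ACLs use wildcard masks: 0.0.0.255 is a /24 and 0 (or 0.0.0.0)
    means the single host.  Non-contiguous wildcards are rejected."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    w = int(ipaddress.ip_address(wildcard))
    if w & (w + 1):                      # low-order bits must be a solid run of ones
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix_len = 32 - w.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def parse_acl(text):
    """Return [(rule id, action, source network, destination network)]."""
    return [(int(m["id"]), m["action"],
             wildcard_to_network(m["src"], m["sw"]),
             wildcard_to_network(m["dst"], m["dw"]))
            for m in RULE_RE.finditer(text)]


def permit_selectors(text):
    return {(src, dst) for _, action, src, dst in parse_acl(text) if action == "permit"}


def selector_mismatches(local_text, remote_text):
    """Selectors on one side whose reverse is missing on the other side.
    An empty set means the two ACLs are exact mirrors."""
    local = permit_selectors(local_text)
    remote_mirrored = {(dst, src) for src, dst in permit_selectors(remote_text)}
    return ({("local-only", f"{s} -> {d}") for s, d in local - remote_mirrored}
            | {("remote-only", f"{d} -> {s}") for s, d in remote_mirrored - local})


def selectors_mirror(local_text, remote_text):
    return not selector_mismatches(local_text, remote_text)


ROUTER_ACL = """acl 3001
 rule 5 permit ip source 10.10.0.0 0.0.0.255 destination 10.6.0.0 0.0.0.255
"""
FW_ACL = """acl 3001
 rule 5 permit ip source 10.6.0.0 0.0.0.255 destination 10.10.0.0 0.0.0.255
"""
# Constructed error case: wildcard 0 selects only 10.6.0.0/32 and
# 10.10.0.0/32, so traffic between the user subnets never enters the tunnel.
FW_ACL_HOST = """acl 3001
 rule 5 permit ip source 10.6.0.0 0 destination 10.10.0.0 0
"""

if __name__ == "__main__":
    print("router vs firewall:", selector_mismatches(ROUTER_ACL, FW_ACL) or "mirror OK")
    print("router vs host-wildcard firewall:", selector_mismatches(ROUTER_ACL, FW_ACL_HOST))
```

Run it against the two sides' running configurations before bringing the tunnel up; a non-empty result explains the common case of a phase 1 SA that is READY while phase 2 never appears.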
- Configure an IPSec proposal.
# Configure the router.
[Router] ipsec authentication sha2 compatible enable
[Router] ipsec proposal tran1
[Router-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router-ipsec-proposal-tran1] quit
# Configure the firewalls.
HRP_M[FWA] ipsec proposal tran1
HRP_M[FWA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
HRP_M[FWA-ipsec-proposal-tran1] esp encryption-algorithm aes-128
HRP_M[FWA-ipsec-proposal-tran1] quit
- Configure an IKE proposal.
# Configure the router.
[Router] ike proposal 5
[Router-ike-proposal-5] authentication-method pre-share
[Router-ike-proposal-5] encryption-algorithm aes-128
[Router-ike-proposal-5] authentication-algorithm sha2-256
[Router-ike-proposal-5] dh group14
[Router-ike-proposal-5] quit
# Configure the firewalls.
HRP_M[FWA] ike proposal 5
HRP_M[FWA-ike-proposal-5] authentication-method pre-share
HRP_M[FWA-ike-proposal-5] encryption-algorithm aes-128
HRP_M[FWA-ike-proposal-5] authentication-algorithm sha2-256
HRP_M[FWA-ike-proposal-5] dh group14
HRP_M[FWA-ike-proposal-5] quit
- Configure IKE peers.
# Configure the router. The undo version 2 command restricts the peer to IKEv1, which is what this example negotiates (the verification output shows v1 SAs); prefer IKEv2 on both ends where the headquarters device supports it. The same pre-shared key must be configured on the router and on the firewalls.
[Router] ike peer vpn
[Router-ike-peer-vpn] undo version 2
[Router-ike-peer-vpn] pre-shared-key cipher YsHsjx_202206
[Router-ike-peer-vpn] ike-proposal 5
[Router-ike-peer-vpn] dpd type periodic //Configure periodic dead peer detection (DPD).
[Router-ike-peer-vpn] dpd idle-time 10 //Set the DPD idle time to 10s.
[Router-ike-peer-vpn] quit
# Configure the firewalls.
HRP_M[FWA] ike peer vpn
HRP_M[FWA-ike-peer-vpn] undo version 2
HRP_M[FWA-ike-peer-vpn] pre-shared-key YsHsjx_202206
HRP_M[FWA-ike-peer-vpn] ike-proposal 5
HRP_M[FWA-ike-peer-vpn] dpd type periodic
HRP_M[FWA-ike-peer-vpn] dpd idle-time 10
HRP_M[FWA-ike-peer-vpn] remote-address 192.0.2.1
HRP_M[FWA-ike-peer-vpn] quit
- Configure IPSec policies. The router uses a policy template, so it only responds to negotiations initiated by the branch; the firewalls specify the router as the remote peer and use the VRRP virtual IP address 203.0.113.3 as the tunnel local address so that the tunnel survives a failover.
# Configure the router.
[Router] ipsec policy-template use1 10
[Router-ipsec-policy-templet-use1-10] security acl 3001
[Router-ipsec-policy-templet-use1-10] ike-peer vpn
[Router-ipsec-policy-templet-use1-10] proposal tran1
[Router-ipsec-policy-templet-use1-10] quit
[Router] ipsec policy ipsec_vpn 10 isakmp template use1
# Configure the firewalls.
HRP_M[FWA] ipsec policy ipsec_vpn 10 isakmp
HRP_M[FWA-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
HRP_M[FWA-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpn
HRP_M[FWA-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
HRP_M[FWA-ipsec-policy-isakmp-ipsec_vpn-10] tunnel local 203.0.113.3
HRP_M[FWA-ipsec-policy-isakmp-ipsec_vpn-10] quit
- Apply an IPSec policy group to an interface.
# Configure the router.
[Router] interface GigabitEthernet1/0/0
[Router-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
[Router-GigabitEthernet1/0/0] quit
# Configure the firewalls.
HRP_M[FWA] interface GigabitEthernet1/0/0
HRP_M[FWA-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
HRP_M[FWA-GigabitEthernet1/0/0] quit
Verifying the Deployment
# After the preceding configurations are complete, run the display ike sa command to check the security associations (SAs) established through IKE negotiation. Phase 1 (v1:1) is the IKE SA and phase 2 (v1:2) is the IPSec SA; both must show the RD (READY) flag towards the headquarters peer 192.0.2.1. The following uses the command output of FWA as an example.
[FWA] display ike sa
IKE SA information :
Conn-ID   Peer             VPN   Flag(s)   Phase   RemoteType   RemoteID
--------------------------------------------------------------------------------
16        192.0.2.1:500          RD|ST     v1:2    IP           192.0.2.1
14        192.0.2.1:500          RD|ST     v1:1    IP           192.0.2.1

Number of IKE SA : 2
--------------------------------------------------------------------------------
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
# Perform ping tests to verify that devices on the private networks of the headquarters and branch can ping each other successfully. External network users cannot access the internal network. Internal network users can access the Internet but cannot play online games or watch online videos.
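To turn the display ike sa check into something a monitoring job can run, the following Python parser is an added example, not Huawei code. SAMPLE is the FWA output shown above; SAMPLE_NEG is a constructed variant in which the phase 2 SA is still negotiating, the state seen when IKE authentication succeeds but the IPSec proposals or ACLs do not match.

```python
"""Parse the output of 'display ike sa' and decide whether the tunnel to the
headquarters is fully established.

Added example, not Huawei code.  SAMPLE is the FWA output shown on this
page; SAMPLE_NEG is a constructed variant with phase 2 still negotiating.
"""
import re

# '16   192.0.2.1:500   RD|ST   v1:2   IP   192.0.2.1'  (the VPN column may be blank)
SA_LINE = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<peer>[\d.]+):(?P<port>\d+)\s+"
    r"(?P<flags>[A-Z|]+)\s+v(?P<ver>\d):(?P<phase>[12])\s+(?P<rtype>\S+)\s+(?P<rid>\S+)")


def parse_ike_sa(text):
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            sas.append({
                "conn": int(m["conn"]),
                "peer": m["peer"],
                "port": int(m["port"]),       # 4500 would mean NAT traversal is in use
                "flags": set(m["flags"].split("|")),
                "version": int(m["ver"]),     # 1 here because 'undo version 2' was configured
                "phase": int(m["phase"]),     # 1 = IKE SA, 2 = IPSec SA
                "remote_id": m["rid"],
            })
    return sas


def tunnel_status(text, expected_peer):
    """(ok, reasons): ok only when a READY (RD) phase 1 and phase 2 SA exist
    towards expected_peer.  A phase 1 SA alone means IKE authenticated but
    the IPSec SA was not negotiated (typically mismatched ACLs or proposals)."""
    sas = [s for s in parse_ike_sa(text) if s["peer"] == expected_peer]
    reasons = []
    for phase in (1, 2):
        if not any(s["phase"] == phase and "RD" in s["flags"] for s in sas):
            reasons.append(f"no READY phase {phase} SA to {expected_peer}")
    return (not reasons, reasons)


SAMPLE = """\
IKE SA information :
Conn-ID   Peer             VPN   Flag(s)   Phase   RemoteType   RemoteID
--------------------------------------------------------------------------------
16        192.0.2.1:500          RD|ST     v1:2    IP           192.0.2.1
14        192.0.2.1:500          RD|ST     v1:1    IP           192.0.2.1

Number of IKE SA : 2
"""

# Constructed: phase 1 is up, phase 2 has not completed.
SAMPLE_NEG = """\
IKE SA information :
Conn-ID   Peer             VPN   Flag(s)   Phase   RemoteType   RemoteID
--------------------------------------------------------------------------------
14        192.0.2.1:500          RD|ST     v1:1    IP           192.0.2.1
15        192.0.2.1:500          NEG       v1:2    IP           192.0.2.1

Number of IKE SA : 2
"""

if __name__ == "__main__":
    for name, text in (("SAMPLE", SAMPLE), ("SAMPLE_NEG", SAMPLE_NEG)):
        print(name, tunnel_status(text, "192.0.2.1"))
```

Feed it the output collected from the active firewall (HRP_M) and alert on a False result; checking the peer address as well as the flags catches the case where an SA is up but towards the wrong endpoint.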
Configuration Files
- Router configuration file
#
 sysname Router
#
 ipsec authentication sha2 compatible enable
#
acl number 3000
 rule 5 deny ip source 10.10.0.0 0.0.0.255 destination 10.6.0.0 0.0.0.255
 rule 15 permit ip source 10.10.0.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 10.10.0.0 0.0.0.255 destination 10.6.0.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike peer vpn
 undo version 2
 pre-shared-key cipher %^%#l17URBYEtOKZ~ZL(:AY2#(k(3<RTl>@s@KJ"6![M%^%#
 ike-proposal 5
 dpd type periodic
 dpd idle-time 10
#
ipsec policy-template use1 10
 security acl 3001
 ike-peer vpn
 proposal tran1
#
ipsec policy ipsec_vpn 10 isakmp template use1
#
interface GigabitEthernet1/0/0
 ip address 192.0.2.1 255.255.255.0
 ipsec policy ipsec_vpn
 nat outbound 3000
#
interface GigabitEthernet2/0/0
 ip address 10.10.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.0.2.254
#
return
- FWA configuration file
#
 sysname FWA
#
 hrp enable
 hrp interface GigabitEthernet1/0/3 remote 10.4.0.2
 hrp mirror session enable
#
acl number 3001
 rule 5 permit ip source 10.6.0.0 0.0.0.255 destination 10.10.0.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike peer vpn
 undo version 2
 pre-shared-key %^%#SFl(Do%8qOv%0HDl6S|~J!O:JnI9b;J!9b$vO{;F%^%#
 ike-proposal 5
 dpd type periodic
 dpd idle-time 10
 remote-address 192.0.2.1
#
ipsec policy ipsec_vpn 10 isakmp
 security acl 3001
 ike-peer vpn
 proposal tran1
 tunnel local 203.0.113.3
#
interface Eth-Trunk1
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 active
 mode lacp-static
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 203.0.113.1 255.255.255.0
 vrrp vrid 1 virtual-ip 203.0.113.3 255.255.255.0 active
 anti-ddos flow-statistic enable
 gateway 203.0.113.254
 ipsec policy ipsec_vpn
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/2
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.4.0.1 255.255.255.0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
#
firewall zone name isp1
 set priority 10
 add interface GigabitEthernet1/0/0
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.3.0.0 0.0.0.255
  network 10.4.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.254
#
 firewall defend time-stamp enable
 firewall defend route-record enable
 firewall defend source-route enable
 firewall defend winnuke enable
 firewall defend fraggle enable
 firewall defend ping-of-death enable
 firewall defend smurf enable
 firewall defend land enable
#
 anti-ddos baseline-learn start
 anti-ddos baseline-learn tolerance-value 100
 anti-ddos baseline-learn apply
 anti-ddos syn-flood source-detect
 anti-ddos udp-flood dynamic-fingerprint-learn
 anti-ddos udp-frag-flood dynamic-fingerprint-learn
 anti-ddos http-flood defend alert-rate 2000
 anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
 http-control post action deny
 http-control proxy action deny
 http-control web-browse action deny
 http-control file direction upload action deny
 http-control file direction download action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
time-range working_hours
 period-range all
#
nat address-group addressgroup1 0
 mode pat
 section 0 198.51.100.1 198.51.100.5
 route enable
#
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  source-address 10.6.0.0 mask 255.255.255.0
  action permit
 rule name untrust_to_trust
  source-zone isp1
  destination-zone trust
  action deny
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  time-range working_hours
  profile app-control profile_app_work
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  source-address 10.6.0.0 mask 255.255.255.0
  destination-address 10.10.0.0 mask 255.255.255.0
  action no-nat
 rule name policy_nat_2
  source-zone trust
  destination-zone isp1
  source-address range 10.6.0.1 10.6.0.127
  action source-nat address-group addressgroup1
#
return
- FWB configuration file
#
 sysname FWB
#
 hrp enable
 hrp interface GigabitEthernet1/0/3 remote 10.4.0.1
 hrp mirror session enable
#
acl number 3001
 rule 5 permit ip source 10.6.0.0 0.0.0.255 destination 10.10.0.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike peer vpn
 undo version 2
 pre-shared-key %^%#SFl(Do%8qOv%0HDl6S|~J!O:JnI9b;J!9b$vO{;F%^%#
 ike-proposal 5
 dpd type periodic
 dpd idle-time 10
 remote-address 192.0.2.1
#
ipsec policy ipsec_vpn 10 isakmp
 security acl 3001
 ike-peer vpn
 proposal tran1
 tunnel local 203.0.113.3
#
interface Eth-Trunk1
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 standby
 mode lacp-static
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 203.0.113.2 255.255.255.0
 vrrp vrid 1 virtual-ip 203.0.113.3 255.255.255.0 standby
 anti-ddos flow-statistic enable
 gateway 203.0.113.254
 ipsec policy ipsec_vpn
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/2
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.4.0.2 255.255.255.0
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
#
firewall zone name isp1
 set priority 10
 add interface GigabitEthernet1/0/0
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 10.3.0.0 0.0.0.255
  network 10.4.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.254
#
 firewall defend time-stamp enable
 firewall defend route-record enable
 firewall defend source-route enable
 firewall defend winnuke enable
 firewall defend fraggle enable
 firewall defend ping-of-death enable
 firewall defend smurf enable
 firewall defend land enable
#
 anti-ddos baseline-learn start
 anti-ddos baseline-learn tolerance-value 100
 anti-ddos baseline-learn apply
 anti-ddos syn-flood source-detect
 anti-ddos udp-flood dynamic-fingerprint-learn
 anti-ddos udp-frag-flood dynamic-fingerprint-learn
 anti-ddos http-flood defend alert-rate 2000
 anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
 http-control post action deny
 http-control proxy action deny
 http-control web-browse action deny
 http-control file direction upload action deny
 http-control file direction download action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
time-range working_hours
 period-range all
#
nat address-group addressgroup1 0
 mode pat
 section 0 198.51.100.1 198.51.100.5
 route enable
#
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  source-address 10.6.0.0 mask 255.255.255.0
  action permit
 rule name untrust_to_trust
  source-zone isp1
  destination-zone trust
  action deny
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  time-range working_hours
  profile app-control profile_app_work
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  source-address 10.6.0.0 mask 255.255.255.0
  destination-address 10.10.0.0 mask 255.255.255.0
  action no-nat
 rule name policy_nat_2
  source-zone trust
  destination-zone isp1
  source-address range 10.6.0.1 10.6.0.127
  action source-nat address-group addressgroup1
#
return
- CORE configuration file
#
 sysname CORE
#
 router id 3.3.3.3
#
vlan batch 20
#
interface Vlanif20
 ip address 10.3.0.254 255.255.255.0
#
interface Eth-Trunk10
 port link-type access
 port default vlan 20
 mode lacp
#
interface Eth-Trunk20
 port link-type access
 port default vlan 20
 mode lacp
#
interface GigabitEthernet1/3/0/0
 eth-trunk 10
#
interface GigabitEthernet1/3/0/1
 eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
 mad detect mode direct
#
interface GigabitEthernet2/3/0/0
 eth-trunk 20
#
interface GigabitEthernet2/3/0/1
 eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
 mad detect mode direct
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 10.3.0.0 0.0.0.255
  network 10.6.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.3.0.3
#
return