AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
How Do I Configure IPSec-Protected Data Flows

IPSec can protect one or more data flows. When an IPSec tunnel is established based on ACLs, the protected data flows are defined by ACL rules: you configure an ACL that describes the flows to be protected and then reference that ACL in an IPSec policy. An IPSec policy can reference only one ACL. Therefore:

  • If different data flows have different security requirements, create different ACLs and IPSec policies to protect the data flows.

  • If different data flows have the same security requirements, configure multiple rules in an ACL to protect the data flows.

Configuration Guidelines

  • The protocol types defined in the ACL rules on both ends of an IPSec tunnel must be consistent. For example, if one end uses the IP protocol, the other end must also use the IP protocol.

  • If the ACL rules on both ends mirror each other (the source and destination addresses in a rule on one end are the destination and source addresses in a rule on the other end), an SA can be established regardless of which end initiates the negotiation. If the rules do not mirror each other, an SA can be established only when the address range defined by the initiator's rule is included in the range defined by the responder's rule. Mirroring rules on both ends are recommended. Specifically:

    If both ends use IPSec policies in ISAKMP mode, the ACL rules on both ends must mirror each other. If one end uses an IPSec policy in ISAKMP mode and the other end uses an IPSec policy created from an IPSec policy template, the ACL rule range on the ISAKMP-mode end may be narrower than that on the template end; the overlapping range becomes the negotiation result.

  • The IP address ranges of the rules in an ACL should not overlap. Otherwise, a data flow can match more than one rule, and matching does not produce the intended result.

  • The rules for the ACLs in the same IPSec policy group must be unique.

  • The ACL rules referenced by all the IPSec policies in the same IPSec policy group cannot overlap. In the following example, the rule in ACL 3001 overlaps with the rule in ACL 3002, because both 10.1.2.0/24 and 10.1.1.0/24 lie within 10.1.0.0/16:

    acl number 3001
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    
    acl number 3002
     rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
    
  • If the responder uses an IPSec policy created from an IPSec policy template:

    Protected data flows need not be defined on the responder; the responder then accepts the protected data flow range defined by the initiator. If you do define protected data flows on the responder, their range must mirror or include that of the initiator.

  • If NAT is also configured on the interface to which the IPSec policy is applied, the device performs NAT before IPSec. A translated packet no longer matches an IPSec ACL written for the pre-NAT addresses, so IPSec does not take effect on it. Do one of the following:

    • Add a deny rule to the ACL referenced by NAT that matches the IPSec-protected data flow (the same source and destination as the ACL rule referenced by IPSec). The device then does not translate that flow.

    • Write the ACL rule referenced by IPSec to match the post-NAT IP addresses.

Configuration Tips

ACL rules are configured using different methods in different scenarios. The following examples show how to configure ACL rules:

Gateway-to-gateway IPSec VPN

Establish a point-to-point IPSec tunnel between two gateways. Assume that the network segments to be protected by gateway A and gateway B are 10.1.1.0/24 and 192.168.196.0/24 respectively.

Configure gateway A.

<Huawei> system-view
[Huawei] acl 3001       
[Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255

Configure gateway B.

<Huawei> system-view
[Huawei] acl 3001       
[Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

The network segments protected by the two ends of an IPSec tunnel must be configured with the same wildcard (inverse) mask.

Headquarters-to-branch IPSec VPN

Establish a point-to-multipoint tunnel between the headquarters gateway and multiple branch gateways. Assume that the intranet network segments of the headquarters, branch A, and branch B are 192.168.196.0/24, 10.1.1.0/24, and 10.1.2.0/24 respectively.

  • If the branches need to communicate with the headquarters but not with each other, configure the branch ACLs as in the gateway-to-gateway scenario. On the headquarters, the source address remains the headquarters intranet segment, and the destination addresses must cover the intranet segments of all branches.

    Configure the ACL of the headquarters.

    <Huawei> system-view
    [Huawei] acl number 3001
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [Huawei-acl-adv-3001] quit
  • If the branches need to communicate with the headquarters and with each other (branch-to-branch traffic is relayed through the headquarters), the headquarters ACL must cover every headquarters-to-branch and branch-to-branch flow: rules whose source is the headquarters segment and whose destinations are the branch segments, plus rules between each pair of branch segments. On each branch, the source address remains the branch intranet segment, and the destination addresses must cover the headquarters segment and the other branch's segment.

    Configure the ACL of the headquarters.

    <Huawei> system-view
    [Huawei] acl number 3001
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [Huawei-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [Huawei-acl-adv-3001] quit

    Configure the ACL of branch A.

    <Huawei> system-view
    [Huawei] acl number 3001
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255
    [Huawei-acl-adv-3001] quit

    Configure the ACL of branch B.

    <Huawei> system-view
    [Huawei] acl number 3001
    [Huawei-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [Huawei-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 192.168.196.0 0.0.0.255
    [Huawei-acl-adv-3001] quit
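
The following Python script is an added example and is not part of the product documentation or of the device software. It checks two of the guideline points above against the ACLs in this section: whether each rule of an initiator (here branch A) is mirrored by, or only included in, the responder's ACL (here the headquarters), and whether rules within one ACL or one policy group overlap. The rule regex and the wildcard-to-prefix conversion are this example's own; HQ_TEMPLATE_ACL (a headquarters using a policy template with a single /16 rule) is constructed, and the remaining rules are copied from this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Huawei advanced-ACL rule line, with or without a rule number or a CLI prompt, e.g.
#   rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
RULE_RE = re.compile(r"rule\s+(?:\d+\s+)?(permit|deny)\s+(\S+)\s+"
                     r"source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def flipped(self) -> "Rule":
        """The same flow as the peer must write it: source and destination swapped."""
        return Rule(self.action, self.proto, self.dst, self.src)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Huawei 'address wildcard' pair to a network. The wildcard is an
    inverse mask (0 bits must match; a bare '0' means one host). Only contiguous
    wildcards are accepted, since a non-contiguous one has no single-prefix form."""
    wc = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    mask = ~wc & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def parse_acl(text: str) -> List[Rule]:
    """Extract the rules from ACL configuration text; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            action, proto, saddr, swc, daddr, dwc = m.groups()
            rules.append(Rule(action, proto, wildcard_to_network(saddr, swc),
                              wildcard_to_network(daddr, dwc)))
    return rules


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every flow matched by `inner` is also matched by `outer`."""
    return (outer.proto == inner.proto and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst))


def classify_pair(initiator: List[Rule], responder: List[Rule]) -> List[str]:
    """For each initiator rule: 'mirror' if the responder has the exact reverse
    rule (negotiation works either way), 'included' if the responder's reverse
    rule is wider (acceptable only when the responder uses an IPSec policy
    template), or 'none' (negotiation fails)."""
    peers = [r.flipped() for r in responder]
    result = []
    for rule in initiator:
        if rule in peers:
            result.append("mirror")
        elif any(covers(p, rule) for p in peers):
            result.append("included")
        else:
            result.append("none")
    return result


def find_overlaps(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Index pairs of rules that can both match the same packet."""
    hits = []
    for i, a in enumerate(rules):
        for j in range(i + 1, len(rules)):
            b = rules[j]
            same_proto = a.proto == b.proto or "ip" in (a.proto, b.proto)
            if same_proto and a.src.overlaps(b.src) and a.dst.overlaps(b.dst):
                hits.append((i, j))
    return hits


# Rules copied from the headquarters-to-branch configuration on this page.
HQ_ACL = """acl number 3001
 rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
 rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"""
BRANCH_A_ACL = """acl number 3001
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255"""
# Constructed: a headquarters that uses an IPSec policy template and one /16 rule.
HQ_TEMPLATE_ACL = """acl number 3002
 rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.0.0 0.0.255.255"""
# The two rules the guidelines above give as an overlap within one policy group.
OVERLAP_EXAMPLE = """rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255"""

if __name__ == "__main__":
    print(classify_pair(parse_acl(BRANCH_A_ACL), parse_acl(HQ_ACL)))           # ['mirror', 'mirror']
    print(classify_pair(parse_acl(BRANCH_A_ACL), parse_acl(HQ_TEMPLATE_ACL)))  # ['none', 'included']
    print(find_overlaps(parse_acl(OVERLAP_EXAMPLE)))                           # [(0, 1)]
```

Against the template headquarters, branch A's first rule (10.1.1.0/24 to 10.1.2.0/24) is reported as 'none': the /16 rule only covers traffic between the headquarters segment and the branches, so branch-to-branch traffic would need its own rule on the headquarters even in template mode.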

IPSec gateway functioning as a NAT gateway

  • If traffic that undergoes NAT is sent from gateway A directly to the public network and does not enter the IPSec VPN, deny the IPSec-protected data flow in the NAT policy so that it is not translated.

    Assume that the IPSec-protected intranet network segments of gateway A and gateway B are 10.1.1.0/24 and 192.168.196.0/24 respectively. Configure the ACL and NAT policy of gateway A.

    # Define the IPSec-protected data flow.
    <Huawei> system-view
    [Huawei] acl 3001       
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255          
    [Huawei-acl-adv-3001] quit
    
    # Deny the IPSec-protected address segment in the ACL referenced by NAT (this rule must precede the rules that permit the traffic to be translated).
    [Huawei] acl 3005       
    [Huawei-acl-adv-3005] rule deny ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255
    [Huawei-acl-adv-3005] quit
    

    Configure gateway B.

    <Huawei> system-view
    [Huawei] acl 3001 
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    
  • If the private address ranges behind gateway A and gateway B overlap, perform NAT on gateway A's data flow first, and then let the translated flow enter the IPSec VPN.

    Assume that the intranet segments behind gateway A and gateway B are both 10.1.1.0/24. Traffic entering the IPSec VPN from gateway A must first have its private source addresses translated to other private addresses; assume that the post-NAT addresses are in 10.1.2.0/24 (for example, 10.1.2.1). The IPSec ACL on gateway A therefore matches the post-NAT source segment, and the ACL on gateway B mirrors it. Configure ACLs on both ends.

    Configure gateway A.

    <Huawei> system-view
    [Huawei] acl 3001       
    [Huawei-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [Huawei-acl-adv-3001] quit
    

    Configure gateway B.

    <Huawei> system-view
    [Huawei] acl 3001       
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [Huawei-acl-adv-3001] quit
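
The following Python model is an added example, not from the product documentation, that reproduces the order of operations described under Configuration Guidelines (NAT before IPSec on the outbound interface) for the two NAT scenarios above. It shows that without the deny rule the site-to-site flow is translated and silently misses the IPSec ACL, and that in the overlapping-subnet case the IPSec ACL only matches when written for the post-NAT addresses. Gateway A's public address 1.1.1.1, the Internet host 203.0.113.10, the intranet hosts, the permit rule that follows the deny rule in the NAT ACL, and the deliberately wrong ACLs are constructed; rules are evaluated in configuration order.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Flow:
    src: Addr
    dst: Addr


@dataclass(frozen=True)
class AclRule:
    action: str   # "permit" or "deny"
    src: Net
    dst: Net


def first_match(rules: List[AclRule], flow: Flow) -> Optional[AclRule]:
    """Rules are evaluated in configuration order; None means no rule matched."""
    for r in rules:
        if flow.src in r.src and flow.dst in r.dst:
            return r
    return None


def outbound(flow: Flow, nat_acl: List[AclRule], nat_src: Addr,
             ipsec_acl: List[AclRule]) -> Tuple[Flow, bool]:
    """Outbound path of an interface carrying both NAT and an IPSec policy.

    NAT runs first: a flow permitted by the NAT ACL has its source rewritten to
    `nat_src`. The IPSec ACL is then matched against the (possibly translated)
    packet. Returns the packet as sent and whether IPSec protects it."""
    m = first_match(nat_acl, flow)
    if m is not None and m.action == "permit":
        flow = Flow(nat_src, flow.dst)
    sel = first_match(ipsec_acl, flow)
    return flow, sel is not None and sel.action == "permit"


ANY = Net("0.0.0.0/0")
SITE_A = Net("10.1.1.0/24")            # intranet behind gateway A (page)
SITE_B = Net("192.168.196.0/24")       # intranet behind gateway B (page)
PUBLIC_A = Addr("1.1.1.1")             # constructed: gateway A's public address

IPSEC_ACL_3001 = [AclRule("permit", SITE_A, SITE_B)]   # acl 3001 on gateway A (page)
NAT_ACL_NO_DENY = [AclRule("permit", SITE_A, ANY)]     # constructed: the mistake
NAT_ACL_3005 = [AclRule("deny", SITE_A, SITE_B),       # acl 3005 deny rule (page)
                AclRule("permit", SITE_A, ANY)]        # constructed: translate the rest


def scenario_nat_exclusion() -> Dict[str, Tuple[Flow, bool]]:
    """Gateway A translates Internet traffic and protects traffic to site B."""
    to_b = Flow(Addr("10.1.1.5"), Addr("192.168.196.7"))    # constructed hosts
    to_inet = Flow(Addr("10.1.1.5"), Addr("203.0.113.10"))  # constructed Internet host
    return {
        "to_b_without_deny": outbound(to_b, NAT_ACL_NO_DENY, PUBLIC_A, IPSEC_ACL_3001),
        "to_b_with_deny": outbound(to_b, NAT_ACL_3005, PUBLIC_A, IPSEC_ACL_3001),
        "to_internet": outbound(to_inet, NAT_ACL_3005, PUBLIC_A, IPSEC_ACL_3001),
    }


def scenario_overlapping_subnets() -> Dict[str, Tuple[Flow, bool]]:
    """Both sites use 10.1.1.0/24; gateway A translates sources to 10.1.2.1 first."""
    site = Net("10.1.1.0/24")
    nat_src = Addr("10.1.2.1")                                      # post-NAT address (page)
    nat_acl = [AclRule("permit", site, site)]                       # constructed: translate peer-bound traffic
    ipsec_post_nat = [AclRule("permit", Net("10.1.2.0/24"), site)]  # acl 3001 on gateway A (page)
    ipsec_pre_nat = [AclRule("permit", site, site)]                 # constructed: written for pre-NAT addresses
    flow = Flow(Addr("10.1.1.5"), Addr("10.1.1.9"))                 # constructed hosts
    return {
        "acl_on_post_nat_addresses": outbound(flow, nat_acl, nat_src, ipsec_post_nat),
        "acl_on_pre_nat_addresses": outbound(flow, nat_acl, nat_src, ipsec_pre_nat),
    }


if __name__ == "__main__":
    results = {**scenario_nat_exclusion(), **scenario_overlapping_subnets()}
    for name, (pkt, protected) in results.items():
        print(f"{name:28} {pkt.src} -> {pkt.dst}  ipsec={protected}")
```

The "to_b_without_deny" case is the one to look for when a tunnel never comes up or traffic "leaks" in clear text: the packet leaves with source 1.1.1.1 and IPSec never saw a match, even though the IPSec ACL itself is correct.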
    

L2TP over IPSec

In an L2TP over IPSec scenario, the IPSec-protected data flows are the L2TP-encapsulated packets exchanged between the LAC and the LNS, not the user traffic carried inside the L2TP tunnel.
  • If the LAC address is fixed, the source and destination in the ACL are the public interface addresses of the two ends (the LAC outbound interface and the LNS inbound interface). Assume that the IP address of the LAC outbound interface is 1.1.1.1/24 and the IP address of the LNS inbound interface is 1.2.1.1/24.

    Configure the LAC.

    <Huawei> system-view
    [Huawei] acl number 3001
    [Huawei-acl-adv-3001] rule permit ip source 1.1.1.1 0 destination 1.2.1.1 0  
    [Huawei-acl-adv-3001] quit

    Configure the LNS.

    <Huawei> system-view
    [Huawei] acl number 3001
    [Huawei-acl-adv-3001] rule permit ip source 1.2.1.1 0 destination 1.1.1.1 0
    [Huawei-acl-adv-3001] quit
  • If the LAC address is not fixed, the ACL cannot name the LAC as a host address. Instead, match the L2TP over IPSec data flow by UDP port 1701: on the LAC, match UDP destination port 1701 (packets sent to the LNS); on the LNS, match UDP source port 1701 (packets it sends back to the LAC).

    Configure the LAC.

    <Huawei> system-view
    [Huawei] acl number 3001
    [Huawei-acl-adv-3001] rule permit udp destination-port eq 1701 
    [Huawei-acl-adv-3001] quit

    Configure the LNS.

    <Huawei> system-view
    [Huawei] acl number 3001
    [Huawei-acl-adv-3001] rule permit udp source-port eq 1701 
    [Huawei-acl-adv-3001] quit

GRE over IPSec

When a GRE over IPSec tunnel is established based on ACLs, the IPSec-protected data flows are the GRE-encapsulated packets. The source and destination in the ACL are therefore the GRE tunnel source and destination, that is, the IP addresses of the tunnel-endpoint interfaces on the two gateways, not the private networks carried inside the tunnel.

Assume that the public IP addresses of gateway A and gateway B are 1.1.1.1/24 and 1.2.1.1/24 respectively.

Configure gateway A.

<Huawei> system-view
[Huawei] acl number 3001
[Huawei-acl-adv-3001] rule permit ip source 1.1.1.1 0 destination 1.2.1.1 0
[Huawei-acl-adv-3001] quit

Configure gateway B.

<Huawei> system-view
[Huawei] acl number 3001
[Huawei-acl-adv-3001] rule permit ip source 1.2.1.1 0 destination 1.1.1.1 0
[Huawei-acl-adv-3001] quit
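
The following Python snippet is an added example, not from the product documentation. It illustrates why the ACLs in the L2TP over IPSec and GRE over IPSec scenarios name the tunnel endpoints (or UDP port 1701) rather than the private networks: IPSec matches its ACL against the outer header of the already encapsulated packet. The intranet packet, the LAC address 203.0.113.5, the LAC source port and the encapsulation helpers are constructed; the selector addresses and ports are taken from the configurations above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "ip" (payload not modelled further), "gre" or "udp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Selector:
    """One advanced-ACL rule. Protocol 'ip' matches any protocol, as on the device;
    a port of None means the rule does not test that port."""
    proto: str
    src: Net
    dst: Net
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ipaddress.IPv4Address(p.src) in self.src
                and ipaddress.IPv4Address(p.dst) in self.dst
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def gre_encapsulate(inner: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """GRE wraps the packet in a new IP header; IPSec only sees this outer header."""
    return Packet(tunnel_src, tunnel_dst, "gre")


def l2tp_encapsulate(inner: Packet, lac: str, lns: str, lac_port: int) -> Packet:
    """L2TP rides on UDP; the LNS listens on UDP port 1701."""
    return Packet(lac, lns, "udp", sport=lac_port, dport=1701)


INNER = Packet("10.1.1.5", "192.168.196.7", "ip")   # constructed intranet packet
GW_A, GW_B = "1.1.1.1", "1.2.1.1"                    # tunnel endpoints from the page


def gre_selector_check() -> Dict[str, bool]:
    outer = gre_encapsulate(INNER, GW_A, GW_B)
    # Constructed mistake: selecting on the private networks carried inside the tunnel.
    on_inner = Selector("ip", Net("10.1.1.0/24"), Net("192.168.196.0/24"))
    # acl 3001 on gateway A from the page: selects on the tunnel endpoints.
    on_endpoints = Selector("ip", Net("1.1.1.1/32"), Net("1.2.1.1/32"))
    return {"inner_subnets_match": on_inner.matches(outer),
            "tunnel_endpoints_match": on_endpoints.matches(outer)}


def l2tp_selector_check() -> Dict[str, bool]:
    lac, lns = "203.0.113.5", GW_B          # constructed: LAC on a dynamic address, LNS fixed
    up = l2tp_encapsulate(INNER, lac, lns, lac_port=1701)
    down = Packet(lns, lac, "udp", sport=1701, dport=up.sport)   # LNS reply to the LAC
    # From the page: LAC matches UDP destination port 1701, LNS matches UDP source port 1701.
    lac_acl = Selector("udp", Net("0.0.0.0/0"), Net("0.0.0.0/0"), dport=1701)
    lns_acl = Selector("udp", Net("0.0.0.0/0"), Net("0.0.0.0/0"), sport=1701)
    # From the page: the fixed-address form, which requires the LAC address to be known.
    fixed_lac_acl = Selector("ip", Net("1.1.1.1/32"), Net("1.2.1.1/32"))
    return {"lac_port_acl_matches_uplink": lac_acl.matches(up),
            "lns_port_acl_matches_downlink": lns_acl.matches(down),
            "fixed_address_acl_matches_dynamic_lac": fixed_lac_acl.matches(up)}


if __name__ == "__main__":
    print(gre_selector_check())
    print(l2tp_selector_check())
```

The port-based L2TP selectors match any UDP peer, which is what makes them work for a LAC on a dynamic address; the trade-off is that the ACL no longer restricts which remote addresses may negotiate, so peer authentication in IKE carries that burden.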

Updated: 2019-05-10

Document ID: EDOC1000079719