Huawei Firewall VPN Interoperation Configuration Guide
This document provides the guide for configuring a Huawei firewall to use VPN to communicate with a non-Huawei device.
Establishing an IPsec Tunnel Between Huawei Firewalls and Cisco Firewalls Using a Policy Template
Networking Requirements
In Figure 1-8, the HQ and branch are connected to the Internet through a Huawei firewall and a Cisco firewall, respectively. The Cisco firewall obtains the IP address of its outbound interface dynamically, so that address is not fixed. The enterprise requires an IPsec tunnel between the Huawei firewall and the Cisco firewall to secure communication between the HQ and the branch. Because the peer address is not known in advance, the Huawei firewall uses an IPsec policy template rather than a policy with a fixed peer.
Data Plan
| Item | Parameter | Huawei Firewall | Cisco Firewall |
|---|---|---|---|
| IPsec proposal | Encapsulation mode | Tunnel mode | Tunnel mode |
| | Security protocol | ESP | ESP |
| | ESP authentication algorithm | SHA1 | ESP-SHA-HMAC |
| | ESP encryption algorithm | AES-128 | ESP-AES (128-bit) |
| IKE peer | Negotiation mode | Main mode | Main mode |
| | Encryption algorithm | AES-128 | AES (128-bit) |
| | Authentication algorithm | SHA1 | SHA1 |
| | DH group | Group14 | Group14 |
| | Pre-shared key | YsHsjx_202206 | YsHsjx_202206 |
| | Identity type | IP address | IP address |
| | IKE version | IKEv1 (the IKEv1 MOD file must be installed) | IKEv1 |
Configuration Roadmap
- Configure the Huawei firewall.
  - Configure IP addresses for interfaces and assign interfaces to security zones.
  - Configure a default route from the Huawei firewall to the Internet.
  - Configure interzone security policies on the Huawei firewall to allow IKE negotiation packets, original packets before IPsec encapsulation, and original packets after IPsec decapsulation to pass through.
  - Configure IPsec, including defining the data flows to be protected, configuring an IPsec proposal, creating an IKE proposal, configuring an IKE peer, and configuring an IPsec policy template.
  - Apply the IPsec policy to a specific interface.
- Configure the Cisco firewall.
  - Configure IP addresses for interfaces and enable access control on the interfaces.
  - Configure a default route from the Cisco firewall to the Internet.
  - Configure IPsec, including defining the data flows to be protected, configuring an IPsec proposal, creating an IKE proposal, and configuring a pre-shared key.
  - Apply the IPsec policy to a specific interface.
  - Enable the IPsec policy on the interface.
Precautions
- When a Huawei firewall establishes an IPsec tunnel with a Cisco firewall using a policy template, no peer IP address is specified on the Huawei side. Consequently, only the Cisco firewall can initiate the tunnel: the Huawei firewall answers negotiation requests but never starts one, so traffic must first be sent from the branch toward the HQ.
- The outbound interface of the Cisco firewall can obtain a dynamic IP address through DHCP (ip address dhcp setroute) or by another non-DHCP method. How the address is obtained does not affect IPsec tunnel establishment.
- Algorithm settings on both ends of an IPsec tunnel must be consistent or overlap. SHA1, 3DES, and MD5 are classified as weak algorithms on the Huawei firewall and are only available after running the install feature-software WEAKEA command. SHA1 is used in this example for compatibility with the Cisco configuration; when both ends support SHA2 algorithms, prefer them so that the WEAKEA package is not needed.
- In this example, IKEv1 negotiation is used. By default, Huawei firewalls do not support IKEv1 SA negotiation. To use IKEv1 functions, you need to install the IKEv1 MOD file. The procedure is as follows:
  - Log in to the Huawei technical support website, search for the corresponding product and version in the software download area, and download the Product_Version_IKEv1_MOD00X.MOD file.
  - Upload the MOD file to the $_install_mod directory in the storage medium of the device.
  - Run the install-module Product_Version_IKEv1_MOD00X.MOD command to perform in-service installation of the MOD file.
Procedure
- Configure the Huawei firewall.
  - Install the WEAKEA feature package (required because SHA1 is used in this example).
    <HUAWEI> install feature-software WEAKEA
  - Install the IKEv1 MOD file.
    <HUAWEI> install-module Product_Version_IKEv1_MOD00X.MOD
  - Configure IP addresses for interfaces and assign interfaces to security zones.
    [HUAWEI] interface ge 1/0/1
    [HUAWEI-GE1/0/1] ip address 10.1.1.1 24
    [HUAWEI-GE1/0/1] service-manage ping permit   /*Allow the Cisco firewall to ping this interface (optional, used only for reachability tests).*/
    [HUAWEI-GE1/0/1] quit
    [HUAWEI] interface ge 1/0/2
    [HUAWEI-GE1/0/2] ip address 1.1.3.1 24
    [HUAWEI-GE1/0/2] service-manage ping permit   /*Allow the Cisco firewall to ping this interface (optional, used only for reachability tests).*/
    [HUAWEI-GE1/0/2] quit
    [HUAWEI] firewall zone trust
    [HUAWEI-zone-trust] add interface ge 1/0/1
    [HUAWEI-zone-trust] quit
    [HUAWEI] firewall zone untrust
    [HUAWEI-zone-untrust] add interface ge 1/0/2
    [HUAWEI-zone-untrust] quit
  - Configure a default route from the Huawei firewall to the Internet, assuming that the next-hop address is 1.1.3.2.
    [HUAWEI] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
  - Configure interzone security policies.
    - Configure security policies between the Trust and Untrust zones to allow original packets before IPsec encapsulation and after IPsec decapsulation to pass through the Huawei firewall.
      [HUAWEI] security-policy
      [HUAWEI-policy-security] rule name 1
      [HUAWEI-policy-security-rule-1] source-zone untrust
      [HUAWEI-policy-security-rule-1] destination-zone trust
      [HUAWEI-policy-security-rule-1] source-address 10.1.3.0 24
      [HUAWEI-policy-security-rule-1] destination-address 10.1.1.0 24
      [HUAWEI-policy-security-rule-1] action permit
      [HUAWEI-policy-security-rule-1] quit
      [HUAWEI-policy-security] rule name 2
      [HUAWEI-policy-security-rule-2] source-zone trust
      [HUAWEI-policy-security-rule-2] destination-zone untrust
      [HUAWEI-policy-security-rule-2] source-address 10.1.1.0 24
      [HUAWEI-policy-security-rule-2] destination-address 10.1.3.0 24
      [HUAWEI-policy-security-rule-2] action permit
      [HUAWEI-policy-security-rule-2] quit
    - Configure security policies between the Local and Untrust zones to allow IKE negotiation packets to pass through the Huawei firewall. Rules 3 and 4 match 1.1.5.1, the address the Cisco firewall currently holds on its outbound interface. Because that address is assigned dynamically, these rules stop matching if it changes; where the branch address really does vary, match the Untrust-to-Local rule on the IKE traffic itself (UDP ports 500 and 4500) and on ESP instead of on a fixed peer address.
      [HUAWEI-policy-security] rule name 3
      [HUAWEI-policy-security-rule-3] source-zone local
      [HUAWEI-policy-security-rule-3] destination-zone untrust
      [HUAWEI-policy-security-rule-3] source-address 1.1.3.1 32
      [HUAWEI-policy-security-rule-3] destination-address 1.1.5.1 32
      [HUAWEI-policy-security-rule-3] action permit
      [HUAWEI-policy-security-rule-3] quit
      [HUAWEI-policy-security] rule name 4
      [HUAWEI-policy-security-rule-4] source-zone untrust
      [HUAWEI-policy-security-rule-4] destination-zone local
      [HUAWEI-policy-security-rule-4] source-address 1.1.5.1 32
      [HUAWEI-policy-security-rule-4] destination-address 1.1.3.1 32
      [HUAWEI-policy-security-rule-4] action permit
      [HUAWEI-policy-security-rule-4] quit
  - Configure IPsec.
    - Configure an ACL to define the data flow to be protected. The Cisco ACL must be the mirror image of this one (source and destination swapped).
      [HUAWEI] acl 3000
      [HUAWEI-acl4-advance-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
      [HUAWEI-acl4-advance-3000] quit
    - Configure an IPsec proposal.
      [HUAWEI] ipsec proposal tran1
      [HUAWEI-ipsec-proposal-tran1] transform esp
      [HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
      [HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1
      [HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm aes-128
      [HUAWEI-ipsec-proposal-tran1] quit
    - Create an IKE proposal.
      [HUAWEI] ike proposal 1
      [HUAWEI-ike-proposal-1] encryption-algorithm aes-128
      [HUAWEI-ike-proposal-1] authentication-algorithm sha1
      [HUAWEI-ike-proposal-1] dh group14
      [HUAWEI-ike-proposal-1] quit
    - Configure an IKE peer. The undo version 2 command restricts the peer to IKEv1, matching the Cisco side; no remote address is configured because the branch address is dynamic.
      [HUAWEI] ike peer cisco
      [HUAWEI-ike-peer-cisco] undo version 2
      [HUAWEI-ike-peer-cisco] exchange-mode main
      [HUAWEI-ike-peer-cisco] ike-proposal 1
      [HUAWEI-ike-peer-cisco] pre-shared-key YsHsjx_202206
      [HUAWEI-ike-peer-cisco] quit
    - Configure IPsec policy template temp.
      [HUAWEI] ipsec policy-template temp 1
      [HUAWEI-ipsec-policy-template-temp-1] security acl 3000
      [HUAWEI-ipsec-policy-template-temp-1] proposal tran1
      [HUAWEI-ipsec-policy-template-temp-1] ike-peer cisco
      [HUAWEI-ipsec-policy-template-temp-1] quit
    - Configure an IPsec policy that references the template.
      [HUAWEI] ipsec policy map1 1 isakmp template temp
  - Apply the IPsec policy to GE1/0/2.
    [HUAWEI] interface ge 1/0/2
    [HUAWEI-GE1/0/2] ipsec policy map1
    [HUAWEI-GE1/0/2] quit
- Configure the Cisco firewall.
  - Configure IP addresses for interfaces.
    ASA5520> en
    ASA5520# configure terminal
    ASA5520(config)# interface GigabitEthernet 0/1
    ASA5520(config-if)# nameif in
    ASA5520(config-if)# security-level 90
    ASA5520(config-if)# ip address 10.1.3.1 255.255.255.0
    ASA5520(config-if)# exit
    ASA5520(config)# interface GigabitEthernet 0/2
    ASA5520(config-if)# nameif out
    ASA5520(config-if)# security-level 10
    ASA5520(config-if)# ip address dhcp setroute
    ASA5520(config-if)# exit
  - Enable access control on interfaces. This ACL permits only ICMP, which is enough for the ping used to verify the tunnel; any other traffic that is to cross the tunnel needs its own permit entries.
    ASA5520(config)# access-list 10 extended permit icmp any any
    ASA5520(config)# access-group 10 in interface in
    ASA5520(config)# access-group 10 out interface in
    ASA5520(config)# access-group 10 in interface out
    ASA5520(config)# access-group 10 out interface out
  - Configure a default route from the Cisco firewall to the Internet, assuming that the next-hop address is 1.1.5.2. When the outbound address is obtained through DHCP with the setroute keyword, the default route is installed from the DHCP offer and this static route is needed only when the address is assigned by another method.
    ASA5520(config)# route out 0.0.0.0 0.0.0.0 1.1.5.2 1
  - Configure IPsec.
    - Configure an ACL to define the data flow to be protected. It is the mirror image of ACL 3000 on the Huawei firewall.
      ASA5520(config)# access-list ipsec permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
    - Configure an IPsec proposal (transform set).
      ASA5520(config)# crypto ipsec transform-set myset esp-aes esp-sha-hmac
    - Create an IKE proposal.
      ASA5520(config)# crypto ikev1 policy 10
      ASA5520(config-isakmp-policy)# authentication pre-share
      ASA5520(config-isakmp-policy)# encryption aes
      ASA5520(config-isakmp-policy)# hash sha
      ASA5520(config-isakmp-policy)# group 14
      ASA5520(config-isakmp-policy)# lifetime 86400
      ASA5520(config-isakmp-policy)# exit
    - Configure the pre-shared key. The tunnel group is named after the Huawei firewall's fixed outbound address.
      ASA5520(config)# tunnel-group 1.1.3.1 type ipsec-l2l
      ASA5520(config)# tunnel-group 1.1.3.1 ipsec-attributes
      ASA5520(config-tunnel-ipsec)# ikev1 pre-shared-key YsHsjx_202206
      ASA5520(config-tunnel-ipsec)# exit
    - Configure an IPsec policy (crypto map) that references the configured ACL, the peer, and the transform set.
      ASA5520(config)# crypto map ipsec_map 10 match address ipsec
      ASA5520(config)# crypto map ipsec_map 10 set peer 1.1.3.1
      ASA5520(config)# crypto map ipsec_map 10 set transform-set myset
  - Apply the IPsec policy to a specific interface.
    ASA5520(config)# crypto map ipsec_map interface out
  - Enable the IPsec policy on the interface.
    ASA5520(config)# crypto isakmp enable out
Verifying the Configuration
- Ping a user at the HQ from the branch. Because the Huawei firewall uses a policy template and has no peer address configured, only traffic from the branch can trigger negotiation; a ping from the HQ side will not bring the tunnel up.
- In normal cases, the data flow from the branch to the HQ triggers the establishment of an IPsec tunnel between the Huawei firewall and the Cisco firewall. Run the display ike sa command on the Huawei firewall to check IKE SA establishment. Both the phase 1 (v1:1) and phase 2 (v1:2) SAs for peer 1.1.5.1 carry the RD (READY) flag, so IKE negotiation has completed.
    <HUAWEI> display ike sa
    current ike sa number: 2
    --------------------------------------------------------------------------------------------------
    conn-id    peer            flag          phase   vpn
    --------------------------------------------------------------------------------------------------
    179        1.1.5.1         RD|ST|A       v1:2    public
    178        1.1.5.1         RD|ST|D|A     v1:1    public

    flag meaning
    RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD M--ACTIVE S--STANDBY A--ALONE
- Run the display ipsec sa command to check IPsec SA establishment. The output shows an inbound and an outbound ESP SA for the protected flow, with the negotiated proposal ESP-ENCRYPT-AES ESP-AUTH-SHA1 and no NAT traversal encapsulation.
    <HUAWEI> display ipsec sa
    ===============================
    Interface: GE1/0/2
    path MTU: 1500
    ===============================

      -----------------------------
      IPSec policy name: "map1"
      sequence number: 1
      mode: template
      vpn: public
      -----------------------------
        connection id: 46
        rule number: 4294967295
        encapsulation mode: tunnel
        holding time: 0d 0h 0m 39s
        tunnel local : 1.1.3.1    tunnel remote: 1.1.5.1
        flow source: 10.1.1.0/255.255.255.0 0/0
        flow destination: 10.1.3.0/255.255.255.0 0/0

        [inbound ESP SAs]
          spi: 238449139 (0xe3671f3)
          vpn: public  said: 0  cpuid: 0x0000
          proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
          sa remaining key duration (kilobytes/sec): 4608000/3561
          max received sequence-number: 3
          udp encapsulation used for nat traversal: N

        [outbound ESP SAs]
          spi: 1163306489 (0x4556a5f9)
          vpn: public  said: 1  cpuid: 0x0000
          proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
          sa remaining key duration (kilobytes/sec): 4608000/3561
          max sent sequence-number: 4
          udp encapsulation used for nat traversal: N
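The display ike sa check above is easy to misread when only one of the two phases is READY (typically a phase 2 mismatch such as non-mirrored ACLs). The following parser turns the table into a per-peer state so the check can be scripted. This is an added example, not code from the original guide or from Huawei; the sample output is a constructed copy of the guide's display ike sa table, and the classification labels ("up", "phase1-only", "negotiating", "down") are this example's own.

```python
"""Parse Huawei 'display ike sa' output and classify the IKE state per peer.

Added example, not part of the original guide and not Huawei code. The state
labels returned by tunnel_state() are an assumption of this example.
"""
import re

# Constructed sample, copied from the guide's "display ike sa" output.
IKE_SA_OUTPUT = """\
current ike sa number: 2
--------------------------------------------------------------------------------------------------
conn-id    peer            flag          phase   vpn
--------------------------------------------------------------------------------------------------
179        1.1.5.1         RD|ST|A       v1:2    public
178        1.1.5.1         RD|ST|D|A     v1:1    public

flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD M--ACTIVE S--STANDBY A--ALONE
"""

# One SA row: conn-id, peer, '|'-joined flags, phase (v1:1, v1:2, v2:1, v2:2), vpn.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(v[12]:\d)\s+(\S+)\s*$")


def parse_ike_sa(text):
    """Return one dict per SA row; header, separator and legend lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            conn_id, peer, flags, phase, vpn = m.groups()
            sas.append({"conn_id": int(conn_id), "peer": peer,
                        "flags": set(flags.split("|")), "phase": phase, "vpn": vpn})
    return sas


def tunnel_state(sas, peer):
    """'up' when both phases for the peer are READY, 'phase1-only' when only the
    IKE SA is READY (look at the protected-flow definitions), 'negotiating' when a
    row still carries NEG, otherwise 'down'."""
    mine = [s for s in sas if s["peer"] == peer]
    ready = {s["phase"] for s in mine if "RD" in s["flags"]}
    if {"v1:1", "v1:2"} <= ready or {"v2:1", "v2:2"} <= ready:
        return "up"
    if any("NEG" in s["flags"] for s in mine):
        return "negotiating"
    if "v1:1" in ready or "v2:1" in ready:
        return "phase1-only"
    return "down"


if __name__ == "__main__":
    sas = parse_ike_sa(IKE_SA_OUTPUT)
    for sa in sas:
        print(sa)
    print("1.1.5.1:", tunnel_state(sas, "1.1.5.1"))
```

Feed the function the captured output of display ike sa (for example from an SSH session) and alert on anything other than "up"; "phase1-only" is the signature of a phase 2 proposal or ACL mismatch, while "down" with no rows at all usually means the branch has not yet sent traffic or the Untrust-to-Local policy is dropping IKE.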
Configuration Files
#
 sysname HUAWEI
#
interface GE1/0/1
 undo shutdown
 ip address 10.1.1.1 24
 service-manage ping permit
#
interface GE1/0/2
 undo shutdown
 ip address 1.1.3.1 24
 service-manage ping permit
 ipsec policy map1
#
firewall zone trust
 add interface GE1/0/1
#
firewall zone untrust
 add interface GE1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 10.1.3.0 24
  destination-address 10.1.1.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  destination-address 10.1.3.0 24
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 1.1.3.1 32
  destination-address 1.1.5.1 32
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 1.1.5.1 32
  destination-address 1.1.3.1 32
  action permit
#
acl 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
#
ike proposal 1
 encryption-algorithm aes-128
 authentication-algorithm sha1
 dh group14
#
ike peer cisco
 undo version 2
 exchange-mode main
 ike-proposal 1
 pre-shared-key YsHsjx_202206
#
ipsec policy-template temp 1
 security acl 3000
 proposal tran1
 ike-peer cisco
#
ipsec policy map1 1 isakmp template temp
#
return
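The precaution that "algorithm settings on both ends must be consistent or overlap" and the requirement that the two ACLs mirror each other are the two things most often wrong in a cross-vendor tunnel, and the two CLIs spell the same algorithm differently (sha1 versus esp-sha-hmac, aes-128 versus esp-aes, group14 versus group 14). The script below reads both ends of this example and reports any mismatch before the configuration is pushed. It is an added example, not code from the original guide, Huawei or Cisco; the two configuration snippets are constructed from the guide's values, and the CANON spelling map is an assumption covering only the algorithms used on this page (extend it for others).

```python
"""Cross-check the Huawei and Cisco ends of the IPsec example for consistency.

Added example, not part of the original guide and not Huawei or Cisco code. The
configuration snippets are constructed from the guide; CANON (vendor spelling ->
neutral algorithm name) is an assumption and covers only the algorithms used here.
"""
import ipaddress
import re

# Constructed from the guide's Huawei configuration file (not device output).
HUAWEI_CFG = """\
acl 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
ike proposal 1
 encryption-algorithm aes-128
 authentication-algorithm sha1
 dh group14
ike peer cisco
 pre-shared-key YsHsjx_202206
"""

# Constructed from the guide's ASA commands (not device output).
ASA_CFG = """\
access-list ipsec permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 14
tunnel-group 1.1.3.1 ipsec-attributes
 ikev1 pre-shared-key YsHsjx_202206
"""

# Assumed vendor-token -> neutral-name map; extend for other algorithms.
CANON = {
    "sha1": "sha1", "esp-sha-hmac": "sha1", "sha": "sha1",
    "aes-128": "aes-128", "esp-aes": "aes-128", "aes": "aes-128",
    "group14": "dh14", "14": "dh14",
}
# Algorithms the Huawei firewall enables only after install feature-software WEAKEA.
WEAK = {"sha1", "md5", "3des", "des"}


def _grab(cfg, pattern):
    """First capture group of pattern in cfg (multi-line mode), or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1).strip() if m else None


def to_net(addr_mask):
    """Parse 'addr mask'. ipaddress accepts both a netmask (255.255.255.0, as in
    the ASA ACL) and a wildcard/hostmask (0.0.0.255, as in the Huawei ACL)."""
    addr, mask = addr_mask.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_huawei(cfg):
    m = re.search(r"rule permit ip source (\S+ \S+) destination (\S+ \S+)", cfg)
    return {
        "esp_auth": CANON[_grab(cfg, r"esp authentication-algorithm (\S+)")],
        "esp_enc": CANON[_grab(cfg, r"esp encryption-algorithm (\S+)")],
        "ike_enc": CANON[_grab(cfg, r"^\s*encryption-algorithm (\S+)")],
        "ike_auth": CANON[_grab(cfg, r"^\s*authentication-algorithm (\S+)")],
        "dh": CANON[_grab(cfg, r"^\s*dh (\S+)")],
        "psk": _grab(cfg, r"pre-shared-key (\S+)"),
        "flow": (to_net(m.group(1)), to_net(m.group(2))),
    }


def parse_asa(cfg):
    m = re.search(r"^access-list \S+ (?:extended )?permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M)
    transforms = _grab(cfg, r"crypto ipsec transform-set \S+ (.+)$").split()
    return {
        "esp_auth": CANON[next(t for t in transforms if "hmac" in t)],
        "esp_enc": CANON[next(t for t in transforms if "hmac" not in t)],
        "ike_enc": CANON[_grab(cfg, r"^\s*encryption (\S+)")],
        "ike_auth": CANON[_grab(cfg, r"^\s*hash (\S+)")],
        "dh": CANON[_grab(cfg, r"^\s*group (\S+)")],
        "psk": _grab(cfg, r"pre-shared-key (\S+)"),
        "flow": (to_net(m.group(1)), to_net(m.group(2))),
    }


def check_interop(hw, asa):
    """List of mismatches between the two ends; empty means they agree."""
    problems = [f"{k}: Huawei {hw[k]} vs Cisco {asa[k]}"
                for k in ("ike_enc", "ike_auth", "dh", "esp_enc", "esp_auth")
                if hw[k] != asa[k]]
    if hw["psk"] != asa["psk"]:
        problems.append("pre-shared keys differ")
    # Protected flows must be mirror images: Huawei src/dst == Cisco dst/src.
    if hw["flow"] != (asa["flow"][1], asa["flow"][0]):
        problems.append(f"flows are not mirror images: {hw['flow']} vs {asa['flow']}")
    return problems


def weak_algorithms(params):
    """Algorithms on one end that the Huawei firewall classes as weak (WEAKEA needed)."""
    return {params[k] for k in ("ike_auth", "esp_auth", "ike_enc", "esp_enc")} & WEAK


if __name__ == "__main__":
    hw, asa = parse_huawei(HUAWEI_CFG), parse_asa(ASA_CFG)
    print("mismatches:", check_interop(hw, asa) or "none")
    print("weak algorithms in use:", sorted(weak_algorithms(hw)))
```

For this page's configuration the check reports no mismatches and flags sha1 as the one algorithm that forces the WEAKEA package; change group 14 to group 2 on the ASA snippet, or flip one ACL, and the corresponding line appears in the mismatch list.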