Establishing IPSec Tunnels in Policy Template Mode Between HUAWEI Firewalls and Fortinet Firewalls
Networking Requirements
The HUAWEI firewall serves as the headquarters gateway and uses a policy template to establish an IPSec tunnel with the branch gateway. The outbound interface of the branch gateway may have a fixed or a dynamic public IP address. Figure 1 shows the scenario in which the outbound interface has a dynamic public IP address. In this scenario only the branch, not the headquarters, can initiate the negotiation to establish the IPSec tunnel.
Data Plan
| Configuration Item | | HUAWEI Firewall | Fortinet Firewall |
|---|---|---|---|
| IKE SA | Negotiation mode | Main mode | Main mode |
| | Encryption algorithm | 3des | 3des |
| | Authentication algorithm | sha1 | sha1 |
| | Pre-shared key | Key@123 | Key@123 |
| | Identity type | Configuration not required | Peer address |
| | IKE version | V1 | V1 |
| | DH | Group2 | Group2 |
| IPSec SA | Encapsulation mode | Tunnel mode | Tunnel mode |
| | Security protocol | ESP | ESP |
| | Encryption algorithm | 3des | 3des |
| | Authentication algorithm | sha1 | sha1 |
Configuration Roadmap
- Configure the HUAWEI firewall:
- Set IP addresses for interfaces and assign the interfaces to security zones.
- Configure an interzone security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the HUAWEI firewall.
- Configure the default route from the HUAWEI firewall to the Internet.
- Configure an IPSec policy, including defining the data flow to be protected, configuring an IPSec proposal, creating an IKE proposal, configuring an IKE peer, and configuring a policy template.
- Apply the IPSec policy to an interface.
- Configure the Fortinet firewall:
- Set IP addresses for interfaces.
- Configure the IKE SA and IPSec SA.
- Assign the tunnel interface to the Untrust zone.
- Configure a security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the Fortinet firewall.
- Configure a route to divert traffic to the tunnel interface.
- Configure the default route to the Internet.
Configuration Precautions
- When you configure an IPSec policy using a template on the HUAWEI firewall, you can strictly specify the peer IP address if the peer public IP address is fixed; if it is not fixed, you can specify a peer IP address segment or leave the peer address unspecified.
- The most significant difference between the template mode and the policy mode is that the template mode does not require a fixed peer IP address. You therefore do not need to run the remote-address command to specify a peer IP address; you can specify an address segment instead.
- With an IPSec policy in template mode, the HQ HUAWEI firewall needs only one IPSec policy and one IKE peer regardless of the number of branches, which simplifies the configuration. With a directly configured IPSec policy (no template), N branches require N IPSec policies and N IKE peers at the HQ, which complicates the configuration.
Configuration Procedure
- Configure the HUAWEI firewall.
- Configure interfaces and assign them to security zones.
- Configure GE1/0/3 and assign it to the Untrust zone.
```
[HUAWEI] interface GigabitEthernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] ip address 1.1.1.1 24
[HUAWEI-GigabitEthernet1/0/3] quit
[HUAWEI] firewall zone untrust
[HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/3
[HUAWEI-zone-untrust] quit
```
- Configure GE1/0/5 and assign it to the Trust zone.
```
[HUAWEI] interface GigabitEthernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] ip address 192.168.10.1 24
[HUAWEI-GigabitEthernet1/0/5] quit
[HUAWEI] firewall zone trust
[HUAWEI-zone-trust] add interface GigabitEthernet 1/0/5
[HUAWEI-zone-trust] quit
```
- Configure security policies.
- Configure Untrust-Trust interzone security policies.
Configure policy 1 so that the branch can access the headquarters and configure policy 2 so that the headquarters can access the branch.
```
[HUAWEI] security-policy
[HUAWEI-policy-security] rule name 1
[HUAWEI-policy-security-rule-1] source-zone untrust
[HUAWEI-policy-security-rule-1] destination-zone trust
[HUAWEI-policy-security-rule-1] source-address 192.168.0.0 24
[HUAWEI-policy-security-rule-1] destination-address 192.168.10.0 24
[HUAWEI-policy-security-rule-1] action permit
[HUAWEI-policy-security-rule-1] quit
[HUAWEI-policy-security] rule name 2
[HUAWEI-policy-security-rule-2] source-zone trust
[HUAWEI-policy-security-rule-2] destination-zone untrust
[HUAWEI-policy-security-rule-2] source-address 192.168.10.0 24
[HUAWEI-policy-security-rule-2] destination-address 192.168.0.0 24
[HUAWEI-policy-security-rule-2] action permit
[HUAWEI-policy-security-rule-2] quit
```
- Configure Local-Untrust interzone security policies.
Configure policy 3 so that the HUAWEI firewall can initiate an IPSec tunnel establishment request and configure policy 4 so that the HUAWEI firewall can receive an IPSec tunnel establishment request. The source and destination addresses are the public addresses of the outbound interfaces at both ends.
```
[HUAWEI-policy-security] rule name 3
[HUAWEI-policy-security-rule-3] source-zone local
[HUAWEI-policy-security-rule-3] destination-zone untrust
[HUAWEI-policy-security-rule-3] source-address 1.1.1.1 24
[HUAWEI-policy-security-rule-3] action permit
[HUAWEI-policy-security-rule-3] quit
[HUAWEI-policy-security] rule name 4
[HUAWEI-policy-security-rule-4] source-zone untrust
[HUAWEI-policy-security-rule-4] destination-zone local
[HUAWEI-policy-security-rule-4] destination-address 1.1.1.1 24
[HUAWEI-policy-security-rule-4] action permit
[HUAWEI-policy-security-rule-4] quit
[HUAWEI-policy-security] quit
```
- Configure routes.
Configure a default route to the Internet. In the example, the next-hop IP address is 1.1.1.2.
```
[HUAWEI] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
```
- Create an ACL to define the traffic to be protected.
Packets from 192.168.10.0/24 to 192.168.0.0/24 shall be transmitted over an IPSec tunnel.
```
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[HUAWEI-acl-adv-3000] quit
```
- Before the HUAWEI firewall initiates a negotiation request, it looks up the outbound interface in the routing table, checks whether security policy 2 permits the traffic to be forwarded, checks whether the ACL selects the traffic for the IPSec tunnel, and checks whether security policy 3 permits it to initiate the negotiation. Only when all four checks pass does the HUAWEI firewall initiate the negotiation.
- When the HUAWEI firewall receives a negotiation request, it checks whether the ACL covers the peer's traffic and whether security policy 4 permits it to accept the negotiation. If both checks pass, the HUAWEI firewall starts negotiating with the peer; otherwise it discards the negotiation packet.
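As an added example (not part of the Huawei guide), the following Python models the responder-side checks described above using ACL 3000 and security policies 3 and 4 from this page; the zone names, the mirrored-subnet simplification and the function names are assumptions.

```python
import ipaddress

# Constructed model (added here, not part of the Huawei guide) of the checks the
# HQ firewall applies to an incoming IKE request in template mode: ACL 3000
# decides whether the proposed flow is protected, and security policy 4 decides
# whether the request may reach the Local zone at all.

# ACL 3000 as configured on the page: (source, wildcard, destination, wildcard).
ACL_3000 = [("192.168.10.0", "0.0.0.255", "192.168.0.0", "0.0.0.255")]

# Security policies 3 and 4 from the page; "any" means the field is unspecified.
# "1.1.1.1 24" on the Huawei CLI denotes the /24 network containing 1.1.1.1.
SECURITY_POLICIES = {
    3: {"src_zone": "local", "dst_zone": "untrust", "src": "1.1.1.0/24", "dst": "any"},
    4: {"src_zone": "untrust", "dst_zone": "local", "src": "any", "dst": "1.1.1.0/24"},
}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL semantics: a wildcard bit of 0 means that bit must equal base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_protects(src: str, dst: str) -> bool:
    """True if ACL 3000 selects the flow src -> dst (direction matters)."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in ACL_3000)


def policy_permits(rule_id: int, src_zone: str, dst_zone: str, src: str, dst: str) -> bool:
    """Evaluate one interzone security policy rule against a packet."""
    def in_spec(addr, spec):
        return spec == "any" or ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(spec)
    r = SECURITY_POLICIES[rule_id]
    return (r["src_zone"] == src_zone and r["dst_zone"] == dst_zone
            and in_spec(src, r["src"]) and in_spec(dst, r["dst"]))


def accept_negotiation(peer_ip: str, local_ip: str,
                       peer_local_net: str, peer_remote_net: str) -> bool:
    """Responder-side decision for an IKE request arriving from the Untrust zone.

    peer_local_net / peer_remote_net are the branch's src-subnet / dst-subnet.
    Seen from the HQ the protected flow runs the other way, so the ACL is
    checked with the subnets mirrored (simplification: network addresses only).
    """
    # Security policy 4: any public source passes because template mode fixes
    # no peer address; only the destination (our outbound interface) is pinned.
    if not policy_permits(4, "untrust", "local", peer_ip, local_ip):
        return False
    hq_src = str(ipaddress.IPv4Network(peer_remote_net).network_address)
    hq_dst = str(ipaddress.IPv4Network(peer_local_net).network_address)
    return acl_protects(hq_src, hq_dst)
```

Because policy 4 pins only the local destination, in template mode it is the ACL and the pre-shared key, not a peer address, that bound which branches can bring up a tunnel.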
- Configure an IKE SA.
- Configure an IKE proposal and specify the encryption algorithm, authentication algorithm, and DH group.
```
[HUAWEI] ike proposal 1
[HUAWEI-ike-proposal-1] encryption-algorithm 3des
[HUAWEI-ike-proposal-1] authentication-algorithm sha1
[HUAWEI-ike-proposal-1] dh group2
[HUAWEI-ike-proposal-1] quit
```
- Configure an IKE peer and specify the negotiation mode, IKE version, and pre-shared key.
```
[HUAWEI] ike peer fortigate
[HUAWEI-ike-peer-fortigate] exchange-mode main
[HUAWEI-ike-peer-fortigate] undo version 2
[HUAWEI-ike-peer-fortigate] ike-proposal 1
[HUAWEI-ike-peer-fortigate] pre-shared-key Key@123
[HUAWEI-ike-peer-fortigate] quit
```
- The IP address of the peer outbound interface is not fixed, so you do not need to run the remote-address command to specify the peer IP address.
- The Fortinet firewall does not provide the command for setting the IKE version, and the default version is IKEv1. Therefore, you must run the undo version 2 command to set the IKE version to IKEv1 on the HUAWEI firewall.
- Configure an IPSec proposal and specify the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm.
```
[HUAWEI] ipsec proposal tran1
[HUAWEI-ipsec-proposal-tran1] transform esp
[HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm 3des
[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1
[HUAWEI-ipsec-proposal-tran1] quit
```
- Configure a template and a policy and associate the policy with the IKE peer, IPSec proposal, and ACL.
```
[HUAWEI] ipsec policy-template tem 1
[HUAWEI-ipsec-policy-template-tem-1] security acl 3000
[HUAWEI-ipsec-policy-template-tem-1] proposal tran1
[HUAWEI-ipsec-policy-template-tem-1] ike-peer fortigate
[HUAWEI-ipsec-policy-template-tem-1] quit
[HUAWEI] ipsec policy map1 1 isakmp template tem
```
Unlike the policy mode, the template mode requires you to configure the template first and then create a policy that references it. The ipsec policy command runs in the system view, so quit the template view before running it.
- Apply the IPSec policy to the interface.
```
[HUAWEI] interface GigabitEthernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] ipsec policy map1
[HUAWEI-GigabitEthernet1/0/3] quit
```
- Configure the Fortinet firewall.
- Configure an interface.
- Configure port03.
```
Fortigate # config system interface
Fortigate (interface) # edit port03
Fortigate (port03) # set mode dhcp
Fortigate (port03) # set allowaccess ping https ssh snmp http telnet
Fortigate (port03) # end
```
- Configure port10.
```
Fortigate # config system interface
Fortigate (interface) # edit port10
Fortigate (port10) # set ip 192.168.0.1/24
Fortigate (port10) # set allowaccess ping https ssh snmp http telnet
Fortigate (port10) # end
```
- The set mode dhcp command lets port03 obtain its IP address dynamically.
- On the Fortinet firewall you can configure security policies directly for physical interfaces without assigning them to security zones. You can also assign the interfaces to security zones and configure security policies for the zones instead.
- Configure an IKE SA and specify its name, bound interface, negotiation mode, encryption algorithm, authentication algorithm, pre-shared key, peer address, and DH group.
```
Fortigate # config vpn ipsec phase1-interface
Fortigate (phase1-interface) # edit firewall
new entry 'firewall' added
Fortigate (firewall) # set interface port03
Fortigate (firewall) # set mode main
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set psksecret Key@123
Fortigate (firewall) # set remote-gw 1.1.1.1
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # end
```
- Fortinet firewall does not provide the command for setting the IKE version and uses IKEv1 by default.
- Run the set interface command to bind the IKE SA to the specified port, which is equal to applying the IPSec policy to the interface on the HUAWEI firewall.
- Run the set proposal 3des-sha1 command to set the encryption algorithm (3des) and authentication algorithm (sha1) of the IKE SA.
- Configure an IPSec SA and specify its name, bound IKE SA, encryption algorithm, authentication algorithm, and DH group.
```
Fortigate # config vpn ipsec phase2-interface
Fortigate (phase2-interface) # edit firewall
new entry 'firewall' added
Fortigate (firewall) # set phase1name firewall
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set dst-subnet 192.168.10.0 255.255.255.0
Fortigate (firewall) # set src-subnet 192.168.0.0 255.255.255.0
Fortigate (firewall) # end
```
- The Fortinet firewall does not provide the command for setting the encapsulation mode or security protocol and uses the tunnel mode and ESP by default.
- Run the set phase1name command to specify the IKE SA referenced by the IPSec SA.
- Run the set proposal 3des-sha1 command to set the encryption algorithm (3des) and authentication algorithm (sha1) of the IPSec SA.
- The set dst-subnet and set src-subnet commands define the data flow to be protected, which corresponds to configuring an ACL on the HUAWEI firewall.
- Assign the tunnel interface to the Untrust zone.
```
Fortigate # config system zone
Fortigate (zone) # edit untrust
Fortigate (untrust) # set interface firewall
Fortigate (untrust) # end
```
- After you successfully configure the IKE SA, the device automatically generates a tunnel interface with the same name as the IKE SA for protected traffic to pass through.
- On the Fortinet firewall, you must assign the tunnel interface to a security zone and then configure a security policy accordingly.
- Configure security policies.
- Configure a security policy between port03 and port10.
Configure policy 66 so that the headquarters can properly access the branch and configure policy 99 so that the branch can properly access the headquarters.
```
Fortigate # config firewall policy
Fortigate (policy) # edit 66
Fortigate (66) # set srcintf port03
Fortigate (66) # set dstintf port10
Fortigate (66) # set srcaddr all
Fortigate (66) # set dstaddr all
Fortigate (66) # set action accept
Fortigate (66) # set schedule always
Fortigate (66) # set service ANY
Fortigate (66) # end
Fortigate # config firewall policy
Fortigate (policy) # edit 99
Fortigate (99) # set srcintf port10
Fortigate (99) # set dstintf port03
Fortigate (99) # set srcaddr all
Fortigate (99) # set dstaddr all
Fortigate (99) # set action accept
Fortigate (99) # set schedule always
Fortigate (99) # set service ANY
Fortigate (99) # end
```
- Configure a security policy between the Untrust zone and port10, namely, between the tunnel interface and port10.
Configure policy 96 to ensure that the traffic passing through the tunnel interface can enter the branch intranet and configure policy 76 to ensure that the traffic passing through the tunnel interface can be transparently transmitted to the extranet.
```
Fortigate # config firewall policy
Fortigate (policy) # edit 96
Fortigate (96) # set srcintf untrust
Fortigate (96) # set dstintf port10
Fortigate (96) # set srcaddr all
Fortigate (96) # set dstaddr all
Fortigate (96) # set action accept
Fortigate (96) # set schedule always
Fortigate (96) # set service ANY
Fortigate (96) # end
Fortigate # config firewall policy
Fortigate (policy) # edit 76
Fortigate (76) # set srcintf port10
Fortigate (76) # set dstintf untrust
Fortigate (76) # set srcaddr all
Fortigate (76) # set dstaddr all
Fortigate (76) # set action accept
Fortigate (76) # set schedule always
Fortigate (76) # set service ANY
Fortigate (76) # end
```
On the Fortinet firewall, you do not need to configure the security policy between the Untrust and Local zones.
- Configure routes.
- Configure a static route to divert the traffic to the tunnel interface.
```
Fortigate # config router static
Fortigate (static) # edit 76
Fortigate (76) # set device firewall
Fortigate (76) # set dst 192.168.10.0 255.255.255.0
Fortigate (76) # end
```
- Configure a default route to the Internet through port03, with 2.2.2.3 as the next hop.
```
Fortigate # config router static
Fortigate (static) # edit 33
Fortigate (33) # set dst 0.0.0.0 0.0.0.0
Fortigate (33) # set gateway 2.2.2.3
Fortigate (33) # set device port03
Fortigate (33) # end
```
Verification
- Ping PC1 at the headquarters from PC2 at the branch and verify whether the branch can proactively initiate an IPSec tunnel with the headquarters.
- On the HUAWEI firewall at the headquarters, run the display ike sa command. If the following information is displayed, the IKE SA is successfully established.
```
<HUAWEI> display ike sa
current ike sa number: 2
--------------------------------------------------------------------------------------------------
conn-id    peer                                    flag     phase   vpn
--------------------------------------------------------------------------------------------------
86         2.2.2.2                                 RD|A     v1:2    public
85         2.2.2.2                                 RD|A     v1:1    public

flag meaning
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT   TD--DELETING
NEG--NEGOTIATING   D--DPD   M--ACTIVE   S--STANDBY   A--ALONE
```
- On the HUAWEI firewall at the headquarters, run the display ipsec sa command. If the following information is displayed, the IPSec SA is successfully established.
```
<HUAWEI> display ipsec sa
===============================
Interface: GigabitEthernet1/0/3
path MTU: 1500
===============================

-----------------------------
IPSec policy name: "map1"
sequence number: 1
mode: template
vpn: public
-----------------------------
  connection id: 86
  rule number: 4294967295
  encapsulation mode: tunnel
  holding time: 0d 0h 1m 25s
  tunnel local : 1.1.1.1    tunnel remote: 2.2.2.2
  flow source: 192.168.10.0/255.255.255.0 0/0
  flow destination: 192.168.0.0/255.255.255.0 0/0

  [inbound ESP SAs]
    spi: 746108598 (0x2c78b6b6)
    vpn: public said: 130 cpuid: 0x0000
    proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
    sa remaining key duration (kilobytes/sec): 200000000/1715
    max received sequence-number: 5
    udp encapsulation used for nat traversal: N

  [outbound ESP SAs]
    spi: 3708493443 (0xdd0b1e83)
    vpn: public said: 131 cpuid: 0x0000
    proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
    sa remaining key duration (kilobytes/sec): 200000000/1715
    max sent sequence-number: 4
    udp encapsulation used for nat traversal: N
```
- Log in to the web UI of the branch Fortinet firewall to check the IPSec tunnel establishment.
- If the tunnel status is displayed as a green upward arrow, the IPSec tunnel is successfully established.
- You can also run the get ipsec tunnel list command on the branch Fortinet firewall to check the IPSec tunnel establishment. If the status is up, the IPSec tunnel is successfully established.
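As an added example (not from the Huawei guide), the following Python parses the display ike sa output shown in the verification steps and reports whether both IKE phases with a peer are READY, which is what an operator would script for tunnel monitoring; the sample text is constructed from the output on this page and the function names are assumptions.

```python
import re

# Constructed sample, copied from the "display ike sa" output on this page.
SAMPLE_IKE_SA = """\
current ike sa number: 2
----------------------------------------------------------------
conn-id    peer              flag     phase   vpn
----------------------------------------------------------------
86         2.2.2.2           RD|A     v1:2    public
85         2.2.2.2           RD|A     v1:1    public

flag meaning
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
TD--DELETING   NEG--NEGOTIATING   D--DPD   M--ACTIVE   S--STANDBY   A--ALONE
"""

# One SA row: conn-id, peer, flag list, "v<version>:<phase>", vpn instance.
SA_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+v(\d):(\d)\s+(\S+)\s*$")


def parse_ike_sa(text: str) -> list[dict]:
    """Return one record per SA row; header, separator and legend lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue
        conn_id, peer, flags, version, phase, vpn = m.groups()
        records.append({"conn_id": int(conn_id), "peer": peer,
                        "flags": set(flags.split("|")), "version": int(version),
                        "phase": int(phase), "vpn": vpn})
    return records


def tunnel_ready(text: str, peer: str, vpn: str = "public") -> bool:
    """True only when a READY phase-1 and a READY phase-2 SA exist with this peer."""
    ready_phases = {r["phase"] for r in parse_ike_sa(text)
                    if r["peer"] == peer and r["vpn"] == vpn
                    and "RD" in r["flags"] and "NEG" not in r["flags"]}
    return {1, 2} <= ready_phases


def stale_sas(text: str) -> list[int]:
    """conn-ids whose flags show the SA is fading, timing out, being deleted or replaced."""
    leaving = {"FD", "TO", "TD", "RL"}
    return [r["conn_id"] for r in parse_ike_sa(text) if r["flags"] & leaving]
```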
Configuration Files
```
#
 sysname HUAWEI
#
interface GigabitEthernet 1/0/3
 ip address 1.1.1.1 24
 ipsec policy map1
#
interface GigabitEthernet 1/0/5
 ip address 192.168.10.1 24
#
firewall zone untrust
 add interface GigabitEthernet 1/0/3
#
firewall zone trust
 add interface GigabitEthernet 1/0/5
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 192.168.0.0 24
  destination-address 192.168.10.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 24
  destination-address 192.168.0.0 24
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 24
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.1 24
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
acl 3000
 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
#
ike peer fortigate
 exchange-mode main
 undo version 2
 ike-proposal 1
 pre-shared-key Key@123
#
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
#
ipsec policy-template tem 1
 security acl 3000
 proposal tran1
 ike-peer fortigate
#
ipsec policy map1 1 isakmp template tem
#
return
```