CLI: Example for Configuring IPSec VPN for Users to Access the Headquarters Using the Windows 7 IKEv2 Client

Procedure

1. Set basic parameters on FW.
   1. Set the interface IP address.

      1. Configure the IP address of GigabitEthernet 1/0/1.

         <sysname> system-view
         [sysname] sysname FW
         [FW] interface GigabitEthernet 1/0/1 
         [FW-GigabitEthernet1/0/1] ip address 1.1.1.2 24  
         [FW-GigabitEthernet1/0/1] quit

      2. Configure the IP address of GigabitEthernet 1/0/3.

         [FW] interface GigabitEthernet 1/0/3 
         [FW-GigabitEthernet1/0/3] ip address 10.1.1.1 24 
         [FW-GigabitEthernet1/0/3] quit

   2. Add interfaces to corresponding security zones.

      1. Add GigabitEthernet 1/0/3 to the Trust zone.

         [FW] firewall zone trust 
         [FW-zone-trust] add interface GigabitEthernet 1/0/3 
         [FW-zone-trust] quit

      2. Add GigabitEthernet 1/0/1 to the Untrust zone.

         [FW] firewall zone untrust 
         [FW-zone-untrust] add interface GigabitEthernet 1/0/1 
         [FW-zone-untrust] quit

   3. Configure interzone security policies.

      # Configure a security policy to allow users in the headquarters to initiate access requests to traveling employees.

      [FW] security-policy
      [FW-policy-security] rule name policy1
      [FW-policy-security-rule-policy1] source-zone trust
      [FW-policy-security-rule-policy1] destination-zone untrust
      [FW-policy-security-rule-policy1] source-address 10.1.1.0 24
      [FW-policy-security-rule-policy1] destination-address range 10.1.1.2 10.1.1.100
      [FW-policy-security-rule-policy1] action permit
      [FW-policy-security-rule-policy1] quit

      # Configure a security policy to allow traveling users to initiate access requests to users in the headquarters.

      [FW-policy-security] rule name policy2
      [FW-policy-security-rule-policy2] source-zone untrust
      [FW-policy-security-rule-policy2] destination-zone trust
      [FW-policy-security-rule-policy2] source-address range 10.1.1.2 10.1.1.100
      [FW-policy-security-rule-policy2] destination-address 10.1.1.0 24
      [FW-policy-security-rule-policy2] action permit
      [FW-policy-security-rule-policy2] quit

      # Configure security policies to allow traveling users to negotiate an IPSec tunnel with the headquarters.

      The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP and port 500 for UDP (port 4500 also in NAT traversal scenarios).

      [FW-policy-security] rule name policy3
      [FW-policy-security-rule-policy3] source-zone local
      [FW-policy-security-rule-policy3] destination-zone untrust
      [FW-policy-security-rule-policy3] source-address 1.1.1.2 32
      [FW-policy-security-rule-policy3] action permit
      [FW-policy-security-rule-policy3] quit

      [FW-policy-security] rule name policy4
      [FW-policy-security-rule-policy4] source-zone untrust
      [FW-policy-security-rule-policy4] destination-zone local
      [FW-policy-security-rule-policy4] destination-address 1.1.1.2 32
      [FW-policy-security-rule-policy4] action permit
      [FW-policy-security-rule-policy4] quit
      [FW-policy-security] quit

2. Configure the service scheme on the FW.
   1. Set an IP address pool.

      [FW] ip pool pool1
      [FW-ip-pool-pool1] section 1 10.1.1.3 10.1.1.100
      [FW-ip-pool-pool1] quit

   2. Configure the service scheme used by access users.

      [FW] aaa
      [FW-aaa] service-scheme ikev2 
      [FW-aaa-service-ikev2] ip-pool pool1
      [FW-aaa-service-ikev2] quit 
      

   3. Apply the service scheme used by access users.

      [FW-aaa] domain net1
      [FW-aaa-domain-net1] service-type internetaccess ike
      [FW-aaa-domain-net1] service-scheme ikev2
      [FW-aaa-domain-net1] quit
      [FW-aaa] quit

3. Use SCEP to apply for a certificate online for FW.

   1. Create RSA key pair rsa_scep of 2048 bits and make it exportable from the device.

      [FW] pki rsa local-key-pair create rsa_scep exportable
       Info: The name of the new key-pair will be: rsa_scep                           
       The size of the public key ranges from 2048 to 4096.                            
       Input the bits in the modules:2048
       Generating key-pairs...                                                        
      ..................+++                                                           
      .+++   

   2. Configure a PKI entity.

      [FW_A] pki entity user01
      [FW_A-pki-entity-user01] common-name hello
      [FW_A-pki-entity-user01] country cn
      [FW_A-pki-entity-user01] email test@user.com
      [FW_A-pki-entity-user01] fqdn test.abc.com
      [FW_A-pki-entity-user01] ip-address 1.1.3.1
      [FW_A-pki-entity-user01] state jiangsu
      [FW_A-pki-entity-user01] organization huawei
      [FW_A-pki-entity-user01] organization-unit info
      [FW_A-pki-entity-user01] quit

   3. Apply for and update certificates online through SCEP.

      The fingerprint of the CA certificate is obtained from the CA server. In this example, the CA server version is Windows Server 2008, and the CA server uses the challenge password to process certificate requests and the challenge password is 6AE73F21E6D3571D. The URL for obtaining the challenge password and fingerprint is http://1.1.4.1:80/certsrv/mscep_admin. Assume that the fingerprint of the CA certificate is 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF in sha1 mode, and the URL for applying for the certificate is http://1.1.4.1:80/certsrv/mscep/mscep.dll.

      [FW_A] pki realm abc
      # Configure the trusted CA.
      FW_A-pki-realm-abc] ca id ca_root
      # Bind the entity.
      [FW_A-pki-realm-abc] entity user01
      # Configure the fingerprint of the CA certificate. The following uses 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF as the fingerprint.
      [FW_A-pki-realm-abc] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
      # Specify the URL of CA for certificate application.
      FW_A-pki-realm-abc] enrollment-url http://1.1.4.1:80/certsrv/mscep/mscep.dll ra
      # Specify the RSA key pair for certificate application.
      FW_A-pki-realm-abc] rsa local-key-pair rsa_scep
      # Specify the challenge password. The following uses 6AE73F21E6D3571D as the challenge password.
      [FW_A-pki-realm-abc] password cipher 6AE73F21E6D3571D
      [FW_A-pki-realm-abc] quit
      # Obtain the CA certificate.
      [FW_A] pki get-certificate ca realm abc

      The CA certificate is saved in the device storage with the name abc_ca.cer.

      # Import the CA certificate to memory.

      [FW_A] pki import-certificate ca filename abc_ca.cer 
       The CA's Subject is /CN=ca_root    
       The CA's fingerprint is:                                                       
         MD5  fingerprint:6DF2 CC66 6E6A 09A0 F590 F63B 80BA 017B                     
         SHA1 fingerprint:7A34 D946 24B1 C1BC BF6D 763C 4A67 035D 5B57 8EAF           
       Is the fingerprint correct?(Y/N):y
       Info: Succeeded in importing file.  

      # Enable automatic certificate enrollment and update: the PKI entity updates the certificate and RSA key pair when 60% of the certificate validity period has passed.

      [FW_A] pki realm abc
      [FW_A-pki-realm-abc] auto-enroll 60 regenerate 2048
      [FW_A-pki-realm-abc] quit

      The device automatically obtains the local certificate abc_local.cer and installs it on the device.

4. Configure an IPSec policy and apply the policy to the corresponding interface on FW.
   1. Configure advanced ACL 3000.

      [FW] acl 3000 
      [FW_acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255
      [FW_acl-adv-3000] quit

   2. Configure IPSec proposal tran1.

      [FW] ipsec proposal tran1
      [FW_ipsec-proposal-tran1] transform esp 
      [FW_ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [FW_ipsec-proposal-tran1] esp encryption-algorithm aes-256 
      [FW_ipsec-proposal-tran1] quit

   3. Configure an IKE proposal.

      [FW] ike proposal 10 
      [FW_ike-proposal-10] authentication-method rsa-signature 
      [FW_ike-proposal-10] prf hmac-sha2-256 
      [FW_ike-proposal-10] encryption-algorithm aes-256
      [FW_ike-proposal-10] dh group14
      [FW_ike-proposal-10] quit

   4. Configure an IKE peer.

      [FW] ike peer a
      [FW_ike-peer-a] ike-proposal 10
      [FW_ike-peer-a] certificate local-filename abc_local.cer
      [FW_ike-peer-a] service-scheme ikev2
      [FW_ike-peer-a] quit

   5. Configure an IPSec policy in the template mode.

      [FW] ipsec policy-template policy_temp 1 
      [FW-ipsec-policy-templet-policy_temp-1] security acl 3000 
      [FW-ipsec-policy-templet-policy_temp-1] proposal tran1 
      [FW-ipsec-policy-templet-policy_temp-1] ike-peer a 
      [FW-ipsec-policy-templet-policy_temp-1] quit
      [FW] ipsec policy policy 10 isakmp template policy_temp

   6. Apply IPSec policy policy to GigabitEthernet 1/0/1.

      [FW] interface GigabitEthernet 1/0/1 
      [FW_GigabitEthernet1/0/1] ipsec policy policy
      [FW_GigabitEthernet1/0/1] quit

5. Configure a route to the headquarters.

   To communicate with traveling employees, the headquarters device must have a route to the address pool, with the next hop pointing to the intranet interface address of the FW.

6. Configure the traveling employee's PC. The configuration on the Windows 7 operating system is as follows:
   1. Create an IKEv2 connection.
      1. Choose Start > Control Panel.
      2. Select Network and Internet.
      3. Open Network and Sharing Center.
      4. Select Set up a new connection or network.
      5. Click Use my Internet connection(VPN).

      6. Select Use my Internet connection(VPN).

      7. Set the Internet address and target name.

         Set the Internet address to the IP address of the extranet interface on the FW (you can also enter the domain name if the domain name is fixed).

      8. Set the user name and password. This step can be omitted in this scenario.

      9. Click Connect.
      10. Click Skip to skip the verification process. After The connection is ready for use is displayed, click Close.

   2. Set IKEv2 connection parameters.
      1. In the left pane of Network and Sharing Center, select Change adapter settings.
      2. Right-click the new VPN connection and select Properties.

      3. Set Options, Security, and Networking.

      Figure 3-13 Choose a connection option
      

      Figure 3-14 Choose a connection option
      

      Figure 3-15 Choose a connection option
      

      The Windows 7 operating system requires that the firewall certificate extensions should contain Server Authentication and IP Security IKE intermediate. Perform the configurations on the certificate server.

   3. Generate a certificate request file.
      • Choose Start > Run, enter mmc, and click OK.

      • Add a certificate node on the console.

        
        
        

        Click OK.

      • Create a user-defined request.

        Expand Certificates, click Personal, and right-click the right blank area to create a user-defined request.

      • Configure a certificate registration policy.

        Click Next. Perform the following configurations.

        Set a certificate attribute owner and leave General and Extensions unconfigured.

        Select RSA as the private key encryption service process, set key options, and click OK.

        Click Next, set the file format to Base 64 and specify the file name and file storage path, and click Finish.

   4. Apply for a local certificate.
      1. Log in to the certificate server.
      2. Click Request a certificate.
      3. Select advanced certificate request.
      4. Select Submit a certificate request using a base-64-encoded CMC or PKCS #10 file or Submit a renewal request by using a base-64-encoded PKCS #7 file.
      5. Copy the information contained in the file to the text box for requesting a certificate and select the template configured on the certificate server.
      6. Click Submit.
      7. Select DER Code, download the certificate, and export the obtained certificate file.

   5. Apply for the root certificate.
      1. Log in to the certificate server.
      2. Click Download a CA certificate, certificate chain, or CRL.
      3. Select DER Code and download the CA certificate.
      4. Select a path to store the root certificate.

   6. Import the local certificate.

      • Expand Certificates on the left menu bar of the console, click Personal, and right-click the right blank area to import the certificate.

      • Access the certificate import wizard and click Next.
      • Select the PC's local certificate and click Next.
      • Select Place all certificates in the following store, click Browse, and select personal.
      • Click OK.
      • Click Next.
      • Click Finish. View Certificates to check whether the certificate is imported to Personal.

   7. Import the root certificate.

      • Expand Certificates on the left menu bar of the console, click Personal, and right-click the right blank area to import the certificate.

      • Access the certificate import wizard and click Next.
      • Select the root certificate and click Next.
      • Select Place all certificates in the following store, click Browse, and select Trusted Root Certification Authorities.
      • Click OK.
      • Click Next.
      • Click Finish. View Certificates to check whether the certificate is imported to Trusted Root Certification Authorities.