Establishing IPSec Tunnels Between HUAWEI Firewalls and HUAWEI AR Routers in NAT Traversal Scenarios
Networking Requirements
As shown in Figure 1, the branch HUAWEI AR is located inside the enterprise network, and a NAT device is deployed at the network egress (HUAWEI firewall_B functions as the NAT device). An IPSec tunnel that traverses the NAT device must be established between the HUAWEI AR at the branch and the HUAWEI firewall at the HQ so that the branch and the HQ can communicate securely.
Data Plan
Configuration Item | | HUAWEI Firewall_A | HUAWEI AR Router
---|---|---|---
IPSec proposal | Encapsulation mode | Tunnel mode | Tunnel mode
 | Security protocol | ESP | ESP
 | ESP authentication algorithm | SHA2-256 | SHA2-256
 | ESP encryption algorithm | AES-128 | AES-128
 | DH group | GROUP2 | GROUP2
IKE peer | Negotiation mode | Main mode | Main mode
 | Encryption algorithm | AES-128 | AES-128
 | Authentication algorithm | SHA2-256 | SHA2-256
 | Pre-shared key | Key123 | Key123
 | Identity type | IP address | IP address
 | IKE version | V1 | V1
Configuration Roadmap
- Configure HUAWEI firewall_A:
  - Set IP addresses for interfaces and assign the interfaces to security zones.
  - Configure the default route from HUAWEI firewall_A to the Internet.
  - Configure interzone security policies that allow IKE negotiation packets, original (unencapsulated) IPSec packets, and decapsulated IPSec packets to pass through HUAWEI firewall_A.
  - Configure an IPSec policy: define the data flow to be protected, configure an IPSec proposal, create an IKE proposal, configure an IKE peer, and enable IPSec NAT traversal.
  - Apply the IPSec policy to an interface.
- Configure HUAWEI firewall_B:
  - Set IP addresses for interfaces and assign the interfaces to security zones.
  - Configure an Untrust-Trust interzone security policy that allows the post-NAT packets to pass through HUAWEI firewall_B.
  - Configure source NAT.
  - Configure routes to the HQ and the branch.
- Configure the HUAWEI AR:
  - Set IP addresses for interfaces.
  - Configure a default route from the HUAWEI AR to the Internet.
  - Configure an IPSec policy: define the data flow to be protected, configure an IPSec proposal, create an IKE proposal, set the SHA2 compatibility mode to match the peer, and configure an IKE peer.
  - Apply the IPSec policy to an interface.
Configuration Precautions
- On the firewall, remote-address authentication-address must be set to the pre-NAT IP address of the peer, that is, the address the branch AR uses to identify itself. Otherwise, the alarm IPSEC/4/IPSECNEGOFAIL is generated during tunnel establishment, with reasoncode=3 indicating an identity authentication failure.
- In this example, the HUAWEI AR router runs software version V200R007C00. When this version interworks with the HUAWEI firewall using the SHA2 authentication algorithm, the two ends may implement SHA2 inconsistently, which causes packet encryption and decryption failures and interrupts services. Therefore, in this example, you must run the ipsec authentication sha2 compatible enable command on the AR.
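The two precautions above, together with the data plan, amount to a checklist that can be automated before the tunnel is brought up: every negotiated parameter must match on both ends, and the firewall's authentication-address must be the branch's pre-NAT address. The following script is an added example written for this page, not Huawei code or output. It parses two configuration excerpts constructed from the data plan (only the commands relevant to the check are included), reports any mismatch, and encodes the NAT-traversal address rule; the function and variable names are the example's own.

```python
"""Added example (not Huawei code): cross-check the IKE/IPSec parameters of the
two peers of a NAT-traversal tunnel, including the pre-NAT authentication-address
rule. The configuration excerpts are constructed from this page's data plan."""

# Constructed excerpt of the HQ firewall (HUAWEI firewall_A) configuration.
FIREWALL_A = """\
ike proposal 1
 encryption-algorithm aes-128
 authentication-algorithm sha2-256
 dh group2
ike peer ar
 undo version 2
 exchange-mode main
 ike-proposal 1
 pre-shared-key Key123
 remote-address 1.1.5.1
 remote-address authentication-address 172.16.1.2
 nat traversal
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
"""

# Constructed excerpt of the branch router (HUAWEI AR) configuration.
AR = """\
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha2-256
 dh group2
ike peer firewall v1
 exchange-mode main
 ike-proposal 1
 pre-shared-key cipher Key123
 remote-address 1.1.3.1
 nat traversal
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
"""

# The firewall and the AR spell the same IKE cipher differently.
ALIASES = {"aes-cbc-128": "aes-128", "aes-cbc-256": "aes-256"}
# Single-keyword commands mapped to the parameter they set.
KEYS = {"exchange-mode": "exchange_mode", "remote-address": "remote_address",
        "encryption-algorithm": "ike_enc", "authentication-algorithm": "ike_auth",
        "dh": "dh", "transform": "transform", "encapsulation-mode": "encap"}
# Parameters both peers must agree on for IKE and IPSec negotiation to succeed.
MUST_MATCH = ("ike_version", "exchange_mode", "psk", "ike_enc", "ike_auth", "dh",
              "transform", "encap", "esp_auth", "esp_enc", "nat_traversal")


def extract(config):
    """Reduce one peer's configuration to the parameters that are negotiated."""
    p = {"ike_version": "unspecified", "nat_traversal": False}
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["ike", "peer"] and "v1" in w[2:]:
            p["ike_version"] = "v1"          # AR syntax: version given on the peer line
        elif w[:3] == ["undo", "version", "2"]:
            p["ike_version"] = "v1"          # firewall syntax: IKEv2 disabled
        elif w[:2] == ["remote-address", "authentication-address"]:
            p["auth_address"] = w[2]
        elif w[:2] == ["nat", "traversal"]:
            p["nat_traversal"] = True
        elif w[0] == "pre-shared-key":
            p["psk"] = w[-1]                 # the 'cipher' keyword is optional
        elif w[0] == "esp":
            p["esp_auth" if w[1] == "authentication-algorithm" else "esp_enc"] = w[2]
        elif w[0] in KEYS:
            p[KEYS[w[0]]] = ALIASES.get(w[1], w[1])
    return p


def check_peers(hq_cfg, branch_cfg, nat_public_ip, branch_pre_nat_ip, hq_ip):
    """Return a list of problems; an empty list means the peers are consistent."""
    hq, br = extract(hq_cfg), extract(branch_cfg)
    problems = [f"{k}: HQ={hq.get(k)} branch={br.get(k)}"
                for k in MUST_MATCH if hq.get(k) != br.get(k)]
    # IKE packets from the branch arrive at HQ with the NAT device's public
    # address as source, so remote-address is the post-NAT address ...
    if hq.get("remote_address") != nat_public_ip:
        problems.append(f"HQ remote-address should be the NAT public address {nat_public_ip}")
    # ... but with identity type 'IP address' the branch identifies itself by its
    # own interface address, so the identity to authenticate is the pre-NAT one.
    if hq.get("auth_address") != branch_pre_nat_ip:
        problems.append("HQ remote-address authentication-address must be the pre-NAT "
                        f"address {branch_pre_nat_ip} (otherwise IPSECNEGOFAIL reasoncode=3)")
    if br.get("remote_address") != hq_ip:
        problems.append(f"branch remote-address should be the HQ address {hq_ip}")
    return problems


if __name__ == "__main__":
    print(check_peers(FIREWALL_A, AR, "1.1.5.1", "172.16.1.2", "1.1.3.1") or "peers consistent")
```

Run against the page's addresses (NAT public address 1.1.5.1, AR pre-NAT address 172.16.1.2, firewall address 1.1.3.1) the check returns no problems; setting the authentication-address to the post-NAT address 1.1.5.1, the misconfiguration the first precaution warns about, produces exactly one finding.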
Configuration Procedure
- Configure the HUAWEI firewall_A.
  - Set IP addresses for interfaces and assign them to security zones.

    ```
    [HUAWEI_A] interface GigabitEthernet 1/0/1
    [HUAWEI_A-GigabitEthernet1/0/1] ip address 10.1.1.1 24
    [HUAWEI_A-GigabitEthernet1/0/1] quit
    [HUAWEI_A] interface GigabitEthernet 1/0/2
    [HUAWEI_A-GigabitEthernet1/0/2] ip address 1.1.3.1 24
    [HUAWEI_A-GigabitEthernet1/0/2] quit
    [HUAWEI_A] firewall zone trust
    [HUAWEI_A-zone-trust] add interface GigabitEthernet 1/0/1
    [HUAWEI_A-zone-trust] quit
    [HUAWEI_A] firewall zone untrust
    [HUAWEI_A-zone-untrust] add interface GigabitEthernet 1/0/2
    [HUAWEI_A-zone-untrust] quit
    ```

  - Configure a default route from the HUAWEI firewall_A to the Internet. In the example, the next-hop IP address is 1.1.3.2.

    ```
    [HUAWEI_A] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
    ```

  - Configure interzone security policies.
    - Configure security policies for the Trust-Untrust interzone to allow the unencapsulated and decapsulated packets to pass through the HUAWEI firewall_A.

      ```
      [HUAWEI_A] security-policy
      [HUAWEI_A-policy-security] rule name 1
      [HUAWEI_A-policy-security-rule-1] source-zone untrust
      [HUAWEI_A-policy-security-rule-1] destination-zone trust
      [HUAWEI_A-policy-security-rule-1] source-address 10.1.3.0 24
      [HUAWEI_A-policy-security-rule-1] destination-address 10.1.1.0 24
      [HUAWEI_A-policy-security-rule-1] action permit
      [HUAWEI_A-policy-security-rule-1] quit
      [HUAWEI_A-policy-security] rule name 2
      [HUAWEI_A-policy-security-rule-2] source-zone trust
      [HUAWEI_A-policy-security-rule-2] destination-zone untrust
      [HUAWEI_A-policy-security-rule-2] source-address 10.1.1.0 24
      [HUAWEI_A-policy-security-rule-2] destination-address 10.1.3.0 24
      [HUAWEI_A-policy-security-rule-2] action permit
      [HUAWEI_A-policy-security-rule-2] quit
      ```

    - Configure security policies for the Local-Untrust interzone to allow IKE negotiation packets to pass through the HUAWEI firewall_A.

      ```
      [HUAWEI_A-policy-security] rule name 3
      [HUAWEI_A-policy-security-rule-3] source-zone local
      [HUAWEI_A-policy-security-rule-3] destination-zone untrust
      [HUAWEI_A-policy-security-rule-3] source-address 1.1.3.1 32
      [HUAWEI_A-policy-security-rule-3] destination-address 1.1.5.1 32
      [HUAWEI_A-policy-security-rule-3] action permit
      [HUAWEI_A-policy-security-rule-3] quit
      [HUAWEI_A-policy-security] rule name 4
      [HUAWEI_A-policy-security-rule-4] source-zone untrust
      [HUAWEI_A-policy-security-rule-4] destination-zone local
      [HUAWEI_A-policy-security-rule-4] source-address 1.1.5.1 32
      [HUAWEI_A-policy-security-rule-4] destination-address 1.1.3.1 32
      [HUAWEI_A-policy-security-rule-4] action permit
      [HUAWEI_A-policy-security-rule-4] quit
      [HUAWEI_A-policy-security] quit
      ```

  - Configure an IPSec policy.
    - Configure an ACL to define the data flow to be protected.

      ```
      [HUAWEI_A] acl 3000
      [HUAWEI_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
      [HUAWEI_A-acl-adv-3000] quit
      ```

    - Configure an IPSec proposal.

      ```
      [HUAWEI_A] ipsec proposal tran1
      [HUAWEI_A-ipsec-proposal-tran1] transform esp
      [HUAWEI_A-ipsec-proposal-tran1] encapsulation-mode tunnel
      [HUAWEI_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [HUAWEI_A-ipsec-proposal-tran1] esp encryption-algorithm aes-128
      [HUAWEI_A-ipsec-proposal-tran1] quit
      ```

    - Create an IKE proposal.

      ```
      [HUAWEI_A] ike proposal 1
      [HUAWEI_A-ike-proposal-1] encryption-algorithm aes-128
      [HUAWEI_A-ike-proposal-1] authentication-algorithm sha2-256
      [HUAWEI_A-ike-proposal-1] dh group2
      [HUAWEI_A-ike-proposal-1] quit
      ```

    - Configure an IKE peer. The remote-address is the public address of the NAT device; the authentication-address is the AR's pre-NAT address.

      ```
      [HUAWEI_A] ike peer ar
      [HUAWEI_A-ike-peer-ar] undo version 2
      [HUAWEI_A-ike-peer-ar] exchange-mode main
      [HUAWEI_A-ike-peer-ar] ike-proposal 1
      [HUAWEI_A-ike-peer-ar] pre-shared-key Key123
      [HUAWEI_A-ike-peer-ar] remote-address 1.1.5.1
      [HUAWEI_A-ike-peer-ar] remote-address authentication-address 172.16.1.2
      [HUAWEI_A-ike-peer-ar] nat traversal
      [HUAWEI_A-ike-peer-ar] quit
      ```

    - Configure an IPSec policy.

      ```
      [HUAWEI_A] ipsec policy map1 1 isakmp
      [HUAWEI_A-ipsec-policy-isakmp-map1-1] ike-peer ar
      [HUAWEI_A-ipsec-policy-isakmp-map1-1] proposal tran1
      [HUAWEI_A-ipsec-policy-isakmp-map1-1] security acl 3000
      [HUAWEI_A-ipsec-policy-isakmp-map1-1] quit
      ```

  - Apply the IPSec policy to interface GigabitEthernet 1/0/2.

    ```
    [HUAWEI_A] interface GigabitEthernet 1/0/2
    [HUAWEI_A-GigabitEthernet1/0/2] ipsec policy map1
    [HUAWEI_A-GigabitEthernet1/0/2] quit
    ```
- Configure the HUAWEI firewall_B.
  - Configure interfaces and assign them to security zones.

    ```
    [HUAWEI_B] interface GigabitEthernet 1/0/1
    [HUAWEI_B-GigabitEthernet1/0/1] ip address 1.1.5.1 255.255.255.0
    [HUAWEI_B-GigabitEthernet1/0/1] quit
    [HUAWEI_B] firewall zone untrust
    [HUAWEI_B-zone-untrust] add interface GigabitEthernet 1/0/1
    [HUAWEI_B-zone-untrust] quit
    [HUAWEI_B] interface GigabitEthernet 1/0/2
    [HUAWEI_B-GigabitEthernet1/0/2] ip address 172.16.1.1 255.255.255.0
    [HUAWEI_B-GigabitEthernet1/0/2] quit
    [HUAWEI_B] firewall zone trust
    [HUAWEI_B-zone-trust] add interface GigabitEthernet 1/0/2
    [HUAWEI_B-zone-trust] quit
    ```

  - Configure Untrust-Trust interzone security policies.

    ```
    [HUAWEI_B] security-policy
    [HUAWEI_B-policy-security] rule name 1
    [HUAWEI_B-policy-security-rule-1] source-zone untrust
    [HUAWEI_B-policy-security-rule-1] destination-zone trust
    [HUAWEI_B-policy-security-rule-1] source-address 1.1.3.0 24
    [HUAWEI_B-policy-security-rule-1] destination-address 172.16.1.0 24
    [HUAWEI_B-policy-security-rule-1] action permit
    [HUAWEI_B-policy-security-rule-1] quit
    [HUAWEI_B-policy-security] rule name 2
    [HUAWEI_B-policy-security-rule-2] source-zone trust
    [HUAWEI_B-policy-security-rule-2] destination-zone untrust
    [HUAWEI_B-policy-security-rule-2] source-address 172.16.1.0 24
    [HUAWEI_B-policy-security-rule-2] destination-address 1.1.3.0 24
    [HUAWEI_B-policy-security-rule-2] action permit
    [HUAWEI_B-policy-security-rule-2] quit
    [HUAWEI_B-policy-security] quit
    ```

  - Configure source NAT.

    ```
    [HUAWEI_B] nat-policy
    [HUAWEI_B-policy-nat] rule name policy_nat1
    [HUAWEI_B-policy-nat-rule-policy_nat1] source-zone trust
    [HUAWEI_B-policy-nat-rule-policy_nat1] destination-zone untrust
    [HUAWEI_B-policy-nat-rule-policy_nat1] source-address 172.16.1.0 24
    [HUAWEI_B-policy-nat-rule-policy_nat1] action nat easy-ip
    [HUAWEI_B-policy-nat-rule-policy_nat1] quit
    [HUAWEI_B-policy-nat] quit
    ```

  - Configure routes to the headquarters and the branch.

    ```
    [HUAWEI_B] ip route-static 10.1.3.0 255.255.255.0 172.16.1.2
    [HUAWEI_B] ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
    ```
- Configure the HUAWEI AR router.
  - Set interface IP addresses for the HUAWEI AR router.

    ```
    [AR] interface GigabitEthernet 0/0/1
    [AR-GigabitEthernet0/0/1] ip address 10.1.3.1 24
    [AR-GigabitEthernet0/0/1] quit
    [AR] interface GigabitEthernet 0/0/2
    [AR-GigabitEthernet0/0/2] ip address 172.16.1.2 24
    [AR-GigabitEthernet0/0/2] quit
    ```

  - Configure a default route from the HUAWEI AR router to the Internet. In the example, the next-hop IP address is 1.1.5.2.

    ```
    [AR] ip route-static 0.0.0.0 0.0.0.0 172.16.1.1
    ```

  - Configure an IPSec policy.
    - Configure an ACL to define the data flow to be protected.

      ```
      [AR] acl 3000
      [AR-acl-adv-3000] rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      [AR-acl-adv-3000] quit
      ```

    - Configure an IPSec proposal.

      ```
      [AR] ipsec proposal tran1
      [AR-ipsec-proposal-tran1] transform esp
      [AR-ipsec-proposal-tran1] encapsulation-mode tunnel
      [AR-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [AR-ipsec-proposal-tran1] esp encryption-algorithm aes-128
      [AR-ipsec-proposal-tran1] quit
      ```

    - Create an IKE proposal.

      ```
      [AR] ike proposal 1
      [AR-ike-proposal-1] encryption-algorithm aes-cbc-128
      [AR-ike-proposal-1] authentication-algorithm sha2-256
      [AR-ike-proposal-1] dh group2
      [AR-ike-proposal-1] quit
      ```

    - Set the SHA2 encryption and decryption modes to be the same as those on the peer end.

      ```
      [AR] ipsec authentication sha2 compatible enable
      ```

    - Configure an IKE peer.

      ```
      [AR] ike peer firewall v1   /* The v1 parameter indicates that IKEv1 is used for negotiation. */
      [AR-ike-peer-firewall] exchange-mode main
      [AR-ike-peer-firewall] ike-proposal 1
      [AR-ike-peer-firewall] pre-shared-key cipher Key123
      [AR-ike-peer-firewall] remote-address 1.1.3.1
      [AR-ike-peer-firewall] nat traversal
      [AR-ike-peer-firewall] quit
      ```

    - Configure an ISAKMP IPSec policy.

      ```
      [AR] ipsec policy map1 1 isakmp
      [AR-ipsec-policy-isakmp-map1-1] ike-peer firewall
      [AR-ipsec-policy-isakmp-map1-1] proposal tran1
      [AR-ipsec-policy-isakmp-map1-1] security acl 3000
      [AR-ipsec-policy-isakmp-map1-1] quit
      ```

  - Apply the IPSec policy to interface GigabitEthernet 0/0/2.

    ```
    [AR] interface GigabitEthernet 0/0/2
    [AR-GigabitEthernet0/0/2] ipsec policy map1
    [AR-GigabitEthernet0/0/2] quit
    ```
Verification
- Ping a user on the headquarters network from the branch network.
- In normal cases, the data flows from the branch to the headquarters trigger the gateways to establish an IPSec tunnel. On the HUAWEI firewall_A, check whether an IKE SA has been established. If the following information is displayed, an IKE SA has been established.

  ```
  <HUAWEI> display ike sa
  current ike sa number: 2
  ---------------------------------------------------------------------------
  conn-id    peer                flag          phase   vpn
  ---------------------------------------------------------------------------
  84094      1.1.3.2:2048        RD|A          v1:2    public
  84093      1.1.3.2:2048        RD|D|A        v1:1    public

  flag meaning
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  TD--DELETING   NEG--NEGOTIATING   D--DPD   M--ACTIVE   S--STANDBY
  ```

- Run the display ipsec sa command to check whether an IPSec SA has been established. If the following information is displayed, an IPSec SA has been established.

  ```
  <HUAWEI> display ipsec sa
  ===============================
  Interface: GigabitEthernet1/0/2
  path MTU: 1500
  ===============================

    -----------------------------
    IPSec policy name: "map1"
    sequence number: 1
    mode: isakmp
    vpn: public
    -----------------------------
      connection id: 84094
      rule number: 5
      encapsulation mode: tunnel
      holding time: 0d 0h 15m 10s
      tunnel local : 1.1.3.1
      tunnel remote: 1.1.5.1
      flow source: 10.1.1.0/255.255.255.0 0/0
      flow destination: 10.1.3.0/255.255.255.0 0/0

      [inbound ESP SAs]
        spi: 2862345400 (0xaa9becb8)
        vpn: public  said: 2528  cpuid: 0x0000
        proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
        sa remaining key duration (kilobytes/sec): 1843200/2690
        max received sequence-number: 5
        udp encapsulation used for nat traversal: Y

      [outbound ESP SAs]
        spi: 3826946600 (0xe41a9228)
        vpn: public  said: 2529  cpuid: 0x0000
        proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
        sa remaining key duration (kilobytes/sec): 1843200/2690
        max sent sequence-number: 6
        udp encapsulation used for nat traversal: Y
  ```
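The two fields that confirm the NAT traversal design in the output above are tunnel remote, which must be the NAT device's public address rather than the AR's own interface address, and udp encapsulation used for nat traversal, which must read Y in both directions (plain ESP carries no port numbers for the NAT device to translate). The following script is an added example written for this page, not Huawei code, that parses a constructed copy of the display ipsec sa output (shortened after the verification output shown above) and checks those fields together with the endpoints and the negotiated proposal; the function names are the example's own.

```python
"""Added example (not Huawei code): parse 'display ipsec sa' output and check that
the tunnel came up the way a NAT-traversal design requires. The sample output is
constructed after the verification output on this page."""
import re

SAMPLE_IPSEC_SA = """\
<HUAWEI> display ipsec sa
===============================
 Interface: GigabitEthernet1/0/2
 path MTU: 1500
===============================
  -----------------------------
  IPSec policy name: "map1"
  sequence number: 1
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 84094
    encapsulation mode: tunnel
    tunnel local : 1.1.3.1
    tunnel remote: 1.1.5.1
    flow source: 10.1.1.0/255.255.255.0 0/0
    flow destination: 10.1.3.0/255.255.255.0 0/0
    [inbound ESP SAs]
      spi: 2862345400 (0xaa9becb8)
      proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
      udp encapsulation used for nat traversal: Y
    [outbound ESP SAs]
      spi: 3826946600 (0xe41a9228)
      proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
      udp encapsulation used for nat traversal: Y
"""

EXPECTED_PROPOSAL = "ESP-ENCRYPT-AES ESP-AUTH-SHA2-256"   # from the data plan


def parse_ipsec_sa(text):
    """Return the tunnel-level fields plus one dict per ESP direction."""
    sa = {"inbound": {}, "outbound": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\[(inbound|outbound) ESP SAs\]", line)
        if m:
            section = m.group(1)   # following 'key: value' lines belong to this SA
            continue
        if ":" not in line:
            continue               # banners, separators, the command echo
        key, _, value = line.partition(":")
        (sa[section] if section else sa)[key.strip()] = value.strip()
    return sa


def verify_nat_traversal(sa, expected_local, expected_remote, expected_proposal):
    """List every deviation from the expected NAT-T tunnel; an empty list means OK."""
    problems = []
    if sa.get("encapsulation mode") != "tunnel":
        problems.append("encapsulation mode is not tunnel")
    if sa.get("tunnel local") != expected_local:
        problems.append(f"tunnel local is {sa.get('tunnel local')}, expected {expected_local}")
    # Behind NAT, the remote endpoint seen at HQ is the NAT device's public
    # address, not the branch router's own (pre-NAT) interface address.
    if sa.get("tunnel remote") != expected_remote:
        problems.append(f"tunnel remote is {sa.get('tunnel remote')}, expected {expected_remote}")
    for direction in ("inbound", "outbound"):
        esp = sa[direction]
        if "spi" not in esp:
            problems.append(f"no {direction} ESP SA")
            continue
        if esp.get("proposal") != expected_proposal:
            problems.append(f"{direction} proposal {esp.get('proposal')!r} differs from the data plan")
        # 'Y' means ESP is carried inside UDP (NAT-T). Without it, the NAT device
        # has no port numbers to translate and the ESP packets do not get through.
        if esp.get("udp encapsulation used for nat traversal") != "Y":
            problems.append(f"{direction} SA is not UDP-encapsulated; NAT traversal was not negotiated")
    return problems


if __name__ == "__main__":
    result = verify_nat_traversal(parse_ipsec_sa(SAMPLE_IPSEC_SA), "1.1.3.1", "1.1.5.1", EXPECTED_PROPOSAL)
    print(result or "IPSec SA matches the NAT traversal design")
```

On the page's output the check passes; feeding it output in which the NAT traversal flag reads N in both directions yields two findings, one per ESP SA, which is the symptom to look for when the NAT device is not detected.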
Configuration Files
HUAWEI Firewall_A Configuration Files
```
#
 sysname HUAWEI_A
#
interface GigabitEthernet 1/0/1
 ip address 10.1.1.1 24
#
interface GigabitEthernet 1/0/2
 ip address 1.1.3.1 24
 ipsec policy map1
#
firewall zone trust
 add interface GigabitEthernet 1/0/1
#
firewall zone untrust
 add interface GigabitEthernet 1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 10.1.3.0 24
  destination-address 10.1.1.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  destination-address 10.1.3.0 24
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 1.1.3.1 32
  destination-address 1.1.5.1 32
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 1.1.5.1 32
  destination-address 1.1.3.1 32
  action permit
#
acl 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 1
 encryption-algorithm aes-128
 authentication-algorithm sha2-256
 dh group2
#
ike peer ar
 undo version 2
 exchange-mode main
 ike-proposal 1
 pre-shared-key Key123
 remote-address 1.1.5.1
 remote-address authentication-address 172.16.1.2
 nat traversal
#
ipsec policy map1 1 isakmp
 ike-peer ar
 proposal tran1
 security acl 3000
#
return
```
HUAWEI Firewall_B Configuration Files
```
#
 sysname HUAWEI_B
#
interface GigabitEthernet 1/0/1
 ip address 1.1.5.1 255.255.255.0
#
interface GigabitEthernet 1/0/2
 ip address 172.16.1.1 255.255.255.0
#
firewall zone untrust
 add interface GigabitEthernet 1/0/1
#
firewall zone trust
 add interface GigabitEthernet 1/0/2
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 1.1.3.0 24
  destination-address 172.16.1.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 172.16.1.0 24
  destination-address 1.1.3.0 24
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 172.16.1.0 24
  action nat easy-ip
#
ip route-static 10.1.3.0 255.255.255.0 172.16.1.2
ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
#
return
```