No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
HUAWEI USG Series Firewalls Interoperability Configuration Guide for VPN

This document provides the guide for configuring a Huawei firewall to use VPN to communicate with a non-Huawei device.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
CLI: Example for Connecting a Mobile Office User to the Headquarters VPN Through a ShrewSoft VPN Client in IKEv1+xAuth Mode

CLI: Example for Connecting a Mobile Office User to the Headquarters VPN Through a ShrewSoft VPN Client in IKEv1+xAuth Mode

Networking Requirements

As shown in Figure 3-39, a PC connects to the enterprise headquarters over the Internet. An IPSec tunnel needs to be established between the PC and headquarters for encrypted data transmission between them. The enterprise headquarters wants to verify the identities of mobile office users to improve intranet access security.

IKEv1+xAuth can be configured on the headquarters gateway to achieve these purposes.

Figure 3-39 Connecting a mobile office user to the headquarters VPN through a ShrewSoft VPN client in IKEv1+xAuth mode

Data Plan

Item

Data

FW

Interface number: GigabitEthernet 1/0/1

IP address: 1.1.1.2/24

Security zone: Untrust

Interface number: GigabitEthernet 1/0/2

IP address: 10.1.1.1/24

Security zone: Trust

Address pool and AAA configuration

IP pool 1

Address range: 10.2.1.2 to 10.2.1.100

RADIUS server IP address: 10.1.1.5

RADIUS server authentication password: huawei@12

IPSec configuration

IPSec policy type: IPSec policy template

Security protocol: ESP

ESP authentication algorithm: SHA2-256

ESP encryption algorithm: AES-128

IKE authentication algorithm: SHA2-256

IKE encryption algorithm: AES-256

IKE negotiation mode: aggressive mode

Pre-shared key: huawei@123

Local ID type: IP

Peer ID type: any

PC

Internet address: 2.1.1.2/24

User name: huawei

User password: Hello@123

Pre-shared key: huawei@123

Configuration Roadmap

  • Complete basic configurations, including the interfaces, security policies, and routes on the FW.
  • Complete the IPSec configuration on the FW.
  • Complete the IPSec configuration on the PC. The IPSec parameters on the PC must match those on the FW.

Procedure

  1. Configure the FW.
    1. Configure IP addresses for interfaces.

      <sysname> system-view
[sysname] sysname FW
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 1.1.1.2 24
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[FW-GigabitEthernet1/0/2] quit

    2. Add interfaces to the corresponding security zones.

      1. Add GigabitEthernet 1/0/2 to the Trust zone.

        [FW] firewall zone trust 
[FW-zone-trust] add interface GigabitEthernet 1/0/2 
[FW-zone-trust] quit

      2. Add GigabitEthernet 1/0/1 to the Untrust zone.

        [FW] firewall zone untrust 
[FW-zone-untrust] add interface GigabitEthernet 1/0/1 
[FW-zone-untrust] quit

    3. Configure inter-zone security policies.

      # Configure a security policy to allow headquarters users to actively initiate access to the PC users.

      [FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone trust
[FW-policy-security-rule-policy1] destination-zone untrust
[FW-policy-security-rule-policy1] source-address 10.1.1.0 24
[FW-policy-security-rule-policy1] destination-address 10.2.1.0 24
[FW-policy-security-rule-policy1] action permit
[FW-policy-security-rule-policy1] quit

      # Configure a security policy to allow PC users to actively initiate access to the headquarters users.

      [FW-policy-security] rule name policy2
[FW-policy-security-rule-policy2] source-zone untrust
[FW-policy-security-rule-policy2] destination-zone trust
[FW-policy-security-rule-policy2] destination-address 10.1.1.0 24
[FW-policy-security-rule-policy2] action permit
[FW-policy-security-rule-policy2] quit

      # Configure security policies to allow the PC and headquarters to negotiate an IPSec tunnel.

      The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP and port 500 for UDP (port 4500 also in NAT traversal scenarios).

      [FW-policy-security] rule name policy3
[FW-policy-security-rule-policy3] source-zone local
[FW-policy-security-rule-policy3] destination-zone untrust
[FW-policy-security-rule-policy3] source-address 1.1.1.2 32
[FW-policy-security-rule-policy3] action permit
[FW-policy-security-rule-policy3] quit
      [FW-policy-security] rule name policy4
[FW-policy-security-rule-policy4] source-zone untrust
[FW-policy-security-rule-policy4] destination-zone local
[FW-policy-security-rule-policy4] destination-address 1.1.1.2 32
[FW-policy-security-rule-policy4] action permit
[FW-policy-security-rule-policy4] quit
[FW-policy-security] quit

    4. Configure the pubic and private routes from the FW to the PC.

      [FW] ip route-static 2.1.1.0 255.255.255.0 1.1.1.1
[FW] ip route-static 10.2.1.0 255.255.255.0 1.1.1.1

    5. Configure a service scheme.

      1. Configure an IP address pool.

        [FW] ip pool pool1
[FW-ip-pool-pool1] network 10.2.1.0 mask 255.255.255.0
[FW-ip-pool-pool1] section 1 10.2.1.2 10.2.1.100
[FW-ip-pool-pool1] quit

      2. Configure a RADIUS server template.

        [FW] radius-server template temp1
[FW-radius-temp1] radius-server authentication 10.1.1.5 1812 weight 80
[FW-radius-temp1] radius-server shared-key cipher huawei@12
[FW-radius-temp1] undo radius-server user-name domain-included
[FW-radius-temp1] quit

      3. Configure a service scheme for access users.

        [FW] aaa
[FW-aaa] authentication-scheme xauth
[FW-aaa-authen-xauth] authentication-mode radius
[FW-aaa-authen-xauth] quit
[FW-aaa] service-scheme serv1
[FW-aaa-service-serv1] ip-pool pool1
[FW-aaa-service-serv1] quit
[FW-aaa] domain xauth
[FW-aaa-domain-xauth] radius-server temp1
[FW-aaa-domain-xauth] authentication-scheme xauth
[FW-aaa-domain-xauth] service-type internetaccess ike
[FW-aaa-domain-xauth] service-scheme serv1
[FW-aaa-domain-xauth] new-user add-temporary group /xauth
[FW-aaa-domain-xauth] quit
[FW-aaa] quit

    6. Configure IPSec.

      1. Configure the data flow to be protected by the IPSec tunnel.
        [FW] acl 3001
[FW-acl-adv-3001] rule 5 permit ip destination 10.2.1.0 0.0.0.255
[FW-acl-adv-3001] quit
      2. Configure an IPSec proposal tran1.
        [FW] ipsec proposal tran1
[FW-ipsec-proposal-tran1] encapsulation-mode tunnel
[FW-ipsec-proposal-tran1] transform esp
[FW-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[FW-ipsec-proposal-tran1] quit

      3. Configure an IKE proposal.

        [FW] ike proposal 1
[FW-ike-proposal-1] authentication-method pre-share
[FW-ike-proposal-1] encryption-algorithm aes-256
[FW-ike-proposal-1] authentication-algorithm sha2-256
[FW-ike-proposal-1] dh group5
[FW-ike-proposal-1] quit

      4. Configure an IKE peer.

        [FW] ike peer peer1
[FW-ike-peer-peer1] undo version 2
[FW-ike-peer-peer1] ike-proposal 1
[FW-ike-peer-peer1] exchange-mode aggressive
[FW-ike-peer-peer1] pre-shared-key huawei@123
[FW-ike-peer-peer1] xauth enable
[FW-ike-peer-peer1] xauth type chap
[FW-ike-peer-peer1] quit

      5. Configure an IPSec policy in template mode.

        [FW] ipsec policy-template policy_temp 1 
[FW-ipsec-policy-templet-policy_temp-1] security acl 3001 
[FW-ipsec-policy-templet-policy_temp-1] proposal tran1 
[FW-ipsec-policy-templet-policy_temp-1] ike-peer peer1 
[FW-ipsec-policy-templet-policy_temp-1] quit
[FW] ipsec policy policy 10 isakmp template policy_temp

      6. Apply the IPSec policy to GigabitEthernet 1/0/1.

        [FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ipsec policy policy
[FW-GigabitEthernet1/0/1] quit

  2. Configure the ShrewSoft VPN client on the PC.
    1. Open the ShrewSoft VPN client (VPN Access Manager) and click Add.



    2. On the General tab, configure the public network interface address of the peer, select Obtain Automatically, and retain the default values for the other options.



    3. On the Client tab, retain the default values for all options.



    4. On the Name Resolution tab, retain the default values for all options.



    5. On the Authentication tab, set Authentication Method to Mutual PSK + XAuth.

      • On the Local Identity tab, set Identification Type to IP Address and retain the default values for all the other options.
      • On the Remote Identity tab, retain the default values for all options.
      • On the Credentials tab, set Pre Shared Key to huawei@123 and retain the default values for all the other options.



    6. On the Phase 1 tab, set parameters for phase 1 IKE SA negotiation.



    7. On the Phase 2 tab, set parameters for phase 2 IPSec SA negotiation.



    8. On the Policy tab, retain the default values for all options.



    9. Click Save and change the name to IPSec.



  3. Verify the configuration.
    1. Open VPN Access Manager, select IPSec, and click Connect.

      Enter the user name and password and click Connect.



      After successful connection, you can find that the PC is allocated an IP address in the 10.2.1.2/24 to 10.2.1.100/24 segment, and it can normally access the headquarters gateway.

    2. Run the display ike sa command on the FW. The command output shows that an IPSec tunnel is established successfully.

      <FW> display ike sa
IKE SA information :
 Conn-ID    Peer          VPN     Flag(s)   Phase   RemoteType  RemoteID
 -----------------------------------------------------------------------------   
 400236    2.1.1.2:500            RD|A      v1:2    IP          2.1.1.2
 400235    2.1.1.2:500            RD|A      v1:1    IP          2.1.1.2
 
 Number of IKE SA : 2                                 
-----------------------------------------------------------------------------   

  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

Configuration Script

#
 sysname FW
#
radius-server template temp1
 radius-server shared-key cipher huawei@12
 radius-server authentication 10.1.1.5 1812 weight 80
 undo radius-server user-name domain-included
 radius-server group-filter class
#
acl number 3001
 rule 5 permit ip destination 10.2.1.0 0.0.0.255
# 
ipsec proposal tran1 
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 1 
 encryption-algorithm aes-256
 dh group5
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256 
#
ike peer peer1 
 xauth type chap
 undo version 2
 exchange-mode aggressive
 pre-shared-key huawei@123
 ike-proposal 1
 xauth enable
# 
ipsec policy-template policy_temp 1 
 security acl 3001                                                              
 ike-peer peer1                                                                 
 proposal tran1                                                                 
#  
ipsec policy policy 10 isakmp template policy_temp
#
ip pool pool1
 network 10.2.1.0 mask 255.255.255.0
 section 1 10.2.1.2 10.2.1.100
# 
aaa
 authentication-scheme xauth
  authentication-mode radius
 service-scheme serv1
  ip-pool pool1
 domain xauth
  authentication-scheme xauth
  service-scheme serv1 
  radius-server temp1
  service-type internetaccess ike
  internet-access mode password
  reference user current-domain
  new-user add-temporary group /xauth
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.2 255.255.255.0
 ipsec policy policy
#
interface GigabitEthernet1/0/2 
 undo shutdown
 ip address 10.1.1.1 255.255.255.0      
#                                                                                   
firewall zone trust                                                             
 set priority 85
 add interface GigabitEthernet1/0/2 
#                                                                               
firewall zone untrust                                                           
 set priority 5
 add interface GigabitEthernet1/0/1 
#                                                                               
 ip route-static 2.1.1.0 255.255.255.0 1.1.1.1
 ip route-static 10.2.1.0 255.255.255.0 1.1.1.1
#
security-policy 
 rule name policy1
  source-zone trust
  destination-zone untrust 
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.2.1.0 mask 255.255.255.0 
  action permit                                                                 
 rule name policy2                                                              
  source-zone untrust                                                           
  destination-zone trust                                                        
  destination-address 10.1.1.0 mask 255.255.255.0                               
  action permit                                                                 
 rule name policy3                                                              
  source-zone local                                                             
  destination-zone untrust                                                      
  source-address 1.1.1.2 mask 255.255.255.255                                   
  action permit                                                                 
 rule name policy4                                                              
  source-zone untrust                                                           
  destination-zone local                                                        
  destination-address 1.1.1.2 mask 255.255.255.255                              
  action permit  
#
return
Translation
简体中文
Download
Updated: 2023-09-12

Document ID: EDOC1000154805

Views: 266541

Downloads: 5055

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :