Establishing GRE over IPSec Tunnels Between HUAWEI Firewalls and H3C Firewalls
Networking Requirements
As shown in Figure 1, the HUAWEI firewall and the H3C firewall function as the enterprise gateways of the HQ and the branch respectively and connect them to the Internet. The HQ and branch must be able to access each other securely, and multicast data must be transmitted between them (for example, the multicast packets exchanged by a dynamic routing protocol when the enterprise network has dynamic routing deployed). An IPSec tunnel cannot carry multicast data, but a GRE tunnel can. To meet these requirements, a GRE over IPSec tunnel must be established between the HUAWEI and H3C firewalls. In this scenario, either end can initiate the negotiation that establishes the GRE over IPSec tunnel.
Data Plan
| Configuration Item | Parameter | HUAWEI Firewall | H3C Firewall |
|---|---|---|---|
| IKE SA | Negotiation mode | Main mode | Main mode |
| | Encryption algorithm | 3des | 3des |
| | Authentication algorithm | sha1 | sha1 |
| | Pre-shared key | Key@123 | Key@123 |
| | Identity type | IP address of the peer | IP address of the peer |
| | IKE version | V1 | V1 |
| | DH | Group2 | Group2 |
| IPSec SA | Encapsulation mode | Tunnel mode | Tunnel mode |
| | Security protocol | ESP | ESP |
| | Encryption algorithm | 3des | 3des |
| | Authentication algorithm | sha1 | sha1 |
| GRE interface information | IP address | Configurable; not in conflict with other IP addresses | Configurable; not in conflict with other IP addresses |
| | Source address | Local address | Local address |
| | Destination address | IP address of the peer | IP address of the peer |
Configuration Roadmap
- Configure the HUAWEI firewall:
  - Set IP addresses for interfaces and assign the interfaces to security zones.
  - Configure a GRE interface and assign it to a security zone.
  - Configure interzone security policies to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the HUAWEI firewall.
  - Configure a static route to the branch intranet and the default route from the HUAWEI firewall to the Internet.
  - Configure an IPSec policy, including defining the data flow to be protected, configuring an IPSec proposal, creating an IKE proposal, and configuring an IKE peer.
  - Apply the IPSec policy to an interface.
- Configure the H3C firewall:
  - Set interface IP addresses and assign the interfaces to security zones.
  - Configure a GRE interface and assign it to a security zone.
  - Configure interzone security policies to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the H3C firewall.
  - Configure a static route to the HQ intranet and the default route from the H3C firewall to the Internet.
  - Configure an IPSec policy, including defining the data flow to be protected, configuring an IKE proposal, configuring a keychain, configuring a profile, and configuring an IPSec proposal.
  - Apply the IPSec policy to an interface.
Configuration Precautions
The configuration of GRE over IPSec is similar to configuring GRE and IPSec separately. The only difference lies in the ACL that defines the data flow to be protected: its source and destination addresses must not be the private addresses of the HQ and branch; they must be the source and destination addresses of the GRE tunnel. If the source and destination addresses in the outer header of a GRE-encapsulated packet match the ACL, the packet is encapsulated using IPSec.
Configuration Procedure
- Configure the HUAWEI firewall.
  - Set IP addresses for interfaces and assign the interfaces to security zones.
    - Configure GE1/0/9 and assign it to the Untrust zone.

        [HUAWEI] interface GigabitEthernet 1/0/9
        [HUAWEI-GigabitEthernet1/0/9] ip address 1.1.1.1 24
        [HUAWEI-GigabitEthernet1/0/9] quit
        [HUAWEI] firewall zone untrust
        [HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/9
        [HUAWEI-zone-untrust] quit

    - Configure GE1/0/5 and assign it to the Trust zone.

        [HUAWEI] interface GigabitEthernet 1/0/5
        [HUAWEI-GigabitEthernet1/0/5] ip address 192.168.10.1 24
        [HUAWEI-GigabitEthernet1/0/5] quit
        [HUAWEI] firewall zone trust
        [HUAWEI-zone-trust] add interface GigabitEthernet 1/0/5
        [HUAWEI-zone-trust] quit

    - Configure a GRE interface and assign it to the Untrust zone.

        [HUAWEI] interface Tunnel 1
        [HUAWEI-Tunnel1] tunnel-protocol gre
        [HUAWEI-Tunnel1] ip address 10.1.1.1 255.255.255.0
        [HUAWEI-Tunnel1] source 1.1.1.1
        [HUAWEI-Tunnel1] destination 2.2.2.2
        [HUAWEI-Tunnel1] quit
        [HUAWEI] firewall zone untrust
        [HUAWEI-zone-untrust] add interface Tunnel 1
        [HUAWEI-zone-untrust] quit
      When you configure the GRE interface, set source to 1.1.1.1 and destination to 2.2.2.2. These are the public IP addresses of the outbound interfaces of the enterprise gateways at both ends, and they are the addresses used for GRE encapsulation; they are consistent with the source and destination addresses in the IPSec packet header. You can also encapsulate the GRE packet header with a private IP address. In that case, create a loopback interface, assign a private IP address to it, and borrow that address for GRE encapsulation.
  - Configure security policies.
    - Configure Untrust-Trust interzone security policies.

      Configure policy 1 so that the branch can access the HQ and policy 2 so that the HQ can access the branch.

        [HUAWEI] security-policy
        [HUAWEI-policy-security] rule name 1
        [HUAWEI-policy-security-rule-1] source-zone untrust
        [HUAWEI-policy-security-rule-1] destination-zone trust
        [HUAWEI-policy-security-rule-1] source-address 192.168.0.0 24
        [HUAWEI-policy-security-rule-1] destination-address 192.168.10.0 24
        [HUAWEI-policy-security-rule-1] action permit
        [HUAWEI-policy-security-rule-1] quit
        [HUAWEI-policy-security] rule name 2
        [HUAWEI-policy-security-rule-2] source-zone trust
        [HUAWEI-policy-security-rule-2] destination-zone untrust
        [HUAWEI-policy-security-rule-2] source-address 192.168.10.0 24
        [HUAWEI-policy-security-rule-2] destination-address 192.168.0.0 24
        [HUAWEI-policy-security-rule-2] action permit
        [HUAWEI-policy-security-rule-2] quit

    - Configure Local-Untrust interzone security policies.

      Configure policy 3 so that the HUAWEI firewall can initiate a tunnel establishment request and policy 4 so that it can receive one. The source and destination addresses are the public addresses of the outbound interfaces at both ends.

        [HUAWEI-policy-security] rule name 3
        [HUAWEI-policy-security-rule-3] source-zone local
        [HUAWEI-policy-security-rule-3] destination-zone untrust
        [HUAWEI-policy-security-rule-3] source-address 1.1.1.1 24
        [HUAWEI-policy-security-rule-3] destination-address 2.2.2.2 24
        [HUAWEI-policy-security-rule-3] action permit
        [HUAWEI-policy-security-rule-3] quit
        [HUAWEI-policy-security] rule name 4
        [HUAWEI-policy-security-rule-4] source-zone untrust
        [HUAWEI-policy-security-rule-4] destination-zone local
        [HUAWEI-policy-security-rule-4] source-address 2.2.2.2 24
        [HUAWEI-policy-security-rule-4] destination-address 1.1.1.1 24
        [HUAWEI-policy-security-rule-4] action permit
        [HUAWEI-policy-security-rule-4] quit
  - Configure routes.
    - Configure a static route to the branch to divert the traffic to the GRE interface.

        [HUAWEI] ip route-static 192.168.0.0 255.255.255.0 tunnel 1

    - Configure a default route to the Internet. In this example, the next-hop IP address is 1.1.1.2.

        [HUAWEI] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
  - Configure an ACL and define the source and destination addresses after GRE encapsulation.

    Perform IPSec encapsulation for GRE-encapsulated packets with source address 1.1.1.1 and destination address 2.2.2.2.

        [HUAWEI] acl 3000
        [HUAWEI-acl-adv-3000] rule permit ip source 1.1.1.1 0 destination 2.2.2.2 0
        [HUAWEI-acl-adv-3000] quit
    - In a GRE over IPSec scenario where a route diverts traffic to the GRE interface, IPSec encapsulation must be performed on the GRE-encapsulated packets with source address 1.1.1.1 and destination address 2.2.2.2.
    - Before the HUAWEI firewall initiates a negotiation request, it looks up the route to find the outbound interface and determine whether the traffic goes through the GRE tunnel, checks security policy 2 to determine whether the traffic is permitted, and checks security policy 3 to determine whether it may initiate the GRE and IPSec tunnel negotiation. Only when all three checks pass does the HUAWEI firewall initiate the negotiation.
    - When the HUAWEI firewall receives a negotiation request, it matches the GRE tunnel with the peer based on the ACL and checks security policy 4 to decide whether to accept the negotiation. If yes, the HUAWEI firewall starts negotiating with the peer; if no, it discards the negotiation packet.
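As an added illustration of the precaution about the ACL and of the three checks listed above (this is constructed example code, not firewall code from this page or from Huawei), the following Python model walks a packet from PC1 through the HQ gateway's route lookup, security policy 2, GRE encapsulation and ACL 3000, with the ACL as configured on this page beside the mistaken private-subnet ACL. The host addresses 192.168.10.5, 192.168.0.7 and 203.0.113.9 are assumed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the HUAWEI egress pipeline this page describes:
# route lookup -> interzone security policy -> GRE encapsulation -> IPSec ACL.
# It is not firewall code; it shows why "security acl 3000" must match the
# GRE outer header (1.1.1.1 -> 2.2.2.2) rather than the private subnets.

def in_net(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

@dataclass
class Packet:
    src: str
    dst: str
    inner: tuple = None      # (src, dst) of the GRE payload once encapsulated

@dataclass
class Gateway:
    routes: dict             # prefix -> outbound interface (longest match wins)
    zones: dict              # interface -> security zone
    policies: list           # (rule, src_zone, dst_zone, src_prefix, dst_prefix)
    gre: dict                # tunnel interface -> (source, destination)
    ipsec_acl: list          # (src_prefix, dst_prefix) pairs of the IPSec ACL

    def route(self, dst):
        hits = [(ipaddress.ip_network(p).prefixlen, i)
                for p, i in self.routes.items() if in_net(dst, p)]
        return max(hits)[1] if hits else None

    def policy(self, pkt, src_zone, dst_zone):
        for rule, sz, dz, sp, dp in self.policies:
            if (sz, dz) == (src_zone, dst_zone) and in_net(pkt.src, sp) and in_net(pkt.dst, dp):
                return rule
        return None

    def forward(self, pkt, src_zone="trust"):
        iface = self.route(pkt.dst)
        if iface is None:
            return "dropped: no route"
        if self.policy(pkt, src_zone, self.zones[iface]) is None:
            return "dropped: no security policy"
        if iface in self.gre:                 # the route points at Tunnel 1
            src, dst = self.gre[iface]
            pkt = Packet(src, dst, inner=(pkt.src, pkt.dst))
            iface = self.route(dst)           # outer header follows the default route
        if any(in_net(pkt.src, sp) and in_net(pkt.dst, dp) for sp, dp in self.ipsec_acl):
            return f"esp tunnel via {iface}: {pkt.src}->{pkt.dst} gre{pkt.inner}"
        return f"plaintext via {iface}: {pkt.src}->{pkt.dst} gre{pkt.inner}"

def huawei_hq(acl):
    """HQ gateway built from this page's data plan; only the IPSec ACL varies."""
    return Gateway(
        routes={"192.168.0.0/24": "Tunnel1", "0.0.0.0/0": "GigabitEthernet1/0/9"},
        zones={"Tunnel1": "untrust", "GigabitEthernet1/0/9": "untrust",
               "GigabitEthernet1/0/5": "trust"},
        policies=[("1", "untrust", "trust", "192.168.0.0/24", "192.168.10.0/24"),
                  ("2", "trust", "untrust", "192.168.10.0/24", "192.168.0.0/24")],
        gre={"Tunnel1": ("1.1.1.1", "2.2.2.2")},
        ipsec_acl=acl)

# ACL 3000 as configured on the page: match the GRE outer addresses.
CORRECT_ACL = [("1.1.1.1/32", "2.2.2.2/32")]
# The mistake the precautions warn about: matching the private subnets, which
# never appear in the outer header, so the GRE packet leaves unencrypted.
WRONG_ACL = [("192.168.10.0/24", "192.168.0.0/24")]

if __name__ == "__main__":
    pc1_to_pc2 = Packet("192.168.10.5", "192.168.0.7")   # constructed hosts
    print(huawei_hq(CORRECT_ACL).forward(pc1_to_pc2))
    print(huawei_hq(WRONG_ACL).forward(pc1_to_pc2))
```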
  - Configure an IKE SA.
    - Configure an IKE proposal and specify the encryption algorithm, authentication algorithm, and DH group. In this example, IKEv1 is used, and the integrity algorithm does not need to be configured.

        [HUAWEI] ike proposal 1
        [HUAWEI-ike-proposal-1] encryption-algorithm 3des
        [HUAWEI-ike-proposal-1] authentication-algorithm sha1
        [HUAWEI-ike-proposal-1] dh group2
        [HUAWEI-ike-proposal-1] quit

    - Configure an IKE peer and specify the negotiation mode, IKE version, pre-shared key, and peer IP address.

        [HUAWEI] ike peer h3c
        [HUAWEI-ike-peer-h3c] exchange-mode main
        [HUAWEI-ike-peer-h3c] undo version 2
        [HUAWEI-ike-peer-h3c] ike-proposal 1
        [HUAWEI-ike-peer-h3c] pre-shared-key Key@123
        [HUAWEI-ike-peer-h3c] remote-address 2.2.2.2
        [HUAWEI-ike-peer-h3c] quit
  - Configure an IPSec proposal and specify the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm.

        [HUAWEI] ipsec proposal tran1
        [HUAWEI-ipsec-proposal-tran1] transform esp
        [HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
        [HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm 3des
        [HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1
        [HUAWEI-ipsec-proposal-tran1] quit

  - Configure an ISAKMP IPSec policy and associate it with the IKE peer, IPSec proposal, and ACL.

        [HUAWEI] ipsec policy map1 1 isakmp
        [HUAWEI-ipsec-policy-isakmp-map1-1] ike-peer h3c
        [HUAWEI-ipsec-policy-isakmp-map1-1] proposal tran1
        [HUAWEI-ipsec-policy-isakmp-map1-1] security acl 3000
        [HUAWEI-ipsec-policy-isakmp-map1-1] quit

  - Apply the IPSec policy to an interface.

        [HUAWEI] interface GigabitEthernet 1/0/9
        [HUAWEI-GigabitEthernet1/0/9] ipsec policy map1
        [HUAWEI-GigabitEthernet1/0/9] quit
- Configure the H3C firewall.
  - Set IP addresses for interfaces and assign the interfaces to security zones.
    - Configure GE2/0/10 and assign it to the Untrust zone.

        [H3C] interface Ten-GigabitEthernet2/0/10
        [H3C-Ten-GigabitEthernet2/0/10] port link-mode route
        [H3C-Ten-GigabitEthernet2/0/10] ip address 2.2.2.2 255.255.255.0
        [H3C-Ten-GigabitEthernet2/0/10] quit
        [H3C] security-zone name Untrust
        [H3C-security-zone-Untrust] import interface Ten-GigabitEthernet 2/0/10
        [H3C-security-zone-Untrust] quit

    - Configure GE2/0/9 and assign it to the Trust zone.

        [H3C] interface Ten-GigabitEthernet2/0/9
        [H3C-Ten-GigabitEthernet2/0/9] ip address 192.168.0.1 24
        [H3C-Ten-GigabitEthernet2/0/9] quit
        [H3C] security-zone name Trust
        [H3C-security-zone-Trust] import interface Ten-GigabitEthernet 2/0/9
        [H3C-security-zone-Trust] quit

    - Configure a GRE interface and assign it to the Untrust zone.

        [H3C] interface Tunnel 1 mode gre
        [H3C-Tunnel1] ip address 10.1.1.2 255.255.255.0
        [H3C-Tunnel1] source 2.2.2.2
        [H3C-Tunnel1] destination 1.1.1.1
        [H3C-Tunnel1] quit
        [H3C] security-zone name Untrust
        [H3C-security-zone-Untrust] import interface Tunnel 1
        [H3C-security-zone-Untrust] quit
  - Configure security policies.
    - Configure two object groups, one for the HQ network and one for the branch network.

        [H3C] object-group ip address trust1
        [H3C-obj-grp-ip-trust1] network subnet 192.168.0.0 24
        [H3C-obj-grp-ip-trust1] quit
        [H3C] object-group ip address untrust1
        [H3C-obj-grp-ip-untrust1] network subnet 192.168.10.0 24
        [H3C-obj-grp-ip-untrust1] quit

    - Configure object policies.

        [H3C] object-policy ip trust-untrust
        [H3C-object-policy-ip-trust-untrust] rule pass source-ip trust1 destination-ip untrust1
        [H3C-object-policy-ip-trust-untrust] quit
        [H3C] object-policy ip untrust-trust
        [H3C-object-policy-ip-untrust-trust] rule pass source-ip untrust1 destination-ip trust1
        [H3C-object-policy-ip-untrust-trust] quit

    - Configure Untrust-Trust interzone security policies so that the HQ and branch can communicate with each other.

        [H3C] zone-pair security source trust destination untrust
        [H3C-zone-pair-security-Trust-Untrust] object-policy apply ip trust-untrust
        [H3C-zone-pair-security-Trust-Untrust] quit
        [H3C] zone-pair security source untrust destination trust
        [H3C-zone-pair-security-Untrust-Trust] object-policy apply ip untrust-trust
        [H3C-zone-pair-security-Untrust-Trust] quit

    - Configure an ACL for the Local-Untrust interzone security policies.

        [H3C] acl advanced 3999
        [H3C-acl-ipv4-adv-3999] rule 0 permit ip
        [H3C-acl-ipv4-adv-3999] quit

    - Configure Local-Untrust interzone security policies.

        [H3C] zone-pair security source untrust destination local
        [H3C-zone-pair-security-Untrust-Local] packet-filter 3999
        [H3C-zone-pair-security-Untrust-Local] quit
        [H3C] zone-pair security source local destination untrust
        [H3C-zone-pair-security-Local-Untrust] packet-filter 3999
        [H3C-zone-pair-security-Local-Untrust] quit
      Untrust-Trust and Local-Untrust interzone security policies are also required on the H3C firewall. Their functions are the same as on the HUAWEI firewall, but the configuration method differs: before configuring the Untrust-Trust interzone security policies, you must configure an object group and an object policy, and the Local-Untrust interzone security policies are configured by referencing an ACL.
  - Configure routes.
    - Configure a static route to the HQ to divert the traffic to the GRE interface.

        [H3C] ip route-static 192.168.10.0 255.255.255.0 Tunnel 1

    - Configure a default route to the Internet. In this example, the next-hop IP address is 2.2.2.3.

        [H3C] ip route-static 0.0.0.0 0.0.0.0 2.2.2.3
  - Create an ACL to define the traffic to be protected.

    Perform IPSec encapsulation for GRE-encapsulated packets with source address 2.2.2.2 and destination address 1.1.1.1 (the outer GRE addresses as seen from the H3C firewall).

        [H3C] acl advanced 3000
        [H3C-acl-ipv4-adv-3000] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
        [H3C-acl-ipv4-adv-3000] quit
  - Configure an IKE proposal.

    Specify the encryption algorithm, authentication algorithm, DH group, and authentication method. The values must be the same as those configured on the HUAWEI firewall. For the authentication algorithm, set the parameter to sha; on the H3C firewall, sha is equivalent to sha1.

        [H3C] ike proposal 1
        [H3C-ike-proposal-1] encryption-algorithm 3des
        [H3C-ike-proposal-1] authentication-method pre-share
        [H3C-ike-proposal-1] authentication-algorithm sha
        [H3C-ike-proposal-1] dh group2
        [H3C-ike-proposal-1] quit

  - Configure the keychain.

        [H3C] ike keychain keychain1
        [H3C-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple Key@123
        [H3C-ike-keychain-keychain1] quit

    - The keychain holds the pre-shared key used by both ends. The peer IP address or host name must be specified when configuring it.
    - A keychain can hold multiple peers and their pre-shared keys. Each peer uses a unique pre-shared key.
  - Configure a profile.

        [H3C] ike profile profile1
        [H3C-ike-profile-profile1] keychain keychain1
        [H3C-ike-profile-profile1] proposal 1
        [H3C-ike-profile-profile1] exchange-mode main
        [H3C-ike-profile-profile1] local-identity address 2.2.2.2
        [H3C-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
        [H3C-ike-profile-profile1] match local address Ten-GigabitEthernet2/0/10
        [H3C-ike-profile-profile1] quit

    - Configuring a profile is equivalent to configuring an IKE peer on the HUAWEI firewall; the profile references keychain1 and the IKE proposal.
    - When IKEv1 is used, the match local address Ten-GigabitEthernet2/0/10 command specifies the scope in which the profile applies. This command is required; otherwise, the negotiation fails.
    - If IKEv2 is used, run the ikev2 proposal, ikev2 keychain, and ikev2 profile commands in sequence to configure the IKE proposal, keychain, and profile.
    - The match remote identity address 1.1.1.1 255.255.255.0 command specifies the peer identity. When the peer identity matches the rule configured in the IKE profile, the H3C firewall uses the information in that IKE profile to authenticate the peer.
  - Configure an IPSec proposal.

    Specify the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm. The values must be the same as those configured on the HUAWEI firewall.

        [H3C] ipsec transform-set tran1
        [H3C-ipsec-transform-set-tran1] encapsulation-mode tunnel
        [H3C-ipsec-transform-set-tran1] protocol esp
        [H3C-ipsec-transform-set-tran1] esp encryption-algorithm 3des
        [H3C-ipsec-transform-set-tran1] esp authentication-algorithm sha1
        [H3C-ipsec-transform-set-tran1] quit

  - Configure an IPSec policy.

        [H3C] ipsec policy map1 1 isakmp
        [H3C-ipsec-policy-isakmp-map1-1] remote-address 1.1.1.1
        [H3C-ipsec-policy-isakmp-map1-1] local-address 2.2.2.2
        [H3C-ipsec-policy-isakmp-map1-1] security acl 3000
        [H3C-ipsec-policy-isakmp-map1-1] transform-set tran1
        [H3C-ipsec-policy-isakmp-map1-1] ike-profile profile1
        [H3C-ipsec-policy-isakmp-map1-1] quit

  - Apply the IPSec policy to an interface.

        [H3C] interface Ten-GigabitEthernet2/0/10
        [H3C-Ten-GigabitEthernet2/0/10] ipsec apply policy map1
        [H3C-Ten-GigabitEthernet2/0/10] quit
Verification
- Check whether the HQ can proactively initiate an IPSec tunnel with the branch.
  - Ping PC2 on the branch network from PC1 at the HQ.
  - On the HUAWEI firewall at the HQ, run the display ike sa command. If the following information is displayed, the IKE SA has been established successfully.

        <HUAWEI> display ike sa
        current ike sa number: 2
        -----------------------------------------------------------------------------
        conn-id    peer            flag          phase   vpn
        -----------------------------------------------------------------------------
        893        2.2.2.2         RD|ST|A       v1:2    public
        892        2.2.2.2         RD|ST|A       v1:1    public

        flag meaning
        RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT  TD--DELETING
        NEG--NEGOTIATING  D--DPD  M--ACTIVE  S--STANDBY  A--ALONE

  - On the HUAWEI firewall at the HQ, run the display ipsec sa command. If the following information is displayed, the IPSec SA has been established successfully.

        <HUAWEI> display ipsec sa
        ===============================
        Interface: GigabitEthernet1/0/9
        path MTU: 1500
        ===============================

          -----------------------------
          IPSec policy name: "map1"
          sequence number: 1
          mode: isakmp
          vpn: public
          -----------------------------
            connection id: 893
            rule number: 10
            encapsulation mode: tunnel
            holding time: 0d 0h 0m 11s
            tunnel local : 1.1.1.1    tunnel remote: 2.2.2.2
            flow source: 1.1.1.1/255.255.255.255 0/0
            flow destination: 2.2.2.2/255.255.255.255 0/0

            [inbound ESP SAs]
              spi: 2795445812 (0xa69f1e34)
              vpn: public  said: 140  cpuid: 0x0000
              proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
              sa remaining key duration (kilobytes/sec): 1843200/3589
              max received sequence-number: 4
              udp encapsulation used for nat traversal: N

            [outbound ESP SAs]
              spi: 4159233441 (0xf7e8dda1)
              vpn: public  said: 141  cpuid: 0x0000
              proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
              sa remaining key duration (kilobytes/sec): 1843200/3589
              max sent sequence-number: 5
              udp encapsulation used for nat traversal: N

  - Log in to the branch H3C firewall and run the display ike sa command to check the IKE SA. If the following information is displayed, the IKE SA has been established successfully.

        [H3C] display ike sa
        Connection-ID   Remote                Flag         DOI
        ------------------------------------------------------------------
        798             1.1.1.1               RD           IPSec
        Flags:
        RD--READY RL--REPLACED FD-FADING RK-REKEY

  - Log in to the branch H3C firewall and run the display ipsec sa command to check the IPSec SA. If the following information is displayed, the IPSec SA has been established successfully.

        [H3C] display ipsec sa
        -------------------------------
        Interface: Ten-GigabitEthernet2/0/10
        -------------------------------

          -----------------------------
          IPSec policy: map1
          Sequence number: 1
          Mode: ISAKMP
          Flow table status: Active
          -----------------------------
            Tunnel id: 0
            Encapsulation mode: tunnel
            Perfect Forward Secrecy:
            Inside VPN:
            Extended Sequence Numbers enable: N
            Traffic Flow Confidentiality enable: N
            Path MTU: 1444
            Tunnel:
                local  address: 2.2.2.2
                remote address: 1.1.1.1
            Flow:
                sour addr: 2.2.2.2/255.255.255.255  port: 0  protocol: ip
                dest addr: 1.1.1.1/255.255.255.255  port: 0  protocol: ip

            [Inbound ESP SAs]
              SPI: 1520732532 (0x5aa48974)
              Connection ID: 390842023937
              Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
              SA duration (kilobytes/sec): 1843200/3600
              SA remaining duration (kilobytes/sec): 1843200/3427
              Max received sequence-number: 0
              Anti-replay check enable: Y
              Anti-replay window size: 64
              UDP encapsulation used for NAT traversal: N
              Status: Active

            [Outbound ESP SAs]
              SPI: 2987702618 (0xb214b95a)
              Connection ID: 390842023936
              Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
              SA duration (kilobytes/sec): 1843200/3600
              SA remaining duration (kilobytes/sec): 1843199/3427
              Max sent sequence-number: 4
              UDP encapsulation used for NAT traversal: N
              Status: Active
- Check whether the branch can proactively initiate an IPSec tunnel with the HQ.
  - On the HUAWEI firewall at the HQ, run the reset ike sa command to tear down the IPSec tunnel.
  - Ping PC1 at the HQ from PC2 at the branch and use the preceding method to check whether the IPSec tunnel is established successfully.
Configuration Files
    #
     sysname HUAWEI
    #
    interface GigabitEthernet 1/0/9
     ip address 1.1.1.1 24
     ipsec policy map1
    #
    interface GigabitEthernet 1/0/5
     ip address 192.168.10.1 24
    #
    interface Tunnel 1
     tunnel-protocol gre
     ip address 10.1.1.1 255.255.255.0
     source 1.1.1.1
     destination 2.2.2.2
    #
    firewall zone untrust
     add interface GigabitEthernet 1/0/9
     add interface Tunnel 1
    #
    firewall zone trust
     add interface GigabitEthernet 1/0/5
    #
    security-policy
     rule name 1
      source-zone untrust
      destination-zone trust
      source-address 192.168.0.0 24
      destination-address 192.168.10.0 24
      action permit
     rule name 2
      source-zone trust
      destination-zone untrust
      source-address 192.168.10.0 24
      destination-address 192.168.0.0 24
      action permit
     rule name 3
      source-zone local
      destination-zone untrust
      source-address 1.1.1.1 24
      destination-address 2.2.2.2 24
      action permit
     rule name 4
      source-zone untrust
      destination-zone local
      source-address 2.2.2.2 24
      destination-address 1.1.1.1 24
      action permit
    #
    ip route-static 192.168.0.0 255.255.255.0 tunnel 1
    ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
    #
    acl 3000
     rule permit ip source 1.1.1.1 0 destination 2.2.2.2 0
    #
    ike proposal 1
     encryption-algorithm 3des
     authentication-algorithm sha1
     dh group2
    #
    ike peer h3c
     exchange-mode main
     undo version 2
     ike-proposal 1
     pre-shared-key Key@123
     remote-address 2.2.2.2
    #
    ipsec proposal tran1
     transform esp
     encapsulation-mode tunnel
     esp encryption-algorithm 3des
     esp authentication-algorithm sha1
    #
    ipsec policy map1 1 isakmp
     ike-peer h3c
     proposal tran1
     security acl 3000
    #
    return