Establishing IPSec Tunnels in Virtual Tunnel Interface Mode Between HUAWEI Firewalls and HUAWEI AR Routers
About This Section
Networking Requirements
In Figure 2-25, the HUAWEI AR router is an enterprise branch gateway, and the HUAWEI firewall is an enterprise headquarters gateway. Both the branch gateway and headquarters gateway use fixed IP addresses to access the Internet.
To ensure secure communication between the branch and headquarters, the enterprise needs to establish an IPSec tunnel between the HUAWEI AR router and HUAWEI firewall. In addition, all the traffic transmitted through the IPSec tunnel needs to be directed to tunnel interfaces for traffic management.
Data Plan
| Item | Parameter | HUAWEI AR Router | HUAWEI Firewall |
|---|---|---|---|
| IPSec proposal | Encapsulation mode | Tunnel mode | Tunnel mode |
| | Security protocol | ESP | ESP |
| | ESP authentication algorithm | SHA2-256 | SHA2-256 |
| | ESP encryption algorithm | AES-256 | AES-256 |
| IKE proposal | Authentication method | Pre-shared key | Pre-shared key |
| | Encryption algorithm | AES-256 | AES-256 |
| | Authentication algorithm | SHA2-256 | SHA2-256 |
| | DH group | Group14 | Group14 |
| IKE peer | IKE version | V1 | V1 |
| | Negotiation mode | Main mode | Main mode |
| | Pre-shared key | Huawei@123 | Huawei@123 |
| | Identity type | IP | IP |
Configuration Roadmap
- Configure IP addresses for interfaces and configure a static route to the peer end to ensure that the routes between the two ends (the router and firewall) are reachable.
You still need to add interfaces of the firewall to security zones and configure interzone policies.
- Configure an IPSec proposal and define the traffic protection method.
- Configure an IKE proposal and define IKE negotiation parameters.
- Configure an IKE peer and define the attributes used for IKE negotiation.
- Configure an IPSec profile and determine the data flows to be protected and protection method.
- Apply the IPSec profile to tunnel interfaces to enable IPSec protection.
Configuration Guidelines
- If the two ends use the default parameters to negotiate the establishment of an IPSec tunnel, ensure that the default parameter values of the two ends are the same. Otherwise, the IPSec tunnel cannot be established. If you are uncertain about the default parameter values used on the two ends, manually set the parameter values.
- The MD5, SHA-1, DES, and 3DES algorithms pose security risks. Exercise caution when using these algorithms.
- To perform the ping operation to test connectivity, run the service-manage ping permit command in the firewall interface view to allow the ping service on all firewall interfaces along the path.
- If the IPSec proposals on the two ends both use the SHA2 algorithm, and an IPSec tunnel can be established but traffic cannot be forwarded through it, the two ends may be using different SHA2 encryption and decryption modes. In this case, run the ipsec authentication sha2 compatible enable (or undo ipsec authentication sha2 compatible enable) command on the router, or the ipsec sha2 compatible enable (or undo ipsec sha2 compatible enable) command on the firewall, so that the two ends use the same SHA2 encryption and decryption mode.
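The first two guidelines (matching parameters on both ends, avoiding MD5/SHA-1/DES/3DES) can be checked offline against the configuration files before the tunnel is negotiated. The following is an added example, not Huawei tooling: it parses the `#`-delimited section layout shown in the Configuration Files section, compares the IKE and IPSec proposal parameters of the two ends, and flags weak algorithms; the sample configurations it embeds are constructed (one peer matches the router, the other is downgraded to SHA-1 and DH group 2).

```python
"""Added example (not Huawei tooling): compare the IKE and IPSec proposal parameters
of two Huawei VRP-style config files and flag mismatches and weak algorithms."""
WEAK = {"md5", "sha1", "des", "3des"}   # algorithms the guidelines say pose security risks
KEYS = {                                # parameters that must agree for negotiation to succeed
    "ipsec proposal": ["esp authentication-algorithm", "esp encryption-algorithm"],
    "ike proposal": ["authentication-method", "encryption-algorithm",
                     "authentication-algorithm", "dh"],
}

def parse_sections(cfg):
    """{section header: {parameter: value}}: '#' lines separate sections, unindented
    lines open one, indented lines are its parameters (the layout of the config files)."""
    sections, header, params = {}, None, {}
    for line in cfg.splitlines():
        if line.strip() == "#" or (line and not line.startswith(" ")):
            if header:
                sections[header] = params
            header, params = (None if line.strip() == "#" else line.strip()), {}
        elif line.strip():
            words = line.split()
            n = 2 if words[0] == "esp" else 1   # 'esp encryption-algorithm aes-256'
            params[" ".join(words[:n])] = " ".join(words[n:])
    if header:
        sections[header] = params
    return sections

def proposal(cfg, kind):
    """Parameters of the first section whose header starts with kind (e.g. 'ike proposal')."""
    return next((p for h, p in parse_sections(cfg).items() if h.startswith(kind)), {})

def check(cfg_a, cfg_b):
    """Return (mismatches, weak): parameters differing between the ends, and values in WEAK."""
    mismatches, weak = [], set()
    for kind, keys in KEYS.items():
        a, b = proposal(cfg_a, kind), proposal(cfg_b, kind)
        for key in keys:
            va, vb = a.get(key), b.get(key)      # a missing parameter compares as None
            if va != vb:
                mismatches.append((kind, key, va, vb))
            weak.update((kind, key, v) for v in (va, vb) if v in WEAK)
    return mismatches, sorted(weak)

# Constructed samples: the page's router proposals, a matching peer, and a downgraded peer.
ROUTER_CFG = "\n".join(["#", "ipsec proposal tran1", " esp authentication-algorithm sha2-256",
    " esp encryption-algorithm aes-256", "#", "ike proposal 5", " encryption-algorithm aes-256",
    " dh group14", " authentication-algorithm sha2-256", " authentication-method pre-share",
    "#", "return"])
FIREWALL_OK = ROUTER_CFG
FIREWALL_BAD = ROUTER_CFG.replace("sha2-256", "sha1").replace("group14", "group2")
```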
Configuration Procedure
- Configure the HUAWEI AR Router.
- Configure IP addresses for interfaces and configure a static route to the firewall.
```
# Configure IP addresses for interfaces.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[Router-GigabitEthernet1/0/1] quit
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip address 10.1.1.1 255.255.255.0
[Router-GigabitEthernet1/0/2] quit
[Router] interface tunnel 0/0/0
[Router-Tunnel0/0/0] ip address 10.2.1.1 255.255.255.0
[Router-Tunnel0/0/0] quit
```
```
# Configure a static route to the firewall. This example assumes that the next-hop address of the static route is 1.1.1.2.
[Router] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
[Router] ip route-static 10.1.2.0 255.255.255.0 tunnel 0/0/0
```
- Configure an IPSec proposal.
```
[Router] ipsec proposal tran1
[Router-ipsec-proposal-tran1] encapsulation-mode tunnel
[Router-ipsec-proposal-tran1] transform esp
[Router-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[Router-ipsec-proposal-tran1] quit
```
- Configure an IKE proposal.
```
[Router] ike proposal 5
[Router-ike-proposal-5] authentication-method pre-share
[Router-ike-proposal-5] encryption-algorithm aes-256
[Router-ike-proposal-5] authentication-algorithm sha2-256
[Router-ike-proposal-5] dh group14
[Router-ike-proposal-5] quit
```
- Configure an IKE peer.
```
[Router] ike peer spub
[Router-ike-peer-spub] undo version 2
[Router-ike-peer-spub] exchange-mode main
[Router-ike-peer-spub] ike-proposal 5
[Router-ike-peer-spub] pre-shared-key cipher Huawei@123
[Router-ike-peer-spub] local-id-type ip
[Router-ike-peer-spub] quit
```
- Configure an IPSec profile.
```
[Router] ipsec profile profile1
[Router-ipsec-profile-profile1] proposal tran1
[Router-ipsec-profile-profile1] ike-peer spub
[Router-ipsec-profile-profile1] quit
```
- Apply the IPSec profile to an interface.
```
[Router] interface tunnel 0/0/0
[Router-Tunnel0/0/0] tunnel-protocol ipsec
[Router-Tunnel0/0/0] source 1.1.1.1
[Router-Tunnel0/0/0] destination 2.1.1.1
[Router-Tunnel0/0/0] ipsec profile profile1
[Router-Tunnel0/0/0] quit
```
- Configure the HUAWEI Firewall.
- Configure IP addresses for interfaces, add interfaces to security zones, configure an interzone security policy, and configure a static route to the router.
```
# Configure IP addresses for interfaces, and add interfaces to security zones.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 2.1.1.1 255.255.255.0
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] ip address 10.1.2.1 255.255.255.0
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] interface tunnel 0
[HUAWEI-Tunnel0] ip address 10.2.1.2 255.255.255.0
[HUAWEI-Tunnel0] quit
[HUAWEI] firewall zone trust
[HUAWEI-zone-trust] add interface gigabitethernet 1/0/2
[HUAWEI-zone-trust] quit
[HUAWEI] firewall zone untrust
[HUAWEI-zone-untrust] add interface gigabitethernet 1/0/1
[HUAWEI-zone-untrust] add interface tunnel 0
[HUAWEI-zone-untrust] quit
```
```
# Configure interzone policies.
[HUAWEI] security-policy
[HUAWEI-policy-security] rule name policy1
[HUAWEI-policy-security-rule-policy1] source-zone trust
[HUAWEI-policy-security-rule-policy1] destination-zone untrust
[HUAWEI-policy-security-rule-policy1] source-address 10.1.2.0 24
[HUAWEI-policy-security-rule-policy1] destination-address 10.1.1.0 24
[HUAWEI-policy-security-rule-policy1] action permit
[HUAWEI-policy-security-rule-policy1] quit
[HUAWEI-policy-security] rule name policy2
[HUAWEI-policy-security-rule-policy2] source-zone untrust
[HUAWEI-policy-security-rule-policy2] destination-zone trust
[HUAWEI-policy-security-rule-policy2] source-address 10.1.1.0 24
[HUAWEI-policy-security-rule-policy2] destination-address 10.1.2.0 24
[HUAWEI-policy-security-rule-policy2] action permit
[HUAWEI-policy-security-rule-policy2] quit
[HUAWEI-policy-security] rule name policy3
[HUAWEI-policy-security-rule-policy3] source-zone local
[HUAWEI-policy-security-rule-policy3] destination-zone untrust
[HUAWEI-policy-security-rule-policy3] source-address 2.1.1.1 32
[HUAWEI-policy-security-rule-policy3] destination-address 1.1.1.1 32
[HUAWEI-policy-security-rule-policy3] action permit
[HUAWEI-policy-security-rule-policy3] quit
[HUAWEI-policy-security] rule name policy4
[HUAWEI-policy-security-rule-policy4] source-zone untrust
[HUAWEI-policy-security-rule-policy4] destination-zone local
[HUAWEI-policy-security-rule-policy4] source-address 1.1.1.1 32
[HUAWEI-policy-security-rule-policy4] destination-address 2.1.1.1 32
[HUAWEI-policy-security-rule-policy4] action permit
[HUAWEI-policy-security-rule-policy4] quit
[HUAWEI-policy-security] quit
```
```
# Configure a static route to the router. This example assumes that the next-hop address of the static route is 2.1.1.2.
[HUAWEI] ip route-static 0.0.0.0 0.0.0.0 2.1.1.2
[HUAWEI] ip route-static 10.1.1.0 255.255.255.0 tunnel 0
```
- Configure an IPSec proposal.
```
[HUAWEI] ipsec proposal tran1
[HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
[HUAWEI-ipsec-proposal-tran1] transform esp
[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[HUAWEI-ipsec-proposal-tran1] quit
```
- Configure an IKE proposal.
```
[HUAWEI] ike proposal 5
[HUAWEI-ike-proposal-5] authentication-method pre-share
[HUAWEI-ike-proposal-5] encryption-algorithm aes-256
[HUAWEI-ike-proposal-5] authentication-algorithm sha2-256
[HUAWEI-ike-proposal-5] dh group14
[HUAWEI-ike-proposal-5] quit
```
- Configure an IKE peer.
```
[HUAWEI] ike peer spub
[HUAWEI-ike-peer-spub] undo version 2
[HUAWEI-ike-peer-spub] exchange-mode main
[HUAWEI-ike-peer-spub] ike-proposal 5
[HUAWEI-ike-peer-spub] pre-shared-key Huawei@123
[HUAWEI-ike-peer-spub] local-id-type ip
[HUAWEI-ike-peer-spub] quit
```
- Configure an IPSec profile.
```
[HUAWEI] ipsec profile profile1
[HUAWEI-ipsec-profile-profile1] proposal tran1
[HUAWEI-ipsec-profile-profile1] ike-peer spub
[HUAWEI-ipsec-profile-profile1] quit
```
- Apply the IPSec profile to an interface.
```
[HUAWEI] interface tunnel 0
[HUAWEI-Tunnel0] tunnel-protocol ipsec
[HUAWEI-Tunnel0] source 2.1.1.1
[HUAWEI-Tunnel0] destination 1.1.1.1
[HUAWEI-Tunnel0] ipsec profile profile1
[HUAWEI-Tunnel0] quit
```
Verifying the Configuration
- Run the display ike sa command. The command output shows that both the IKE SA (Phase v1:1) and the IPSec SA (Phase v1:2) have been established. The command output of the router is used as an example.
```
<Router> display ike sa
IKE SA information :
 Conn-ID    Peer            VPN   Flag(s)    Phase   RemoteType  RemoteID
-----------------------------------------------------------------------------
 1679       2.1.1.1:500           RD|ST|A    v1:2    IP          2.1.1.1
 1677       2.1.1.1:500           RD|ST|A    v1:1    IP          2.1.1.1

 Number of IKE SA : 2
-------------------------------------------------------------------------------
 Flag Description:
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
 HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
 M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
```
- PC1 and PC2 can ping each other. The following shows the ping from PC1 to PC2.
```
C:\Users\huawei> ping 10.1.2.2

Pinging 10.1.2.2 with 32 bytes of data:

Reply from 10.1.2.2: bytes=32 time=9ms TTL=126
Reply from 10.1.2.2: bytes=32 time=9ms TTL=126
Reply from 10.1.2.2: bytes=32 time=9ms TTL=126
Reply from 10.1.2.2: bytes=32 time=9ms TTL=126

Ping statistics for 10.1.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 9ms, Average = 9ms
```
An IPSec tunnel has been established successfully, and PC1 and PC2 can ping each other successfully. How do I determine whether service packets are transmitted through the IPSec tunnel? The following describes two common methods:
- View the max sent sequence-number field in the display ipsec sa command output. This field is designed for the anti-replay function. Each time an IPSec tunnel sends a packet, the sequence-number field value in the packet increases by 1. You can determine whether traffic passes through the IPSec tunnel based on the field value. For example, if a branch user sends five ICMP packets to the headquarters and the five ICMP packets are transmitted through an IPSec tunnel, the sequence-number field value in the IPSec SA of the tunnel increases by 5. If the field value does not increase or is incorrect, these packets are not transmitted through the IPSec tunnel or the IPSec tunnel is not working properly.
- View the input/output security packets field in the display ipsec statistics command output. Determine whether packets are transmitted through an IPSec tunnel based on the input/output security packets field value. For example, input/output security packets: 4/4 indicates that the IPSec tunnel has sent four packets and received four packets.
The first method displays packet statistics of a specific IPSec tunnel, and the second method displays global packet statistics of IPSec tunnels of the device. If multiple tunnels exist on the device, the second method is not applicable and the first method is recommended.
When traffic triggers the establishment of an IPSec tunnel, the first service packet will be discarded instead of being tunnel encapsulated. This is because the IPSec tunnel has not been established and cannot forward packets when the first packet is sent. For example, if a branch user sends 10 ICMP packets to the headquarters, only nine packets are displayed in the display ipsec statistics command output. This is a normal situation.
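The first method above, applied as a check that also allows for the discarded first packet, as an added example that is not Huawei tooling: the function takes a display ipsec sa snapshot taken before and after a known number of packets were sent, reads the max sent sequence-number counter for one tunnel, and compares the delta with what was sent. The snapshot layout (a remote address line followed by the outbound SA's counter) and the values are constructed for this example.

```python
"""Added example (not Huawei tooling): decide from two 'display ipsec sa' snapshots whether
the packets a user sent traversed the tunnel, using the per-tunnel 'max sent sequence-number'
delta the text describes and allowing for the first packet dropped during tunnel setup."""
import re

# Assumed output layout (constructed for this example): each SA block names its peer with
# 'remote address: X' and reports the anti-replay counter as 'max sent sequence-number: N'.
PEER_RE = re.compile(r"remote address:\s*(\S+)", re.I)
SEQ_RE = re.compile(r"max sent sequence-number:\s*(\d+)", re.I)

def sent_counters(output):
    """Map each peer address in the output to its outbound max sent sequence-number."""
    counters, peer = {}, None
    for line in output.splitlines():
        if m := PEER_RE.search(line):
            peer = m.group(1)
        elif (m := SEQ_RE.search(line)) and peer:
            counters[peer] = int(m.group(1))
    return counters

def verdict(before, after, peer, packets_sent, tunnel_triggered=False):
    """Compare the counter delta for one tunnel with the number of packets sent.
    When the traffic itself triggered tunnel setup, the first packet is discarded
    rather than encapsulated, so a delta of packets_sent - 1 is still normal."""
    delta = sent_counters(after).get(peer, 0) - sent_counters(before).get(peer, 0)
    expected = packets_sent - 1 if tunnel_triggered else packets_sent
    if delta < 0:
        return "sa replaced"      # counter restarted with a new SA: take fresh snapshots
    if delta == expected:
        return "tunneled"
    if delta == 0:
        return "not tunneled"     # traffic bypassed the tunnel or the tunnel is not working
    return "partial"              # some packets took another path or were dropped

# Constructed snapshots for the page's tunnel to peer 2.1.1.1 before and after 5 pings.
BEFORE = """\
Interface: Tunnel0/0/0
 remote address: 2.1.1.1
 [Outbound ESP SAs]
  SPI: 12345 (0x3039)
  max sent sequence-number: 12
"""
AFTER = BEFORE.replace("sequence-number: 12", "sequence-number: 17")
```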
Configuration Files
- HUAWEI AR Router Configuration File
```
#
 sysname Router
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike peer spub
 undo version 2
 pre-shared-key cipher %@%@:A(|N&D21)L2L0Z2WlVE9.-u%@%@%^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%*!%^%#
 ike-proposal 5
#
ipsec profile profile1
 ike-peer spub
 proposal tran1
#
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address 10.2.1.1 255.255.255.0
 tunnel-protocol ipsec
 source 1.1.1.1
 destination 2.1.1.1
 ipsec profile profile1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/0
#
return
```
- HUAWEI Firewall Configuration File
```
#
 sysname HUAWEI
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike peer spub
 undo version 2
 pre-shared-key cipher %^%#p7,cEWZqBI<4DT7CZUP:f|LjJ\zNLTbsAAG|d,8T%^%#
 ike-proposal 5
#
ipsec profile profile1
 ike-peer spub
 proposal tran1
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
interface Tunnel0
 ip address 10.2.1.2 255.255.255.0
 tunnel-protocol ipsec
 source 2.1.1.1
 destination 1.1.1.1
 ipsec profile profile1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface Tunnel0
#
ip route-static 0.0.0.0 0.0.0.0 2.1.1.2
ip route-static 10.1.1.0 255.255.255.0 Tunnel0
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  action permit
 rule name policy2
  source-zone untrust
  destination-zone trust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name policy3
  source-zone local
  destination-zone untrust
  source-address 2.1.1.1 mask 255.255.255.255
  destination-address 1.1.1.1 mask 255.255.255.255
  action permit
 rule name policy4
  source-zone untrust
  destination-zone local
  source-address 1.1.1.1 mask 255.255.255.255
  destination-address 2.1.1.1 mask 255.255.255.255
  action permit
#
return
```