Establishing IPSec Tunnels in Policy Template Mode Between HUAWEI Firewalls and H3C Firewalls
Networking Requirements
The H3C firewall serves as the HQ gateway and uses a policy template to establish an IPSec tunnel with the branch gateway. In this case, the outbound interface of the branch gateway may have a fixed or an unfixed (dynamic) public IP address. Figure 1 shows the scenario where the outbound interface has an unfixed public IP address. In this scenario, only the branch, not the HQ, can initiate the negotiation for establishing the IPSec tunnel.
Data Plan
Configuration Item | Parameter | HUAWEI Firewall | H3C Firewall
---|---|---|---
IKE SA | Negotiation mode | Main mode | Main mode
IKE SA | Encryption algorithm | 3des | 3des
IKE SA | Authentication algorithm | sha1 | sha1
IKE SA | Pre-shared key | Key@123 | Key@123
IKE SA | Identity type | IP address of the peer | IP address of the peer
IKE SA | IKE version | V1 | V1
IKE SA | DH group | Group2 | Group2
IPSec SA | Encapsulation mode | Tunnel mode | Tunnel mode
IPSec SA | Security protocol | ESP | ESP
IPSec SA | Encryption algorithm | 3des | 3des
IPSec SA | Authentication algorithm | sha1 | sha1
Configuration Roadmap
- Configure the H3C firewall:
- Set interface IP addresses and assign the interfaces to security zones.
- Configure an interzone security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the H3C firewall.
- Configure the default route from the H3C firewall to the Internet.
- Configure an IPSec policy, including defining the data flow to be protected, configuring an IKE proposal, configuring a keychain, configuring a profile, configuring an IPSec proposal, and configuring an IPSec profile.
- Apply the IPSec policy to an interface.
- Configure the HUAWEI firewall:
- Set IP addresses for interfaces and assign the interfaces to security zones.
- Configure an interzone security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the HUAWEI firewall.
- Configure the default route from the HUAWEI firewall to the Internet.
- Configure an IPSec policy, including defining the data flow to be protected, configuring an IPSec proposal, creating an IKE proposal, and configuring an IKE peer.
- Apply the IPSec policy to an interface.
Configuration Precautions
- When an H3C firewall establishes an IPSec tunnel with a HUAWEI firewall using a policy template, if the public IP address of the outbound interface on the HUAWEI firewall is not fixed, the H3C firewall needs to provide a fixed host name. The H3C firewall searches for the pre-shared key based on the peer host name to establish an IPSec tunnel with the peer.
- When IPSec is configured on the H3C firewall in policy template mode, the end that receives the negotiation request does not need an ACL. Without an ACL, the responder protects the widest possible range; that is, it accepts the ACL (the protected flows) configured on the negotiation initiator.
- When a profile is configured on the H3C firewall, the match local address command is used to specify the usage scope of the profile. According to the H3C firewall configuration guide, this command is optional. If this command is not configured when the H3C firewall is interconnected with a HUAWEI firewall, the H3C firewall cannot find the interface applicable to the profile. Therefore, you are advised to run this command. Otherwise, tunnel negotiation will fail.
Configuration Procedure
- Configure the H3C firewall.
- Set IP addresses for interfaces and assign the interfaces to security zones.
- Configure GE2/0/10 and assign it to the Untrust zone.
[H3C] interface Ten-GigabitEthernet2/0/10
[H3C-Ten-GigabitEthernet2/0/10] port link-mode route
[H3C-Ten-GigabitEthernet2/0/10] ip address 2.2.2.2 255.255.255.0
[H3C-Ten-GigabitEthernet2/0/10] quit
[H3C] security-zone name Untrust
[H3C-security-zone-Untrust] import interface Ten-GigabitEthernet 2/0/10
[H3C-security-zone-Untrust] quit
- Configure GE2/0/9 and assign it to the Trust zone.
[H3C] interface Ten-GigabitEthernet2/0/9
[H3C-Ten-GigabitEthernet2/0/9] ip address 192.168.0.1 24
[H3C-Ten-GigabitEthernet2/0/9] quit
[H3C] security-zone name Trust
[H3C-security-zone-Trust] import interface Ten-GigabitEthernet 2/0/9
[H3C-security-zone-Trust] quit
- Configure security policies.
- Configure two object groups separately for the HQ network and branch network.
[H3C] object-group ip address trust1
[H3C-obj-grp-ip-trust1] network subnet 192.168.0.0 24
[H3C-obj-grp-ip-trust1] quit
[H3C] object-group ip address untrust1
[H3C-obj-grp-ip-untrust1] network subnet 192.168.10.0 24
[H3C-obj-grp-ip-untrust1] quit
- Configure object policies.
[H3C] object-policy ip trust-untrust
[H3C-object-policy-ip-trust-untrust] rule pass source-ip trust1 destination-ip untrust1
[H3C-object-policy-ip-trust-untrust] quit
[H3C] object-policy ip untrust-trust
[H3C-object-policy-ip-untrust-trust] rule pass source-ip untrust1 destination-ip trust1
[H3C-object-policy-ip-untrust-trust] quit
- Configure Untrust-Trust interzone security policies to ensure that the HQ and branch can communicate with each other.
[H3C] zone-pair security source trust destination untrust
[H3C-zone-pair-security-Trust-Untrust] object-policy apply ip trust-untrust
[H3C-zone-pair-security-Trust-Untrust] quit
[H3C] zone-pair security source untrust destination trust
[H3C-zone-pair-security-Untrust-Trust] object-policy apply ip untrust-trust
[H3C-zone-pair-security-Untrust-Trust] quit
- Configure an ACL for Local-Untrust interzone security policies.
[H3C] acl advanced 3999
[H3C-acl-ipv4-adv-3999] rule 0 permit ip
[H3C-acl-ipv4-adv-3999] quit
- Configure Local-Untrust interzone security policies.
[H3C] zone-pair security source untrust destination local
[H3C-zone-pair-security-Untrust-Local] packet-filter 3999
[H3C-zone-pair-security-Untrust-Local] quit
[H3C] zone-pair security source local destination untrust
[H3C-zone-pair-security-Local-Untrust] packet-filter 3999
[H3C-zone-pair-security-Local-Untrust] quit
Untrust-Trust and Local-Untrust interzone security policies also need to be configured on the H3C firewall. However, the configuration method is different from that on the HUAWEI firewall. Before configuring Untrust-Trust interzone security policies, you need to configure the object group and object policy. You can configure the Local-Untrust interzone security policies by referencing ACLs.
- Configure routes.
Configure a default route to the Internet. In the example, the next-hop IP address is 2.2.2.3.
[H3C] ip route-static 0.0.0.0 0.0.0.0 2.2.2.3
- Create an ACL to define the traffic to be protected.
Packets from 192.168.0.0/24 to 192.168.10.0/24 are transmitted over the IPSec tunnel. The traffic defined here must mirror the traffic defined on the HUAWEI firewall (source and destination swapped); otherwise, the negotiation fails.
[H3C] acl advanced 3000
[H3C-acl-ipv4-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[H3C-acl-ipv4-adv-3000] quit
- Configure an IKE proposal.
Configure the IKE proposal and specify the encryption algorithm, authentication algorithm, DH group, and authentication method. The values must be the same as those configured on the HUAWEI firewall. When configuring the authentication algorithm, set this parameter to sha. On the H3C firewall, sha equals sha1.
[H3C] ike proposal 1
[H3C-ike-proposal-1] encryption-algorithm 3des
[H3C-ike-proposal-1] authentication-method pre-share
[H3C-ike-proposal-1] authentication-algorithm sha
[H3C-ike-proposal-1] dh group2
[H3C-ike-proposal-1] quit
- Configure the keychain.
[H3C] ike keychain keychain1
[H3C-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple Key@123
[H3C-ike-keychain-keychain1] quit
- Keychain is used to configure the pre-shared key used by both ends. You must specify the peer IP address or host name. If the IP address of the peer outbound interface is not fixed, you can specify the peer host name.
- If there are multiple branches, you can configure multiple peer IP addresses and their pre-shared keys. Each branch uses a unique pre-shared key.
- Configure a profile.
[H3C] ike profile profile1
[H3C-ike-profile-profile1] keychain keychain1
[H3C-ike-profile-profile1] proposal 1
[H3C-ike-profile-profile1] exchange-mode main
[H3C-ike-profile-profile1] local-identity address 2.2.2.2
[H3C-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[H3C-ike-profile-profile1] match local address Ten-GigabitEthernet2/0/10
[H3C-ike-profile-profile1] quit
- The match remote identity address command is used to specify the peer identity. When the peer identity matches the rule configured in the IKE profile, the H3C firewall uses information in the IKE profile to authenticate the peer.
- If there are multiple branches, you can run the match remote identity address range command to specify the peer identity.
- Configuring a profile is equivalent to configuring an IKE peer on the HUAWEI firewall and referencing keychain1 and the IKE proposal.
- When IKEv1 is used, the match local address Ten-GigabitEthernet2/0/10 command is used to specify the profile usage range. This command is required. Otherwise, the negotiation will fail.
- If IKEv2 is used, run the ikev2 proposal, ikev2 keychain, and ikev2 profile commands in sequence to configure the IKE proposal, keychain, and profile.
- Configure an IPSec proposal.
Specify the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm. The values must be the same as those configured on the HUAWEI firewall.
[H3C] ipsec transform-set tran1
[H3C-ipsec-transform-set-tran1] encapsulation-mode tunnel
[H3C-ipsec-transform-set-tran1] protocol esp
[H3C-ipsec-transform-set-tran1] esp encryption-algorithm 3des
[H3C-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[H3C-ipsec-transform-set-tran1] quit
- Configure an IPSec template.
[H3C] ipsec policy-template tem1 1
[H3C-ipsec-policy-template-tem1-1] security acl 3000
[H3C-ipsec-policy-template-tem1-1] ike-profile profile1
[H3C-ipsec-policy-template-tem1-1] transform-set tran1
[H3C-ipsec-policy-template-tem1-1] quit
- Different from the policy mode, you need to configure a template named tem1. In this template, you can reference the ACL, profile, and IPSec proposal. Then, configure a policy to reference the template tem1.
- The IPSec template configuration on the H3C firewall is the same as that on the HUAWEI firewall.
- Configure an IPSec policy.
[H3C] ipsec policy map1 1 isakmp template tem1
- Apply the IPSec policy to an interface.
[H3C] interface Ten-GigabitEthernet2/0/10
[H3C-Ten-GigabitEthernet2/0/10] ipsec apply policy map1
[H3C-Ten-GigabitEthernet2/0/10] quit
- Configure the HUAWEI firewall.
- Set IP addresses for interfaces and assign the interfaces to security zones.
- Configure GE1/0/9 and assign it to the Untrust zone.
[HUAWEI] interface GigabitEthernet 1/0/9
[HUAWEI-GigabitEthernet1/0/9] ip address 1.1.1.1 24
[HUAWEI-GigabitEthernet1/0/9] quit
[HUAWEI] firewall zone untrust
[HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/9
[HUAWEI-zone-untrust] quit
- Configure GE1/0/5 and assign it to the Trust zone.
[HUAWEI] interface GigabitEthernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] ip address 192.168.10.1 24
[HUAWEI-GigabitEthernet1/0/5] quit
[HUAWEI] firewall zone trust
[HUAWEI-zone-trust] add interface GigabitEthernet 1/0/5
[HUAWEI-zone-trust] quit
- Configure security policies.
- Configure Untrust-Trust interzone security policies.
Configure policy 1 so that the branch can access the HQ and configure policy 2 so that the HQ can access the branch.
[HUAWEI] security-policy
[HUAWEI-policy-security] rule name 1
[HUAWEI-policy-security-rule-1] source-zone untrust
[HUAWEI-policy-security-rule-1] destination-zone trust
[HUAWEI-policy-security-rule-1] source-address 192.168.0.0 24
[HUAWEI-policy-security-rule-1] destination-address 192.168.10.0 24
[HUAWEI-policy-security-rule-1] action permit
[HUAWEI-policy-security-rule-1] quit
[HUAWEI-policy-security] rule name 2
[HUAWEI-policy-security-rule-2] source-zone trust
[HUAWEI-policy-security-rule-2] destination-zone untrust
[HUAWEI-policy-security-rule-2] source-address 192.168.10.0 24
[HUAWEI-policy-security-rule-2] destination-address 192.168.0.0 24
[HUAWEI-policy-security-rule-2] action permit
[HUAWEI-policy-security-rule-2] quit
- Configure Local-Untrust interzone security policies.
Configure policy 3 so that the HUAWEI firewall can initiate an IPSec tunnel establishment request and configure policy 4 so that the HUAWEI firewall can receive an IPSec tunnel establishment request. The source and destination addresses are the public addresses of the outbound interfaces at both ends.
[HUAWEI-policy-security] rule name 3
[HUAWEI-policy-security-rule-3] source-zone local
[HUAWEI-policy-security-rule-3] destination-zone untrust
[HUAWEI-policy-security-rule-3] source-address 1.1.1.1 24
[HUAWEI-policy-security-rule-3] destination-address 2.2.2.2 24
[HUAWEI-policy-security-rule-3] action permit
[HUAWEI-policy-security-rule-3] quit
[HUAWEI-policy-security] rule name 4
[HUAWEI-policy-security-rule-4] source-zone untrust
[HUAWEI-policy-security-rule-4] destination-zone local
[HUAWEI-policy-security-rule-4] source-address 2.2.2.2 24
[HUAWEI-policy-security-rule-4] destination-address 1.1.1.1 24
[HUAWEI-policy-security-rule-4] action permit
[HUAWEI-policy-security-rule-4] quit
- Configure routes.
Configure a default route to the Internet. In the example, the next-hop IP address is 1.1.1.2.
[HUAWEI] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
- Create an ACL to define the traffic to be protected.
Packets from 192.168.10.0/24 to 192.168.0.0/24 shall be transmitted over the IPSec tunnel.
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[HUAWEI-acl-adv-3000] quit
- Before the HUAWEI firewall initiates a negotiation request, it finds the outbound interface based on the route, determines whether the traffic is allowed to pass based on security policy 2, determines whether the traffic is to be sent through the IPSec tunnel based on the ACL, and determines whether it is allowed to initiate the negotiation based on security policy 3. Only when the answer to every one of these questions is yes does the HUAWEI firewall actually initiate the negotiation.
- When the HUAWEI firewall receives a negotiation request, it checks whether the peer's traffic is protected based on the ACL and determines whether to accept the negotiation based on security policy 4. Only when the answer to both questions is yes does the HUAWEI firewall start the negotiation with the peer; otherwise, it discards the negotiation packet.
- Configure an IKE SA.
- Configure an IKE proposal and specify the encryption algorithm, authentication algorithm, and DH group. In this example, IKEv1 is used, and the integrity algorithm does not need to be configured.
[HUAWEI] ike proposal 1
[HUAWEI-ike-proposal-1] encryption-algorithm 3des
[HUAWEI-ike-proposal-1] authentication-algorithm sha1
[HUAWEI-ike-proposal-1] dh group2
[HUAWEI-ike-proposal-1] quit
- Configure an IKE peer and specify the negotiation mode, IKE version, pre-shared key, and peer IP address.
[HUAWEI] ike peer h3c
[HUAWEI-ike-peer-h3c] exchange-mode main
[HUAWEI-ike-peer-h3c] undo version 2
[HUAWEI-ike-peer-h3c] ike-proposal 1
[HUAWEI-ike-peer-h3c] pre-shared-key Key@123
[HUAWEI-ike-peer-h3c] remote-address 2.2.2.2
[HUAWEI-ike-peer-h3c] quit
- Configure an IPSec proposal and specify the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm.
[HUAWEI] ipsec proposal tran1
[HUAWEI-ipsec-proposal-tran1] transform esp
[HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm 3des
[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1
[HUAWEI-ipsec-proposal-tran1] quit
- Configure an ISAKMP IPSec policy and associate it with the IKE peer, IPSec proposal, and ACL.
[HUAWEI] ipsec policy map1 1 isakmp
[HUAWEI-ipsec-policy-isakmp-map1-1] ike-peer h3c
[HUAWEI-ipsec-policy-isakmp-map1-1] proposal tran1
[HUAWEI-ipsec-policy-isakmp-map1-1] security acl 3000
[HUAWEI-ipsec-policy-isakmp-map1-1] quit
- Apply the IPSec policy to an interface.
[HUAWEI] interface GigabitEthernet 1/0/9
[HUAWEI-GigabitEthernet1/0/9] ipsec policy map1
[HUAWEI-GigabitEthernet1/0/9] quit
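The procedure above relies on two things being true before the tunnel can come up: the IKE and IPSec proposal values, DH group and pre-shared key must be identical on both firewalls (with H3C's "sha" read as "sha1"), and the ACL on the H3C side must be the exact mirror of the ACL on the HUAWEI side, with the H3C keychain entry covering the HUAWEI public address. The following Python script is an added example, not Huawei or H3C code; it re-types the commands from the procedure as constructed input and cross-checks them with a simple regex line scanner (an assumption adequate for these snippets, not a full CLI grammar). HUAWEI_PUBLIC_IP is the 1.1.1.1 address of GE1/0/9 in this example.

```python
"""Cross-check the IKE/IPSec parameters that must agree between both ends.

Added example, not vendor code. Inputs are constructed from the procedure;
the parser is a simple regex line scanner, not a full CLI grammar.
"""
import ipaddress
import re

# Constructed input: H3C (HQ) side, commands taken from the procedure above.
H3C_CONFIG = """
ike proposal 1
 encryption-algorithm 3des
 authentication-method pre-share
 authentication-algorithm sha
 dh group2
ike keychain keychain1
 pre-shared-key address 1.1.1.1 255.255.255.0 key simple Key@123
ike profile profile1
 local-identity address 2.2.2.2
 match remote identity address 1.1.1.1 255.255.255.0
ipsec transform-set tran1
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
acl advanced 3000
 rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
"""

# Constructed input: HUAWEI (branch) side, commands taken from the procedure above.
HUAWEI_CONFIG = """
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
ike peer h3c
 pre-shared-key Key@123
 remote-address 2.2.2.2
ipsec proposal tran1
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
acl 3000
 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
"""

HUAWEI_PUBLIC_IP = "1.1.1.1"   # outbound interface GE1/0/9 in this example
ALIAS = {"sha": "sha1"}        # H3C "sha" is the same algorithm as HUAWEI "sha1"


def _first(config, pattern):
    """Group 1 of the first line matching pattern (alias-normalised), else None."""
    m = re.search(pattern, config, re.MULTILINE)
    return ALIAS.get(m.group(1), m.group(1)) if m else None


def parse(config):
    """Extract the values the two peers must agree on."""
    acl = re.search(r"^\s*rule permit ip source (\S+) \S+ destination (\S+) \S+",
                    config, re.MULTILINE)
    net = re.search(r"^\s*pre-shared-key address (\S+) (\S+)", config, re.MULTILINE)
    return {
        "ike_enc": _first(config, r"^\s*encryption-algorithm (\S+)"),
        "ike_auth": _first(config, r"^\s*authentication-algorithm (\S+)"),
        "dh": _first(config, r"^\s*dh (\S+)"),
        "mode": _first(config, r"^\s*encapsulation-mode (\S+)"),
        "esp_enc": _first(config, r"^\s*esp encryption-algorithm (\S+)"),
        "esp_auth": _first(config, r"^\s*esp authentication-algorithm (\S+)"),
        "psk": _first(config, r"^\s*pre-shared-key .*?(\S+)$"),   # last token is the key
        "acl_src": acl.group(1) if acl else None,
        "acl_dst": acl.group(2) if acl else None,
        "local_id": _first(config, r"^\s*local-identity address (\S+)"),
        "remote": _first(config, r"^\s*remote-address (\S+)"),
        # Network the H3C keychain entry applies to (None on the HUAWEI side).
        "key_net": (ipaddress.ip_network(f"{net.group(1)}/{net.group(2)}", strict=False)
                    if net else None),
    }


def check(h3c_config, huawei_config, huawei_public_ip=HUAWEI_PUBLIC_IP):
    """Return a list of mismatches; an empty list means both ends agree."""
    h3c, hw = parse(h3c_config), parse(huawei_config)
    problems = []
    for key in ("ike_enc", "ike_auth", "dh", "mode", "esp_enc", "esp_auth", "psk"):
        if h3c[key] != hw[key]:
            problems.append(f"{key}: H3C={h3c[key]} HUAWEI={hw[key]}")
    # The protected flows must be mirror images of each other.
    if (h3c["acl_src"], h3c["acl_dst"]) != (hw["acl_dst"], hw["acl_src"]):
        problems.append("acl: the H3C flow is not the mirror of the HUAWEI flow")
    # The address the HUAWEI side dials must be the identity the H3C side presents.
    if hw["remote"] != h3c["local_id"]:
        problems.append(f"peer: remote-address {hw['remote']} != local-identity {h3c['local_id']}")
    # The H3C keychain entry must cover the HUAWEI public address, or no key is found.
    if h3c["key_net"] is None or ipaddress.ip_address(huawei_public_ip) not in h3c["key_net"]:
        problems.append(f"keychain: {huawei_public_ip} is not covered by pre-shared-key address")
    return problems


if __name__ == "__main__":
    for line in check(H3C_CONFIG, HUAWEI_CONFIG) or ["OK: both ends agree"]:
        print(line)
```

Running the script on the two excerpts reports that both ends agree; changing a single value on either side (for example the DH group, or one ACL subnet) produces a one-line mismatch naming the parameter, which is the same information that a failed negotiation hides behind a generic proposal-mismatch error.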
Verification
- Ping PC1 at the HQ from PC2 at the branch and verify whether the branch can proactively initiate an IPSec tunnel with the HQ.
You can also run the ping command on the HUAWEI firewall. In this case, use the -a option to specify the source address. Otherwise, the traffic generated by the ping does not match the traffic defined in the ACL and IPSec negotiation cannot be triggered.
- On the HUAWEI firewall at the branch, run the display ike sa command. If the following information is displayed, the IKE SA is successfully established.
<HUAWEI> display ike sa
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer            flag          phase    vpn
-----------------------------------------------------------------------------
857        2.2.2.2         RD|ST|A       v1:2     public
854        2.2.2.2         RD|ST|A       v1:1     public

flag meaning
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
TD--DELETING   NEG--NEGOTIATING   D--DPD   M--ACTIVE   S--STANDBY   A--ALONE
- On the HUAWEI firewall at the branch, run the display ipsec sa command. If the following information is displayed, the IPSec SA is successfully established.
<HUAWEI> display ipsec sa
===============================
Interface: GigabitEthernet1/0/9
path MTU: 1500
===============================

-----------------------------
IPSec policy name: "map1"
sequence number: 1
mode: isakmp
vpn: public
-----------------------------
connection id: 857
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 36m 53s
tunnel local : 1.1.1.1
tunnel remote: 1.1.1.2
flow source: 192.168.10.0/255.255.255.0 0/0
flow destination: 192.168.0.0/255.255.255.0 0/0

[inbound ESP SAs]
spi: 1627265478 (0x60fe19c6)
vpn: public said: 78 cpuid: 0x0000
proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
sa remaining key duration (kilobytes/sec): 1843200/1387
max received sequence-number: 4
udp encapsulation used for nat traversal: N

[outbound ESP SAs]
spi: 1378998681 (0x5231d999)
vpn: public said: 79 cpuid: 0x0000
proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
sa remaining key duration (kilobytes/sec): 1843200/1387
max sent sequence-number: 4
udp encapsulation used for nat traversal: N
- On the H3C firewall at the HQ, run the display ike sa command. If the following information is displayed, the IKE SA is successfully established.
<H3C> dis ike sa
Connection-ID   Remote    Flag   DOI
------------------------------------------------------------------
782             1.1.1.1   RD     IPSec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
- On the H3C firewall at the HQ, run the display ipsec sa command to check the IPSec establishment. If the following information is displayed, the IPSec SA is established successfully.
<H3C> display ipsec sa
-------------------------------
Interface: Ten-GigabitEthernet2/0/10
-------------------------------

-----------------------------
IPSec policy: map1
Sequence number: 1
Mode: Template
Flow table status: Active
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1444
Tunnel:
    local  address: 2.2.2.2
    remote address: 1.1.1.1
Flow:
    sour addr: 192.168.0.0/255.255.255.0  port: 0  protocol: ip
    dest addr: 192.168.10.0/255.255.255.0  port: 0  protocol: ip

[Inbound ESP SAs]
  SPI: 1378998681 (0x5231d999)
  Connection ID: 158913789955
  Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
  SA duration (kilobytes/sec): 1843200/3600
  SA remaining duration (kilobytes/sec): 1843200/1304
  Max received sequence-number: 4
  Anti-replay check enable: Y
  Anti-replay window size: 64
  UDP encapsulation used for NAT traversal: N
  Status: Active

[Outbound ESP SAs]
  SPI: 1627265478 (0x60fe19c6)
  Connection ID: 158913789954
  Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
  SA duration (kilobytes/sec): 1843200/3600
  SA remaining duration (kilobytes/sec): 1843200/1304
  Max sent sequence-number: 5
  UDP encapsulation used for NAT traversal: N
  Status: Active
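Reading the verification output by eye is error-prone on a box with many tunnels, so the following Python helper, an added example that is not part of Huawei's or H3C's documentation, automates the two checks that matter in the output above: that both IKEv1 phases for the expected peer carry the RD (READY) flag, and that the ESP SPIs pair up across the tunnel, meaning each side's inbound SPI is the other side's outbound SPI (0x5231d999 and 0x60fe19c6 in this example). The input strings are constructed excerpts of the display output shown above; the column layout and the [inbound/outbound ESP SAs] section headers are assumed to be as shown there.

```python
"""Check IKE/IPSec SA state from 'display ike sa' and 'display ipsec sa' output.

Added example, not vendor code. Inputs are constructed excerpts of the
command output shown above; the parsing assumes that column layout.
"""
import re

# Constructed excerpt: HUAWEI branch firewall, 'display ike sa'.
HUAWEI_IKE_SA = """\
conn-id    peer            flag          phase    vpn
857        2.2.2.2         RD|ST|A       v1:2     public
854        2.2.2.2         RD|ST|A       v1:1     public
"""

# Constructed excerpt: HUAWEI branch firewall, 'display ipsec sa'.
HUAWEI_IPSEC_SA = """\
[inbound ESP SAs]
spi: 1627265478 (0x60fe19c6)
[outbound ESP SAs]
spi: 1378998681 (0x5231d999)
"""

# Constructed excerpt: H3C HQ firewall, 'display ipsec sa'.
H3C_IPSEC_SA = """\
[Inbound ESP SAs]
  SPI: 1378998681 (0x5231d999)
  Status: Active
[Outbound ESP SAs]
  SPI: 1627265478 (0x60fe19c6)
  Status: Active
"""


def ike_ready(display_ike_sa, peer):
    """Return the set of IKEv1 phases (1 and/or 2) in READY state for the given peer."""
    ready = set()
    row = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+v1:(\d)", re.MULTILINE)
    for m in row.finditer(display_ike_sa):
        # Flags are '|'-separated; RD means the SA finished negotiating.
        if m.group(1) == peer and "RD" in m.group(2).split("|"):
            ready.add(int(m.group(3)))
    return ready


def esp_spis(display_ipsec_sa):
    """Return {'inbound': [...], 'outbound': [...]} ESP SPIs as integers."""
    spis = {"inbound": [], "outbound": []}
    direction = None
    for line in display_ipsec_sa.splitlines():
        section = re.match(r"\s*\[(in|out)bound ESP SAs\]", line, re.IGNORECASE)
        if section:
            direction = section.group(1).lower() + "bound"
            continue
        spi = re.match(r"\s*spi:\s*(\d+)", line, re.IGNORECASE)
        if spi and direction:
            spis[direction].append(int(spi.group(1)))
    return spis


def tunnel_consistent(local_ipsec_sa, remote_ipsec_sa):
    """True when each side's inbound SPIs are exactly the other side's outbound SPIs."""
    a, b = esp_spis(local_ipsec_sa), esp_spis(remote_ipsec_sa)
    return (sorted(a["inbound"]) == sorted(b["outbound"])
            and sorted(a["outbound"]) == sorted(b["inbound"]))


if __name__ == "__main__":
    print("IKE phases READY for 2.2.2.2:", sorted(ike_ready(HUAWEI_IKE_SA, "2.2.2.2")))
    print("SPIs pair up across the tunnel:", tunnel_consistent(HUAWEI_IPSEC_SA, H3C_IPSEC_SA))
```

A phase 1 row without a phase 2 row points at a mismatch in the IPSec proposal or the ACL rather than in IKE; SPIs that do not pair up mean the two displays were taken from SAs that do not belong to the same tunnel, for instance after one side has rekeyed.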
Configuration Files
#
 sysname HUAWEI
#
interface GigabitEthernet 1/0/9
 ip address 1.1.1.1 24
 ipsec policy map1
#
interface GigabitEthernet 1/0/5
 ip address 192.168.10.1 24
#
firewall zone untrust
 add interface GigabitEthernet 1/0/9
#
firewall zone trust
 add interface GigabitEthernet 1/0/5
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 192.168.0.0 24
  destination-address 192.168.10.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 24
  destination-address 192.168.0.0 24
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 24
  destination-address 2.2.2.2 24
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 2.2.2.2 24
  destination-address 1.1.1.1 24
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
acl 3000
 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
#
ike peer h3c
 exchange-mode main
 undo version 2
 ike-proposal 1
 pre-shared-key Key@123
 remote-address 2.2.2.2
#
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
#
ipsec policy map1 1 isakmp
 ike-peer h3c
 proposal tran1
 security acl 3000
#
return