Establishing GRE over IPSec Tunnels Between HUAWEI Firewalls and Fortinet Firewalls
Networking Requirements
As shown in Figure 1, the HUAWEI firewall serves as the enterprise gateway connecting the headquarters to the Internet, and the Fortinet firewall serves as the gateway at the branch. The headquarters and the branch must be able to access each other securely, and multicast data must be transmitted between them (for example, the multicast packets exchanged by dynamic routing protocols when the enterprise network runs dynamic routing). Because an IPSec tunnel alone cannot carry multicast data but a GRE tunnel can, a GRE over IPSec tunnel is established between the HUAWEI firewall and the Fortinet firewall. In this scenario, either end can initiate the negotiation to establish the GRE over IPSec tunnel.
Data Plan
| Configuration Item | | HUAWEI firewall | Fortinet firewall |
|---|---|---|---|
| IKE SA | Negotiation mode | Main mode | Main mode |
| | Encryption algorithm | 3des | 3des |
| | Authentication algorithm | sha1 | sha1 |
| | Pre-shared key | Key@123 | Key@123 |
| | Identity type | Peer address | Peer address |
| | IKE version | V1 | V1 |
| | DH group | Group2 | Group2 |
| IPSec SA | Encapsulation mode | Tunnel mode | Tunnel mode |
| | Security protocol | ESP | ESP |
| | Encryption algorithm | 3des | 3des |
| | Authentication algorithm | sha1 | sha1 |
| GRE interface information | IP address | Configurable; must not conflict with other IP addresses | Address of the bound physical interface |
| | Source address | Local address | Local address |
| | Destination address | Peer address | Peer address |
Configuration Roadmap
- Configure the HUAWEI firewall:
- Set IP addresses for interfaces and assign the interfaces to security zones.
- Configure a GRE interface and assign it to a security zone.
- Configure an interzone security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the HUAWEI firewall.
- Configure a static route to the branch intranet and the default route from the HUAWEI firewall to the Internet.
- Configure an IPSec policy, including defining the data flow to be protected, configuring an IPSec proposal, creating an IKE proposal, and configuring an IKE peer.
- Apply the IPSec policy to an interface.
- Configure the Fortinet firewall:
- Configure physical interfaces.
- Configure the IKE SA and IPSec SA.
- Configure a tunnel interface and assign it to the Untrust zone.
- Configure a GRE interface.
- Configure a security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the Fortinet firewall.
- Configure a route to divert traffic to the GRE interface.
- Configure the default route to the Internet.
Configuration Precautions
- On the HUAWEI firewall, the ACL is configured to define the source and destination addresses after GRE encapsulation. On the Fortinet firewall, the dst-subnet and src-subnet commands are run to define the source and destination addresses after GRE encapsulation.
- In the GRE interface configuration on the Fortinet firewall, you must bind the GRE interface to the tunnel interface and configure the security policy between the GRE interface and intranet interface.
Configuration Procedure
- Configure the HUAWEI firewall.
- Configure interfaces and assign them to security zones.
- Configure GE1/0/3 and assign it to the Untrust zone.
```
[HUAWEI] interface GigabitEthernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] ip address 1.1.1.1 24
[HUAWEI-GigabitEthernet1/0/3] quit
[HUAWEI] firewall zone untrust
[HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/3
[HUAWEI-zone-untrust] quit
```
- Configure GE1/0/5 and assign it to the Trust zone.
```
[HUAWEI] interface GigabitEthernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] ip address 192.168.10.1 24
[HUAWEI-GigabitEthernet1/0/5] quit
[HUAWEI] firewall zone trust
[HUAWEI-zone-trust] add interface GigabitEthernet 1/0/5
[HUAWEI-zone-trust] quit
```
- Configure a GRE interface and assign it to the Untrust zone.
```
[HUAWEI] interface Tunnel 1
[HUAWEI-Tunnel1] tunnel-protocol gre
[HUAWEI-Tunnel1] ip address 10.10.10.1 255.255.255.0
[HUAWEI-Tunnel1] source 1.1.1.1
[HUAWEI-Tunnel1] destination 2.2.2.2
[HUAWEI-Tunnel1] quit
[HUAWEI] firewall zone untrust
[HUAWEI-zone-untrust] add interface Tunnel 1
[HUAWEI-zone-untrust] quit
```
- When you configure the GRE interface, set source to 1.1.1.1 and destination to 2.2.2.2. This means that the public IP addresses of the outbound interfaces of the enterprise gateways at both ends are used for GRE encapsulation, so they are the same as the source and destination addresses in the outer IPSec packet header.
- You can also use private IP addresses in the GRE packet header. In this case, create a loopback interface, assign it a private IP address, and borrow that address for GRE encapsulation.
- Configure security policies.
- Configure Untrust-Trust interzone security policies.
Configure policy 1 so that the branch can access the headquarters and configure policy 2 so that the headquarters can access the branch.
```
[HUAWEI] security-policy
[HUAWEI-policy-security] rule name 1
[HUAWEI-policy-security-rule-1] source-zone untrust
[HUAWEI-policy-security-rule-1] destination-zone trust
[HUAWEI-policy-security-rule-1] source-address 192.168.0.0 24
[HUAWEI-policy-security-rule-1] destination-address 192.168.10.0 24
[HUAWEI-policy-security-rule-1] action permit
[HUAWEI-policy-security-rule-1] quit
[HUAWEI-policy-security] rule name 2
[HUAWEI-policy-security-rule-2] source-zone trust
[HUAWEI-policy-security-rule-2] destination-zone untrust
[HUAWEI-policy-security-rule-2] source-address 192.168.10.0 24
[HUAWEI-policy-security-rule-2] destination-address 192.168.0.0 24
[HUAWEI-policy-security-rule-2] action permit
[HUAWEI-policy-security-rule-2] quit
```
- Configure Local-Untrust interzone security policies.
Configure policy 3 so that the HUAWEI firewall can initiate a tunnel establishment request and configure policy 4 so that the HUAWEI firewall can receive a tunnel establishment request. The source and destination addresses are the public addresses of the outbound interfaces at both ends.
```
[HUAWEI-policy-security] rule name 3
[HUAWEI-policy-security-rule-3] source-zone local
[HUAWEI-policy-security-rule-3] destination-zone untrust
[HUAWEI-policy-security-rule-3] source-address 1.1.1.1 24
[HUAWEI-policy-security-rule-3] destination-address 2.2.2.2 24
[HUAWEI-policy-security-rule-3] action permit
[HUAWEI-policy-security-rule-3] quit
[HUAWEI-policy-security] rule name 4
[HUAWEI-policy-security-rule-4] source-zone untrust
[HUAWEI-policy-security-rule-4] destination-zone local
[HUAWEI-policy-security-rule-4] source-address 2.2.2.2 24
[HUAWEI-policy-security-rule-4] destination-address 1.1.1.1 24
[HUAWEI-policy-security-rule-4] action permit
[HUAWEI-policy-security-rule-4] quit
```
- Configure routes.
- Configure a static route to the branch to divert the traffic to the GRE interface.
```
[HUAWEI] ip route-static 192.168.0.0 255.255.255.0 tunnel 1
```
- Configure a default route to the Internet. In the example, the next-hop IP address is 1.1.1.2.
```
[HUAWEI] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
```
- Configure an ACL and define the source and destination addresses after GRE encapsulation.
Perform IPSec encapsulation for GRE-encapsulated packets with source address 1.1.1.1 and destination address 2.2.2.2.
```
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit ip source 1.1.1.1 0 destination 2.2.2.2 0
[HUAWEI-acl-adv-3000] quit
```
- In a GRE over IPSec scenario where a route is configured to divert traffic to the GRE interface, IPSec encapsulation shall be performed for GRE-encapsulated packets with source address 1.1.1.1 and destination address 2.2.2.2.
- Before the HUAWEI firewall initiates a negotiation request, it looks up the route to find the outbound interface and determine whether the traffic goes through the GRE tunnel, checks security policy 2 to determine whether the traffic is allowed to pass, and checks security policy 3 to determine whether it may initiate the GRE and IPSec tunnel negotiation. Only when all three checks pass does the HUAWEI firewall initiate the negotiation.
- When the HUAWEI firewall receives a negotiation request, it matches the peer against the ACL to establish the GRE tunnel and checks security policy 4 to determine whether to accept the negotiation. If the policy permits it, the HUAWEI firewall starts negotiating with the peer; otherwise, it discards the negotiation packet.
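The precaution above (the ACL and the Fortinet src-subnet/dst-subnet must name the addresses after GRE encapsulation) is easy to get wrong because the security policies on the same box match the intranet addresses. The following added example, which is not Huawei or Fortinet code, builds a GRE-encapsulated IPv4 packet in pure Python and evaluates it against the selectors from this page: acl 3000 matches the outer header, an ACL written for the intranet subnets does not, the decapsulated packet is what security policy 2 sees, and the Fortinet phase-2 selectors are checked to be the mirror image of the HUAWEI ACL. The PC addresses 192.168.10.10 and 192.168.0.10 are assumptions; only the tunnel endpoints and subnets come from the page.

```python
# Added example, not code from Huawei or Fortinet documentation. It shows why
# the IPSec selectors in a GRE over IPSec design must describe the *outer* GRE
# header (1.1.1.1 <-> 2.2.2.2) and not the intranet subnets, and checks that
# both sides' selectors mirror each other. Host addresses 192.168.10.10 (PC1)
# and 192.168.0.10 (PC2) are assumed; they are not given on the page.
import ipaddress
import struct

GRE_PROTOCOL = 47           # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800     # GRE protocol type for an IPv4 payload
IPV4_HDR = "!BBHHHBBH4s4s"  # minimal IPv4 header, 20 bytes, no options


def build_ipv4(src, dst, proto, payload):
    """Prefix payload with a minimal IPv4 header (checksum left at 0: constructed sample)."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(packet):
    """Return (src, dst, proto, payload) of an IPv4 packet."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, packet[ihl:total_len])


def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Wrap an IP packet in a basic GRE header (RFC 2784, no optional fields) plus an outer IPv4 header."""
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version = 0, protocol type = IPv4
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTOCOL, gre_header + inner)


def gre_decapsulate(packet):
    """Strip the outer IPv4 and GRE headers; the result is what the security policy then inspects."""
    _, _, proto, payload = parse_ipv4(packet)
    if proto != GRE_PROTOCOL:
        raise ValueError("outer header is not GRE")
    flags, ptype = struct.unpack("!HH", payload[:4])
    if flags & 0xB000:  # C, K or S bit set: header is longer than 4 bytes, not handled here
        raise ValueError("optional GRE fields are not supported by this example")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    return payload[4:]


def acl_matches(rule, packet):
    """Evaluate a (src_network, dst_network) selector against the packet's own IP header."""
    src, dst, _, _ = parse_ipv4(packet)
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule[0])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule[1]))


def selectors_mirror(local, peer):
    """True when the peer's (src, dst) selector is the reverse of the local one, as phase 2 requires."""
    return (ipaddress.ip_network(local[0]) == ipaddress.ip_network(peer[1])
            and ipaddress.ip_network(local[1]) == ipaddress.ip_network(peer[0]))


# Selectors taken from this page
HUAWEI_ACL_3000 = ("1.1.1.1/32", "2.2.2.2/32")        # rule permit ip source 1.1.1.1 0 destination 2.2.2.2 0
FORTINET_PHASE2 = ("2.2.2.2/32", "1.1.1.1/32")        # set src-subnet 2.2.2.2 ... / set dst-subnet 1.1.1.1 ...
INTRANET_ACL = ("192.168.10.0/24", "192.168.0.0/24")  # tempting, but wrong for GRE over IPSec

# Constructed sample: an ICMP echo request from PC1 to PC2, then GRE-encapsulated by Tunnel 1
INNER = build_ipv4("192.168.10.10", "192.168.0.10", 1, b"\x08\x00" + b"\x00" * 6)
OUTER = gre_encapsulate(INNER, "1.1.1.1", "2.2.2.2")


def demo():
    """The checks a practitioner would run before blaming IKE for a failed phase 2."""
    return {
        "outer_header_is_gre": parse_ipv4(OUTER)[2] == GRE_PROTOCOL,
        "acl_3000_selects_gre_packet": acl_matches(HUAWEI_ACL_3000, OUTER),
        "intranet_acl_selects_gre_packet": acl_matches(INTRANET_ACL, OUTER),
        "policy_2_sees_intranet_addresses": parse_ipv4(gre_decapsulate(OUTER))[:2]
                                            == ("192.168.10.10", "192.168.0.10"),
        "fortinet_selectors_mirror_acl": selectors_mirror(HUAWEI_ACL_3000, FORTINET_PHASE2),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two results worth remembering are that the intranet-subnet ACL never matches the GRE-encapsulated packet, so such an ACL would leave the tunnel traffic unprotected, and that swapping src-subnet and dst-subnet on the Fortinet side makes `selectors_mirror` fail, which is the same selector mismatch that stops phase 2 from completing.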
- Configure an IKE SA.
- Configure an IKE proposal and specify the encryption algorithm, authentication algorithm, and DH group.
```
[HUAWEI] ike proposal 1
[HUAWEI-ike-proposal-1] encryption-algorithm 3des
[HUAWEI-ike-proposal-1] authentication-algorithm sha1
[HUAWEI-ike-proposal-1] dh group2
[HUAWEI-ike-proposal-1] quit
```
- Configure an IKE peer and specify the negotiation mode, IKE version, pre-shared key, and peer address.
```
[HUAWEI] ike peer Fortigate
[HUAWEI-ike-peer-Fortigate] exchange-mode main
[HUAWEI-ike-peer-Fortigate] undo version 2
[HUAWEI-ike-peer-Fortigate] ike-proposal 1
[HUAWEI-ike-peer-Fortigate] pre-shared-key Key@123
[HUAWEI-ike-peer-Fortigate] remote-address 2.2.2.2
[HUAWEI-ike-peer-Fortigate] quit
```
- Configure an IPSec proposal and specify the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm.
```
[HUAWEI] ipsec proposal tran1
[HUAWEI-ipsec-proposal-tran1] transform esp
[HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm 3des
[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1
[HUAWEI-ipsec-proposal-tran1] quit
```
- Configure an IPSec policy, specify the policy name, and associate it with the IKE peer, IPSec proposal, and ACL.
```
[HUAWEI] ipsec policy map1 1 isakmp
[HUAWEI-ipsec-policy-isakmp-map1-1] ike-peer Fortigate
[HUAWEI-ipsec-policy-isakmp-map1-1] proposal tran1
[HUAWEI-ipsec-policy-isakmp-map1-1] security acl 3000
[HUAWEI-ipsec-policy-isakmp-map1-1] quit
```
- Apply the IPSec policy to the interface.
```
[HUAWEI] interface GigabitEthernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] ipsec policy map1
[HUAWEI-GigabitEthernet1/0/3] quit
```
- Configure the Fortinet firewall.
- Configure physical interfaces.
- Configure port03.
```
Fortigate # config system interface
Fortigate (interface) # edit port03
Fortigate (port03) # set ip 2.2.2.2/24
Fortigate (port03) # set allowaccess ping https ssh snmp http telnet
Fortigate (port03) # end
```
- Configure port10.
```
Fortigate # config system interface
Fortigate (interface) # edit port10
Fortigate (port10) # set ip 192.168.0.1/24
Fortigate (port10) # set allowaccess ping https ssh snmp http telnet
Fortigate (port10) # end
```
On the Fortinet firewall, security policies can reference physical interfaces directly, so the interfaces do not have to be assigned to security zones. You can, of course, also assign them to security zones and write the security policies between zones instead.
- Configure an IKE SA and specify its name, bound interface, negotiation mode, encryption algorithm, authentication algorithm, pre-shared key, peer address, and DH group.
```
Fortigate # config vpn ipsec phase1-interface
Fortigate (phase1-interface) # edit firewall
new entry 'firewall' added
Fortigate (firewall) # set interface port03
Fortigate (firewall) # set mode main
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set psksecret Key@123
Fortigate (firewall) # set remote-gw 1.1.1.1
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # end
```
- The Fortinet firewall provides no command for setting the IKE version; it uses IKEv1 by default.
- The set interface command binds the IKE SA to the specified port, which is equivalent to applying the IPSec policy to an interface on the HUAWEI firewall.
- The set proposal 3des-sha1 command sets the encryption algorithm (3des) and authentication algorithm (sha1) of the IKE SA.
- Configure an IPSec SA and specify its name, bound IKE SA, encryption algorithm, authentication algorithm, and DH group.
```
Fortigate # config vpn ipsec phase2-interface
Fortigate (phase2-interface) # edit firewall
new entry 'firewall' added
Fortigate (firewall) # set phase1name firewall
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set dst-subnet 1.1.1.1 255.255.255.255
Fortigate (firewall) # set src-subnet 2.2.2.2 255.255.255.255
Fortigate (firewall) # end
```
- The dst-subnet and src-subnet commands define the source and destination addresses after GRE encapsulation, that is, the tunnel endpoints rather than the intranet subnets.
- The Fortinet firewall provides no command for setting the encapsulation mode or security protocol; it uses tunnel mode and ESP by default.
- The set phase1name command specifies the IKE SA referenced by the IPSec SA.
- The set proposal 3des-sha1 command sets the encryption algorithm (3des) and authentication algorithm (sha1) of the IPSec SA.
- Configure a tunnel interface and assign it to the Untrust zone.
```
Fortigate # config system interface
Fortigate (interface) # edit firewall
Fortigate (firewall) # set ip 2.2.2.2 255.255.255.255
Fortigate (firewall) # set remote-ip 1.1.1.1
Fortigate (firewall) # end
Fortigate # config system zone
Fortigate (zone) # edit untrust
Fortigate (untrust) # set interface firewall
Fortigate (untrust) # end
```
- In a GRE over IPSec scenario, you must set both the IP address and the tunnel peer IP address of the tunnel interface. Otherwise, tunnel negotiation fails.
- Once the IKE SA is configured, the device automatically creates a tunnel interface with the same name as the IKE SA (here, firewall); protected traffic passes through this interface.
- On the Fortinet firewall, you must assign the tunnel interface to a security zone and then configure security policies for that zone.
- Configure a GRE interface.
```
Fortigate # config system gre-tunnel
Fortigate (gre-tunnel) # edit gre1
Fortigate (gre1) # set interface firewall
Fortigate (gre1) # set local-gw 2.2.2.2
Fortigate (gre1) # set remote-gw 1.1.1.1
Fortigate (gre1) # end
```
- The set interface command binds the GRE interface to the existing tunnel interface. Without this binding, tunnel negotiation fails.
- The set local-gw and set remote-gw commands specify the local and peer GRE endpoint addresses.
- Configure security policies.
- Configure a security policy between port03 and port10.
Configure policy 66 so that the headquarters can properly access the branch and configure policy 99 so that the branch can properly access the headquarters.
```
Fortigate # config firewall policy
Fortigate (policy) # edit 66
Fortigate (66) # set srcintf port03
Fortigate (66) # set dstintf port10
Fortigate (66) # set srcaddr all
Fortigate (66) # set dstaddr all
Fortigate (66) # set action accept
Fortigate (66) # set schedule always
Fortigate (66) # set service ANY
Fortigate (66) # end
Fortigate # config firewall policy
Fortigate (policy) # edit 99
Fortigate (99) # set srcintf port10
Fortigate (99) # set dstintf port03
Fortigate (99) # set srcaddr all
Fortigate (99) # set dstaddr all
Fortigate (99) # set action accept
Fortigate (99) # set schedule always
Fortigate (99) # set service ANY
Fortigate (99) # end
```
- Configure a security policy between the Untrust zone and port10, namely, between the tunnel interface and port10.
Configure policy 96 to ensure that the traffic passing through the tunnel interface can enter the branch intranet and configure policy 76 to ensure that the traffic passing through the tunnel interface can be transparently transmitted to the extranet.
```
Fortigate # config firewall policy
Fortigate (policy) # edit 96
Fortigate (96) # set srcintf untrust
Fortigate (96) # set dstintf port10
Fortigate (96) # set srcaddr all
Fortigate (96) # set dstaddr all
Fortigate (96) # set action accept
Fortigate (96) # set schedule always
Fortigate (96) # set service ANY
Fortigate (96) # end
Fortigate # config firewall policy
Fortigate (policy) # edit 76
Fortigate (76) # set srcintf port10
Fortigate (76) # set dstintf untrust
Fortigate (76) # set srcaddr all
Fortigate (76) # set dstaddr all
Fortigate (76) # set action accept
Fortigate (76) # set schedule always
Fortigate (76) # set service ANY
Fortigate (76) # end
```
- Configure a security policy between the GRE interface and port10.
```
Fortigate # config firewall policy
Fortigate (policy) # edit 91
Fortigate (91) # set srcintf gre1
Fortigate (91) # set dstintf port10
Fortigate (91) # set srcaddr all
Fortigate (91) # set dstaddr all
Fortigate (91) # set action accept
Fortigate (91) # set schedule always
Fortigate (91) # set service ANY
Fortigate (91) # end
Fortigate # config firewall policy
Fortigate (policy) # edit 90
Fortigate (90) # set srcintf port10
Fortigate (90) # set dstintf gre1
Fortigate (90) # set srcaddr all
Fortigate (90) # set dstaddr all
Fortigate (90) # set action accept
Fortigate (90) # set schedule always
Fortigate (90) # set service ANY
Fortigate (90) # end
```
- On the Fortinet firewall, you do not need to configure the security policy between the Untrust and Local zones.
- Although the GRE interface is bound to the tunnel interface, you still need a security policy between the GRE interface and port10. Without it, traffic passing through the GRE interface may be dropped instead of forwarded.
- Configure routes.
- Configure a static route to divert the traffic to the GRE interface.
```
Fortigate # config router static
Fortigate (static) # edit 99
Fortigate (99) # set device gre1
Fortigate (99) # set dst 192.168.10.0 255.255.255.0
Fortigate (99) # end
```
- Configure a default route to the Internet through port03, with the next hop 2.2.2.3.
```
Fortigate # config router static
Fortigate (static) # edit 33
Fortigate (33) # set dst 0.0.0.0 0.0.0.0
Fortigate (33) # set gateway 2.2.2.3
Fortigate (33) # set device port03
Fortigate (33) # end
```
Verification
- Verify whether the headquarters can proactively initiate an IPSec tunnel with the branch.
- Ping PC2 on the branch network from PC1 at the headquarters.
- On the HUAWEI firewall at the headquarters, run the display ike sa command. If the following information is displayed, the IKE SA is successfully established.
```
<HUAWEI> display ike sa
current ike sa number: 2
--------------------------------------------------------------------------------------------------
  conn-id    peer            flag        phase    vpn
--------------------------------------------------------------------------------------------------
  162        2.2.2.2         RD|A        v1:2     public
  161        2.2.2.2         RD|A        v1:1     public

  flag meaning
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT   TD--DELETING
  NEG--NEGOTIATING   D--DPD   M--ACTIVE   S--STANDBY   A--ALONE
```
- On the HUAWEI firewall at the headquarters, run the display ipsec sa command. If the following information is displayed, the IPSec SA is successfully established.
```
<HUAWEI> display ipsec sa
===============================
Interface: GigabitEthernet1/0/3
 path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "map1"
  sequence number: 1
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 162
    rule number: 10
    encapsulation mode: tunnel
    holding time: 0d 0h 2m 25s
    tunnel local : 1.1.1.1    tunnel remote: 2.2.2.2
    flow source: 1.1.1.1/255.255.255.255 0/0
    flow destination: 1.1.1.2/255.255.255.255 0/0

    [inbound ESP SAs]
      spi: 3454630828 (0xcde97bac)
      vpn: public  said: 226  cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 200000000/1655
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 3708493491 (0xdd0b1eb3)
      vpn: public  said: 227  cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 200000000/1655
      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N
```
- Log in to the web UI of the branch Fortinet firewall to check the IPSec tunnel establishment.
- If the tunnel status is displayed as a green upward arrow, the IPSec tunnel is successfully established.
- Alternatively, run the get ipsec tunnel list command on the branch Fortinet firewall to check the IPSec tunnel. If the status is up, the IPSec tunnel is successfully established.
- Verify whether the branch can proactively initiate an IPSec tunnel with the headquarters.
- On the HUAWEI firewall at the headquarters, run the reset ike sa command to disconnect the IPSec tunnel.
- Ping PC1 on the headquarters network from PC2 at the branch and use the preceding method to verify that the IPSec tunnel is re-established, this time initiated by the branch.
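The verification step above reads the display ike sa output by eye, checking that a v1:1 (phase 1) and a v1:2 (phase 2) entry for peer 2.2.2.2 both carry the RD flag. The following added example, which is not Huawei code, turns that check into a small parser so it can be run from a monitoring script over captured CLI output. The first sample is the page's own output; the second is constructed to show a phase 2 still in NEG state, which the parser reports as the missing phase. The entry numbers in the second sample are invented.

```python
# Added example, not Huawei code: parse "display ike sa" output and decide
# whether the IKE SA pair to a peer is fully READY. Samples are constructed
# from the output shown on this page.
import re

# Matches an SA row such as "  162        2.2.2.2         RD|A        v1:2     public"
SA_LINE = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<peer>\S+)\s+(?P<flags>\S+)\s+"
    r"v(?P<ver>\d):(?P<phase>\d)\s+(?P<vpn>\S+)\s*$"
)


def parse_ike_sa(text):
    """Return one dict per SA row; header, separator and flag-legend lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            entries.append({
                "conn_id": int(m["conn"]),
                "peer": m["peer"],
                "flags": m["flags"].split("|"),   # e.g. ["RD", "A"]
                "ike_version": int(m["ver"]),
                "phase": int(m["phase"]),
                "vpn": m["vpn"],
            })
    return entries


def ready_phases(entries, peer):
    """Set of phases (1 and/or 2) to this peer whose SA carries the RD (READY) flag."""
    return {e["phase"] for e in entries if e["peer"] == peer and "RD" in e["flags"]}


def tunnel_ready(entries, peer):
    """True only when both the IKE SA (phase 1) and the IPSec SA (phase 2) to the peer are READY."""
    return {1, 2} <= ready_phases(entries, peer)


def missing_phases(entries, peer):
    """Which of the two phases is not READY; useful as the first triage step."""
    return sorted({1, 2} - ready_phases(entries, peer))


# Sample 1: the output shown on this page after PC1 pings PC2.
SAMPLE_UP = """current ike sa number: 2
--------------------------------------------------------------------
  conn-id    peer            flag        phase    vpn
--------------------------------------------------------------------
  162        2.2.2.2         RD|A        v1:2     public
  161        2.2.2.2         RD|A        v1:1     public

  flag meaning
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  TD--DELETING   NEG--NEGOTIATING   D--DPD   M--ACTIVE   S--STANDBY   A--ALONE
"""

# Sample 2 (constructed, conn-ids invented): phase 1 is up but phase 2 is still
# negotiating, the typical picture when the ACL and the peer's selectors disagree.
SAMPLE_PHASE2_NEGOTIATING = """current ike sa number: 2
--------------------------------------------------------------------
  conn-id    peer            flag        phase    vpn
--------------------------------------------------------------------
  170        2.2.2.2         NEG|A       v1:2     public
  169        2.2.2.2         RD|A        v1:1     public
"""


if __name__ == "__main__":
    for label, sample in (("page output", SAMPLE_UP), ("phase 2 negotiating", SAMPLE_PHASE2_NEGOTIATING)):
        sas = parse_ike_sa(sample)
        print(f"{label}: ready={tunnel_ready(sas, '2.2.2.2')} missing={missing_phases(sas, '2.2.2.2')}")
```

Only the RD flag counts as established; an entry whose flags contain NEG, TO or TD is present in the table but must not be treated as a working tunnel, which is why the check is on the flag and not merely on the row existing.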
Configuration Files
```
#
 sysname HUAWEI
#
interface GigabitEthernet 1/0/3
 ip address 1.1.1.1 24
 ipsec policy map1
#
interface GigabitEthernet 1/0/5
 ip address 192.168.10.1 24
#
interface Tunnel 1
 tunnel-protocol gre
 ip address 10.10.10.1 255.255.255.0
 source 1.1.1.1
 destination 2.2.2.2
#
firewall zone untrust
 add interface GigabitEthernet 1/0/3
 add interface Tunnel 1
#
firewall zone trust
 add interface GigabitEthernet 1/0/5
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 192.168.0.0 24
  destination-address 192.168.10.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 24
  destination-address 192.168.0.0 24
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 24
  destination-address 2.2.2.2 24
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 2.2.2.2 24
  destination-address 1.1.1.1 24
  action permit
#
ip route-static 192.168.0.0 255.255.255.0 tunnel 1
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
acl 3000
 rule permit ip source 1.1.1.1 0 destination 2.2.2.2 0
#
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
#
ike peer Fortigate
 exchange-mode main
 undo version 2
 ike-proposal 1
 pre-shared-key Key@123
 remote-address 2.2.2.2
#
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
#
ipsec policy map1 1 isakmp
 ike-peer Fortigate
 proposal tran1
 security acl 3000
#
return
```