Establishing IPSec Tunnels in ISAKMP Mode Between HUAWEI Firewalls and HUAWEI AR Routers
Networking Requirements
As shown in Figure 1, the headquarters accesses the Internet through a HUAWEI firewall and the branch through a HUAWEI AR router. The enterprise requires an IPSec tunnel between the HUAWEI firewall and the HUAWEI AR router so that the headquarters and the branch can communicate.
Data Plan
| Configuration Item | | HUAWEI USG Firewall | HUAWEI AR Router |
|---|---|---|---|
| IPSec proposal | Encapsulation mode | Tunnel mode | Tunnel mode |
| | Security protocol | ESP | ESP |
| | ESP authentication algorithm | SHA2-256 | SHA2-256 |
| | ESP encryption algorithm | AES-128 | AES-128 |
| IKE proposal | Encryption algorithm | AES-128 | AES-128 |
| | Authentication algorithm | SHA2-256 | SHA2-256 |
| | DH group | GROUP2 | GROUP2 |
| IKE peer | Negotiation mode | Main mode | Main mode |
| | Pre-shared key | Key123 | Key123 |
| | Identity type | IP address | IP address |
| | IKE version | V1 | V1 |
Configuration Roadmap
- Configure the HUAWEI firewall:
- Set IP addresses for interfaces and assign the interfaces to security zones.
- Configure the default route from the HUAWEI firewall to the Internet.
- Configure interzone security policies that allow IKE negotiation packets (Local-Untrust) and the cleartext service packets before encapsulation and after decapsulation (Trust-Untrust) to pass through the HUAWEI firewall.
- Configure an IPSec policy, including defining the data flow to be protected, configuring an IPSec proposal, creating an IKE proposal, and configuring an IKE peer.
- Apply the IPSec policy to an interface.
- Configure the HUAWEI AR:
- Set IP addresses for interfaces.
- Configure a default route from the HUAWEI AR to the Internet.
- Configure an IPSec policy, including defining the data flow to be protected, configuring an IPSec proposal, creating an IKE proposal, and configuring an IKE peer.
- Apply the IPSec policy to an interface.
Configuration Precautions
- In this example, identity authentication uses the default identity type (IP address) and the default authentication method (pre-shared key). The defaults can be relied on here because they are the same on HUAWEI firewalls and ARs, but this does not hold for every parameter. For example, the default DH group on a HUAWEI firewall is Group 2, while the default on a HUAWEI AR is Group 1. If you are not sure what a default is, set the value explicitly on both ends, as this example does for the DH group.
- The IKE proposal and the IPSec proposal on both ends must use the same authentication and encryption algorithms (and, for IKE, the same DH group). Otherwise, tunnel negotiation fails.
- Key123 is a placeholder; use a long, random pre-shared key in production. DH group 2 (1024-bit MODP) and IKEv1 are shown here for interoperability; where both devices support it, prefer a stronger group such as group 14.
Configuration Procedure
- Configure the HUAWEI firewall.
- Set IP addresses for interfaces and assign them to security zones.
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface GigabitEthernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] ip address 1.1.3.1 24
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] firewall zone trust
[HUAWEI-zone-trust] add interface GigabitEthernet 1/0/1
[HUAWEI-zone-trust] quit
[HUAWEI] firewall zone untrust
[HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/2
[HUAWEI-zone-untrust] quit
- Configure a default route from the HUAWEI firewall to the Internet. In the example, the next-hop IP address is 1.1.3.2.
[HUAWEI] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
- Configure interzone security policies.
- Configure security policies for the Trust-Untrust interzone to allow the unencapsulated and decapsulated packets to pass through the HUAWEI firewall.
[HUAWEI] security-policy
[HUAWEI-policy-security] rule name 1
[HUAWEI-policy-security-rule-1] source-zone untrust
[HUAWEI-policy-security-rule-1] destination-zone trust
[HUAWEI-policy-security-rule-1] source-address 10.1.3.0 24
[HUAWEI-policy-security-rule-1] destination-address 10.1.1.0 24
[HUAWEI-policy-security-rule-1] action permit
[HUAWEI-policy-security-rule-1] quit
[HUAWEI-policy-security] rule name 2
[HUAWEI-policy-security-rule-2] source-zone trust
[HUAWEI-policy-security-rule-2] destination-zone untrust
[HUAWEI-policy-security-rule-2] source-address 10.1.1.0 24
[HUAWEI-policy-security-rule-2] destination-address 10.1.3.0 24
[HUAWEI-policy-security-rule-2] action permit
[HUAWEI-policy-security-rule-2] quit
- Configure security policies for the Local-Untrust interzone to allow IKE negotiation packets to pass through the HUAWEI firewall.
[HUAWEI-policy-security] rule name 3
[HUAWEI-policy-security-rule-3] source-zone local
[HUAWEI-policy-security-rule-3] destination-zone untrust
[HUAWEI-policy-security-rule-3] source-address 1.1.3.1 32
[HUAWEI-policy-security-rule-3] destination-address 1.1.5.1 32
[HUAWEI-policy-security-rule-3] action permit
[HUAWEI-policy-security-rule-3] quit
[HUAWEI-policy-security] rule name 4
[HUAWEI-policy-security-rule-4] source-zone untrust
[HUAWEI-policy-security-rule-4] destination-zone local
[HUAWEI-policy-security-rule-4] source-address 1.1.5.1 32
[HUAWEI-policy-security-rule-4] destination-address 1.1.3.1 32
[HUAWEI-policy-security-rule-4] action permit
[HUAWEI-policy-security-rule-4] quit
- Configure an IPSec policy.
- Configure an ACL to define the data flow to be protected.
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[HUAWEI-acl-adv-3000] quit
- Configure an IPSec proposal.
[HUAWEI] ipsec proposal tran1
[HUAWEI-ipsec-proposal-tran1] transform esp
[HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[HUAWEI-ipsec-proposal-tran1] quit
- Create an IKE proposal.
[HUAWEI] ike proposal 1
[HUAWEI-ike-proposal-1] encryption-algorithm aes-128
[HUAWEI-ike-proposal-1] authentication-algorithm sha2-256
[HUAWEI-ike-proposal-1] dh group2
[HUAWEI-ike-proposal-1] quit
- Configure an IKE peer.
[HUAWEI] ike peer ar
[HUAWEI-ike-peer-ar] undo version 2
[HUAWEI-ike-peer-ar] exchange-mode main
[HUAWEI-ike-peer-ar] ike-proposal 1
[HUAWEI-ike-peer-ar] pre-shared-key Key123
[HUAWEI-ike-peer-ar] remote-address 1.1.5.1
[HUAWEI-ike-peer-ar] quit
- Configure an IPSec policy.
[HUAWEI] ipsec policy map1 1 isakmp
[HUAWEI-ipsec-policy-isakmp-map1-1] ike-peer ar
[HUAWEI-ipsec-policy-isakmp-map1-1] proposal tran1
[HUAWEI-ipsec-policy-isakmp-map1-1] security acl 3000
[HUAWEI-ipsec-policy-isakmp-map1-1] quit
- Apply the IPSec policy to interface GigabitEthernet 1/0/2.
[HUAWEI] interface GigabitEthernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] ipsec policy map1
[HUAWEI-GigabitEthernet1/0/2] quit
- Configure the HUAWEI AR router.
- Set interface IP addresses for the AR.
[AR] interface GigabitEthernet 0/0/1
[AR-GigabitEthernet0/0/1] ip address 10.1.3.1 24
[AR-GigabitEthernet0/0/1] quit
[AR] interface GigabitEthernet 0/0/2
[AR-GigabitEthernet0/0/2] ip address 1.1.5.1 24
[AR-GigabitEthernet0/0/2] quit
- Configure a default route from the HUAWEI AR router to the Internet. In the example, the next-hop IP address is 1.1.5.2.
[AR] ip route-static 0.0.0.0 0.0.0.0 1.1.5.2
- Configure an IPSec policy.
- Configure an ACL to define the data flow to be protected.
[AR] acl 3000
[AR-acl-adv-3000] rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[AR-acl-adv-3000] quit
- Configure an IPSec proposal.
[AR] ipsec proposal tran1
[AR-ipsec-proposal-tran1] transform esp
[AR-ipsec-proposal-tran1] encapsulation-mode tunnel
[AR-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[AR-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[AR-ipsec-proposal-tran1] quit
- Create an IKE proposal.
[AR] ike proposal 1
[AR-ike-proposal-1] encryption-algorithm aes-cbc-128
[AR-ike-proposal-1] authentication-algorithm sha2-256
[AR-ike-proposal-1] dh group2
[AR-ike-proposal-1] quit
- Configure an IKE peer.
[AR] ike peer firewall v1
[AR-ike-peer-firewall] exchange-mode main
[AR-ike-peer-firewall] ike-proposal 1
[AR-ike-peer-firewall] pre-shared-key cipher Key123
[AR-ike-peer-firewall] remote-address 1.1.3.1
[AR-ike-peer-firewall] quit
The v1 parameter on the ike peer command indicates that IKEv1 is used for negotiation; it corresponds to undo version 2 on the firewall side.
- Configure an ISAKMP IPSec policy.
[AR] ipsec policy map1 1 isakmp
[AR-ipsec-policy-isakmp-map1-1] ike-peer firewall
[AR-ipsec-policy-isakmp-map1-1] proposal tran1
[AR-ipsec-policy-isakmp-map1-1] security acl 3000
[AR-ipsec-policy-isakmp-map1-1] quit
- Apply the IPSec policy to interface GigabitEthernet 0/0/2.
[AR] interface GigabitEthernet 0/0/2
[AR-GigabitEthernet0/0/2] ipsec policy map1
[AR-GigabitEthernet0/0/2] quit
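Most failed interconnections come down to one parameter that differs between the two ends, or to an ACL that is not the mirror image of its peer. The following script, an added example rather than Huawei code, reduces the two configurations from the procedure above to the parameters that must agree and reports every mismatch. The two fragments are constructed from the page's configuration; the AR's ESP authentication algorithm is deliberately changed to sha1 so the check has something to report. The parser understands only the keywords used on this page, and treating the AR's aes-cbc-128 as equal to the firewall's aes-128 is an assumption based on the data plan, where both are AES-128.

```python
"""Cross-check the IKE and IPSec parameters of two Huawei-style config fragments.

Added example, not Huawei code. The parser knows only the keywords that appear
in the configuration procedure on this page; the fragments are constructed from
that procedure, with one deliberate defect (the AR's ESP authentication
algorithm is sha1 instead of sha2-256) so that the check has something to report.
"""

# Constructed from the page's firewall configuration (IPSec-relevant part only).
FIREWALL_CFG = """\
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 1
 encryption-algorithm aes-128
 authentication-algorithm sha2-256
 dh group2
ike peer ar
 undo version 2
 exchange-mode main
 ike-proposal 1
 pre-shared-key Key123
 remote-address 1.1.5.1
acl 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
"""

# Constructed from the page's AR configuration, with the ESP authentication
# algorithm changed to sha1 to show what a mismatch report looks like.
AR_CFG = """\
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm sha2-256
 dh group2
ike peer firewall v1
 exchange-mode main
 ike-proposal 1
 pre-shared-key cipher Key123
 remote-address 1.1.3.1
acl 3000
 rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
"""

# Assumption: the AR spells the IKE AES-CBC transform with an explicit mode;
# normalise it to the USG spelling so the two ends can be compared.
ALIASES = {"aes-cbc-128": "aes-128", "aes-cbc-192": "aes-192", "aes-cbc-256": "aes-256"}

# Parameters that must be identical on both ends for phase 1 and phase 2 to succeed.
MUST_MATCH = ["transform", "encap", "esp_auth", "esp_enc",
              "ike_enc", "ike_auth", "dh", "mode", "psk", "ike_version"]


def parse(cfg):
    """Reduce a config fragment to the parameters compared by check()."""
    p = {"ike_version": "v1"}  # assumption: IKEv1 unless 'v2' is given on the ike peer line
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["ike", "peer"]:
            p["ike_version"] = "v2" if "v2" in w[3:] else "v1"
        elif w[:2] == ["undo", "version"]:
            p["ike_version"] = "v1" if w[2] == "2" else "v2"  # 'undo version 2' leaves IKEv1
        elif w[:2] == ["esp", "authentication-algorithm"]:
            p["esp_auth"] = w[2]
        elif w[:2] == ["esp", "encryption-algorithm"]:
            p["esp_enc"] = ALIASES.get(w[2], w[2])
        elif w[0] == "transform":
            p["transform"] = w[1]
        elif w[0] == "encapsulation-mode":
            p["encap"] = w[1]
        elif w[0] == "encryption-algorithm":
            p["ike_enc"] = ALIASES.get(w[1], w[1])
        elif w[0] == "authentication-algorithm":
            p["ike_auth"] = w[1]
        elif w[0] == "dh":
            p["dh"] = w[1]
        elif w[0] == "exchange-mode":
            p["mode"] = w[1]
        elif w[0] == "pre-shared-key":
            p["psk"] = w[-1]  # 'pre-shared-key [cipher] KEY': the key is the last word
        elif w[0] == "remote-address":
            p["remote"] = w[1]
        elif w[:2] == ["rule", "permit"] and "source" in w and "destination" in w:
            p["flow"] = (w[w.index("source") + 1], w[w.index("destination") + 1])
    return p


def check(local_cfg, remote_cfg, local_ip, remote_ip):
    """Return the mismatches that would stop the tunnel from coming up.

    local_ip and remote_ip are the addresses of the interfaces carrying the IPSec policy.
    """
    a, b = parse(local_cfg), parse(remote_cfg)
    problems = [f"{k}: {a.get(k)} != {b.get(k)}" for k in MUST_MATCH if a.get(k) != b.get(k)]
    if a.get("remote") != remote_ip or b.get("remote") != local_ip:
        problems.append("remote-address does not point at the peer's tunnel interface")
    # Phase 2 fails unless each end's ACL is the mirror image of the other's.
    if a.get("flow") != tuple(reversed(b.get("flow", ()))):
        problems.append("security ACLs are not mirror images of each other")
    return problems


if __name__ == "__main__":
    for problem in check(FIREWALL_CFG, AR_CFG, "1.1.3.1", "1.1.5.1"):
        print("mismatch:", problem)
```

The pre-shared key comparison only works on the keys as typed: a device's display current-configuration shows the AR key in cipher form, so feed the script the configuration you intend to enter, not the stored one.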
Verification
- Ping a user on the headquarters network from the branch network.
- Normally, the data flow from the branch to the HQ triggers the establishment of an IPSec tunnel between the HUAWEI firewall and HUAWEI AR. On the HUAWEI firewall, check whether an IKE SA is established. If the following information is displayed, an IKE SA has been established.
<HUAWEI> display ike sa
current ike sa number: 2
----------------------------------------------------------------------------------------------------
conn-id    peer            flag          phase    vpn
----------------------------------------------------------------------------------------------------
179        1.1.5.1         RD|ST|A       v1:2     public
178        1.1.5.1         RD|ST|D|A     v1:1     public

flag meaning
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT   TD--DELETING   NEG--NEGOTIATING
D--DPD   M--ACTIVE   S--STANDBY   A--ALONE
- Run the display ipsec sa command to check whether an IPSec SA is established. If the following information is displayed, an IPSec SA is established.
<HUAWEI> display ipsec sa
===============================
Interface: GigabitEthernet1/0/2
 path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "map1"
  sequence number: 1
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 179
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 1m 53s
    tunnel local : 1.1.3.1
    tunnel remote: 1.1.5.1
    flow source: 10.1.1.0/255.255.255.0 0/0
    flow destination: 10.1.3.0/255.255.255.0 0/0

    [inbound ESP SAs]
      spi: 112877185 (0x6ba5e81)
      vpn: public  said: 36  cpuid: 0x0000
      proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
      sa remaining key duration (kilobytes/sec): 1843199/3487
      max received sequence-number: 17
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 1572321462 (0x5db7b8b6)
      vpn: public  said: 37  cpuid: 0x0000
      proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256
      sa remaining key duration (kilobytes/sec): 1843199/3487
      max sent sequence-number: 18
      udp encapsulation used for nat traversal: N
Configuration Files
#
 sysname HUAWEI
#
interface GigabitEthernet 1/0/1
 ip address 10.1.1.1 24
#
interface GigabitEthernet 1/0/2
 ip address 1.1.3.1 24
 ipsec policy map1
#
firewall zone trust
 add interface GigabitEthernet 1/0/1
#
firewall zone untrust
 add interface GigabitEthernet 1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 10.1.3.0 24
  destination-address 10.1.1.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  destination-address 10.1.3.0 24
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 1.1.3.1 32
  destination-address 1.1.5.1 32
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 1.1.5.1 32
  destination-address 1.1.3.1 32
  action permit
#
acl 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 1
 encryption-algorithm aes-128
 authentication-algorithm sha2-256
 dh group2
#
ike peer ar
 undo version 2
 exchange-mode main
 ike-proposal 1
 pre-shared-key Key123
 remote-address 1.1.5.1
#
ipsec policy map1 1 isakmp
 ike-peer ar
 proposal tran1
 security acl 3000
#
return
Check Whether Service Traffic is Transmitted Through the IPSec Tunnel
- Method 1: Check the max sent sequence-number field in the display ipsec sa output. This field is the ESP anti-replay sequence number; it increases by 1 for every packet sent through the IPSec SA, so the change in its value between two readings shows how many packets the tunnel carried. For example, if a branch user sends 5 ICMP packets to a headquarters user and the 5 packets traverse the tunnel, the sequence number in that tunnel's IPSec SA increases by 5. If it does not increase, or increases by a different count, the packets are not being sent through the IPSec tunnel or the tunnel is faulty.
- Method 2: Run the display ipsec statistics command and compare the input/output security packets counters between two readings. In the following output, input/output security packets: 3/3 shows that the device received 3 protected packets and sent 3.
<HUAWEI> display ipsec statistics
 the security packet statistics:
   input/output security packets: 3/3
   input/output security bytes: 252/252
   input/output dropped security packets: 0/0
 the encrypt packet statistics
   send sae:3, recv sae:3, send err:0
   local cpu:3, other cpu:0, recv other cpu:0
   intact packet:2, first slice:0, after slice:0
 the decrypt packet statistics
   send sae:3, recv sae:3, send err:0
   local cpu:0, other cpu:0, recv other cpu:0
   reass first slice:0, after slice:0, len err:0
 ....
The first service packet that triggers tunnel establishment is discarded, because the tunnel does not exist yet when it arrives. For example, if a branch user sends 10 ICMP packets to a headquarters user, display ipsec statistics shows only 9 forwarded packets.
Method 1 displays the packet changes of the specified tunnel, and method 2 displays global statistics on all IPSec tunnels on the device. If multiple tunnels exist on the device, you are advised to use method 1.
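Method 1 is tedious to apply by hand when a gateway terminates several tunnels. The script below, an added example and not Huawei code, parses two display ipsec sa snapshots and reports the sent and received sequence-number deltas per tunnel, which is the per-tunnel view that the global display ipsec statistics counters cannot give. The snapshots are constructed from the output format shown above and trimmed to the fields the check needs; the second tunnel (peer 1.1.6.1) and its SPIs are assumptions, added to show the per-tunnel behaviour. The scenario is the one from the text: a branch user sends 5 ICMP packets to the headquarters between the two snapshots, so on the headquarters gateway the first tunnel's received and sent counters both advance by 5.

```python
"""Per-tunnel traffic check from two 'display ipsec sa' snapshots (method 1 on this page).

Added example, not Huawei code. The snapshots are constructed from the output
format shown on the page and trimmed to the fields the check needs; the second
tunnel (peer 1.1.6.1) and its SPIs are assumptions used to show that the check
is per tunnel.
"""
import re

# Constructed snapshot taken before the branch user sends 5 ICMP packets.
BEFORE = """\
  IPSec policy name: "map1"
  sequence number: 1
    tunnel local : 1.1.3.1
    tunnel remote: 1.1.5.1
    [inbound ESP SAs]
      spi: 112877185 (0x6ba5e81)
      max received sequence-number: 17
    [outbound ESP SAs]
      spi: 1572321462 (0x5db7b8b6)
      max sent sequence-number: 18
  IPSec policy name: "map1"
  sequence number: 2
    tunnel local : 1.1.3.1
    tunnel remote: 1.1.6.1
    [inbound ESP SAs]
      spi: 305419896 (0x12345678)
      max received sequence-number: 40
    [outbound ESP SAs]
      spi: 2271560481 (0x87654321)
      max sent sequence-number: 41
"""

# Constructed snapshot taken afterwards: the first tunnel carried 5 requests in
# and 5 replies out; the second tunnel (assumed) carried nothing.
AFTER = BEFORE.replace("max received sequence-number: 17", "max received sequence-number: 22") \
              .replace("max sent sequence-number: 18", "max sent sequence-number: 23")


def parse_sa(text):
    """Map each tunnel's remote address to its ESP SPIs and sequence-number counters."""
    tunnels, cur, direction = {}, None, None
    for line in text.splitlines():
        if m := re.search(r"tunnel remote:\s*(\S+)", line):
            cur = tunnels.setdefault(m.group(1), {})
        elif cur is None:
            continue
        elif "[inbound ESP SAs]" in line:
            direction = "in"
        elif "[outbound ESP SAs]" in line:
            direction = "out"
        elif m := re.match(r"\s*spi:\s*(\d+)", line):
            cur["spi_" + direction] = int(m.group(1))
        elif m := re.match(r"\s*max received sequence-number:\s*(\d+)", line):
            cur["recv"] = int(m.group(1))
        elif m := re.match(r"\s*max sent sequence-number:\s*(\d+)", line):
            cur["sent"] = int(m.group(1))
    return tunnels


def traffic_deltas(before, after):
    """Per tunnel: (sent_delta, received_delta), or None when the SA was replaced.

    A changed SPI means the SA was rekeyed or re-established, and sequence
    numbers restart on a fresh SA, so the difference would be meaningless.
    """
    b, a = parse_sa(before), parse_sa(after)
    deltas = {}
    for peer, sa in a.items():
        old = b.get(peer)
        if old is None or old["spi_in"] != sa["spi_in"] or old["spi_out"] != sa["spi_out"]:
            deltas[peer] = None
        else:
            deltas[peer] = (sa["sent"] - old["sent"], sa["recv"] - old["recv"])
    return deltas


def pings_went_through(before, after, peer, count):
    """True if exactly `count` echo requests arrived from `peer` through the tunnel
    and `count` replies went back, as seen on the headquarters gateway."""
    return traffic_deltas(before, after).get(peer) == (count, count)


if __name__ == "__main__":
    for peer, delta in traffic_deltas(BEFORE, AFTER).items():
        print(peer, "rekeyed, no comparison" if delta is None else f"sent +{delta[0]}, received +{delta[1]}")
```

Take the first snapshot after the tunnel is already up: if the first ping is what triggers negotiation, that packet is dropped (as the text notes) and the received delta will be one short of the number of pings sent.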
Troubleshooting IPSec Tunnels
Because IPSec has many configuration parameters and steps, the tunnel may not be established after the configuration is complete. This section describes how to use the debugging commands to quickly locate a fault.
- Enable debugging.
<HUAWEI> terminal monitor
Info: Current terminal monitor is on
<HUAWEI> terminal debugging
Info: Current terminal debugging is on
<HUAWEI> debugging ike error
Note that debugging ike covers IKEv1 negotiation and debugging ikev2 covers IKEv2 negotiation; choose the one that matches the IKE version configured for the tunnel. Use only the error option, so that unrelated IPSec debugging output does not hide the message you are looking for.
- Run the ping command to trigger tunnel negotiation and read the debugging output. If the following message is displayed, the fault is in phase 1 of the IKE negotiation and the cause is an IKE proposal mismatch; compare the IKE proposals on the two gateways.
%%01IKE/4/WARNING(l): phase1: proposal mismatch, please check ike proposal configuration.
- If instead the following message is displayed, the fault is in phase 2 of the IKE negotiation and the cause is that the ACLs do not match; compare the ACLs on the two gateways. Each gateway's ACL must be the mirror image of the other's, with source and destination swapped.
%%01IKE/4/WARNING(l): phase2: security acl mismatch.