Huawei Firewall VPN Interoperation Configuration Guide

This document provides the guide for configuring a Huawei firewall to use VPN to communicate with a non-Huawei device.

Establishing an IPsec Tunnel Between USG12000 and USG6000E Series Firewalls Using Tunnel Interfaces

Networking Requirements

In Figure 1-59, the USG6000E series firewall is an enterprise HQ gateway, and the USG12000 series firewall is an enterprise branch gateway. Both the HQ and branch gateways use fixed IP addresses to access the Internet.

The enterprise requires an IPsec tunnel between the USG6000E and USG12000 series firewalls so that the branch and HQ communicate securely. In addition, all traffic protected by the IPsec tunnel must be routed through tunnel interfaces, so that it can be managed like traffic on any other interface (routes, zones, and security policies apply to the tunnel interface).

Figure 1-59 Establishing an IPsec tunnel between USG12000 and USG6000E series firewalls using tunnel interfaces

Data Plan

Item                              USG6000E Series Firewall   USG12000 Series Firewall
IPsec proposal
  Encapsulation mode              Tunnel mode                Tunnel mode
  Security protocol               ESP                        ESP
  ESP authentication algorithm    SHA2-256                   SHA2-256
  ESP encryption algorithm        AES-256                    AES-256
IKE proposal
  Authentication method           Pre-shared key             Pre-shared key
  Encryption algorithm            AES-256                    AES-256
  Authentication algorithm        SHA2-256                   SHA2-256
  DH group                        Group14                    Group14
IKE peer
  IKE version                     IKEv2                      IKEv2
  Pre-shared key                  YsHsjx_202206              YsHsjx_202206
  Identity type                   IP address                 IP address

Configuration Roadmap

  1. Configure IP addresses for interfaces and static routes to the peer end to ensure that there are reachable routes between both ends. Assign the interfaces, including the tunnel interfaces, to security zones and configure interzone security policies.
  2. Configure an IPsec proposal and define the traffic protection method.
  3. Configure an IKE proposal and define IKE negotiation parameters.
  4. Configure an IKE peer and define the attributes used for IKE negotiation.
  5. Configure an IPsec profile that binds the IPsec proposal and the IKE peer; with tunnel interfaces, the data flows to be protected are the ones routed into the tunnel interface.
  6. Apply the IPsec profile to the tunnel interface to enable IPsec protection.

Precautions

  • If both ends rely on default parameter settings to negotiate the IPsec tunnel, make sure the defaults are identical on both ends; otherwise the tunnel cannot be established. Defaults may differ between product series and software versions, so if you are uncertain, set the parameters explicitly, as this example does.
  • The MD5, SHA-1, DES, and 3DES algorithms pose security risks. Exercise caution when using them; this example uses SHA2-256 and AES-256 throughout.
  • The pre-shared key in the data plan is a sample value. Use a long, unique key for each peer and keep it out of shared documents. The device stores the key encrypted in the configuration file, but the value you typed is all an attacker needs to impersonate a peer.
  • Add the tunnel interface to a security zone (Untrust in this example). An interface that belongs to no security zone cannot forward traffic, so the Trust-Untrust security policies would never match the traffic entering the tunnel.
  • To use a ping test to check connectivity, run the service-manage ping permit command in the interface view so that the firewall interfaces themselves respond to ping. This setting governs ping addressed to the firewall; ping between the hosts behind the firewalls is controlled by the interzone security policies.

Procedure

  • Configure the USG6000E series firewall.
    1. Configure IP addresses for interfaces, assign interfaces to security zones, configure interzone security policies, and configure a static route to the peer end.

      # Configure IP addresses for interfaces and assign interfaces to security zones.

      <HUAWEI> system-view
      [HUAWEI] sysname DeviceA
      [DeviceA] interface gigabitethernet 0/0/1
      [DeviceA-GigabitEthernet0/0/1] ip address 1.1.1.1 255.255.255.0
      [DeviceA-GigabitEthernet0/0/1] quit
      [DeviceA] interface gigabitethernet 0/0/2
      [DeviceA-GigabitEthernet0/0/2] ip address 10.1.1.1 255.255.255.0
      [DeviceA-GigabitEthernet0/0/2] quit
      [DeviceA] interface tunnel 1
      [DeviceA-Tunnel1] ip address 10.2.1.1 255.255.255.0
      [DeviceA-Tunnel1] quit
      [DeviceA] firewall zone trust
      [DeviceA-zone-trust] add interface gigabitethernet 0/0/2
      [DeviceA-zone-trust] quit
      [DeviceA] firewall zone untrust
      [DeviceA-zone-untrust] add interface gigabitethernet 0/0/1
      [DeviceA-zone-untrust] add interface tunnel 1
      [DeviceA-zone-untrust] quit

      # Configure interzone security policies.

      # Configure security policies between the Untrust and Trust zones to ensure that the branch and HQ can communicate with each other.
      [DeviceA] security-policy
      [DeviceA-policy-security] rule name policy1
      [DeviceA-policy-security-rule-policy1] source-zone trust
      [DeviceA-policy-security-rule-policy1] destination-zone untrust
      [DeviceA-policy-security-rule-policy1] source-address 10.1.1.0 24
      [DeviceA-policy-security-rule-policy1] destination-address 10.1.2.0 24
      [DeviceA-policy-security-rule-policy1] action permit
      [DeviceA-policy-security-rule-policy1] quit
      [DeviceA-policy-security] rule name policy2
      [DeviceA-policy-security-rule-policy2] source-zone untrust
      [DeviceA-policy-security-rule-policy2] destination-zone trust
      [DeviceA-policy-security-rule-policy2] source-address 10.1.2.0 24
      [DeviceA-policy-security-rule-policy2] destination-address 10.1.1.0 24
      [DeviceA-policy-security-rule-policy2] action permit
      [DeviceA-policy-security-rule-policy2] quit
      # Configure security policies between the Local and Untrust zones to ensure that the firewall can initiate and receive IPsec tunnel establishment requests. The source and destination IP addresses are the public IP addresses of the outbound interfaces on both ends.
      [DeviceA-policy-security] rule name policy3
      [DeviceA-policy-security-rule-policy3] source-zone local
      [DeviceA-policy-security-rule-policy3] destination-zone untrust
      [DeviceA-policy-security-rule-policy3] source-address 1.1.1.1 32
      [DeviceA-policy-security-rule-policy3] destination-address 2.1.1.1 32
      [DeviceA-policy-security-rule-policy3] action permit
      [DeviceA-policy-security-rule-policy3] quit
      [DeviceA-policy-security] rule name policy4
      [DeviceA-policy-security-rule-policy4] source-zone untrust
      [DeviceA-policy-security-rule-policy4] destination-zone local
      [DeviceA-policy-security-rule-policy4] source-address 2.1.1.1 32
      [DeviceA-policy-security-rule-policy4] destination-address 1.1.1.1 32
      [DeviceA-policy-security-rule-policy4] action permit
      [DeviceA-policy-security-rule-policy4] quit
      [DeviceA-policy-security] quit

      # Configure a default route to the Internet, assuming that the next-hop address is 1.1.1.2, and a static route that sends traffic for the branch network (10.1.2.0/24) into Tunnel1. The tunnel route is what steers the protected traffic into the IPsec tunnel.

      [DeviceA] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
      [DeviceA] ip route-static 10.1.2.0 255.255.255.0 tunnel 1
    2. Configure an IPsec proposal.
      [DeviceA] ipsec proposal tran1
      [DeviceA-ipsec-proposal-tran1] encapsulation-mode tunnel
      [DeviceA-ipsec-proposal-tran1] transform esp
      [DeviceA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [DeviceA-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [DeviceA-ipsec-proposal-tran1] quit
    3. Configure an IKE proposal.
      [DeviceA] ike proposal 5
      [DeviceA-ike-proposal-5] authentication-method pre-share
      [DeviceA-ike-proposal-5] encryption-algorithm aes-256
      [DeviceA-ike-proposal-5] authentication-algorithm sha2-256
      [DeviceA-ike-proposal-5] dh group14
      [DeviceA-ike-proposal-5] quit
    4. Configure an IKE peer.
      [DeviceA] ike peer b
      [DeviceA-ike-peer-b] ike-proposal 5
      [DeviceA-ike-peer-b] pre-shared-key YsHsjx_202206
      [DeviceA-ike-peer-b] local-id-type ip
      [DeviceA-ike-peer-b] quit
    5. Configure an IPsec profile.
      [DeviceA] ipsec profile profile1
      [DeviceA-ipsec-profile-profile1] proposal tran1
      [DeviceA-ipsec-profile-profile1] ike-peer b
      [DeviceA-ipsec-profile-profile1] quit
    6. Apply the IPsec profile to an interface.
      [DeviceA] interface tunnel 1
      [DeviceA-Tunnel1] tunnel-protocol ipsec
      [DeviceA-Tunnel1] source 1.1.1.1
      [DeviceA-Tunnel1] destination 2.1.1.1
      [DeviceA-Tunnel1] ipsec profile profile1
      [DeviceA-Tunnel1] quit 
  • Configure the USG12000 series firewall.
    1. Configure IP addresses for interfaces, assign interfaces to security zones, configure interzone security policies, and configure a static route to the peer end.

      # Configure IP addresses for interfaces and assign interfaces to security zones.

      <HUAWEI> system-view
      [HUAWEI] sysname DeviceB
      [DeviceB] interface ge 1/0/1
      [DeviceB-GE1/0/1] ip address 2.1.1.1 255.255.255.0
      [DeviceB-GE1/0/1] quit
      [DeviceB] interface ge 1/0/2
      [DeviceB-GE1/0/2] ip address 10.1.2.1 255.255.255.0
      [DeviceB-GE1/0/2] quit
      [DeviceB] interface tunnel 0 
      [DeviceB-Tunnel0] ip address 10.2.1.2 255.255.255.0
      [DeviceB-Tunnel0] quit
      [DeviceB] firewall zone trust
      [DeviceB-zone-trust] add interface ge 1/0/2
      [DeviceB-zone-trust] quit
      [DeviceB] firewall zone untrust
      [DeviceB-zone-untrust] add interface ge 1/0/1
      [DeviceB-zone-untrust] add interface tunnel 0
      [DeviceB-zone-untrust] quit

      # Configure interzone security policies.

      # Configure security policies between the Untrust and Trust zones to ensure that the branch and HQ can communicate with each other.
      [DeviceB] security-policy
      [DeviceB-policy-security] rule name policy1
      [DeviceB-policy-security-rule-policy1] source-zone trust
      [DeviceB-policy-security-rule-policy1] destination-zone untrust
      [DeviceB-policy-security-rule-policy1] source-address 10.1.2.0 24
      [DeviceB-policy-security-rule-policy1] destination-address 10.1.1.0 24
      [DeviceB-policy-security-rule-policy1] action permit
      [DeviceB-policy-security-rule-policy1] quit
      [DeviceB-policy-security] rule name policy2
      [DeviceB-policy-security-rule-policy2] source-zone untrust
      [DeviceB-policy-security-rule-policy2] destination-zone trust
      [DeviceB-policy-security-rule-policy2] source-address 10.1.1.0 24
      [DeviceB-policy-security-rule-policy2] destination-address 10.1.2.0 24
      [DeviceB-policy-security-rule-policy2] action permit
      [DeviceB-policy-security-rule-policy2] quit
      # Configure security policies between the Local and Untrust zones to ensure that the firewall can initiate and receive IPsec tunnel establishment requests. The source and destination IP addresses are the public IP addresses of the outbound interfaces on both ends.
      [DeviceB-policy-security] rule name policy3
      [DeviceB-policy-security-rule-policy3] source-zone local
      [DeviceB-policy-security-rule-policy3] destination-zone untrust
      [DeviceB-policy-security-rule-policy3] source-address 2.1.1.1 32
      [DeviceB-policy-security-rule-policy3] destination-address 1.1.1.1 32
      [DeviceB-policy-security-rule-policy3] action permit
      [DeviceB-policy-security-rule-policy3] quit
      [DeviceB-policy-security] rule name policy4
      [DeviceB-policy-security-rule-policy4] source-zone untrust
      [DeviceB-policy-security-rule-policy4] destination-zone local
      [DeviceB-policy-security-rule-policy4] source-address 1.1.1.1 32
      [DeviceB-policy-security-rule-policy4] destination-address 2.1.1.1 32
      [DeviceB-policy-security-rule-policy4] action permit
      [DeviceB-policy-security-rule-policy4] quit
      [DeviceB-policy-security] quit

      # Configure a default route to the Internet, assuming that the next-hop address is 2.1.1.2, and a static route that sends traffic for the HQ network (10.1.1.0/24) into Tunnel0. The tunnel route is what steers the protected traffic into the IPsec tunnel.

      [DeviceB] ip route-static 0.0.0.0 0.0.0.0 2.1.1.2
      [DeviceB] ip route-static 10.1.1.0 255.255.255.0 tunnel 0
    2. Configure an IPsec proposal.
      [DeviceB] ipsec proposal tran1
      [DeviceB-ipsec-proposal-tran1] encapsulation-mode tunnel
      [DeviceB-ipsec-proposal-tran1] transform esp
      [DeviceB-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
      [DeviceB-ipsec-proposal-tran1] esp encryption-algorithm aes-256
      [DeviceB-ipsec-proposal-tran1] quit
    3. Configure an IKE proposal.
      [DeviceB] ike proposal 5
      [DeviceB-ike-proposal-5] authentication-method pre-share
      [DeviceB-ike-proposal-5] encryption-algorithm aes-256
      [DeviceB-ike-proposal-5] authentication-algorithm sha2-256
      [DeviceB-ike-proposal-5] dh group14
      [DeviceB-ike-proposal-5] quit
    4. Configure an IKE peer.
      [DeviceB] ike peer b
      [DeviceB-ike-peer-b] ike-proposal 5
      [DeviceB-ike-peer-b] pre-shared-key YsHsjx_202206
      [DeviceB-ike-peer-b] local-id-type ip
      [DeviceB-ike-peer-b] quit
    5. Configure an IPsec profile.
      [DeviceB] ipsec profile profile1
      [DeviceB-ipsec-profile-profile1] proposal tran1
      [DeviceB-ipsec-profile-profile1] ike-peer b
      [DeviceB-ipsec-profile-profile1] quit
    6. Apply the IPsec profile to an interface.
      [DeviceB] interface tunnel 0
      [DeviceB-Tunnel0] tunnel-protocol ipsec
      [DeviceB-Tunnel0] source 2.1.1.1
      [DeviceB-Tunnel0] destination 1.1.1.1
      [DeviceB-Tunnel0] ipsec profile profile1
      [DeviceB-Tunnel0] quit 
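A peer pair that disagrees on one proposal parameter, or a tunnel interface that was left out of every security zone, produces the same symptom: no traffic, and nothing obviously wrong on either box. The following Python script is an added example, not code from the Huawei guide; it cross-checks abridged copies of the two configuration files from this example (the proposal, zone and Tunnel blocks are copied from the guide, the pre-shared key is omitted because the running configuration stores it encrypted). It reports proposal parameters that differ between the peers, algorithms the precautions call out as weak, tunnel interfaces that belong to no zone, and tunnel source/destination pairs that do not mirror each other. Proposal names are local to each device, so only their parameters are compared.

```python
"""Cross-check two Huawei USG IPsec peers. Added example, not from the Huawei guide."""

WEAK_ALGORITHMS = {"md5", "sha1", "des", "3des"}  # called out in the guide's precautions

# Abridged copies of the DeviceA (USG6000E) and DeviceB (USG12000) configuration
# files from the guide; only the blocks the checks read are kept.
DEVICE_A = """\
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
 add interface Tunnel1
#
interface Tunnel1
 source 1.1.1.1
 destination 2.1.1.1
 ipsec profile profile1
#
"""
DEVICE_B = """\
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 5
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
#
firewall zone untrust
 add interface GE1/0/1
 add interface Tunnel0
#
interface Tunnel0
 source 2.1.1.1
 destination 1.1.1.1
 ipsec profile profile1
#
"""


def parse_blocks(config):
    """Map each top-level VRP block header to its indented sub-lines."""
    blocks, header = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "#":
            header = None  # '#' closes the current block
        elif not line.startswith(" "):
            header = line.strip()
            blocks[header] = []
        elif header is not None:
            blocks[header].append(line.strip())
    return blocks


def block_settings(blocks, prefix):
    """{'esp encryption-algorithm': 'aes-256', ...} for the first block whose header starts with prefix."""
    for header, lines in blocks.items():
        if header.lower().startswith(prefix.lower()):
            return {line.rpartition(" ")[0]: line.rpartition(" ")[2] for line in lines}
    return {}


def proposal_mismatches(cfg_a, cfg_b):
    """Every IKE and IPsec proposal parameter must match, or negotiation fails."""
    a, b = parse_blocks(cfg_a), parse_blocks(cfg_b)
    findings = []
    for prefix in ("ike proposal", "ipsec proposal"):
        sa, sb = block_settings(a, prefix), block_settings(b, prefix)
        for key in sorted(set(sa) | set(sb)):
            if sa.get(key) != sb.get(key):
                findings.append(f"{prefix}: {key} = {sa.get(key)} vs {sb.get(key)}")
    return findings


def weak_algorithms(cfg):
    """Proposal values the guide says pose security risks."""
    blocks = parse_blocks(cfg)
    return [f"{prefix}: {key} {value}" for prefix in ("ike proposal", "ipsec proposal")
            for key, value in block_settings(blocks, prefix).items()
            if value.lower() in WEAK_ALGORITHMS]


def tunnels_without_zone(cfg):
    """Tunnel interfaces in no security zone: the firewall will not forward through them."""
    blocks = parse_blocks(cfg)
    zoned = {line.split(" ", 2)[2].lower() for header, lines in blocks.items()
             if header.startswith("firewall zone") for line in lines if line.startswith("add interface ")}
    tunnels = [h.split(" ", 1)[1] for h in blocks if h.lower().startswith("interface tunnel")]
    return [t for t in tunnels if t.lower() not in zoned]


def endpoints_mirror(cfg_a, cfg_b):
    """A's tunnel source must be B's destination and vice versa."""
    ta = block_settings(parse_blocks(cfg_a), "interface Tunnel")
    tb = block_settings(parse_blocks(cfg_b), "interface Tunnel")
    return ta.get("source") == tb.get("destination") and ta.get("destination") == tb.get("source")
```

Run the four checks against copies of display current-configuration taken from both peers before opening a ticket about a tunnel that "will not come up"; with the configurations in this example all four return clean results, and downgrading one peer to sha1 or dropping the add interface Tunnel line is reported by name.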

Verifying the Configuration

  1. Run the display ike sa command. Two entries for the peer, both carrying the RD (READY) flag, show that negotiation completed: the row whose Phase is v2:1 is the IKEv2 IKE SA, and the row whose Phase is v2:2 is the IPsec (child) SA. If the Phase column shows v1:1 and v1:2, the tunnel was negotiated with IKEv1 rather than the IKEv2 in the data plan; check the IKE version settings on both peers. The following example uses the command output on DeviceA.
    <DeviceA> display ike sa
     IKE SA information :    
         Conn-ID     Peer            VPN   Flag(s)  Phase  RemoteType  RemoteID 
     ----------------------------------------------------------------------------- 
         1679       2.1.1.1:500           RD|ST|A  v2:2   IP          2.1.1.1 
         1677       2.1.1.1:500           RD|ST|A  v2:1   IP          2.1.1.1 
      
       Number of IKE SA : 2  
     ------------------------------------------------------------------------------- 
      
       Flag Description:                                                              
       RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT            
       HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                 
       M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING 
  2. PC1 and PC2 can ping each other. The following example pings PC2 from PC1.
    C:\Users\DeviceB> ping 10.1.2.2
      
     Pinging 10.1.2.2 with 32 bytes of data: 
     Reply from 10.1.2.2: bytes=32 time=9ms TTL=126 
     Reply from 10.1.2.2: bytes=32 time=9ms TTL=126 
     Reply from 10.1.2.2: bytes=32 time=9ms TTL=126 
     Reply from 10.1.2.2: bytes=32 time=9ms TTL=126 
      
     Ping statistics for 10.1.2.2: 
         Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
     Approximate round trip times in milli-seconds: 
         Minimum = 9ms, Maximum = 9ms, Average = 9ms

    An IPsec tunnel has been successfully established, and PC1 and PC2 can ping each other successfully. The following describes two commonly used methods to check whether service packets are transmitted through the IPsec tunnel.

    • Check the max sent sequence-number field in the display ipsec sa command output. This counter exists for anti-replay protection: every packet an IPsec SA sends carries a sequence number one higher than the previous one, so the counter grows by exactly the number of packets that were encapsulated. If a branch user sends five ICMP packets to the HQ through the tunnel, the counter of that SA increases by 5. If the counter does not increase, the packets never entered the IPsec tunnel (a route or security policy sent them elsewhere) or the tunnel is not operational.
    • Check the input/output security packets field in the display ipsec statistics command output. For example, input/output security packets: 4/4 indicates that the device has received four protected packets and sent four.

    The first method shows the counters of one specific IPsec SA, and the second shows global IPsec statistics for the whole device. If the device terminates several tunnels, the global counters cannot attribute packets to one tunnel, so use the first method.

    When traffic triggers the establishment of an IPsec tunnel, the first service packet is discarded rather than tunnel-encapsulated, because no IPsec SA exists yet when that packet arrives. If a branch user sends 10 ICMP packets to the HQ, the display ipsec statistics output therefore shows only nine packets. This is normal; once the SAs are in place every subsequent packet is counted.
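Both checks above can be scripted against captured command output, which is useful when the same tunnel has to be verified after every change window. The following Python script is an added example, not code from the guide: it parses the display ike sa output shown above to confirm that the peer has a READY SA in both phases, and compares two snapshots of the max sent sequence-number field from display ipsec sa with the number of probes that were sent. The sequence-number snapshots are constructed fragments containing only that field, not full command output; the comparison allows for the dropped first packet when the probes themselves triggered tunnel setup.

```python
"""Script the two verification checks from the guide. Added example, not Huawei's code."""
import re

# 'display ike sa' output copied from the guide's verification step (DeviceA).
IKE_SA_OUTPUT = """\
 IKE SA information :
     Conn-ID     Peer            VPN   Flag(s)  Phase  RemoteType  RemoteID
 -----------------------------------------------------------------------------
     1679       2.1.1.1:500           RD|ST|A  v2:2   IP          2.1.1.1
     1677       2.1.1.1:500           RD|ST|A  v2:1   IP          2.1.1.1

   Number of IKE SA : 2
"""

# Constructed fragments of 'display ipsec sa' holding only the field the guide
# tells you to watch; real output carries many more lines around it.
IPSEC_SA_BEFORE = "    max sent sequence-number: 12\n"
IPSEC_SA_AFTER = "    max sent sequence-number: 16\n"

# One SA row: Conn-ID, Peer:port, optional VPN instance, flags, phase, remote type and ID.
SA_ROW = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<peer>[\d.]+):(?P<port>\d+)\s+(?:(?P<vpn>\S+)\s+)?"
    r"(?P<flags>[A-Z|]+)\s+(?P<phase>v[12]:[12])\s+(?P<rtype>\S+)\s+(?P<rid>\S+)\s*$")
SEQ_FIELD = re.compile(r"max sent sequence-number:\s*(\d+)", re.IGNORECASE)


def parse_ike_sas(output):
    """One dict per SA row; flags become a set such as {'RD', 'ST', 'A'}."""
    rows = []
    for line in output.splitlines():
        m = SA_ROW.match(line)
        if m:
            row = m.groupdict()
            row["flags"] = set(row["flags"].split("|"))
            rows.append(row)
    return rows


def tunnel_is_up(output, peer):
    """True when the peer has a READY (RD) SA in both phases: phase 1 is the IKE SA,
    phase 2 the IPsec SA. Works for IKEv1 (v1:x) and IKEv2 (v2:x) rows alike."""
    phases = {row["phase"].split(":")[1] for row in parse_ike_sas(output)
              if row["peer"] == peer and "RD" in row["flags"]}
    return {"1", "2"} <= phases


def sent_counter(ipsec_sa_output):
    """Outbound ESP sequence number, or None when no IPsec SA exists yet."""
    m = SEQ_FIELD.search(ipsec_sa_output)
    return int(m.group(1)) if m else None


def probes_went_through_tunnel(before, after, probes_sent, tunnel_was_down=False):
    """Did the outbound sequence number grow by the number of probes sent?
    If the probes themselves triggered tunnel setup, the first one is dropped
    before the SA exists, so one fewer is expected."""
    start = sent_counter(before) or 0  # no SA before the probes -> counter starts at 0
    end = sent_counter(after)
    if end is None:
        return False
    expected = probes_sent - 1 if tunnel_was_down else probes_sent
    return end - start == expected
```

Take the before snapshot, send a known number of pings from PC1 to PC2, take the after snapshot, and call probes_went_through_tunnel with that count; a mismatch means some probes were routed or policed around the tunnel, which is exactly the condition the sequence-number check exists to expose.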

Configuration Files

  • USG6000E series firewall
    # 
     sysname DeviceA 
    # 
    ipsec proposal tran1 
     esp authentication-algorithm sha2-256  
     esp encryption-algorithm aes-256 
    # 
    ike proposal 5 
     encryption-algorithm aes-256                                                    
     dh group14                                                                       
     authentication-algorithm sha2-256                                               
     authentication-method pre-share                                               
    # 
    ike peer b 
     pre-shared-key %@%@:A(|N&D21)L2L0Z2WlVE9.-u%@%@%^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# 
     ike-proposal 5 
    # 
    ipsec profile profile1 
     ike-peer b 
     proposal tran1 
    # 
    interface GigabitEthernet0/0/1 
     undo shutdown
     ip address 1.1.1.1 255.255.255.0 
    # 
    interface GigabitEthernet0/0/2 
     undo shutdown
     ip address 10.1.1.1 255.255.255.0 
    # 
    firewall zone trust 
     set priority 85 
     add interface GigabitEthernet0/0/2 
    # 
    firewall zone untrust  
     set priority 5  
     add interface GigabitEthernet0/0/1 
     add interface Tunnel1
    #
    interface Tunnel1
     ip address 10.2.1.1 255.255.255.0
     tunnel-protocol ipsec
     source 1.1.1.1
     destination 2.1.1.1 
     ipsec profile profile1
    #
    ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 
    ip route-static 10.1.2.0 255.255.255.0 Tunnel1 
    # 
    # 
    security-policy 
     rule name policy1 
      source-zone trust 
      destination-zone untrust 
      source-address 10.1.1.0 mask 255.255.255.0 
      destination-address 10.1.2.0 mask 255.255.255.0 
      action permit 
     rule name policy2 
      source-zone untrust 
      destination-zone trust 
      source-address 10.1.2.0 mask 255.255.255.0 
      destination-address 10.1.1.0 mask 255.255.255.0 
      action permit 
     rule name policy3 
      source-zone local 
      destination-zone untrust 
      source-address 1.1.1.1 mask 255.255.255.255 
      destination-address 2.1.1.1 mask 255.255.255.255 
      action permit 
     rule name policy4 
      source-zone untrust 
      destination-zone local 
      source-address 2.1.1.1 mask 255.255.255.255 
      destination-address 1.1.1.1 mask 255.255.255.255 
      action permit 
    #
    return
  • USG12000 series firewall
    # 
    sysname DeviceB 
    # 
    ipsec proposal tran1 
     esp authentication-algorithm sha2-256  
     esp encryption-algorithm aes-256 
    # 
    ike proposal 5 
     encryption-algorithm aes-256                                                    
     dh group14                                                                       
     authentication-algorithm sha2-256                                               
     authentication-method pre-share                                               
    # 
    ike peer b 
     pre-shared-key %^%#p7,cEWZqBI<4DT7CZUP:f|LjJ\zNLTbsAAG|d,8T%^%# 
     ike-proposal 5 
    # 
    ipsec profile profile1 
     ike-peer b 
     proposal tran1 
    # 
    interface GE1/0/1 
     undo shutdown 
     ip address 2.1.1.1 255.255.255.0 
    # 
    interface GE1/0/2 
     undo shutdown 
     ip address 10.1.2.1 255.255.255.0 
    # 
    interface Tunnel0
     ip address 10.2.1.2 255.255.255.0
     tunnel-protocol ipsec
     source 2.1.1.1
     destination 1.1.1.1 
     ipsec profile profile1
    #
    firewall zone trust 
     set priority 85 
     add interface GE1/0/2 
    # 
    firewall zone untrust  
     set priority 5  
     add interface GE1/0/1 
     add interface Tunnel0
    # 
    ip route-static 0.0.0.0 0.0.0.0 2.1.1.2 
    ip route-static 10.1.1.0 255.255.255.0 Tunnel0 
    # 
    security-policy 
     rule name policy1 
      source-zone trust 
      destination-zone untrust 
      source-address 10.1.2.0 mask 255.255.255.0 
      destination-address 10.1.1.0 mask 255.255.255.0 
      action permit 
     rule name policy2 
      source-zone untrust 
      destination-zone trust 
      source-address 10.1.1.0 mask 255.255.255.0 
      destination-address 10.1.2.0 mask 255.255.255.0 
      action permit 
     rule name policy3 
      source-zone local 
      destination-zone untrust 
      source-address 2.1.1.1 mask 255.255.255.255 
      destination-address 1.1.1.1 mask 255.255.255.255 
      action permit 
     rule name policy4 
      source-zone untrust 
      destination-zone local 
      source-address 1.1.1.1 mask 255.255.255.255 
      destination-address 2.1.1.1 mask 255.255.255.255 
      action permit 
    # 
    return