Establishing IPSec Tunnels in Virtual Tunnel Interface Mode Between HUAWEI Firewalls and Fortinet Firewalls
Networking Requirements
As shown in Figure 1, the HUAWEI firewall serves as the enterprise gateway to the Internet at the headquarters, and the Fortinet firewall serves the same role at the branch. The outbound interfaces of both firewalls have fixed public addresses. The enterprise wants to establish a tunnel interface-based IPSec tunnel between the two firewalls so that their intranets can communicate securely. In this scenario, either end can initiate the IPSec tunnel negotiation.
Data Planning
| Configuration Item | | HUAWEI firewall | Fortinet firewall |
|---|---|---|---|
| IKE SA | Negotiation mode | Main mode | Main mode |
| | Encryption algorithm | 3des | 3des |
| | Authentication algorithm | sha1 | sha1 |
| | Pre-shared key | Key@123 | Key@123 |
| | Identity type | Peer address | Peer address |
| | IKE version | V1 | V1 |
| | DH group | Group2 | Group2 |
| IPSec SA | Encapsulation mode | Tunnel mode | Tunnel mode |
| | Security protocol | ESP | ESP |
| | Encryption algorithm | 3des | 3des |
| | Authentication algorithm | sha1 | sha1 |
Configuration Roadmap
- Configure the HUAWEI firewall:
- Set IP addresses for interfaces and assign the interfaces to security zones.
- Configure an interzone security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the HUAWEI firewall.
- Configure an IPSec profile, including defining the data flow to be protected, configuring an IPSec proposal, creating an IKE proposal, and configuring an IKE peer.
- Set an IP address for the tunnel interface and assign the interface to a security zone.
- Apply the IPSec profile to the tunnel interface.
- Configure a static route to the branch and the default route to the Internet.
- Configure the Fortinet firewall:
- Set IP addresses for interfaces.
- Configure the IKE SA and IPSec SA.
- Assign the tunnel interface to the Untrust zone.
- Configure a security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the Fortinet firewall.
- Configure a route to divert traffic to the tunnel interface.
- Configure the default route to the Internet.
Configuration Precautions
- In this example, the HUAWEI firewall uses an IPSec profile to configure IPSec, so no ACL is needed to define the data flow to be protected. Accordingly, the Fortinet firewall does not need to define the data flow either: leave set src-subnet and set dst-subnet at their defaults or set them to any (0.0.0.0 0.0.0.0).
- The HUAWEI firewall can also use an IPSec policy to configure IPSec. In that case you must configure an ACL to define the data flow to be protected.
- An IPSec profile is functionally similar to an IPSec policy, with these differences: it supports only IKE negotiation, applies only to a tunnel interface, protects every data flow routed to that tunnel interface, and does not support an ACL.
- The algorithms in the data plan (3DES, SHA1 and DH group 2) are legacy choices kept here for the example. Where both firewalls support them, prefer AES, SHA2 and DH group 14 or higher, and replace the sample pre-shared key Key@123 with a long random key.
Configuration Procedure
- Configure the HUAWEI firewall.
- Configure interfaces and assign them to security zones.
- Configure GE1/0/3 and assign it to the Untrust zone.
```
[HUAWEI] interface GigabitEthernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] ip address 1.1.1.1 24
[HUAWEI-GigabitEthernet1/0/3] quit
[HUAWEI] firewall zone untrust
[HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/3
[HUAWEI-zone-untrust] quit
```
- Configure GE1/0/5 and assign it to the Trust zone.
```
[HUAWEI] interface GigabitEthernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] ip address 192.168.10.1 24
[HUAWEI-GigabitEthernet1/0/5] quit
[HUAWEI] firewall zone trust
[HUAWEI-zone-trust] add interface GigabitEthernet 1/0/5
[HUAWEI-zone-trust] quit
```
- Configure security policies.
- Configure Untrust-Trust interzone security policies.
Configure policy 1 so that the branch can access the headquarters and configure policy 2 so that the headquarters can access the branch.
```
[HUAWEI] security-policy
[HUAWEI-policy-security] rule name 1
[HUAWEI-policy-security-rule-1] source-zone untrust
[HUAWEI-policy-security-rule-1] destination-zone trust
[HUAWEI-policy-security-rule-1] source-address 192.168.0.0 24
[HUAWEI-policy-security-rule-1] destination-address 192.168.10.0 24
[HUAWEI-policy-security-rule-1] action permit
[HUAWEI-policy-security-rule-1] quit
[HUAWEI-policy-security] rule name 2
[HUAWEI-policy-security-rule-2] source-zone trust
[HUAWEI-policy-security-rule-2] destination-zone untrust
[HUAWEI-policy-security-rule-2] source-address 192.168.10.0 24
[HUAWEI-policy-security-rule-2] destination-address 192.168.0.0 24
[HUAWEI-policy-security-rule-2] action permit
[HUAWEI-policy-security-rule-2] quit
```
- Configure Local-Untrust interzone security policies.
Configure policy 3 so that the HUAWEI firewall can initiate an IPSec tunnel establishment request, and policy 4 so that it can receive one. The source and destination addresses are the public addresses of the outbound interfaces at both ends. Note that the 24-bit masks below admit the whole 1.1.1.0/24 and 2.2.2.0/24 ranges; to restrict the rules to the two gateways only, use mask 32.
```
[HUAWEI-policy-security] rule name 3
[HUAWEI-policy-security-rule-3] source-zone local
[HUAWEI-policy-security-rule-3] destination-zone untrust
[HUAWEI-policy-security-rule-3] source-address 1.1.1.1 24
[HUAWEI-policy-security-rule-3] destination-address 2.2.2.2 24
[HUAWEI-policy-security-rule-3] action permit
[HUAWEI-policy-security-rule-3] quit
[HUAWEI-policy-security] rule name 4
[HUAWEI-policy-security-rule-4] source-zone untrust
[HUAWEI-policy-security-rule-4] destination-zone local
[HUAWEI-policy-security-rule-4] source-address 2.2.2.2 24
[HUAWEI-policy-security-rule-4] destination-address 1.1.1.1 24
[HUAWEI-policy-security-rule-4] action permit
[HUAWEI-policy-security-rule-4] quit
```
- Configure an IKE SA.
- Configure an IKE proposal and specify the encryption algorithm, authentication algorithm, and DH group.
```
[HUAWEI] ike proposal 1
[HUAWEI-ike-proposal-1] encryption-algorithm 3des
[HUAWEI-ike-proposal-1] authentication-algorithm sha1
[HUAWEI-ike-proposal-1] dh group2
[HUAWEI-ike-proposal-1] quit
```
- Configure an IKE peer and specify the negotiation mode, IKE version, pre-shared key, and peer IP address.
```
[HUAWEI] ike peer fortigate
[HUAWEI-ike-peer-fortigate] exchange-mode main
[HUAWEI-ike-peer-fortigate] undo version 2
[HUAWEI-ike-peer-fortigate] ike-proposal 1
[HUAWEI-ike-peer-fortigate] pre-shared-key Key@123
[HUAWEI-ike-peer-fortigate] remote-address 2.2.2.2
[HUAWEI-ike-peer-fortigate] quit
```
- Configure an IPSec proposal and specify the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm.
```
[HUAWEI] ipsec proposal tran1
[HUAWEI-ipsec-proposal-tran1] transform esp
[HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm 3des
[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1
[HUAWEI-ipsec-proposal-tran1] quit
```
- Configure an IPSec profile and associate it with the IKE peer and IPSec proposal.
```
[HUAWEI] ipsec profile fortigate
[HUAWEI-ipsec-profile-fortigate] proposal tran1
[HUAWEI-ipsec-profile-fortigate] ike-peer fortigate
[HUAWEI-ipsec-profile-fortigate] quit
```
In this example, an IPSec profile is used to configure IPSec. This mode does not support the configuration of an ACL to define the data flow to be protected and applies only to the tunnel interface.
- Configure a tunnel interface and assign it to the Untrust zone.
```
[HUAWEI] interface tunnel 1
[HUAWEI-Tunnel1] tunnel-protocol ipsec
[HUAWEI-Tunnel1] ip address 10.10.10.1 24
[HUAWEI-Tunnel1] source 1.1.1.1
[HUAWEI-Tunnel1] service-manage ping permit
[HUAWEI-Tunnel1] quit
[HUAWEI] firewall zone untrust
[HUAWEI-zone-untrust] add interface Tunnel 1
[HUAWEI-zone-untrust] quit
```
Set the protocol type of the tunnel interface to IPSec and specify the source address but not the destination address of the tunnel.
- Apply the IPSec profile to the tunnel interface.
```
[HUAWEI] interface Tunnel 1
[HUAWEI-Tunnel1] ipsec profile fortigate
[HUAWEI-Tunnel1] quit
```
- Configure routes.
- Configure a static route to the branch to divert the traffic to the tunnel interface.
```
[HUAWEI] ip route-static 192.168.0.0 24 tunnel 1
```
- Configure a default route to the Internet. In the example, the next-hop IP address is 1.1.1.2.
```
[HUAWEI] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
```
When the IPSec profile is used, no ACL is configured to define the data flow to be protected. In this case, the HUAWEI firewall provides IPSec protection over all traffic routed to tunnel interface 1.
- Configure the Fortinet firewall.
- Configure an IP address for the interface.
- Configure port03.
```
Fortigate # config system interface
Fortigate (interface) # edit port03
Fortigate (port03) # set ip 2.2.2.2/24
Fortigate (port03) # set allowaccess ping https ssh snmp http telnet
Fortigate (port03) # end
```
- Configure port10.
```
Fortigate # config system interface
Fortigate (interface) # edit port10
Fortigate (port10) # set ip 192.168.0.1/24
Fortigate (port10) # set allowaccess ping https ssh snmp http telnet
Fortigate (port10) # end
```
On the Fortinet firewall, you can configure security policies directly for physical interfaces, without assigning them to security zones. You can also assign them to zones and configure the policies per zone. Note that set allowaccess only lists the management services the interface itself answers; the tunnel does not need any of them, so on the Internet-facing port03 keep the list to what you actually use and avoid enabling http, telnet and snmp in production.
- Configure an IKE SA and specify its name, bound interface, negotiation mode, encryption algorithm, authentication algorithm, pre-shared key, peer address, and DH group.
```
Fortigate # config vpn ipsec phase1-interface
Fortigate (phase1-interface) # edit firewall
new entry 'firewall' added
Fortigate (firewall) # set interface port03
Fortigate (firewall) # set mode main
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set psksecret Key@123
Fortigate (firewall) # set remote-gw 1.1.1.1
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # end
```
- No IKE version is set on the Fortinet firewall in this example; it negotiates IKEv1 by default, which matches the undo version 2 setting on the HUAWEI side.
- The set interface command binds the IKE SA to the specified port, which is equivalent to applying an IPSec policy to an interface on the HUAWEI firewall.
- The set proposal 3des-sha1 command sets the encryption algorithm (3des) and authentication algorithm (sha1) of the IKE SA.
- Configure an IPSec SA and specify its name, bound IKE SA, encryption algorithm, authentication algorithm, and DH group.
```
Fortigate # config vpn ipsec phase2-interface
Fortigate (phase2-interface) # edit firewall
new entry 'firewall' added
Fortigate (firewall) # set phase1name firewall
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set dst-subnet 0.0.0.0 0.0.0.0
Fortigate (firewall) # set src-subnet 0.0.0.0 0.0.0.0
Fortigate (firewall) # end
```
- No encapsulation mode or security protocol is set on the Fortinet firewall in this example; it uses tunnel mode and ESP by default.
- The set phase1name command specifies the IKE SA referenced by the IPSec SA.
- The set proposal 3des-sha1 command sets the encryption algorithm (3des) and authentication algorithm (sha1) of the IPSec SA.
- The set src-subnet and set dst-subnet commands define the data flow to be protected. Because the HUAWEI firewall has no ACL defining the data flow, set both to any (0.0.0.0 0.0.0.0) as shown; every flow routed to the tunnel interface is then protected.
- Assign the tunnel interface to the Untrust zone.
- After the IKE SA is configured, the device automatically creates a tunnel interface with the same name as the IKE SA (here, firewall) through which the protected traffic passes.
```
Fortigate # config system zone
Fortigate (zone) # edit untrust
Fortigate (untrust) # set interface firewall
Fortigate (untrust) # end
```
- On the Fortinet firewall, you must assign this tunnel interface to a security zone and then configure security policies for that zone.
- Configure security policies.
- Configure a security policy between port03 and port10.
Configure policy 66 so that the headquarters can access the branch and policy 99 so that the branch can access the headquarters. As written, both policies match all addresses and all services, and policy 66 accepts any traffic arriving on port03 toward port10, not only tunnel traffic; in production, restrict srcaddr, dstaddr and service to what the two intranets need, as the HUAWEI policies do with 192.168.0.0/24 and 192.168.10.0/24.
```
Fortigate # config firewall policy
Fortigate (policy) # edit 66
Fortigate (66) # set srcintf port03
Fortigate (66) # set dstintf port10
Fortigate (66) # set srcaddr all
Fortigate (66) # set dstaddr all
Fortigate (66) # set action accept
Fortigate (66) # set schedule always
Fortigate (66) # set service ANY
Fortigate (66) # end
Fortigate # config firewall policy
Fortigate (policy) # edit 99
Fortigate (99) # set srcintf port10
Fortigate (99) # set dstintf port03
Fortigate (99) # set srcaddr all
Fortigate (99) # set dstaddr all
Fortigate (99) # set action accept
Fortigate (99) # set schedule always
Fortigate (99) # set service ANY
Fortigate (99) # end
```
- Configure a security policy between the Untrust zone and port10, namely, between the tunnel interface and port10.
Configure policy 96 so that traffic leaving the tunnel interface can enter the branch intranet, and policy 76 so that branch traffic can be forwarded into the tunnel. These are the policies that actually carry the decapsulated tunnel traffic; as with policies 66 and 99, narrow the addresses and services in production.
```
Fortigate # config firewall policy
Fortigate (policy) # edit 96
Fortigate (96) # set srcintf untrust
Fortigate (96) # set dstintf port10
Fortigate (96) # set srcaddr all
Fortigate (96) # set dstaddr all
Fortigate (96) # set action accept
Fortigate (96) # set schedule always
Fortigate (96) # set service ANY
Fortigate (96) # end
Fortigate # config firewall policy
Fortigate (policy) # edit 76
Fortigate (76) # set srcintf port10
Fortigate (76) # set dstintf untrust
Fortigate (76) # set srcaddr all
Fortigate (76) # set dstaddr all
Fortigate (76) # set action accept
Fortigate (76) # set schedule always
Fortigate (76) # set service ANY
Fortigate (76) # end
```
On the Fortinet firewall, you do not need to configure the security policy between the Untrust and Local zones.
- Configure routes.
- Configure a static route to divert traffic for the headquarters intranet to the tunnel interface.
```
Fortigate # config router static
Fortigate (static) # edit 76
Fortigate (76) # set device firewall
Fortigate (76) # set dst 192.168.10.0 255.255.255.0
Fortigate (76) # end
```
- Configure a default route to the Internet through port03, with next hop 2.2.2.3.
```
Fortigate # config router static
Fortigate (static) # edit 33
Fortigate (33) # set dst 0.0.0.0 0.0.0.0
Fortigate (33) # set gateway 2.2.2.3
Fortigate (33) # set device port03
Fortigate (33) # end
```
Verification
- Verify whether the headquarters can proactively initiate an IPSec tunnel with the branch.
- Ping PC2 on the branch network from PC1 at the headquarters.
- On the HUAWEI firewall at the headquarters, run the display ike sa command. If the following information is displayed, the IKE SA is successfully established.
```
<HUAWEI> display ike sa
 conn-id    peer            flag          phase   vpn
 ---------------------------------------------------------------
 117        2.2.2.2         RD|ST|A       v1:2    public
 115        2.2.2.2         RD|A          v1:1    public

 flag meaning
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
 TD--DELETING   NEG--NEGOTIATING   D--DPD   M--ACTIVE   S--STANDBY   A--ALONE
```
- On the HUAWEI firewall at the headquarters, run the display ipsec sa command. If the following information is displayed, the IPSec SA is successfully established.
```
<HUAWEI> display ipsec sa
===============================
 Interface: Tunnel1
 path MTU: 1500
===============================
  -----------------------------
  IPSec policy name: "fortigate"
  sequence number: 1
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 117
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 1m 8s
    tunnel local : 1.1.1.1
    tunnel remote: 2.2.2.2
    flow source: 0.0.0.0/0.0.0.0 0/0
    flow destination: 0.0.0.0/0.0.0.0 0/0

    [inbound ESP SAs]
      spi: 2605355474 (0x9b4a91d2)
      vpn: public  said: 172  cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 200000000/1732
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 3708493464 (0xdd0b1e98)
      vpn: public  said: 173  cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 200000000/1732
      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N
```
- Log in to the web UI of the branch Fortinet firewall to check the IPSec tunnel establishment.
- If the tunnel status is displayed as a green upward arrow, the IPSec tunnel is successfully established.
- You can also run the get ipsec tunnel list command on the branch Fortinet firewall to check the IPSec tunnel establishment. If the status is up, the IPSec tunnel is successfully established.
- Verify whether the branch can proactively initiate an IPSec tunnel with the headquarters.
- On the HUAWEI firewall at the headquarters, run the reset ike sa command to disconnect the IPSec tunnel.
- Ping PC1 on the headquarters network from the branch PC2 and refer to the preceding method to verify whether the IPSec tunnel can be successfully established.
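The two display commands above are what an operator reads by eye; a monitoring job that collects the same output (for example over SSH) needs to decide mechanically whether the tunnel is up. The following Python code is an added example, not part of this page or of either vendor's tooling: it parses `display ike sa` and `display ipsec sa` text and reports the tunnel to a given peer as up only when a READY phase-2 IKE SA exists and both an inbound and an outbound ESP SA are present with lifetime remaining. The sample output is constructed from the verification output on this page (columns realigned, fields the check does not need left out); the function names and the 120-second lifetime threshold are the example's own.

```python
"""Judge tunnel health from `display ike sa` and `display ipsec sa` output."""
import re

# Sample output constructed from the verification section of this page
# (columns realigned; fields not needed for the check left out).
IKE_SA_OUTPUT = """\
 conn-id    peer            flag          phase   vpn
 -----------------------------------------------------
 117        2.2.2.2         RD|ST|A       v1:2    public
 115        2.2.2.2         RD|A          v1:1    public
 flag meaning
 RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
 TD--DELETING NEG--NEGOTIATING D--DPD M--ACTIVE S--STANDBY A--ALONE
"""

IPSEC_SA_OUTPUT = """\
 Interface: Tunnel1
 path MTU: 1500
 IPSec policy name: "fortigate"
 mode: isakmp
 connection id: 117
 encapsulation mode: tunnel
 tunnel local : 1.1.1.1
 tunnel remote: 2.2.2.2
 flow source: 0.0.0.0/0.0.0.0 0/0
 flow destination: 0.0.0.0/0.0.0.0 0/0
 [inbound ESP SAs]
 spi: 2605355474 (0x9b4a91d2)
 proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
 sa remaining key duration (kilobytes/sec): 200000000/1732
 udp encapsulation used for nat traversal: N
 [outbound ESP SAs]
 spi: 3708493464 (0xdd0b1e98)
 proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
 sa remaining key duration (kilobytes/sec): 200000000/1732
 udp encapsulation used for nat traversal: N
"""

# One SA row: conn-id, peer, flags, v<ike version>:<phase>, vpn instance.
IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+v(\d):(\d)\s+(\S+)\s*$", re.M)


def parse_ike_sa(text):
    """One dict per IKE SA; header and flag-legend lines do not match IKE_ROW."""
    return [{"conn_id": int(cid), "peer": peer, "flags": set(flags.split("|")),
             "ike_version": int(ver), "phase": int(phase), "vpn": vpn}
            for cid, peer, flags, ver, phase, vpn in IKE_ROW.findall(text)]


def parse_ipsec_sa(text):
    """Per-tunnel endpoints plus the inbound/outbound ESP SA details."""
    tunnels, tunnel, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("tunnel local"):
            tunnel, direction = {"local": line.split(":")[1].strip(), "sas": {}}, None
            tunnels.append(tunnel)
        elif tunnel is None:
            continue
        elif line.startswith("tunnel remote"):
            tunnel["remote"] = line.split(":")[1].strip()
        elif line.startswith("["):  # [inbound ESP SAs] / [outbound ESP SAs]
            direction = line.strip("[]").split()[0]
            tunnel["sas"][direction] = {}
        elif direction is not None:
            sa = tunnel["sas"][direction]
            if line.startswith("spi:"):
                sa["spi"] = int(line.split()[1])
            elif line.startswith("proposal:"):
                sa["proposal"] = line.split(":", 1)[1].strip()
            elif line.startswith("sa remaining key duration"):
                kb, sec = line.split(":")[1].strip().split("/")
                sa["remaining_kb"], sa["remaining_sec"] = int(kb), int(sec)
            elif line.startswith("udp encapsulation"):
                sa["nat_t"] = line.split(":")[1].strip() == "Y"
    return tunnels


def tunnel_status(ike_text, ipsec_text, peer, min_remaining_sec=120):
    """Return (up, reasons): up needs a READY phase-2 IKE SA with the peer and
    an inbound and an outbound ESP SA that are not about to expire."""
    reasons = []
    phase2 = [s for s in parse_ike_sa(ike_text) if s["peer"] == peer and s["phase"] == 2]
    if not any("RD" in s["flags"] for s in phase2):
        reasons.append(f"no READY phase-2 IKE SA with {peer}")
    tunnels = [t for t in parse_ipsec_sa(ipsec_text) if t.get("remote") == peer]
    if not tunnels:
        reasons.append(f"no IPSec SA with {peer}")
    for t in tunnels:
        for direction in ("inbound", "outbound"):
            sa = t["sas"].get(direction, {})
            if "spi" not in sa:
                reasons.append(f"{direction} ESP SA missing")
            elif sa.get("remaining_sec", 0) < min_remaining_sec:
                reasons.append(f"{direction} SA expires in {sa.get('remaining_sec', 0)}s")
    return not reasons, reasons
```

The phase-1 row (v1:1) alone is not enough: an IKE SA can be READY while phase 2 is still NEGOTIATING, so the check keys on the phase-2 row and on the presence of both ESP SAs. Feed the function the output of a peer that is not configured and it returns the reasons rather than raising, which is what a monitoring loop wants.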
Configuration Files
```
#
 sysname HUAWEI
#
interface GigabitEthernet 1/0/3
 ip address 1.1.1.1 24
#
interface GigabitEthernet 1/0/5
 ip address 192.168.10.1 24
#
firewall zone untrust
 add interface GigabitEthernet 1/0/3
 add interface Tunnel 1
#
firewall zone trust
 add interface GigabitEthernet 1/0/5
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 192.168.0.0 24
  destination-address 192.168.10.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 24
  destination-address 192.168.0.0 24
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 24
  destination-address 2.2.2.2 24
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 2.2.2.2 24
  destination-address 1.1.1.1 24
  action permit
#
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
#
ike peer fortigate
 exchange-mode main
 undo version 2
 ike-proposal 1
 pre-shared-key Key@123
 remote-address 2.2.2.2
#
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
#
ipsec profile fortigate
 proposal tran1
 ike-peer fortigate
#
interface tunnel 1
 tunnel-protocol ipsec
 ip address 10.10.10.1 24
 source 1.1.1.1
 service-manage ping permit
 ipsec profile fortigate
#
ip route-static 192.168.0.0 24 tunnel 1
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
return
```
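Every parameter in the data plan has to match on both sides, and a mismatched proposal or pre-shared key is the usual reason an IKE negotiation between two vendors fails silently. The following Python script is an added example, not HUAWEI or Fortinet tooling: it parses the IKE/IPSec part of the HUAWEI configuration file above and the FortiGate settings from the procedure (rewritten in the layout the FortiGate `show` command prints, with the pre-shared key assumed to be still in plain text), fills in the FortiGate defaults this page describes (IKEv1, ESP, tunnel mode), reports every negotiated value that differs, cross-checks that each side's configured peer is the other side's tunnel endpoint, and lists the legacy algorithms the data plan relies on. Function and constant names are the example's own.

```python
"""Cross-check that the HUAWEI and FortiGate IPSec settings on this page agree."""
import re

HUAWEI_CONFIG = """\
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
ike peer fortigate
 exchange-mode main
 undo version 2
 pre-shared-key Key@123
 remote-address 2.2.2.2
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
interface tunnel 1
 source 1.1.1.1
"""

# FortiGate side in the layout `show` prints (assumption: psksecret still plain text).
FORTIGATE_CONFIG = """\
config system interface
    edit "port03"
        set ip 2.2.2.2 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "firewall"
        set interface "port03"
        set mode main
        set proposal 3des-sha1
        set psksecret Key@123
        set remote-gw 1.1.1.1
        set dhgrp 2
    next
end
config vpn ipsec phase2-interface
    edit "firewall"
        set proposal 3des-sha1
    next
end
"""

# Values the page says the FortiGate applies when the command is not given.
FORTIGATE_DEFAULTS = {"ike_version": "1", "protocol": "esp", "encap": "tunnel"}
LEGACY = {"des", "3des", "md5", "sha1", "dh1", "dh2", "dh5"}

def _grab(pattern, text, flags=re.M):
    m = re.search(pattern, text, flags)
    return m.group(1) if m else None

def parse_huawei(text):
    """Pull the negotiated parameters out of a HUAWEI configuration file."""
    fields = {"ike_mode": "exchange-mode", "ike_enc": "encryption-algorithm",
              "ike_auth": "authentication-algorithm", "psk": "pre-shared-key",
              "peer": "remote-address", "local": "source", "protocol": "transform",
              "encap": "encapsulation-mode", "esp_enc": "esp encryption-algorithm",
              "esp_auth": "esp authentication-algorithm"}
    params = {key: _grab(rf"^\s*{cmd} (\S+)", text) for key, cmd in fields.items()}
    params["ike_dh"] = "dh" + _grab(r"^\s*dh group(\d+)", text)
    # 'undo version 2' leaves IKEv1 only; otherwise the version is not pinned.
    params["ike_version"] = "1" if re.search(r"^\s*undo version 2", text, re.M) else "unknown"
    return params

def _block(text, config, entry):
    # Body of `edit <entry>` inside `config <config> ... end`.
    sec = _grab(rf"^config {re.escape(config)}\n(.*?)^end", text, re.M | re.S) or ""
    return _grab(rf'^\s*edit "?{re.escape(entry)}"?\n(.*?)^\s*next', sec, re.M | re.S) or ""

def _setting(block, key):
    return _grab(rf'^\s*set {re.escape(key)} "?([^"\n]+?)"?\s*$', block)

def parse_fortigate(text, tunnel="firewall"):
    """Pull the same parameters from a FortiGate config; defaults fill the gaps."""
    p1 = _block(text, "vpn ipsec phase1-interface", tunnel)
    p2 = _block(text, "vpn ipsec phase2-interface", tunnel)
    port = _block(text, "system interface", _setting(p1, "interface"))
    ike_enc, ike_auth = _setting(p1, "proposal").split("-")
    esp_enc, esp_auth = _setting(p2, "proposal").split("-")
    return {**FORTIGATE_DEFAULTS, "ike_mode": _setting(p1, "mode"),
            "ike_enc": ike_enc, "ike_auth": ike_auth, "ike_dh": "dh" + _setting(p1, "dhgrp"),
            "psk": _setting(p1, "psksecret"), "peer": _setting(p1, "remote-gw"),
            "local": _setting(port, "ip").split()[0],
            "esp_enc": esp_enc, "esp_auth": esp_auth}

def compare(huawei, fortigate):
    """Mismatches that would make IKE or IPSec negotiation fail."""
    problems = [f"{k}: HUAWEI={huawei[k]} FortiGate={fortigate[k]}"
                for k in huawei if k not in ("peer", "local") and huawei[k] != fortigate[k]]
    # Each side's configured peer must be the other side's tunnel endpoint.
    if huawei["peer"] != fortigate["local"]:
        problems.append(f"HUAWEI remote-address {huawei['peer']} != FortiGate address {fortigate['local']}")
    if fortigate["peer"] != huawei["local"]:
        problems.append(f"FortiGate remote-gw {fortigate['peer']} != HUAWEI tunnel source {huawei['local']}")
    return problems

def legacy_algorithms(params):  # negotiate fine, but prefer AES, SHA2 and DH group 14+
    keys = ("ike_enc", "ike_auth", "ike_dh", "esp_enc", "esp_auth")
    return sorted({params[k] for k in keys if params[k] in LEGACY})
```

Run `compare(parse_huawei(HUAWEI_CONFIG), parse_fortigate(FORTIGATE_CONFIG))` and an empty list means the two sides agree on everything this page negotiates; change one value (for example `set dhgrp 2` to `set dhgrp 14`) and the offending parameter is named. The legacy check is deliberately separate, since those algorithms do negotiate; they are a hardening item, not a connectivity bug.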