Establishing IPSec Tunnels in Virtual Tunnel Interface Mode Between HUAWEI Firewalls and Cisco Firewalls
Networking Requirements
As shown in Figure 1, the HUAWEI firewall serves as the Internet gateway at the headquarters, and the Cisco firewall serves as the Internet gateway at the branch. The headquarters requires that all traffic transmitted through the IPSec tunnel be diverted to a tunnel interface, both for ease of managing that traffic and for secure communication between the headquarters and branch intranets.
Data Plan
| Configuration Item | | HUAWEI Firewall | Cisco Firewall |
|---|---|---|---|
| IPSec proposal | Encapsulation mode | Tunnel mode | Tunnel mode |
| | Security protocol | ESP | ESP |
| | ESP authentication algorithm | SHA1 | ESP-SHA-HMAC |
| | ESP encryption algorithm | AES | ESP-AES |
| IKE peer | Negotiation mode | Main mode | Main mode |
| | Encryption algorithm | AES-128 | AES |
| | Authentication algorithm | SHA1 | SHA |
| | DH Group | GROUP2 | GROUP 2 |
| | Pre-shared key | Key123 | Key123 |
| | Identity type | IP address | IP address |
| | IKE Version | V1 | V1 |
Configuration Roadmap
- Configure the HUAWEI firewall:
  - Set IP addresses for interfaces and assign the interfaces to security zones.
  - Configure an interzone security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the HUAWEI firewall.
  - Configure an IPSec policy, including defining the data flow to be protected, configuring an IPSec proposal, creating an IKE proposal, and configuring an IKE peer.
  - Apply the IPSec policy to the tunnel interface.
  - Configure a route from the HUAWEI firewall to the branch intranet.
  - Configure the default route from the HUAWEI firewall to the Internet.
- Configure the Cisco firewall:
  - Set IP addresses for interfaces and enable access control on the interfaces.
  - Configure the default route from the Cisco firewall to the Internet.
  - Configure an IPSec policy, including defining the data flow to be protected, configuring an IPSec proposal, creating an IKE proposal, and configuring a pre-shared key.
  - Apply the IPSec policy to an interface.
  - Enable the IPSec policy on the interface.
Configuration Precautions
- The key point of this example is that the interface used to establish the tunnel changes from a physical interface to a logical tunnel interface. Pay attention to the IP address of the tunnel interface: it can be specified manually or borrowed from a physical interface (unnumbered), but either way it must be reachable from the peer end of the tunnel. In practice this is usually a public address.
- You must permit the ping service for the tunnel interface. Otherwise, pinging a user on the headquarters network from the branch network may fail.
- In the IPSec tunnel establishment at the tunnel interface, you must set tunnel-protocol to IPSec.
Configuration Procedure
- Configure the HUAWEI firewall.
- Set IP addresses for interfaces and assign them to security zones.
```
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[HUAWEI-GigabitEthernet1/0/1] service-manage ping permit   /*Allow the Cisco firewall to ping the interface. */
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface GigabitEthernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] ip address 1.1.3.1 24
[HUAWEI-GigabitEthernet1/0/2] service-manage ping permit   /*Allow the Cisco firewall to ping the interface. */
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] interface tunnel 1
[HUAWEI-Tunnel1] ip address unnumbered interface GigabitEthernet1/0/2
[HUAWEI-Tunnel1] tunnel-protocol ipsec
[HUAWEI-Tunnel1] service-manage ping permit
[HUAWEI-Tunnel1] quit
[HUAWEI] firewall zone trust
[HUAWEI-zone-trust] add interface GigabitEthernet 1/0/1
[HUAWEI-zone-trust] quit
[HUAWEI] firewall zone untrust
[HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/2
[HUAWEI-zone-untrust] add interface tunnel 1
[HUAWEI-zone-untrust] quit
```
- Configure interzone security policies.
- Configure security policies for the Trust-Untrust interzone to allow the unencapsulated and decapsulated packets to pass through the HUAWEI firewall.
```
[HUAWEI] security-policy
[HUAWEI-policy-security] rule name 1
[HUAWEI-policy-security-rule-1] source-zone untrust
[HUAWEI-policy-security-rule-1] destination-zone trust
[HUAWEI-policy-security-rule-1] source-address 10.1.3.0 24
[HUAWEI-policy-security-rule-1] destination-address 10.1.1.0 24
[HUAWEI-policy-security-rule-1] action permit
[HUAWEI-policy-security-rule-1] quit
[HUAWEI-policy-security] rule name 2
[HUAWEI-policy-security-rule-2] source-zone trust
[HUAWEI-policy-security-rule-2] destination-zone untrust
[HUAWEI-policy-security-rule-2] source-address 10.1.1.0 24
[HUAWEI-policy-security-rule-2] destination-address 10.1.3.0 24
[HUAWEI-policy-security-rule-2] action permit
[HUAWEI-policy-security-rule-2] quit
```
- Configure security policies for the Local-Untrust interzone to allow IKE negotiation packets to pass through the HUAWEI firewall.
```
[HUAWEI-policy-security] rule name 3
[HUAWEI-policy-security-rule-3] source-zone local
[HUAWEI-policy-security-rule-3] destination-zone untrust
[HUAWEI-policy-security-rule-3] source-address 1.1.3.1 32
[HUAWEI-policy-security-rule-3] destination-address 1.1.5.1 32
[HUAWEI-policy-security-rule-3] action permit
[HUAWEI-policy-security-rule-3] quit
[HUAWEI-policy-security] rule name 4
[HUAWEI-policy-security-rule-4] source-zone untrust
[HUAWEI-policy-security-rule-4] destination-zone local
[HUAWEI-policy-security-rule-4] source-address 1.1.5.1 32
[HUAWEI-policy-security-rule-4] destination-address 1.1.3.1 32
[HUAWEI-policy-security-rule-4] action permit
[HUAWEI-policy-security-rule-4] quit
```
- Configure an IPSec policy.
- Configure an ACL to define the data flow to be protected.
```
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[HUAWEI-acl-adv-3000] quit
```
- Configure an IPSec proposal.
```
[HUAWEI] ipsec proposal tran1
[HUAWEI-ipsec-proposal-tran1] transform esp
[HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
[HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1
[HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[HUAWEI-ipsec-proposal-tran1] quit
```
- Create an IKE proposal.
```
[HUAWEI] ike proposal 1
[HUAWEI-ike-proposal-1] encryption-algorithm aes-128
[HUAWEI-ike-proposal-1] authentication-algorithm sha1
[HUAWEI-ike-proposal-1] dh group2
[HUAWEI-ike-proposal-1] quit
```
- Configure an IKE peer.
```
[HUAWEI] ike peer asa
[HUAWEI-ike-peer-asa] undo version 2
[HUAWEI-ike-peer-asa] exchange-mode main
[HUAWEI-ike-peer-asa] ike-proposal 1
[HUAWEI-ike-peer-asa] remote-address 1.1.5.1
[HUAWEI-ike-peer-asa] pre-shared-key Key123
[HUAWEI-ike-peer-asa] quit
```
- Configure an IPSec policy.
```
[HUAWEI] ipsec policy map1 1 isakmp
[HUAWEI-ipsec-policy-isakmp-map1-1] security acl 3000
[HUAWEI-ipsec-policy-isakmp-map1-1] proposal tran1
[HUAWEI-ipsec-policy-isakmp-map1-1] ike-peer asa
[HUAWEI-ipsec-policy-isakmp-map1-1] quit
```
- Apply the IPSec policy to the tunnel interface.
```
[HUAWEI] interface Tunnel 1
[HUAWEI-Tunnel1] ipsec policy map1
[HUAWEI-Tunnel1] quit
```
- Configure routes.
```
# Configure a route to the branch intranet to divert the traffic to the tunnel interface.
[HUAWEI] ip route-static 10.1.3.0 24 tunnel 1
# Configure a default route from the HUAWEI firewall to the Internet. In the example, the next-hop IP address is 1.1.3.2.
[HUAWEI] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
```
- Configure the Cisco firewall.
- Configure the IP address of the Cisco firewall interface.
```
ASA5520> en
ASA5520# configure terminal
ASA5520(config)# interface GigabitEthernet 0/1
ASA5520(config-if)# nameif in
ASA5520(config-if)# security-level 90
ASA5520(config-if)# ip address 10.1.3.1 255.255.255.0
ASA5520(config-if)# exit
ASA5520(config)# interface GigabitEthernet 0/2
ASA5520(config-if)# nameif out
ASA5520(config-if)# security-level 10
ASA5520(config-if)# ip address 1.1.5.1 255.255.255.0
ASA5520(config-if)# exit
```
- Enable access control for the Cisco firewall interface.
```
ASA5520(config)# access-list 10 extended permit icmp any any
ASA5520(config)# access-group 10 in interface in
ASA5520(config)# access-group 10 out interface in
ASA5520(config)# access-group 10 in interface out
ASA5520(config)# access-group 10 out interface out
```
- Configure a default route from the Cisco firewall to the Internet. In the example, the next-hop IP address is 1.1.5.2.
```
ASA5520(config)# route out 0.0.0.0 0.0.0.0 1.1.5.2 1
```
- Configure IPSec.
- Configure an ACL to define the data flow to be protected.
Note that the Cisco firewall uses a subnet mask in the ACL, whereas the HUAWEI firewall uses a wildcard mask; the two notations are not interchangeable, and the data flows on both sides must mirror each other exactly.
```
ASA5520(config)# access-list ipsec permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
```
- Configure an IPSec proposal.
```
ASA5520(config)# crypto ipsec transform-set myset esp-aes esp-sha-hmac
```
- Create an IKE proposal.
```
ASA5520(config)# crypto isakmp policy 10
ASA5520(config-isakmp-policy)# authentication pre-share
ASA5520(config-isakmp-policy)# encryption aes
ASA5520(config-isakmp-policy)# hash sha
ASA5520(config-isakmp-policy)# group 2
ASA5520(config-isakmp-policy)# lifetime 86400
```
- Configure a pre-shared key.
```
ASA5520(config)# crypto isakmp key Key123 address 1.1.3.1
```
- Configure an IPSec policy.
Reference the configured ACL and IPSec proposal in the IPSec policy.
```
ASA5520(config)# crypto map ipsec_map 10 match address ipsec
ASA5520(config)# crypto map ipsec_map 10 set peer 1.1.3.1
ASA5520(config)# crypto map ipsec_map 10 set transform-set myset
```
- Apply the IPSec policy to the interface.
```
ASA5520(config)# crypto map ipsec_map interface out
```
- Enable the IPSec policy on the interface.
```
ASA5520(config)# crypto isakmp enable out
```
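A mismatch between the two proxy IDs (the Huawei ACL written with a wildcard mask and the Cisco access-list written with a subnet mask) is the most common reason the IPSec SA in this kind of setup never comes up. The following checker is an added example, not part of the original page or of either vendor's tooling: it converts both notations to networks and confirms that the Cisco ACL is the exact mirror image of the Huawei rule, using the two rules from this example as constructed input.

```python
import ipaddress
import re

# Constructed sample rules, copied from the two proxy-ID definitions in this example:
# the Huawei side uses a wildcard mask, the Cisco side an ordinary subnet mask.
HUAWEI_RULE = "rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255"
CISCO_ACL = "access-list ipsec permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0"

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def wildcard_to_network(addr, wildcard):
    """Huawei wildcard: 0 bits must match, 1 bits are don't-care. Invert it to a
    subnet mask. A non-contiguous wildcard raises ValueError, which is the right
    outcome because it cannot be expressed as a single IPSec proxy ID."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def mask_to_network(addr, mask):
    """Cisco ASA access-lists carry a plain subnet mask."""
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_huawei_rule(line):
    """Return (source, destination) networks from a Huawei advanced ACL rule."""
    m = re.search(rf"source {IPV4} {IPV4} destination {IPV4} {IPV4}", line)
    if not m:
        raise ValueError("unrecognised Huawei ACL rule: " + line)
    return wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])


def parse_cisco_acl(line):
    """Return (source, destination) networks from a Cisco ASA access-list line."""
    m = re.search(rf"permit ip {IPV4} {IPV4} {IPV4} {IPV4}", line)
    if not m:
        raise ValueError("unrecognised Cisco access-list: " + line)
    return mask_to_network(m[1], m[2]), mask_to_network(m[3], m[4])


def proxy_ids_mirror(huawei_line, cisco_line):
    """True when the Cisco ACL is the exact mirror image of the Huawei rule, i.e.
    each side's source network is the other side's destination network."""
    h_src, h_dst = parse_huawei_rule(huawei_line)
    c_src, c_dst = parse_cisco_acl(cisco_line)
    return h_src == c_dst and h_dst == c_src


if __name__ == "__main__":
    print("proxy IDs mirror:", proxy_ids_mirror(HUAWEI_RULE, CISCO_ACL))
```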
Verification
- Ping a user on the headquarters network from the branch network.
- In normal cases, the data flows from the branch to the headquarters trigger the gateways to establish an IPSec tunnel. On the HUAWEI firewall, check whether an IKE SA is established. If the following information is displayed, an IKE SA has been established.
```
<HUAWEI> display ike sa
--------------------------------------------------------------------------------------------------
conn-id    peer                                   flag         phase   vpn
--------------------------------------------------------------------------------------------------
54         1.1.5.1                                RD|ST|A      v1:2    public
53         1.1.5.1                                RD|ST|A      v1:1    public

flag meaning
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
TD--DELETING   NEG--NEGOTIATING   D--DPD   M--ACTIVE   S--STANDBY   A--ALONE
```
- Run the display ipsec sa command to check whether an IPSec SA is established. If the following information is displayed, an IPSec SA is established.
```
<HUAWEI> display ipsec sa
===============================
Interface: Tunnel1
path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "map1"
  sequence number: 1
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 54
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 27m 23s
    tunnel local : 1.1.3.1    tunnel remote: 1.1.5.1
    flow source: 10.1.1.0/255.255.255.0 0/0
    flow destination: 10.1.3.0/255.255.255.0 0/0

    [inbound ESP SAs]
      spi: 4231227848 (0xfc3369c8)
      vpn: public said: 8 cpuid: 0x0000
      proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 4608000/1957
      max received sequence-number: 3
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 2527152779 (0x96a14a8b)
      vpn: public said: 9 cpuid: 0x0000
      proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 4608000/1957
      max sent sequence-number: 4
      udp encapsulation used for nat traversal: N
```
Configuration Files
```
#
 sysname HUAWEI
#
interface GigabitEthernet 1/0/1
 undo shutdown
 ip address 10.1.1.1 24
 service-manage ping permit
#
interface GigabitEthernet 1/0/2
 undo shutdown
 ip address 1.1.3.1 24
 service-manage ping permit
#
interface tunnel 1
 ip address unnumbered interface GigabitEthernet1/0/2
 tunnel-protocol ipsec
 service-manage ping permit
 ipsec policy map1
#
firewall zone trust
 add interface GigabitEthernet 1/0/1
#
firewall zone untrust
 add interface GigabitEthernet 1/0/2
 add interface tunnel 1
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 10.1.3.0 24
  destination-address 10.1.1.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  destination-address 10.1.3.0 24
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 1.1.3.1 32
  destination-address 1.1.5.1 32
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 1.1.5.1 32
  destination-address 1.1.3.1 32
  action permit
#
acl 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
#
ike proposal 1
 encryption-algorithm aes-128
 authentication-algorithm sha1
 dh group2
#
ike peer asa
 undo version 2
 exchange-mode main
 ike-proposal 1
 remote-address 1.1.5.1
 pre-shared-key Key123
#
ipsec policy map1 1 isakmp
 security acl 3000
 proposal tran1
 ike-peer asa
#
ip route-static 10.1.3.0 24 tunnel 1
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
#
return
```