Establishing IPSec Tunnels Between HUAWEI Firewalls and Fortinet Firewalls in NAT Traversal Scenarios
Networking Requirements
As shown in Figure 1, the Fortinet firewall at the branch has no public IP address. HUAWEI firewall_B performs source NAT for it, so the branch reaches the Internet with firewall_B's public address and establishes an IPSec tunnel with HUAWEI firewall_A at the headquarters. Because HUAWEI firewall_B provides only source address translation, connections can be initiated only from the branch toward the headquarters; therefore only the branch can proactively establish the IPSec tunnel, never the headquarters.
Data Plan
Item | Parameter | HUAWEI firewall_A | Fortinet firewall
---|---|---|---
IKE SA | Negotiation mode | Main mode | Main mode
IKE SA | Encryption algorithm | 3des | 3des
IKE SA | Authentication algorithm | sha1 | sha1
IKE SA | Pre-shared key | Key@123 | Key@123
IKE SA | Peer address | NATed address of the peer (2.2.2.2) | Public address of the peer (1.1.1.1)
IKE SA | Authentication address of the peer | Pre-NAT address of the peer (10.10.10.2) | -
IKE SA | IKE version | V1 | V1
IKE SA | DH | Group2 | Group2
IKE SA | NAT traversal enabled or not | Yes | Yes
IPSec SA | Encapsulation mode | Tunnel mode | Tunnel mode
IPSec SA | Security protocol | ESP | ESP
IPSec SA | Encryption algorithm | 3des | 3des
IPSec SA | Authentication algorithm | sha1 | sha1

The 3des, sha1 and DH group2 values are those of this interoperability example. 3DES and 1024-bit MODP (group2) are deprecated for new deployments; both platforms also support AES and larger DH groups, which should be preferred in production, provided the same values are configured on both ends.
Configuration Roadmap
- Configure HUAWEI firewall_A:
- Set IP addresses for interfaces and assign the interfaces to security zones.
- Configure an interzone security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through HUAWEI firewall_A.
- Configure the default route from HUAWEI firewall_A to the Internet.
- Configure an IPSec policy, including defining the data flow to be protected, configuring an IPSec proposal, creating an IKE proposal, configuring an IKE peer, and configuring IPSec NAT traversal.
- Apply the IPSec policy to an interface.
- Configure HUAWEI firewall_B:
- Set IP addresses for interfaces and assign the interfaces to security zones.
- Configure an Untrust-Trust interzone security policy to allow the post-NAT packets to pass through HUAWEI firewall_B.
- Configure Source NAT.
- Configure routes to the HQ and branch.
- Configure the Fortinet firewall:
- Set IP addresses for interfaces.
- Configure IKE SA, IPSec SA, and IPSec NAT traversal.
- Assign the tunnel interface to the Untrust zone.
- Configure a security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the Fortinet firewall.
- Configure a route to divert traffic to the tunnel interface.
- Configure the default route to the Internet.
Configuration Precautions
- In this example, the HUAWEI firewall_B has the Source NAT function configured so that the branch can initiate negotiation for establishing an IPSec tunnel with the HQ, but not the other way around. If the HUAWEI firewall_B has the NAT Server function configured, both the HQ and branch can initiate negotiation for establishing an IPSec tunnel.
- In this example, the post-NAT address is known. If this address is unknown, you must configure an IPSec policy in template mode on the HUAWEI firewall_A.
Configuration Procedure
- Configure HUAWEI firewall_A.
- Configure interfaces and assign them to security zones.
- Configure GE1/0/3 and assign it to the Untrust zone.
```
[HUAWEI_A] interface GigabitEthernet 1/0/3
[HUAWEI_A-GigabitEthernet1/0/3] ip address 1.1.1.1 24
[HUAWEI_A-GigabitEthernet1/0/3] quit
[HUAWEI_A] firewall zone untrust
[HUAWEI_A-zone-untrust] add interface GigabitEthernet 1/0/3
[HUAWEI_A-zone-untrust] quit
```
- Configure GE1/0/5 and assign it to the Trust zone.
```
[HUAWEI_A] interface GigabitEthernet 1/0/5
[HUAWEI_A-GigabitEthernet1/0/5] ip address 192.168.10.1 24
[HUAWEI_A-GigabitEthernet1/0/5] quit
[HUAWEI_A] firewall zone trust
[HUAWEI_A-zone-trust] add interface GigabitEthernet 1/0/5
[HUAWEI_A-zone-trust] quit
```
- Configure security policies.
- Configure Untrust-Trust interzone security policies.
Configure policy 1 so that the branch can access the headquarters and configure policy 2 so that the headquarters can access the branch.
```
[HUAWEI_A] security-policy
[HUAWEI_A-policy-security] rule name 1
[HUAWEI_A-policy-security-rule-1] source-zone untrust
[HUAWEI_A-policy-security-rule-1] destination-zone trust
[HUAWEI_A-policy-security-rule-1] source-address 192.168.0.0 24
[HUAWEI_A-policy-security-rule-1] destination-address 192.168.10.0 24
[HUAWEI_A-policy-security-rule-1] action permit
[HUAWEI_A-policy-security-rule-1] quit
[HUAWEI_A-policy-security] rule name 2
[HUAWEI_A-policy-security-rule-2] source-zone trust
[HUAWEI_A-policy-security-rule-2] destination-zone untrust
[HUAWEI_A-policy-security-rule-2] source-address 192.168.10.0 24
[HUAWEI_A-policy-security-rule-2] destination-address 192.168.0.0 24
[HUAWEI_A-policy-security-rule-2] action permit
[HUAWEI_A-policy-security-rule-2] quit
```
- Configure Local-Untrust interzone security policies.
Configure policy 3 so that HUAWEI firewall_A can initiate an IPSec tunnel establishment request and configure policy 4 so that HUAWEI firewall_A can receive an IPSec tunnel establishment request.
```
[HUAWEI_A-policy-security] rule name 3
[HUAWEI_A-policy-security-rule-3] source-zone local
[HUAWEI_A-policy-security-rule-3] destination-zone untrust
[HUAWEI_A-policy-security-rule-3] source-address 1.1.1.1 24
[HUAWEI_A-policy-security-rule-3] destination-address 2.2.2.2 24
[HUAWEI_A-policy-security-rule-3] action permit
[HUAWEI_A-policy-security-rule-3] quit
[HUAWEI_A-policy-security] rule name 4
[HUAWEI_A-policy-security-rule-4] source-zone untrust
[HUAWEI_A-policy-security-rule-4] destination-zone local
[HUAWEI_A-policy-security-rule-4] source-address 2.2.2.2 24
[HUAWEI_A-policy-security-rule-4] destination-address 1.1.1.1 24
[HUAWEI_A-policy-security-rule-4] action permit
[HUAWEI_A-policy-security-rule-4] quit
```
When you configure policy 3, the destination address is the NATed address of the peer (2.2.2.2, the public address of HUAWEI firewall_B). When you configure policy 4, the source address is the NATed address of the peer. IKE negotiation packets arrive from this address, not from the Fortinet firewall's own address.
- Configure a default route to the Internet. In the example, the next-hop IP address is 1.1.1.2.
```
[HUAWEI_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
```
- Create an ACL to define the data flow to be protected.
Packets from 192.168.10.0/24 to 192.168.0.0/24 shall be transmitted over an IPSec tunnel.
```
[HUAWEI_A] acl 3000
[HUAWEI_A-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[HUAWEI_A-acl-adv-3000] quit
```
- Before HUAWEI firewall_A initiates a negotiation, it looks up the outbound interface in the routing table, checks that security policy 2 permits the original (not yet encapsulated) traffic, checks that the traffic matches the ACL referenced by the IPSec policy, and checks that security policy 3 permits the IKE packets it is about to send. Only when all of these checks pass does it send the negotiation request.
- When HUAWEI firewall_A receives a negotiation request, it checks that the traffic flow proposed by the peer matches the ACL and that security policy 4 permits the negotiation packets. If both checks pass, it negotiates with the peer; otherwise it discards the negotiation packet.
- Configure an IKE SA.
- Configure an IKE proposal and specify the encryption algorithm, authentication algorithm, and DH group.
```
[HUAWEI_A] ike proposal 1
[HUAWEI_A-ike-proposal-1] encryption-algorithm 3des
[HUAWEI_A-ike-proposal-1] authentication-algorithm sha1
[HUAWEI_A-ike-proposal-1] dh group2
[HUAWEI_A-ike-proposal-1] quit
```
- Configure an IKE peer, specify the negotiation mode, IKE version, pre-shared key, peer address, and peer authentication address, and enable the NAT traversal function.
```
[HUAWEI_A] ike peer fortigate
[HUAWEI_A-ike-peer-fortigate] exchange-mode main
[HUAWEI_A-ike-peer-fortigate] undo version 2
[HUAWEI_A-ike-peer-fortigate] ike-proposal 1
[HUAWEI_A-ike-peer-fortigate] pre-shared-key Key@123
[HUAWEI_A-ike-peer-fortigate] remote-address 2.2.2.2
[HUAWEI_A-ike-peer-fortigate] remote-address authentication-address 10.10.10.2
[HUAWEI_A-ike-peer-fortigate] nat traversal
[HUAWEI_A-ike-peer-fortigate] quit
```
- Run the remote-address command to set the peer address to the NATed address (2.2.2.2, where the IKE packets actually come from), and the remote-address authentication-address command to set the peer authentication address to the pre-NAT address (10.10.10.2). The Fortinet firewall identifies itself in main mode with its own interface address, which after source NAT no longer matches the packet's source address; the authentication address tells HUAWEI firewall_A which identity to expect and accept.
- Run the nat traversal command to enable the NAT traversal function. In this scenario, you must enable this function on both ends.
- Configure an IPSec proposal and specify the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm.
```
[HUAWEI_A] ipsec proposal tran1
[HUAWEI_A-ipsec-proposal-tran1] transform esp
[HUAWEI_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[HUAWEI_A-ipsec-proposal-tran1] esp encryption-algorithm 3des
[HUAWEI_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[HUAWEI_A-ipsec-proposal-tran1] quit
```
- Configure an IPSec policy and associate it with the IKE peer, IPSec proposal, and ACL.
```
[HUAWEI_A] ipsec policy map1 1 isakmp
[HUAWEI_A-ipsec-policy-isakmp-map1-1] ike-peer fortigate
[HUAWEI_A-ipsec-policy-isakmp-map1-1] proposal tran1
[HUAWEI_A-ipsec-policy-isakmp-map1-1] security acl 3000
[HUAWEI_A-ipsec-policy-isakmp-map1-1] quit
```
- Apply the IPSec policy to the interface.
```
[HUAWEI_A] interface GigabitEthernet 1/0/3
[HUAWEI_A-GigabitEthernet1/0/3] ipsec policy map1
[HUAWEI_A-GigabitEthernet1/0/3] quit
```
- Configure the Fortinet firewall.
- Configure an interface.
- Configure port03.
```
Fortigate # config system interface
Fortigate (interface) # edit port03
Fortigate (port03) # set ip 10.10.10.2 255.255.255.0
Fortigate (port03) # set allowaccess ping https ssh snmp http telnet
Fortigate (port03) # end
```
- Configure port10.
```
Fortigate # config system interface
Fortigate (interface) # edit port10
Fortigate (port10) # set ip 192.168.0.1 255.255.255.0
Fortigate (port10) # set allowaccess ping https ssh snmp http telnet
Fortigate (port10) # end
```
On the Fortinet firewall, you can configure security policies directly for physical interfaces, without having to assign them to security zones. Of course, you can also assign them to security zones and configure security policies accordingly.

Note that the allowaccess setting above also enables cleartext management protocols (http, telnet) and SNMP on both interfaces, including port03, which faces the NAT device. In a production deployment, restrict allowaccess to the management protocols actually required and, where possible, to the inside interface only.
- Configure an IKE SA, specify its name, bound interface, negotiation mode, encryption algorithm, authentication algorithm, pre-shared key, peer address, and DH group, and enable the NAT traversal function.
```
Fortigate # config vpn ipsec phase1-interface
Fortigate (phase1-interface) # edit firewall
new entry 'firewall' added
Fortigate (firewall) # set interface port03
Fortigate (firewall) # set mode main
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set psksecret Key@123
Fortigate (firewall) # set remote-gw 1.1.1.1
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # set nattraversal enable
Fortigate (firewall) # end
```
- The IKE version is not set explicitly in this example. The Fortinet firewall defaults to IKEv1, which matches the undo version 2 setting on HUAWEI firewall_A.
- Run the set interface command to bind the IKE SA to the specified port, which is equal to applying the IPSec policy to the interface on the HUAWEI firewall.
- Run the set proposal 3des-sha1 command to set the encryption algorithm (3des) and authentication algorithm (sha1) of the IKE SA.
- Configure an IPSec SA and specify its name, bound IKE SA, encryption algorithm, authentication algorithm, DH group, and the protected subnets.
```
Fortigate # config vpn ipsec phase2-interface
Fortigate (phase2-interface) # edit firewall
new entry 'firewall' added
Fortigate (firewall) # set phase1name firewall
Fortigate (firewall) # set dhgrp 2
Fortigate (firewall) # set proposal 3des-sha1
Fortigate (firewall) # set dst-subnet 192.168.10.0 255.255.255.0
Fortigate (firewall) # set src-subnet 192.168.0.0 255.255.255.0
Fortigate (firewall) # end
```
- The encapsulation mode and security protocol are not set explicitly in this example. The Fortinet firewall defaults to tunnel mode and ESP, which matches the IPSec proposal on HUAWEI firewall_A.
- Run the set phase1name command to specify the IKE SA referenced by the IPSec SA.
- Run the set proposal 3des-sha1 command to set the encryption algorithm (3des) and authentication algorithm (sha1) of the IPSec SA.
- Run the dst-subnet and src-subnet commands to define the data flow to be protected, which is equal to configuring an ACL on the HUAWEI firewall.
- Assign the tunnel interface to the Untrust zone.
```
Fortigate # config system zone
Fortigate (zone) # edit untrust
Fortigate (untrust) # set interface firewall
Fortigate (untrust) # end
```
- After you successfully configure the IKE SA, the device automatically generates a tunnel interface with the same name as the IKE SA for protected traffic to pass through.
- On the Fortinet firewall, you must assign the tunnel interface to a security zone and then configure a security policy accordingly.
- Configure security policies.
- Configure a security policy between port03 and port10.
Configure policy 66 so that the headquarters can properly access the branch and configure policy 99 so that the branch can properly access the headquarters.
```
Fortigate # config firewall policy
Fortigate (policy) # edit 66
Fortigate (66) # set srcintf port03
Fortigate (66) # set dstintf port10
Fortigate (66) # set srcaddr all
Fortigate (66) # set dstaddr all
Fortigate (66) # set action accept
Fortigate (66) # set schedule always
Fortigate (66) # set service ANY
Fortigate (66) # end
Fortigate # config firewall policy
Fortigate (policy) # edit 99
Fortigate (99) # set srcintf port10
Fortigate (99) # set dstintf port03
Fortigate (99) # set srcaddr all
Fortigate (99) # set dstaddr all
Fortigate (99) # set action accept
Fortigate (99) # set schedule always
Fortigate (99) # set service ANY
Fortigate (99) # end
```
Policies 66 and 99 accept any source, destination and service. Policy 66 in particular admits unencrypted traffic arriving on port03 into the branch LAN independently of the tunnel (tunnel traffic enters through the untrust zone, see policy 96 below). In production, restrict srcaddr, dstaddr and service to what the deployment actually requires.
- Configure a security policy between the Untrust zone and port10, namely, between the tunnel interface and port10.
Configure policy 96 to ensure that the traffic passing through the tunnel interface can enter the branch intranet and configure policy 76 to ensure that the traffic passing through the tunnel interface can be transparently transmitted to the extranet.
```
Fortigate # config firewall policy
Fortigate (policy) # edit 96
Fortigate (96) # set srcintf untrust
Fortigate (96) # set dstintf port10
Fortigate (96) # set srcaddr all
Fortigate (96) # set dstaddr all
Fortigate (96) # set action accept
Fortigate (96) # set schedule always
Fortigate (96) # set service ANY
Fortigate (96) # end
Fortigate # config firewall policy
Fortigate (policy) # edit 76
Fortigate (76) # set srcintf port10
Fortigate (76) # set dstintf untrust
Fortigate (76) # set srcaddr all
Fortigate (76) # set dstaddr all
Fortigate (76) # set action accept
Fortigate (76) # set schedule always
Fortigate (76) # set service ANY
Fortigate (76) # end
```
- Configure static routes.
- Configure a static route that sends traffic for the headquarters network to the tunnel interface.
```
Fortigate # config router static
Fortigate (static) # edit 76
Fortigate (76) # set device firewall
Fortigate (76) # set dst 192.168.10.0 255.255.255.0
Fortigate (76) # end
```
- Configure a default route to the Internet, passing through port03 and with the next hop being 10.10.10.3.
```
Fortigate # config router static
Fortigate (static) # edit 33
Fortigate (33) # set dst 0.0.0.0 0.0.0.0
Fortigate (33) # set gateway 10.10.10.3
Fortigate (33) # set device port03
Fortigate (33) # end
```
- Configure HUAWEI firewall_B, which serves as the NAT device.
- Configure interfaces and assign them to security zones.
- Configure GE0/0/1 and assign it to the Untrust zone.
```
[HUAWEI_B] interface GigabitEthernet 0/0/1
[HUAWEI_B-GigabitEthernet0/0/1] ip address 2.2.2.2 255.255.255.0
[HUAWEI_B-GigabitEthernet0/0/1] quit
[HUAWEI_B] firewall zone untrust
[HUAWEI_B-zone-untrust] add interface GigabitEthernet 0/0/1
[HUAWEI_B-zone-untrust] quit
```
- Configure GE0/0/2 and assign it to the Trust zone.
```
[HUAWEI_B] interface GigabitEthernet 0/0/2
[HUAWEI_B-GigabitEthernet0/0/2] ip address 10.10.10.3 255.255.255.0
[HUAWEI_B-GigabitEthernet0/0/2] quit
[HUAWEI_B] firewall zone trust
[HUAWEI_B-zone-trust] add interface GigabitEthernet 0/0/2
[HUAWEI_B-zone-trust] quit
```
- Configure Untrust-Trust interzone security policies.
```
[HUAWEI_B] security-policy
[HUAWEI_B-policy-security] rule name 1
[HUAWEI_B-policy-security-rule-1] source-zone untrust
[HUAWEI_B-policy-security-rule-1] destination-zone trust
[HUAWEI_B-policy-security-rule-1] source-address 1.1.1.0 24
[HUAWEI_B-policy-security-rule-1] destination-address 10.10.10.0 24
[HUAWEI_B-policy-security-rule-1] action permit
[HUAWEI_B-policy-security-rule-1] quit
[HUAWEI_B-policy-security] rule name 2
[HUAWEI_B-policy-security-rule-2] source-zone trust
[HUAWEI_B-policy-security-rule-2] destination-zone untrust
[HUAWEI_B-policy-security-rule-2] source-address 10.10.10.0 24
[HUAWEI_B-policy-security-rule-2] destination-address 1.1.1.0 24
[HUAWEI_B-policy-security-rule-2] action permit
[HUAWEI_B-policy-security-rule-2] quit
```
- Configure source NAT.
```
[HUAWEI_B] nat-policy
[HUAWEI_B-policy-nat] rule name policy_nat1
[HUAWEI_B-policy-nat-rule-policy_nat1] source-zone trust
[HUAWEI_B-policy-nat-rule-policy_nat1] destination-zone untrust
[HUAWEI_B-policy-nat-rule-policy_nat1] source-address 10.10.10.0 24
[HUAWEI_B-policy-nat-rule-policy_nat1] action nat easy-ip
[HUAWEI_B-policy-nat-rule-policy_nat1] quit
[HUAWEI_B-policy-nat] quit
```
- Configure routes to the headquarters and branch.
```
[HUAWEI_B] ip route-static 192.168.10.0 255.255.255.0 2.2.2.1
[HUAWEI_B] ip route-static 192.168.0.0 255.255.255.0 10.10.10.2
```
Verification
- Ping PC1 at the headquarters from PC2 at the branch and verify whether the branch can proactively initiate an IPSec tunnel with the headquarters.
- On HUAWEI firewall_A at the headquarters, run the display ike sa command. If the following information is displayed, the IKE SA is successfully established.
```
[HUAWEI_A] display ike sa
current ike sa number: 2
--------------------------------------------------------------------------------
conn-id    peer                     flag        phase    vpn
--------------------------------------------------------------------------------
172        2.2.2.2:2049             RD|A        v1:2     public
171        2.2.2.2:2049             RD|A        v1:1     public

flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
TD--DELETING NEG--NEGOTIATING D--DPD M--ACTIVE S--STANDBY A--ALONE
```
The peer is shown as 2.2.2.2:2049, the post-NAT address and UDP port of the branch, rather than the Fortinet firewall's own address and UDP port 500 or 4500; v1:1 and v1:2 are the IKEv1 phase 1 and phase 2 SAs.
- On HUAWEI firewall_A at the headquarters, run the display ipsec sa command. If the following information is displayed, the IPSec SA is successfully established.
```
[HUAWEI_A] display ipsec sa
===============================
Interface: GigabitEthernet1/0/3
path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "map1"
  sequence number: 1
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 172
    rule number: 15
    encapsulation mode: tunnel
    holding time: 0d 0h 14m 35s
    tunnel local : 1.1.1.1    tunnel remote: 2.2.2.2
    flow source: 192.168.10.0/255.255.255.0 0/0
    flow destination: 192.168.0.0/255.255.255.0 0/0

    [inbound ESP SAs]
      spi: 3439073287 (0xccfc1807)
      vpn: public said: 236 cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 200000000/925
      max received sequence-number: 5
      udp encapsulation used for nat traversal: Y

    [outbound ESP SAs]
      spi: 3708494123 (0xdd0b212b)
      vpn: public said: 237 cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 200000000/925
      max sent sequence-number: 4
      udp encapsulation used for nat traversal: Y
```
The line udp encapsulation used for nat traversal: Y on both SAs confirms that NAT was detected during IKE negotiation and that ESP is being carried in UDP, as the scenario requires. If it shows N although a NAT device sits on the path, check that nat traversal is enabled on both ends.
- Log in to the web UI of the branch Fortinet firewall to check the IPSec tunnel establishment.
- If the tunnel status is displayed as a green upward arrow, the IPSec tunnel is successfully established.
- You can also run the get ipsec tunnel list command on the branch Fortinet firewall to check the IPSec tunnel establishment. If the status is up, the IPSec tunnel is successfully established.
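The `Y` in `udp encapsulation used for nat traversal` and the non-standard peer port in `display ike sa` are the device's view of NAT traversal. The following added example (not part of the original page and not vendor code) shows what the same facts look like on the wire: it classifies UDP/4500 payloads per RFC 3948 into IKE (prefixed by the four-zero-byte Non-ESP Marker), UDP-encapsulated ESP, and NAT-keepalive, and checks an ESP packet's SPI against the inbound SPI reported by `display ipsec sa`. All packets are constructed samples; the SPI 0xccfc1807 and sequence number 5 are copied from the verification output above, and the IKE message body is zero-filled rather than a real payload.

```python
import struct

# RFC 3948: once NAT is detected, IKE moves to UDP/4500 and is prefixed with a
# four-zero-byte Non-ESP Marker; ESP is sent in UDP/4500 with the ESP header
# directly after the UDP header; a single 0xFF byte is a NAT-keepalive.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# ISAKMP header: I-SPI, R-SPI, next payload, version, exchange type, flags, message id, length
ISAKMP_HDR = "!8s8sBBBBII"
EXCHANGES = {2: "identity-protection (IKEv1 main mode)", 4: "aggressive", 32: "quick mode",
             34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def build_ikev1_main_mode(ispi, rspi, body_len):
    """Constructed IKEv1 main-mode message as sent on UDP/4500 (zero-filled body)."""
    hdr = struct.pack(ISAKMP_HDR, ispi, rspi, 1, 0x10, 2, 0, 0, 28 + body_len)
    return NON_ESP_MARKER + hdr + b"\x00" * body_len


def build_udp_esp(spi, seq, body):
    """Constructed UDP-encapsulated ESP packet: SPI and sequence number, then ciphertext."""
    return struct.pack("!II", spi, seq) + body


def classify_udp4500(data):
    """Classify the payload of a UDP/4500 datagram per RFC 3948."""
    if data == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if data[:4] == NON_ESP_MARKER and len(data) >= 32:
        ispi, rspi, _np, ver, xchg, _flags, _mid, length = struct.unpack(ISAKMP_HDR, data[4:32])
        return {"kind": "ike", "version": f"v{ver >> 4}",
                "exchange": EXCHANGES.get(xchg, f"type {xchg}"),
                "initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
                "length_ok": length == len(data) - 4}
    if len(data) >= 8:
        spi, seq = struct.unpack("!II", data[:8])
        if spi != 0:  # SPI 0 is reserved, so a zero first word can only be a Non-ESP Marker
            return {"kind": "udp-esp", "spi": spi, "spi_hex": f"0x{spi:08x}", "seq": seq}
    return {"kind": "unknown"}


def matches_inbound_sa(pkt, inbound_spi):
    """True when a classified ESP packet belongs to the SA whose inbound SPI display ipsec sa shows."""
    return pkt.get("kind") == "udp-esp" and pkt["spi"] == inbound_spi


# Constructed samples (not captured from the devices on this page). The ESP SPI and
# sequence number are the inbound values from the display ipsec sa output above.
SAMPLES = {
    "keepalive": NAT_KEEPALIVE,
    "ikev1_main_mode": build_ikev1_main_mode(b"\x11" * 8, b"\x00" * 8, 60),
    "esp_inbound": build_udp_esp(0xCCFC1807, 5, b"\xa5" * 40),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:16} -> {classify_udp4500(payload)}")
```

When applied to a capture taken on the Internet side of HUAWEI firewall_B, the IKE packets should report `v1` with `identity-protection` then `quick mode`, and the ESP packets toward 1.1.1.1 should carry the SPI that `display ipsec sa` lists under inbound ESP SAs on HUAWEI firewall_A; ESP arriving as raw IP protocol 50 rather than UDP/4500 would mean NAT traversal was not negotiated.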
Configuration Files
HUAWEI Firewall_A Configuration Files
```
#
 sysname HUAWEI_A
#
interface GigabitEthernet 1/0/3
 ip address 1.1.1.1 24
 ipsec policy map1
#
interface GigabitEthernet 1/0/5
 ip address 192.168.10.1 24
#
firewall zone untrust
 add interface GigabitEthernet 1/0/3
#
firewall zone trust
 add interface GigabitEthernet 1/0/5
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 192.168.0.0 24
  destination-address 192.168.10.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 24
  destination-address 192.168.0.0 24
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 24
  destination-address 2.2.2.2 24
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 2.2.2.2 24
  destination-address 1.1.1.1 24
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
acl 3000
 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
#
ike peer fortigate
 exchange-mode main
 undo version 2
 ike-proposal 1
 pre-shared-key Key@123
 remote-address 2.2.2.2
 remote-address authentication-address 10.10.10.2
 nat traversal
#
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
#
ipsec policy map1 1 isakmp
 ike-peer fortigate
 proposal tran1
 security acl 3000
#
return
```
HUAWEI Firewall_B Configuration Files
```
#
 sysname HUAWEI_B
#
interface GigabitEthernet 0/0/1
 ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 10.10.10.3 255.255.255.0
#
firewall zone untrust
 add interface GigabitEthernet 0/0/1
#
firewall zone trust
 add interface GigabitEthernet 0/0/2
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 1.1.1.0 24
  destination-address 10.10.10.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 10.10.10.0 24
  destination-address 1.1.1.0 24
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.10.10.0 24
  action nat easy-ip
#
ip route-static 192.168.10.0 255.255.255.0 2.2.2.1
ip route-static 192.168.0.0 255.255.255.0 10.10.10.2
#
return
```
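Most IPSec interoperability failures between two vendors are parameter mismatches: IKE or ESP algorithms, DH group, pre-shared key, NAT traversal, or traffic selectors that are not mirror images of each other. The following added example (not from the original page or from either vendor) parses the IPSec-relevant blocks of both configurations into one common model, reports every mismatch, and flags algorithms that are deprecated even when both ends agree on them. The HUAWEI text is taken from the firewall_A configuration file above; the FortiGate text is a constructed configuration dump equivalent to the phase1/phase2 CLI steps, since the page gives the Fortinet side only as a CLI session. The parsers cover only the command forms used on this page, and the defaults they assume (both IKE versions enabled on the USG, IKEv1 and tunnel-mode ESP on FortiOS) are stated in the comments.

```python
import ipaddress
# Constructed inputs. HUAWEI_A is the IPSec-relevant part of the firewall_A
# configuration file above; FORTIGATE is the phase1/phase2 CLI from the Fortinet
# steps above, rewritten in the layout of a FortiOS configuration dump.
HUAWEI_A = """\
acl 3000
 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
ike peer fortigate
 exchange-mode main
 undo version 2
 pre-shared-key Key@123
 remote-address 2.2.2.2
 nat traversal
ipsec proposal tran1
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
"""
FORTIGATE = """\
config vpn ipsec phase1-interface
    edit "firewall"
        set mode main
        set proposal 3des-sha1
        set dhgrp 2
        set nattraversal enable
        set psksecret Key@123
    next
end
config vpn ipsec phase2-interface
    edit "firewall"
        set proposal 3des-sha1
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
"""
# Flag these even when both ends agree on them: deprecated for new deployments.
WEAK = {"des", "3des", "md5", "group1", "group2"}
COMPARED = ("ike_enc", "ike_auth", "dh", "mode", "psk", "natt", "esp_enc", "esp_auth", "encap")

def _wildcard_net(addr, wildcard):
    # Huawei ACLs use wildcard masks (0 bit = must match); invert to a netmask.
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_huawei(text):
    # USG defaults assumed here: both IKE versions enabled, tunnel mode, NAT-T off.
    p = {"ike_version": "v1+v2", "encap": "tunnel", "natt": False}
    for t in (l.split() for l in text.splitlines() if l.strip()):
        key = " ".join(t[:2])
        if t[0] == "encryption-algorithm": p["ike_enc"] = t[1].replace("-", "")
        elif t[0] == "authentication-algorithm": p["ike_auth"] = t[1]
        elif t[0] == "dh": p["dh"] = t[1]
        elif t[0] == "exchange-mode": p["mode"] = t[1]
        elif key == "undo version": p["ike_version"] = "v1" if t[2] == "2" else "v2"
        elif t[0] == "pre-shared-key": p["psk"] = t[1]
        elif key == "nat traversal": p["natt"] = True
        elif t[0] == "encapsulation-mode": p["encap"] = t[1]
        elif key == "esp encryption-algorithm": p["esp_enc"] = t[2].replace("-", "")
        elif key == "esp authentication-algorithm": p["esp_auth"] = t[2]
        elif t[0] == "rule":  # ACL source = local network, destination = remote network
            p["local_net"], p["remote_net"] = _wildcard_net(t[4], t[5]), _wildcard_net(t[7], t[8])
    return p

def parse_fortigate(text):
    # FortiOS defaults: IKEv1, main mode, tunnel-mode ESP. Only the first proposal is read.
    p = {"ike_version": "v1", "mode": "main", "encap": "tunnel", "natt": False}
    phase = None
    for t in (l.split() for l in text.splitlines() if l.strip()):
        if t[0] == "config":
            phase = "ike" if t[-1] == "phase1-interface" else "esp"
        elif t[0] == "set":
            if t[1] == "proposal": p[f"{phase}_enc"], p[f"{phase}_auth"] = t[2].split("-", 1)
            elif t[1] == "dhgrp" and phase == "ike": p["dh"] = "group" + t[2]
            elif t[1] == "mode": p["mode"] = t[2]
            elif t[1] == "psksecret": p["psk"] = t[2]
            elif t[1] == "nattraversal": p["natt"] = t[2] == "enable"
            elif t[1] == "ike-version": p["ike_version"] = "v" + t[2]
            elif t[1] in ("src-subnet", "dst-subnet"):
                side = "local_net" if t[1] == "src-subnet" else "remote_net"
                p[side] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
    return p

def compare(hw, fg):
    """Return (mismatches, weak_algorithms) for the two parsed ends."""
    findings = [f"{k}: HUAWEI={hw.get(k)} Fortinet={fg.get(k)}" for k in COMPARED if hw.get(k) != fg.get(k)]
    if fg["ike_version"] not in hw["ike_version"]:
        findings.append(f"ike_version: HUAWEI={hw['ike_version']} Fortinet={fg['ike_version']}")
    # Phase 2 selectors must be mirror images: Huawei ACL source/destination == Fortinet dst/src-subnet.
    if (hw.get("local_net"), hw.get("remote_net")) != (fg.get("remote_net"), fg.get("local_net")):
        findings.append("traffic selectors are not mirror images")
    weak = sorted({hw.get(k) for k in ("ike_enc", "ike_auth", "dh", "esp_enc", "esp_auth")} & WEAK)
    return findings, weak

if __name__ == "__main__":
    print(compare(parse_huawei(HUAWEI_A), parse_fortigate(FORTIGATE)))
```

With the values from this page the check reports no mismatches and flags 3des and group2 as deprecated. Swapping src-subnet and dst-subnet on the FortiGate, or changing only one side's proposal, produces a finding; the selector check catches the common mistake of configuring the local network identically on both ends, which passes Phase 1 and fails only in Quick Mode.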