OpenSWan is open-source IPSec VPN software for Linux. This example describes how to establish an IPSec tunnel between the FW and OpenSWan.
Networking
As shown in Figure 3-38, a server in the Linux operating system needs to establish a VPN connection with the FW at the peer enterprise network egress for secure and encrypted traffic transmission. In the Linux operating system, the open-source software OpenSWan is installed. The software establishes an IPSec VPN tunnel to the FW in IKEv1 mode.
Figure 3-38 Using the open-source software OpenSWan to establish an IPSec VPN tunnel to the FW
Version Description
The following table lists the versions of the software, operating system, and FW in this example.
Item | Version
Linux operating system | Ubuntu 14.04
OpenSWan | 2.6.38
Prerequisites
- The Linux operating system and necessary basic component package have been installed on the server.
- The basic OpenSWan environment has been set up in the Linux system and the software can access the Internet.
- The network connection between the server and FW is normal, and they can ping through each other.
- The ESP service and UDP port 500 have been enabled on the server and FW (in the NAT traversal scenario, UDP/TCP port 4500 must also be enabled).
Data Planning
The following table shows only the IPSec-related data planning.
FW
  Interface configuration
    Interface name: GigabitEthernet 1/0/1
    IP address: 1.1.1.1/24
    Security zone: untrust
    Interface name: GigabitEthernet 1/0/2
    IP address: 10.1.1.1/24
    Security zone: trust
  IPSec configuration
    Security protocol: ESP
    ESP authentication algorithm: SHA1
    ESP encryption algorithm: 3DES
    Pre-shared key: Admin@123
  IKE configuration
    IKE version: IKEv1
    IKE authentication algorithm: SHA1
    IKE encryption algorithm: 3DES
    DH group: group2
Server
  IPSec configuration
    ESP authentication algorithm: SHA1
    ESP encryption algorithm: 3DES
    Pre-shared key: Admin@123
  IKE configuration
    IKE version: IKEv1
    IKE authentication algorithm: SHA1
    IKE encryption algorithm: 3DES
    DH group: group2
Procedure
- Configuring the FW
- Set interface IP addresses.
Set the IP address of GigabitEthernet 1/0/2.
<FW> system-view
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[FW-GigabitEthernet1/0/2] quit
Set the IP address of GigabitEthernet 1/0/1.
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet1/0/1] quit
- Assign interfaces to security zones.
Add GigabitEthernet 1/0/2 to the Trust zone.
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/2
[FW-zone-trust] quit
Add GigabitEthernet 1/0/1 to the Untrust zone.
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 1/0/1
[FW-zone-untrust] quit
- Configure interzone security policies.
Configure the Trust-Untrust interzone policy.
[FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone trust
[FW-policy-security-rule-policy1] destination-zone untrust
[FW-policy-security-rule-policy1] source-address 10.1.1.0 24
[FW-policy-security-rule-policy1] destination-address 10.2.1.0 24
[FW-policy-security-rule-policy1] action permit
[FW-policy-security-rule-policy1] quit
[FW-policy-security] rule name policy2
[FW-policy-security-rule-policy2] source-zone untrust
[FW-policy-security-rule-policy2] destination-zone trust
[FW-policy-security-rule-policy2] source-address 10.2.1.0 24
[FW-policy-security-rule-policy2] destination-address 10.1.1.0 24
[FW-policy-security-rule-policy2] action permit
[FW-policy-security-rule-policy2] quit
Configure the Local-Untrust interzone policy to allow the devices at the two ends of the IPSec tunnel to communicate for tunnel negotiation.
The Local-Untrust interzone policy determines whether IKE negotiation packets can pass through the FW. The interzone policy can use the source address and destination address as matching conditions and can use the protocol type and port number as additional matching conditions. In this example, the source address and destination address are used as matching conditions. To use the protocol type and port number as matching conditions, you must enable the ESP service and UDP port 500 (in the NAT traversal scenario, port 4500 must also be enabled).
[FW-policy-security] rule name policy3
[FW-policy-security-rule-policy3] source-zone local
[FW-policy-security-rule-policy3] destination-zone untrust
[FW-policy-security-rule-policy3] source-address 1.1.1.1 32
[FW-policy-security-rule-policy3] destination-address 3.3.3.3 32
[FW-policy-security-rule-policy3] action permit
[FW-policy-security-rule-policy3] quit
[FW-policy-security] rule name policy4
[FW-policy-security-rule-policy4] source-zone untrust
[FW-policy-security-rule-policy4] destination-zone local
[FW-policy-security-rule-policy4] source-address 3.3.3.3 32
[FW-policy-security-rule-policy4] destination-address 1.1.1.1 32
[FW-policy-security-rule-policy4] action permit
[FW-policy-security-rule-policy4] quit
[FW-policy-security] quit
- Configure a static route to the peer server. Assume that the next hop of the static route is 1.1.1.2.
[FW] ip route-static 3.3.3.0 255.255.255.0 1.1.1.2
- Define the data flow to be protected. Configure advanced ACL 3000 to allow network segment 10.1.1.0/24 to access network segment 10.2.1.0/24.
[FW] acl 3000
[FW-acl-adv-3000] rule 5 permit udp source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
[FW-acl-adv-3000] quit
- Configure an IPSec proposal. Parameters that keep their default values do not need to be set.
[FW] ipsec proposal 1
[FW-ipsec-proposal-1] encapsulation-mode auto
[FW-ipsec-proposal-1] esp authentication-algorithm sha1
[FW-ipsec-proposal-1] esp encryption-algorithm 3des
[FW-ipsec-proposal-1] quit
- Configure an IKE proposal.
[FW] ike proposal 1
[FW-ike-proposal-1] encryption-algorithm 3des
[FW-ike-proposal-1] authentication-algorithm sha1
[FW-ike-proposal-1] dh group2
[FW-ike-proposal-1] authentication-method pre-share
[FW-ike-proposal-1] quit
- Configure an IKE peer.
[FW] ike peer a
[FW-ike-peer-a] undo version 2
[FW-ike-peer-a] exchange-mode auto
[FW-ike-peer-a] ike negotiate compatible
[FW-ike-peer-a] ike-proposal 1
[FW-ike-peer-a] remote-address 3.3.3.3
[FW-ike-peer-a] pre-shared-key Admin@123
[FW-ike-peer-a] quit
- Configure an IPSec policy.
[FW] ipsec policy map1 1 isakmp
[FW-ipsec-policy-isakmp-map1-1] security acl 3000
[FW-ipsec-policy-isakmp-map1-1] proposal 1
[FW-ipsec-policy-isakmp-map1-1] ike-peer a
[FW-ipsec-policy-isakmp-map1-1] route inject dynamic
[FW-ipsec-policy-isakmp-map1-1] tunnel local applied-interface
[FW-ipsec-policy-isakmp-map1-1] sa trigger-mode auto
[FW-ipsec-policy-isakmp-map1-1] sa duration time-based 10000
[FW-ipsec-policy-isakmp-map1-1] quit
- Apply IPSec policy group map1 to GigabitEthernet 1/0/1.
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ipsec policy map1
[FW-GigabitEthernet1/0/1] quit
- Configuring OpenSWan
- Install OpenSWan.
The installation command differs between Linux distributions.
On Debian-based distributions, such as Debian, Ubuntu, and Linux Mint, run the following command:
# apt-get install openswan
On Red Hat-based distributions, such as CentOS, Fedora, and RHEL, run the following command:
# yum install openswan lsof
- Verify the installation.
To check the software installation, run the following command:
# service ipsec version
The system displays OpenSWan version information.
To check the IPSec service status, run the following command:
# service ipsec status
If the state is stopped, the IPSec service is disabled. To enable the IPSec service, run the following command:
# ipsec setup start
To view OpenSWan environment check information, run the following command:
# ipsec verify
The environment check result is displayed. [OK] indicates that no problem was detected, while [FAILED] indicates that a problem was detected. For details, see the description below each [FAILED] entry and resolve the problem accordingly.
- Modify the OpenSWan configuration file.
After OpenSWan is installed, two configuration files, /etc/ipsec.conf and /etc/ipsec.secrets, are generated automatically in the installation path:
- /etc/ipsec.conf saves the basic configuration.
- /etc/ipsec.secrets saves the pre-shared key.
You need to modify both files to set the IPSec connection parameters. Only the parts of the configuration files in which parameters need to be modified are shown.
Modify the configuration file ipsec.conf.
# vim /etc/ipsec.conf
conn CSL
    type=tunnel
    authby=secret
    auto=start
    ike=3des-sha1;modp1024
    keyexchange=ike
    phase2=esp
    phase2alg=3des-sha1
    pfs=no
    aggrmode=no
    ikelifetime=86400s
    salifetime=10000s
    forceencaps=yes
    dpdaction=restart
    left=%defaultroute
    leftnexthop=%defaultroute
    leftsubnet=10.2.1.0/24        # network segment of network A
    leftid=3.3.3.3                # IP address of the WAN interface on the server
    leftsourceip=3.3.3.3          # IP address of the WAN interface on the server
    rightsubnets=10.1.1.0/24      # network segment of network B
    right=1.1.1.1                 # IP address of the WAN interface on the FW
    rightid=1.1.1.1               # IP address of the WAN interface on the FW
Modify the configuration file ipsec.secrets.
# vim /etc/ipsec.secrets
3.3.3.3 1.1.1.1: PSK "Admin@123"
This line sets the pre-shared key in the format: server WAN interface IP address, FW WAN interface IP address, then : PSK "pre-shared key".
- Restart the IPSec service.
# service ipsec restart
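Before restarting the service it is worth checking that the two sides actually agree, because an IKEv1 negotiation fails on any proposal, ID, selector or key mismatch and the FW only logs a generic negotiation failure. The following Python script is an added example, not part of this page, of the FW documentation or of OpenSWan: it parses the FW commands and the ipsec.conf/ipsec.secrets fragments shown above (embedded as constructed sample input), derives the ipsec.conf values the FW configuration implies (for instance, dh group2 corresponds to modp1024 in the ike= line) and reports every difference, plus advisory warnings about the legacy algorithms used here and about the ACL protecting UDP only while the OpenSWan subnets cover every protocol. The DH_GROUPS mapping and the regular expressions are the script's own assumptions about the command syntax shown on this page.

```python
import re
# Constructed sample input: the FW parameters that drive the IKEv1 negotiation,
# copied from this page's configuration script (section headers omitted).
FW_CONFIG = """
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
 remote-address 3.3.3.3
 pre-shared-key Admin@123
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
 sa duration time-based 10000
 rule 5 permit udp source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
"""
# Constructed sample input: the OpenSWan side from /etc/ipsec.conf and /etc/ipsec.secrets.
IPSEC_CONF = """
conn CSL
    ike=3des-sha1;modp1024
    phase2alg=3des-sha1
    salifetime=10000s
    leftsubnet=10.2.1.0/24      # network A, behind the server
    leftid=3.3.3.3
    rightsubnets=10.1.1.0/24    # network B, behind the FW
    rightid=1.1.1.1
"""
IPSEC_SECRETS = '3.3.3.3 1.1.1.1: PSK "Admin@123"\n'

# Assumed mapping of FW DH group names to the MODP names OpenSWan uses in ike=.
DH_GROUPS = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}
# Algorithms that still negotiate but are no longer recommended.
LEGACY = {"3des": "3DES is deprecated; prefer AES",
          "modp1024": "1024-bit MODP (group2) is weak; prefer modp2048 or larger"}
# FW command -> parameter name, anchored at ^ so that the IKE proposal's
# "authentication-algorithm" is not confused with "esp authentication-algorithm".
FW_PATTERNS = [
    (r"^encryption-algorithm (\S+)$", "ike_enc"), (r"^authentication-algorithm (\S+)$", "ike_auth"),
    (r"^dh (\S+)$", "dh"), (r"^esp encryption-algorithm (\S+)$", "esp_enc"),
    (r"^esp authentication-algorithm (\S+)$", "esp_auth"), (r"^remote-address (\S+)$", "peer"),
    (r"^pre-shared-key (\S+)$", "psk"), (r"^sa duration time-based (\d+)$", "sa_seconds"),
]
ACL_RULE = re.compile(r"^rule \d+ permit (\S+) source (\S+) (\S+) destination (\S+) (\S+)$")

def wildcard_to_cidr(addr, wildcard):
    """ACL wildcard mask (0.0.0.255) -> CIDR notation (/24)."""
    host_bits = sum(bin(int(octet)).count("1") for octet in wildcard.split("."))
    return f"{addr}/{32 - host_bits}"

def parse_fw(text):
    """Flatten the relevant FW commands into a dict."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, key in FW_PATTERNS:
            m = re.match(pattern, line)
            if m:
                params[key] = m.group(1)
        m = ACL_RULE.match(line)
        if m:  # ACL source = subnet behind the FW, destination = subnet behind the server
            params["acl_proto"] = m.group(1)
            params["local_net"] = wildcard_to_cidr(m.group(2), m.group(3))
            params["remote_net"] = wildcard_to_cidr(m.group(4), m.group(5))
    return params

def parse_ipsec_conf(text):
    """key=value pairs of the conn section, '#' comments stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_consistency(fw_text, conf_text, secrets_text):
    """Mismatches that would make the negotiation fail; [] means consistent."""
    fw, conf = parse_fw(fw_text), parse_ipsec_conf(conf_text)
    m = re.search(r'^(\S+)\s+(\S+):\s*PSK\s+"([^"]*)"', secrets_text, re.M)
    left, right, psk = m.groups() if m else (None, None, None)
    expected = {  # what the FW configuration implies for each ipsec.conf keyword
        "ike": f"{fw['ike_enc']}-{fw['ike_auth']};{DH_GROUPS.get(fw['dh'], fw['dh'])}",
        "phase2alg": f"{fw['esp_enc']}-{fw['esp_auth']}", "salifetime": f"{fw['sa_seconds']}s",
        "leftid": fw["peer"], "leftsubnet": fw["remote_net"], "rightsubnets": fw["local_net"],
    }
    problems = [f"{k}: FW implies {v!r}, ipsec.conf has {conf.get(k)!r}"
                for k, v in expected.items() if conf.get(k) != v]
    if (left, right) != (conf.get("leftid"), conf.get("rightid")):
        problems.append(f"ipsec.secrets selector '{left} {right}' does not match leftid/rightid")
    if psk != fw.get("psk"):
        problems.append("pre-shared key differs between FW and ipsec.secrets")
    return problems

def review_warnings(fw_text, conf_text):
    """Advisory findings that do not break the tunnel but weaken or narrow it."""
    fw, conf = parse_fw(fw_text), parse_ipsec_conf(conf_text)
    tokens = set(re.split(r"[-;]", conf.get("ike", "") + ";" + conf.get("phase2alg", "")))
    warnings = [LEGACY[t] for t in sorted(tokens) if t in LEGACY]
    if fw.get("acl_proto") not in (None, "ip"):
        warnings.append(f"FW ACL protects {fw['acl_proto']} only, but the OpenSWan subnets cover every protocol")
    return warnings
```

Running check_consistency(FW_CONFIG, IPSEC_CONF, IPSEC_SECRETS) on the page's values returns an empty list; changing the FW to dh group14 or editing the key in ipsec.secrets produces one line per mismatch, which is exactly the information the FW's negotiation failure messages do not give. review_warnings is separate because its findings (3DES, 1024-bit MODP, UDP-only ACL) do not stop the tunnel from coming up.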
Verification
On the FW, run the display ike sa and display ipsec sa brief commands to view the SA establishment.
<FW> display ike sa
IKE SA information :
Conn-ID    Peer       VPN    Flag(s)      Phase
------------------------------------------------------------------------------
16777239   3.3.3.3           RD|ST|A      v1:2
16777232   3.3.3.3           RD|ST|A      v1:1
Number of IKE SA : 2
------------------------------------------------------------------------------
Flag Description:
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
<FW> display ipsec sa brief
current ipsec sa number: 2
current ipsec tunnel number: 1
Src Address   Dst Address   SPI          Protocol   Algorithm
------------------------------------------------------------------------------
1.1.1.1       3.3.3.3       1826317110   ESP        E:3DES A:SHA1-96
3.3.3.3       1.1.1.1       209587142    ESP        E:3DES A:SHA1-96
Check the IPSec status on the Linux server. The output shows that one tunnel has been negotiated.
# service ipsec status
IPsec running - pluto pid: 9417
pluto pid 9417
1 tunnels up
some eroutes exist
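The three outputs above are easy to read once, but an operator monitoring the tunnel wants a check that fires when either IKE phase, or one ESP direction, disappears (for example after an SA lifetime expires without a successful rekey). The following Python script is an added example, not taken from this page or from OpenSWan: it parses the display ike sa, display ipsec sa brief and service ipsec status outputs shown above (embedded as constructed sample input) and returns a list of findings for one peer, empty when the phase 1 and phase 2 SAs are READY, both ESP directions exist with the same algorithm and OpenSWan reports a tunnel up. The column regular expressions assume the output layout shown above.

```python
import re

# Constructed sample input: the outputs shown in the Verification section.
IKE_SA_OUTPUT = """
IKE SA information :
Conn-ID    Peer       VPN    Flag(s)      Phase
------------------------------------------------------------------------------
16777239   3.3.3.3           RD|ST|A      v1:2
16777232   3.3.3.3           RD|ST|A      v1:1
Number of IKE SA : 2
"""
IPSEC_SA_OUTPUT = """
current ipsec sa number: 2
current ipsec tunnel number: 1
Src Address   Dst Address   SPI          Protocol   Algorithm
------------------------------------------------------------------------------
1.1.1.1       3.3.3.3       1826317110   ESP        E:3DES A:SHA1-96
3.3.3.3       1.1.1.1       209587142    ESP        E:3DES A:SHA1-96
"""
LINUX_STATUS = """
IPsec running - pluto pid: 9417
pluto pid 9417
1 tunnels up
some eroutes exist
"""

# One row of 'display ike sa': Conn-ID, Peer, optional VPN, flags, phase (assumed layout).
IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(?:(\S+)\s+)?([A-Z|]+)\s+(v[12]:[12])\s*$")
# One row of 'display ipsec sa brief': src, dst, SPI, protocol, algorithm (assumed layout).
IPSEC_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(ESP|AH)\s+(.*\S)\s*$")

def parse_ike_sa(text):
    """{peer: {phase: set(flags)}}, e.g. {'3.3.3.3': {'v1:1': {'RD', 'ST', 'A'}, ...}}."""
    sas = {}
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            _conn_id, peer, _vpn, flags, phase = m.groups()
            sas.setdefault(peer, {})[phase] = set(flags.split("|"))
    return sas

def parse_ipsec_sa(text):
    """List of (src, dst, spi, protocol, algorithm) tuples."""
    return [m.groups() for m in map(IPSEC_ROW.match, text.splitlines()) if m]

def tunnels_up(status_text):
    """Tunnel count reported by 'service ipsec status' on the OpenSWan host."""
    m = re.search(r"^(\d+) tunnels? up", status_text, re.M)
    return int(m.group(1)) if m else 0

def tunnel_health(peer, ike_text, ipsec_text, status_text):
    """Findings for one peer; an empty list means the tunnel is fully established."""
    findings = []
    phases = parse_ike_sa(ike_text).get(peer, {})
    for phase, label in (("v1:1", "IKE phase 1"), ("v1:2", "IKE phase 2")):
        if phase not in phases:
            findings.append(f"{label} SA missing for {peer}")
        elif "RD" not in phases[phase]:  # present but not READY, e.g. still NEG
            findings.append(f"{label} SA for {peer} is not ready: {sorted(phases[phase])}")
    sas = [s for s in parse_ipsec_sa(ipsec_text) if peer in s[:2]]
    outbound = [s for s in sas if s[1] == peer]  # FW -> server
    inbound = [s for s in sas if s[0] == peer]   # server -> FW
    if not outbound or not inbound:
        findings.append(f"ESP SA missing in one direction for {peer} ({len(sas)} found)")
    if len({s[4] for s in sas}) > 1:
        findings.append(f"ESP algorithm differs between directions: {sorted(s[4] for s in sas)}")
    if tunnels_up(status_text) < 1:
        findings.append("OpenSWan reports no tunnel up")
    return findings
```

A phase 1 SA without a phase 2 SA is the typical picture after a phase 2 proposal or selector mismatch, while a single ESP direction usually means one side rekeyed and the other did not; tunnel_health distinguishes the two in its output so the operator knows which side to look at.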
Configuration Script of the FW
#
system-view
#
acl number 3000
rule 5 permit udp source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal 1
encapsulation-mode auto
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm 3des
authentication-algorithm sha1
dh group2
authentication-method pre-share
#
ike peer a
undo version 2
exchange-mode auto
ike negotiate compatible
ike-proposal 1
remote-address 3.3.3.3
pre-shared-key Admin@123
#
ipsec policy map1 1 isakmp
security acl 3000
proposal 1
ike-peer a
route inject dynamic
tunnel local applied-interface
sa trigger-mode auto
sa duration time-based 10000
#
interface GigabitEthernet 1/0/1
undo shutdown
ip address 1.1.1.1 24
ipsec policy map1
#
interface GigabitEthernet 1/0/2
undo shutdown
ip address 10.1.1.1 24
#
firewall zone trust
set priority 85
add interface GigabitEthernet 1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/1
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 10.1.1.0 24
destination-address 10.2.1.0 24
action permit
rule name policy2
source-zone untrust
destination-zone trust
source-address 10.2.1.0 24
destination-address 10.1.1.0 24
action permit
rule name policy3
source-zone local
destination-zone untrust
source-address 1.1.1.1 32
destination-address 3.3.3.3 32
action permit
rule name policy4
source-zone untrust
destination-zone local
source-address 3.3.3.3 32
destination-address 1.1.1.1 32
action permit
#
ip route-static 3.3.3.0 255.255.255.0 1.1.1.2
#
return