Networking Requirements
As shown in Figure 3-36, a mobile phone connects to the enterprise headquarters over the Internet. An IPSec tunnel needs to be established between the mobile phone and headquarters for encrypted data transmission between them. The enterprise headquarters wants to verify the identities of mobile office users to improve intranet access security.
IKEv1+xAuth can be configured on the headquarters gateway to achieve these purposes.
Figure 3-36 Connecting an Android phone of a mobile office user to the headquarters VPN in IKEv1+xAuth mode
Data Plan

| Item | Data |
|------|------|
| FW | Interface number: GigabitEthernet 1/0/1<br>IP address: 1.1.1.2/24<br>Security zone: Untrust |
| FW | Interface number: GigabitEthernet 1/0/2<br>IP address: 10.1.1.1/24<br>Security zone: Trust |
| FW (address pool and AAA configuration) | IP pool 1<br>Address range: 10.2.1.2 to 10.2.1.100<br>RADIUS server IP address: 10.1.1.5<br>RADIUS server authentication password: huawei@12 |
| FW (IPSec configuration) | IPSec policy type: IPSec policy template<br>Security protocol: ESP<br>ESP authentication algorithm: SHA2-256<br>ESP encryption algorithm: AES-128<br>IKE authentication algorithm: SHA2-256<br>IKE encryption algorithm: AES-256<br>IKE negotiation mode: aggressive mode<br>Pre-shared key: huawei@123<br>Local ID type: IP<br>Peer ID type: any |
| Phone | Internet address: 2.1.1.2/24<br>User name: huawei<br>User password: Hello@123<br>Pre-shared key: huawei@123 |
Configuration Roadmap
- Complete basic configurations, including the interfaces, security policies, and routes on the FW.
- Complete the IPSec configuration on the FW.
- Complete the IPSec configuration on the mobile phone. The IPSec parameters on the mobile phone must match those on the FW.
Procedure
- Configure the FW.
- Configure IP addresses for interfaces.
<sysname> system-view
[sysname] sysname FW
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 1.1.1.2 24
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[FW-GigabitEthernet1/0/2] quit
- Add interfaces to the corresponding security zones.
Add GigabitEthernet 1/0/2 to the Trust zone.
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/2
[FW-zone-trust] quit
Add GigabitEthernet 1/0/1 to the Untrust zone.
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 1/0/1
[FW-zone-untrust] quit
- Configure inter-zone security policies.
# Configure a security policy to allow headquarters users to actively initiate access to the mobile phone.
[FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone trust
[FW-policy-security-rule-policy1] destination-zone untrust
[FW-policy-security-rule-policy1] source-address 10.1.1.0 24
[FW-policy-security-rule-policy1] destination-address 10.2.1.0 24
[FW-policy-security-rule-policy1] action permit
[FW-policy-security-rule-policy1] quit
# Configure a security policy to allow the mobile phone to actively initiate access to the headquarters.
[FW-policy-security] rule name policy2
[FW-policy-security-rule-policy2] source-zone untrust
[FW-policy-security-rule-policy2] destination-zone trust
[FW-policy-security-rule-policy2] destination-address 10.1.1.0 24
[FW-policy-security-rule-policy2] action permit
[FW-policy-security-rule-policy2] quit
# Configure a security policy to allow the mobile phone and headquarters to negotiate an IPSec tunnel.
The Local-Untrust interzone security policy controls whether IKE negotiation packets can pass through the FW. The policy can match on source and destination addresses, on protocol, or on port. This example matches on source and destination addresses. If you match on protocol or port instead, permit ESP and UDP port 500 (and also UDP port 4500 in NAT traversal scenarios).
[FW-policy-security] rule name policy3
[FW-policy-security-rule-policy3] source-zone local
[FW-policy-security-rule-policy3] destination-zone untrust
[FW-policy-security-rule-policy3] source-address 1.1.1.2 32
[FW-policy-security-rule-policy3] action permit
[FW-policy-security-rule-policy3] quit
[FW-policy-security] rule name policy4
[FW-policy-security-rule-policy4] source-zone untrust
[FW-policy-security-rule-policy4] destination-zone local
[FW-policy-security-rule-policy4] destination-address 1.1.1.2 32
[FW-policy-security-rule-policy4] action permit
[FW-policy-security-rule-policy4] quit
[FW-policy-security] quit
- Configure the public and private routes from the FW to the mobile phone.
[FW] ip route-static 2.1.1.0 255.255.255.0 1.1.1.1
[FW] ip route-static 10.2.1.0 255.255.255.0 1.1.1.1
- Configure a service scheme.
Configure an IP address pool.
[FW] ip pool pool1
[FW-ip-pool-pool1] network 10.2.1.0 mask 255.255.255.0
[FW-ip-pool-pool1] section 1 10.2.1.2 10.2.1.100
[FW-ip-pool-pool1] quit
Configure a RADIUS server template.
[FW] radius-server template temp1
[FW-radius-temp1] radius-server authentication 10.1.1.5 1812 weight 80
[FW-radius-temp1] radius-server shared-key cipher huawei@12
[FW-radius-temp1] undo radius-server user-name domain-included
[FW-radius-temp1] quit
Configure a service scheme for access users.
[FW] aaa
[FW-aaa] authentication-scheme xauth
[FW-aaa-authen-xauth] authentication-mode radius
[FW-aaa-authen-xauth] quit
[FW-aaa] service-scheme serv1
[FW-aaa-service-serv1] ip-pool pool1
[FW-aaa-service-serv1] quit
[FW-aaa] domain xauth
[FW-aaa-domain-xauth] radius-server temp1
[FW-aaa-domain-xauth] authentication-scheme xauth
[FW-aaa-domain-xauth] service-type internetaccess ike
[FW-aaa-domain-xauth] service-scheme serv1
[FW-aaa-domain-xauth] new-user add-temporary group /xauth
[FW-aaa-domain-xauth] quit
[FW-aaa] quit
- Configure IPSec.
- Configure the data flow to be protected by the IPSec tunnel.
[FW] acl 3001
[FW-acl-adv-3001] rule 5 permit ip destination 10.2.1.0 0.0.0.255
[FW-acl-adv-3001] quit
- Configure an IPSec proposal tran1.
[FW] ipsec proposal tran1
[FW-ipsec-proposal-tran1] encapsulation-mode tunnel
[FW-ipsec-proposal-tran1] transform esp
[FW-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[FW-ipsec-proposal-tran1] quit
Configure an IKE proposal.
[FW] ike proposal 1
[FW-ike-proposal-1] authentication-method pre-share
[FW-ike-proposal-1] encryption-algorithm aes-256
[FW-ike-proposal-1] authentication-algorithm sha2-256
[FW-ike-proposal-1] dh group2
[FW-ike-proposal-1] quit
Configure an IKE peer.
[FW] ike peer peer1
[FW-ike-peer-peer1] undo version 2
[FW-ike-peer-peer1] ike-proposal 1
[FW-ike-peer-peer1] exchange-mode aggressive
[FW-ike-peer-peer1] pre-shared-key huawei@123
[FW-ike-peer-peer1] xauth enable
[FW-ike-peer-peer1] xauth type chap
[FW-ike-peer-peer1] quit
Configure an IPSec policy in template mode.
[FW] ipsec policy-template policy_temp 1
[FW-ipsec-policy-templet-policy_temp-1] security acl 3001
[FW-ipsec-policy-templet-policy_temp-1] proposal tran1
[FW-ipsec-policy-templet-policy_temp-1] ike-peer peer1
[FW-ipsec-policy-templet-policy_temp-1] quit
[FW] ipsec policy policy 10 isakmp template policy_temp
Apply the IPSec policy to GigabitEthernet 1/0/1.
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ipsec policy policy
[FW-GigabitEthernet1/0/1] quit
- Configure the Android phone.
Access the Settings page of the mobile phone and complete the settings according to the following figure.
- Verify the configuration.
- Enable VPN connection on the mobile phone.
Enter the user name and password and click Connect.
After the connection succeeds, the mobile phone can access the headquarters gateway normally.
- Run the display ike sa command on the FW. The command output shows that an IPSec tunnel is established successfully.
<FW> display ike sa
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
-----------------------------------------------------------------------------
400236 2.1.1.2:500 RD|A v1:2 IP 2.1.1.2
400235 2.1.1.2:500 RD|A v1:1 IP 2.1.1.2
Number of IKE SA : 2
-----------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
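As an added example (not from this page or from Huawei's own tooling), the following Python script parses the display ike sa output above and checks that the phone's peer has READY SAs for both IKEv1 phases; it also reports whether the SAs run over UDP 4500, the NAT traversal case the Local-Untrust policy note mentions. The embedded sample is the output printed above, and the column names follow its header.

```python
# Added example: parse the FW's "display ike sa" output and confirm the
# phone's IKEv1 tunnel is fully up (phase 1 and phase 2 SAs both READY).
IKE_SA_OUTPUT = """\
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
-----------------------------------------------------------------------------
400236 2.1.1.2:500 RD|A v1:2 IP 2.1.1.2
400235 2.1.1.2:500 RD|A v1:1 IP 2.1.1.2
Number of IKE SA : 2
-----------------------------------------------------------------------------
"""  # copied from the verification step on this page


def parse_ike_sa(output):
    """Return one dict per SA row; header, separator and summary lines are skipped."""
    sas = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():      # data rows start with a Conn-ID
            continue
        if len(parts) == 6:                          # VPN column empty: public instance
            conn, peer, flags, phase, rtype, rid = parts
            vpn = ""
        elif len(parts) == 7:                        # VPN instance name present
            conn, peer, vpn, flags, phase, rtype, rid = parts
        else:
            continue                                 # unexpected layout, ignore the row
        host, sep, port = peer.rpartition(":")
        sas.append({"conn": int(conn), "peer": host if sep else peer,
                    "port": int(port) if sep else None, "vpn": vpn,
                    "flags": set(flags.split("|")), "phase": phase,
                    "remote_type": rtype, "remote_id": rid})
    return sas


def tunnel_ready(sas, peer):
    """True only when the peer has READY (RD) SAs for both IKEv1 phases."""
    phases = {sa["phase"] for sa in sas if sa["peer"] == peer and "RD" in sa["flags"]}
    return {"v1:1", "v1:2"} <= phases


def nat_traversal_in_use(sas, peer):
    """True if the peer negotiated over UDP 4500, i.e. NAT-T is active and the
    Local-Untrust policy must permit that port as well as UDP 500."""
    return any(sa["peer"] == peer and sa["port"] == 4500 for sa in sas)
```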
Configuration Script
#
sysname FW
#
radius-server template temp1
radius-server shared-key cipher huawei@12
radius-server authentication 10.1.1.5 1812 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
acl number 3001
rule 5 permit ip destination 10.2.1.0 0.0.0.255
#
ipsec proposal tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 1
encryption-algorithm aes-256
dh group2
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer peer1
xauth type chap
undo version 2
exchange-mode aggressive
pre-shared-key huawei@123
ike-proposal 1
xauth enable
#
ipsec policy-template policy_temp 1
security acl 3001
ike-peer peer1
proposal tran1
#
ipsec policy policy 10 isakmp template policy_temp
#
ip pool pool1
network 10.2.1.0 mask 255.255.255.0
section 1 10.2.1.2 10.2.1.100
#
aaa
authentication-scheme xauth
authentication-mode radius
service-scheme serv1
ip-pool pool1
domain xauth
authentication-scheme xauth
service-scheme serv1
radius-server temp1
service-type internetaccess ike
internet-access mode password
reference user current-domain
new-user add-temporary group /xauth
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 1.1.1.2 255.255.255.0
ipsec policy policy
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.1
ip route-static 10.2.1.0 255.255.255.0 1.1.1.1
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
destination-address 10.2.1.0 mask 255.255.255.0
action permit
rule name policy2
source-zone untrust
destination-zone trust
destination-address 10.1.1.0 mask 255.255.255.0
action permit
rule name policy3
source-zone local
destination-zone untrust
source-address 1.1.1.2 mask 255.255.255.255
action permit
rule name policy4
source-zone untrust
destination-zone local
destination-address 1.1.1.2 mask 255.255.255.255
action permit
#
return
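The roadmap requires the IPSec parameters on the phone to match those on the FW, and a saved script is the easiest place to confirm the FW side. As an added example, not part of this page or of Huawei's software, the following Python script parses a script in the '#'-delimited format above and reports every Data Plan line that the configuration no longer carries. The embedded excerpt is copied from the Configuration Script above; the EXPECTED table is built from the Data Plan.

```python
CONFIG_SCRIPT = """\
ike proposal 1
encryption-algorithm aes-256
authentication-algorithm sha2-256
authentication-method pre-share
#
ike peer peer1
xauth type chap
undo version 2
exchange-mode aggressive
xauth enable
#
ipsec proposal tran1
transform esp
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
"""  # excerpt copied from this page's Configuration Script

EXPECTED = {  # Data Plan values the script must carry, keyed by block header
    "ike proposal 1": ["encryption-algorithm aes-256", "authentication-algorithm sha2-256",
                       "authentication-method pre-share"],
    "ike peer peer1": ["undo version 2", "exchange-mode aggressive", "xauth enable",
                       "xauth type chap"],
    "ipsec proposal tran1": ["transform esp", "esp authentication-algorithm sha2-256",
                             "esp encryption-algorithm aes-128"],
}

def parse_blocks(script):
    """Split a '#'-delimited script into {block header: [setting lines]}."""
    blocks, header = {}, None
    for line in (l.strip() for l in script.splitlines()):
        if not line or line == "#":
            header = None                 # separator closes the current block
        elif header is None:
            header = line                 # first line after '#' names the block
            blocks.setdefault(header, [])
        else:
            blocks[header].append(line)
    return blocks

def audit(script, expected=EXPECTED):
    """Return findings as strings; an empty list means the script matches the plan."""
    blocks, findings = parse_blocks(script), []
    for header, wanted in expected.items():
        lines = blocks.get(header, [])
        for want in (w for w in wanted if w not in lines):
            key = want.rsplit(" ", 1)[0]          # same keyword(s) set to another value?
            actual = [l for l in lines if l.rsplit(" ", 1)[0] == key]
            findings.append(f"{header}: expected '{want}', found {actual or 'nothing'}")
    return findings
```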