Establishing IPSec Tunnels in ISAKMP Mode Between HUAWEI Firewalls and H3C Firewalls
Networking Requirements
As shown in Figure1, the HUAWEI firewall and H3C firewall function as the enterprise gateways of the HQ and branch respectively to connect to the Internet. It is required that an IPSec tunnel be established between the HUAWEI and H3C firewalls for secure communication between the HQ and branch.
Because the public IP addresses of the outbound interfaces on the HUAWEI and H3C firewalls are fixed, the IPSec tunnel can be established in policy mode. In this mode, both ends can initiate negotiation for establishing the IPSec tunnel.
Data Plan
| Configuration Item | | HUAWEI Firewall | H3C Firewall |
|---|---|---|---|
| IKE SA | Negotiation mode | Main mode | Main mode |
| | Encryption algorithm | 3des | 3des |
| | Authentication algorithm | sha1 | sha1 |
| | Pre-shared key | Key@123 | Key@123 |
| | Identity type | IP address of the peer | IP address of the peer |
| | IKE version | V1 | V1 |
| | DH | Group2 | Group2 |
| IPSec SA | Encapsulation mode | Tunnel mode | Tunnel mode |
| | Security protocol | ESP | ESP |
| | Encryption algorithm | 3des | 3des |
| | Authentication algorithm | sha1 | sha1 |
Configuration Roadmap
- Configure the HUAWEI firewall:
  - Set IP addresses for interfaces and assign the interfaces to security zones.
  - Configure an interzone security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the HUAWEI firewall.
  - Configure the default route from the HUAWEI firewall to the Internet.
  - Configure an IPSec policy, including defining the data flow to be protected, configuring an IPSec proposal, creating an IKE proposal, and configuring an IKE peer.
  - Apply the IPSec policy to an interface.
- Configure the H3C firewall:
  - Set interface IP addresses and assign the interfaces to security zones.
  - Configure an interzone security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the H3C firewall.
  - Configure the default route from the H3C firewall to the Internet.
  - Configure an IPSec policy, including defining the data flow to be protected, configuring an IKE proposal, configuring a keychain, configuring a profile, and configuring an IPSec proposal.
  - Apply the IPSec policy to an interface.
Configuration Precautions
- The key to IPSec interconnection is that the parameters set on both ends must be the same. Do not use the default values at both ends (the default values of the two firewalls are basically different). Ensure that the parameters on the two ends are set according to the data planning table.
- When a profile is configured on the H3C firewall, the match local address command is used to specify the usage scope of the profile. According to the H3C firewall configuration guide, this command is optional. If this command is not configured when the H3C firewall is interconnected with a HUAWEI firewall, the H3C firewall cannot find the interface applicable to the profile. Therefore, you are advised to run this command. Otherwise, tunnel negotiation will fail.
Configuration Procedure
- Configure the HUAWEI firewall.
  - Set IP addresses for interfaces and assign the interfaces to security zones.
    - Configure GE1/0/9 and assign it to the Untrust zone.

      ```
      [HUAWEI] interface GigabitEthernet 1/0/9
      [HUAWEI-GigabitEthernet1/0/9] ip address 1.1.1.1 24
      [HUAWEI-GigabitEthernet1/0/9] quit
      [HUAWEI] firewall zone untrust
      [HUAWEI-zone-untrust] add interface GigabitEthernet 1/0/9
      [HUAWEI-zone-untrust] quit
      ```

    - Configure GE1/0/5 and assign it to the Trust zone.

      ```
      [HUAWEI] interface GigabitEthernet 1/0/5
      [HUAWEI-GigabitEthernet1/0/5] ip address 192.168.10.1 24
      [HUAWEI-GigabitEthernet1/0/5] quit
      [HUAWEI] firewall zone trust
      [HUAWEI-zone-trust] add interface GigabitEthernet 1/0/5
      [HUAWEI-zone-trust] quit
      ```
  - Configure security policies.
    - Configure Untrust-Trust interzone security policies.

      Configure policy 1 so that the branch can access the HQ and policy 2 so that the HQ can access the branch.

      ```
      [HUAWEI] security-policy
      [HUAWEI-policy-security] rule name 1
      [HUAWEI-policy-security-rule-1] source-zone untrust
      [HUAWEI-policy-security-rule-1] destination-zone trust
      [HUAWEI-policy-security-rule-1] source-address 192.168.0.0 24
      [HUAWEI-policy-security-rule-1] destination-address 192.168.10.0 24
      [HUAWEI-policy-security-rule-1] action permit
      [HUAWEI-policy-security-rule-1] quit
      [HUAWEI-policy-security] rule name 2
      [HUAWEI-policy-security-rule-2] source-zone trust
      [HUAWEI-policy-security-rule-2] destination-zone untrust
      [HUAWEI-policy-security-rule-2] source-address 192.168.10.0 24
      [HUAWEI-policy-security-rule-2] destination-address 192.168.0.0 24
      [HUAWEI-policy-security-rule-2] action permit
      [HUAWEI-policy-security-rule-2] quit
      ```

    - Configure Local-Untrust interzone security policies.

      Configure policy 3 so that the HUAWEI firewall can initiate an IPSec tunnel establishment request and policy 4 so that the HUAWEI firewall can receive an IPSec tunnel establishment request. The source and destination addresses are the public addresses of the outbound interfaces at both ends.

      ```
      [HUAWEI-policy-security] rule name 3
      [HUAWEI-policy-security-rule-3] source-zone local
      [HUAWEI-policy-security-rule-3] destination-zone untrust
      [HUAWEI-policy-security-rule-3] source-address 1.1.1.1 24
      [HUAWEI-policy-security-rule-3] destination-address 2.2.2.2 24
      [HUAWEI-policy-security-rule-3] action permit
      [HUAWEI-policy-security-rule-3] quit
      [HUAWEI-policy-security] rule name 4
      [HUAWEI-policy-security-rule-4] source-zone untrust
      [HUAWEI-policy-security-rule-4] destination-zone local
      [HUAWEI-policy-security-rule-4] source-address 2.2.2.2 24
      [HUAWEI-policy-security-rule-4] destination-address 1.1.1.1 24
      [HUAWEI-policy-security-rule-4] action permit
      [HUAWEI-policy-security-rule-4] quit
      ```
  - Configure routes.

    Configure a default route to the Internet. In this example, the next-hop IP address is 1.1.1.2.

    ```
    [HUAWEI] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
    ```
  - Create an ACL to define the traffic to be protected.

    Packets from 192.168.10.0/24 to 192.168.0.0/24 shall be transmitted over the IPSec tunnel.

    ```
    [HUAWEI] acl 3000
    [HUAWEI-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
    [HUAWEI-acl-adv-3000] quit
    ```

    - Before the HUAWEI firewall initiates a negotiation request, it finds the outbound interface based on the route, determines whether the traffic is allowed to pass based on security policy 2, determines whether the traffic belongs in the IPSec tunnel based on the ACL, and determines whether it may initiate the negotiation based on security policy 3. Only when all of these checks pass does the HUAWEI firewall initiate the negotiation.
    - Before the HUAWEI firewall accepts a negotiation request, it checks whether the peer's traffic is protected based on the ACL and determines whether to accept the negotiation based on security policy 4. Only when both checks pass does the HUAWEI firewall start the negotiation with the peer; otherwise, it discards the negotiation packet.
  - Configure an IKE SA.
    - Configure an IKE proposal and specify the encryption algorithm, authentication algorithm, and DH group. In this example, IKEv1 is used, and the integrity algorithm does not need to be configured.

      ```
      [HUAWEI] ike proposal 1
      [HUAWEI-ike-proposal-1] encryption-algorithm 3des
      [HUAWEI-ike-proposal-1] authentication-algorithm sha1
      [HUAWEI-ike-proposal-1] dh group2
      [HUAWEI-ike-proposal-1] quit
      ```

    - Configure an IKE peer and specify the negotiation mode, IKE version, pre-shared key, and peer IP address.

      ```
      [HUAWEI] ike peer h3c
      [HUAWEI-ike-peer-h3c] exchange-mode main
      [HUAWEI-ike-peer-h3c] undo version 2
      [HUAWEI-ike-peer-h3c] ike-proposal 1
      [HUAWEI-ike-peer-h3c] pre-shared-key Key@123
      [HUAWEI-ike-peer-h3c] remote-address 2.2.2.2
      [HUAWEI-ike-peer-h3c] quit
      ```

  - Configure an IPSec proposal and specify the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm.

    ```
    [HUAWEI] ipsec proposal tran1
    [HUAWEI-ipsec-proposal-tran1] transform esp
    [HUAWEI-ipsec-proposal-tran1] encapsulation-mode tunnel
    [HUAWEI-ipsec-proposal-tran1] esp encryption-algorithm 3des
    [HUAWEI-ipsec-proposal-tran1] esp authentication-algorithm sha1
    [HUAWEI-ipsec-proposal-tran1] quit
    ```

  - Configure an ISAKMP IPSec policy and associate it with the IKE peer, IPSec proposal, and ACL.

    ```
    [HUAWEI] ipsec policy map1 1 isakmp
    [HUAWEI-ipsec-policy-isakmp-map1-1] ike-peer h3c
    [HUAWEI-ipsec-policy-isakmp-map1-1] proposal tran1
    [HUAWEI-ipsec-policy-isakmp-map1-1] security acl 3000
    [HUAWEI-ipsec-policy-isakmp-map1-1] quit
    ```

  - Apply the IPSec policy to an interface.

    ```
    [HUAWEI] interface GigabitEthernet 1/0/9
    [HUAWEI-GigabitEthernet1/0/9] ipsec policy map1
    [HUAWEI-GigabitEthernet1/0/9] quit
    ```
- Configure the H3C firewall.
  - Set IP addresses for interfaces and assign the interfaces to security zones.
    - Configure GE2/0/10 and assign it to the Untrust zone.

      ```
      [H3C] interface Ten-GigabitEthernet2/0/10
      [H3C-Ten-GigabitEthernet2/0/10] port link-mode route
      [H3C-Ten-GigabitEthernet2/0/10] ip address 2.2.2.2 255.255.255.0
      [H3C-Ten-GigabitEthernet2/0/10] quit
      [H3C] security-zone name Untrust
      [H3C-security-zone-Untrust] import interface Ten-GigabitEthernet 2/0/10
      [H3C-security-zone-Untrust] quit
      ```

    - Configure GE2/0/9 and assign it to the Trust zone.

      ```
      [H3C] interface Ten-GigabitEthernet2/0/9
      [H3C-Ten-GigabitEthernet2/0/9] ip address 192.168.0.1 24
      [H3C-Ten-GigabitEthernet2/0/9] quit
      [H3C] security-zone name Trust
      [H3C-security-zone-Trust] import interface Ten-GigabitEthernet 2/0/9
      [H3C-security-zone-Trust] quit
      ```
  - Configure security policies.
    - Configure two object groups separately for the HQ network and branch network.

      ```
      [H3C] object-group ip address trust1
      [H3C-obj-grp-ip-trust1] network subnet 192.168.0.0 24
      [H3C-obj-grp-ip-trust1] quit
      [H3C] object-group ip address untrust1
      [H3C-obj-grp-ip-untrust1] network subnet 192.168.10.0 24
      [H3C-obj-grp-ip-untrust1] quit
      ```

    - Configure object policies.

      ```
      [H3C] object-policy ip trust-untrust
      [H3C-object-policy-ip-trust-untrust] rule pass source-ip trust1 destination-ip untrust1
      [H3C-object-policy-ip-trust-untrust] quit
      [H3C] object-policy ip untrust-trust
      [H3C-object-policy-ip-untrust-trust] rule pass source-ip untrust1 destination-ip trust1
      [H3C-object-policy-ip-untrust-trust] quit
      ```

    - Configure Untrust-Trust interzone security policies to ensure that the HQ and branch can communicate with each other.

      ```
      [H3C] zone-pair security source trust destination untrust
      [H3C-zone-pair-security-Trust-Untrust] object-policy apply ip trust-untrust
      [H3C-zone-pair-security-Trust-Untrust] quit
      [H3C] zone-pair security source untrust destination trust
      [H3C-zone-pair-security-Untrust-Trust] object-policy apply ip untrust-trust
      [H3C-zone-pair-security-Untrust-Trust] quit
      ```

    - Configure an ACL for Local-Untrust interzone security policies.

      ```
      [H3C] acl advanced 3999
      [H3C-acl-ipv4-adv-3999] rule 0 permit ip
      [H3C-acl-ipv4-adv-3999] quit
      ```

    - Configure Local-Untrust interzone security policies.

      ```
      [H3C] zone-pair security source untrust destination local
      [H3C-zone-pair-security-Untrust-Local] packet-filter 3999
      [H3C-zone-pair-security-Untrust-Local] quit
      [H3C] zone-pair security source local destination untrust
      [H3C-zone-pair-security-Local-Untrust] packet-filter 3999
      [H3C-zone-pair-security-Local-Untrust] quit
      ```

    Untrust-Trust and Local-Untrust interzone security policies also need to be configured on the H3C firewall. The functions of these security policies are the same as those on the HUAWEI firewall, but the configuration methods differ. Before configuring the Untrust-Trust interzone security policies, you need to configure the object groups and object policies. The Local-Untrust interzone security policies are configured by referencing an ACL.
  - Configure routes.

    Configure a default route to the Internet. In this example, the next-hop IP address is 2.2.2.3.

    ```
    [H3C] ip route-static 0.0.0.0 0.0.0.0 2.2.2.3
    ```
  - Create an ACL to define the traffic to be protected.

    Packets from 192.168.0.0/24 to 192.168.10.0/24 shall be transmitted over the IPSec tunnel. The traffic defined here must be the mirror image of the traffic defined on the HUAWEI firewall. Otherwise, the negotiation will fail.

    ```
    [H3C] acl advanced 3000
    [H3C-acl-ipv4-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
    [H3C-acl-ipv4-adv-3000] quit
    ```
  - Configure an IKE proposal.

    Configure the IKE proposal and specify the encryption algorithm, authentication algorithm, DH group, and authentication method. The values must be the same as those configured on the HUAWEI firewall. When configuring the authentication algorithm, set this parameter to sha. On the H3C firewall, sha equals sha1.

    ```
    [H3C] ike proposal 1
    [H3C-ike-proposal-1] encryption-algorithm 3des
    [H3C-ike-proposal-1] authentication-method pre-share
    [H3C-ike-proposal-1] authentication-algorithm sha
    [H3C-ike-proposal-1] dh group2
    [H3C-ike-proposal-1] quit
    ```

  - Configure the keychain.

    ```
    [H3C] ike keychain keychain1
    [H3C-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple Key@123
    [H3C-ike-keychain-keychain1] quit
    ```

    - The keychain holds the pre-shared key used by both ends. The peer IP address or host name must be specified during the configuration.
    - A keychain can be configured with multiple peers and their pre-shared keys. Each peer uses a unique pre-shared key.
    - When the H3C firewall functions as the egress gateway of the HQ and needs to establish IPSec tunnels with multiple branches, you can configure an IPSec policy template on the H3C firewall and configure different pre-shared keys in the keychain. In this way, each branch can use a unique pre-shared key to establish an IPSec tunnel with the H3C firewall at the HQ.

  - Configure a profile.

    ```
    [H3C] ike profile profile1
    [H3C-ike-profile-profile1] keychain keychain1
    [H3C-ike-profile-profile1] proposal 1
    [H3C-ike-profile-profile1] exchange-mode main
    [H3C-ike-profile-profile1] local-identity address 2.2.2.2
    [H3C-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
    [H3C-ike-profile-profile1] match local address Ten-GigabitEthernet2/0/10
    [H3C-ike-profile-profile1] quit
    ```

    - Configuring a profile is equivalent to configuring an IKE peer on the HUAWEI firewall; the profile references keychain1 and the IKE proposal.
    - When IKEv1 is used, the match local address Ten-GigabitEthernet2/0/10 command specifies the usage range of the profile. This command is required. Otherwise, the negotiation will fail.
    - If IKEv2 is used, run the ikev2 proposal, ikev2 keychain, and ikev2 profile commands in sequence to configure the IKE proposal, keychain, and profile.
    - The match remote identity address 1.1.1.1 255.255.255.0 command specifies the peer identity. When the peer identity matches the rule configured in the IKE profile, the H3C firewall uses the information in the IKE profile to authenticate the peer.
  - Configure an IPSec proposal.

    Specify the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm. The values must be the same as those configured on the HUAWEI firewall.

    ```
    [H3C] ipsec transform-set tran1
    [H3C-ipsec-transform-set-tran1] encapsulation-mode tunnel
    [H3C-ipsec-transform-set-tran1] protocol esp
    [H3C-ipsec-transform-set-tran1] esp encryption-algorithm 3des
    [H3C-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [H3C-ipsec-transform-set-tran1] quit
    ```

  - Configure an IPSec policy.

    ```
    [H3C] ipsec policy map1 1 isakmp
    [H3C-ipsec-policy-isakmp-map1-1] remote-address 1.1.1.1
    [H3C-ipsec-policy-isakmp-map1-1] security acl 3000
    [H3C-ipsec-policy-isakmp-map1-1] transform-set tran1
    [H3C-ipsec-policy-isakmp-map1-1] ike-profile profile1
    [H3C-ipsec-policy-isakmp-map1-1] quit
    ```

  - Apply the IPSec policy to an interface.

    ```
    [H3C] interface Ten-GigabitEthernet2/0/10
    [H3C-Ten-GigabitEthernet2/0/10] ipsec apply policy map1
    [H3C-Ten-GigabitEthernet2/0/10] quit
    ```
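The two precautions that govern this whole procedure (every IKE and IPSec parameter must match on both ends, and the protected-traffic ACLs must mirror each other) can be checked mechanically before negotiation is attempted. The Python script below is an added example; it is not part of this page and is not Huawei or H3C tooling. It extracts the IKE and IPSec parameters from the Huawei and H3C command snippets shown in this procedure (copied into the two strings), normalises H3C's `sha` to `sha1` as the page describes, and reports any mismatch. The regex table, the `ALIASES` map and the `extract`/`compare` helpers are this example's own assumptions.

```python
"""Added example, not part of the original page: a parity check for the two firewall
configurations. It pulls the IKE and IPsec parameters the page says must match out of
the Huawei and H3C command snippets and checks that the protected-traffic ACLs mirror
each other. The regexes and helper names are this example's own, not vendor tooling."""
import re

# Both snippets are copied from the page (on H3C, exchange-mode sits under "ike profile").
HUAWEI_CFG = """
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
ike peer h3c
 exchange-mode main
 undo version 2
 pre-shared-key Key@123
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
acl 3000
 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
"""
H3C_CFG = """
ike proposal 1
 encryption-algorithm 3des
 authentication-method pre-share
 authentication-algorithm sha
 dh group2
ike keychain keychain1
 pre-shared-key address 1.1.1.1 255.255.255.0 key simple Key@123
ike profile profile1
 exchange-mode main
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
acl advanced 3000
 rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
"""

# H3C spells SHA-1 as "sha" (the page notes this); map vendor aliases to one name.
ALIASES = {"sha": "sha1"}

# One anchored regex per parameter. ESP lines carry an "esp " prefix, so the IKE
# patterns cannot match them; "pre-shared-key" accepts both vendors' syntax.
PARAMS = {
    "ike.encryption": r"^\s*encryption-algorithm (\S+)",
    "ike.authentication": r"^\s*authentication-algorithm (\S+)",
    "ike.dh": r"^\s*dh (\S+)",
    "ike.exchange_mode": r"^\s*exchange-mode (\S+)",
    "ike.psk": r"^\s*pre-shared-key (?:address \S+ \S+ key simple )?(\S+)",
    "ipsec.protocol": r"^\s*(?:transform|protocol) (\S+)",
    "ipsec.encapsulation": r"^\s*encapsulation-mode (\S+)",
    "ipsec.esp_encryption": r"^\s*esp encryption-algorithm (\S+)",
    "ipsec.esp_authentication": r"^\s*esp authentication-algorithm (\S+)",
}
# Source and destination are captured with their wildcard masks so masks are compared too.
ACL_RULE = re.compile(r"^\s*rule(?: \d+)? permit ip source (\S+ \S+) destination (\S+ \S+)", re.M)


def extract(cfg):
    """Map each parameter name to its alias-normalised value, or None if absent."""
    found = {}
    for name, pat in PARAMS.items():
        m = re.search(pat, cfg, re.M)
        found[name] = ALIASES.get(m.group(1), m.group(1)) if m else None
    # IKE version (assumption for this example): H3C selects IKEv2 with "ikev2 ..."
    # commands; anything else is treated as IKEv1, which is what this page configures.
    found["ike.version"] = "v2" if re.search(r"^\s*ikev2 ", cfg, re.M) else "v1"
    m = ACL_RULE.search(cfg)
    found["acl.flow"] = (m.group(1), m.group(2)) if m else None
    return found


def compare(huawei_cfg, h3c_cfg):
    """Return the list of mismatches between the two ends; an empty list means every
    checked parameter agrees with the data plan and the ACLs mirror each other."""
    a, b = extract(huawei_cfg), extract(h3c_cfg)
    problems = [f"{k}: HUAWEI={a[k]} H3C={b[k]}" for k in a if k != "acl.flow" and a[k] != b[k]]
    # The ACLs must be mirror images: Huawei's source is H3C's destination and vice versa.
    if a["acl.flow"] is None or b["acl.flow"] is None:
        problems.append("acl.flow: protected-traffic rule missing on one end")
    elif a["acl.flow"] != b["acl.flow"][::-1]:
        problems.append(f"acl.flow not mirrored: HUAWEI={a['acl.flow']} H3C={b['acl.flow']}")
    return problems


if __name__ == "__main__":
    print(compare(HUAWEI_CFG, H3C_CFG) or "OK: both ends match the data plan")
```

Paste the relevant part of each device's running configuration into the two strings and run the script; an empty result means every checked parameter agrees. The version check is deliberately minimal: it treats a configuration without `ikev2` commands as IKEv1, which is true for this page, so confirm the version on the device if the Huawei peer is not pinned with `undo version 2`.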
Verification
- Check whether the HQ can proactively initiate an IPSec tunnel with the branch.
  - Ping PC2 on the branch network from PC1 at the HQ.

    You can also run the ping command on the HUAWEI firewall. In this case, use the -a option to specify the source address. Otherwise, the traffic generated by the ping is not the traffic defined in the ACL, and the IPSec negotiation cannot be triggered.

  - On the HUAWEI firewall at the HQ, run the display ike sa command. If the following information is displayed, the IKE SA is successfully established.

    ```
    <HUAWEI> display ike sa
    current ike sa number: 2
    -----------------------------------------------------------------------------
    conn-id    peer            flag          phase   vpn
    -----------------------------------------------------------------------------
    926        2.2.2.2         RD|ST|A       v1:2    public
    925        2.2.2.2         RD|ST|A       v1:1    public

    flag meaning
    RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
    TD--DELETING   NEG--NEGOTIATING   D--DPD   M--ACTIVE   S--STANDBY   A--ALONE
    ```

  - On the HUAWEI firewall at the HQ, run the display ipsec sa command. If the following information is displayed, the IPSec SA is successfully established.

    ```
    <HUAWEI> display ipsec sa
    ===============================
    Interface: GigabitEthernet1/0/9
    path MTU: 1500
    ===============================

      -----------------------------
      IPSec policy name: "map1"
      sequence number: 1
      mode: isakmp
      vpn: public
      -----------------------------
        connection id: 926
        rule number: 10
        encapsulation mode: tunnel
        holding time: 0d 0h 0m 24s
        tunnel local : 1.1.1.1    tunnel remote: 2.2.2.2
        flow source: 192.168.10.0/255.255.255.0 0/0
        flow destination: 192.168.0.0/255.255.255.0 0/0

        [inbound ESP SAs]
          spi: 2885376008 (0xabfb5808)
          vpn: public said: 164 cpuid: 0x0000
          proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
          sa remaining key duration (kilobytes/sec): 1843200/3576
          max received sequence-number: 4
          udp encapsulation used for nat traversal: N

        [outbound ESP SAs]
          spi: 565355390 (0x21b2a37e)
          vpn: public said: 165 cpuid: 0x0000
          proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
          sa remaining key duration (kilobytes/sec): 1843200/3576
          max sent sequence-number: 5
          udp encapsulation used for nat traversal: N
    ```
  - Log in to the branch H3C firewall and run the display ike sa command to check the IKE SA. If the following information is displayed, the IKE SA is established successfully.

    ```
    [H3C] display ike sa
        Connection-ID   Remote                Flag         DOI
    ------------------------------------------------------------------
        801             1.1.1.1               RD           IPSec
    Flags:
    RD--READY RL--REPLACED FD-FADING RK-REKEY
    ```

  - Log in to the branch H3C firewall and run the display ipsec sa command to check the IPSec SA. If the following information is displayed, the IPSec SA is established successfully.

    ```
    [H3C] display ipsec sa
    -------------------------------
    Interface: Ten-GigabitEthernet2/0/10
    -------------------------------

      -----------------------------
      IPSec policy: map1
      Sequence number: 1
      Mode: ISAKMP
      Flow table status: Active
      -----------------------------
        Tunnel id: 0
        Encapsulation mode: tunnel
        Perfect Forward Secrecy:
        Inside VPN:
        Extended Sequence Numbers enable: N
        Traffic Flow Confidentiality enable: N
        Path MTU: 1444
        Tunnel:
            local  address: 2.2.2.2
            remote address: 1.1.1.1
        Flow:
            sour addr: 192.168.0.0/255.255.255.0  port: 0  protocol: ip
            dest addr: 192.168.10.0/255.255.255.0  port: 0  protocol: ip

        [Inbound ESP SAs]
          SPI: 565355390 (0x21b2a37e)
          Connection ID: 416611827712
          Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
          SA duration (kilobytes/sec): 1843200/3600
          SA remaining duration (kilobytes/sec): 1843199/3470
          Max received sequence-number: 4
          Anti-replay check enable: Y
          Anti-replay window size: 64
          UDP encapsulation used for NAT traversal: N
          Status: Active

        [Outbound ESP SAs]
          SPI: 2885376008 (0xabfb5808)
          Connection ID: 416611827713
          Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
          SA duration (kilobytes/sec): 1843200/3600
          SA remaining duration (kilobytes/sec): 1843199/3470
          Max sent sequence-number: 4
          UDP encapsulation used for NAT traversal: N
          Status: Active
    ```
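Beyond reading the two outputs side by side, the SA pair can be checked programmatically: each end's inbound SPI must equal the other end's outbound SPI (the Huawei inbound SPI 2885376008 reappears as the H3C outbound SPI above), the tunnel endpoints must be swapped, the protected flows must mirror each other, and the IKE SA on each side must carry the RD (READY) flag. The script below is an added example and is not part of the original page; it parses trimmed excerpts of the `display ipsec sa` and `display ike sa` outputs shown above (copied from this page) and reports any inconsistency. `parse_ipsec_sa`, `cross_check` and `ready_peers` are names chosen for this example.

```python
"""Added example (not from the original page): cross-check the verification output of
both firewalls. A correctly negotiated tunnel shows each side's inbound SPI as the other
side's outbound SPI, swapped tunnel endpoints and mirrored flows. The excerpts below are
trimmed copies of the page's display outputs; the helper names are this example's own."""
import re

HUAWEI_IPSEC_SA = """\
    tunnel local : 1.1.1.1    tunnel remote: 2.2.2.2
    flow source: 192.168.10.0/255.255.255.0 0/0
    flow destination: 192.168.0.0/255.255.255.0 0/0
    [inbound ESP SAs]
      spi: 2885376008 (0xabfb5808)
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
    [outbound ESP SAs]
      spi: 565355390 (0x21b2a37e)
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
"""
H3C_IPSEC_SA = """\
    Tunnel:
        local  address: 2.2.2.2
        remote address: 1.1.1.1
    Flow:
        sour addr: 192.168.0.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 192.168.10.0/255.255.255.0  port: 0  protocol: ip
    [Inbound ESP SAs]
      SPI: 565355390 (0x21b2a37e)
      Status: Active
    [Outbound ESP SAs]
      SPI: 2885376008 (0xabfb5808)
      Status: Active
"""
HUAWEI_IKE_SA = """\
conn-id    peer            flag          phase   vpn
926        2.2.2.2         RD|ST|A       v1:2    public
925        2.2.2.2         RD|ST|A       v1:1    public
"""
H3C_IKE_SA = """\
    Connection-ID   Remote                Flag         DOI
    801             1.1.1.1               RD           IPSec
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_ipsec_sa(text):
    """Pull tunnel endpoints, protected flow and both SPIs out of a 'display ipsec sa'
    excerpt. Field names differ per vendor, so each regex accepts both spellings."""
    def grab(pattern):
        m = re.search(pattern, text, re.I)
        return m.group(1) if m else None
    sa = {
        "local": grab(r"local\s*(?:address)?\s*:\s*" + IPV4),
        "remote": grab(r"remote\s*(?:address)?\s*:\s*" + IPV4),
        "src": grab(r"(?:flow source|sour addr):\s*(\S+)"),
        "dst": grab(r"(?:flow destination|dest addr):\s*(\S+)"),
    }
    # Each SPI is the number after "spi:" inside its [inbound/outbound ESP SAs] section.
    for direction in ("inbound", "outbound"):
        sect = re.search(r"\[" + direction + r" ESP SAs\](.*?)(?=\[|\Z)", text, re.I | re.S)
        spi = re.search(r"spi:\s*(\d+)", sect.group(1), re.I) if sect else None
        sa[direction + "_spi"] = int(spi.group(1)) if spi else None
    return sa


def cross_check(huawei_text, h3c_text):
    """Return the list of inconsistencies between the two ends (empty means consistent)."""
    a, b = parse_ipsec_sa(huawei_text), parse_ipsec_sa(h3c_text)
    problems = []
    if a["inbound_spi"] != b["outbound_spi"] or a["outbound_spi"] != b["inbound_spi"]:
        problems.append("SPIs do not pair up: HUAWEI in/out=%s/%s, H3C in/out=%s/%s"
                        % (a["inbound_spi"], a["outbound_spi"], b["inbound_spi"], b["outbound_spi"]))
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        problems.append("tunnel endpoints are not swapped between the two ends")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        problems.append("protected flows are not mirror images of each other")
    return problems


def ready_peers(ike_text):
    """Peers whose IKE SA row carries the RD (READY) flag in 'display ike sa' output."""
    peers = set()
    for m in re.finditer(r"^\s*\d+\s+" + IPV4 + r"\s+(\S+)", ike_text, re.M):
        if "RD" in m.group(2).split("|"):
            peers.add(m.group(1))
    return sorted(peers)


if __name__ == "__main__":
    print("IKE ready on HUAWEI:", ready_peers(HUAWEI_IKE_SA), "on H3C:", ready_peers(H3C_IKE_SA))
    print(cross_check(HUAWEI_IPSEC_SA, H3C_IPSEC_SA) or "OK: the IPSec SA pair is consistent")
```

A mismatched SPI pair after a `reset ike sa` usually means one end still holds a stale SA; re-run the check once the tunnel has been re-established.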
- Check whether the branch can proactively initiate an IPSec tunnel with the HQ.
  - On the HUAWEI firewall at the HQ, run the reset ike sa command to disconnect the IPSec tunnel.
  - Ping PC1 at the HQ from PC2 at the branch, and use the preceding method to check whether the IPSec tunnel is established successfully.
Configuration Files
```
#
 sysname HUAWEI
#
interface GigabitEthernet 1/0/9
 ip address 1.1.1.1 24
 ipsec policy map1
#
interface GigabitEthernet 1/0/5
 ip address 192.168.10.1 24
#
firewall zone untrust
 add interface GigabitEthernet 1/0/9
#
firewall zone trust
 add interface GigabitEthernet 1/0/5
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 192.168.0.0 24
  destination-address 192.168.10.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 24
  destination-address 192.168.0.0 24
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 24
  destination-address 2.2.2.2 24
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 2.2.2.2 24
  destination-address 1.1.1.1 24
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
acl 3000
 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
#
ike peer h3c
 exchange-mode main
 undo version 2
 ike-proposal 1
 pre-shared-key Key@123
 remote-address 2.2.2.2
#
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
#
ipsec policy map1 1 isakmp
 ike-peer h3c
 proposal tran1
 security acl 3000
#
return
```