Establishing IPSec Tunnels Between HUAWEI Firewalls and H3C Firewalls in NAT Traversal Scenarios
Networking Requirements
As shown in Figure 1, the H3C firewall at the branch does not have a public IP address. HUAWEI firewall_B acts as the NAT device that provides the public IP address through which the branch establishes an IPSec tunnel with HUAWEI firewall_A at the HQ. HUAWEI firewall_B provides only the Source NAT function, so access is possible only in the direction from the branch to the HQ. Therefore, only the branch can proactively establish an IPSec tunnel with the HQ, not the other way around.
Data Plan
| Item | | HUAWEI Firewall_A | H3C Firewall |
|---|---|---|---|
| IKE SA | Encryption algorithm | 3des | 3des |
| | Authentication algorithm | sha1 | - |
| | Pre-shared key | Key@123 | Key@123 |
| | Identity type | Post-NAT address of the peer | Public address of the peer |
| | Authentication address of the peer | Pre-NAT address of the peer | - |
| | IKE version | V2 | V2 |
| | DH | Group2 | Group2 |
| | NAT traversal enabled or not | Yes | - |
| | Integrity algorithm | sha1 | sha1 |
| IPSec SA | Encapsulation mode | Tunnel mode | Tunnel mode |
| | Security protocol | ESP | ESP |
| | Encryption algorithm | 3des | 3des |
| | Authentication algorithm | sha1 | sha1 |
Configuration Roadmap
- Configure HUAWEI firewall_A:
  - Set IP addresses for interfaces and assign the interfaces to security zones.
  - Configure an interzone security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through HUAWEI firewall_A.
  - Configure the default route from HUAWEI firewall_A to the Internet.
  - Configure an IPSec policy, including defining the data flow to be protected, configuring an IPSec proposal, creating an IKE proposal, configuring an IKE peer, and configuring IPSec NAT traversal.
  - Apply the IPSec policy to an interface.
- Configure HUAWEI firewall_B:
  - Set IP addresses for interfaces and assign the interfaces to security zones.
  - Configure an Untrust-Trust interzone security policy to allow the post-NAT packets to pass through HUAWEI firewall_B.
  - Configure Source NAT.
  - Configure routes to the HQ and branch.
- Configure the H3C firewall:
  - Set interface IP addresses and assign the interfaces to security zones.
  - Configure an interzone security policy to allow IKE negotiation packets, original IPSec packets, and decapsulated IPSec packets to pass through the HUAWEI firewall.
  - Configure the default route from the H3C firewall to the Internet.
  - Configure an IPSec policy, including defining the data flow to be protected, configuring an IKEv2 proposal, configuring an IKEv2 policy, configuring an IKEv2 keychain, configuring an IKEv2 profile, and configuring an IPSec proposal.
  - Apply the IPSec policy to an interface.
Configuration Precautions
- The H3C firewall can check whether a NAT device exists on the network. If yes, the NAT traversal function is automatically enabled. You do not need to run any command to enable the NAT traversal function.
- When IKEv2 is used, the H3C firewall does not provide any command for configuring the IKE SA authentication algorithm. By default, sha1 is used. On the HUAWEI firewall_A, the IKE SA authentication algorithm must be set to sha1. Otherwise, the IPSec negotiation will fail.
- This example uses IKEv2. Compared with IKEv1, the configuration of the H3C firewall differs greatly, whereas the configuration of HUAWEI firewall_A differs only slightly.
Configuration Procedure
- Configure the HUAWEI firewall_A.
- Set IP addresses for interfaces and assign the interfaces to security zones.
- Configure GE1/0/3 and assign it to the Untrust zone.
[HUAWEI_A] interface GigabitEthernet 1/0/3
[HUAWEI_A-GigabitEthernet1/0/3] ip address 1.1.1.1 255.255.255.0
[HUAWEI_A-GigabitEthernet1/0/3] quit
[HUAWEI_A] firewall zone untrust
[HUAWEI_A-zone-untrust] add interface GigabitEthernet 1/0/3
[HUAWEI_A-zone-untrust] quit
- Configure GE1/0/5 and assign it to the Trust zone.
[HUAWEI_A] interface GigabitEthernet 1/0/5
[HUAWEI_A-GigabitEthernet1/0/5] ip address 192.168.10.1 255.255.255.0
[HUAWEI_A-GigabitEthernet1/0/5] quit
[HUAWEI_A] firewall zone trust
[HUAWEI_A-zone-trust] add interface GigabitEthernet 1/0/5
[HUAWEI_A-zone-trust] quit
- Configure security policies.
- Configure Untrust-Trust interzone security policies.
Configure policy 1 so that the branch can access the HQ and configure policy 2 so that the HQ can access the branch.
[HUAWEI_A] security-policy
[HUAWEI_A-policy-security] rule name 1
[HUAWEI_A-policy-security-rule-1] source-zone untrust
[HUAWEI_A-policy-security-rule-1] destination-zone trust
[HUAWEI_A-policy-security-rule-1] source-address 192.168.0.0 24
[HUAWEI_A-policy-security-rule-1] destination-address 192.168.10.0 24
[HUAWEI_A-policy-security-rule-1] action permit
[HUAWEI_A-policy-security-rule-1] quit
[HUAWEI_A-policy-security] rule name 2
[HUAWEI_A-policy-security-rule-2] source-zone trust
[HUAWEI_A-policy-security-rule-2] destination-zone untrust
[HUAWEI_A-policy-security-rule-2] source-address 192.168.10.0 24
[HUAWEI_A-policy-security-rule-2] destination-address 192.168.0.0 24
[HUAWEI_A-policy-security-rule-2] action permit
[HUAWEI_A-policy-security-rule-2] quit
- Configure Local-Untrust interzone security policies.
Configure policy 3 so that the HUAWEI firewall_A can initiate an IPSec tunnel establishment request and configure policy 4 so that HUAWEI firewall_A can receive an IPSec tunnel establishment request.
[HUAWEI_A-policy-security] rule name 3
[HUAWEI_A-policy-security-rule-3] source-zone local
[HUAWEI_A-policy-security-rule-3] destination-zone untrust
[HUAWEI_A-policy-security-rule-3] source-address 1.1.1.1 24
[HUAWEI_A-policy-security-rule-3] destination-address 2.2.2.2 24
[HUAWEI_A-policy-security-rule-3] action permit
[HUAWEI_A-policy-security-rule-3] quit
[HUAWEI_A-policy-security] rule name 4
[HUAWEI_A-policy-security-rule-4] source-zone untrust
[HUAWEI_A-policy-security-rule-4] destination-zone local
[HUAWEI_A-policy-security-rule-4] source-address 2.2.2.2 24
[HUAWEI_A-policy-security-rule-4] destination-address 1.1.1.1 24
[HUAWEI_A-policy-security-rule-4] action permit
[HUAWEI_A-policy-security-rule-4] quit
[HUAWEI_A-policy-security] quit
When you configure policy 3, the destination address is the post-NAT address of the peer. When you configure policy 4, the source address is the post-NAT address of the peer.
- Configure routes.
Configure a default route to the Internet. In the example, the next-hop IP address is 1.1.1.2.
[HUAWEI_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
- Create an ACL to define the traffic to be protected.
Packets from 192.168.10.0/24 to 192.168.0.0/24 shall be transmitted over the IPSec tunnel.
[HUAWEI_A] acl 3000
[HUAWEI_A-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[HUAWEI_A-acl-adv-3000] quit
- Before the HUAWEI firewall initiates a negotiation request, it looks up the route to find the outbound interface, checks security policy 2 to determine whether the original traffic may pass, checks the ACL to determine whether the traffic is to be protected by the IPSec tunnel, and checks security policy 3 to determine whether it may send the negotiation packets. Only when all of these checks pass does the HUAWEI firewall actually initiate the negotiation.
- When the HUAWEI firewall receives a negotiation request, it checks the ACL to determine whether the peer's traffic is to be protected and checks security policy 4 to determine whether it may accept the negotiation. If both checks pass, the HUAWEI firewall negotiates with the peer; otherwise, it discards the negotiation packet.
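The initiator-side decision sequence described above, as an added Python example that is not Huawei code: the page's interfaces, zones, default route, ACL 3000 and security policies 2 and 3 are modelled as constructed data, and `initiation_decision`, `lookup_route` and `policy_permits` are names chosen here. The route and policy logic is a simplification of what the firewall does.

```python
"""Checks HUAWEI firewall_A performs before initiating IKE negotiation.

Order, as the page describes it: route lookup -> interzone security policy
(rule 2) -> IPSec ACL (3000) -> Local-Untrust policy (rule 3) for the
negotiation packets themselves. All data is constructed from the page.
"""
import ipaddress


def net(cidr):
    # Huawei notation '1.1.1.1 24' means the /24 containing that host.
    return ipaddress.ip_network(cidr, strict=False)


# Interface name -> (security zone, connected subnet)
INTERFACES = {
    "GE1/0/3": ("untrust", net("1.1.1.1/24")),
    "GE1/0/5": ("trust", net("192.168.10.1/24")),
}
LOCAL_ADDRESS = ipaddress.ip_address("1.1.1.1")   # HUAWEI_A public address
PEER_ADDRESS = ipaddress.ip_address("2.2.2.2")    # post-NAT address of the branch

# Connected routes derived from the interfaces, plus the page's default route.
ROUTES = [(subnet, name) for name, (_, subnet) in INTERFACES.items()]
ROUTES.append((net("0.0.0.0/0"), "GE1/0/3"))      # ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

# Security policy rules: (name, source zone, destination zone, source net, destination net)
SECURITY_POLICY = [
    ("2", "trust", "untrust", net("192.168.10.0/24"), net("192.168.0.0/24")),
    ("3", "local", "untrust", net("1.1.1.1/24"), net("2.2.2.2/24")),
]
# acl 3000: flows that must go through the IPSec tunnel
ACL_3000 = [(net("192.168.10.0/24"), net("192.168.0.0/24"))]


def lookup_route(dst):
    """Longest-prefix match; returns the outbound interface name or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(prefix.prefixlen, ifname) for prefix, ifname in ROUTES if dst in prefix]
    return max(matches)[1] if matches else None


def policy_permits(src_zone, dst_zone, src, dst):
    """True if some security policy rule permits this interzone flow."""
    return any(r[1] == src_zone and r[2] == dst_zone and src in r[3] and dst in r[4]
               for r in SECURITY_POLICY)


def initiation_decision(src_ip, dst_ip):
    """Return (will_initiate, reason) for an original packet seen by HUAWEI_A."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    out_if = lookup_route(dst)
    if out_if is None:
        return False, "no route to destination"
    out_zone = INTERFACES[out_if][0]
    in_zone = next((zone for zone, subnet in INTERFACES.values() if src in subnet), None)
    if in_zone is None or not policy_permits(in_zone, out_zone, src, dst):
        return False, "no security policy (rule 2 here) permits the original packet"
    if not any(src in s and dst in d for s, d in ACL_3000):
        return False, "flow not in ACL 3000: forwarded in clear, no IPSec"
    if not policy_permits("local", out_zone, LOCAL_ADDRESS, PEER_ADDRESS):
        return False, "security policy 3 does not permit IKE from local to the peer"
    return True, f"initiate IKE from {LOCAL_ADDRESS} to {PEER_ADDRESS} via {out_if}"
```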
- Configure an IKE SA.
- Configure an IKE proposal and specify the encryption algorithm, authentication algorithm, and DH group. In this example, IKEv2 is used, and the integrity algorithm needs to be configured.
[HUAWEI_A] ike proposal 1
[HUAWEI_A-ike-proposal-1] authentication-algorithm sha1
[HUAWEI_A-ike-proposal-1] encryption-algorithm 3des
[HUAWEI_A-ike-proposal-1] integrity-algorithm hmac-sha1-96
[HUAWEI_A-ike-proposal-1] dh group2
[HUAWEI_A-ike-proposal-1] quit
In the case of IKEv2, the H3C firewall does not provide any command for configuring the authentication algorithm. However, the authentication algorithm must be set to sha1 on the HUAWEI firewall_A. Otherwise, the IPSec negotiation will fail.
- Configure an IKE peer, specify the IKE version, pre-shared key, peer address, and peer authentication address, and enable the NAT traversal function.
[HUAWEI_A] ike peer h3c
[HUAWEI_A-ike-peer-h3c] undo version 1
[HUAWEI_A-ike-peer-h3c] ike-proposal 1
[HUAWEI_A-ike-peer-h3c] pre-shared-key Key@123
[HUAWEI_A-ike-peer-h3c] remote-address 2.2.2.2
[HUAWEI_A-ike-peer-h3c] remote-address authentication-address 10.10.10.2
[HUAWEI_A-ike-peer-h3c] nat traversal
[HUAWEI_A-ike-peer-h3c] quit
- Run the remote-address command to set the peer address to the post-NAT address and the remote-address authentication-address command to set the peer authentication address to the pre-NAT address.
- The H3C firewall does not provide the command for enabling the NAT traversal function. If the H3C firewall detects that a NAT device exists on the network, it automatically enables the NAT traversal function. However, you must run the nat traversal command on the HUAWEI firewall_A to enable the NAT traversal function.
- Configure an IPSec proposal and specify the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm.
[HUAWEI_A] ipsec proposal tran1
[HUAWEI_A-ipsec-proposal-tran1] transform esp
[HUAWEI_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[HUAWEI_A-ipsec-proposal-tran1] esp encryption-algorithm 3des
[HUAWEI_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[HUAWEI_A-ipsec-proposal-tran1] quit
- Configure an ISAKMP IPSec policy and associate it with the IKE peer, IPSec proposal, and ACL.
[HUAWEI_A] ipsec policy map1 1 isakmp
[HUAWEI_A-ipsec-policy-isakmp-map1-1] ike-peer h3c
[HUAWEI_A-ipsec-policy-isakmp-map1-1] proposal tran1
[HUAWEI_A-ipsec-policy-isakmp-map1-1] security acl 3000
[HUAWEI_A-ipsec-policy-isakmp-map1-1] quit
- Apply the IPSec policy to an interface.
[HUAWEI_A] interface GigabitEthernet 1/0/3
[HUAWEI_A-GigabitEthernet1/0/3] ipsec policy map1
[HUAWEI_A-GigabitEthernet1/0/3] quit
- Configure the H3C firewall.
- Set IP addresses for interfaces and assign the interfaces to security zones.
- Configure GE2/0/10 and assign it to the Untrust zone.
[H3C] interface Ten-GigabitEthernet2/0/10
[H3C-Ten-GigabitEthernet2/0/10] port link-mode route
[H3C-Ten-GigabitEthernet2/0/10] ip address 10.10.10.2 255.255.255.0
[H3C-Ten-GigabitEthernet2/0/10] quit
[H3C] security-zone name Untrust
[H3C-security-zone-Untrust] import interface Ten-GigabitEthernet 2/0/10
[H3C-security-zone-Untrust] quit
- Configure GE2/0/9 and assign it to the Trust zone.
[H3C] interface Ten-GigabitEthernet2/0/9
[H3C-Ten-GigabitEthernet2/0/9] ip address 192.168.0.1 24
[H3C-Ten-GigabitEthernet2/0/9] quit
[H3C] security-zone name Trust
[H3C-security-zone-Trust] import interface Ten-GigabitEthernet 2/0/9
[H3C-security-zone-Trust] quit
- Configure security policies.
- Configure two object groups separately for the HQ network and branch network.
[H3C] object-group ip address trust1
[H3C-obj-grp-ip-trust1] network subnet 192.168.0.0 24
[H3C-obj-grp-ip-trust1] quit
[H3C] object-group ip address untrust1
[H3C-obj-grp-ip-untrust1] network subnet 192.168.10.0 24
[H3C-obj-grp-ip-untrust1] quit
- Configure object policies.
[H3C] object-policy ip trust-untrust
[H3C-object-policy-ip-trust-untrust] rule pass source-ip trust1 destination-ip untrust1
[H3C-object-policy-ip-trust-untrust] quit
[H3C] object-policy ip untrust-trust
[H3C-object-policy-ip-untrust-trust] rule pass source-ip untrust1 destination-ip trust1
[H3C-object-policy-ip-untrust-trust] quit
- Configure Untrust-Trust interzone security policies to ensure that the HQ and branch can communicate with each other.
[H3C] zone-pair security source trust destination untrust
[H3C-zone-pair-security-Trust-Untrust] object-policy apply ip trust-untrust
[H3C-zone-pair-security-Trust-Untrust] quit
[H3C] zone-pair security source untrust destination trust
[H3C-zone-pair-security-Untrust-Trust] object-policy apply ip untrust-trust
[H3C-zone-pair-security-Untrust-Trust] quit
- Configure an ACL for Local-Untrust interzone security policies.
[H3C] acl advanced 3999
[H3C-acl-ipv4-adv-3999] rule 0 permit ip
[H3C-acl-ipv4-adv-3999] quit
- Configure Local-Untrust interzone security policies.
[H3C] zone-pair security source untrust destination local
[H3C-zone-pair-security-Untrust-Local] packet-filter 3999
[H3C-zone-pair-security-Untrust-Local] quit
[H3C] zone-pair security source local destination untrust
[H3C-zone-pair-security-Local-Untrust] packet-filter 3999
[H3C-zone-pair-security-Local-Untrust] quit
Untrust-Trust and Local-Untrust interzone security policies also need to be configured on the H3C firewall. The functions of the security policies are the same as those of the HUAWEI firewall. However, the configuration methods are different. Before configuring Untrust-Trust interzone security policies, you need to configure the object group and object policy. You can configure the Local-Untrust interzone security policies by referencing ACLs.
- Configure routes.
Configure a default route to the Internet. In the example, the next-hop IP address is 10.10.10.3.
[H3C] ip route-static 0.0.0.0 0.0.0.0 10.10.10.3
- Create an ACL to define the traffic to be protected.
Packets from 192.168.0.0/24 to 192.168.10.0/24 shall be transmitted over the IPSec tunnel. The traffic defined here must mirror the traffic defined on the HUAWEI firewall_A. Otherwise, the negotiation will fail.
[H3C] acl advanced 3000
[H3C-acl-ipv4-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[H3C-acl-ipv4-adv-3000] quit
- Configure an IKEv2 proposal.
Configure the IKE proposal and specify the encryption algorithm, DH group, and integrity verification algorithm. The values must be the same as those configured on the HUAWEI firewall_A.
[H3C] ikev2 proposal 1
[H3C-ikev2-proposal-1] encryption 3des
[H3C-ikev2-proposal-1] integrity sha1
[H3C-ikev2-proposal-1] dh group2
[H3C-ikev2-proposal-1] quit
- Configure an IKEv2 policy.
[H3C] ikev2 policy policy1
[H3C-ikev2-policy-policy1] match local address Ten-GigabitEthernet 2/0/10
[H3C-ikev2-policy-policy1] proposal 1
[H3C-ikev2-policy-policy1] quit
- In the IKEv2 scenario, configure the IKEv2 policy, reference the IKEv2 proposal, and apply the IKEv2 policy to Ten-GigabitEthernet 2/0/10. The subsequent IPSec policy is also applied to the interface.
- The IKEv2 policy is not referenced by the profile. That is, the IKEv2 security proposal is not referenced by the profile. In the IKEv1 scenario, the IKE proposal is referenced by the profile.
- Configure the IKEv2 keychain.
Configure the IKEv2 keychain, specify the pre-shared key, and configure the peer host address and peer identity information. In this example, the peer host address is used as the peer identity information.
[H3C] ikev2 keychain keychain1
[H3C-ikev2-keychain-keychain1] peer firewall
[H3C-ikev2-keychain-keychain1-peer-firewall] address 1.1.1.1 255.255.255.0
[H3C-ikev2-keychain-keychain1-peer-firewall] identity address 1.1.1.1
[H3C-ikev2-keychain-keychain1-peer-firewall] pre-shared-key plaintext Key@123
[H3C-ikev2-keychain-keychain1-peer-firewall] quit
- In IKEv2 mode, you need to configure a peer before configuring the keychain, configure the pre-shared key in the peer, and specify the peer host address and peer identity of the pre-shared key.
- The peer host address and peer identity must be configured. Otherwise, the IPSec tunnel negotiation will fail. During negotiation, the initiator searches for the peer based on the peer identity.
- If there are N peers, configure N peer entries. The local end uses a unique pre-shared key with each peer to negotiate an IPSec tunnel.
- Configure a profile.
Configure an IKEv2 profile to specify the local and peer authentication modes, referenced keychain1, local identity, peer identity, and profile usage range.
[H3C] ikev2 profile profile1
[H3C-ikev2-profile-profile1] authentication-method local pre-share
[H3C-ikev2-profile-profile1] authentication-method remote pre-share
[H3C-ikev2-profile-profile1] keychain keychain1
[H3C-ikev2-profile-profile1] identity local address 10.10.10.2
[H3C-ikev2-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[H3C-ikev2-profile-profile1] match local address Ten-GigabitEthernet 2/0/10
[H3C-ikev2-profile-profile1] quit
- Configure an IPSec proposal.
Specify the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm. The values must be the same as those configured on the HUAWEI firewall_A.
[H3C] ipsec transform-set tran1
[H3C-ipsec-transform-set-tran1] encapsulation-mode tunnel
[H3C-ipsec-transform-set-tran1] protocol esp
[H3C-ipsec-transform-set-tran1] esp encryption-algorithm 3des
[H3C-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[H3C-ipsec-transform-set-tran1] quit
- Configure an IPSec policy.
[H3C] ipsec policy map1 1 isakmp
[H3C-ipsec-policy-isakmp-map1-1] remote-address 1.1.1.1
[H3C-ipsec-policy-isakmp-map1-1] security acl 3000
[H3C-ipsec-policy-isakmp-map1-1] transform-set tran1
[H3C-ipsec-policy-isakmp-map1-1] ikev2-profile profile1
[H3C-ipsec-policy-isakmp-map1-1] quit
- Apply the IPSec policy to an interface.
[H3C] interface Ten-GigabitEthernet 2/0/10
[H3C-Ten-GigabitEthernet2/0/10] ipsec apply policy map1
[H3C-Ten-GigabitEthernet2/0/10] quit
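Several steps above state that a value on the H3C firewall "must be the same as" or "must mirror" its counterpart on HUAWEI firewall_A, and that the peer address and authentication address on the HUAWEI side must be the post-NAT and pre-NAT addresses respectively. The following added Python example (not Huawei or H3C code) models both configurations as dicts built from the page's values and reports every such mismatch; `check_consistency` and the dict layout are names chosen here.

```python
"""Cross-vendor parameter consistency check for the HUAWEI_A / H3C tunnel.

Catches the mismatches that make IKEv2/IPSec negotiation fail in this NAT
traversal scenario: proposal values, mirrored ACLs, the pre-shared key, and
the post-NAT versus pre-NAT addressing on the HUAWEI side.
"""
import ipaddress

# Constructed from the page's HUAWEI firewall_A configuration (HQ).
HUAWEI_A = {
    "local_address": "1.1.1.1",
    "ike": {"version": 2, "encryption": "3des", "authentication": "sha1",
            "integrity": "sha1", "dh": "group2", "psk": "Key@123",
            "nat_traversal": True},
    "peer": {"remote_address": "2.2.2.2",               # post-NAT address
             "authentication_address": "10.10.10.2"},  # pre-NAT address
    "ipsec": {"mode": "tunnel", "protocol": "esp",
              "encryption": "3des", "auth": "sha1"},
    "acl": ("192.168.10.0/24", "192.168.0.0/24"),        # (source, destination)
}

# Constructed from the page's H3C firewall configuration (branch, behind NAT).
H3C = {
    "local_identity": "10.10.10.2",   # identity local address (pre-NAT)
    "remote_identity": "1.1.1.1",     # match remote identity address
    "ike": {"version": 2, "encryption": "3des",
            "authentication": "sha1",  # not configurable for IKEv2; fixed default
            "integrity": "sha1", "dh": "group2", "psk": "Key@123"},
    "ipsec": {"mode": "tunnel", "protocol": "esp",
              "encryption": "3des", "auth": "sha1"},
    "acl": ("192.168.0.0/24", "192.168.10.0/24"),
}


def check_consistency(huawei, h3c, nat_public):
    """Return a list of mismatch descriptions; an empty list means consistent.

    nat_public is the address HUAWEI firewall_B translates the branch to.
    """
    problems = []
    # IKE SA parameters both ends must agree on.
    for key in ("version", "encryption", "authentication", "integrity", "dh", "psk"):
        if huawei["ike"][key] != h3c["ike"][key]:
            problems.append(f"IKE {key}: {huawei['ike'][key]!r} vs {h3c['ike'][key]!r}")
    # H3C detects NAT automatically; the HUAWEI side needs 'nat traversal' explicitly.
    if not huawei["ike"].get("nat_traversal"):
        problems.append("HUAWEI_A: 'nat traversal' not enabled on the IKE peer")
    # IPSec SA parameters.
    for key in ("mode", "protocol", "encryption", "auth"):
        if huawei["ipsec"][key] != h3c["ipsec"][key]:
            problems.append(f"IPSec {key}: {huawei['ipsec'][key]!r} vs {h3c['ipsec'][key]!r}")
    # The protected flows must be exact mirror images.
    h_src, h_dst = (ipaddress.ip_network(n) for n in huawei["acl"])
    c_src, c_dst = (ipaddress.ip_network(n) for n in h3c["acl"])
    if (h_src, h_dst) != (c_dst, c_src):
        problems.append("ACLs are not mirror images of each other")
    # NAT traversal addressing: HUAWEI_A peers with the post-NAT address but
    # authenticates the pre-NAT identity that the H3C firewall sends.
    if huawei["peer"]["remote_address"] != nat_public:
        problems.append("HUAWEI_A remote-address must be the post-NAT address")
    if huawei["peer"]["authentication_address"] != h3c["local_identity"]:
        problems.append("HUAWEI_A authentication-address must equal the H3C local identity")
    if h3c["remote_identity"] != huawei["local_address"]:
        problems.append("H3C remote identity must be HUAWEI_A's public address")
    return problems
```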
- Configure HUAWEI firewall_B (NAT device).
- Set IP addresses for interfaces and assign the interfaces to security zones.
- Configure GE1/0/6 and assign it to the Untrust zone.
[HUAWEI_B] interface GigabitEthernet 1/0/6
[HUAWEI_B-GigabitEthernet1/0/6] ip address 2.2.2.2 255.255.255.0
[HUAWEI_B-GigabitEthernet1/0/6] quit
[HUAWEI_B] firewall zone untrust
[HUAWEI_B-zone-untrust] add interface GigabitEthernet 1/0/6
[HUAWEI_B-zone-untrust] quit
- Configure GE1/0/9 and assign it to the Trust zone.
[HUAWEI_B] interface GigabitEthernet 1/0/9
[HUAWEI_B-GigabitEthernet1/0/9] ip address 10.10.10.3 24
[HUAWEI_B-GigabitEthernet1/0/9] quit
[HUAWEI_B] firewall zone trust
[HUAWEI_B-zone-trust] add interface GigabitEthernet 1/0/9
[HUAWEI_B-zone-trust] quit
- Configure Untrust-Trust interzone security policies.
[HUAWEI_B] security-policy
[HUAWEI_B-policy-security] rule name 1
[HUAWEI_B-policy-security-rule-1] source-zone untrust
[HUAWEI_B-policy-security-rule-1] destination-zone trust
[HUAWEI_B-policy-security-rule-1] source-address 1.1.1.0 24
[HUAWEI_B-policy-security-rule-1] destination-address 10.10.10.0 24
[HUAWEI_B-policy-security-rule-1] action permit
[HUAWEI_B-policy-security-rule-1] quit
[HUAWEI_B-policy-security] rule name 2
[HUAWEI_B-policy-security-rule-2] source-zone trust
[HUAWEI_B-policy-security-rule-2] destination-zone untrust
[HUAWEI_B-policy-security-rule-2] source-address 10.10.10.0 24
[HUAWEI_B-policy-security-rule-2] destination-address 1.1.1.0 24
[HUAWEI_B-policy-security-rule-2] action permit
[HUAWEI_B-policy-security-rule-2] quit
- Configure Source NAT.
[HUAWEI_B] nat-policy
[HUAWEI_B-policy-nat] rule name policy_nat1
[HUAWEI_B-policy-nat-rule-policy_nat1] source-zone trust
[HUAWEI_B-policy-nat-rule-policy_nat1] destination-zone untrust
[HUAWEI_B-policy-nat-rule-policy_nat1] source-address 10.10.10.0 24
[HUAWEI_B-policy-nat-rule-policy_nat1] action nat easy-ip
[HUAWEI_B-policy-nat-rule-policy_nat1] quit
[HUAWEI_B-policy-nat] quit
- Configure routes to the HQ and branch.
[HUAWEI_B] ip route-static 192.168.10.0 255.255.255.0 2.2.2.1
[HUAWEI_B] ip route-static 192.168.0.0 255.255.255.0 10.10.10.2
Verification
- Ping PC1 at the HQ from PC2 at the branch and verify whether the branch can proactively initiate an IPSec tunnel with the HQ.
- On the HUAWEI firewall_A at the HQ, run the display ike sa command. If the following information is displayed, the IKE SA is successfully established.
[HUAWEI_A] display ike sa
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                                   flag        phase   vpn
-----------------------------------------------------------------------------
2          2.2.2.2:2048                           RD|A        v2:2    public
1          2.2.2.2:2048                           RD|A        v2:1    public

  flag meaning
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  TD--DELETING   NEG--NEGOTIATING   D--DPD   M--ACTIVE   S--STANDBY   A--ALONE
- On the HUAWEI firewall_A at the HQ, run the display ipsec sa command. If the following information is displayed, the IPSec SA is successfully established.
[HUAWEI_A] display ipsec sa
===============================
Interface: GigabitEthernet1/0/3
path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "map1"
  sequence number: 1
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 2
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 15m 0s
    tunnel local : 1.1.1.1    tunnel remote: 2.2.2.2
    flow source: 192.168.10.0-192.168.10.255 0-65535 0
    flow destination: 192.168.0.0-192.168.0.255 0-65535 0

    [inbound ESP SAs]
      spi: 169992973 (0xa21e30d)
      vpn: public said: 0 cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 1843200/2700
      max received sequence-number: 7
      udp encapsulation used for nat traversal: Y

    [outbound ESP SAs]
      spi: 3484754186 (0xcfb5210a)
      vpn: public said: 1 cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 1843200/2700
      max sent sequence-number: 6
      udp encapsulation used for nat traversal: Y
- Log in to the H3C firewall and run the display ikev2 sa command to check the IKE SA. If the following information is displayed, the IKE SA is established successfully.
[H3C] display ikev2 sa
 Tunnel ID   Local                  Remote                 Status
 ---------------------------------------------------------------------------
 1           10.10.10.2/4500        1.1.1.1/4500           EST
 Status:
 IN-NEGO: Negotiating, EST: Established, DEL:Deleting
- Log in to the branch H3C firewall and run the display ipsec sa command to check the IPSec establishment. If the following information is displayed, the IPSec SA is established successfully.
[H3C] display ipsec sa
-------------------------------
Interface: Ten-GigabitEthernet2/0/10
-------------------------------

  -----------------------------
  IPSec policy: map1
  Sequence number: 1
  Mode: ISAKMP
  Flow table status: Active
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Inside VPN:
    Extended Sequence Numbers enable: N
    Traffic Flow Confidentiality enable: N
    Path MTU: 1436
    Tunnel:
        local  address: 10.10.10.2
        remote address: 1.1.1.1
    Flow:
        sour addr: 192.168.0.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 192.168.10.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 3484754186 (0xcfb5210a)
      Connection ID: 356482285571
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/2490
      Max received sequence-number: 5
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for NAT traversal: Y
      Status: Active

    [Outbound ESP SAs]
      SPI: 169992973 (0x0a21e30d)
      Connection ID: 356482285570
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/2490
      Max sent sequence-number: 6
      UDP encapsulation used for NAT traversal: Y
      Status: Active
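The two display ipsec sa outputs above describe the same tunnel from opposite ends, so they can be cross-checked rather than read in isolation. The following added Python example (not Huawei or H3C code) parses the ESP SA sections of both outputs, embedded here as constructed excerpts of the page's output, and confirms that each side's inbound SPI is the other side's outbound SPI and that every SA reports UDP encapsulation; `parse_esp_sas` and `tunnel_consistent` are names chosen here.

```python
"""Cross-check 'display ipsec sa' output from both ends of the tunnel."""
import re

# Constructed excerpt of the HUAWEI firewall_A output shown on this page.
HUAWEI_A_OUTPUT = """\
[inbound ESP SAs]
spi: 169992973 (0xa21e30d)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
udp encapsulation used for nat traversal: Y
[outbound ESP SAs]
spi: 3484754186 (0xcfb5210a)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
udp encapsulation used for nat traversal: Y
"""

# Constructed excerpt of the H3C firewall output shown on this page.
H3C_OUTPUT = """\
[Inbound ESP SAs]
  SPI: 3484754186 (0xcfb5210a)
  Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
  UDP encapsulation used for NAT traversal: Y
  Status: Active
[Outbound ESP SAs]
  SPI: 169992973 (0x0a21e30d)
  Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
  UDP encapsulation used for NAT traversal: Y
  Status: Active
"""

# Both vendors use the same field names apart from capitalisation and indentation.
SECTION_RE = re.compile(r"^\[(inbound|outbound) ESP SAs\]", re.I)
SPI_RE = re.compile(r"^spi:\s*(\d+)", re.I)
NATT_RE = re.compile(r"^udp encapsulation used for nat traversal:\s*([YN])", re.I)


def parse_esp_sas(text):
    """Return {'inbound': {'spi': int, 'nat_t': bool}, 'outbound': {...}}."""
    sas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1).lower()
            sas[current] = {"spi": None, "nat_t": False}
            continue
        if current is None:
            continue
        spi = SPI_RE.match(line)
        if spi:
            sas[current]["spi"] = int(spi.group(1))   # decimal SPI; hex form is ignored
        natt = NATT_RE.match(line)
        if natt:
            sas[current]["nat_t"] = natt.group(1).upper() == "Y"
    return sas


def tunnel_consistent(local_text, remote_text):
    """Return (ok, findings): SPIs must cross-match and NAT-T must be in effect."""
    local, remote = parse_esp_sas(local_text), parse_esp_sas(remote_text)
    findings = []
    for name, sas in (("local", local), ("remote", remote)):
        for direction in ("inbound", "outbound"):
            if direction not in sas or sas[direction]["spi"] is None:
                findings.append(f"{name}: no {direction} ESP SA found")
            elif not sas[direction]["nat_t"]:
                findings.append(f"{name} {direction} SA: no UDP encapsulation, "
                                "NAT traversal is not in effect")
    if findings:
        return False, findings
    # What one end sends (outbound) the other end must receive (inbound).
    if local["inbound"]["spi"] != remote["outbound"]["spi"]:
        findings.append("local inbound SPI != remote outbound SPI")
    if local["outbound"]["spi"] != remote["inbound"]["spi"]:
        findings.append("local outbound SPI != remote inbound SPI")
    return not findings, findings
```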
Configuration Files
HUAWEI Firewall_A Configuration Files
#
 sysname HUAWEI_A
#
interface GigabitEthernet 1/0/3
 ip address 1.1.1.1 255.255.255.0
 ipsec policy map1
#
interface GigabitEthernet 1/0/5
 ip address 192.168.10.1 255.255.255.0
#
firewall zone untrust
 add interface GigabitEthernet 1/0/3
#
firewall zone trust
 add interface GigabitEthernet 1/0/5
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 192.168.0.0 24
  destination-address 192.168.10.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 24
  destination-address 192.168.0.0 24
  action permit
 rule name 3
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 24
  destination-address 2.2.2.2 24
  action permit
 rule name 4
  source-zone untrust
  destination-zone local
  source-address 2.2.2.2 24
  destination-address 1.1.1.1 24
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
acl 3000
 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
ike proposal 1
 authentication-algorithm sha1
 encryption-algorithm 3des
 integrity-algorithm hmac-sha1-96
 dh group2
#
ike peer h3c
 undo version 1
 ike-proposal 1
 pre-shared-key Key@123
 remote-address 2.2.2.2
 remote-address authentication-address 10.10.10.2
 nat traversal
#
ipsec proposal tran1
 transform esp
 encapsulation-mode tunnel
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
#
ipsec policy map1 1 isakmp
 ike-peer h3c
 proposal tran1
 security acl 3000
#
return
HUAWEI Firewall_B Configuration Files
#
 sysname HUAWEI_B
#
interface GigabitEthernet 1/0/6
 ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet 1/0/9
 ip address 10.10.10.3 24
#
firewall zone untrust
 add interface GigabitEthernet 1/0/6
#
firewall zone trust
 add interface GigabitEthernet 1/0/9
#
security-policy
 rule name 1
  source-zone untrust
  destination-zone trust
  source-address 1.1.1.0 24
  destination-address 10.10.10.0 24
  action permit
 rule name 2
  source-zone trust
  destination-zone untrust
  source-address 10.10.10.0 24
  destination-address 1.1.1.0 24
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.10.10.0 24
  action nat easy-ip
#
ip route-static 192.168.10.0 255.255.255.0 2.2.2.1
ip route-static 192.168.0.0 255.255.255.0 10.10.10.2
#
return