CLI-based Configuration Guide - VPN

AR650, AR1600, and AR6100 V300R003

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Defining Data Flows to Be Protected

Context

IPSec can protect one or more data flows, and the ACL specifies data flows to be protected by IPSec. Therefore, you need to create an ACL and apply the ACL to an IPSec policy. An IPSec policy can reference only one ACL. Note the following points:
  • If data flows have different security requirements, create different ACLs and IPSec policies.

  • If data flows have the same security requirements, configure multiple rules in an ACL.

ACL Keyword Usage

Each ACL rule is a deny or permit clause. In IPSec applications, a permit clause identifies a data flow protected by IPSec, and a deny clause identifies a data flow that is not protected by IPSec. An ACL can contain multiple rules. A packet is processed according to the first rule that it matches.

  • In the outbound direction of an SA

    If a packet matches a permit clause, IPSec encapsulates and sends the packet. If a packet matches a deny clause or does not match a permit clause, IPSec directly forwards the packet. A matched permit clause indicates that a data flow needs to be protected and a pair of SAs is created.

  • In the inbound direction of an SA

    Packets protected by IPSec are decrypted; packets not protected by IPSec are forwarded directly.

    NOTE:
    If the optional procedure (Optional) Configuring IPSec Check has been performed, the device re-checks whether the IP header of the decrypted IPSec packet falls within the range defined by the ACL. If the decrypted packet matches a permit clause, the device continues to process it; if it does not match a permit clause, the device discards it.

Precautions

  • The protocols defined in the ACLs on both ends of the IPSec tunnel must be the same. For example, if the protocol on one end is IP, the protocol must also be IP on the other end.

  • When ACL rules at both ends of an IPSec tunnel mirror each other, SAs can be set up successfully no matter which party initiates negotiation. If ACL rules at both ends of an IPSec tunnel do not mirror each other, SAs can be set up successfully only when the range specified by ACL rules on the initiator is included in the range specified by ACL rules on the responder. It is recommended that ACL rules at both ends of an IPSec tunnel mirror each other. That is, the source and destination addresses of an ACL rule at one end are the destination and source addresses of an ACL rule at the other end. The IKEv1 and IKEv2 configurations are as follows:

    If IPSec policies in ISAKMP mode are configured at both ends, ACL rules at both ends of an IPSec tunnel must mirror each other. If an IPSec policy in ISAKMP mode is configured at one end and an IPSec policy using an IPSec policy template is configured at the other end, the range specified by ACL rules in the IPSec policy in ISAKMP mode can be included in the range specified by ACL rules in the IPSec policy using an IPSec policy template. The devices use overlapping ACL rules as the negotiation result.

  • Avoid overlapping address segments in ACL rules. Rules with overlapping address segments may affect each other and cause data flows to be matched by the wrong rule.

  • The ACL referenced in an IPSec policy group cannot contain rules of the same ID.

  • ACL rules referenced in all IPSec policies of an IPSec policy group cannot overlap. In the following example, ACL 3001 and ACL 3002 overlap.

    acl number 3001
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    
    acl number 3002
     rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
    
  • When the responder uses an IPSec policy template, note the following points:

    If data flows to be protected are not specified, the responder accepts the range of data flows to be protected on the initiator. If data flows to be protected are specified, the ACL on the responder must mirror the ACL on the initiator or the range specified by the ACL on the responder must cover the range specified by the ACL on the initiator.

    After an IPSec tunnel has been established, if both permit and deny actions are configured in an ACL rule in the IPSec policy template view, the deny action does not take effect.

  • If NAT is configured on an interface to which an IPSec policy is applied, IPSec may not take effect because NAT is performed first. You can use the following methods:

    • In the ACL referenced by NAT, add a deny clause whose destination IP address is the destination IP address used in the ACL rule referenced by IPSec. Data flows protected by IPSec are then excluded from NAT translation.

    • Configure the ACL rule referenced by NAT to match the IP address translated by NAT.
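As an added example that is not part of the Huawei guide, the following Python script models the rules described under ACL Keyword Usage and the Precautions above: it parses rule lines in the syntax this page uses, checks whether the ACLs on two ends mirror each other, finds permit rules whose ranges overlap (as ACL 3001 and ACL 3002 do), and evaluates the first-match permit/deny decision in the outbound direction. The regular expression, the function names and the contiguous-wildcard assumption are mine, not the device's implementation; the sample rule lines are copied from this section.

```python
import ipaddress
import re

# Matches a Huawei advanced-ACL rule as shown in this guide, e.g.
# "rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"
# (the "any" keyword and the port/dscp options are not handled here).
RULE_RE = re.compile(r"rule(?:\s+\d+)?\s+(permit|deny)\s+(\w+)"
                     r"\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")

def wildcard_to_network(addr, wildcard):
    """'address wildcard' -> network; '0' is Huawei shorthand for one host.
    Assumption: the wildcard is contiguous (ipaddress cannot express other masks)."""
    wc = int(wildcard) if wildcard.isdigit() else int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ wc))
    return ipaddress.IPv4Network((addr, netmask), strict=False)

def parse_acl(text):
    """Return (action, protocol, source_net, destination_net) for each rule line."""
    rules = []
    for m in (RULE_RE.search(line) for line in text.splitlines()):
        if m:
            act, proto, src, swc, dst, dwc = m.groups()
            rules.append((act, proto, wildcard_to_network(src, swc),
                          wildcard_to_network(dst, dwc)))
    return rules

def mirrors(acl_a, acl_b):
    """True when each end's permit rules equal the other end's with source/destination swapped."""
    permits_a = {(p, s, d) for a, p, s, d in acl_a if a == "permit"}
    permits_b = {(p, d, s) for a, p, s, d in acl_b if a == "permit"}
    return permits_a == permits_b

def overlapping(acl_a, acl_b):
    """Permit-rule pairs whose source AND destination ranges overlap (forbidden in one policy group)."""
    return [(s1, d1, s2, d2) for a1, _, s1, d1 in acl_a for a2, _, s2, d2 in acl_b
            if a1 == a2 == "permit" and s1.overlaps(s2) and d1.overlaps(d2)]

def outbound_action(acl, src_ip, dst_ip):
    """First match wins: permit -> IPSec-protected; deny or no match -> forwarded in clear."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, _proto, s, d in acl:
        if src in s and dst in d:
            return "protect" if action == "permit" else "forward"
    return "forward"

# Constructed sample ACLs, copied from the rule lines shown in this section.
ACL_3001 = parse_acl("rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255")
ACL_3002 = parse_acl("rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255")
GW_A = parse_acl("rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255")
GW_B = parse_acl("rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255")
```

Running `mirrors(GW_A, GW_B)` confirms the site-to-site pair is mirrored, while `overlapping(ACL_3001, ACL_3002)` reports the overlap the guide warns about.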

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl [ number ] acl-number [ match-order { config | auto } ]

    An advanced ACL is created and the advanced ACL view is displayed. acl-number ranges from 3000 to 3999.

  3. Run the following commands as required.

    • Run the rule [ rule-id ] { deny | permit } ip [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | dscp dscp | vpn-instance vpn-instance-name ] * command to configure a rule to match the IP protocol.
    • Run the rule [ rule-id ] { deny | permit } tcp [ destination { destination-address destination-wildcard | any } | destination-port eq port | source { source-address source-wildcard | any } | source-port eq port | dscp dscp | vpn-instance vpn-instance-name ] * command to configure a rule to match the TCP protocol.
    • Run the rule [ rule-id ] { deny | permit } udp [ destination { destination-address destination-wildcard | any } | destination-port eq port | source { source-address source-wildcard | any } | source-port eq port | dscp dscp | vpn-instance vpn-instance-name ] * command to configure a rule to match the UDP protocol.
    • Run the rule [ rule-id ] { deny | permit } gre [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | [ dscp dscp | [ tos tos | precedence precedence ] * ] | time-range time-name | logging | vpn-instance vpn-instance-name ] * command to configure a rule to match the GRE protocol.
    NOTE:
    If the data flow to be protected carries VPN labels, the corresponding vpn-instance-name must be specified during the ACL configuration.

Configuration Guidelines

The configurations of rules vary in different scenarios. For details, see the following examples:

Site-to-Site IPSec VPN

A site-to-site IPSec tunnel is set up between gateway A and gateway B. Gateway A protects subnet 10.1.1.0/24 and gateway B protects subnet 192.168.196.0/24.

Configurations on gateway A:

[Huawei] acl 3001
[Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255

Configurations on gateway B:

[Huawei] acl 3001
[Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

Ensure that the subnets on both ends use the same wildcard.

Hub-Spoke IPSec VPN

Hub-Spoke IPSec tunnels are set up between the headquarters and branches. The headquarters resides at subnet 192.168.196.0/24; branch A resides at subnet 10.1.1.0/24; branch B resides at subnet 10.1.2.0/24.

  • To allow the communication between branches and the headquarters but forbid the communication between branches, configure the ACL for the branch network in the same way as in the site-to-site IPSec VPN. Note that the destination address of the ACL at the headquarters must include all branch subnets.

    The ACL at the headquarters is configured as follows:

    [Huawei] acl number 3001
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [Huawei-acl-adv-3001] quit
  • To allow communication between branches and the headquarters, and between branches through the headquarters, set the source address of the ACL at the headquarters to all subnets of the headquarters and branches, and set the destination address to all branch subnets. The source addresses of the ACLs at the branch offices remain unchanged, but their destination addresses must cover the subnets of the headquarters and of all other branches.

    The ACL at the headquarters is configured as follows:

    [Huawei] acl number 3001
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [Huawei-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [Huawei-acl-adv-3001] quit

    The ACL at branch A is configured as follows:

    [Huawei] acl number 3001
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255
    [Huawei-acl-adv-3001] quit

    The ACL at branch B is configured as follows:

    [Huawei] acl number 3001
    [Huawei-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [Huawei-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 192.168.196.0 0.0.0.255
    [Huawei-acl-adv-3001] quit

IPSec Gateway with NAT Configured

  • If endpoint A uses NAT only for Internet access and not for IPSec traffic, you must exclude the IPSec traffic from NAT.

    Endpoint A protects network 10.1.1.0/24 and endpoint B protects network 192.168.196.0/24. The ACL and NAT configurations on endpoint A are as follows:

    # Define the data flow to be protected.

    [Huawei] acl 3001
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255
    [Huawei-acl-adv-3001] quit

    # Exclude the networks connected by the IPSec tunnel from the ACL referenced in the NAT policy.

    [Huawei] acl 3005
    [Huawei-acl-adv-3005] rule deny ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255
    [Huawei-acl-adv-3005] quit

    Configurations on endpoint B:

    [Huawei] acl 3001
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

  • If the two protected networks overlap, endpoint A performs NAT on all traffic first and then applies IPSec.

    If the networks protected by endpoints A and B are both 10.1.1.0/24 and the private addresses on endpoint A are translated to 10.1.2.1, the configurations on endpoints A and B are as follows:

    On endpoint A:

    [Huawei] acl 3001
    [Huawei-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [Huawei-acl-adv-3001] quit
    

    On endpoint B:

    [Huawei] acl 3001
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [Huawei-acl-adv-3001] quit
    

GRE over IPSec

When a GRE over IPSec tunnel is set up using an ACL, the data flows protected by IPSec are the packets already encapsulated with the GRE header. The source and destination network segments of the ACL are therefore the source and destination addresses of the GRE tunnel, that is, the addresses of the gateway interfaces at both ends.

Assume that the public addresses on endpoints A and B are 1.1.1.1/24 and 1.2.1.1/24, respectively.

Configuration on endpoint A:

[Huawei] acl number 3001
[Huawei-acl-adv-3001] rule permit ip source 1.1.1.1 0 destination 1.2.1.1 0
[Huawei-acl-adv-3001] quit

Configuration on endpoint B:

[Huawei] acl number 3001
[Huawei-acl-adv-3001] rule permit ip source 1.2.1.1 0 destination 1.1.1.1 0
[Huawei-acl-adv-3001] quit

Updated: 2019-04-12

Document ID: EDOC1100041799