HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Configuring IPSec

Procedure

  1. Configure IPSec on FW_A.
    1. Apply for certificates online for FW_A using SCEP.

      1. Create a 2048-bit RSA key pair rsa_scep, and set it to be exportable from the device.

        HRP_M[FW_A] pki rsa local-key-pair create rsa_scep exportable
         Info: The name of the new RSA key will be: rsa_scep                            
         The size of the public key ranges from 2048 to 4096.                            
         Input the bits in the modules:2048                           
         Generating keys...                                                             
        ......++++++                                                                    
        .....................................++++++                                     
        
      2. Configure entity information.

        HRP_M[FW_A] pki entity ngfwa
        HRP_M[FW_A-pki-entity-ngfwa] common-name hello
        HRP_M[FW_A-pki-entity-ngfwa] country cn
        HRP_M[FW_A-pki-entity-ngfwa] email test@user.com
        HRP_M[FW_A-pki-entity-ngfwa] fqdn test.abc.com
        HRP_M[FW_A-pki-entity-ngfwa] ip-address 3.1.1.1
        HRP_M[FW_A-pki-entity-ngfwa] state jiangsu
        HRP_M[FW_A-pki-entity-ngfwa] organization huawei
        HRP_M[FW_A-pki-entity-ngfwa] organization-unit info
        HRP_M[FW_A-pki-entity-ngfwa] quit
        
      3. Apply for certificates online using SCEP, and update the certificates.

        NOTE:
        Obtain the fingerprint of the CA certificate from the CA server through a channel other than the SCEP enrollment itself; the FW compares the CA certificate it receives against this fingerprint, which is what protects the enrollment against a spoofed CA. This example assumes that the CA server processes certificate applications with the challenge password "6AE73F21E6D3571D", that the challenge password and fingerprint are obtained from http://9.1.2.4:80/certsrv/mscep_admin, that the SHA-1 fingerprint of the CA certificate is 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF, and that the enrollment URL is http://9.1.2.4:80/certsrv/mscep/mscep.dll.
        HRP_M[FW_A] pki realm abc
        # Configure a trusted CA.
        HRP_M[FW_A-pki-realm-abc] ca id ca_root
        # Bind the entity.
        HRP_M[FW_A-pki-realm-abc] entity ngfwa
        # Configure the CA certificate fingerprint, for example 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF.
        HRP_M[FW_A-pki-realm-abc] fingerprint sha1 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF
        # Configure the enrollment URL used to request a certificate from the CA (through the RA).
        HRP_M[FW_A-pki-realm-abc] enrollment-url http://9.1.2.4:80/certsrv/mscep/mscep.dll ra
        # Specify the RSA key pair used to apply for the certificate.
        HRP_M[FW_A-pki-realm-abc] rsa local-key-pair rsa_scep
        # Specify the challenge password, for example 6AE73F21E6D3571D.
        HRP_M[FW_A-pki-realm-abc] password cipher 6AE73F21E6D3571D
        HRP_M[FW_A-pki-realm-abc] quit

        The obtained CA, RA, and local certificates are named ngfwa_ca.cer, ngfw_ra.cer, and ngfwa_local.cer respectively and are stored on the CF card.

      4. Install the certificates.

        # Import the CA and RA certificates to the memory.

        HRP_M[FW_A] pki import-certificate ca filename ngfwa_ca.cer
        HRP_M[FW_A] pki import-certificate ca filename ngfw_ra.cer

        # Import the local certificate to the memory.

        HRP_M[FW_A] pki import-certificate local filename ngfwa_local.cer

    2. Configure an IPSec policy on FW_A, and apply the IPSec policy to the interfaces.

      1. Define the protected data streams.
        NOTE:
        There may be hundreds or even thousands of eNodeBs on the live network. When defining the ACL rules, the destination network segments must cover the Service IP addresses of all eNodeBs, so that all user-plane (UP) and control-plane (CP) traffic returned by the EPC to the eNodeBs enters the IPSec tunnel; any eNodeB address outside the ACL is forwarded in the clear. Two eNodeB network segments are used to illustrate the configuration.
        HRP_M[FW_A] acl 3000
        HRP_M[FW_A-acl-adv-3000] rule permit ip source 8.1.1.0 0.0.0.255 destination 6.1.0.0 0.0.255.255
        HRP_M[FW_A-acl-adv-3000] rule permit ip source 8.1.1.0 0.0.0.255 destination 7.1.0.0 0.0.255.255
        HRP_M[FW_A-acl-adv-3000] quit
      2. Configure the IPSec proposal.
        HRP_M[FW_A] ipsec proposal tran1
        HRP_M[FW_A-ipsec-proposal-tran1] transform esp
        HRP_M[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
        HRP_M[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
        HRP_M[FW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
        HRP_M[FW_A-ipsec-proposal-tran1] quit
      3. Configure the IKE proposal.
        NOTE:
        The proposal must match one that the eNodeB supports. dh group2 is the 1024-bit MODP group, which current IKE guidance (RFC 8247) rates as SHOULD NOT; prefer group14 (2048-bit MODP) or a stronger group where the eNodeB supports it.
        HRP_M[FW_A] ike proposal 10
        HRP_M[FW_A-ike-proposal-10] authentication-method rsa-signature
        HRP_M[FW_A-ike-proposal-10] encryption-algorithm aes-256
        HRP_M[FW_A-ike-proposal-10] dh group2
        HRP_M[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
        HRP_M[FW_A-ike-proposal-10] quit
      4. Configure the IKE peer.
        HRP_M[FW_A] ike peer eNodeB
        HRP_M[FW_A-ike-peer-eNodeB] ike-proposal 10
        HRP_M[FW_A-ike-peer-eNodeB] local-id-type dn
        HRP_M[FW_A-ike-peer-eNodeB] remote-id-type dn
        HRP_M[FW_A-ike-peer-eNodeB] certificate local-filename ngfwa_local.cer
        # CN=eNodeB is the subject field value of the eNodeB's device certificate; it is the identity the FW expects from the peer, and a mismatch fails IKE authentication.
        HRP_M[FW_A-ike-peer-eNodeB] remote-id /CN=eNodeB
        # Disable IKEv1 so that only IKEv2 is negotiated with the eNodeB.
        HRP_M[FW_A-ike-peer-eNodeB] undo version 1
        HRP_M[FW_A-ike-peer-eNodeB] quit
      5. Configure policy template policy1, and reference the policy template in IPSec policy group map1.

        The FW supports IPSec dynamic reverse route injection, which automatically generates the route to the Service IP address of the eNodeB. The route is created when the IPSec tunnel comes up and deleted when the tunnel fails. Because the generated static route is tied to the IPSec tunnel state, traffic is not forwarded toward a tunnel that is down.

        HRP_M[FW_A] ipsec policy-template policy1 1
        HRP_M[FW_A-ipsec-policy-template-policy1-1] security acl 3000
        HRP_M[FW_A-ipsec-policy-template-policy1-1] proposal tran1
        HRP_M[FW_A-ipsec-policy-template-policy1-1] ike-peer eNodeB
        HRP_M[FW_A-ipsec-policy-template-policy1-1] route inject dynamic
        HRP_M[FW_A-ipsec-policy-template-policy1-1] quit
        HRP_M[FW_A] ipsec policy map1 10 isakmp template policy1
        
      6. Configure the OSPF dynamic route to the EPC.

        Import the routes generated by IPSec dynamic reverse route injection into OSPF process 2, so that the response traffic from the EPC to the eNodeBs is forwarded to the FW. The next hop of these routes is the Tunnel interface of the IPSec tunnel.

        HRP_M[FW_A] ospf 2
        # UNR (user network route) is the route type of the routes injected by IPSec; importing it advertises the eNodeB routes to the EPC side.
        HRP_M[FW_A-ospf-2] import-route unr
        HRP_M[FW_A-ospf-2] area 1.1.1.1
        HRP_M[FW_A-ospf-2-area-1.1.1.1] network 1.1.2.0 0.0.0.3
        HRP_M[FW_A-ospf-2-area-1.1.1.1] quit
        HRP_M[FW_A-ospf-2] area 1.1.2.1
        HRP_M[FW_A-ospf-2-area-1.1.2.1] network 1.1.3.0 0.0.0.3
        HRP_M[FW_A-ospf-2-area-1.1.2.1] quit
        HRP_M[FW_A-ospf-2] area 1.1.3.1
        HRP_M[FW_A-ospf-2-area-1.1.3.1] network 1.1.4.0 0.0.0.3
        HRP_M[FW_A-ospf-2-area-1.1.3.1] quit
        HRP_M[FW_A-ospf-2] quit
        
      7. Apply the IPSec policy group map1 to the Tunnel interface.
        HRP_M[FW_A] interface Tunnel 1
        HRP_M[FW_A-Tunnel1] ipsec policy map1
        HRP_M[FW_A-Tunnel1] quit
        

  2. Configure IPSec on FW_B.

    NOTE:
    After hot standby (HRP) is enabled, all configuration of FW_A except the routing configuration is synchronized to FW_B automatically, so only the OSPF configuration needs to be entered on FW_B.

    Import the routes generated by IPSec dynamic reverse route injection into OSPF process 2, so that the response traffic from the EPC to the eNodeBs is forwarded to the FW. The next hop of these routes is the Tunnel interface of the IPSec tunnel.

    HRP_M[FW_B] ospf 2
    HRP_M[FW_B-ospf-2] import-route unr
    HRP_M[FW_B-ospf-2] area 1.1.1.1
    HRP_M[FW_B-ospf-2-area-1.1.1.1] network 5.1.2.0 0.0.0.3
    HRP_M[FW_B-ospf-2-area-1.1.1.1] quit
    HRP_M[FW_B-ospf-2] area 1.1.2.1
    HRP_M[FW_B-ospf-2-area-1.1.2.1] network 5.1.3.0 0.0.0.3
    HRP_M[FW_B-ospf-2-area-1.1.2.1] quit
    HRP_M[FW_B-ospf-2] area 1.1.3.1
    HRP_M[FW_B-ospf-2-area-1.1.3.1] network 5.1.4.0 0.0.0.3
    HRP_M[FW_B-ospf-2-area-1.1.3.1] quit
    HRP_M[FW_B-ospf-2] quit
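
As an added check, not part of the original Huawei document, the following Python script applies the note under "Define the protected data streams": it parses the advanced ACL rules of FW_A with Huawei wildcard-mask semantics (first matching rule wins, a 1 bit in the wildcard means "don't care", and the bits need not be contiguous) and reports which eNodeB Service IP addresses would not be permitted into the IPSec tunnel. The ACL text, the eNodeB inventory, and the EPC address 8.1.1.10 are constructed sample input, so the script runs offline; it goes beyond the two-rule ACL on the page in that it also handles deny rules, the any keyword, and non-contiguous wildcards.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample input: the advanced ACL configured on FW_A above, as it
# appears in "display current-configuration" (rule numbers are assigned by the
# device; the parser also accepts the unnumbered form typed at the CLI).
ACL_3000 = """
acl number 3000
 rule 5 permit ip source 8.1.1.0 0.0.0.255 destination 6.1.0.0 0.0.255.255
 rule 10 permit ip source 8.1.1.0 0.0.0.255 destination 7.1.0.0 0.0.255.255
"""

# Constructed eNodeB inventory: Service IP addresses that must be reachable
# through the tunnel. 10.1.1.1 is deliberately outside both destination ranges.
ENODEB_SERVICE_IPS = ["6.1.5.9", "7.1.200.1", "10.1.1.1"]
EPC_ADDRESS = "8.1.1.10"          # assumed address inside the protected source range

ANY = 0xFFFFFFFF                  # wildcard meaning "every bit is don't-care"


class Rule(NamedTuple):
    action: str      # "permit" or "deny"
    src: int         # source network address as a 32-bit integer
    src_wc: int      # source wildcard mask; a 1 bit means "ignore this bit"
    dst: int
    dst_wc: int


# Only IP rules in the "address wildcard" or "any" form are handled, which is
# what an IPSec protection ACL uses; any other rule line raises so that it is
# not silently ignored.
RULE_RE = re.compile(
    r"^rule\s+(?:\d+\s+)?(permit|deny)\s+ip"
    r"(?:\s+source\s+(?:any|(\S+)\s+(\S+)))?"
    r"(?:\s+destination\s+(?:any|(\S+)\s+(\S+)))?\s*$"
)


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_acl(text: str) -> List[Rule]:
    """Parse the rule lines of a Huawei advanced ACL into Rule tuples."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("rule"):
            continue                       # "acl number 3000" and blank lines
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACL rule: {line}")
        action, src, src_wc, dst, dst_wc = m.groups()
        rules.append(Rule(
            action,
            ip_to_int(src) if src else 0, ip_to_int(src_wc) if src_wc else ANY,
            ip_to_int(dst) if dst else 0, ip_to_int(dst_wc) if dst_wc else ANY,
        ))
    return rules


def wildcard_match(ip: int, net: int, wc: int) -> bool:
    """True if ip falls in net/wildcard. Wildcard bits need not be contiguous,
    so this masks and compares instead of converting to a prefix length."""
    care = ~wc & 0xFFFFFFFF
    return (ip & care) == (net & care)


def lookup(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """Action of the first rule matching the src -> dst flow, or None when no
    rule matches (such traffic bypasses the tunnel and is sent in the clear)."""
    s, d = ip_to_int(src), ip_to_int(dst)
    for r in rules:
        if wildcard_match(s, r.src, r.src_wc) and wildcard_match(d, r.dst, r.dst_wc):
            return r.action
    return None


def unprotected_enodebs(rules: List[Rule], epc_addr: str,
                        enodeb_addrs: List[str]) -> List[str]:
    """eNodeB Service IPs for which EPC -> eNodeB traffic is not permitted into
    the tunnel by the ACL (no matching rule, or a matching deny rule)."""
    return [e for e in enodeb_addrs if lookup(rules, epc_addr, e) != "permit"]


if __name__ == "__main__":
    rules = parse_acl(ACL_3000)
    missing = unprotected_enodebs(rules, EPC_ADDRESS, ENODEB_SERVICE_IPS)
    print(f"{len(rules)} rules parsed; unprotected eNodeBs: {missing}")
```

Run it against the output of display current-configuration and the eNodeB inventory from the network management system before cutting traffic over to the tunnel; any address it lists is one whose EPC-to-eNodeB traffic would be forwarded unencrypted.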
    

Updated: 2019-01-26

Document ID: EDOC1100062972