Shulou(Shulou.com)06/01 Report--

This article introduces the configuration method of IPSEC virtual private network on Huawei firewall. There is no plan for NAT in this model.

Configuration steps:

I. configure the interface

Second, configure the security zone

Third, configure security policy

Fourth, configure static routes

5. Configure IPSEC

1. Ike proposal

2. Ike peer

3. Ipsec proposal

4. ACL

5. Ipsec policy

# call ACL, IPSEC Proposal, ike peer

6. Call IPSEC policy on the public network interface

Detailed configuration

I. configure the interface

# the first step is to configure the IP address of the interface, and configure the public network and private network interfaces with IP

Interface GigabitEthernet1/0/1

Ip address 1.1.3.1 255.255.255.0

#

#

Interface GigabitEthernet1/0/3

Ip address 10.1.1.1 255.255.255.0

Second, configure the security zone

# configure the private network interface g1amp 0swap 3 to the Trust area, and the public network interface G1max 0lem1 to the Untrust area

Firewall zone trust

Add interface GigabitEthernet1/0/3

#

Firewall zone untrust

Add interface GigabitEthernet1/0/1

Third, configure security policy

# configure security policies. Here are four policies

# the first policy is the security policy from the Tust of this firewall to the private network IP segment of the peer.

# the second policy is the security policy from the private network IP segment of the peer to the Trust area of this firewall.

# the third policy is the security policy between local public network IP and peer public network IP

# the fourth policy is the security policy between the peer public network IP and the local public network IP

Security-policy

Rule name policy1

Source-zone trust

Destination-zone untrust

Source-address 10.1.1.0 mask 255.255.255.0

Destination-address 10.1.2.0 mask 255.255.255.0

Action permit

Rule name policy2

Source-zone untrust

Destination-zone trust

Source-address 10.1.2.0 mask 255.255.255.0

Destination-address 10.1.1.0 mask 255.255.255.0

Action permit

Rule name policy3

Source-zone local

Destination-zone untrust

Source-address 1.1.3.1 mask 255.255.255.255

Destination-address 1.1.5.1 mask 255.255.255.255

Action permit

Rule name policy4

Source-zone untrust

Destination-zone local

Source-address 1.1.5.1 mask 255.255.255.255

Destination-address 1.1.3.1 mask 255.255.255.255

Action permit

# the IPSEC trigger of Huawei FW needs to be triggered by private network traffic access. When the FW_1 receives the traffic from PC1 to PC2, 10.1.1.0-- > 10.1.2.0, so the security policy requires that the traffic from the local private network to the peer private network is allowed to pass.

# after the firewall receives this packet, it looks up the routing table and finds that it should be sent to the public network interface G1AGUAGUP 1, and the Policy of IPSEC is applied under this interface, and this traffic matches the flow of interest of Policy, so it will trigger × × negotiation.

Fourth, configure static routes

Ip route-static 1.1.5.0 255.255.255.0 1.1.3.254 # Route to the peer public network IP

Ip route-static 10.1.2.0 255.255.255.0 1.1.3.254 # Route to the peer private network IP

5. Configure IPSEC

Acl number 3000

Rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

# configure a stream of interest. The ACL of the stream of interest at both ends needs to be mirrored. Again, it needs to be mirrored. That is, compared with the local end, the ACL of the peer can only swap the source destination, but cannot change the network segment or become a subset.

#

Ike proposal 10

Encryption-algorithm aes-256

Dh group14

Authentication-algorithm sha2-256

Authentication-method pre-share

Integrity-algorithm hmac-sha2-256

Prf hmac-sha2-256

# in fact, this is the default, which is already very secure. in the early years, Cisco routers were all configured with DES and MD5.

Ike peer b

Pre-shared-key Test!1234

Ike-proposal 10

Remote-address 1.1.5.1

# the version of IKE can be configured here. Huawei initiated the negotiation of IKE v2 by default

[FW_A-ike-peer-b] version?

1 Only V1 SA's can be created

2 Only V2 SA's can be created

# you can also choose whether the mode of Pashe 1 is the main mode or the savage mode. The default is the main mode. Both sides have a fixed public network IP, and you can use the main mode when there is no traversing NAT device in the middle. If one end is PPPOE dialing, use savage mode.

[FW_A-ike-peer-b] exchange-mode?

Aggressive Aggressive mode

Auto Auto mode

Main Main mode

Ipsec proposal tran1

Esp authentication-algorithm sha2-256

Esp encryption-algorithm aes-256

# the default encapsulation mode is tunnel mode. When the route between two communication points is reachable, transport mode is used. When the route is unreachable, tunnel mode is required.

[FW_A-ipsec-proposal-tran1] encapsulation-mode?

Auto Specify automatic mode. The responder can accept negotiations in

Transport or tunnel mode. The initiator initiates negotiations in

Tunnel mode

Transport Only the payload of IP packet is protected (transport mode)

Tunnel The entire IP packet is protected (tunnel mode)

Ipsec policy map1 10 isakmp

Security acl 3000

Ike-peer b

Proposal tran1

# Policy needs to call three parameters, which can be said to associate the previously configured information, 1. Stream of interest 2. Ike-peer 3. Transform set when IPSEC negotiates.

Interface GigabitEthernet1/0/1

Ipsec policy map1

# call ipsec policy on the public network interface

This article only lists the configuration information of the first firewall, and the configuration information of the second firewall can refer to the configuration of the first firewall.

If the configuration doesn't work, congratulations, it's normal. A mismatch between any of the parameters when configuring IKE and IPSEC will result in a failure. Then we can remove the obstacles in the following ways

1. [FW_A] display ike sa

# normally, there are two ike associated, one for each stage, and then the flag information is:

RD--READY: indicates that this SA has been established successfully.

ST--STAYALIVE: indicates that this end is the initiator of channel negotiation.

# there is no ST information at the other end of the flag information, only RD | A

2019-07-16 12 purl 1314 03.740

IKE SA information:

Conn-ID Peer × × Flag (s) Phase RemoteType RemoteID

-

2 1.1.5.1 IP 500 RD | ST | A v2 IP 1.1.5.1

1 1.1.5.1 IP 500 RD | ST | A v2 IP 1.1.5.1

Number of IKE SA: 2

-

Flag Description:

RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP

M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

Display ipsec sa

# SA of the second stage

2019-07-16 12 1515 39.990

Ipsec sa information:

= =

Interface: GigabitEthernet1/0/1

= =

-

IPSec policy name: "map1"

Sequence number: 10

Acl group: 3000

Acl rule: 5

Mode: ISAKMP

-

Connection ID: 2

Encapsulation mode: Tunnel

Holding time: 0d 0h 27m 45s

Tunnel local: 1.1.5.1:500

Tunnel remote: 1.1.3.1:500

Flow source: 10.1.2.0 Universe 255.255.255.0 Universe 0-65535

Flow destination: 10.1.1.0 amp 255.255.255.0 0-65535

[Outbound ESP SAs]

SPI: 197382210 (0xbc3d042)

Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256128

SA remaining key duration (kilobytes/sec): 10485666Universe 1935

Max sent sequence-number: 1606

UDP encapsulation used for NAT traversal: N

SA encrypted packets (number/bytes): 1605 Universe 96300

[Inbound ESP SAs]

SPI: 196813874 (0xbbb2432)

Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256128

SA remaining key duration (kilobytes/sec): 10485666Universe 1935

Max received sequence-number: 1600

UDP encapsulation used for NAT traversal: N

SA decrypted packets (number/bytes): 1619 Universe 97140

Anti-replay: Enable

Anti-replay window size: 1024

The above two methods can only check errors. If you want to troubleshoot dynamically, three methods are recommended in the experimental environment.

First, the debug method, this method can find out where the error will be reported, and requires a certain degree of skill.

Termial monitor

Terminal debugging

Debugging ikev2 [error | all]

Second, grab the package: grab the package in the ENSP environment to see the status of the data

Third, knock on the experiment once a day for ten days in a row. If you knock on the experiment for the first few times, there will be problems, and you will check one place at a time.

Before conducting the experiment, there is some knowledge that needs to be prepared in advance:

Encryption principles: symmetric encryption, asymmetric encryption

Hash algorithm

The relationship between ISAKMP and IKE

DH algorithm, you can go to Wikipedia to see, there is a very good document.

The respective roles of Pashe1 and Pahase2

Characteristics of AH and ESP

Pre-shared key: the pre-share-key we configured is not a key for encryption, it is just a parameter for authentication; the encrypted key is the same symmetric encryption key calculated by the DH algorithm through the exchange of key material.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.