Configuration roadmap (policy-template approach)
ike peer fw2
exchange-mode aggressive    (changes the exchange mode to aggressive)
Everything else is the same as for main mode.
Note: aggressive mode also requires remote-address; the remote IP address or domain name must be configured. Huawei does not recommend aggressive mode; the policy-template approach is recommended instead.
[FW1-ipsec-policy-isakmp-ipsec_policy-10]ike-peer fw2
Error: ike peer's remote addresses or domain name should be configed.
Step one: basic configuration
FW1 firewall configuration
#
sysname FW1
#
interface GigabitEthernet0/0/0
ip address 202.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/0
ip address 192.168.1.254 255.255.255.0
service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.254
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
security-policy
default action permit
#
FW2 firewall configuration
#
sysname FW2
#
interface GigabitEthernet0/0/0
ip address 101.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/0
ip address 192.168.2.254 255.255.255.0
service-manage ping permit
#
ip route-static 0.0.0.0 0.0.0.0 101.1.1.254
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
security-policy
default action permit
#
Internet router configuration
#
interface GigabitEthernet0/0/0
ip address 202.1.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 101.1.1.254 255.255.255.0
#
Verification:
Check connectivity between FW1 and PC1
<FW1>ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=128 time=40 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=128 time=60 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=128 time=40 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=128 time=60 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=128 time=50 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/50/60 ms
Check connectivity between FW2 and PC2
[FW2]ping 192.168.2.2
PING 192.168.2.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=128 time=45 ms
Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=128 time=53 ms
Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=128 time=51 ms
Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=128 time=52 ms
Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=128 time=32 ms
--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/46/53 ms
Check connectivity between FW1 and FW2
<FW1>ping 101.1.1.1
PING 101.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 101.1.1.1: bytes=56 Sequence=1 ttl=254 time=30 ms
Reply from 101.1.1.1: bytes=56 Sequence=2 ttl=254 time=20 ms
Reply from 101.1.1.1: bytes=56 Sequence=3 ttl=254 time=40 ms
Reply from 101.1.1.1: bytes=56 Sequence=4 ttl=254 time=20 ms
Reply from 101.1.1.1: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 101.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/28/40 ms
Check connectivity between PC1 and PC2 (expected to fail at this stage)
PC>ping 192.168.2.2
Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Step two: IPsec phase 1 configuration
IKE security proposal
Configure the following on both FW1 and FW2:
ike proposal 10    (note: the proposal has default settings, which can be modified)
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256    (this parameter is not used by IKEv1; it is used by IKEv2)
prf hmac-sha2-256
#
Verification:
[FW1]display ike proposal
2020-03-14 14:25:22.420
Number of IKE Proposals: 2
-------------------------------------------
IKE Proposal: 10
Authentication Method : PRE_SHARED
Authentication Algorithm : SHA2-256
Encryption Algorithm : AES-256
Diffie-Hellman Group : MODP-2048
SA Duration(Seconds) : 86400
Integrity Algorithm : HMAC-SHA2-256
Prf Algorithm : HMAC-SHA2-256
-------------------------------------------
IKE peer configuration
FW1 configuration. Note: with the policy-template approach, remote-address is optional; it can be configured as a network segment or left out.
ike peer fw2                  (name the peer)
pre-shared-key Huawei@123     (when using pre-shared key authentication, configure the key)
ike-proposal 10               (reference the IKE proposal)
undo version 2                (disable IKEv2; IKEv2 is enabled by default)
FW2 Configuration
ike peer fw1
pre-shared-key Huawei@123
ike-proposal 10
undo version 2
remote-address 202.1.1.1
Verification:
[FW1]display ike peer brief
2020-03-14 14:31:19.910
Current ike peer number: 1
---------------------------------------------------------------------------
Peer name Version Exchange-mode Proposal Id-type RemoteAddr
---------------------------------------------------------------------------
fw2 v1 main 10 IP
Step three: IPsec phase 2 configuration
Configure the interesting traffic (that is, the traffic that actually needs to be protected)
FW1:
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
FW2:
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
Note: with IKEv1, the interesting-traffic ACLs on the two peers must mirror each other exactly; if one side's ACL does not cover the other's range, or the two differ, negotiation fails.
IPsec security proposal
Configure the following on both FW1 and FW2:
ipsec proposal 10
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
Verification:
[FW1]display ipsec proposal
2020-03-14 14:33:58.850
Number of proposals: 1
IPSec proposal name: 10
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-256
Encryption AES-256
[FW1]
Configure the IPsec security policy
FW1
#
ipsec policy-template 10 10    (the first 10 is the template name, the second 10 is the sequence number)
security acl 3000              (reference the interesting-traffic ACL)
ike-peer fw2                   (reference the IKE peer)
proposal 10                    (reference the IPsec proposal)
#
ipsec policy ipsec_policy 10 isakmp template 10
FW2
ipsec policy ipsec_policy 10 isakmp    (isakmp means automatic IKE negotiation mode)
security acl 3000              (reference the interesting-traffic ACL)
ike-peer fw1                   (reference the IKE peer)
alias ipsec_policy_10
proposal 10                    (reference the IPsec proposal)
Apply the policy to the physical interface
Configure the following on both FW1 and FW2:
interface GigabitEthernet0/0/0
ipsec policy ipsec_policy
Permit the traffic in the security policy
FW1 configuration
#
security-policy
rule name ipsec1
source-zone local
destination-zone untrust
source-address 202.1.1.0 mask 255.255.255.0
action permit
rule name ipsec2
source-zone untrust
destination-zone local
destination-address 202.1.1.0 mask 255.255.255.0
action permit
rule name ipsec3
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
rule name ipsec4
source-zone untrust
destination-zone trust
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
#
FW2 configuration
#
security-policy
rule name ipsec1
source-zone local
destination-zone untrust
destination-address 202.1.1.0 mask 255.255.255.0
action permit
rule name ipsec2
source-zone untrust
destination-zone local
source-address 202.1.1.0 mask 255.255.255.0
action permit
rule name ipsec3
source-zone trust
destination-zone untrust
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name ipsec4
source-zone untrust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
#
Testing
Unless auto-negotiation (auto-neg) is configured, which it is not by default, the tunnel must be triggered manually by sending interesting traffic.
[FW1]display ike sa    (check the IKE SA; phase 1 problems show up here)
2020-03-14 14:46:10.170
IKE SA information :
Conn-ID Peer *** Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
2 101.1.1.1:500 RD|ST|A v1:2 IP 101.1.1.1
1 101.1.1.1:500 RD|ST|A v1:1 IP 101.1.1.1
Number of IKE SA : 2
--------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
View IPsec SA Information
[FW1]display ipsec sa
2020-03-14 15:16:47.650
ipsec sa information:
===============================
Interface: GigabitEthernet0/0/0
===============================
-----------------------------
IPSec policy name: "ipsec_policy"
Sequence number : 10
Acl group : 3000
Acl rule : 5
Mode : Template
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Holding time : 0d 0h 11m 51s
Tunnel local : 202.1.1.1:500
Tunnel remote : 101.1.1.1:500
Flow source : 192.168.1.0/255.255.255.0 0/0-65535
Flow destination : 192.168.2.0/255.255.255.0 0/0-65535
[Outbound ESP SAs]
SPI: 190568358 (0xb5bd7a6)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/2889
Max sent sequence-number: 7
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 6/360
[Inbound ESP SAs]
SPI: 194468180 (0xb975954)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 10485760/2889
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 4/240
Anti-replay : Enable
Anti-replay window size: 1024
[FW1]
View encryption and decryption statistics
[FW1]display ipsec statistics
2020-03-14 15:17:20.770
IPSec statistics information:
Number of IPSec tunnels: 1
Number of standby IPSec tunnels: 0
the security packet statistics:
input/output security packets: 4/6
input/output security bytes: 240/360
input/output dropped security packets: 0/5
the encrypt packet statistics:
send chip: 6, recv chip: 6, send err: 0
local cpu: 6, other cpu: 0, recv other cpu: 0
intact packet: 6, first slice: 0, after slice: 0
the decrypt packet statistics:
send chip: 4, recv chip: 4, send err: 0
local cpu: 4, other cpu: 0, recv other cpu: 0
reass first slice: 0, after slice: 0
dropped security packet detail:
can not find SA: 0, wrong SA: 0
authentication: 0, replay: 0
front recheck: 0, after recheck: 0
change cpu enc: 0, dec change cpu: 0
fib search: 0, output l3: 0
flow err: 5, slice err: 0, byte limit: 0
slave drop: 0
negotiate about packet statistics:
IKE fwd packet ok: 5, err: 0
IKE ctrl packet inbound ok: 5, outbound ok: 4
SoftExpr: 0, HardExpr: 0, DPDOper: 0
trigger ok: 0, switch sa: 1, sync sa: 0
recv IKE nat keepalive: 0, IKE input: 0
[FW1]
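When troubleshooting a tunnel, the "dropped security packet detail" counters above are what to read first. The following is an added example (not from the page or from Huawei) that parses a constructed excerpt of the "display ipsec statistics" output shown above and returns the dropped-packet counts and the drop reasons that are non-zero.

```python
import re

# Constructed excerpt of the 'display ipsec statistics' output shown on the page
SAMPLE_STATS = """IPSec statistics information:
  Number of IPSec tunnels: 1
  the security packet statistics:
    input/output security packets: 4/6
    input/output security bytes: 240/360
    input/output dropped security packets: 0/5
  dropped security packet detail:
    can not find SA: 0, wrong SA: 0
    authentication: 0, replay: 0
    front recheck: 0, after recheck: 0
    change cpu enc: 0, dec change cpu: 0
    fib search: 0, output l3: 0
    flow err: 5, slice err: 0, byte limit: 0
    slave drop: 0
  negotiate about packet statistics:
    IKE fwd packet ok: 5, err: 0
"""

# "name: value" pairs; several may share one line, separated by commas
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?):\s*(\d+)")

def section_counters(output, section):
    """Return {counter name: value} for the counter lines under the given section header."""
    counters, inside = {}, False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.endswith(":"):          # a bare header line starts a new section
            inside = stripped[:-1] == section
            continue
        if inside:
            for name, value in COUNTER_RE.findall(stripped):
                counters[name.strip()] = int(value)
    return counters

def dropped_packets(output):
    """(input, output) dropped security packet counts, or None if the line is absent."""
    m = re.search(r"input/output dropped security packets:\s*(\d+)/(\d+)", output)
    return (int(m.group(1)), int(m.group(2))) if m else None

def nonzero_drop_reasons(output):
    """Only the drop-reason counters that are non-zero; an empty dict means no drops."""
    detail = section_counters(output, "dropped security packet detail")
    return {name: count for name, count in detail.items() if count}

if __name__ == "__main__":
    print("dropped in/out:", dropped_packets(SAMPLE_STATS))    # (0, 5)
    print("reasons:", nonzero_drop_reasons(SAMPLE_STATS))      # {'flow err': 5}
```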
Note: if the peer is a Huawei router
ipsec proposal 10
esp authentication-algorithm sha1    (note the router vs. firewall difference: the ESP authentication algorithm is SHA1)
esp encryption-algorithm aes-128