Detailed IPsec VPN configuration between two Huawei USG6300 series firewalls
Conditions:
                    FW1                    FW2
Egress line:        111.111.111.146        222.222.222.150
Intranet VLAN:      192.168.100.0/24       172.16.100.0/24
Goal: build an IPsec VPN between the two firewalls so that the intranet behind each end can reach the intranet behind the other.
Configuration steps:
FW1:
- Configure the egress line so that FW1 can reach the external network normally:
Click Network - Interface:
Configure port wan0/0/1 as an untrust-zone interface with IP address 111.111.111.146/30 and gateway 111.111.111.145.
Configure static routing:
Click Network - Static Route and add a default static route (0.0.0.0/0) with next hop 111.111.111.145, so that all Internet-bound packets leave via wan0/0/1.
Configure the security policy:
Create a security policy that allows the internal network (trust zone) to access the external network (untrust zone).
Configure a NAT policy so that intranet hosts reach the Internet through the firewall's public address:
Click Policy - NAT Policy, create a new NAT policy, and select source address translation (source NAT) for traffic from the intranet to the untrust zone.
- Configure IPsec
Click Network - IPsec, create a new IPsec policy, select point-to-point mode, and set the two negotiation phases:
Phase 1 (IKE): peer address 222.222.222.150, authentication by pre-shared key, the IKE version, and the IKE proposal (encryption algorithm, integrity algorithm and DH group).
Phase 2 (IPsec): the protected traffic (local 192.168.100.0/24 to remote 172.16.100.0/24), the ESP proposal algorithms and the PFS group.
Prefer IKEv2 with AES-256, SHA2-256 and DH group 14 or higher; the DES/3DES, MD5/SHA1 and DH group 1/2 options that older defaults still offer are no longer considered secure.
- Configure static routes:
Click Network - Static Route:
Create a static route to the peer intranet (172.16.100.0/24) with the egress-line gateway 111.111.111.145 as next hop, so that the traffic is forwarded out of the interface the IPsec policy is bound to and is encrypted there.
Create a black hole route for the peer's summary range to prevent routing loops.
- Configure the security policies:
Click Policy - Security Policy, create a new security policy, and allow the local VLAN to access the peer's intranet VLAN.
The static route may cover the peer's whole summary range; the security policy then restricts which specific VLANs may actually talk to each other:
Then configure the reverse security policy for traffic returning from the peer,
i.e. which peer VLANs are allowed to access the local intranet:
Configure a security policy from the firewall itself (local zone) to the external network, and the reverse direction, so that the IKE negotiation (UDP 500 and 4500) and the ESP packets are permitted:
In the NAT policy, add a rule that exempts traffic between the two intranets from address translation (no-NAT) and place it above the Internet source-NAT rule: NAT is applied before the IPsec policy is matched, so translated packets would no longer match the protected-traffic definition and would leave the firewall unencrypted.
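As an added illustration, not taken from the original page (whose screenshots are not reproduced here), the following is the CLI equivalent of the FW1 steps above in Huawei VRP syntax. The interface name GigabitEthernet0/0/1 (standing in for the page's wan0/0/1), the zone, rule and proposal names, the IKE/IPsec algorithms, the IKEv2 setting and the pre-shared-key placeholder are all assumptions; exact command forms differ between USG6000 software versions, so check each against the device's own command reference before pasting. Lines beginning with `#` are comments.

```text
# FW1 - assumed CLI equivalent of the web-UI steps (example, not the page's own configuration)
sysname FW1
#
# Egress interface (page: wan0/0/1) placed in the untrust zone
interface GigabitEthernet0/0/1
 ip address 111.111.111.146 255.255.255.252
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
# Default route to the ISP gateway
ip route-static 0.0.0.0 0.0.0.0 111.111.111.145
# Peer intranet via the egress gateway, so traffic reaches the IPsec-bound interface
ip route-static 172.16.100.0 255.255.255.0 111.111.111.145
# Black hole for the rest of the peer's summary range (the page's loop-prevention route)
ip route-static 172.16.0.0 255.255.0.0 NULL0
#
# Protected traffic (Phase 2 "interesting traffic"); FW2 uses the mirror image
acl number 3000
 rule 5 permit ip source 192.168.100.0 0.0.0.255 destination 172.16.100.0 0.0.0.255
#
# Phase 1: IKE proposal (assumed algorithms) and peer; IKEv2 syntax assumed V500-style
ike proposal 10
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
 dh group14
 authentication-method pre-share
#
ike peer fw2
 version 2
 ike-proposal 10
 pre-shared-key cipher REPLACE-WITH-A-LONG-RANDOM-PSK
 remote-address 222.222.222.150
#
# Phase 2: ESP with AES-256 / SHA2-256
ipsec proposal prop1
 transform esp
 esp encryption-algorithm aes-256
 esp authentication-algorithm sha2-256
#
ipsec policy site2site 10 isakmp
 security acl 3000
 ike-peer fw2
 proposal prop1
#
# Bind the IPsec policy to the egress interface
interface GigabitEthernet0/0/1
 ipsec policy site2site
#
security-policy
 rule name trust_to_internet
  source-zone trust
  destination-zone untrust
  source-address 192.168.100.0 mask 255.255.255.0
  action permit
 rule name vlan100_to_peer_vlan100
  source-zone trust
  destination-zone untrust
  source-address 192.168.100.0 mask 255.255.255.0
  destination-address 172.16.100.0 mask 255.255.255.0
  action permit
 rule name peer_vlan100_to_vlan100
  source-zone untrust
  destination-zone trust
  source-address 172.16.100.0 mask 255.255.255.0
  destination-address 192.168.100.0 mask 255.255.255.0
  action permit
# Firewall itself <-> peer public address: carries IKE (UDP 500/4500) and ESP
 rule name local_to_peer
  source-zone local
  destination-zone untrust
  destination-address 222.222.222.150 mask 255.255.255.255
  action permit
 rule name peer_to_local
  source-zone untrust
  destination-zone local
  source-address 222.222.222.150 mask 255.255.255.255
  action permit
#
# NAT: the no-NAT rule must come before the Internet source-NAT rule
nat-policy
 rule name no_nat_site2site
  source-zone trust
  destination-zone untrust
  source-address 192.168.100.0 mask 255.255.255.0
  destination-address 172.16.100.0 mask 255.255.255.0
  action no-nat
 rule name internet_snat
  source-zone trust
  destination-zone untrust
  source-address 192.168.100.0 mask 255.255.255.0
  action source-nat easy-ip
#
# FW2 mirrors this with the roles swapped: ip address 222.222.222.150,
# remote-address 111.111.111.146, ACL source 172.16.100.0 / destination 192.168.100.0,
# routes to 192.168.100.0/24 plus a black hole for 192.168.0.0/16, and the same
# PSK, IKE proposal and IPsec proposal.
```

Two points to note in this example: the local-zone rules are restricted to the peer's public address rather than the whole untrust zone, which is tighter than the page's "firewall to external network" rule while still letting IKE and ESP through; and the no-NAT rule is listed first because Huawei matches NAT policy top-down before the IPsec policy is consulted.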
At this point FW1 is configured; now configure FW2:
FW2:
- Likewise configure the egress line so that FW2 can reach the Internet normally.
Click Network - Interface:
Configure the untrust interface with IP address 222.222.222.150:
Configure static routing:
Click Network - Route - Static Route and add the default route to FW2's ISP gateway:
Configure the security policy:
Click Policy - Security Policy:
Allow access from the internal network and from the firewall itself (local zone) to the external network:
Configure mutual access between the firewall (local zone) and the intranet (trust zone):
Configure the NAT policy for source address translation of Internet-bound traffic:
At this point both the internal network and the firewall itself should be able to reach the external network normally.
- Configure IPsec
Click Network - IPsec, create a new IPsec policy:
Phase 1 (IKE): peer address 111.111.111.146, and the same pre-shared key, IKE version and IKE proposal as on FW1.
Phase 2 (IPsec): protected traffic local 172.16.100.0/24 to remote 192.168.100.0/24 (the mirror image of FW1's definition), with the same ESP proposal and PFS setting.
The parameters at both ends must match, and the protected-traffic definitions must be mirror images of each other, otherwise the negotiation fails.
- Configure static routes:
Configure a static route to the peer firewall's public address 111.111.111.146:
Configure a static route to the peer intranet 192.168.100.0/24 with the egress gateway as next hop:
Configure a black hole route for the peer's summary range to prevent routing loops:
- Configure the security policies:
Configure a security policy that allows the local VLAN to access the peer intranet:
Configure the reverse security policy that allows the peer VLAN to access the local intranet:
- Configure the NAT policy
Click Policy - NAT Policy and create a no-NAT rule, above the source-NAT rule, so that traffic between the two intranets is not translated.
Once both ends are configured, the IPsec tunnel should negotiate successfully and the two intranets can reach each other.
- Verification:
After the configuration is complete, ping the peer intranet address from a host on the local intranet, or run tracert -d (Windows) / traceroute (Linux) to it, to confirm that the two ends communicate. On the firewall, display ike sa and display ipsec sa should show the negotiated SAs with the peer. If no IKE SA appears, re-check the pre-shared key, the proposals and the local-zone security policy; if the IKE SA is up but the IPsec SA is missing, re-check the mirrored protected-traffic definitions and the no-NAT rule.