Configuring IPSec tunnel-based link backup on the USG6000

Tunnel-based link backup applies to a scenario in which IPSec tunnels are established between multiple public network egresses at one end and the remote end. The configuration procedure differs only slightly from the common IPSec configuration procedure.
The configuration procedure and roadmap are as follows:
1. Complete basic configurations, including setting IP addresses and assigning interfaces to security zones.
2. Create a tunnel interface and assign the tunnel interface to a security zone.
3. Configure a route (usually a static route) to the Internet on the NGFW.
4. Create an ACL to define the data flow to be protected.
5. Configure the security policy.
6. Configure an IPSec proposal.
7. Configure an IKE proposal.
8. Configure an IKE peer.
9. Configure an IPSec policy.
10. Apply the IPSec policy.
Operation steps
Only the key configurations related to tunneling are provided here. For the other basic configurations, such as the security policy, see the complete configuration examples.

Key configuration steps on USG_A (NGFW_A in the command prompts; the end with multiple egresses):
1. Configure a tunnel interface and assign it to a security zone.
[NGFW_A] interface tunnel 0
[NGFW_A-tunnel0] tunnel-protocol ipsec
[NGFW_A-tunnel0] ip address 10.1.0.2 24
[NGFW_A-tunnel0] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface tunnel 0
[NGFW_A-zone-untrust] quit
2. Configure routes.
[NGFW_A] ip route-static 10.4.0.0 255.255.255.0 tunnel 0 //Configure the route to the peer intranet to pass through the tunnel interface.
[NGFW_A] ip route-static 4.4.4.4 32 1.1.1.254
[NGFW_A] ip route-static 4.4.4.4 32 2.2.2.254
[NGFW_A] ip route-static 4.4.4.4 32 3.3.3.254 //Configure equal-cost routes to the peer interface through the three egresses, so that traffic to the peer can fail over between egresses while the IPSec tunnel stays bound to the tunnel interface.

3. Create an ACL to define the data flow to be protected.
[NGFW_A] acl 3000
[NGFW_A-acl-adv-3000] rule permit ip source 10.3.0.0 0.0.0.255 destination 10.4.0.0 0.0.0.255
[NGFW_A-acl-adv-3000] quit
4. Configure an IPSec proposal.
[NGFW_A] ipsec proposal tran1
[NGFW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_A-ipsec-proposal-tran1] transform esp
[NGFW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_A-ipsec-proposal-tran1] quit
5. Configure an IKE proposal and an IKE peer.
[NGFW_A] ike proposal 10
[NGFW_A-ike-proposal-10] quit //The default IKE proposal parameters are used.
[NGFW_A] ike peer b
[NGFW_A-ike-peer-b] ike-proposal 10
[NGFW_A-ike-peer-b] remote-address 4.4.4.4
[NGFW_A-ike-peer-b] pre-shared-key Test!123
[NGFW_A-ike-peer-b] quit
6. Configure an IPSec policy.
[NGFW_A] ipsec policy map1 10 isakmp
[NGFW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[NGFW_A-ipsec-policy-isakmp-map1-10] quit
7. Apply the IPSec policy to the tunnel interface.
[NGFW_A] interface tunnel 0
[NGFW_A-tunnel0] ipsec policy map1 //Apply IPSec policy map1 to the tunnel interface.
[NGFW_A-tunnel0] quit
Key configuration steps on NGFW_B (the remote end):
[NGFW_B] ip route-static 10.3.0.0 255.255.255.0 4.4.4.254 //Configure the route to the peer intranet.
[NGFW_B] ip route-static 10.1.0.2 255.255.255.255 4.4.4.254 //Configure the route to the tunnel interface address of NGFW_A, which is the IKE peer address used by NGFW_B.
[NGFW_B] acl 3000
[NGFW_B-acl-adv-3000] rule permit ip source 10.4.0.0 0.0.0.255 destination 10.3.0.0 0.0.0.255
[NGFW_B-acl-adv-3000] quit
[NGFW_B] ipsec proposal tran1
[NGFW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_B-ipsec-proposal-tran1] transform esp
[NGFW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_B-ipsec-proposal-tran1] quit
[NGFW_B] ike proposal 10
[NGFW_B-ike-proposal-10] quit
[NGFW_B] ike peer a
[NGFW_B-ike-peer-a] ike-proposal 10
[NGFW_B-ike-peer-a] remote-address 10.1.0.2
[NGFW_B-ike-peer-a] pre-shared-key Test!123
[NGFW_B-ike-peer-a] quit
[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[NGFW_B-ipsec-policy-isakmp-map1-10] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1 //Apply IPSec policy map1 to the physical interface of NGFW_B.
[NGFW_B-GigabitEthernet1/0/1] quit
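As an added consistency check (not part of this page or of any Huawei tool), the following Python script parses the two configurations above and verifies the points that make tunnel-based backup work: matching IPSec proposals and pre-shared keys, mirrored ACLs, NGFW_B peering with NGFW_A's tunnel interface address rather than one egress address, and at least two equal-cost routes from NGFW_A to the peer. It assumes the prompt format shown on this page and embeds the page's values as a constructed sample.

```python
import re
# Constructed sample: the lines of this page's NGFW_A / NGFW_B configuration that the checks need.
CFG_A = """[NGFW_A-tunnel0] ip address 10.1.0.2 24
[NGFW_A] ip route-static 4.4.4.4 32 1.1.1.254
[NGFW_A] ip route-static 4.4.4.4 32 2.2.2.254
[NGFW_A] ip route-static 4.4.4.4 32 3.3.3.254
[NGFW_A-acl-adv-3000] rule permit ip source 10.3.0.0 0.0.0.255 destination 10.4.0.0 0.0.0.255
[NGFW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_A-ike-peer-b] remote-address 4.4.4.4
[NGFW_A-ike-peer-b] pre-shared-key Test!123"""
CFG_B = """[NGFW_B-acl-adv-3000] rule permit ip source 10.4.0.0 0.0.0.255 destination 10.3.0.0 0.0.0.255
[NGFW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_B-ike-peer-a] remote-address 10.1.0.2
[NGFW_B-ike-peer-a] pre-shared-key Test!123"""
PROMPT = re.compile(r"^\[[^\]-]+(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.+)$")

def commands(cfg):
    """Yield (view, command) pairs; the view is 'system' for the bare [NGFW_X] prompt."""
    for m in filter(None, map(PROMPT.match, map(str.strip, cfg.splitlines()))):
        yield m.group("view") or "system", m.group("cmd").split("//")[0].strip()

def find(cmds, view_prefix, cmd_prefix):
    """Argument strings of commands starting with cmd_prefix, in views whose name starts with view_prefix."""
    return [c[len(cmd_prefix):].strip() for v, c in cmds
            if v.startswith(view_prefix) and c.startswith(cmd_prefix)]

def check_backup_config(cfg_a, cfg_b):
    """Return findings for a tunnel-based link backup pair; an empty list means the two ends agree."""
    a, b, out = list(commands(cfg_a)), list(commands(cfg_b)), []
    if sorted(find(a, "ipsec-proposal", "esp")) != sorted(find(b, "ipsec-proposal", "esp")):
        out.append("IPSec proposal algorithms differ between the two ends")
    if find(a, "ike-peer", "pre-shared-key") != find(b, "ike-peer", "pre-shared-key"):
        out.append("pre-shared keys differ between the two ends")
    # Each end's ACL must be the mirror image of the other's (source and destination swapped).
    fa, fb = (find(v, "acl-adv", "rule permit ip source") for v in (a, b))
    if [" destination ".join(f.split(" destination ")[::-1]) for f in fa] != fb:
        out.append("protected data flows in ACL 3000 are not mirror images")
    # NGFW_B must peer with the tunnel interface address; peering with one egress address would tie the SA to that link.
    tun_ip = [x.split()[0] for x in find(a, "tunnel", "ip address")]
    if find(b, "ike-peer", "remote-address") != tun_ip:
        out.append(f"NGFW_B remote-address is not NGFW_A's tunnel interface address {tun_ip}")
    # Link backup needs at least two equal-cost routes from NGFW_A to the peer address.
    peer = (find(a, "ike-peer", "remote-address") or [""])[0]
    hops = {r.split()[-1] for r in find(a, "system", "ip route-static") if r.startswith(peer + " ")}
    if len(hops) < 2:
        out.append(f"only {len(hops)} egress route(s) to {peer}; there is no backup path")
    return out
```

Run `check_backup_config(CFG_A, CFG_B)` on exported configurations from both devices; any string it returns names a mismatch that would stop the tunnel from coming up or from surviving an egress failure.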
