Establishing an IPSec Tunnel Through Negotiation Initiated by the Branch Device to the Headquarters Fortinet Firewall

Created Mar 13, 2017 20:54:03 | Latest reply Mar 14, 2017 11:49:05

1.1.1 Overview

On the Internet, most data is transmitted in plain text, which creates security risks. For example, bank account numbers and passwords may be intercepted or tampered with, user identities may be forged, and networks may be attacked. IPSec protects transmitted IP packets and so reduces the risk of information leakage.

Internet Protocol Security (IPSec) is a security protocol suite defined by the Internet Engineering Task Force (IETF). IPSec secures data transmission on the Internet through data origin authentication, data encryption, data integrity check, and anti-replay functions.

•   Data origin authentication: The receiver checks the validity of the sender.

•   Data encryption: The sender encrypts data packets and transmits them as cipher text on the Internet. The receiver decrypts the received packets or forwards them directly.

•   Data integrity check: The receiver validates received data to check whether it has been tampered with.

•   Anti-replay: The receiver rejects old or duplicate packets, preventing attacks that resend captured packets.

As shown in Figure 1-1, IPSec VPN allows users to connect to the VPN over the Internet from any location, with no geographical limitations. IPSec VPN is suitable for access by mobile office users and partners, and for communication between enterprise branches.

Figure 1-1 Application of IPSec VPN



1.1.2 Precautions

•   Default IPSec parameter settings differ between vendors' devices and need to be adjusted as required. Ensure that the configurations of the devices at both ends of an IPSec tunnel are consistent.

•   The DPD packet formats supported by a Fortinet firewall and an AR router are different. If DPD detection is enabled, the DPD packet format on the AR router must be set to seq-hash-notify.

•   When an AR router connects to a non-Huawei device and both devices use SHA-2 for IPSec authentication, the IPSec tunnel can be established but traffic forwarding fails. The possible cause is that the two devices use different SHA-2 authentication modes. In this case, run the ipsec authentication sha2 compatible enable command on the AR router so that both devices use the same SHA-2 mode.

1.1.3 Networking Requirements

In Figure 1-2, the router is an enterprise branch gateway and the FW (Fortinet firewall) is the headquarters gateway; they communicate through the Internet.

The enterprise wants to protect traffic between the branch and headquarters. An IPSec tunnel can be established between the branch gateway and headquarters gateway to secure data flows transmitted over the Internet.

Figure 1-2 Establishing an IPSec tunnel through negotiation initiated by the branch device to the headquarters Fortinet firewall



1.1.4 Data Plan

Before the configuration, plan data according to Table 1-1. The data in Table 1-1 is for reference only.

Table 1-1 Data plan for interconnection between the router and FW

Public Network Address of Router
Private Network Address of Router
Public Network Address of FW
Private Network Address of FW

Parameters for IPSec Phase 1 (IKE Negotiation Phase):
    IKE version: V1
    Negotiation mode: main
    Authentication method: pre-shared key
    Pre-shared key: huawei@123
    Encryption algorithm: aes-cbc-256
    Authentication algorithm: sha2-512
    DH group: group 14
    Lifetime: 28800s
    DPD detection: enabled

Parameters for IPSec Phase 2 (IPSec Negotiation Phase):
    Security protocol: ESP
    Encapsulation mode: tunnel
    Encryption algorithm: aes-256
    Authentication algorithm: sha2-512
    Lifetime: 3600s
    PFS function: disabled


1.1.5 Configuration Procedure

Configuring the Router

Configuration Roadmap

1. Configure IP addresses and static routes for interfaces so that routes between the router and FW are reachable.

2. Configure an ACL to define the data flows to be protected by the IPSec tunnel.

3. Configure an IPSec proposal to define the method used to protect IPSec traffic.

4. Configure an IKE proposal and an IKE peer, and define the parameters used for IKE negotiation.

5. Configure an IPSec policy, and reference the ACL, IPSec proposal, and IKE peer in the IPSec policy to determine the methods used to protect data flows.

6. Apply the IPSec policy group to an interface.


Step 1: Configure IP addresses and static routes for interfaces so that routes between the router and FW are reachable.

# Assign an IP address to an interface on the router.

<Huawei> system-view 
[Huawei] sysname Router 
[Router] interface gigabitethernet 1/0/0 
[Router-GigabitEthernet1/0/0] ip address 
[Router-GigabitEthernet1/0/0] quit 
[Router] interface gigabitethernet 2/0/0 
[Router-GigabitEthernet2/0/0] ip address 
[Router-GigabitEthernet2/0/0] quit

# On the router, configure static routes to the FW. This example assumes that the next hop addresses of the routes are both

[Router] ip route-static 
[Router] ip route-static

Step 2: Configure an ACL to define the data flows to be protected.

# Configure an ACL on the router to define the data flows sent from private network to private network

[Router] acl number 3101 
[Router-acl-adv-3101] rule permit ip source destination 
[Router-acl-adv-3101] quit

Step 3: Configure an IPSec proposal to define the method used to protect IPSec traffic.

# Create an IPSec proposal on the router.

[Router] ipsec authentication sha2 compatible enable
[Router] ipsec proposal tran1
[Router-ipsec-proposal-tran1] transform esp
[Router-ipsec-proposal-tran1] esp authentication-algorithm sha2-512
[Router-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[Router-ipsec-proposal-tran1] encapsulation-mode tunnel
[Router-ipsec-proposal-tran1] quit

Step 4: Configure an IKE proposal and an IKE peer, and define the parameters used for IKE negotiation.

# Configure an IKE proposal and define parameters in IKE negotiation phase 1.

[Router] ike proposal 5 
[Router-ike-proposal-5] encryption-algorithm aes-cbc-256  
[Router-ike-proposal-5] authentication-algorithm sha2-512  
[Router-ike-proposal-5] dh group14 
[Router-ike-proposal-5] sa duration 28800 
[Router-ike-proposal-5] authentication-method pre-share 
[Router-ike-proposal-5] quit

# Configure an IKE peer and define parameters in IKE negotiation phase 1.

[Router] ike peer feita v1 
[Router-ike-peer-feita] ike-proposal 5 
[Router-ike-peer-feita] pre-shared-key cipher huawei@123 
[Router-ike-peer-feita] remote-address 
[Router-ike-peer-feita] exchange-mode main 
[Router-ike-peer-feita] dpd type periodic 
[Router-ike-peer-feita] dpd msg seq-hash-notify  
[Router-ike-peer-feita] quit

Step 5: Configure an IPSec policy, and reference the ACL, IPSec proposal, and IKE peer in the IPSec policy to determine the methods used to protect data flows.

# Create an IPSec policy in IKE negotiation mode on the router.

[Router] ipsec policy map1 10 isakmp 
[Router-ipsec-policy-isakmp-map1-10] ike-peer feita 
[Router-ipsec-policy-isakmp-map1-10] proposal tran1 
[Router-ipsec-policy-isakmp-map1-10] security acl 3101 
[Router-ipsec-policy-isakmp-map1-10] sa duration time-based 3600 
[Router-ipsec-policy-isakmp-map1-10] quit

Step 6: Apply the IPSec policy group to an interface.

# Apply the IPSec policy group to the public network interface of the router.

[Router] interface gigabitethernet 1/0/0 
[Router-GigabitEthernet1/0/0] ipsec policy map1 
[Router-GigabitEthernet1/0/0] quit

Step 7: Verify the configuration.

# Run the display ike proposal command on the router to check the IKE proposal configuration.

[Router] display ike proposal number 5 
 IKE Proposal: 5 
 Authentication method      : pre-shared 
 Authentication algorithm : SHA2-512 
 Encryption algorithm       : AES-CBC-256 
 DH group                   : MODP-2048 
 SA duration                : 28800 
 PRF                        : PRF-HMAC-SHA2-256 

# Run the display ipsec proposal command on the router to check the IPSec proposal configuration.

[Router] display ipsec proposal 
Number of proposals: 1 
IPsec proposal name: tran1 
 Encapsulation mode: Tunnel 
 Transform         : esp-new 
 ESP protocol      : Authentication SHA2-HMAC-512 
                     Encryption     AES-256

----End

Configuring the FW

Step 1: Log in to the web system of the FW.

1. Enter the URL of the FW in a browser and press Enter. The login page is displayed. Enter the user name and password, and click Login.

2. After login, the main page is displayed.

Figure 1-3 Web main page



Step 2: Configure IP addresses for interfaces.

Choose System > Network > Interfaces to access the interface configuration page.

1. Configure an IP address for the public interface. Select wan1 in the Name column, right-click it, and choose Edit.

Figure 1-4 Configuring an IP address for the public interface



2. Configure an IP address for the private interface. Select port1 in the Name column, right-click it, and choose Edit.

Figure 1-5 Configuring an IP address for the private interface



Step 3: Configure static routes to the peer. This example assumes that the next hop address of the route is

1. Choose Router > Static > Static Routes to access the static route configuration page, and click Create New.

2. Configure a public network route.

Figure 1-6 Configuring a public network route



3. Configure a private network route.

Figure 1-7 Configuring a private network route



Step 4: Configure IPSec.

1. Choose VPN > IPSec > Tunnels to access the IPSec configuration page.

Figure 1-8 IPSec configuration page



2. Click Create New, enter the IPSec tunnel name in Name, and select Custom VPN Tunnel (No Template).

Figure 1-9 Configuring the IPSec tunnel name and template



3. Click Next to access the IPSec parameter configuration page.

Under Comments, you can set parameters as needed.

Figure 1-10 Configuring IPSec parameters



4. Configure IP Address and Interface under Network, and modify other parameters as needed.

Figure 1-11 Configuring network



5. Configure Pre-shared Key under Authentication, and choose Version and Mode under IKE.

Figure 1-12 Configuring authentication and IKE



6. Configure the parameters under Phase 1 Proposal.

Figure 1-13 Configuring an IKE proposal



7. Choose Phase 2 Selectors > New Phase 2 to define the data flows to be encrypted by IPSec, and configure the parameters under Phase 2 Proposal.

Figure 1-14 Configuring parameters for phase 2 proposal



8. Click OK to complete the IPSec configuration.


1.1.6 Verification

1. Run the display ike sa command to check information about the SAs established in phase 1 and phase 2.

[Router] display ike sa
      Conn-ID      Peer           VPN    Flag(s)     Phase
       16         0     RD|ST         2
       14         0     RD|ST         1
  Flag Description:

2. Ping a host in the headquarters from a host in the branch. The ping succeeds. Run the display ipsec statistics esp command to check IPSec packet statistics. The values of the Inpacket decap count and Outpacket encap count fields are not 0, indicating that the data transmitted between the branch and headquarters is encrypted.

1.1.7 Troubleshooting

If the IPSec tunnel cannot be established, check whether the routes between the two gateways are reachable and whether the devices at both ends use the same IKE and IPSec parameters (proposal algorithms, DH group, lifetimes, and pre-shared key).
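The precaution above that both ends must use consistent parameters is easy to get wrong because the two vendors spell the same algorithms differently (aes-cbc-256 vs. aes256, sha2-512 vs. sha512, MODP-2048 vs. group 14). The following checker is an added example, not part of the original post or of either vendor's tooling: it normalises the router's display ike proposal output and a FortiOS CLI view of the phase 1 settings into one vocabulary and reports every field that differs. The FortiOS block is constructed, and its keyword names (proposal, dhgrp, keylife) are assumed from FortiOS CLI syntax, since the post configures the FW through the GUI.

```python
import re
# Constructed input: the 'display ike proposal' output shown in the post.
AR_IKE_PROPOSAL = """\
 IKE Proposal: 5
 Authentication method      : pre-shared
 Authentication algorithm : SHA2-512
 Encryption algorithm       : AES-CBC-256
 DH group                   : MODP-2048
 SA duration                : 28800
"""
# Constructed input: a FortiOS CLI view of the phase 1 values the post enters in
# the GUI; the keyword names (proposal, dhgrp, keylife) are assumed FortiOS syntax.
FORTIGATE_PHASE1 = """\
config vpn ipsec phase1-interface
    edit "to_branch"
        set proposal aes256-sha512
        set dhgrp 14
        set keylife 28800
    next
end
"""
# Both vendors' spellings mapped onto one neutral vocabulary.
DH_GROUPS = {"MODP-1024": "group2", "MODP-1536": "group5", "MODP-2048": "group14",
             "2": "group2", "5": "group5", "14": "group14"}
FORTI_HASH = {"md5": "md5", "sha1": "sha1", "sha256": "sha2-256",
              "sha384": "sha2-384", "sha512": "sha2-512"}

def parse_ar(text):
    """Normalise the AR 'display ike proposal' output (AES-CBC-256 -> aes-256, ...)."""
    f = dict(re.findall(r"^\s*(\S[^:]*?)\s*:\s*(\S+)", text, re.M))
    return {"encryption": f["Encryption algorithm"].lower().replace("-cbc", ""),
            "integrity": f["Authentication algorithm"].lower(),
            "dh": DH_GROUPS[f["DH group"]], "lifetime": int(f["SA duration"])}

def parse_fortigate(text):
    """Normalise a FortiOS phase1 block; only the first listed proposal is read."""
    s = dict(re.findall(r"^\s*set (\S+) (\S+)", text, re.M))
    enc, integ = s["proposal"].split("-")          # e.g. aes256-sha512
    return {"encryption": re.sub(r"^aes(\d+)$", r"aes-\1", enc),
            "integrity": FORTI_HASH[integ],
            "dh": DH_GROUPS[s["dhgrp"]], "lifetime": int(s["keylife"])}

def phase1_mismatches(ar_text, fgt_text):
    """Return (parameter, AR value, FW value) for every phase 1 field that differs."""
    ar, fgt = parse_ar(ar_text), parse_fortigate(fgt_text)
    return [(k, ar[k], fgt[k]) for k in ar if ar[k] != fgt[k]]

if __name__ == "__main__":
    for param, a, f in phase1_mismatches(AR_IKE_PROPOSAL, FORTIGATE_PHASE1):
        print(f"phase 1 mismatch on {param}: AR={a} FW={f}")
```

With the post's data plan on both sides the list is empty; changing the FortiGate side to dhgrp 5 or a different keylife makes the offending field show up by name.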


Reply by user_2790689 (Expert), Mar 14, 2017 11:49:05