Configuring interested IPSec data flows on the firewall

20

Common IPSec maintenance commands on the USG

Display ike peer //Display the configuration information of the IKE peer.
display ike proposal //Display the configuration information of the IKE proposal.
display ike sa //Display the configuration information of the SA established in IKE negotiation mode.
display ipsec policy //Display the configuration information of the security policy.
display ipsec policy-template //Display the configuration information of the security policy template.
display ipsec proposal //Display the configuration information of the IPSec proposal.
display ipsec sa //Display the configuration information of the SA.
display ipsec sa global-configuration //Display the global configuration information of the IPSec SA, including the global hard lifetime information, global soft lifetime information, and global anti-replay information.
display ipsec statistics //Display IPSec packet statistics.

Other related questions:
How to configure an AR to limit the rate of IPSec data flows
To configure an AR to limit the rate of IPSec data flows, configure the QoS function for IPSec packets first, and then configure rate limiting for IPSec data flows through MQC. system-view [Huawei]ipsec policy huawei 1 manual //Create an IPSec policy, set the SA creation mode to manual, and enter the IPSec policy view. Alternatively, you can complete the following configurations in the ISAKMP policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view, or GDOI policy view. [Huawei-ipsec-policy-manual-huawei-1]qos group 10 //Configure the QoS group to which IPSec packets belong. [Huawei-ipsec-policy-manual-huawei-1]quit [Huawei]traffic classifier c1 //Create a traffic classifier and enter the traffic classifier view. [Huawei-classifier-c1]if-match qos-group 10 //Configure a matching rule based on QoS group 10. [Huawei-classifier-c1]quit [Huawei]traffic behavior b1 //Create a traffic behavior and enter the traffic behavior view. [Huawei-behavior-b1]car cir 3000 //Limit the rate of traffic. [Huawei-behavior-b1]quit [Huawei]traffic policy p1 //Create a traffic policy and enter the traffic policy view. [Huawei-trafficpolicy-p1]classifier c1 behavior b1 //Bind the traffic classifier to the traffic behavior. [Huawei-trafficpolicy-p1]quit [Huawei]interface GigabitEthernet 0/0/0 [Huawei-GigabitEthernet0/0/0]traffic-policy p1 outbound //Apply the traffic policy on the interface

How does IPSec on an AR router define data flows to be protected
IPSec can protect one or more data flows. If an ACL is used to establish an IPSec tunnel, the ACL can specify data flows to be protected by IPSec. In practice, you need to configure an ACL to define data flows to be protected and reference the ACL in an IPSec policy to protect the data flows. An IPSec policy can reference only one ACL: - If different data flows have different security requirements, create different ACLs and IPSec policies. - If different data flows have the same security requirements, configure multiple rules in an ACL to protect different data flows. When configuring IPSec, pay attention to the following points: - The ACLs at both ends of an IPSec tunnel must define the same protocol type. For example, if the ACL at one end defines an IP protocol, the ACL at the other end must use the IP protocol. - When ACL rules at both ends of an IPSec tunnel mirror each other, SAs can be set up successfully no matter which party initiates negotiation. If ACL rules at both ends of an IPSec tunnel do not mirror each other, SAs can be set up successfully only when the range specified by ACL rules on the initiator is the subset of ACL rules on the responder. It is recommended that ACL rules at both ends of an IPSec tunnel mirror each other. That is, the source and destination addresses of an ACL at one end are the destination and source addresses of an ACL at the other end. - For IKEv1, if IPSec policies in ISAKMP mode are configured at both ends, ACL rules at both ends of an IPSec tunnel must mirror each other. If an IPSec policy in ISAKMP mode is configured at one end and an IPSec policy using an IPSec policy template is configured at the other end, the range of ACL rules in the IPSec policy in ISAKMP mode can be the subset of ACL rules in the IPSec policy using an IPSec policy template. The devices use overlapping rules as the negotiation result. - For IKEv2, mirroring is not necessary. SAs can be set up successfully as long as the range of ACL rules configured on the initiator is the subset of the responder. The devices use overlapping rules as the negotiation result. - The ACL rule with a larger rule ID cannot completely cover the ACL rule with a smaller rule ID. - ACLs referenced by the same IPSec policy group cannot contain the same ACL rule. - When IKEv2 is used, ACL rules referenced by IPSec policies of an IPSec policy group cannot overlap. - When the negotiation responder uses the IPSec policy that is created through an IPSec policy template: - You must specify the source IP address in an ACL rule referenced by an IPSec policy on the initiator; otherwise, an IPSec tunnel cannot be set up. - If data flows to be protected are not specified, the responder accepts the range of data flows to be protected on the initiator. If data flows to be protected are specified, the ACL on the responder must mirror the ACL on the initiator or the range specified by the ACL on the responder must cover the range specified by the ACL on the initiator. - If NAT is configured on an interface to which an IPSec policy is applied, IPSec may not take effect because NAT is performed first. You can use the following methods: - Configure the destination IP address that matches the deny clause in an ACL referenced by NAT as the destination IP address in an ACL referenced by IPSec. In this case, data flows protected by IPSec are not translated by NAT. - Configure the ACL rule referenced by NAT to match the IP address translated by NAT.

How to assure forwarding of IPSec data flows on an AR
Configure the QoS function for IPSec packets first, and then configure assured forwarding (AF) for IPSec data flows through MQC. system-view [Huawei]ipsec policy huawei 1 manual //Create an IPSec policy, set the SA creation mode to manual, and enter the IPSec policy view. Alternatively, you can complete the following configurations in the ISAKMP policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view, or GDOI policy view. [Huawei-ipsec-policy-manual-huawei-1]qos group 10 //Configure the QoS group to which IPSec packets belong. [Huawei-ipsec-policy-manual-huawei-1]quit [Huawei]traffic classifier c1 //Create a traffic classifier and enter the traffic classifier view. [Huawei-classifier-c1]if-match qos-group 10 //Configure a matching rule based on QoS group 10. [Huawei-classifier-c1]quit [Huawei]traffic behavior b1 //Create a traffic behavior and enter the traffic behavior view. [Huawei-behavior-b1]queue af bandwidth 3000 //Configure AF for the matched data flow. [Huawei-behavior-b1]quit [Huawei]traffic policy p1 //Create a traffic policy and enter the traffic policy view. [Huawei-trafficpolicy-p1]classifier c1 behavior b1 //Bind the traffic classifier to the traffic behavior. [Huawei-trafficpolicy-p1]quit [Huawei]interface GigabitEthernet 0/0/0 [Huawei-GigabitEthernet0/0/0]traffic-policy p1 outbound //Apply the traffic policy on the interface.

Configuring IPSec VPN on the firewall
Configuring an SA on the USG Creating a dynamic IPSec SA 1. The data between network A and network B is encrypted and securely transmitted through the IPSec tunnel between USG_A and USG_B. USG_A protects network 10.1.1.0/24, and its public address is 202.38.163.1/24. USG_B protects network 10.1.2.0/24, and its public address is 202.38.169.1/24. Network A---USG_A----INTERNET-----USG_B---Network B 2. The configuration steps are as follows: [USG_A] acl 3000 //Configure an ACL to match sensitive traffic packets. [USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [USG_A-acl-adv-3000] quit [USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2 //Configure a route. [USG_A] ipsec proposal tran1 //Configure an IPSec proposal. [USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel [USG_A-ipsec-proposal-tran1] transform esp [USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1 [USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes [USG_A-ipsec-proposal-tran1] quit [USG_A] ike proposal 10 //Configure an IKE proposal. [USG_A-ike-proposal-10] authentication-method pre-share [USG_A-ike-proposal-10] authentication-algorithm sha1 [USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96 [USG_A-ike-proposal-10] quit [USG_A] ike peer b //Configure an IKE peer. [USG_A-ike-peer-b] ike-proposal 10 [USG_A-ike-peer-b] remote-address 202.38.169.1 [USG_A-ike-peer-b] pre-shared-key abcde [USG_A-ike-peer-b] quit [USG_A] ipsec policy map1 10 isakmp //Configure an IPSec policy. [USG_A-ipsec-policy-isakmp-map1-10] security acl 3000 [USG_A-ipsec-policy-isakmp-map1-10] proposal tran1 [USG_A-ipsec-policy-isakmp-map1-10] ike-peer b [USG_A-ipsec-policy-manual-map1-10] quit [USG_A] interface GigabitEthernet 0/0/2 [USG_A-GigabitEthernet0/0/2] ipsec policy map1 //Apply the IPSec policy to the interface. [USG_B] acl 3000 //Configure an ACL to match sensitive traffic packets. [USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [USG_B-acl-adv-3000] quit [USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2 //Configure a route. [USG_B] ipsec proposal tran1 //Configure an IPSec proposal. [USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel [USG_B-ipsec-proposal-tran1] transform esp [USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1 [USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes [USG_B-ipsec-proposal-tran1] quit [USG_B] ike proposal 10 //Configure an IKE proposal. [USG_B-ike-proposal-10] authentication-method pre-share [USG_B-ike-proposal-10] authentication-algorithm sha1 [USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96 [USG_B-ike-proposal-10] quit [USG_B] ike peer a //Configure an IKE peer. [USG_B-ike-peer-a] ike-proposal 10 [USG_B-ike-peer-a] remote-address 202.38.163.1 [USG_B-ike-peer-a] pre-shared-key abcde [USG_B-ike-peer-a] quit [USG_B] ipsec policy map1 10 isakmp //Configure an IPSec policy. [USG_B-ipsec-policy-isakmp-map1-10] security acl 3000 [USG_B-ipsec-policy-isakmp-map1-10] proposal tran1 [USG_B-ipsec-policy-isakmp-map1-10] ike-peer a [USG_B-ipsec-policy-isakmp-map1-10] quit [USG_B] interface GigabitEthernet 0/0/2 [USG_B-GigabitEthernet0/0/2] ipsec policy map1 //Apply the IPSec policy to the interface.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top