IPSec VPN lifetime on the firewall

32

Interfaces supported by IPSec VPN reference on the USG
IPSec can be applied to Layer 3 physical interfaces, VLANIF interfaces, Layer 2 interfaces, tunnel interfaces, subinterfaces, and dialer interfaces.
1. Apply an IPSec policy on a Layer 3 physical interface.
system-view //Access the system view.
interface interface-type interface-number //Access the physical interface.
ipsec policy policy-name [ auto-neg ] //Apply the IPSec policy.
2. Apply an IPSec policy on a Layer 2 physical interface.
system-view //Access the system view.
interface interface-type interface-number //Access the physical interface.
ipsec policy policy-name [ auto-neg ] //Apply the IPSec policy.
Note: Before you establish an IPSec tunnel on a Layer 2 interface, you must first configure the IP address of the VLAN on which the Layer 2 interface resides.
3. Apply an IPSec policy group to a tunnel interface.
system-view
interface tunnel tunnel-number //Access the tunnel interface view.
tunnel-protocol ipsec //Set the encapsulation type on the tunnel interface to IPSec.
ipsec policy policy-name //Apply the IPSec policy group to the tunnel interface.

Other related questions:
Configuring the SSL VPN session lifetime on the firewall
The default SSL session timeout time is 5 minutes. You can run the ssl timeout command to set the timeout time. system-view [sysname] v-gateway abc [sysname-abc] basic [sysname-abc-basic] ssl timeout 10

Configuring the IPSec SA lifetime on the firewall
Configure the IPSec SA lifetime on the USG. Configure the IPSec VPN SA lifetime. 1. Configure IKE SA hard lifetime. You can configure per-SA IKE lifetime, but cannot configure a global IKE lifetime. system-view //Access the system view. ike proposal proposal-number //Access the IKE proposal view. sa duration seconds //Configure the IKE SA hard lifetime. Notes for configuring IKE SA lifetime: a) If the hard lifetime expires, the IKE SA will be deleted and re-negotiated. The IKE negotiation involves DH calculation and may take a long time. To ensure the secure communications, you are advised to set the lifetime to a value larger than 600 seconds. b) When the soft lifetime expires, a new SA is negotiated to replace the original SA. Before the new SA is negotiated, the original SA is still in use. After the new SA is established, the new SA is used, and the original SA will be automatically deleted when the hard lifetime expires. The default IKE SA hard lifetime is 86,400 seconds (a day). 2. Configure IKE SA soft lifetime. system-view //Access the system view. ike peer peer-name //Access the IKE peer view. sa soft-duration time-based buffer seconds //Configure the IKE SA soft lifetime. The configuration applies only to IKEv1. a) By default, the soft lifetime is 9/10 of the hard lifetime. When the soft lifetime expires, a new SA is negotiated to replace the original SA. b) If the soft lifetime is specified and the hard lifetime is greater than the soft lifetime by more than 10s, the specified soft lifetime applies; otherwise, the default soft lifetime applies. display ike proposal //Display the configured IKE SA hard lifetime. [USG] display ike proposal priority authentication authentication encryption Diffie-Hellman duration method algorithm algorithm group (seconds) --- 10 PRE_SHARED MD5 DES_CBC MODP_768 5000 default PRE_SHARED SHA1 AES_CBC MODP_1024 86400 display ike peer [ brief | name peer-name ] //Display the configured IKE SA soft lifetime. [USG] display ike peer name b -- IKE peer: b Exchange mode: main on phase 1 Pre-shared key: %$%$biLQ*117FHI`Qe&-VY`>l%yp%$%$ Local certificate file name: Proposal: 10 Local ID type: IP Peer IP address: 202.38.169.1 VPN instance: Authentic IP address: IP address pool: Peer name: Peer domain name: VPN instance bound to the SA: NAT traversal: enable SA soft timeout buffer time: 22 seconds OCSP check: disable OCSP server URL: Applied to 1 policy: ppp1-1-isakmp

Configuring IPSec VPN on the firewall
Configuring an SA on the USG Creating a dynamic IPSec SA 1. The data between network A and network B is encrypted and securely transmitted through the IPSec tunnel between USG_A and USG_B. USG_A protects network 10.1.1.0/24, and its public address is 202.38.163.1/24. USG_B protects network 10.1.2.0/24, and its public address is 202.38.169.1/24. Network A---USG_A----INTERNET-----USG_B---Network B 2. The configuration steps are as follows: [USG_A] acl 3000 //Configure an ACL to match sensitive traffic packets. [USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [USG_A-acl-adv-3000] quit [USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2 //Configure a route. [USG_A] ipsec proposal tran1 //Configure an IPSec proposal. [USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel [USG_A-ipsec-proposal-tran1] transform esp [USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1 [USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes [USG_A-ipsec-proposal-tran1] quit [USG_A] ike proposal 10 //Configure an IKE proposal. [USG_A-ike-proposal-10] authentication-method pre-share [USG_A-ike-proposal-10] authentication-algorithm sha1 [USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96 [USG_A-ike-proposal-10] quit [USG_A] ike peer b //Configure an IKE peer. [USG_A-ike-peer-b] ike-proposal 10 [USG_A-ike-peer-b] remote-address 202.38.169.1 [USG_A-ike-peer-b] pre-shared-key abcde [USG_A-ike-peer-b] quit [USG_A] ipsec policy map1 10 isakmp //Configure an IPSec policy. [USG_A-ipsec-policy-isakmp-map1-10] security acl 3000 [USG_A-ipsec-policy-isakmp-map1-10] proposal tran1 [USG_A-ipsec-policy-isakmp-map1-10] ike-peer b [USG_A-ipsec-policy-manual-map1-10] quit [USG_A] interface GigabitEthernet 0/0/2 [USG_A-GigabitEthernet0/0/2] ipsec policy map1 //Apply the IPSec policy to the interface. [USG_B] acl 3000 //Configure an ACL to match sensitive traffic packets. [USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [USG_B-acl-adv-3000] quit [USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2 //Configure a route. [USG_B] ipsec proposal tran1 //Configure an IPSec proposal. [USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel [USG_B-ipsec-proposal-tran1] transform esp [USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1 [USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes [USG_B-ipsec-proposal-tran1] quit [USG_B] ike proposal 10 //Configure an IKE proposal. [USG_B-ike-proposal-10] authentication-method pre-share [USG_B-ike-proposal-10] authentication-algorithm sha1 [USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96 [USG_B-ike-proposal-10] quit [USG_B] ike peer a //Configure an IKE peer. [USG_B-ike-peer-a] ike-proposal 10 [USG_B-ike-peer-a] remote-address 202.38.163.1 [USG_B-ike-peer-a] pre-shared-key abcde [USG_B-ike-peer-a] quit [USG_B] ipsec policy map1 10 isakmp //Configure an IPSec policy. [USG_B-ipsec-policy-isakmp-map1-10] security acl 3000 [USG_B-ipsec-policy-isakmp-map1-10] proposal tran1 [USG_B-ipsec-policy-isakmp-map1-10] ike-peer a [USG_B-ipsec-policy-isakmp-map1-10] quit [USG_B] interface GigabitEthernet 0/0/2 [USG_B-GigabitEthernet0/0/2] ipsec policy map1 //Apply the IPSec policy to the interface.

Method used to configure the life cycle of the IPSec security association on USG firewalls
You can configure the lifetime of the IPSec security association on USG firewalls as follows: Configure the lifetime for the IPSec VPN security association (SA). 1. Configure the IKE SA hard lifetime. Configure the IKE SA lifetime. You can modify the per-SA lifetime instead of global lifetime. system-view //Enter the system view. ike proposal proposal-number, //Enter the IKE security proposal view. sa duration seconds, //Configure the IKE SA hard lifetime. Pay attention to the following aspects when configuring the IKE SA lifetime: a) If the hard lifetime is expired, the SA is automatically updated. The IKE negotiation needs to perform the DH calculation that consumes a long period of time. It is recommended that the lifetime be longer than 600s, to protect the security communication from being affected by the SA update. b) Before the lifetime (soft lifetime) expires, the SA negotiates with another SA to replace the old SA. Before the new SA negotiation is complete, the old SA is used. After the new SA is established, the new SA immediately takes effect, and the old SA is automatically cleared upon lifetime expiration. By default, the hard lifetime of the IKE SA is 86400s (1 day). 2. Configure the IKE SA soft lifetime. system-view //Enter the system view. ike peer peer-name //Enter the IKE Peer view. sa soft-duration time-based buffer seconds //Configure the soft lifetime of the IKE SA. This configuration is valid only to the IKEv1 protocol. a) By default, the soft lifetime is 9/10 of the hard lifetime. That is, a new SA, used to replace the old SA, is negotiated at the 9/10 length of the SA lifetime. b) After the soft lifetime is configured, if the difference between the hard lifetime and the soft lifetime is longer than 10s, the difference is used as the soft lifetime. Otherwise, the default value (9/10 of the hard lifetime) is used as the soft lifetime. display ike proposal //View the hard lifetime of the IKE SA. [USG] display ike proposal priority authentication authentication encryption Diffie-Hellman duration method algorithm algorithm group (seconds) --- 10 PRE_SHARED MD5 DES_CBC MODP_768 5000 default PRE_SHARED SHA1 AES_CBC MODP_1024 86400 display ike peer [ brief | name peer-name ] //View the soft lifetime of the IKE SA. [USG] display ike peer name b -- IKE peer: b Exchange mode: main on phase 1 Pre-shared key: %$%$biLQ*117FHI`Qe&-VY`>l%yp%$%$ Local certificate file name: Proposal: 10 Local ID type: IP Peer IP address: 202.38.169.1 VPN instance: Authentic IP address: IP address pool: Peer name: Peer domain name: VPN instance bound to the SA: NAT traversal: enable SA soft timeout buffer time: 22 seconds OCSP check: disable OCSP server URL: Applied to 1 policy: ppp1-1-isakmp

Configuring automatic triggering of IPSec VPN on the firewall
Configuring automatic IPSec triggering (automatic negotiation) on the USG The auto-neg option can be configured in the case of establishing an IPSec tunnel in non-template mode, which indicates that an IPSec tunnel is established through auto-negotiation. If this option is not selected, traffic triggers the establishment of an IPSec tunnel. In the case of tunnel establishment in template mode, the configuration template end cannot proactively initiate the negotiation. In this case, if the non-template end does not send traffic, the tunnel fails to be established. At this moment, you can configure the auto-neg command on the non-template end to enable the IPSec auto-negotiation function. After auto-neg is configured at the non-template end, the system immediately checks data flows one by one. The non-template end proactively sends a negotiation request to the template end when no traffic is transmitted, and establishes an IPSec tunnel. The check is performed at a certain interval (far smaller than the SA lifetime) to ensure that all tunnels in the system are in the status of established. Configuration example Apply an IPSec policy group named policy1 to GigabitEthernet 0/0/3 and proactively initiate a tunnel connection. system-view [sysname] interface GigabitEthernet 0/0/3 [sysname-GigabitEthernet0/0/3] ipsec policy policy1 auto-neg

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top