Configuring IPSec tunnel-based link backup on the USG6000

Tunnel-based link backup applies to a scenario in which one end has multiple public network egresses and establishes IPSec tunnels with the remote end over them. The configuration procedure differs only slightly from the common IPSec configuration procedure.
The configuration roadmap is as follows:
1. Complete basic configurations, including setting IP addresses and assigning interfaces to security zones.
2. Create a tunnel interface and assign the tunnel interface to a security zone.
3. Configure a route (usually a static route) to the Internet on the NGFW.
4. Create an ACL to define the data flow to be protected.
5. Configure the security policy.
6. Configure an IPSec proposal.
7. Configure an IKE proposal.
8. Configure an IKE peer.
9. Configure an IPSec policy.
10. Apply the IPSec policy.
Operation steps
This section provides only the key configurations related to the tunnel. For the other basic configurations (interfaces, zones, security policies), see the complete configuration examples.

Key configuration steps on USG_A (the end with multiple egresses):
1. Configure a tunnel interface.
[NGFW_A] interface tunnel 0
[NGFW_A-tunnel0] tunnel-protocol ipsec
[NGFW_A-tunnel0] ip address 10.1.0.2 24
[NGFW_A-tunnel0] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface tunnel 0
[NGFW_A-zone-untrust] quit
[NGFW_A] ip route-static 10.4.0.0 255.255.255.0 tunnel 0 //Configure the route to the peer intranet to pass through the tunnel interface.
[NGFW_A] ip route-static 4.4.4.4 32 1.1.1.254
[NGFW_A] ip route-static 4.4.4.4 32 2.2.2.254
[NGFW_A] ip route-static 4.4.4.4 32 3.3.3.254 //Configure equal-cost routes to the peer interface through the three egresses.

[NGFW_A] acl 3000
[NGFW_A-acl-adv-3000] rule permit ip source 10.3.0.0 0.0.0.255 destination 10.4.0.0 0.0.0.255
[NGFW_A-acl-adv-3000] quit
[NGFW_A] ipsec proposal tran1
[NGFW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_A-ipsec-proposal-tran1] transform esp
[NGFW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_A-ipsec-proposal-tran1] quit
[NGFW_A] ike proposal 10
[NGFW_A-ike-proposal-10] quit
[NGFW_A] ike peer b
[NGFW_A-ike-peer-b] ike-proposal 10
[NGFW_A-ike-peer-b] remote-address 4.4.4.4
[NGFW_A-ike-peer-b] pre-shared-key Test!123
[NGFW_A-ike-peer-b] quit
[NGFW_A] ipsec policy map1 10 isakmp
[NGFW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[NGFW_A-ipsec-policy-isakmp-map1-10] quit
[NGFW_A] interface tunnel 0 //Apply IPSec policy map1 to the tunnel interface.
[NGFW_A-tunnel0] ipsec policy map1
[NGFW_A-tunnel0] quit
Key configuration steps on NGFW_B (the remote end):
[NGFW_B] ip route-static 10.3.0.0 255.255.255.0 4.4.4.254
[NGFW_B] ip route-static 10.1.0.2 255.255.255.255 4.4.4.254
[NGFW_B] acl 3000
[NGFW_B-acl-adv-3000] rule permit ip source 10.4.0.0 0.0.0.255 destination 10.3.0.0 0.0.0.255
[NGFW_B-acl-adv-3000] quit
[NGFW_B] ipsec proposal tran1
[NGFW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_B-ipsec-proposal-tran1] transform esp
[NGFW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_B-ipsec-proposal-tran1] quit
[NGFW_B] ike proposal 10
[NGFW_B-ike-proposal-10] quit
[NGFW_B] ike peer a
[NGFW_B-ike-peer-a] ike-proposal 10
[NGFW_B-ike-peer-a] remote-address 10.1.0.2
[NGFW_B-ike-peer-a] pre-shared-key Test!123
[NGFW_B-ike-peer-a] quit
[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[NGFW_B-ipsec-policy-isakmp-map1-10] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1
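The points the two configurations above must agree on (B addresses A by the tunnel interface IP rather than by a physical egress, A has one equal-cost route to B per egress, B routes back to the tunnel IP, the ACLs mirror each other and the pre-shared keys match) can be checked before committing the change. The script below is an added example, not Huawei code; it parses the key lines of the page's own configuration, embedded here as a constructed sample, and reports any mismatch.

```python
import re
# Constructed sample: the key lines of NGFW_A and NGFW_B from the procedure above.
CFG_A = """[NGFW_A-tunnel0] ip address 10.1.0.2 24
[NGFW_A] ip route-static 4.4.4.4 32 1.1.1.254
[NGFW_A] ip route-static 4.4.4.4 32 2.2.2.254
[NGFW_A] ip route-static 4.4.4.4 32 3.3.3.254 //three equal-cost egresses
[NGFW_A-acl-adv-3000] rule permit ip source 10.3.0.0 0.0.0.255 destination 10.4.0.0 0.0.0.255
[NGFW_A-ike-peer-b]remote-address 4.4.4.4
[NGFW_A-ike-peer-b]pre-shared-key Test!123"""
CFG_B = """[NGFW_B] ip route-static 10.1.0.2 255.255.255.255 4.4.4.254
[NGFW_B-acl-adv-3000] rule permit ip source 10.4.0.0 0.0.0.255 destination 10.3.0.0 0.0.0.255
[NGFW_B-ike-peer-a] remote-address 10.1.0.2
[NGFW_B-ike-peer-a] pre-shared-key Test!123"""
LINE = re.compile(r"\[(?P<view>[^\]]+)\]\s*(?P<cmd>.*?)\s*(?://.*)?$")

def parse(text):
    """Turn '[view] command //comment' lines into (view, command) pairs."""
    pairs = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group("cmd"):
            pairs.append((m.group("view"), m.group("cmd")))
    return pairs

def first(cfg, view_suffix, prefix):
    # Arguments of the first command starting with prefix in a matching view.
    for view, cmd in cfg:
        if view.endswith(view_suffix) and cmd.startswith(prefix):
            return cmd[len(prefix):].split()
    return None

def check_backup(cfg_a_text, cfg_b_text):
    """Return (findings, egress_count) for the multi-egress (A) and peer (B) configs."""
    a, b = parse(cfg_a_text), parse(cfg_b_text)
    findings = []
    tun_ip = first(a, "-tunnel0", "ip address ")[0]
    peer_b = first(a, "-ike-peer-b", "remote-address ")[0]
    # B must address A by the tunnel interface IP, not by one physical egress.
    if first(b, "-ike-peer-a", "remote-address ")[0] != tun_ip:
        findings.append("NGFW_B remote-address is not NGFW_A's tunnel address")
    if first(a, "-ike-peer-b", "pre-shared-key ") != first(b, "-ike-peer-a", "pre-shared-key "):
        findings.append("pre-shared keys differ")
    # Backup depends on one static route to B's address per egress (equal cost).
    egresses = sum(1 for _, c in a if c.startswith(f"ip route-static {peer_b} "))
    if egresses < 2:
        findings.append(f"only {egresses} route(s) to {peer_b}: no link backup")
    if not any(c.startswith(f"ip route-static {tun_ip} ") for _, c in b):
        findings.append("NGFW_B has no route back to NGFW_A's tunnel address")
    acl_a = first(a, "-acl-adv-3000", "rule permit ip source ")
    acl_b = first(b, "-acl-adv-3000", "rule permit ip source ")
    if (acl_a[0], acl_a[3]) != (acl_b[3], acl_b[0]):  # source/destination mirrored?
        findings.append("ACL 3000 source/destination are not mirrored")
    return findings, egresses
```

Paste the real running configuration of both devices in place of the two sample strings; an empty findings list with an egress count of 3 matches the procedure above.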

Other related questions:
Displaying the number of IPSec tunnels on the USG6000
Run the display ipsec sa brief command to display the number of tunnels.

Method used to configure two egresses for backup on the AR
Huawei AR routers can establish IPSec tunnels with remote devices over two egress links in backup or load balancing mode. The configuration does not differ between models and versions. For details, see "Example for Establishing an IPSec Tunnel Between the Enterprise Headquarters and Branch Using a Multi-Link Shared IPSec Policy Group" under "IPSec Configuration" in the CLI-based Configuration Guide - VPN.

Rate limiting for IPSec VPN tunnels of the USG6000 series
On the USG6000 series, the rate of IPSec VPN tunnels can be limited in two ways.

Method 1: If multiple tunnels are established on the USG, traffic conflicts occur under heavy data traffic. In this case, run speed-limit to limit the traffic in each IPSec tunnel. Excess packets are discarded, which ensures that the packets within the limit in each tunnel are transmitted properly. If the traffic coming through a tunnel to a local port is heavy, run inbound to limit the traffic coming from that IPSec tunnel to the local port. If the traffic forwarded by the local port is heavy, run outbound to limit the traffic forwarded by the local port to the IPSec tunnel. After a security policy has been applied to an interface, you cannot run speed-limit to modify the rate limit in that security policy. If an IPSec security policy is configured in any of the following modes, you can run speed-limit { inbound | outbound } speed-limit to limit the traffic rate of the IPSec tunnel:
• Manual mode
• Template mode
• Internet Key Exchange (IKE) non-policy template mode

Method 2: After traffic policies are configured, if the actual address before VPN encapsulation or after decapsulation is matched, the traffic rate of the IPSec VPN can be limited. Assume that the actual address before VPN encapsulation is 10.1.1.1. The configuration is as follows:
[sysname] traffic-policy
[sysname-policy-traffic] rule name 1
[sysname-policy-traffic-rule-1] source-address 10.1.1.1 32

GRE tunnel configuration on the USG6000
The USG6000 GRE scenarios are as follows:
1. Static route-based GRE tunnel: The NGFW adopts the dynamic routing protocol. Intranet users can transmit data that is not supported by certain public network devices over the GRE tunnel.
2. OSPF-based GRE tunnel: The NGFW adopts the OSPF routing protocol. Intranet users can transmit data that is not supported by certain public network devices over the GRE tunnel.
For specific scenarios and configuration cases, see Configuring a Static Route-based GRE Tunnel.
