Configuring SA on the firewall

15

Configuring an SA on the USG
Creating a dynamic IPSec SA
1. The data between network A and network B is encrypted and securely transmitted through the IPSec tunnel between USG_A and USG_B. USG_A protects network 10.1.1.0/24, and its public address is 202.38.163.1/24. USG_B protects network 10.1.2.0/24, and its public address is 202.38.169.1/24.
Network A---USG_A----INTERNET----USG_B---Network B
2. The configuration steps are as follows:
[USG_A] acl 3000 //Configure an ACL to match sensitive traffic packets.
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-acl-adv-3000] quit
[USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2 //Configure a route.
[USG_A] ipsec proposal tran1 //Configure an IPSec proposal.
[USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_A-ipsec-proposal-tran1] transform esp
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ipsec-proposal-tran1] quit
[USG_A] ike proposal 10 //Configure an IKE proposal.
[USG_A-ike-proposal-10] authentication-method pre-share
[USG_A-ike-proposal-10] authentication-algorithm sha1
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_A-ike-proposal-10] quit
[USG_A] ike peer b //Configure an IKE peer.
[USG_A-ike-peer-b] ike-proposal 10
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_A-ike-peer-b] quit
[USG_A] ipsec policy map1 10 isakmp //Configure an IPSec policy.
[USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG_A-ipsec-policy-manual-map1-10] quit
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ipsec policy map1 //Apply the IPSec policy to the interface.

[USG_B] acl 3000 //Configure an ACL to match sensitive traffic packets.
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-acl-adv-3000] quit
[USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2 //Configure a route.
[USG_B] ipsec proposal tran1 //Configure an IPSec proposal.
[USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_B-ipsec-proposal-tran1] transform esp
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_B-ipsec-proposal-tran1] quit
[USG_B] ike proposal 10 //Configure an IKE proposal.
[USG_B-ike-proposal-10] authentication-method pre-share
[USG_B-ike-proposal-10] authentication-algorithm sha1
[USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_B-ike-proposal-10] quit
[USG_B] ike peer a //Configure an IKE peer.
[USG_B-ike-peer-a] ike-proposal 10
[USG_B-ike-peer-a] remote-address 202.38.163.1
[USG_B-ike-peer-a] pre-shared-key abcde
[USG_B-ike-peer-a] quit
[USG_B] ipsec policy map1 10 isakmp //Configure an IPSec policy.
[USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_B-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
[USG_B-ipsec-policy-isakmp-map1-10] quit
[USG_B] interface GigabitEthernet 0/0/2
[USG_B-GigabitEthernet0/0/2] ipsec policy map1 //Apply the IPSec policy to the interface.

Other related questions:
Configuring SA on the firewall
Configuring an SA on the USG Creating a dynamic IPSec SA 1. The data between network A and network B is encrypted and securely transmitted through the IPSec tunnel between USG_A and USG_B. USG_A protects network 10.1.1.0/24, and its public address is 202.38.163.1/24. USG_B protects network 10.1.2.0/24, and its public address is 202.38.169.1/24. Network A---USG_A----INTERNET----USG_B---Network B 2. The configuration steps are as follows: [USG_A] acl 3000 //Configure an ACL to match sensitive traffic packets. [USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [USG_A-acl-adv-3000] quit [USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2 //Configure a route. [USG_A] ipsec proposal tran1 //Configure an IPSec proposal. [USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel [USG_A-ipsec-proposal-tran1] transform esp [USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1 [USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes [USG_A-ipsec-proposal-tran1] quit [USG_A] ike proposal 10 //Configure an IKE proposal. [USG_A-ike-proposal-10] authentication-method pre-share [USG_A-ike-proposal-10] authentication-algorithm sha1 [USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96 [USG_A-ike-proposal-10] quit [USG_A] ike peer b //Configure an IKE peer. [USG_A-ike-peer-b] ike-proposal 10 [USG_A-ike-peer-b] remote-address 202.38.169.1 [USG_A-ike-peer-b] pre-shared-key abcde [USG_A-ike-peer-b] quit [USG_A] ipsec policy map1 10 isakmp //Configure an IPSec policy. [USG_A-ipsec-policy-isakmp-map1-10] security acl 3000 [USG_A-ipsec-policy-isakmp-map1-10] proposal tran1 [USG_A-ipsec-policy-isakmp-map1-10] ike-peer b [USG_A-ipsec-policy-manual-map1-10] quit [USG_A] interface GigabitEthernet 0/0/2 [USG_A-GigabitEthernet0/0/2] ipsec policy map1 //Apply the IPSec policy to the interface. [USG_B] acl 3000 //Configure an ACL to match sensitive traffic packets. [USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [USG_B-acl-adv-3000] quit [USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2 //Configure a route. [USG_B] ipsec proposal tran1 //Configure an IPSec proposal. [USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel [USG_B-ipsec-proposal-tran1] transform esp [USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1 [USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes [USG_B-ipsec-proposal-tran1] quit [USG_B] ike proposal 10 //Configure an IKE proposal. [USG_B-ike-proposal-10] authentication-method pre-share [USG_B-ike-proposal-10] authentication-algorithm sha1 [USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96 [USG_B-ike-proposal-10] quit [USG_B] ike peer a //Configure an IKE peer. [USG_B-ike-peer-a] ike-proposal 10 [USG_B-ike-peer-a] remote-address 202.38.163.1 [USG_B-ike-peer-a] pre-shared-key abcde [USG_B-ike-peer-a] quit [USG_B] ipsec policy map1 10 isakmp //Configure an IPSec policy. [USG_B-ipsec-policy-isakmp-map1-10] security acl 3000 [USG_B-ipsec-policy-isakmp-map1-10] proposal tran1 [USG_B-ipsec-policy-isakmp-map1-10] ike-peer a [USG_B-ipsec-policy-isakmp-map1-10] quit [USG_B] interface GigabitEthernet 0/0/2 [USG_B-GigabitEthernet0/0/2] ipsec policy map1 //Apply the IPSec policy to the interface.

When does the firewall clear an IPSec SA in normal cases
Both IKE SAs and IPSec SAs have lifetimes. SA lifetimes include hard lifetime and soft lifetime. The soft lifetime is about 9/10 of the hard lifetime. When the IKE SA soft lifetime expires, a new IKE SA is negotiated to replace the original IKE SA. When the hard lifetime of the original IKE SA expires, the original IKE SA is deleted, regardless of whether the replacement IKE SA is established. If the IPSec SA is established, the IPSec SA is also deleted. If the IPSec SA hard lifetime expires, both the IKE SA and the IPSec SA are deleted. Besides, if the IKE SA keepalive or DPD function is enabled, the IKE SA and IPSec SA are deleted if the keepalive packets or DPD packets time out.

Method used to view IKE SA information on USG firewalls
The common IPSec maintenance command used on USG firewalls is as follows: display ike sa //Display the configuration of the security association established in IKE negotiation mode.

Time at which the USG9000 clears an IPSec SA
Both IKE SAs and IPSec SAs have lifetimes. SA lifetimes include hard lifetime and soft lifetime. The soft lifetime is about 9/10 of the hard lifetime. When the IKE SA soft lifetime expires, a new IKE SA is negotiated to replace the original IKE SA. When the hard lifetime of the original IKE SA expires, the original IKE SA is deleted, regardless of whether the replacement IKE SA is established. If the IPSec SA is established, the IPSec SA is also deleted.

Cable/interconnect (SAS cable) config error
The SAS cable of the RAID controller card may not be securely connected. If this error is displayed, do as follows: 1. Check whether the SAS cable is correctly or securely connected. 2. Check whether the signal cable between the hard disk backplane and the mainboard is securely connected.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top