IPSec packet forwarding flow on the USG5000


In the NGFW processing flow, IPSec processing takes place after NAT, route, and security policy processing. The firewall therefore must not process, based on NAT policies, packets that are to be protected by the IPSec policies, and these packets must be delivered, by matching routes and security policies, to the interface to which the IPSec security policy is applied. The specific requirements are as follows:
1. Packets arriving at the NGFW must not match the server map table or reversed server map table established by the NAT server. Otherwise, destination addresses in the packets are translated.
2. Packets arriving at the NGFW must not match the destination NAT policies. Otherwise, destination addresses in the packets are translated.
3. A route (generally the default route) destined for the IKE peer private network must exist in the routing table. The outbound interface of the route must apply the IPSec policies. If no route is matched, the packets are discarded; if the outbound interface matching the route does not apply the IPSec policies, the packets cannot be delivered to the IPSec processing module but are sent in plain text.
4. Generally, the IPSec VPN data flow is transmitted between zones. Therefore, the inter-zone packet filter function between the source zone (where the intranet interface resides) and the destination zone (where the external network interface that applies the IPSec policies resides) must be enabled. Otherwise, the packets are discarded.
5. The source NAT for the packets that pass the inter-zone packet filter policy check is optional. When the packets match the inter-zone NAT policies of the source NAT, the source addresses in the packets are translated. The source IP addresses after the translation are used to match the security ACL rules. The packets that do not match the inter-zone NAT policies are directly delivered to the IPSec processing module.
6. The packets arriving at the IPSec processing module can only be protected when they match the security ACL rules. Otherwise, the packets are discarded.
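
The six requirements above can be read as an ordered decision chain. The following Python model is an added illustration, not Huawei code or device output: the `Firewall` fields, the `forward` function, the interface names and all addresses are constructed assumptions. It returns the outcome the list predicts for a packet, including the two cases most worth auditing for: traffic sent in plain text, and traffic dropped because source NAT changed the address before the security ACL check.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Firewall:
    """Simplified model of the six checks; every field is an assumption, not a USG structure."""
    dnat_dsts: list      # destinations matched by the server map or destination NAT
    routes: dict         # destination network -> outbound interface
    iface_zone: dict     # interface -> security zone
    permitted: set       # (source zone, destination zone) pairs the packet filter allows
    ipsec_ifaces: set    # interfaces that have an IPSec policy applied
    snat: dict           # source network -> translated source address
    security_acl: list   # (source network, destination network) pairs IPSec protects

def within(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def forward(fw, src, dst, src_zone):
    # Requirements 1-2: a server map or destination NAT match rewrites the destination,
    # so the packet no longer follows the IPSec path (the model stops here).
    if any(within(dst, n) for n in fw.dnat_dsts):
        return "dst-translated"
    # Requirement 3: longest-prefix route lookup; no route means discard.
    hits = [n for n in fw.routes if within(dst, n)]
    if not hits:
        return "discard:no-route"
    out_if = fw.routes[max(hits, key=lambda n: ipaddress.ip_network(n).prefixlen)]
    # Requirement 4: inter-zone packet filter between source and destination zone.
    if (src_zone, fw.iface_zone[out_if]) not in fw.permitted:
        return "discard:packet-filter"
    # Requirement 3, second half: no IPSec policy on the outbound interface.
    if out_if not in fw.ipsec_ifaces:
        return "plaintext"
    # Requirement 5: optional source NAT; the translated address is what the ACL sees.
    for net, nat_ip in fw.snat.items():
        if within(src, net):
            src = nat_ip
            break
    # Requirement 6: only packets matching the security ACL are protected.
    if any(within(src, s) and within(dst, d) for s, d in fw.security_acl):
        return "ipsec-protected"
    return "discard:acl-miss"

# Constructed sample configuration (private and documentation address ranges).
SAMPLE = Firewall(
    dnat_dsts=["203.0.113.10/32"],
    routes={"0.0.0.0/0": "GE0/0/1", "10.9.0.0/16": "GE0/0/2"},
    iface_zone={"GE0/0/1": "untrust", "GE0/0/2": "dmz"},
    permitted={("trust", "untrust"), ("trust", "dmz")},
    ipsec_ifaces={"GE0/0/1"},
    snat={"192.168.1.0/24": "172.16.0.1"},
    security_acl=[("192.168.0.0/16", "10.2.0.0/16")],
)
```

With `SAMPLE`, a host in 192.168.1.0/24 is dropped at the security ACL because its source address is translated first, and traffic to 10.9.0.0/16 leaves unencrypted because the more specific route points to an interface without an IPSec policy.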

Other related questions:
How to assure forwarding of IPSec data flows on an AR
Configure the QoS function for IPSec packets first, and then configure assured forwarding (AF) for IPSec data flows through MQC.
system-view
[Huawei]ipsec policy huawei 1 manual //Create an IPSec policy, set the SA creation mode to manual, and enter the IPSec policy view. Alternatively, you can complete the following configurations in the ISAKMP policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view, or GDOI policy view.
[Huawei-ipsec-policy-manual-huawei-1]qos group 10 //Configure the QoS group to which IPSec packets belong.
[Huawei-ipsec-policy-manual-huawei-1]quit
[Huawei]traffic classifier c1 //Create a traffic classifier and enter the traffic classifier view.
[Huawei-classifier-c1]if-match qos-group 10 //Configure a matching rule based on QoS group 10.
[Huawei-classifier-c1]quit
[Huawei]traffic behavior b1 //Create a traffic behavior and enter the traffic behavior view.
[Huawei-behavior-b1]queue af bandwidth 3000 //Configure AF for the matched data flow.
[Huawei-behavior-b1]quit
[Huawei]traffic policy p1 //Create a traffic policy and enter the traffic policy view.
[Huawei-trafficpolicy-p1]classifier c1 behavior b1 //Bind the traffic classifier to the traffic behavior.
[Huawei-trafficpolicy-p1]quit
[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-policy p1 outbound //Apply the traffic policy on the interface.

Protocol used in IPSec packet encapsulation and decapsulation on the USG2000 and USG5000 series
IPSec uses Authentication Header (AH) and Encapsulating Security Payload (ESP) to implement the encryption and decryption of IP packets.

How to limit the flow of IPSec VPN with the USG6000
The speed-limit command can be used to limit IPSec traffic. When multiple tunnels are built on the NGFW, heavy data traffic can cause the tunnels to conflict with one another. Configuring the speed-limit command limits the packet flow of each IPSec tunnel: traffic that exceeds the limit is discarded, which ensures that the traffic on each tunnel is transferred.
