[Dr.WoW] Q&A: How can I establish an IPsec tunnel between the firewall and a Fortinet FortiGate device?

Latest reply: May 25, 2018 07:55:04

A: An IPsec tunnel configuration consists of four parts: the ACL that defines the traffic to protect, the IKE proposal, the IPsec proposal, and the IPsec policy that ties them together.


Networking Requirements

As shown in Figure 2-10, the NGFW serves as the enterprise gateway for connecting to the Internet at the headquarters, and the FortiGate-224B as that at the branch. The enterprise now intends to establish an IPsec tunnel between the NGFW and FortiGate-224B for the secure communication between them.

The outbound interfaces of the NGFW and the FortiGate-224B have fixed public IP addresses, so the IPsec tunnel can be established in policy mode. In this mode, either end can initiate the negotiation.


Figure 2-10 Establishing an IPsec tunnel using a policy


Data Planning

Configuration item             NGFW                             FortiGate-224B
-----------------------------  -------------------------------  -------------------------------
Device information             Device model: USG6300            Device model: FortiGate-224B
                               Software version: V100R001C30    Software version: FortiOS 3.00

IKE SA
  Negotiation mode             Main mode                        Main mode
  Encryption algorithm         3des                             3des
  Authentication algorithm     sha1                             sha1
  Pre-shared key               Key@123                          Key@123
  Identity type                Peer address                     Peer address
  Version                      V1                               V1
  DH                           Group2                           Group2

IPsec SA
  Encapsulation mode           Tunnel mode                      Tunnel mode
  Security protocol            ESP                              ESP
  Encryption algorithm         3des                             3des
  Authentication algorithm     sha1                             sha1


Procedure

Configure the NGFW.

1. Configure interfaces and assign them to security zones.

# Configure GE1/0/3 and assign it to the Untrust zone.

 
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] ip address 1.1.1.1 24
[NGFW-GigabitEthernet1/0/3] quit
[NGFW] firewall zone untrust
[NGFW-zone-untrust] add interface GigabitEthernet 1/0/3
[NGFW-zone-untrust] quit

# Configure GE1/0/5 and assign it to the Trust zone.

 
[NGFW] interface GigabitEthernet 1/0/5
[NGFW-GigabitEthernet1/0/5] ip address 192.168.10.1 24
[NGFW-GigabitEthernet1/0/5] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/5
[NGFW-zone-trust] quit

2. Configure security policies.

# Configure Untrust-Trust interzone security policies.

# Configure policy 1 so that the branch can access the headquarters and configure policy 2 so that the headquarters can access the branch.

 
[NGFW] security-policy
[NGFW-policy-security] rule name 1
[NGFW-policy-security-rule-1] source-zone untrust
[NGFW-policy-security-rule-1] destination-zone trust
[NGFW-policy-security-rule-1] source-address 192.168.0.0 24
[NGFW-policy-security-rule-1] destination-address 192.168.10.0 24
[NGFW-policy-security-rule-1] action permit
[NGFW-policy-security-rule-1] quit
[NGFW-policy-security] rule name 2
[NGFW-policy-security-rule-2] source-zone trust
[NGFW-policy-security-rule-2] destination-zone untrust
[NGFW-policy-security-rule-2] source-address 192.168.10.0 24
[NGFW-policy-security-rule-2] destination-address 192.168.0.0 24
[NGFW-policy-security-rule-2] action permit
[NGFW-policy-security-rule-2] quit

# Configure Local-Untrust interzone security policies.

# Configure policy 3 so that the NGFW can initiate an IPsec tunnel establishment request and policy 4 so that the NGFW can accept one. The source and destination addresses are the public addresses of the outbound interfaces at both ends. The transcript matches them with a 24-bit mask, which admits IKE and ESP from the whole /24 around each public address; on a production device use a 32-bit (host) mask so that only the actual peer can reach the firewall's IKE and ESP.

 
[NGFW-policy-security] rule name 3
[NGFW-policy-security-rule-3] source-zone local
[NGFW-policy-security-rule-3] destination-zone untrust
[NGFW-policy-security-rule-3] source-address 1.1.1.1 24
[NGFW-policy-security-rule-3] destination-address 2.2.2.2 24
[NGFW-policy-security-rule-3] action permit
[NGFW-policy-security-rule-3] quit
[NGFW-policy-security] rule name 4
[NGFW-policy-security-rule-4] source-zone untrust
[NGFW-policy-security-rule-4] destination-zone local
[NGFW-policy-security-rule-4] source-address 2.2.2.2 24
[NGFW-policy-security-rule-4] destination-address 1.1.1.1 24
[NGFW-policy-security-rule-4] action permit
[NGFW-policy-security-rule-4] quit

3. Configure routes.

# Configure a default route to the Internet. In the example, the next-hop IP address is 1.1.1.2.

 
[NGFW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

4. Create an ACL to define the traffic to be protected.

# Packets from 192.168.10.0/24 to 192.168.0.0/24 shall be transmitted over an IPsec tunnel.

 
[NGFW] acl 3000
[NGFW-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[NGFW-acl-adv-3000] quit

[Comments from Dr. WoW]

Till now, you have configured the interfaces, security policies, routes, and ACL. The function of each step in the IPsec tunnel negotiation process is as follows:

Before the NGFW initiates a negotiation request, it finds the outbound interface based on the route, determines whether the traffic can be transparently transmitted based on security policy 2, determines whether the traffic passes through the IPsec tunnel based on the ACL, and determines whether it can initiate the negotiation based on security policy 3. After confirming the answers to all these questions as yes, the NGFW officially initiates the negotiation.

Before the NGFW receives the negotiation request, it checks whether the peer traffic is protected based on the ACL and determines whether to accept the negotiation based on security policy 4. After confirming the answers to both questions as yes, the NGFW starts the negotiation with the peer. If no, the NGFW discards the negotiation packet.


5. Configure an IKE SA.

# Configure an IKE proposal and specify the encryption algorithm, authentication algorithm, and DH group.

 
[NGFW] ike proposal 1
[NGFW-ike-proposal-1] encryption-algorithm 3des
[NGFW-ike-proposal-1] authentication-algorithm sha1
[NGFW-ike-proposal-1] dh group2
[NGFW-ike-proposal-1] quit

# Configure an IKE peer and specify the negotiation mode, IKE version, pre-shared key, and peer IP address.

 
[NGFW] ike peer fortigate
[NGFW-ike-peer-fortigate] exchange-mode main
[NGFW-ike-peer-fortigate] undo version 2
[NGFW-ike-peer-fortigate] ike-proposal 1
[NGFW-ike-peer-fortigate] pre-shared-key Key@123
[NGFW-ike-peer-fortigate] remote-address 2.2.2.2
[NGFW-ike-peer-fortigate] quit

[Comments from Dr. WoW]

The FortiGate-224B 3.00 does not provide the command for setting the IKE version, and the default version is IKEv1. Therefore, you must run the undo version 2 command to set the IKE version to IKEv1 on the NGFW.


6. Configure an IPsec proposal and specify the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm.

 
[NGFW] ipsec proposal tran1
[NGFW-ipsec-proposal-tran1] transform esp
[NGFW-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW-ipsec-proposal-tran1] esp encryption-algorithm 3des
[NGFW-ipsec-proposal-tran1] esp authentication-algorithm sha1
[NGFW-ipsec-proposal-tran1] quit

7. Configure an ISAKMP IPsec policy and associate it with the IKE peer, IPsec proposal, and ACL.

 
[NGFW] ipsec policy map1 1 isakmp
[NGFW-ipsec-policy-isakmp-map1-1] ike-peer fortigate
[NGFW-ipsec-policy-isakmp-map1-1] proposal tran1
[NGFW-ipsec-policy-isakmp-map1-1] security acl 3000
[NGFW-ipsec-policy-isakmp-map1-1] quit

8. Apply the IPsec policy to the interface.

[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] ipsec policy map1
[NGFW-GigabitEthernet1/0/3] quit

Configure the FortiGate.

1. Configure IP addresses for the interfaces.

# Configure port03 (the Internet-facing interface). The allowaccess list names the management protocols the interface answers to; the transcript enables telnet and http on the public interface, which exposes cleartext management to the Internet, so trim it to what is actually needed (typically https and ssh, and only from trusted sources).

 
Fortigate # config system interface
Fortigate (interface) # edit port03
Fortigate (port03) # set ip 2.2.2.2/24
Fortigate (port03) # set allowaccess ping https ssh snmp http telnet
Fortigate (port03) # end

# Configure port10.

 
Fortigate # config system interface
Fortigate (interface) # edit port10
Fortigate (port10) # set ip 192.168.0.1/24
Fortigate (port10) # set allowaccess ping https ssh snmp http telnet
Fortigate (port10) # end

[Comments from Dr. WoW]

On the FortiGate-224B 3.00, you can configure security policies directly for physical interfaces, without having to assign them to security zones. Of course, you can also assign them to security zones and configure security policies accordingly.

For tunnel interfaces, however, you must assign them to security zones first and then configure security policies accordingly.

On the FortiGate-224B 3.00, after running the configuration command, you must run the end command for the configuration to take effect.

2. Configure an IKE SA and specify its name, bound interface, negotiation mode, encryption algorithm, authentication algorithm, pre-shared key, peer address, and DH group.

 
Fortigate # config vpn ipsec phase1-interface
Fortigate (phase1-interface) # edit ngfw
new entry 'ngfw' added
Fortigate (ngfw) # set interface port03
Fortigate (ngfw) # set mode main
Fortigate (ngfw) # set proposal 3des-sha1
Fortigate (ngfw) # set psksecret Key@123
Fortigate (ngfw) # set remote-gw 1.1.1.1
Fortigate (ngfw) # set dhgrp 2
Fortigate (ngfw) # end

[Comments from Dr. WoW]

The FortiGate-224B 3.00 does not provide the command for setting the IKE version and uses IKEv1 by default.

Run the set interface command to bind the IKE SA to the specified port, which is equal to applying the IPsec policy to the interface on the NGFW.

Run the set proposal 3des-sha1 command to set the encryption algorithm (3des) and authentication algorithm (sha1) of the IKE SA.


3. Configure an IPsec SA and specify its name, bound IKE SA, encryption algorithm, authentication algorithm, and DH group.

 
Fortigate # config vpn ipsec phase2-interface
Fortigate (phase2-interface) # edit ngfw
new entry 'ngfw' added
Fortigate (ngfw) # set phase1name ngfw
Fortigate (ngfw) # set dhgrp 2
Fortigate (ngfw) # set proposal 3des-sha1
Fortigate (ngfw) # set dst-subnet 192.168.10.0 255.255.255.0
Fortigate (ngfw) # set src-subnet 192.168.0.0 255.255.255.0
Fortigate (ngfw) # end

[Comments from Dr. WoW]

The FortiGate-224B 3.00 does not provide the command for setting the encapsulation mode or security protocol and uses the tunnel mode and ESP by default.

Run the set phase1name command to specify the IKE SA referenced by the IPsec SA.

Run the set proposal 3des-sha1 command to set the encryption algorithm (3des) and authentication algorithm (sha1) of the IPsec SA.

Run the dst-subnet and src-subnet commands to define the data flow to be protected, which is equal to configuring an ACL on the NGFW.


4. Assign the tunnel interface to the Untrust zone.

Fortigate # config system zone
Fortigate (zone) # edit untrust
Fortigate (untrust) # set interface ngfw
Fortigate (untrust) # end

[Comments from Dr. WoW]

After you successfully configure the IKE SA, the device automatically generates a tunnel interface with the same name as the IKE SA for protected traffic to pass through.

On the FortiGate-224B 3.00, you must assign the tunnel interface to a security zone and then configure a security policy accordingly.


5. Configure security policies.

# Configure a security policy between port03 and port10.

# Configure policy 66 so that the headquarters can properly access the branch and configure policy 99 so that the branch can properly access the headquarters. Both policies in the transcript match all addresses and all services; because port03 faces the Internet, "all/all/ANY accept" from port03 into port10 admits far more than the tunnel needs. On a production device restrict srcaddr and dstaddr to the two protected subnets (the tunnel traffic itself is handled by the Untrust-zone policies in the next step).

 
Fortigate # config firewall policy
Fortigate (policy) # edit 66
Fortigate (66) # set srcintf port03
Fortigate (66) # set dstintf port10
Fortigate (66) # set srcaddr all
Fortigate (66) # set dstaddr all
Fortigate (66) # set action accept
Fortigate (66) # set schedule always
Fortigate (66) # set service ANY
Fortigate (66) # end


Fortigate # config firewall policy
Fortigate (policy) # edit 99
Fortigate (99) # set srcintf port10
Fortigate (99) # set dstintf port03
Fortigate (99) # set srcaddr all
Fortigate (99) # set dstaddr all
Fortigate (99) # set action accept
Fortigate (99) # set schedule always
Fortigate (99) # set service ANY
Fortigate (99) # end

# Configure a security policy between the Untrust zone and port10, namely, between the tunnel interface and port10.

# Configure policy 96 to ensure that the traffic passing through the tunnel interface can enter the branch intranet and configure policy 76 to ensure that the traffic passing through the tunnel interface can be transparently transmitted to the extranet.

Fortigate # config firewall policy
Fortigate (policy) # edit 96
Fortigate (96) # set srcintf untrust
Fortigate (96) # set dstintf port10
Fortigate (96) # set srcaddr all
Fortigate (96) # set dstaddr all
Fortigate (96) # set action accept
Fortigate (96) # set schedule always
Fortigate (96) # set service ANY
Fortigate (96) # end

Fortigate # config firewall policy
Fortigate (policy) # edit 76
Fortigate (76) # set srcintf port10
Fortigate (76) # set dstintf untrust
Fortigate (76) # set srcaddr all
Fortigate (76) # set dstaddr all
Fortigate (76) # set action accept
Fortigate (76) # set schedule always
Fortigate (76) # set service ANY
Fortigate (76) # end

[Comments from Dr. WoW]

On the FortiGate-224B 3.00, you do not need to configure the security policy between the Untrust and Local zones.


6. Configure routes.

# Configure a static route to divert the traffic to the tunnel interface.

Fortigate # config router static
Fortigate (static) # edit 76
Fortigate (76) # set device ngfw
Fortigate (76) # set dst 192.168.10.0 255.255.255.0
Fortigate (76) # end

# Configure a default route to the Internet, passing through port03 and with the next hop being 2.2.2.3.

 
Fortigate # config router static
Fortigate (static) # edit 33
Fortigate (33) # set dst 0.0.0.0 0.0.0.0
Fortigate (33) # set gateway 2.2.2.3
Fortigate (33) # set device port03
Fortigate (33) # end

----End

Verification

Verify whether the headquarters can proactively initiate an IPsec tunnel with the branch.

1. Ping PC2 on the branch network from PC1 at the headquarters.

2. On the NGFW at the headquarters, run the display ike sa command. If the following information is displayed, the IKE SA is successfully established.

 
[NGFW] display ike sa
current ike sa number: 2
--------------------------------------------------------------------------------------------------
conn-id    peer                                    flag          phase vpn
--------------------------------------------------------------------------------------------------
12         2.2.2.2                                 RD|ST|A       v1:2  public
11         2.2.2.2                                 RD|ST|A       v1:1  public

  flag meaning
  RD--READY      ST--STAYALIVE     RL--REPLACED    FD--FADING    TO--TIMEOUT
  TD--DELETING   NEG--NEGOTIATING  D--DPD          M--ACTIVE     S--STANDBY
  A--ALONE

3. On the NGFW, run the display ipsec sa command. If the following information is displayed, the IPsec SA is successfully established.

 
[NGFW] display ipsec sa
===============================
Interface: GigabitEthernet1/0/3
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "map1"
  sequence number: 1
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 12
    rule number: 5
    encapsulation mode: tunnel
    holding time: 0d 0h 1m 14s
    tunnel local : 1.1.1.1    tunnel remote: 2.2.2.2
    flow      source: 192.168.10.0/255.255.255.0 0/0
    flow destination: 192.168.0.0/255.255.255.0 0/0

    [inbound ESP SAs]
      spi: 2160560287 (0x80c7889f)
      vpn: public  said: 0  cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 200000000/1726
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 3708493377 (0xdd0b1e41)
      vpn: public  said: 1  cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 200000000/1726
      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N

4. Log in to the web UI of the branch FortiGate to check the IPsec tunnel establishment.

If the tunnel status is displayed as a green upward arrow, the IPsec tunnel is successfully established.

You can also run the get ipsec tunnel list command on the branch FortiGate to check the IPsec tunnel establishment. If the status is up, the IPsec tunnel is successfully established.
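The same verification done by a script instead of by eye, as an added example that is not part of the original post or of Huawei's tooling. It parses the two NGFW outputs shown above (embedded as constructed input, abridged to the lines the check reads) and applies the page's success criteria mechanically: a READY (RD) phase 1 and phase 2 IKEv1 SA with the branch peer, an IPsec SA whose remote endpoint is that peer, both ESP directions present with lifetime left, and a protected flow equal to what ACL 3000 defines. The peer address and subnets passed to tunnel_problems are the page's planning values; the function and field names are this example's own.

```python
# Added example (not the page's or Huawei's code): parse 'display ike sa' and
# 'display ipsec sa' output from the NGFW and apply the page's success criteria.
import ipaddress
import re

# Constructed input: the outputs shown on the page, abridged to the lines this check reads.
IKE_SA_OUTPUT = """\
current ike sa number: 2
conn-id    peer                                    flag          phase vpn
12         2.2.2.2                                 RD|ST|A       v1:2  public
11         2.2.2.2                                 RD|ST|A       v1:1  public
"""
IPSEC_SA_OUTPUT = """\
Interface: GigabitEthernet1/0/3
  IPsec policy name: "map1"
  sequence number: 1
  mode: isakmp
    connection id: 12
    encapsulation mode: tunnel
    tunnel local : 1.1.1.1    tunnel remote: 2.2.2.2
    flow      source: 192.168.10.0/255.255.255.0 0/0
    flow destination: 192.168.0.0/255.255.255.0 0/0
    [inbound ESP SAs]
      spi: 2160560287 (0x80c7889f)
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 200000000/1726
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 3708493377 (0xdd0b1e41)
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-SHA1
      sa remaining key duration (kilobytes/sec): 200000000/1726
      udp encapsulation used for nat traversal: N
"""
IKE_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+v(\d):(\d)\s+(\S+)")

def parse_ike_sa(text):
    """One dict per SA row: phase 1 is the ISAKMP SA, phase 2 the IPsec SA negotiated under it."""
    rows = []
    for m in (IKE_ROW.match(line) for line in text.splitlines()):
        if m:
            conn, peer, flags, ver, phase, vpn = m.groups()
            rows.append({"conn_id": int(conn), "peer": peer, "flags": set(flags.split("|")),
                         "version": int(ver), "phase": int(phase), "vpn": vpn})
    return rows

def parse_ipsec_sa(text):
    """Tunnel endpoints, protected flow (as CIDR) and the inbound/outbound ESP SA details."""
    sa, cur = {"sas": {}}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"tunnel local\s*:\s*(\S+)\s+tunnel remote\s*:\s*(\S+)", line):
            sa["local"], sa["remote"] = m.groups()
        elif m := re.match(r"flow\s+(source|destination):\s*([\d.]+)/([\d.]+)", line):
            sa[m[1]] = str(ipaddress.IPv4Network(f"{m[2]}/{m[3]}"))
        elif m := re.match(r"\[(inbound|outbound) ESP SAs\]", line):
            cur = sa["sas"][m[1]] = {}          # following lines describe this direction
        elif cur is not None and (m := re.match(r"spi: (\d+)", line)):
            cur["spi"] = int(m[1])
        elif cur is not None and (m := re.match(r"proposal: (.+)", line)):
            cur["proposal"] = m[1].split()
        elif cur is not None and (m := re.match(r"sa remaining key duration \S+: (\d+)/(\d+)", line)):
            cur["kb_left"], cur["sec_left"] = int(m[1]), int(m[2])
        elif cur is not None and (m := re.match(r"udp encapsulation used for nat traversal: (\w)", line)):
            cur["nat_t"] = m[1] == "Y"
    return sa

def tunnel_problems(ike_text, ipsec_text, peer, local_net, remote_net):
    """Return [] when the tunnel to `peer` protects local_net<->remote_net as the page expects."""
    ike, ipsec, problems = parse_ike_sa(ike_text), parse_ipsec_sa(ipsec_text), []
    for phase in (1, 2):
        if not any(r["peer"] == peer and r["phase"] == phase and "RD" in r["flags"] for r in ike):
            problems.append(f"no READY phase {phase} IKE SA with {peer}")
    if ipsec.get("remote") != peer:
        problems.append(f"IPsec SA remote endpoint {ipsec.get('remote')} is not {peer}")
    if (ipsec.get("source"), ipsec.get("destination")) != (local_net, remote_net):
        problems.append("protected flow does not match the ACL")
    for direction in ("inbound", "outbound"):
        esp = ipsec["sas"].get(direction)
        if not esp:
            problems.append(f"{direction} ESP SA missing")
        elif esp["sec_left"] <= 0 or esp["kb_left"] <= 0:
            problems.append(f"{direction} ESP SA lifetime exhausted, rekey pending")
    return problems
```

With the page's outputs, tunnel_problems returns an empty list; remove the v1:2 row (which is what you see right after reset ike sa, or when phase 2 fails while phase 1 succeeds) and it reports the missing phase 2 SA, which is the usual symptom of mismatched IPsec proposals or non-mirrored subnets.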

Verify whether the branch can proactively initiate an IPsec tunnel with the headquarters.

1. On the NGFW at the headquarters, run the reset ike sa command to disconnect the IPsec tunnel.

2. Ping PC1 on the headquarters network from the branch PC2 and refer to the preceding method to verify whether the IPsec tunnel can be successfully established.

----End

Conclusion by Dr. WoW

  •  The key to IPsec connection is that the connection parameters of the two parties must be completely the same. You must set the connection parameters as specified in the data planning table to ensure that the parameters at the two ends are the same.

  •  The FortiGate-224B 3.00 does not provide the command for setting the IKE version, encapsulation mode, and security protocol. The default IKE version is IKEv1, encapsulation mode is tunnel mode, and security protocol is ESP. You must set the IKE version, encapsulation mode, and security protocol of the NGFW to be the same as those on the FortiGate-224B 3.00. Otherwise, tunnel negotiation may fail.

  •  The data flows to be protected, as defined on the NGFW and on the FortiGate, must mirror each other. The NGFW uses an ACL to define the data flow to be protected, whereas the FortiGate uses the dst-subnet and src-subnet commands, which is equal to having an ACL configured.
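A mechanical version of the two rules above, added here as an example that is not part of the original post or of either vendor's tooling. It parses the NGFW and FortiGate commands from this page (embedded as constructed transcripts with prompts stripped) into one vendor-neutral parameter set, checks that every negotiated parameter is identical on both sides and that the gateway addresses and protected subnets mirror each other, and warns about the legacy algorithms the plan uses (3DES, SHA-1, DH group 2). It understands only the commands that appear on this page; the function names and the per-vendor defaults it fills in (the USG offering IKEv1 and IKEv2 until undo version 2 is run, FortiOS 3.00 fixed at IKEv1, ESP and tunnel mode, as the conclusion states) are this example's assumptions.

```python
# Added example (not the page's or either vendor's code): parse both CLI transcripts into one
# vendor-neutral model and report every mismatch that would make negotiation fail.
import ipaddress

NGFW_CONFIG = """
interface GigabitEthernet 1/0/3
 ip address 1.1.1.1 24
 ipsec policy map1
acl 3000
 rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm sha1
 dh group2
ike peer fortigate
 exchange-mode main
 undo version 2
 pre-shared-key Key@123
 remote-address 2.2.2.2
ipsec proposal tran1
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
"""  # constructed from the page's NGFW steps (prompts and 'quit' lines stripped; esp/tunnel are USG defaults)
FORTIGATE_CONFIG = """
config system interface
 edit port03
  set ip 2.2.2.2/24
 end
config vpn ipsec phase1-interface
 edit ngfw
  set interface port03
  set mode main
  set proposal 3des-sha1
  set psksecret Key@123
  set remote-gw 1.1.1.1
  set dhgrp 2
 end
config vpn ipsec phase2-interface
 edit ngfw
  set proposal 3des-sha1
  set dst-subnet 192.168.10.0 255.255.255.0
  set src-subnet 192.168.0.0 255.255.255.0
 end
"""  # constructed from the page's FortiGate steps (prompts stripped)
NGFW_SIMPLE = {"encryption-algorithm": "ike_enc", "authentication-algorithm": "ike_auth",
               "exchange-mode": "ike_mode", "pre-shared-key": "psk", "remote-address": "remote_gw",
               "transform": "proto", "encapsulation-mode": "encap",
               "esp encryption-algorithm": "ipsec_enc", "esp authentication-algorithm": "ipsec_auth"}
FGT_SIMPLE = {"mode": "ike_mode", "psksecret": "psk", "remote-gw": "remote_gw", "dhgrp": "dh_group"}
LEGACY = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}  # advisory only

def net(addr, mask):  # 'address netmask' or 'address wildcard' -> CIDR text
    return str(ipaddress.IPv4Network(f"{addr}/{mask}"))

def parse_ngfw(text):
    # USG defaults assumed here: both IKE versions offered until 'undo version 2', ESP, tunnel mode
    p, if_ip = {"ike_versions": frozenset({"v1", "v2"}), "proto": "esp", "encap": "tunnel"}, ""
    for t in (line.split() for line in text.splitlines() if line.strip()):
        one, two = t[0], " ".join(t[:2])
        if two == "ip address":      # address of the interface view being configured
            if_ip = t[2]
        elif two == "ipsec policy":  # policy bound to that interface: its address is the local gateway
            p["local_gw"] = if_ip
        elif two == "rule permit":   # rule permit ip source A WILDCARD destination B WILDCARD
            p["local_net"], p["remote_net"] = net(t[4], t[5]), net(t[7], t[8])
        elif one == "dh":
            p["dh_group"] = t[1].removeprefix("group")
        elif two == "undo version":
            p["ike_versions"] -= {"v" + t[2]}
        elif two in NGFW_SIMPLE or one in NGFW_SIMPLE:
            p[NGFW_SIMPLE.get(two) or NGFW_SIMPLE[one]] = t[-1]
    return p

def parse_fortigate(text):
    p = {"ike_versions": frozenset({"v1"}), "proto": "esp", "encap": "tunnel"}  # FortiOS 3.00 fixed defaults
    section, entry, if_ip = "", "", {}
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "config":
            section = t[-1]
        elif t[0] == "edit":
            entry = t[1]
        elif t[0] == "set":
            key, a = t[1], t[2:]
            if section == "interface" and key == "ip":
                if_ip[entry] = a[0].split("/")[0]
            elif section == "phase1-interface" and key == "interface":
                p["local_gw"] = if_ip[a[0]]
            elif key == "proposal":  # first proposal only; FortiOS accepts a list
                names = ("ike_enc", "ike_auth") if section == "phase1-interface" else ("ipsec_enc", "ipsec_auth")
                p.update(zip(names, a[0].split("-")))
            elif key in ("src-subnet", "dst-subnet"):
                p["local_net" if key == "src-subnet" else "remote_net"] = net(*a)
            elif section == "phase1-interface" and key in FGT_SIMPLE:
                p[FGT_SIMPLE[key]] = a[0]
    return p

def compare(a, b):  # returns (errors, warnings): errors break negotiation, warnings flag legacy crypto
    errors = [f"{k}: {a.get(k)!r} vs {b.get(k)!r}" for k in ("ike_versions", "ike_mode", "ike_enc",
              "ike_auth", "dh_group", "psk", "proto", "encap", "ipsec_enc", "ipsec_auth") if a.get(k) != b.get(k)]
    errors += [f"{x} {a.get(x)} is not the peer's {y} {b.get(y)}" for x, y in (("local_gw", "remote_gw"),
               ("remote_gw", "local_gw"), ("local_net", "remote_net"), ("remote_net", "local_net")) if a.get(x) != b.get(y)]
    used = {a.get(k) for k in ("ike_enc", "ike_auth", "ipsec_enc", "ipsec_auth")} | {"group" + a.get("dh_group", "")}
    warnings = [f"legacy algorithm or DH group in use: {x}" for x in sorted(used & LEGACY)]
    return errors, warnings
```

Against the page's configuration compare returns no errors and three warnings (3des, group2, sha1). Change dh group2 to dh group14 on the NGFW alone and it reports the dh_group mismatch that would make the phase 1 proposal exchange fail; drop undo version 2 and it reports the IKE version mismatch the Dr. WoW comment warns about; shift the FortiGate src-subnet and it reports that the NGFW's remote network is no longer the FortiGate's local network.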

Suggestion and Summary

If an IPsec tunnel has been established but services are interrupted, check whether a routing failure has occurred. If the local device has no route to the private network segment of the remote device, it discards the packets.

For details, see the HUAWEI USG6000 Series Interoperability Configuration Guide for VPN, which you can find as follows:

Step 1    Log in to the enterprise technical support website.

Step 2    Click Security.

Step 3    Click the name of the product to be queried, for example, Secospace USG6600.

Step 4    Choose Documentation > Installation & Upgrade > Configuration & Commissioning > Configuration Guide, and then select the corresponding product documentation.

 
