[Dr.WoW]Q&A: Why does the firewall fail to establish an IPSec tunnel with the AR router?

Latest reply: Jun 2, 2018 06:30:21

A: The default values of the IPSec proposals on the firewall and those on the AR router are different. You need to compare the parameter settings at both ends to ensure that they match.

Context

As shown in Figure 2-5, the headquarters and branch access the Internet respectively through the NGFW and AR. The enterprise requires that an IPsec tunnel be established between the NGFW and AR for the headquarters and branch to communicate.

Figure 2-5 Establishing an IPsec tunnel between the NGFW and AR using a policy


Configuration Item              NGFW                              AR
------------------------------  --------------------------------  --------------------------------
Device information              Device model: USG6330             Device model: AR2220
                                Software version: V100R001C30     Software version: V200R005C20
IPsec policy type               Policy-based                      Policy-based
IPsec proposal
  Encapsulation mode            Tunnel mode                       Tunnel mode
  Security protocol             ESP                               ESP
  ESP authentication algorithm  SHA2-256                          SHA2-256
  ESP encryption algorithm      AES-128                           AES-128
  DH Group                      GROUP2                            GROUP2
IKE peer
  Negotiation mode              Main mode                         Main mode
  Encryption algorithm          AES-128                           AES-128
  Authentication algorithm      SHA2-256                          SHA2-256
  Pre-shared key                Key123                            Key123
  Identity type                 IP address                        IP address
  Version                       V1                                V1

Procedure

Configure the NGFW.

1. Set IP addresses for interfaces and assign them to security zones.

[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[NGFW-GigabitEthernet1/0/1] quit
[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] ip address 1.1.3.1 24
[NGFW-GigabitEthernet1/0/2] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW-zone-trust] quit
[NGFW] firewall zone untrust
[NGFW-zone-untrust] add interface GigabitEthernet 1/0/2
[NGFW-zone-untrust] quit

2. Configure a default route from the NGFW to the Internet. In the example, the next-hop IP address is 1.1.3.2.

[NGFW] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2

3. Configure interzone security policies.

a. Configure security policies for the Trust-Untrust interzone so that the service packets (before encapsulation on the way out, and after decapsulation on the way in) are allowed through the NGFW.

[NGFW] security-policy
[NGFW-policy-security] rule name 1
[NGFW-policy-security-rule-1] source-zone untrust
[NGFW-policy-security-rule-1] destination-zone trust
[NGFW-policy-security-rule-1] source-address 10.1.3.0 24
[NGFW-policy-security-rule-1] destination-address 10.1.1.0 24
[NGFW-policy-security-rule-1] action permit
[NGFW-policy-security-rule-1] quit
[NGFW-policy-security] rule name 2
[NGFW-policy-security-rule-2] source-zone trust
[NGFW-policy-security-rule-2] destination-zone untrust
[NGFW-policy-security-rule-2] source-address 10.1.1.0 24
[NGFW-policy-security-rule-2] destination-address 10.1.3.0 24
[NGFW-policy-security-rule-2] action permit
[NGFW-policy-security-rule-2] quit

b. Configure security policies for the Local-Untrust interzone to allow IKE negotiation packets to pass through the NGFW.

[NGFW-policy-security] rule name 3
[NGFW-policy-security-rule-3] source-zone local
[NGFW-policy-security-rule-3] destination-zone untrust
[NGFW-policy-security-rule-3] source-address 1.1.3.1 32
[NGFW-policy-security-rule-3] destination-address 1.1.5.1 32
[NGFW-policy-security-rule-3] action permit
[NGFW-policy-security-rule-3] quit
[NGFW-policy-security] rule name 4
[NGFW-policy-security-rule-4] source-zone untrust
[NGFW-policy-security-rule-4] destination-zone local
[NGFW-policy-security-rule-4] source-address 1.1.5.1 32
[NGFW-policy-security-rule-4] destination-address 1.1.3.1 32
[NGFW-policy-security-rule-4] action permit
[NGFW-policy-security-rule-4] quit

4. Configure an IPsec policy.

a. Configure an ACL to define the data flow to be protected.

[NGFW] acl 3000
[NGFW-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[NGFW-acl-adv-3000] quit

b. Configure an IPsec proposal.

[NGFW] ipsec proposal tran1
[NGFW-ipsec-proposal-tran1] transform esp
[NGFW-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[NGFW-ipsec-proposal-tran1] quit

c. Create an IKE proposal.

[NGFW] ike proposal 1
[NGFW-ike-proposal-1] encryption-algorithm aes-128
[NGFW-ike-proposal-1] authentication-algorithm sha2-256
[NGFW-ike-proposal-1] dh group2
[NGFW-ike-proposal-1] quit

d. Configure an IKE peer.

[NGFW] ike peer ar
[NGFW-ike-peer-ar] undo version 2
[NGFW-ike-peer-ar] exchange-mode main
[NGFW-ike-peer-ar] ike-proposal 1
[NGFW-ike-peer-ar] pre-shared-key Key123
[NGFW-ike-peer-ar] remote-address 1.1.5.1
[NGFW-ike-peer-ar] quit

e. Configure an ISAKMP IPsec policy.

[NGFW] ipsec policy map1 1 isakmp
[NGFW-ipsec-policy-isakmp-map1-1] ike-peer ar
[NGFW-ipsec-policy-isakmp-map1-1] proposal tran1
[NGFW-ipsec-policy-isakmp-map1-1] security acl 3000
[NGFW-ipsec-policy-isakmp-map1-1] quit

f. Apply the IPsec policy to interface GigabitEthernet 1/0/2.

[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] ipsec policy map1
[NGFW-GigabitEthernet1/0/2] quit

Configure the AR.

1. Set interface IP addresses for the AR.

<Huawei> system-view
[Huawei] sysname AR
[AR] interface GigabitEthernet 0/0/1
[AR-GigabitEthernet0/0/1] ip address 10.1.3.1 24
[AR-GigabitEthernet0/0/1] quit
[AR] interface GigabitEthernet 0/0/2
[AR-GigabitEthernet0/0/2] ip address 1.1.5.1 24
[AR-GigabitEthernet0/0/2] quit

2. Configure a default route from the AR to the Internet. In the example, the next-hop IP address is 1.1.5.2.

[AR] ip route-static 0.0.0.0 0.0.0.0 1.1.5.2

3. Configure an IPsec policy.

a. Configure an ACL to define the data flow to be protected.

[AR] acl 3000
[AR-acl-adv-3000] rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[AR-acl-adv-3000] quit

b. Configure an IPsec proposal.

[AR] ipsec proposal tran1
[AR-ipsec-proposal-tran1] transform esp
[AR-ipsec-proposal-tran1] encapsulation-mode tunnel
[AR-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[AR-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[AR-ipsec-proposal-tran1] quit

c. Create an IKE proposal.

[AR] ike proposal 1
[AR-ike-proposal-1] encryption-algorithm aes-cbc-128
[AR-ike-proposal-1] authentication-algorithm sha2-256
[AR-ike-proposal-1] dh group2
[AR-ike-proposal-1] quit

d. Configure an IKE peer.

[AR] ike peer ngfw v1    /* The v1 parameter indicates that IKEv1 is used for negotiation. */
[AR-ike-peer-ngfw] exchange-mode main
[AR-ike-peer-ngfw] ike-proposal 1
[AR-ike-peer-ngfw] pre-shared-key cipher Key123
[AR-ike-peer-ngfw] remote-address 1.1.3.1
[AR-ike-peer-ngfw] quit

e. Configure an ISAKMP IPsec policy.

[AR] ipsec policy map1 1 isakmp
[AR-ipsec-policy-isakmp-map1-1] ike-peer ngfw
[AR-ipsec-policy-isakmp-map1-1] proposal tran1
[AR-ipsec-policy-isakmp-map1-1] security acl 3000
[AR-ipsec-policy-isakmp-map1-1] quit

f. Apply the IPsec policy to interface GigabitEthernet 0/0/2.

[AR] interface GigabitEthernet 0/0/2
[AR-GigabitEthernet0/0/2] ipsec policy map1
[AR-GigabitEthernet0/0/2] quit

----End

Verification

1. Ping a user on the headquarters network from the branch network.

2. In normal cases, the data flow from the branch to the headquarters triggers the two gateways to establish an IPsec tunnel. On the NGFW, check whether an IKE SA has been established. If the following information is displayed, the IKE SA has been established.

<NGFW> display ike sa
15:53:30  2015/12/26
current ike sa number: 2
--------------------------------------------------------------------------------------------------
conn-id    peer    flag          phase vpn
--------------------------------------------------------------------------------------------------
179        1.1.5.1 RD|ST|A       v1:2  public
178        1.1.5.1 RD|ST|D|A     v1:1  public

  flag meaning
  RD--READY      ST--STAYALIVE     RL--REPLACED    FD--FADING    TO--TIMEOUT
  TD--DELETING   NEG--NEGOTIATING  D--DPD          M--ACTIVE     S--STANDBY
  A--ALONE

3. Run the display ipsec sa command to check whether an IPsec SA has been established. If the following information is displayed, the IPsec SA has been established.

<NGFW> display ipsec sa
15:53:53  2015/12/26           
===============================
Interface: GigabitEthernet1/0/2
    path MTU: 1500             
===============================
 
  -----------------------------
  IPsec policy name: "map1"     
  sequence number: 1           
  mode: isakmp                 
  vpn: public                  
  -----------------------------
    connection id: 179         
    rule number: 5             
    encapsulation mode: tunnel 
    holding time: 0d 0h 1m 53s 
    tunnel local : 1.1.3.1    tunnel remote: 1.1.5.1
    flow      source: 10.1.1.0/255.255.255.0 0/0
    flow destination: 10.1.3.0/255.255.255.0 0/0
 
    [inbound ESP SAs]          
      spi: 112877185 (0x6ba5e81)                
      vpn: public  said: 36  cpuid: 0x0000      
      proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256 
      sa remaining key duration (kilobytes/sec): 1843199/3487
      max received sequence-number: 17          
      udp encapsulation used for nat traversal: N 
 
    [outbound ESP SAs]         
      spi: 1572321462 (0x5db7b8b6)              
      vpn: public  said: 37  cpuid: 0x0000      
      proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA2-256 
      sa remaining key duration (kilobytes/sec): 1843199/3487 
      max sent sequence-number: 18              
      udp encapsulation used for nat traversal: N 

An IPsec tunnel has been established, but how can we determine whether service traffic is actually transmitted over it? Here Dr. WoW introduces two methods for your reference.

- Method 1: Check the value of the max sent sequence-number field in the display ipsec sa command output. This field exists for anti-replay protection: the sequence number increases by 1 for each packet sent over the IPsec tunnel, so changes in its value show whether traffic is being transmitted over the tunnel. For example, a branch user sends 5 ICMP packets to a headquarters user. If the 5 ICMP packets are transmitted over the IPsec tunnel, the sequence number in the tunnel's IPsec SA increases by 5. If the sequence number does not increase, or increases by the wrong amount, the ICMP packets are not being transmitted over the IPsec tunnel or the tunnel is faulty.

- Method 2: Run the display ipsec statistics command and check the change in the input/output security packets field to determine whether packets are transmitted over the IPsec tunnel. For example, the following input/output security packets values show that the IPsec tunnel received 3 packets and forwarded 3 packets.

<NGFW> display ipsec statistics
15:54:21  2015/12/26           
  the security packet statistics:
    input/output security packets: 3/3   
    input/output security bytes: 252/252        
    input/output dropped security packets: 0/0  
    the encrypt packet statistics               
      send sae:3, recv sae:3, send err:0        
      local cpu:3, other cpu:0, recv other cpu:0
      intact packet:2, first slice:0, after slice:0
    the decrypt packet statistics               
      send sae:3, recv sae:3, send err:0        
      local cpu:0, other cpu:0, recv other cpu:0
      reass  first slice:0, after slice:0, len err:0
....

Note:

The first service packet, the one that triggers the establishment of the IPsec tunnel, is discarded, because the tunnel does not exist yet when it arrives. For example, if a branch user sends 10 ICMP packets to a headquarters user, the display ipsec statistics output shows only 9 packets forwarded.

Method 1 shows the packet counters of one specific tunnel, whereas method 2 shows global statistics for all IPsec tunnels on the device. If the device has multiple tunnels, method 1 is recommended.
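Both checks above can be automated against the command output. The following Python script is an added example and is not part of Dr. WoW's post or any Huawei tool: it parses display ipsec sa and display ipsec statistics output, compares the counters before and after a known number of test packets, and accounts for the dropped first packet from the note. The sample output strings are constructed to match the format shown above, and the function names and the tunnel_was_up flag are assumptions of this example.

```python
import re

# Constructed sample output, modelled on the "display ipsec sa" output in the post
# (not captured from a real device): the tunnel before any test traffic is sent.
SA_BEFORE = """\
<NGFW> display ipsec sa
    tunnel local : 1.1.3.1    tunnel remote: 1.1.5.1
    [inbound ESP SAs]
      spi: 112877185 (0x6ba5e81)
      max received sequence-number: 17
    [outbound ESP SAs]
      spi: 1572321462 (0x5db7b8b6)
      max sent sequence-number: 18
"""
# The same tunnel after a branch host sent 5 ICMP packets through the established tunnel.
SA_AFTER = (SA_BEFORE.replace("sequence-number: 17", "sequence-number: 22")
                     .replace("sequence-number: 18", "sequence-number: 23"))
# Constructed "display ipsec statistics" fragments before and after the same 5 packets.
STATS_BEFORE = "    input/output security packets: 3/3"
STATS_AFTER = "    input/output security packets: 8/8"

TUNNEL_RE = re.compile(r"tunnel local\s*:\s*(\S+)\s+tunnel remote:\s*(\S+)")
SEQ_RE = re.compile(r"max (sent|received) sequence-number:\s*(\d+)")
STATS_RE = re.compile(r"input/output security packets:\s*(\d+)/(\d+)")


def parse_ipsec_sa(output):
    """Return {tunnel remote address: {"sent": n, "received": n}}, one entry per tunnel."""
    tunnels, current = {}, None
    for line in output.splitlines():
        m = TUNNEL_RE.search(line)
        if m:
            current = m.group(2)
            tunnels[current] = {"sent": 0, "received": 0}
            continue
        m = SEQ_RE.search(line)
        if m and current is not None:
            tunnels[current][m.group(1)] = int(m.group(2))
    return tunnels


def parse_ipsec_statistics(output):
    """Return (input packets, output packets) from display ipsec statistics output."""
    m = STATS_RE.search(output)
    if m is None:
        raise ValueError("no 'input/output security packets' line in the output")
    return int(m.group(1)), int(m.group(2))


def expected_count(packets_sent, tunnel_was_up):
    """The packet that triggers tunnel setup is discarded (see the note), so expect one fewer."""
    return packets_sent if tunnel_was_up else packets_sent - 1


def check_tunnel_by_sequence(before, after, remote, packets_sent, tunnel_was_up=True):
    """Method 1: per-tunnel check on the outbound SA's max sent sequence-number."""
    b, a = parse_ipsec_sa(before), parse_ipsec_sa(after)
    if remote not in a:
        return {"ok": False, "reason": f"no IPsec SA for peer {remote}: negotiation failed"}
    before_sent = b[remote]["sent"] if remote in b else 0   # no SA yet before the trigger
    delta = a[remote]["sent"] - before_sent
    expected = expected_count(packets_sent, tunnel_was_up)
    return {"ok": delta == expected, "delta": delta, "expected": expected}


def check_device_by_statistics(before, after, packets_sent, tunnel_was_up=True):
    """Method 2: device-wide counters; they include every tunnel, so prefer Method 1 with several."""
    bi, bo = parse_ipsec_statistics(before)
    ai, ao = parse_ipsec_statistics(after)
    expected = expected_count(packets_sent, tunnel_was_up)
    return {"ok": ai - bi == expected and ao - bo == expected,
            "input_delta": ai - bi, "output_delta": ao - bo, "expected": expected}


if __name__ == "__main__":
    print(check_tunnel_by_sequence(SA_BEFORE, SA_AFTER, "1.1.5.1", 5))
    print(check_device_by_statistics(STATS_BEFORE, STATS_AFTER, 5))
```

Capture the two outputs before and after the pings, feed them to the matching check, and pass tunnel_was_up=False when the pings were what brought the tunnel up; the per-tunnel check keys on the tunnel remote address, which is what makes it usable on a device with several tunnels.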

Troubleshooting IPsec Tunnels

IPsec configuration involves many parameters and steps, and it is common for the first attempt to fail. Here Dr. WoW introduces how to use debugging commands to quickly locate the fault.

1. Enable debugging.

<NGFW> terminal monitor
15:43:17  2015/12/26           
Info: Current terminal monitor is on
<NGFW> terminal debugging 
15:43:20  2015/12/26           
Info: Current terminal debugging is on
<NGFW> debugging ike error
15:43:27  2015/12/26          

Note that when you enable IKE debugging, the ike keyword debugs IKEv1 tunnel negotiation and the ikev2 keyword debugs IKEv2 tunnel negotiation; select the one matching the IKE version configured for the tunnel. Also, enable only error debugging here so that the device does not display irrelevant IPsec debugging information.

2. Run the ping command to trigger tunnel negotiation and check the debugging information. For example, if the following information is displayed, the fault occurs in phase one of the IKE negotiation because the IKE proposals are inconsistent. Compare and verify the IKE proposals on the two gateways.

2015-12-26 07:47 NGFW %IKE/4/WARNING(l): phase1: proposal mismatch, please check ike proposal configuration. 

3. Run the ping command to trigger tunnel negotiation and check the debugging information. For example, if the following information is displayed, the fault occurs in phase two of the IKE negotiation because the ACLs are inconsistent. Compare the ACLs on the two gateways: the ACL on one gateway must mirror the ACL on the other (its source and destination are the other gateway's destination and source).

2015-12-26 07:47 NGFW %IKE/4/WARNING(l): phase2: security acl mismatch.

Comments from Dr. WoW

- In this example, the identity type (IP address) and the authentication method (pre-shared key) are left at their defaults, because the NGFW and AR defaults for these are consistent. However, that does not mean that all NGFW and AR defaults are the same; pay attention to this during configuration. For example, the default DH group on the NGFW is Group2, whereas the default DH group on the AR is Group1. If you are unsure of the peer's default values, set them manually.

In the interconnection configuration, the IKE proposal and IPsec proposal on both ends must use the same authentication and encryption algorithms. Otherwise, the tunnel may fail to be established.
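A mechanical way to do the comparison Dr. WoW recommends, and to relate a mismatch to the two debugging warnings quoted in the troubleshooting steps above, is shown in the following Python script. It is an added example, not part of the post and not a Huawei tool: it transcribes the two configurations into dictionaries, fills in the only vendor default the post documents (the DH group), treats the AR's aes-cbc-128 and the NGFW's aes-128 as the same algorithm (as the working configuration above does), checks that the ACLs mirror each other, and reports which warning to expect. The dictionary layout, the function names and the messages other than the two quoted from the post are assumptions of this example.

```python
# Added example (not from the post): compare two gateways' IKE/IPsec settings and map any
# mismatch to the debugging warning the post shows for that class of fault.

# The only vendor defaults the post documents: the NGFW's default DH group is group2,
# the AR's is group1. Every other parameter has to be set explicitly to be comparable.
VENDOR_DEFAULT_DH = {"NGFW": "group2", "AR": "group1"}

IKE_PROPOSAL_KEYS = ("encryption-algorithm", "authentication-algorithm", "dh")
IKE_PEER_KEYS = ("version", "exchange-mode", "pre-shared-key")
IPSEC_PROPOSAL_KEYS = ("transform", "encapsulation-mode", "esp-authentication", "esp-encryption")

# Gateway descriptions transcribed from the post's configuration; the dictionary
# layout itself is an assumption of this example.
NGFW = {
    "vendor": "NGFW", "local": "1.1.3.1",
    "ike": {"version": "v1", "exchange-mode": "main", "encryption-algorithm": "aes-128",
            "authentication-algorithm": "sha2-256", "dh": "group2",
            "pre-shared-key": "Key123", "remote-address": "1.1.5.1"},
    "ipsec": {"transform": "esp", "encapsulation-mode": "tunnel",
              "esp-authentication": "sha2-256", "esp-encryption": "aes-128"},
    "acl": ("10.1.1.0/24", "10.1.3.0/24"),   # (protected source, protected destination)
}
AR = {
    "vendor": "AR", "local": "1.1.5.1",
    "ike": {"version": "v1", "exchange-mode": "main", "encryption-algorithm": "aes-cbc-128",
            "authentication-algorithm": "sha2-256", "dh": "group2",
            "pre-shared-key": "Key123", "remote-address": "1.1.3.1"},
    "ipsec": {"transform": "esp", "encapsulation-mode": "tunnel",
              "esp-authentication": "sha2-256", "esp-encryption": "aes-128"},
    "acl": ("10.1.3.0/24", "10.1.1.0/24"),
}


def normalize(key, value):
    """Make the two CLIs' spellings comparable. The pre-shared key is case-sensitive and is
    compared as-is; the AR's aes-cbc-128 and the NGFW's aes-128 select the same suite
    (the post's working configuration uses one spelling on each side)."""
    if key == "pre-shared-key":
        return value
    v = value.strip().lower()
    if key in ("encryption-algorithm", "esp-encryption"):
        v = v.replace("-cbc-", "-")
    return v


def effective_ike(gw):
    """Fill in the one default the post documents (DH group); everything else stays as set."""
    params = dict(gw["ike"])
    params.setdefault("dh", VENDOR_DEFAULT_DH[gw["vendor"]])
    return params


def compare_gateways(a, b):
    """Return (phase, parameter, detail) tuples for every mismatch between the two ends."""
    findings = []
    ike_a, ike_b = effective_ike(a), effective_ike(b)
    for phase, keys, pa, pb in (("phase1", IKE_PROPOSAL_KEYS + IKE_PEER_KEYS, ike_a, ike_b),
                                ("phase2", IPSEC_PROPOSAL_KEYS, a["ipsec"], b["ipsec"])):
        for key in keys:
            va, vb = pa.get(key), pb.get(key)
            if va is None or vb is None:
                findings.append((phase, key, "not set explicitly on both ends; vendor defaults may differ, set it manually"))
            elif normalize(key, va) != normalize(key, vb):
                findings.append((phase, key, f"{a['vendor']}={va}, {b['vendor']}={vb}"))
    if ike_a.get("remote-address") != b["local"] or ike_b.get("remote-address") != a["local"]:
        findings.append(("phase1", "remote-address", "each remote-address must be the peer's tunnel interface address"))
    if a["acl"] != (b["acl"][1], b["acl"][0]):
        findings.append(("phase2", "security acl", "the ACLs must mirror each other: local source/destination = peer destination/source"))
    return findings


def expected_warning(findings):
    """The debugging line the post shows for each fault class; None when the two ends match."""
    if any(p == "phase1" and k in IKE_PROPOSAL_KEYS for p, k, _ in findings):
        return "phase1: proposal mismatch, please check ike proposal configuration."
    if any(k == "security acl" for _, k, _ in findings):
        return "phase2: security acl mismatch."
    return "mismatch outside the two cases shown in the post; see findings" if findings else None


if __name__ == "__main__":
    for finding in compare_gateways(NGFW, AR) or [("ok", "-", "both ends match")]:
        print(*finding)
```

Leaving dh out of the AR dictionary reproduces the default-value trap from the comments above: the NGFW side resolves to group2, the AR side to group1, and the script reports the phase-one proposal mismatch that the debugging output would show.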

Suggestion and Summary

If an IPsec tunnel has been established but services are interrupted, check whether a routing failure has occurred. If the local device has no route to the private network segment of the remote device, the local device discards the packets.

For details, see the HUAWEI USG6000 Series Interoperability Configuration Guide for VPN, which you can obtain as follows:

Step 1 Log in to the enterprise technical support website at http://support.huawei.com/enterprise.

Step 2 Click Security.

Step 3 Click the name of the product to be queried, for example, Secospace USG6600.

Step 4 Choose Documentation > Installation & Upgrade > Configuration Commissioning > Configuration Guide, and then select the corresponding product documentation.

HUAWEI USG6000 Series Interoperability Configuration Guide for VPN

very Useful :) ... the configuration works correctly

:)

Good, useful document, thanks


Thank you

Good
