Hello, everyone!
Today I will share with you the procedure of establishing an IPSec tunnel through negotiation initiated by the branch device to the headquarters Fortinet Firewall. Please see more details below.
1.1.1 Overview
On the Internet, most data is transmitted in plain text, which creates security risks. For example, bank accounts and passwords may be intercepted or tampered with, user identities may be counterfeited, and networks may be attacked. IPSec protects transmitted IP packets and reduces the risk of information leakage.
Internet Protocol Security (IPSec) is a security protocol suite defined by the Internet Engineering Task Force (IETF). IPSec secures data transmission on the Internet through data origin authentication, data encryption, data integrity check, and anti-replay functions.
- Data origin authentication: The receiver checks the validity of the sender.
- Data encryption: The sender encrypts data packets and transmits them as cipher text on the Internet. The receiver decrypts the received packets or directly forwards them.
- Data integrity check: The receiver validates received data to check whether it has been tampered with.
- Anti-replay: The receiver rejects old or duplicate packets, preventing attacks that resend captured packets.
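To make the anti-replay function concrete, here is an added example (my own code, not from the original post or from Huawei or Fortinet) of the sliding-window check an ESP receiver performs, following RFC 4303 section 3.4.3: a 64-packet window tracks the highest sequence number accepted and a bitmap of which of the previous 63 were seen. A sequence number left of the window or already set in the bitmap is dropped. The class name, window size and the sample sequence list are assumptions made for this example.

```python
# Added example: an ESP-style anti-replay window (RFC 4303, section 3.4.3).
# Not from the original post; class name and window size are assumptions.

WINDOW = 64  # RFC 4303 requires at least 32; 64 is a common default


class AntiReplayWindow:
    """Track received ESP sequence numbers and reject old or duplicate ones."""

    def __init__(self, window: int = WINDOW) -> None:
        self.window = window
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence (top - i) has been received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if acceptable, False if it is a replay."""
        if seq == 0:
            return False  # sequence 0 is never valid on a fresh SA
        if seq > self.top:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.top
            if shift >= self.window:
                self.bitmap = 1  # everything older has fallen out of the window
            else:
                mask = (1 << self.window) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.window:
            return False  # too old: left of the window
        if self.bitmap & (1 << diff):
            return False  # already seen: duplicate
        self.bitmap |= 1 << diff
        return True


def replay_verdicts(seqs):
    """Feed a list of sequence numbers through one window and return the verdicts."""
    win = AntiReplayWindow()
    return [win.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: packet 2 and packet 1 arrive a second time and are rejected.
    print(replay_verdicts([1, 2, 3, 2, 5, 4, 1]))
```

Out-of-order delivery inside the window (packet 4 arriving after 5) is still accepted, which is why the receiver keeps a bitmap rather than only the last sequence number.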
In Figure 1-1, IPSec VPN allows users to connect to the VPN over the Internet in any mode with no geographical limitations. IPSec VPN applies to the access of mobile office users and partners, and is used for communication between enterprise branches.
Figure 1-1 Application of IPSec VPN
1.1.2 Precautions
- Default IPSec parameter settings on different vendors' devices may differ and need to be adjusted as needed. Ensure that the configurations of the devices at both ends of an IPSec tunnel are consistent.
- The DPD packet formats supported by a Fortinet firewall and an AR are different. If DPD detection is enabled, the DPD packet format on the AR router must be set to seq-hash-notify.
- When an AR connects to a non-Huawei device and the IPSec proposals of both devices use SHA-2, an IPSec tunnel can be established but traffic forwarding fails. The possible cause is that the two devices use different SHA-2 computation modes. In this case, run the ipsec authentication sha2 compatible enable command on the AR router so that both devices use the same SHA-2 mode.
1.1.3 Networking Requirements
In Figure 1-2, the router is an enterprise branch gateway and the FW (Fortinet firewall) is the headquarters gateway, and they communicate through the Internet.
The enterprise wants to protect traffic between the branch and headquarters. An IPSec tunnel can be established between the branch gateway and headquarters gateway to secure data flows transmitted over the Internet.
Figure 1-2 Establishing an IPSec tunnel through negotiation initiated by the branch device to the headquarters Fortinet firewall
1.1.4 Data Plan
Before the configuration, plan data according to Table 1-1. The data in Table 1-1 is used for reference only.
Table 1-1 Data plan for interconnection between the router and FW
Item | Value
Public Network Address of Router | 1.1.1.1
Private Network Address of Router | 10.1.1.2
Public Network Address of FW | 2.1.1.1
Private Network Address of FW | 10.1.2.1
Parameters for IPSec Phase 1 (IKE Negotiation Phase) | IKE version: V1; Negotiation mode: main; Authentication method: pre-shared key; Pre-shared key: huawei@123; Encryption algorithm: aes-cbc-256; Authentication algorithm: sha2-512; DH group: group 14; Lifetime: 28800s; DPD detection: enabled
Parameters for IPSec Phase 2 (IPSec Negotiation Phase) | Security protocol: ESP; Encapsulation mode: tunnel; Encryption algorithm: aes-256; Authentication algorithm: sha2-512; Lifetime: 3600s; PFS function: disabled
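Because the precautions above say the two ends must agree field by field and that vendors spell the same algorithm differently, I add a small plan checker here (my own example code, not from the post or from either vendor). It maps each vendor's spelling to one neutral form, compares every phase 1 and phase 2 field of the two sides, and applies the DPD precaution from this post. The field names, the alias table and the two sample plans are assumptions for this example; the FW-side plan is a simplified representation of the Fortinet settings, not FortiGate CLI syntax. The values are the ones from Table 1-1, except that the FW sample deliberately carries a different phase 2 lifetime so the mismatch is visible.

```python
# Added example: compare the planned IKE/IPSec parameters of both tunnel ends.
# Not from the original post; field names, alias table and plans are assumptions.

# Vendor spellings mapped to one neutral form (illustrative, not exhaustive).
ALIASES = {
    "aes-cbc-256": "aes256", "aes-256": "aes256", "aes256": "aes256",
    "sha2-512": "sha512", "sha512": "sha512",
    "group14": "dh14", "group 14": "dh14", "14": "dh14",
    "pre-share": "psk", "pre-shared key": "psk", "psk": "psk",
    "v1": "ikev1", "1": "ikev1", "ikev1": "ikev1",
}

PHASE1_FIELDS = ("ike_version", "mode", "auth_method", "encryption",
                 "integrity", "dh_group", "lifetime")
PHASE2_FIELDS = ("protocol", "encapsulation", "encryption", "integrity",
                 "lifetime", "pfs")


def normalise(value):
    """Lower-case a value and replace a known vendor spelling with the neutral one."""
    v = str(value).strip().lower()
    return ALIASES.get(v, v)


def compare_phase(local, remote, fields):
    """Return (field, local_value, remote_value) for every field that disagrees."""
    problems = []
    for f in fields:
        if normalise(local.get(f, "<missing>")) != normalise(remote.get(f, "<missing>")):
            problems.append((f, local.get(f), remote.get(f)))
    return problems


def check_plan(router, fw):
    """Compare both phases and apply the post's DPD-format precaution for the AR."""
    findings = [("phase1",) + p for p in
                compare_phase(router["phase1"], fw["phase1"], PHASE1_FIELDS)]
    findings += [("phase2",) + p for p in
                 compare_phase(router["phase2"], fw["phase2"], PHASE2_FIELDS)]
    p1 = router["phase1"]
    # Precaution from the post: with DPD enabled the AR must use seq-hash-notify.
    if normalise(p1.get("dpd", "disabled")) == "enabled" and p1.get("dpd_msg") != "seq-hash-notify":
        findings.append(("phase1", "dpd_msg", p1.get("dpd_msg"), "seq-hash-notify required"))
    return findings


# Constructed sample plans (the pre-shared key itself is not part of the comparison).
ROUTER_PLAN = {
    "phase1": {"ike_version": "V1", "mode": "main", "auth_method": "pre-share",
               "encryption": "aes-cbc-256", "integrity": "sha2-512",
               "dh_group": "group14", "lifetime": 28800,
               "dpd": "enabled", "dpd_msg": "seq-hash-notify"},
    "phase2": {"protocol": "esp", "encapsulation": "tunnel", "encryption": "aes-256",
               "integrity": "sha2-512", "lifetime": 3600, "pfs": "disabled"},
}
FW_PLAN = {
    "phase1": {"ike_version": "1", "mode": "main", "auth_method": "psk",
               "encryption": "aes256", "integrity": "sha512",
               "dh_group": "14", "lifetime": 28800},
    "phase2": {"protocol": "esp", "encapsulation": "tunnel", "encryption": "aes256",
               "integrity": "sha512", "lifetime": 1800, "pfs": "disabled"},  # deliberate mismatch
}

if __name__ == "__main__":
    for finding in check_plan(ROUTER_PLAN, FW_PLAN):
        print("MISMATCH", *finding)
```

Run it before touching either device; a phase 2 lifetime mismatch like the one in the sample does not stop the tunnel from coming up, but it does cause rekeys at different times and is a common source of "tunnel flaps every N minutes" tickets.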
1.1.5 Configuration Procedure
1.1.5.1 Configuring the Router
Configuration Roadmap
1. Configure IP addresses and static routes for interfaces so that routes between the router and FW are reachable.
2. Configure an ACL to define the data flows to be protected by the IPSec tunnel.
3. Configure an IPSec proposal to define the method used to protect IPSec traffic.
4. Configure an IKE proposal and an IKE peer, and define parameters used for IKE negotiation.
5. Configure an IPSec policy, and reference the ACL, IPSec proposal, and IKE peer in the IPSec policy to determine the methods used to protect data flows.
6. Apply the IPSec policy group to an interface.
Procedure
Step 1 Configure IP addresses and static routes for interfaces so that routes between the router and FW are reachable.
# Assign an IP address to an interface on the router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
[Router-GigabitEthernet2/0/0] quit
# On the router, configure static routes to the FW. This example assumes that the next hop addresses of the routes are both 1.1.1.2.
[Router] ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
[Router] ip route-static 10.2.1.0 255.255.255.0 1.1.1.2
Step 2 Configure an ACL to define data flows to be protected.
# Configure an ACL on the router to define the data flows sent from private network 10.1.1.0/24 to private network 10.2.1.0/24. Advanced ACL number 3101 is assumed in this example.
[Router] acl number 3101
[Router-acl-adv-3101] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
[Router-acl-adv-3101] quit
Step 3 Configure an IPSec proposal to define the method used to protect IPSec traffic.
# Create an IPSec proposal on the router.
[Router] ipsec authentication sha2 compatible enable
[Router] ipsec proposal tran1
[Router-ipsec-proposal-tran1] transform esp
[Router-ipsec-proposal-tran1] esp authentication-algorithm sha2-512
[Router-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[Router-ipsec-proposal-tran1] encapsulation-mode tunnel
[Router-ipsec-proposal-tran1] quit
Step 4 Configure an IKE proposal and an IKE peer, and define parameters used for IKE negotiation.
# Configure an IKE proposal and define parameters in IKE negotiation phase 1
[Router] ike proposal 5
[Router-ike-proposal-5] encryption-algorithm aes-cbc-256
[Router-ike-proposal-5] authentication-algorithm sha2-512
[Router-ike-proposal-5] dh group14
[Router-ike-proposal-5] sa duration 28800
[Router-ike-proposal-5] authentication-method pre-share
[Router-ike-proposal-5] quit
# Configure an IKE peer and define parameters in IKE negotiation phase 1. The peer name fw is assumed in this example; the remote address is the public address of the FW from the data plan, and the DPD packet format is set to seq-hash-notify as required by the precautions.
[Router] ike peer fw v1
[Router-ike-peer-fw] ike-proposal 5
[Router-ike-peer-fw] pre-shared-key cipher huawei@123
[Router-ike-peer-fw] remote-address 2.1.1.1
[Router-ike-peer-fw] dpd type periodic
[Router-ike-peer-fw] dpd msg seq-hash-notify
[Router-ike-peer-fw] quit
Step 5 Configure an IPSec policy, and reference the ACL, IPSec proposal, and IKE peer in the IPSec policy to determine the methods used to protect data flows.
# Create an IPSec policy in IKE negotiation mode on the router. Policy map1 is the one applied to the interface in Step 6; sequence number 10, ACL 3101 and IKE peer fw are the values assumed for them in this example, and the SA lifetime is the 3600s from the data plan.
[Router] ipsec policy map1 10 isakmp
[Router-ipsec-policy-isakmp-map1-10] security acl 3101
[Router-ipsec-policy-isakmp-map1-10] proposal tran1
[Router-ipsec-policy-isakmp-map1-10] ike-peer fw
[Router-ipsec-policy-isakmp-map1-10] sa duration time-based 3600
[Router-ipsec-policy-isakmp-map1-10] quit
Step 6 Apply an IPSec policy group to an interface.
# Apply the IPSec policy group to the public interface of the router.
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ipsec policy map1
[Router-GigabitEthernet1/0/0] quit
Step 7 Verify the configuration.
# Run the display ike proposal command on the router to check the IKE proposal configuration.
[Router] display ike proposal number 5
-------------------------------------------
IKE Proposal: 5
Authentication method : pre-shared
Authentication algorithm : SHA2-512
Encryption algorithm : AES-CBC-256
DH group : MODP-2048
SA duration : 28800
PRF : PRF-HMAC-SHA2-256
-------------------------------------------
# Run the display ipsec proposal command on the router to check the IPSec proposal configuration.
[Router] display ipsec proposal
Number of proposals: 1
IPsec proposal name: tran1
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA2-HMAC-512
Encryption AES-256
----End
1.1.5.2 Configuring the FW
Step 1 Log in to the web system of FW
1. Enter the URL of the FW in a browser and press Enter. The login page is displayed. Enter the user name and password, and click Login.
2. After login, the main page is displayed.
Figure 1-3 Web main page
Step 2 Configure IP addresses for interfaces.
Choose System > Network > Interfaces to access the interface configuration page.
1. Configure an IP address for the public interface. Choose wan1 in Name and right-click Edit.
Figure 1-4 Configuring an IP address for the public interface
2. Configure an IP address for the private interface. Choose port1 in Name and right-click Edit.
Figure 1-5 Configuring an IP address for the private interface
Step 3 Configure static routes to the peer. This example assumes that the next hop address of the routes is 2.1.1.2.
1. Choose Router > Static > Static Routes to access the static route configuration page, and click Create New.
2. Configure a public network route.
Figure 1-6 Configuring a public network route
3. Configure a private network route.
Figure 1-7 Configuring a private network route
Step 4 Configure IPSec.
1. Choose VPN > IPSec > Tunnels to access the IPSec configuration page.
Figure 1-8 IPSec configuration page
2. Click Create New, enter the IPSec tunnel name in Name, and select Custom VPN Tunnel (No Template).
Figure 1-9 Configuring the IPSec tunnel name and template
3. Click Next to access the IPSec parameter configuration page.
You can configure parameters as needed under Comments.
Figure 1-10 Configuring IPSec parameters
4. Configure IP Address and Interface under Network, and modify other parameters as needed.
Figure 1-11 Configuring network
5. Configure Pre-shared Key in Authentication, and choose Version and Mode under IKE.
Figure 1-12 Configuring authentication and IKE
6. Configure parameters for Phase 1 Proposal.
Figure 1-13 Configuring an IKE proposal
7. Choose Phase 2 Selectors > New Phase 2 to configure IPSec encrypted data flows, and configure parameters under Phase 2 Proposal.
Figure 1-14 Configuring parameters for phase 2 proposal
8. Click OK to complete IPSec configuration.
----End
1.1.6 Verification
1. Run the display ike sa command to check information about the SAs established in phase 1 and phase 2.
[Router] display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------
16 2.1.1.1 0 RD|ST 2
14 2.1.1.1 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
2. Ping a host in the headquarters from a host in the branch. The ping succeeds. Run the display ipsec statistics esp command to check statistics on IPSec packets. The values of the Inpacket decap count and Outpacket encap count fields are not 0, indicating that data transmitted between the branch and headquarters is being encrypted.
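When this check has to be repeated across many branch routers, it helps to parse the display ike sa output mechanically rather than by eye. The following is an added example (my own code, not from the post or from Huawei) that reads the SA table shown above and reports the tunnel as ready only when both a phase 1 and a phase 2 SA to the expected peer carry the RD (READY) flag. The sample text is the output quoted in this post; the second sample, with a phase 1 SA only, is constructed for the example, and the function names and the row regular expression are assumptions.

```python
import re

# Added example: parse the AR's "display ike sa" table and decide whether the
# tunnel to a given peer is fully up. Not from the original post.

# Output as quoted in the post's verification step.
SAMPLE_BOTH_PHASES = """\
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------
16 2.1.1.1 0 RD|ST 2
14 2.1.1.1 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
"""

# Constructed sample: phase 1 finished, phase 2 never came up (typical of a
# proposal or ACL mismatch in phase 2).
SAMPLE_PHASE1_ONLY = """\
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------
14 2.1.1.1 0 RD|ST 1
"""

# One SA row: conn-id, IPv4 peer, VPN instance, '|'-joined flags, phase (1 or 2).
ROW = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+([12])\s*$")


def parse_ike_sa(text):
    """Return one dict per SA row; header, separator and legend lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            conn, peer, vpn, flags, phase = m.groups()
            sas.append({"conn_id": int(conn), "peer": peer, "vpn": int(vpn),
                        "flags": set(flags.split("|")), "phase": int(phase)})
    return sas


def ready_phases(text, peer):
    """Set of phases (1 and/or 2) whose SA to peer is in the READY (RD) state."""
    return {sa["phase"] for sa in parse_ike_sa(text)
            if sa["peer"] == peer and "RD" in sa["flags"]}


def tunnel_ready(text, peer):
    """True only when both phase 1 and phase 2 SAs to peer are READY."""
    return {1, 2} <= ready_phases(text, peer)


if __name__ == "__main__":
    print(tunnel_ready(SAMPLE_BOTH_PHASES, "2.1.1.1"))   # both SAs present
    print(tunnel_ready(SAMPLE_PHASE1_ONLY, "2.1.1.1"))   # phase 2 missing
```

Checking the peer address as well as the phase matters: a router with several tunnels can show READY SAs to a different peer while the one you are troubleshooting is down. Note that the ping test from the post remains the real proof; an SA pair in RD state with a zero Inpacket decap count still points to a forwarding problem, such as the SHA-2 compatibility issue in the precautions.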
1.1.7 Troubleshooting
If an IPSec tunnel cannot be established, check whether there are reachable routes and whether the devices at both ends use the same configuration.
That is all I want to share with you. Thank you!