IPSec VPN Establishment between Juniper Firewall & Huawei Firewall

Latest reply: Sep 9, 2019 07:09:18

Equipment Used

Juniper SRX-220 Firewall

Huawei USG6550E Firewall


1. There are four main steps to configure an IPSec tunnel between the Juniper firewall and the Huawei edge firewall:-

a. Step-1:- IPSec tunnel configuration on the Juniper firewall

b. Step-2:- IPSec tunnel configuration on the Huawei edge firewall

c. Step-3:- Security policies on the Huawei and Juniper firewalls

d. Step-4:- Route configuration on the Huawei and Juniper firewalls


2. On the Juniper side the IKE and IPsec proposals have to be defined explicitly, so that they agree with what the Huawei side will offer. The values below are the ones used in this post; the peer address 10.XX.XX.XX, the outgoing interface ge-0/0/2.0, the tunnel unit st0.XX and the key are placeholders to replace:-

a. set security ike proposal Huawei_IKE_Proposal authentication-method pre-shared-keys

b. set security ike proposal Huawei_IKE_Proposal dh-group group14

c. set security ike proposal Huawei_IKE_Proposal authentication-algorithm sha-256

d. set security ike proposal Huawei_IKE_Proposal encryption-algorithm aes-256-cbc

e. set security ike policy Huawei_Policy mode main

f. set security ike policy Huawei_Policy proposals Huawei_IKE_Proposal

g. set security ike policy Huawei_Policy pre-shared-key ascii-text "YOUR KEY"

h. set security ike gateway Huawei_Edge ike-policy Huawei_Policy

i. set security ike gateway Huawei_Edge address 10.XX.XX.XX

j. set security ike gateway Huawei_Edge external-interface ge-0/0/2.0 (outgoing interface)

k. set security ipsec proposal Huawei_IPsec_Proposal protocol esp

l. set security ipsec proposal Huawei_IPsec_Proposal authentication-algorithm hmac-sha-256-128

m. set security ipsec proposal Huawei_IPsec_Proposal encryption-algorithm aes-256-cbc

n. set security ipsec policy Huawei_Edge_Policy proposals Huawei_IPsec_Proposal

o. set security ipsec vpn Huawei_Edge bind-interface st0.XX (tunnel interface; make sure you have already created this interface)

p. set security ipsec vpn Huawei_Edge vpn-monitor

q. set security ipsec vpn Huawei_Edge ike gateway Huawei_Edge

r. set security ipsec vpn Huawei_Edge ike ipsec-policy Huawei_Edge_Policy

s. set security ipsec vpn Huawei_Edge establish-tunnels immediately

Two things this list relies on but does not show: the st0 unit has to exist and be placed in a security zone before the bind-interface line can be committed, and the zone of the outgoing interface must accept IKE as an inbound system service, otherwise the negotiation packets from the Huawei side are dropped before IKE ever sees them. Note also that the IPsec policy here does not enable perfect forward secrecy; if you turn PFS on at either end, configure the same DH group at the other end as well, or Phase 2 will fail.


Step-2:-

a. Access the web interface of the Huawei firewall and go to Network > Interfaces to configure the access interface (the one connected towards the Juniper firewall).

b. If you are using the Huawei fibre ports, first enable the fibre mode of the combo port from the command line, otherwise the link will not come up. Use the following commands:-

(1) [USG6500E] interface GigabitEthernet 0/0/23

(2) [USG6500E-GigabitEthernet0/0/23] combo enable fiber

(3) [USG6500E] save (after quit back to the system view)

c. Then go to Network > IPSec > IPSec, press the Add link and fill in the initial configuration as shown in the figure. Add the Local ID and Peer ID (both of type IP address, since the Juniper gateway identifies itself by its address in main mode) and enter exactly the same pre-shared key that was configured on the Juniper firewall.

[Figure 1]

d. Go to option 3, Data Flow to Encrypt, press Add and enter any/any for source and destination as shown. This matches the Juniper side, where a route-based VPN without an explicit proxy identity negotiates 0.0.0.0/0 to 0.0.0.0/0; if you narrow the data flow here, set the same proxy identity on the Juniper VPN, or Phase 2 will not agree.

e. Go to option 4, IKE/IPSec Proposal, and select the values that match the Juniper proposals above: for IKE, pre-shared key authentication, DH group 14, SHA-256 integrity and AES-256-CBC encryption in main mode; for IPSec, ESP with HMAC-SHA-256 integrity and AES-256-CBC encryption. Do not change these algorithms, as any deviation will create a mismatch with the Juniper proposals and the IPSec tunnel will not establish.

f. Press Apply to commit the changes.

[Figure 2]

Step-3:-

a. Create the address objects used by the security policies under Object > Address > Address; click Add and define all the addresses of your architecture (at least the local and the remote subnets).

b. Go to Policy > Security Policy > Security Policy and add the policies in both directions, that is from source to destination and for the return traffic from destination to source. Two kinds of policy are needed: between the Local zone and the WAN zone (the zone of the access port), so that the firewall itself can exchange the IKE negotiation and the ESP traffic with the Juniper peer, and between your internal zone and the WAN zone for the traffic that is to be encrypted. Add both directions for each, as shown in the figure:-

c. Add the corresponding security policies on the Juniper firewall, between the zone of your LAN and the zone holding the tunnel interface, in both directions.

[Figure 3]

Step-4:-

a. Add a static route for the destination (server) subnet under Network > Route > Static Route, with the access IP of the Juniper firewall as next hop, so that the traffic leaves through the interface where the IPSec policy is applied. On the Juniper side add the matching static route for the Huawei subnet pointing at the st0 tunnel interface.

b. Once both firewalls can reach each other the IPSec tunnel will establish and the services will start to work. On the Huawei firewall the tunnel can be checked from Network > IPSec > Monitor; on the Juniper firewall use "show security ike security-associations" and "show security ipsec security-associations", and "show security ipsec statistics" to confirm that packets are actually being encrypted and decrypted.


Note: the values written as XX (peer address, interface and tunnel unit numbers) and the pre-shared key must be adjusted to your own network architecture. Treat the pre-shared key as a secret: long, randomly generated and not reused for other peers.
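To make the Juniper side complete, here is the whole configuration for that firewall in set format, as an added example that is not part of the original post. It adds the pieces the list in Step-1 assumes but does not show: the st0 unit, the zone assignments with IKE allowed inbound on the external interface, the address book and two-way policies of Step-3 and the static route of Step-4. The interface, address and subnet values are assumptions for illustration (ge-0/0/2 facing the Huawei peer at 203.0.113.1, a LAN of 192.168.10.0/24 behind ge-0/0/1, a Huawei LAN of 192.168.20.0/24, st0.0 placed in a zone named vpn) and must be replaced with your own.

```junos
## Added example (not from the original post). All addresses, interface
## names and zone names below are assumptions for illustration.

## Interfaces: the st0 unit must exist before bind-interface can be committed
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.1/24
set interfaces st0 unit 0 family inet address 10.255.255.1/30

## Zones: IKE has to be accepted inbound on the external interface, otherwise
## the Huawei peer's negotiation packets are dropped before IKE sees them
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0

## Step-1: Phase 1 (IKE), same proposal values as the post
set security ike proposal Huawei_IKE_Proposal authentication-method pre-shared-keys
set security ike proposal Huawei_IKE_Proposal dh-group group14
set security ike proposal Huawei_IKE_Proposal authentication-algorithm sha-256
set security ike proposal Huawei_IKE_Proposal encryption-algorithm aes-256-cbc
set security ike policy Huawei_Policy mode main
set security ike policy Huawei_Policy proposals Huawei_IKE_Proposal
set security ike policy Huawei_Policy pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-KEY"
set security ike gateway Huawei_Edge ike-policy Huawei_Policy
set security ike gateway Huawei_Edge address 203.0.113.1
set security ike gateway Huawei_Edge external-interface ge-0/0/2.0

## Step-1: Phase 2 (IPsec), route-based VPN bound to st0.0
set security ipsec proposal Huawei_IPsec_Proposal protocol esp
set security ipsec proposal Huawei_IPsec_Proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal Huawei_IPsec_Proposal encryption-algorithm aes-256-cbc
set security ipsec policy Huawei_Edge_Policy proposals Huawei_IPsec_Proposal
set security ipsec vpn Huawei_Edge bind-interface st0.0
set security ipsec vpn Huawei_Edge vpn-monitor
set security ipsec vpn Huawei_Edge ike gateway Huawei_Edge
set security ipsec vpn Huawei_Edge ike ipsec-policy Huawei_Edge_Policy
set security ipsec vpn Huawei_Edge establish-tunnels immediately

## Step-3: address objects and two-way policies between trust and vpn
set security address-book global address Juniper_LAN 192.168.10.0/24
set security address-book global address Huawei_LAN 192.168.20.0/24
set security policies from-zone trust to-zone vpn policy to-huawei match source-address Juniper_LAN
set security policies from-zone trust to-zone vpn policy to-huawei match destination-address Huawei_LAN
set security policies from-zone trust to-zone vpn policy to-huawei match application any
set security policies from-zone trust to-zone vpn policy to-huawei then permit
set security policies from-zone vpn to-zone trust policy from-huawei match source-address Huawei_LAN
set security policies from-zone vpn to-zone trust policy from-huawei match destination-address Juniper_LAN
set security policies from-zone vpn to-zone trust policy from-huawei match application any
set security policies from-zone vpn to-zone trust policy from-huawei then permit

## Step-4: route the Huawei LAN into the tunnel interface
set routing-options static route 192.168.20.0/24 next-hop st0.0
```

Load it with "load set terminal" (or paste it line by line) and run "commit check" before "commit". Afterwards "show security ike security-associations" should list the peer with state UP and "show security ipsec security-associations" should show one inbound and one outbound SA. If the IKE SA never appears, verify first that IKE is allowed inbound on the untrust zone, since that is the usual reason a peer-initiated negotiation is silently dropped. Keep in mind that vpn-monitor sends ICMP probes through the tunnel and marks the VPN down when the Huawei side does not answer them, so the Huawei security policies have to allow those probes; otherwise leave the vpn-monitor line out.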


chenhui (Admin)
Created Aug 20, 2019 01:12:45, Helpful(1)

this is great. :)
Jamalb
Created Sep 4, 2019 05:51:06, Helpful(0)

very specific ...thx
wissal (MVE)
Created Sep 8, 2019 05:35:24, Helpful(1)

Well explained, thanks
SurButt
Created Sep 9, 2019 06:46:06, Helpful(0)

Thank You Sir :)
SurButt
Created Sep 9, 2019 07:08:48, Helpful(0)

Thank You Sir.
SurButt
Created Sep 9, 2019 07:09:18, Helpful(0)

Thank You Sir