HP VPN Firewall Appliances VPN Configuration Guide
Part number: 5998-4168
Software version: F1000-A-EI/F1000-S-EI (Feature 3726), F1000-E (Release 3177), F5000 (Feature 3211), F5000-S/F5000-C (Release 3808), VPN firewall modules (Release 3177), 20-Gbps VPN firewall modules (Release 3817)
Document version: 6PW101-20130923
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Configuring GRE The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. Overview Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate multiple network layer protocols into virtual point-to-point tunnels over an IP network. Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end.
• GRE over IPv4—The transport protocol is IPv4, and the passenger protocol is any network layer protocol. • GRE over IPv6—The transport protocol is IPv6, and the passenger protocol is any network layer protocol. In the Web interface, you can configure only GRE over IPv4 tunnels. GRE encapsulation and de-encapsulation The following sections use Figure 3 to describe how an X protocol packet traverses an IP network through a GRE tunnel.
• GRE key—Ensures packet validity. The sender adds a GRE key into a packet. The receiver compares the GRE key with its own GRE key. If the two keys are the same, the receiver accepts the packet. Otherwise, it drops the packet. • GRE checksum—Ensures packet integrity. The sender calculates a checksum for the GRE header and payload and sends the packet containing the checksum to the tunnel peer. The receiver calculates a checksum for the received packet and compares it with that carried in the packet.
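The key and checksum checks described above, as an added example that is not part of the HP guide: a small Python encoder and receive-side validator for the GRE header (RFC 2784 checksum over header and payload, RFC 2890 key field) run over constructed packets; the key value 1 and the payload bytes are constructed samples.

```python
"""GRE header build and receive-side validation (added example, not from the HP guide).

Models the GRE key and GRE checksum checks described above: RFC 2784 checksum
over header and payload, RFC 2890 key field compared with the local key.
"""
import struct
from dataclasses import dataclass
from typing import Optional

GRE_C = 0x8000           # Checksum Present flag
GRE_K = 0x2000           # Key Present flag
GRE_S = 0x1000           # Sequence Number Present flag
ETHERTYPE_IPV4 = 0x0800  # passenger protocol for GRE over IPv4 carrying IPv4


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the IP-style GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def build_gre(payload: bytes, key: Optional[int] = None, checksum: bool = False,
              protocol: int = ETHERTYPE_IPV4) -> bytes:
    """Sender side: prepend a GRE header with optional checksum and key."""
    flags, options = 0, b""
    if checksum:
        flags |= GRE_C
        options += struct.pack("!HH", 0, 0)   # checksum placeholder, reserved1
    if key is not None:
        flags |= GRE_K
        options += struct.pack("!I", key)
    packet = struct.pack("!HH", flags, protocol) + options + payload
    if checksum:
        # Checksum covers GRE header and payload with the field itself zeroed.
        csum = (~_ones_complement_sum(packet)) & 0xFFFF
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


@dataclass
class GrePacket:
    protocol: int
    key: Optional[int]
    payload: bytes


class GreDrop(ValueError):
    """The receiver drops the packet for the given reason."""


def parse_gre(packet: bytes, local_key: Optional[int] = None) -> GrePacket:
    """Receiver side: verify checksum, compare the key, strip the header."""
    if len(packet) < 4:
        raise GreDrop("truncated header")
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise GreDrop("unsupported GRE version %d" % (flags & 0x0007))
    offset = 4 + (4 if flags & GRE_C else 0)
    key = None
    if flags & GRE_K:
        if len(packet) < offset + 4:
            raise GreDrop("truncated key field")
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_S:
        offset += 4
    if len(packet) < offset:
        raise GreDrop("truncated options")
    if flags & GRE_C and _ones_complement_sum(packet) != 0xFFFF:
        # Recomputed checksum disagrees with the carried one: corrupted in transit.
        raise GreDrop("checksum mismatch")
    if local_key is not None and key != local_key:
        # The key carried in the packet must equal the key on the receiving tunnel.
        raise GreDrop("key mismatch")
    return GrePacket(protocol, key, packet[offset:])


def receive(packet: bytes, local_key: Optional[int] = None) -> str:
    """Return 'accepted' or 'dropped: <reason>' for a received GRE packet."""
    try:
        parse_gre(packet, local_key)
    except GreDrop as exc:
        return "dropped: %s" % exc
    return "accepted"


if __name__ == "__main__":
    inner = b"constructed inner IPv4 packet bytes"        # constructed sample payload
    good = build_gre(inner, key=1, checksum=True)
    corrupted = good[:-1] + bytes([good[-1] ^ 0x01])   # flip one payload bit in transit
    print(receive(good, local_key=1))                  # accepted
    print(receive(good, local_key=2))                  # dropped: key mismatch
    print(receive(corrupted, local_key=1))             # dropped: checksum mismatch
```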
Figure 5 Network diagram (Device A to Device D GRE tunnel across IP networks between Host A and Host B; Device B and Device C in the transit network)
Constructing VPN
As shown in Figure 6, Site 1 and Site 2 both belong to VPN 1 and are located in different cities. Using a GRE tunnel can connect the two VPN sites across the WAN.
Figure 6 Network diagram
Operating with IPsec
As shown in Figure 7, GRE can be encapsulated into IPsec to improve transmission security for routing protocol packets, voice data, and video data.
• RFC 2784, Generic Routing Encapsulation (GRE)
Configuring a GRE over IPv4 tunnel in the Web interface
Configuration prerequisites
Before you configure a GRE over IPv4 tunnel, configure an IP address for the interface (such as a VLAN interface, an Ethernet interface, or a Loopback interface) to be used as the source interface of the tunnel interface.
Recommended configuration procedure
Step 1. Creating a GRE over IPv4 tunnel interface. Remarks: Required.
Figure 9 Adding a GRE over IPv4 tunnel interface
3. Configure the GRE over IPv4 tunnel interface as described in Table 1.
4. Click Apply.
Table 1 Configuration items
Item / Description
Tunnel Interface: Specify the number of the tunnel interface.
IP/Mask: Specify the IP address and subnet mask of the tunnel interface. IMPORTANT: When configuring a static route on the tunnel interface, make sure the destination IP address of the static route is not in the subnet of the tunnel interface.
Keepalive: Enable or disable the GRE keepalive function. With the GRE keepalive function enabled on a tunnel interface, the device sends GRE keepalive packets from the tunnel interface periodically. If no response is received from the peer within the specified interval, the device retransmits the keepalive packet.
Figure 11 Creating a GRE tunnel interface 3. Configure a static route from Firewall A through interface Tunnel0 to Group 2: a. Select Network > Routing Management > Static Routing from the navigation tree. b. Click Add. c. Enter 10.1.3.0 as the destination IP address. d. Select mask 255.255.255.0. e. Select Tunnel0 as the outbound interface. f. Click Apply.
a. Select VPN > GRE > GRE from the navigation tree. b. Click Add. c. Enter 0 in the Tunnel Interface field. d. Enter IP address/mask 10.1.2.2/24. e. Select Trust from the Zone list. (Select a security zone according to your network configuration.) f. Enter the source end IP address 2.2.2.2, the IP address of GigabitEthernet 0/1. g. Enter the destination end IP address 1.1.1.1, the IP address of GigabitEthernet 0/1 on Firewall A. h. Click Apply. 3.
2. From Firewall B, ping the IP address of GigabitEthernet 0/2 on Firewall A.
ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=2 ms
--- 10.1.1.
Configuration procedure
To configure a GRE over IPv4 tunnel:
Step / Command / Remarks
1. Enter system view. Command: system-view. Remarks: N/A.
2. Create a tunnel interface and enter tunnel interface view. Command: interface tunnel interface-number. Remarks: By default, a device has no tunnel interface.
3. Configure an IPv4 address for the tunnel interface. Command: ip address ip-address { mask | mask-length }. Remarks: By default, a tunnel interface has no IPv4 address.
4. Remarks: Optional. The default tunnel mode is GRE over IPv4.
Step / Command / Remarks
13. Configure the device to discard the IPv4-compatible IPv6 packets. Command: tunnel discard ipv4-compatible-packet. Remarks: Optional. By default, the device does not discard the IPv4-compatible IPv6 packets.
For information about tunnel interfaces, more configuration commands in a tunnel interface, and the expedite termination function, see VPN Command Reference.
Step / Command / Remarks
2. Enable the IPv6 packet forwarding function. Command: ipv6. Remarks: Disabled by default.
3. Create a tunnel interface and enter tunnel interface view. Command: interface tunnel interface-number. Remarks: By default, there is no tunnel interface on a device.
4. Configure an IPv4 address for the tunnel interface. Command: ip address ip-address { mask | mask-length }. Remarks: By default, no IPv4 address is configured for a tunnel interface.
5. Set the tunnel mode to GRE over IPv6. Remarks: The default tunnel mode is GRE over IPv4.
For more information about the commands interface tunnel, tunnel-protocol, source, destination, encapsulation-limit, and tunnel discard ipv4-compatible-packet, see VPN Command Reference.
Displaying GRE
Task:
• Display information about a specific or all tunnel interfaces.
• Display IPv6 information about a tunnel interface.
[FirewallA] interface tunnel 0
# Configure an IPv4 address for the tunnel interface Tunnel0.
[FirewallA-Tunnel0] ip address 10.1.2.1 255.255.255.0
# Configure the tunnel encapsulation mode as GRE over IPv4.
[FirewallA-Tunnel0] tunnel-protocol gre
# Configure the source address of the tunnel interface Tunnel0 as the IP address of GigabitEthernet 0/2.
[FirewallA-Tunnel0] source 1.1.1.
Description: Tunnel0 Interface
The Maximum Transmit Unit is 1476
Internet Address is 10.1.2.1/24 Primary
Encapsulation is TUNNEL, service-loopback-group ID not set.
Tunnel source 1.1.1.1, destination 2.2.2.
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=2 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/2 ms
GRE over IPv6 tunnel configuration example
Network requirements
As shown in Figure 15, two IPv4 subnets Group 1 and Group 2 are connected to an IPv6 network. Create a GRE over IPv6 tunnel between Firewall A and Firewall B so the two IPv4 subnets can communicate with each other through the GRE tunnel over the IPv6 network.
# Configure the destination address of the tunnel interface Tunnel0 as the IP address of interface GigabitEthernet 0/2 on Firewall B.
[FirewallA-Tunnel0] destination 2001::2:1
[FirewallA-Tunnel0] quit
# Configure a static route from Firewall A through the tunnel interface Tunnel0 to Group 2.
[FirewallA] ip route-static 10.1.3.0 255.255.255.0 tunnel 0
2. Configure Firewall B:
system-view
# Enable IPv6.
[FirewallB] ipv6
# Configure an IPv4 address for interface GigabitEthernet 0/1.
Checksumming of GRE packets disabled
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last clearing of counters: Never
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
10 packets input, 840 bytes
0 input error
10 packets output, 840 bytes
0 output error
[FirewallB] display interface Tunnel 0
Tunnel0 curre
Troubleshooting GRE
The key to configuring GRE is to keep the configurations consistent. Most faults can be located by using the debugging gre or debugging tunnel command. This section analyzes one type of fault for illustration, with the scenario shown in Figure 16.
Figure 16 Network diagram (Firewall A and Firewall C connected by a GRE tunnel over IP networks, with Firewall B in the transit network; Host A behind Firewall A, Host B behind Firewall C)
Configuring a point-to-multipoint GRE tunnel
The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules.
Overview
Figure 17 P2MP GRE tunnel application scenario
A traditional GRE tunnel is a point-to-point connection. To use traditional GRE tunnels on an enterprise network as shown in Figure 17, you need to configure a P2P GRE tunnel between the headquarters and each branch.
Figure 18 Learning tunnel destination addresses dynamically (headquarters Device A, 11.1.1.1/24, and branch Device B, 11.1.1.2/24, connected by a GRE tunnel over an IPv4 network; Tunnel0 10.3.1.1/24 and 10.3.1.2/24; Host A 10.2.1.2/24, Host B 10.1.1.2/24; Device A learns the tunnel entry Dest 10.1.1.0/24, Tun Dest 11.1.1.2)
Different from a P2P GRE tunnel, a P2MP GRE tunnel does not require manual configuration of the tunnel destination addresses but learns them from GRE tunnel packets received from peers.
GRE tunnel backup at a branch
Figure 19 Backing up a GRE tunnel at a branch
As shown in Figure 19, for higher network reliability, a branch can use multiple gateway devices so that a GRE tunnel is established between the headquarters and each gateway of the branch for GRE tunnel backup. When creating a GRE tunnel on a gateway of the branch, you can configure the GRE key. The headquarters device will read the GRE key from the GRE packet and record the GRE key value in the corresponding tunnel entry.
As shown in Figure 20, for higher network reliability, you can deploy multiple gateways at the headquarters and specify one or more backup interfaces for the main tunnel interface on the main gateway (for example, Tunnel 1), to implement headquarters node backup and GRE tunnel backup. If the link between the main gateway and the branch gateway goes down, the main tunnel interface will soon lose the matching tunnel entry for forwarding packets to the branch.
Configuring a P2MP GRE tunnel in the Web interface
Configuration prerequisites
Before configuring a P2MP GRE tunnel, configure an IP address for the interface (such as a VLAN interface, an Ethernet interface, or a Loopback interface) to be used as the source interface of the tunnel interface.
Recommended configuration procedure
Task 1. Configuring a P2MP GRE tunnel interface (Required). Create a P2MP GRE tunnel interface and configure the related parameters (Required).
Figure 21 P2MP GRE tunnel interface management page
2. Click Add to add a P2MP GRE tunnel interface.
Figure 22 Adding a P2MP GRE tunnel interface
3. Configure the P2MP GRE tunnel interface as described in Table 2.
4. Click Apply.
Table 2 Configuration items
Item / Description
Tunnel Interface: Specify the number of the tunnel interface.
Specify the IP address and subnet mask of the tunnel interface.
Branch Network Mask: Configure the mask of the private network addresses of the branch to be used in tunnel entries. After you configure a mask, a device at the headquarters will establish only one tunnel entry for all private IP addresses that belong to the same network segment. This is to reduce the number of tunnel entries on the device.
Table 3 Field description
Field / Description
Tunnel Interface: Name of the tunnel interface.
Tunnel Dest Address: IP address of the tunnel destination.
Branch Network Address/Mask: IP address and mask of the branch network.
GRE Key: GRE key of the tunnel, used to identify the priority of the tunnel entry. If the tunnel peer device is not configured with a GRE key, nothing will be displayed for this field.
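The tunnel-entry learning described in the P2MP overview, the Branch Network Mask aggregation, entry aging and the fall-back to a backup tunnel interface, modelled as an added Python example that is not the firewall's own code. The ordering of GRE key values that decides priority between two branch gateways is not stated on this page, so the model leaves it to a caller-supplied policy; all addresses and timings in the walk-through are constructed.

```python
"""P2MP GRE tunnel-entry table: learn, aggregate by branch mask, age out.

Added example, not code from the HP guide. Entries are learned from received
GRE packets (inner source network -> outer source address, GRE key), one entry
per branch network segment, removed after the aging time; a packet with no
matching entry leaves through the backup interface if one is configured.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Callable, Dict, List, Optional


@dataclass
class TunnelEntry:
    network: IPv4Network       # Dest Addr / Mask (branch private network)
    tunnel_dest: IPv4Address   # Tunnel Dest Addr (outer source of the learned packet)
    gre_key: Optional[int]     # Gre Key, empty when the peer sends none
    last_seen: float           # time of the last packet that refreshed the entry


class P2mpTunnelTable:
    def __init__(self, branch_mask_len: int, aging_time: float,
                 backup_interface: Optional[str] = None,
                 prefer_new: Callable[[Optional[int], Optional[int]], bool]
                 = lambda new_key, old_key: False):
        self.branch_mask_len = branch_mask_len
        self.aging_time = aging_time
        self.backup_interface = backup_interface
        # Policy hook: may a packet from a different peer replace a live entry?
        # The guide does not state the key ordering, so the default keeps the
        # existing entry until it ages out (assumption of this example).
        self.prefer_new = prefer_new
        self.entries: Dict[IPv4Network, TunnelEntry] = {}

    def _segment(self, host: str) -> IPv4Network:
        """Branch Network Mask: hosts in one segment share one tunnel entry."""
        return IPv4Network("%s/%d" % (host, self.branch_mask_len), strict=False)

    def learn(self, inner_src: str, outer_src: str, gre_key: Optional[int],
              now: float) -> bool:
        """Process a de-encapsulated GRE packet; True if an entry was (re)installed."""
        self.expire(now)
        net = self._segment(inner_src)
        peer = ip_address(outer_src)
        current = self.entries.get(net)
        if (current is None or current.tunnel_dest == peer
                or self.prefer_new(gre_key, current.gre_key)):
            self.entries[net] = TunnelEntry(net, peer, gre_key, now)
            return True
        return False

    def expire(self, now: float) -> List[IPv4Network]:
        """Remove entries not refreshed within the aging time; return them."""
        stale = [n for n, e in self.entries.items()
                 if now - e.last_seen >= self.aging_time]
        for n in stale:
            del self.entries[n]
        return stale

    def forward(self, inner_dst: str, now: float) -> str:
        """Decide how a packet to a branch host leaves the P2MP interface."""
        self.expire(now)
        entry = self.entries.get(self._segment(inner_dst))
        if entry is not None:
            return "gre to %s" % entry.tunnel_dest
        if self.backup_interface:
            return "via backup %s" % self.backup_interface
        return "drop: no tunnel entry"

    def display(self) -> List[str]:
        """Rows shaped like the output of display gre p2mp tunnel-table."""
        rows = ["Dest Addr        Mask             Tunnel Dest Addr  Gre Key"]
        for e in sorted(self.entries.values(),
                        key=lambda e: int(e.network.network_address)):
            key = "" if e.gre_key is None else str(e.gre_key)
            rows.append("%-16s %-16s %-17s %s" % (e.network.network_address,
                                                 e.network.netmask, e.tunnel_dest, key))
        return rows


if __name__ == "__main__":
    # Constructed walk-through: 24-bit branch mask, 10 s aging time, Tunnel1 as
    # the backup interface on the headquarters device.
    table = P2mpTunnelTable(branch_mask_len=24, aging_time=10, backup_interface="Tunnel1")
    print(table.forward("192.168.12.10", now=0.0))        # via backup Tunnel1 (nothing learned)
    table.learn("192.168.12.10", "11.1.1.3", None, now=1.0)
    print(table.forward("192.168.12.20", now=2.0))        # gre to 11.1.1.3 (same /24 segment)
    print("\n".join(table.display()))
    print(table.forward("192.168.12.20", now=12.0))       # via backup Tunnel1 (entry aged out)
```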
a. Select VPN > GRE > P2MP from the navigation tree. b. Click Add. c. Enter 0 in the Tunnel Interface field, and enter IP address/mask 192.168.22.1/24. d. Select Management from the Zone list. (Select a security zone according to your network configuration.) e. Select GigabitEthernet0/1 as the tunnel source interface. f. Enter 24 as the branch network address mask, and 10 as the tunnel entry aging time. g. Click Apply. Figure 25 Adding a P2MP GRE tunnel interface 3.
Configuring Firewall B 1. Configure an IPv4 address for each interface and assign the interfaces to security zones. (Details not shown.) 2. Create a GRE over IPv4 tunnel interface: a. Select VPN > GRE > GRE from the navigation tree. b. Click Add. c. Enter 0 in the Tunnel Interface field. d. Enter IP address/mask 192.168.22.2/24. e. Select Management from the Zone list. (Select a security zone according to your network configuration.) f. Select the tunnel source interface GigabitEthernet 0/1. g.
Figure 28 Adding a static route from Firewall B through interface Tunnel0 to the headquarters node Verifying the configuration 1. On Firewall A, select VPN > GRE > P2MP from the navigation tree, and then click the Tunnel List tab to view the tunnel entries. There should be no tunnel entry. 2. Ping Host A from Host B. The ping operation succeeds. 3. On Firewall A, click Refresh under the tunnel entry list. The P2MP GRE tunnel entry should have been installed.
GRE tunnel interface. Thus, when Firewall A cannot find the corresponding tunnel entry for a packet, it delivers the packet to Firewall B, which then forwards the packet to Firewall C. To avoid looping, do not configure the tunnel interface of the GRE over IPv4 tunnel as the backup interface of the P2MP GRE tunnel interface on Firewall B.
Figure 31 Adding a GRE over IPv4 tunnel interface (Tunnel 1) 3. Create a P2MP GRE tunnel interface, with the tunnel interface number being 0: a. Select VPN > GRE > P2MP from the navigation tree. b. Click Add. c. Enter 0 in the Tunnel Interface field, and enter IP address/mask 172.168.1.1/24. d. Select Management from the Zone list. (Select a security zone according to your network configuration.) e. Enter 11.1.1.
4. Configure a static route from Firewall A through interface Tunnel0 to the branch network: a. Select Network > Routing Management > Static Routing from the navigation tree. b. Click Add. c. Enter 192.168.12.0 as the destination IP address. d. Select mask 255.255.255.0. e. Select Tunnel0 as the outbound interface. f. Click Apply. Figure 33 Adding a static route from Firewall A through interface Tunnel0 to the branch network Configuring Firewall B 1.
Figure 34 Adding a P2MP GRE tunnel interface (Tunnel0) 3. Create a GRE over IPv4 tunnel interface, with the tunnel interface number being 1: a. Select VPN > GRE > GRE from the navigation tree. b. Click Add. c. Enter 1 in the Tunnel Interface field. d. Enter IP address/mask 192.168.22.2/24. e. Select Management from the Zone list. (Select a security zone according to your network configuration.) f. Enter the tunnel source IP address 10.1.1.2 and the tunnel destination IP address 10.1.1.1. g. Click Apply.
a. Select Network > Routing Management > Static Routing from the navigation tree. b. Click Add. c. Enter 192.168.12.0 as the destination IP address. d. Select mask 255.255.255.0. e. Select Tunnel0 as the outbound interface. f. Click Apply. Figure 36 Adding a static route from Firewall B through interface Tunnel0 to the branch network Configuring Firewall C 1. Configure an IPv4 address for each interface and assign the interfaces to security zones. (Details not shown.) 2.
Figure 37 Adding a GRE over IPv4 tunnel interface (Tunnel0) 3. Create a GRE over IPv4 tunnel interface, with the tunnel interface number being 1: a. Select VPN > GRE > GRE from the navigation tree. b. Click Add. c. Enter 1 in the Tunnel Interface field. d. Enter IP address/mask 172.168.2.3/24. e. Select Management from the Zone list. (Select a security zone according to your network configuration.) f. Enter the tunnel source IP address 11.1.1.3 and the tunnel destination IP address 11.1.1.2. g.
Figure 38 Adding a GRE over IPv4 tunnel interface (Tunnel1) 4. Configure a static route from Firewall C through interface Tunnel0 to the headquarters node, with the routing priority being 1: a. Select Network > Routing Management > Static Routing from the navigation tree. b. Click Add. c. Enter 192.168.11.0 as the destination IP address. d. Select mask 255.255.255.0. e. Select Tunnel0 as the outbound interface. f. Enter priority 1. g. Click Apply.
This makes the priority of this route lower than that of the static route of interface Tunnel0, making sure Firewall C prefers the tunnel between Firewall A and Firewall C for packet forwarding. a. On the static route management page, click Add. b. Enter 192.168.11.0 as the destination IP address. c. Select mask 255.255.255.0. d. Select Tunnel1 as the outbound interface. e. Enter priority 10. f. Click Apply.
Figure 41 Verifying the configuration result on Firewall A 4. Cut off the tunnel link between Firewall A and Firewall C: a. On Firewall C, select Device Management > Interface from the navigation tree and then click the icon of interface Tunnel0. b. Click the Disable button to shut down interface Tunnel0. 5. After the tunnel aging time (10 seconds in this example) elapses, refresh and view the tunnel entry information on Firewall A. There should be no tunnel entry any more. 6. Ping Host A from Host C.
and the other for connecting Firewall C. Firewall A decides which GRE tunnel to use to send packets to the hosts on the branch network. To meet the previous requirements, you need to configure different GRE keys for the GRE tunnels on Firewall B and Firewall C, so that Firewall A can choose a tunnel according to the GRE key values. In this example, the GRE tunnel between Firewall A and Firewall B has a higher priority.
Figure 44 Adding a P2MP GRE tunnel interface 3. Configure a static route from Firewall A through interface Tunnel0 to the branch network: a. Select Network > Routing Management > Static Routing from the navigation tree. b. Click Add. c. Enter 192.168.1.0 as the destination IP address. d. Select mask 255.255.255.0. e. Select Tunnel0 as the outbound interface. f. Click Apply. Figure 45 Adding a static route from Firewall A through interface Tunnel0 to the branch network Configuring Firewall B 1.
d. Enter IP address/mask 192.168.22.2/24. e. Select Management from the Zone list. (Select a security zone according to your network configuration.) f. Enter the tunnel source IP address 11.1.1.2, the tunnel destination IP address 11.1.1.1, and the GRE key 1. g. Click Apply. Figure 46 Adding a GRE over IPv4 tunnel interface 3. Configure a static route from Firewall B through interface Tunnel0 to the headquarters node: a. Select Network > Routing Management > Static Routing from the navigation tree. b.
Figure 47 Adding a static route from Firewall B through interface Tunnel0 to the headquarters node Configuring Firewall C 1. Configure an IPv4 address for each interface and assign the interfaces to security zones. (Details not shown.) 2. Create a GRE over IPv4 tunnel interface: a. Select VPN > GRE > GRE from the navigation tree. b. Click Add. c. Enter 0 in the Tunnel Interface field. d. Enter IP address/mask 192.168.22.3/24. e. Select Management from the Zone list.
Figure 48 Adding a GRE over IPv4 tunnel interface 3. Configure a static route from Firewall C through interface Tunnel0 to the headquarters node: a. Select Network > Routing Management > Static Routing from the navigation tree. b. Click Add. c. Enter 172.17.17.0 as the destination IP address. d. Select mask 255.255.255.0. e. Select Tunnel0 as the outbound interface. f. Click Apply.
3. On Firewall A, select VPN > GRE > P2MP from the navigation tree and then click the Tunnel List tab. You can see information about the P2MP GRE tunnels established on Firewall A. Figure 50 Verifying the configuration result on Firewall A (1) 4. On Host B, specify Firewall B as the default gateway. 5. Ping Host A from Host B. The ping operation succeeds. 6. Click the Refresh button under the tunnel list of Firewall A. You can see that another P2MP tunnel entry is generated on Firewall A.
Figure 52 Verifying the configuration result on Firewall A (3)
Configuring a P2MP GRE tunnel at the CLI
Configuring a P2MP GRE tunnel
Follow these guidelines when you configure a P2MP GRE tunnel:
• Two or more P2MP GRE tunnel interfaces cannot share the same source address.
• If you specify a source interface for a P2MP GRE tunnel interface, the tunnel interface takes the primary IP address of the source interface as its source address.
Step / Command / Remarks
2. Create a tunnel interface and enter tunnel interface view. Command: interface tunnel interface-number. Remarks: By default, a device has no tunnel interface.
3. Configure an IPv4 address for the tunnel interface. Command: ip address ip-address { mask | mask-length }. Remarks: By default, a tunnel interface has no IPv4 address.
4. Set the tunnel mode to P2MP GRE. Remarks: The default tunnel mode is GRE over IPv4.
Displaying and maintaining P2MP GRE tunnels
Task / Command / Remarks
Display the tunnel entry information of a P2MP GRE tunnel interface. Command: display gre p2mp tunnel-table interface tunnel number [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Clear the tunnel entry information of a P2MP GRE tunnel interface. Command: reset gre p2mp tunnel-table [ interface tunnel number [ dest-address tunnel-dest-address ] ]. Remarks: Available in user view.
[FirewallA-GigabitEthernet0/1] ip address 11.1.1.1 255.255.255.0
[FirewallA-GigabitEthernet0/1] quit
# Configure an IP address for interface GigabitEthernet 0/2.
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] ip address 192.168.11.1 255.255.255.0
[FirewallA-GigabitEthernet0/2] quit
# Create a tunnel interface named Tunnel0 and configure an IP address for it.
[FirewallA] interface tunnel 0
[FirewallA-Tunnel0] ip address 192.168.22.1 255.255.255.
# Display the tunnel entry information on Firewall A. The output shows that no tunnel entry exists.
[FirewallA] display gre p2mp tunnel-table interface tunnel 0
Dest Addr Mask Tunnel Dest Addr Gre Key
# Ping Host A from Host B. The operation succeeds.
# View tunnel entry information on Firewall A again.
Figure 54 Network diagram (headquarters Firewall A with backup gateway Firewall B, branch gateway Firewall C; GRE P2MP tunnel on Tunnel0, GRE over IPv4 tunnel on Tunnel1; Host A, Host B, Host C)
Device / Interface / IP Address
Firewall A: GE0/1 11.1.1.1/24; GE0/2 10.1.1.1/24; GE0/3 192.168.11.1/24
Firewall B: GE0/1 11.1.1.2/24; GE0/2 10.1.1.2/24; GE0/3 192.168.11.
# Set the tunnel entry aging time to 20 seconds.
[FirewallA-Tunnel0] gre p2mp aging-time 20
# Configure the source IP address of the tunnel interface Tunnel0.
[FirewallA-Tunnel0] source 11.1.1.1
# Configure the tunnel interface Tunnel1 as the backup interface of the tunnel interface Tunnel0.
[FirewallA-Tunnel0] gre p2mp backup-interface tunnel 1
[FirewallA-Tunnel0] quit
# Configure a static route to the branch network with the outgoing interface being the tunnel interface Tunnel0.
[FirewallC-Tunnel0] destination 11.1.1.1
[FirewallC-Tunnel0] quit
# Configure a static route to the headquarters network with the outgoing interface being the tunnel interface Tunnel0 and priority value being 1.
[FirewallC] ip route-static 192.168.11.0 255.255.255.0 tunnel 0 preference 1
# Create a tunnel interface named Tunnel1 and configure an IP address for it.
[FirewallC] interface tunnel 1
[FirewallC-Tunnel1] ip address 172.168.2.3 255.255.255.
Dest Addr Mask Tunnel Dest Addr Gre Key
# Ping Host A from Host C. View tunnel entries on Firewall B:
[FirewallB] display gre p2mp tunnel-table interface tunnel 0
Dest Addr Mask Tunnel Dest Addr Gre Key
192.168.12.0 255.255.255.0 11.1.1.3
Then, Host A can ping Host C.
The verification process shows that:
• After the link between Firewall A and Firewall C went down, the tunnel entry aging timer started to work. After the timer expired, the tunnel entry on Firewall A was removed.
Figure 55 Network diagram
Device / Interface / IP Address
Firewall A: GE0/1 11.1.1.1/24; GE0/2 172.17.17.1/24; Tunnel0 192.168.22.1/24
Firewall B: GE0/1 11.1.1.2/24; GE0/2 192.168.1.2/24; Tunnel0 192.168.22.2/24
Firewall C: GE0/1 11.1.1.3/24; GE0/2 192.168.1.3/24; Tunnel0 192.168.22.3/24
Configuration procedure
1. Configure IP addresses and masks for interfaces according to Figure 55. (Details not shown.)
2.
[FirewallB-Tunnel0] tunnel-protocol gre
# Configure the source and destination IP addresses of the tunnel interface Tunnel0.
[FirewallB-Tunnel0] source 11.1.1.2
[FirewallB-Tunnel0] destination 11.1.1.1
# Set the GRE key of the tunnel interface Tunnel0 to 1.
[FirewallB-Tunnel0] gre key 1
[FirewallB-Tunnel0] quit
# Configure a static route to the headquarters network with the outgoing interface being the tunnel interface Tunnel0.
[FirewallB] ip route-static 172.17.17.0 255.255.255.0 tunnel 0
4.
# On Host B, specify Firewall C as the default gateway. After the tunnel entry corresponding to Firewall B ages out, ping Host A from Host B. The ping operation succeeds. View tunnel entries on Firewall A:
[FirewallA] display gre p2mp tunnel-table interface tunnel 0
Dest Addr Mask Tunnel Dest Addr Gre Key
192.168.1.0 24 11.1.1.
Configuring tunneling
The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. Tunneling can be configured only at the CLI.
Overview
Tunneling is an encapsulation technology. One network protocol encapsulates packets of another network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source end and de-encapsulated at the tunnel destination end.
Figure 56 IPv6 over IPv4 tunnel
The IPv6 over IPv4 tunnel processes packets as follows:
1. A host in the IPv6 network sends an IPv6 packet to Device A at the tunnel source.
2. After determining according to the routing table that the packet needs to be forwarded through the tunnel, Device A encapsulates the IPv6 packet with an IPv4 header and forwards it through the physical interface of the tunnel.
Tunnel type / Tunnel mode / Tunnel source/destination address / Tunnel interface address type
1. Automatic tunnel:
• Automatic IPv4-compatible IPv6 tunneling. The source IPv4 address is manually configured. The destination IPv6 address is automatically obtained. Tunnel interface address type: IPv4-compatible IPv6 address, in the format of ::IPv4-source-address/96.
• 6to4 tunneling. The source IPv4 address is manually configured. The destination IPv4 address is automatically obtained.
As shown in Figure 57, 6to4 network Site 1 communicates with IPv6 network Site 3 over a 6to4 tunnel. A static route must be configured on the border router (Device A) in the 6to4 network and the next-hop address must be the 6to4 address of the 6to4 relay router (Device C). Device A forwards all packets destined for the IPv6 network over the 6to4 tunnel and Device C then forwards them to the IPv6 network.
Figure 57 Principle of 6to4 tunneling and 6to4 relay
4.
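How the tunnel destination IPv4 address is "automatically obtained" for the automatic tunnel modes described above, as an added Python example that is not from the guide: address layouts follow RFC 2893 (IPv4-compatible), RFC 3056 (6to4) and RFC 4214 (ISATAP), and the 6to4 relay case of Figure 57 resolves a native IPv6 destination through the relay's 6to4 address as next hop; all addresses are constructed samples.

```python
"""Tunnel destination derivation for automatic IPv6 over IPv4 tunnels.

Added example, not code from the HP guide. For automatic tunnels the source
IPv4 address is configured and the destination IPv4 address is derived from the
IPv6 destination: IPv4-compatible (RFC 2893, ::a.b.c.d), 6to4 (RFC 3056,
2002:WWXX:YYZZ::/48) and ISATAP (RFC 4214, prefix::0:5efe:a.b.c.d). A 6to4
border router reaches a native IPv6 destination through the 6to4 address of a
relay router, the static route next hop of Figure 57.
"""
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Optional

SIX_TO_FOUR = IPv6Network("2002::/16")
IPV4_COMPATIBLE = IPv6Network("::/96")
ISATAP_IID_TAG = 0x00005EFE   # upper 32 bits of an ISATAP interface ID (u bit clear)
IID_U_BIT = 0x02000000        # set in the interface ID when the IPv4 address is global


def ipv4_compatible_address(v4: str) -> IPv6Address:
    """::a.b.c.d, the tunnel interface address type of IPv4-compatible tunnels."""
    return IPv6Address(int(IPv4Address(v4)))


def six_to_four_prefix(v4: str) -> IPv6Network:
    """2002:WWXX:YYZZ::/48 derived from the site's public IPv4 address."""
    return IPv6Network(((0x2002 << 112) | (int(IPv4Address(v4)) << 80), 48))


def isatap_address(prefix: str, v4: str, global_v4: bool = False) -> IPv6Address:
    """prefix::0:5efe:a.b.c.d (or ::200:5efe:a.b.c.d for a global IPv4 address)."""
    iid = (ISATAP_IID_TAG << 32) | int(IPv4Address(v4))
    if global_v4:
        iid |= IID_U_BIT << 32
    return IPv6Address(int(IPv6Network(prefix).network_address) | iid)


def tunnel_destination(mode: str, ipv6_dst: str,
                       relay_next_hop: Optional[str] = None) -> IPv4Address:
    """Return the IPv4 destination of the encapsulating header, or raise ValueError."""
    dst = IPv6Address(ipv6_dst)
    if mode == "ipv4-compatible":
        if dst not in IPV4_COMPATIBLE:
            raise ValueError("%s is not an IPv4-compatible IPv6 address" % dst)
        return IPv4Address(int(dst) & 0xFFFFFFFF)
    if mode == "6to4":
        if dst not in SIX_TO_FOUR:
            # Native IPv6 destination: send over the tunnel to the 6to4 relay, whose
            # 6to4 address is the static route's next hop (Device C in Figure 57).
            if relay_next_hop is None:
                raise ValueError("no route to %s: a 6to4 relay next hop is required" % dst)
            dst = IPv6Address(relay_next_hop)
            if dst not in SIX_TO_FOUR:
                raise ValueError("relay next hop %s is not a 6to4 address" % dst)
        return IPv4Address((int(dst) >> 80) & 0xFFFFFFFF)
    if mode == "isatap":
        iid_high = (int(dst) >> 32) & 0xFFFFFFFF
        if (iid_high & ~IID_U_BIT & 0xFFFFFFFF) != ISATAP_IID_TAG:
            raise ValueError("%s does not carry an ISATAP interface ID" % dst)
        return IPv4Address(int(dst) & 0xFFFFFFFF)
    raise ValueError("unknown automatic tunnel mode %r" % mode)


if __name__ == "__main__":
    # Constructed addresses: 6to4 border router at 2.2.2.2, 6to4 relay at 3.3.3.3.
    print(six_to_four_prefix("2.2.2.2"))                                    # 2002:202:202::/48
    print(tunnel_destination("6to4", "2002:202:202:1::10"))                 # 2.2.2.2
    print(tunnel_destination("6to4", "2001:db8:1::1",
                             relay_next_hop="2002:303:303::1"))             # 3.3.3.3
    print(tunnel_destination("ipv4-compatible",
                             str(ipv4_compatible_address("1.1.1.1"))))      # 1.1.1.1
    print(tunnel_destination("isatap",
                             str(isatap_address("2001:db8::/64", "10.1.1.1"))))  # 10.1.1.1
```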
Figure 59 Principle of IPv4 over IPv4 tunneling
Packets traveling through a tunnel undergo encapsulation and de-encapsulation, as shown in Figure 59.
• Encapsulation:
a. Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack.
b. The IP protocol stack determines how to forward the packet according to the destination address in the IP header. If the packet is destined for the IPv4 host connected to Device B, Device A delivers the packet to the tunnel interface.
c.
The encapsulation and de-encapsulation processes illustrated in Figure 60 are described as follows: • Encapsulation: a. Upon receiving an IPv4 packet, Device A delivers it to the IPv4 protocol stack. b. The IPv4 protocol stack uses the destination address of the packet to determine the output interface. If the output interface is the tunnel interface, the IPv4 protocol stack delivers the packet to the tunnel interface. c.
{ Customer Premises Equipment (CPE) Resides at the customer's premises, connects the customer's network to an Internet Service Provider (ISP) network, and typically serves as the gateway of the customer's network. As a tunnel end, the CPE encapsulates IPv4 packets of the customer's network into IPv6 packets and sends them to the other end of the tunnel, and de-encapsulates IPv6 packets into IPv4 packets and sends them to the customer's network. Some hosts can serve as the CPE.
{ The AFTR performs NAT. When a host serves as the CPE, the process is similar and therefore is not shown. NAT supports both basic address translation between private and public addresses and Network Address Port Translation (NAPT), which translates both IP address (private or public) and port number. Figure 62 shows an example of NAPT. For more information about NAT, see NAT and ALG Configuration Guide.
Protocols and standards
• RFC 1853, IP in IP Tunneling
• RFC 2473, Generic Packet Tunneling in IPv6 Specification
• RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers
• RFC 3056, Connection of IPv6 Domains via IPv4 Clouds
• RFC 4214, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
Tunneling configuration task list
Task / Remarks
Configuring a tunnel interface: N/A
Configuring an IPv6 manual tunnel
Configuring an IPv6 over IPv4 tunnel
Configuring an automatic IPv4-compatible IPv6
Step / Command / Remarks
1. Enter system view. system-view. N/A
2. Create a tunnel interface and enter its view. interface tunnel number. By default, no tunnel interface is created.
3. Configure a description for the interface. description text. Optional. By default, the description of a tunnel interface is Tunnel number Interface.
4. Set the MTU of the tunnel interface. Optional. • Set the MTU for IPv4 packets
Configuration procedure
To configure an IPv6 manual tunnel:
Step / Command / Remarks
1. Enter system view. system-view. N/A
2. Enable IPv6. ipv6. By default, the IPv6 packet forwarding function is disabled.
3. Enter tunnel interface view. interface tunnel number. N/A
4. Configure an IPv6 address for the tunnel interface. • Configure a global unicast IPv6 address or a site-local address: { (The link-local IPv6 address configuration is optional.)
Figure 64 Network diagram
Configuration procedure
Make sure Firewall A and Firewall B can reach each other through IPv4.
• Configure Firewall A:
# Enable IPv6.
system-view
[FirewallA] ipv6
# Configure an IPv4 address for GigabitEthernet 0/2.
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] ip address 192.168.100.1 255.255.255.0
[FirewallA-GigabitEthernet0/2] quit
# Configure an IPv6 address for GigabitEthernet 0/1.
[FirewallB] interface tunnel 0
[FirewallB-Tunnel0] ipv6 address 3001::2/64
[FirewallB-Tunnel0] source gigabitethernet 0/2
[FirewallB-Tunnel0] destination 192.168.100.1
[FirewallB-Tunnel0] tunnel-protocol ipv6-ipv4
[FirewallB-Tunnel0] quit
# Configure a static route to IPv6 Group 1 through Tunnel 0 on Firewall B.
[FirewallB] ipv6 route-static 3002:: 64 tunnel 0
Verifying the configuration
# Display the status of the tunnel interfaces on Firewall A and Firewall B.
... # Ping the IPv6 address of GigabitEthernet 0/1 at the peer end from Firewall A.
Step / Command / Remarks
2. Enable the IPv6 packet forwarding function. ipv6. By default, the IPv6 packet forwarding function is disabled.
3. Enter tunnel interface view. interface tunnel number. N/A
4. Configure an IPv6 address for the tunnel interface. • Configure an IPv6 global unicast address or a site-local address: { ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } { ipv6 address ipv6-address/prefix-length eui-64 • Configure an IPv6 link-local address: { {
5.
6.
# Configure an IPv4 address for GigabitEthernet 0/1.
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ip address 192.168.100.1 255.255.255.0
[FirewallA-GigabitEthernet0/1] quit
# Configure an automatic IPv4-compatible IPv6 tunnel.
[FirewallA] interface tunnel 0
[FirewallA-Tunnel0] ipv6 address ::192.168.100.1/96
[FirewallA-Tunnel0] source gigabitethernet 0/1
[FirewallA-Tunnel0] tunnel-protocol ipv6-ipv4 auto-tunnel
• Configure Firewall B:
# Enable IPv6.
Global unicast address(es): ::192.168.50.1, subnet is ::/96
Joined group address(es):
  FF02::1:FFA8:3201
  FF02::1:FF00:0
  FF02::2
  FF02::1
MTU is 1480 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
  InReceives: 65
...
# Ping the IPv4-compatible IPv6 address at the peer end from Firewall A.
[FirewallA-Tunnel0] ping ipv6 ::192.168.50.1
PING ::192.168.50.
• Because automatic tunnels do not support dynamic routing, you must configure a static route destined for the destination IPv6 network at each tunnel end. You can specify the local tunnel interface as the output interface of the route or specify the IPv6 address of the peer tunnel interface as the next hop of the route. For the detailed configuration, see Network Management Configuration Guide. • The automatic tunnel interfaces using the same encapsulation protocol cannot use the same source IP address.
6to4 tunnel configuration example Network requirements As shown in Figure 66, configure a 6to4 tunnel between 6to4 firewalls Firewall A and Firewall B to make Host A and Host B reachable to each other. Figure 66 Network diagram Configuration considerations To enable communication between 6to4 networks, configure 6to4 addresses for 6to4 firewalls and hosts in the 6to4 networks. • The IPv4 address of GigabitEthernet 0/2 on Firewall A is 2.1.1.1/24, and the corresponding 6to4 prefix is 2002:0201:0101::/48.
[FirewallA-Tunnel0] ipv6 address 2002:201:101::1/64
[FirewallA-Tunnel0] source gigabitethernet 0/2
[FirewallA-Tunnel0] tunnel-protocol ipv6-ipv4 6to4
[FirewallA-Tunnel0] quit
# Configure a static route whose destination address is 2002::/16 and next hop is the tunnel interface.
[FirewallA] ipv6 route-static 2002:: 16 tunnel 0
• Configure Firewall B:
# Enable IPv6.
system-view
[FirewallB] ipv6
# Configure an IPv6 address for GigabitEthernet 0/2.
6to4 relay configuration example Network requirements As shown in Figure 67, Firewall A is a 6to4 firewall, and 6to4 addresses are used on the connected IPv6 network. Firewall B serves as a 6to4 relay firewall and is connected to an IPv6 network (2001::/16). Configure a 6to4 tunnel between Firewall A and Firewall B to make Host A and Host B reachable to each other. Figure 67 Network diagram (6to4 firewall Firewall A, GE0/2 2.1.1.1/24; IPv4 network; GE0/2 6.1.1.
# Configure the default route to the IPv6-only network.
[FirewallA] ipv6 route-static :: 0 2002:0601:0101::1
• Configure Firewall B:
# Enable IPv6.
system-view
[FirewallB] ipv6
# Configure an IPv4 address for GigabitEthernet 0/2.
[FirewallB] interface gigabitethernet 0/2
[FirewallB-GigabitEthernet0/2] ip address 6.1.1.1 255.255.255.0
[FirewallB-GigabitEthernet0/2] quit
# Configure an IPv6 address for GigabitEthernet 0/1.
Configuring an ISATAP tunnel Configuration prerequisites Configure an IP address for the interface (such as a VLAN interface, Ethernet interface, or loopback interface) to be configured as the source interface of the tunnel interface. Configuration guidelines Follow these guidelines when you configure an ISATAP tunnel: • No destination address needs to be configured for an ISATAP tunnel because the destination IPv4 address is embedded in the ISATAP address.
Step / Command / Remarks
5. Specify the ISATAP tunnel mode. tunnel-protocol ipv6-ipv4 isatap. The default tunnel mode is GRE over IPv4 mode. The same tunnel mode should be configured at both ends of the tunnel. Otherwise, packet delivery fails.
6. Configure a source address or interface for the tunnel. source { ip-address | interface-type interface-number }. By default, no source address or interface is configured for the tunnel.
7. Return to system view. quit. N/A
8.
[Firewall-Tunnel0] ipv6 address 2001::5efe:0101:0101 64
[Firewall-Tunnel0] source gigabitethernet 0/1
[Firewall-Tunnel0] tunnel-protocol ipv6-ipv4 isatap
# Disable RA suppression so that the ISATAP host can acquire information such as the address prefix from the RA message advertised by the ISATAP firewall.
[Firewall-Tunnel0] undo ipv6 nd ra halt
[Firewall-Tunnel0] quit
# Configure a static route to the ISATAP host.
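The three automatic tunnel modes above (IPv4-compatible, 6to4 and ISATAP) all embed an IPv4 address in the IPv6 address, which is how the tunnel destination is "automatically obtained" and why only the source needs configuring. The following added example, which is not part of this guide and not HP code, derives those addresses and recovers the tunnel destination with Python's standard ipaddress module, using the addresses from the configuration examples (2.1.1.1, 6.1.1.1, 1.1.1.1, 2.1.1.2, 192.168.100.1); the is_ipv4_compatible() check mirrors what the tunnel discard ipv4-compatible-packet setting filters.

```python
"""Address derivation for the automatic tunnel modes in this chapter.

Added example, not HP firewall code. Sample values come from the guide's
configuration examples; the function names are this example's own.
"""
import ipaddress


def six_to_four_prefix(ipv4: str) -> str:
    """6to4 site prefix 2002:WWXX:YYZZ::/48 from the site's IPv4 address (RFC 3056)."""
    a = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Network(f"2002:{a >> 16:04x}:{a & 0xFFFF:04x}::/48"))


def six_to_four_address(ipv4: str, subnet_id: int = 0, iid: int = 1) -> str:
    """Host address inside the 6to4 prefix, e.g. the relay's 2002:0601:0101::1 for 6.1.1.1."""
    a = int(ipaddress.IPv4Address(ipv4))
    value = (0x2002 << 112) | (a << 80) | (subnet_id << 64) | iid
    return str(ipaddress.IPv6Address(value))


def isatap_address(prefix: str, ipv4: str, global_ipv4: bool = False) -> str:
    """ISATAP address: 64-bit prefix + interface ID 0000:5EFE:w.x.y.z (RFC 4214).

    The guide's examples use the 0000:5EFE form; RFC 4214 sets the u/l bit
    (0200:5EFE:...) when the embedded IPv4 address is globally unique.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    a = int(ipaddress.IPv4Address(ipv4))
    iid = (0x0200 << 48 if global_ipv4 else 0) | (0x5EFE << 32) | a
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def ipv4_compatible_address(ipv4: str) -> str:
    """IPv4-compatible IPv6 address ::w.x.y.z used by the automatic IPv4-compatible tunnel."""
    return str(ipaddress.IPv6Address(int(ipaddress.IPv4Address(ipv4))))


def is_ipv4_compatible(ipv6: str) -> bool:
    """True when the upper 96 bits are zero (excluding :: and ::1); ::ffff:w.x.y.z is not."""
    v = int(ipaddress.IPv6Address(ipv6))
    return (v >> 32) == 0 and v > 1


def tunnel_destination(ipv6_dst: str, mode: str) -> str:
    """IPv4 destination an automatic tunnel derives from the IPv6 destination.

    6to4 takes bits 17-48 of the 2002::/16 address; ISATAP and the
    IPv4-compatible auto-tunnel take the low 32 bits.
    """
    v = int(ipaddress.IPv6Address(ipv6_dst))
    if mode == "6to4":
        if (v >> 112) != 0x2002:
            raise ValueError("not a 2002::/16 (6to4) address")
        embedded = (v >> 80) & 0xFFFFFFFF
    elif mode == "isatap":
        if ((v >> 32) & 0xFFFFFFFF) not in (0x00005EFE, 0x02005EFE):
            raise ValueError("interface ID is not an ISATAP ID")
        embedded = v & 0xFFFFFFFF
    elif mode == "auto-tunnel":
        if not is_ipv4_compatible(ipv6_dst):
            raise ValueError("not an IPv4-compatible IPv6 address")
        embedded = v & 0xFFFFFFFF
    else:
        raise ValueError(f"unknown tunnel mode: {mode}")
    return str(ipaddress.IPv4Address(embedded))


if __name__ == "__main__":
    print(six_to_four_prefix("2.1.1.1"))                  # 2002:201:101::/48
    print(six_to_four_address("6.1.1.1"))                 # 2002:601:101::1
    print(isatap_address("2001::/64", "1.1.1.1"))         # 2001::5efe:101:101
    print(tunnel_destination("2001::5efe:201:102", "isatap"))   # 2.1.1.2
    print(tunnel_destination("::192.168.50.1", "auto-tunnel"))  # 192.168.50.1
```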
link MTU 1500 (true link MTU 65515)
current hop limit 255
reachable time 42500ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 0
default site prefix length 48
# The host acquires the address prefix 2001::/64 and has automatically generated the address 2001::5efe:2.1.1.2. The message "uses Router Discovery" indicates that the router discovery function is enabled on the host. Ping the IPv6 address of the tunnel interface of the firewall.
• The destination address of the route passing the tunnel interface must not be on the same subnet as the destination address configured on the tunnel interface. • Two or more local tunnel interfaces using the same encapsulation protocol must have different source and destination addresses. • If you specify a source interface instead of a source address for a tunnel interface, the source address of the tunnel is the primary IP address of the source interface.
• Configure Firewall A:
# Configure an IPv4 address for GigabitEthernet 0/1.
system-view
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ip address 10.1.1.1 255.255.255.0
[FirewallA-GigabitEthernet0/1] quit
# Configure an IPv4 address for GigabitEthernet 0/2, which is the physical interface of the tunnel.
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] ip address 2.1.1.1 255.255.255.
[FirewallB-Tunnel2] quit
# Configure a static route destined for the IP network Group 1 through interface Tunnel 2.
[FirewallB] ip route-static 10.1.1.0 255.255.255.0 tunnel 2
Verifying the configuration
# Display the status of the tunnel interfaces on Firewall A and Firewall B.
[FirewallA] display interface tunnel 1
Tunnel1 current state: UP
Line protocol current state: UP
Description: Tunnel1 Interface
The Maximum Transmit Unit is 64000
Internet Address is 10.1.2.
Reply from 10.1.3.1: bytes=56 Sequence=3 ttl=255 time=16 ms
Reply from 10.1.3.1: bytes=56 Sequence=4 ttl=255 time=16 ms
Reply from 10.1.3.1: bytes=56 Sequence=5 ttl=255 time=15 ms
--- 10.1.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
Step / Command / Remarks
5. Specify the IPv4 over IPv6 manual tunnel mode. tunnel-protocol ipv4-ipv6. The default tunnel mode is GRE over IPv4 mode. The same tunnel mode should be configured at both ends of the tunnel. Otherwise, packet delivery fails.
6. Configure the source address or interface for the tunnel interface. source { ipv6-address | interface-type interface-number }. By default, no source address or interface is configured for the tunnel.
7.
[FirewallA-Tunnel1] ip address 30.1.2.1 255.255.255.0
# Configure the tunnel encapsulation mode as IPv4 over IPv6.
[FirewallA-Tunnel1] tunnel-protocol ipv4-ipv6
# Specify the IP address of GigabitEthernet 0/2 as the source address for interface Tunnel 1.
[FirewallA-Tunnel1] source 2002::1:1
# Specify the IP address of GigabitEthernet 0/2 on Firewall B as the destination address for interface Tunnel 1.
Encapsulation is TUNNEL, service-loopback-group ID not set
Tunnel source 2002::0001:0001, destination 2002::0002:0001
Tunnel protocol/transport IP/IPv6
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
152 packets input, 9728 bytes
0 input error
168 packets output
Configuring a DS-Lite tunnel
The following matrix shows the feature and hardware compatibility:
Hardware / Compatibility
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
F5000-S/F5000-C: No
VPN firewall modules: Yes
20-Gbps VPN firewall modules: Yes
The following section describes the DS-Lite tunnel configuration on the CPE and on the AFTR.
Configuration prerequisites
Configure IPv6 addresses for interfaces (such as the VLAN interface, Ethernet interface, and loopback interface).
the address of the AFTR through DHCPv6 and uses the address as the destination address of the tunnel.
To configure the CPE of a DS-Lite tunnel:
Step / Command / Remarks
1. Enter system view. system-view. N/A
2. Enable IPv6. ipv6. Not enabled by default.
3. Enter tunnel interface view. interface tunnel number. N/A
4. Configure an IPv4 address for the tunnel interface. ip address ip-address { mask | mask-length } [ sub ]. By default, no IPv4 address is configured for the tunnel interface.
5.
Step / Command / Remarks
5. Specify the DS-Lite AFTR tunnel mode. tunnel-protocol ipv4-ipv6 dslite-aftr. The default tunnel mode is GRE over IPv4 mode. The tunnel mode at the other end of the tunnel should be DS-Lite CPE. Otherwise, packet delivery fails.
6. Configure the source address or interface for the tunnel interface. source { ipv6-address | interface-type interface-number }. By default, no source address or interface is configured for the tunnel.
# Configure an IPv6 address for interface GigabitEthernet 0/2, which is the physical interface of the tunnel.
[FirewallA] interface GigabitEthernet0/2
[FirewallA-GigabitEthernet0/2] ipv6 address 1::1 64
[FirewallA-GigabitEthernet0/2] quit
# Create interface Tunnel 1.
[FirewallA] interface tunnel 1
# Configure an IPv4 address for interface Tunnel 1.
[FirewallA-Tunnel1] ip address 30.1.2.1 255.255.255.0
# Specify the tunnel encapsulation mode as IPv4 over IPv6.
[FirewallB-GigabitEthernet0/2] quit
• Configure Firewall C (the DHCPv6 server):
# Enable IPv6.
system-view
[FirewallC] ipv6
# Enable DHCPv6.
[FirewallC] ipv6 dhcp server enable
# Create address pool 1 and specify the address of the AFTR as 1::2.
[FirewallC] ipv6 dhcp pool 1
[FirewallC-dhcp6-pool-1] ds-lite address 1::2
[FirewallC-dhcp6-pool-1] quit
# Configure the IPv6 address of interface GigabitEthernet 0/1.
Tunnel bandwidth 64 (kbps)
Tunnel protocol/transport IP/IPv6 dslite-aftr
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last clearing of counters: Never
Last 300 seconds input: 0 bytes/sec, 0 packets/sec
Last 300 seconds output: 0 bytes/sec, 0 packets/sec
65 packets input, 3900 bytes
0 input error
65 packets output, 3900 bytes
0 output error
# Ping the IPv4 h
• The IPv6 address of the tunnel interface cannot be on the same subnet as the destination address configured for the tunnel interface. • The destination address of the route passing the tunnel interface cannot be on the same subnet as the destination address configured for the tunnel interface. • Two or more tunnel interfaces using the same encapsulation protocol must have different source and destination addresses.
Step / Command / Remarks
9. Return to system view. quit. N/A
10. Enable dropping of IPv6 packets using IPv4-compatible IPv6 addresses. tunnel discard ipv4-compatible-packet. Optional. The default setting is disabled.
Configuration example
Network requirements
As shown in Figure 72, configure an IPv6 over IPv6 tunnel between Firewall A and Firewall B so the two IPv6 networks can reach each other without disclosing their IPv6 addresses.
[FirewallA-Tunnel1] source 2002::11:1
# Specify the IP address of GigabitEthernet 0/2 on Firewall B as the destination address for interface Tunnel 1.
[FirewallA-Tunnel1] destination 2002::22:1
[FirewallA-Tunnel1] quit
# Configure a static route destined for the IPv6 network Group 2 through interface Tunnel 1.
[FirewallA] ipv6 route-static 2002:3:: 64 tunnel 1
• Configure Firewall B:
# Enable IPv6.
system-view
[FirewallB] ipv6
# Configure an IPv6 address for GigabitEthernet 0/1.
  FF02::2
  FF02::1
MTU is 1460 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
...
Displaying and maintaining tunneling configuration
Task / Command / Remarks
Display information about tunnel interfaces. display interface [ tunnel ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]; display interface tunnel number [ brief ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
Display IPv6 information on tunnel interfaces.
Configuring IKE Overview Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration and maintenance of IPsec dramatically. Instead of transmitting keys directly across a network, IKE peers transmit keying materials between them, and calculate shared keys respectively.
2. Phase 2—Using the ISAKMP SA established in phase 1, the two peers negotiate to establish IPsec SAs. Figure 73 IKE exchange process in main mode As shown in Figure 73, the main mode of IKE negotiation in phase 1 involves three pairs of messages: • SA exchange—Used for negotiating the security policy. • Key exchange—Used for exchanging the DH public value and other values like the random number. Key data is generated in this stage.
Relationship between IKE and IPsec Figure 74 Relationship between IKE and IPsec Figure 74 illustrates the relationship between IKE and IPsec: • IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec. • IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec. • IPsec uses the SAs set up through IKE negotiation for encryption and authentication of IP packets.
Step Remarks Required when IKE peers need to specify an IKE proposal. An IKE proposal defines a set of attributes describing how IKE negotiation should take place. You can create multiple IKE proposals with different preferences. The preference of an IKE proposal is represented by its sequence number, and the smaller the sequence number, the higher the preference. 2. Configuring an IKE proposal Two peers must have at least one pair of matched IKE proposals for successful IKE negotiation.
Figure 75 IKE global configuration page
2. Configure global IKE parameters, as described in Table 5.
3. Click Apply.
Table 5 Configuration items
Item / Description
IKE Local Name: Enter a case-sensitive name string for the local security gateway. If the local device acts as the IKE negotiation initiator and uses the ID type of FQDN or the user FQDN of the security gateway for IKE negotiation, you must configure this parameter on the local device.
Figure 77 Adding an IKE proposal
3. Configure the IKE proposal parameters, as described in Table 6.
4. Click Apply.
Table 6 Configuration items
Item / Description
IKE Proposal Number: Enter the IKE proposal number. The number also stands for the priority of the IKE proposal, with a smaller value meaning a higher priority. During IKE negotiation, the system matches IKE proposals in order of proposal number, starting from the smallest one.
Authentication Method
Authentication Algorithm
Item / Description
SA Lifetime: Enter the ISAKMP SA lifetime of the IKE proposal. Before an SA expires, IKE negotiates a new SA. As soon as the new SA is set up, it takes effect immediately and the old one will be cleared automatically when it expires.
IMPORTANT: If the SA lifetime expires, the system automatically updates the ISAKMP SA. DH calculation in IKE negotiation takes time, especially on low-end devices.
Configuring an IKE peer 1. Select VPN > IKE > Peer from the navigation tree to display existing IKE peers. Figure 80 IKE peer list 2. Click Add to enter the IKE peer configuration page. Figure 81 Adding an IKE peer 3. Configure the IKE peer parameters, as described in Table 8. 4. Click Apply. Table 8 Configuration items Item Description Peer Name Enter a name for the IKE peer.
Item / Description
IKE Negotiation Mode: Select the IKE negotiation mode in phase 1, which can be Main or Aggressive.
IMPORTANT:
• If you configure one end of an IPsec tunnel to obtain an IP address dynamically, the IKE negotiation mode must be Aggressive. In this case, SAs can be established as long as the username and password are correct.
• The specified negotiated mode is used when the local peer is the negotiation initiator. When acting as the responder, the negotiation mode of the initiator is used.
Item / Description
Pre-Shared Key: To use the authentication method of pre-shared key, select Pre-Shared Key and enter consistent pre-shared keys in the Key and Confirm Key fields.
To use the authentication method of RSA signature, select PKI Domain and then select the PKI domain to which the certificate belongs in the following list. Available PKI domains are those configured on the page you enter by selecting VPN > Certificate Manager > Domain from the navigation tree.
Field / Description
Flag: Status of the SA. Possible values include:
• RD—Ready. The SA has already been established and is ready for use.
• ST—Stayalive. The local end is the tunnel negotiation initiator.
• RL—Replaced. The tunnel has been replaced and will be cleared soon.
• FD—Fading. The soft lifetime expires but the tunnel is still in use. The tunnel will be deleted when the hard lifetime expires.
• TO—Timeout. The SA has received no keepalive packets after the last keepalive timeout.
d. Click Apply. Figure 84 Creating ACL 3101 3. Create a rule for ACL 3101 to allow packets from subnet 10.1.1.0/24 to subnet 10.1.2.0/24: a. From the ACL list, click the icon for ACL 3101. b. Click Add. c. Select Permit from the Operation list. Select the Source IP Address box and enter 10.1.1.0 and 0.0.0.255 as the source subnet address and mask, respectively. Select the Destination IP Address box and enter 10.1.2.0 and 0.0.0.255 as the destination subnet address and mask, respectively. d. Click Apply.
c. Enter the peer name peer. Select the negotiation mode Main. Enter the remote gateway IP address 2.2.2.2. Select Pre-Shared Key and enter the pre-shared key abcde in the Key and Confirm Key fields. d. Click Apply. Figure 86 Configuring an IKE peer named peer 5. Create an IKE proposal numbered 10: a. Select VPN > IKE > Proposal from the navigation tree. b. Click Add. c.
Figure 87 Creating an IKE proposal numbered 10 6. Create an IPsec proposal named tran1: a. Select VPN > IPSec > Proposal from the navigation tree. b. Click Add. c. From the IPSec Proposal Configuration Wizard page, select Custom mode. d. Enter the IPsec proposal name tran1, and select the packet encapsulation mode Tunnel, security protocol ESP, authentication algorithm SHA1, and encryption algorithm DES. e. Click Apply. Figure 88 Creating an IPsec proposal named tran1 7.
Figure 89 Creating an IPsec proposal named map1 8. Apply the IPsec policy to interface GigabitEthernet 0/1: a. Select VPN > IPSec > IPSec Application from the navigation tree. b. Click the icon for interface GigabitEthernet0/1. c. Select policy map1. d. Click Apply. Figure 90 Applying the IPsec policy to interface GigabitEthernet 0/1 9. Configure a static route to Host B: a.
c. Enter 10.1.2.0 as the destination IP address, select 255.255.255.0 from the mask list, and enter 2.2.2.2 as the next hop. d. Click Apply. Figure 91 Configuring a static route to Host B Configuring Device B 1. Configure interface IP addresses and assign interfaces to security zones. (Details not shown.) 2. Create ACL 3101. a. Select Firewall > ACL from the navigation tree. b. Click Add. c. Enter the ACL number 3101, and select the match order Config. d. Click Apply. 3.
d. Enter the IPsec proposal name tran1, and select the packet encapsulation mode Tunnel, security protocol ESP, authentication algorithm SHA1, and encryption algorithm DES. e. Click Apply. 6. Create an IPsec policy named map1: a. Select VPN > IPSec > Policy from the navigation tree. b. Click Add. c. Enter the IPsec policy name map1. Enter the sequence number 10. Select the IKE peer peer. Select the IPsec proposal tran1 from the Available Proposal list, and click <<. Enter the ACL number 3101. d.
Task / Remarks
Configuring an IKE proposal: Required if you want to specify an IKE proposal for an IKE peer to reference.
Configuring an IKE peer: Required.
Setting keepalive timers: Optional.
Setting the NAT keepalive timer: Optional.
Configuring a DPD detector: Optional.
Disabling next payload field checking: Optional.
Step / Command / Remarks
2. Create an IKE proposal and enter its view. ike proposal proposal-number. N/A
3. Specify an encryption algorithm for the IKE proposal. encryption-algorithm { 3des-cbc | aes-cbc [ key-length ] | des-cbc }. Optional. In non-FIPS mode, the default is 56-bit DES.
4. Specify an authentication method for the IKE proposal. authentication-method { pre-share | rsa-signature }
5. Specify an authentication algorithm for the IKE proposal. authentication-algorithm { md5 | sha }
If you do not specify any IKE proposals, the local end initiates IKE negotiation by using the following guidelines: { { If the IKE negotiation mode in phase 1 is main, the local end sends the first 100 supported IKE proposals to the remote end for IKE negotiation. If the IKE negotiation mode in phase 1 is aggressive, the local end sends the IKE proposal with the smallest sequence number to the remote end for IKE negotiation.
Step / Command / Remarks
6. Select the ID type for IKE negotiation phase 1. id-type { ip | name | user-fqdn }. Optional. By default, the ID type is IP.
7. Configure a name for the local security gateway. local-name name. Optional. By default, no name is configured for the local security gateway in IKE peer view, and the security gateway name configured by using the ike local-name command is used.
8. Specify the name of the remote security gateway. Optional.
9.
NOTE: After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa commands to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation will fail. Setting keepalive timers IKE maintains the link status of an ISAKMP SA by keepalive packets. Generally, if the peer is configured with the keepalive timeout, you must configure the keepalive packet transmission interval on the local end.
3. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello. 4. If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA and the IPsec SAs based on the IKE SA. DPD enables an IKE entity to check the liveliness of its peer only when necessary.
Task / Command / Remarks
Display IKE proposal information. display ike proposal [ | { begin | exclude | include } regular-expression ]. Available in any view.
Clear SAs established by IKE. reset ike sa [ connection-id | active | standby ]. Available in user view.
Configuring main mode IKE with pre-shared key authentication
Network requirements
As shown in Figure 92, configure an IPsec tunnel that uses IKE negotiation between Firewall A and Firewall B to secure the communication between subnet 10.1.1.
[FirewallA-ipsec-transform-set-tran1] quit
# Create IKE peer peer.
[FirewallA] ike peer peer
# Set the pre-shared key.
[FirewallA-ike-peer-peer] pre-shared-key abcde
# Specify the IP address of the peer security gateway.
[FirewallA-ike-peer-peer] remote-address 2.2.2.2
[FirewallA-ike-peer-peer] quit
# Create an IKE proposal numbered 10.
[FirewallA] ike proposal 10
# Set the authentication algorithm to MD5.
[FirewallB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[FirewallB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use security protocol ESP.
[FirewallB-ipsec-transform-set-tran1] transform esp
# Specify encryption and authentication algorithms.
[FirewallB-ipsec-transform-set-tran1] esp encryption-algorithm des
[FirewallB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[FirewallB-ipsec-transform-set-tran1] quit
# Create IKE peer peer.
priority  authentication method  authentication algorithm  encryption algorithm  Diffie-Hellman group  duration (seconds)
---------------------------------------------------------------------------------------------------------------------
default   PRE_SHARED             SHA                       DES_CBC               MODP_768              86400
Firewall A and Firewall B have only one pair of matching IKE proposals. Matching IKE proposals do not necessarily use the same ISAKMP SA lifetime setting.
# Send traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
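The proposal-selection rules this chapter states in several places (proposals tried in ascending number with the system default last, main mode offering up to 100 proposals while aggressive mode offers only the lowest-numbered one, and SA lifetime not being part of the match) are pulled together in the following added example, which is not part of the guide and not HP code. The proposals are constructed; the responder's matching order (initiator's offer in preference order, then the responder's own list in ascending number) is an assumption of this example.

```python
"""IKE phase 1 proposal matching as this guide describes it.

Added example, not HP firewall code. The proposals are constructed; their
attribute values follow the guide's examples (pre-share, md5/sha,
des-cbc/3des-cbc, DH group1/group2). DEFAULT_PROPOSAL mirrors the
"default" row of display ike proposal: PRE_SHARED, SHA, DES_CBC, MODP_768.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAIN_MODE_MAX_OFFERED = 100   # main mode: the first 100 supported proposals are sent


@dataclass(frozen=True)
class IkeProposal:
    number: int            # sequence number; smaller means higher preference
    auth_method: str       # pre-share | rsa-signature
    auth_alg: str          # md5 | sha
    enc_alg: str           # des-cbc | 3des-cbc | aes-cbc
    dh_group: str          # group1 (MODP_768) | group2 (MODP_1024)
    lifetime: int = 86400  # ISAKMP SA lifetime in seconds; not compared when matching


# System default proposal (priority "default"); number -1 is a placeholder, it is
# never sorted with configured proposals but always appended after them.
DEFAULT_PROPOSAL = IkeProposal(number=-1, auth_method="pre-share", auth_alg="sha",
                               enc_alg="des-cbc", dh_group="group1")


def candidate_order(configured: List[IkeProposal]) -> List[IkeProposal]:
    """Configured proposals by ascending number, then the default proposal."""
    return sorted(configured, key=lambda p: p.number) + [DEFAULT_PROPOSAL]


def offered_proposals(configured: List[IkeProposal], mode: str) -> List[IkeProposal]:
    """What an initiator with no proposal bound to the peer sends in phase 1.

    Assumption of this example: the default proposal counts among the
    "supported" proposals offered in main mode.
    """
    ordered = candidate_order(configured)
    if mode == "main":
        return ordered[:MAIN_MODE_MAX_OFFERED]
    if mode == "aggressive":
        return ordered[:1]          # only the smallest sequence number
    raise ValueError(f"unknown IKE negotiation mode: {mode}")


def proposals_match(a: IkeProposal, b: IkeProposal) -> bool:
    """Auth method, auth algorithm, encryption algorithm and DH group must agree.
    Lifetime is deliberately left out, as the guide says it need not match."""
    return (a.auth_method, a.auth_alg, a.enc_alg, a.dh_group) == \
           (b.auth_method, b.auth_alg, b.enc_alg, b.dh_group)


def negotiate_phase1(initiator_cfg: List[IkeProposal], responder_cfg: List[IkeProposal],
                     mode: str) -> Optional[Tuple[IkeProposal, IkeProposal]]:
    """First matching (initiator, responder) pair, or None when nothing matches
    (the responder would answer NO_PROPOSAL_CHOSEN, as in the troubleshooting section)."""
    responder_order = candidate_order(responder_cfg)
    for offered in offered_proposals(initiator_cfg, mode):
        for candidate in responder_order:
            if proposals_match(offered, candidate):
                return offered, candidate
    return None


if __name__ == "__main__":
    # Constructed: the two firewalls' proposal 10 disagree on the hash algorithm.
    fw_a = [IkeProposal(10, "pre-share", "md5", "3des-cbc", "group2")]
    fw_b = [IkeProposal(10, "pre-share", "sha", "3des-cbc", "group2", lifetime=3600)]
    print(negotiate_phase1(fw_a, fw_b, "main"))        # falls back to the default pair
    print(negotiate_phase1(fw_a, fw_b, "aggressive"))  # None: only proposal 10 is offered
```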
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
  spi: 89389742 (0x553faae)
  transform-set: ESP-ENCRYPT-DES ESP-AUTH-SHA1
  sa duration (kilobytes/sec): 1843200/3600
  sa remaining duration (kilobytes/sec): 1843199/3590
  max sequence-number sent: 5
  udp encapsulation used for nat traversal: N
Configuring aggressive mode IKE with NAT traversal
Network requirements
As shown in Figure 93, the branch and the headquarters connect to an ATM network t
[Firewall] ike proposal 1
[Firewall-ike-proposal-1] authentication-algorithm sha
[Firewall-ike-proposal-1] authentication-method pre-share
[Firewall-ike-proposal-1] encryption-algorithm 3des-cbc
[Firewall-ike-proposal-1] dh group2
# Configure an IKE peer.
[Router-acl-adv-3101] rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
[Router-acl-adv-3101] quit
# Configure an IKE proposal.
[Router] ike proposal 1
[Router-ike-proposal-1] authentication-algorithm sha
[Router-ike-proposal-1] authentication-method pre-share
[Router-ike-proposal-1] encryption-algorithm 3des-cbc
[Router-ike-proposal-1] dh group2
# Configure an IKE peer.
[Router-Dialer0] quit
# Configure a static route to the headquarters LAN.
[Router] ip route-static 172.16.0.0 255.255.255.0 dialer 0
# Configure interface GigabitEthernet 0/1.
[Router] interface gigabitethernet 0/1
[Router-GigabitEthernet0/1] tcp mss 1450
[Router-GigabitEthernet0/1] ip address 192.168.0.1 255.255.255.0
[Router-GigabitEthernet0/1] quit
# Create a virtual Ethernet interface, and create a PPPoE session that uses dialer bundle 1 on the interface.
Proposal mismatch Symptom The proposals mismatch. Analysis The following is the debugging information: got NOTIFY of type NO_PROPOSAL_CHOSEN Or drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN The two parties in the negotiation have no matched proposals. Solution For the negotiation in phase 1, look up the IKE proposals for a match.
different protection granularity respectively. As the priorities of IPsec tunnels are determined by the order they are established, a device cannot interoperate with other peers in fine granularity when its outbound packets are first matched with an IPsec tunnel in coarse granularity. Solution When a device has multiple peers, configure ACLs on the device to distinguish different data flows and try to avoid configuring overlapping ACL rules for different peers.
Configuring IPsec The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. Overview IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It is a Layer 3 VPN technology that transmits data in a secure tunnel established between two endpoints.
Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH. Figure 94 shows the format of IPsec packets. Security association A security association is an agreement negotiated between two communicating parties called IPsec peers.
Authentication algorithms and encryption algorithms • Authentication algorithms: IPsec uses keyed hash algorithms (HMAC, for example HMAC-MD5-96 and HMAC-SHA1-96) to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message; with a shared key mixed in, only a peer holding the key can produce a valid digest. The sender computes the digest over each packet and attaches it; the receiver recomputes it with the same key. If the resulting digests are identical, the packet is considered intact and to have come from the peer holding the key.
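The integrity check just described, as an added example in Python (not code from the HP guide): it builds an ESP packet in the RFC 4303 layout (SPI, sequence number, payload, padding, pad length, next header) over a null cipher and computes the HMAC-SHA1-96 integrity check value that the guide's "SHA1" authentication option refers to, then verifies it on receipt. The key, SPI, sequence number and payload are constructed values; encryption is left out on purpose so the authentication step stands on its own.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed 160-bit integrity key (a real SA gets it from IKE or from a manual string-key).
AUTH_KEY = bytes.fromhex("0b" * 20)
ICV_LEN = 12   # HMAC-SHA1-96: the 160-bit HMAC output truncated to 96 bits


def esp_pack(spi: int, seq: int, payload: bytes, next_header: int = 4, key: bytes = AUTH_KEY) -> bytes:
    """Build an ESP packet: header (SPI, sequence number), payload, padding, pad length,
    next header, ICV. The cipher is null so the integrity part is visible on its own;
    next header 4 means the payload is an encapsulated IPv4 packet (tunnel mode)."""
    pad_len = (-(len(payload) + 2)) % 4                       # align payload + trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))                    # default padding values 1, 2, 3, ...
    authenticated = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def esp_verify(packet: bytes, key: bytes = AUTH_KEY) -> Optional[Tuple[int, int, bytes]]:
    """Recompute the ICV over everything except the ICV itself. Returns (spi, seq, payload)
    when the digests match and None otherwise; a mismatch means the packet was altered in
    transit or the two peers hold different authentication keys."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):                # constant-time comparison
        return None
    spi, seq = struct.unpack("!II", authenticated[:8])
    pad_len = authenticated[-2]
    payload = authenticated[8:len(authenticated) - 2 - pad_len]
    return spi, seq, payload


if __name__ == "__main__":
    pkt = esp_pack(123456, 1, b"hello")
    print(esp_verify(pkt))                                    # (123456, 1, b'hello')
    forged = bytearray(pkt)
    forged[9] ^= 0x01                                         # flip one payload bit
    print(esp_verify(bytes(forged)))                          # None
```

The truncation to 96 bits is the "-96" in SHA1-HMAC-96; the receiver never compares against a full digest, so both peers must truncate identically, and a peer configured for MD5 while the other uses SHA1 fails here rather than at decryption.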
• Flexible service application—You can apply a service such as NAT or QoS to packets before or after they are encrypted by IPsec. To handle packets prior to IPsec encryption, apply the service to the IPsec tunnel interface. To handle IPsec encrypted packets, apply the service to the physical outbound interface. Operation of the IPsec tunnel interface IPsec encapsulation and de-encapsulation occur on IPsec tunnel interfaces.
6. Identifying that the destination address of the packet is the tunnel interface and the protocol is AH or ESP, the forwarding module forwards the packet to the IPsec tunnel interface for de-encapsulation. 7. The IPsec tunnel interface de-encapsulates the packet, and then delivers the resulting clear text packet back to the forwarding module. 8.
IPsec stateful failover The IPsec stateful failover function enables hot backup of IPsec service data between two devices and is usually deployed on two redundant gateways at the headquarters to improve the availability of IPsec service. The IPsec stateful failover function must work with the stateful failover feature and the VRRP feature. The two devices in IPsec stateful failover must join the same VRRP group to act as a single virtual device.
Protocols and standards
• RFC 2401, Security Architecture for the Internet Protocol
• RFC 2402, IP Authentication Header
• RFC 2406, IP Encapsulating Security Payload
• RFC 4552, Authentication/Confidentiality for OSPFv3
• RFC 4301, Security Architecture for the Internet Protocol
• RFC 4302, IP Authentication Header
• RFC 4303, IP Encapsulating Security Payload (ESP)
Configuration guidelines When you configure IPsec, follow these guidelines: • Typically, IKE uses UDP port 500 for communication,
Step Remarks Required. 2. Configuring an IPsec proposal An IPsec proposal defines a set of security parameters for IPsec SA negotiation, including the security protocol, encryption and authentication algorithms, and encapsulation mode. IMPORTANT: Changes to an IPsec proposal affect only SAs negotiated after the changes are made. Required if you are using an IPsec policy template group to create an IPsec policy. 3.
Use of the Permit/Deny actions in ACLs IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not protected by IPsec. IPsec matches each packet against the referenced ACL rule by rule. The matching process stops at the first rule that matches, or ends with no match if no rule matches.
Figure 100 ACL 3000 configuration on Device A Figure 101 ACL 3001 configuration on Device A Figure 102 IPsec policy configuration on Device A The configurations on Device B are shown in Figure 103 and Figure 104.
Figure 104 IPsec policy configuration on Device B Mirror image ACLs To make sure that SAs can be set up and the traffic protected by IPsec locally can be processed correctly at the remote peer, on the remote peer, create a mirror image ACL rule for each ACL rule created at the local peer. As shown in Figure 105, ACL rules on Device B are mirror images of the rules on Device A.
Figure 106 Non-mirror image ACLs Protection modes Data flows can be protected in two modes: • Standard mode, in which one tunnel is used to protect one data flow. The data flow permitted by each ACL rule is protected by one tunnel that is established separately for it. • Aggregation mode, in which one tunnel is used to protect all data flows permitted by all the rules of an ACL. This mode applies to only scenarios that use IKE for negotiation.
3. Click Suite mode to configure an IPsec proposal that uses a pre-defined encryption suite. Figure 109 IPsec proposal configuration in suite mode 4. Enter a name for the IPsec proposal. 5. Select an encryption suite for the proposal. An encryption suite specifies the IP packet encapsulation mode, security protocol, and authentication and encryption algorithms to be used.
Table 10 Configuration items
Item: Proposal Name. Description: Enter a name for the IPsec proposal.
Item: Encapsulation Mode. Description: Select an IP packet encapsulation mode for the IPsec proposal. Options include: • Tunnel—Uses the tunnel mode. • Transport—Uses the transport mode.
Item: Security Protocol. Description: Select a security protocol setting for the proposal. Options include: • AH—Uses the AH protocol. • ESP—Uses the ESP protocol. • AH-ESP—Uses ESP first and then AH.
Item: AH Authentication Algorithm.
Figure 111 IPsec policy template list 2. Click Add to enter the IPsec policy template configuration page. Figure 112 IPsec policy template configuration page 3. Configure an IPsec policy template, as described in Table 11. 4. Click Apply. Table 11 Configuration items Item Description Template Name Enter a name for the IPsec policy template.
Item Description Enter a sequence number for the IPsec policy template. Sequence Number In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority. Select an IKE peer for the IPsec policy template. IKE Peer You configure IKE peers by selecting VPN > IKE > Peer from the navigation tree. Select up to six IPsec proposals for the IPsec policy template.
Item Description Change the preference of the static routes. Priority Change the route preference for equal-cost multipath routing or route backup. If multiple routes to the same destination have the same preference, traffic is balanced among them. If multiple routes to the same destination have different preference values, the route with the highest preference forwards traffic and all other routes are backup routes. Configuring an IPsec policy 1.
Figure 114 IPsec policy configuration page 3. Configure an IPsec policy, as described in Table 12. 4. Click Apply. Table 12 Configuration items Item Description Policy Name Enter a name for the IPsec policy. Enter a sequence number for the IPsec policy. Sequence Number In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority. Select an IPsec policy template.
Item: IPSec Proposal. Description: Select up to six IPsec proposals for the IPsec policy. IPsec SAs can be set up only when the IPsec peers have at least one matching IPsec proposal. If no matching IPsec proposal is available, the IPsec SAs cannot be established and the packets that need to be protected are discarded.
Item: PFS. Description: Enable and configure the PFS feature or disable the feature. Options include: • dh-group1—Uses the 768-bit Diffie-Hellman group. • dh-group2—Uses the 1024-bit Diffie-Hellman group. Where the peer supports it, prefer dh-group2 over dh-group1: a 768-bit MODP group is no longer considered adequate against offline attack.
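How the "at least one matching proposal" rule plays out during negotiation, as an added example in Python (not code from the HP guide). It models an IPsec policy as an ordered list of up to six proposals, walks the initiator's list in preference order until the responder has the same proposal, and otherwise reports NO_PROPOSAL_CHOSEN, the notification shown in the guide's troubleshooting section. The treatment of PFS as a must-match attribute, and the helper that reports which field differs, are assumptions added for troubleshooting; the proposal values are constructed.

```python
from dataclasses import dataclass, fields
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IpsecProposal:
    """One IPsec proposal (transform set): encapsulation, protocol and algorithms."""
    encapsulation: str              # "tunnel" or "transport"
    protocol: str                   # "esp", "ah" or "ah-esp"
    esp_encryption: Optional[str]   # "des", "3des", "aes-cbc-128", ...; None when ESP is not used
    authentication: str             # "md5" or "sha1"


@dataclass(frozen=True)
class IpsecPolicy:
    """An IPsec policy: one to six proposals in preference order, plus an optional PFS group."""
    name: str
    proposals: Tuple[IpsecProposal, ...]
    pfs: Optional[str] = None       # "dh-group1", "dh-group2", ... or None when PFS is off

    def __post_init__(self):
        if not 1 <= len(self.proposals) <= 6:
            raise ValueError("an IPsec policy references between one and six proposals")


def choose_proposal(initiator: IpsecPolicy, responder: IpsecPolicy) -> Tuple[Optional[IpsecProposal], str]:
    """Return the first initiator proposal the responder also has, in initiator order.
    Assumption (not stated on the page): PFS must be configured identically on both
    sides, group included, or the negotiation fails like a missing proposal does."""
    if initiator.pfs != responder.pfs:
        return None, "NO_PROPOSAL_CHOSEN"
    acceptable = set(responder.proposals)
    for proposal in initiator.proposals:
        if proposal in acceptable:
            return proposal, "OK"
    return None, "NO_PROPOSAL_CHOSEN"


def explain_mismatch(initiator: IpsecPolicy, responder: IpsecPolicy) -> Tuple[IpsecProposal, IpsecProposal, List[str]]:
    """Troubleshooting aid: the closest proposal pair and the fields that differ between them."""
    best = None
    for p in initiator.proposals:
        for q in responder.proposals:
            diff = [f.name for f in fields(IpsecProposal) if getattr(p, f.name) != getattr(q, f.name)]
            if best is None or len(diff) < len(best[2]):
                best = (p, q, diff)
    return best


if __name__ == "__main__":
    tran1 = IpsecProposal("tunnel", "esp", "des", "sha1")
    aes = IpsecProposal("tunnel", "esp", "aes-cbc-128", "sha1")
    branch = IpsecPolicy("map1", (aes, tran1))
    hq = IpsecPolicy("use1", (tran1,))
    print(choose_proposal(branch, hq))                # (tran1, 'OK')
    hq_transport = IpsecPolicy("use1", (IpsecProposal("transport", "esp", "des", "sha1"),))
    print(choose_proposal(branch, hq_transport))      # (None, 'NO_PROPOSAL_CHOSEN')
    print(explain_mismatch(branch, hq_transport)[2])  # ['encapsulation']
```

When the debug output shows NO_PROPOSAL_CHOSEN, the closest-pair report points at the one attribute to correct (here the encapsulation mode) instead of leaving you to diff two proposal lists by hand.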
Item Description Change the preference of the static routes. Change the route preference for equal-cost multipath routing or route backup. If multiple routes to the same destination have the same preference, traffic is balanced among them. If multiple routes to the same destination have different preference values, the route with the highest preference forwards traffic and all other routes are backup routes. Priority Applying an IPsec policy group 1.
Figure 117 IPsec SAs Table 13 Field description Field Description Source IP IP address of the local end of the IPsec SA. Destination IP IP address of the remote end of the IPsec SA. SPI SPI of the IPsec SA. Security Protocol Security protocol that the IPsec SA uses. Authentication Algorithm Authentication algorithm that the security protocol uses. Encryption Algorithm Encryption algorithm that the security protocol uses.
Network requirements As shown in Figure 119, an enterprise branch accesses the headquarters through IPsec VPN. Configure the IPsec VPN as follows: • Configure an IPsec tunnel between Device A and Device B to protect traffic between the headquarters subnet 10.1.1.0/24 and the branch subnet 10.1.2.0/24. • Configure the tunnel to use the security protocol ESP, encryption algorithm DES, and authentication algorithm SHA-1.
f. On the page that appears, select Permit from the Operation list, select Source IP Address and enter 10.1.1.0 and 0.0.0.255 in the following fields, select Destination IP Address and enter 10.1.2.0 and 0.0.0.255 in the following fields, and click Apply. Figure 121 Configuring a rule to permit packets from 10.1.1.0/24 to 10.1.2.0/24 3. Configure an IPsec proposal named tran1: a. From the navigation tree, select VPN > IPSec > Proposal. b. Click Add. c. On the page that appears, select Custom mode. d.
c. Enter the peer name peer, select the negotiation mode Main, enter the remote gateway IP address 2.2.3.1, and select the Pre-Shared Key box and then enter abcde for both the Key and Confirm Key fields. d. Click Apply. Figure 123 Configuring an IKE peer 5. Configure an IPsec policy: a. From the navigation tree, select VPN > IPSec > Policy. b. Click Add to enter the IPsec policy configuration page. c.
Figure 124 Configuring an IPsec policy 6. Apply the IPsec policy to interface GigabitEthernet 0/1: a. From the navigation tree, select VPN > IPSec > IPSec Application. b. Click the icon of interface GigabitEthernet 0/1 to enter the IPsec application page. c. Select the policy of map1. d. Click Apply.
Configuring Device B The configuration steps on Device B are similar to those on Device A. The configuration pages are not shown. 1. Assign IP addresses to the interfaces, and add them to the target zones. (Details not shown.) 2. Define an ACL to permit traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24: a. From the navigation tree, select Firewall > ACL. b. Click Add. c. On the page that appears, enter the ACL number 3101, select the match order Config, and click Apply. d.
g. Enter the ACL number 3101. h. Click Apply. 7. Apply IPsec policy map1 to GigabitEthernet 0/1: a. From the navigation tree, select VPN > IPSec > IPSec Application. b. Click the icon of interface GigabitEthernet 0/1. c. Select the policy of map1. d. Click Apply. Verifying the configuration After you complete the configuration, packets from subnet 10.1.2.0/24 to subnet 10.1.1.0/24 between Device A and Device B trigger the negotiation of SAs by IKE. Because Device A does not have any route to subnet 10.
Complete the following tasks to configure ACL-based IPsec:
• Configuring an ACL (Required. Basic IPsec configuration.)
• Configuring an IPsec transform set (Required. Basic IPsec configuration.)
• Configuring an IPsec policy (Required. Basic IPsec configuration.)
• Applying an IPsec policy group to an interface (Required. Basic IPsec configuration.)
• Enabling the encryption engine (Optional.)
• Enabling ACL checking for de-encapsulated IPsec packets (Optional.)
• Configuring the IPsec anti-replay function (Optional.)
• Configuring packet information pre-extraction (Optional.)
• Enabling invalid SPI recovery (Optional.)
received and processed, but all inbound non-IPsec packets will be dropped. As a result, all inbound traffic that does not need IPsec protection is dropped. { Avoid statement conflicts in the scope of IPsec policy groups. When creating a deny statement, be careful with its matching scope and its matching order relative to permit statements. The policies in an IPsec policy group have different match priorities, so an ACL rule in one policy that overlaps a rule in another is prone to cause packets to be handled by the wrong policy.
To make sure that SAs can be set up and the traffic protected by IPsec can be processed correctly at the remote peer, on the remote peer, create a mirror image ACL rule for each ACL rule created at the local peer. As shown in Figure 126, ACL rules on Firewall B are mirror images of the rules on Firewall A. This makes sure that SAs can be created successfully for the traffic between Host A and Host C and the traffic between Network 1 and Network 2.
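The first-match permit/deny evaluation described under "Use of the Permit/Deny actions in ACLs" and the mirror-image requirement above, as one added example in Python (not code from the HP guide). It evaluates a packet against Comware-style rules with wildcard (inverse) masks, stopping at the first hit, and then checks that every local permit rule has its mirror image on the remote peer. ACL 3101 from the configuration examples (10.1.1.0/24 to 10.1.2.0/24 and its mirror) is used as constructed sample data; the rule and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    """One advanced ACL rule: wildcard masks are inverse masks, 0 bits must match."""
    action: str          # "permit" (protect with IPsec) or "deny" (send in the clear)
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str


def _wild_match(addr: str, net: str, wildcard: str) -> bool:
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    care = (~w) & 0xFFFFFFFF            # bits that are 0 in the wildcard must be equal
    return (a & care) == (n & care)


def classify(acl: List[AclRule], src: str, dst: str) -> Optional[str]:
    """First-match evaluation: "permit", "deny", or None when no rule hits the packet."""
    for rule in acl:
        if _wild_match(src, rule.src, rule.src_wildcard) and _wild_match(dst, rule.dst, rule.dst_wildcard):
            return rule.action
    return None


def mirror(rule: AclRule) -> AclRule:
    """The mirror-image rule the remote peer needs: source and destination swapped."""
    return AclRule(rule.action, rule.dst, rule.dst_wildcard, rule.src, rule.src_wildcard)


def missing_mirrors(local: List[AclRule], remote: List[AclRule]) -> List[AclRule]:
    """Local permit rules for which the remote ACL holds no exact mirror-image permit rule.
    Each one is a flow the local peer will try to protect but the remote will not match."""
    remote_rules = set(remote)
    return [r for r in local if r.action == "permit" and mirror(r) not in remote_rules]


# Constructed sample: ACL 3101 on Firewall A and its mirror on Firewall B.
ACL_A = [AclRule("permit", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")]
ACL_B = [AclRule("permit", "10.1.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255")]

if __name__ == "__main__":
    print(classify(ACL_A, "10.1.1.2", "10.1.2.2"))   # permit
    print(classify(ACL_A, "10.1.2.2", "10.1.1.2"))   # None: not an outbound flow on A
    print(missing_mirrors(ACL_A, ACL_B))              # []
    # A remote rule with a narrower destination (one host) is not a mirror of the /24 rule.
    narrow_b = [AclRule("permit", "10.1.2.0", "0.0.0.255", "10.1.1.1", "0.0.0.0")]
    print(missing_mirrors(ACL_A, narrow_b))           # [ACL_A's /24 rule]
```

Run the check on both peers' ACLs before applying the policy; a non-empty result is exactly the case in Figure 106 where SAs negotiate for part of the traffic and the rest is silently unprotected or dropped. A deny rule placed before a permit rule also shows the order dependence: with `AclRule("deny", "10.1.1.10", "0.0.0.0", "10.1.2.0", "0.0.0.255")` ahead of ACL 3101, host 10.1.1.10 is excluded while the rest of the subnet is still protected.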
{ Per-host mode—One tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one tunnel established solely for it. This mode is configurable only in IPsec policies that use IKE negotiation. For more information about ACL configuration, see Access Control Configuration Guide. To use IPsec in combination with QoS, make sure that IPsec's ACL classification rules match the QoS classification rules.
Step 4. Specify the security algorithms. Configure at least one of the following commands.
• Specify the encryption algorithm for ESP: esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des } * In non-FIPS mode, the default is DES. In FIPS mode, 3DES and DES are not supported and AES-128 is the default encryption algorithm.
• Specify the authentication algorithm for ESP: esp authentication-algorithm { md5 | sha1 } * In non-FIPS mode, the default is MD5.
Do not rely on the non-FIPS defaults: DES and MD5 are the weakest options available here, and DES is exactly what FIPS mode refuses. Set an AES cipher and sha1 explicitly on both peers.
IPsec policy that uses IKE—The parameters are automatically negotiated through IKE. • Configuring a manual IPsec policy To guarantee successful SA negotiations, follow these guidelines when configuring manual IPsec policies at the two ends of an IPsec tunnel: • The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
Step 4. Assign an IPsec transform set to the IPsec policy. Command: transform-set transform-set-name. Remarks: By default, an IPsec policy references no IPsec transform set. A manual IPsec policy can reference only one IPsec transform set. To change the IPsec transform set for an IPsec policy, you must remove the existing reference first. Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications.
• Directly configure it by configuring the parameters in IPsec policy view. • Configure it by referencing an existing IPsec policy template with the parameters to be negotiated configured. A device referencing an IPsec policy that is configured in this way cannot initiate SA negotiation but can respond to a negotiation request. The parameters not defined in the template will be determined by the initiator.
Step 10. Enable the IPsec policy. Command: policy enable. Remarks: Optional. Enabled by default.
Step 11. Return to system view. Command: quit. Remarks: N/A.
Step 12. Set the global SA lifetime. Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }. Remarks: Optional. 3600 seconds for time-based SA lifetime by default. 1843200 kilobytes for traffic-based SA lifetime by default.
2. Configure an IPsec policy that uses IKE by referencing an IPsec policy template.
Step Command Remark Optional. 8. Set the anti-replay information synchronization intervals in IPsec stateful failover mode. synchronization anti-replay-interval inbound inbound-number outbound outbound-number By default, the inbound anti-replay window information is synchronized whenever 1000 packets are received, and the outbound anti-replay sequence number is synchronized whenever 100000 packets are sent. Support for this feature depends on the device model.
In addition to physical interfaces like Ethernet ports, you can apply an IPsec policy to virtual interfaces, such as tunnel and virtual template interfaces, to tunnel applications such as GRE and L2TP. An interface can reference only one IPsec policy group. An IPsec policy that uses IKE can be applied to more than one interface, but a manual IPsec policy can be applied to only one interface. To apply an IPsec policy group to an interface: Step Command 1. Enter system view. system-view 2.
IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is not only unnecessary but also consumes large amounts of resources and degrades performance, so an attacker who captures and resends valid IPsec packets can turn this into a DoS. IPsec anti-replay checking, when enabled, is performed before the de-encapsulation process, so replayed packets are discarded before any cryptographic work is spent on them.
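The anti-replay mechanism described above, as an added example in Python (not code from the HP guide): a sliding-window replay check in the style of RFC 4303 Appendix A, kept per inbound SA, with the ordering the text calls for (replay check before de-encapsulation, window update only after the integrity check passed). The window size of 64 is an assumption; the page does not state the device default. The packet sequence fed to it is constructed, and the `icv_ok` flag stands in for the ICV verification shown in the earlier ESP example. The window state (`top`, `bitmap`) is the information that the stateful-failover anti-replay synchronization copies to the standby device.

```python
from typing import List, Tuple


class AntiReplayWindow:
    """Sliding-window replay detection for one inbound SA.
    check() runs before de-encapsulation so a replay costs no crypto work;
    update() runs only after the ICV verified, so forged packets cannot move the window."""

    def __init__(self, size: int = 64):          # 64 is an assumed window size
        if size < 32:
            raise ValueError("window size must be at least 32")
        self.size = size
        self.top = 0                              # highest sequence number accepted so far
        self.bitmap = 0                           # bit i set: sequence number (top - i) was received

    def check(self, seq: int) -> bool:
        if seq == 0:
            return False                          # 0 is never a valid sequence number with anti-replay on
        if seq > self.top:
            return True                           # right of the window: new
        diff = self.top - seq
        if diff >= self.size:
            return False                          # left of the window: too old to judge, drop
        return not (self.bitmap >> diff) & 1      # inside the window: replay if already seen

    def update(self, seq: int) -> None:
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(window: AntiReplayWindow, seq: int, icv_ok: bool) -> str:
    """Inbound processing order: replay check, then ICV check, then window update."""
    if not window.check(seq):
        return "dropped: replay"
    if not icv_ok:
        return "dropped: bad ICV"
    window.update(seq)
    return "accepted"


def simulate(events: List[Tuple[int, bool]], size: int = 64) -> List[str]:
    """Feed (sequence number, icv_ok) pairs, e.g. from a constructed capture, to one SA's window."""
    window = AntiReplayWindow(size)
    return [receive(window, seq, ok) for seq, ok in events]


if __name__ == "__main__":
    # Constructed capture: an attacker resends packet 2 after it was accepted.
    print(simulate([(1, True), (2, True), (2, True)]))
    # ['accepted', 'accepted', 'dropped: replay']
```

Two behaviours are worth noticing: a packet with a bad ICV does not advance the window, so a later genuine packet with the same sequence number is still accepted; and once the window has moved far ahead (sequence 70 after 1), a late packet more than 64 behind is dropped even though it was never seen, which is why reordering links need a larger window rather than a disabled check.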
Step 3. Enable packet information pre-extraction. Command: qos pre-classify. Remarks: Disabled by default.
Enabling invalid SPI recovery When the security gateway at one end of an IPsec tunnel loses its SAs due to rebooting or any other reason, its peer security gateway might not know the problem and send IPsec packets to it. These packets will be discarded by the receiver because the receiver cannot find appropriate SAs for them, resulting in a traffic blackhole.
A good practice is to configure IPsec RRI on a headquarters gateway to create static routes for the IPsec tunnels to branches. For the static routes, you can perform the following operations: • Change their route preference for ECMP routing or route backup. If multiple routes to the same destination have the same preference, traffic is balanced among them.
Complete the following tasks to configure tunnel interface-based IPsec: Task Remarks Required. Configuring an IPsec transform set An IPsec transform set for the IPsec tunnel interface to reference supports tunnel mode only. Configuring an IPsec profile Required. Configuring an IPsec tunnel interface Required. Applying a QoS policy to an IPsec tunnel interface Optional. Enabling the encryption engine Optional. Configuring the IPsec anti-replay function Optional.
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Create an IPsec profile and enter its view. Command: ipsec profile profile-name. Remarks: By default, no IPsec profile exists.
Step 3. Specify the IPsec transform sets for the IPsec profile to reference. Command: transform-set transform-name&<1-6>. Remarks: By default, an IPsec profile references no IPsec transform sets.
Step 4. Specify the IKE peer for the IPsec profile to reference. Command: ike-peer peer-name. Remarks: N/A.
Step 5. Remarks: Optional.
4. Apply an IPsec profile to the IPsec tunnel interface. After the link layer of the IPsec tunnel interface comes up, packets routed to the tunnel interface will be protected by IPsec. To make sure the link layer of the IPsec tunnel interface comes up, make sure the following requirements are met: • The source address of the tunnel interface is the IP address of the local physical interface that connects to the remote.
Applying a QoS policy to an IPsec tunnel interface The device allows you to apply a QoS policy to the IPsec tunnel interface. In this case, QoS is performed before IPsec encapsulation, and the priority of a resulting packet is the same as that of the original packet. In addition, the QoS congestion management is done to the packets before encapsulation, avoiding the disorder of IPsec packets.
• The keepalive mechanism for IKE to maintain the link status of ISAKMP SAs is not supported. • IPsec RRI is not effective. Configuration prerequisites Before you configure IPsec stateful failover, complete the tasks in this section on the two devices. 1. Configure stateful failover: { Configure the devices to operate in the active/standby mode. { Specify the interfaces between the devices as failover interfaces for transferring state negotiation messages and backing up IPsec service data.
Displaying and maintaining IPsec Task Command Remarks Display IPsec policy information. display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ] Available in any view. Display IPsec policy template information. display ipsec policy-template [ brief | name template-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ] Available in any view. Display the configuration of IPsec profiles.
Figure 128 Network diagram (Firewall A: GE0/1 10.1.1.1/24, GE0/2 2.2.2.1/24; Firewall B: GE0/1 10.1.2.1/24, GE0/2 2.2.3.1/24; Host A 10.1.1.2/24 behind Firewall A, Host B 10.1.2.2/24 behind Firewall B; the GE0/2 interfaces connect across the Internet)
Configuration procedure 1. Configure Firewall A: # Define an ACL to identify data flows from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
system-view
[FirewallA] acl number 3101
[FirewallA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.
# Configure the keys. [FirewallA-ipsec-policy-manual-map1-10] sa string-key outbound esp abcdefg [FirewallA-ipsec-policy-manual-map1-10] sa string-key inbound esp gfedcba [FirewallA-ipsec-policy-manual-map1-10] quit # Configure the IP address for GigabitEthernet 0/2. [FirewallA] interface gigabitethernet 0/2 [FirewallA-GigabitEthernet0/2] ip address 2.2.2.1 255.255.255.0 # Apply the IPsec policy group to the interface. [FirewallA-GigabitEthernet0/2] ipsec policy map1 2.
# Configure the IP address for GigabitEthernet 0/2. [FirewallB] interface gigabitethernet 0/2 [FirewallB-GigabitEthernet0/2] ip address 2.2.3.1 255.255.255.0 # Apply the IPsec policy group to the interface. [FirewallB-GigabitEthernet0/2] ipsec policy use1 3. Verify the configuration: After the configuration, an IPsec tunnel between Firewall A and Firewall B should be established, and the traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 should be IPsec protected.
# Apply the ACL. [FirewallA-ipsec-policy-isakmp-map1-10] security acl 3101 # Apply the IKE peer. [FirewallA-ipsec-policy-isakmp-map1-10] ike-peer peer [FirewallA-ipsec-policy-isakmp-map1-10] quit # Configure the IP address for GigabitEthernet 0/2. [FirewallA] interface gigabitethernet 0/2 [FirewallA-GigabitEthernet0/2] ip address 2.2.2.1 255.255.255.0 # Apply the IPsec policy group to the interface. [FirewallA-GigabitEthernet0/2] ipsec policy map1 2.
[FirewallB-GigabitEthernet0/2] ip address 2.2.3.1 255.255.255.0 # Apply the IPsec policy group to the interface. [FirewallB-GigabitEthernet0/2] ipsec policy use1 3. Verify the configuration: After the configuration, IKE negotiation will be triggered to set up SAs when there is traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. If IKE negotiation is successful and SAs are set up, the traffic between the two subnets will be IPsec protected.
# Create an IPsec transform set named method1. This IPsec transform set uses the default settings: the security protocol of ESP, the encryption algorithm of DES, and the authentication algorithm of MD5.
[FirewallB-ike-peer-btoa] quit # Create an IPsec transform set named method1. This IPsec transform set uses the default settings: the security protocol of ESP, the encryption algorithm of DES, and the authentication algorithm of MD5.
total phase-1 SAs: 1
connection-id   peer       flag   phase   doi
----------------------------------------------------------
2               1.1.1.2    RD     2       IPSEC
1               1.1.1.2    RD     1       IPSEC
flag meaning: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
# Display the IPsec SA information on Firewall B.
PING 172.17.17.1: 56 data bytes, press CTRL_C to break
Reply from 172.17.17.1: bytes=56 Sequence=1 ttl=255 time=15 ms
Reply from 172.17.17.1: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 172.17.17.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 172.17.17.1: bytes=56 Sequence=4 ttl=255 time=5 ms
Reply from 172.17.17.1: bytes=56 Sequence=5 ttl=255 time=4 ms
--- 172.17.17.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
[FirewallA-GigabitEthernet0/1] ripng 1 enable [FirewallA-GigabitEthernet0/1] quit # Create an IPsec transform set named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1-HMAC-96.
# Create an IPsec policy named policy001, specify the manual mode for it, configure the SPIs of the inbound and outbound SAs as 123456, and the keys for the inbound and outbound SAs using ESP as abcdefg.
After the configuration, Firewall A, Firewall B, and Firewall C learn IPv6 routing information through RIPng. SAs are set up successfully, and the IPsec tunnel between two peers is up for protecting the RIPng packets. # Execute the display ripng command on Firewall A to view the running status and configuration information of the specified RIPng process. The output shows that IPsec policy policy001 is applied to this process successfully.
IPsec RRI configuration example Network requirements As shown in Figure 131, configure an IPsec tunnel between Firewall A and Firewall B to protect the traffic between the headquarters and the branch. Configure the tunnel to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96. Use IKE for automatic SA negotiation. Configure IPsec RRI on Firewall A to automatically create a static route to the branch based on the established IPsec SAs.
# Set the pre-shared key. [FirewallA-ike-peer-peer] pre-shared-key abcde # Specify the IP address of the peer security gateway. [FirewallA-ike-peer-peer] remote-address 2.2.2.2 [FirewallA-ike-peer-peer] quit # Create an IPsec policy that uses IKE. [FirewallA] ipsec policy map1 10 isakmp # Reference IPsec transform set tran1. [FirewallA-ipsec-policy-isakmp-map1-10] transform-set tran1 # Reference ACL 3101 to identify the protected traffic.
[FirewallB-ike-peer-peer] quit # Create an IPsec policy that uses IKE. [FirewallB] ipsec policy use1 10 isakmp # Reference ACL 3101 to identify the protected traffic. [FirewallB-ipsec-policy-isakmp-use1-10] security acl 3101 # Reference IPsec transform set tran1. [FirewallB-ipsec-policy-isakmp-use1-10] transform-set tran1 # Reference IKE peer peer.
• On Firewall A and Firewall B, add the uplink interface to VRRP group 2 and the downlink interface to VRRP group 1, and assign the virtual IP address 192.168.0.1/24 to VRRP group 2 and the virtual IP address 10.1.1.1/24 to VRRP group 1. • Use Firewall A as the master device to establish an IPsec tunnel with Firewall C and make sure that Firewall B takes over when Firewall A fails. Figure 132 Network diagram (Host A: IP 10.1.1.2/24, gateway 10.1.1.1; virtual IP address 1: 10.1.1.1/24 on the GE0/1 downlink interfaces)
Figure 133 Configuring a backup interface Figure 134 Configuring stateful failover 2. Configure VRRP: # Create VRRP group 1 and assign a virtual IP address to the group. system-view [FirewallA] interface gigabitethernet 0/1 [FirewallA-GigabitEthernet0/1] vrrp vrid 1 virtual-ip 10.1.1.1 # Set the priority of Firewall A in VRRP group 1 to 150.
the priority value of Firewall B so Firewall B can become the master. In this example, the priority value decrement is 60. [FirewallA-GigabitEthernet0/1] vrrp vrid 1 track interface gigabitethernet 0/2 reduced 60 [FirewallA-GigabitEthernet0/1] quit # Create VRRP group 2 and assign a virtual IP address to the group. [FirewallA] interface gigabitethernet 0/2 [FirewallA-GigabitEthernet0/2] vrrp vrid 2 virtual-ip 192.168.0.1 # Set the priority of Firewall A in VRRP group 2 to 150.
[FirewallA] ipsec policy map1 10 isakmp # Reference IPsec transform set tran1. [FirewallA-ipsec-policy-isakmp-map1-10] transform-set tran1 # Reference ACL 3101. [FirewallA-ipsec-policy-isakmp-map1-10] security acl 3101 # Reference IKE peer branch. [FirewallA-ipsec-policy-isakmp-map1-10] ike-peer branch [FirewallA-ipsec-policy-isakmp-map1-10] quit # Apply IPsec policy group map1 to interface GigabitEthernet0/2.
[FirewallB-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255 [FirewallB-acl-adv-3101] quit # Configure a static route to Host B. [FirewallB] ip route-static 10.2.2.0 255.255.255.0 192.168.0.2 # Create IPsec transform set tran1. [FirewallB] ipsec transform-set tran1 # Configure the IPsec transform set to use the tunnel encapsulation mode.
# Create IPsec transform set tran1. [FirewallC] ipsec transform-set tran1 # Configure the IPsec transform set to use the tunnel encapsulation mode. [FirewallC-ipsec-transform-set-tran1] encapsulation-mode tunnel # Configure the IPsec transform set to use the ESP security protocol. [FirewallC-ipsec-transform-set-tran1] transform esp # Configure ESP to use the DES encryption algorithm and the SHA1 authentication algorithm.
acl version: ACL4
mode: isakmp
-----------------------------
connection id: 20000
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 192.168.0.1
remote address: 192.168.0.2
flow:
sour addr: 10.1.1.0/0.0.0.255 port: 0 protocol: IP
dest addr: 10.2.2.0/0.0.0.
sequence number: 10
mode: isakmp
-----------------------------
connection id: 20000
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 192.168.0.1
remote address: 192.168.0.2
flow:
sour addr: 10.1.1.0/0.0.0.255 port: 0 protocol: IP
dest addr: 10.2.2.0/0.0.0.
Using a wizard to configure an IPsec VPN IPsec VPN policy can be configured only in the Web interface. The IPsec VPN policy configuration wizard provides a way to easily configure IPsec VPNs. For more information about IPsec and IKE, see "Configuring IPsec" and "Configuring IKE." IPsec VPN supports two networking modes: center-branch mode and peer-peer mode. • Center-branch mode applies to one-to-many networks as shown in Figure 135.
Figure 137 IPsec VPN policy configuration wizard: 1/4 (center node) 4. Click Next. Figure 138 IPsec VPN policy configuration wizard: 2/4 (center node) 5. Perform configuration as described in Table 14.
Table 14 Configuration items Item Description Enter the name for the IPsec VPN. IMPORTANT: If you enter abc here, the wizard creates an IKE peer named abc_peer, an IPsec proposal named abc_prop, an IPsec template named abc_temp and numbered 1, and an IPsec policy named abc_poli and numbered 1. The IKE peer and IPsec proposal are referenced in the IPsec template, and the template is referenced in the IPsec policy.
Table 15 Configuration items Item Description Select the encryption suite for the IPsec proposal. An encryption suite specifies the IP packet encapsulation mode, security protocol, and authentication and encryption algorithms to be used. Options include: • TUNNEL-ESP-SHA1-3DES—Uses the tunnel mode for IP packet encapsulation, ESP for packet protection, SHA1 for authentication, and 3DES for encryption.
9. Click Finish to complete the configuration. The system jumps to the page that you can enter by selecting VPN > IPSec > IPSec Application from the navigation tree. Configuring a branch node 1. From the navigation tree, select Wizard to enter the Configuration Wizard page. 2. Click the IPSec VPN Deployment hyperlink to enter the first page of the IPsec VPN policy configuration page. 3. Select Branch Node from the first page of the IPsec VPN policy configuration wizard.
Figure 142 IPsec VPN policy configuration wizard: 2/4 (branch node) 5. Perform configuration as described in Table 16. Table 16 Configuration items Item Description Enter the name for the IPsec VPN. IMPORTANT: IPSec VPN Name If you enter abc here, the wizard creates an IKE peer named abc_peer, an IPsec proposal named abc_prop, and an IPsec policy named abc_poli and numbered 1. The IKE peer and IPsec proposal are referenced in the IPsec policy.
Figure 143 IPsec VPN policy configuration wizard: 3/4 (branch node) 7. Perform configuration as described in Table 17. Table 17 Configuration items Item Description Source IP Address/Wildcard Specify the traffic to be protected by giving the source IP address and wildcard, destination IP address and wildcard, and the protocol type.
Item: Pre-Shared Key / PKI Domain. Description: Select the authentication method for IKE negotiation and specify the required parameter. Options include: • Pre-Shared Key—Uses the pre-shared key authentication method. • PKI Domain—Uses the RSA signature authentication method. Available PKI domains are those configured by selecting VPN > Certificate Manager > Domain from the navigation tree. IMPORTANT: If you select PKI Domain, you create an IKE proposal numbered 1.
Item: DPD. Description: Select this box to enable DPD.
3. Select Peer Node from the first page of the IPsec VPN policy configuration wizard. Figure 145 IPsec VPN policy configuration wizard: 1/4 (peer node) 4. Click Next.
5. Perform configuration as described in Table 18. Table 18 Configuration items Item Description Enter the name for the IPsec VPN. IMPORTANT: IPSec VPN Name If you enter abc here, the wizard creates an IKE peer named abc_peer, an IPsec proposal named abc_prop, and an IPsec policy named abc_poli and numbered 1. The IKE peer and IPsec proposal are referenced in the IPsec policy. IPSec Interface Select the interface to which you want to apply the IPsec policy.
Table 19 Configuration items Item Description Source IP Address/Wildcard Specify the traffic to be protected by giving the source IP address and wildcard, destination IP address and wildcard, and the protocol type. Destination IP Address/Wildcard Protocol Type IMPORTANT: Based on these settings, the wizard creates an advanced ACL that permits packets matching these criteria and applies this ACL to the IPsec policy. The ACL number is the smallest available number in the range 3000 to 3999.
Figure 148 IPsec VPN policy configuration wizard: 4/4 (peer node) 9. Click Finish to complete the configuration. The system jumps to the page that you can enter by selecting VPN > IPSec > IPSec Application from the navigation tree.
Configuring L2TP

The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules.

Overview

A virtual private dialup network (VPDN) is a VPN utilizing the dial-up function of public networks such as ISDN or PSTN networks to provide access services for enterprises, small ISPs, and telecommuters. VPDN provides an economical and effective point-to-point method for remote users to connect to their home LANs.
• LAC—An L2TP access concentrator (LAC) is a device with PPP and L2TP capabilities. It is usually a NAS located at a local ISP, which provides access services mainly for PPP users. An LAC is an endpoint of an L2TP tunnel and lies between an LNS and a remote system. It encapsulates packets received from a remote system using L2TP and then sends the resulting packets to the LNS. It de-encapsulates packets received from the LNS and then sends the resulting packets to the intended remote system.
L2TP tunnel and session The following types of connections are present between an LNS and an LAC: • Tunnel—A tunnel corresponds to a LNS-LAC pair, and comprises a control connection and one or more sessions. • Session—A session corresponds to one PPP data stream between an LNS and a LAC and is multiplexed on a tunnel. A session can be set up only after the tunnel is created. Multiple L2TP tunnels can be established between an LNS and an LAC.
establish an L2TP tunnel for the virtual PPP user. When a remote system accesses the internal network, the LAC forwards data through the L2TP tunnel. In this mode, the connection between a remote system and the LAC is not confined to a dial-up connection and can be any IP-based connection.

Figure 154 LAC-auto-initiated tunneling mode

L2TP tunnel establishment process

Figure 155 Typical L2TP network

Figure 156 shows an L2TP call's setup procedure in NAS-initiated mode.
Figure 156 L2TP call setup procedure (participants: remote system Host A, LAC Router A, LAC RADIUS server, LNS Router B, LNS RADIUS server)
(1) Call setup
(2) PPP LCP setup
(3) PAP or CHAP authentication
(4) Access request
(5) Access accept
(6) Tunnel setup
(7) CHAP authentication (challenge/response)
(8) Authentication passes
(9) User CHAP response, PPP negotiation parameter
(10) Access request
(11) Access accept
(12) CHAP authentication twice (challenge/response)
(13) Access request
(14) Access accept
(15) Authentication
15. The LNS assigns an internal IP address to the remote user. The user can now access the internal resources of the enterprise network. L2TP features • Flexible identity authentication mechanism and high security—L2TP by itself does not provide security for connections. However, it has all the security features of PPP and allows for PPP authentication (CHAP or PAP). L2TP can also cooperate with IPsec to guarantee data security, strengthening the resistance of tunneled data to attacks.
Table 20 Recommended L2TP configuration procedure
Step 1. Enabling L2TP
  Remarks: Required. By default, L2TP is disabled.
Step 2. Adding an L2TP group
  Remarks: Required. Create an L2TP group and configure L2TP group related parameters. By default, no L2TP group is created.
Step 3. Displaying L2TP tunnel information
  Remarks: Optional. View the L2TP tunnel information.

Enabling L2TP
1. Select VPN > L2TP > L2TP Config from the navigation tree to enter the L2TP configuration page, as shown in Figure 157.
2.
• The system automatically creates a virtual template (VT) interface whose number is the L2TP group ID minus 1. After an L2TP session is established, the LNS creates a virtual access (VA) interface based on the configuration parameters of the VT interface for data exchange with the peer. An LNS can use different VA interfaces to exchange data with different LACs.
NOTE: You cannot add an L2TP group whose VT interface already exists.
Figure 159 Advanced Configuration page

3. Configure L2TP group information, as described in Table 21.
4. Click Apply.

Table 21 Configuration items
Item: L2TP Group Name
Description: Specify the name of the L2TP group.
Item: Peer Tunnel Name
Description: Specify the name of the tunnel peer. When receiving a tunneling request, an LNS determines whether to grant the tunneling request by checking whether the name of the LAC (tunnel peer) matches the one configured.
Item: Local Tunnel Name
Description: Specify the local tunnel name.
Item: Authentication Method (PPP Authentication Configuration)
Description: Select the authentication method for PPP users on the local end. You can select None, PAP, or CHAP. None means no authentication is performed.
Item: ISP Domain
Description: Specify the ISP domain for PPP user authentication. You can add an ISP domain and modify or delete a selected ISP domain by using the Add, Modify, and Delete buttons.
After the LAC authenticates the client, the LNS may re-authenticate the client for higher security. In this case, an L2TP tunnel can be set up only when both authentications succeed. On an L2TP network, an LNS authenticates users in three ways: mandatory CHAP authentication, LCP renegotiation, and proxy authentication.
Configuring an ISP domain
1. Click Add for ISP Domain in Figure 158.

Figure 160 Adding an ISP domain

2. Configure the ISP domain name, authentication/authorization/accounting methods, and maximum number of users, as described in Table 22.
3. Click Apply.

Table 22 Configuration items
Item: ISP Domain
Description: Specify the name of the ISP domain.
Select the authentication server type for PPP users:
• None—All users are trusted and no authentication is performed. This method is not recommended.
Item: Authorization Methods (Server Type, Primary/Backup Scheme)
Description: Select the authorization server type for PPP users.
• None—No authorization exchange is performed. Every user is trusted and has the corresponding default rights of the system.
• Local—Uses local authorization.
• RADIUS—Uses RADIUS authorization.
• HWTACACS—Uses HWTACACS authorization.
If you do not select any authorization method, the default authorization method of the ISP domain is used, which is Local by default.
Specifying an IP address pool
1. Click Add for User Address in Figure 158.

Figure 161 Adding an address pool

2. Specify an address pool for assigning IP addresses to PPP users, as described in Table 23.
3. Click Apply.

Table 23 Configuration items
Item: ISP Domain
Description: Select the ISP domain for the IP address pool to be created. If no ISP domain is specified, the address pool is used to allocate IP addresses to PPP users that do not need authentication.
Table 24 L2TP tunnel information
Local Tunnel ID: Local ID of the tunnel.
Peer Tunnel ID: Peer ID of the tunnel.
Peer Tunnel Port: Peer port of the tunnel.
Peer Tunnel IP: Peer IP address of the tunnel.
Session Count: Number of sessions on the tunnel.
Peer Tunnel Name: Peer name of the tunnel.

Client-initiated VPN configuration example

Network requirements
As shown in Figure 163, a VPN user and the corporate headquarters communicate in the following steps:
1.
3. Create a local user:
   a. Select User > Local User from the navigation tree.
   b. Click Add.
   c. Enter vpdnuser as the user name, select PPP as the service type, enter Hello as the password, and enter Hello to confirm the password, as shown in Figure 164.
   d. Click Apply.

Figure 164 Adding a local user

4. Enable L2TP:
   a. Select VPN > L2TP > L2TP Config from the navigation tree.
   b. Select the Enable L2TP box, as shown in Figure 165.
   c. Click Apply.

Figure 165 Enable L2TP

5. Add an L2TP group:
   a.
Figure 166 Configuring local authentication method for VPN users

   e. Enter 192.168.0.1/255.255.255.0 as the PPP server IP address/mask, and select Trust from the PPP Server Zone list. (Select a security zone according to your network configuration.)
   f. Click the Add button for User Address, select system as the ISP domain name, enter 1 as the IP address pool number, and enter the start IP address 192.168.0.2 and the end IP address 192.168.0.100.
   g.
Figure 168 L2TP group configurations

Verifying the configuration
1. On the user host, initiate an L2TP connection to the LNS. The host gets an IP address (192.168.0.2) and is able to ping the private address of the LNS (192.168.0.1).
2. On the LNS, select VPN > L2TP > Tunnel Info from the navigation tree. Information about the established L2TP tunnel appears, as shown in Figure 169.
1. Determine the network devices needed according to the networking environment. For NAS-initiated mode and LAC-auto-initiated mode, configure both the LAC and the LNS. For client-initiated mode, you only need to configure the LNS. 2. Configure the devices accordingly based on the intended role (LAC or NAS) on the network.
Task: Configuring L2TP tunnel authentication
Task: Configuring L2TP connection parameters
  Setting the hello interval (Remarks: Optional.)
  Enabling tunnel flow control
  Disconnecting tunnels by force

Configuring basic L2TP capability

An L2TP group is intended to represent a group of parameters and corresponds to one VPN user or one group of VPN users. This enables not only flexible L2TP configuration on devices, but also one-to-one and one-to-many networking applications for LACs and LNSs.
Step 2. Enter L2TP group view.
  Command: l2tp-group group-number
Step 3. Enable the device to initiate tunneling requests to one or more IP addresses for one or more specified VPN users.
  Command: start l2tp { ip ip-address }&<1-5> { domain domain-name | fullusername user-name }

Configuring an LAC to transfer AVP data in hidden mode

With L2TP, some parameters are transferred as AVP data. To improve security, you can configure an LAC to transfer AVP data in hidden mode, that is, to encrypt AVP data before transmission.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a local user and enter its view.
  Command: local-user username
Step 3. Configure a password for the local user.
  Command: password [ { cipher | simple } password ]
  Remarks (steps 2 and 3): By default, no local user or password is configured on an LAC.
Step 4. Authorize the user to use the PPP service.
  Command: service-type ppp
  Remarks: N/A
Step 5. Return to system view.
  Command: quit
  Remarks: N/A
Step 6. Create an ISP domain and enter its view.
  Command: domain isp-name
  Remarks: N/A
Step 7.
Step 3. Assign an IP address to the VT interface or enable IP address negotiation so that the VT interface accepts the IP address negotiated with the peer.
  Command: ip address address mask, or ip address ppp-negotiate
  Remarks: Use either command. By default, no IP address is assigned.
Step 4. Configure the authentication method for the LAC to use to authenticate the virtual PPP user.
  Command: ppp authentication-mode { chap | pap } * [ domain isp-name ]
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a VT interface and enter its view.
  Command: interface virtual-template virtual-template-number
  Remarks: By default, no VT interface exists.

Configuring the local address and the address pool for allocation

After an L2TP tunnel is set up between an LAC and an LNS, the LNS needs to assign an IP address to a VPN user. For this purpose, you can directly specify an IP address, or specify an address pool.
Step 3. Specify the VT interface for receiving calls, the tunnel name on the LAC, and the domain name.
  Command:
  • If the L2TP group number is 1 (the default): allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ]
  • If the L2TP group number is not 1: allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ]
  Remarks: Use either command. By default, an LNS denies all incoming calls.
Step 3. Configure mandatory CHAP authentication.
  Command: mandatory-chap
  Remarks: By default, CHAP authentication is not performed on an LNS.

Configuring LCP renegotiation

In a NAS-initiated dial-up VPDN, a user first negotiates with the NAS at the start of a PPP session. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends user information to the LNS. The LNS then determines whether the user is valid according to the proxy authentication information received.
those locally configured for VPN users. If an L2TP group's tunnel peer name and domain name match, the LNS establishes a session according to the group configuration. Thus, different sessions can be established for VPN users of different domains. If multiple L2TP groups on the LNS are configured with the same remote tunnel name, make sure that their tunnel authentication settings are the same. Mismatching tunnel authentication keys will result in tunnel establishment failure.
Step 2. Enter L2TP group view.
  Command: l2tp-group group-number
  Remarks: N/A
Step 3. Set the hello interval.
  Command: tunnel timer hello hello-interval
  Remarks: Optional. 60 seconds by default.

Enabling tunnel flow control

The L2TP tunnel flow control function controls data packet transmission by buffering and reordering data packets that arrive out of order.

To enable tunnel flow control:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter L2TP group view.
  Command: l2tp-group group-number
  Remarks: N/A
Step 3.
Configuration example for NAS-initiated VPN Network requirements As shown in Figure 170, a VPN user accesses the corporate headquarters in the following procedure: 1. The user dials in to the NAS (LAC). 2. The NAS determines whether the user is a valid VPN client. If so, it initiates a tunneling request to the LNS. 3. After a tunnel is set up between the NAS and the LNS, the NAS transfers the results of its negotiation with the VPN user to the LNS. 4.
# Create a local user named vpdnuser, set the password, and enable the PPP service. The username and password must match those configured on the client.
<LNS> system-view
[LNS] local-user vpdnuser
[LNS-luser-vpdnuser] password simple Hello
[LNS-luser-vpdnuser] service-type ppp
[LNS-luser-vpdnuser] quit
# Configure local authentication for the VPN user.
[LNS] domain system
[LNS-isp-system] authentication ppp local
[LNS-isp-system] ip pool 1 192.168.0.2 192.168.0.100
[LNS-isp-system] quit
# Enable L2TP.
Configuration example for client-initiated VPN Network requirements As shown in Figure 171, a VPN user accesses the corporate headquarters in the following procedure: 1. Configure an IP address and route for the user host, making sure that the host is reachable to the LNS. 2. The user initiates a tunneling request to the LNS. 3. After the LNS accepts the connection request, an L2TP tunnel is set up between the LNS and the VPN user. 4. The VPN user communicates with the headquarters over the tunnel.
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1
2. Configure the VPN user host:
   • Configure the IP address of the user host as 2.1.1.1, and configure a route to the LNS (1.1.2.2).
   • Create a virtual private network connection by using the Windows system, or install the L2TP client software, such as WinVPN Client.
   • Complete the following configuration procedure (the procedure depends on the client software):
     # Specify the VPN username as vpdnuser and the password as Hello.
Figure 172 Network diagram

Configuration procedure
1. Configure the LNS:
# Configure IP addresses for interfaces. (Details not shown.)
# Create a local user, configure a username and password for the user, and specify the service type as PPP.
<LNS> system-view
[LNS] local-user vpdnuser
[LNS-luser-vpdnuser] password simple Hello
[LNS-luser-vpdnuser] service-type ppp
[LNS-luser-vpdnuser] quit
# Configure a VT interface.
[LNS] interface virtual-template 1
[LNS-virtual-template1] ip address 192.168.0.20 255.
[LAC] l2tp enable
[LAC] l2tp-group 1
# Configure the local tunnel name and specify the IP address of the tunnel peer (LNS).
[LAC-l2tp1] tunnel name LAC
[LAC-l2tp1] start l2tp ip 3.3.3.2 fullusername vpdnuser
# Enable tunnel authentication and configure the authentication key.
[LAC-l2tp1] tunnel authentication
[LAC-l2tp1] tunnel password simple aabbcc
[LAC-l2tp1] quit
# Configure the PPP authentication method PAP, authentication username vpdnuser, and password Hello for the virtual PPP user.
PING 10.2.0.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.0.1: bytes=56 Sequence=1 ttl=255 time=2 ms
Reply from 10.2.0.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 10.2.0.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 10.2.0.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.2.0.1: bytes=56 Sequence=5 ttl=255 time=2 ms
--- 10.2.0.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
[LAC-luser-vpdn2] service-type ppp
[LAC-luser-vpdn2] quit
# Configure local authentication for the users.
[LAC] domain aaa.net
[LAC-isp-aaa.net] authentication ppp local
[LAC-isp-aaa.net] quit
[LAC] domain bbb.net
[LAC-isp-bbb.net] authentication ppp local
[LAC-isp-bbb.net] quit
# Configure PPPoE servers on interface GigabitEthernet 0/1 and GigabitEthernet 0/3.
# Enable L2TP for VPNs.
[LNS] l2tp enable
# Create two local users, set the passwords, and enable the PPP service.
[LNS] local-user vpdn1
[LNS-luser-vpdn1] password simple 11111
[LNS-luser-vpdn1] service-type ppp
[LNS-luser-vpdn1] quit
[LNS] local-user vpdn2
[LNS-luser-vpdn2] password simple 22222
[LNS-luser-vpdn2] service-type ppp
[LNS-luser-vpdn2] quit
# Specify the IP address of GigabitEthernet 0/1, through which the LNS connects to the tunnel, as 1.1.2.2.
[LNS-l2tp4] tunnel password simple 12345
If RADIUS authentication is required on the LNS, modify the AAA configurations as needed. For AAA configuration details, see Access Control Configuration Guide.
3. Configure the users:
   Create a dial-up connection on each host:
   • On Host A, enter vpdn1@aaa.net as the username and 11111 as the password in the dial-up terminal window.
   • On Host B, enter vpdn2@aaa.net as the username and 22222 as the password in the dial-up terminal window.
4.
Analysis and solution
Possible reasons for login failure include:
• Tunnel setup failure, which might occur in the following cases:
  • The address of the LNS is set incorrectly on the LAC.
  • No L2TP group is configured on the LNS (usually a router) to receive calls from the tunnel peer. For details, see the description of the allow command.
  • Tunnel authentication fails.
Managing certificates

Overview

The PKI uses a general security infrastructure to provide information security through public key technologies. PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt the data. The key pair consists of a private key and a public key. The private key must be kept secret but the public key needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other. A key problem with PKI is how to manage the public keys.
CA policy A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email.
PKI operation In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check the validity of certificates. Here is how it works: 1. An entity submits a certificate request to the RA. 2. The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. 3. The CA verifies the digital signature, approves the application, and issues a certificate. 4.
Configuring PKI in the Web interface Recommended configuration procedure The device supports the following PKI certificate request modes: • Manual—In manual mode, you need to manually retrieve the CA certificate, generate a local RSA key pair, and submit a local certificate request for an entity.
Step 4. Retrieving the CA certificate
  Remarks: Required. Obtain the CA certificate and save it locally. For more information, see "Retrieving and displaying a certificate." Certificate retrieval serves the following purposes:
  • Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
  • Prepare for certificate verification.
  IMPORTANT: If a local CA certificate already exists, you cannot perform the CA certificate retrieval operation.
Recommended configuration procedure for automatic request
Step 1. Creating a PKI entity
  Remarks: Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the DN shows the identity information of the entity. A CA identifies a certificate applicant uniquely by an entity DN. The DN settings of an entity must comply with the CA certificate issue policy.
Figure 175 PKI entity list

2. Click Add.

Figure 176 PKI entity configuration page

3. Configure the parameters, as described in Table 25.
4. Click Apply.

Table 25 Configuration items
Item: Entity Name
Description: Enter the name for the PKI entity.
Item: Common Name
Description: Enter the common name for the entity.
Item: IP Address
Description: Enter the IP address of the entity.
Item: FQDN
Description: Enter the FQDN for the entity. An FQDN is a unique identifier of an entity on the network.
Item: Organization Unit
Description: Enter the unit name for the entity.

Creating a PKI domain
1. From the navigation tree, select VPN > Certificate Management > Domain.

Figure 177 PKI domain list

2. Click Add.

Figure 178 PKI domain configuration page

3. Configure the parameters, as described in Table 26.
4. Click Apply.

Table 26 Configuration items
Item: Domain Name
Description: Enter the name for the PKI domain.
Item: CA Identifier
Description: Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate registration, distribution, revocation, and query.
IMPORTANT:
• In offline mode, this item is optional. In other modes, this item is required.
• The CA identifier is required only when you retrieve a CA certificate. It is not used during local certificate request.
Select the local PKI entity.
Item: Fingerprint Hash
Description: Specify the fingerprint used for verifying the CA root certificate. After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.
Hardware: VPN firewall modules; Upper limit: 32
Hardware: 20-Gbps VPN firewall modules; Upper limit: 2

Generating an RSA key pair
1. From the navigation tree, select VPN > Certificate Management > Certificate.

Figure 179 Certificate list

2. Click Create Key.

Figure 180 RSA key pair generation page

3. Enter the key length.
4. Click Apply.

Requesting a local certificate
1. From the navigation tree, select VPN > Certificate Management > Certificate.
2. Click Request Cert.
Figure 181 Local certificate request page

3. Configure the parameters, as described in Table 27.
4. Click Apply.

Table 27 Configuration items
Item: Domain Name
Description: Select the PKI domain for the certificate.
Item: Password
Description: Enter the password for certificate revocation.
Click this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.
Figure 183 RSA key pair destruction page Retrieving and displaying a certificate You can retrieve an existing CA certificate or local certificate from the CA server and save it locally. To do so, you can use offline mode or online mode. In offline mode, you must retrieve a certificate by an out-of-band means like FTP, disk, email and then import it to the device. By default, the retrieved certificate is saved in a file under the root directory of the device, and the file name is domain-name_ca.
Item: Password
Description: Enter the password for protecting the private key, which was specified when the certificate was exported.

After retrieving the certificate, click View Cert for the certificate to display its information.

Figure 185 Certificate information

Retrieving and displaying a CRL
1. From the navigation tree, select VPN > Certificate Management > CRL.
2. Click Retrieve CRL to retrieve the CRL of a domain.
Figure 187 CRL information

Certificate request from a Windows 2003 CA server configuration example

Network requirements
As shown in Figure 188, configure the firewall to work as the PKI entity, so that:
• The firewall submits a local certificate request to the CA server, which runs the Windows 2003 server operating system.
• The firewall retrieves CRLs for certificate verification.

Figure 188 Network diagram

Configuring the CA server
1. Install the CA server component:
   a.
d. Click Next to begin the installation. 2. Install the SCEP add-on: Because a CA server running Windows 2003 server operating system does not support SCEP by default, you must install the SCEP add-on to provide the firewall with automatic certificate registration and retrieval. After the add-on is installed, a prompt dialog box appears, displaying the URL of the registration server configured on the firewall. 3. Modify the certificate service properties: a.
Figure 189 Creating a PKI entity 2. Create a PKI domain: a. From the navigation tree, select VPN > Certificate Management > Domain. b. Click Add. c. In the upper area of the page, enter torsa as the PKI domain name, enter CA server as the CA identifier, select aaa as the local entity, select RA as the authority for certificate request, enter http://4.4.4.1:8080/certsrv/mscep/mscep.dll as the URL for certificate request (the URL must be in the format of http://host:port/certsrv/mscep/mscep.
Figure 190 Creating a PKI domain 3. Generate an RSA key pair: a. From the navigation tree, select VPN > Certificate Management > Certificate. b. Click Create Key. c. Enter 1024 as the key length. d. Click Apply to generate an RSA key pair. Figure 191 Generating an RSA key pair 4. Retrieve the CA certificate: a. From the navigation tree, select VPN > Certificate Management > Certificate. b. Click Retrieve Cert. c. Select torsa as the PKI domain, select CA as the certificate type, and click Apply.
5. Request a local certificate: a. From the navigation tree, select VPN > Certificate Management > Certificate. b. Click Request Cert. c. Select torsa as the PKI domain, and click Apply. d. The system displays "Certificate request has been submitted." e. Click OK to confirm. Figure 193 Requesting a certificate Verifying the configuration 1. From the navigation tree, select VPN > Certificate Management > Certificate. 2.
Figure 194 Detailed information about the local certificate
Certificate request from an RSA Keon CA server configuration example Network requirements As shown in Figure 195, configure the firewall working as the PKI entity, so that: • The firewall submits a local certificate request to the CA server, which runs the RSA Keon software. • The firewall retrieves CRLs for certificate verification. Figure 195 Network diagram Configuring the CA server 1. Create a CA server named myca.
Figure 196 Creating a PKI entity 2. Create a PKI domain: a. From the navigation tree, select VPN > Certificate Management > Domain. b. Click Add. c. In the upper area of the page, enter torsa as the PKI domain name, enter myca as the CA identifier, select aaa as the local entity, select CA as the authority for certificate request, enter http://4.4.4.
Figure 197 Creating a PKI domain 3. Generate an RSA key pair: a. From the navigation tree, select VPN > Certificate Management > Certificate. b. Click Create Key. c. Enter 1024 as the key length. d. Click Apply to generate an RSA key pair. Figure 198 Generating an RSA key pair 4. Retrieve the CA certificate: a. From the navigation tree, select VPN > Certificate Management > Certificate. b. Click Retrieve Cert. c. Select torsa as the PKI domain, select CA as the certificate type, and click Apply.
Figure 199 Retrieving the CA certificate 5. Request a local certificate: a. From the navigation tree, select VPN > Certificate Management > Certificate. b. Click Request Cert. c. Select torsa as the PKI domain, select Password and then enter "challenge-word" as the password, and click Apply. d. The system displays "Certificate request has been submitted." e. Click OK to confirm. Figure 200 Requesting a certificate 6. Retrieve the CRL: a.
IKE negotiation with RSA digital signature configuration example Network requirements An IPsec tunnel is set up between Firewall A and Firewall B to secure the traffic between Host A on subnet 10.1.1.0/24 and Host B on subnet 11.1.1.0/24. Firewall A and Firewall B use IKE for IPsec tunnel negotiation and RSA digital signature of a PKI certificate system for identity authentication. Firewall A and Firewall B use different CAs. They may also use the same CA as required.
Figure 203 Creating a PKI entity 2. Create a PKI domain: a. From the navigation tree, select VPN > Certificate Management > Domain. b. Click Add. c. In the upper area of the page, enter 1 as the PKI domain name, enter CA1 as the CA identifier, select en as the local entity, select RA as the authority for certificate request, enter http://1.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request (the RA URL given here is just an example. Configure the RA URL as required), enter 1.1.1.
Figure 204 Creating a PKI domain 3. Generate an RSA key pair: a. From the navigation tree, select VPN > Certificate Management > Certificate. b. Click Create Key. c. Enter 1024 as the key length. d. Click Apply to generate an RSA key pair. Figure 205 Generating an RSA key pair 4. Retrieve the CA certificate: a. From the navigation tree, select VPN > Certificate Management > Certificate. b. Click Retrieve Cert. c. Select 1 as the PKI domain, select CA as the certificate type, and click Apply.
Figure 206 Retrieving the CA certificate 5. Request a local certificate: a. From the navigation tree, select VPN > Certificate Management > Certificate. b. Click Request Cert. c. Select 1 for the PKI domain, and click Apply. d. The system displays "Certificate request has been submitted." e. Click OK to confirm. Figure 207 Requesting a local certificate 6. Retrieve the CRL: a. After retrieving a local certificate, select VPN > Certificate Management > CRL from the navigation tree. b.
Figure 209 Creating an IKE proposal 8. Configure an IKE peer and reference the configuration of the PKI domain for the IKE peer: a. From the navigation tree, select VPN > IKE > Peer. b. Click Add. c. Enter peer as the peer name, select PKI Domain and then select the PKI domain of 1, and click Apply.
Configuring Firewall B The configuration for Firewall B is similar to that for Firewall A. 1. Create a PKI entity: a. From the navigation tree, select VPN > Certificate Management > Entity. b. Click Add. c. Enter en as the PKI entity name, enter device-b as the common name, enter 3.3.3.1 as the IP address of the entity, and click Apply. 2. Create a PKI domain: a. From the navigation tree, select VPN > Certificate Management > Domain. b. Click Add. c. The configuration page appears. d.
b. Click Retrieve CRL corresponding to PKI domain 1. 7. Configure IKE proposal 1, using RSA signature for identity authentication: a. From the navigation tree, select VPN > IKE > Proposal. b. Click Add. c. Enter 1 as the IKE proposal number, select RSA Signature as the authentication method, and click Apply. 8. Configure an IKE peer and reference the configuration of the PKI domain for the IKE peer: a. From the navigation tree, select VPN > IKE > Peer. b. Click Add. c.
• FQDN of the entity, a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www is a host name and whatever.com a domain name. • IP address of the entity. • Locality where the entity resides. • Organization to which the entity belongs. • Unit of the entity in the organization. • State where the entity resides.
Configuring a PKI domain Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance. The PKI domain configured on a device is invisible to the CA and other devices, and each PKI domain has its own parameters.
7. Configure the polling interval and attempt limit for querying the certificate request status.
   Command: certificate request polling { count count | interval minutes }
   Remarks: Optional. By default, the polling is executed up to 50 times at an interval of 20 minutes.
8. Specify the LDAP server.
   Command: ldap-server ip ip-address [ port port-number ] [ version version-number ]
   Remarks: Optional.
9. Configure the fingerprint for root certificate verification.
To configure automatic certificate request:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter PKI domain view.
   Command: pki domain domain-name
   Remarks: N/A
3. Set the certificate request mode to auto.
   Command: certificate request mode auto [ key-length key-length | password { cipher | simple } password ] *
   Remarks: Manual by default.
Requesting a certificate in manual mode
In manual mode, you must submit a local certificate request for an entity.
5. Retrieve a CA certificate manually.
   Command: See "Retrieving a certificate manually."
   Remarks: N/A
6. Generate a local RSA key pair.
   Command: public-key local create rsa
   Remarks: No local RSA key pair exists by default.
7. Submit a local certificate request manually.
   Command: pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]
   Remarks: This command is not saved in the configuration file.
NOTE: In FIPS mode, you cannot import an MD5 certificate.
Verifying PKI certificates A certificate needs to be verified before being used. Verifying a certificate will check that the certificate is signed by the CA and that the certificate has neither expired nor been revoked. You can specify whether CRL checking is required in certificate verification. If you enable CRL checking, CRLs will be used in verification of a certificate. In this case, be sure to retrieve the CA certificate and CRLs to the local device before the certificate verification.
6. Verify the validity of the certificate.
   Command: pki validate-certificate { ca | local } domain domain-name
   Remarks: N/A
Destroying the local RSA key pair
A certificate has a lifetime, which is determined by the CA. When the private key leaks or the certificate is about to expire, you can destroy the old RSA key pair and then create a new pair to request a new certificate.
To destroy the local RSA key pair:
1. Enter system view.
   Command: system-view
2. Destroy a local RSA key pair.
5. Create a certificate attribute-based access control policy and enter its view.
   Command: pki certificate access-control-policy policy-name
   Remarks: No access control policy exists by default.
6. Configure a certificate attribute-based access control rule.
   Command: rule [ id ] { deny | permit } group-name
   Remarks: No access control rule exists by default. A certificate attribute group must exist before it can be associated with a rule.
   b. Nickname: the name of the trusted CA.
   c. Subject DN: the DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C).
   d. Use the default settings for the other attributes.
2. Configure extended attributes: After configuring the basic attributes, perform configuration on the jurisdiction configuration page of the CA server. Select the proper extension profiles, enable the SCEP autovetting function, and add the IP address list for SCEP autovetting.
3.
+++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++
4. Apply for certificates:
# Retrieve the CA certificate and save it locally.
[Firewall] pki retrieval-certificate ca domain torsa
Retrieving CA/RA certificates. Please wait a while......
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0
EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61
D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094
73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6C
2B
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 CRL Distribution Points:
URI:http://4.4.4.133:447/myca.
   c. Click Next to begin the installation.
2. Install the SCEP add-on: Because a CA server running Windows Server 2003 does not support SCEP by default, you need to install the SCEP add-on so that the firewall can register and obtain its certificate automatically. After the SCEP add-on installation completes, a URL is displayed, which you need to configure on the firewall as the URL of the server for certificate registration.
3. Modify the certificate service attributes:
   a.
3. Generate a local key pair using RSA.
[Firewall] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits in the modulus [default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++
4.
Subject: CN=firewall
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00A6637A 8CDEA1AC B2E04A59 F7F6A9FE 5AEE52AE 14A392E4 E0E5D458 0D341113
0BF91E57 FA8C67AC 6CE8FEBB 5570178B 10242FDD D3947F5E 2DA70BD9 1FAF07E5
1D167CE1 FC20394F 476F5C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306
81D403CF 2D93BC5A 8AF3224D 1125E439 78ECEFE1 7FA9AE7B 877B50B8 3280509F
6B
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier: B68E4107 91D7C44
Firewall A and Firewall B use IKE for IPsec tunnel negotiation and RSA digital signatures from a PKI certificate system for identity authentication. Firewall A and Firewall B use the same CA.
Figure 213 Network diagram
Configuration procedure
1. Configure Firewall A:
# Configure the entity DN.
system-view
[FirewallA] pki entity en
[FirewallA-pki-entity-en] ip 2.2.2.1
[FirewallA-pki-entity-en] common-name firewalla
[FirewallA-pki-entity-en] quit
# Configure the PKI domain.
# Request a certificate.
[FirewallA] pki retrieval-certificate ca domain 1
[FirewallA] pki retrieval-crl domain 1
[FirewallA] pki request-certificate domain 1
# Configure IKE proposal 1, using RSA signature for identity authentication.
[FirewallA] ike proposal 1
[FirewallA-ike-proposal-1] authentication-method rsa-signature
[FirewallA-ike-proposal-1] quit
# Specify the PKI domain for the IKE peer.
[FirewallA] ike peer peer
[FirewallA-ike-peer-peer] certificate domain 1
2.
Certificate attribute-based access control policy configuration example
Network requirements
The client accesses the remote Hypertext Transfer Protocol Secure (HTTPS) server over HTTPS. Configure SSL so that only authorized clients can log in to the HTTPS server, and create a certificate attribute-based access control policy to control access to the HTTPS server.
[Firewall-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
[Firewall-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
[Firewall-pki-cert-attribute-group-mygroup2] quit
3.
Failed to request a local certificate
Symptom
Failed to request a local certificate.
Analysis
Possible reasons include:
• The network connection is not working properly. For example, the network cable might be damaged or loose.
• No CA certificate has been retrieved.
• The current key pair has already been bound to a certificate.
• No trusted CA is specified.
• The URL of the registration server for certificate requests is incorrect or not configured.
• No authority is specified for certificate requests.
4. Specify the CRL distribution URL.
5. Reconfigure the LDAP version.
6. Configure a DNS server that can resolve the domain name of the CRL distribution point.
Managing public keys Public keys can be configured only at the CLI. Overview To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out. The receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 215.
Complete these tasks to configure public keys:
Configuring a local asymmetric key pair on the local device (choose one or more of the following tasks):
• Creating a local asymmetric key pair
• Displaying or exporting the local host public key
• Destroying a local asymmetric key pair
• Displaying and recording the host public key information
• Displaying the host public key in a specific format and saving it to a file
• Exporting the host public key in a specific format to a file
If your local device is to authenticate the peer device, you must specify the peer public key on the local device. For more information, see "Specifying the peer public key on the local device."
Exporting the host public key in a specific format to a file
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Export a local RSA host public key in a specific format to a file.
   Command: public-key local export rsa { openssh | ssh1 | ssh2 } filename
   Remarks: Use at least one of the export commands.
3. Export a local DSA host public key in a specific format to a file.
   Command: public-key local export dsa { openssh | ssh2 } filename
   Remarks: Use at least one of the export commands.
Method: Manually configure the public key (input or copy the key data).
Prerequisites:
• Display and record the public key of the intended asymmetric key pair.
• If the peer device is an HP device, use the display public-key local public command to view and record its public key. A public key displayed by other methods for the HP device may not be in the correct format.
Remarks: The recorded public key must be in the correct format, or the manual configuration of a format-incompliant public key will fail.
Public key configuration examples
Entering the peer public key on the local device
In this example, Device A or Device B is the firewall device.
Network requirements
As shown in Figure 216, to prevent illegal access, Device B (the local device) authenticates Device A (the peer device) through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B.
8B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
=====================================================
Time of Key pair created: 09:50:07 2007/08/07
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF
The output shows that the host public key of Device A saved on Device B is consistent with the one created on Device A.
Importing a public key from a public key file
In this example, Device A or Device B is the firewall device.
Network requirements
As shown in Figure 217, to prevent illegal access, Device B (the local device) authenticates Device A (the peer device) through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B.
8B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
=====================================================
Time of Key pair created: 09:50:07 2007/08/07
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF
# Import the host public key of Device A from the key file devicea.pub to Device B.
system-view
[DeviceB] public-key peer devicea import sshkey devicea.pub
# Display the host public key of Device A on Device B.
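The "Key code" that display public-key prints is the DER encoding of an X.509 SubjectPublicKeyInfo (the 30 .. 30 0D 06 09 2A864886F70D010101 05 00 03 .. 00 30 .. 02 .. 02 .. skeleton visible in the output above). The added example below, which is not the device's code, parses that structure so that a key recorded on Device B can be checked against the one Device A displays (matching fingerprints, rejecting anything truncated or pasted in a wrong format) and re-expresses the same key in the OpenSSH format that the export commands also produce. The 512-bit sample key in the block is constructed for the demonstration and is not a real device key.

```python
"""Parse, compare and re-export an RSA host public key given as the hex
"Key code" of display public-key (a DER SubjectPublicKeyInfo).
Added example, not the device's code; SAMPLE_N below is a constructed
modulus used only to exercise the parser, not a real RSA key."""
import base64
import hashlib
import struct

RSA_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_uint(value):
    """DER INTEGER for a non-negative value; a 0x00 pad keeps the sign bit clear."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)


def encode_rsa_spki(n, e):
    """SubjectPublicKeyInfo { rsaEncryption, BIT STRING { RSAPublicKey { n, e } } }."""
    rsa_pub = _tlv(0x30, _der_uint(n) + _der_uint(e))
    alg_id = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_pub))


class _Reader:
    """Minimal DER TLV reader that rejects truncated input instead of guessing."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def read(self, expected_tag):
        if self.pos + 2 > len(self.data):
            raise ValueError("truncated DER: missing tag or length")
        tag, first = self.data[self.pos], self.data[self.pos + 1]
        if tag != expected_tag:
            raise ValueError("expected tag 0x%02X, got 0x%02X" % (expected_tag, tag))
        self.pos += 2
        length = first
        if first & 0x80:  # long form: next (first & 0x7F) octets hold the length
            nbytes = first & 0x7F
            if self.pos + nbytes > len(self.data):
                raise ValueError("truncated DER: missing length octets")
            length = int.from_bytes(self.data[self.pos:self.pos + nbytes], "big")
            self.pos += nbytes
        end = self.pos + length
        if end > len(self.data):
            raise ValueError("truncated DER: content runs past end of data")
        content, self.pos = self.data[self.pos:end], end
        return content


def parse_rsa_spki(der):
    """Return modulus, size, exponent and SHA-256 of the DER; raise ValueError if malformed."""
    body = _Reader(_Reader(der).read(0x30))
    alg = _Reader(body.read(0x30))
    if alg.read(0x06) != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    bits = body.read(0x03)
    if bits[:1] != b"\x00":
        raise ValueError("BIT STRING must have zero unused bits")
    pub = _Reader(_Reader(bits[1:]).read(0x30))
    n = int.from_bytes(pub.read(0x02), "big")
    e = int.from_bytes(pub.read(0x02), "big")
    return {"modulus": n, "modulus_bits": n.bit_length(), "exponent": e,
            "sha256": hashlib.sha256(der).hexdigest()}


def is_well_formed(key_hex):
    """True if the hex (line wraps allowed) parses as an rsaEncryption SubjectPublicKeyInfo."""
    try:
        parse_rsa_spki(bytes.fromhex("".join(key_hex.split())))
        return True
    except ValueError:
        return False


def keys_match(recorded_hex, displayed_hex):
    """Compare the key recorded on Device B with what Device A displays; both must parse."""
    recorded = bytes.fromhex("".join(recorded_hex.split()))
    displayed = bytes.fromhex("".join(displayed_hex.split()))
    return parse_rsa_spki(recorded)["sha256"] == parse_rsa_spki(displayed)["sha256"]


def _ssh_mpint(v):
    body = v.to_bytes((v.bit_length() + 7) // 8, "big")
    body = (b"\x00" if body[0] & 0x80 else b"") + body
    return struct.pack(">I", len(body)) + body


def to_openssh(der):
    """The same key as an OpenSSH "ssh-rsa" line (RFC 4253 wire encoding of e then n)."""
    k = parse_rsa_spki(der)
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _ssh_mpint(k["exponent"]) + _ssh_mpint(k["modulus"])
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


# Constructed 512-bit sample modulus (odd, top bit set); not a real RSA key.
SAMPLE_N = int.from_bytes(hashlib.sha512(b"constructed sample modulus").digest(), "big") | (1 << 511) | 1
SAMPLE_E = 65537
SAMPLE_KEY_CODE = encode_rsa_spki(SAMPLE_N, SAMPLE_E).hex().upper()

if __name__ == "__main__":
    info = parse_rsa_spki(bytes.fromhex(SAMPLE_KEY_CODE))
    print("Key code:", SAMPLE_KEY_CODE)
    print("RSA %d-bit, e=%d, sha256=%s" % (info["modulus_bits"], info["exponent"], info["sha256"]))
    print(to_openssh(bytes.fromhex(SAMPLE_KEY_CODE)))
```

Comparing SHA-256 fingerprints of the DER rather than eyeballing hex lines catches a key that was copied with a missing or duplicated line, which is the usual reason a manually entered peer key fails to configure or, worse, configures but never authenticates.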
Configuring SSL VPN
Feature and hardware compatibility
SSL VPN compatibility by hardware:
• F1000-A-EI/F1000-S-EI: Yes
• F1000-E: Yes
• F5000: No
• F5000-S/F5000-C: No
• VPN firewall modules: No
• 20-Gbps VPN firewall modules: No
Overview
SSL VPN is a VPN technology based on SSL. It works between the transport layer and the application layer.
How SSL VPN works
SSL VPN works in the following procedure:
1. The administrator logs in to the Web interface of the SSL VPN gateway and creates resources that represent the resources on the internal servers.
2. A remote user establishes an HTTPS connection to the SSL VPN gateway. The SSL VPN gateway and the remote user authenticate each other by using the certificate-based authentication function provided by SSL.
3.
Granular access control of network resources. On the SSL VPN gateway, you can configure multiple resources and users, add resources to resource groups, add users to user groups, and assign resource groups to user groups. After a user logs in, the SSL VPN gateway finds the user groups to which the user belongs, and checks the resource groups assigned to the user groups to determine which resources to provide for the user.
SSL VPN configuration example at the CLI
Network requirements
As shown in Figure 273, configure SSL and enable the SSL VPN service on the SSL VPN gateway, so that users can log in to the Web interface of the SSL VPN gateway through HTTPS and then access the internal resources of the corporate network through the SSL VPN gateway. In this configuration example:
• The IP address of the SSL VPN gateway is 10.1.1.1/24.
• The IP address of the Certificate Authority (CA) is 10.2.1.1/24.
[Firewall] public-key local create rsa
# Retrieve the CA certificate.
[Firewall] pki retrieval-certificate ca domain sslvpn
# Apply for a certificate for the firewall.
[Firewall] pki request-certificate domain sslvpn
2. Configure an SSL server policy for the SSL VPN service:
# Configure an SSL server policy named myssl, and specify PKI domain sslvpn for the policy.
[Firewall] ssl server-policy myssl
[Firewall-ssl-server-policy-myssl] pki-domain sslvpn
[Firewall-ssl-server-policy-myssl] quit
3.
   Remarks: Required.
3. Configure a resource group, and add resources to the resource group.
   See: Configuring a resource group
   Remarks: Required. By default, resource groups named autohome and autostart exist.
4. Configure local SSL VPN users, that is, users that must pass local authentication to log in to the SSL VPN system.
   See: Configuring local users
   Remarks: Required. By default, a local user named guest (without a password) exists in denied state.
5.
1. Select VPN > SSL VPN > Service Management from the navigation tree to enter the service management page.
Figure 220 Service management
2. Configure the SSL VPN service as described in Table 30.
3. Click Apply.
Table 30 Configuration items
• Enable SSL VPN: Select the box before this item to enable the SSL VPN service.
• Port: Specify the port for providing the SSL VPN service. The default port number is 443.
• PKI Domain: Select a PKI domain for the SSL VPN service.
Figure 222 Adding a Web proxy server resource
3. Configure the Web proxy server resource as described in Table 31.
Table 31 Configuration items
• Enter a name for the Web proxy server resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
To enable single login, select the box before the Single login field to expand the configuration area (as shown in Figure 223), and then configure the single login parameters as described in Table 32.
2. Enter a username and a password (the password must be different from the username) on the popup page, and click Apply. The login page for the website in the resource pops up.
3. Enter the username and password again and log in. A message tells you that the single login function is configured successfully. During this process, the system automatically obtains the username parameter name and the password parameter name.
Figure 225 Adding a remote access service
   c. Configure the remote access service as described in Table 33.
   d. Click Apply.
Table 33 Configuration items
• Enter a name for the remote access service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
and Citrix desktop sharing. For some desktop sharing applications, data is transmitted in plain text and can be easily intercepted. SSL VPN can encrypt the data to ensure data security.
   a. Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree.
   b. Click the Desktop Sharing Service tab to view existing desktop sharing services, as shown in Figure 226.
Figure 226 Desktop sharing services
   c. Click Add to enter the page for adding a desktop sharing service.
• Local Host: Specify a loopback address or a character string that represents a loopback address.
• Local Port: Specify the port number that the local host uses for the remote access service. HP recommends using a rarely used port number greater than 1024.
• Command: Configure the Windows command for the resource. For example, you can configure the command for a Windows desktop sharing service in the format mstsc /v followed by the local host address and local port, such as mstsc /v 127.0.0.2 20000.
3.
   d. Configure the email service as described in Table 35.
   e. Click Apply.
Table 35 Configuration items
• Enter a name for the email service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
Figure 231 Adding a Notes service resource
   d. Configure the Notes service as described in Table 36.
   e. Click Apply.
Table 36 Configuration items
• Enter a name for the Notes service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
   a. Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree.
   b. Click the TCP Service tab to view existing TCP services, as shown in Figure 232.
Figure 232 TCP services
   c. Click Add to enter the page for adding a common TCP service.
Figure 233 Adding a TCP service resource
   d. Configure the common TCP service as described in Table 37.
   e. Click Apply.
Table 37 Configuration items
• Enter a name for the common TCP service resource.
• Local Host: Enter a loopback address or a character string that represents a loopback address.
• Local Port: Enter the port number that the local host uses for the common TCP service.
• Command: Configure the Windows command for the resource.
Configuring IP network resources
The SSL VPN IP network access service supports all applications that operate at the IP layer and above, providing secure communication between users and servers.
Figure 234 Global configuration page
   b. Configure the global parameters for IP network resources, as described in Table 38.
   c. Click Apply.
Table 38 Configuration items
• Start IP / End IP: Specify the IP address pool from which the gateway assigns IP addresses to clients' virtual network adapters.
• Subnet Mask: Enter the subnet mask to be assigned to a client's virtual network adapter.
• Gateway IP: Enter the default gateway IP address to be assigned to a client's virtual network adapter.
Figure 235 Host configuration
   c. Click Add to enter the page for adding a host resource.
Figure 236 Adding a host resource
   d. Enter a name for the host resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
   e. Click Add under the Network Services list.
Figure 237 Adding an available network service
   f. Configure the network service as described in Table 39.
Table 39 Configuration items
• Destination IP: Enter the destination address of the network service.
• Subnet Mask: Enter the subnet mask of the network service.
• Protocol: Specify the protocol type of the network service: IP, TCP, or UDP.
• Enter a description for the network service.
   b. Click the User-IP Binding tab to view existing user-IP bindings, as shown in Figure 239.
Figure 239 User-IP bindings
   c. Click Add to enter the page for adding a user-IP binding.
Figure 240 Adding a user-IP binding
   d. Configure the user-IP binding as described in Table 40.
   e. Click Apply.
Table 40 Configuration items
• Username: Specify the username to be bound with an IP address. The username must contain the domain name, for example, aaa@local.
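The global IP network settings (Start IP, End IP, Subnet Mask, Gateway IP) and the user-IP bindings interact: a bound user must always receive the same address, and that address must not be handed out dynamically to someone else. The added example below, which is not the gateway's code, models that allocation. The rule that a statically bound address is withheld from the dynamic pool, the requirement that the gateway and End IP lie inside the pool's subnet, and the scenario in demo() are assumptions made for the demonstration; the username check (the name must carry its domain, for example aaa@local) follows Table 40.

```python
"""Client virtual-adapter address assignment from an SSL VPN address pool
with user-IP bindings. Added example; the policy that bound addresses are
excluded from dynamic assignment is an assumption of this model."""
import ipaddress


class SslVpnAddressPool:
    def __init__(self, start_ip, end_ip, subnet_mask, gateway_ip):
        self.start = ipaddress.IPv4Address(start_ip)
        self.end = ipaddress.IPv4Address(end_ip)
        self.network = ipaddress.IPv4Network("%s/%s" % (start_ip, subnet_mask), strict=False)
        self.gateway = ipaddress.IPv4Address(gateway_ip)
        if self.start > self.end:
            raise ValueError("Start IP must not be above End IP")
        if self.end not in self.network or self.gateway not in self.network:
            raise ValueError("End IP and Gateway IP must lie in the pool's subnet")  # assumption
        self.bindings = {}  # username -> statically bound address
        self.leases = {}    # username -> address of the current session

    def bind(self, username, ip):
        """Add a user-IP binding (the User-IP Binding tab)."""
        if "@" not in username:
            raise ValueError("username must contain the domain name, for example aaa@local")
        addr = ipaddress.IPv4Address(ip)
        if addr == self.gateway or addr in self.bindings.values():
            raise ValueError("%s is already reserved" % addr)
        self.bindings[username] = addr

    def _reserved(self):
        return set(self.bindings.values()) | set(self.leases.values()) | {self.gateway}

    def _pool(self):
        addr = self.start
        while addr <= self.end:
            yield addr
            addr += 1

    def assign(self, username):
        """Address for a user logging in: the bound address if one exists, else the first free one."""
        if username in self.leases:
            return self.leases[username]
        if username in self.bindings:
            addr = self.bindings[username]
            if addr in self.leases.values():
                raise RuntimeError("bound address %s is held by another session" % addr)
        else:
            addr = next((a for a in self._pool() if a not in self._reserved()), None)
            if addr is None:
                raise RuntimeError("address pool exhausted")
        self.leases[username] = addr
        return addr

    def release(self, username):
        """Free the address when the user logs out or is logged out by the administrator."""
        self.leases.pop(username, None)

    def free_count(self):
        """Addresses still available for dynamic assignment."""
        return sum(1 for a in self._pool() if a not in self._reserved())


def demo():
    """Constructed scenario: a three-address pool with one static binding."""
    pool = SslVpnAddressPool("10.1.1.10", "10.1.1.12", "255.255.255.0", "10.1.1.1")
    pool.bind("aaa@local", "10.1.1.11")
    out = [str(pool.assign(u)) for u in ("bbb@local", "ccc@local", "aaa@local")]
    pool.release("bbb@local")
    out.append(str(pool.assign("ddd@local")))  # gets the released address back
    return out


if __name__ == "__main__":
    print(demo())
```

The point of tracking bindings and leases separately is that a bound address stays out of the dynamic range even while its user is offline; otherwise a later login by the bound user would collide with whoever was handed that address in the meantime.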
Figure 241 Predefined domain names
   c. Click Add to enter the page for adding a predefined domain name.
Figure 242 Adding a predefined domain name
   d. Configure the predefined domain name as described in Table 41.
   e. Click Apply.
Table 41 Configuration items
• Domain Name: Enter a domain name to be issued to clients.
• Select the IP setting method: Dynamic or Static.
Figure 243 Resource groups
2. Click Add to enter the page for adding a resource group.
Figure 244 Adding a resource group
3. Configure the resource group as described in Table 42.
4. Click Apply.
Table 42 Configuration items
• Resource Group Name: Enter a name for the resource group.
• Selected Resources / Available Resources: Specify resources for the resource group.
Configuring local users
Configure SSL VPN users for local authentication in either of the following ways:
• Configure local users one by one in the SSL VPN system. In this method, you can configure all parameters for a user at the same time, including the username, password, the certificate and MAC addresses to be bound, public account settings, user status, and user groups.
• Write the information of the users into a text file, and then import the users into the SSL VPN system.
Figure 246 Adding a local user
   c. Configure the local user as described in Table 43.
   d. Click Apply.
Table 43 Configuration items
• Username: Enter a name for the local user.
• Description: Enter a description for the local user.
• Password / Confirm Password: Specify a password for the local user and enter the password again to confirm it.
• Certificate SN: Specify a certificate serial number for the local user.
• Enable public account: Select this item to set the local user account as a public account. A public account can be used concurrently by multiple users to log in to the SSL VPN system. If you do not select this item, only one user can use the local user account to log in to the SSL VPN system at a time.
• Max Number of Users: Set the maximum number of concurrent users that can log in to the SSL VPN system by using the public account. The value range depends on the device model.
Figure 247 Batch import of local users
Configuring a user group
1. Select VPN > SSL VPN > User Management > User Group from the navigation tree. The user group list page appears, as shown in Figure 248.
Figure 248 User groups
2. Click Add to add a user group.
Figure 249 Adding a user group
3. Configure the user group as described in Table 45.
4. Click Apply.
Table 45 Configuration items
• User Group Name: Enter a name for the user group.
• Selected Resource Groups / Available Resources: Select resource groups for the user group. Users in the user group can access the resources in the selected resource groups.
• Selected Local Users / Available Local Users: Select local users for the user group.
Viewing user information
1. View online user information and log out an online user: Select VPN > SSL VPN > User Management > User Information from the navigation tree. The Online Users tab appears, showing the information of the current online users.
Figure 250 Online users
Table 46 Field description
• Login Time: Time when the user logged in to the SSL VPN system.
• Username: Username of the user, with the domain name.
• IP Address: IP address of the user host.
2.
• Domain policy: Defines the common parameters and functions for the SSL VPN domain.
• Caching policy: Specifies which cached contents to clear from user hosts when users log out from the SSL VPN system.
• Bulletin management: Allows you to provide different information to different users.
1. Configure the domain policy:
   a. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. The Domain Policy tab appears, as shown in Figure 252.
Figure 252 Domain policy
   b.
• Enable MAC address binding: Select this item to enable MAC address binding. With MAC address binding enabled, the SSL VPN system obtains the MAC address of a user when the user logs in, for user identity authentication or MAC address learning.
• Select this item to enable automatic login.
Figure 253 Caching policy
3. Configure a bulletin:
   a. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree.
   b. Click the Bulletin Management tab. The bulletin management page appears, as shown in Figure 254.
Figure 254 Bulletin management
   c. Click Add to add a new bulletin, as shown in Figure 255.
Figure 255 Adding a bulletin
   d. Configure the bulletin as described in Table 48.
   e. Click Apply.
Table 48 Configuration items
• Title: Enter a name for the bulletin.
• Content: Enter the contents of the bulletin.
• Selected User Groups / Available User Groups: Select the user groups that can view the bulletin.
   • Password+Certificate: Authenticates both a user's password and client certificate.
   • Certificate: Authenticates only a user's client certificate.
RADIUS authentication supports only two authentication policies: password and password+certificate.
SSL VPN supports local authentication, RADIUS authentication, LDAP authentication, and AD authentication for client reauthentication.
Figure 257 RADIUS authentication
   c. Configure the RADIUS authentication as described in Table 49.
   d. Click Apply.
Table 49 Configuration items
• Enable RADIUS authentication: Select this item to enable RADIUS authentication.
• Authentication Mode: Select an authentication mode for RADIUS authentication. Options include Password and Password+Certificate.
• Enable RADIUS accounting: Select this item to enable RADIUS accounting.
3.
Figure 258 LDAP authentication
   c. Configure the LDAP authentication as described in Table 50.
   d. Click Apply.
Table 50 Configuration items
• Enable LDAP authentication: Select this item to enable LDAP authentication.
• LDAP Server IP: Specify the IP address of the LDAP server.
• Server Port: Specify the TCP port number used by the LDAP server.
• Version: Specify the supported LDAP protocol version.
• Authentication Mode: Select an authentication mode for LDAP authentication.
AD is a directory service provided by Windows 2000 Server and later versions. It saves information of objects on a network and allows administrators and users to query the information. AD uses structured data storage, which is the basis of the directory information logical structure. The SSL VPN system can cooperate with the existing AD server of an enterprise seamlessly to provide AD authentication for users in the enterprise.
• Admin Username: Set an administrator account. It must be a user account that has the directory search right in the User directory of the AD domain.
• Password / Confirm Password: Set a password for the administrator account, and enter the password again to confirm it.
• Username Format: Set the username format used to log in to the AD server. Options include Without the AD domain name, With the AD domain name, and Login name.
5.
• Ask password again on the second authentication: With this item selected, the system provides the login page and asks the user for a password again after the user passes the first authentication. If you do not select this item, the system automatically reuses the password from the first authentication for the second authentication.
IMPORTANT: This function takes effect only when you enable full customization of the user interface and the customized user interface can provide a login page twice.
Figure 262 Adding a security policy
3. Configure the security policy as described in Table 53.
4. Click Apply.
Table 53 Configuration items
• Name: Enter a name for the security policy.
• Level: Set a level for the security policy. A larger number means a higher level. If multiple security policies are defined, the system first uses the security policy with the highest priority to check the user host.
• Policy Configuration: Set check rules for the security policy. Check rules fall into seven categories: operating system, browser, antivirus software, firewall, certificate, file, and process. To pass the check of a category, a host needs to satisfy at least one rule of the category. To pass the check of a security policy, a host must satisfy all categories of the policy. Click the expansion button before a category to view the rule information.
• Operator: Set an operator for the antivirus software version check and the virus definitions version check.
   • >=: The antivirus software and its virus definitions must be of the specified version or a later version.
   • >: The antivirus software and its virus definitions must have a version later than the specified version.
   • =: The antivirus software and its virus definitions must be of the specified version.
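The evaluation rules in Table 53 (any one rule satisfies a category, every category must pass for the policy, policies are tried from the highest level down) and the version operators above are easy to get subtly wrong, in particular by comparing version strings lexically, where "10.10" sorts below "10.9". The added example below, which is not the gateway's code, implements those rules over a host profile. The dictionary layout of the host profile, the rule helper functions and the two constructed policies are assumptions made for the demonstration; only operating system, antivirus and process categories are modelled.

```python
"""Evaluate SSL VPN security policies against a host profile following the
rules in Table 53: within a category one satisfied rule is enough, a policy
passes only when every category it defines passes, and higher-level policies
are checked first. Added example; host-profile layout, rule helpers and the
policies below are assumptions, not the gateway's data model."""


def version_key(version):
    """'10.10' -> (10, 10), so that 10.10 > 10.9 (plain string comparison gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def version_ok(actual, operator, required):
    """Apply the >=, > or = operator of an antivirus check rule."""
    a, r = version_key(actual), version_key(required)
    if operator == ">=":
        return a >= r
    if operator == ">":
        return a > r
    if operator == "=":
        return a == r
    raise ValueError("unknown operator %r" % operator)


class Rule:
    def __init__(self, category, check, label):
        self.category, self.check, self.label = category, check, label


def os_rule(name):
    return Rule("operating system", lambda h: h.get("os") == name, "os = " + name)


def process_rule(name):
    return Rule("process", lambda h: name in h.get("processes", ()), "process " + name)


def antivirus_rule(product, operator, version, definitions):
    """Both the product version and its virus definitions must satisfy the operator."""
    def check(host):
        av = host.get("antivirus")
        return (av is not None and av["product"] == product
                and version_ok(av["version"], operator, version)
                and version_ok(av["definitions"], operator, definitions))
    return Rule("antivirus", check, "%s %s %s / %s" % (product, operator, version, definitions))


class Policy:
    def __init__(self, name, level, rules):
        self.name, self.level, self.rules = name, level, rules


def policy_passes(policy, host):
    by_category = {}
    for rule in policy.rules:
        by_category.setdefault(rule.category, []).append(rule)
    # every category must pass; a category passes if any one of its rules does
    return all(any(r.check(host) for r in rules) for rules in by_category.values())


def select_policy(policies, host):
    """Name of the highest-level policy the host satisfies, or None if it fails all of them."""
    for policy in sorted(policies, key=lambda p: p.level, reverse=True):
        if policy_passes(policy, host):
            return policy.name
    return None


# Constructed policies and host profiles for the demonstration.
POLICIES = [
    Policy("strict", 20, [os_rule("Windows 7"), os_rule("Windows 8"),
                          antivirus_rule("AVProduct", ">=", "10.2", "2013.9"),
                          process_rule("endpoint-agent.exe")]),
    Policy("basic", 10, [antivirus_rule("AVProduct", ">=", "9.0", "2013.1")]),
]
HOST_COMPLIANT = {"os": "Windows 7", "processes": {"endpoint-agent.exe"},
                  "antivirus": {"product": "AVProduct", "version": "10.10", "definitions": "2013.9.1"}}
HOST_NO_AGENT = {"os": "Windows 8", "processes": set(),
                 "antivirus": {"product": "AVProduct", "version": "10.10", "definitions": "2013.9.1"}}
HOST_STALE_DEFS = {"os": "Windows 7", "processes": {"endpoint-agent.exe"},
                   "antivirus": {"product": "AVProduct", "version": "9.9", "definitions": "2012.12"}}

if __name__ == "__main__":
    for label, host in (("compliant", HOST_COMPLIANT), ("no agent", HOST_NO_AGENT),
                        ("stale definitions", HOST_STALE_DEFS)):
        print("%-18s -> %s" % (label, select_policy(POLICIES, host)))
```

Grouping the rules by category before evaluating is what gives the "any rule within a category, all categories within a policy" semantics; flattening the rules into one list would silently turn the policy into either an all-of or an any-of check.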
1. Partially customize the SSL VPN interface:
# Configure the text information:
   a. Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree. The Text Information tab appears.
   b. Configure the service page banner information, login page welcome information, and login page title on the page.
   c. Click Apply.
Figure 263 Text information
# Configure the login page logo:
   a. Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree.
   b.
Figure 265 Specifying a service page logo picture
# Configure the service page background:
   a. Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree.
   b. Click the Service Page Background tab to enter the page shown in Figure 266.
   c. Click Browse to select a local picture file.
   d. Set whether to directly overwrite the file with the same name on the device.
   e. Click Apply. The picture is uploaded to the SSL VPN system and is used as the service page background picture.
   c. Click Apply.
Table 55 Configuration items
• Enable full customization: Select this item to enable the full customization function.
• Directory: Enter the directory where the customized page files are saved on the SSL VPN gateway.
• Page File: Enter the name of the customized login page file.
Configuring user access to SSL VPN
This section introduces user access to the SSL VPN service interface provided by the system.
IMPORTANT: If you have enabled verification code authentication, the login page also provides a verification code, and the user must enter the correct verification code to log in.
• Clicking a resource name under TCP Applications to run the command you configured for the resource (if any), or performing configuration according to the information provided by the resource name and then accessing the resource. For example, a user can configure the Outlook email sending and receiving servers according to the email resource name, log in by using the username and password, and then use the email service.
Changing the login password
To change the login password, a user only needs to:
1. Click the Configure button in the upper right corner of the SSL VPN service interface to enter the page shown in Figure 272.
2. Enter the new password, and confirm the new password.
3. Click Apply.
When the user logs in again, the user must enter the new password.
Figure 273 Network diagram
Configuration prerequisites
Before performing the following configurations, make sure:
• The SSL VPN gateway, the CA, and the hosts used by remote users can reach each other.
• The CA service is enabled on the CA, and the CA can issue certificates to the SSL VPN gateway and the hosts.
• The RADIUS server is properly configured to provide authentication for users.
Figure 274 Configuring a PKI entity named en 2. Configure a PKI domain named sslvpn: a. Select VPN > Certificate Management > Domain from the navigation tree. b. Click Add to add a PKI domain. c. Enter the PKI domain name sslvpn and the CA identifier CA server. d. Select en as the local entity, and RA as the registration authority. e. Enter the certificate requesting URL http://10.2.1.1/certsrv/mscep/mscep.dll. f. Select Manual as the certificate request mode. g. Click Apply. h.
Figure 275 Configuring a PKI domain named sslvpn 3. Generate an RSA key pair: a. Select VPN > Certificate Management > Certificate from the navigation tree. b. Click Create Key to enter the key generation page. c. Set the key length to 1024. (This is the example's value. A 1024-bit RSA key is no longer considered adequate; choose the longest key length the device offers.) d. Click Apply. Figure 276 Generating an RSA key pair 4. Retrieve the CA certificate: a. After the key pair is generated, click the Retrieve Cert button on the certificate management page. b. Select sslvpn as the PKI domain and CA as the certificate type. c.
Figure 277 Retrieving the CA certificate to the local device 5. Request a local certificate: a. After the CA certificate retrieval operation is complete, click Request Cert on the certificate management page. b. Select sslvpn as the PKI domain. c. Click Apply. d. The system displays "Certificate request has been submitted." e. Click OK to confirm the operation. Figure 278 Requesting a local certificate You can view the retrieved CA certificate and the local certificate on the certificate management page.
Figure 279 Certificate management page 6. Enable SSL VPN, and configure a port and a PKI domain for the SSL VPN service; a. Select VPN > SSL VPN > Service Management from the navigation tree. b. Select the box before Enable SSL VPN. c. Set the port number to 443. d. Select sslvpn as the PKI domain. e. Click Apply. Figure 280 SSL VPN service management page Configuring SSL VPN resources 1. Configure a Web proxy resource named tech for the internal technology website 10.153.1.223: a.
Figure 281 Configuring a Web proxy resource 2. Configure a resource named desktop for the desktop sharing service provided by host 10.153.70.120: a. Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree. b. Click the Desktop Sharing Service tab. c. Enter the resource name desktop. d. Enter the remote host address 10.153.70.120. e. Set the remote port for the server to 3389. f. Enter the local host address 127.0.0.2. g. Set the local port for the service to 20000. h.
e. Enter the subnet mask 24. f. Enter the gateway IP address 192.168.0.101. g. Click Apply. Figure 283 Configuring global parameters for IP network resources 4. Configure a host resource named sec_srv for hosts in subnet 10.153.2.0/24 in IP network mode: a. Click the Host Configuration tab. b. Click Add. c. Enter the resource name sec_srv. d. Click the Add button under the Network Services list. e. Enter the destination IP address 10.153.2.
Figure 285 Adding a shortcut h. Click Apply on the Add Host Resource page as shown in Figure 286. Figure 286 Configuring a host resource 5. Configure resource group res_gr1, and add resource desktop to it: a. Select VPN > SSL VPN > Resource Management > Resource Group from the navigation tree. b. The resource group list page appears. c. Click Add. d. Enter the resource group name res_gr1. e. Select desktop on the Available Resources list and click the << button to add it to the Selected Resources list.
Figure 287 Configuring resource group res_gr1 6. Configure resource group res_gr2, and add resources tech and sec_srv to it: a. Click Add on the resource group list page. b. Enter the resource group name res_gr2. c. Select resources tech and sec_srv on the Available Resources list and click the << button to add them to the Selected Resources list. d. Click Apply.
Figure 288 Configuring resource group res_gr2 Configuring SSL VPN users 1. Configure a local user account usera: a. Select VPN > SSL VPN > User Management > Local User from the navigation tree. b. Click Add. c. Enter the username usera, enter the password passworda, and confirm the password. d. Select the box before Enable public account. e. Set the maximum number of users for the public account to 1. f. Select Permitted as the user status. g. Click Apply.
Figure 289 Adding local user usera 2. Configure user group user_gr1, assign resource group res_gr1 to the user group and add local user usera to the user group: a. Select VPN > SSL VPN > User Management > User Group from the navigation tree. b. Click Add. c. Enter the user group name user_gr1. d. Select res_gr1 on the Available Resource Groups list and click << to add it to the Selected Resource Groups list. e.
Figure 290 Configuring user group user_gr1 3. Configure user group user_gr2, and assign resource group res_gr2 to the user group: a. Click Add on the user group list page. b. Enter the user group name user_gr2. c. Select res_gr2 on the Available Resource Groups list and click << to add it to the Selected Resource Groups list. d. Click Apply.
Figure 291 Configuring user group user_gr2 Configuring an SSL VPN domain 1. Configure the default authentication method for the SSL VPN domain as RADIUS and enable verification code authentication: a. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. b. Select the box before Use verification code. c. Select RADIUS as the default authentication method. d. Click Apply.
Figure 292 Configuring the domain policy 2. Configure a RADIUS scheme named system: a. Select User > RADIUS from the navigation tree. b. Click Add. c. Enter the scheme name system, select Extended as the supported server type, and select Without domain name as the username format. d. Click the Add button in the RADIUS Server Configuration area. e. Select Primary Authentication Server as the server type, select IPv4 and enter IP address 10.153.10.
Figure 293 Configuring RADIUS scheme named system 3. Enable RADIUS authentication: a. Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree. b. Click the RADIUS Authentication tab. c. Select the box before Enable RADIUS authentication. d. Click Apply. Figure 294 Enabling RADIUS authentication Verifying the configuration Launch a browser on a host, and enter https://10.1.1.
Change the authentication mode to Local. Use the public account usera to log in. You can see the resource desktop, as shown in Figure 295. Click the resource name to access the shared desktop of the specified host, as shown in Figure 296.
Assume that a user named userb is configured and added to user group user_gr2 on the RADIUS server. Use this user account and the default authentication method RADIUS to log in. You can see website tech, all hosts in subnet 10.153.2.0/24, and the security server. Click tech to access the technology website. Click shortcut ftp_security-server to access the security server through FTP.
Configuring AFT AFT can be configured only at the CLI. Overview Address Family Translation (AFT) is a transition technology for communication between IPv4 and IPv6 networks. As shown in Figure 299, the AFT router performs address and protocol translation between IPv4 and IPv6 networks. With AFT, IPv6 and IPv4 hosts can communicate with one another without having their configurations changed.
Figure 300 DNS64 prefix is added to an IPv4 address to translate it into an IPv6 address When an IPv4 packet is sent from an IPv4 host to an IPv6 host, AFT translates its source IPv4 address to an IPv6 address by adding a DNS64 prefix. When an IPv6 host sends a packet to an IPv4 host, the destination IPv6 address is formed by adding the DNS64 prefix to the IPv4 address of the IPv4 host.
Stateful AFT is used only when the source IPv6 address of an IPv6 packet is translated into an IPv4 address and the source IPv6 address is not an IVI address. Otherwise, stateless AFT is used. Stateful AFT can also perform port address translation (PAT) to translate both addresses and TCP/UDP port numbers. This method can translate multiple IPv6 addresses into one IPv4 address. It distinguishes the IPv6 addresses by port number.
5. Translates and forwards the response packet. Upon receiving a response from the IPv4 host, the AFT replaces the IPv4 addresses in the packet header with IPv6 addresses based on the recorded address mappings and forwards the packet to the IPv6 host. To view the address mappings, use the display session table command. For more information about this command, see Security Configuration Guide.
DNS64 function A DNS client in an IPv6 network cannot communicate with a DNS server in an IPv4 network because their address formats are different. The DNS64 function of AFT can solve this issue. When an IPv6 host sends an AAAA (IPv6) DNS query to an IPv4 DNS server, the destination IPv6 address is translated from the IPv4 address of the DNS server.
Configuring an IVI prefix: Required.
Configuring a 6to4 AFT policy: Perform either one.
When communication is initiated by an IPv4 host:
Enabling AFT: Required.
Configuring a DNS64 prefix: Required.
Configuring an IVI prefix: Required.
Configuring 4to6 AFT policies: Required.
Configuration prerequisites Before you configure AFT: 1. Enable IPv6 on the AFT. For more information, see Network Management Configuration Guide. 2.
The DNS64 prefix cannot be the same as the IVI prefix.
To configure a DNS64 prefix:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Configure a DNS64 prefix. Command: aft prefix-dns64 dns64-prefix prefix-length. Remarks: No DNS64 prefix is configured by default. Repeat the command to configure multiple DNS64 prefixes.
Configuring an IVI prefix
1. Enter system view. Command: system-view. Remarks: N/A.
2. Configure an IVI prefix. Remarks: No IVI prefix is configured by default.
Type 4—Associate a DNS64 prefix with an interface address • If the prefix of the destination IPv6 address is the DNS64 prefix specified in the policy, AFT translates the source address into the IPv4 address of the interface associated with the DNS64 prefix. The port number is also translated. The AFT address pool contains a range of continuous IPv4 addresses. When the AFT policy is type 1 or type 3, the AFT chooses an IPv4 address from the address pool as the translated IPv4 address.
AFT translates the address into an IPv6 address by using the first configured DNS64 prefix in system view. Policy for destination IPv4 address translation—If the destination IPv4 address matches the specified ACL, the AFT translates the address into an IPv6 address by using the specified IVI prefix. If not, the address is not translated and the packet is forwarded according to the destination IPv4 address. • To configure 4to6 AFT policy: Step Command Remarks 1. Enter system view. system-view N/A 2.
AFT configuration examples An IPv6 host with an IVI address initiates communication with an IPv4 host Network requirements As shown in Figure 304, Host A is in an IPv6 network and has an address of 6:0:ff06:606:200::, and Host B is in an IPv4 network and has an address of 4.4.4.2. Host A wants to communicate with Host B. Figure 304 An IPv6 host with an IVI address initiates communication with an IPv4 host Configuration consideration The IPv6 address of Host A is an IVI address.
{ Configure a static route to network 2000::/32 (the DNS64 prefix) and the next hop address 6:0:ff06:606:100::. Configure Host B: 3. Perform the following configurations on Host B. (Details not shown.) { { Configure IPv4 address 4.4.4.2/24. Configure a static route to the IPv4 network (6.6.6.0/24) embedded in the IVI address and the next hop address 4.4.4.1. Verifying the configuration # Host B's IPv4 address 4.4.4.2 is translated to 2000:0:404:402:: by using the DNS64 prefix.
Configuration procedure 1. Configure Firewall (the AFT): # Enable IPv6. system-view [Firewall] ipv6 # Configure IP addresses for the interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2 and enable AFT on the interfaces. [Firewall] interface gigabitethernet 0/1 [Firewall-GigabitEthernet0/1] ipv6 address 6:0:ff06:606:100::/64 [Firewall-GigabitEthernet0/1] aft enable [Firewall-GigabitEthernet0/1] quit [Firewall] interface gigabitethernet 0/2 [Firewall-GigabitEthernet0/2] ip address 4.4.4.
{ Configure a static route to IPv6 network 2000::/32 (the DNS64 prefix) and the next hop address 6:0:ff06:606:100::. Configure Host B: 3. Perform the following configurations on Host B. (Details not shown.) { { Configure IPv4 address 4.4.4.2/24. Configure a static route to the IPv4 network (6.6.6.0/24) embedded in the IVI address and the next hop address 4.4.4.1. Verifying the configuration # The IPv4 address embedded in the IPv6 address of Host A is 6.6.6.2. Use the ping 6.6.6.2 command on Host B.
Figure 306 Network diagram Configuration consideration To meet the requirements, perform the following configurations: • On Firewall, enable AFT, and configure a DNS64 prefix and a 6to4 AFT policy because the address of Host A is not an IVI address. • On Host A, specify the IPv6 address 2000:0:303:305:: of the DNS server (which is translated from IPv4 address 3.3.3.5 by using the DNS64 prefix). Configuration procedure 1. Configure Firewall (the AFT): # Enable IPv6.
# Create ACL 2000 to permit packets from network 4.4.4.0/24 where Host B resides (this step is optional). [Firewall] acl number 2000 [Firewall-acl-basic-2000] rule permit source 4.4.4.0 0.0.0.255 [Firewall-acl-basic-2000] quit # Configure a 4to6 AFT policy for source address translation so that if the resolved IPv4 address is in network 4.4.4.0/24, the address is translated into an IPv6 address by using DNS64 prefix 2000::/32 (this step is optional).
Pro: UDP(17) App: DNS State: UDP-READY Start time: 2010-12-21 17:00:06 Root TTL: 52s Zone(in): Zone(out): Management Received packet(s)(Init): 1 packet(s) 77 byte(s) Received packet(s)(Reply): 2 packet(s) 183 byte(s) Initiator: Source IP/Port : 0006::0002/32768 Dest IP/Port : 2000:0:0404:0402::/44012 VPN-Instance/VLAN ID/VLL ID: Responder: Source IP/Port : 4.4.4.2/0 Dest IP/Port : 6.6.6.
Solution Verify that the IVI address complies with the IVI address format. If not, change the address of the IPv6 host or configure a 6to4 AFT policy.
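The address formats used throughout the AFT section, worked in Python as an added example (not part of the HP guide or of the device software). It covers the DNS64 synthesis described in the overview, the IVI check that the troubleshooting solution above asks for, the stateless-versus-stateful rule, and the "DNS64 prefix must differ from the IVI prefix" restriction. Only /32 prefixes are handled, because those are what the guide's examples use; the two layouts (a /32 DNS64 prefix followed directly by the IPv4 address, and a /32 IVI prefix followed by the byte 0xff, the IPv4 address and zero padding) are read off the page's own addresses and agree with the /32 forms in RFC 6052:

```python
import ipaddress
from typing import Optional

# Added example, not HP/H3C code. Only /32 prefixes are handled, because those
# are what the guide's examples use. The two layouts are taken from the page's
# own addresses:
#   DNS64: 2000::/32 + 4.4.4.2 -> 2000:0:404:402::   (IPv4 in bits 32..63)
#   IVI:   6:0::/32  + 6.6.6.2 -> 6:0:ff06:606:200:: (0xff, then IPv4, then zeros)
# Both agree with the /32 forms in RFC 6052.


def _prefix32(prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 32:
        raise ValueError("this example handles /32 prefixes only")
    return net


def dns64_embed(dns64_prefix: str, ipv4: str) -> str:
    """Synthesise the IPv6 form of an IPv4 host, as AFT does for an IPv4
    source address or for the answer to an AAAA query (DNS64)."""
    net = _prefix32(dns64_prefix)
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | (v4 << 64)))


def dns64_extract(dns64_prefix: str, ipv6: str) -> Optional[str]:
    """Recover the IPv4 destination from a DNS64-synthesised address, or None
    when the address is not under the DNS64 prefix (AFT then leaves it alone)."""
    net = _prefix32(dns64_prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return str(ipaddress.IPv4Address((int(addr) >> 64) & 0xFFFFFFFF))


def ivi_embed(ivi_prefix: str, ipv4: str) -> str:
    """Build the IVI address of an IPv4 host under an IVI prefix."""
    net = _prefix32(ivi_prefix)
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | (0xFF << 88) | (v4 << 56)))


def ivi_extract(ivi_prefix: str, ipv6: str) -> Optional[str]:
    """Return the embedded IPv4 address if ipv6 is a well-formed IVI address
    (prefix matches, 0xff marker present, 56-bit tail is zero); otherwise None.
    This is the format check the troubleshooting section asks for."""
    net = _prefix32(ivi_prefix)
    addr = ipaddress.IPv6Address(ipv6)
    n = int(addr)
    if addr not in net or ((n >> 88) & 0xFF) != 0xFF or (n & ((1 << 56) - 1)) != 0:
        return None
    return str(ipaddress.IPv4Address((n >> 56) & 0xFFFFFFFF))


def translation_mode(src_ipv6: str, ivi_prefix: str) -> str:
    """The rule from the overview: an IVI source address is translated
    statelessly; any other IPv6 source needs stateful AFT (address pool, PAT)."""
    return "stateless" if ivi_extract(ivi_prefix, src_ipv6) is not None else "stateful"


def prefixes_conflict(dns64_prefix: str, ivi_prefix: str) -> bool:
    """True when the two prefixes are identical, which the guide forbids."""
    return _prefix32(dns64_prefix) == _prefix32(ivi_prefix)


if __name__ == "__main__":
    print(dns64_embed("2000::/32", "4.4.4.2"))   # 2000:0:404:402::
    print(ivi_embed("6:0::/32", "6.6.6.2"))      # 6:0:ff06:606:200::
    print(translation_mode("6:0:ff06:606:200::", "6:0::/32"),   # stateless
          translation_mode("6::2", "6:0::/32"))                  # stateful
```

Running ivi_extract over the addresses in the two configuration examples shows why the second example needs an address pool and a 6to4 policy: 6:0:ff06:606:200:: carries 6.6.6.2 in IVI form, whereas 6::2 has no 0xff marker and is therefore handled by stateful AFT.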
Configuring DVPN The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules.
Feature and hardware compatibility
F1000-A-EI/F1000-S-EI: DVPN not supported
F1000-E: Yes
F5000: Yes
F5000-S/F5000-C: Yes
VPN firewall modules: Yes
20-Gbps VPN firewall modules: DVPN not supported
Overview DVPN enables enterprise branches that use dynamic public addresses to establish a VPN network.
• VAM client—A VAM client registers its private address and public address with the VAM server and obtains information about other VAM clients from the VAM server. The VAM client function must be implemented on DVPN nodes. Unless otherwise noted, the term "VAM client" refers to a hub or a spoke. • Hub—A hub is a type of VAM client. As a central device of a VPN, it is the exchange center of routing information. A hub in a hub-spoke network is also a data forwarding center.
Figure 307 Full mesh DVPN • Hub-spoke DVPN—In a hub-spoke DVPN, no tunnel can be established between two spokes, and data between them has to be forwarded through the hub. The hub is used as both the routing information exchange center and the data forwarding center. As shown in Figure 308, each spoke establishes a permanent tunnel with the hub, and data between spokes is forwarded through the hub.
Connection initialization phase When a client accesses the server for the first time, connection initialization is performed. During the initialization procedure, the two parties negotiate whether VAM protocol packets should be secured. If so, they negotiate the packet encryption and integrity verification algorithms, generate the keys, and acknowledge the negotiated result.
Registration phase Figure 310 Registration process Client Server 1) Registration request 2) Identity authentication request 3) Identity information 4) Registration acknowledgement Figure 310 shows the registration process: 1. The client sends the server a registration request, which carries information about the client. 2. Upon receiving the registration request, the server first determines whether to authenticate the identity of the client.
{ To establish a hub-spoke tunnel: After a spoke registers itself successfully, it needs to establish a permanent tunnel with each hub in the VPN. Upon receiving the registered information of the hubs from the server, the spoke checks whether a tunnel is present to each hub. If no tunnel exists between the spoke and a hub, the spoke sends a tunnel establishment request to the hub.
Encryption of VAM protocol packets VAM protocol packets can be encrypted by using AES-128, AES-256, DES, or 3DES. DES, with its 56-bit key, is no longer considered secure; prefer AES-256 or AES-128, and use 3DES only for compatibility with older peers. IPsec protection of data packets Data packets in a DVPN tunnel can be protected by an IPsec profile, using security protocols ESP, AH, or AH-ESP (ESP first, and then AH) and negotiating security policies through IKE. Centralized management of policies A VAM server manages all policies in a VPN domain centrally. Support for multiple VPN domains A VAM server supports up to 10 VPN domains.
Configuring routing: Required. To establish private networks across the public network by using DVPN, you must configure routing for the devices in the private networks. In a DVPN, route-related operations, such as neighbor discovery, route updating, and routing table establishment, are performed over DVPN tunnels. Routing information is exchanged between hubs or between hubs and spokes; it is never exchanged between spokes. DVPN clients support the OSPF and BGP routing protocols.
Figure 313 Adding a VPN domain 3. Configure the VPN domain as described in Table 58. 4. Click Apply. Table 58 Configuration items Item Description VPN Domain Name Enter a name for the VPN domain. Identity Authentication Settings Authentication Method Select an authentication method that the VAM server uses to authenticate VAM clients. Options include PAP, CHAP, and None. None means no authentication. ISP Domain Name Specify the ISP domain for VAM client authentication.
Authentication Algorithms / Encryption Algorithms: Select the authentication and encryption algorithms for VAM protocol packets. With the selected algorithms, the VAM server negotiates with a client to determine the packet integrity authentication and encryption algorithms to be used for VAM protocol packets between them. • Available authentication algorithms include SHA1 and MD5, in descending order of priority.
Configuring an ISP domain 1. Click the Add button of ISP Domain Name in Figure 313 to enter the Add ISP Domain page. Figure 314 Adding an ISP domain 2. Configure the ISP domain as described in Table 59. 3. Click Apply. Table 59 Configuration items Item Description ISP Domain Name Enter a name for the ISP domain. Select the authentication server type for DVPN users. • None—All users are trusted and no authentication is performed. Generally, do not use this method.
Server Type / Authorization Method / Primary Method: Select the authorization server type for DVPN users. • None: No authorization exchange is performed. Every user is trusted and has the corresponding default rights of the system. • Local: Uses local authorization. • RADIUS: Uses RADIUS authorization. If you do not select any authorization method, the default authorization method of the ISP domain is used, which is Local by default.
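The CHAP method that the VPN domain and ISP domain settings above select, modelled in Python as an added example (not part of the HP guide or of the device software). It shows the exchange defined in RFC 1994: the server issues a random challenge, the client answers with MD5(identifier || secret || challenge), and the secret itself never crosses the network, which is the reason to prefer CHAP over PAP. Two consequences worth seeing in code: the server (local or RADIUS) must hold the cleartext secret, and each challenge must be accepted at most once. How VAM packets carry these fields on the wire is not described on the page and is not modelled; the usernames and secrets are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Added example, not HP/H3C code. Models the CHAP exchange (RFC 1994) behind
# "Authentication Method: CHAP". The VAM packet format is not modelled.
# Usernames and secrets are constructed for the example.


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Client side of CHAP: the one-octet identifier, the secret and the
    challenge are hashed together; the digest is sent, the secret is not.
    MD5 is fixed by the protocol, not a configuration choice."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class VamAuthenticator:
    """Server side of CHAP, as a local or RADIUS backend would do it: it must
    hold the cleartext secret (CHAP cannot be verified from a one-way password
    hash, so the user store needs protecting) and must consume each challenge
    after a single response."""

    def __init__(self, users: Dict[str, str]) -> None:
        self._users = users                               # username -> cleartext secret
        self._pending: Dict[str, Tuple[int, bytes]] = {}  # username -> (identifier, challenge)

    def challenge(self, username: str) -> Tuple[int, bytes]:
        """Start a registration attempt with a fresh identifier and a random
        16-byte challenge."""
        identifier = os.urandom(1)[0]
        chal = os.urandom(16)
        self._pending[username] = (identifier, chal)
        return identifier, chal

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        """Check a response. The pending challenge is removed whether or not the
        check succeeds, so a captured response cannot be replayed."""
        pending = self._pending.pop(username, None)
        secret = self._users.get(username)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)


def run_exchange(server: VamAuthenticator, username: str, client_secret: str) -> bool:
    """One complete client/server exchange; returns the server's verdict."""
    identifier, chal = server.challenge(username)            # server -> client
    response = chap_response(identifier, client_secret, chal)  # client -> server
    return server.verify(username, identifier, response)


if __name__ == "__main__":
    # Constructed account, reusing a VAM client name from the configuration examples.
    srv = VamAuthenticator({"dvpn2spoke2": "dvpn2spoke2"})
    print("correct secret accepted:", run_exchange(srv, "dvpn2spoke2", "dvpn2spoke2"))
    print("wrong secret accepted:  ", run_exchange(srv, "dvpn2spoke2", "guess"))
```

With PAP, by contrast, the same account's password would travel in the request itself, so a capture of one registration is enough to impersonate the client; with CHAP the captured value is useless once the challenge has been consumed.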
Displaying VAM client information 1. From the navigation tree, select VPN > DVPN > Server. 2. Click the VAM Client Info tab. Table 60 describes fields in the tab page. Figure 315 VAM client information Table 60 Field description Field Description VPN Domain VPN domain to which the VAM client belongs. Private IP Private IP address that the VAM client registers with the VAM server. Public IP Public IP address that the VAM client registers with the VAM server.
2. Click Add to enter the Add Tunnel page, as shown in Figure 317.
3. Select the tunnel encapsulation mode, GRE or UDP. 4. Configure the tunnel interface as described in Table 61. Table 61 Configuration items Item Description Tunnel Encapsulation Mode Select the DVPN tunnel encapsulation mode, which can be GRE or UDP. Tunnel Interface Number Enter a sequence number for the tunnel interface. Specify the private IP address and mask for the tunnel interface.
Table 63 Configuration items
Session Idle Time: Set the idle timeout for the DVPN Spoke-Spoke tunnel.
Keepalive Interval / Keepalive Retries: Set the interval between sending keepalive packets and the maximum number of attempts for sending keepalive packets when there is no response. IMPORTANT: In a VPN domain, the DVPN keepalive settings for all tunnel interfaces must be consistent.
7. Specify whether to enable IPsec.
Exchange Mode: Select the IKE exchange mode in phase 1, which can be Main or Aggressive. IMPORTANT: • If you select Gateway Name for Local ID Type, you must set the exchange mode to Aggressive. • An IKE peer uses its configured exchange mode when it is the negotiation initiator. A negotiation responder uses the same exchange mode as the initiator. Aggressive mode sends the peer identities unencrypted and, with pre-shared keys, exposes a hash that can be attacked offline; use Main mode unless Gateway Name identities require Aggressive.
Authentication Algorithm: Select the authentication algorithm to be used in IKE negotiation.
Security Protocol: Select the security protocols to be used. • ESP: Uses the ESP protocol. • AH: Uses the AH protocol. • AH-ESP: Uses ESP first and then AH.
AH Authentication Algorithm: Select an authentication algorithm for AH when you select AH or AH-ESP for Security Protocol. Available authentication algorithms include MD5 and SHA1.
ESP Authentication Algorithm: Select an authentication algorithm for ESP when you select ESP or AH-ESP for Security Protocol. You can select MD5 or SHA1.
PFS: Enable and configure the Perfect Forward Secrecy (PFS) feature, or disable it. • None: Disables PFS. • Diffie-Hellman Group1: Enables PFS and uses the 768-bit Diffie-Hellman group. • Diffie-Hellman Group2: Enables PFS and uses the 1024-bit Diffie-Hellman group. • Diffie-Hellman Group5: Enables PFS and uses the 1536-bit Diffie-Hellman group. • Diffie-Hellman Group14: Enables PFS and uses the 2048-bit Diffie-Hellman group. Group1 and Group2 are too small by current standards; use Group14 where both peers support it.
3. Click the icon of a session to view the detailed information of the session, as shown in Figure 319.
Figure 318 DVPN session list
Figure 319 DVPN session details
Table 65 Field description
Interface of Session: DVPN tunnel interface.
Private Address of Tunnel: Private IP address of the DVPN session peer.
Public Address of Tunnel: Public IP address of the DVPN session peer.
Session Type: Tunnel type of the DVPN session.
Field Description Session Status State of the DVPN tunnel, which can be SUCCESS (tunnel established), ESTABLISH (tunnel is being established), or DUMB (tunnel failed to be established and is now quiet). Holding time Period of time that the tunnel keeps in the current state. Input Statistics for received packets, including the counts of all packets, data packets, control packets, multicast packets, and error packets.
Figure 320 Network diagram Device Interface IP address Device Interface IP address Hub 1 GE0/1 192.168.1.1/24 Spoke 1 GE0/1 192.168.1.3/24 Tunnel1 10.0.1.1/24 GE0/2 10.0.3.1/24 Tunnel2 10.0.2.1/24 Tunnel1 10.0.1.3/24 GE0/1 192.168.1.2/24 GE0/1 192.168.1.4/24 Tunnel1 10.0.1.2/24 GE0/2 10.0.4.1/24 Tunnel2 10.0.2.2/24 GE0/3 10.0.6.1/24 GE0/1 192.168.1.5/24 Tunnel1 10.0.1.4/24 GE0/2 10.0.5.1/24 Tunnel2 10.0.2.4/24 Tunnel2 10.0.2.3/24 Primary VAM server GE0/1 192.168.
Figure 321 Configuring a RADIUS scheme c. Enter the scheme name system, and select the server type Extended. d. In the RADIUS Server Configuration area, click Add. e. On the page that appears, select Primary Authentication as the server type, enter the IP address 192.168.1.11, enter the port number 1812, enter the key expert, enter expert to confirm the key, and then click Apply. The added primary authentication server appears on the RADIUS server list. f.
Figure 322 Configuring VPN domain vpn1 c. Enter vpn1 in the VPN Domain Name field, select CHAP as the authentication method, select system (the default ISP domain) as the ISP domain, and then click Modify. The ISP domain modification page appears.
d. Select RADIUS as the server type for the primary authentication, authorization, and accounting methods, and select Enable from the Accounting Optional list. Click Apply to finish the ISP domain configuration and return to the VPN domain configuration page. e. Enter the pre-shared key 123, enter 123 to confirm the key, enter the Hub 1 private IP 10.0.1.1, and the Hub 2 private IP 10.0.1.2, and then click Apply. 4. Configure VPN domain vpn2 (see the figures for vpn1 configuration): a.
Figure 324 Configuring tunnel interface Tunnel1
c. Select the tunnel encapsulation mode UDP, enter the tunnel interface number 1, enter the IP address/mask 10.0.1.1/24, select security zone Management for the tunnel interface, select the tunnel source interface GigabitEthernet0/1, enter the VPN domain name vpn1, the VAM server address 192.168.1.22, the secondary VAM server address 192.168.1.
Figure 326 OSPF configuration page c. In the Area Configuration area, click Add. Figure 327 Configuring OSPF area 0 d. Enter the area ID 0, select Normal as the area type. e. Enter the network address 192.168.1.0, select the network mask 0.0.0.255, and then click Add Network. f. Enter the network address 10.0.1.0, select the network mask 0.0.0.255, and then click Add Network.
g. Enter the network address 10.0.2.0, select the network mask 0.0.0.255, and then click Add Network. h. Click Apply. i. Click More>> to perform OSPF interface configuration. j. Click the icon of Tunnel1. Figure 328 Configuring OSPF interface k. Select Broadcast as the network type and click Apply. l. Repeat steps i through k to configure the same settings for interface Tunnel2. Configuring Hub 2 Figures are omitted. 1. Configure IP addresses for the interfaces. (Details not shown.) 2.
b. Select the tunnel encapsulation mode GRE, enter the tunnel interface number 2, enter the IP address/mask 10.0.2.2/24, select the security zone Management for the tunnel interface, select the tunnel source interface GigabitEthernet0/1, and enter the VPN domain name vpn2, the VAM server address 192.168.1.22, the secondary VAM server address 192.168.1.
d. Select the IPsec authentication method Pre-Shared Key and then enter abcde in the Key and Confirm Key fields. e. Select IP Address as both the remote ID type and the local ID type. f. Click Apply. 3. Configure OSPF: a. From the navigation tree, select Network > Routing Management > OSPF. b. Select Enable OSPF and click Apply. c. In the Area Configuration area, click Add. d. Enter the area ID 0. Select Normal as the area type. e. Enter the network address 192.168.3.0, select the network mask 0.0.0.
interface GigabitEthernet0/1. Enter VPN domain name vpn2. Enter the VAM server address 192.168.1.22. Enter the secondary VAM server address 192.168.1.33. Enter the VAM client username dvpn2spoke2. Enter the VAM client password dvpn2spoke2. Enter the password dvpn2spoke2 for confirmation. Enter the VAM client pre-shared key 456. Enter the key 456 for confirmation. c. Select Enable IPsec. d. Select the IPsec authentication method Pre-Shared Key and then enter abcde in the field. e.
c. Select Enable IPsec. d. Select the IPsec authentication method Pre-Shared Key and then enter abcde in the field. e. Select IP Address as both the remote ID type and the local ID type. f. Click Apply. 2. Configure OSPF: a. From the navigation tree, select Network > Routing Management > OSPF. b. Select Enable OSPF and click Apply. c. In the Area Configuration area, click Add. d. Enter the area ID 0. e. Select Normal as the area type. f. Enter network address 192.168.1.0, select network mask 0.0.0.
3. From the navigation tree of the secondary VAM server, select VPN > DVPN > Server. Click the VAM Client Info tab to view the address mapping information of all VAM clients that have registered with the secondary VAM server. 4. The figure shows that Hub 1, Hub 2, Spoke 1, Spoke 2, and Spoke 3 all have registered their address mapping information with the secondary VAM server. Figure 330 Viewing VAM client information on the secondary VAM server 5.
8. Click the DVPN Session tab to view all DVPN session information. The figure shows that in VPN 1 and VPN 2, Spoke 2 has established two Spoke-Hub permanent tunnels, one with Hub 1 and the other with Hub 2. The session information on Spoke 1 and Spoke 3 is similar. Figure 332 Viewing DVPN session information on Spoke 2 9. From Spoke 2, ping the private address of Spoke 3 10.0.5.1. The ping operation succeeds. 10. Refresh the DVPN session list of Spoke 2. Figure 333 shows the DVPN session information.
IMC performs VAM client authentication and accounting. With each being the backup of the other, the two Hubs perform data forwarding and routing information exchange. Establish a permanent tunnel between each Hub-Spoke pair. Figure 334 Network diagram Device Interface IP address Device Interface IP address Hub 1 GE0/1 192.168.1.1/24 Spoke 1 GE0/1 192.168.1.3/24 Tunnel1 10.0.1.1/24 GE0/2 10.0.2.1/24 GE0/1 192.168.1.2/24 Tunnel1 10.0.1.
Figure 335 Configuring a RADIUS scheme c. Enter the scheme name system, and select the server type Extended. d. In the RADIUS Server Configuration area, click Add. e. On the page that appears, select Primary Authentication as the server type, enter the IP address 192.168.1.11, enter the port number 1812, enter the key expert, enter expert to confirm the key, and then click Apply. f. The added primary authentication server appears on the RADIUS server list. g.
Figure 336 Configuring VPN domain vpn1 c. Enter vpn1 in the VPN Domain Name field, select CHAP as the authentication method, select system (the default ISP domain) as the ISP domain, and then click Modify. The ISP domain modification page appears.
d. Select RADIUS as the server type for the primary authentication, authorization, and accounting methods, and select Enable from the Accounting Optional list. Click Apply to finish the ISP domain configuration and return to the VPN domain configuration page. e. Enter the pre-shared key 123, enter 123 to confirm the key, enter the Hub 1 private IP 10.0.1.1, and the Hub 2 private IP 10.0.1.2, and then click Apply. Configuring the secondary VAM server See "Configuring the primary VAM server.
Figure 338 Configuring tunnel interface Tunnel1
3. Configure OSPF: a. From the navigation tree, select Network > Routing Management > OSPF. b. In the Global area, select Enable OSPF, and then click Apply. Figure 339 Enabling the OSPF protocol c. In the Area Configuration area, click Add. d. Enter the area ID 0. Select Normal as the area type. Enter the network address 192.168.1.0, select the network mask 0.0.0.255, and then click Add Network. Enter the network address 10.0.1.0, select the network mask 0.0.0.255, and then click Add Network. Click Apply.
Figure 341 Configuring OSPF on tunnel interface Configuring Hub 2 Hub 2 configuration pages are similar to Hub 1 configuration pages. See the figures for Hub 1 configuration. 1. Configure IP addresses for the interfaces. (Details not shown.) 2. Configure tunnel interface Tunnel1 for VPN domain vpn1: a. From the navigation tree, select VPN > DVPN > Client, and then click Add. b. Select the tunnel encapsulation mode UDP. Enter the tunnel interface number 1. Enter the IP address/mask 10.0.1.2/24.
g. Enter the network address 10.0.1.0, select the network mask 0.0.0.255, and then click Add Network. h. Click Apply. i. Click More>> to perform OSPF interface configuration. j. Click the icon of interface Tunnel1. k. Select P2MP as the network type. l. Click Apply. Configuring Spoke 1 Spoke 1 configuration pages are similar to Hub 1 configuration pages. See the figures for Hub 1 configuration. 1. Configure IP addresses for the interfaces. (Details not shown.) 2.
Configuring Spoke 2
Spoke 2 configuration pages are similar to Hub 1 configuration pages. See the figures for Hub 1 configuration.
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure tunnel interface Tunnel1 for VPN domain vpn1:
a. From the navigation tree, select VPN > DVPN > Client, and then click Add.
b. Select the tunnel encapsulation mode UDP, enter the tunnel interface number 1, enter the IP address/mask 10.0.1.
Figure 342 Viewing VAM client information on the primary VAM server
2. From the navigation tree of the secondary VAM server, select VPN > DVPN > Server. Click the VAM Client Info tab to view the address mapping information of all VAM clients that have registered with the secondary VAM server. The figure shows that Hub 1, Hub 2, Spoke 1, and Spoke 2 have all registered their address mapping information with the secondary VAM server.
Figure 343 Viewing VAM client information on the secondary VAM server
3.
Figure 344 Viewing DVPN session information on Hub 1
4. From the navigation tree of Spoke 1, select VPN > DVPN > Client. Click the DVPN Session tab to view all DVPN session information. The figure shows that in VPN 1, Spoke 1 has established two permanent spoke-hub tunnels, one with Hub 1 and the other with Hub 2. The session information on Spoke 2 is similar.
Figure 345 Viewing DVPN session information on Spoke 1
5. From Spoke 1, ping the private address of Spoke 2, 10.0.3.1.
Configuring DVPN at the CLI
DVPN configuration task list
When configuring DVPN, perform configuration in this order: the VAM server, the hubs, the spokes. Complete the following tasks to configure DVPN:
Task                                        Remarks
Server side configuration:
    Configuring AAA                         Optional.
    Configuring the VAM server              Required.
Client side configuration:
    Configuring a VAM client                Required.
    Configuring an IPsec profile            Optional.
    Configuring DVPN tunnel parameters      Required.
    Configuring routing                     Required.
Enabling VAM server
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enable VAM server.
    Command: (Method 1) Enable VAM server for one or all VPN domains:
             vam server enable { all | vpn vpn-name }
             (Method 2) Enable VAM server for a VPN domain:
             a. vam server vpn vpn-name
             b. server enable
    Remarks: Use either method. By default, VAM server is disabled.
Configuring the listening IP address and UDP port number
To configure the listening IP address and UDP port number of the VAM server:
Step 1.
Step 3. Specify the algorithms for protocol packet authentication and their priorities.
    Command: authentication-algorithm { none | { md5 | sha-1 } * }
    Remarks: Optional. By default, SHA-1 is used for protocol packet authentication.
Step 4. Specify the algorithms for protocol packet encryption and their priorities.
    Command: encryption-algorithm { { 3des | aes-256 | aes-128 | des } * | none }
    Remarks: Optional. By default, four encryption algorithms are available and preferred in this order: AES-128, AES-256, 3DES, and DES.
In the connection initialization process, the pre-shared key is used to generate the initial key for validating and encrypting connection requests and connection responses. If encryption and authentication are needed for subsequent packets, the pre-shared key is also used to generate the connection key for validating and encrypting those packets.
To configure the pre-shared key of the VAM server:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter VPN domain view.
Task                                                Remarks
Specifying the primary VAM server                   Required. Specify a primary VAM server, a secondary VAM server, or both.
Specifying the secondary VAM server
Configuring the username and password               Optional.
Specifying the VPN domain of the VAM client         Required.
Configuring the pre-shared key of the VAM client    Required.
Enabling VAM client                                 Required.
Creating a VAM client
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Create a VAM client and enter its view.
Step 3. Specify the secondary VAM server.
    Command: server secondary ip-address ip-address [ port port-number ]
    Remarks: Not specified by default.
Configuring the username and password
A client needs a username and a password to be authenticated by the server. You can configure the username and password for a client by creating a local user. Only one local user can be configured for a VAM client.
To configure a username and password for a VAM client:
Step 1. Enter system view.
Enabling VAM client
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enable VAM client.
    Command: (Method 1) Enable VAM client for all VAM clients or a specific VAM client:
             vam client enable { all | name client-name }
             (Method 2) Enable VAM client for a VAM client:
             a. vam client name client-name
             b. client enable
    Remarks: Use either method. Disabled by default.
Configuring an IPsec profile
An IPsec profile secures the transmission of data packets and control packets over a DVPN tunnel.
Step 3. Specify the IPsec transform sets for the IPsec profile to reference.
    Command: transform-set transform-set-name&<1-6>
    Remarks: By default, an IPsec profile references no IPsec transform set.
Step 4. Specify the IKE peer for the IPsec profile to reference.
    Command: ike-peer peer-name
    Remarks: By default, an IPsec profile references no IKE peer.
Step 5. Enable and configure perfect forward secrecy (PFS).
    Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
    Remarks: Optional. By default, PFS is not used for negotiation.
Step 2. Create a tunnel interface and enter its view.
    Command: interface tunnel number
    Remarks: No tunnel interface is created by default.
Step 3. Configure a private IPv4 address for the tunnel interface.
    Command: ip address ip-address { mask | mask-length } [ sub ]
    Remarks: A tunnel interface has no private IPv4 address configured by default.
Step 4. Configure the tunnel mode as DVPN, and specify the encapsulation mode of the DVPN tunnel.
Step 11. Set the DR priority of the OSPF interface.
    Command: ospf dr-priority priority
    Remarks: Optional for a hub but required for a spoke, when OSPF is used. By default, the interface DR priority is 1. The DR priority of a hub should be higher than that of a spoke. HP recommends setting the DR priority of a spoke to 0 to keep the spoke from participating in DR/BDR election.
Step 12. Bind an IPsec profile to the DVPN tunnel interface.
    Remarks: Optional.
For more information about OSPF, BGP, and routing policies, see Layer 3—IP Routing Configuration Guide.
Displaying and maintaining DVPN
Task: Display address mapping information about VAM clients registered with the VAM server.
    Command: display vam server address-map { all | vpn vpn-name [ private-ip private-ip ] } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Task: Display statistics about VAM clients registered with the VAM server.
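The VAM server algorithm steps, the pre-shared key, the local user password, and the IPsec profile (with PFS off by default) described in the preceding sections are the settings a reviewer checks first in a DVPN deployment: protocol packet protection set to none or MD5, DES or 3DES kept in the preference list, keys and passwords entered with the simple keyword (stored in plaintext in the configuration), and profiles left without PFS. The following Python script is an added example, not code from this guide or from HP: it reads a configuration text written in the command syntax of this chapter and reports those settings. The sample configuration, the MIN_PSK_LEN threshold, and the choice of which algorithms and DH groups count as weak are this example's own assumptions.

```python
import re

# What this audit treats as weak: DES, 3DES and MD5 are legacy algorithms,
# 'none' disables the protection, and DH groups 1 and 2 (768/1024-bit MODP)
# are too short for new deployments. These sets are the example's own choices.
WEAK_ENCRYPTION = {"des", "3des", "none"}
WEAK_AUTH = {"none", "md5"}
WEAK_DH_GROUPS = {"dh-group1", "dh-group2"}
MIN_PSK_LEN = 8  # assumption: a local policy threshold, not a value from the guide

# Commands that enter a configuration view, in the syntax used in this chapter.
VIEW_RE = re.compile(
    r"^(vam server vpn|vam client name|ipsec transform-set|ike peer|ipsec profile|interface tunnel)\s+(\S+)$"
)

# Constructed sample mixing settings shown in this chapter; not a device export.
SAMPLE_CONFIG = """\
vam server vpn 1
 pre-shared-key simple 123
 authentication-algorithm md5 sha-1
 encryption-algorithm des aes-128
 quit
vam client name dvpn1hub1
 pre-shared-key simple 123
 user dvpn1hub1 password simple dvpn1hub1
 quit
ipsec transform-set vam
 esp encryption-algorithm des
 esp authentication-algorithm sha1
 quit
ike peer vam
 pre-shared-key abcde
 quit
ipsec profile vamp
 transform-set vam
 ike-peer vam
 quit
ipsec profile vamp-pfs
 transform-set vam
 pfs dh-group2
 quit
"""


def audit_dvpn_config(config_text):
    """Return a list of (view, finding) tuples for weak settings in config_text."""
    findings = []
    view = "system-view"
    profiles_with_pfs = {}  # ipsec profile view -> True once a pfs command is seen
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VIEW_RE.match(line)
        if m:
            view = f"{m.group(1)} {m.group(2)}"
            if m.group(1) == "ipsec profile":
                profiles_with_pfs.setdefault(view, False)
            continue
        if line == "quit":
            view = "system-view"
            continue
        tokens = line.split()
        cmd = tokens[0]
        if cmd == "pre-shared-key":
            args = tokens[1:]
            if args and args[0] == "simple":
                findings.append((view, "pre-shared key stored in plaintext (simple)"))
                args = args[1:]
            # Length is only meaningful for a key given in the clear.
            if args and args[0] != "cipher" and len(args[-1]) < MIN_PSK_LEN:
                findings.append((view, f"pre-shared key shorter than {MIN_PSK_LEN} characters"))
        elif cmd == "authentication-algorithm":
            for prio, alg in enumerate(tokens[1:], start=1):
                if alg in WEAK_AUTH:
                    findings.append((view, f"weak authentication algorithm {alg} at priority {prio}"))
        elif cmd == "encryption-algorithm":
            for prio, alg in enumerate(tokens[1:], start=1):
                if alg in WEAK_ENCRYPTION:
                    findings.append((view, f"weak encryption algorithm {alg} at priority {prio}"))
        elif cmd == "esp" and len(tokens) >= 3:
            if tokens[1] == "encryption-algorithm" and tokens[2] in WEAK_ENCRYPTION:
                findings.append((view, f"weak ESP encryption algorithm {tokens[2]}"))
            if tokens[1] == "authentication-algorithm" and tokens[2] in WEAK_AUTH:
                findings.append((view, f"weak ESP authentication algorithm {tokens[2]}"))
        elif cmd == "pfs" and len(tokens) == 2:
            profiles_with_pfs[view] = True
            if tokens[1] in WEAK_DH_GROUPS:
                findings.append((view, f"short Diffie-Hellman group {tokens[1]} for PFS"))
        elif cmd == "user" and len(tokens) >= 5 and tokens[2] == "password":
            username, mode, password = tokens[1], tokens[3], tokens[4]
            if mode == "simple":
                findings.append((view, "local user password stored in plaintext (simple)"))
                if password == username:
                    findings.append((view, f"password of user {username} equals the username"))
    for profile, has_pfs in profiles_with_pfs.items():
        if not has_pfs:
            findings.append((profile, "PFS not enabled (the default)"))
    return findings


if __name__ == "__main__":
    for view, finding in audit_dvpn_config(SAMPLE_CONFIG):
        print(f"{view}: {finding}")
```

Run the script against a configuration exported from the device (or feed audit_dvpn_config the text directly); each finding names the view it was found in, so the corresponding command to adjust is the one documented in the matching section above.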
Figure 347 Network diagram
Device          Interface   IP address
Hub 1           GE0/1       192.168.1.1/24
                Tunnel1     10.0.1.1/24
                Tunnel2     10.0.2.1/24
Hub 2           GE0/1       192.168.1.2/24
                Tunnel1     10.0.1.2/24
                Tunnel2     10.0.2.2/24
Spoke 1         Eth1/1      192.168.1.3/24
                Eth1/2      10.0.3.1/24
                Tunnel1     10.0.1.3/24
Spoke 2         Eth1/1      192.168.1.4/24
                Eth1/2      10.0.4.1/24
                Eth1/3      10.0.6.1/24
                Tunnel1     10.0.1.4/24
                Tunnel2     10.0.2.4/24
Spoke 3         Eth1/1      192.168.1.5/24
                Eth1/2      10.0.5.1/24
                Tunnel2     10.0.2.3/24
Primary server  Eth1/1      192.
[PrimaryServer-isp-domain1] authorization dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] accounting dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] quit
[PrimaryServer] domain default enable domain1
3. Configure the VAM server:
# Specify the listening address of the server.
[PrimaryServer] vam server ip-address 192.168.1.22
# Create VPN domain 1.
[PrimaryServer] vam server vpn 1
# Set the pre-shared key to 123.
# Create a local user named dvpn1hub1, setting the password as dvpn1hub1.
[Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] client enable
[Hub1-vam-client-name-dvpn1hub1] quit
# Create a VAM client named dvpn2hub1 for VPN 2.
[Hub1] vam client name dvpn2hub1
[Hub1-vam-client-name-dvpn2hub1] vpn 2
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub1-vam-client-name-dvpn2hub1] server primary ip-address 192.168.1.
[Hub1-Tunnel2] tunnel-protocol dvpn gre
[Hub1-Tunnel2] vam client dvpn2hub1
[Hub1-Tunnel2] ip address 10.0.2.1 255.255.255.0
[Hub1-Tunnel2] source gigabitethernet 0/1
[Hub1-Tunnel2] ospf network-type broadcast
[Hub1-Tunnel2] ipsec profile vamp
[Hub1-Tunnel2] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Hub1] ospf 100
[Hub1-ospf-100] area 0
[Hub1-ospf-100-area-0.0.0.0] network 192.168.1.1 0.0.0.255
[Hub1-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private networks.
[Hub2-vam-client-name-dvpn2hub2] client enable
[Hub2-vam-client-name-dvpn2hub2] quit
3. Configure the IPsec profile:
# Configure the IPsec transform set.
[Hub2] ipsec transform-set vam
[Hub2-ipsec-transform-set-vam] encapsulation-mode tunnel
[Hub2-ipsec-transform-set-vam] transform esp
[Hub2-ipsec-transform-set-vam] esp encryption-algorithm des
[Hub2-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-vam] quit
# Configure the IKE peer.
# Configure OSPF for the private networks.
[Hub2] ospf 200
[Hub2-ospf-200] area 0
[Hub2-ospf-200-area-0.0.0.0] network 10.0.1.2 0.0.0.255
[Hub2-ospf-200-area-0.0.0.0] quit
[Hub2] ospf 300
[Hub2-ospf-300] area 0
[Hub2-ospf-300-area-0.0.0.0] network 10.0.2.2 0.0.0.255
Configuring Spoke 1
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
system-view
# Create a VAM client named dvpn1spoke1 for VPN 1.
[Spoke1-Tunnel1] tunnel-protocol dvpn udp
[Spoke1-Tunnel1] vam client dvpn1spoke1
[Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.0
[Spoke1-Tunnel1] source ethernet 1/1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] ipsec profile vamp
[Spoke1-Tunnel1] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Spoke1] ospf 100
[Spoke1-ospf-100] area 0
[Spoke1-ospf-100-area-0.0.0.0] network 192.168.1.3 0.0.0.255
[Spoke1-ospf-100-area-0.0.0.
3. Configure the IPsec profile:
# Configure the IPsec transform set.
[Spoke2] ipsec transform-set vam
[Spoke2-ipsec-transform-set-vam] encapsulation-mode tunnel
[Spoke2-ipsec-transform-set-vam] transform esp
[Spoke2-ipsec-transform-set-vam] esp encryption-algorithm des
[Spoke2-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-vam] quit
# Configure the IKE peer.
# Configure OSPF for the private networks.
[Spoke2] ospf 200
[Spoke2-ospf-200] area 0
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.1.4 0.0.0.255
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.4.1 0.0.0.255
[Spoke2-ospf-200-area-0.0.0.0] quit
[Spoke2] ospf 300
[Spoke2-ospf-300] area 0
[Spoke2-ospf-300-area-0.0.0.0] network 10.0.2.4 0.0.0.255
[Spoke2-ospf-300-area-0.0.0.0] network 10.0.6.1 0.0.0.255
Configuring Spoke 3
1. Configure IP addresses for the interfaces. (Details not shown.)
2.
# Configure tunnel interface Tunnel 2 for VPN 2. Tunnel 2 uses GRE for encapsulation.
[Spoke3] interface tunnel 2
[Spoke3-Tunnel2] tunnel-protocol dvpn gre
[Spoke3-Tunnel2] vam client dvpn2spoke3
[Spoke3-Tunnel2] ip address 10.0.2.3 255.255.255.0
[Spoke3-Tunnel2] source ethernet 1/1
[Spoke3-Tunnel2] ospf network-type broadcast
[Spoke3-Tunnel2] ospf dr-priority 0
[Spoke3-Tunnel2] ipsec profile vamp
[Spoke3-Tunnel2] quit
5. Configure OSPF:
# Configure OSPF for the public network.
10.0.1.2         192.168.1.2      hub      0H 50M 30S
10.0.1.3         192.168.1.3      spoke    0H 31M 24S
10.0.1.4         192.168.1.4      spoke    0H 22M 15S
VPN name: 2
Total address-map number: 4
Private-ip       Public-ip        Type     Holding time
10.0.2.1         192.168.1.1      hub      0H 54M 43S
10.0.2.2         192.168.1.2      hub      0H 49M 44S
10.0.2.3         192.168.1.5      spoke    0H 14M 24S
10.0.2.4         192.168.1.
        165 multicasts, 0 errors
Interface: Tunnel2
VPN name: 2
Total number: 3
Private IP: 10.0.2.2
Public IP: 192.168.1.2
Session type: hub-Hub
State: SUCCESS
Holding time: 0h 12m 10s
Input:  183 packets, 182 data packets, 0 multicasts, 0 errors
Output: 186 packets, 185 data packets, 155 multicasts, 1 control packets 0 errors
Private IP: 10.0.2.4
Public IP: 192.168.1.
        374 multicasts, 8 control packets 0 errors
Output: 384 packets, 376 data packets, 369 multicasts, 0 errors
Private IP: 10.0.1.2
Public IP: 192.168.1.2
Session type: spoke-Hub
State: SUCCESS
Holding time: 0h 21m 53s
Input:  251 packets, 249 data packets, 230 multicasts, 0 errors
Output: 252 packets, 240 data packets, 224 multicasts, 7 control packets 0 errors
Interface: Tunnel2
VPN name: 2
Private IP: 10.0.2.1
Public IP: 192.168.1.
--- 10.0.5.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/5 ms
# Display the DVPN tunnel information of interface Tunnel 2 on Spoke 2.
[Spoke2] display dvpn session interface tunnel 2
Interface: Tunnel2
VPN name: 2
Private IP: 10.0.2.1
Public IP: 192.168.1.
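The verification above checks by eye that the display vam server address-map output (documented in "Displaying and maintaining DVPN") lists every hub and spoke for each VPN. The following Python code is an added example, not part of this guide or of HP's software: it parses output in the layout shown above and compares it with the address plan of Figure 347, reporting clients that have not registered, clients registered from a public address other than the planned one, and registrations the plan does not contain. The sample output is constructed for the example; the 10.0.1.9, 192.168.1.77 and 192.168.1.9 addresses in it are deliberately wrong so that each check fires.

```python
import re

# Constructed sample in the layout of the display vam server address-map output
# shown in this chapter; illustrative values, not captured from a device.
SAMPLE_ADDRESS_MAP = """\
VPN name: 1
Total address-map number: 5
Private-ip       Public-ip        Type     Holding time
10.0.1.1         192.168.1.1      hub      0H 52M 10S
10.0.1.2         192.168.1.2      hub      0H 50M 30S
10.0.1.3         192.168.1.3      spoke    0H 31M 24S
10.0.1.4         192.168.1.4      spoke    0H 22M 15S
10.0.1.9         192.168.1.77     spoke    0H 00M 41S

VPN name: 2
Total address-map number: 3
Private-ip       Public-ip        Type     Holding time
10.0.2.1         192.168.1.1      hub      0H 54M 43S
10.0.2.2         192.168.1.2      hub      0H 49M 44S
10.0.2.3         192.168.1.9      spoke    0H 14M 24S
"""

# The address plan of Figure 347: {vpn: {private_ip: (public_ip, type)}}.
EXPECTED_PLAN = {
    "1": {
        "10.0.1.1": ("192.168.1.1", "hub"),
        "10.0.1.2": ("192.168.1.2", "hub"),
        "10.0.1.3": ("192.168.1.3", "spoke"),
        "10.0.1.4": ("192.168.1.4", "spoke"),
    },
    "2": {
        "10.0.2.1": ("192.168.1.1", "hub"),
        "10.0.2.2": ("192.168.1.2", "hub"),
        "10.0.2.3": ("192.168.1.5", "spoke"),
        "10.0.2.4": ("192.168.1.4", "spoke"),
    },
}

VPN_RE = re.compile(r"^VPN name:\s*(\S+)$")
ENTRY_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(hub|spoke)\s+(\d+)H\s+(\d+)M\s+(\d+)S$"
)


def parse_address_map(text):
    """Parse the output into {vpn: {private_ip: (public_ip, type, holding_seconds)}}."""
    result = {}
    vpn = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VPN_RE.match(line)
        if m:
            vpn = m.group(1)
            result[vpn] = {}
            continue
        m = ENTRY_RE.match(line)
        if m and vpn is not None:
            private_ip, public_ip, kind, h, mn, s = m.groups()
            holding = int(h) * 3600 + int(mn) * 60 + int(s)
            result[vpn][private_ip] = (public_ip, kind, holding)
    return result


def check_registrations(parsed, expected):
    """Compare parsed registrations with the plan; return a list of problem strings."""
    problems = []
    for vpn, plan in expected.items():
        seen = parsed.get(vpn, {})
        for private_ip, (public_ip, kind) in plan.items():
            entry = seen.get(private_ip)
            if entry is None:
                problems.append(f"VPN {vpn}: {private_ip} ({kind}) has not registered")
            elif (entry[0], entry[1]) != (public_ip, kind):
                problems.append(
                    f"VPN {vpn}: {private_ip} registered as {entry[1]} from {entry[0]}, "
                    f"expected {kind} from {public_ip}"
                )
        # A registration the plan does not know about deserves a look as well.
        for private_ip in sorted(seen.keys() - plan.keys()):
            problems.append(f"VPN {vpn}: unexpected registration {private_ip} from {seen[private_ip][0]}")
    return problems


def run_check(text=SAMPLE_ADDRESS_MAP, expected=EXPECTED_PLAN):
    """Parse the output and return the list of problems (empty when all is well)."""
    return check_registrations(parse_address_map(text), expected)


if __name__ == "__main__":
    for problem in run_check():
        print(problem)
```

Holding time is returned in seconds so that a caller can also flag an entry whose registration is much younger than its neighbours, which is worth a second look when nobody reconfigured that client.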
charge of VAM client authentication and accounting. The two hubs back each other up, and both perform data forwarding and routing information exchange. Create a permanent tunnel between each hub-spoke pair.
[PrimaryServer-isp-domain1] authentication dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] authorization dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] accounting dvpn radius-scheme radsun
[PrimaryServer-isp-domain1] quit
[PrimaryServer] domain default enable domain1
3. Configure the VAM server:
# Specify the listening address of the server.
[PrimaryServer] vam server ip-address 192.168.1.22
# Create VPN domain 1.
[PrimaryServer] vam server vpn 1
# Set the pre-shared key to 123.
[Hub1-ipsec-transform-set-vam] quit
# Configure the IKE peer.
[Hub1] ike peer vam
[Hub1-ike-peer-vam] pre-shared-key abcde
[Hub1-ike-peer-vam] quit
# Configure the IPsec profile.
[Hub1] ipsec profile vamp
[Hub1-ipsec-profile-vamp] transform-set vam
[Hub1-ipsec-profile-vamp] ike-peer vam
[Hub1-ipsec-profile-vamp] sa duration time-based 600
[Hub1-ipsec-profile-vamp] pfs dh-group2
[Hub1-ipsec-profile-vamp] quit
4. Configure DVPN tunnels:
# Configure tunnel interface Tunnel 1 for VPN 1.
system-view
# Create a VAM client named dvpn1hub2 for VPN 1.
[Hub2] vam client name dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] vpn 1
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123
# Create a local user named dvpn1hub2, setting the password as dvpn1hub2.
[Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.0
[Hub2-Tunnel1] source gigabitethernet 0/1
[Hub2-Tunnel1] ospf network-type p2mp
[Hub2-Tunnel1] ipsec profile vamp
[Hub2-Tunnel1] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Hub2] ospf 100
[Hub2-ospf-100] area 0
[Hub2-ospf-100-area-0.0.0.0] network 192.168.1.2 0.0.0.255
[Hub2-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private network.
[Hub2] ospf 200
[Hub2-ospf-200] area 0
[Hub2-ospf-200-area-0.0.0.0] network 10.0.1.2 0.0.0.
[Spoke1-ipsec-profile-vamp] ike-peer vam
[Spoke1-ipsec-profile-vamp] sa duration time-based 600
[Spoke1-ipsec-profile-vamp] pfs dh-group2
[Spoke1-ipsec-profile-vamp] quit
4. Configure the DVPN tunnel:
# Configure tunnel interface Tunnel 1 for VPN 1. To use UDP for tunnel encapsulation, perform the following configurations:
[Spoke1] interface tunnel 1
[Spoke1-Tunnel1] tunnel-protocol dvpn udp
[Spoke1-Tunnel1] vam client dvpn1spoke1
[Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.
[Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123
# Create a local user named dvpn1spoke2, setting the password as dvpn1spoke2.
[Spoke2-vam-client-name-dvpn1spoke2] user dvpn1spoke2 password simple dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] client enable
[Spoke2-vam-client-name-dvpn1spoke2] quit
3.
[Spoke2-Tunnel1] ipsec profile vamp
[Spoke2-Tunnel1] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Spoke2] ospf 100
[Spoke2-ospf-100] area 0
[Spoke2-ospf-100-area-0.0.0.0] network 192.168.1.4 0.0.0.255
[Spoke2-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private network.
[Spoke2] ospf 200
[Spoke2-ospf-200] area 0
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.1.4 0.0.0.255
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.3.1 0.0.0.
Holding time: 0h 1m 44s
Input:  101 packets, 100 data packets, 87 multicasts, 1 control packets 0 errors
Output: 106 packets, 99 data packets, 87 multicasts, 7 control packets 10 errors
Private IP: 10.0.1.3
Public IP: 192.168.1.3
Session type: hub-spoke
State: SUCCESS
Holding time: 0h 4m 32s
Input:  36 packets, 18 data packets, 10 multicasts, 0 errors
Output: 35 packets, 17 data packets, 11 multicasts, 18 control packets 0 errors
Private IP: 10.0.1.4
Public IP: 192.168.1.
Output: 252 packets, 240 data packets, 224 multicasts, 7 control packets 0 errors
The output shows that in VPN 1, Spoke 1 has established a permanent hub-spoke tunnel with each of Hub 1 and Hub 2. The DVPN tunnel information of Spoke 2 is similar to that of Spoke 1.
# On Spoke 1, ping the private address 10.0.3.1 of Spoke 2.
[Spoke1] ping 10.0.3.1
PING 10.0.3.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.1: bytes=56 Sequence=1 ttl=254 time=6 ms
Reply from 10.0.3.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device.