vpn config huawei


Upload: abdul-waheed-kashif

Post on 26-Sep-2015


DESCRIPTION

This contains Site to site configuration of Huawei Firewalls.

TRANSCRIPT

  • Site to Site VPN using GUI

    Item   Data
    USG_A  (1) Interface number: GigabitEthernet 0/0/1
           IP address: 10.1.1.1/24
           Zone: Trust
           (2) Interface number: GigabitEthernet 0/0/2
           IP address: 200.1.1.1/24
           Zone: Untrust
           IPSec configuration
           IKE version: V1 and V2
           IKE negotiation mode: main mode
           Local ID type of IKE: IP
           IKE pre-shared key: abcde
           IKE peer address: fixed IP address, 200.10.1.1
           IPSec encapsulation mode: Tunnel mode
           IPSec security protocol: ESP
    USG_B  (3) Interface number: GigabitEthernet 0/0/2
           IP address: 200.10.1.1/24
           Zone: Untrust
           (4) Interface number: GigabitEthernet 0/0/1
           IP address: 192.168.1.1/24
           Zone: Trust
           IPSec configuration
           IKE version: V1 and V2
           IKE negotiation mode: main mode
           Local ID type of IKE: IP
           IKE pre-shared key: abcde
           IKE peer address: fixed IP address, 200.1.1.1
           IPSec encapsulation mode: Tunnel mode
           IPSec security protocol: ESP

    Configure USG_A.

    Step#1

    1. Configure the basic parameters of the interfaces.
       a. Choose Network > Interface > Interface.
       b. In Interface List, click the edit icon of GE0/0/1.
       c. On the Modify GigabitEthernet Interface page, configure the following parameters:
          Zone: trust
          IP Address: 10.1.1.1
          Subnet Mask: 255.255.255.0
          Other parameters are set to the default values.
       d. Click Apply.
       e. In Interface List, click the edit icon of GE0/0/2.
       f. On the Modify GigabitEthernet Interface page, configure the following parameters:
          Zone: untrust
          IP Address: 200.1.1.1
          Subnet Mask: 255.255.255.0
          Other parameters are set to the default values.
       g. Click Apply.

    Step#2

    2. For the USG, configure interzone packet filtering to ensure normal network communication. For the USG BSR/HSR, this operation is not required.
       a. Configure the security policy between the Local zone and the Untrust zone.
          1. Choose Firewall > Security Policy > Local Policy.
          2. In Local Policy, click Add to configure the following parameters:
             Source Zone: untrust
             Source Address: 200.10.1.0/24
             Action: permit
          3. Click Apply.
       b. Configure the security policy between the Trust zone and the Untrust zone.
          1. Choose Firewall > Security Policy > Forward Policy.
          2. In Forward Policy List, click Add to configure the following parameters:
             Source Zone: trust
             Destination Zone: untrust
             Source Address: 10.1.1.0/24
             Destination Address: 192.168.1.0/24
             Action: permit
          3. Click Apply.
          4. Choose Firewall > Security Policy > Forward Policy.
          5. In Forward Policy List, click Add to configure the following parameters:
             Source Zone: untrust
             Destination Zone: trust
             Source Address: 192.168.1.0/24
             Destination Address: 10.1.1.0/24
             Action: permit
          6. Click Apply.

    Step#3

    3. Configure a static route from USG_A to network B, with the next-hop IP address of 200.1.1.2.
       a. Choose Route > Static > Static Route.
       b. In Static Route List, click Add.
       c. On the Add Static Route page, configure the following parameters:
          Destination Address: 192.168.1.0
          Mask: 255.255.255.0
          Next Hop: 200.1.1.2
          Other parameters are set to the default values.
       d. Click Apply.

    Step#4

    4. Configure IKE phase 1 and IKE phase 2.
       a. Choose VPN > IPSec > IKE Negotiation.
       b. Click Phase 1.
       c. Set IKE phase 1 parameters on the Add Phase 1 page, as shown in Figure 10-12. Among the parameters, Pre-Shared Key is set to abcde.
          Figure 10-12 Configuring IKE phase 1 of USG_A
       d. Click Apply.
       e. Click the icon of ike_a to create IKE phase 2.
       f. Configure IKE phase 2 parameters on the Add Phase 2 page, as shown in Figure 10-13.
          Figure 10-13 Configuring IKE phase 2 of USG_A
       g. Click Apply.

    Step#5

    5. Apply the IPSec policy.
       a. Choose VPN > IPSec > IPSec Policy.
       b. Click Add.
       c. On the Add IPSec Policy page, configure the data flows to be protected by the IPSec tunnel, as shown in Figure 10-14.
          Figure 10-14 Configuring on USG_A the data flows to be protected
       d. Click Apply.

    Step#6

    6. Bind the IPSec policy to interfaces.
       a. Choose VPN > IPSec > IPSec Policy.
       b. Click "Applied to interface: - NONE -" of policy1.
       c. Select GE0/0/2 from the drop-down list.
       d. Click Apply.

    Configure USG_B.

    Step#1

    1. Configure the basic parameters of the interfaces.
       a. Choose Network > Interface > Interface.
       b. In Interface List, click the edit icon of GE0/0/1.
       c. On the Modify GigabitEthernet Interface page, configure the following parameters:
          Zone: trust
          IP Address: 192.168.1.1
          Subnet Mask: 255.255.255.0
          Other parameters are set to the default values.
       d. Click Apply.
       e. In Interface List, click the edit icon of GE0/0/2.
       f. On the Modify GigabitEthernet Interface page, configure the following parameters:
          Zone: untrust
          IP Address: 200.10.1.1
          Subnet Mask: 255.255.255.0
          Other parameters are set to the default values.
       g. Click Apply.

    Step#2

    2. For the USG, configure interzone packet filtering to ensure normal network communication. For the USG BSR/HSR, this operation is not required.
       a. Configure the security policy between the Local zone and the Untrust zone.
          1. Choose Firewall > Security Policy > Local Policy.
          2. In Local Policy, click Add to configure the following parameters:
             Source Zone: untrust
             Source Address: 200.1.1.0/24
             Action: permit
          3. Click Apply.
       b. Configure the security policy between the Trust zone and the Untrust zone.
          1. Choose Firewall > Security Policy > Forward Policy.
          2. In Forward Policy List, click Add to configure the following parameters:
             Source Zone: trust
             Destination Zone: untrust
             Source Address: 192.168.1.0/24
             Destination Address: 10.1.1.0/24
             Action: permit
          3. Click Apply.
          4. Choose Firewall > Security Policy > Forward Policy.
          5. In Forward Policy List, click Add to configure the following parameters:
             Source Zone: untrust
             Destination Zone: trust
             Source Address: 10.1.1.0/24
             Destination Address: 192.168.1.0/24
             Action: permit
          6. Click Apply.

    Step#3

    3. Configure a static route from USG_B to network A, with the next-hop IP address of 200.10.1.2.
       a. Choose Route > Static > Static Route.
       b. In Static Route List, click Add.
       c. On the Add Static Route page, configure the following parameters:
          Destination Address: 10.1.1.0
          Mask: 255.255.255.0
          Next Hop: 200.10.1.2
          Other parameters are set to the default values.
       d. Click Apply.

    Step#4

    4. Configure IKE phase 1 and IKE phase 2.
       a. Choose VPN > IPSec > IKE Negotiation.
       b. Click Phase 1.
       c. Configure IKE phase 1 parameters on the Add Phase 1 page, as shown in Figure 10-15. Among the parameters, Pre-Shared Key is set to abcde.
          Figure 10-15 Configuring IKE phase 1 of USG_B
       d. Click Apply.
       e. Click the icon of ike_b to create IKE phase 2.
       f. Configure IKE phase 2 parameters on the Add Phase 2 page, as shown in Figure 10-16.
          Figure 10-16 Configuring IKE phase 2 of USG_B
       g. Click Apply.

    Step#5

    5. Apply the IPSec policy.
       a. Choose VPN > IPSec > IPSec Policy.
       b. Click Add.
       c. On the Add IPSec Policy page, configure the data flows to be protected by the IPSec tunnel, as shown in Figure 10-17.
          Figure 10-17 Configuring on USG_B the data flows to be protected
       d. Click Apply.

    Step#6

    6. Bind the IPSec policy to interfaces.
       a. Choose VPN > IPSec > IPSec Policy.
       b. Click "Applied to interface: - NONE -" of policy1.
       c. Select GE0/0/2 from the drop-down list.
       d. Click Apply.

    Configuration Verification

    1. After the configuration is complete, ping an IP address of network B from network A. The IP address can be pinged through successfully.
    2. Check the establishment of a security association (SA) on USG_A and USG_B. For example, on USG_A, if the following information is displayed, an IPSec tunnel is established successfully.
       a. Choose VPN > IPSec > Monitor.
       b. In IPSec Traffic Statistics, click Refresh to view traffic statistics of all IPSec tunnels, as shown in Figure 10-18.
          Figure 10-18 Viewing IPSec traffic statistics on USG_A
       c. In SA Monitoring, select IKE SA List and click Refresh to view information about the established IKE SA, as shown in Figure 10-19.
          Figure 10-19 Viewing information about IKE SA on USG_A
       d. In SA Monitoring, select IPSec SA List and click Refresh to view information about the established IPSec SA, as shown in Figure 10-20.
          Figure 10-20 Viewing information about IPSec SA on USG_A

  • Site to Site VPN Using CLI

    Item   Data
    USG_A  (1) Interface: GigabitEthernet 0/0/1
           IP address: 10.1.1.1/24
           (2) Interface: GigabitEthernet 0/0/2
           IP address: 202.38.163.1/24
           IPSec configuration
           Encapsulation mode: tunnel mode
           Security protocol: ESP
           ESP authentication algorithm: SHA1
           ESP encryption algorithm: AES
           IKE negotiation mode: main mode
           IKE pre-shared key: abcde
           IKE authentication type: IP
           IKE peer address: 202.38.169.1
           IKE version: IKEv2
    USG_B  (3) Interface: GigabitEthernet 0/0/2
           IP address: 202.38.169.1/24
           (4) Interface: GigabitEthernet 0/0/1
           IP address: 10.1.2.1/24
           IPSec configuration
           Encapsulation mode: tunnel mode
           Security protocol: ESP
           ESP authentication algorithm: SHA1
           ESP encryption algorithm: AES
           IKE negotiation mode: main mode
           IKE pre-shared key: abcde
           IKE authentication type: IP
           IKE peer address: 202.38.163.1
           IKE version: IKEv2

    Step#1

    For the USG, add interfaces to corresponding security zones and configure interzone packet filtering to ensure normal network communication. Details are omitted. For the USG BSR/HSR, these operations are not required.

    Step#2

    Set the IP addresses of interfaces as shown in Figure 10-5 and the table that follows. Details are omitted.

    Step#3

    Create an advanced ACL on USG_A and USG_B to define the data flow to be protected.

    # Create an ACL on USG_A to permit the traffic destined from 10.1.1.0/24 to 10.1.2.0/24.
    [USG_A] acl 3000
    [USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [USG_A-acl-adv-3000] quit

    # Create an ACL on USG_B to permit the traffic destined from 10.1.2.0/24 to 10.1.1.0/24.
    [USG_B] acl 3000
    [USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    [USG_B-acl-adv-3000] quit

    Step#4

    Create a static route on USG_A and USG_B.

    # Create on USG_A a static route to Network B, and set the next hop to 202.38.163.2.
    [USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2

    # Create on USG_B a static route to Network A, and set the next hop to 202.38.169.2.
    [USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2

    Step#5

    Configure an IPSec proposal on USG_A and USG_B.

    # Configure an IPSec proposal on USG_A.
    [USG_A] ipsec proposal tran1
    [USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
    # By default, the encapsulation mode is tunnel mode. If you use the default mode, skip the command for configuring the encapsulation mode.
    [USG_A-ipsec-proposal-tran1] transform esp
    [USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
    [USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
    [USG_A-ipsec-proposal-tran1] quit
    # By default, the security protocol is ESP, the ESP authentication algorithm is SHA1, and the ESP encryption algorithm is AES. If you use the default settings, skip the commands for configuring the security protocol, authentication algorithm, and encryption algorithm.

    # Configure an IPSec proposal on USG_B.
    [USG_B] ipsec proposal tran1
    [USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel
    # By default, the encapsulation mode is tunnel mode. If you use the default mode, skip the command for configuring the encapsulation mode.
    [USG_B-ipsec-proposal-tran1] transform esp
    [USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
    [USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
    [USG_B-ipsec-proposal-tran1] quit
    # By default, the security protocol is ESP, the ESP authentication algorithm is SHA1, and the ESP encryption algorithm is AES. If you use the default settings, skip the commands for configuring the security protocol, authentication algorithm, and encryption algorithm.

    Step#6

    Configure an IKE proposal on USG_A and USG_B.

    # Configure an IKE proposal on USG_A.
    [USG_A] ike proposal 10
    [USG_A-ike-proposal-10] authentication-method pre-share
    # The default IKE authentication method is pre-shared key authentication. If you choose to use the default IKE authentication method, skip the command for specifying the authentication method.
    [USG_A-ike-proposal-10] authentication-algorithm sha1
    # The default IKE authentication algorithm is SHA1. If you choose to use the default authentication algorithm, skip the command for specifying the authentication algorithm.
    [USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
    # The default IKE integrity algorithm is HMAC-SHA1-96. If you choose to use the default integrity algorithm, skip the command for specifying the integrity algorithm.
    [USG_A-ike-proposal-10] quit

    # Configure an IKE proposal on USG_B.
    [USG_B] ike proposal 10
    [USG_B-ike-proposal-10] authentication-method pre-share
    # The default IKE authentication method is pre-shared key authentication. If you choose to use the default IKE authentication method, skip the command for specifying the authentication method.
    [USG_B-ike-proposal-10] authentication-algorithm sha1
    # The default IKE authentication algorithm is SHA1. If you choose to use the default authentication algorithm, skip the command for specifying the authentication algorithm.
    [USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
    # The default IKE integrity algorithm is HMAC-SHA1-96. If you choose to use the default integrity algorithm, skip the command for specifying the integrity algorithm.
    [USG_B-ike-proposal-10] quit

    Step#7

    Configure the IKE peer.

    By default, IKE peers use IKEv2.

    # Configure the IKE peer on USG_A.
    [USG_A] ike peer b
    [USG_A-ike-peer-b] ike-proposal 10
    [USG_A-ike-peer-b] remote-address 202.38.169.1
    [USG_A-ike-peer-b] pre-shared-key abcde
    [USG_A-ike-peer-b] quit

    # Configure the IKE peer on USG_B.
    [USG_B] ike peer a
    [USG_B-ike-peer-a] ike-proposal 10
    [USG_B-ike-peer-a] remote-address 202.38.163.1
    [USG_B-ike-peer-a] pre-shared-key abcde
    [USG_B-ike-peer-a] quit

    Step#8

    Create an IPSec policy on USG_A and USG_B.

    # Create an IPSec policy on USG_A.
    [USG_A] ipsec policy map1 10 isakmp
    [USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
    [USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
    [USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
    [USG_A-ipsec-policy-isakmp-map1-10] quit

    # Create an IPSec policy on USG_B.
    [USG_B] ipsec policy map1 10 isakmp
    [USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
    [USG_B-ipsec-policy-isakmp-map1-10] proposal tran1
    [USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
    [USG_B-ipsec-policy-isakmp-map1-10] quit

    Step#9

    Apply the IPSec policies.

    # On USG_A, apply the IPSec policy on interface (2).
    [USG_A] interface GigabitEthernet 0/0/2
    [USG_A-GigabitEthernet0/0/2] ipsec policy map1

    # On USG_B, apply the IPSec policy on interface (3).
    [USG_B] interface GigabitEthernet 0/0/2
    [USG_B-GigabitEthernet0/0/2] ipsec policy map1

    Configuration Verification

    If the configurations are correct, Network A can ping network B, and after you run the display ike sa and display ipsec sa commands on USG_A and USG_B, the output indicates that the data is encrypted. Take USG_B as an example. If the following information is displayed, the IKE SA and IPSec SA are successfully established.
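Before running display ike sa, the two peers' settings can be cross-checked offline. The script below is an added example, not part of this guide or of Huawei's tooling: it parses the bracketed CLI prompts of a transcript constructed from the page's Steps 3, 5 and 7 (device names USG_A/USG_B and the GE0/0/2 addresses are taken from the parameter table) and reports the mismatches that most often keep a site-to-site tunnel down: an ACL that is not the mirror image of the peer's, differing pre-shared keys or ESP algorithms, and a remote-address that does not match the other side's GE0/0/2. The same mirror logic applies to the forward policies and data flows of the GUI procedure.

```python
import re
from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample: the page's USG_A/USG_B CLI lines (Steps 3, 5, 7) plus the GE0/0/2 addresses from its parameter table.
CLI = """\
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_B-ike-peer-a] remote-address 202.38.163.1
[USG_B-ike-peer-a] pre-shared-key abcde
"""
WAN = {"USG_A": "202.38.163.1/24", "USG_B": "202.38.169.1/24"}  # interfaces (2) and (3)
PROMPT = re.compile(r"^\[([^\]-]+)(?:-[^\]]*)?\]\s+(.+)$", re.M)  # [device-context] command

def wildcard_net(addr, wildcard):
    """Huawei 'address wildcard' pair (10.1.1.0 0.0.0.255) -> IPv4Network; contiguous wildcards only."""
    w = int(ip_address(wildcard))
    assert w & (w + 1) == 0, f"non-contiguous wildcard {wildcard} not supported"
    return ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def parse(text):
    """Collect, per device, the settings that must agree between the two IPSec peers."""
    cfg = {}
    for m in PROMPT.finditer(text):
        c, w = cfg.setdefault(m[1], {"esp": {}}), m[2].split()
        if w[:3] == ["rule", "permit", "ip"]:          # ACL: (source net, destination net)
            c["acl"] = (wildcard_net(w[4], w[5]), wildcard_net(w[7], w[8]))
        elif w[0] in ("remote-address", "pre-shared-key"):
            c[w[0]] = w[1]
        elif w[0] == "esp":                            # esp <algorithm-type> <algorithm>
            c["esp"][w[1]] = w[2]
    return cfg

def check_mirror(cfg, wan, a="USG_A", b="USG_B"):
    """Return the mismatches that would keep the tunnel down (empty list = consistent)."""
    A, B, ia, ib = cfg[a], cfg[b], ip_interface(wan[a]), ip_interface(wan[b])
    found = []
    if A["acl"] != B["acl"][::-1]:                     # B must protect the reverse flow of A
        found.append("ACL 3000 is not a mirror image")
    for key in ("pre-shared-key", "esp"):
        if A[key] != B[key]:
            found.append(f"{key} differs between peers")
    if (A["remote-address"], B["remote-address"]) != (str(ib.ip), str(ia.ip)):
        found.append("remote-address does not point at the other peer's GE0/0/2")
    return found
```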