Video source: Bilibili, "Qianyitang HCIP-HCIE Security, recorded in 2019"
While studying, I sorted out the teacher's course content and experiment notes and am sharing them with everyone. If there is any infringement, it will be deleted. Thank you for your support!
See also the summary post: Huawei Firewall Basic Self-Study Series | Summary - COCOgsta's Blog - CSDN Blog
Site to Site IPSec VPN Networking
A typical site-to-site (Site to Site) IPsec VPN topology
IPsec VPN networking: the communicating networks are 10.1.1.0/24 and 10.1.2.0/24 (the traffic of interest), and the encryption points are the external interface addresses of the two firewalls.
Switch: underlying Layer 2 bridge
Firewall network configuration
IPsec VPN security policy configuration flowchart
FW1 configure IPSec policy-1 (Web)
New IPsec policy
FW1 configure IPsec policy-2 (Web)
Fill in IPsec basic configuration
FW1 configure IPsec policy-3 (Web)
New stream of interest
FW1 configure IPsec policy-4 (Web)
Configure the security proposal; the defaults can be kept.
FW1 Configure security policy-1 (Web)
Create a new service [isakmp]: protocol UDP, destination port 500.
FW1 configures security policy-2 (Web)
Create a new security policy that permits the ESP and ISAKMP traffic between the two firewalls.
Permit the traffic of interest from the local side to the peer side.
FW1 configure IPsec-1 (CLI)
FW1 configure ACL
FW1 configure ike Proposal
FW1 configure IKE Peer
FW1 configure IPsec-2 (CLI)
FW1 configure IPsec proposal
FW1 configure IPsec policy
FW1 call IPsec policy
FW1 call IPsec policy
FW1 call IPsec policy
FW1 Configure security policy (CLI)
FW2 Configure IPsec policy-1 (Web)
Create a new IPsec policy and fill in the basic IPsec configuration.
FW2 configure IPsec policy-2 (Web)
Configure the security proposal; the defaults can be kept.
FW2 Configure security policy-1 (Web)
Create a new service [isakmp]: protocol UDP, destination port 500.
Create a new security policy that permits the ESP and ISAKMP traffic between the two firewalls.
Permit the traffic of interest from the local side to the peer side.
FW2 configure IPsec-1 (CLI)
FW2 configure ACL
FW2 configure IKE Proposal
FW2 configure IKE Peer
FW2 configure IPsec-2 (CLI)
FW2 configure IPsec proposal
FW2 configure IPsec policy
FW2 call IPsec policy
FW2 call IPsec policy
FW2 Configure security policy (CLI)
FW1 View IPsec status (Web)
Click [Monitoring] to view the IPsec negotiation status.
IPsec communication network test
Ping the address of PC2 from PC1 to test the connectivity of the traffic of interest.
FW1 view IKE SA
FW1 view IPsec SA
FW1 view encryption and decryption counters
Experiment
SW1
```
interface Ethernet0/0/4
 description Link_FW1_G0/0/0
 port link-type access
 port default vlan 16
interface Ethernet0/0/8
 description Link_FW2_G0/0/0
 port link-type access
 port default vlan 16
interface Ethernet0/0/21
 description Link_HCNP_MGMT
 port link-type access
 port default vlan 16
interface Ethernet0/0/1
 description Link_FW1_G0/0/1
 port link-type access
 port default vlan 10
interface Ethernet0/0/9
 description Link_HCNP_Dot1x(PC1)
 port link-type access
 port default vlan 10
interface Ethernet0/0/5
 description Link_FW2_G0/0/1
 port link-type access
 port default vlan 20
interface Ethernet0/0/24
 description Link_HCNP_VPN_Client(PC2)
 port link-type access
 port default vlan 20
interface Ethernet0/0/2
 description Link_FW1_G0/0/2
 port link-type access
 port default vlan 40
interface Ethernet0/0/23
 description Link_HCNP_Untrust
 port link-type access
 port default vlan 40
interface Ethernet0/0/6
 description Link_FW2_G0/0/2
 port link-type access
 port default vlan 40
```
FW1
```
int g0/0/0
 ip address 192.168.0.10 24
int g0/0/1
 ip address 10.1.1.10 24
int g0/0/2
 ip address 202.100.1.10 24
firewall zone trust
 add int g0/0/1
firewall zone untrust
 add int g0/0/2
ip route-static 0.0.0.0 0.0.0.0 202.100.1.11
ike proposal 10
 encryption-algorithm aes-192
 authentication-algorithm md5
ike peer fw2
 exchange-mode main
 pre-shared-key Huawei@123
 ike-proposal 10
 remote-address 202.100.1.11
 undo version 2
acl 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ipsec proposal 10
 encapsulation-mode tunnel
 esp encryption-algorithm des
 esp authentication-algorithm sha1
ipsec policy ipsec_policy 10 isakmp
 security acl 3000
 ike-peer fw2
 proposal 10
int g0/0/2
 ipsec policy ipsec_policy
```
FW2
```
int g0/0/0
 ip address 192.168.0.11 24
int g0/0/1
 ip address 10.1.2.10 24
int g0/0/2
 ip address 202.100.1.11 24
 service-manage ping permit
firewall zone untrust
 add int g0/0/2
firewall zone trust
 add int g0/0/1
ip route-static 0.0.0.0 0.0.0.0 202.100.1.10
ike proposal 10
 encryption-algorithm aes-192
 authentication-algorithm md5
ike peer fw1
 exchange-mode main
 pre-shared-key Huawei@123
 ike-proposal 10
 remote-address 202.100.1.10
 undo version 2
acl 3000
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec proposal 10
 encapsulation-mode tunnel
 esp encryption-algorithm des
 esp authentication-algorithm sha1
ipsec policy ipsec_policy 10 isakmp
 security acl 3000
 ike-peer fw1
 proposal 10
int g0/0/2
 ipsec policy ipsec_policy
```
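The two CLI configurations above only bring the tunnel up if they mirror each other: same IKE proposal, same pre-shared key, each remote-address pointing at the other side's external interface, and ACL 3000 with source and destination swapped. The following script is an added example (not from the course or the firewalls) that checks those pairings on constructed excerpts of the FW1/FW2 configs and also flags the DES/MD5/SHA1 choices that the lab keeps at their defaults; the directive names are assumed to be the ones shown on this page.

```python
import re
# Constructed excerpts of the FW1/FW2 CLI configs shown on this page, reduced to the
# directives this check reads ("ip address" here is the external interface g0/0/2).
FW1_CFG = """\
 ip address 202.100.1.10 24
 encryption-algorithm aes-192
 authentication-algorithm md5
 pre-shared-key Huawei@123
 remote-address 202.100.1.11
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 esp encryption-algorithm des
 esp authentication-algorithm sha1
"""
FW2_CFG = """\
 ip address 202.100.1.11 24
 encryption-algorithm aes-192
 authentication-algorithm md5
 pre-shared-key Huawei@123
 remote-address 202.100.1.10
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
 esp encryption-algorithm des
 esp authentication-algorithm sha1
"""
PATTERNS = {  # one regex per directive; the ^ anchors keep IKE lines distinct from "esp ..." lines
    "ext_ip": r"^\s*ip address (\S+)", "ike_enc": r"^\s*encryption-algorithm (\S+)",
    "ike_auth": r"^\s*authentication-algorithm (\S+)", "psk": r"pre-shared-key (\S+)",
    "remote": r"remote-address (\S+)", "esp_enc": r"esp encryption-algorithm (\S+)",
    "esp_auth": r"esp authentication-algorithm (\S+)",
    "acl": r"rule permit ip source (\S+ \S+) destination (\S+ \S+)",
}
WEAK = {"des", "3des", "md5", "sha1"}  # still negotiable on these boxes, no longer fit for purpose
def parse(cfg):  # directive -> value; the ACL yields a (source, destination) pair
    out = {}
    for key, pat in PATTERNS.items():
        m = re.search(pat, cfg, re.M)
        if m:
            out[key] = m.groups() if key == "acl" else m.group(1)
    return out
def check_peering(cfg_a, cfg_b):  # (errors, warnings): errors break negotiation, warnings are weak crypto
    a, b = parse(cfg_a), parse(cfg_b)
    errors = []
    for k in ("ike_enc", "ike_auth", "psk", "esp_enc", "esp_auth"):  # must be identical on both peers
        if a.get(k) != b.get(k):
            errors.append(f"{k} mismatch: {a.get(k)} vs {b.get(k)}")
    if a.get("remote") != b.get("ext_ip") or b.get("remote") != a.get("ext_ip"):
        errors.append("remote-address does not match the peer's external interface address")
    if a.get("acl") != tuple(reversed(b.get("acl", ()))):  # traffic of interest must be mirrored
        errors.append("traffic of interest (ACL 3000) is not mirrored between the peers")
    warnings = [f"{k} uses weak algorithm {a[k]}" for k in ("ike_enc", "ike_auth", "esp_enc", "esp_auth") if a.get(k) in WEAK]
    return errors, warnings
```

Run against the page's values the check reports no errors but three weak-algorithm warnings (md5, des, sha1); a changed pre-shared key or an un-mirrored ACL on one side shows up as an error before any time is spent on live negotiation debugging.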
View
In an IPsec policy without auto-neg configured, you first have to trigger the IPsec tunnel establishment by pinging from the PC. (This assumes the firewall security policies have already been configured: for example, local-untrust must permit ISAKMP and ESP, and trust-untrust must permit all traffic between the addresses of interest.)