Typical configuration of IKEv2-based IPsec tunnels across VPN instances

H3C F1000-AI-90 and Cisco FTD 3120 establish an IPSec tunnel based on the Tunnel interface:

#

ip vpn-instance 2               // Extranet VPN

#

ip vpn-instance 1              // Intranet VPN

#

vlan 985

#

interface Vlan-interface985     // Interface for connecting to the external network

 ip binding vpn-instance 2

 ip address 2.2.2.1 255.255.255.0

#

interface Ten-GigabitEthernet1/0/14

 port link-mode bridge

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 985

 port link-aggregation group 14

#

interface Ten-GigabitEthernet1/0/15

 port link-mode bridge

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 985

 port link-aggregation group 14

#

interface Tunnel100 mode ipsec

 ip binding vpn-instance 1

 ip address 3.3.3.1 255.255.255.252

 source 2.2.2.1

 destination 2.2.2.2

 tunnel vpn-instance 2                            // Use tunnel vpn-instance to specify a VPN instance for the destination address of a tunnel interface.

 tunnel protection ipsec profile TEST

 ipsec no-nat-process enable

#

security-zone name Untrust                           // Add interfaces to the security zone

 import interface Vlan-interface985

 import interface Bridge-Aggregation14 985

#

 ip route-static vpn-instance 1 172.XX.56.0 24 3.3.3.2     //Specify the next hop of the route to the peer private network as the peer tunnel port address

#

ipsec transform-set TEST_IPv4_100

 esp encryption-algorithm aes-cbc-256

 esp authentication-algorithm sha256

 pfs dh-group14

#

ipsec profile TEST isakmp

 transform-set TEST_IPv4_100

 ikev2-profile TEST_IPv4_100

#

ikev2 keychain TEST_IPv4_100

 peer 1

  address 2.2.2.2 255.255.255.255

  identity address 2.2.2.2

  pre-shared-key ciphertext $c$3$9nGFCpgHMn/ZgDKXbG3UZITNYc7oCmvZJRoLp2BzO3w=

#

ikev2 profile TEST_IPv4_100

 authentication-method local pre-share

 authentication-method remote pre-share

 keychain TEST_IPv4_100

 identity local address 2.2.2.1

 match vrf name 2

 match remote identity address 2.2.2.2 255.255.255.255

#

ikev2 proposal TEST

 encryption aes-cbc-256 aes-ctr-256

 integrity sha256

 dh group20

#

ikev2 policy TEST

 match vrf name 2

 proposal TEST

 match local address 2.2.2.1

#

security-policy ip

 rule 25 name local_trust_2

  action pass

  vrf 2

  source-zone Local

  source-zone Trust

  destination-zone Trust

  destination-zone Local

 rule 26 name local_untrust_2

  action pass

  vrf 2

  source-zone Local

  source-zone Untrust

  destination-zone Untrust

  destination-zone Local

 rule 27 name trust_untrust_2

  action pass

  vrf 2

  source-zone Trust

  source-zone Untrust

  destination-zone Untrust

  destination-zone Trust

 rule 41 name local_trust_1

  action pass

  vrf 1

  source-zone Local

  source-zone Trust

  destination-zone Trust

  destination-zone Local

 rule 42 name local_untrust_1

  action pass

  vrf 1

  source-zone Local

  source-zone Untrust

  destination-zone Untrust

  destination-zone Local

 rule 43 name trust_untrust_1

  action pass

  vrf 1

  source-zone Trust

  source-zone Untrust

  destination-zone Untrust

  destination-zone Trust

#

1. Add VPN instances to the security policy (one for each of the internal network port VPN and the external network port VPN)

2. Specify the VPN instance to which the tunnel destination address belongs under the tunnel interface (external network port VPN)

3. Configure VPN routing (bind the tunnel to the internal network port VPN, and directly specify the tunnel destination address as the next hop)

4. Configure VPN (external network port VPN) in the ikev2 profile

5. Configure VPN (external network port VPN) in the ikev2 policy