F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100
Configuration example
Network requirements
As shown in Figure 71, a private IPv4 network and a public IPv4 network are separated by an IPv6
network.
Build a DS-lite tunnel between CPE (Firewall A) and AFTR (Firewall B) and configure NAT on AFTR's
interface connecting to the public IPv4 network, so that hosts in the private IPv4 network can access the
public IPv4 network and hosts from different private IPv4 networks can use the same IPv4 addresses.
In the IPv6 network, deploy a DHCPv6 server (Firewall C) for CPE to obtain AFTR's IPv6 address.
Figure 71 Network diagram
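The requirement that hosts in different private IPv4 networks can reuse the same IPv4 addresses holds because the AFTR keys each NAT binding on the CPE's tunnel IPv6 address as well as the inner IPv4 address and port. The following Python model is an added illustration, not part of the HP guide or the device's implementation; the `Aftr` class, the second CPE address 1::3, the host address 10.0.0.1 and the public address 203.0.113.1 are constructed for the example, and protocol numbers are ignored.

```python
import ipaddress

class Aftr:
    """Toy AFTR NAT table; models the binding key only, not packet handling."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_flow = {}   # (CPE IPv6, private IPv4, private port) -> public port
        self.by_port = {}   # public port -> same key, for return traffic and logs

    def outbound(self, cpe_v6, src_v4, src_port):
        """Translate an inner IPv4 flow that arrived over a CPE's tunnel."""
        key = (str(ipaddress.IPv6Address(cpe_v6)),
               str(ipaddress.IPv4Address(src_v4)), src_port)
        if key not in self.by_flow:
            if self.next_port > 65535:
                raise RuntimeError("public port pool exhausted")
            self.by_flow[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.by_flow[key]

    def inbound(self, public_port):
        """Return the (CPE IPv6, private IPv4, private port) owning a public port."""
        return self.by_port.get(public_port)


def demo():
    # Constructed values: 203.0.113.1 (AFTR public side), 1::3 (second CPE),
    # 10.0.0.1 (host). 1::1 is Firewall A's tunnel-side address on this page.
    aftr = Aftr("203.0.113.1")
    a = aftr.outbound("1::1", "10.0.0.1", 40000)
    b = aftr.outbound("1::3", "10.0.0.1", 40000)   # same private IP and port
    return a, b, aftr.inbound(a[1]), aftr.inbound(b[1])


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Because many subscribers share one public address, attributing a connection afterwards requires the public port together with the CPE IPv6 address from the binding, not the private IPv4 address alone.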
Configuration procedure
Before you configure a DS-lite tunnel, make sure Firewall A and Firewall B can reach each other.
In this example, Firewall A and Firewall C are in the same network segment. Otherwise, you must deploy
a DHCPv6 relay agent between them. DHCPv6 relay agents are beyond the scope of this document. For
more information about DHCPv6, see Network Management Configuration Guide.
• Configure Firewall A (the CPE):
# Enable IPv6.
<FirewallA> system-view
[FirewallA] ipv6
# Configure an IPv4 address for interface GigabitEthernet 0/1.
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ip address 10.0.0.2 255.255.255.0
[FirewallA-GigabitEthernet0/1] quit
# Configure an IPv6 address for interface GigabitEthernet 0/2 (the physical interface of the
tunnel).
[FirewallA] interface GigabitEthernet0/2
[FirewallA-GigabitEthernet0/2] ipv6 address 1::1 64
[FirewallA-GigabitEthernet0/2] quit
# Create interface Tunnel 1.
[FirewallA] interface tunnel 1
# Configure an IPv4 address for interface Tunnel 1.
[FirewallA-Tunnel1] ip address 30.1.2.1 255.255.255.0
# Specify the tunnel encapsulation mode as IPv4 over IPv6.
[FirewallA-Tunnel1] tunnel-protocol ipv4-ipv6 dslite-cpe