F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100
• Configure an IPsec tunnel between Device A and Device B to protect traffic between the headquarters subnet 10.1.1.0/24 and the branch subnet 10.1.2.0/24.
• Configure the tunnel to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm SHA-1. (These are the algorithms used by this example; DES is no longer considered secure and a production deployment should choose a stronger cipher such as AES if the device offers it.)
• Enable IPsec RRI on Device A, so that Device A automatically creates a static route from the headquarters to the branch subnet when the IPsec SA is established. Specify the next hop as 2.2.2.2.
Figure 119 Network diagram
Configuring Device A
1. Assign IP addresses to the interfaces and then add them to the target zones. (Details not shown.)
2. Define ACL 3101 to permit packets from subnet 10.1.1.0/24 to subnet 10.1.2.0/24. This ACL identifies the traffic the IPsec tunnel protects; Device B needs the mirror-image ACL, with source and destination swapped.
   a. Select Firewall > ACL from the navigation tree.
   b. Click Add.
   c. On the page that appears, enter the ACL number 3101, select the match order Config, and click Apply.
   Figure 120 Creating ACL 3101
   d. From the ACL list, select ACL 3101 and click the icon.
   e. Click Add.
   f. On the page that appears, select Permit from the Operation list, select Source IP Address and enter 10.1.1.0 and 0.0.0.255 in the following fields, select Destination IP Address and enter 10.1.2.0 and 0.0.0.255 in the following fields, and click Apply. (0.0.0.255 is a wildcard mask, the bitwise inverse of the /24 netmask: the zero bits must match, the one bits are ignored.)
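As an added example (not part of the HP guide or its web UI), the following Python models the rule just created in step f: wildcard-mask matching, the Config match order, and the mirror-image ACL that Device B has to carry. The sample flows and the Internet address 203.0.113.5 are constructed for the example; the host addresses come from Figure 119.

```python
"""Model of the Comware-style advanced ACL the page builds through the web UI."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class AclRule:
    """One advanced-ACL rule: an action plus 'address + wildcard mask' pairs."""
    action: str          # "permit" or "deny"
    src: str             # e.g. "10.1.1.0"
    src_wildcard: str    # e.g. "0.0.0.255" (0 bits must match, 1 bits are ignored)
    dst: str
    dst_wildcard: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, wildcard: str, candidate: str) -> bool:
    """Wildcard-mask comparison: a wildcard is the bitwise inverse of a netmask,
    so 0.0.0.255 means 'the first 24 bits must equal addr'. Bit operations keep
    this correct even for non-contiguous wildcards, which ipaddress would reject."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(candidate) & care) == (_ip(addr) & care)


def acl_lookup(rules: Sequence[AclRule], src_ip: str, dst_ip: str) -> Optional[str]:
    """Evaluate an ACL in Config match order: rules are tried in the order they
    were entered and the first hit decides. None means no rule matched, i.e. the
    packet is not 'interesting traffic' for the IPsec policy referencing the ACL."""
    for rule in rules:
        if (wildcard_match(rule.src, rule.src_wildcard, src_ip)
                and wildcard_match(rule.dst, rule.dst_wildcard, dst_ip)):
            return rule.action
    return None


def mirror(rules: Sequence[AclRule]) -> list:
    """Swap source and destination of every rule: the ACL the peer must configure."""
    return [AclRule(r.action, r.dst, r.dst_wildcard, r.src, r.src_wildcard) for r in rules]


def peers_are_mirrored(local: Sequence[AclRule], remote: Sequence[AclRule]) -> bool:
    """Pre-flight check: selectors that are not mirror images on the two ends are a
    common reason a tunnel negotiates but carries no traffic."""
    return list(remote) == mirror(local)


# Step f on the page: ACL 3101 on Device A (headquarters -> branch).
DEVICE_A_ACL_3101 = [AclRule("permit", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")]
# The corresponding ACL Device B needs (branch -> headquarters).
DEVICE_B_ACL_3101 = mirror(DEVICE_A_ACL_3101)

# Constructed sample flows (Host A and Host B from Figure 119; 203.0.113.5 is an
# arbitrary Internet host chosen for this example).
SAMPLE_FLOWS = [
    ("10.1.1.2", "10.1.2.2"),     # Host A -> Host B
    ("10.1.2.2", "10.1.1.2"),     # Host B -> Host A
    ("10.1.1.2", "203.0.113.5"),  # Host A -> Internet, not protected
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src:>12} -> {dst:<12} Device A: {acl_lookup(DEVICE_A_ACL_3101, src, dst)!s:6} "
              f"Device B: {acl_lookup(DEVICE_B_ACL_3101, src, dst)}")
    print("selectors mirrored:", peers_are_mirrored(DEVICE_A_ACL_3101, DEVICE_B_ACL_3101))
```

Run it to see that Host A to Host B is permitted on Device A but not on Device B, that the reverse flow is permitted only on Device B, and that Internet-bound traffic matches on neither side, so it leaves the tunnel alone. The peers_are_mirrored check is the one to run against both devices' ACLs before debugging a tunnel that comes up but passes nothing.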
(Figure 119 address plan, recovered from the diagram labels)
Site          Device    Interface  Address       Host
Headquarters  Device A  GE0/0      10.1.1.1/24   Host A 10.1.1.2/24
              Device A  GE0/1      2.2.2.1/24    (to Internet)
Branch        Device B  GE0/0      10.1.2.1/24   Host B 10.1.2.2/24
              Device B  GE0/1      2.2.3.1/24    (to Internet)