F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

# Apply the IPsec transform set.
[FirewallB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Apply the IKE peer.
[FirewallB-ipsec-policy-isakmp-use1-10] ike-peer peer
[FirewallB-ipsec-policy-isakmp-use1-10] quit
# Configure the IP address for GigabitEthernet 0/2.
[FirewallB] interface gigabitethernet 0/2
[FirewallB-GigabitEthernet0/2] ip address 2.2.3.1 255.255.255.0
# Apply the IPsec policy group to the interface.
[FirewallB-GigabitEthernet0/2] ipsec policy use1
3. Verify the configuration:
After the configuration, IKE negotiation will be triggered to set up SAs when there is traffic between
subnet 10.1.1.0/24 and subnet 10.1.2.0/24. If IKE negotiation is successful and SAs are set up,
the traffic between the two subnets will be IPsec protected.
IPsec with IPsec tunnel interfaces configuration example
Network requirements
As shown in Figure 129, the gateway of the branch accesses the Internet through a dial-up line and
obtains its IP address dynamically. The headquarters accesses the Internet by using a fixed IP address.
Configure an IPsec tunnel to protect the traffic between the branch and the headquarters. Make sure the
IPsec configuration of the headquarters' gateway remains relatively stable despite changes to the
branch's private IP address segment.
Figure 129 Network diagram
Configuration considerations
Configure an IPsec tunnel interface on each firewall and configure a static route on each firewall to route
the packets destined for the peer to the IPsec tunnel interface for IPsec protection.
Configuration procedure
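The route-based design above relies on the routing table, not on an ACL, to decide which packets enter the tunnel. Two things are worth checking before enabling it: every peer private subnet must resolve (by longest prefix match) to the tunnel interface, and the tunnel's own destination (the headquarters' public address 1.1.1.1 from the diagram) must not resolve to the tunnel interface, otherwise the encapsulated packets are routed back into the tunnel (recursive routing) and the tunnel never comes up. The following Python checker is an added example, not code from the HP guide; it assumes 192.168.1.0/24 is the branch subnet and 172.17.17.0/24 the headquarters subnet (the diagram shows both but does not label which is which), assumes GigabitEthernet0/1 as the LAN-side interface, and the three routing tables are constructed for the example.

```python
"""Sanity checks for route-based IPsec (tunnel interface + static route).

Added example; addresses come from the guide's Figure 129, the routing
tables and the LAN interface name are constructed for illustration.
"""
from ipaddress import ip_address, ip_network


def lookup(routes, dst):
    """Longest-prefix-match lookup over (prefix, egress interface) pairs.

    Returns the egress interface for dst, or None if no route matches.
    """
    addr = ip_address(dst)
    best_iface, best_len = None, -1
    for prefix, iface in routes:
        net = ip_network(prefix, strict=False)
        if addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def check_tunnel_routing(routes, protected_subnets, tunnel_iface, tunnel_dst):
    """Return a list of problems; an empty list means the table is sane.

    Check 1: each peer private subnet must egress via the tunnel interface,
             otherwise that traffic leaves the firewall unprotected.
    Check 2: the tunnel destination (peer public address) must NOT egress via
             the tunnel interface, otherwise routing is recursive.
    """
    problems = []
    for subnet in protected_subnets:
        # Probe with the first host address of the remote subnet.
        probe = str(ip_network(subnet, strict=False).network_address + 1)
        egress = lookup(routes, probe)
        if egress != tunnel_iface:
            problems.append(f"{subnet} -> {egress}: would leave unprotected")
    if lookup(routes, tunnel_dst) == tunnel_iface:
        problems.append(f"tunnel destination {tunnel_dst} -> {tunnel_iface}: recursive routing")
    return problems


# Branch gateway (Firewall A) view: dynamic public address on GE0/2,
# tunnel destination is the headquarters' fixed address 1.1.1.1.
TUNNEL_IFACE = "Tunnel1"
HQ_PUBLIC = "1.1.1.1"
HQ_PRIVATE = ["172.17.17.0/24"]   # assumed headquarters LAN

# Constructed: correct table, as the guide's static-route approach intends.
BRANCH_ROUTES_GOOD = [
    ("0.0.0.0/0", "GigabitEthernet0/2"),         # Internet via the dial-up interface
    ("192.168.1.0/24", "GigabitEthernet0/1"),    # assumed local LAN (branch)
    ("10.1.1.0/24", "Tunnel1"),                  # connected route of the tunnel interface
    ("172.17.17.0/24", "Tunnel1"),               # headquarters LAN through the IPsec tunnel
]

# Constructed: "send everything through the VPN" default route swallows the
# tunnel endpoint itself.
BRANCH_ROUTES_DEFAULT_VIA_TUNNEL = [
    ("0.0.0.0/0", "Tunnel1"),
    ("192.168.1.0/24", "GigabitEthernet0/1"),
]

# Constructed: the static route to the peer subnet was forgotten.
BRANCH_ROUTES_MISSING = [
    ("0.0.0.0/0", "GigabitEthernet0/2"),
    ("192.168.1.0/24", "GigabitEthernet0/1"),
]


def audit(routes):
    """Run both checks against the branch-side parameters above."""
    return check_tunnel_routing(routes, HQ_PRIVATE, TUNNEL_IFACE, HQ_PUBLIC)


if __name__ == "__main__":
    for name, table in [("good", BRANCH_ROUTES_GOOD),
                        ("default-via-tunnel", BRANCH_ROUTES_DEFAULT_VIA_TUNNEL),
                        ("missing-route", BRANCH_ROUTES_MISSING)]:
        print(name, audit(table) or "OK")
```

The same two checks apply on the headquarters side with the roles swapped; because the branch subnet is only referenced by a static route there, changing the branch's private segment means editing one route entry and leaves the headquarters' IPsec profile and IKE peer untouched, which is the stability property the network requirements ask for.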
1. Configure Firewall A:
# Name the local gateway firewalla.
<FirewallA> system-view
[FirewallA] ike local-name firewalla
# Configure an IKE peer named atob. As the local peer obtains the IP address automatically, set
the IKE negotiation mode to aggressive.
[Figure 129 residue: Branch (Firewall A, GE0/2 to the Internet, Tunnel1) and Headquarters (Firewall B, GE0/2 1.1.1.1/24, Tunnel1) joined by an IPsec tunnel across the Internet; Tunnel1 addresses 10.1.1.1/24 and 10.1.1.2/24; private subnets shown: 172.17.17.0/24 and 192.168.1.0/24]