F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

# Create an IPsec policy that uses IKE, naming it map1 and setting its sequence number to 10.
[FirewallA] ipsec policy map1 10 isakmp
# Reference IPsec transform set tran1.
[FirewallA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Reference ACL 3101.
[FirewallA-ipsec-policy-isakmp-map1-10] security acl 3101
# Reference IKE peer branch.
[FirewallA-ipsec-policy-isakmp-map1-10] ike-peer branch
[FirewallA-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy group map1 to interface GigabitEthernet0/2.
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] ipsec policy map1
[FirewallA-GigabitEthernet0/2] quit
# Enable IPsec stateful failover.
[FirewallA] ipsec synchronization enable
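With Firewall A configured, a consistency check across the failover pair is useful before Firewall B is brought up. The following Python script is an added example, not part of this guide: it parses Comware-style CLI transcripts like the ones above, extracts each device's VRRP groups, IPsec policy ACL and ipsec synchronization enable state, and reports mismatches between the two members of a stateful failover pair. The transcripts FIREWALL_A and FIREWALL_B, the prompt regex and the default VRRP priority of 100 are assumptions constructed for this example.

```python
import re

# One Comware-style prompt line, e.g. "[FirewallB-GigabitEthernet0/2] vrrp vrid 2 priority 110".
# Assumes device names contain no '-' (true for FirewallA and FirewallB); the view name may.
PROMPT_RE = re.compile(r"^\[(?P<dev>[^\]-]+)(?:-(?P<ctx>[^\]]+))?\]\s*(?P<cmd>.+)$")

def parse_transcript(text):
    """Collect VRRP groups, the IPsec policy ACL and the failover sync flag from a transcript."""
    info = {"vrrp": {}, "ipsec_sync": False, "policy_acl": None}
    for line in text.splitlines():
        m = PROMPT_RE.match(line.strip())
        if not m:
            continue  # '#' comments, user-view prompts such as <FirewallB>, blank lines
        ctx, cmd = m.group("ctx"), m.group("cmd").split()
        if cmd[:2] == ["vrrp", "vrid"] and ctx and len(cmd) >= 5:
            # VRRP default priority is 100 (assumed when no 'priority' command is seen)
            grp = info["vrrp"].setdefault(int(cmd[2]), {"iface": ctx, "priority": 100})
            if cmd[3] == "virtual-ip":
                grp["virtual_ip"] = cmd[4]
            elif cmd[3] == "priority":
                grp["priority"] = int(cmd[4])
        elif cmd[:3] == ["ipsec", "synchronization", "enable"]:
            info["ipsec_sync"] = True
        elif cmd[:2] == ["security", "acl"]:
            info["policy_acl"] = cmd[2]
    return info

def check_failover_pair(dev_a, dev_b):
    """Return findings for a stateful failover pair; an empty list means the pair is consistent."""
    findings = []
    if not (dev_a["ipsec_sync"] and dev_b["ipsec_sync"]):
        findings.append("ipsec synchronization enable is missing on one device")
    if dev_a["vrrp"].keys() != dev_b["vrrp"].keys():
        findings.append("the two devices do not define the same VRRP groups")
    for vrid in dev_a["vrrp"].keys() & dev_b["vrrp"].keys():
        a, b = dev_a["vrrp"][vrid], dev_b["vrrp"][vrid]
        if a.get("virtual_ip") != b.get("virtual_ip"):
            findings.append(f"vrid {vrid}: virtual IP addresses differ")
        if a["priority"] == b["priority"]:
            findings.append(f"vrid {vrid}: equal priorities, no deterministic master")
    if dev_a["policy_acl"] != dev_b["policy_acl"]:
        findings.append("IPsec policies reference different ACLs")
    return findings

# Constructed transcripts modelled on this guide; Firewall B deliberately
# omits 'ipsec synchronization enable' so the check has something to report.
FIREWALL_A = """[FirewallA-GigabitEthernet0/1] vrrp vrid 1 virtual-ip 10.1.1.1
[FirewallA-ipsec-policy-isakmp-map1-10] security acl 3101
[FirewallA] ipsec synchronization enable"""
FIREWALL_B = """[FirewallB-GigabitEthernet0/1] vrrp vrid 1 virtual-ip 10.1.1.1
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 priority 110
[FirewallB-ipsec-policy-isakmp-map1-10] security acl 3101"""
```

Run check_failover_pair(parse_transcript(FIREWALL_A), parse_transcript(FIREWALL_B)) against real session captures from both devices once Firewall B is configured; an empty result is the expected state.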
Configuring Firewall B
1. Configure stateful failover:
# Log in to the Web interface of Firewall B and configure stateful failover. The required configuration is the same as the configuration on Firewall A, except that you must leave the Main Device for Configuration Synchronization and Auto Synchronization options cleared on the Stateful Failover Configuration page. See Figure 133 and Figure 134.
2. Configure VRRP:
# Create VRRP group 1 and assign a virtual IP address to the group.
<FirewallB> system-view
[FirewallB] interface gigabitethernet 0/1
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 virtual-ip 10.1.1.1
# Set the priority of Firewall B in VRRP group 1 to 110.
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 priority 110
# Configure Firewall B to operate in preemption mode in VRRP group 1 and set the preemption delay to 0 seconds. The default setting is the same. This step is optional.
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 preempt-mode timer delay 0
[FirewallB-GigabitEthernet0/1] quit
# Create VRRP group 2 and assign a virtual IP address to the group.
[FirewallB] interface gigabitethernet 0/2
[FirewallB-GigabitEthernet0/2] vrrp vrid 2 virtual-ip 192.168.0.1
# Set the priority of Firewall B in VRRP group 2 to 110.
[FirewallB-GigabitEthernet0/2] vrrp vrid 2 priority 110
# Configure Firewall B to operate in preemption mode in VRRP group 2 and set the preemption delay to 0 seconds. The default setting is the same. This step is optional.
[FirewallB-GigabitEthernet0/2] vrrp vrid 2 preempt-mode timer delay 0
[FirewallB-GigabitEthernet0/2] quit
3. Configure IPsec and enable IPsec stateful failover:
# Create ACL 3101, and add a rule to permit traffic from subnet 10.1.1.0/24 to subnet 10.2.2.0/24.
[FirewallB] acl number 3101