R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

• If you configure a source interface for a tunnel interface, the tunnel interface takes the primary IP

address of the source interface as its source address.

• You can enable or disable the checksum function at both ends of the tunnel as needed. If the

checksum function is enabled at the local end but not at the remote end, the local end calculates the

checksum of a packet to be sent but does not check the checksum of a received packet. Contrarily,

if the checksum function is enabled at the remote end but not at the local end, the local end checks

the checksum of a received packet but does not calculate the checksum of a packet to be sent.

• When configuring a route through the tunnel, you are not allowed to set up a static route whose

destination address is in the subnet of the tunnel interface. Instead, you can do one of the following:

{ Configure a static route, using the address of the network segment that the original packet is

destined for as its destination address and the address of the peer tunnel interface as its next

hop.

{ Enable a dynamic routing protocol on both the tunnel interface and the router interface

connecting the private network, so that the dynamic routing protocol can establish a routing

entry that allows the tunnel to forward packets through the tunnel.

Configuration prerequisites

On each of the peer devices, configure an IP address for the interface to be used as the source interface

of the tunnel interface (which can be a, for example, VLAN interface, Ethernet interface, or loopback

interface), and make sure that this interface can normally communicate with the interface used as the

source interface of the tunnel interface on the peer device.

Configuration procedure

Follow these steps to configure a GRE over IPv4 tunnel:

To do… Use the command…

Remarks

Enter system view system-view —

Create a tunnel interface and enter

tunnel interface view

interface tunnel interface-number

Required

By default, the firewall has no

tunnel interface.

Configure an IPv4 address for the

tunnel interface

ip address ip-address { mask |

mask-length }

Required

By default, a tunnel interface has

no IPv4 address.

Set the tunnel mode to GRE over

IPv4

tunnel-protocol gre

Optional

You must configure the same tunnel

mode on both ends of a tunnel.

Otherwise, packet delivery will

fail.

Configure the source address or

interface for the tunnel interface

source { ip-address | interface-type

interface-number }

Required

By default, no source address or

interface is configured for a tunnel

interface.

Configure the destination address

for the tunnel interface

destination ip-address

Required

By default, no destination address

is configured for a tunnel interface.

Enable GRE keepalive and set the

interval and the maximum number

of transmission attempts

keepalive [ seconds [ times ] ]

Optional

Disabled by default