R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

# Configure a static route to Host A.
[FirewallB] ip route-static 10.1.1.0 255.255.255.0 serial 2/2
# Create an IPsec proposal named tran1.
[FirewallB] ipsec proposal tran1
# Specify the encapsulation mode as tunnel.
[FirewallB-ipsec-proposal-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[FirewallB-ipsec-proposal-tran1] transform esp
# Specify the algorithms for the proposal.
[FirewallB-ipsec-proposal-tran1] esp encryption-algorithm des
[FirewallB-ipsec-proposal-tran1] esp authentication-algorithm sha1
[FirewallB-ipsec-proposal-tran1] quit
# Configure the IKE peer.
[FirewallB] ike peer peer
[FirewallB-ike-peer-peer] pre-shared-key abcde
[FirewallB-ike-peer-peer] remote-address 2.2.2.1
[FirewallB-ike-peer-peer] quit
# Create an IPsec policy that uses IKE for IPsec SA negotiation.
[FirewallB] ipsec policy use1 10 isakmp
# Apply the ACL.
[FirewallB-ipsec-policy-isakmp-use1-10] security acl 3101
# Apply the IPsec proposal.
[FirewallB-ipsec-policy-isakmp-use1-10] proposal tran1
# Apply the IKE peer.
[FirewallB-ipsec-policy-isakmp-use1-10] ike-peer peer
[FirewallB-ipsec-policy-isakmp-use1-10] quit
# Configure the IP address of the serial interface.
[FirewallB] interface GigabitEthernet 0/2
[FirewallB-GigabitEthernet 0/2] ip address 2.2.3.1 255.255.255.0
# Apply the IPsec policy group to the interface.
[FirewallB-GigabitEthernet 0/2] ipsec policy use1
After the configuration, IKE negotiation will be triggered to set up SAs when there is traffic between
subnet 10.1.1.0/24 and subnet 10.1.2.0/24. If IKE negotiation is successful and SAs are set up, the traffic
between the two subnets will be IPsec protected.
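The proposal above encrypts with DES, and the IKE peer uses the five-character pre-shared key abcde; both are settings worth catching in review before a configuration like this is deployed. The following Python script is an added example, not part of the HP guide: it scans a pasted CLI transcript for those two settings. The audit function, the MIN_PSK_LEN threshold of 20 characters, and the treatment of a cipher keyword are assumptions.

```python
import re

# Constructed sample: FirewallB commands copied from the example above.
SAMPLE = """\
[FirewallB] ipsec proposal tran1
[FirewallB-ipsec-proposal-tran1] encapsulation-mode tunnel
[FirewallB-ipsec-proposal-tran1] transform esp
[FirewallB-ipsec-proposal-tran1] esp encryption-algorithm des
[FirewallB-ipsec-proposal-tran1] esp authentication-algorithm sha1
[FirewallB-ipsec-proposal-tran1] quit
[FirewallB] ike peer peer
[FirewallB-ike-peer-peer] pre-shared-key abcde
[FirewallB-ike-peer-peer] remote-address 2.2.2.1
"""

# "[view] command" lines; "# ..." description lines do not match.
LINE = re.compile(r"^\[(?P<view>[^\]]+)\]\s+(?P<cmd>.+?)\s*$")
MIN_PSK_LEN = 20  # assumption: local policy threshold, not a value from the guide


def audit(transcript):
    """Return (line_no, view, finding) tuples for weak IPsec/IKE settings."""
    findings = []
    for no, raw in enumerate(transcript.splitlines(), 1):
        m = LINE.match(raw)
        if not m:
            continue
        view, words = m["view"], m["cmd"].split()
        if words[:3] == ["esp", "encryption-algorithm", "des"]:
            findings.append((no, view, "ESP uses DES (56-bit key)"))
        elif words[:1] == ["pre-shared-key"] and len(words) >= 2:
            # Assumption: a "cipher" keyword marks an encrypted key string,
            # whose length says nothing about the real key, so skip it.
            if "cipher" in words[1:-1]:
                continue
            key_len = len(words[-1])
            if key_len < MIN_PSK_LEN:
                # Report the length only; never echo the key itself.
                findings.append((no, view, f"pre-shared key is only {key_len} characters"))
    return findings


if __name__ == "__main__":
    for no, view, msg in audit(SAMPLE):
        print(f"line {no} [{view}]: {msg}")
```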
Example for configuring IPsec with IPsec tunnel interfaces
Network requirements
As shown in Figure 53, the gateway of the branch accesses the Internet through a dial-up line and
obtains its IP address dynamically, while the headquarters accesses the Internet by using a fixed IP address.
Configure an IPsec tunnel to protect the traffic between the branch and the headquarters. Make sure that
the IPsec configuration of the headquarters' gateway remains relatively stable despite changes to the
branch's private IP address segment.