R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: IP
dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: IP
[inbound ESP SAs]
spi: 1974923076 (0x75b6ef44)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3503
max received sequence-number: 5
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2364632148 (0x8cf16c54)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3503
max sent sequence-number: 6
udp encapsulation used for nat traversal: N
On Firewall B, ping the IP address of the interface on Firewall A that connects to the branch.
[FirewallB] ping -a 192.168.1.1 172.17.17.1
PING 172.17.17.1: 56 data bytes, press CTRL_C to break
Reply from 172.17.17.1: bytes=56 Sequence=1 ttl=255 time=15 ms
Reply from 172.17.17.1: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 172.17.17.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 172.17.17.1: bytes=56 Sequence=4 ttl=255 time=5 ms
Reply from 172.17.17.1: bytes=56 Sequence=5 ttl=255 time=4 ms
--- 172.17.17.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/8/15 ms
Similarly, you can view the information on Firewall A. (Omitted)
IPsec configuration guidelines
When configuring IPsec, follow these guidelines:
• Typically, IKE uses UDP port 500 for communication, and AH and ESP use protocol numbers 51 and 50, respectively. Make sure that flows of these protocols are not denied on the interfaces where IKE or IPsec is configured.
• If you enable both IPsec and QoS on an interface, QoS may put the traffic of a single IPsec SA into different queues, causing some packets to be sent out of order. Because IPsec performs anti-replay checking, inbound packets that fall outside the anti-replay window may be discarded, resulting in packet loss. When using IPsec together with QoS, ensure that both use the same classification rules. IPsec classification rules depend on the referenced ACL rules.
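
The interaction between QoS reordering and the anti-replay window described above, as an added example that is not part of the original guide: a sliding-window check in the style used for ESP, with the window size of 32 taken from the SA output shown earlier. The class and function names are hypothetical, and the traffic model (every tenth packet of the SA placed in a slower queue) is constructed for illustration.

```python
# Added illustration (not from the vendor guide): ESP-style sliding-window
# anti-replay check and the effect of QoS reordering on a single SA.

class AntiReplayWindow:
    """Receiver-side window; size 32 matches 'anti-replay window size: 32'."""

    def __init__(self, size=32):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        # Assumption: the packet has already passed ESP integrity verification.
        if seq == 0:
            return "drop-invalid"            # ESP sequence numbers start at 1
        if seq > self.top:                   # advances the right edge
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "drop-too-old"            # left of the window
        if self.bitmap & (1 << offset):
            return "drop-replay"             # duplicate inside the window
        self.bitmap |= 1 << offset
        return "accept"


def arrival_order(n, delay):
    """Constructed model: every 10th packet of the SA is classified into a
    slower QoS queue and arrives `delay` packet-times late."""
    return sorted(range(1, n + 1),
                  key=lambda s: s + delay + 0.5 if s % 10 == 0 else s)


def simulate(n, delay, size=32):
    """Return the sequence numbers the receiver discards."""
    window = AntiReplayWindow(size)
    return [s for s in arrival_order(n, delay)
            if window.check_and_update(s) != "accept"]


if __name__ == "__main__":
    print("delay 5 :", simulate(100, 5))    # reordering stays inside the window
    print("delay 40:", simulate(100, 40))   # late packets fall left of the window
```

With a delay smaller than the window, reordered packets are still accepted; once the slow queue lags by 32 or more sequence numbers, legitimate packets are discarded as too old, which is the packet loss the guideline warns about.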