R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

IKE configuration examples at the CLI
Main mode IKE with pre-shared key authentication configuration example
Network requirements
As shown in Figure 93, configure an IPsec tunnel that uses IKE negotiation between Firewall A and
Firewall B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
For Firewall A, configure an IKE proposal that uses the sequence number 10 and authentication
algorithm MD5. Leave Firewall B with only the default IKE proposal. Configure the two firewalls to use the
pre-shared key authentication method. This example uses MD5 (and, in the IPsec proposal below, DES) only to
keep the configuration short; both are weak by current standards, so in production use stronger algorithms
such as AES and SHA-256 where the device supports them, and choose a long, random pre-shared key.
Figure 93 Network diagram
Configuring Firewall A
Make sure that Firewall A and Firewall B can reach each other.
# Configure ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<FirewallA> system-view
[FirewallA] acl number 3101
[FirewallA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[FirewallA-acl-adv-3101] quit
# Create IPsec proposal tran1.
[FirewallA] ipsec proposal tran1
# Set the packet encapsulation mode to tunnel.
[FirewallA-ipsec-proposal-tran1] encapsulation-mode tunnel
# Use security protocol ESP.
[FirewallA-ipsec-proposal-tran1] transform esp
# Specify encryption and authentication methods.
[FirewallA-ipsec-proposal-tran1] esp encryption-algorithm des
[FirewallA-ipsec-proposal-tran1] esp authentication-algorithm sha1
[FirewallA-ipsec-proposal-tran1] quit
# Create IKE peer peer.
[FirewallA] ike peer peer
Figure 93 addressing (recovered from the diagram labels): Host A 10.1.1.2/24 sits behind Firewall A (GE0/2 10.1.1.1/24, GE0/1 1.1.1.1/16); Host B 10.1.2.2/24 sits behind Firewall B (GE0/2 10.1.2.1/24, GE0/1 2.2.2.2/16). The two GE0/1 interfaces face each other across the IP network.
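The commands above are typed one at a time on each firewall, and the most common mistakes are a mis-derived wildcard mask, an ACL on Firewall B that is not the mirror image of the one on Firewall A, and ESP algorithms that differ between the two sides. As an added example (not part of the HP guide and not vendor code), the following Python script renders the Firewall A command lines from this page for either side and cross-checks the pair before anything is pasted in. The Peer type and the function names are this example's own; the DES/SHA-1 defaults reproduce the page and should be changed for production; the pre-shared key and the remaining IKE peer settings are not on this page and are deliberately left out of the model.

```python
"""Render and cross-check the two peers' settings for the main-mode,
pre-shared-key example.  Added example: not HP/H3C code; Peer, render and
peers_consistent are this example's own helper names."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List


def wildcard(cidr: str) -> str:
    """Return '<network> <wildcard>' in the form Comware ACL rules expect.

    The wildcard is the inverted netmask (0.0.0.255 for a /24), which is
    what ipaddress calls the hostmask.  strict=True makes a host address
    such as 10.1.1.2/24 raise ValueError instead of being silently
    accepted; a rule written with host bits set does not select the
    subnet the operator intended.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.hostmask}"


def acl_rule(src_cidr: str, dst_cidr: str) -> str:
    """Build the advanced-ACL rule that selects the traffic to protect."""
    return (f"rule permit ip source {wildcard(src_cidr)} "
            f"destination {wildcard(dst_cidr)}")


_RULE_RE = re.compile(
    r"^rule permit ip source (\S+) (\S+) destination (\S+) (\S+)$")


def is_mirror(rule_local: str, rule_remote: str) -> bool:
    """True when the remote rule is the exact reverse of the local rule.

    The two ACLs are the IPsec traffic selectors; unless they mirror each
    other the tunnel either fails to negotiate or protects only one
    direction.
    """
    m_local, m_remote = _RULE_RE.match(rule_local), _RULE_RE.match(rule_remote)
    if not (m_local and m_remote):
        return False
    src, src_wc, dst, dst_wc = m_local.groups()
    r_src, r_src_wc, r_dst, r_dst_wc = m_remote.groups()
    return (src, src_wc, dst, dst_wc) == (r_dst, r_dst_wc, r_src, r_src_wc)


@dataclass(frozen=True)
class Peer:
    """One firewall's side of the tunnel (hypothetical helper type)."""
    name: str                  # sysname, e.g. FirewallA
    local_subnet: str          # protected subnet behind this firewall
    remote_subnet: str         # protected subnet behind the other firewall
    acl: int = 3101            # advanced ACL number (3000-3999 on Comware)
    proposal: str = "tran1"
    ike_peer: str = "peer"
    encryption: str = "des"    # as on the page; use AES in production
    authentication: str = "sha1"


def render(peer: Peer) -> List[str]:
    """Emit the CLI lines shown on the page for one side, without prompts."""
    if not 3000 <= peer.acl <= 3999:
        # Only advanced ACLs (3000-3999) match on both source and destination.
        raise ValueError("source/destination rules need an advanced ACL (3000-3999)")
    return [
        "system-view",
        f"acl number {peer.acl}",
        acl_rule(peer.local_subnet, peer.remote_subnet),
        "quit",
        f"ipsec proposal {peer.proposal}",
        "encapsulation-mode tunnel",
        "transform esp",
        f"esp encryption-algorithm {peer.encryption}",
        f"esp authentication-algorithm {peer.authentication}",
        "quit",
        f"ike peer {peer.ike_peer}",
    ]


def peers_consistent(a: Peer, b: Peer) -> bool:
    """Pre-paste check: mirrored ACL rules and identical ESP algorithms,
    since IKE phase 2 cannot match otherwise."""
    return (is_mirror(acl_rule(a.local_subnet, a.remote_subnet),
                      acl_rule(b.local_subnet, b.remote_subnet))
            and a.encryption == b.encryption
            and a.authentication == b.authentication)


if __name__ == "__main__":
    fw_a = Peer("FirewallA", "10.1.1.0/24", "10.1.2.0/24")
    fw_b = Peer("FirewallB", "10.1.2.0/24", "10.1.1.0/24")
    assert peers_consistent(fw_a, fw_b)
    for p in (fw_a, fw_b):
        print(f"--- {p.name}")
        print("\n".join(render(p)))
```

Run it once with both Peer objects filled in from Figure 93; if peers_consistent returns False, fix the subnets or algorithms before touching the firewalls rather than debugging a failed IKE negotiation afterwards.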