Manualshelf

R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
141142143144145146147148149150
141
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3590
max received sequence-number: 4
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 89389742 (0x553faae)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3590
max received sequence-number: 5
udp encapsulation used for nat traversal: N
Aggressive mode IKE with NAT traversal configuration
example
Network requirements
As shown in Figure 94, the branch and the headquarters connect to an ATM network through a router
and a firewall, respectively. The router connects to the public network through an ADSL line and acts as
the PPPoE client. The interface connecting to the public network uses a private address dynamically
assigned by the ISP. The Firewall uses a fixed public IP address for the interface connected to the public
network.
Configure IPsec tunnels between the router and Firewall to protect traffic between the branch and its
headquarters. Use IKE to establish the IPsec tunnels.
Figure 94 Network diagram
Configuration considerations
The IKE negotiation mode must be aggressive because Router uses a dynamic IP address.
Configure NAT traversal at both ends of the IPsec tunnel because one end of the tunnel uses a public
IP address but the other end uses a private IP address.
Configuring the Firewall
# Specify a name for the local security gateway.
<Firewall> system-view
[Firewall] ike local-name Firewall
# Configure an ACL.