R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
[FirewallB-ipsec-policy-isakmp-use1-10] ike-peer peer
[FirewallB-ipsec-policy-isakmp-use1-10] quit
# Configure the IP address of the GigabitEthernet interface.
[FirewallB] interface gigabitethernet 0/2
[FirewallB-GigabitEthernet0/2] ip address 2.2.3.1 255.255.255.0
# Apply the IPsec policy group to the interface.
[FirewallB-GigabitEthernet0/2] ipsec policy use1
Verifying the configuration
After the configuration, IKE negotiation will be triggered to set up SAs when there is traffic between
subnet 10.1.1.0/24 and subnet 10.1.2.0/24. If IKE negotiation is successful and SAs are set up, the traffic
between the two subnets will be IPsec protected.
IPsec with IPsec tunnel interfaces configuration example
Network requirements
As shown in Figure 128, the gateway of the branch accesses the Internet through a dial-up line and
obtains the IP address dynamically. The headquarters accesses the Internet by using a fixed IP address.
Configure an IPsec tunnel to protect the traffic between the branch and the headquarters. Make sure that
the IPsec configuration of the headquarters' gateway remains relatively stable despite changes to the
branch's private IP address segment.
Figure 128 Network diagram
Configuration considerations
To meet the requirements, configure an IPsec tunnel interface on each Firewall and configure a static
route on each Firewall that sends packets destined for the peer to the IPsec tunnel interface for IPsec
protection.
Configuring Firewall A
# Name the local gateway Firewalla.
<FirewallA> system-view
[FirewallA] ike local-name Firewalla
# Configure an IKE peer named atob. As the local peer obtains the IP address automatically, set the IKE
negotiation mode to aggressive.
[FirewallA] ike peer atob
[FirewallA-ike-peer-atob] exchange-mode aggressive
[FirewallA-ike-peer-atob] pre-shared-key simple aabb
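An added example, not part of the guide: a small Python check that reads configuration commands in the prompt style this guide uses and flags settings worth reviewing (a pre-shared key stored with the `simple` keyword, aggressive mode combined with a PSK) as well as dangling references between an interface, its IPsec policy and the IKE peer. The transcript, device name, peer and policy names and the key are constructed placeholders.

```python
import re
from typing import List

# A Comware-style prompt: "[Device-context] command"
PROMPT = re.compile(r"^\[([^\]]+)\] (.+)$")

# Constructed transcript in the guide's prompt style (placeholders, not guide values).
SAMPLE = """\
[FirewallA] ike peer atob
[FirewallA-ike-peer-atob] exchange-mode aggressive
[FirewallA-ike-peer-atob] pre-shared-key simple aabb
[FirewallA-ike-peer-atob] quit
[FirewallA] ipsec policy use1 10 isakmp
[FirewallA-ipsec-policy-isakmp-use1-10] ike-peer atob
[FirewallA-ipsec-policy-isakmp-use1-10] quit
[FirewallA] ipsec policy use2 10 isakmp
[FirewallA-ipsec-policy-isakmp-use2-10] ike-peer btoa
[FirewallA-ipsec-policy-isakmp-use2-10] quit
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] ipsec policy use3
"""

def audit(transcript: str) -> List[str]:
    """Return one finding per issue in the IKE/IPsec commands of a prompt-style transcript."""
    peers, policy_peer, applied = {}, {}, {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        ctx, cmd = m.groups()
        if (p := re.search(r"-ike-peer-(.+)$", ctx)):            # inside "ike peer NAME"
            key, _, val = cmd.partition(" ")
            peers.setdefault(p.group(1), {})[key] = val
        elif (p := re.search(r"-ipsec-policy-isakmp-(.+)-\d+$", ctx)) and cmd.startswith("ike-peer "):
            policy_peer[p.group(1)] = cmd.split()[1]             # policy -> referenced peer
        elif cmd.startswith("ipsec policy ") and len(cmd.split()) == 3:
            applied[ctx.split("-", 1)[1]] = cmd.split()[2]       # interface -> applied policy
    findings = []
    for name, s in peers.items():
        psk = s.get("pre-shared-key", "")
        if psk.startswith("simple "):
            findings.append(f"ike peer {name}: pre-shared key stored in plaintext (simple)")
        if s.get("exchange-mode") == "aggressive" and psk:
            findings.append(f"ike peer {name}: IKEv1 aggressive mode sends the PSK-based hash "
                            "unencrypted; the key must be long and random")
    for pol, peer in policy_peer.items():
        if peer not in peers:
            findings.append(f"ipsec policy {pol}: references undefined ike peer {peer}")
    for ifname, pol in applied.items():
        if pol not in policy_peer:
            findings.append(f"interface {ifname}: applies undefined ipsec policy {pol}")
    return findings
```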