R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
# Set the pre-shared key.
[FirewallB-ike-peer-peer] pre-shared-key abcde
# Specify the IP address of the peer security gateway.
[FirewallB-ike-peer-peer] remote-address 1.1.1.1
[FirewallB-ike-peer-peer] quit
# Create an IPsec policy that uses IKE.
[FirewallB] ipsec policy use1 10 isakmp
# Reference ACL 3101 to identify the protected traffic.
[FirewallB-ipsec-policy-isakmp-use1-10] security acl 3101
# Reference IPsec proposal tran1.
[FirewallB-ipsec-policy-isakmp-use1-10] proposal tran1
# Reference IKE peer peer.
[FirewallB-ipsec-policy-isakmp-use1-10] ike-peer peer
[FirewallB-ipsec-policy-isakmp-use1-10] quit
# Apply IPsec policy use1 to interface GigabitEthernet 0/1.
[FirewallB] interface gigabitethernet 0/1
[FirewallB-GigabitEthernet0/1] ipsec policy use1
Verifying the configuration
# Send traffic from subnet 10.5.5.0/24 to subnet 10.4.4.0/24 or from subnet 10.4.4.0/24 to 10.5.5.0/24. IKE negotiation is triggered to establish IPsec SAs between Firewall A and Firewall B.
# Display the routing table on Firewall A.
[FirewallA] display ip routing-table
Routing Tables: Public
        Destinations : 8        Routes : 8
Destination/Mask    Proto  Pre  Cost  NextHop         Interface
1.1.0.0/16          Direct 0    0     1.1.1.1         GE0/1
1.1.1.1/32          Direct 0    0     127.0.0.1       InLoop0
2.2.2.0/24          Static 60   0     1.1.1.2         GE0/1
10.4.4.0/24         Direct 0    0     10.4.4.1        GE0/2
10.4.4.4/32         Direct 0    0     127.0.0.1       InLoop0
10.5.5.0/24         Static 60   0     1.1.1.2         GE0/1
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0
The output shows that IPsec RRI has created a static route to subnet 10.5.5.0/24 with the next hop 1.1.1.2.
# Delete the IPsec SAs. The static route is automatically deleted.
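The verification step above can be automated. The following Python is an added example, not part of the HP guide: it parses the display ip routing-table output and reports whether the RRI static route to 10.5.5.0/24 via 1.1.1.2 is present, so the same check confirms that the route disappears once the IPsec SAs are deleted. The second routing table is constructed to represent the post-deletion state.

```python
"""Parse Comware 'display ip routing-table' output and report whether the
IPsec RRI static route to the branch subnet is present. Added example, not
from the HP guide; subnet and next hop are the ones used in this example."""
import re

# Constructed copy of the 'display ip routing-table' output shown above.
ROUTING_TABLE_UP = """\
Routing Tables: Public
        Destinations : 8        Routes : 8
Destination/Mask    Proto  Pre  Cost  NextHop         Interface
1.1.0.0/16          Direct 0    0     1.1.1.1         GE0/1
1.1.1.1/32          Direct 0    0     127.0.0.1       InLoop0
2.2.2.0/24          Static 60   0     1.1.1.2         GE0/1
10.4.4.0/24         Direct 0    0     10.4.4.1        GE0/2
10.4.4.4/32         Direct 0    0     127.0.0.1       InLoop0
10.5.5.0/24         Static 60   0     1.1.1.2         GE0/1
127.0.0.0/8         Direct 0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1       InLoop0
"""

# Constructed: the same table after the IPsec SAs are deleted and RRI
# withdraws the route to 10.5.5.0/24.
ROUTING_TABLE_DOWN = "\n".join(
    l for l in ROUTING_TABLE_UP.splitlines() if not l.startswith("10.5.5.0/24"))

# One route entry: Destination/Mask Proto Pre Cost NextHop Interface
ROUTE_RE = re.compile(
    r"^(?P<dest>\d+(?:\.\d+){3}/\d+)\s+(?P<proto>\w+)\s+(?P<pre>\d+)\s+"
    r"(?P<cost>\d+)\s+(?P<nexthop>\d+(?:\.\d+){3})\s+(?P<iface>\S+)$")


def parse_routing_table(text):
    """Return route dicts; header and summary lines do not match and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(m.groupdict())
    return routes


def rri_route_state(text, dest="10.5.5.0/24", nexthop="1.1.1.2"):
    """'up' if a Static route to dest via the tunnel peer exists, else 'down'."""
    for r in parse_routing_table(text):
        if r["dest"] == dest and r["proto"] == "Static" and r["nexthop"] == nexthop:
            return "up"
    return "down"
```

Feed the function the live output of display ip routing-table from Firewall A; a result of "down" while traffic between the two subnets is flowing indicates the IPsec SAs were not established.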
IPsec stateful failover configuration example
Network requirements
As shown in Figure 131, a network has two gateways, Firewall A and Firewall B, at the headquarters.
Configure an IPsec tunnel between the headquarters and the branch to ensure secure communication.
Configure IPsec stateful failover on the firewalls for high availability of the IPsec tunnel: