R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

[FirewallA] ipsec policy map1 10 isakmp
# Reference IPsec proposal tran1.
[FirewallA-ipsec-policy-isakmp-map1-10] proposal tran1
# Reference ACL 3101.
[FirewallA-ipsec-policy-isakmp-map1-10] security acl 3101
# Reference IKE peer branch.
[FirewallA-ipsec-policy-isakmp-map1-10] ike-peer branch
[FirewallA-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy group map1 to interface GigabitEthernet 0/2.
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] ipsec policy map1
[FirewallA-GigabitEthernet0/2] quit
# Enable IPsec stateful failover.
[FirewallA] ipsec synchronization enable
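The following is an added example, not part of the HP guide: a small Python check that reads a saved CLI transcript of the steps above and reports whether each IPsec policy references a proposal, an ACL, and an IKE peer, is applied to an interface, and whether IPsec stateful failover is enabled. The helper name audit and the transcript format (prompt followed by command, as printed in this guide) are assumptions.

```python
import re

# Constructed sample: the Firewall A commands from this section as a transcript.
SAMPLE = """\
[FirewallA] ipsec policy map1 10 isakmp
[FirewallA-ipsec-policy-isakmp-map1-10] proposal tran1
[FirewallA-ipsec-policy-isakmp-map1-10] security acl 3101
[FirewallA-ipsec-policy-isakmp-map1-10] ike-peer branch
[FirewallA-ipsec-policy-isakmp-map1-10] quit
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] ipsec policy map1
[FirewallA-GigabitEthernet0/2] quit
[FirewallA] ipsec synchronization enable
"""
PROMPT = re.compile(r"^[\[<][^\]>]+[\]>]\s*(.*)$")  # "[view] cmd" or "<view> cmd"
REQUIRED = ("proposal", "security acl", "ike-peer")  # references made in the example

def audit(transcript):
    """Hypothetical helper: return findings; an empty list means all checks pass."""
    policies, applied, sync, ctx = {}, set(), False, None
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        w = m.group(1).split() if m else []
        if not w:
            continue                      # "# ..." comment lines and blanks
        if w == ["quit"]:
            ctx = None                    # back to system view
        elif w[0] == "interface":
            ctx = ("if", " ".join(w[1:]))
        elif w[:2] == ["ipsec", "policy"] and ctx and ctx[0] == "if" and len(w) == 3:
            applied.add(w[2])             # policy group bound to an interface
        elif w[:2] == ["ipsec", "policy"] and len(w) >= 4:
            ctx = ("pol", w[2], w[3])     # entering policy view: name, sequence
            policies[ctx[1:]] = set()
        elif w == ["ipsec", "synchronization", "enable"]:
            sync = True
        elif ctx and ctx[0] == "pol":
            policies[ctx[1:]].add(" ".join(w[:2]) if w[0] == "security" else w[0])
    findings = []
    for (name, seq), refs in policies.items():
        findings += [f"policy {name} {seq}: missing {r}" for r in REQUIRED if r not in refs]
        if name not in applied:
            findings.append(f"policy {name} {seq}: not applied to any interface")
    if not sync:
        findings.append("ipsec synchronization enable not found")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "all checks passed")
```

Running the same check against the transcript of each firewall in the pair helps catch a policy that was defined on one device but never bound to its interface.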
Configuring Firewall B
Assign IPv4 addresses to the interfaces. Make sure that Firewall A, Firewall B, and Router have IP
connectivity between them.
1. Configure stateful failover:
Log in to the web interface of Firewall B and configure stateful failover. The required configuration
is the same as the configuration on Firewall A, except that you must leave the Main Device for
Configuration Synchronization and Auto Synchronization options cleared on the Stateful Failover
Configuration page. See Figure 132 and Figure 133.
2. Configure VRRP:
# Create VRRP group 1 and assign a virtual IP address to the group.
<FirewallB> system-view
[FirewallB] interface gigabitethernet 0/1
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 virtual-ip 10.1.1.1
# Set the priority of Firewall B in VRRP group 1 to 110.
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 priority 110
# Configure Firewall B to work in preemption mode in VRRP group 1 and set the preemption delay
to 0 seconds. The default setting is the same. This step is optional.
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 preempt-mode timer delay 0
[FirewallB-GigabitEthernet0/1] quit
# Create VRRP group 2 and assign a virtual IP address to the group.
[FirewallB] interface gigabitethernet 0/2
[FirewallB-GigabitEthernet0/2] vrrp vrid 2 virtual-ip 192.168.0.1
# Set the priority of Firewall B in VRRP group 2 to 110.
[FirewallB-GigabitEthernet0/2] vrrp vrid 2 priority 110
# Configure Firewall B to work in preemption mode in VRRP group 2 and set the preemption delay
to 0 seconds. The default setting is the same. This step is optional.
[FirewallB-GigabitEthernet0/2] vrrp vrid 2 preempt-mode timer delay 0
[FirewallB-GigabitEthernet0/2] quit
3. Configure IPsec and enable IPsec stateful failover: