R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
214
[Router-acl-adv-3101] rule permit ip source 10.2.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[Router-acl-adv-3101] quit
# Configure a static route to Host A.
[Router] ip route-static 10.1.1.0 255.255.255.0 192.168.0.1
# Create IPsec proposal tran1.
[Router] ipsec proposal tran1
# Configure the proposal to use the tunnel encapsulation mode.
[Router-ipsec-proposal-tran1] encapsulation-mode tunnel
# Configure the proposal to use the ESP security protocol.
[Router-ipsec-proposal-tran1] transform esp
# Configure ESP to use the DES encryption algorithm and the SHA1 authentication algorithm.
[Router-ipsec-proposal-tran1] esp encryption-algorithm des
[Router-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Router-ipsec-proposal-tran1] quit
# Create and configure IKE peer center.
[Router] ike peer center
[Router-ike-peer-center] pre-shared-key abcde
[Router-ike-peer-center] remote-address 192.168.0.1
# Enable IPsec anti-replay.
[Router] ipsec anti-replay check
# Create an IPsec policy that uses IKE, naming it map1 and setting its sequence number to 10.
[Router] ipsec policy map1 10 isakmp
# Reference IPsec proposal tran1.
[Router-ipsec-policy-isakmp-map1-10] proposal tran1
# Reference ACL 3101.
[Router-ipsec-policy-isakmp-map1-10] security acl 3101
# Reference IKE peer center.
[Router-ipsec-policy-isakmp-map1-10] ike-peer center
[Router-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy group map1 to interface Ethernet 1/1.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ipsec policy map1
[Router-Ethernet1/1] quit
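As an added example (not part of this guide and not an H3C/HP tool), the following Python script parses the ACL, proposal and policy lines configured above and performs two checks a reviewer would want before trusting the tunnel: that the peer's ACL 3101 is the mirror image of the local one (otherwise the two ends select different traffic), and that the proposal's ESP cipher is not a legacy algorithm such as the DES used in tran1. The peer-side configuration text is an assumption constructed for the example.

```python
import re

# Constructed sample (not the guide's text verbatim): the Router-side ACL, proposal
# and policy from this section, plus the mirror-image ACL assumed on the peer (Firewall A).
ROUTER_CFG = """\
acl number 3101
 rule permit ip source 10.2.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec proposal tran1
 esp encryption-algorithm des
ipsec policy map1 10 isakmp
 proposal tran1
 security acl 3101
"""
PEER_CFG = """\
acl number 3101
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
"""
WEAK_ENCRYPTION = {"des", "3des"}  # legacy ciphers a config review should flag

def parse(cfg):
    """Return (acls, proposals, policies) parsed from H3C-style IPsec config text."""
    acls, proposals, policies, ctx = {}, {}, {}, ("", "")
    for line in cfg.splitlines():
        w = line.split()
        if w[:2] == ["acl", "number"]:
            ctx = ("acl", w[2]); acls.setdefault(w[2], [])
        elif w[:2] == ["ipsec", "proposal"]:
            ctx = ("prop", w[2]); proposals.setdefault(w[2], {})
        elif w[:2] == ["ipsec", "policy"]:
            ctx = ("policy", f"{w[2]} {w[3]}"); policies.setdefault(ctx[1], {})
        elif ctx[0] == "acl" and w[:1] == ["rule"]:
            m = re.search(r"source (\S+ \S+) destination (\S+ \S+)", line)
            acls[ctx[1]].append((m[1], m[2]))  # (source, destination) as "addr wildcard"
        elif ctx[0] == "prop" and w[:2] == ["esp", "encryption-algorithm"]:
            proposals[ctx[1]]["enc"] = w[2]
        elif ctx[0] == "policy" and w[:1] and w[0] in ("proposal", "security"):
            policies[ctx[1]][w[0]] = w[-1]  # referenced proposal name / ACL number
    return acls, proposals, policies

def acls_mirror(local_rules, remote_rules):
    """True when every local (src, dst) pair appears as (dst, src) on the peer."""
    return sorted(local_rules) == sorted((d, s) for s, d in remote_rules)

def review(local_cfg, remote_cfg):
    """Per IPsec policy: is its ACL mirrored on the peer, and is its cipher weak?"""
    acls, proposals, policies = parse(local_cfg)
    remote_acls = parse(remote_cfg)[0]
    return {n: {"acl_mirrored": acls_mirror(acls.get(p.get("security"), []),
                                             remote_acls.get(p.get("security"), [])),
                "weak_cipher": proposals.get(p.get("proposal"), {}).get("enc") in WEAK_ENCRYPTION}
            for n, p in policies.items()}
```

For the sample above, review(ROUTER_CFG, PEER_CFG) reports the ACL as mirrored and the cipher as weak; on a real device the same text is available from display current-configuration.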
Verifying the configuration
After the configuration, traffic between Host A (10.1.1.2) and Host B (10.2.2.2) should be able to trigger
IKE negotiation. After IPsec SAs are established, traffic between Host A and Host B should be transferred
through the IPsec tunnel, and Firewall A should synchronize its IKE SA and IPsec SAs to Firewall B.
# Display the active IPsec SAs on Firewall A.
<FirewallA> display ipsec sa active
===============================
Interface: GE0/2
path MTU: 1500