R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
Item Description
Tunnel Source IP/Interface
Specify the source IP address for the tunnel interface.
You can input an IP address or select an interface. In the latter case, the primary IP
address of the interface will be used as the tunnel source address.
IMPORTANT:
• You must configure a source address on a P2MP GRE tunnel interface. Two or
more P2MP GRE tunnel interfaces cannot share the same source address.
• On each branch node, you need to configure the destination address of the GRE
over IPv4 tunnel interface as the source address of the P2MP GRE tunnel
interface.
Branch Network Mask
Configure the mask of the private network addresses of the branch to be used in
tunnel entries.
After you configure a mask, the firewall at the headquarters will establish only one
tunnel entry for all private IP addresses that belong to the same network segment.
This is to reduce the number of tunnel entries on the firewall. On a branch network,
you can simulate a traffic flow destined for the headquarters to trigger the firewall
at the headquarters to create a tunnel entry for the entire branch network.
IMPORTANT:
• By default, the mask of branch network addresses is 255.255.255.255.
• Modifying the mask will delete all tunnel entries created on the firewall.
• Before configuring a mask, make sure that all the branch networks of the
enterprise have the same mask length. For a branch device with a different mask
length, you can configure NAT to make the mask length consistent.
Aging Time
Configure the aging time for P2MP GRE tunnel entries.
The creation of a tunnel entry for a branch network is triggered by the traffic from
the branch network. If the firewall at the headquarters does not receive traffic from
the branch network within the aging time, the firewall will age out the tunnel entry.
Enable Interface Backup / Backup Interface
Select whether to enable the interface backup function, and if yes, specify the
backup tunnel interface.
IMPORTANT:
• The backup tunnel interface to be specified must be a GRE over IPv4 tunnel
interface.
• The backup tunnel interface to be specified must already exist.
GRE Packet Checksum
Enable or disable the GRE packet checksum function. With this function enabled,
the tunnel interface verifies the validity of packets and discards invalid ones.
You can enable or disable the checksum function at both ends of the tunnel as
needed. If checksum is enabled at the local end but not at the remote end, the local
end calculates the checksum of a packet to be sent but does not check the checksum
of a received packet. In contrast, if the checksum function is enabled at the remote
end but not at the local end, the local end checks the checksum of a received packet
but does not calculate the checksum of a packet to be sent.
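The per-end behaviour described above follows from how the GRE header carries the checksum. The following is an added example (not taken from this guide or from the firewall's own code), assuming the RFC 2784 header layout; the function names are hypothetical and the payload is a constructed sample:

```python
import struct

GRE_C_BIT = 0x8000      # "Checksum Present" flag, RFC 2784 (assumed header layout)
PROTO_IPV4 = 0x0800     # EtherType of the encapsulated payload

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: catches corruption, but is not a keyed
    integrity check and does not authenticate the sender."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def gre_encap(payload: bytes, checksum_enabled: bool) -> bytes:
    """Sender: the checksum is calculated only if the function is enabled locally."""
    if not checksum_enabled:
        return struct.pack("!HH", 0, PROTO_IPV4) + payload
    zeroed = struct.pack("!HHHH", GRE_C_BIT, PROTO_IPV4, 0, 0) + payload
    csum = inet_checksum(zeroed)
    return struct.pack("!HHHH", GRE_C_BIT, PROTO_IPV4, csum, 0) + payload

def gre_decap(packet: bytes):
    """Receiver: verify only when the sender set the C bit; None means discard."""
    if len(packet) < 4:
        return None
    flags, _proto = struct.unpack("!HH", packet[:4])
    if not flags & GRE_C_BIT:
        return packet[4:]                 # nothing to check, accepted as-is
    if len(packet) < 8 or inet_checksum(packet) != 0:
        return None                       # truncated or corrupted: discard
    return packet[8:]

def flip_last_bit(packet: bytes) -> bytes:
    """Simulate in-transit corruption of the final payload byte."""
    return packet[:-1] + bytes([packet[-1] ^ 0x01])

if __name__ == "__main__":
    inner = b"constructed inner IPv4 packet"   # constructed sample, not a real capture
    for enabled in (True, False):
        pkt = gre_encap(inner, enabled)
        print(enabled, gre_decap(pkt) == inner, gre_decap(flip_last_bit(pkt)))
```

With the checksum enabled on the sending end, the corrupted packet is discarded; with it disabled, the receiver accepts the corrupted payload because there is nothing to verify.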
Displaying information about established P2MP GRE tunnels
Select VPN > GRE > P2MP from the navigation tree and then click the Tunnel List tab to view the P2MP
GRE tunnel list, as shown in Figure 23.