R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

| Step | Command | Remarks |
|---|---|---|
| 5. Specify the source address or interface of the tunnel interface. | source { ip-address \| interface-type interface-number } | The source IP address is the IP address of the physical interface that sends the DVPN packets. A tunnel interface has no source address or interface configured by default. |
| 6. Bind a VAM client to the tunnel interface. | vam client client-name | A DVPN tunnel interface must be bound to a VAM client; otherwise the tunnel interface cannot come up. The client to be bound must exist and must not be bound to any other tunnel interface. No VAM client is bound to a DVPN tunnel interface by default. |
| 7. Set the DVPN keepalive interval and transmission attempt limit. | keepalive [ seconds [ times ] ] | Optional. The defaults are as follows: 180 seconds for the DVPN keepalive interval, 3 times for the transmission attempt limit. |
| 8. Set the idle timeout for the spoke-spoke tunnel. | dvpn session idle-time time-interval | Optional. 600 seconds by default. |
| 9. Set the DVPN tunneling quiet period. | dvpn session dumb-time time-interval | Optional. 120 seconds by default. |
| 10. Specify the network type of the OSPF interface. | ospf network-type { broadcast \| p2mp } | Required when OSPF is used. Not specified by default. A DVPN tunnel can use only two types of OSPF interfaces: broadcast and point-to-multipoint (P2MP). |
| 11. Set the DR priority of the OSPF interface. | ospf dr-priority priority | Optional for a hub but required for a spoke, when OSPF is used. By default, the interface DR priority is 1. The DR priority of a hub should be higher than that of a spoke. HP recommends setting the DR priority of a spoke to 0 to keep the spoke from participating in DR/BDR election. |
| 12. Bind an IPsec profile to the DVPN tunnel interface. | ipsec profile ipsec-profile-name | Optional. By default, no IPsec profile is bound to a DVPN tunnel interface. The IPsec profile to be bound must already exist. |
| 13. Associate the tunnel interface with a VPN instance. | ip binding vpn-instance vpn-instance-name | Optional. By default, a tunnel interface is associated with no VPN instance. To isolate individual VPN domains, you need to configure multiple VPN instances to distinguish routes of private networks. |
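
The following is an added example, not part of the HP guide: a small Python check that reads a saved configuration and reports tunnel interfaces that violate the constraints in the steps above (source, VAM client binding, OSPF network type, spoke DR priority, IPsec profile). The sample configuration, its names and addresses, the `audit` function, and the assumption that sections start with `interface TunnelN` and end at a `#` line are all constructed for illustration.

```python
import re

# Constructed sample in the style of a saved configuration. Assumption:
# sections start with "interface TunnelN" and end at a line holding "#".
SAMPLE = """\
#
interface Tunnel1
 source 192.0.2.1
 vam client hubA
 ospf network-type broadcast
 ipsec profile dvpn-prof
#
interface Tunnel2
 vam client hubA
 ospf network-type p2p
 ospf dr-priority 1
#
"""

def audit(config, spokes=()):
    """Return sorted (tunnel, finding) pairs; spokes names the spoke-side tunnels."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)\s*$", line)
        if m:
            current = tunnels.setdefault(m.group(1), [])
        elif line.strip() == "#" or line.startswith("interface "):
            current = None          # left the tunnel section
        elif current is not None:
            current.append(line.strip())
    findings, bound = [], {}        # bound: VAM client -> first tunnel using it
    for name, cmds in tunnels.items():
        def arg(prefix):            # argument of the first matching command
            return next((c[len(prefix):].strip() for c in cmds
                         if c.startswith(prefix + " ")), None)
        if arg("source") is None:
            findings.append((name, "no source address or interface"))
        client = arg("vam client")
        if client is None:
            findings.append((name, "no VAM client bound: tunnel cannot come up"))
        elif bound.setdefault(client, name) != name:
            findings.append((name, f"VAM client {client} already bound to {bound[client]}"))
        net = arg("ospf network-type")
        if net is not None and net not in ("broadcast", "p2mp"):
            findings.append((name, f"OSPF network type {net} not usable on DVPN"))
        if net is not None and name in spokes and arg("ospf dr-priority") != "0":
            findings.append((name, "spoke DR priority is not the recommended 0"))
        if arg("ipsec profile") is None:
            findings.append((name, "no IPsec profile bound"))
    return sorted(findings)
```

Calling `audit(SAMPLE, spokes=("Tunnel2",))` reports five findings, all on Tunnel2, including the VAM client that is already bound to Tunnel1.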