R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
| Step | Command | Remarks |
|---|---|---|
| 14. Specify the VPN to which the tunnel destination address belongs. | tunnel vpn-instance vpn-instance-name | Optional. By default, a tunnel’s destination address belongs to the public network. The device searches the public routing table to forward tunneled packets. If you use this command to specify the VPN to which the tunnel destination address belongs, the device searches the routing table of the specified VPN instance to forward tunneled packets. You can use the ip binding vpn-instance command on the tunnel’s source interface to specify the VPN to which the tunnel source address belongs. The tunnel source address and the tunnel destination address must belong to the same VPN or both belong to the public network. |
NOTE:
• If you configure the source address of a tunnel interface by specifying the source interface, the tunnel takes the primary IP address of the source interface as its source address.
• To configure multiple DVPN tunnels that use GRE encapsulation, you must configure unique source addresses and source interfaces for these tunnels.
• Tunnel interfaces of the same VPN domain must be configured with private addresses in the same segment.
• Tunnel interfaces of the same VPN domain must be configured with the same DVPN keepalive interval and transmission attempt limit.
• A DVPN tunnel interface can reference only one IPsec profile. To change the IPsec profile referenced by a DVPN tunnel interface, you need to cancel the reference of the current IPsec profile and then apply a new IPsec profile to the tunnel interface.
• For more information about commands interface tunnel, tunnel-protocol, source, and ipsec profile, see VPN Command Reference.
• For more information about the ospf network-type and ospf dr-priority commands, see Network Management Command Reference.
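The consistency rules in step 14 and the NOTE above (matching source/destination VPN, unique GRE sources per device, one address segment and one keepalive setting per VPN domain) can be checked over a tunnel inventory before deployment. The following Python audit is an added example, not part of the HP guide; the inventory layout, field names, and sample values are constructed and hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory; the field names are hypothetical, not device output.
# src_vpn/dst_vpn = None means the address belongs to the public network.
# keepalive = (interval in seconds, transmission attempt limit).
TUNNELS = [
    dict(device="hub", name="Tunnel1", domain="abc", encap="gre",
         ip="192.168.0.1/24", source="GigabitEthernet0/1",
         src_vpn=None, dst_vpn=None, keepalive=(180, 3)),
    dict(device="spoke1", name="Tunnel1", domain="abc", encap="gre",
         ip="192.168.0.2/24", source="GigabitEthernet0/1",
         src_vpn="vpn1", dst_vpn=None, keepalive=(180, 3)),
    dict(device="spoke2", name="Tunnel1", domain="abc", encap="gre",
         ip="192.168.1.3/24", source="GigabitEthernet0/1",
         src_vpn=None, dst_vpn=None, keepalive=(60, 3)),
    dict(device="spoke2", name="Tunnel2", domain="xyz", encap="gre",
         ip="10.9.0.3/24", source="GigabitEthernet0/1",
         src_vpn=None, dst_vpn=None, keepalive=(180, 3)),
]

def audit(tunnels):
    """Return (scope, rule) findings for the DVPN tunnel consistency rules."""
    findings = []
    by_domain, gre_sources = defaultdict(list), defaultdict(list)
    for t in tunnels:
        by_domain[t["domain"]].append(t)
        if t["encap"] == "gre":
            gre_sources[(t["device"], t["source"])].append(t["name"])
        # Source and destination must share a VPN or both be public.
        if t["src_vpn"] != t["dst_vpn"]:
            findings.append((f'{t["device"]}:{t["name"]}', "vpn-mismatch"))
    # Multiple GRE DVPN tunnels on one device need unique sources.
    for (device, source), names in gre_sources.items():
        if len(names) > 1:
            findings.append((f"{device}:{source}", "duplicate-gre-source"))
    for domain, members in by_domain.items():
        # All tunnel interfaces of a VPN domain share one address segment.
        if len({ipaddress.ip_interface(t["ip"]).network for t in members}) > 1:
            findings.append((domain, "segment-mismatch"))
        # ...and one keepalive interval / transmission attempt limit.
        if len({t["keepalive"] for t in members}) > 1:
            findings.append((domain, "keepalive-mismatch"))
    return findings

if __name__ == "__main__":
    for scope, rule in audit(TUNNELS):
        print(f"{scope}: {rule}")
```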
Configuring routing
To establish private networks across the public network by using DVPN, you must perform routing
configuration for devices in the private networks. In private networks of this type, route-related operations,
such as neighbor discovery, route updating, and routing table establishment, are done over DVPN tunnels.
Routing information is exchanged between hubs or between hubs and spokes; it is not exchanged
between spokes.
The routing protocol can be OSPF or BGP in a DVPN network.
• When the routing protocol is OSPF, set the network type of an OSPF interface to broadcast in a full
mesh network and P2MP in a hub-spoke network.