3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide
CHAPTER 11: IKE CONFIGURATION
Configuring IP addresses of the local security GW and remote device
If the initiator uses its IP address in IKE negotiation (that is, id-type ip is used), it
sends its IP address to the peer as its identity, whereas the peer uses the address
configured using the remote-address ip-address command to authenticate the
initiator. To pass authentication, this address must be the same one configured
using the local-address command on the initiator.
Perform the following configuration in IKE-peer view.
Generally speaking, you do not need to configure the local-address command
unless you want to specify a special address for the local GW (such as the address
of a loopback interface).
Configuring NAT traversal
The NAT traversal function must be configured whenever there is a NAT device on
the path of a VPN tunnel constructed using IPsec/IKE.
Perform the following configuration in IKE-peer view.
To save IP address space, ISPs often add NAT gateways to public networks so that
they can allocate private IP addresses to users. As a result, an IPsec/IKE tunnel
may have a public network address at one end and a private network address at the
other. You must therefore enable NAT traversal at both ends of the tunnel to ensure
that the tunnel can be negotiated and established normally.
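
The two rules above (under id-type ip the responder's remote-address must equal the address the initiator presents, and nat-traversal must be enabled at both ends) can be checked offline against saved IKE-peer view command lines. The Python below is an added example, not 3Com code; the function names, the initiator_egress_ip parameter and the sample configurations are assumptions constructed for illustration.

```python
import ipaddress

def parse_peer(text):
    """Parse IKE-peer view command lines (commands named on this page)."""
    cfg = {"id-type": None, "local-address": None,
           "remote-address": None, "nat-traversal": False}
    for raw in text.splitlines():
        words = raw.split()
        undo = bool(words) and words[0] == "undo"
        if undo:
            words = words[1:]          # "undo <command>" removes the setting
        if not words or words[0] not in cfg:
            continue
        key = words[0]
        if key == "nat-traversal":
            cfg[key] = not undo
        elif undo:
            cfg[key] = None
        elif len(words) > 1:
            cfg[key] = (words[1] if key == "id-type"
                        else ipaddress.ip_address(words[1]))
    return cfg

def audit_pair(initiator, responder, initiator_egress_ip=None):
    """Return findings for one initiator/responder pair of IKE peers."""
    findings = []
    if initiator["id-type"] == "ip":
        # Identity sent is local-address if set; otherwise the caller must
        # supply the address the gateway actually uses (assumed parameter).
        identity = initiator["local-address"] or (
            ipaddress.ip_address(initiator_egress_ip)
            if initiator_egress_ip else None)
        expected = responder["remote-address"]
        if expected is None:
            findings.append("responder has no remote-address to compare")
        elif identity is None:
            findings.append("initiator address unknown; pass initiator_egress_ip")
        elif identity != expected:
            findings.append(f"remote-address {expected} != initiator identity {identity}")
    if initiator["nat-traversal"] != responder["nat-traversal"]:
        findings.append("nat-traversal enabled at only one end")
    return findings

# Constructed sample configurations (RFC 5737 documentation addresses).
GW_A = "id-type ip\nlocal-address 192.0.2.10\nremote-address 198.51.100.20\nnat-traversal"
GW_B_OK = "id-type ip\nremote-address 192.0.2.10\nnat-traversal"
GW_B_BAD = "id-type ip\nremote-address 192.0.2.1\nnat-traversal\nundo nat-traversal"

if __name__ == "__main__":
    for name, cfg in (("ok", GW_B_OK), ("bad", GW_B_BAD)):
        print(name, audit_pair(parse_peer(GW_A), parse_peer(cfg)))
```
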
Configuring subnet type of the IKE peer
You can use these two commands only when your security gateway is
interoperable with a Netscreen device.
Perform the following configuration in IKE-peer view:
Table 177 Specify name of the remote device

Operation                                          Command
Remove the name of the remote device               undo remote-name

Table 178 Configure IP address of the local security GW and remote device

Operation                                          Command
Configure IP address of the local security GW      local-address ip-address
Delete IP address of the local security GW         undo local-address
Configure IP address of the remote device          remote-address ip-address
Delete the IP address of the remote device         undo remote-address

Table 179 Configure the NAT traversal function of IPsec/IKE

Operation                                          Command
Enable the NAT traversal function of IPsec/IKE     nat-traversal
Disable the NAT traversal function of IPsec/IKE    undo nat-traversal