3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

182 CHAPTER 11: IKE CONFIGURATION
# Apply the pre-shared key authentication mode.
[3Com-ike-proposal-10] authentication-method pre-share
# Set the lifetime duration of ISAKMP SA to 5000 seconds.
[3Com-ike-proposal-10] sa duration 5000
2 Make the following configurations on security GW B:
# Configure an IKE peer.
[SW8800] ike peer peer
[3Com-ike-peer-peer] pre-shared-key abcde
[3Com-ike-peer-peer] remote address 202.38.160.1
The configurations above ensure proper IKE negotiation between GWs A and B.
GW A is configured with proposal 10 and authentication-algorithm md5, whereas
GW B is configured with only a default IKE proposal and authentication-algorithm
sha, so GW B has no proposal matching the IKE proposal 10 configured on GW A.
For this reason, when the system matches proposals, starting from the one with
the highest priority, it finds only one match: the default IKE proposal, which
both parties have. In addition, the duration is not compared in the proposal
matching process, because the lifetime is decided by the initiator of the IKE
negotiation.
For more information about IPsec configurations, see "Typical IPsec Configuration
Examples" in Chapter 5.
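The proposal matching described above, as an added Python sketch (not code from the 3Com guide or the switch software). Assumptions: a smaller proposal number means a higher priority with the default proposal last, matching compares authentication algorithm, authentication method, encryption algorithm and DH group, and the encryption, DH group and default lifetime values are constructed.

```python
# Added illustration; models IKE proposal matching between GW A and GW B.
from dataclasses import dataclass
from typing import Optional

DEFAULT = 10**6  # assumed: the default proposal has the lowest priority


@dataclass(frozen=True)
class Proposal:
    number: int          # assumed: smaller number = higher priority
    auth_algorithm: str  # authentication-algorithm (md5 / sha)
    auth_method: str     # authentication-method (pre-share)
    encryption: str      # constructed value, same on both GWs
    dh_group: str        # constructed value, same on both GWs
    duration: int        # ISAKMP SA lifetime in seconds

    def key(self):
        # Attributes compared during matching (assumed set); duration is excluded.
        return (self.auth_algorithm, self.auth_method, self.encryption, self.dh_group)


def negotiate(initiator, responder) -> Optional[dict]:
    """Return the first initiator proposal, by priority, that the responder also has."""
    responder_keys = {p.key() for p in responder}
    for p in sorted(initiator, key=lambda p: p.number):
        if p.key() in responder_keys:
            # The lifetime comes from the initiator, whatever the responder configured.
            return {"proposal": p.number, "auth_algorithm": p.auth_algorithm,
                    "duration": p.duration}
    return None  # no common proposal: negotiation fails


def default_proposal(duration=86400):
    return Proposal(DEFAULT, "sha", "pre-share", "des-cbc", "group1", duration)


# GW A: proposal 10 from the page (md5, pre-share, 5000 s) plus the default proposal.
GW_A = [Proposal(10, "md5", "pre-share", "des-cbc", "group1", 5000), default_proposal()]
# GW B: default proposal only.
GW_B = [default_proposal()]

if __name__ == "__main__":
    print("A initiates:", negotiate(GW_A, GW_B))
    print("B initiates:", negotiate(GW_B, GW_A))
    # A responder whose default lifetime differs still matches (duration ignored).
    print("B lifetime differs:", negotiate(GW_A, [default_proposal(duration=3600)]))
```

Both directions settle on the default proposal with sha, so the md5 and 5000-second settings in proposal 10 are never used in this pairing.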
Typical IKE Aggressive Mode and NAT Traversal Configuration Example
Networking requirement
The Ethernet0/0/0 interface of 3Com A has a fixed IP address in the public
network, and 3Com B obtains its IP address dynamically.
Because 3Com B can access the public network only through the NAT devices of
the service provider, the company branch must use IKE aggressive mode and the
NAT traversal function to set up the IPsec connection.
To ensure information security, IPsec/IKE is adopted to create a security tunnel.
Networking diagram
Figure 41 Networking for the application of IKE aggressive mode and NAT traversal
Configuration procedure
1 Configure 3Com A:
# Set a name for the local security GW.
[3ComA] ike local-name 3ComA
[Figure 41 diagram labels: GW A (Headquarters, E0/0/0); Internet; GW B (Branch, E0/0/0)]