HP VPN Firewall Appliances VPN Configuration Guide
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 89389742 (0x553faae)
transform-set: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3590
max sequence-number sent: 5
udp encapsulation used for nat traversal: N
Configuring aggressive mode IKE with NAT traversal
Network requirements
As shown in Figure 93, the branch and the headquarters connect to an ATM network through a router
and a firewall. The router connects to the public network through an ADSL line and acts as the PPPoE
client. The interface connecting to the public network uses a private address dynamically assigned by the
ISP. The firewall uses a fixed public IP address for the interface connected to the public network.
Configure IPsec tunnels between the router and the firewall to protect traffic between the branch and its
headquarters. Use IKE to establish the IPsec tunnels.
Figure 93 Network diagram
Configuration guidelines
The IKE negotiation mode must be aggressive because the router uses a dynamic IP address.
You must configure NAT traversal at both ends of the IPsec tunnel because one end of the tunnel uses a
public IP address but the other end uses a private IP address.
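A small check over the "display ipsec sa" output shown above, added here as an example rather than taken from the guide: it parses the key/value lines into a dictionary and applies the guideline that a peer behind NAT must use NAT traversal. The peer_behind_nat flag, the 10% lifetime threshold and the weak-cipher list are assumptions of this example.

```python
# Constructed sample: the tail of the "display ipsec sa" output shown above.
SAMPLE_OUTPUT = """\
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 89389742 (0x553faae)
transform-set: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3590
max sequence-number sent: 5
udp encapsulation used for nat traversal: N
"""

# Assumed local policy, not from the guide: DES is a 56-bit cipher, so flag it.
WEAK_TRANSFORMS = {"ESP-ENCRYPT-DES"}

def parse_sa_output(text):
    """Turn 'key: value' lines into a dict; a '[section]' line opens a nested dict."""
    parsed, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section = parsed.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition(":")
        (parsed if section is None else section)[key.strip()] = value.strip()
    return parsed

def check_sa(parsed, peer_behind_nat):
    """List findings; peer_behind_nat mirrors the guideline that a NAT-ed peer needs NAT traversal."""
    findings, sa = [], parsed.get("outbound ESP SAs", {})
    if parsed.get("anti-replay check enable") != "Y":
        findings.append("anti-replay check is disabled")
    if peer_behind_nat and sa.get("udp encapsulation used for nat traversal") != "Y":
        findings.append("peer is behind NAT but UDP encapsulation is not in use")
    weak = WEAK_TRANSFORMS & set(sa.get("transform-set", "").split())
    if weak:
        findings.append("weak transform in use: " + ", ".join(sorted(weak)))
    total_kb, total_sec = map(int, sa["sa duration (kilobytes/sec)"].split("/"))
    left_kb, left_sec = map(int, sa["sa remaining duration (kilobytes/sec)"].split("/"))
    if left_kb * 10 < total_kb or left_sec * 10 < total_sec:
        findings.append("SA has under 10% of its lifetime left; a rekey is due")
    return findings

if __name__ == "__main__":
    for finding in check_sa(parse_sa_output(SAMPLE_OUTPUT), peer_behind_nat=True):
        print(finding)
```

On the sample above the check reports the missing UDP encapsulation and the DES transform; the lifetime counters are still near their configured maximum, so no rekey warning is raised.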
Configuration procedure
1. Configure the firewall:
# Specify a name for the local security gateway.
<Firewall> system-view
[Firewall] ike local-name firewall
# Configure an ACL.
[Firewall] acl number 3101
[Firewall-acl-adv-3101] rule 0 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[Firewall-acl-adv-3101] quit
# Configure an IKE proposal.