HP VPN Firewall Appliances VPN Configuration Guide
4. Apply an IPsec profile to the IPsec tunnel interface.
After the link layer of the IPsec tunnel interface comes up, packets routed to the tunnel interface will be
protected by IPsec. To make sure the link layer of the IPsec tunnel interface comes up, make sure the
following requirements are met:
• The source address of the tunnel interface is the IP address of the local physical interface that
connects to the remote.
• The IPsec tunnel interfaces of the IPsec tunnel are configured with proper IPsec profiles.
• The expected IKE SA and IPsec SAs are established between the local security gateway and the
peer gateway. Use the display ike sa command to view the status of the IKE SA and the IPsec SAs.
To configure an IPsec tunnel interface:
1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a tunnel interface and enter its view.
   Command: interface tunnel number
   Remarks: By default, no tunnel interface exists on the device.

3. Assign a private IPv4 address to the tunnel interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: Configure one type of address. By default, no private IP address is assigned to a
   tunnel interface.

4. Set the tunnel mode of the tunnel interface to IPsec over IPv4.
   Command: tunnel-protocol ipsec ipv4
   Remarks: By default, the encapsulation mode is GRE.

5. Specify the source address or interface of the tunnel interface.
   Command: source { ip-address | interface-type interface-number }
   Remarks: By default, no source address or interface is specified for a tunnel interface.
   If you specify an interface, the tunnel interface will take the primary IP address of the
   source interface.

6. Specify the destination address of the tunnel interface.
   Command: destination ip-address
   Remarks: Optional for an IKE negotiation responder, and required for an IKE negotiation
   initiator. By default, no tunnel destination address is configured.

7. Apply an IPsec profile to the tunnel interface.
   Command: ipsec profile profile-name
   Remarks: The IPsec profile must have been created and must not have been applied to any
   DVPN tunnel interface.

For more information about the interface tunnel, tunnel-protocol, source, and destination commands,
see VPN Command Reference.
An IPsec profile cannot be applied to both an IPsec tunnel interface and a DVPN tunnel interface
simultaneously.
An IPsec tunnel interface can reference only one IPsec profile.
Apply an IPsec profile to only one IPsec tunnel interface. Although an IPsec profile can be applied to
multiple IPsec tunnel interfaces, it takes effect only on the IPsec tunnel interface that goes up first.
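
The procedure and the profile rules above can be checked offline against a saved configuration. The following audit script is an added example, not part of the HP guide: the function names are hypothetical, the addresses and profile name are constructed, and it assumes tunnel interfaces appear as "interface TunnelN" blocks with indented commands separated by "#" lines.

```python
import re
from collections import defaultdict

# Constructed sample configuration (assumed layout, not taken from the guide).
SAMPLE = """\
interface Tunnel1
 ip address 10.1.1.1 255.255.255.0
 tunnel-protocol ipsec ipv4
 source 192.0.2.1
 destination 198.51.100.1
 ipsec profile branch
#
interface Tunnel2
 ip address 10.1.2.1 255.255.255.0
 tunnel-protocol ipsec ipv4
 source 192.0.2.1
 ipsec profile branch
"""

REQUIRED = ("ip address", "source", "destination", "ipsec profile")

def parse_tunnels(config):
    """Map each tunnel interface name to its list of stripped commands."""
    tunnels, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (Tunnel\S+)", line, re.I)
        if header:
            current = tunnels.setdefault(header.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "#" separator or a non-tunnel block
    return tunnels

def audit(config, initiator=True):
    """Report missing steps on IPsec tunnels and profiles used more than once."""
    findings, users = [], defaultdict(list)
    for name, cmds in parse_tunnels(config).items():
        for cmd in cmds:
            if cmd.startswith("ipsec profile "):
                users[cmd.split()[2]].append(name)
        if "tunnel-protocol ipsec ipv4" not in cmds:
            continue  # not an IPsec tunnel interface (default mode is GRE)
        # destination is optional only for an IKE negotiation responder
        needed = [k for k in REQUIRED if initiator or k != "destination"]
        findings += [f"{name}: missing '{k}'" for k in needed
                     if not any(c.startswith(k + " ") for c in cmds)]
    # A profile on several tunnel interfaces takes effect only on the first to go up.
    findings += [f"profile '{p}' applied to {', '.join(n)}"
                 for p, n in users.items() if len(n) > 1]
    return findings
```

Call audit(config, initiator=False) for a gateway that only responds to IKE negotiation, so that a missing destination is not reported.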