HP VPN Firewall Appliances VPN Configuration Guide
[FirewallB-GigabitEthernet0/2] ip address 2.2.3.1 255.255.255.0
# Apply the IPsec policy group to the interface.
[FirewallB-GigabitEthernet0/2] ipsec policy use1
3. Verify the configuration:
After the configuration is complete, traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24
triggers IKE negotiation to set up SAs. If IKE negotiation succeeds and the SAs are set up,
the traffic between the two subnets is protected by IPsec.
IPsec with IPsec tunnel interfaces configuration example
Network requirements
As shown in Figure 129, the gateway of the branch accesses the Internet through a dial-up line and
obtains its IP address dynamically. The headquarters accesses the Internet by using a fixed IP address.
Configure an IPsec tunnel to protect the traffic between the branch and the headquarters. Make sure the
IPsec configuration of the headquarters' gateway remains relatively stable despite changes to the
branch's private IP address segment.
Figure 129 Network diagram
Configuration considerations
Configure an IPsec tunnel interface on each firewall, and configure a static route on each firewall that
routes the packets destined for the peer to the IPsec tunnel interface for IPsec protection.
Configuration procedure
1. Configure Firewall A:
# Name the local gateway firewalla.
<FirewallA> system-view
[FirewallA] ike local-name firewalla
# Configure an IKE peer named atob. As the local peer obtains the IP address automatically, set
the IKE negotiation mode to aggressive.
[FirewallA] ike peer atob
[FirewallA-ike-peer-atob] exchange-mode aggressive
[FirewallA-ike-peer-atob] pre-shared-key simple aabb
[FirewallA-ike-peer-atob] id-type name
[FirewallA-ike-peer-atob] remote-name firewallb
[FirewallA-ike-peer-atob] quit
(Figure 129 labels: Firewall A, Firewall B; Branch, Headquarters; Internet; GE0/2, GE0/2, 1.1.1.1/24; 172.17.17.0/24, 192.168.1.0/24; IPsec tunnel; Tunnel1 10.1.1.1/24, Tunnel1 10.1.1.2/24)
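The following Python check is an added example, not part of the HP guide. It reads a CLI transcript like the IKE peer configuration for Firewall A above and flags settings to review before deployment: a pre-shared key typed with the `simple` keyword (it sits in clear text in any saved transcript or script) and aggressive mode combined with a pre-shared key (IKEv1 aggressive mode sends identities unencrypted and a PSK-derived hash before the peer is authenticated, so a short key is open to offline guessing). The function name, finding labels, 20-character threshold and the FirewallC peer are assumptions of this example.

```python
import re

# Matches IKE peer view prompts such as "[FirewallA-ike-peer-atob] <command>".
PROMPT = re.compile(r"^\[(?P<host>[^\]]+?)-ike-peer-(?P<peer>[^\]]+)\]\s*(?P<cmd>.+)$")
MIN_PSK_LEN = 20  # assumed review threshold, not a value from the guide

# First six lines are from the guide; the FirewallC peer is constructed.
SAMPLE = """\
[FirewallA] ike peer atob
[FirewallA-ike-peer-atob] exchange-mode aggressive
[FirewallA-ike-peer-atob] pre-shared-key simple aabb
[FirewallA-ike-peer-atob] id-type name
[FirewallA-ike-peer-atob] remote-name firewallb
[FirewallA-ike-peer-atob] quit
[FirewallC-ike-peer-ctod] exchange-mode main
[FirewallC-ike-peer-ctod] pre-shared-key cipher CONSTRUCTED-CIPHERTEXT
"""


def audit_ike_peers(transcript):
    """Return {(host, peer): [finding, ...]} for each IKE peer view seen."""
    peers = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        settings = peers.setdefault((m["host"], m["peer"]), {})
        words = m["cmd"].split()
        if words[0] == "exchange-mode" and len(words) == 2:
            settings["mode"] = words[1]
        elif words[0] == "pre-shared-key" and len(words) == 3:
            # Form is "simple" (typed in clear text) or "cipher".
            settings["psk_form"], settings["psk"] = words[1], words[2]
    report = {}
    for ident, s in peers.items():
        findings = []
        if s.get("psk_form") == "simple":
            findings.append("psk-in-cleartext")
            if len(s["psk"]) < MIN_PSK_LEN:
                findings.append("psk-too-short")
        if "psk" in s and s.get("mode") == "aggressive":
            findings.append("aggressive-mode-with-psk")
        report[ident] = findings
    return report


if __name__ == "__main__":
    for (host, peer), findings in audit_ike_peers(SAMPLE).items():
        print(host, peer, findings or "no findings")
```

The length check is applied only to keys given in `simple` form, because the length of a `cipher` string says nothing about the underlying key.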