HP VPN Firewall Appliances VPN Configuration Guide

IPsec RRI configuration example
Network requirements
As shown in Figure 131, configure an IPsec tunnel between Firewall A and Firewall B to protect the traffic
between the headquarters and the branch. Configure the tunnel to use the security protocol ESP, the
encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96. Use IKE for automatic SA
negotiation.
Configure IPsec RRI on Firewall A to automatically create a static route to the branch based on the
established IPsec SAs. Specify the next hop of the route as 1.1.1.2.
Figure 131 Network diagram
Configuration procedure
1. Assign IPv4 addresses to the interfaces on the firewalls according to Figure 131. Make sure
Firewall A and Firewall B can reach each other. (Details not shown.)
2. Configure Firewall A:
# Configure ACL 3101 to identify traffic from subnet 10.4.4.0/24 to subnet 10.5.5.0/24.
<FirewallA> system-view
[FirewallA] acl number 3101
[FirewallA-acl-adv-3101] rule permit ip source 10.4.4.0 0.0.0.255 destination 10.5.5.0 0.0.0.255
[FirewallA-acl-adv-3101] quit
# Create IPsec transform set tran1.
[FirewallA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[FirewallA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use ESP as the security protocol.
[FirewallA-ipsec-transform-set-tran1] transform esp
# Use DES as the encryption algorithm and SHA1-HMAC-96 as the authentication algorithm.
[FirewallA-ipsec-transform-set-tran1] esp encryption-algorithm des
[FirewallA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[FirewallA-ipsec-transform-set-tran1] quit
# Create IKE peer peer.
[FirewallA] ike peer peer
Figure 131 labels (diagram not reproduced): headquarters side, Firewall A with GE0/1 1.1.1.1/16 toward the Internet and GE0/2 10.4.4.1/24, Host A 10.4.4.4/24; branch side, Firewall B with GE0/1 2.2.2.2/16 toward the Internet and GE0/2 10.5.5.1/24, Host B 10.5.5.5/24.
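The following is an added Python model of what IPsec RRI does on Firewall A in this example; it is not code from the appliance or from HP, and the class and function names are hypothetical. It converts the ACL 3101 destination (10.5.5.0 0.0.0.255, in Comware wildcard form) to a prefix, installs a static route via 1.1.1.2 when the IPsec SA is established, and withdraws it when the SA is deleted.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Hypothetical model of IPsec reverse route injection (RRI), written for this
# example; it is not code from the appliance or from HP. As in the guide, the
# ACL's destination subnet becomes a static route via next hop 1.1.1.2.

RouteKey = Tuple[str, str]  # (destination prefix, next hop)

def wildcard_to_prefix(addr: str, wildcard: str) -> str:
    """Translate a Comware ACL 'address wildcard' pair to CIDR notation.
    A wildcard is the inverse of a subnet mask: its 0 bits must match."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    # strict=False clears host bits; a non-contiguous mask raises ValueError, so
    # an ACL rule that maps to no single prefix is rejected instead of guessed.
    return str(ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False))

class RriRouteTable:
    """Static routes that exist only while an IPsec SA justifies them."""

    def __init__(self, next_hop: str) -> None:
        self.next_hop = next_hop
        self.routes: Dict[RouteKey, int] = {}  # route -> number of SAs using it

    def sa_established(self, acl_dest: str, acl_wildcard: str) -> RouteKey:
        """IKE negotiated an SA for this ACL flow: install (or refcount) the route."""
        key = (wildcard_to_prefix(acl_dest, acl_wildcard), self.next_hop)
        self.routes[key] = self.routes.get(key, 0) + 1
        return key

    def sa_deleted(self, acl_dest: str, acl_wildcard: str) -> bool:
        """SA torn down: withdraw the route once no SA references it."""
        key = (wildcard_to_prefix(acl_dest, acl_wildcard), self.next_hop)
        if key not in self.routes:
            return False
        self.routes[key] -= 1
        if self.routes[key] == 0:
            del self.routes[key]
            return True
        return False

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match over the injected routes; None if no route."""
        best: Optional[Tuple[int, str]] = None
        for prefix, nh in self.routes:
            net = ipaddress.IPv4Network(prefix)
            if ipaddress.IPv4Address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        return None if best is None else best[1]
```

Traffic to Host B (10.5.5.5) resolves to next hop 1.1.1.2 only while the SA for the ACL 3101 flow exists, which is the behaviour RRI provides without a manually maintained static route.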