HP VPN Firewall Appliances VPN Configuration Guide

[FirewallB-ike-peer-peer] quit
# Create an IPsec policy that uses IKE.
[FirewallB] ipsec policy use1 10 isakmp
# Reference ACL 3101 to identify the protected traffic.
[FirewallB-ipsec-policy-isakmp-use1-10] security acl 3101
# Reference IPsec transform set tran1.
[FirewallB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Reference IKE peer peer.
[FirewallB-ipsec-policy-isakmp-use1-10] ike-peer peer
[FirewallB-ipsec-policy-isakmp-use1-10] quit
# Apply IPsec policy use1 to interface GigabitEthernet 0/1.
[FirewallB] interface gigabitethernet 0/1
[FirewallB-GigabitEthernet0/1] ipsec policy use1
4. Verify the configuration:
# Send traffic from subnet 10.5.5.0/24 to subnet 10.4.4.0/24. IKE negotiation is triggered to
establish IPsec SAs between Firewall A and Firewall B.
# Display the routing table on Firewall A.
[FirewallA] display ip routing-table
Routing Tables: Public
Destinations : 8    Routes : 8
Destination/Mask   Proto   Pre  Cost  NextHop     Interface
1.1.0.0/16         Direct  0    0     1.1.1.1     GE0/1
1.1.1.1/32         Direct  0    0     127.0.0.1   InLoop0
2.2.2.0/24         Static  60   0     1.1.1.2     GE0/1
10.4.4.0/24        Direct  0    0     10.4.4.1    GE0/2
10.4.4.4/32        Direct  0    0     127.0.0.1   InLoop0
10.5.5.0/24        Static  60   0     1.1.1.2     GE0/1
127.0.0.0/8        Direct  0    0     127.0.0.1   InLoop0
127.0.0.1/32       Direct  0    0     127.0.0.1   InLoop0
The output shows that IPsec RRI has created a static route to subnet 10.5.5.0/24 with the next hop
1.1.1.2.
# Delete the IPsec SAs.
The static route is automatically deleted.
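The verification in step 4 can be scripted. The following is an added example, not part of the HP guide: it parses captured `display ip routing-table` output and checks that the RRI static route to 10.5.5.0/24 via 1.1.1.2 is present while the SAs exist and absent after they are deleted. The function names and the "after deletion" sample are assumptions constructed for illustration.

```python
import ipaddress

# "display ip routing-table" output from Firewall A, copied from step 4.
ROUTES_WITH_SA = """\
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost NextHop Interface
1.1.0.0/16 Direct 0 0 1.1.1.1 GE0/1
1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
2.2.2.0/24 Static 60 0 1.1.1.2 GE0/1
10.4.4.0/24 Direct 0 0 10.4.4.1 GE0/2
10.4.4.4/32 Direct 0 0 127.0.0.1 InLoop0
10.5.5.0/24 Static 60 0 1.1.1.2 GE0/1
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
"""

# Constructed sample: the same table minus the RRI route, as expected once
# the IPsec SAs are deleted (summary counts are left unadjusted).
ROUTES_AFTER_DELETE = "\n".join(
    line for line in ROUTES_WITH_SA.splitlines()
    if not line.startswith("10.5.5.0/24")
)

def parse_routes(text):
    """Parse route rows; banner, summary and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        try:
            dest = ipaddress.ip_network(fields[0])
            nexthop = ipaddress.ip_address(fields[4])
        except ValueError:
            continue  # six fields, but not a route row (e.g. the header)
        routes.append({"dest": dest, "proto": fields[1],
                       "nexthop": nexthop, "iface": fields[5]})
    return routes

def rri_route_present(text, protected_subnet, peer_nexthop):
    """True if a Static route to protected_subnet via peer_nexthop exists."""
    want_net = ipaddress.ip_network(protected_subnet)
    want_hop = ipaddress.ip_address(peer_nexthop)
    return any(r["proto"] == "Static" and r["dest"] == want_net
               and r["nexthop"] == want_hop for r in parse_routes(text))

if __name__ == "__main__":
    for name, table in (("SAs up", ROUTES_WITH_SA), ("SAs deleted", ROUTES_AFTER_DELETE)):
        print(name, rri_route_present(table, "10.5.5.0/24", "1.1.1.2"))
```

The check matches on protocol, destination and next hop only, because that is all this output exposes; a manually configured static route with the same values would also match.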
IPsec stateful failover configuration example
Network requirements
As shown in Figure 132, a network has two gateways, Firewall A and Firewall B, at the headquarters.
Configure an IPsec tunnel between the headquarters and the branch for secure communication, and
complete the following tasks to configure IPsec stateful failover on Firewall A and Firewall B for high
availability of the IPsec tunnel:
• Deploy a physical link for IPsec service data backup between Firewall A and Firewall B, and
configure the connecting interfaces as failover interfaces.