HP VPN Firewall Appliances VPN Configuration Guide
the priority value of Firewall B so Firewall B can become the master. In this example, the priority
value decrement is 60.
[FirewallA-GigabitEthernet0/1] vrrp vrid 1 track interface gigabitethernet 0/2 reduced 60
[FirewallA-GigabitEthernet0/1] quit
# Create VRRP group 2 and assign a virtual IP address to the group.
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] vrrp vrid 2 virtual-ip 192.168.0.1
# Set the priority of Firewall A in VRRP group 2 to 150.
[FirewallA-GigabitEthernet0/2] vrrp vrid 2 priority 150
# Configure Firewall A to operate in preemption mode in VRRP group 2 and set the preemption
delay to 255 seconds.
[FirewallA-GigabitEthernet0/2] vrrp vrid 2 preempt-mode timer delay 255
# Configure Firewall A to monitor the status of the downlink interface GigabitEthernet 0/1 and,
when the interface becomes unavailable, reduce its own priority in VRRP group 2 to a value lower
than the priority value of Firewall B so that Firewall B can become the master. In this example, the
priority value decrement is 60.
[FirewallA-GigabitEthernet0/2] vrrp vrid 2 track interface gigabitethernet 0/1 reduced 60
[FirewallA-GigabitEthernet0/2] quit
3. Configure IPsec and enable IPsec stateful failover:
# Create ACL 3101, and add a rule to permit traffic from subnet 10.1.1.0/24 to subnet
10.2.2.0/24.
[FirewallA] acl number 3101
[FirewallA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
[FirewallA-acl-adv-3101] quit
# Configure a static route to Host B.
[FirewallA] ip route-static 10.2.2.0 255.255.255.0 192.168.0.2
# Create IPsec transform set tran1.
[FirewallA] ipsec transform-set tran1
# Configure the IPsec transform set to use the tunnel encapsulation mode.
[FirewallA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Configure the IPsec transform set to use the ESP security protocol.
[FirewallA-ipsec-transform-set-tran1] transform esp
# Configure ESP to use the DES encryption algorithm and the SHA1 authentication algorithm.
[FirewallA-ipsec-transform-set-tran1] esp encryption-algorithm des
[FirewallA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[FirewallA-ipsec-transform-set-tran1] quit
# Create and configure IKE peer branch.
[FirewallA] ike peer branch
[FirewallA-ike-peer-branch] pre-shared-key abcde
[FirewallA-ike-peer-branch] local-address 192.168.0.1
[FirewallA-ike-peer-branch] remote-address 192.168.0.2
[FirewallA-ike-peer-branch] quit
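The following Python script is an added example, not part of the HP guide. It audits the Firewall A commands from this section for the VRRP tracking condition (the priority after the decrement must fall below Firewall B's) and for the weak IPsec/IKE settings used here (DES, SHA1, a five-character pre-shared key). Assumptions: Firewall B's priority is 100 (not stated on this page), the 20-character key minimum is a hypothetical policy value, and the name audit is illustrative.

```python
import re

# Constructed sample: Firewall A commands from this section (wrapped lines joined).
SAMPLE = """\
# Set the priority of Firewall A in VRRP group 2 to 150.
[FirewallA-GigabitEthernet0/2] vrrp vrid 2 priority 150
[FirewallA-GigabitEthernet0/2] vrrp vrid 2 track interface gigabitethernet 0/1 reduced 60
[FirewallA-ipsec-transform-set-tran1] esp encryption-algorithm des
[FirewallA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[FirewallA-ike-peer-branch] pre-shared-key abcde
"""

PROMPT = re.compile(r"^\[[^\]]+\]\s+(.+)$")   # "[view] command"
# Algorithm keywords used on this page that are legacy choices.
WEAK = {"des": "56-bit key", "sha1": "legacy hash"}
DEFAULT_PRIORITY = 100  # assumption: VRRP default when no priority is configured


def audit(config, peer_priority=100, min_psk_len=20):
    """Return findings for a prompt-prefixed config transcript.

    peer_priority: assumed priority of the backup (Firewall B).
    min_psk_len:   hypothetical policy minimum for pre-shared keys.
    """
    cmds = [m[1].strip() for m in map(PROMPT.match, config.splitlines()) if m]
    # First pass: configured priority per VRRP group.
    prio = {}
    for cmd in cmds:
        if m := re.match(r"vrrp vrid (\d+) priority (\d+)$", cmd):
            prio[m[1]] = int(m[2])
    findings = []
    for cmd in cmds:
        if m := re.match(r"vrrp vrid (\d+) track interface .+ reduced (\d+)$", cmd):
            after = prio.get(m[1], DEFAULT_PRIORITY) - int(m[2])
            # The backup takes over only if its priority is strictly higher.
            if after >= peer_priority:
                findings.append(f"vrid {m[1]}: priority {after} after tracked "
                                f"failure is not below peer priority {peer_priority}")
        elif m := re.match(r"esp (encryption|authentication)-algorithm (\S+)", cmd):
            if m[2] in WEAK:
                findings.append(f"esp {m[1]} {m[2]}: {WEAK[m[2]]}")
        elif m := re.match(r"pre-shared-key (\S+)$", cmd):
            # Report only the length, never the key itself.
            if len(m[1]) < min_psk_len:
                findings.append(f"pre-shared-key: {len(m[1])} characters, "
                                f"policy minimum {min_psk_len}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```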
# Create an IPsec policy that uses IKE, naming it map1 and setting its sequence number to 10.