HP VPN Firewall Appliances VPN Configuration Guide
[FirewallA] ipsec policy map1 10 isakmp
# Reference IPsec transform set tran1.
[FirewallA-ipsec-policy-isakmp-map1-10] transform-set tran1
# Reference ACL 3101.
[FirewallA-ipsec-policy-isakmp-map1-10] security acl 3101
# Reference IKE peer branch.
[FirewallA-ipsec-policy-isakmp-map1-10] ike-peer branch
[FirewallA-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy group map1 to interface GigabitEthernet0/2.
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] ipsec policy map1
[FirewallA-GigabitEthernet0/2] quit
# Enable IPsec stateful failover.
[FirewallA] ipsec synchronization enable
Configuring Firewall B
1. Configure stateful failover:
# Log in to the Web interface of Firewall B and configure stateful failover. The required
configuration is the same as the configuration on Firewall A, except that you must leave the Main
Device for Configuration Synchronization and Auto Synchronization options cleared on the
Stateful Failover Configuration page. See Figure 133 and Figure 134.
2. Configure VRRP:
# Create VRRP group 1 and assign a virtual IP address to the group.
<FirewallB> system-view
[FirewallB] interface gigabitethernet 0/1
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 virtual-ip 10.1.1.1
# Set the priority of Firewall B in VRRP group 1 to 110.
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 priority 110
# Configure Firewall B to operate in preemption mode in VRRP group 1 and set the preemption
delay to 0 seconds. This is the default setting, so this step is optional.
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 preempt-mode timer delay 0
[FirewallB-GigabitEthernet0/1] quit
# Create VRRP group 2 and assign a virtual IP address to the group.
[FirewallB] interface gigabitethernet 0/2
[FirewallB-GigabitEthernet0/2] vrrp vrid 2 virtual-ip 192.168.0.1
# Set the priority of Firewall B in VRRP group 2 to 110.
[FirewallB-GigabitEthernet0/2] vrrp vrid 2 priority 110
# Configure Firewall B to operate in preemption mode in VRRP group 2 and set the preemption
delay to 0 seconds. This is the default setting, so this step is optional.
[FirewallB-GigabitEthernet0/2] vrrp vrid 2 preempt-mode timer delay 0
[FirewallB-GigabitEthernet0/2] quit
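The VRRP and IPsec stateful-failover steps above only work as a pair if both firewalls agree on every group (same VRID and virtual IP per interface), one node is preferred on every group so inside and outside traffic fail over together, and `ipsec synchronization enable` is present on both. The following script is an added example, not part of the HP guide: it parses Comware-style CLI lines (with or without the `[Device-Interface]` prompt) and reports those pairing mistakes. The Firewall B lines in the sample input mirror the commands on this page; Firewall A's VRRP priority is not shown here, so the sample leaves it at the VRRP default of 100, which is an assumption.

```python
"""Added example (not from the HP guide): consistency check for a two-node
VRRP + IPsec stateful-failover pair.

It parses Comware-style CLI lines, with or without the [Device-Interface]
prompt, and reports the pairing mistakes that leave the pair without a
deterministic VRRP master or without IPsec state synchronization on a node.
"""
import re

PROMPT_RE = re.compile(r"^(?:<[^>]*>|\[[^\]]*\])\s*")
IFACE_RE = re.compile(r"^interface\s+(\S+)\s*(\S+)?$", re.I)
VRRP_RE = re.compile(r"^vrrp vrid (\d+) (virtual-ip|priority)\s+(\S+)", re.I)
POLICY_RE = re.compile(r"^ipsec policy (\S+)$", re.I)
VRRP_DEFAULT_PRIORITY = 100  # VRRP default when no "priority" line is configured


def parse_config(text):
    """Collect VRRP groups per interface, the interface-level IPsec policy
    bindings and whether IPsec stateful failover is enabled."""
    cfg = {"vrrp": {}, "ipsec_policy": {}, "ipsec_sync": False}
    iface = None
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if not line or line.startswith("#"):  # blank or guide comment line
            continue
        m = IFACE_RE.match(line)
        if m:  # "interface gigabitethernet 0/1" and "GigabitEthernet0/1" normalize alike
            iface = (m.group(1) + (m.group(2) or "")).lower()
            continue
        if line.lower() == "quit":
            iface = None
        elif line.lower() == "ipsec synchronization enable":
            cfg["ipsec_sync"] = True
        elif iface and (m := VRRP_RE.match(line)):
            grp = cfg["vrrp"].setdefault((iface, int(m.group(1))),
                                         {"virtual_ip": None, "priority": VRRP_DEFAULT_PRIORITY})
            if m.group(2).lower() == "virtual-ip":
                grp["virtual_ip"] = m.group(3)
            else:
                grp["priority"] = int(m.group(3))
        elif iface and (m := POLICY_RE.match(line)):
            cfg["ipsec_policy"][iface] = m.group(1)
    return cfg


def check_pair(cfg_a, cfg_b, name_a="FirewallA", name_b="FirewallB"):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings, preferred = [], {}
    for iface, vrid in sorted(set(cfg_a["vrrp"]) | set(cfg_b["vrrp"])):
        ga, gb = cfg_a["vrrp"].get((iface, vrid)), cfg_b["vrrp"].get((iface, vrid))
        if ga is None or gb is None:
            findings.append(f"vrid {vrid} on {iface}: missing on {name_a if ga is None else name_b}")
            continue
        if ga["virtual_ip"] != gb["virtual_ip"]:
            findings.append(f"vrid {vrid} on {iface}: virtual IP mismatch "
                            f"({ga['virtual_ip']} vs {gb['virtual_ip']})")
        if ga["priority"] == gb["priority"]:
            # equal priorities: VRRP breaks the tie by interface address, not by design
            findings.append(f"vrid {vrid} on {iface}: equal priority {ga['priority']}")
        else:
            preferred[vrid] = name_a if ga["priority"] > gb["priority"] else name_b
    if len(set(preferred.values())) > 1:
        # inside and outside groups mastered by different nodes: asymmetric path
        findings.append(f"VRRP groups prefer different masters: {preferred}")
    for name, cfg in ((name_a, cfg_a), (name_b, cfg_b)):
        if not cfg["ipsec_sync"]:
            findings.append(f"{name}: 'ipsec synchronization enable' missing")
    if cfg_a["ipsec_policy"] != cfg_b["ipsec_policy"]:
        findings.append(f"IPsec policy bindings differ: {cfg_a['ipsec_policy']} vs {cfg_b['ipsec_policy']}")
    return findings


# Constructed sample input. Firewall B's lines mirror the guide's commands; Firewall A's
# VRRP priority is not shown on this page, so it is left at the default here (assumption).
FIREWALL_A = """\
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] vrrp vrid 1 virtual-ip 10.1.1.1
[FirewallA-GigabitEthernet0/1] quit
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] vrrp vrid 2 virtual-ip 192.168.0.1
[FirewallA-GigabitEthernet0/2] ipsec policy map1
[FirewallA-GigabitEthernet0/2] quit
[FirewallA] ipsec synchronization enable
"""
FIREWALL_B = """\
[FirewallB] interface gigabitethernet 0/1
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 virtual-ip 10.1.1.1
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 priority 110
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 preempt-mode timer delay 0
[FirewallB-GigabitEthernet0/1] quit
[FirewallB] interface gigabitethernet 0/2
[FirewallB-GigabitEthernet0/2] vrrp vrid 2 virtual-ip 192.168.0.1
[FirewallB-GigabitEthernet0/2] vrrp vrid 2 priority 110
[FirewallB-GigabitEthernet0/2] ipsec policy map1
[FirewallB-GigabitEthernet0/2] quit
[FirewallB] ipsec synchronization enable
"""

if __name__ == "__main__":
    result = check_pair(parse_config(FIREWALL_A), parse_config(FIREWALL_B))
    for finding in result or ["pair is consistent"]:
        print(finding)
```

Run it against the pasted session logs or saved configurations of both nodes before failing over. An equal-priority finding means the master is chosen by interface address rather than by design; a "different masters" finding means the inside and outside virtual addresses would be served by different nodes, which defeats the stateful failover the guide is configuring.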
3. Configure IPsec and enable IPsec stateful failover:
# Create ACL 3101, and add a rule to permit traffic from subnet 10.1.1.0/24 to subnet
10.2.2.0/24.
[FirewallB] acl number 3101