HP VPN Firewall Appliances VPN Configuration Guide

# Create IPsec transform set tran1.
[FirewallC] ipsec transform-set tran1
# Configure the IPsec transform set to use the tunnel encapsulation mode.
[FirewallC-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Configure the IPsec transform set to use the ESP security protocol.
[FirewallC-ipsec-transform-set-tran1] transform esp
# Configure ESP to use the DES encryption algorithm and the SHA1 authentication algorithm. (DES is shown here for illustration only; for production tunnels choose a stronger algorithm such as AES where the software version supports it, and configure the same transform on the peer.)
[FirewallC-ipsec-transform-set-tran1] esp encryption-algorithm des
[FirewallC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[FirewallC-ipsec-transform-set-tran1] quit
# Create IKE peer center, set the pre-shared key, and specify the remote peer address. (The key abcde is the example's placeholder; use a long, random key that matches the one configured on the peer.)
[FirewallC] ike peer center
[FirewallC-ike-peer-center] pre-shared-key abcde
[FirewallC-ike-peer-center] remote-address 192.168.0.1
[FirewallC-ike-peer-center] quit
# Enable IPsec anti-replay.
[FirewallC] ipsec anti-replay check
# Create an IPsec policy that uses IKE, naming it map1 and setting its sequence number to 10.
[FirewallC] ipsec policy map1 10 isakmp
# Reference IPsec transform set tran1.
[FirewallC-ipsec-policy-isakmp-map1-10] transform-set tran1
# Reference ACL 3101.
[FirewallC-ipsec-policy-isakmp-map1-10] security acl 3101
# Reference IKE peer center.
[FirewallC-ipsec-policy-isakmp-map1-10] ike-peer center
[FirewallC-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy group map1 to interface GigabitEthernet 0/1.
[FirewallC] interface gigabitethernet 0/1
[FirewallC-GigabitEthernet0/1] ipsec policy map1
[FirewallC-GigabitEthernet0/1] quit
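The following Python script is an added example, not part of the HP guide, that parses the FirewallC command sequence above (embedded below as a constructed sample, with the view prompts kept) and reports the settings an auditor would question before a tunnel goes into production: the ESP algorithms, the pre-shared key length, whether anti-replay checking is on, and whether every object the IPsec policy references (transform set, IKE peer, ACL) is defined in the text being audited. The weak-algorithm lists and the 16-character key threshold are assumptions made for the example, not limits or recommendations taken from the guide.

```python
import re

# Constructed sample: the FirewallC command sequence from the guide, view prompts included.
SAMPLE_CONFIG = """\
[FirewallC] ipsec transform-set tran1
[FirewallC-ipsec-transform-set-tran1] encapsulation-mode tunnel
[FirewallC-ipsec-transform-set-tran1] transform esp
[FirewallC-ipsec-transform-set-tran1] esp encryption-algorithm des
[FirewallC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[FirewallC-ipsec-transform-set-tran1] quit
[FirewallC] ike peer center
[FirewallC-ike-peer-center] pre-shared-key abcde
[FirewallC-ike-peer-center] remote-address 192.168.0.1
[FirewallC-ike-peer-center] quit
[FirewallC] ipsec anti-replay check
[FirewallC] ipsec policy map1 10 isakmp
[FirewallC-ipsec-policy-isakmp-map1-10] transform-set tran1
[FirewallC-ipsec-policy-isakmp-map1-10] security acl 3101
[FirewallC-ipsec-policy-isakmp-map1-10] ike-peer center
[FirewallC-ipsec-policy-isakmp-map1-10] quit
[FirewallC] interface gigabitethernet 0/1
[FirewallC-GigabitEthernet0/1] ipsec policy map1
[FirewallC-GigabitEthernet0/1] quit
"""

# Assumptions for this example (policy choices, not device limits): algorithms
# treated as legacy, and the minimum pre-shared key length we accept.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_AUTH = {"md5"}
MIN_PSK_LEN = 16

PROMPT_RE = re.compile(r"^\[[^\]]+\]\s*(.*)$")  # strips the "[hostname-view]" prompt


def parse_config(text):
    """Parse prompted CLI lines into transform sets, IKE peers, policies, ACLs and interfaces."""
    cfg = {"transform_sets": {}, "ike_peers": {}, "policies": {},
           "interfaces": {}, "acls": set(), "anti_replay": False}
    ctx = None  # (table, key) of the object whose view we are currently inside
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue
        t = m.group(1).split()
        if not t:
            continue
        if t == ["quit"]:
            ctx = None
        elif t[:2] == ["ipsec", "transform-set"] and len(t) == 3:
            ctx = ("transform_sets", t[2])
            cfg["transform_sets"].setdefault(t[2], {})
        elif t[:2] == ["ike", "peer"] and len(t) == 3:
            ctx = ("ike_peers", t[2])
            cfg["ike_peers"].setdefault(t[2], {})
        elif t[:2] == ["ipsec", "policy"] and len(t) == 5:  # ipsec policy NAME SEQ isakmp|manual
            ctx = ("policies", (t[2], int(t[3])))
            cfg["policies"].setdefault(ctx[1], {"mode": t[4]})
        elif t[0] == "interface" and len(t) >= 2:
            ctx = ("interfaces", "".join(t[1:]).lower())  # "gigabitethernet0/1"
            cfg["interfaces"].setdefault(ctx[1], {})
        elif t[:2] == ["acl", "number"] and len(t) >= 3:
            cfg["acls"].add(t[2])  # the rules inside the ACL view are not audited here
            ctx = None
        elif t[:3] == ["ipsec", "anti-replay", "check"]:
            cfg["anti_replay"] = True
        elif ctx is not None:
            obj = cfg[ctx[0]][ctx[1]]
            if ctx[0] == "transform_sets":
                if t[:2] == ["esp", "encryption-algorithm"]:
                    obj["esp_enc"] = t[2]
                elif t[:2] == ["esp", "authentication-algorithm"]:
                    obj["esp_auth"] = t[2]
                elif t[0] == "encapsulation-mode":
                    obj["mode"] = t[1]
                elif t[0] == "transform":
                    obj["protocol"] = t[1]
            elif ctx[0] == "ike_peers":
                if t[0] == "pre-shared-key":
                    obj["psk"] = t[1]
                elif t[0] == "remote-address":
                    obj["remote"] = t[1]
            elif ctx[0] == "policies":
                if t[0] == "transform-set":
                    obj["transform_set"] = t[1]
                elif t[:2] == ["security", "acl"]:
                    obj["acl"] = t[2]
                elif t[0] == "ike-peer":
                    obj["ike_peer"] = t[1]
            elif ctx[0] == "interfaces" and t[:2] == ["ipsec", "policy"]:
                obj["ipsec_policy"] = t[2]
    return cfg


def audit(cfg):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if not cfg["anti_replay"]:
        findings.append("ipsec anti-replay check is not enabled")
    for name, ts in cfg["transform_sets"].items():
        if ts.get("esp_enc") in WEAK_ENCRYPTION:
            findings.append(f"transform-set {name}: ESP encryption {ts['esp_enc']} is legacy")
        if ts.get("esp_auth") in WEAK_AUTH:
            findings.append(f"transform-set {name}: ESP authentication {ts['esp_auth']} is legacy")
    for name, peer in cfg["ike_peers"].items():
        psk = peer.get("psk", "")
        if len(psk) < MIN_PSK_LEN:
            findings.append(f"ike peer {name}: pre-shared key is only {len(psk)} characters")
    for (pname, seq), pol in cfg["policies"].items():
        for field, table in (("transform_set", "transform_sets"), ("ike_peer", "ike_peers")):
            ref = pol.get(field)
            if ref is None:
                findings.append(f"ipsec policy {pname} {seq}: no {field} referenced")
            elif ref not in cfg[table]:
                findings.append(f"ipsec policy {pname} {seq}: references undefined {field} {ref}")
        acl = pol.get("acl")
        if acl is None:
            findings.append(f"ipsec policy {pname} {seq}: no security ACL referenced")
        elif acl not in cfg["acls"]:
            findings.append(f"ipsec policy {pname} {seq}: references ACL {acl}, "
                            "which is not defined in the audited text")
    applied = {i.get("ipsec_policy") for i in cfg["interfaces"].values()}
    for pname in sorted({p for p, _ in cfg["policies"]}):
        if pname not in applied:
            findings.append(f"ipsec policy group {pname} is not applied to any interface")
    return findings


if __name__ == "__main__":
    for line in audit(parse_config(SAMPLE_CONFIG)):
        print(line)
```

Run against the sample, the script flags the DES transform, the five-character pre-shared key, and the fact that ACL 3101 is referenced but not defined in the excerpt (its rules live elsewhere in the guide); anti-replay passes because `ipsec anti-replay check` is present. Feeding it the running configuration of both Firewall A and Firewall C lets you also confirm that the two sides reference matching transform sets before you start the traffic test in the next step.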
Verifying the configuration
Create traffic between Host A (10.1.1.2) and Host B (10.2.2.2) to trigger IKE negotiation. After IKE
establishes IPsec SAs, traffic between Host A and Host B should travel over the IPsec tunnel, and Firewall
A should synchronize its IKE SA and IPsec SAs to Firewall B.
Verify the configuration on Firewall A:
# Display active IPsec SAs.
<FirewallA> display ipsec sa active
===============================
Interface: GE0/2
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10