HP VPN Firewall Appliances VPN Configuration Guide

[FirewallC-Tunnel0] destination 11.1.1.1
[FirewallC-Tunnel0] quit
# Configure a static route to the headquarters network with the outgoing interface being the tunnel interface Tunnel0 and the preference (priority) value being 1.
[FirewallC] ip route-static 192.168.11.0 255.255.255.0 tunnel 0 preference 1
# Create a tunnel interface named Tunnel1 and configure an IP address for it.
[FirewallC] interface tunnel 1
[FirewallC-Tunnel1] ip address 172.168.2.3 255.255.255.0
# Configure the tunnel encapsulation mode of the tunnel interface Tunnel1 as GRE over IPv4.
[FirewallC-Tunnel1] tunnel-protocol gre
# Configure the source and destination IP addresses of the tunnel interface Tunnel1.
[FirewallC-Tunnel1] source 11.1.1.3
[FirewallC-Tunnel1] destination 11.1.1.2
[FirewallC-Tunnel1] quit
# Configure a static route to the headquarters network with the outgoing interface being Tunnel1 and the preference value being 10. This makes the priority of this route lower than that of the static route through Tunnel0, so that Firewall C prefers the tunnel between Firewall A and Firewall C for packet forwarding.
[FirewallC] ip route-static 192.168.11.0 255.255.255.0 tunnel 1 preference 10
If the link between Firewall A and Firewall C goes down, Firewall C detects the failure, the preference-1 route through Tunnel0 becomes invalid, and the preference-10 route through Tunnel1 takes over. Firewall C then sends the packets toward Firewall B, which initiates the establishment of the tunnel between Firewall B and Firewall C. Only at that point can Firewall B learn the tunnel entry for the branch network; until traffic from Firewall C arrives, the P2MP tunnel table on Firewall B stays empty.
If Firewall A and Firewall C are directly connected, the static route on Firewall C alone is enough: when the directly connected link fails, Firewall C senses the failure of the link between Firewall A and Firewall C and stops using the route. If the two are not directly connected, an intermediate link failure is invisible to Firewall C, so use either of the following methods to achieve the same effect:
• Configure dynamic routing on Firewall A, Firewall B, and Firewall C.
• On Firewall C, associate the static route with a track entry, so as to use the track entry to track the status of the static route. For details about track entries, see High Availability Configuration Guide.
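The track-entry method in the second bullet, shown as an added example that is not part of the original guide: a Firewall C configuration that binds the preference-1 route through Tunnel0 to an NQA ICMP-echo probe of Firewall A's tunnel endpoint 11.1.1.1. The NQA entry name (admin hq-probe), the track entry number (1), the probe interval and the consecutive-failure threshold are assumed values; the command syntax follows the Comware NQA and track commands and should be checked against the High Availability Configuration Guide for your release.

```text
# Create an ICMP-echo NQA operation that probes Firewall A's tunnel source 11.1.1.1 once per second.
# (entry name "admin hq-probe" is an assumed value)
[FirewallC] nqa entry admin hq-probe
[FirewallC-nqa-admin-hq-probe] type icmp-echo
[FirewallC-nqa-admin-hq-probe-icmp-echo] destination ip 11.1.1.1
[FirewallC-nqa-admin-hq-probe-icmp-echo] frequency 1000
# Reaction entry 1 turns negative after 3 consecutive probe failures (assumed threshold).
[FirewallC-nqa-admin-hq-probe-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
[FirewallC-nqa-admin-hq-probe-icmp-echo] quit
[FirewallC-nqa-admin-hq-probe] quit
# Start the probe now and keep it running.
[FirewallC] nqa schedule admin hq-probe start-time now lifetime forever
# Track entry 1 follows reaction entry 1 of the NQA operation.
[FirewallC] track 1 nqa entry admin hq-probe reaction 1
# The preferred route through Tunnel0 is valid only while track 1 is Positive;
# the backup route through Tunnel1 keeps its higher preference value and is not tracked.
[FirewallC] ip route-static 192.168.11.0 255.255.255.0 tunnel 0 preference 1 track 1
[FirewallC] ip route-static 192.168.11.0 255.255.255.0 tunnel 1 preference 10
```

When the probe fails three times in a row, track 1 goes Negative, the route through Tunnel0 is removed from the routing table, and the preference-10 route through Tunnel1 carries the headquarters traffic to Firewall B; when the probe succeeds again, the Tunnel0 route is restored and traffic moves back. Use display track 1 and display ip routing-table on Firewall C to confirm the switchover. Note that the track reflects ICMP reachability of 11.1.1.1 across the underlay only: if 11.1.1.1 answers pings but GRE traffic is filtered somewhere on the path, the track stays Positive and no switchover happens, so probe a destination that shares the GRE path's fate.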
5. Verify the configuration:
# Ping Host A from Host C. The operation succeeds. View the tunnel entries on Firewall A and Firewall B.
[FirewallA] display gre p2mp tunnel-table interface tunnel 0
Dest Addr        Mask             Tunnel Dest Addr   Gre Key
192.168.12.0     255.255.255.0    11.1.1.3
[FirewallB] display gre p2mp tunnel-table interface tunnel 0
Dest Addr        Mask             Tunnel Dest Addr   Gre Key
The output shows that Firewall A has a tunnel entry to the branch network and Firewall B has none. Packets to the branch network are forwarded through Firewall A.
# On Firewall C, shut down interface Tunnel0 to cut off the tunnel link between Firewall A and Firewall C.
[FirewallC] interface tunnel 0
[FirewallC-Tunnel0] shutdown
# After the tunnel entry aging time (20 seconds in this example) elapses, view the tunnel entry information on Firewall A.
[FirewallA] display gre p2mp tunnel-table interface tunnel 0