Verifying the configuration, Configuration guidelines – H3C Technologies H3C MSR 50 User Manual
f. Click Apply.
Figure 375 Configuring a static route to Host A
3. Configure an IPsec connection.
a. Select VPN > IPsec VPN from the navigation tree.
b. Click Add to enter the IPsec connection configuration page (see
c. Enter map1 as the IPsec connection name.
d. Select interface Ethernet0/1.
e. Enter 2.2.2.1 as the remote gateway IP address.
f. Select the Pre-Shared-Key box, and then enter abcde in both the Key and Confirm Key fields.
g. In the Selector area, select the selector type Characteristics of Traffic.
h. Specify 10.1.2.0/0.0.0.255 as the source address/wildcard. Specify 10.1.1.0/0.0.0.255 as the destination address/wildcard.
i. Click Apply.
Verifying the configuration
After you complete the configuration, packets exchanged between subnet 10.1.1.0/24 and subnet
10.1.2.0/24 trigger IKE to negotiate SAs. After IKE negotiation succeeds and the IPsec SAs are
established, a static route to subnet 10.1.2.0/24 through 2.2.2.2 is added to the routing table on Device
A, and traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 is protected by IPsec.
Configuration guidelines
When you configure IPsec, follow these guidelines:
• Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51
and 50 respectively. Make sure flows of these protocols are not denied on the interfaces with IKE or
IPsec configured.
• If you enable both IPsec and QoS on an interface, traffic of an IPsec SA might be put into different
queues by QoS, causing some packets to be sent out of order. As IPsec performs anti-replay
operation, packets outside the anti-replay window in the inbound direction might be discarded,
resulting in packet loss. When using IPsec together with QoS, make sure the characteristics of traffic
in IPsec are the same as traffic classification in QoS.
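
The QoS guideline above, as an added example (not taken from the H3C manual): a Python model of an inbound anti-replay sliding window, fed with a constructed packet stream in which one QoS queue delays every fourth packet of the same SA. The 64-packet window size, the queue model and all names are assumptions for illustration; the manual does not state the device's window size.

```python
class AntiReplayWindow:
    """Sliding-window replay check of the kind used for ESP/AH sequence numbers."""

    def __init__(self, size=64):           # 64 is an assumed window size
        self.size = size
        self.top = 0                       # highest sequence number accepted
        self.bitmap = 0                    # bit i set => (top - i) already seen

    def accept(self, seq):
        """Return 'ok', 'replay', 'too_old' or 'invalid' and update the window."""
        if seq == 0:
            return "invalid"               # sequence numbers start at 1
        if seq > self.top:                 # newer packet: slide the window up
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:            # fell behind the window: discarded
            return "too_old"
        if self.bitmap & (1 << offset):    # already seen: genuine replay
            return "replay"
        self.bitmap |= 1 << offset
        return "ok"


def qos_reorder(seqs, slow_every, delay):
    """Constructed model: every `slow_every`-th packet is classified into a
    slower queue and leaves `delay` packet-times late; the rest leave on time."""
    timed = []
    for i, seq in enumerate(seqs):
        late = delay if seq % slow_every == 0 else 0
        timed.append((i + late, i, seq))
    return [seq for _, _, seq in sorted(timed)]


def count_drops(arrivals, size=64):
    """Run the arrivals through the window and tally the verdicts."""
    win = AntiReplayWindow(size)
    results = [win.accept(s) for s in arrivals]
    return {r: results.count(r) for r in ("ok", "replay", "too_old")}


if __name__ == "__main__":
    stream = range(1, 201)                 # constructed: 200 packets of one SA
    for delay in (10, 100):
        print(delay, count_drops(qos_reorder(stream, slow_every=4, delay=delay)))
```

With a delay shorter than the window every packet is accepted; once the slow queue lags by more than the window, legitimate packets are discarded as too old even though nothing was replayed, which is the packet loss the guideline describes.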