Verification – H3C Technologies H3C SecPath F1000-E User Manual
# Apply IPsec profile btoa to tunnel interface Tunnel 1.
[DeviceB-Tunnel1] ipsec profile btoa
[DeviceB-Tunnel1] quit
# Configure a static route to Device A.
[DeviceB] ip route-static 172.17.17.0 255.255.255.0 tunnel 1
Verification
After the above configuration, IKE negotiation is triggered to set up SAs when GigabitEthernet 0/1 on
Device A completes the dial-up process. If IKE negotiation is successful and SAs are set up, the IPsec
tunnel between Device A and Device B is up and protects the packets traveling through it.
Use the display brief interface command on Device B to confirm that the link status of the IPsec tunnel
interface is up.
[DeviceB] display brief interface tunnel 1
The brief information of interface(s) under route mode:
Interface    Link    Protocol-link    Protocol type    Main IP
Tun1         UP      UP               TUNNEL           10.1.1.2
Use the display ike sa command on Device B to confirm that the SAs of both phases are established.
[DeviceB] display ike sa
total phase-1 SAs: 1
connection-id    peer       flag    phase    doi
----------------------------------------------------------
2                1.1.1.2    RD      2        IPSEC
1                1.1.1.2    RD      1        IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
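The check above can be automated. The following is an added example, not part of the H3C manual: a Python script that parses captured display ike sa text and reports whether the given peer has a READY SA in both phase 1 and phase 2. The function names, the embedded sample capture and the handling of '|'-separated combined flags are assumptions made for this example.

```python
import re

# Constructed sample: the display ike sa output shown above, as captured text.
SAMPLE = """\
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
2 1.1.1.2 RD 2 IPSEC
1 1.1.1.2 RD 1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
"""

# One SA row: connection-id, peer IPv4 address, flag, phase (1 or 2), doi.
ROW = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+([12])\s+(\S+)\s*$")
BAD_FLAGS = {"RL", "FD", "TO"}  # REPLACED, FADING, TIMEOUT per the flag legend


def parse_ike_sa(text):
    """Return one dict per SA row; header, separator and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            conn, peer, flag, phase, doi = m.groups()
            # Assumption: combined flags are '|'-separated (for example RD|ST).
            rows.append({"conn": int(conn), "peer": peer, "doi": doi,
                         "flags": set(flag.split("|")), "phase": int(phase)})
    return rows


def check_peer(text, peer):
    """Return a list of problems; an empty list means both phases are READY."""
    problems = []
    rows = [r for r in parse_ike_sa(text) if r["peer"] == peer]
    for phase in (1, 2):
        in_phase = [r for r in rows if r["phase"] == phase]
        ready = [r for r in in_phase
                 if "RD" in r["flags"] and not (r["flags"] & BAD_FLAGS)]
        if not ready:
            seen = ", ".join("|".join(sorted(r["flags"])) for r in in_phase)
            detail = f"flags seen: {seen}" if seen else "no SA present"
            problems.append(f"phase {phase}: no READY SA for {peer} ({detail})")
    return problems


if __name__ == "__main__":
    for msg in check_peer(SAMPLE, "1.1.1.2") or ["both phases READY"]:
        print(msg)
```

A phase counts as healthy only if at least one of its SAs carries RD and none of RL, FD or TO, so a tunnel whose only phase-2 SA is fading is reported even though the row still shows RD.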
You can also view the IPsec SA information.
[DeviceB] display ipsec sa
===============================
Interface: Tunnel1
path MTU: 1443
===============================
-----------------------------
IPsec policy name: "btoa"
sequence number: 1
mode: tunnel
-----------------------------
connection id: 3
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 1.1.1.1
remote address: 1.1.1.2
flow :
sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: IP
dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: IP