Network requirements, Configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual

Example for Configuring IKE Aggressive Mode and NAT Traversal
Network requirements
• The branch office is connected to the headquarters through a leased line. The GigabitEthernet 0/1 interface of Device A has a fixed public IP address and Device B obtains an IP address dynamically.
• Because the Serial 2/0 of Device B uses a private IP address and the GigabitEthernet 0/1 of Device A uses the public one, you must enable NAT traversal on Device B.
• For higher security, IKE is used to create an IPsec tunnel.
NOTE:
To highlight the configuration of IKE aggressive mode and NAT traversal, Device B in this example is connected through the serial interface. Refer to this example if you access the Internet using a dial-up or broadband service.
Figure 12 Network diagram for configuring IKE aggressive mode and NAT traversal
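An added review check, not part of the H3C manual: this Python sketch parses the IKE peer commands in the form they are typed in the configuration procedure below and flags settings to revisit before deployment. In aggressive mode the strength of the pre-shared key is what protects the exchange against offline guessing, so a short key such as the sample value abc is reported. MIN_PSK_LEN, the finding names, the need_nat_traversal switch and treating a missing exchange-mode line as main mode are assumptions.

```python
import re

# Constructed input: the Device A IKE peer commands as typed in this page's procedure.
SESSION = """\
[DeviceA] ike peer peer
[DeviceA-ike-peer-peer] exchange-mode aggressive
[DeviceA-ike-peer-peer] pre-shared-key abc
[DeviceA-ike-peer-peer] id-type name
[DeviceA-ike-peer-peer] remote-name deviceb
[DeviceA-ike-peer-peer] nat traversal
[DeviceA-ike-peer-peer] quit
"""

MIN_PSK_LEN = 20  # assumed local policy threshold, not an H3C default
LINE = re.compile(r"^\[[^\]]*?-ike-peer-(?P<peer>[^\]]+)\]\s+(?P<cmd>.+?)\s*$")


def parse_ike_peers(session):
    """Collect the commands entered in each IKE peer view, keyed by peer name."""
    peers = {}
    for line in session.splitlines():
        m = LINE.match(line.strip())
        if m and m.group("cmd") != "quit":
            peers.setdefault(m.group("peer"), []).append(m.group("cmd"))
    return peers


def audit_ike_peers(session, need_nat_traversal=True):
    """Return sorted (peer, finding) pairs for settings worth a second look."""
    findings = []
    for peer, cmds in parse_ike_peers(session).items():
        opts = dict(c.partition(" ")[::2] for c in cmds)
        # Assumption: a peer with no exchange-mode line negotiates in main mode.
        aggressive = opts.get("exchange-mode", "main") == "aggressive"
        psk = opts.get("pre-shared-key")  # read as the bare value typed on this page
        if aggressive and psk is not None and len(psk) < MIN_PSK_LEN:
            findings.append((peer, "aggressive-mode-short-psk"))
        if opts.get("id-type") == "name":
            if not aggressive:  # main mode with a pre-shared key identifies peers by IP
                findings.append((peer, "name-id-requires-aggressive-mode"))
            if "remote-name" not in opts:
                findings.append((peer, "name-id-without-remote-name"))
        if need_nat_traversal and opts.get("nat") != "traversal":
            findings.append((peer, "nat-traversal-not-enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for peer, finding in audit_ike_peers(SESSION):
        print(f"ike peer {peer}: {finding}")
```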
Configuration procedure
1. Configure Device A
# Specify a name for the local security gateway.
[DeviceA] ike local-name devicea
# Configure an ACL.
[DeviceA] acl number 3101 match-order auto
[DeviceA-acl-adv-3101] rule permit ip source any destination any
[DeviceA-acl-adv-3101] quit
# Configure an IP address pool.
[DeviceA] ip pool 1 10.0.0.2 10.0.0.10
# Configure an IKE peer.
[DeviceA] ike peer peer
[DeviceA-ike-peer-peer] exchange-mode aggressive
[DeviceA-ike-peer-peer] pre-shared-key abc
[DeviceA-ike-peer-peer] id-type name
[DeviceA-ike-peer-peer] remote-name deviceb
[DeviceA-ike-peer-peer] nat traversal
[DeviceA-ike-peer-peer] quit
# Create an IPsec proposal named prop.
[DeviceA] ipsec proposal prop
[DeviceA-ipsec-proposal-prop] encapsulation-mode tunnel