H3C Technologies H3C SecPath F1000-E User Manual

Step / Command / Remarks

7. Configure the names of the two ends.
   Command:
   a. Specify a name for the local security gateway:
      local-name name
   b. Configure the name of the remote security gateway:
      remote-name name
   Remarks:
   Optional.
   By default, no name is configured for the local security gateway in IKE peer view, and the security gateway name configured by using the ike local-name command is used.
   The remote gateway name configured with remote-name command on the local gateway must be identical to the local name configured with the local-name command on the peer.

8. Configure the IP addresses of the two ends.
   Command:
   a. Specify an IP address for the local gateway:
      local-address ip-address
   b. Configure the IP addresses of the remote gateway:
      remote-address { hostname [ dynamic ] | low-ip-address [ high-ip-address ] }
   Remarks:
   Optional.
   By default, it is the primary IP address of the interface referencing the security policy.
   The remote IP address configured with the remote-address command on the local gateway must be identical to the local IP address configured with the local-address command on the peer.

9. Enable the NAT traversal function for IPsec/IKE.
   Command:
      nat traversal
   Remarks:
   This step is required when a NAT gateway is present in the VPN tunnel constructed by IPsec/IKE.
   Disabled by default.

10. Set the subnet types of the two ends.
   Command:
   a. Set the subnet type of the local end:
      local { multi-subnet | single-subnet }
   b. Set the subnet type of the peer end:
      peer { multi-subnet | single-subnet }
   Remarks:
   Optional.
   The default subnet type is single-subnet.
   Used only when the device is working together with a NetScreen device.

11. Apply a DPD detector to the IKE peer.
   Command:
      dpd dpd-name
   Remarks:
   Optional.
   No DPD detector is applied to an IKE peer by default. For more information about DPD configuration, see "Configuring a DPD detector."

NOTE:

After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa
commands to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation will fail.
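
The matching rules in steps 7 and 8 can be checked before deployment by comparing the IKE peer view commands of both gateways. The script below is an added example, not part of the H3C manual: the gateway names, the addresses and the helper functions are constructed for illustration, and treating a low/high range as a match when it contains the peer's local address is an assumption that goes beyond the "identical" wording above.

```python
import ipaddress

# Constructed IKE peer view snippets (not from the manual), page commands only.
GW_A = """local-name gw-a
remote-name gw-b
local-address 192.0.2.1
remote-address 198.51.100.10 198.51.100.20"""
GW_B_OK = """local-name gw-b
remote-name gw-a
local-address 198.51.100.15
remote-address 192.0.2.1"""
GW_B_BAD = """local-name gw-b-branch
remote-name gw-a
local-address 198.51.100.30
remote-address 192.0.2.1"""

def parse_peer(text):
    """Map each name/address command to its argument list."""
    keys = ("local-name", "remote-name", "local-address", "remote-address")
    cfg = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 2 and tok[0] in keys:
            cfg[tok[0]] = tok[1:]
    return cfg

def covers(remote, local):
    """True/False for low-ip [high-ip] (assumed: range contains local); None for hostname."""
    try:
        low = ipaddress.ip_address(remote[0])
        high = ipaddress.ip_address(remote[1]) if len(remote) > 1 else low
        return low <= ipaddress.ip_address(local) <= high
    except ValueError:
        return None  # hostname [ dynamic ] cannot be checked offline

def check_pair(a, b):
    """Return the name/address mismatches between two gateways, both directions."""
    problems = []
    for here, there, tag in ((a, b, "A->B"), (b, a, "B->A")):
        rn, ln = here.get("remote-name"), there.get("local-name")
        if rn and ln and rn != ln:
            problems.append(f"{tag}: remote-name {rn[0]} != peer local-name {ln[0]}")
        ra, la = here.get("remote-address"), there.get("local-address")
        if ra and la and covers(ra, la[0]) is False:
            problems.append(f"{tag}: remote-address {' '.join(ra)} "
                            f"does not match peer local-address {la[0]}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_pair(parse_peer(GW_A), parse_peer(GW_B_BAD))))
```

Names or addresses left unset on either end are skipped, because the defaults described in the Remarks (the ike local-name value, the interface's primary IP address) then apply and are not visible in the peer view alone.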