Verifying the configuration, Network requirements, Configuring secpath a – H3C Technologies H3C SecPath F1000-E User Manual

Page 213

201

[SecPathB-ipsec-policy-manual-use1-10] sa string-key inbound esp abcdefg

[SecPathB-ipsec-policy-manual-use1-10] quit

# Configure the IP address of the GigabitEthernet interface.

[SecPathB] interface GigabitEthernet 0/2

[SecPathB-GigabitEthernet0/2] ip address 2.2.3.1 255.255.255.0

# Apply the IPsec policy group to the interface.

[SecPathB-GigabitEthernet0/2] ipsec policy use1

Verifying the configuration

After the configuration, an IPsec tunnel between SecPath A and SecPath B should be established, and the

traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 should be IPsec protected.

IKE-based IPsec tunnel for IPv4 packets configuration example

Network requirements

As shown in

Figure 127

, configure an IPsec tunnel between SecPath A and SecPath B to protect data flows

between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure the tunnel to use the security protocol
ESP, the encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96.

Configuring SecPath A

# Define an ACL to identify data flows from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.

system-view

[SecPathA] acl number 3101

[SecPathA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0

0.0.0.255

[SecPathA-acl-adv-3101] quit

# Configure a static route to Host B.

[SecPathA] ip route-static 10.1.2.0 255.255.255.0 GigabitEthernet 0/2

# Create an IPsec proposal named tran1.

[SecPathA] ipsec proposal tran1

# Specify the encapsulation mode as tunnel.

[SecPathA-ipsec-proposal-tran1] encapsulation-mode tunnel

# Specify the security protocol as ESP.

[SecPathA-ipsec-proposal-tran1] transform esp

# Specify the algorithms for the proposal.

[SecPathA-ipsec-proposal-tran1] esp encryption-algorithm des

[SecPathA-ipsec-proposal-tran1] esp authentication-algorithm sha1

[SecPathA-ipsec-proposal-tran1] quit

# Configure the IKE peer.

[SecPathA] ike peer peer

[SecPathA-ike-peer-peer] pre-shared-key abcde

[SecPathA-ike-peer-peer] remote-address 2.2.3.1

[SecPathA-ike-peer-peer] quit

# Create an IPsec policy that uses IKE for IPsec SA negotiation.

[SecPathA] ipsec policy map1 10 isakmp

This manual is related to the following products:

H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS