Verifying the configuration – H3C Technologies H3C SecPath F1000-E User Manual

[SecPathB-ike-peer-btoa] remote-name SecPatha
[SecPathB-ike-peer-btoa] quit
# Create an IPsec proposal named method1. This proposal uses the default settings: ESP as the security
# protocol, DES as the encryption algorithm, and MD5 as the authentication algorithm.
[SecPathB] ipsec proposal method1
[SecPathB-ipsec-proposal-method1] quit
# Create an IPsec profile named btoa.
[SecPathB] ipsec profile btoa
# Configure the IPsec profile to reference the IKE peer.
[SecPathB-ipsec-profile-btoa] ike-peer btoa
# Configure the IPsec profile to reference the IPsec proposal method1.
[SecPathB-ipsec-profile-btoa] proposal method1
[SecPathB-ipsec-profile-btoa] quit
# Create tunnel interface Tunnel 1. This interface will be used to protect the data flows between SecPath
B and SecPath A. As the public IP address of the remote peer is not known, you do not need to configure
the destination address on the tunnel interface.
[SecPathB] interface tunnel 1
# Assign IPv4 address 10.1.1.2/24 to tunnel interface Tunnel 1.
[SecPathB-Tunnel1] ip address 10.1.1.2 24
# Set the tunnel mode of tunnel interface Tunnel 1 to IPsec over IPv4.
[SecPathB-Tunnel1] tunnel-protocol ipsec ipv4
# Set the source interface of the tunnel to GigabitEthernet 0/1 on Tunnel 1.
[SecPathB-Tunnel1] source GigabitEthernet 0/1
# Apply IPsec profile btoa to tunnel interface Tunnel 1.
[SecPathB-Tunnel1] ipsec profile btoa
[SecPathB-Tunnel1] quit
# Configure a static route to SecPath A.
[SecPathB] ip route-static 172.17.17.0 255.255.255.0 tunnel 1
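
An added example, not part of the H3C manual: a Python check that reads a CLI transcript like the one above and reports each IPsec profile whose referenced proposal still carries the DES and MD5 defaults this page describes. The `method2` proposal and its `esp encryption-algorithm` / `esp authentication-algorithm` lines are constructed sample input and assume Comware's proposal-view syntax, which this page does not show.

```python
import re
# Constructed transcript: the method1/btoa lines are from this page; the
# "method2" proposal is hypothetical and assumes Comware proposal-view syntax.
TRANSCRIPT = """\
[SecPathB] ipsec proposal method1
[SecPathB-ipsec-proposal-method1] quit
[SecPathB] ipsec proposal method2
[SecPathB-ipsec-proposal-method2] esp encryption-algorithm aes 128
[SecPathB-ipsec-proposal-method2] esp authentication-algorithm sha1
[SecPathB-ipsec-proposal-method2] quit
[SecPathB] ipsec profile btoa
[SecPathB-ipsec-profile-btoa] ike-peer btoa
[SecPathB-ipsec-profile-btoa] proposal method1
[SecPathB-ipsec-profile-btoa] quit
"""

# Defaults a proposal keeps when nothing is set, as stated on this page.
DEFAULTS = {"encryption": "des", "authentication": "md5"}
FLAGGED = {"des", "md5"}
SETTERS = {"esp encryption-algorithm": "encryption", "esp authentication-algorithm": "authentication"}
# "[host-view] command": the view suffix says which object a line configures.
PROMPT = re.compile(r"^\[([^\]\s-]+)(?:-([^\]]+))?\]\s*(.*)$")

def audit(transcript):
    """Return (profile, proposal, [flagged algorithms]) for each flagged reference."""
    proposals, references = {}, []
    for line in transcript.splitlines():
        m = PROMPT.match(line.replace("\u2013", "-"))  # tolerate PDF en-dashes
        if not m:
            continue
        view, cmd = m.group(2) or "", m.group(3).strip()
        if not view and cmd.startswith("ipsec proposal "):
            proposals.setdefault(cmd.split()[2], dict(DEFAULTS))
        elif view.startswith("ipsec-proposal-"):
            algs = proposals.setdefault(view[len("ipsec-proposal-"):], dict(DEFAULTS))
            for prefix, key in SETTERS.items():
                if cmd.startswith(prefix + " "):
                    algs[key] = cmd[len(prefix):].split()[0].lower()
        elif view.startswith("ipsec-profile-") and cmd.startswith("proposal "):
            references.append((view[len("ipsec-profile-"):], cmd.split()[1]))
    findings = []
    for profile, name in references:
        flagged = sorted(set(proposals.get(name, {}).values()) & FLAGGED)
        if flagged:
            findings.append((profile, name, flagged))
    return findings

if __name__ == "__main__":
    print(audit(TRANSCRIPT))
```
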
Verifying the configuration
After the configuration, IKE negotiation is triggered to set up SAs when GigabitEthernet 0/1 on
SecPath A completes the dial-up process. If IKE negotiation succeeds and SAs are set up, the IPsec
tunnel between SecPath A and SecPath B is up and protects packets traveling through it.
Using the display brief interface command on SecPath B, you will see the link status of the IPsec tunnel
interface is up.
[SecPathB] display brief interface tunnel 1
The brief information of interface(s) under route mode:
Interface            Link      Protocol-link  Protocol type    Main IP
Tun1                 UP        UP             TUNNEL           10.1.1.2
Using the display ike sa command on SecPath B, you will see that the SAs of two phases are established.
[SecPathB] display ike sa
total phase-1 SAs: 1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
     2             1.1.1.2         RD            2     IPSEC