Verifying the configuration – H3C Technologies H3C SecPath F1000-E User Manual

Page 217

205

[SecPathB-ike-peer-btoa] remote-name SecPatha

[SecPathB-ike-peer-btoa] quit

# Create an IPsec proposal named method1. This proposal uses the default settings: the security protocol
of ESP, the encryption algorithm of DES, and the authentication algorithm of MD5.

[SecPathB] ipsec proposal method1

[SecPathB-ipsec-proposal-method1] quit

# Create an IPsec profile named btoa.

[SecPathB] ipsec profile btoa

# Configure the IPsec profile to reference the IKE peer.

[SecPathB-ipsec-profile-btoa] ike-peer btoa

# Configure the IPsec profile to reference the IPsec proposal method1.

[SecPathB-ipsec-profile-btoa] proposal method1

[SecPathB-ipsec-profile-btoa] quit

# Create tunnel interface Tunnel 1. This interface will be used to protect the data flows between SecPath
B and SecPath A. As the public IP address of the remote peer is not known, you do not need to configure

the destination address on the tunnel interface.

[SecPathB] interface tunnel 1

# Assign IPv4 address 10.1.1.2/24 to tunnel interface Tunnel 1.

[SecPathB–Tunnel1] ip address 10.1.1.2 24

# Set the tunnel mode of tunnel interface Tunnel 1 to IPsec over IPv4.

[SecPathB–Tunnel1] tunnel-protocol ipsec ipv4

# Set the source interface of the tunnel to GigabitEthernet 0/1 on Tunnel 1.

[SecPathB–Tunnel1] source GigabitEthernet 0/1

# Apply IPsec profile btoa to tunnel interface Tunnel 1.

[SecPathB–Tunnel1] ipsec profile btoa

[SecPathB–Tunnel1] quit

# Configure a static route to SecPath A.

[SecPathB] ip route-static 172.17.17.0 255.255.255.0 tunnel 1

Verifying the configuration

After the configuration, IKE negotiation will be triggered to set up SAs when GigabitEthernet 0/1 on

SecPath A complements the dial-up process. If IKE negotiation is successful and SAs are set up, the IPsec

tunnel between SecPath A and SecPath B is up, and provides protection for packets traveling through it.
Using the display brief interface command on SecPath B, you will see the link status of the IPsec tunnel

interface is up.

[SecPathB] display brief interface tunnel 1

The brief information of interface(s) under route mode:

Interface Link Protocol-link Protocol type Main IP

Tun1 UP UP TUNNEL 10.1.1.2

Using the display ike sa command on SecPath B, you will see that the SAs of two phases are established.

[SecPathB] display ike sa

total phase-1 SAs: 1

connection-id peer flag phase doi

----------------------------------------------------------

2 1.1.1.2 RD 2 IPSEC

This manual is related to the following products:

H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS