Configuring secpath b – H3C Technologies H3C SecPath F1000-E User Manual
[SecPathA-ike-peer-branch] pre-shared-key abcde
[SecPathA-ike-peer-branch] local-address 192.168.0.1
[SecPathA-ike-peer-branch] remote-address 192.168.0.2
[SecPathA-ike-peer-branch] quit
# Create an IPsec policy that uses IKE, naming it map1 and setting its sequence number to 10.
[SecPathA] ipsec policy map1 10 isakmp
# Reference IPsec proposal tran1.
[SecPathA-ipsec-policy-isakmp-map1-10] proposal tran1
# Reference ACL 3101.
[SecPathA-ipsec-policy-isakmp-map1-10] security acl 3101
# Reference IKE peer branch.
[SecPathA-ipsec-policy-isakmp-map1-10] ike-peer branch
[SecPathA-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy group map1 to interface GigabitEthernet 0/2.
[SecPathA] interface GigabitEthernet 0/2
[SecPathA-GigabitEthernet0/2] ipsec policy map1
[SecPathA-GigabitEthernet0/2] quit
# Enable IPsec stateful failover.
[SecPathA] ipsec synchronization enable
Configuring SecPath B
Assign IPv4 addresses to the interfaces. Make sure that SecPath A, SecPath B, and Router have IP
connectivity between them.
1. Configure stateful failover:
Log in to the Web interface of SecPath B and configure stateful failover. The required configuration
is the same as the configuration on SecPath A, except that you must leave the Main Device for
Configuration Synchronization and Auto Synchronization options cleared on the Stateful Failover
Configuration page. See
2. Configure VRRP:
# Create VRRP group 1 and assign a virtual IP address to the group.
[SecPathB] interface GigabitEthernet 0/1
[SecPathB-GigabitEthernet0/1] vrrp vrid 1 virtual-ip 10.1.1.1
# Set the priority of SecPath B in VRRP group 1 to 110.
[SecPathB-GigabitEthernet0/1] vrrp vrid 1 priority 110
# Configure SecPath B to work in preemption mode in VRRP group 1 and set the preemption delay
to 0 seconds. The default setting is the same. This step is optional.
[SecPathB-GigabitEthernet0/1] vrrp vrid 1 preempt-mode timer delay 0
[SecPathB-GigabitEthernet0/1] quit
# Create VRRP group 2 and assign a virtual IP address to the group.
[SecPathB] interface GigabitEthernet 0/2
[SecPathB-GigabitEthernet0/2] vrrp vrid 2 virtual-ip 192.168.0.1
# Set the priority of SecPath B in VRRP group 2 to 110.
[SecPathB-GigabitEthernet0/2] vrrp vrid 2 priority 110
# Configure SecPath B to work in preemption mode in VRRP group 2 and set the preemption delay
to 0 seconds. The default setting is the same. This step is optional.
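The transcripts on this page link objects by name and address: the interface applies policy map1, the policy references proposal tran1, ACL 3101 and IKE peer branch, and the peer's local-address 192.168.0.1 is the same address as the VRRP group 2 virtual IP. The Python check below is an added example, not H3C code, that verifies those links in a saved transcript. The names `parse`, `arg`, `audit` and `SAMPLE`, the 16-character key threshold, and the plain `pre-shared-key <key>` form are assumptions of this example.

```python
import re

# Comware-style prompt as printed on this page: [Host-view] command
PROMPT = re.compile(r"^\[[^\]-]+(?:-([^\]]+))?\]\s+(.+)$")
MIN_PSK_LEN = 16  # assumption: a local policy threshold, not an H3C requirement

def parse(transcript):
    """Group commands by view; '# ...' comment lines and 'quit' are skipped."""
    views = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if m and m[2] != "quit":
            views.setdefault(m[1] or "system", []).append(m[2])
    return views

def arg(cmds, prefix):  # first word after a command prefix in a view, else None
    return next((c[len(prefix):].split()[0] for c in cmds if c.startswith(prefix + " ")), None)

def audit(transcript):
    views, out = parse(transcript), []
    if "ipsec synchronization enable" not in views.get("system", []):
        out.append("ipsec synchronization is not enabled")
    for ifname, cmds in views.items():
        policy = arg(cmds, "ipsec policy")
        if ifname == "system" or policy is None:
            continue
        vips = {c.split()[-1] for c in cmds if " virtual-ip " in c}
        for pv in (v for v in views if v.startswith(f"ipsec-policy-isakmp-{policy}-")):
            for ref in ("proposal", "security acl", "ike-peer"):
                if arg(views[pv], ref) is None:
                    out.append(f"{pv}: missing {ref}")
            peer = views.get(f"ike-peer-{arg(views[pv], 'ike-peer')}", [])
            local, psk = arg(peer, "local-address"), arg(peer, "pre-shared-key")
            if local not in vips:
                out.append(f"{pv}: local-address {local} is not a VRRP virtual IP on {ifname}")
            if psk is None or len(psk) < MIN_PSK_LEN:
                out.append(f"{pv}: pre-shared key missing or shorter than {MIN_PSK_LEN}")
    return out
# Constructed sample, built from command forms shown on this page.
SAMPLE = """\
[SecPathA-GigabitEthernet0/2] vrrp vrid 2 virtual-ip 192.168.0.1
[SecPathA-ike-peer-branch] pre-shared-key abcde
[SecPathA-ike-peer-branch] local-address 192.168.0.1
[SecPathA-ipsec-policy-isakmp-map1-10] proposal tran1
[SecPathA-ipsec-policy-isakmp-map1-10] security acl 3101
[SecPathA-ipsec-policy-isakmp-map1-10] ike-peer branch
[SecPathA-GigabitEthernet0/2] ipsec policy map1
[SecPathA] ipsec synchronization enable
"""
```

Run on `SAMPLE`, `audit` reports only the five-character example key `abcde`; the same function flags a local-address that has drifted from the VRRP virtual IP or a missing `ipsec synchronization enable`.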