H3C Technologies H3C SecPath F1000-E User Manual
Item: Local IP Address
Description: Type the IP address of the local security gateway. By default, it is the primary IP address of the interface referencing the security policy. Configure this item only when you want to specify a special address for the local gateway.

IMPORTANT:
Normally, you do not need to specify the local IP address unless you want to specify a special address, such as the loopback interface address. For the local peer to act as the initiator, you need to configure the remote gateway name or IP address, so that the initiator can find the remote peer during the negotiation.

Item: Remote Gateway (IP Address or Hostname)
Description: Type the IP address or host name of the remote security gateway.
You can specify an IP address or a range of IP addresses for the remote gateway. If the local end is the initiator of IKE negotiation, it can have only one remote IP address, and that remote IP address must match the local IP address configured on its peer. If the local end is the responder of IKE negotiation, it can have more than one remote IP address, and one of its remote IP addresses must match the local IP address configured on its peer.
The host name of the remote gateway is the only identifier of the IPsec peer in the network. The host name can be resolved into an IP address by the DNS server. If a host name is used, the local end can serve as the initiator of IKE negotiation.

Item: Remote ID
Description: Type the name of the remote security gateway.
If the local ID type configured for the IKE negotiation initiator is Gateway Name, the initiator sends its gateway name (IKE Local Name) to the responder for identification. The responder then uses the locally configured remote gateway name (Remote ID) to authenticate the initiator. Therefore, make sure that the remote gateway name configured here is identical to the local gateway name (IKE Local Name) configured on its peer.

Item: Pre-Shared Key / PKI Domain
Description: Configure one of these two items according to the authentication method:
If the authentication method is pre-shared key, select Pre-Shared Key and then type the pre-shared key in the following text box.
If the authentication method is RSA signature, select PKI Domain and then select the PKI domain to which the certificate belongs in the following drop-down box.

Item: Enable DPD
Description: Select the IKE DPD to be applied to the IKE peer.

Item: Enable the NAT traversal function
Description: Enable the NAT traversal function for IPsec/IKE.
The NAT traversal function must be enabled if a NAT security gateway exists in an IPsec/IKE VPN tunnel.
In main mode, IKE does not support NAT traversal, and therefore this item is unavailable.

IMPORTANT:
To save IP addresses, ISPs often deploy NAT gateways on public networks so as to allocate private IP addresses to users. In this case, one end of an IPsec/IKE tunnel may have a public address while the other end may have a private address, and therefore NAT traversal must be configured at the private network side to set up the tunnel.
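The items above only work when both ends of the tunnel agree: the initiator's single remote IP must be the responder's local IP, the responder's remote IP range must cover the initiator's local IP, the Remote ID on the responder must equal the IKE Local Name on the initiator, both sides must use the same authentication method, and NAT traversal cannot be combined with main mode. The following added example (not H3C code, and not the device's configuration syntax) lints a constructed pair of peer definitions for exactly those mismatches before they are pushed to two gateways. The dictionary keys (local_ip, remote_ips, local_id_type, local_name, remote_id, auth, psk, pki_domain, ike_mode, nat_traversal, behind_nat) and the sample addresses are assumptions chosen for illustration.

```python
from ipaddress import ip_address, ip_network


def addr_in_scope(addr, scope):
    """True if addr equals scope, lies in the CIDR block scope, or lies in the
    'lo-hi' range scope. Scope forms are an assumption of this example."""
    a = ip_address(addr)
    if "/" in scope:
        return a in ip_network(scope, strict=False)
    if "-" in scope:
        lo, hi = (ip_address(p.strip()) for p in scope.split("-"))
        return lo <= a <= hi
    return a == ip_address(scope)


def check_peer_pair(initiator, responder):
    """Return a list of problems that would stop this initiator/responder pair
    from completing IKE negotiation; an empty list means the pair is consistent."""
    problems = []

    # Initiator: exactly one remote IP, and it must be the responder's local IP.
    if len(initiator["remote_ips"]) != 1:
        problems.append("initiator: must configure exactly one remote IP address")
    elif not addr_in_scope(responder["local_ip"], initiator["remote_ips"][0]):
        problems.append("initiator: remote IP does not match responder's local IP")

    # Responder: one of its remote addresses/ranges must cover the initiator's local IP.
    if not any(addr_in_scope(initiator["local_ip"], s) for s in responder["remote_ips"]):
        problems.append("responder: no remote IP address or range covers initiator's local IP")

    # Gateway-name identification: responder's Remote ID == initiator's IKE Local Name.
    if initiator.get("local_id_type") == "name" and \
            responder.get("remote_id") != initiator.get("local_name"):
        problems.append("responder: Remote ID must equal initiator's IKE Local Name")

    # Authentication: same method on both sides; PSKs must be identical, RSA needs a PKI domain.
    if initiator["auth"] != responder["auth"]:
        problems.append("authentication methods differ")
    elif initiator["auth"] == "psk" and initiator.get("psk") != responder.get("psk"):
        problems.append("pre-shared keys differ")
    elif initiator["auth"] == "rsa":
        for role, peer in (("initiator", initiator), ("responder", responder)):
            if not peer.get("pki_domain"):
                problems.append(f"{role}: RSA signature authentication needs a PKI domain")

    # NAT traversal: unavailable in main mode; required on a side that sits behind NAT.
    for role, peer in (("initiator", initiator), ("responder", responder)):
        if peer["ike_mode"] == "main" and peer.get("nat_traversal"):
            problems.append(f"{role}: NAT traversal is not available in main mode")
        if peer.get("behind_nat") and not peer.get("nat_traversal"):
            problems.append(f"{role}: behind NAT but NAT traversal is not enabled")

    return problems


# Constructed sample: a branch gateway (initiator, private address behind NAT)
# talking to a headquarters gateway (responder, public address).
HQ = {
    "local_ip": "203.0.113.1",
    "remote_ips": ["198.51.100.0/24"],   # responder may accept a range
    "remote_id": "branch-gw",
    "auth": "psk", "psk": "constructed-example-key",
    "ike_mode": "aggressive", "nat_traversal": True, "behind_nat": False,
}
BRANCH = {
    "local_ip": "198.51.100.7",
    "remote_ips": ["203.0.113.1"],       # initiator: exactly one remote IP
    "local_id_type": "name", "local_name": "branch-gw",
    "auth": "psk", "psk": "constructed-example-key",
    "ike_mode": "aggressive", "nat_traversal": True, "behind_nat": True,
}


def example_results():
    """Run the checker on a consistent pair and on a deliberately broken copy."""
    good = check_peer_pair(BRANCH, HQ)
    bad_branch = dict(BRANCH, local_name="branch-gw-old")   # name no longer matches Remote ID
    bad_hq = dict(HQ, ike_mode="main")                      # main mode plus NAT traversal
    bad = check_peer_pair(bad_branch, bad_hq)
    return good, bad


if __name__ == "__main__":
    good, bad = example_results()
    print("consistent pair:", good or "no problems")
    print("broken pair:", *bad, sep="\n  ")
```

The checker deliberately tests the initiator and responder asymmetrically, because the manual's rules are asymmetric: only the responder may list a range, and only the responder's Remote ID is compared against the other side's IKE Local Name.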


Return to IKE configuration task list.