Configuring IPsec tunnels, Configuring existing IPsec tunnels – H3C Technologies H3C Intelligent Management Center User Manual
Configuring IPsec tunnels
You can configure an IPsec tunnel when you add it, or modify an existing IPsec tunnel. The two
configuration methods have different configurable parameters.
When you add an IPsec tunnel, you can let the tunnel inherit the basic settings and security proposals of
the VPN domain, or you can modify the basic settings for the tunnel. After you add the tunnel, you cannot
modify the basic settings for the tunnel.
When you add an IPsec tunnel, four tab pages are available in the IPsec tunnel configuration page.
When you modify an existing IPsec tunnel, two more tab pages are available in the IPsec tunnel
configuration page: Hub Advanced Settings and Spoke Advanced Settings.
This section describes only the basic settings that you can modify when you add an IPsec tunnel. For other
tunnel settings, see "Configuring existing IPsec tunnels."
To configure an IPsec tunnel:
1. Click the Device Parameters icon for a tunnel to enter the IPsec tunnel configuration page,
   which includes four tab pages:
   - Basic Information
   - Device Parameters
   - Security Proposals
   - Spoke Additional Settings
   The Basic Information tab provides the following basic settings:
   - IKE Negotiation Mode—Select Main or Aggressive mode for phase-1 IKE negotiation.
   - NAT Traversal—Select YES or NO. Only aggressive mode supports NAT traversal.
   - IKE Authentication—Select the authentication method, Pre-Shared Key or CA Authentication,
     used to authenticate the IKE peer. This setting is inherited from the VPN domain and can be
     modified.
   - ID Type—Select an ID type, Name or IP, for the IKE peer. If the IKE negotiation mode is Main, you
     must select IP.
   - Encapsulation Mode—Select Tunnel or Transport. If NAT traversal is enabled, you must select
     Tunnel.
   - Use Policy Template—Select YES or NO. If you select YES, the hub device only responds to
     negotiation requests from the peer, without initiating IKE negotiation. Use the policy template
     feature when the IP addresses of spoke devices are unknown.
2. Click OK to apply the settings.
3. Click Back and configure other tunnels in the same way.
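The dependency rules stated for the Basic Information tab (Main mode requires ID type IP, NAT traversal requires Aggressive mode and Tunnel encapsulation) can be checked against a planned set of tunnels before the values are entered in IMC. The following Python check is an added example, not part of the H3C manual or of IMC; the field names, tunnel names, and sample plan are assumptions constructed for illustration.

```python
# Added example, not from the H3C manual. Field names are assumed for
# illustration; they are not IMC API or export names.
ALLOWED = {
    "ike_mode": {"Main", "Aggressive"},
    "nat_traversal": {"YES", "NO"},
    "ike_auth": {"Pre-Shared Key", "CA Authentication"},
    "id_type": {"Name", "IP"},
    "encapsulation": {"Tunnel", "Transport"},
    "use_policy_template": {"YES", "NO"},
}

def check_tunnel(settings):
    """Return the rule violations for one planned tunnel (empty list = consistent)."""
    problems = [
        f"{field}: {settings.get(field)!r} is not one of {sorted(allowed)}"
        for field, allowed in ALLOWED.items()
        if settings.get(field) not in allowed
    ]
    if problems:
        return problems  # dependency rules only make sense on valid values
    if settings["ike_mode"] == "Main" and settings["id_type"] != "IP":
        problems.append("ID Type must be IP when IKE Negotiation Mode is Main")
    if settings["nat_traversal"] == "YES":
        if settings["ike_mode"] != "Aggressive":
            problems.append("NAT Traversal requires Aggressive mode")
        if settings["encapsulation"] != "Tunnel":
            problems.append("Encapsulation Mode must be Tunnel with NAT Traversal")
    return problems

def check_plan(plan):
    """Map tunnel name -> violations, keeping only tunnels that have any."""
    results = {name: check_tunnel(s) for name, s in plan.items()}
    return {name: p for name, p in results.items() if p}

# Constructed sample plan (tunnel names and values are made up).
BASE = {"ike_mode": "Main", "nat_traversal": "NO", "ike_auth": "Pre-Shared Key",
        "id_type": "IP", "encapsulation": "Tunnel", "use_policy_template": "NO"}
PLAN = {
    "hub-spoke1": BASE,
    "hub-spoke2": {**BASE, "nat_traversal": "YES", "id_type": "Name",
                   "encapsulation": "Transport"},
    "hub-spoke3": {**BASE, "ike_mode": "Aggressive", "nat_traversal": "YES",
                   "id_type": "Name", "use_policy_template": "YES"},
}

if __name__ == "__main__":
    for name, problems in check_plan(PLAN).items():
        for problem in problems:
            print(f"{name}: {problem}")
```

Because the basic settings cannot be modified after the tunnel is added, running such a check on the plan first avoids having to delete and re-add a tunnel.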
Configuring existing IPsec tunnels
To configure an existing IPsec tunnel:
1. Click the Service tab.
2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > VPN Domains.
3. Click a VPN domain name to enter the VPN domain page.
4. Click the Device Parameters icon for an existing IPsec tunnel.
5. Configure the existing IPsec tunnel in the following tab pages: