H3C Technologies H3C SecPath F1000-E User Manual, page 175

Example for Configuring IKE Aggressive Mode and NAT Traversal
Network requirements
As shown in Figure 12, the branch office is connected to the headquarters through a leased line.
The GigabitEthernet 0/1 interface of Device A has a fixed public IP address and Device B obtains
an IP address dynamically.
Because Serial 2/0 of Device B uses a private IP address and GigabitEthernet 0/1 of Device
A uses a public one, you must enable NAT traversal on Device B.
For higher security, IKE is used to create an IPsec tunnel.
NOTE:
For the purpose of highlighting the configurations of IKE aggressive mode and NAT traversal, Device B
in this example is connected through the serial interface. Refer to this example if you access the
Internet using the dial-up or broadband service.
Figure 12 Network diagram for configuring IKE aggressive mode and NAT traversal
Configuration procedure
1. Configure Device A
# Specify a name for the local security gateway.
<DeviceA> system-view
[DeviceA] ike local-name devicea
# Configure an ACL.
[DeviceA] acl number 3101 match-order auto
[DeviceA-acl-adv-3101] rule permit ip source any destination any
[DeviceA-acl-adv-3101] quit
# Configure an IP address pool.
[DeviceA] ip pool 1 10.0.0.2 10.0.0.10
# Configure an IKE peer.
[DeviceA] ike peer peer
[DeviceA-ike-peer-peer] exchange-mode aggressive
[DeviceA-ike-peer-peer] pre-shared-key abc
[DeviceA-ike-peer-peer] id-type name
[DeviceA-ike-peer-peer] remote-name deviceb
[DeviceA-ike-peer-peer] nat traversal
[DeviceA-ike-peer-peer] quit
# Create an IPsec proposal named prop.
[DeviceA] ipsec proposal prop
[DeviceA-ipsec-proposal-prop] encapsulation-mode tunnel
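
Added example, not part of the H3C manual: a Python check that reads the Device A IKE peer commands shown above and flags the two settings a reviewer would question. These are aggressive mode combined with a pre-shared key (aggressive mode exchanges the identities and a key-derived hash without encryption, so the key's strength carries the whole authentication) and a short key such as abc. The 20-character minimum, the function names and the finding names are assumptions of this example.

```python
import re

# Constructed sample: the Device A session lines from this page.
SAMPLE = """\
<DeviceA> system-view
[DeviceA] ike local-name devicea
[DeviceA] ike peer peer
[DeviceA-ike-peer-peer] exchange-mode aggressive
[DeviceA-ike-peer-peer] pre-shared-key abc
[DeviceA-ike-peer-peer] id-type name
[DeviceA-ike-peer-peer] remote-name deviceb
[DeviceA-ike-peer-peer] nat traversal
[DeviceA-ike-peer-peer] quit
"""

MIN_PSK_LEN = 20  # assumption: local policy value, not an H3C requirement
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")  # <DeviceA> or [DeviceA-...]


def parse_ike_peers(text):
    """Return {peer_name: [commands entered in that peer's view]}."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line or line.startswith("#"):
            continue  # blank line or manual comment
        opened = re.fullmatch(r"ike peer (\S+)", line)
        if opened:
            current = opened.group(1)
            peers.setdefault(current, [])
        elif line == "quit":
            current = None
        elif current is not None:
            peers[current].append(line)
    return peers


def audit(text):
    """Return sorted (peer, finding) tuples for risky IKE peer settings."""
    findings = []
    for name, cmds in parse_ike_peers(text).items():
        # Plain form shown on this page: "pre-shared-key <key>".
        psk = next((c.split()[-1] for c in cmds if c.startswith("pre-shared-key ")), None)
        if psk is not None and "exchange-mode aggressive" in cmds:
            findings.append((name, "aggressive-mode-with-psk"))
        if psk is not None and len(psk) < MIN_PSK_LEN:
            findings.append((name, "short-psk"))
    return sorted(findings)


if __name__ == "__main__":
    for peer, finding in audit(SAMPLE):
        print(f"ike peer {peer}: {finding}")
```

The parser relies on each view being closed with quit, as in the session above; a saved configuration in another layout would need its own view tracking.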