H3C Firewall and UTM Devices IPsec-NAT Configuration Examples (Comware V5)


H3C Firewall and UTM Devices IPsec-NAT Configuration Examples (Comware V5) Copyright 2015 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.

Contents

Introduction
Prerequisites
Example: Configuring IPsec and NAT combined application
  Network requirements
  Software version used
  Configuration procedures
    Configuring Firewall A
    Configuring Firewall B
  Verifying the configuration
  Configuration files
Related documentation

Introduction

This document provides a configuration example for the combined application of IPsec and NAT.

Prerequisites

This document is not restricted to specific software or hardware versions. The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of IPsec and NAT.

Example: Configuring IPsec and NAT combined application

Network requirements

As shown in Figure 1, the enterprise internal network LAN 1 accesses the Internet through Firewall A (an F1000-E firewall) and accesses the server in LAN 2 through an IPsec tunnel. Firewall A uses NAT to save public IP addresses. Firewall B (an F5000-A5 firewall) uses NAT to hide the internal server IP address.

Figure 1 Network diagram

The addresses used in the example are as follows. LAN 1 is 172.17.17.0/24 and is connected to GigabitEthernet 0/1 of Firewall A (172.17.17.17). The public interface of Firewall A is GigabitEthernet 0/3 (118.22.91.4), and LAN 1 hosts are translated to addresses from the NAT address pool 118.22.91.50 to 118.22.91.100. The public interface of Firewall B is GigabitEthernet 1/3 (106.31.67.7); the server in LAN 2 (192.168.168.164, behind GigabitEthernet 1/1, 192.168.168.104) is published for UDP as the NAT server address 106.31.67.20. The IPsec tunnel runs between 118.22.91.4 and 106.31.67.7 and protects traffic between 118.22.91.0/24 and 106.31.67.0/24.

On Firewall A, outbound NAT is applied before the IPsec policy on GigabitEthernet 0/3, so the IPsec ACL (3101) matches the translated public source addresses (118.22.91.0/24), while the NAT ACL (3100) matches the private LAN 1 addresses. On Firewall B, an inbound ESP packet is decapsulated before the NAT server mapping rewrites the destination from 106.31.67.20 to 192.168.168.164, so the IPsec ACL on Firewall B is also written in terms of public addresses.

Software version used

This configuration example was created and verified on SecPath F1000-E Release 3734P06 and SecPath F5000-A5 Feature 3213.

Configuration procedures

Configuring Firewall A

Configuring Firewall A in the Web interface

1. Configure an IP address for GigabitEthernet 0/1:
   a. From the navigation tree, select Device Management > Interface.
   b. Click the icon for interface GigabitEthernet 0/1 to enter the interface configuration page.
   c. Configure IP address 172.17.17.17 (mask 255.255.255.0) for the interface.
   d. Click Apply.

   Figure 2 Configuring interface GigabitEthernet 0/1

2. Configure an IP address for GigabitEthernet 0/3:
   a. From the navigation tree, select Device Management > Interface.
   b. Click the icon for interface GigabitEthernet 0/3 to enter the interface configuration page.
   c. Configure IP address 118.22.91.4 (mask 255.255.255.0) for the interface.
   d. Click Apply.

   Figure 3 Configuring interface GigabitEthernet 0/3

3. Configure a NAT address pool:
   a. From the navigation tree, select Firewall > NAT Policy > Dynamic NAT. The Address Pool & Dynamic NAT page appears.

   Figure 4 Address Pool & Dynamic NAT page

   b. In the Address Pool area, click Add. The Add NAT Address Pool page appears.
   c. Enter index 0, start IP address 118.22.91.50, and end IP address 118.22.91.100.
   d. Click Apply.

   Figure 5 Adding a NAT address pool

4. Configure ACL 3100 to match packets to be NATed:
   a. From the navigation tree, select Firewall > ACL. The ACL list is displayed.

   Figure 6 ACL list

   b. Click Add to create ACL 3100 (an advanced ACL), as shown in Figure 7.
   c. Click Apply. ACL 3100 is displayed in the ACL list.

   Figure 7 Adding an ACL

   Figure 8 ACL 3100 in the ACL list

   d. Click the edit icon for ACL 3100. The Advanced ACL 3100 page appears.

   Figure 9 Advanced ACL 3100 page

   e. Click Add to add a rule for ACL 3100: permit IP traffic from source 172.17.17.0/24 to destination 106.31.67.0/24 (the same rule as in the CLI procedure).

   Figure 10 Adding a rule for ACL 3100

   f. Click Apply. The Advanced ACL 3100 page appears again, displaying the rule you just added.

   Figure 11 Rule added for ACL 3100

5. Configure ACL 3101 to match packets to be IPsec protected:
   a. From the navigation tree, select Firewall > ACL. The ACL list is displayed.

   Figure 12 ACL list

   b. Click Add to create ACL 3101 (an advanced ACL), as shown in Figure 13.
   c. Click Apply. ACL 3101 is displayed in the ACL list.

   Figure 13 Adding an ACL

   Figure 14 ACL 3101 in the ACL list

   d. Click the edit icon for ACL 3101. The Advanced ACL 3101 page appears.

   Figure 15 Advanced ACL 3101 page

   e. Click Add to add a rule for ACL 3101: permit IP traffic from source 118.22.91.0/24 (the NAT-translated addresses of LAN 1 hosts) to destination 106.31.67.0/24 (the same rule as in the CLI procedure).

   Figure 16 Adding a rule for ACL 3101

   f. Click Apply. The Advanced ACL 3101 page appears again, displaying the rule you just added.

   Figure 17 Rule added for ACL 3101

6. Configure an IKE proposal:
   a. From the navigation tree, select VPN > IKE > Proposal. The IKE proposal list page appears.

   Figure 18 IKE proposal list

   b. Click Add to configure IKE proposal 1 (authentication method pre-shared key, authentication algorithm MD5, encryption algorithm DES-CBC, DH group 1, as in the CLI procedure), as shown in Figure 19.
   c. Click Apply.

   Figure 19 Adding an IKE proposal

7. Configure an IKE peer:
   a. From the navigation tree, select VPN > IKE > Peer. The IKE peer list page appears.

   Figure 20 IKE peer list

   b. Click Add to configure IKE peer peer_nat with remote address 106.31.67.7 and the pre-shared key nat, as shown in Figure 21.
   c. Click Apply.

   Figure 21 Adding an IKE peer

8. Specify the IKE proposal for the IKE peer to reference. This configuration is supported only at the CLI. For the CLI configuration, see "Configuring Firewall A at the CLI."

9. Configure an IPsec proposal:
   a. From the navigation tree, select VPN > IPSec > Proposal. The IPsec proposal list page appears.

   Figure 22 IPsec proposal list

   b. Click Add. The IPSec Proposal Configuration Wizard appears.

   Figure 23 IPsec proposal configuration wizard

   c. Click Custom mode to configure IPsec proposal nat_prop (ESP in tunnel mode, authentication algorithm MD5, encryption algorithm DES, as in the CLI procedure), as shown in Figure 24.
   d. Click Apply.

   Figure 24 Adding an IPsec proposal

10. Configure an IPsec policy:
   a. From the navigation tree, select VPN > IPSec > Policy. The IPsec policy list page appears.

   Figure 25 IPsec policy list

   b. Click Add to configure IKE-based IPsec policy nat_po (sequence number 1), which references ACL 3101, IKE peer peer_nat, and IPsec proposal nat_prop, as shown in Figure 26.
   c. Click Apply.

   Figure 26 Adding an IPsec policy

11. Apply the IPsec policy to the interface GigabitEthernet 0/3:
   a. From the navigation tree, select VPN > IPSec > IPSec Application.
   b. Click the edit icon for interface GigabitEthernet 0/3.
   c. Select the IPsec policy nat_po.
   d. Click Apply.

   Figure 27 IPsec policy application

12. Configure dynamic NAT:
   a. From the navigation tree, select Firewall > NAT Policy > Dynamic NAT.

   Figure 28 Address Pool & Dynamic NAT page

   b. In the Dynamic NAT area, click Add to configure dynamic NAT on interface GigabitEthernet 0/3 with ACL 3100 and address pool 0, as shown in Figure 29.
   c. Click Apply.

   Figure 29 Adding dynamic NAT

Configuring Firewall A at the CLI

# Configure an IP address for interface GigabitEthernet 0/1.
<FirewallA> system-view
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ip address 172.17.17.17 255.255.255.0
[FirewallA-GigabitEthernet0/1] quit

# Configure an IP address for interface GigabitEthernet 0/3.
[FirewallA] interface gigabitethernet 0/3
[FirewallA-GigabitEthernet0/3] ip address 118.22.91.4 255.255.255.0
[FirewallA-GigabitEthernet0/3] quit

# Configure a NAT address pool.
[FirewallA] nat address-group 0 118.22.91.50 118.22.91.100 level 1

# Configure ACL 3100 to identify packets to be NATed (the private LAN 1 addresses).
[FirewallA] acl number 3100
[FirewallA-acl-adv-3100] rule 0 permit ip source 172.17.17.0 0.0.0.255 destination 106.31.67.0 0.0.0.255
[FirewallA-acl-adv-3100] quit

# Configure ACL 3101 to identify packets to be IPsec protected. The source is the NAT-translated address range, because NAT outbound is applied before the IPsec policy on GigabitEthernet 0/3.
[FirewallA] acl number 3101
[FirewallA-acl-adv-3101] rule 0 permit ip source 118.22.91.0 0.0.0.255 destination 106.31.67.0 0.0.0.255
[FirewallA-acl-adv-3101] quit

# Configure IKE proposal 1. DES-CBC, MD5, and DH group 1 are the weakest options offered and the pre-shared key nat is a lab value; both firewalls must use identical IKE and IPsec parameters, so change them on both sides together when you harden them.
[FirewallA] ike proposal 1
[FirewallA-ike-proposal-1] authentication-method pre-share
[FirewallA-ike-proposal-1] authentication-algorithm md5
[FirewallA-ike-proposal-1] encryption-algorithm des-cbc
[FirewallA-ike-proposal-1] dh group1
[FirewallA-ike-proposal-1] quit

# Create IKE peer peer_nat.
[FirewallA] ike peer peer_nat

# Set the pre-shared key for IKE negotiation to the plaintext string nat.
[FirewallA-ike-peer-peer_nat] pre-shared-key nat

# Specify the IP address of the remote IKE security gateway.
[FirewallA-ike-peer-peer_nat] remote-address 106.31.67.7

# Specify IKE proposal 1 for the IKE peer to reference.
[FirewallA-ike-peer-peer_nat] proposal 1
[FirewallA-ike-peer-peer_nat] quit

# Configure an IPsec transform set.
[FirewallA] ipsec transform-set nat_prop
[FirewallA-ipsec-transform-set-nat_prop] encapsulation-mode tunnel
[FirewallA-ipsec-transform-set-nat_prop] transform esp
[FirewallA-ipsec-transform-set-nat_prop] esp authentication-algorithm md5
[FirewallA-ipsec-transform-set-nat_prop] esp encryption-algorithm des
[FirewallA-ipsec-transform-set-nat_prop] quit

# Create an IKE-based IPsec policy with the name nat_po and sequence number 1.
[FirewallA] ipsec policy nat_po 1 isakmp

# Reference ACL 3101.
[FirewallA-ipsec-policy-isakmp-nat_po-1] security acl 3101

# Reference IKE peer peer_nat.
[FirewallA-ipsec-policy-isakmp-nat_po-1] ike-peer peer_nat

# Reference IPsec transform set nat_prop.
[FirewallA-ipsec-policy-isakmp-nat_po-1] transform-set nat_prop
[FirewallA-ipsec-policy-isakmp-nat_po-1] quit

# Apply the IPsec policy to the interface GigabitEthernet 0/3.
[FirewallA] interface gigabitethernet 0/3
[FirewallA-GigabitEthernet0/3] ipsec policy nat_po

# Apply the NAT address pool to the interface GigabitEthernet 0/3 for packets matching ACL 3100.
[FirewallA-GigabitEthernet0/3] nat outbound 3100 address-group 0
[FirewallA-GigabitEthernet0/3] quit

Configuring Firewall B

Configuring Firewall B in the Web interface

1. Configure an IP address for GigabitEthernet 1/1:
   a. From the navigation tree, select Device Management > Interface.
   b. Click the icon for interface GigabitEthernet 1/1 to enter the interface configuration page.
   c. Configure IP address 192.168.168.104 (mask 255.255.255.0) for the interface.
   d. Click Apply.

   Figure 30 Configuring interface GigabitEthernet 1/1

2. Configure an IP address for GigabitEthernet 1/3:
   a. From the navigation tree, select Device Management > Interface.
   b. Click the icon for interface GigabitEthernet 1/3 to enter the interface configuration page.
   c. Configure IP address 106.31.67.7 (mask 255.255.255.0) for the interface.
   d. Click Apply.

   Figure 31 Configuring interface GigabitEthernet 1/3

3. Configure ACL 3101 for IPsec:
   a. From the navigation tree, select Firewall > ACL. The ACL list is displayed.

   Figure 32 ACL list

   b. Click Add to create ACL 3101 (an advanced ACL), as shown in Figure 33.
   c. Click Apply. ACL 3101 is displayed in the ACL list.

   Figure 33 Adding an ACL

   Figure 34 ACL 3101 in the ACL list

   d. Click the edit icon for ACL 3101. The Advanced ACL 3101 page appears.

   Figure 35 Advanced ACL 3101

   e. Click Add to add a rule for ACL 3101: permit IP traffic from source 106.31.67.0/24 to destination 118.22.91.0/24 (the mirror of ACL 3101 on Firewall A), as shown in Figure 36.
   f. Click Apply. The Advanced ACL 3101 page appears again, displaying the rule you just added.

   Figure 36 Adding a rule for ACL 3101

   Figure 37 Rule added for ACL 3101

4. Configure an IKE proposal:
   a. From the navigation tree, select VPN > IKE > Proposal. The IKE proposal list page appears.

   Figure 38 IKE proposal list

   b. Click Add to configure IKE proposal 1 with the same parameters as on Firewall A (pre-shared key authentication, MD5, DES-CBC, DH group 1), as shown in Figure 39.
   c. Click Apply.

   Figure 39 Adding an IKE proposal

5. Configure an IKE peer:
   a. From the navigation tree, select VPN > IKE > Peer. The IKE peer list page appears.

   Figure 40 IKE peer list

   b. Click Add to configure IKE peer peer_nat with local address 106.31.67.7 and the pre-shared key nat, as shown in Figure 41.
   c. Click Apply.

   Figure 41 Adding an IKE peer

6. Specify the IKE proposal for the IKE peer to reference. This configuration is supported only at the CLI. For the CLI configuration, see "Configuring Firewall B at the CLI."

7. Configure an IPsec proposal:
   a. From the navigation tree, select VPN > IPSec > Proposal. The IPsec proposal list page appears.

   Figure 42 IPsec proposal list

   b. Click Add. The IPSec Proposal Configuration Wizard appears.

   Figure 43 IPsec proposal configuration wizard

   c. Click Custom mode to configure IPsec proposal nat_prop (ESP in tunnel mode, authentication algorithm MD5, encryption algorithm DES), as shown in Figure 44.
   d. Click Apply.

   Figure 44 Adding an IPsec proposal

8. Configure an IPsec policy:
   a. From the navigation tree, select VPN > IPSec > Policy. The IPsec policy list page appears.

   Figure 45 IPsec policy list

   b. Click Add to configure IKE-based IPsec policy nat_po (sequence number 1), which references ACL 3101, IKE peer peer_nat, and IPsec proposal nat_prop, as shown in Figure 46.
   c. Click Apply.

   Figure 46 Adding an IPsec policy

9. Apply the IPsec policy to interface GigabitEthernet 1/3:
   a. From the navigation tree, select VPN > IPSec > IPSec Application.
   b. Click the edit icon for interface GigabitEthernet 1/3.
   c. Select the IPsec policy nat_po.
   d. Click Apply.

   Figure 47 IPsec policy application

10. Configure the internal server:
   a. From the navigation tree, select Firewall > NAT Policy > Internal Server.

   Figure 48 Internal Server & DNS-MAP page

   b. In the Internal Server area, click Add to configure the internal server on GigabitEthernet 1/3 (protocol UDP, global address 106.31.67.20, inside address 192.168.168.164, as in the CLI procedure), as shown in Figure 49.
   c. Click Apply.

   Figure 49 Adding an internal server

Configuring Firewall B at the CLI

# Configure an IP address for interface GigabitEthernet 1/1.
<FirewallB> system-view
[FirewallB] interface gigabitethernet 1/1
[FirewallB-GigabitEthernet1/1] ip address 192.168.168.104 255.255.255.0
[FirewallB-GigabitEthernet1/1] quit

# Configure an IP address for interface GigabitEthernet 1/3.
[FirewallB] interface gigabitethernet 1/3
[FirewallB-GigabitEthernet1/3] ip address 106.31.67.7 255.255.255.0
[FirewallB-GigabitEthernet1/3] quit

# Enable the system-defined interzone policy to match packets that do not match any other interzone policy.
[FirewallB] interzone policy default by-priority

# Configure ACL 3101 for IPsec (the mirror of ACL 3101 on Firewall A).

[FirewallB] acl number 3101
[FirewallB-acl-adv-3101] rule 0 permit ip source 106.31.67.0 0.0.0.255 destination 118.22.91.0 0.0.0.255
[FirewallB-acl-adv-3101] quit

# Configure IKE proposal 1. The parameters must match those of IKE proposal 1 on Firewall A.
[FirewallB] ike proposal 1
[FirewallB-ike-proposal-1] authentication-method pre-share
[FirewallB-ike-proposal-1] authentication-algorithm md5
[FirewallB-ike-proposal-1] encryption-algorithm des-cbc
[FirewallB-ike-proposal-1] dh group1
[FirewallB-ike-proposal-1] quit

# Create IKE peer peer_nat.
[FirewallB] ike peer peer_nat

# Set the pre-shared key for IKE negotiation to the plaintext string nat (the same key as on Firewall A).
[FirewallB-ike-peer-peer_nat] pre-shared-key nat

# Specify the IP address of the local IKE security gateway.
[FirewallB-ike-peer-peer_nat] local-address 106.31.67.7

# Specify IKE proposal 1 for the IKE peer to reference.
[FirewallB-ike-peer-peer_nat] proposal 1
[FirewallB-ike-peer-peer_nat] quit

# Configure an IPsec transform set.
[FirewallB] ipsec transform-set nat_prop
[FirewallB-ipsec-transform-set-nat_prop] encapsulation-mode tunnel
[FirewallB-ipsec-transform-set-nat_prop] transform esp
[FirewallB-ipsec-transform-set-nat_prop] esp authentication-algorithm md5
[FirewallB-ipsec-transform-set-nat_prop] esp encryption-algorithm des
[FirewallB-ipsec-transform-set-nat_prop] quit

# Create an IKE-based IPsec policy with the name nat_po and sequence number 1.
[FirewallB] ipsec policy nat_po 1 isakmp

# Reference ACL 3101.
[FirewallB-ipsec-policy-isakmp-nat_po-1] security acl 3101

# Reference IKE peer peer_nat.
[FirewallB-ipsec-policy-isakmp-nat_po-1] ike-peer peer_nat

# Reference IPsec transform set nat_prop.
[FirewallB-ipsec-policy-isakmp-nat_po-1] transform-set nat_prop
[FirewallB-ipsec-policy-isakmp-nat_po-1] quit

# Apply the IPsec policy to the interface GigabitEthernet 1/3.
[FirewallB] interface gigabitethernet 1/3
[FirewallB-GigabitEthernet1/3] ipsec policy nat_po

# Configure the internal server on interface GigabitEthernet 1/3: UDP packets to global address 106.31.67.20 (any port) are mapped to inside address 192.168.168.164.
[FirewallB-GigabitEthernet1/3] nat server protocol udp global 106.31.67.20 any inside 192.168.168.164 any
[FirewallB-GigabitEthernet1/3] quit
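The two CLI procedures above only work because of the order in which each firewall applies NAT and IPsec: on Firewall A, nat outbound rewrites the source before the IPsec policy on the same interface evaluates ACL 3101 (which is why ACL 3101 matches 118.22.91.0/24 rather than 172.17.17.0/24), and on Firewall B the ESP packet is decapsulated before the nat server mapping rewrites the destination. The following added example (not code from the H3C document) models that processing order in Python with the ACLs, address pool, and NAT server mapping from the configuration, and contrasts it with the naive selector an engineer might write first, ACL 3101 on the private LAN 1 range. The pool address selection (always the first pool address) is a constructed simplification.

```python
"""Model of the NAT-then-IPsec order on Firewall A and the IPsec-then-NAT-server
order on Firewall B, using the addresses and ACLs of the configuration example."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (source network, destination network) of a "permit ip" rule


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "udp"
    # Outer (tunnel) source and destination once the packet is ESP-encapsulated.
    tunnel: Optional[Tuple[str, str]] = None


def in_net(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def acl_permits(rules: List[Rule], pkt: Packet) -> bool:
    return any(in_net(pkt.src, s) and in_net(pkt.dst, d) for s, d in rules)


# Firewall A: nat outbound 3100 address-group 0, ipsec policy nat_po with ACL 3101.
ACL_3100_NAT: List[Rule] = [("172.17.17.0/24", "106.31.67.0/24")]
ACL_3101_A: List[Rule] = [("118.22.91.0/24", "106.31.67.0/24")]
NAT_POOL_0 = ("118.22.91.50", "118.22.91.100")
TUNNEL_A_TO_B = ("118.22.91.4", "106.31.67.7")
# Firewall B: ipsec policy nat_po with ACL 3101, nat server global -> inside.
ACL_3101_B: List[Rule] = [("106.31.67.0/24", "118.22.91.0/24")]
NAT_SERVER_B = {"106.31.67.20": "192.168.168.164"}
# The naive selector: the private LAN 1 range (constructed for the comparison).
ACL_3101_PRIVATE: List[Rule] = [("172.17.17.0/24", "106.31.67.0/24")]


def pick_pool_address(pool: Tuple[str, str]) -> str:
    # Constructed simplification: the firewall uses any free pool address;
    # the model always returns the first one so results are deterministic.
    return pool[0]


def firewall_a_egress(pkt: Packet, ipsec_acl: List[Rule] = ACL_3101_A) -> Packet:
    """GigabitEthernet0/3 outbound: nat outbound runs first, then the IPsec policy
    evaluates its ACL against the already translated packet."""
    if acl_permits(ACL_3100_NAT, pkt):
        pkt = replace(pkt, src=pick_pool_address(NAT_POOL_0))
    if acl_permits(ipsec_acl, pkt):
        pkt = replace(pkt, tunnel=TUNNEL_A_TO_B)
    return pkt


def firewall_b_ingress(pkt: Packet) -> Packet:
    """GigabitEthernet1/3 inbound: ESP decapsulation (inner packet checked against the
    mirror of ACL 3101) happens before nat server rewrites the destination."""
    if pkt.tunnel is not None:
        if pkt.tunnel[1] != "106.31.67.7":
            raise ValueError("ESP packet not addressed to Firewall B")
        inner = replace(pkt, tunnel=None)
        if not any(in_net(inner.dst, s) and in_net(inner.src, d) for s, d in ACL_3101_B):
            raise ValueError("decapsulated packet outside the negotiated traffic selector")
        pkt = inner
    inside = NAT_SERVER_B.get(pkt.dst)
    return replace(pkt, dst=inside) if inside else pkt


def trace(src_host: str = "172.17.17.16", server_global: str = "106.31.67.20",
          ipsec_acl: List[Rule] = ACL_3101_A) -> Tuple[Packet, Packet, bool]:
    """Return (packet on the wire after A, packet reaching the server, IPsec-protected?)."""
    on_wire = firewall_a_egress(Packet(src=src_host, dst=server_global), ipsec_acl)
    at_server = firewall_b_ingress(on_wire)
    return on_wire, at_server, on_wire.tunnel is not None


if __name__ == "__main__":
    for label, acl in (("ACL 3101 as configured", ACL_3101_A),
                       ("ACL 3101 on the private range", ACL_3101_PRIVATE)):
        wire, srv, protected = trace(ipsec_acl=acl)
        print(f"{label}: on wire {wire.src}->{wire.dst} tunnel={wire.tunnel} "
              f"protected={protected}; server sees {srv.src}->{srv.dst}")
```

With the configured ACL the packet leaves Firewall A as 118.22.91.50 to 106.31.67.20 inside an ESP tunnel from 118.22.91.4 to 106.31.67.7, and reaches the server as 118.22.91.50 to 192.168.168.164. With the private-range selector the packet is still translated but never matches the IPsec policy, so it crosses the Internet in clear text and still reaches the NAT server mapping on Firewall B.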

Verifying the configuration

# Enable NAT packet debugging on Firewall A and Firewall B. This example shows the commands on Firewall A.
<FirewallA> debugging nat packet
<FirewallA> terminal debugging
<FirewallA> terminal monitor
<FirewallA> system-view
[FirewallA] info-center enable

# Access the server in LAN 2 (global address 106.31.67.20) from a host in LAN 1. NAT packet debugging information is generated on both firewalls: Firewall A translates the source address of the outbound packet to an address from the NAT address pool, and Firewall B translates the destination address of the decapsulated packet from the NAT server address to the internal server address.
<FirewallA>
*Feb 29 14:35:18:960 2013 FirewallA NAT/7/debug: (GigabitEthernet0/3-out:)Pro : UDP ( 172.17.17.16: 1024-106.31.67.20: 1024) ------> ( 118.22.91.66: 1025-106.31.67.20: 1024)
<FirewallB>
*Feb 29 14:38:54:729 2013 FirewallB NAT/7/debug: (GigabitEthernet1/3-in:)Pro : UDP is to NAT server ( 118.22.91.66: 1026-106.31.67.20: 1024) ------> ( 118.22.91.66: 1026-192.168.168.164: 1024)

# Display the IKE SAs established on the firewalls. Each firewall shows a phase 1 SA and a phase 2 SA to its peer with the RD (READY) flag.
<FirewallA> display ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi     status
  -----------------------------------------------------------------------
    51             106.31.67.7     RD|ST       1       IPSEC   --
    52             106.31.67.7     RD|ST       2       IPSEC   --

    flag meaning
    RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

<FirewallB> display ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi     status
  -----------------------------------------------------------------------
    17             118.22.91.4     RD          1       IPSEC   --
    18             118.22.91.4     RD          2       IPSEC   --

    flag meaning
    RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

Configuration files

Firewall A:
nat address-group 0 118.22.91.50 118.22.91.100 level 1
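Reading the debugging and display output by eye is fine for one tunnel; for anything larger it helps to check it mechanically. The following added example (not code from the H3C document) parses the NAT/7/debug lines and the display ike sa output in the form shown above, embedded as constructed samples copied from this section, and verifies the three facts that confirm the design: Firewall A rewrites the outbound source into address-group 0 and leaves the destination alone, Firewall B maps the destination 106.31.67.20 to 192.168.168.164 and leaves the source alone, and both a phase 1 and a phase 2 SA to the expected peer are in the RD state.

```python
"""Checks on the verification output of the IPsec-NAT example: NAT packet
debugging lines and the display ike sa table."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed samples copied from the verification output shown above.
NAT_DEBUG_A = ("*Feb 29 14:35:18:960 2013 FirewallA NAT/7/debug: (GigabitEthernet0/3-out:)Pro : UDP "
               "( 172.17.17.16: 1024-106.31.67.20: 1024) ------> ( 118.22.91.66: 1025-106.31.67.20: 1024)")
NAT_DEBUG_B = ("*Feb 29 14:38:54:729 2013 FirewallB NAT/7/debug: (GigabitEthernet1/3-in:)Pro : UDP "
               "is to NAT server ( 118.22.91.66: 1026-106.31.67.20: 1024) ------> "
               "( 118.22.91.66: 1026-192.168.168.164: 1024)")
IKE_SA_A = """\
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi     status
  -----------------------------------------------------------------------
    51             106.31.67.7     RD|ST       1       IPSEC   --
    52             106.31.67.7     RD|ST       2       IPSEC   --
    flag meaning
    RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT"""

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)
_TUPLE = r"\(\s*([\d.]+):\s*(\d+)-([\d.]+):\s*(\d+)\)"
_NAT_RE = re.compile(r"\((\S+?)-(in|out):\)Pro : (\w+).*?" + _TUPLE + r"\s*-+>\s*" + _TUPLE)
_SA_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(.+?)\s+([12])\s+(\w+)")


def parse_nat_debug(line: str) -> Dict[str, object]:
    """Extract interface, direction, protocol and the before/after 4-tuples."""
    m = _NAT_RE.search(line)
    if not m:
        raise ValueError("not a NAT/7/debug packet line")
    iface, direction, proto, *f = m.groups()
    before: Flow = (f[0], int(f[1]), f[2], int(f[3]))
    after: Flow = (f[4], int(f[5]), f[6], int(f[7]))
    return {"interface": iface, "direction": direction, "proto": proto,
            "before": before, "after": after}


def in_pool(addr: str, start: str, end: str) -> bool:
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_address(start) <= a <= ipaddress.ip_address(end)


def check_outbound_nat(line: str, pool: Tuple[str, str] = ("118.22.91.50", "118.22.91.100")) -> bool:
    """Firewall A: outbound source rewritten into address-group 0, destination untouched."""
    t = parse_nat_debug(line)
    before, after = t["before"], t["after"]
    return t["direction"] == "out" and in_pool(after[0], *pool) and before[2:] == after[2:]


def check_nat_server(line: str, global_ip: str = "106.31.67.20",
                     inside_ip: str = "192.168.168.164") -> bool:
    """Firewall B: inbound destination mapped global -> inside, source untouched."""
    t = parse_nat_debug(line)
    before, after = t["before"], t["after"]
    return (t["direction"] == "in" and before[2] == global_ip and after[2] == inside_ip
            and before[:2] == after[:2])


def parse_ike_sa(text: str) -> List[Dict[str, object]]:
    """Parse the SA rows of display ike sa; header, rule and legend lines are skipped."""
    sas: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _SA_RE.match(line)
        if m:
            cid, peer, flags, phase, doi = m.groups()
            sas.append({"id": int(cid), "peer": peer,
                        "flags": set(re.split(r"[|\s]+", flags)),
                        "phase": int(phase), "doi": doi})
    return sas


def tunnel_ready(text: str, peer: str) -> bool:
    """True only when both a phase 1 and a phase 2 SA to `peer` carry the RD flag."""
    ready: Set[int] = {sa["phase"] for sa in parse_ike_sa(text)
                       if sa["peer"] == peer and "RD" in sa["flags"]}
    return ready == {1, 2}
```

The checks are deliberately strict about what must not change: a translation that also rewrote the destination on Firewall A, or the source on Firewall B, would indicate that a different NAT rule matched the packet than the one the design intends.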

acl number 3100
 rule 0 permit ip source 172.17.17.0 0.0.0.255 destination 106.31.67.0 0.0.0.255
acl number 3101
 rule 0 permit ip source 118.22.91.0 0.0.0.255 destination 106.31.67.0 0.0.0.255
ike proposal 1
 authentication-algorithm md5
ike peer peer_nat
 proposal 1
 pre-shared-key cipher $c$3$2kwok6fyspmm5vbgpjhuft4myh1ccq==
 remote-address 106.31.67.7
ipsec transform-set nat_prop
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm md5
 esp encryption-algorithm des
ipsec policy nat_po 1 isakmp
 security acl 3101
 ike-peer peer_nat
 transform-set nat_prop
interface GigabitEthernet0/1
 port link-mode route
 ip address 172.17.17.17 255.255.255.0
interface GigabitEthernet0/3
 port link-mode route
 nat outbound 3100 address-group 0
 ip address 118.22.91.4 255.255.255.0
 ipsec policy nat_po

The saved configuration shows only non-default settings. Under ike proposal 1 only authentication-algorithm md5 appears, because pre-shared key authentication, DES-CBC encryption, and DH group 1 are the Comware V5 defaults, and the pre-shared key nat is stored in cipher form.

Firewall B:
interzone policy default by-priority
acl number 3101
 rule 0 permit ip source 106.31.67.0 0.0.0.255 destination 118.22.91.0 0.0.0.255
ike proposal 1
 authentication-algorithm md5
ike peer peer_nat
 proposal 1
 pre-shared-key cipher $c$3$mtwnfgqkumgkblan1+s81xz579tlkg==
 local-address 106.31.67.7
ipsec transform-set nat_prop
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm md5
 esp encryption-algorithm des
ipsec policy nat_po 1 isakmp
 security acl 3101
 ike-peer peer_nat
 transform-set nat_prop
interface GigabitEthernet1/1
 port link-mode route
 ip address 192.168.168.104 255.255.255.0
interface GigabitEthernet1/3
 port link-mode route
 nat server protocol udp global 106.31.67.20 any inside 192.168.168.164 any
 ip address 106.31.67.7 255.255.255.0
 ipsec policy nat_po

Related documentation

H3C SecPath Series Firewalls and UTM Devices Access Control Configuration Guide
H3C SecPath Series Firewalls and UTM Devices Access Control Command Reference
H3C SecPath Series Firewalls and UTM Devices VPN Configuration Guide
H3C SecPath Series Firewalls and UTM Devices VPN Command Reference
H3C SecPath Series Firewalls and UTM Devices Network Management Configuration Guide
H3C SecPath Series Firewalls and UTM Devices Network Management Command Reference
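Because a saved Comware configuration omits default values, a reviewer who only greps for "des" or "group1" in the files above will miss two of the weak settings on each firewall. The following added example (not code from the H3C document) parses a configuration file in the form shown above, embedded as a constructed sample taken from the Firewall A configuration, fills in the Comware V5 IKE proposal defaults (DES-CBC, SHA-1, pre-shared key, DH group 1) for lines that are absent, and reports what a practitioner would want changed before the design leaves the lab: DES or 3DES, MD5, DH group 1 or 2, pre-shared keys stored in plaintext, and nat server mappings that expose every port of the inside host. The hardened replacement it is checked against is an assumption, not taken from the document: AES-256-CBC, SHA-1 and DH group 14 in the IKE proposal and AES-256 with SHA-1 in the transform set; confirm the algorithm keywords against the VPN Command Reference for your release, and apply identical values on both firewalls.

```python
"""Audit of a Comware V5 configuration file for weak IKE/IPsec settings and broad
NAT server mappings. A line absent from a saved configuration means the default applies."""
import re
from typing import List, Tuple

# Constructed sample: the Firewall A configuration file shown above.
FIREWALL_A_CFG = """\
nat address-group 0 118.22.91.50 118.22.91.100 level 1
acl number 3100
 rule 0 permit ip source 172.17.17.0 0.0.0.255 destination 106.31.67.0 0.0.0.255
acl number 3101
 rule 0 permit ip source 118.22.91.0 0.0.0.255 destination 106.31.67.0 0.0.0.255
ike proposal 1
 authentication-algorithm md5
ike peer peer_nat
 proposal 1
 pre-shared-key cipher $c$3$2kwok6fyspmm5vbgpjhuft4myh1ccq==
 remote-address 106.31.67.7
ipsec transform-set nat_prop
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm md5
 esp encryption-algorithm des
ipsec policy nat_po 1 isakmp
 security acl 3101
 ike-peer peer_nat
 transform-set nat_prop
interface GigabitEthernet0/3
 port link-mode route
 nat outbound 3100 address-group 0
 ip address 118.22.91.4 255.255.255.0
 ipsec policy nat_po
"""

# Assumed hardened replacement for the two crypto blocks (algorithm keywords assumed
# to be supported on the platform; verify against the VPN Command Reference).
HARDENED_CFG = """\
ike proposal 1
 encryption-algorithm aes-cbc 256
 authentication-algorithm sha
 dh group14
ipsec transform-set nat_prop
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm aes 256
"""

# Comware V5 ike proposal defaults, in force whenever the line is not in the config.
IKE_DEFAULTS = {"encryption-algorithm": "des-cbc", "authentication-algorithm": "sha",
                "authentication-method": "pre-share", "dh": "group1"}
WEAK_IKE = {"encryption-algorithm": {"des-cbc", "3des-cbc"},
            "authentication-algorithm": {"md5"},
            "dh": {"group1", "group2"}}
WEAK_ESP = {"esp encryption-algorithm": {"des", "3des"},
            "esp authentication-algorithm": {"md5"}}

Finding = Tuple[str, str, str]  # (config block, setting, reason)


def parse_blocks(cfg: str) -> List[Tuple[str, List[str]]]:
    """Split a Comware config into (view-entering line, [indented sub-commands]) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(cfg: str) -> List[Finding]:
    findings: List[Finding] = []
    for head, body in parse_blocks(cfg):
        if head.startswith("ike proposal "):
            effective = dict(IKE_DEFAULTS)   # start from defaults, overlay explicit lines
            explicit = set()
            for cmd in body:
                key, _, val = cmd.partition(" ")
                if key in effective:
                    effective[key] = val
                    explicit.add(key)
            for key, val in effective.items():
                if val in WEAK_IKE.get(key, set()):
                    reason = "explicit" if key in explicit else "default, not shown in config"
                    findings.append((head, f"{key} {val}", reason))
        elif head.startswith("ipsec transform-set "):
            for cmd in body:
                for key, weak in WEAK_ESP.items():
                    if cmd.startswith(key + " ") and cmd.split()[2] in weak:
                        findings.append((head, cmd, "explicit"))
        elif head.startswith("ike peer "):
            for cmd in body:
                if cmd.startswith("pre-shared-key ") and not cmd.startswith("pre-shared-key cipher "):
                    findings.append((head, "pre-shared-key", "stored in plaintext"))
        elif head.startswith("interface "):
            for cmd in body:
                if cmd.startswith("nat server ") and re.search(r"\bglobal \S+ any\b", cmd):
                    findings.append((head, cmd, "maps every port of the inside host"))
    return findings


if __name__ == "__main__":
    for block, setting, reason in audit(FIREWALL_A_CFG):
        print(f"{block}: {setting} ({reason})")
```

Run against the Firewall A file the audit reports five findings: DES-CBC and DH group 1 in the IKE proposal (both defaults that the file does not show), MD5 in the IKE proposal, and DES with MD5 in the transform set. The same audit on the Firewall B file adds the nat server line, whose port keyword any maps every UDP port of 192.168.168.164 rather than the one service the tunnel is meant to reach.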