Aggressive Mode With Nat Traversal Configuration Example - HP MSR2000 Configuration Manual


[Outbound ESP SAs]
SPI: 738451674 (0x2c03e0da)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: active
# Use the same commands to verify the information about the CA certificate, local certificate, IKE SA, and IPsec SA on Device B. (Details not shown.)
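An added example, not part of the HP manual: a Python check that parses SA output in the format shown above and compares it with the intended policy, including the NAT traversal field and the empty "Max received sequence-number" value. The function names, the policy arguments and the 60-second threshold are assumptions made for this illustration.

```python
import re

# Sample input: the outbound SA block shown above, embedded so the check runs offline.
SAMPLE = """\
[Outbound ESP SAs]
SPI: 738451674 (0x2c03e0da)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: active
"""

def parse_sa_blocks(text):
    """Return {section name: {field: value}} for each '[... SAs]' block."""
    blocks, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = blocks.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()  # a field with no value stays ""
    return blocks

def audit_sa(fields, expect_transforms, expect_nat_t, min_remaining_sec=60):
    """Compare one SA with the intended policy (assumed inputs); return findings."""
    findings = []
    if fields.get("Status") != "active":
        findings.append("SA is not active")
    if set(fields.get("Transform set", "").split()) != set(expect_transforms):
        findings.append("transform set differs from policy")
    if fields.get("Anti-replay check enable") != "Y":
        findings.append("anti-replay is disabled")
    nat_t = fields.get("UDP encapsulation used for NAT traversal") == "Y"
    if nat_t != expect_nat_t:
        findings.append("NAT traversal state is %s, expected %s" % (nat_t, expect_nat_t))
    remaining = fields.get("SA remaining duration (kilobytes/sec)", "")
    m = re.fullmatch(r"(\d+)/(\d+)", remaining)
    if not m:
        findings.append("remaining duration missing or unparsable")
    elif int(m.group(2)) < min_remaining_sec:
        findings.append("SA about to expire")
    return findings
```

For a tunnel where one peer sits behind a NAT device, call `audit_sa` with `expect_nat_t=True` so that an SA negotiated without UDP encapsulation is reported.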

Aggressive mode with NAT traversal configuration example

This configuration example does not apply when the device operates in FIPS mode.
Network requirements
Device A is behind the NAT device. Configure an IPsec tunnel that uses IKE negotiation between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
Configure Device A and Device B to use the default IKE proposal and aggressive mode for the IKE negotiation that sets up the IPsec SAs. Configure the two devices to use the pre-shared key authentication method for IKE negotiation phase 1.
Figure 53 Network diagram
[Diagram not reproduced. Labels: Device A Eth1/2 10.1.1.1/24; Host A 10.1.1.2/24]
Configuration procedure
1. Configure Device A:
# Assign an IP address to each interface. (Details not shown.)
# Configure ACL 3000 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<DeviceA> system-view
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-adv-3000] quit
# Create an IPsec transform set named transform1.
[DeviceA] ipsec transform-set transform1
[Figure 53 labels, continued: NAT; Eth1/1 1.1.1.1/16; Eth1/1 2.2.2.2/16; Internet; Device B Eth1/2 10.1.2.1/24; Host B 10.1.2.2/24]

This manual is also suitable for: MSR3000, MSR4000