Aggressive Mode With Nat Traversal Configuration Example - HP MSR Series Configuration Manual

HPE FlexNetwork MSR Router Series

Connection ID: 2
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
UDP encapsulation used for NAT traversal: N
Status: Active
# Display the information about the CA certificate, local certificate, IKE SA, and IPsec SA on Device B.
[DeviceB] display ike sa
[DeviceB] display pki certificate domain domain2 ca
[DeviceB] display pki certificate domain domain2 local
[DeviceB] display ipsec sa
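
A scripted check of the `display ipsec sa` fields shown above, as an added example that is not part of the HP manual: it parses the output and reports an SA whose status, transform set, or NAT traversal flag differs from what the deployment expects. The function names, the policy allow-list, and the `Y` value for NAT traversal in use are assumptions.

```python
# Added example, not from the manual. Field names are taken from the page's output.
PAGE_SAMPLE = """\
Connection ID: 2
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843200/3484
Max received sequence-number:
UDP encapsulation used for NAT traversal: N
Status: Active
"""
# Constructed variant: assumes the device prints Y when UDP encapsulation is in use.
NAT_SAMPLE = PAGE_SAMPLE.replace("NAT traversal: N", "NAT traversal: Y")

# Hypothetical policy: the transforms this deployment accepts.
POLICY = {"ESP-ENCRYPT-AES-CBC-128", "ESP-AUTH-SHA1"}

def parse_sa(text):
    """Turn 'Field: value' lines into a dict; an empty value becomes None."""
    sa = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            sa[key.strip()] = value.strip() or None
    return sa

def check_sa(sa, expect_nat_t, allowed_transforms):
    """Return a list of findings; an empty list means the SA matches policy."""
    findings = []
    if sa.get("Status") != "Active":
        findings.append("status is %r, not Active" % sa.get("Status"))
    nat_t = sa.get("UDP encapsulation used for NAT traversal")
    if nat_t not in ("Y", "N"):
        findings.append("NAT traversal field missing or unreadable")
    elif (nat_t == "Y") != expect_nat_t:
        wanted = "Y" if expect_nat_t else "N"
        findings.append("NAT traversal is %s, expected %s" % (nat_t, wanted))
    transforms = (sa.get("Transform set") or "").split()
    rejected = sorted(set(transforms) - set(allowed_transforms))
    if not transforms:
        findings.append("transform set missing")
    elif rejected:
        findings.append("transform not in policy: " + " ".join(rejected))
    return findings

if __name__ == "__main__":
    # A peer behind NAT is expected to show UDP encapsulation in use.
    for name, sample in (("page sample", PAGE_SAMPLE), ("NAT variant", NAT_SAMPLE)):
        print(name, check_sa(parse_sa(sample), True, POLICY) or "OK")
```
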

Aggressive mode with NAT traversal configuration example

This configuration example is not available when the device is operating in FIPS mode.
Network requirements
Device A is behind the NAT device. Hosts behind Device A use public IP address 3.3.3.1 to access the external network. Configure an IKE-based IPsec tunnel between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
Configure Device A and Device B to use the default IKE proposal for the aggressive IKE negotiation to set up the IPsec SAs. Configure the two devices to use the pre-shared key authentication method for IKE negotiation phase 1.
Figure 111 Network diagram
[Figure labels: Device A GE2/0/2 10.1.1.1/24; Host A 10.1.1.2/24]
Configuration procedure
1. Configure Device A:
# Assign an IP address to each interface. (Details not shown.)
# Configure ACL 3000 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<DeviceA> system-view
[DeviceA] acl advanced 3000
[DeviceA-acl-ipv4-adv-3000] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-ipv4-adv-3000] quit
# Create an IPsec transform set named transform1.
[DeviceA] ipsec transform-set transform1
# Use the ESP protocol for the IPsec transform set.
[Figure 111 labels, continued: NAT; GE2/0/1 1.1.1.1/16; 1.1.1.2/16; 3.3.3.1/16; Internet; Device B GE2/0/1 2.2.2.2/16, GE2/0/2 10.1.2.1/24; Host B 10.1.2.2/24]
