Configuring Aggressive Mode IKE With NAT Traversal - HP 6600 Security Configuration Manual


    dest addr: 10.1.2.0/255.255.255.0  port: 0  protocol: IP

    [inbound ESP SAs]
      spi: 0x3d6d3a62(1030568546)
      transform: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      in use setting: Tunnel
      connection id: 1
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843199/3590
      anti-replay detection: Enabled
      anti-replay window size(counter based): 32
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 0x553faae(89389742)
      transform: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      in use setting: Tunnel
      connection id: 2
      sa duration (kilobytes/sec): 1843200/3600
      sa remaining duration (kilobytes/sec): 1843199/3590
      anti-replay detection: Enabled
      anti-replay window size(counter based): 32
      udp encapsulation used for nat traversal: N

Configuring aggressive mode IKE with NAT traversal

Network requirements
As shown in Figure 105, the branch and the headquarters connect to an ATM network through Router B
and Router A. Router B connects to the public network through an ADSL line and acts as the PPPoE client.
The interface connecting to the public network uses a private address dynamically assigned by the ISP.
Router A uses a fixed public IP address for the interface connected to the public network.
Configure IPsec tunnels between Router A and Router B to protect traffic between the branch and its
headquarters. Use IKE to establish the IPsec tunnels.

Figure 105 Network diagram
[Figure labels. Branch side: Router B (PPPoE client), GE3/0/1 192.168.0.1/24, ATM1/1/1, ADSL line, NAT. Headquarters side: Router A, S2/1/1 100.1.1.1/24, GE3/0/1 172.16.0.1/24. The two sides connect across the Internet.]

Configuration guidelines
The IKE negotiation mode must be aggressive because Router B uses a dynamic IP address.
You must configure NAT traversal at both ends of the IPsec tunnel because one end of the tunnel uses a
public IP address but the other end uses a private IP address.
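
The following Python code is an added example, not part of the HP manual. It parses SA blocks in the format of the listing on this page and reports SAs that use single DES or, when a NAT device is on the path, do not show UDP encapsulation for NAT traversal. The function names, the audit policy and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the format of the SA listing on this page; the
# outbound NAT traversal flag is set to Y here to exercise both outcomes.
SAMPLE = """\
  dest addr: 10.1.2.0/255.255.255.0  port: 0  protocol: IP
  [inbound ESP SAs]
    spi: 0x3d6d3a62(1030568546)
    transform: ESP-ENCRYPT-DES ESP-AUTH-SHA1
    udp encapsulation used for nat traversal: N
  [outbound ESP SAs]
    spi: 0x553faae(89389742)
    transform: ESP-ENCRYPT-DES ESP-AUTH-SHA1
    udp encapsulation used for nat traversal: Y
"""

WEAK_TRANSFORMS = {"ESP-ENCRYPT-DES"}  # single DES, 56-bit key
NAT_T_FIELD = "udp encapsulation used for nat traversal"
HEADER = re.compile(r"^\[(inbound|outbound) (\w+) SAs\]$")


def parse_sas(text):
    """Return one dict per SA block: direction, protocol, then its fields."""
    sas = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            sas.append({"direction": m.group(1), "protocol": m.group(2)})
        elif sas and ": " in line:
            key, value = line.split(": ", 1)
            sas[-1][key] = value
    return sas


def audit(sas, nat_on_path=True):
    """Return (direction, spi, finding) tuples for SAs that need attention."""
    findings = []
    for sa in sas:
        spi = sa.get("spi", "?").split("(")[0]
        for name in sorted(WEAK_TRANSFORMS & set(sa.get("transform", "").split())):
            findings.append((sa["direction"], spi, f"weak transform {name}"))
        # Hypothetical policy: with a NAT device on the path, expect flag Y.
        if nat_on_path and sa.get(NAT_T_FIELD) != "Y":
            findings.append((sa["direction"], spi, "NAT traversal not in use"))
    return findings


if __name__ == "__main__":
    print(*audit(parse_sas(SAMPLE)), sep="\n")
```
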

This manual is also suitable for:

Hsr6600
