H3C Intelligent Management Center IPsec VPN Manager Administrator Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com So
90 a. Enter the number of the hub tunnel interface in the Hub Tunnel Number box. b. Enter the IP address of the hub tunnel interface in the Hub Tunn
91 4. Configure additional settings: The additional settings are inherited from the VPN domain. You can modify these settings for the GRE over IPsec
92 Figure 38 DVPN network As shown in Figure 38, HubA, SpokeA, and SpokeB are VAM clients. The IMC Platform manages VAM ServerA, HubA, SpokeA, and S
93 4. Click Next. Configuring basic DVPN settings 1. Enter a name for the VPN domain in the Domain Name box. IVM uses a case-insensitive name and a
94 Configuring the VAM server A DVPN network can accommodate up to two VAM servers. One acts as the primary server, and the other acts as the backup
95 An unselected query condition is not used for device query. b. Click Query. All the devices matching the query conditions are displayed at the up
96 − Permit RADIUS Client—Select this option to enable the VAM server to receive and send RADIUS packets. { Local—Enables local authentication on VA
97 12. Select a tunnel source interface from the Tunnel Source Interface list. The Tunnel Source Interface list displays the interfaces that IVM obta
98 b. Enter the DPD interval in seconds in the DPD Interval(s) box. When the local end sends an IPsec packet, it checks the time the last IPsec packe
99 A window appears for you to select spokes by view through step 2 or by query through step 3. 2. Add spokes by view: a. Click the By View tab. Th
1 1 IPsec VPN Manager overview IPsec VPN Manager (IVM) is IMC's service component for managing Layer 3 Virtual Private Networks that are built us
100 c. Select devices in the Devices Found list and click the Add selected icon to add the devices to the Selected Devices list, or click the Add a
101 h. Enter the number of the tunnel interface. This setting corresponds to the CLI command interface tunnel number. i. Select a tunnel source inte
102 a. Enter a DPD name in the DPD Name box. b. Enter the DPD interval in seconds in the DPD Interval(s) box. When the local end sends an IPsec pac
103 You only need to deploy DVPN settings because VAM clients exchange VAM packets to establish DVPN tunnels. DVPN settings include VAM server setting
104 5 Building VPN networks with IVM and BIMS This chapter describes using IVM and BIMS to build IPsec VPN, GRE over IPsec VPN, and DVPN networks in w
105 Figure 40 Building an IPsec VPN network Adding IPsec devices After you add IPsec devices to the IMC Platform, IVM automatically manages the IPse
106 Configure basic VPN domain settings 1. Enter a name for the VPN domain in the Domain Name box. IVM uses a case-insensitive name and a type to un
107 You can configure the IPsec proposal through step 3, or import an IPsec proposal template through step 4. 3. Configure the IPsec proposal: a. Se
108 a. Click the Import icon next to the proposal number. The Select IKE Proposals window appears. This window automatically filters IKE proposal t
109 To remove a device from the Selected Devices list, select a device in the Selected Devices list and click the Remove Selected icon . d. Click OK.
2 • IPsec proposal management—Manages IPsec proposals that define security parameters for IPsec SA negotiation, including the security protocol, encr
110 2. Enter query conditions in the Device Name, Serial Number, and Device IP boxes, which support fuzzy query. 3. Click Query. 4. Select spoke d
111 A window appears. b. Enter a new IP address. c. Click OK. Configuring IPsec tunnels You can configure an IPsec tunnel when you add it, or modify
112 3. Click a VPN domain name to enter the VPN domain page. 4. Click the Device parameters icon for an existing IPsec tunnel. 5. Configure the e
113 2. Click OK. Configuring device parameters The Device Parameters page provides CA domain and protected traffic flow settings. A CA domain includ
114 { Operator—Operator used to match TCP and UDP ports on the hub. Operators include Equals, Less than, Greater than, Not Equals, and Range. { Port
115 e. Go to step 6. 5. Import an IPsec proposal that has been configured on a hub device in the current VPN domain: a. Click the import icon nex
116 The parameters in the IKE proposal template are automatically filled in the IKE proposal configuration page. e. Go to step 6. 5. Import an IKE
117 { This setting corresponds to the following CLI command when the IPsec policy template is enabled: ipsec policy policy-name seq-number isakmp tem
118 A menu appears for you to check tunnel settings: { View Hub's Current Configuration { View Spoke's Current Configuration { View IVM&a
119 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > VPN Domains. 3. Click Add in the VPN Domain List to add a GRE ov
3 2 Quick start guide Accessing IVM IMC provides the following IVM access modes: • Classic—Log in to the classic IMC interface. Operators access IVM
120 If you select YES, the hub device only receives negotiation requests from peers, without initiating IKE negotiation. The IPsec policy template fea
121 c. Select the IPsec proposal template in the IPsec Proposal List. d. Click OK. The parameters in the IPsec proposal template are automatically
122 a. Select a hub device. b. Select spoke devices. c. Configure interfaces for GRE over IPsec tunnels. d. Configure GRE over IPsec tunnels 6. C
123 − Device Reachability—Select Reachable or Unreachable. An unselected query condition is not used for device query. b. Click Query. All the devi
124 A window appears. c. Enter a new name for the hub interface. d. Click OK. e. To copy the name and address of the hub interface to another tunn
125 The Basic Information tab provides the following basic settings: { IKE Negotiation Mode—Select Main or Aggressive mode for phase-1 IKE negotiati
126 { ID Type—Name or IP. If the ID type is Name, the Hub IKE Gateway Name and Spoke IKE Gateway Name are also displayed. { Encapsulation Mode—Tunn
127 d. Click OK. To modify the hub subnet, click the Modify icon and enter new settings in the window. To delete the hub subnet, select it and clic
128 b. Enter the complete name or part of the name of the IPsec proposal template you want to query, and click Query. c. Select the IPsec proposal t
129 You can add, modify, and delete IKE proposal templates in IKE Proposals. For more information about IKE proposal templates, see "Managing IKE
4 IVM navigation tree Figure 3 shows the navigation tree. To expand the IVM navigation tree: 1. Click the Service tab. 2. From the navigation tree,
130 { This setting corresponds to the following CLI command when the IPsec policy template is not enabled: ipsec policy policy-name seq-number isakmp
131 a. Enter the number of the hub tunnel interface in the Hub Tunnel Number box. b. Enter the IP address of the hub tunnel interface in the Hub Tun
132 4. Configure additional settings: The additional settings are inherited from the VPN domain. You can modify these settings for the GRE over IPse
133 Figure 43 DVPN network As shown in Figure 43, HubA, SpokeA, and SpokeB are VAM clients. ServerA and HubA have static IP addresses, Spoke A is pr
134 d. Configure the hub. e. Configure spokes. The following sections describe these tasks. 4. Click Next. Configuring basic DVPN settings 1. Ente
135 7. Click Next to configure the VAM server. Configuring the VAM server A DVPN network can accommodate up to two VAM servers. One acts as the pri
136 − Device Reachability—Select Reachable or Unreachable. An unselected query condition is not used for device query. b. Click Query. All the devi
137 − Permit RADIUS Client—Select this option to enable the VAM server to receive and send RADIUS packets. { Local—Enables local authentication on V
138 12. Select a tunnel source interface from the Tunnel Source Interface list. The Tunnel Source Interface list displays the interfaces that IVM obt
139 b. Enter the DPD interval in seconds in the DPD Interval(s) box. When the local end sends an IPsec packet, it checks the time the last IPsec pack
5 Navigation menu option Task Options Configure BIMS and IVM parameters. DVPN Security Configuration View and modify the DVPN configuration templates
140 a. Click Select BIMS Spokes. A window appears for you to select spokes. b. Enter query conditions in the Device Name, Serial Number, and Device
141 This setting corresponds to the CLI command interface tunnel number. i. Select a tunnel source interface from the Tunnel Source Interface list. T
142 b. Enter the DPD interval in seconds in the DPD Interval(s) box. When the local end sends an IPsec packet, it checks the time the last IPsec pack
143 and spokes, and tunnel, routing, and IPsec settings for all VAM clients. If client authentication is needed, deploy AAA authentication settings to
144 6 IVM service report The IVM service report function is implemented through the report function of the IMC Platform. The IMC Platform uses report
145 { Begin Time—Set the statistics collection start time. Click the field to select the time in the calendar that appears. The valid format is YYYY-
146 { Begin Time—Set the statistics collection start time. Click the field to select the time in the calendar that appears. The valid format is YYYY-
147 { End Time—Set the statistics collection end time. Click the field to select the time in the calendar that appears. The valid format is YYYY-MM-D
148 3. Click OK. The IPsec tunnel receive rate report appears. Figure 47 IPsec tunnel receive rate report Parameter description: { Statistical
149 The IPsec tunnel outbound drop rate report appears. Figure 48 IPsec tunnel outbound drop rate report Parameter description: { Statistical Ran
6 Application Task IP Tunnels Query, view, and monitor IPsec tunnels. IPsec Proposals Query, view, add, modify, and delete IPsec proposals. IKE Prop
150 Figure 49 IPsec tunnel inbound drop rate report Parameter description: { Statistical Range—IPsec tunnels involved in the report. { From/To—S
151 b. Enter the full template name or part of the template name. This option supports fuzzy matching. c. In the Query Template area, select VPN S
152 7. (Optional.) Set the time when a report becomes invalid. Then, the IMC Platform does not generate any scheduled report. Click the field to sele
153 − Quarterly—Options include Begin time, One month after begin time, Two months after begin time, and End time. − Half Yearly—Options include Beg
154 7 Maintaining VPNs This chapter describes how to maintain the IPsec VPN, GRE over IPsec, and DVPN domains. For information about how to add VPN d
155 address for fuzzy query. For example, you can enter 192.168 to query all devices that have an IP address starting with 192.168. − Device IP List
156 Modifying an IPsec VPN domain An IPsec VPN domain contains IPsec and IKE settings for tunnels in the domain. IPsec tunnels in a VPN domain inherit
157 { ID Type—Select the identity type used by the IKE peers. Options are IP and Name. The ID type must be Name when NAT traversal is enabled, and mu
158 − Security Protocol—Select the security protocol to be used by the IPsec proposal. Options are AH, ESP, and AH + ESP. − AH AuthN—This parameter
159 { ESP Encryption—This parameter appears only when ESP or AH + ESP is selected for Security Protocol. Select the encryption algorithm to be used b
7 Figure 6 24-Hour IPsec Tunnel Trend Click TopN on the top right corner of the graph to view more IPsec tunnel statistics, including the following
160 The IKE Proposal List displays all the IKE proposals that use the same authentication method as is specified for the VPN domain by the IKE Authent
161 3. Click the name of the IPsec VPN domain you want to query. 4. Click Basic Query on the upper right side of the Query Tunnels area. You can p
162 3. Click the name of an IPsec VPN domain. The Tunnel List displays all tunnels in the IPsec VPN domain. 4. Select the tunnels you want to unde
163 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > VPN Domains. The VPN Domain List displays all VPN domains. 3.
164 { Number of Virtual Spokes—Enter the number of virtual spokes. IVM automatically creates a tunnel for each virtual spoke. { Interface Name—Ente
165 − Device Name—Modify the name of the virtual spoke. − Interface Name—Modify the name of the spoke interface. − Interface IP—Modify the IP add
166 The import file must meet the following requirements: • The file format must be .txt. • The first line must be the column titles. The other line
167 7. Click Select Hub. The Select Devices dialog box appears. 8. Select a device as the hub and click OK. 9. Click Import from File. The Impo
168 Modifying a GRE over IPsec VPN domain A GRE over IPsec VPN domain contains IPsec and IKE settings for tunnels in the domain. GRE over IPsec tunnel
169 { ID Type—Select the identity type used by the IKE peers. Options are IP and Name. The ID type must be Name when NAT traversal is enabled, and mu
8 Figure 7 Top 5 Devices by Average Active IPsec Tunnels VPN Domain Traffic Trend graph As shown in Figure 8, the graph shows the transmit and recei
170 The Add IPsec Proposal page appears. 2. Enter a name for the IPsec proposal. You can configure the IPsec proposal through step 3 or import an IP
171 { AH Authentication—This parameter appears only when AH or AH + ESP is selected for Security Protocol. Select the authentication algorithm to be
172 4. Import an IKE proposal template: a. Click the Import the security proposal from the template icon next to the Proposal Num. field. The Se
173 Performing a basic query 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > VPN Domains.
174 To undeploy GRE over IPsec tunnels: 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > V
175 undeploy the undeployment failed tunnel and then change the status of the tunnel from Undeployment Failed to Undeployed. To change the deployment
176 2. Specify the following parameters for the virtual spokes: { Device Name—Enter the name of the virtual spoke. If you specify multiple spokes wi
177 a. Click the Modify Spoke Device Info icon next to a virtual spoke name. The Modify Virtual Spoke Settings window appears. b. Modify the fol
178 Importing GRE over IPsec tunnels from a file You can bulk import GRE over IPsec tunnels from a file to IVM. The file contains the hub and spoke in
179 Column title Description Remarks GRE Spoke Tunnel Number Number of the GRE tunnel on the hub side, in the range 0 to 1023. Optional. GRE Hub Tu
9 VPN Domain Tunnel Counts pie chart As shown in Figure 9, IVM displays the numbers of IPsec tunnels in different types of VPN domains in a pie chart.
180 5. Select the column number or Do not select from the file for each of the following column titles in the file: { Spoke Device Type { Spoke Dev
181 2. From the navigation tree, select IPsec VPN Manager > Automatic Discovery. The page for selecting a VAM server appears. 3. Select the DVPN
182 c. Select a device in the Devices Found list and click the Add selected icon to add the device to the Selected Devices list. d. To remove a de
183 To modify global DVPN settings: 1. Modify the name of the domain in the Domain Name field. The domain name must be unique in IVM. 2. Modify th
184 4. If the security template requires the VAM server to authenticate VAM clients, enter the ISP domain name in the ISP Domain Name field, and sele
185 4. Modify the private IP address of hub 1 in the Private IP Address box. The VAM server uses private IP addresses to identify VAM clients. Hub 1
186 { VPN Name—Name of the DVPN, configured in global DVPN settings. { Routing Protocol—Routing protocol used by DVPN, which is OSPF, iBGP, or eBGP
187 { area area-id { network ip-address wildcard-mask 9. Add a BGP network in the BGP Network List if the routing protocol used by DVPN is iBGP or
188 If the authentication method is RADIUS, whether to include the domain name in the entered username depends on the Username Format setting in RADIU
189 The default setting is inherited from the security template. 5. Enter a pre-shared key in the Pre-Shared Key box. The default setting is inherite
Copyright © 2013-2014, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmi
10 Figure 10 Top 5 VPN Domains by Traffic Top 5 IPsec Tunnels by Receive Rate As shown in Figure 11, IVM displays the top 5 IPsec tunnels with the h
190 bgp as-number network ip-address mask IVM automatically configures the relationships between BGP peers. 10. Click OK to complete DVPN domain mod
191 − View DVPN sessions—Select this option to view the DVPN sessions. For more information, see "Viewing the DVPN sessions of a VAM client.&quo
192 To add a spoke to a DVPN network in which the hub device has a fixed IP address but the spoke devices have no fixed IP addresses or reside behind
193 To delete DVPN configuration from a device 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources
194 The configuration page of the DVPN domain appears. The page contains two tabs: Device Information and Tunnel Connectivity Audit. By default, the D
195 { Device IP—IP address of the spoke. { Device Type—Type of the device, BIMS or Routers. BIMS indicates that the device is managed by IMC BIMS.
196 − Device Status—Select a status from the list to query devices in that status. The Device Status list includes Unmanaged, Unknown, Normal, Warnin
197 The configuration page of the DVPN domain appears. The page contains two tabs: Device Information and Tunnel Connectivity Audit. By default, the D
198 A window appears, displaying all DVPN sessions of the VAM client. Each session represents a DVPN tunnel established on the VAM client. DVPN Sessi
199 a. Select View DVPN sessions from the shortcut menu. The DVPN Session List window appears. b. Select the DVPN sessions you want to reset. c.
11 As shown in Figure 12, IVM displays the top 5 IPsec tunnels with the highest transmit rate in a specified VPN domain or in all VPN domains in a lis
200 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > VPN Domains. The VPN Domain List displays all VPN domains. 3.
201 Deleting audited DVPN tunnels You can manually delete a spoke-spoke tunnel from the Tunnel List on the Tunnel Connectivity Audit tab of a DVPN dom
202 The VPN Domain List displays all VPN domains. 3. Click the name of the DVPN domain. The configuration page of the DVPN domain appears. The page
203 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > VPN Domains. The VPN Domain List displays all VPN domains. 3.
12 Figure 14 Top 5 IPsec Tunnels by Outbound Drop Rate Highlighted IPsec Devices As shown in Figure 15, IVM displays the top 10 IPsec devices with t
13 Figure 16 IVM quick start wizard Common operations Navigating a list If a list spans multiple pages, use the following aids to navigate the list:
14 Figure 17 Navigating the IPsec device list Sorting a list Sort a list by every field that contains a Sort icon in the column label. • When the
15 Determining network scenarios For security and confidentiality purposes, enterprises and organizations build VPNs over IPsec to secure Layer 3 comm
16 Figure 20 IMC components For a static network scenario, deploy the following components: • IMC Platform—Manages the hub and all spokes. • IMC I
17 [Hub] snmp-agent community read public [Hub] snmp-agent community write private For more information about the SNMP configuration, see the configur
18 Configuring CWMP CPE WAN Management Protocol (CWMP), also known as the TR-069 protocol, can be configured manually or through DHCP Option 43. This
19 3 Managing IVM IVM provides various management functions. The procedures for configuring VPNs are complicated and vary with the VPN technology used
Preface The H3C IMC IVM Administrator Guide includes 7 chapters, which describe the management and deployment of IPsec-based VPNs, such as IPsec VPN,
20 4. Click Query. The VPN Domain List displays all VPN domains that match the query criterion. Click Reset to clear the query criterion and display
21 − Synchronizing icon ( )—The Synchronizing icon indicates the synchronization is in progress. − Failure icon ( )—The Failure icon indicates the
22 4. Click Query. The IPsec Device List displays all IPsec devices matching the query criteria. Click Reset to clear the query criteria and display
23 − Location—Enter the location of the device. IVM supports fuzzy matching for this field. For example, if you enter Lab, all the devices with locati
24 7. Select one or more BIMS devices you want to import. 8. Click OK. The Device List displays information about the selected devices, including
25 To set tunnel traps for a device: 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > IPsec
26 5. Configure the following parameters: { Slot Number—This field displays the slot number of the encryption card. For example, 3/0 indicates that
27 { Traffic-based Lifetime (KB)—Specify the maximum traffic that the SA can process, in kilobytes. { Time-based Lifetime (s)—Specify the amount of
28 The Registration Information Details window appears. Registration Information Details contents { Device Name—Name of the VAM client. { Interval
29 Viewing the tunnel list 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > IPsec Tunnels.
Convention Description CAUTION An alert that calls attention to important information that if not understood or followed can result in data loss, dat
30 Viewing IPsec tunnel details You can only view detailed information about IPsec tunnels in Ready state. To view IPsec tunnel details: 1. Clic
31 4. Click Back to return to the Tunnel List. Enabling/disabling monitoring of IPsec tunnels By default, IVM monitors all IPsec tunnels. You can ma
32 { Action—Tunnel event, tunnel setup or disconnect. { Local IP—Local end IP address of the IPsec tunnel. { Remote IP—Remote end IP address of t
33 Managing IPsec proposals Basic concepts An IPsec proposal defines a set of security parameters for IPsec SA negotiation, including security protoco
34 • Transport mode—IPsec protects only the IP payload. It uses only the IP payload to calculate the AH or ESP header, and inserts the calculated hea
35 Viewing the IPsec proposal details 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > Security Proposals >
36 Modifying an IPsec proposal 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > Security Proposals > IPsec P
37 { Pre-shared key—Two IKE peers use the pre-configured shared key for identity authentication. { CA—Two IKE peers use digital certificates issued
38 4. Click Query. The IKE Proposal List displays all IKE Proposals that match the query criterion. Click Reset to clear the query criterion and dis
39 { ISAKMP SA Lifetime—ISAKMP SA lifetime in seconds. The value range is 60 to 604800 and the default is 86400. Since DH computation can be time-con
Documents Purposes H3C IMC Centralized Deployment Guide with Local Database Provides a complete guide to IMC platform and component centralized deploy
40 Viewing the DVPN security configuration list A DVPN security configuration contains VAM security parameters and IPsec security parameters. Securit
41 authentication services for IKE peers. The main mode is applied in scenarios that require high security levels, while the aggressive mode is used i
42 To be considered a match, two IKE proposals must have the same encryption algorithm, authentication method, authentication algorithm, and DH group.
43 { ID Type—Select the ID type for ISAKMP SA phase 1 negotiation. Options are IP and Name. When the negotiation mode is Main, the ID type can only b
44 7. To delete IPsec proposals, select the IPsec proposals, click Delete, and then click OK on the confirmation dialog box that appears. 8. To add
45 2. From the navigation tree, select IPsec VPN Manager > Options. The BIMS Service Settings tab displays all BIMS service parameters. 3. Conf
46 Parameter type Parameter Description Retries Enter the number of SNMPv3 retries. The value range is 1 to 20. 5. Modify the Telnet template: a.
47 Modifying monitor settings 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > Options. 3. Click the Monitor
48 Monitoring tunnels and VPN domains IVM monitors and collects index data from IPsec tunnels and VPN domains in real time. It uses the collected data
49 Figure 21 IPsec tunnel monitoring statistics Tunnel monitor indexes: • IPsec Tunnel Receive Rate (bps)—Displays the average receive rate (in bp
Obtaining documentation Access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top n
50 • IPsec Tunnel Outbound Dropped Packets—Displays the number of dropped packets within every 5 minutes in the outbound direction of the IPsec tunne
51 Figure 22 VPN domain monitoring data Managing VPN domain topologies IVM allows you to view the topology of the VPN domains to locate network prob
52 Figure 23 HTML5-type VPN domain topology Figure 24 Applet-type VPN domain topology
53 Access the VPN domain topology page You can access the VPN domain topology page from the VPN Domain List page, the IPsec Device List page, or the N
54 All the VPN domains in IVM are listed under the Topology > VPN Domain Topology node in the left navigation tree. Double click a VPN domain name
55 Alarm level Color Meaning Major Orange The highest alarm level is Major on the device. Minor Yellow The highest alarm level is Minor on the dev
56 Figure 26 IPsec VPN tunnel information IPsec VPN tunnel information: • Link Name—Tunnel name. • Hub Device—Hub device name. • Hub Interface—I
57 Figure 27 GRE over IPsec tunnel information A GRE over IPsec tunnel has the following information different from an IPsec VPN tunnel: • GRE Hub
58 • Tunnel Status—State of the DVPN tunnel during the last polling interval. • Hub Private IP—Private IP address used by the hub client to register
59 Figure 31 IPsec tunnel topology • Display Protected Subnets—Select this option to display the protected subnets in the VPN domain topology, as s
60 Figure 33 Right-click menu of a VPN domain topology VPN domain topology right-click menu options: • Device Label—Provides options that allow yo
61 4 Building VPN networks with IVM This chapter describes using IVM to build IPsec VPN, GRE over IPsec VPN, and DVPN networks in which the hub and sp
62 Figure 35 Building an IPsec VPN network Adding IPsec devices After you add IPsec devices to the IMC Platform, IVM automatically manages the IPsec
63 Configure basic VPN domain settings 1. Enter a name for the VPN domain in the Domain Name box. IVM uses a case-insensitive name and a type to uni
64 You can configure the IPsec proposal through step 3, or import an IPsec proposal template through step 4. 3. Configure the IPsec proposal: a. Sel
65 The Select IKE Proposals window appears. This window automatically filters IKE proposal templates that do not match the IKE Authentication method s
66 3. Add a hub by query: a. Click the Advanced tab, which provides the following query conditions: − Device IP—Enter the IPv4 address of a device.
67 b. Collapse a view. All devices for the view are displayed at the upper right of the window. c. Select devices in the Devices Found list and cli
68 e. Click OK. To replace a spoke device, click the Select Spokes icon for that spoke device, and repeat step 2 or 3 to select a new spoke device.
69 Configuring IPsec tunnels You can configure an IPsec tunnel when you add it, or modify an existing IPsec tunnel. The two configuration methods have
70 { Basic Information { Device Parameters { Security Proposals { Spoke Additional Settings { Hub Advanced Settings { Spoke Advanced Settings Co
71 Configuring device parameters The Device Parameters page provides CA domain and protected traffic flow settings. A CA domain includes certificate
72 { Port number—A port or a port range protected by IPsec on the hub. { IP Address/Mask at the Spoke Side—Spoke network protected by IPsec. { Op
73 5. Import an IPsec proposal that has been configured on a hub device in the current VPN domain: a. Click the import icon next to the hub propos
74 e. Go to step 6. 5. Import an IKE proposal that has been configured on a hub device in the current VPN domain: a. Click the import icon next t
75 ipsec policy policy-name seq-number isakmp template template-name The policy-name and seq-number arguments have the same functions as those in the
76 { View Hub's Current Configuration { View Spoke's Current Configuration { View IVM's Configuration for Hub { View IVM's Con
77 3. Click Add in the VPN Domain List to add a GRE over IPsec VPN domain by completing the following settings: a. Configure basic settings − Confi
78 If you select YES, the hub device only responds to negotiation requests from peers, without initiating IKE negotiation. The IPsec policy template f
79 c. Select the IPsec proposal template in the IPsec Proposal List. d. Click OK. The parameters in the IPsec proposal template are automatically
80 a. Select a hub device. b. Select spoke devices. c. Configure interfaces for GRE over IPsec tunnels. d. Configure GRE over IPsec tunnels 6. Cl
81 − Device Reachability—Select Reachable or Unreachable. An unselected query condition is not used for device query. b. Click Query. All the devic
82 − Device Label—Enter a device label. You can enter an incomplete label for fuzzy query. For example, you can enter db to query all devices that ha
83 d. Click OK. e. To copy the name and address of the hub interface to another tunnel, click the Clone this interface to all subsequent hubs icon .
84 { NAT Traversal—Select YES or NO. Only aggressive mode supports NAT traversal. { IKE Authentication—Select the authentication method Pre-Shared
85 { Encapsulation Mode—Tunnel or Transport. If NAT traversal is enabled, the encapsulation mode must be Tunnel. This setting cannot be modified. You
86 To modify the hub subnet, click the Modify icon and enter new settings in the window. To delete the hub subnet, select it and click Delete. 4.
87 b. Enter the complete name or part of the name of the IPsec proposal template you want to query, and click Query. c. Select the IPsec proposal te
88 You can add, modify, and delete IKE proposal templates in IKE Proposals. For more information about IKE proposal templates, see "Managing IKE
89 { This setting corresponds to the following CLI command when the IPsec policy template is not enabled: ipsec policy policy-name seq-number isakmp