H3c-technologies H3C Intelligent Management Center User Manual Page 1

Browse online or download User Manual for Safety H3c-technologies H3C Intelligent Management Center. H3C Technologies H3C Intelligent Management Center User Manual


Summary of Contents

Page 1 - Administrator Guide

H3C Intelligent Management Center IPsec VPN Manager Administrator Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com So

Page 2

iv Viewing the DVPN session information of a tunnel 202 Rese

Page 3 - Preface

90 a. Enter the number of the hub tunnel interface in the Hub Tunnel Number box. b. Enter the IP address of the hub tunnel interface in the Hub Tunn

Page 4 - Network topology icons

91 4. Configure additional settings: The additional settings are inherited from the VPN domain. You can modify these settings for the GRE over IPsec

Page 5

92 Figure 38 DVPN network As shown in Figure 38, HubA, SpokeA, and SpokeB are VAM clients. The IMC Platform manages VAM ServerA, HubA, SpokeA, and S

Page 6 - Documentation feedback

93 4. Click Next. Configuring basic DVPN settings 1. Enter a name for the VPN domain in the Domain Name box. IVM uses a case-insensitive name and a

Page 7 - Contents

94 Configuring the VAM server A DVPN network can accommodate up to two VAM servers. One acts as the primary server, and the other acts as the backup

Page 8

95 An unselected query condition is not used for device query. b. Click Query. All the devices matching the query conditions are displayed at the up

Page 9

96 − Permit RADIUS Client—Select this option to enable the VAM server to receive and send RADIUS packets. { Local—Enables local authentication on VA

Page 10

97 12. Select a tunnel source interface from the Tunnel Source Interface list. The Tunnel Source Interface list displays the interfaces that IVM obta

Page 11 - 1 IPsec VPN Manager overview

98 b. Enter the DPD interval in seconds in the DPD Interval(s) box. When the local end sends an IPsec packet, it checks the time the last IPsec packe

Page 12 - IVM features

99 A window appears for you to select spokes by view through step 2 or by query through step 3. 2. Add spokes by view: a. Click the By View tab. Th

Page 13 - 2 Quick start guide

1 1 IPsec VPN Manager overview IPsec VPN Manager (IVM) is IMC's service component for managing Layer 3 Virtual Private Networks that are built us

Page 14 - IVM navigation menu options

100 c. Select devices in the Devices Found list and click the Add selected icon to add the devices to the Selected Devices list, or click the Add a

Page 15 - Desktop mode

101 h. Enter the number of the tunnel interface. This setting corresponds to the CLI command interface tunnel number. i. Select a tunnel source inte

Page 16 - IVM home page

102 a. Enter a DPD name in the DPD Name box. b. Enter the DPD interval in seconds in the DPD Interval(s) box. When the local end sends an IPsec pac

Page 17

103 You only need to deploy DVPN settings because VAM clients exchange VAM packets to establish DVPN tunnels. DVPN settings include VAM server setting

Page 18

104 5 Building VPN networks with IVM and BIMS This chapter describes using IVM and BIMS to build IPsec VPN, GRE over IPsec VPN, and DVPN networks in w

Page 19

105 Figure 40 Building an IPsec VPN network Adding IPsec devices After you add IPsec devices to the IMC Platform, IVM automatically manages the IPse

Page 20

106 Configure basic VPN domain settings 1. Enter a name for the VPN domain in the Domain Name box. IVM uses a case-insensitive name and a type to un

Page 21

107 You can configure the IPsec proposal through step 3, or import an IPsec proposal template through step 4. 3. Configure the IPsec proposal: a. Se

Page 22 - IVM quick start wizard

108 a. Click the Import icon next to the proposal number. The Select IKE Proposals window appears. This window automatically filters IKE proposal t

Page 23 - Common operations

109 To remove a device from the Selected Devices list, select a device in the Selected Devices list and click the Remove Selected icon . d. Click OK.

Page 24 - Sorting a list

2 • IPsec proposal management—Manages IPsec proposals that define security parameters for IPsec SA negotiation, including the security protocol, encr

Page 25

110 2. Enter query conditions in the Device Name, Serial Number, and Device IP boxes, which support fuzzy query. 3. Click Query. 4. Select spoke d

Page 26 - Configuring SNMP

111 A window appears. b. Enter a new IP address. c. Click OK. Configuring IPsec tunnels You can configure an IPsec tunnel when you add it, or modify

Page 27 - Configuring SSH

112 3. Click a VPN domain name to enter the VPN domain page. 4. Click the Device parameters icon for an existing IPsec tunnel. 5. Configure the e

Page 28 - Configuring CWMP

113 2. Click OK. Configuring device parameters The Device Parameters page provides CA domain and protected traffic flow settings. A CA domain includ

Page 29 - 3 Managing IVM

114 { Operator—Operator used to match TCP and UDP ports on the hub. Operators include Equals, Less than, Greater than, Not Equals, and Range. { Port

Page 30 - Managing IPsec devices

115 e. Go to step 6. 5. Import an IPsec proposal that has been configured on a hub device in the current VPN domain: a. Click the import icon nex

Page 31 - Querying IPsec devices

116 The parameters in the IKE proposal template are automatically filled in the IKE proposal configuration page. e. Go to step 6. 5. Import an IKE

Page 32 - Import IMC devices to IVM

117 { This setting corresponds to the following CLI command when the IPsec policy template is enabled: ipsec policy policy-name seq-number isakmp tem

Page 33

118 A menu appears for you to check tunnel settings: { View Hub's Current Configuration { View Spoke's Current Configuration { View IVM'

Page 34 - Setting tunnel traps

119 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > VPN Domains. 3. Click Add in the VPN Domain List to add a GRE ov

Page 35

3 2 Quick start guide Accessing IVM IMC provides the following IVM access modes: • Classic—Log in to the classic IMC interface. Operators access IVM

Page 36 - Configuration procedure

120 If you select YES, the hub device only receives negotiation requests from peers, without initiating IKE negotiation. The IPsec policy template fea

Page 37

121 c. Select the IPsec proposal template in the IPsec Proposal List. d. Click OK. The parameters in the IPsec proposal template are automatically

Page 38 - Managing IPsec tunnels

122 a. Select a hub device. b. Select spoke devices. c. Configure interfaces for GRE over IPsec tunnels. d. Configure GRE over IPsec tunnels 6. C

Page 39 - Viewing the tunnel list

123 − Device Reachability—Select Reachable or Unreachable. An unselected query condition is not used for device query. b. Click Query. All the devi

Page 40 - Viewing IPsec tunnel details

124 A window appears. c. Enter a new name for the hub interface. d. Click OK. e. To copy the name and address of the hub interface to another tunn

Page 41

125 The Basic Information tab provides the following basic settings: { IKE Negotiation Mode—Select Main or Aggressive mode for phase-1 IKE negotiati

Page 42

126 { ID Type—Name or IP. If the ID type is Name, the Hub IKE Gateway Name and Spoke IKE Gateway Name are also displayed. { Encapsulation Mode—Tunn

Page 43 - Managing IPsec proposals

127 d. Click OK. To modify the hub subnet, click the Modify icon and enter new settings in the window. To delete the hub subnet, select it and clic

Page 44 - Querying IPsec proposals

128 b. Enter the complete name or part of the name of the IPsec proposal template you want to query, and click Query. c. Select the IPsec proposal t

Page 45 - Adding an IPsec proposal

129 You can add, modify, and delete IKE proposal templates in IKE Proposals. For more information about IKE proposal templates, see "Managing IKE

Page 46 - Managing IKE proposals

4 IVM navigation tree Figure 3 shows the navigation tree. To expand the IVM navigation tree: 1. Click the Service tab. 2. From the navigation tree,

Page 47 - Querying IKE proposals

130 { This setting corresponds to the following CLI command when the IPsec policy template is not enabled: ipsec policy policy-name seq-number isakmp

Page 48 - Adding an IKE proposal

131 a. Enter the number of the hub tunnel interface in the Hub Tunnel Number box. b. Enter the IP address of the hub tunnel interface in the Hub Tun

Page 49 - Modifying an IKE proposal

132 4. Configure additional settings: The additional settings are inherited from the VPN domain. You can modify these settings for the GRE over IPse

Page 50 - IPsec security parameters

133 Figure 43 DVPN network As shown in Figure 43, HubA, SpokeA, and SpokeB are VAM clients. ServerA and HubA have static IP addresses, Spoke A is pr

Page 51

134 d. Configure the hub. e. Configure spokes. The following sections describe these tasks. 4. Click Next. Configuring basic DVPN settings 1. Ente

Page 52

135 7. Click Next to configure the VAM server. Configuring the VAM server A DVPN network can accommodate up to two VAM servers. One acts as the pri

Page 53

136 − Device Reachability—Select Reachable or Unreachable. An unselected query condition is not used for device query. b. Click Query. All the devi

Page 54

137 − Permit RADIUS Client—Select this option to enable the VAM server to receive and send RADIUS packets. { Local—Enables local authentication on V

Page 55

138 12. Select a tunnel source interface from the Tunnel Source Interface list. The Tunnel Source Interface list displays the interfaces that IVM obt

Page 56 - Retries

139 b. Enter the DPD interval in seconds in the DPD Interval(s) box. When the local end sends an IPsec packet, it checks the time the last IPsec pack

Page 57 - Modifying monitor settings

5 Navigation menu option Task Options Configure BIMS and IVM parameters. DVPN Security Configuration View and modify the DVPN configuration templates

Page 58

140 a. Click Select BIMS Spokes. A window appears for you to select spokes. b. Enter query conditions in the Device Name, Serial Number, and Device

Page 59

141 This setting corresponds to the CLI command interface tunnel number. i. Select a tunnel source interface from the Tunnel Source Interface list. T

Page 60

142 b. Enter the DPD interval in seconds in the DPD Interval(s) box. When the local end sends an IPsec packet, it checks the time the last IPsec pack

Page 61 - VPN domain topology types

143 and spokes, and tunnel, routing, and IPsec settings for all VAM clients. If client authentication is needed, deploy AAA authentication settings to

Page 62

144 6 IVM service report The IVM service report function is implemented through the report function of the IMC Platform. The IMC Platform uses report

Page 63

145 { Begin Time—Set the statistics collection start time. Click the field to select the time in the calendar that appears. The valid format is YYYY-

Page 64

146 { Begin Time—Set the statistics collection start time. Click the field to select the time in the calendar that appears. The valid format is YYYY-

Page 65 - Tunnel information

147 { End Time—Set the statistics collection end time. Click the field to select the time in the calendar that appears. The valid format is YYYY-MM-D

Page 66

148 3. Click OK. The IPsec tunnel receive rate report appears. Figure 47 IPsec tunnel receive rate report Parameter description: { Statistical

Page 67

149 The IPsec tunnel outbound drop rate report appears. Figure 48 IPsec tunnel outbound drop rate report Parameter description: { Statistical Ran

Page 68 - Right-click menu of a device

6 Application Task IP Tunnels Query, view, and monitor IPsec tunnels. IPsec Proposals Query, view, add, modify, and delete IPsec proposals. IKE Prop

Page 69

150 Figure 49 IPsec tunnel inbound drop rate report Parameter description: { Statistical Range—IPsec tunnels involved in the report. { From/To—S

Page 70

151 b. Enter the full template name or part of the template name. This option supports fuzzy matching. c. In the Query Template area, select VPN S

Page 71

152 7. (Optional.) Set the time when a report becomes invalid. Then, the IMC Platform does not generate any scheduled report. Click the field to sele

Page 72

153 − Quarterly—Options include Begin time, One month after begin time, Two months after begin time, and End time. − Half Yearly—Options include Beg

Page 73

154 7 Maintaining VPNs This chapter describes how to maintain the IPsec VPN, GRE over IPsec, and DVPN domains. For information about how to add VPN d

Page 74

155 address for fuzzy query. For example, you can enter 192.168 to query all devices that have an IP address starting with 192.168. − Device IP List

Page 75

156 Modifying an IPsec VPN domain An IPsec VPN domain contains IPsec and IKE settings for tunnels in the domain. IPsec tunnels in a VPN domain inherit

Page 76

157 { ID Type—Select the identity type used by the IKE peers. Options are IP and Name. The ID type must be Name when NAT traversal is enabled, and mu

Page 77

158 − Security Protocol—Select the security protocol to be used by the IPsec proposal. Options are AH, ESP, and AH + ESP. − AH AuthN—This parameter

Page 78

159 { ESP Encryption—This parameter appears only when ESP or AH + ESP is selected for Security Protocol. Select the encryption algorithm to be used b

Page 79

7 Figure 6 24-Hour IPsec Tunnel Trend Click TopN on the top right corner of the graph to view more IPsec tunnel statistics, including the following

Page 80

160 The IKE Proposal List displays all the IKE proposals that use the same authentication method as is specified for the VPN domain by the IKE Authent

Page 81

161 3. Click the name of the IPsec VPN domain you want to query. 4. Click Basic Query on the upper right side of the Query Tunnels area. You can p

Page 82

162 3. Click the name of an IPsec VPN domain. The Tunnel List displays all tunnels in the IPsec VPN domain. 4. Select the tunnels you want to unde

Page 83

163 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > VPN Domains. The VPN Domain List displays all VPN domains. 3.

Page 84

164 { Number of Virtual Spokes—Enter the number of virtual spokes. IVM automatically creates a tunnel for each virtual spoke. { Interface Name—Ente

Page 85

165 − Device Name—Modify the name of the virtual spoke. − Interface Name—Modify the name of the spoke interface. − Interface IP—Modify the IP add

Page 86

166 The import file must meet the following requirements: • The file format must be .txt. • The first line must be the column titles. The other line

Page 87

167 7. Click Select Hub. The Select Devices dialog box appears. 8. Select a device as the hub and click OK. 9. Click Import from File. The Impo

Page 88

168 Modifying a GRE over IPsec VPN domain A GRE over IPsec VPN domain contains IPsec and IKE settings for tunnels in the domain. GRE over IPsec tunnel

Page 89

169 { ID Type—Select the identity type used by the IKE peers. Options are IP and Name. The ID type must be Name when NAT traversal is enabled, and mu

Page 90

8 Figure 7 Top 5 Devices by Average Active IPsec Tunnels VPN Domain Traffic Trend graph As shown in Figure 8, the graph shows the transmit and recei

Page 91

170 The Add IPsec Proposal page appears. 2. Enter a name for the IPsec proposal. You can configure the IPsec proposal through step 3 or import an IP

Page 92

171 { AH Authentication—This parameter appears only when AH or AH + ESP is selected for Security Protocol. Select the authentication algorithm to be

Page 93

172 4. Import an IKE proposal template: a. Click the Import the security proposal from the template icon next to the Proposal Num. field. The Se

Page 94

173 Performing a basic query 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > VPN Domains.

Page 95

174 To undeploy GRE over IPsec tunnels: 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > V

Page 96

175 undeploy the undeployment failed tunnel and then change the status of the tunnel from Undeployment Failed to Undeployed. To change the deployment

Page 97

176 2. Specify the following parameters for the virtual spokes: { Device Name—Enter the name of the virtual spoke. If you specify multiple spokes wi

Page 98

177 a. Click the Modify Spoke Device Info icon next to a virtual spoke name. The Modify Virtual Spoke Settings window appears. b. Modify the fol

Page 99

178 Importing GRE over IPsec tunnels from a file You can bulk import GRE over IPsec tunnels from a file to IVM. The file contains the hub and spoke in

Page 100

179 Column title Description Remarks GRE Spoke Tunnel Number Number of the GRE tunnel on the hub side, in the range 0 to 1023. Optional. GRE Hub Tu

Page 101 - Building a DVPN network

9 VPN Domain Tunnel Counts pie chart As shown in Figure 9, IVM displays the numbers of IPsec tunnels in different types of VPN domains in a pie chart.

Page 102 - Adding DVPN domains

180 5. Select the column number or Do not select from the file for each of the following column titles in the file: { Spoke Device Type { Spoke Dev

Page 103

181 2. From the navigation tree, select IPsec VPN Manager > Automatic Discovery. The page for selecting a VAM server appears. 3. Select the DVPN

Page 104 - Configuring the VAM server

182 c. Select a device in the Devices Found list and click the Add selected icon to add the device to the Selected Devices list. d. To remove a de

Page 105

183 To modify global DVPN settings: 1. Modify the name of the domain in the Domain Name field. The domain name must be unique in IVM. 2. Modify th

Page 106

184 4. If the security template requires the VAM server to authenticate VAM clients, enter the ISP domain name in the ISP Domain Name field, and sele

Page 107

185 4. Modify the private IP address of hub 1 in the Private IP Address box. The VAM server uses private IP addresses to identify VAM clients. Hub 1

Page 108 - area area-id

186 { VPN Name—Name of the DVPN, configured in global DVPN settings. { Routing Protocol—Routing protocol used by DVPN, which is OSPF, iBGP, or eBGP

Page 109

187 { area area-id { network ip-address wildcard-mask 9. Add a BGP network in the BGP Network List if the routing protocol used by DVPN is iBGP or

Page 110

188 If the authentication method is RADIUS, whether to include the domain name in the entered username depends on the Username Format setting in RADIU

Page 111

189 The default setting is inherited from the security template. 5. Enter a pre-shared key in the Pre-Shared Key box. The default setting is inherite

Page 112 - Deploying DVPN settings

Copyright © 2013-2014, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmi

Page 113

10 Figure 10 Top 5 VPN Domains by Traffic Top 5 IPsec Tunnels by Receive Rate As shown in Figure 11, IVM displays the top 5 IPsec tunnels with the h

Page 114

190 bgp as-number network ip-address mask IVM automatically configures the relationships between BGP peers. 10. Click OK to complete DVPN domain mod

Page 115 - Adding IPsec VPN domains

191 − View DVPN sessions—Select this option to view the DVPN sessions. For more information, see "Viewing the DVPN sessions of a VAM client."

Page 116

192 To add a spoke to a DVPN network in which the hub device has a fixed IP address but the spoke devices have no fixed IP addresses or reside behind

Page 117 - Configuring an IKE proposal

193 To delete DVPN configuration from a device 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources

Page 118 - Adding IPsec tunnels

194 The configuration page of the DVPN domain appears. The page contains two tabs: Device Information and Tunnel Connectivity Audit. By default, the D

Page 119 - Selecting spoke devices

195 { Device IP—IP address of the spoke. { Device Type—Type of the device, BIMS or Routers. BIMS indicates that the device is managed by IMC BIMS.

Page 120

196 − Device Status—Select a status from the list to query devices in that status. The Device Status list includes Unmanaged, Unknown, Normal, Warnin

Page 121 - Configuring IPsec tunnels

197 The configuration page of the DVPN domain appears. The page contains two tabs: Device Information and Tunnel Connectivity Audit. By default, the D

Page 122

198 A window appears, displaying all DVPN sessions of the VAM client. Each session represents a DVPN tunnel established on the VAM client. DVPN Sessi

Page 123

199 a. Select View DVPN sessions from the shortcut menu. The DVPN Session List window appears. b. Select the DVPN sessions you want to reset. c.

Page 124

11 As shown in Figure 12, IVM displays the top 5 IPsec tunnels with the highest transmit rate in a specified VPN domain or in all VPN domains in a lis

Page 125

200 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > VPN Domains. The VPN Domain List displays all VPN domains. 3.

Page 126

201 Deleting audited DVPN tunnels You can manually delete a spoke-spoke tunnel from the Tunnel List on the Tunnel Connectivity Audit tab of a DVPN dom

Page 127 - Deploying IPsec tunnels

202 The VPN Domain List displays all VPN domains. 3. Click the name of the DVPN domain. The configuration page of the DVPN domain appears. The page

Page 128

203 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > VPN Domains. The VPN Domain List displays all VPN domains. 3.

Page 129

12 Figure 14 Top 5 IPsec Tunnels by Outbound Drop Rate Highlighted IPsec Devices As shown in Figure 15, IVM displays the top 10 IPsec devices with t

Page 130 - Configuring GRE settings

13 Figure 16 IVM quick start wizard Common operations Navigating a list If a list spans multiple pages, use the following aids to navigate the list:

Page 131

14 Figure 17 Navigating the IPsec device list Sorting a list Sort a list by every field that contains a Sort icon in the column label. • When the

Page 132 - Selecting a hub device

15 Determining network scenarios For security and confidentiality purposes, enterprises and organizations build VPNs over IPsec to secure Layer 3 comm

Page 133

16 Figure 20 IMC components For a static network scenario, deploy the following components: • IMC Platform—Manages the hub and all spokes. • IMC I

Page 134 - Configuring GRE

17 [Hub] snmp-agent community read public [Hub] snmp-agent community write private For more information about the SNMP configuration, see the configur

Page 135

18 Configuring CWMP CPE WAN Management Protocol (CWMP), also known as the TR-069 protocol, can be configured manually or through DHCP Option 43. This

Page 136

19 3 Managing IVM IVM provides various management functions. The procedures for configuring VPNs are complicated and vary with the VPN technology used

Page 137

Preface The H3C IMC IVM Administrator Guide includes 7 chapters, which describe the management and deployment of IPsec-based VPNs, such as IPsec VPN,

Page 138

20 4. Click Query. The VPN Domain List displays all VPN domains that match the query criterion. Click Reset to clear the query criterion and display

Page 139

21 − Synchronizing icon ( )—The Synchronizing icon indicates the synchronization is in progress. − Failure icon ( )—The Failure icon indicates the

Page 140 - Configuring a GRE tunnel

22 4. Click Query. The IPsec Device List displays all IPsec devices matching the query criteria. Click Reset to clear the query criteria and display

Page 141

23 − Location—Enter the location of the device. IVM supports fuzzy matching for this field. For example, if you enter Lab, all the devices with locati

Page 142

24 7. Select one or more BIMS devices you want to import. 8. Click OK. The Device List displays information about the selected devices, including

Page 143

25 To set tunnel traps for a device: 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > IPsec

Page 144

26 5. Configure the following parameters: { Slot Number—This field displays the slot number of the encryption card. For example, 3/0 indicates that

Page 145

27 { Traffic-based Lifetime (KB)—Specify the maximum traffic that the SA can process, in kilobytes. { Time-based Lifetime (s)—Specify the amount of

Page 146

28 The Registration Information Details window appears. Registration Information Details contents { Device Name—Name of the VAM client. { Interval

Page 147

29 Viewing the tunnel list 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > IPsec Tunnels.

Page 148

Convention Description CAUTION An alert that calls attention to important information that if not understood or followed can result in data loss, dat

Page 149

30 Viewing IPsec tunnel details You can only view detailed information about IPsec tunnels in Ready state. To view IPsec tunnel details: 1. Clic

Page 150

31 4. Click Back to return to the Tunnel List. Enabling/disabling monitoring of IPsec tunnels By default, IVM monitors all IPsec tunnels. You can ma

Page 151

32 { Action—Tunnel event, tunnel setup or disconnect. { Local IP—Local end IP address of the IPsec tunnel. { Remote IP—Remote end IP address of t

Page 152 - Deploying DVPN settings

33 Managing IPsec proposals Basic concepts An IPsec proposal defines a set of security parameters for IPsec SA negotiation, including security protoco

Page 153

34 • Transport mode—IPsec protects only the IP payload. It uses only the IP payload to calculate the AH or ESP header, and inserts the calculated hea

Page 154 - 6 IVM service report

35 Viewing the IPsec proposal details 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > Security Proposals >

Page 155

36 Modifying an IPsec proposal 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > Security Proposals > IPsec P

Page 156

37 { Pre-shared key—Two IKE peers use the pre-configured shared key for identity authentication. { CA—Two IKE peers use digital certificates issued

Page 157

38 4. Click Query. The IKE Proposal List displays all IKE Proposals that match the query criterion. Click Reset to clear the query criterion and dis

Page 158

39 { ISAKMP SA Lifetime—ISAKMP SA lifetime in seconds. The value range is 60 to 604800 and the default is 86400. Since DH computation can be time-con

Page 159

Documents Purposes H3C IMC Centralized Deployment Guide with Local Database Provides a complete guide to IMC platform and component centralized deploy

Page 160 - Scheduled report

40 Viewing the DVPN security configuration list A DVPN security configuration contains VAM security parameters and IPsec security parameters. Securit

Page 161

41 authentication services for IKE peers. The main mode is applied in scenarios that require high security levels, while the aggressive mode is used i

Page 162

42 To be considered a match, two IKE proposals must have the same encryption algorithm, authentication method, authentication algorithm, and DH group.

Page 163

43 { ID Type—Select the ID type for ISAKMP SA phase 1 negotiation. Options are IP and Name. When the negotiation mode is Main, the ID type can only b

Page 164 - 7 Maintaining VPNs

44 7. To delete IPsec proposals, select the IPsec proposals, click Delete, and then click OK on the confirmation dialog box that appears. 8. To add

Page 165

45 2. From the navigation tree, select IPsec VPN Manager > Options. The BIMS Service Settings tab displays all BIMS service parameters. 3. Conf

Page 166 - Modifying the basic settings

46 Parameter type Parameter Description Retries Enter the number of SNMPv3 retries. The value range is 1 to 20. 5. Modify the Telnet template: a.

Page 167 - Modifying IPsec proposals

47 Modifying monitor settings 1. Click the Service tab. 2. From the navigation tree, select IPsec VPN Manager > Options. 3. Click the Monitor

Page 168

48 Monitoring tunnels and VPN domains IVM monitors and collects index data from IPsec tunnels and VPN domains in real time. It uses the collected data

Page 169 - Deleting IPsec proposals

49 Figure 21 IPsec tunnel monitoring statistics Tunnel monitor indexes: • IPsec Tunnel Receive Rate (bps)—Displays the average receive rate (in bp

Page 170 - Querying IPsec tunnels

Obtaining documentation Access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top n

Page 171 - Undeploying IPsec tunnels

50 • IPsec Tunnel Outbound Dropped Packets—Displays the number of dropped packets within every 5 minutes in the outbound direction of the IPsec tunne

Page 172 - Deleting IPsec tunnels

51 Figure 22 VPN domain monitoring data Managing VPN domain topologies IVM allows you to view the topology of the VPN domains to locate network prob

Page 173 - Adding virtual spokes

52 Figure 23 HTML5-type VPN domain topology Figure 24 Applet-type VPN domain topology

Page 174

53 Access the VPN domain topology page You can access the VPN domain topology page from the VPN Domain List page, the IPsec Device List page, or the N

Page 175

54 All the VPN domains in IVM are listed under the Topology > VPN Domain Topology node in the left navigation tree. Double click a VPN domain name

Page 176

55 Alarm level Color Meaning Major Orange The highest alarm level is Major on the device. Minor Yellow The highest alarm level is Minor on the dev

Page 177

56 Figure 26 IPsec VPN tunnel information IPsec VPN tunnel information: • Link Name—Tunnel name. • Hub Device—Hub device name. • Hub Interface—I

Page 178

57 Figure 27 GRE over IPsec tunnel information A GRE over IPsec tunnel has the following information different from an IPsec VPN tunnel: • GRE Hub

Page 179

58 • Tunnel Status—State of the DVPN tunnel during the last polling interval. • Hub Private IP—Private IP address used by the hub client to register

Page 180

59 Figure 31 IPsec tunnel topology • Display Protected Subnets—Select this option to display the protected subnets in the VPN domain topology, as s

Page 181

i Contents 1 IPsec VPN Manager overview

Page 182 - Deleting IKE proposals

60 Figure 33 Right-click menu of a VPN domain topology VPN domain topology right-click menu options: • Device Label—Provides options that allow yo

Page 183 - Performing an advanced query

61 4 Building VPN networks with IVM This chapter describes using IVM to build IPsec VPN, GRE over IPsec VPN, and DVPN networks in which the hub and sp

Page 184 - GRE over IPsec tunnel

62 Figure 35 Building an IPsec VPN network Adding IPsec devices After you add IPsec devices to the IMC Platform, IVM automatically manages the IPsec

Page 185

63 Configure basic VPN domain settings 1. Enter a name for the VPN domain in the Domain Name box. IVM uses a case-insensitive name and a type to uni

Page 186

64 You can configure the IPsec proposal through step 3, or import an IPsec proposal template through step 4. 3. Configure the IPsec proposal: a. Sel

Page 187

65 The Select IKE Proposals window appears. This window automatically filters IKE proposal templates that do not match the IKE Authentication method s

Page 188

66 3. Add a hub by query: a. Click the Advanced tab, which provides the following query conditions: − Device IP—Enter the IPv4 address of a device.

Page 189

67 b. Collapse a view. All devices for the view are displayed at the upper right of the window. c. Select devices in the Devices Found list and cli

Page 190 - Managing DVPN domains

68 e. Click OK. To replace a spoke device, click the Select Spokes icon for that spoke device, and repeat step 2 or 3 to select a new spoke device.

Page 191

69 Configuring IPsec tunnels You can configure an IPsec tunnel when you add it, or modify an existing IPsec tunnel. The two configuration methods have

Page 192 - Modifying a DVPN domain

ii Querying IPsec proposals

Page 193 - Modifying the VAM server

70 { Basic Information { Device Parameters { Security Proposals { Spoke Additional Settings { Hub Advanced Settings { Spoke Advanced Settings Co

Page 194 - Modifying basic hub settings

71 Configuring device parameters The Device Parameters page provides CA domain and protected traffic flow settings. A CA domain includes certificate

Page 195

72 { Port number—A port or a port range protected by IPsec on the hub. { IP Address/Mask at the Spoke Side—Spoke network protected by IPsec. { Op

Page 196

73 5. Import an IPsec proposal that has been configured on a hub device in the current VPN domain: a. Click the import icon next to the hub propos

Page 197

74 e. Go to step 6. 5. Import an IKE proposal that has been configured on a hub device in the current VPN domain: a. Click the import icon next t

Page 198

75 ipsec policy policy-name seq-number isakmp template template-name The policy-name and seq-number arguments have the same functions as those in the

Page 199

76 { View Hub's Current Configuration { View Spoke's Current Configuration { View IVM's Configuration for Hub { View IVM's Con

Page 200

77 3. Click Add in the VPN Domain List to add a GRE over IPsec VPN domain by completing the following settings: a. Configure basic settings − Confi

Page 201

78 If you select YES, the hub device only responds to negotiation requests from peers, without initiating IKE negotiation. The IPsec policy template f

Page 202

79 c. Select the IPsec proposal template in the IPsec Proposal List. d. Click OK. The parameters in the IPsec proposal template are automatically

Page 203 - Managing spokes by group

iii Configuring existing GRE over IPsec tunnels 1

Page 204 - Querying DVPN groups

80 a. Select a hub device. b. Select spoke devices. c. Configure interfaces for GRE over IPsec tunnels. d. Configure GRE over IPsec tunnels 6. Cl

Page 205 - Adding spokes to a group

81 − Device Reachability—Select Reachable or Unreachable. An unselected query condition is not used for device query. b. Click Query. All the devic

Page 206 - Removing spokes from a group

82 − Device Label—Enter a device label. You can enter an incomplete label for fuzzy query. For example, you can enter db to query all devices that ha

Page 207

83 d. Click OK. e. To copy the name and address of the hub interface to another tunnel, click the Clone this interface to all subsequent hubs icon .

Page 208

84 { NAT Traversal—Select YES or NO. Only aggressive mode supports NAT traversal. { IKE Authentication—Select the authentication method Pre-Shared

Page 209

85 { Encapsulation Mode—Tunnel or Transport. If NAT traversal is enabled, the encapsulation mode must be Tunnel. This setting cannot be modified. You

Page 210

86 To modify the hub subnet, click the Modify icon and enter new settings in the window. To delete the hub subnet, select it and click Delete. 4.

Page 211

87 b. Enter the complete name or part of the name of the IPsec proposal template you want to query, and click Query. c. Select the IPsec proposal te

Page 212

88 You can add, modify, and delete IKE proposal templates in IKE Proposals. For more information about IKE proposal templates, see "Managing IKE

Page 213

89 { This setting corresponds to the following CLI command when the IPsec policy template is not enabled: ipsec policy policy-name seq-number isakmp
