2

Enter 170.0.0.1 in the Local endpoint text box.

Enter 171.0.0.1 in the Remote endpoint text box.

b. Configuring from IP Unit 2 to IP Unit 1: Enter 10.0.0.2 in the Local address text box. Enter 10.0.0.1 in the Remote address text box. Enter 171.0.0.1 in the Local endpoint text box. Enter 170.0.0.1 in the Remote endpoint text box.

c. Configuring from IP Unit 3 to IP Unit 4: Enter 11.0.0.1 in the Local address text box. Enter 11.0.0.2 in the Remote address text box. Enter 170.0.1.1 in the Local endpoint text box. Enter 171.0.1.1 in the Remote endpoint text box.

d. Configuring from IP Unit 4 to IP Unit 3: Enter 11.0.0.2 in the Local address text box. Enter 11.0.0.1 in the Remote address text box. Enter 171.0.1.1 in the Local endpoint text box. Enter 170.0.1.1 in the Remote endpoint text box.

2. OSPF provides redundancy in case a tunnel becomes unavailable. OSPF detects when the firewall at the other end of an HA GRE tunnel is no longer reachable, obtains a new route through the backup HA GRE tunnel, and forwards the packets to the backup firewall. Perform the steps as presented in the “Configuring OSPF” and “Configuring OSPF Example” sections. For this example, enable OSPF by using the following interface values:

IP Unit 1: 10.0.0.1 and 192.168.0.1

IP Unit 2: 10.0.0.2 and 192.168.1.1

IP Unit 3: 11.0.0.1 and 192.168.0.2

IP Unit 4: 11.0.0.2 and 192.168.1.2

Use iclid to show all OSPF neighbors. Each firewall should show two neighbors and also show that the best route to the destination network is through the corresponding HA GRE tunnel.

3. VRRP provides redundancy in case one of the firewalls is lost. Perform the steps as presented in “Configuring VRRP” on page 186. Use the following values to configure VRRP:

IP Unit 1: Enable VRRP on 192.168.0.1 with 192.168.0.2 as a backup

IP Unit 2: Enable VRRP on 192.168.1.1 with 192.168.1.2 as a backup

IP Unit 3: Enable VRRP on 192.168.0.2 with 192.168.0.1 as a backup

IP Unit 4: Enable VRRP on 192.168.1.2 with 192.168.1.1 as a backup

4. HA GRE tunnels work by encapsulating the original packet and resending the packet through the firewall. The first time the firewall sees the packet, it has the original IP header; the second time, the packet has the endpoints of the tunnels as the src and dst IP addresses.

The firewall needs to be configured to accept all packets with the original IP header so the encapsulation can take place. An encryption rule is then defined to encrypt those packets that match the tunnel endpoints.
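The following is an added example, not from the Nokia guide: it models the four tunnel directions from steps a-d, checks that each direction mirrors its reverse (a mismatched endpoint is the classic cause of a tunnel that never comes up), and shows the two headers the firewall sees for one forwarded packet, with the rule each one should hit. The unit names, rule labels and the 192.168.x.1 sample addresses are assumptions for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GreTunnel:
    local_addr: str   # tunnel interface address (inner header, routed by OSPF)
    remote_addr: str
    local_ep: str     # tunnel endpoint: outer GRE header source on this unit
    remote_ep: str    # tunnel endpoint: outer GRE header destination

# The four directions from steps a-d, keyed "unit->peer" (values from the page).
TUNNELS = {
    "1->2": GreTunnel("10.0.0.1", "10.0.0.2", "170.0.0.1", "171.0.0.1"),
    "2->1": GreTunnel("10.0.0.2", "10.0.0.1", "171.0.0.1", "170.0.0.1"),
    "3->4": GreTunnel("11.0.0.1", "11.0.0.2", "170.0.1.1", "171.0.1.1"),
    "4->3": GreTunnel("11.0.0.2", "11.0.0.1", "171.0.1.1", "170.0.1.1"),
}

def mirrors(a: GreTunnel, b: GreTunnel) -> bool:
    """True when b is a's exact mirror (local and remote values swapped)."""
    return (a.local_addr, a.remote_addr, a.local_ep, a.remote_ep) == (
        b.remote_addr, b.local_addr, b.remote_ep, b.local_ep)

def mismatched_pairs(tunnels: dict) -> list:
    """Directions whose reverse direction is missing or does not mirror them."""
    bad = []
    for name, t in tunnels.items():
        unit, peer = name.split("->")
        reverse = tunnels.get(f"{peer}->{unit}")
        if reverse is None or not mirrors(t, reverse):
            bad.append(name)
    return bad

def classify(src: str, dst: str, tunnels: dict) -> str:
    """Rule a header hits (labels are assumed): the outer GRE header, whose
    src/dst are a tunnel's endpoints, matches the encryption rule; any other
    header is the original packet and must be accepted so encapsulation runs."""
    for t in tunnels.values():
        if (src, dst) == (t.local_ep, t.remote_ep):
            return "encrypt"
    return "accept-for-encapsulation"

def firewall_passes(src: str, dst: str, tunnel: GreTunnel, tunnels: dict) -> list:
    """The two (src, dst, rule) views the firewall sees for one forwarded packet."""
    inner = (src, dst, classify(src, dst, tunnels))
    outer = (tunnel.local_ep, tunnel.remote_ep,
             classify(tunnel.local_ep, tunnel.remote_ep, tunnels))
    return [inner, outer]
```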

124

Nokia Network Voyager for IPSO 4.0 Reference Guide
