Nokia IPSO 4.0 Cell Phone User Manual


 
124 Nokia Network Voyager for IPSO 4.0 Reference Guide
Enter 170.0.0.1 in the Local endpoint text box.
Enter 171.0.0.1 in the Remote endpoint text box.
b. Configuring from IP Unit 2 to IP Unit 1:
Enter 10.0.0.2 in the Local address text box.
Enter 10.0.0.1 in the Remote address text box.
Enter 171.0.0.1 in the Local endpoint text box.
Enter 170.0.0.1 in the Remote endpoint text box.
c. Configuring from IP Unit 3 to IP Unit 4:
Enter 11.0.0.1 in the Local address text box.
Enter 11.0.0.2 in the Remote address text box.
Enter 170.0.1.1 in the Local endpoint text box.
Enter 171.0.1.1 in the Remote endpoint text box.
d. Configuring from IP Unit 4 to IP Unit 3:
Enter 11.0.0.2 in the Local address text box.
Enter 11.0.0.1 in the Remote address text box.
Enter 171.0.1.1 in the Local endpoint text box.
Enter 170.0.1.1 in the Remote endpoint text box.
2. OSPF provides redundancy in case a tunnel becomes unavailable. OSPF detects when the
firewall at the other end of an HA GRE tunnel is no longer reachable and then obtains a new
route by using the backup HA GRE tunnel and forwards the packets to the backup firewall.
Perform the steps as presented in the “Configuring OSPF” and “Configuring OSPF
Example” sections. For this example, enable OSPF by using the following interface values:
IP Unit 1: 10.0.0.1 and 192.168.0.1
IP Unit 2: 10.0.0.2 and 192.168.1.1
IP Unit 3: 11.0.0.1 and 192.168.0.2
IP Unit 4: 11.0.0.2 and 192.168.1.2
Use iclid to show all OSPF neighbors. Each firewall should show two neighbors and also
show that the best route to the destination network is through the corresponding HA GRE
tunnel.
3. VRRP provides redundancy in case one of the firewalls is lost. Perform the steps as
presented in “Configuring VRRP” on page 186. Use the following values to configure
VRRP:
IP Unit 1: Enable VRRP on 192.168.0.1 with 192.168.0.2 as a backup
IP Unit 2: Enable VRRP on 192.168.1.1 with 192.168.1.2 as a backup
IP Unit 3: Enable VRRP on 192.168.0.2 with 192.168.0.1 as a backup
IP Unit 4: Enable VRRP on 192.168.1.2 with 192.168.1.1 as a backup
4. HA GRE tunnels work by encapsulating the original packet and resending the packet
through the firewall. The first time the firewall sees the packet, it has the original IP header;
the second time, the packet has the end points of the tunnels as the src and dst IP
addresses.
The firewall needs to be configured to accept all packets with the original IP header so the
encapsulation can take place. An encryption rule is then defined to encrypt those packets
that match the tunnel endpoints.
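
The following check is an added example, not part of the Nokia guide or of IPSO. It verifies that each HA GRE tunnel from step 1 is mirrored on its peer and lists the endpoint pairs the encryption rule in step 4 has to match. The function names and the TUNNELS table are hypothetical, and Unit 1's tunnel addresses are assumed to mirror step 1b.

```python
from ipaddress import ip_address

# unit -> (peer, local address, remote address, local endpoint, remote endpoint)
# Constructed from steps 1a-1d. Unit 1's tunnel addresses are an assumption:
# they mirror step 1b, and 10.0.0.1 is Unit 1's OSPF interface in step 2.
TUNNELS = {
    1: (2, "10.0.0.1", "10.0.0.2", "170.0.0.1", "171.0.0.1"),
    2: (1, "10.0.0.2", "10.0.0.1", "171.0.0.1", "170.0.0.1"),
    3: (4, "11.0.0.1", "11.0.0.2", "170.0.1.1", "171.0.1.1"),
    4: (3, "11.0.0.2", "11.0.0.1", "171.0.1.1", "170.0.1.1"),
}

def check_mirror(tunnels):
    """Return a list of problems; an empty list means every tunnel is mirrored."""
    problems = []
    for unit, (peer, laddr, raddr, lend, rend) in sorted(tunnels.items()):
        for value in (laddr, raddr, lend, rend):
            ip_address(value)  # raises ValueError on a mistyped address
        if peer not in tunnels or tunnels[peer][0] != unit:
            problems.append(f"unit {unit}: no matching tunnel on unit {peer}")
            continue
        _, p_laddr, p_raddr, p_lend, p_rend = tunnels[peer]
        if (laddr, raddr) != (p_raddr, p_laddr):
            problems.append(f"unit {unit}: tunnel addresses not mirrored on unit {peer}")
        if (lend, rend) != (p_rend, p_lend):
            problems.append(f"unit {unit}: tunnel endpoints not mirrored on unit {peer}")
    return problems

def encryption_rule_pairs(tunnels):
    """(src, dst) tunnel endpoint pairs carried by the encapsulated packets (step 4)."""
    return sorted((lend, rend) for _, _, _, lend, rend in tunnels.values())

if __name__ == "__main__":
    for problem in check_mirror(TUNNELS) or ["all tunnels mirrored"]:
        print(problem)
    for src, dst in encryption_rule_pairs(TUNNELS):
        print(f"encryption rule must match: {src} -> {dst}")
```

An endpoint pair missing from the encryption rule means the encapsulated packets for that tunnel do not match the rule and are not encrypted by it.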