HP 7102dl - ProCurve Secure Router Configuration Manual page 516

Procurve secure router 7000dl series - advanced management and configuration guide
Virtual Private Networks
Configuring a VPN Using IPSec
10-22
If the packet does not match an active IPSec SA, then the ProCurve Secure
Router looks up the IKE policy associated with the peer specified in the entry.
It uses this policy to initiate IKE with the peer, establish an IKE SA, and
negotiate an IPSec SA to secure the packet. (If the associated IKE policy does
not allow the router to initiate IKE, the packet will be discarded.)
The ProCurve Secure Router also prioritizes IKE policies according to their
index numbers, which can be between 1 and 10,000. The router processes the
lowest-numbered IKE policy first.
Each IKE policy contains one or more IKE attribute policies, which are also
numbered and processed from lowest to highest number. The attribute policy
contains the settings IKE uses in its IKE phase 1 exchanges. You can configure
different authentication methods, hash and encryption algorithms, and other
security parameters in different IKE attribute policies in a single IKE policy.
This makes it more likely that IKE will be able to negotiate an IKE SA with
the peer.
When an incoming packet arrives on a WAN interface to which you have
assigned a crypto map, the ProCurve Secure Router checks its SPI and
searches for the matching IPSec SA. If it cannot find a match, it discards the
packet. If the packet does not have an SPI, the router can attempt to negotiate
an IPSec SA with the peer that sent the packet. It does so using the lowest-
numbered IKE policy configured to initiate IKE with that peer.
When a peer initiates IKE with the router, the router responds using the lowest-
numbered IKE policy that allows it to respond to that peer.
Table 10-10 summarizes how the router matches traffic to a VPN tunnel (IPSec
SA) or to a policy for establishing a VPN tunnel.
Table 10-10. How the Router Matches Traffic to VPN Policies

The Router Matches          | To                                              | According To
----------------------------|-------------------------------------------------|------------------------------------------
an outgoing packet          | a crypto map entry; an IPSec SA (if one exists) | source and destination IP (defined by the
                            |                                                 | map entry's ACL and in the SA)
a crypto map entry          | an IKE policy, which negotiates an IPSec SA     | peer ID
an incoming packet          | an IPSec SA                                     | SPI
IKE phase 1 message         | an IKE policy, which negotiates an IPSec SA     | peer ID
from peer                   |                                                 |
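The matching order described above (crypto map entry by ACL, then an active IPSec SA, then the lowest-numbered IKE policy that permits the needed role, otherwise discard) is modelled below as an added Python example. It is not HP code and not the router's implementation; the crypto map entries, IKE policies, peer addresses and the SPI value are constructed for the example, each ACL is reduced to a single source/destination network pair, and the results for cases the manual does not describe (outgoing traffic matching no crypto map entry, an SPI-less incoming packet from a peer with no initiating policy) are returned as labels rather than assumed behaviour.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class CryptoMapEntry:
    seq: int        # entries are tried in sequence-number order
    peer: str       # peer ID the entry points at
    acl_src: str    # the entry's ACL, reduced to one src/dst network pair
    acl_dst: str


@dataclass
class IpsecSa:
    spi: int
    peer: str
    src: str        # traffic the SA protects (same selectors as the ACL)
    dst: str


@dataclass
class IkePolicy:
    index: int      # 1..10,000; lowest index is processed first
    peer: str
    initiate: bool  # policy allows the router to initiate IKE with the peer
    respond: bool   # policy allows the router to respond to the peer


@dataclass
class Router:
    crypto_map: list
    ike_policies: list
    active_sas: list

    @staticmethod
    def _in(addr: str, net: str) -> bool:
        return ip_address(addr) in ip_network(net)

    def match_crypto_map(self, src: str, dst: str) -> Optional[CryptoMapEntry]:
        for e in sorted(self.crypto_map, key=lambda e: e.seq):
            if self._in(src, e.acl_src) and self._in(dst, e.acl_dst):
                return e
        return None

    def sa_for_traffic(self, src: str, dst: str, peer: str) -> Optional[IpsecSa]:
        for sa in self.active_sas:
            if sa.peer == peer and self._in(src, sa.src) and self._in(dst, sa.dst):
                return sa
        return None

    def ike_policy_for(self, peer: str, *, initiate: bool) -> Optional[IkePolicy]:
        # Lowest-numbered policy for this peer that permits the needed role.
        for p in sorted(self.ike_policies, key=lambda p: p.index):
            if p.peer == peer and (p.initiate if initiate else p.respond):
                return p
        return None

    def outgoing(self, src: str, dst: str) -> str:
        entry = self.match_crypto_map(src, dst)
        if entry is None:
            return "no-crypto-map-match"       # case not covered by the manual page
        sa = self.sa_for_traffic(src, dst, entry.peer)
        if sa is not None:
            return f"protect:spi=0x{sa.spi:x}"  # active SA: secure the packet
        pol = self.ike_policy_for(entry.peer, initiate=True)
        if pol is None:
            return "discard"                   # no policy may initiate IKE with the peer
        return f"initiate-ike:policy={pol.index}"

    def incoming(self, peer: str, spi: Optional[int] = None) -> str:
        if spi is not None:                    # look the SPI up; discard on no match
            for sa in self.active_sas:
                if sa.spi == spi:
                    return f"decrypt:spi=0x{spi:x}"
            return "discard"
        pol = self.ike_policy_for(peer, initiate=True)
        return f"initiate-ike:policy={pol.index}" if pol else "no-initiating-policy"

    def ike_phase1_from(self, peer: str) -> str:
        pol = self.ike_policy_for(peer, initiate=False)
        return f"respond:policy={pol.index}" if pol else "no-responding-policy"


def build_router() -> Router:
    """Constructed configuration for the example (peer IDs and SPI are made up)."""
    return Router(
        crypto_map=[
            CryptoMapEntry(10, "203.0.113.10", "10.1.1.0/24", "10.2.2.0/24"),
            CryptoMapEntry(20, "203.0.113.20", "10.1.1.0/24", "10.3.3.0/24"),
            CryptoMapEntry(30, "203.0.113.30", "10.1.1.0/24", "10.4.4.0/24"),
        ],
        ike_policies=[
            IkePolicy(5, "203.0.113.20", initiate=True, respond=False),
            IkePolicy(10, "203.0.113.10", initiate=True, respond=True),
            IkePolicy(20, "203.0.113.10", initiate=False, respond=True),  # never reached first
            IkePolicy(30, "203.0.113.30", initiate=False, respond=True),  # respond-only peer
        ],
        active_sas=[IpsecSa(0x1001, "203.0.113.10", "10.1.1.0/24", "10.2.2.0/24")],
    )


if __name__ == "__main__":
    r = build_router()
    print(r.outgoing("10.1.1.5", "10.2.2.9"))      # active SA reused
    print(r.outgoing("10.1.1.5", "10.4.4.1"))      # respond-only policy: discard
    print(r.incoming("203.0.113.10", spi=0x9999))  # unknown SPI: discard
```

The respond-only peer (index 30) shows the parenthetical rule on this page: a crypto map entry can point at a peer whose only IKE policy cannot initiate, and outgoing traffic for that peer is then discarded rather than queued, so a tunnel that "only comes up when the other side calls" is a configuration to check for whenever outbound VPN traffic silently disappears.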
This manual is also suitable for: Procurve secure router 7203dl j8753a