HP 7102dl - ProCurve Secure Router Configuration Manual page 523

ProCurve Secure Router 7000dl Series - Advanced Management and Configuration Guide

Note
The attribute policy is accessible only to the IKE policy in which you configure
it. This means that you cannot assume IKE can propose parameters to one
peer that you have configured for another peer.

You can leave the attribute policy settings at their defaults or customize them
according to your organization's security policies. Refer to Table 10-12 for the
commands for setting these policies. (See "IKE Phase 1" on page 10-8 in the
chapter overview for more information on selecting either preshared keys or
digital certificates.)

You must configure at least one attribute policy for each IKE policy even if
you do not alter its default settings.

Example Configuration. Figure 10-5 illustrates a VPN between headquarters
and two branch offices. The VPN must also allow mobile users remote
access. The company has established the security parameters shown beneath
the headquarters router for IKE SAs. However, because mobile users' clients
might not support these options, the company decides to allow greater
flexibility for client-to-site IKE SAs. You would configure two IKE policies on the
headquarters router. The policy for the branch office sites would include the

Table 10-12. Attribute Policy Settings: Match Peer's Settings

Parameter                 Options (Most to Least Secure)                                   Default        Command Syntax
hash algorithm            SHA, MD5                                                         SHA            hash [md5 | sha]
encryption algorithm      AES (256-bit key), AES (192-bit), 3DES, AES (128-bit), DES       DES            encryption [aes-256-cbc | aes-192-cbc | 3des | aes-128-cbc | des]
authentication method     RSA digital certificate, DSS digital certificate, preshared key  preshared key  authentication [rsa-sig | dss-sig | pre-share]
IKE SA lifetime           60 to 86,400 seconds (1 minute to 1 day)                         8 hours        lifetime <seconds>
Diffie-Hellman key group  group 1, group 2                                                 group 1        group [1 | 2]
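
The following Python code is an added example, not part of the HP manual. It encodes the options, defaults and lifetime range from Table 10-12 and reports which settings of an attribute policy fall short of the strongest option, filling in the default for any command that is absent. The Diffie-Hellman ranking (group 2 above group 1) is an assumption taken from the group sizes in RFC 2409 rather than from the table's listing order, and the sample policy text is constructed.

```python
# Table 10-12 as data: (options in the page's most-to-least-secure order, default).
OPTIONS = {
    "hash": (["sha", "md5"], "sha"),
    "encryption": (["aes-256-cbc", "aes-192-cbc", "3des", "aes-128-cbc", "des"], "des"),
    "authentication": (["rsa-sig", "dss-sig", "pre-share"], "pre-share"),
    # Assumption beyond the table: group 2 (1024-bit MODP) is ranked above
    # group 1 (768-bit MODP), following the group sizes in RFC 2409.
    "group": (["2", "1"], "1"),
}
LIFETIME_DEFAULT = 8 * 3600   # 8 hours, in seconds
LIFETIME_RANGE = (60, 86400)  # 1 minute to 1 day

def effective_policy(config_text):
    """Return the settings an attribute policy ends up with, defaults included."""
    policy = {name: default for name, (_, default) in OPTIONS.items()}
    policy["lifetime"] = LIFETIME_DEFAULT
    for raw in config_text.splitlines():
        words = raw.split()
        if len(words) != 2:
            continue  # blank lines and anything that is not "<keyword> <value>"
        keyword, value = words[0], words[1].lower()
        if keyword == "lifetime":
            seconds = int(value)
            if not LIFETIME_RANGE[0] <= seconds <= LIFETIME_RANGE[1]:
                raise ValueError(f"lifetime {seconds} is outside 60-86400 seconds")
            policy["lifetime"] = seconds
        elif keyword in OPTIONS:
            if value not in OPTIONS[keyword][0]:
                raise ValueError(f"unsupported {keyword} value: {value}")
            policy[keyword] = value
    return policy

def weak_settings(policy):
    """List parameters not set to the strongest option as (name, value, rank)."""
    findings = []
    for name, (ranked, _) in OPTIONS.items():
        rank = ranked.index(policy[name]) + 1
        if rank > 1:
            findings.append((name, policy[name], f"{rank} of {len(ranked)}"))
    return findings

# Constructed sample input: the five commands from Table 10-12, customized.
CUSTOMIZED = "encryption aes-256-cbc\nhash sha\nauthentication rsa-sig\ngroup 2\nlifetime 3600\n"

if __name__ == "__main__":
    for label, text in (("defaults", ""), ("customized", CUSTOMIZED)):
        print(label, weak_settings(effective_policy(text)))
```

Run against an empty policy, it shows that an attribute policy left at its defaults negotiates DES, a preshared key and group 1.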
Virtual Private Networks
Configuring a VPN Using IPSec
10-29

This manual is also suitable for:

Procurve secure router 7203dl j8753a j8753a
