HP 7102dl - ProCurve Secure Router Configuration Manual page 538

ProCurve Secure Router 7000dl Series - Advanced Management and Configuration Guide

Virtual Private Networks
Configuring a VPN Using IPSec
Unlike an IKE policy, a crypto map entry can have only one peer. This is because the crypto map entry actually defines the VPN tunnel, and a VPN tunnel is a point-to-point connection.

If the remote gateway has a dynamic address, you cannot set the peer ID. The router will instead respond to requests to open a VPN tunnel. If both routers have dynamic addresses, you cannot establish a VPN.

For client-to-site configurations, you do not need to set a peer. The router will use the crypto map entry to respond to requests from mobile users to connect to the private network.

IKE Policy. You can also explicitly associate the crypto map entry with an IKE policy. Enter this command from the crypto map configuration mode context:

Syntax: ike-policy <policy number>

Make sure that the policy you specify includes the same peer that you set for the crypto map entry.

Hash and Encryption Algorithms. You must assign at least one transform set to the crypto map entry. (The transform set contains the AH or ESP algorithms that IKE uses to secure the VPN tunnel.) Use the set command to specify one or more transform sets by name:

Syntax: set transform-set <setname> [<additional setname>]

You can assign each crypto map entry up to six transform sets.

Using more than one transform set makes it more likely that IKE will be able to select a security policy compatible with the peer's. You can also assign the same transform set to more than one crypto map entry. IPSec SAs negotiated using these entries will use the same algorithms (although each SA will have its own unique keys).

For example, suppose you have configured three transform sets named T1, T2, and T3 to contain different security algorithms. IKE first proposes the algorithms in set T1. If these do not match the peer's settings, then IKE proposes the algorithms in set T2, and so forth. You would enter:

ProCurve(config-crypto-map)# set transform-set T1 T2 T3
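
The following Python sketch is an added example, not part of the manual or of any ProCurve tooling. It checks a crypto map entry against the limits stated above (at least one and at most six transform sets) and models the ordered proposal described in the T1, T2, T3 example. The function names, the policy number, the algorithm labels in DEFINITIONS, and the peer's accepted list are constructed assumptions.

```python
import re

MAX_SETS = 6  # limit stated in the manual: up to six transform sets per entry

def parse_entry(lines):
    """Extract the IKE policy number and the ordered transform-set names."""
    entry = {"ike_policy": None, "transform_sets": []}
    for raw in lines:
        line = raw.split("#", 1)[-1].strip()  # drop a CLI prompt if present
        m = re.fullmatch(r"ike-policy\s+(\d+)", line)
        if m:
            entry["ike_policy"] = int(m.group(1))
        m = re.fullmatch(r"set transform-set\s+(\S.*)", line)
        if m:
            entry["transform_sets"] = m.group(1).split()
    return entry

def check_entry(entry):
    """Return the problems found against the limits the manual states."""
    sets, problems = entry["transform_sets"], []
    if not sets:
        problems.append("no transform set assigned (at least one is required)")
    if len(sets) > MAX_SETS:
        problems.append(f"{len(sets)} transform sets assigned (maximum is {MAX_SETS})")
    return problems

def first_match(order, definitions, peer_accepts):
    """Simplified model: try each set in configured order, first match wins."""
    for name in order:
        if definitions.get(name) in peer_accepts:
            return name
    return None

# Constructed sample data; the algorithm labels are illustrative, not CLI keywords.
DEFINITIONS = {"T1": ("AES-256", "SHA1"), "T2": ("3DES", "SHA1"), "T3": ("DES", "MD5")}
CONFIG = ["ike-policy 10", "ProCurve(config-crypto-map)# set transform-set T1 T2 T3"]
PEER_ACCEPTS = {("3DES", "SHA1"), ("DES", "MD5")}

if __name__ == "__main__":
    entry = parse_entry(CONFIG)
    print(entry, check_entry(entry))
    print("selected:", first_match(entry["transform_sets"], DEFINITIONS, PEER_ACCEPTS))
    # Listing the weakest set first lets it win whenever the peer accepts it.
    print("reordered:", first_match(["T3", "T2", "T1"], DEFINITIONS, PEER_ACCEPTS))
```

Because the first compatible set in the list is the one used, list transform sets from strongest to weakest and leave out any set you would not accept as the negotiated result.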
