HP 7102dl - ProCurve Secure Router Configuration Manual page 592

Procurve secure router 7000dl series - advanced management and configuration guide

Virtual Private Networks
Quick Start
10-98
13. If so desired, configure another IKE policy to connect to a remote site. (See "Configuring a Site-to-Site VPN" on page 10-90.)
14. Exit to the global configuration mode and configure algorithms for the IPSec SA in a transform set:
AH protocol:
Syntax: crypto ipsec transform-set <setname> [ah-md5-hmac | ah-sha-hmac]
ESP protocol:
Syntax: crypto ipsec transform-set <setname> [esp-des | esp-3des | esp-aes-128-cbc | esp-aes-192-cbc | esp-aes-256-cbc | esp-null] [esp-md5-hmac | esp-sha-hmac]
AH and ESP protocol:
Syntax: crypto ipsec transform-set <setname> [ah-md5-hmac | ah-sha-hmac] [esp-des | esp-3des | esp-aes-128-cbc | esp-aes-192-cbc | esp-aes-256-cbc | esp-null] [esp-md5-hmac | esp-sha-hmac]
15. Set the mode to tunnel:
ProCurve(cfg-crypto-trans)# mode tunnel
16. If so desired, repeat steps 15 and 16 to configure another transform set.
17. Specify the traffic allowed over the tunnel in an ACL:
a. Create an extended ACL:
Syntax: ip access-list extended <listname>
b. Add deny statements for hosts not allowed to access the tunnel:
Syntax: deny ip [any | host <source A.B.C.D> | hostname <source hostname> | <source A.B.C.D> <wildcard bits>] [any | host <destination A.B.C.D> | hostname <destination hostname> | <destination A.B.C.D> <wildcard bits>]
For example:
ProCurve(config-ext-nacl)# deny ip host 192.168.10.112 any
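
An added example, not part of the HP manual: a Python check that reads transform-set commands written in the step 14 syntax and reports algorithm choices a reviewer would question before the set is bound to a tunnel. The review policy, the set names and the sample lines (including the global-mode prompt) are assumptions constructed for illustration.

```python
import re

# Keywords from the three syntax forms in step 14.
AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_ENC = {"esp-des", "esp-3des", "esp-aes-128-cbc", "esp-aes-192-cbc",
           "esp-aes-256-cbc", "esp-null"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
KNOWN = AH_AUTH | ESP_ENC | ESP_AUTH

# Review policy: an assumption of this example, not taken from the manual.
WEAK = {
    "esp-null": "ESP without encryption",
    "esp-des": "single DES, 56-bit key",
    "esp-3des": "64-bit block cipher, prefer AES",
    "ah-md5-hmac": "HMAC-MD5, prefer the SHA option",
    "esp-md5-hmac": "HMAC-MD5, prefer the SHA option",
}

# Matches the command with or without a leading CLI prompt.
CMD = re.compile(r"^\s*(?:\S+#\s*)?crypto ipsec transform-set\s+(\S+)\s*(.*)$")

def audit(config):
    """Return {setname: [findings]} for every transform set in config."""
    report = {}
    for line in config.splitlines():
        m = CMD.match(line)
        if not m:
            continue
        name, words = m.group(1), m.group(2).split()
        issues = [f"{w}: unknown keyword" for w in words if w not in KNOWN]
        issues += [f"{w}: {WEAK[w]}" for w in words if w in WEAK]
        has_enc = any(w in ESP_ENC for w in words)
        has_auth = any(w in AH_AUTH | ESP_AUTH for w in words)
        if not has_enc:
            issues.append("no ESP encryption: payload is not confidential")
        elif not has_auth:
            issues.append("ESP encryption without an integrity algorithm")
        report[name] = issues
    return report

# Constructed sample input; set names are hypothetical.
SAMPLE = """\
ProCurve(config)# crypto ipsec transform-set LegacySet esp-des esp-md5-hmac
ProCurve(cfg-crypto-trans)# mode tunnel
ProCurve(config)# crypto ipsec transform-set SiteA esp-aes-256-cbc esp-sha-hmac
ProCurve(config)# crypto ipsec transform-set AuthOnly ah-sha-hmac
"""

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, "OK" if not issues else "; ".join(issues))
```
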


This manual is also suitable for:

Procurve secure router 7203dl j8753a j8753a
