Configuring a VPN Using IPSec; Configuring IPSec with IKE - HP ProCurve Secure Router 7203 dl Advanced Management and Configuration Manual


Configuring a VPN Using IPSec

In order to establish a VPN connection, you must define how the IPSec SA is
to be negotiated and with what peers. The IPSec SA can be created either
manually or using IKE. This guide will focus on IKE configuration, which is
recommended. (To learn how to configure an IPSec SA manually, see "Configuring
a VPN using IPSec with Manual Keying" on page 8-64.)

Configuring IPSec with IKE

Your role is primarily to give IKE the information it needs to carry out IKE
phase 1 and phase 2 with an authorized peer. You must also inform the router
of what traffic to include in the VPN. VPN settings break down into five general
categories:

- policies proposed during IKE phase 1 (IKE SA definitions)
- policies proposed during IKE phase 2 (IPSec SA definitions)
- authorized peer IDs
- VPN traffic (defined in an access control list [ACL])
- authentication information

Policies for IKE Phase 1 (IKE SA Establishment). You must configure
at least one IKE policy. For each policy, you must define:

- the peer with which the router exchanges IKE messages
- the modes in which the router can initiate and respond to IKE
- the security parameter proposals

You configure the security parameter proposals in an attribute policy. Each
policy contains an authentication method, a hash algorithm, and an encryption
algorithm. You also select the Diffie-Hellman group, which specifies the length
of the prime number used to generate shared keys, and the lifetime for the SA.

When the ProCurve Secure Router cannot find a match for a peer's IKE policy
proposals, it terminates the connection. Therefore, you must be careful to
configure the same settings on both sides of the connection. You can configure
multiple attribute policies for an IKE policy to maximize the chances that
peers come to an agreement.

You can refer to Table 8-3 for a summary of policies you can configure for the
IKE SA. Each setting must match the peer's setting.
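
The matching rule described above can be checked offline before a tunnel is brought up. The following is an added example, not code from the HP manual or the router's software: it models attribute policies as records, reports the proposal two peers would agree on, and, when there is none, names the fields that differ in the nearest pair. The field names, the sample values, and the treatment of every field (including lifetime) as an exact match, following the statement that each setting must match, are assumptions of this sketch.

```python
from typing import List, NamedTuple, Optional, Tuple

class AttributePolicy(NamedTuple):
    """One IKE phase 1 proposal (field names are this example's own)."""
    auth: str          # authentication method
    hash_alg: str      # hash algorithm
    encryption: str    # encryption algorithm
    dh_group: int      # Diffie-Hellman group
    lifetime: int      # IKE SA lifetime in seconds

Policies = List[AttributePolicy]

def negotiate(initiator: Policies, responder: Policies) -> Optional[AttributePolicy]:
    """Return the first initiator proposal the responder also has configured.

    None models the router terminating the connection for lack of a match.
    """
    for proposal in initiator:
        if proposal in responder:
            return proposal
    return None

def closest_mismatch(local: Policies, remote: Policies
                     ) -> Optional[Tuple[AttributePolicy, AttributePolicy, List[str]]]:
    """Find the local/remote pair that differs in the fewest fields."""
    best = None
    for a in local:
        for b in remote:
            diff = [f for f in AttributePolicy._fields if getattr(a, f) != getattr(b, f)]
            if best is None or len(diff) < len(best[2]):
                best = (a, b, diff)
    return best

# Constructed sample configurations (not taken from the manual).
LOCAL = [
    AttributePolicy("pre-share", "sha1", "aes-256", 5, 28800),
    AttributePolicy("pre-share", "sha1", "3des", 2, 28800),
]
PEER_OK = [AttributePolicy("pre-share", "sha1", "3des", 2, 28800)]
PEER_BAD = [AttributePolicy("pre-share", "md5", "3des", 2, 86400)]

if __name__ == "__main__":
    print("agreed:", negotiate(LOCAL, PEER_OK))
    if negotiate(LOCAL, PEER_BAD) is None:
        _, _, diff = closest_mismatch(LOCAL, PEER_BAD)
        print("no match; nearest pair differs in:", diff)
```

Listing several attribute policies on one side only helps if at least one of them is identical, field for field, to a policy on the other side.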

This manual is also suitable for:

ProCurve Secure Router 7102 dl
