Applying the ACL to a Crypto Map - HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual


Virtual Private Networks
Configuring a VPN Using IPSec
8-38
To permit traffic from Site A to Site B, you enter:
ProCurve(config-ext-nacl)# permit ip 10.1.0.0 0.0.15.255 10.1.16.0 0.0.15.255
You can also use wildcard bits to include only part of a subnet, according to
the topology of your VPN.
Client-to-Site Configuration. The router uses IKE mode config to assign
remote users addresses on the private network after they have established an
IKE SA with the router. (Refer to "Granting Remote Users a Private Network
Address with IKE Mode Config (Required for Client-to-Site VPNs)" on page
8-47 for more information on IKE mode config.) In the permit statement, the
local network is the source. The addresses in the IKE client configuration pool
used for the connection are the destination:
ProCurve(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 100.1.1.0 0.0.0.255
For more information on configuring ACLs, see Chapter 5: Applying Access
Control to Router Interfaces.

Applying the ACL to a Crypto Map

After configuring the ACL, you should associate it with a crypto map entry.
Create the crypto map entry and move to the crypto map configuration mode
context. (You will learn how to configure a crypto map in "Crypto Maps" on
page 8-42.)
From the crypto map configuration mode context, enter:
Syntax: match address <ACL listname>
For example:
ProCurve(config-crypto-map)# match address VPNTraffic
Remember that the ACL defines the traffic permitted over an individual VPN
tunnel. That is, it defines, according to source and destination IP address,
which packets will be secured by a specific IPSec SA. Even though you can
add any number of permit and deny statements to the ACL, you should only
add statements for traffic destined to networks behind a single gateway
device. If your VPN connects multiple remote sites, you will need to configure
an ACL and crypto map entry for each site.
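
An added example, not from the HP manual: a Python audit sketch that applies the wildcard-bit matching of the permit statements above and reports which remote sites an ACL's destinations reach, so an ACL that spans more than one gateway can be caught before it is bound with match address. The site inventory (SiteB, SiteC), the over-broad ACL and all function names are assumptions constructed for illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_permit(line):
    """Parse 'permit ip <src> <src-wildcard> <dst> <dst-wildcard>', the form shown on this page."""
    tok = line.split()
    if len(tok) != 6 or tok[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL entry: {line!r}")
    return tuple(ip(t) for t in tok[2:])

def matches(entry, src, dst):
    """True if a packet src -> dst is selected; wildcard 1-bits are 'don't care'."""
    s, sw, d, dw = entry
    return ((ip(src) ^ s) & ~sw & MASK32) == 0 and ((ip(dst) ^ d) & ~dw & MASK32) == 0

def sites_reached(acl_lines, sites):
    """Names of the sites whose network overlaps any permit destination in the ACL."""
    hit = set()
    for line in acl_lines:
        _, _, d, dw = parse_permit(line)
        for name, cidr in sites.items():
            net = ipaddress.IPv4Network(cidr)
            n, m = int(net.network_address), int(net.netmask)
            # Overlap exists when the two patterns agree on every bit both of them fix.
            if ((d ^ n) & ~dw & m & MASK32) == 0:
                hit.add(name)
    return hit

# Constructed inventory: SiteB matches the page's example, SiteC is hypothetical.
SITES = {"SiteB": "10.1.16.0/20", "SiteC": "10.1.32.0/20"}
GOOD_ACL = ["permit ip 10.1.0.0 0.0.15.255 10.1.16.0 0.0.15.255"]  # from the page
WIDE_ACL = ["permit ip 10.1.0.0 0.0.15.255 10.1.0.0 0.0.63.255"]   # constructed, too broad

if __name__ == "__main__":
    for label, acl in (("GOOD_ACL", GOOD_ACL), ("WIDE_ACL", WIDE_ACL)):
        reached = sorted(sites_reached(acl, SITES))
        verdict = "ok" if len(reached) == 1 else "split into one ACL and crypto map entry per site"
        print(f"{label}: reaches {reached} -> {verdict}")
```

The overlap test works on wildcard bits directly, so it also handles non-contiguous wildcards that cannot be written as a prefix length.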


This manual is also suitable for:

Procurve secure router 7102 dl
