Crypto Maps - HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual


Virtual Private Networks
Configuring a VPN Using IPSec
You complete the first four steps in a single command entered from the global
configuration mode context. Refer to Table 8-14 for the exact command syntax
for configuring a transform set. Enter commands such as the following:
ProCurve(config)# crypto ipsec transform-set T1 ah-sha-hmac esp-3des
ProCurve(config)# crypto ipsec transform-set T2 ah-md5-hmac esp-aes-128-cbc esp-sha-hmac
ProCurve(config)# crypto ipsec transform-set T3 esp-des
ProCurve(config)# crypto ipsec transform-set T4 esp-3des esp-sha-hmac
The setname is alphanumeric.
If you want to use ESP transformation without encryption, use the esp-null
keyword. If you select this option, however, you must include an ESP hash
algorithm. For example:
ProCurve(config)# crypto ipsec transform-set T5 esp-null esp-md5-hmac
After you name the transform set and add the algorithms, you will enter the
transform set configuration mode context. Specify tunnel mode, which allows
the ProCurve Secure Router to act as a gateway device for hosts on
connected LANs:
ProCurve(cfg-crypto-trans)# mode tunnel
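
The following audit script is an added example, not part of the manual or of HP's tooling. It checks transform-set commands against the two rules stated above (alphanumeric setname, esp-null only with an ESP hash). The keyword lists cover only the keywords shown on this page, and the LEGACY set and the "no hash" finding are policy assumptions added here.

```python
import re

# Keywords limited to those shown on this page; Table 8-14 may list others.
AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_ENC = {"esp-des", "esp-3des", "esp-aes-128-cbc", "esp-null"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
KNOWN = AH_AUTH | ESP_ENC | ESP_AUTH
# Added policy assumption (not from the manual): single DES and HMAC-MD5 are legacy.
LEGACY = {"esp-des", "ah-md5-hmac", "esp-md5-hmac"}
CMD = re.compile(r"crypto\s+ipsec\s+transform-set\s+(\S+)\s*(.*)$")

def audit_line(line):
    """Return (setname, findings) for one transform-set command, else None."""
    m = CMD.search(line)
    if not m:
        return None
    name, words = m.group(1), m.group(2).split()
    findings = []
    if not name.isalnum():  # the manual: "The setname is alphanumeric."
        findings.append("setname is not alphanumeric")
    unknown = [w for w in words if w not in KNOWN]
    if unknown:
        findings.append("unrecognized keyword(s): " + " ".join(unknown))
    has_esp_hash = any(w in ESP_AUTH for w in words)
    if "esp-null" in words and not has_esp_hash:  # rule stated in the manual
        findings.append("esp-null requires an ESP hash algorithm")
    if not has_esp_hash and not any(w in AH_AUTH for w in words):
        findings.append("no AH or ESP hash: packets are not integrity-protected")
    findings += ["legacy algorithm: " + w for w in words if w in LEGACY]
    return name, findings

def audit_config(text):
    """Audit every transform-set command found in a block of configuration text."""
    hits = (audit_line(line) for line in text.splitlines())
    return {h[0]: h[1] for h in hits if h}

# Constructed sample: T1, T3, T5 follow the manual; T6 and T7 are deliberate mistakes.
SAMPLE = """\
ProCurve(config)# crypto ipsec transform-set T1 ah-sha-hmac esp-3des
ProCurve(config)# crypto ipsec transform-set T3 esp-des
ProCurve(config)# crypto ipsec transform-set T5 esp-null esp-md5-hmac
ProCurve(config)# crypto ipsec transform-set T6 esp-null
ProCurve(config)# crypto ipsec transform-set T7ah-sha-hmac esp-3des
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

T7 shows why the setname rule is worth checking: a missing space after the name silently drops the AH hash from the set.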

Crypto Maps

You configure a crypto map entry to specify the security parameters that IKE
will propose during phase 2. These settings determine what kind of
authentication and encryption keys will define and secure the VPN tunnel. You also
specify the peer with which the IPSec SA will be established and the networks
involved in the VPN.
For each crypto map, you must specify:
• peer's remote ID (unless the router will only respond to, not initiate, IPSec requests)
• hash and/or encryption algorithms (a transform set)
• the traffic carried over the VPN tunnel (an extended ACL)
You can optionally specify:
• a perfect forward secrecy (PFS) group
• an IPSec SA lifetime


This manual is also suitable for:

ProCurve Secure Router 7102 dl
