HP 7102dl - ProCurve Secure Router Configuration Manual page 502

ProCurve Secure Router 7000dl Series - Advanced Management and Configuration Guide

Virtual Private Networks
Overview
10-8
Defining an SA Manually. You can define the IPSec SA yourself, specifying
the algorithms to be used to secure data, defining the SA's SPI, and inputting
the actual keys. (See "Configuring a VPN using IPSec with Manual Keying" on
page 10-64.) However, because this method of configuration is relatively
insecure and complex, ProCurve Networking does not recommend it.
Defining an SA Using IKE. By far, the more secure and manageable solution
for VPN configuration is to allow IKE to negotiate the IPSec SA. IKE
regulates the process as hosts authenticate each other, agree upon hash and
encryption algorithms, and generate the unique keys used to secure packets.
Using IPSec with IKE provides increased security because keys are randomly
generated and periodically changed.
IKE also eases configuration. Your role is simply to configure IKE to exchange
messages with certain, authorized peers and to define the security parameters
that IKE proposes when negotiating the IPSec SA.
IKE
IKE follows a set process to negotiate the IPSec SA and passes through two
phases. The first phase establishes a preliminary tunnel, or IKE SA. The second
phase establishes the IPSec SA. When you understand this process, you will
find it much easier to configure your ProCurve Secure Router to make a VPN
connection.
IKE Phase 1. During phase 1, IKE must fulfill three tasks:
- negotiate security parameters for the IKE SA
- generate the keys used to secure data sent using the IKE SA
- authenticate the endpoints of the tunnel (the two hosts)
Typically, therefore, IKE phase 1 involves three exchanges between hosts, or
six total messages. (See Figure 10-2.)
Security parameters. In the first exchange, the host initiating the VPN
connection sends a message to the remote host, proposing one or more
security policies. Each policy specifies a hash algorithm, an encryption
algorithm, and an authentication method. The remote host searches its IKE
policies for one that matches one of the proposed policies. When it finds a
match, it returns these security parameters to the original host.
If the remote host cannot find a match, the VPN connection fails. This is why
it is very important that you match the IKE policies at both ends of the
connection.
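
The first-exchange matching described above, modeled as an added example (not code from the manual or from the router's software). It assumes proposals are checked in the initiator's order; the policy values are constructed labels, not ProCurve CLI keywords.

```python
from typing import NamedTuple, Optional, Sequence

class IkePolicy(NamedTuple):
    """The three attributes each IKE phase 1 policy specifies."""
    hash_alg: str
    encryption: str
    auth_method: str

def select_policy(proposed: Sequence[IkePolicy],
                  local: Sequence[IkePolicy]) -> Optional[IkePolicy]:
    """Responder side: return the first proposed policy that is also
    configured locally, or None (the VPN connection fails).
    Assumption: proposals are checked in the initiator's order."""
    local_set = set(local)
    for policy in proposed:
        if policy in local_set:
            return policy
    return None

def explain_mismatch(proposed, local):
    """For each proposal, name the fields that differ from the closest
    local policy, so a failed negotiation can be traced to a setting."""
    if not local:
        return []
    report = []
    for policy in proposed:
        closest = min(local, key=lambda l: sum(a != b for a, b in zip(policy, l)))
        diffs = [f for f, a, b in zip(policy._fields, policy, closest) if a != b]
        report.append((policy, closest, diffs))
    return report

# Constructed sample policies; the algorithm labels are illustrative only.
INITIATOR = [IkePolicy("sha1", "aes-256", "pre-share"),
             IkePolicy("md5", "3des", "pre-share")]
RESPONDER_OK = [IkePolicy("md5", "3des", "pre-share")]
RESPONDER_BAD = [IkePolicy("sha1", "aes-256", "rsa-sig")]

if __name__ == "__main__":
    print("match:", select_policy(INITIATOR, RESPONDER_OK))
    print("match:", select_policy(INITIATOR, RESPONDER_BAD))
    for policy, closest, diffs in explain_mismatch(INITIATOR, RESPONDER_BAD):
        print(policy, "differs from", closest, "in", diffs)
```

A policy counts as a match only when all three attributes are identical, so a single differing setting on one end is enough to make the negotiation fail.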

This manual is also suitable for:

Procurve secure router 7203dl j8753a j8753a