Vpn Overlay - HP 7102dl - ProCurve Secure Router Configuration Manual

Table 10-2. IKE Phase 2 Exchanges
IKE Phase 2 Exchange
security proposal
Diffie-Hellman key
generation

VPN Overlay

You can also establish a VPN using Generic Routing Encapsulation (GRE)
tunneling. A GRE tunnel establishes a virtual point-to-point connection
between two routers across a common, public network such as the Internet.
You configure a tunnel that uses an address in the private network. The tunnel
endpoints, however, use public IP addresses. The router encapsulates traffic
that arrives on the tunnel with a GRE header and a new IP header, with a
destination address of the remote tunnel endpoint.
The new IP header allows traffic to cross the public network to the remote
tunnel endpoint. The GRE header renders the payload transparent to inter-
vening routers in the public network. Only at the remote tunnel endpoint can
a router decapsulate packets and send them on to their private network
destination. In this way, traffic crosses from point to point in the private
network through the public network, as if the public network did not exist.
GRE tunnels therefore offer some of the same advantages as a VPN estab-
lished using IPSec:
a virtual private point-to-point connection between remote routers
a private connection carried cost-effectively through a public network
Disadvantages of GRE include:
because packets are not encrypted, the tunnel is less secure
each tunnel must be manually configured
Message Includes
• one to three
algorithms:
– AH hash
– ESP encryption
– ESP hash
• perfect forward
secrecy (Diffie-
Hellman) group
(optional)
• IPSec SA lifetime
public value
Virtual Private Networks
You Must Configure
• transform set
containing the
algorithm(s)
• crypto map entry
containing:
– transform set
– perfect forward
secrecy group
(optional)
– IPSec SA lifetime
—
Overview
Reference
page 10-40
—
10-13