HP 7102dl - ProCurve Secure Router Configuration Manual page 511

Parameter
*hash algorithm
*encryption algorithm
*PFS group
*IPSec SA lifetime
Refer to Table 10-5 for a summary of how you configure security policies for
the IPSec SA. You do not have to specify the same algorithms and other options
for the IKE SA and the IPSec SA. However, you must be sure to configure IPSec
proposals that match your peer's.
Table 10-5. Policies for IKE Phase 2: IPSec SA Establishment *Must Match Peer
Options
• MD5
• SHA
• DES
• 3DES
• AES (192-bit)
• AES (128-bit)
• AES (256-bit)
• Diffie-Hellman group 1
• Diffie-Hellman group 2
• 2560 to 536870912
kilobytes
• 120 to 86,400 seconds (2
minutes to 24 hours)
Authorized Peer ID. Typically, for a site-to-site VPN, the peer's remote ID
is the IP address of the interface on the remote router that connects to the
Internet. The remote ID can also be the device's domain name.
For a client-to-site VPN, you may need to allow remote users from many
different locations. You should configure the ID for connecting to the mobile
users as any. You have several options for configuring the ID that IKE will use
when authenticating peers—for example, a wildcard email address purely as
an identifier.
You configure the ID for the peers authorized to form the remote endpoint of
the VPN tunnel in several locations (see Table 10-6):
IKE policy
remote ID and preshared key list
crypto map entry
Default Configured in
no default transform set (which is
then associated with a
crypto map entry)
no default transform set (which is
then associated with a
crypto map entry)
PFS not used crypto map entry
8 hours crypto map entry
Virtual Private Networks
Configuring a VPN Using IPSec
Reference
page 10-40
page 10-40
page 10-42
page 10-42
10-17