Initiate And Response Mode - HP 7102dl - ProCurve Secure Router Configuration Manual

Virtual Private Networks
Configuring a VPN Using IPSec
Parameter Options
initiate mode • aggressive
• main
respond mode • aggressive
• main
• any mode
10-26
Client-to-Site Configuration. A client-to-site VPN connects mobile users
(such as telecommuters) to a private network through the individual users'
Internet connection. It would not be feasible for you to configure a peer ID
for each mobile user, even if they all had a static IP addresses. You should
allow IKE to establish a VPN tunnel with any peer:
ProCurve(config-ike)# peer any
This setting does not open a security breach because the peer must still
authenticate itself with a preshared key or digital certificate.
Default IKE Policy. An IKE policy whose peer is set to any also acts as the
default policy. You can store only one such policy in the running-config. You
should always assign this policy the highest index number (lowest priority)
so that the router will process other policies, matching specific peers, first.

Initiate and Response Mode

By default, an IKE policy allows the router to initiate IKE in main mode and
respond to IKE in any mode. Depending on your VPN topology and security
needs, you might need to alter these settings. The local router must be able to
respond to the mode in which the remote peer initiates. If the local router
initiates IKE, it must do so in a mode to which the remote peer can respond.
And, of course, at least one peer must be able to initiate and the other, to
respond.
View Table 10-11 for guidelines on how you should configure IKE modes to
connect to various types of peers.
Table 10-11. IKE Modes
Default
main
any mode
Static peer Dynamic peer
match peer's no initiate
respond mode
match peer's match peer's
initiate mode initiate mode
Mobile peer
no initiate
match peer's
initiate mode