Attribute Policy - HP 7102dl - ProCurve Secure Router Configuration Manual

Virtual Private Networks
Configuring a VPN Using IPSec
10-28
Client-to-Site Configuration. The router cannot initiate IKE with mobile
users in a client-to-site configuration. Enter the following command:
ProCurve(config-ike)# no initiate
Setting the respond mode to main can cause problems in a client-to-site VPN:
main mode requires the peer to use an IP address for its ID, but you may need
to use a different type of ID for mobile users. Generally, you should keep the
default setting, anymode, which allows the router to respond to IKE in
either mode.

Attribute Policy

The attribute policy contains the security parameters IKE proposes in its first
phase 1 message:
authentication method
hash algorithm
encryption algorithm
IKE SA lifetime
Diffie-Hellman group
The authentication method determines whether peers will exchange pre-
shared keys or digital certificates before establishing the IKE SA. The hash
and encryption algorithms determine how data transmitted using the IKE SA
will be transformed. The Diffie-Hellman group specifies the length of the prime
number IKE will use when generating the keys for this transformation.
You must configure at least one attribute policy. Enter:
Syntax: attribute <policynumber>
The valid range for a policynumber is 1 to 65,535.
IKE always proposes the security parameters configured in the attribute
policy with the lowest number first. Numbering the first attribute policy you
configure higher than 1 leaves room for updates in your organization's security
policies. For example:
ProCurve(config-ike)# attribute 10
All attribute policy settings must match those of the peer. You can only
configure a single IKE policy for each peer. However, you can make IKE more
flexible and raise the chances of establishing a connection by configuring
multiple attribute policies for that IKE policy.