Configuring A Peer's Remote Id And Preshared Key - HP 7102dl - ProCurve Secure Router Configuration Manual

ProCurve Secure Router 7000dl Series - Advanced Management and Configuration Guide

Virtual Private Networks
Configuring a VPN Using IPSec
If the peers discover NAT, they encapsulate packets in a UDP/IP header.
The peer behind the NAT device should also send a one-byte UDP packet that
ensures that it keeps the same NAT assignment for the duration of the VPN
tunnel.
You specify whether the ProCurve Secure Router will allow a peer to use
NAT-T in the IKE policy used to negotiate an IKE SA with that peer. Enter the
following command from the IKE policy configuration mode context to set
the NAT-T policy:
Syntax: nat-traversal [v1 | v2] [allow | disable | force]
By default, the router allows a peer to request either NAT-T version 1 or
NAT-T version 2. Enter the following commands to return the router to the defaults:
ProCurve(config-ike)# nat-traversal v1 allow
ProCurve(config-ike)# nat-traversal v2 allow
NAT-T may affect performance because it adds 200 bytes to the IKE security
association negotiations and 20 bytes to each IPSec packet. Also, IPSec must
use ESP rather than AH to encapsulate the packet. If you want to prevent peers
from using a particular NAT-T version or from using NAT-T at all, use the
disable keyword. For example:
ProCurve(config-ike)# nat-traversal v1 disable
If, on the other hand, you want the router to end negotiations unless the peer
agrees to use NAT-T, use the force keyword with one of the version options.

Configuring a Peer's Remote ID and Preshared Key

You should add the peer's remote ID to a list configured from the global
configuration mode context. IKE uses the settings configured in this list when
negotiating an IKE SA with a remote peer. In particular, IKE uses the
information specified in this list to authenticate the peer. When using preshared keys
as the authentication method, you must also associate the remote ID with a
preshared key. This list is like a username and password database for the VPN:
the remote ID is like the username, and the preshared key is like the password.
Enter one of the commands shown in Table 10-13 for each peer with which
you want to establish a VPN connection. For example, enter this command
from the global configuration mode context:
ProCurve(config)# crypto ike remote-id fqdn siteb.procurve.com preshared-key mysecret
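
Because the remote ID list works like a username and password database, it can be audited like one. The following script is an added example, not part of the ProCurve manual: it scans configuration text for remote-id entries in the form shown above and reports preshared keys that are short, simple, or shared between peers. The length threshold, the character-class rule, and every sample line except the first are assumptions made for the example.

```python
import re
from collections import defaultdict

# Matches the command form shown on this page. The ID type is captured
# generically because only the fqdn form appears here.
ENTRY = re.compile(r"crypto ike remote-id (\S+) (\S+) preshared-key (\S+)")
MIN_LEN = 20  # assumed local policy threshold, not a router limit
CLASSES = ("[a-z]", "[A-Z]", "[0-9]", "[^a-zA-Z0-9]")


def audit_remote_ids(config_text):
    """Return {remote_id: [findings]} for each entry with a weak or shared key."""
    matches = map(ENTRY.search, config_text.splitlines())
    entries = [m.groups() for m in matches if m]

    # Group remote IDs by key so that reuse across peers can be reported.
    peers_by_key = defaultdict(list)
    for _id_type, remote_id, key in entries:
        peers_by_key[key].append(remote_id)

    findings = defaultdict(list)
    for _id_type, remote_id, key in entries:
        if len(key) < MIN_LEN:
            findings[remote_id].append("key shorter than %d characters" % MIN_LEN)
        if sum(bool(re.search(c, key)) for c in CLASSES) < 3:
            findings[remote_id].append("key uses fewer than 3 character classes")
        others = sorted(p for p in peers_by_key[key] if p != remote_id)
        if others:
            findings[remote_id].append("key shared with " + ", ".join(others))
    return dict(findings)


# Constructed sample: the first line is the page's example, the others are invented.
SAMPLE = """\
crypto ike remote-id fqdn siteb.procurve.com preshared-key mysecret
crypto ike remote-id fqdn sitec.example.net preshared-key mysecret
crypto ike remote-id fqdn sited.example.net preshared-key t7#Qw9!zLp2@Vx5&Rk8mB
"""

if __name__ == "__main__":
    for peer, problems in audit_remote_ids(SAMPLE).items():
        print(peer, "->", "; ".join(problems))
```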
