Client-To-Site Configuration; Configuring A Remote Id List For A Vpn That Uses Digital Certificates - HP 7102dl - ProCurve Secure Router Configuration Manual

ProCurve Secure Router 7000dl Series - Advanced Management and Configuration Guide

Virtual Private Networks
Configuring a VPN Using IPSec
Note
You should identify the peer in the way best supported by your organization's
policies. You can also use the wildcard character (*) to ease configuration.
For example, if you are connecting multiple sites that all use your
organization's domain name, you might want to enter an FQDN that consists of a
wildcard character and your organization's domain name so that you only have
to enter one command. This option is, of course, less secure.
For example, you could configure both routers shown in figure 10-6 with this
remote ID for the peer:
ProCurve(config)# crypto ike remote-id fqdn *procurve.com preshared-key mysecret
If the routers are using IKE main mode, you must use an IP address for the
remote ID.

Client-to-Site Configuration

When your organization uses preshared keys, you may specify the peer's
remote ID as any. For example, enter:
ProCurve(config)# crypto ike remote-id any preshared-key mysecret
You can also use the wildcard character with your organization's domain name
or with a set of email addresses if the ID applies to all remote clients. The
remote ID is purely for identifying the client; email addresses do not have to
be valid. See Table 10-13 on page 10-33 for the command syntax for specifying
the remote ID.
IKE main mode requires an IP address for the remote ID. You can use any
rather than a domain name or email address if your VPN uses main mode.
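
An added example (not from the HP manual): a small Python audit that parses crypto ike remote-id lines from a saved configuration and flags any, wildcard IDs, preshared keys shared across entries, and, when main mode is in use, IDs that are not IP addresses. The sample configuration is constructed; the parser assumes only the fqdn and any forms shown on this page and treats the token after remote-id as the ID type.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample; uses only the 'fqdn' and 'any' forms shown on this page.
SAMPLE_CONFIG = """\
crypto ike remote-id fqdn *procurve.com preshared-key mysecret
crypto ike remote-id fqdn siteb.procurve.com preshared-key mysecret
crypto ike remote-id any preshared-key clientsecret
"""

LINE_RE = re.compile(
    r"^\s*crypto ike remote-id\s+(?:(any)|(\S+)\s+(\S+))\s+preshared-key\s+(\S+)\s*$")

def parse_remote_ids(config):
    """Return one dict per 'crypto ike remote-id ... preshared-key ...' line."""
    entries = []
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if m:
            is_any, id_type, value, key = m.groups()
            entries.append({"type": "any" if is_any else id_type,
                            "value": "any" if is_any else value, "key": key})
    return entries

def is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False

def audit(entries, main_mode=False):
    """Return (remote ID, finding) pairs; key values are never echoed."""
    findings, by_key = [], defaultdict(list)
    for e in entries:
        by_key[e["key"]].append(e["value"])
        if e["type"] == "any":
            findings.append((e["value"], "matches every peer"))
        elif "*" in e["value"]:
            findings.append((e["value"], "wildcard covers multiple peers"))
        # Main mode: the remote ID must be an IP address (or 'any').
        if main_mode and e["type"] != "any" and not is_ip(e["value"]):
            findings.append((e["value"], "main mode needs an IP address ID"))
    for values in by_key.values():
        if len(values) > 1:
            findings.append((", ".join(values), "preshared key reused"))
    return findings
```

Call audit(parse_remote_ids(text), main_mode=True) on a saved configuration to list the entries that deserve a narrower remote ID or a separate key.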
Configuring a Remote ID List for a VPN that Uses Digital Certificates
If your VPN uses digital certificates, you must enter the remote ID specified
in the peer's digital certificate. A digital certificate can identify a host in several
different ways including:
IP address
FQDN
email address
ASN-DN


This manual is also suitable for: ProCurve Secure Router 7203dl J8753A