Configuring A Vpn Using Ipsec With Manual Keying - HP 7102dl - ProCurve Secure Router Configuration Manual

Virtual Private Networks
Configuring a VPN Using IPSec
N o t e
10-64
For example to delete the self certificate shown in Figure 10-12, enter:
ProCurve(config)# crypto ca certificate chain MyCA
ProCurve(config-cert-chain)# no certificate 3f9fdcd9
The Secure Router OS uses the commands in the certificate chain command
set to load certificates. You should only use these commands to delete certif-
icates.
Managing CRLs. A CRL is a list of digital certificate subscribers. It includes
information about each subscriber's certificates, including:
current status
date of issue
CA from which the certificate was obtained
The CRL also lists revoked certificates, accompanied by the cause for the
revocation.
IKE uses the CRL to help determine whether a peer can be trusted to connect
over the VPN tunnel. To keep your private network secure, you should make
sure that the CA profile contains an up-to-date CRL.
To delete a CRL:
1. Access the certificate chain command set for the corresponding CA
profile:
Syntax: crypto ca certificate chain <profile name>
2. Delete the CRL:
ProCurve(config-cert-chain)# no crl
If the ProCurve Secure Router OS does not contain a CRL, the router will
accept all certificates signed by the CA as authentic.

Configuring a VPN using IPSec with Manual Keying

IKE manages the generation of keys automatically using the Diffie-Hellman
key exchange protocol. Using IKE offers several advantages. IKE:
relieves an often over-extended IT staff from configuring cumbersome
keys
eliminates the need to communicate keys between two sites, thus closing
a vulnerability window
periodically changes keys for heightened security