HP 7102dl - ProCurve Secure Router Configuration Manual page 593

ProCurve Secure Router 7000dl Series - Advanced Management and Configuration Guide

c. Add permit statements from the local VPN networks to the network addresses in the IKE mode config pool:
Syntax: permit ip [any | host <source A.B.C.D> | hostname <source hostname> | <source A.B.C.D> <wildcard bits>] [any | host <destination A.B.C.D> | hostname <destination hostname> | <destination A.B.C.D> <wildcard bits>]
Use wildcard bits, which operate on the reverse logic of subnet masks, to specify the range of addresses. The destination network address is the network that contains the addresses specified for the IKE mode config pool. For example:
ProCurve(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
18. Configure a crypto map entry:
Syntax: crypto map <mapname> <map index> ipsec-ike
19. You can associate the crypto map entry with the IKE policy configured
for the remote peer.
Syntax: ike-policy <policy number>
20. Assign up to six transform sets to the crypto map entry:
Syntax: set transform-set <setname1> [<setname2>] [<setname3>] [<setname4>] [<setname5>] [<setname6>]
21. Apply the ACL to the crypto map entry:
Syntax: match address <ACL listname>
22. Set the IPSec SA lifetime (unless you accept the default). You can configure it in kilobytes, seconds, or both:
Syntax: set security-association lifetime [kilobytes <kilobytes> | seconds <seconds>]
23. If the router is also connecting to remote sites, configure a map entry for
each site. (See "Configuring a Site-to-Site VPN" on page 10-90.) Use the
same mapname for each entry, but a different map index number.
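
The check below is an added example, not part of the HP manual: it parses a permit ip statement in the syntax from step c, applies wildcard bits as the inverse of a subnet mask, and lists any IKE mode config pool addresses that the destination selector does not match. The pool range is a constructed value, and hostname selectors are rejected because resolving them needs DNS.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _selector(tokens):
    """Consume one address selector; return (address, wildcard) as integers."""
    kind = tokens.pop(0)
    if kind == "any":
        return 0, 0xFFFFFFFF
    if kind == "host":
        return _ip(tokens.pop(0)), 0
    if kind == "hostname":
        raise ValueError("hostname selectors need DNS resolution; not handled offline")
    return _ip(kind), _ip(tokens.pop(0))

def parse_permit(line):
    """Parse 'permit ip <source> <destination>' into two (address, wildcard) selectors."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError("not a 'permit ip' statement")
    tokens = tokens[2:]
    src, dst = _selector(tokens), _selector(tokens)
    if tokens:
        raise ValueError("unexpected trailing tokens: %r" % tokens)
    return src, dst

def matches(selector, ip):
    """A set wildcard bit means 'ignore this bit'; all other bits must be equal."""
    addr, wildcard = selector
    return ((_ip(ip) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def wildcard_from_mask(mask):
    """Wildcard bits are the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(_ip(mask) ^ 0xFFFFFFFF))

def pool_gaps(line, pool_first, pool_last):
    """Return the pool addresses that the destination selector does NOT match."""
    _, dst = parse_permit(line)
    pool = (str(ipaddress.IPv4Address(i)) for i in range(_ip(pool_first), _ip(pool_last) + 1))
    return [ip for ip in pool if not matches(dst, ip)]

# Statement taken from the manual's example; the pool range is constructed.
STATEMENT = "permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255"
POOL = ("192.168.100.10", "192.168.100.50")

if __name__ == "__main__":
    print("wildcard for 255.255.255.0:", wildcard_from_mask("255.255.255.0"))
    print("pool addresses not covered:", pool_gaps(STATEMENT, *POOL))
```

A non-empty result means clients assigned those pool addresses would not match the ACL that step 21 applies to the crypto map entry.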
Virtual Private Networks
Quick Start
10-99


This manual is also suitable for:

ProCurve Secure Router 7203dl J8753A
