HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 402


Virtual Private Networks
Configuring a VPN Using IPSec
Table 8-3. Policies for IKE Phase 1: IKE SA Establishment

| Parameter | Options | Default | Configured in | Reference |
|---|---|---|---|---|
| *hash algorithm | MD5; SHA | SHA | IKE attribute policy | page 8-28 |
| *encryption algorithm | DES; 3DES; AES (128-bit); AES (192-bit); AES (256-bit) | DES | IKE attribute policy | page 8-28 |
| *authentication method | preshared key; DSS digital certificate; RSA digital certificate | preshared key | IKE attribute policy | page 8-28 |
| *IKE SA lifetime | 60 to 86,400 seconds (1 minute to 1 day) | 8 hours | IKE attribute policy | page 8-28 |

*Must Match Peer

Table 8-4 displays parameters for the modes in which the router will initiate and respond to IKE.

Table 8-4. Policies for IKE Phase 1: IKE Mode

| Parameter | Options | Default | Configured in | Reference |
|---|---|---|---|---|
| initiate mode | aggressive; main | main | IKE policy | page 8-26 |
| respond mode | aggressive; main; any mode | any mode | IKE policy | page 8-26 |

Policies for IKE Phase 2 (IPSec SAs Establishment). You must configure the security parameters IKE proposes for the IPSec SA in a crypto map entry. Again, each policy must include a hash algorithm, and (if using ESP protocol) an encryption algorithm. You specify algorithms in one or more transform sets, which you then bind to the crypto map.

If you do not want IKE to refer to the keys created in IKE phase 1 when it generates the new keys for the IPSec SA, you must specify a perfect-forward secrecy (PFS) group. The PFS group defines the Diffie-Hellman group for the new keys.

You can also specify the lifetime for the VPN tunnel.
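The following is an added example, not taken from the HP manual: it audits a local and a peer IKE phase 1 policy against the options, defaults and must-match rule in Tables 8-3 and 8-4. The dictionary keys and function names are hypothetical (they are not router CLI syntax), the DES and MD5 warnings are an added check, and the mode check assumes a responder answers only its configured mode unless set to any mode.

```python
# Added example: audit IKE phase 1 settings against Tables 8-3 and 8-4.
# Keys and function names are hypothetical, not router CLI syntax.

MUST_MATCH = ("hash", "encryption", "authentication", "lifetime")  # starred rows
ALLOWED = {
    "hash": {"MD5", "SHA"},
    "encryption": {"DES", "3DES", "AES (128-bit)", "AES (192-bit)", "AES (256-bit)"},
    "authentication": {"preshared key", "DSS digital certificate",
                       "RSA digital certificate"},
    "initiate": {"aggressive", "main"},
    "respond": {"aggressive", "main", "any mode"},
}
# Router defaults from the tables; the 8-hour lifetime is expressed in seconds.
DEFAULTS = {"hash": "SHA", "encryption": "DES", "authentication": "preshared key",
            "lifetime": 8 * 3600, "initiate": "main", "respond": "any mode"}
DEPRECATED = {"hash": {"MD5"}, "encryption": {"DES"}}  # added check, not in manual


def audit(local, peer):
    """Return a sorted list of findings for a local/peer pair of policies."""
    a, b = {**DEFAULTS, **local}, {**DEFAULTS, **peer}
    findings = []
    for name, cfg in (("local", a), ("peer", b)):
        for key, allowed in ALLOWED.items():
            if cfg[key] not in allowed:
                findings.append(f"{name}: {key}={cfg[key]!r} is not an option")
        if not 60 <= cfg["lifetime"] <= 86400:
            findings.append(f"{name}: lifetime outside 60-86400 seconds")
        for key, weak in DEPRECATED.items():
            if cfg[key] in weak:
                findings.append(f"{name}: deprecated {key} {cfg[key]}")
        if (cfg["authentication"] == "preshared key"
                and "aggressive" in (cfg["initiate"], cfg["respond"])):
            findings.append(f"{name}: aggressive mode with preshared key")
    for key in MUST_MATCH:  # parameters marked *Must Match Peer
        if a[key] != b[key]:
            findings.append(f"mismatch: {key} {a[key]} != {b[key]}")
    # Assumption: a responder answers only its configured mode, or any mode.
    for src, dst, s, d in (("local", "peer", a, b), ("peer", "local", b, a)):
        if d["respond"] not in ("any mode", s["initiate"]):
            findings.append(f"mode: {dst} will not answer {src} {s['initiate']} mode")
    return sorted(findings)


# Constructed sample input: local router left at defaults, peer reconfigured.
SAMPLE_LOCAL = {}
SAMPLE_PEER = {"encryption": "AES (256-bit)", "respond": "main", "lifetime": 3600}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_LOCAL, SAMPLE_PEER)))
```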


This manual is also suitable for:

ProCurve Secure Router 7102 dl
