HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 404

Virtual Private Networks
Configuring a VPN Using IPSec
Parameter
peer ID (for establishing
communications)
peer ID (for identification
in a remote ID list)
8-18
Table 8-6. Authorized Peer ID
Options
• public IP address (site-to-
site)
• any (client-to-site)
• public IP address
• domain name
• email address
• ASN distinguished name
(when using digital
certificates only)
• any
You must configure the peer's ID in an IKE policy. The IKE policy controls the
initiation of the IKE process. Setting a peer's address in the IKE policy allows
IKE to send the first IKE message to it, establish an IKE SA, and, ultimately,
open a VPN connection.
You should also add a remote ID for each peer (together with a preshared key,
if used) to a list configured from the global configuration mode context.
If you want your ProCurve Secure Router to initiate IKE with a peer, you
should configure the ID for this peer in a crypto map entry. When the router
needs to create a VPN tunnel to a peer, it uses the ID set in the crypto map to
reference an IKE policy.
You can map different peers to different crypto map entries and/or IKE policies
to create various security levels according to your organization's needs.
VPN Traffic. You must also specify which LANs will connect through the
VPN by matching the crypto map entry to an extended access control list
(ACL). In the ACL, you add entries permitting traffic from a local network to
a remote network.
For a client-to-site VPN, the remote network is the addresses on the private
network that IKE mode config assigns to clients.
Table 8-7 refers you to the sections in which you will learn how to configure
the selectors for VPN traffic.
Default Configured in
no default • IKE policy
• crypto map entry
no default remote ID and
preshared key list
Reference
page 8-24
page 8-42
page 8-32