How the ProCurve Secure Router Processes IKE Policies and Crypto Maps - HP ProCurve Secure Router 7203 dl Advanced Management and Configuration Manual

Virtual Private Networks
Configuring a VPN Using IPSec
Table 8-9. Inbound and Outbound Manually Configured Keys

| Parameter | Options | Default | Configured in | Reference |
|---|---|---|---|---|
| key protocol | AH, ESP | no default | crypto map, set session-key command | page 8-64 |
| SPI | 256 to 4294967295 | no default | crypto map, set session-key command | page 8-64 |
| encryption key | hex string | no default | crypto map, set session-key command | page 8-64 |
| authentication key | hex string | no default | crypto map, set session-key command | page 8-64 |

Table 8-9 displays the parameters that you must configure to establish IPSec keys manually.

You must also configure all other settings discussed for IPSec with IKE, except those for IKE phase 1.

How the ProCurve Secure Router Processes IKE Policies and Crypto Maps

When a packet arrives on a VPN interface, the ProCurve Secure Router follows a set procedure for deciding to which VPN tunnel it belongs, if any, and securing it according to the security policies established for that tunnel. (See Figure 8-3.)

As mentioned above, you can configure more than one crypto map entry and/or IKE policy. When you create a crypto map entry, you assign it an alphanumeric name and a map index between 0 and 65,535. Entries with the same name (but different index numbers) are grouped together as a single crypto map, which you assign to a WAN interface as a set.

When an outgoing packet is transmitted on the WAN interface, the ProCurve Secure Router reads the source and destination address in the packet's IP header. The router then searches the ACLs associated with the interface's crypto map to determine whether it needs to negotiate a VPN tunnel over which to send the packet. The router processes the ACL in the crypto map entry with the lowest number first. If the router does not find a match in this ACL, it begins processing the crypto map entry with the next highest number. If the router never finds a match, it discards the packet. If the router finds that the packet matches a crypto map entry, for which an active IPSec SA that also
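The lookup order described above, modeled in Python as an added example (it is not code from the manual or the router): entries sharing a name are sorted by map index, the first ACL match wins, and no match means the packet is discarded. The ACL model (source/destination CIDR pairs), the sample entries, and the `shadowed` audit helper, which flags entries that a lower-index entry always pre-empts, are assumptions made for illustration.

```python
# Added illustration: models the lookup order described above; not ProCurve code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Entry:
    name: str    # crypto map name; entries sharing a name form one crypto map
    index: int   # map index, 0 to 65,535
    acl: tuple   # assumed ACL model: (source CIDR, destination CIDR) selectors
    def __post_init__(self):
        if not 0 <= self.index <= 65535:
            raise ValueError(f"map index {self.index} outside 0-65535")

    def matches(self, src, dst):
        return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
                   for s, d in self.acl)

def crypto_map(entries, name):
    """Entries of one crypto map, in the order the router evaluates them."""
    return sorted((e for e in entries if e.name == name), key=lambda e: e.index)

def select_entry(entries, name, src, dst):
    """First entry whose ACL matches, lowest index first; None means discard."""
    return next((e for e in crypto_map(entries, name) if e.matches(src, dst)), None)

def shadowed(entries, name):
    """Indexes of entries that can never be selected: each of their selectors
    is covered by one selector of a lower-index entry in the same map."""
    ordered, hidden = crypto_map(entries, name), []
    for pos, entry in enumerate(ordered):
        earlier = [sel for e in ordered[:pos] for sel in e.acl]
        if all(any(ip_network(s).subnet_of(ip_network(es)) and
                   ip_network(d).subnet_of(ip_network(ed)) for es, ed in earlier)
               for s, d in entry.acl):
            hidden.append(entry.index)
    return hidden

# Constructed sample: crypto map "VPN" on the WAN interface, entered out of order.
ENTRIES = [
    Entry("VPN", 30, (("192.168.1.0/24", "10.1.5.0/24"),)),
    Entry("VPN", 20, (("192.168.0.0/16", "10.0.0.0/8"),)),
    Entry("VPN", 10, (("192.168.1.0/24", "10.1.0.0/16"),)),
    Entry("OTHER", 1, (("0.0.0.0/0", "0.0.0.0/0"),)),  # different map, never consulted
]

if __name__ == "__main__":
    hit = select_entry(ENTRIES, "VPN", "192.168.2.7", "10.2.0.1")
    print("selected entry:", hit.index, "| never selected:", shadowed(ENTRIES, "VPN"))
```

In the sample, entry 30 is never reached because entry 10 already covers its selectors, so traffic intended for entry 30's tunnel would be secured under entry 10's policy instead.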

This manual is also suitable for: ProCurve Secure Router 7102 dl