HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 413


Virtual Private Networks
Configuring a VPN Using IPSec
Site-to-Site Configuration. Typically, you can leave the initiate and
respond modes at their defaults.
However, if the remote router takes a dynamic address, the local router cannot
initiate IKE. To prevent the router from initiating IKE, enter:
ProCurve(config-ike)# no initiate
Conversely, if the WAN interface on your ProCurve Secure Router has a
dynamic address, it must initiate IKE. It will not, however, be able to respond
to IKE because the remote router will not know where to send the first IKE
message. You should configure the local router to initiate IKE only:
ProCurve(config-ike)# no respond
In addition to configuring the router to initiate and respond to IKE, you can
configure the mode in which it does so. You will recall that IKE main mode is
more secure, though it consumes more bandwidth. (See "IKE Phase 1" on page
8-8 in the chapter overview for information.)
To set the mode in which the router will respond to IKE, enter:
Syntax: respond [main | aggressive | anymode]
By default, the router is set to the anymode option. You can tighten security
by allowing the router to respond to IKE only in main mode. This option
is particularly attractive when your VPN uses preshared keys as the
authentication method. When they use aggressive mode, peers send their preshared
keys before exchanges are encrypted. When your router uses aggressive
mode, you risk making a connection with a peer whose identity has been
compromised. To prevent the router from responding to IKE aggressive mode,
enter:
ProCurve(config-ike)# respond main
Conversely, you can set the mode in which the router itself will initiate IKE:
Syntax: initiate [main | aggressive]
By default, the router initiates IKE in the more secure main mode. You can
allow the router to initiate IKE in aggressive mode. Be aware that although
this option speeds IKE negotiations, it can expose your authentication
information. Enter:
ProCurve(config-ike)# initiate aggressive
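
The following is an added example, not part of the HP manual: a small audit that applies the defaults described above (respond anymode, initiate main) to each IKE policy in a saved configuration and reports the policies that still accept or start aggressive mode. The sample configuration is constructed, and its "crypto ike policy <n>" block header and "!" separator are assumptions about the saved-config layout; only the respond and initiate commands come from this page.

```python
import re

# Defaults stated on this manual page: respond -> anymode, initiate -> main.
DEFAULTS = {"respond": "anymode", "initiate": "main"}

# Constructed sample. The "crypto ike policy <n>" header and "!" separator
# are assumptions about the saved-config layout, not taken from the page.
SAMPLE_CONFIG = """\
crypto ike policy 10
 no initiate
 respond main
!
crypto ike policy 20
 initiate aggressive
!
crypto ike policy 30
 no respond
!
"""

def parse_policies(text):
    """Return {policy_id: {"respond": mode, "initiate": mode}}; None = disabled."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"crypto ike policy (\S+)", line)
        if header:
            current = policies.setdefault(header.group(1), dict(DEFAULTS))
            continue
        if not raw[:1].isspace():
            current = None  # an unindented line ends the policy block
        if current is None:
            continue
        m = re.fullmatch(r"(no )?(respond|initiate)(?: (main|aggressive|anymode))?", line)
        if not m:
            continue
        negated, cmd, mode = m.groups()
        # A bare "respond"/"initiate" is assumed to restore the documented default.
        current[cmd] = None if negated else (mode or DEFAULTS[cmd])
    return policies

def audit(text):
    """Return (policy_id, finding) pairs for policies exposed to aggressive mode."""
    findings = []
    for pid, p in parse_policies(text).items():
        if p["respond"] in ("aggressive", "anymode"):
            findings.append((pid, f"responds in {p['respond']}: aggressive mode accepted"))
        if p["initiate"] == "aggressive":
            findings.append((pid, "initiates in aggressive mode"))
    return findings
```

Policy 20 in the sample is flagged twice: it never sets respond, so it inherits anymode, and it explicitly initiates in aggressive mode.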

This manual is also suitable for:

ProCurve Secure Router 7102 dl