Configuring The Transform Set - HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual


For these reasons, you are advised to always use IKE with IPSec.
However, if you are establishing a VPN with a site that does not support IKE,
you will have to use manual keying. To maintain security and reduce the
chance of misconfigurations, you should only use manual keying to connect
two sites managed by the same IT staff.
To configure a VPN with manual keying, you must complete all steps described
for configuring IPSec with IKE except those related to IKE phase 1. You must:
1. Install the IPSec VPN module and enable crypto commands.
2. Define the networks included in the VPN.
3. Configure a transform set.
4. Configure a crypto map entry.
5. Apply the crypto map to a WAN interface.
This section will explain how to configure a crypto map entry that uses manual
keying. (You perform the other steps exactly as you would to configure IPSec
with IKE. See "Configuring IPSec with IKE" on page 8-15 for instructions.)
When you use manual keying, you take over IKE's task during phase 2 and
define the keys for the IPSec SA. (The router does not establish a preliminary
SA, which eliminates the purpose of IKE phase 1.)
In the crypto map entry, you must define:
- hash and/or encryption algorithms (in a transform set)
- inbound and outbound SPIs
- a unique inbound key for each algorithm
- a unique outbound key for each algorithm
- an IPSec SA lifetime
You must also define:
- the peer's remote ID
- traffic allowed to access the tunnel

Configuring the Transform Set

The transform set contains the algorithms used to secure data. You create the
transform set from the global configuration mode context with this command:
Syntax: crypto ipsec transform-set <setname> [ah-sha-hmac | ah-md5-hmac] [esp-aes-256-cbc | esp-aes-192-cbc | esp-3des | esp-aes-128-cbc | esp-des | esp-null] [esp-sha-hmac | esp-md5-hmac]
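
An added example, not taken from the HP manual: a small Python check that parses crypto ipsec transform-set lines using the option groups in the syntax above and reports weak or missing algorithms. The audit policy, the in-order parsing of the groups and the sample set names are assumptions of this example.

```python
import re

# Option groups, in the order given by the syntax line on this page.
GROUPS = [
    ("ah", {"ah-sha-hmac", "ah-md5-hmac"}),
    ("esp-cipher", {"esp-aes-256-cbc", "esp-aes-192-cbc", "esp-3des",
                    "esp-aes-128-cbc", "esp-des", "esp-null"}),
    ("esp-auth", {"esp-sha-hmac", "esp-md5-hmac"}),
]
# Audit policy: an assumption of this example, not a rule from the manual.
WEAK = {
    "esp-des": "DES has a 56-bit key",
    "esp-3des": "3DES is a legacy 64-bit block cipher",
    "ah-md5-hmac": "MD5 is deprecated",
    "esp-md5-hmac": "MD5 is deprecated",
}
LINE = re.compile(r"^\s*crypto ipsec transform-set\s+(\S+)\s*(.*)$")

def audit_transform_set(line):
    """Return (setname, findings) for one transform-set line, or None."""
    m = LINE.match(line)
    if not m:
        return None
    name, tokens = m.group(1), m.group(2).split()
    findings, chosen, pos = [], {}, 0
    for tok in tokens:
        # Advance through the groups in order; each group may be used once.
        while pos < len(GROUPS) and tok not in GROUPS[pos][1]:
            pos += 1
        if pos == len(GROUPS):
            findings.append(f"syntax: '{tok}' is unknown, repeated or out of order")
            break
        chosen[GROUPS[pos][0]] = tok
        pos += 1
        if tok in WEAK:
            findings.append(f"weak: {tok} ({WEAK[tok]})")
    if chosen.get("esp-cipher", "esp-null") == "esp-null":
        findings.append("policy: traffic is not encrypted")
    if "ah" not in chosen and "esp-auth" not in chosen:
        findings.append("policy: no integrity algorithm (AH or ESP HMAC)")
    return name, findings

# Constructed sample lines (the set names are made up).
SAMPLE = ["crypto ipsec transform-set Strong esp-aes-256-cbc esp-sha-hmac",
          "crypto ipsec transform-set Old esp-des esp-md5-hmac"]
if __name__ == "__main__":
    for line in SAMPLE:
        print(audit_transform_set(line))
```
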
Virtual Private Networks
Configuring a VPN Using IPSec
8-65

This manual is also suitable for:

Procurve secure router 7102 dl