HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 454


Virtual Private Networks
Configuring a VPN Using IPSec
Each crypto map entry should include one inbound and one outbound key for
the protocol(s) selected in the associated transform sets. If you have selected
more than one transform set, then the key must meet the longest minimum
length requirement.

When the router transmits a packet selected by this crypto map entry's ACL,
it encrypts and hashes the packet using the outbound keys. It also inserts the
outbound SPI into the IPSec header. When the peer router receives the packet,
it matches the SPI to an inbound session-key configured in its crypto map
entry. It then uses the associated keys to decrypt and de-hash the packet.
Therefore, you must match the outbound SPI and keys on one router to the
inbound SPI and keys on the peer router, and vice versa.

Table 8-21. Manual Keys

| Key Type | Function | Command Syntax | Key Matches |
|---|---|---|---|
| inbound ESP key | decrypts (and authenticates) data received from a peer | set session-key inbound esp <SPI> cipher <HEX key> [authenticator <HEX key>] | peer's outbound key |
| outbound ESP key | encrypts (and authenticates) data sent to a peer | set session-key outbound esp <SPI> cipher <HEX key> [authenticator <HEX key>] | peer's inbound key |
| inbound AH key | authenticates data received from a peer | set session-key inbound ah <SPI> <HEX key> | peer's outbound key |
| outbound AH key | authenticates data sent to a peer | set session-key outbound ah <SPI> <HEX key> | peer's inbound key |

Other Crypto Map Entry Configurations. In the crypto map entry, you
must also define the peer's remote ID—its public IP address. For example,
enter:

ProCurve(config-crypto-map)# set peer 10.2.2.1

You also must match the crypto map to an ACL. This ACL should permit traffic
between the local and remote networks that are included in the VPN:

ProCurve(config-crypto-map)# match address VPNTraffic

See "Crypto Maps" on page 8-42 for more detailed discussion on setting these
and other parameters, such as the IPSec SA lifetime.
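The mirroring rule above (each router's outbound SPI and keys must equal the peer's inbound SPI and keys, and vice versa) can be checked before a change window. The following is an added example, not part of the HP manual: it parses the set session-key lines of two crypto map entries and reports mismatches. The function names, the sample entries and the assumption that SPIs are written in decimal are illustrative.

```python
import re

# Command grammar follows Table 8-21. Decimal SPIs are an assumption of this sketch.
LINE = re.compile(
    r"set session-key (inbound|outbound) (?:"
    r"esp (\d+) cipher ([0-9a-fA-F]+)(?: authenticator ([0-9a-fA-F]+))?"
    r"|ah (\d+) ([0-9a-fA-F]+))\s*$")
OPPOSITE = {"inbound": "outbound", "outbound": "inbound"}

def parse_session_keys(config):
    """Map (direction, protocol) -> (SPI, key material...) for one crypto map entry."""
    keys = {}
    for raw in config.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # other crypto map lines: set peer, match address, ...
        direction, esp_spi, cipher, auth, ah_spi, ah_key = m.groups()
        if esp_spi is not None:
            keys[(direction, "esp")] = (int(esp_spi), cipher.lower(), (auth or "").lower())
        else:
            keys[(direction, "ah")] = (int(ah_spi), ah_key.lower())
    return keys

def check_peers(local_cfg, peer_cfg):
    """Return mismatches between two entries; an empty list means they mirror each other."""
    local, peer = parse_session_keys(local_cfg), parse_session_keys(peer_cfg)
    problems = []
    for direction, proto in sorted(set(local) | {(OPPOSITE[d], p) for d, p in peer}):
        other = OPPOSITE[direction]
        mine, theirs = local.get((direction, proto)), peer.get((other, proto))
        if mine is None or theirs is None:
            problems.append(f"{proto}: local {direction} / peer {other} key missing on one side")
        elif mine[0] != theirs[0]:
            problems.append(f"{proto}: local {direction} SPI {mine[0]} != peer {other} SPI {theirs[0]}")
        elif mine[1:] != theirs[1:]:
            # Report the fact only; never echo key material into logs.
            problems.append(f"{proto}: local {direction} key differs from peer {other} key")
    return problems

# Constructed sample entries; the hex strings are placeholders, not usable keys.
ROUTER_A = """\
set session-key inbound esp 300 cipher 0123456789abcdef authenticator 00112233445566778899aabbccddeeff
set session-key outbound esp 400 cipher fedcba9876543210 authenticator ffeeddccbbaa99887766554433221100
"""
ROUTER_B = """\
set session-key inbound esp 400 cipher fedcba9876543210 authenticator ffeeddccbbaa99887766554433221100
set session-key outbound esp 300 cipher 0123456789abcdef authenticator 00112233445566778899aabbccddeeff
"""

if __name__ == "__main__":
    print(check_peers(ROUTER_A, ROUTER_B))  # mirrored entries
    print(check_peers(ROUTER_A, ROUTER_A))  # same lines pasted on both routers
```

The check does not validate key length against the transform set; that requirement still has to be confirmed against the router's documentation.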


This manual is also suitable for:

Procurve secure router 7102 dl
