HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 473

4. Return the crypto map settings to the defaults:
ProCurve(config-crypto map)# no set pfs
ProCurve(config-crypto map)# no security-association lifetime
Try to ping the remote location from the local network. If the connection goes
up, you know that you had a problem with the security policies. You should
contact the IT staff at the remote site and agree upon which settings to use to
enforce your organization's security policies.
If the connection still does not go up, then the peer may not be using default
settings. You must contact the peer and bring your security settings into
agreement.
You can also try changing the IKE respond mode to anymode and the initiate
mode to the mode not currently used. Move to the IKE policy for the peer and
enter:
ProCurve(config-ike)# respond anymode
ProCurve(config-ike)# initiate [aggressive | main]
The peer may also be using different algorithms to secure the IPSec SA. The
Secure Router OS does not set any default algorithms for the permanent VPN
connection. You can try the settings automatically established when you
configure a VPN using the VPN wizard in the Web browser interface, which are:
ESP 3DES for the encryption key
ESP MD5 for an authentication key
no PFS group
28,800 second SA lifetime
Enter this command to configure the transform set:
ProCurve(config)# crypto ipsec transform-set <setname> esp-3des esp-md5-hmac
You might also have a problem with your addressing. Verify the peer's public
address, which should be set in the crypto map, IKE policy, and, if you are
using main mode, the remote ID list. Also, if the peer has a dynamic address,
you cannot initiate the VPN connection. The peer must initiate a connection
with the local router.
Virtual Private Networks
Troubleshooting a VPN That Uses IPSec
8-87