HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 478


Virtual Private Networks
Quick Start
8-92
ESP protocol:
Syntax: crypto ipsec transform-set <setname> [esp-des | esp-3des | esp-aes-128-cbc | esp-aes-192-cbc | esp-aes-256-cbc | esp-null] [esp-md5-hmac | esp-sha-hmac]
AH and ESP protocol:
Syntax: crypto ipsec transform-set <setname> [ah-md5-hmac | ah-sha-hmac] [esp-des | esp-3des | esp-aes-128-cbc | esp-aes-192-cbc | esp-aes-256-cbc | esp-null] [esp-md5-hmac | esp-sha-hmac]
11. Set the mode to tunnel:
ProCurve(cfg-crypto-trans)# mode tunnel
12. If so desired, repeat steps 11 and 12 to configure another transform set.
13. Specify the traffic allowed over the tunnel in an ACL:
a. Create an extended ACL:
Syntax: ip access-list extended <listname>
b. Add deny statements for hosts not allowed to access the tunnel.
Syntax: deny ip [any | host <source A.B.C.D> | hostname <source hostname> | <source A.B.C.D> <wildcard bits>] [any | host <destination A.B.C.D> | hostname <destination hostname> | <destination A.B.C.D> <wildcard bits>]
For example:
ProCurve(config-ext-nacl)# deny ip host 192.168.10.112 any
c. Add permit statements from the local VPN networks to the remote VPN networks:
Syntax: permit ip [any | host <source A.B.C.D> | hostname <source hostname> | <source A.B.C.D> <wildcard bits>] [any | host <destination A.B.C.D> | hostname <destination hostname> | <destination A.B.C.D> <wildcard bits>]
Wildcard bits use the reverse logic of a subnet mask to specify the range of addresses: a 0 bit means the corresponding address bit must match, and a 1 bit means it is ignored. For example, to select a network with the subnet mask 255.255.255.0, enter:
ProCurve(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
14. Configure a crypto map entry:
ProCurve(config)# crypto map <mapname> <map index> ipsec-ike
15. Specify one peer only for the crypto map entry:
Syntax: set peer <peer A.B.C.D>
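
The wildcard-bit logic from step 13, as an added example that is not part of the manual: it converts a subnet mask to wildcard bits and checks which source/destination pairs the two ACL entries shown in step 13 would select. The function names are hypothetical, and the evaluation order (top-down, first match decides, no match means not permitted) is an assumption the page does not state.

```python
import ipaddress

FULL = 0xFFFFFFFF

def wildcard_from_mask(mask):
    """Invert a dotted subnet mask into ACL wildcard bits."""
    inv = int(ipaddress.IPv4Address(mask)) ^ FULL
    if inv & (inv + 1):  # wildcard of a real subnet mask is a run of low 1s
        raise ValueError(f"not a contiguous subnet mask: {mask}")
    return str(ipaddress.IPv4Address(inv))

def matches(addr, base, wildcard):
    """Wildcard 0 bit: must equal base. Wildcard 1 bit: ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & FULL) == (b & ~w & FULL)

def parse_selector(tokens):
    """Consume one selector: any | host A.B.C.D | A.B.C.D <wildcard bits>."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if tokens[0] == "hostname":
        raise ValueError("hostname selectors need DNS and are not handled")
    return (tokens[0], tokens[1]), tokens[2:]

def evaluate(acl_lines, src, dst):
    """Assumption: top-down, first match wins, no match means not permitted."""
    for line in acl_lines:
        action, _proto, *rest = line.split()
        src_sel, rest = parse_selector(rest)
        dst_sel, _ = parse_selector(rest)
        if matches(src, *src_sel) and matches(dst, *dst_sel):
            return action
    return "deny"

# The two example entries from step 13 of the page.
ACL = [
    "deny ip host 192.168.10.112 any",
    "permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255",
]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))
    for src in ("192.168.1.20", "192.168.10.112", "192.168.2.20"):
        print(src, "->", evaluate(ACL, src, "192.168.3.7"))
```

Running the entries through a check like this before applying them shows whether a selector is wider or narrower than the networks intended for the tunnel.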


This manual is also suitable for:

Procurve secure router 7102 dl
