Virtual Private Networks
Quick Start
8-98
• AH and ESP protocol:
Syntax: crypto ipsec transform-set <setname> [ah-md5-hmac | ah-sha-hmac] [esp-des | esp-3des | esp-aes-128-cbc | esp-aes-192-cbc | esp-aes-256-cbc | esp-null] [esp-md5-hmac | esp-sha-hmac]
15. Set the mode to tunnel:
ProCurve(cfg-crypto-trans)# mode tunnel
16. If desired, repeat steps 15 and 16 to configure another transform set.
17. Specify the traffic allowed over the tunnel in an ACL:
a. Create an extended ACL:
Syntax: ip access-list extended <listname>
b. Add deny statements for hosts not allowed to access the tunnel:
Syntax: deny ip [any | host <source A.B.C.D> | hostname <source hostname> | <source A.B.C.D> <wildcard bits>] [any | host <destination A.B.C.D> | hostname <destination hostname> | <destination A.B.C.D> <wildcard bits>]
For example:
ProCurve(config-ext-nacl)# deny ip host 192.168.10.112 any
c. Add permit statements from the local VPN networks to the network addresses in the IKE mode config pool:
Syntax: permit ip [any | host <source A.B.C.D> | hostname <source hostname> | <source A.B.C.D> <wildcard bits>] [any | host <destination A.B.C.D> | hostname <destination hostname> | <destination A.B.C.D> <wildcard bits>]
You use wildcard bits, which operate on reverse logic from subnet masks (a 0 bit means the corresponding address bit must match, a 1 bit means it is ignored), to specify the range of addresses. The destination network address is the network that contains the addresses specified for the IKE mode config pool. For example:
ProCurve(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
18. Configure a crypto map entry:
Syntax: crypto map <mapname> <map index> ipsec-ike
19. You can associate the crypto map entry with the IKE policy configured for the remote peer:
Syntax: ike-policy <policy number>
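As an added illustration of the wildcard-bit logic and statement ordering in step 17 (example code written for this page, not ProCurve software or device output), the following evaluates the page's two example ACL statements against candidate flows; it assumes standard first-match ACL evaluation with an implicit deny at the end.

```python
import ipaddress

# Constructed ACL mirroring the page's example statements (not device output):
# "host X" is X with wildcard 0.0.0.0, "any" is 0.0.0.0 with wildcard 255.255.255.255.
# Entry layout: (action, src_base, src_wildcard, dst_base, dst_wildcard)
ACL = [
    ("deny",   "192.168.10.112", "0.0.0.0",   "0.0.0.0",       "255.255.255.255"),
    ("permit", "192.168.10.0",   "0.0.0.255", "192.168.100.0", "0.0.0.255"),
]

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wildcard):
    """Wildcard-bit match: a 0 bit in the wildcard fixes that address bit to the
    base value, a 1 bit is "don't care" (the inverse of a subnet mask)."""
    fixed = ~_ip(wildcard) & 0xFFFFFFFF          # bits that must match
    return (_ip(addr) & fixed) == (_ip(base) & fixed)

def evaluate(acl, src, dst):
    """First matching entry wins (assumed standard ACL semantics); traffic that
    matches nothing hits the implicit deny and is not selected for the tunnel."""
    for action, src_base, src_wc, dst_base, dst_wc in acl:
        if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
            return action
    return "deny"

def wildcard_to_prefix(wildcard):
    """Translate a contiguous wildcard such as 0.0.0.255 into a prefix length (/24).
    Raises ValueError for non-contiguous wildcards, which match scattered hosts."""
    mask = ~_ip(wildcard) & 0xFFFFFFFF
    ones = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ones

if __name__ == "__main__":
    for src, dst in [("192.168.10.112", "192.168.100.5"),   # excluded host
                     ("192.168.10.20", "192.168.100.5"),    # local net -> mode config pool
                     ("192.168.10.20", "10.0.0.1")]:        # not a tunnel destination
        print(f"{src} -> {dst}: {evaluate(ACL, src, dst)}")
    # Reversing the entries is a common mistake: the permit now shadows the deny.
    print("reversed order:", evaluate(list(reversed(ACL)), "192.168.10.112", "192.168.100.5"))
```

The reversed-order case shows why the deny statements of step 17b must precede the permit of step 17c: once a broader permit matches first, the host exclusion never takes effect.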