HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 956

Appendix A: Example Configuration
Configuring a Client-to-Site Virtual Private Network (VPN)
A-28
These are the steps to configure the Berlin router as a gateway device for the
client-to-site VPN:
1. Enable crypto commands. (The optional IPSec VPN module must be
installed in the router's rear panel.)
Berlin(config)# ip crypto
2. Configure an IKE mode config pool. This pool contains the IP addresses
and other configurations that allow remote users to function on the
private network. The IP addresses should belong to a network reserved
for that purpose. In the Berlin LAN, this network is 192.168.126.0 /24.
Berlin(config)# crypto ike client configuration pool RemoteUsers
Berlin(config-ike-client-pool)# ip-range 192.168.126.1 192.168.126.250
Berlin(config-ike-client-pool)# dns-server 10.10.10.10
Berlin(config-ike-client-pool)# netbios-name-server 192.168.3.3
Berlin(config-ike-client-pool)# exit
3. Add the preshared key (in this example, procurve) to the remote ID and
preshared key list. The Berlin router allows any remote user that knows
the key to access the private network.
Berlin(config)# crypto ike remote-id any preshared-key procurve
4. Enable AAA and configure the router to send authentication requests to
the network's TACACS+ server. Configure an AAA list for Xauth.
Berlin(config)# aaa on
Berlin(config)# tacacs-server host 192.168.1.23 key password
Berlin(config)# aaa authentication login xauth group tacacs
5. Configure an IKE policy, which the router uses to respond to IKE requests
from all remote users.
Berlin(config)# crypto ike policy 1
Berlin(config-ike)# no initiate
Berlin(config-ike)# respond anymode
Berlin(config-ike)# peer any
6. Associate the IKE policy with the IKE mode config pool and the AAA list
for Xauth.
Berlin(config-ike)# client configuration pool RemoteUsers
Berlin(config-ike)# client authentication server list xauth