F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

431

432

433

434

435

436

437

438

439

440

423

Item Descri

tion

Keepalive Interval

Set the interval between sending keepalive packets and the maximum number of

attempts for sending keepalive packets when there is no response.

IMPORTANT:

In a VPN domain, the DVPN keepalive settings for all tunnel interfaces must be

consistent.

Keepalive Retries

7. Specify whether to enable IPsec.

An IPsec profile can be used to secure the transmission of data packets and control packets over

a DVPN tunnel. It uses ESP or AH and employs IKE for security policy negotiation.

If you select this option, you can perform the IPsec configuration.

1052HTable 65 describes the IPsec

configuration items in detail.

Table 65 Configuration items

Item Descri

tion

Authentication Method

Specify an authentication method for IKE negotiation.

• Pre-Shared Key—Uses the pre-shared key authentication method. If you

select this method, you must configure the pre-shared key. Make sure that

the configured key and the confirmed key are the same.

• Certificate—Uses the digital signature authentication method. If you select

this method, you must select a subject of the local certificate. Available

local certificates are those configured in VPN > Certificate Management.

Gateway ID

Remote ID Type

Select the remote ID type for IKE

negotiation phase 1.

• IP Address—Uses the remote-end IP

address of the DVPN session as the ID in

IKE negotiation.

• Gateway Name—Uses the gateway

name in the FQDN type as the ID in IKE

negotiation. If you select this type,

specify the remote gateway ID.

IMPORTANT:

• If the IKE negotiation

initiator uses the local ID

type of gateway name as

the ID for IKE negotiation,

it sends its gateway ID to

the peer. The peer uses the

locally configured remote

gateway ID to

authenticate the initiator.

Therefore, make sure that

the remote gateway ID

specified here is identical

to the local gateway ID

specified on its peer.

• In main mode, only the ID

type of IP address can be

used in IKE negotiation

and SA establishment.

Local ID Type

Select the local ID type for IKE negotiation

phase 1.

• IP Address: Uses the local-end IP

address of the DVPN session as the ID in

IKE negotiation.

• Gateway Name: Uses the gateway

name in the FQDN type as the ID in IKE

negotiation. If you select this type, you

need to specify the local gateway ID,

which is a string without the at sign (@),

such as foo.bar.com.

Phase 1

Exchange

Mode

Select the IKE exchange mode in phase 1, which can be Main or Aggressive.

IMPORTANT:

• If you select Gateway Name for Local ID Type, you must set the exchange

mode to Aggressive.

• An IKE peer uses its configured exchange mode when it is the negotiation

initiator. A negotiation responder uses the same exchange mode as the

initiator.