F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

iii

Relationship between IKE and IPsec ·················································································································· 108

Protocols and standards ····································································································································· 108

Configuring IKE in the Web interface ························································································································ 108

Recommended configuration procedure ··········································································································· 108

Configuring global IKE parameters ··················································································································· 109

Configuring an IKE proposal ····························································································································· 110

Configuring IKE DPD ··········································································································································· 112

Configuring an IKE peer ····································································································································· 112

Viewing IKE SAs ·················································································································································· 115

IKE configuration example ································································································································· 116

Configuring IKE at the CLI ··········································································································································· 122

Configuring a name for the local security gateway ························································································ 123

Setting keepalive timers ······································································································································ 127

Setting the NAT keepalive timer ························································································································ 127

Configuring a DPD detector ······························································································································· 127

Disabling next payload field checking ············································································································· 128

Displaying and maintaining IKE ························································································································ 128

Configuring main mode IKE with pre-shared key authentication ··································································· 129

Configuring aggressive mode IKE with NAT traversal ···················································································· 133

Troubleshooting IKE ····················································································································································· 136

Invalid user ID ······················································································································································ 136

Proposal mismatch ·············································································································································· 136

Failing to establish an IPsec tunnel ···················································································································· 137

ACL configuration error ······································································································································ 137

Configuring IPsec ···················································································································································· 139

Overview ······································································································································································· 139

Basic concepts ····················································································································································· 139

IPsec tunnel interface ··········································································································································· 141

IPsec for IPv6 routing protocols ·························································································································· 143

IPsec RRI································································································································································ 143

IPsec stateful failover ··········································································································································· 144

Configuration guidelines ············································································································································· 145

Configuring IPsec in the Web interface ····················································································································· 146

Configuration considerations ····························································································································· 146

Recommended configuration procedure ··········································································································· 146

Configuring ACLs ················································································································································ 147

Configuring an IPsec proposal ·························································································································· 151

Configuring an IPsec policy template ················································································································ 153

Configuring an IPsec policy ······························································································································· 156

Applying an IPsec policy group ························································································································· 159

Viewing IPsec SAs ··············································································································································· 159

Viewing packet statistics ····································································································································· 160

IPsec configuration example ······························································································································ 160

Configuring IPsec at the CLI ········································································································································ 166

Implementing IPsec ·············································································································································· 166

Implementing ACL-based IPsec ·························································································································· 166

Implementing tunnel interface-based IPsec ······································································································· 181

Configuring IPsec for IPv6 routing protocols ···································································································· 185

Configuring IPsec stateful failover ····················································································································· 185

Displaying and maintaining IPsec ····················································································································· 187

Manual mode IPsec tunnel for IPv4 packets configuration example ····························································· 188