ProCurve VPN Client and ProCurve Secure Router 7000dl Series - Application Note
The following IKE policy is configured to accept any peer IP address, since the dial-up users are assumed to connect from differing addresses. The policy is set not to initiate a tunnel but to respond to either main or aggressive mode, and to use 3DES encryption with the SHA1 hash. Authentication uses a pre-shared key, with Diffie-Hellman Group 1 and an IKE lifetime of 600 seconds.
Figure 5 Creating IKE policy
The crypto ike remote-id command specifies the remote-id information for a peer connecting to the system, and is also used to specify the pre-shared key associated with that remote-id. The VPN client will identify itself as remote.com and use the pre-shared key “ProCurve_Networking”.
Figure 6 Setting remote-id information
3. IPSec transform
A transform-set defines the encryption and authentication algorithms used to secure the data transmitted over the VPN tunnel. In this example, a transform-set named “highly_secure” has been created. It defines ESP with authentication, using 3DES for encryption and the SHA1 HMAC for authentication.
Figure 7 Creating IPSec attributes
SecureSiteRouter(config)# crypto ike policy 10
SecureSiteRouter(config-ike)# peer any
SecureSiteRouter(config-ike)# no initiate
SecureSiteRouter(config-ike)# respond anymode
SecureSiteRouter(config-ike)# client configuration pool vpn_users
SecureSiteRouter(config-ike)# attribute 10
SecureSiteRouter(config-ike-attribute)# encryption 3des
SecureSiteRouter(config-ike-attribute)# hash sha
SecureSiteRouter(config-ike-attribute)# authentication pre-share
SecureSiteRouter(config-ike-attribute)# group 1
SecureSiteRouter(config-ike-attribute)# lifetime 600

SecureSiteRouter(config)# crypto ike remote-id fqdn remote.com preshared-key ProCurve_Networking

SecureSiteRouter(config)# crypto ipsec transform-set highly_secure esp-3des esp-sha-hmac
SecureSiteRouter(cfg-crypto-trans)# mode tunnel
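As an added example (not part of this application note or ProCurve's software), the following Python parses a CLI transcript in the prompt format shown above into the IKE policy's settings and audits them against a baseline that is an assumption of this example: the note's choice of Diffie-Hellman Group 1, 3DES and SHA1 is what such a check flags on a configuration review. The sample transcript is the note's own Figure 5 re-typed as input.

```python
import re
from typing import Dict, List

# Constructed sample input: the IKE policy transcript shown in this note, re-typed.
SAMPLE_TRANSCRIPT = """\
SecureSiteRouter(config)# crypto ike policy 10
SecureSiteRouter(config-ike)# peer any
SecureSiteRouter(config-ike)# no initiate
SecureSiteRouter(config-ike)# respond anymode
SecureSiteRouter(config-ike)# client configuration pool vpn_users
SecureSiteRouter(config-ike)# attribute 10
SecureSiteRouter(config-ike-attribute)# encryption 3des
SecureSiteRouter(config-ike-attribute)# hash sha
SecureSiteRouter(config-ike-attribute)# authentication pre-share
SecureSiteRouter(config-ike-attribute)# group 1
SecureSiteRouter(config-ike-attribute)# lifetime 600
"""

# Prompt shape used in the note's transcripts: <hostname>(<mode>)# <command>
PROMPT_RE = re.compile(r"^\S+\((?P<mode>[^)]*)\)#\s*(?P<cmd>\S.*)$")

def parse_ike_policy(transcript: str) -> Dict[str, str]:
    """Return the settings of one 'crypto ike policy' block keyed by command name."""
    settings: Dict[str, str] = {}
    for raw in transcript.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m or m.group("mode") not in ("config-ike", "config-ike-attribute"):
            continue
        words = m.group("cmd").split()
        if words[0] == "no" and len(words) > 1:      # "no initiate" -> initiate: no
            settings[words[1]] = "no"
        else:                                        # "group 1" -> group: 1
            settings[words[0]] = " ".join(words[1:])
    return settings

def audit_ike_policy(settings: Dict[str, str]) -> List[str]:
    """Flag legacy choices against a baseline assumed for this example (not the note's)."""
    findings: List[str] = []
    if settings.get("group") == "1":
        findings.append("group 1 (768-bit MODP) is too small; use a 2048-bit or larger group")
    if settings.get("encryption") == "3des":
        findings.append("3DES is deprecated; prefer AES where both ends support it")
    if settings.get("hash") == "sha":
        findings.append("SHA-1 hash is legacy; prefer SHA-2 where both ends support it")
    if settings.get("respond") == "anymode" and settings.get("authentication") == "pre-share":
        findings.append("aggressive mode accepted with a pre-shared key; use a long random key")
    return findings
```

Running `audit_ike_policy(parse_ike_policy(SAMPLE_TRANSCRIPT))` on the note's policy returns four findings; whether stronger groups or AES are selectable on a given firmware is not stated in the note and must be checked on the router.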