ProCurve VPN Client and ProCurve Secure Router 7000dl Series - Application Note

4. Access Control List
An Extended Access Control List (ACL) is used to specify which traffic needs to be sent
securely over the VPN tunnel. The entries in the list are defined with respect to the local
system. For this sample configuration, the source is the LAN IP network behind the
ProCurve 7000dl, 192.168.100.0. The destination is the VPN pool IP network
(192.168.4.0) specified in the “client configuration pool vpn_users”.
Figure 8 Specifying traffic to encrypt
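The following is an added example, not part of the application note, that models how the router evaluates the extended ACL above. It parses the single `permit ip` entry from Figure 8 and applies wildcard-mask matching (a wildcard such as 0.0.0.255 is an inverted netmask: set bits are "don't care") with first-match semantics and the implicit deny at the end of the list. Traffic that matches a permit is selected for the tunnel; anything else is forwarded unprotected, which is the usual crypto-map behaviour and is assumed here for the 7000dl. The sample packets and the `classify`, `parse_entry` and `wildcard_to_prefix` helper names are constructed for this example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    src: str           # source network address
    src_wildcard: str  # inverse mask, e.g. 0.0.0.255 for a /24
    dst: str           # destination network address
    dst_wildcard: str


def _wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (n & care)


def wildcard_to_prefix(wildcard: str) -> int:
    """Translate a contiguous wildcard mask into a CIDR prefix length.
    Raises ValueError for a non-contiguous wildcard (e.g. 0.0.255.0)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    net = ipaddress.IPv4Network((0, str(ipaddress.IPv4Address(mask))))
    return net.prefixlen


def parse_entry(line: str) -> AclEntry:
    """Parse one 'permit|deny ip <src> <src-wc> <dst> <dst-wc>' line as shown in Figure 8."""
    parts = line.split()
    if len(parts) != 6 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
        raise ValueError(f"unsupported ACL syntax: {line!r}")
    return AclEntry(parts[0], parts[2], parts[3], parts[4], parts[5])


def classify(acl: list[AclEntry], src: str, dst: str) -> str:
    """Return 'encrypt' if the packet is selected for the IPsec tunnel, else 'clear'.

    First matching entry wins. A 'deny' entry, or no match at all (the implicit
    deny at the end of the list), excludes the traffic from the tunnel: it is
    forwarded in the clear, not dropped (assumed crypto-map semantics).
    """
    for entry in acl:
        if _wildcard_match(src, entry.src, entry.src_wildcard) and \
           _wildcard_match(dst, entry.dst, entry.dst_wildcard):
            return "encrypt" if entry.action == "permit" else "clear"
    return "clear"


# The one entry from Figure 8 of the application note.
VPN_ACL = [parse_entry("permit ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255")]

# Constructed sample packets (src, dst) seen from the 7000dl's point of view.
SAMPLE_PACKETS = [
    ("192.168.100.25", "192.168.4.7"),    # LAN host -> VPN client: tunnelled
    ("192.168.100.25", "192.168.5.7"),    # LAN host -> some other network: clear
    ("192.168.4.7", "192.168.100.25"),    # reverse direction is not covered by this entry
]

if __name__ == "__main__":
    print("0.0.0.255 corresponds to /%d" % wildcard_to_prefix("0.0.0.255"))
    for src, dst in SAMPLE_PACKETS:
        print(f"{src:>16} -> {dst:<16} {classify(VPN_ACL, src, dst)}")
```

The third sample packet illustrates the remark that entries are defined with respect to the local system: the entry above only selects LAN-to-pool traffic, so when auditing a configuration check that the peer (here the VPN client policy) mirrors it for the return direction, and that nothing sensitive is silently left in the clear because it falls outside the permit.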
6. Create Crypto Map
A Crypto Map is used to define a set of encryption schemes to be used for a given
interface. A crypto map entry has a unique index within the crypto map set. This crypto
map will encrypt traffic that matches access-list vpn_traffic, use the highly_secure
transform set, set the IPsec security-association lifetime to 1800 seconds, and will not use perfect forward secrecy.
Figure 9 Creating crypto map
7. Apply Crypto Map
The crypto map should be applied to the interface that will transmit the encrypted traffic to
the remote peer. The example below shows the crypto map being applied to interface
PPP 1. If your WAN protocol is frame-relay, you would apply the crypto map to the frame-relay interface.
Figure 10 Applying crypto map to interface
Figure 8 (CLI): specifying traffic to encrypt
    SecureSiteRouter(config)# ip access-list extended vpn_traffic
    SecureSiteRouter(config-ext-nacl)# permit ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255

Figure 9 (CLI): creating crypto map
    SecureSiteRouter(config)# crypto map corporate_vpn 1 ipsec-ike
    SecureSiteRouter(config-crypto-map)# match address vpn_traffic
    SecureSiteRouter(config-crypto-map)# set security-association lifetime seconds 1800
    SecureSiteRouter(config-crypto-map)# no set pfs

Figure 10 (CLI): applying crypto map to interface
    SecureSiteRouter(config)# interface ppp 1
    SecureSiteRouter(config-ppp)# crypto map corporate_vpn