R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

Task: Configuring an IKE proposal
Remarks: Optional

An IKE proposal defines a set of attributes describing how IKE negotiation should take place. You may create multiple IKE proposals with different preferences. The preference of an IKE proposal is represented by its sequence number, and the smaller the sequence number, the higher the preference.

Two peers must have at least one pair of matched IKE proposals for successful IKE negotiation. During IKE negotiation, the negotiation initiator sends its IKE proposals to the peer. The peer will compare the IKE proposals against its own IKE proposals, starting with the one with the smallest sequence number. The comparison goes on until a match is found or all IKE proposals are found mismatched. The matched IKE proposals will be used to establish the security tunnel.

Two matched IKE proposals have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The ISAKMP SA lifetime will take the smaller one of the two matched IKE proposals.

By default, there is an IKE proposal, which has the lowest preference and uses the default settings:
- Authentication method: Pre-shared key
- Authentication algorithm: SHA
- Encryption algorithm: DES-CBC
- DH group: Group1
- SA lifetime: 86400 seconds

Task: Configuring IKE DPD
Remarks: Optional

DPD irregularly detects dead IKE peers. With the DPD function enabled, if an end receives no IPsec protected packets from its peer in the DPD query triggering interval, it sends a DPD request to the peer to detect whether the IKE peer exists.

Task: Configuring an IKE peer
Remarks: Required

Create an IKE peer and configure the related parameters.

IMPORTANT:
If you change the settings of an IKE peer, be sure to clear the established IPsec SAs and ISAKMP SAs on the pages displayed after you select VPN > IKE > IKE SA and select VPN > IPSec > IPSec SA respectively. Otherwise, SA renegotiation will fail.

Task: Viewing IKE SAs
Remarks: Optional

View the summary information of the current ISAKMP SA.
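
The proposal matching rules in the IKE proposal remarks above can be modeled as follows. This is an added example, not code from the guide or the device: the algorithm labels, the placeholder sequence number for the default proposal, the sample proposals, and the assumption that both lists are walked from the smallest sequence number up are all illustrative. It shows how two gateways whose custom proposals disagree still match on the default proposal, which this example flags as weak for its DES-CBC and DH Group1 settings.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IkeProposal:
    seq: int          # sequence number: smaller means higher preference
    auth_method: str
    auth_alg: str
    enc_alg: str
    dh_group: int
    lifetime: int     # ISAKMP SA lifetime in seconds

    def match_key(self):
        # The four attributes that must be identical for two proposals to match
        return (self.enc_alg, self.auth_method, self.auth_alg, self.dh_group)

# Default proposal with the settings listed in the guide. The sequence number
# is a placeholder chosen only so that it sorts last (lowest preference).
DEFAULT = IkeProposal(10**9, "pre-shared-key", "sha", "des-cbc", 1, 86400)

def negotiate(initiator, responder):
    """Return (initiator_proposal, responder_proposal, lifetime) or None."""
    # Assumption: both lists are walked from the smallest sequence number up.
    for offered in sorted(initiator, key=lambda p: p.seq):
        for own in sorted(responder, key=lambda p: p.seq):
            if offered.match_key() == own.match_key():
                # The negotiated lifetime is the smaller of the two
                return offered, own, min(offered.lifetime, own.lifetime)
    return None

def weak_settings(p):
    """Flag the settings this example treats as weak: DES-CBC and DH group 1."""
    issues = []
    if p.enc_alg == "des-cbc":
        issues.append("encryption: des-cbc")
    if p.dh_group == 1:
        issues.append("dh group: 1")
    return issues

# Constructed sample data: the two gateways disagree on the DH group.
SITE_A = [IkeProposal(10, "pre-shared-key", "sha", "aes-cbc-128", 2, 3600)]
SITE_B = [IkeProposal(10, "pre-shared-key", "sha", "aes-cbc-128", 5, 7200)]

if __name__ == "__main__":
    offered, own, lifetime = negotiate(SITE_A + [DEFAULT], SITE_B + [DEFAULT])
    print("matched seq", offered.seq, "/", own.seq, "lifetime", lifetime)
    print("weak settings:", weak_settings(offered))
```

Running the same check over the proposals exported from each gateway shows whether a tunnel could come up on the default proposal instead of the intended one.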
Configuring global IKE parameters
Select VPN > IKE > Global from the navigation tree to enter the IKE global configuration page, as shown in Figure 14. Configure global IKE parameters as described in Table 4.