R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

Item                  Description

IKE Negotiation Mode
  Select the IKE negotiation mode in phase 1, which can be Main or Aggressive.
  IMPORTANT: If the IP address of one end of an IPsec tunnel is obtained dynamically (for
  example, when the user uses a dialup line), the IKE negotiation mode must be Aggressive.
  In this case, SAs can be established as long as the username and password are correct.

Local ID Type
  Select the local ID type in IKE negotiation phase 1. Options include:
  - IP Address: Uses an IP address as the ID in IKE negotiation.
  - Gateway Name: Uses a gateway name as the ID in IKE negotiation.
  IMPORTANT: In main mode, only the ID type of IP address can be used in IKE negotiation and
  SA establishment.

Local IP Address
  Type the IP address of the local gateway.
  By default, it is the primary IP address of the interface referencing the security policy.
  Configure this item when you want to specify a special address for the local gateway.

Remote Gateway
  Type the IP address or host name of the remote gateway.
  - IP Address: You can specify an IP address or a range of IP addresses for the remote
    gateway. If the local end is the initiator of IKE negotiation, it can have only one
    remote IP address, and its remote IP address must match the local IP address configured
    on its peer. If the local end is the responder of IKE negotiation, it can have more than
    one remote IP address, and one of its remote IP addresses must match the local IP
    address configured on its peer.
  - Hostname: The host name of the remote gateway is the only identifier of the IPsec peer
    in the network. The host name can be resolved into an IP address by the DNS server. If a
    host name is used, the local end can serve as the initiator of IKE negotiation.

Remote ID
  Type the name of the remote gateway.
  If the IKE negotiation initiator uses the security gateway name for IKE negotiation, it
  sends its gateway name as identification to the current device, and the current device
  uses the locally configured remote gateway name to authenticate the initiator. Therefore,
  make sure that the remote gateway name configured here is identical to the local gateway
  name configured on its peer.

Pre-Shared Key / PKI Domain
  Configure one of these two items according to the authentication method:
  - If the authentication method is pre-shared key, select Pre-Shared Key and then type the
    pre-shared key in the following text box.
  - If the authentication method is RSA signature, select PKI Domain and then select the PKI
    domain to which the certificate belongs in the following drop-down box.

Enable DPD
  Select the IKE DPD to be applied to the IKE peer.
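The following Python example is added here and is not from the configuration guide or the firewall product. It encodes the phase-1 matching rules the table states (main mode allows only the IP-address ID type, a dynamically addressed end must use aggressive mode, an initiator has exactly one remote address that must equal the peer's local address, a responder's remote addresses or ranges must cover the peer's local address, a Remote ID must equal the peer's local gateway name, and the authentication material must agree) and checks two gateway configurations against each other before they are deployed. The IkePeer class, its field names, the gateway names hq-gw, branch-gw and dialup-gw, the documentation addresses 203.0.113.1 and 198.51.100.0/24, and the pre-shared key string are all constructed for the example. It also applies the Remote ID check in both directions, which generalizes the initiator case the table describes, and it treats a dynamically addressed initiator as one that must identify itself by gateway name, since the responder cannot match it by address.

```python
# Added example: cross-check the IKE phase-1 settings of two IPsec gateways.
# Field names, rule interpretation and sample values are this example's own.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IkePeer:
    name: str                          # local gateway name, sent as the ID when id_type == "name"
    mode: str                          # "main" or "aggressive"
    id_type: str                       # "ip" or "name"
    local_ip: Optional[str]            # None when the address is obtained dynamically (e.g. dialup)
    role: str                          # "initiator" or "responder"
    remote_ips: List[str] = field(default_factory=list)  # remote gateway addresses or CIDR ranges
    remote_host: Optional[str] = None  # DNS host name of the remote gateway instead of an address
    remote_name: Optional[str] = None  # gateway name expected from the peer (Remote ID)
    auth: str = "psk"                  # "psk" (pre-shared key) or "rsa" (PKI domain)
    psk: Optional[str] = None
    pki_domain: Optional[str] = None


def _covers(entries: List[str], ip: str) -> bool:
    """True if ip equals one of the entries or lies inside one of the ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def check_one(p: IkePeer) -> List[str]:
    """Rules the table states for a single end, independent of its peer."""
    errs = []
    if p.mode == "main" and p.id_type != "ip":
        errs.append(f"{p.name}: main mode supports only the IP address ID type")
    if p.local_ip is None and p.mode != "aggressive":
        errs.append(f"{p.name}: a dynamically addressed end must use aggressive mode")
    has_host = p.remote_host is not None
    if p.role == "initiator":
        # An initiator names its remote gateway once: one address or one host name.
        if (has_host and p.remote_ips) or (not has_host and len(p.remote_ips) != 1):
            errs.append(f"{p.name}: an initiator needs exactly one remote address or a host name")
    elif p.role == "responder":
        # A responder matches peers by address or range; host names are for the initiator side.
        if has_host or not p.remote_ips:
            errs.append(f"{p.name}: a responder needs one or more remote addresses or ranges")
    else:
        errs.append(f"{p.name}: role must be initiator or responder")
    if p.auth == "psk" and not p.psk:
        errs.append(f"{p.name}: pre-shared key selected but no key configured")
    elif p.auth == "rsa" and not p.pki_domain:
        errs.append(f"{p.name}: RSA signature selected but no PKI domain configured")
    return errs


def check_pair(a: IkePeer, b: IkePeer) -> List[str]:
    """Cross-checks between the two ends of one tunnel; empty list means consistent."""
    errs = check_one(a) + check_one(b)
    if {a.role, b.role} != {"initiator", "responder"}:
        return errs + ["one end must be the initiator and the other the responder"]
    ini, rsp = (a, b) if a.role == "initiator" else (b, a)
    if ini.mode != rsp.mode:
        errs.append("both ends must use the same IKE negotiation mode")
    # The initiator's single remote address must be the responder's local address
    # (a host name would be resolved by DNS at run time and is not checked here).
    if ini.remote_ips and ini.remote_ips[0] != rsp.local_ip:
        errs.append(f"{ini.name}: remote address {ini.remote_ips[0]} is not {rsp.name}'s local address")
    if ini.local_ip is not None:
        # One of the responder's remote addresses or ranges must cover the initiator's address.
        if not _covers(rsp.remote_ips, ini.local_ip):
            errs.append(f"{rsp.name}: no remote address or range covers {ini.local_ip}")
    elif ini.id_type != "name":
        # Dynamically addressed initiator: the responder can only recognise it by gateway name.
        errs.append(f"{ini.name}: a dynamically addressed initiator must identify itself by name")
    # An end that identifies itself by gateway name must be matched by the peer's Remote ID.
    for sender, receiver in ((ini, rsp), (rsp, ini)):
        if sender.id_type == "name" and receiver.remote_name != sender.name:
            errs.append(f"{receiver.name}: Remote ID {receiver.remote_name!r} is not {sender.name!r}")
    if ini.auth != rsp.auth:
        errs.append("both ends must use the same authentication method")
    elif ini.auth == "psk" and ini.psk != rsp.psk:
        errs.append("pre-shared keys differ")
    return errs


# Constructed sample gateways: documentation address ranges, made-up names and key.
KEY = "constructed-example-psk"
HQ = IkePeer("hq-gw", "main", "ip", "203.0.113.1", "responder",
             remote_ips=["198.51.100.0/24"], psk=KEY)
BRANCH = IkePeer("branch-gw", "main", "ip", "198.51.100.7", "initiator",
                 remote_ips=["203.0.113.1"], psk=KEY)
# A dialup branch with no fixed address: first misconfigured in main mode, then corrected,
# with the headquarters end switched to aggressive mode and given the branch's Remote ID.
DIALUP_MAIN = IkePeer("dialup-gw", "main", "name", None, "initiator",
                      remote_ips=["203.0.113.1"], psk=KEY)
DIALUP_OK = IkePeer("dialup-gw", "aggressive", "name", None, "initiator",
                    remote_ips=["203.0.113.1"], psk=KEY)
HQ_AGGRESSIVE = IkePeer("hq-gw", "aggressive", "ip", "203.0.113.1", "responder",
                        remote_ips=["198.51.100.0/24"], remote_name="dialup-gw", psk=KEY)

if __name__ == "__main__":
    for label, pair in (("hq/branch", (HQ, BRANCH)), ("hq/dialup main", (HQ, DIALUP_MAIN)),
                        ("hq/dialup aggressive", (HQ_AGGRESSIVE, DIALUP_OK))):
        print(label, check_pair(*pair) or "consistent")
```

Running the block reports the fixed-address pair as consistent, lists three problems for the dialup branch left in main mode (name ID in main mode, dynamic address without aggressive mode, and no matching Remote ID on the headquarters end), and reports the corrected aggressive-mode pair as consistent. The check is deliberately static: it does not resolve host names or exercise the exchange itself, so it catches the configuration mismatches the table warns about, not runtime failures.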