R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

Configuring IPsec in the web interface
Configuration task list
The firewall implements all the IPsec features previously described. The idea behind the implementation is as follows:
1. By configuring IPsec, provide different security services (authentication, encryption, or both) for different data flows.
2. IPsec depends on the rules in an ACL to identify the data flows to be protected. Packets permitted by the ACL are protected, while those denied are not. ACLs can be used to protect both inbound and outbound data flows. Data flows are protected in one of the following two modes:
   - Standard mode: One ACL rule identifies one data flow, and one tunnel protects only that data flow.
   - Aggregation mode: One tunnel protects all data flows permitted by all the rules of an ACL.
3. Organize the parameters required for security protection (including the security protocol, authentication and encryption algorithms, and encapsulation mode) into a group called an IPsec proposal for configuration convenience.
4. Configure IPsec policies to define the association between data flows and IPsec proposals (that is, which data flows are to be protected by using which IPsec proposals) and to specify the SA negotiation mode, peer IP addresses (namely the starting and ending points of the IPsec tunnel), required keys, and SA lifetime.
5. Finally, apply the IPsec policies to interfaces to complete the IPsec configuration.
Perform the tasks in Table 9 to configure IPsec.
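The five steps above fit together as a small selection model: an ACL picks the flows, a proposal carries the security parameters, a policy binds ACL, proposal and peers, and the policy is applied to an interface. The following Python is an added example written for this page, not the firewall's own code or web-interface logic; the subnets, peer addresses and names (map1, prop1, GigabitEthernet0/1) are constructed. It shows the practical difference between standard and aggregation mode (how many tunnels the same traffic negotiates) and the point worth checking in any deployment: traffic that no permit rule matches is forwarded in the clear.

```python
"""Model of ACL-driven IPsec flow selection: standard vs aggregation mode.
Added example, not the firewall's implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    action: str   # "permit" -> protect with IPsec, "deny" -> send unprotected
    src: str      # source network in CIDR form (constructed sample values below)
    dst: str      # destination network in CIDR form


@dataclass(frozen=True)
class IpsecProposal:
    """Step 3: the grouped security parameters referenced by a policy."""
    name: str
    protocol: str = "esp"
    encryption: str = "aes-cbc-128"
    authentication: str = "sha1"
    encapsulation: str = "tunnel"


@dataclass(frozen=True)
class IpsecPolicy:
    """Step 4: ties an ACL and a proposal to a tunnel endpoint pair."""
    name: str
    acl: Tuple[AclRule, ...]   # rules are evaluated in order, first match wins
    proposal: IpsecProposal
    local_peer: str
    remote_peer: str
    mode: str = "standard"     # "standard" or "aggregation"
    sa_lifetime_s: int = 3600


def match_rule(acl, src_ip, dst_ip) -> Optional[int]:
    """Index of the first ACL rule matching the packet; None if no rule matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(acl):
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return i
    return None


def select_tunnel(policy, src_ip, dst_ip):
    """Tunnel key the packet would be protected by, or None (sent in the clear)."""
    i = match_rule(policy.acl, src_ip, dst_ip)
    if i is None or policy.acl[i].action != "permit":
        return None
    if policy.mode == "standard":
        # one ACL rule <-> one data flow <-> one tunnel
        return (policy.name, policy.remote_peer, f"rule{i}")
    if policy.mode == "aggregation":
        # every permitted flow of the ACL shares a single tunnel
        return (policy.name, policy.remote_peer, "all-rules")
    raise ValueError(f"unknown mode {policy.mode!r}")


def tunnels_needed(policy, packets):
    """Set of distinct tunnels (SA pairs) the packets would negotiate."""
    found = set()
    for src_ip, dst_ip in packets:
        key = select_tunnel(policy, src_ip, dst_ip)
        if key is not None:
            found.add(key)
    return found


# Constructed sample: two protected subnets behind the local peer, one host excluded.
ACL = (
    AclRule("deny",   "10.1.1.0/24", "10.1.2.100/32"),
    AclRule("permit", "10.1.1.0/24", "10.1.2.0/24"),
    AclRule("permit", "10.1.3.0/24", "10.1.2.0/24"),
)
PROPOSAL = IpsecProposal("prop1")
STANDARD = IpsecPolicy("map1", ACL, PROPOSAL, "1.1.1.1", "2.2.2.2", "standard")
AGGREGATED = IpsecPolicy("map1", ACL, PROPOSAL, "1.1.1.1", "2.2.2.2", "aggregation")
INTERFACES = {"GigabitEthernet0/1": STANDARD}   # step 5: policy applied to an interface

# Constructed packets: two protected flows, one explicitly denied, one unmatched.
PACKETS = [
    ("10.1.1.5", "10.1.2.7"),
    ("10.1.3.9", "10.1.2.7"),
    ("10.1.1.5", "10.1.2.100"),
    ("10.1.1.5", "192.0.2.1"),
]

if __name__ == "__main__":
    for pol in (STANDARD, AGGREGATED):
        print(pol.mode, sorted(tunnels_needed(pol, PACKETS)))
    for pkt in PACKETS:
        print(pkt, "->", select_tunnel(INTERFACES["GigabitEthernet0/1"], *pkt) or "clear")
```

Running it shows the same four packets producing two tunnels in standard mode and one in aggregation mode, while the denied and unmatched packets map to no tunnel at all; when auditing a policy, the unmatched case is the one to look for, because nothing in the ACL flags it.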
Table 9 IPsec configuration task list

Task: Configuring an IPsec proposal
Remarks: Required.
  Configure an IPsec proposal. An IPsec proposal defines the security parameters for IPsec SA negotiation, including the security protocol, encryption/authentication algorithms, and encapsulation mode.
  IMPORTANT: Changes to an IPsec proposal affect only SAs negotiated after the changes are made.

Task: Configuring an IPsec policy template
Remarks: Required when an IPsec policy needs to reference an IPsec policy template.
  Create an IPsec policy template. When configuring an IPsec policy, you can reference an IPsec policy template.