R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

Step  Command  Remarks

Step 4. Specify the security algorithms.
  Command:
    Specify the encryption algorithm for ESP:
      esp encryption-algorithm { 3des | aes [ key-length ] | des }
    Specify the authentication algorithm for ESP:
      esp authentication-algorithm { md5 | sha1 }
    Specify the authentication algorithm for AH:
      ah authentication-algorithm { md5 | sha1 }
  Remarks:
    Optional.
    By default, the encryption algorithm for ESP is DES, the authentication algorithm for ESP is MD5, and the authentication algorithm for AH is MD5.
    In FIPS mode, the firewall does not support DES, 3DES, or MD5. In that mode the default encryption algorithm for ESP is AES-128, and the default authentication algorithm for both ESP and AH is SHA1.
    In FIPS mode, if you use ESP, you must specify both an encryption algorithm and an authentication algorithm for ESP.

Step 5. Specify the IP packet encapsulation mode for the IPsec proposal.
  Command:
    encapsulation-mode { transport | tunnel }
  Remarks:
    Optional.
    Tunnel mode by default.
    Transport mode applies only when the source and destination IP addresses of the data flows match those of the IPsec tunnel.
    IPsec for IPv6 routing protocols supports only transport mode.
Configuring a manual IPsec policy
IPsec policies define which IPsec proposals should be used to protect which data flows. An IPsec policy
is uniquely identified by its name and sequence number.
IPsec policies fall into two categories:
- Manual IPsec policy—The parameters, such as the keys, the SPIs, and (in tunnel mode) the IP addresses of the two ends, are configured manually.
- IPsec policy that uses IKE—The parameters are negotiated automatically through IKE.
This section describes how to configure a manual IPsec policy.
Configuration guidelines
To ensure successful SA negotiations, follow these guidelines when you configure manual IPsec policies at the two ends of an IPsec tunnel:
- The IPsec policies at the two ends must use IPsec proposals with the same security protocols, security algorithms, and encapsulation mode.
- The remote IP address configured on the local end must be the same as the IP address of the remote end.
- At each end, configure parameters for both the inbound SA and the outbound SA, and make sure that different SAs use different SPIs.
- The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and the remote inbound SA.
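The guidelines above (matching proposals, mirrored SPIs and keys, distinct SPIs per direction) and the FIPS-mode rules from step 4 can be checked mechanically before the policies are committed. The following checker is an added example, not code from the guide; the Proposal and End structures are assumptions for illustration, not the firewall's configuration format.

```python
# Added example: check two ends of a manual IPsec tunnel against the guide's
# configuration guidelines. Data model (Proposal/End) is an assumption.
from dataclasses import dataclass
from typing import List, Optional

FIPS_UNSUPPORTED = {"des", "3des", "md5"}   # rejected in FIPS mode

@dataclass
class Proposal:
    protocol: str                      # "esp" or "ah"
    encapsulation: str = "tunnel"      # "tunnel" (default) or "transport"
    encryption: Optional[str] = None   # ESP only; None = not specified
    auth: Optional[str] = None         # None = not specified

@dataclass
class End:
    ip: str
    remote_ip: str
    proposal: Proposal
    inbound_spi: int
    inbound_key: str
    outbound_spi: int
    outbound_key: str

def effective(p: Proposal, fips: bool) -> tuple:
    """Resolve the guide's defaults: DES/MD5, or AES-128/SHA1 in FIPS mode."""
    enc = p.encryption or ("aes-128" if fips else "des")
    auth = p.auth or ("sha1" if fips else "md5")
    return (p.protocol, p.encapsulation, enc if p.protocol == "esp" else None, auth)

def check_pair(a: End, b: End, fips: bool = False) -> List[str]:
    """Return the guideline violations for the two ends (empty = consistent)."""
    errs = []
    if effective(a.proposal, fips) != effective(b.proposal, fips):
        errs.append("proposals differ in protocol, algorithms or encapsulation mode")
    for name, end, peer in (("A", a, b), ("B", b, a)):
        p = end.proposal
        if end.remote_ip != peer.ip:
            errs.append(f"{name}: remote IP {end.remote_ip} is not the peer's IP {peer.ip}")
        if end.inbound_spi == end.outbound_spi:
            errs.append(f"{name}: inbound and outbound SAs share SPI {end.inbound_spi}")
        if (end.inbound_spi, end.inbound_key) != (peer.outbound_spi, peer.outbound_key):
            errs.append(f"{name}: inbound SA does not mirror the peer's outbound SA")
        if fips:
            if p.protocol == "esp" and not (p.encryption and p.auth):
                errs.append(f"{name}: FIPS mode requires explicit ESP encryption and authentication")
            bad = {p.encryption, p.auth} & FIPS_UNSUPPORTED
            if bad:
                errs.append(f"{name}: {sorted(bad)} not supported in FIPS mode")
    return errs
```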