R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
Step / Command / Remarks

6. Configure the remote address of the tunnel.
   Command: tunnel remote ip-address
   Remarks: Not configured by default.

7. Configure the SPIs for the SAs.
   Command: sa spi { inbound | outbound } { ah | esp } spi-number
   Remarks: N/A

8. Configure keys for the SAs.
   Command:
   • Configure an authentication key in hexadecimal for AH:
     sa authentication-hex { inbound | outbound } ah hex-key
   • Configure an authentication key in characters for AH:
     sa string-key { inbound | outbound } ah string-key
   • Configure a key in characters for ESP:
     sa string-key { inbound | outbound } esp string-key
   • Configure an authentication key in hexadecimal for ESP:
     sa authentication-hex { inbound | outbound } esp hex-key
   • Configure an encryption key in hexadecimal for ESP:
     sa encryption-hex { inbound | outbound } esp hex-key
   Remarks:
   Configure an authentication key for AH in either hexadecimal or character format.
   Configure an authentication key, an encryption key, or both for ESP. If you configure a key in characters for ESP, the router automatically generates an authentication key and an encryption key for ESP.
   If you configure a key in two modes: string and hexadecimal, only the last configured one will be used.
   In FIPS mode, the firewall does not support the sa string-key command for AH or ESP.
NOTE:
You cannot change the creation mode of an IPsec policy from manual to through IKE, or vice versa. To create an IPsec policy that uses IKE, delete the manual IPsec policy, and then use IKE to configure an IPsec policy.
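The following Python example is added here and is not part of the HP guide. It replays the SA commands from step 7 and step 8 in entry order, reports which key mode ends up effective for each SA, and flags sa string-key when FIPS mode is assumed. The function name, the fips flag, the sample commands, the rule that a mode switch discards keys of the other mode, and the check that both directions are configured are assumptions.

```python
import re

# Only the SA commands from the table above; any other line is ignored.
CMD = re.compile(r"sa\s+(spi|authentication-hex|string-key|encryption-hex(?!\s+\w+\s+ah\b))"
                 r"\s+(inbound|outbound)\s+(ah|esp)\s+(\S+)")

# Constructed sample: commands in the order typed for one manual policy.
SAMPLE = [
    "sa spi inbound esp 12345",
    "sa spi outbound esp 54321",
    "sa string-key inbound esp example-string",
    "sa authentication-hex inbound esp 0123456789abcdef0123456789abcdef",
    "sa encryption-hex outbound esp 00112233445566778899aabbccddeeff",
]

def audit_manual_sa(commands, fips=False):
    """Replay commands in entry order; return (effective, findings) without key values."""
    spis, effective, findings = set(), {}, []
    for n, line in enumerate(commands, 1):
        m = CMD.fullmatch(line.strip())
        if not m:
            continue
        kind, direction, proto, value = m.groups()
        sa = (direction, proto)
        if kind == "spi":
            spis.add(sa)
            continue
        mode = "string" if kind == "string-key" else "hex"
        if mode == "string" and fips:
            findings.append(f"line {n}: sa string-key is not supported in FIPS mode")
            continue
        if mode == "hex" and not re.fullmatch(r"[0-9A-Fa-f]+", value):
            findings.append(f"line {n}: {kind} value is not hexadecimal")
            continue
        cur = effective.get(sa)
        if cur is None or cur["mode"] != mode:
            if cur:  # only the last configured mode is used
                findings.append(f"line {n}: {mode} key overrides earlier {cur['mode']} key for {direction} {proto}")
            # Assumption: a mode switch discards all keys of the other mode.
            cur = effective[sa] = {"mode": mode, "parts": set()}
        if mode == "string":  # for ESP the device generates both keys from the string
            cur["parts"] = {"authentication", "encryption"} if proto == "esp" else {"authentication"}
        else:
            cur["parts"].add(kind[:-4])  # "authentication" or "encryption"
    # Assumption: each protocol in use needs an SPI and a key in both directions.
    for proto in sorted({p for _, p in spis | set(effective)}):
        for sa in (("inbound", proto), ("outbound", proto)):
            findings += [f"{sa[0]} {proto}: no {what} configured" for what, have in (("SPI", spis), ("key", effective)) if sa not in have]
    return effective, findings
```

Running audit_manual_sa(SAMPLE) reports that the hexadecimal authentication key on line 4 overrides the string key from line 3; with fips=True the string key on line 3 is reported as unsupported instead.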
Configuring an IPsec policy that uses IKE
IPsec policies define which IPsec proposals should be used to protect which data flows. An IPsec policy
is uniquely identified by its name and sequence number.
IPsec policies fall into two categories:
• Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the
IP addresses of the two ends in tunnel mode.
• IPsec policy that uses IKE—The parameters are automatically negotiated through IKE.
This section describes how to configure a manual IPsec policy.
Configuration guidelines
To configure an IPsec policy that uses IKE, use either of the following methods:
• Directly configure it by configuring the parameters in IPsec policy view.
• Configure it by referencing an existing IPsec policy template with the parameters to be negotiated
configured. A device referencing an IPsec policy that is configured in this way cannot initiate SA
negotiation but can respond to a negotiation request. The parameters not defined in the template