R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

iii

Configuring the CPE of a tunnel ························································································································ 105

Configuring the AFTR of a tunnel······················································································································· 106

Configuration example ······································································································································· 107

Configuring an IPv6 over IPv6 tunnel ························································································································ 111

Configuration prerequisites ································································································································ 111

Configuration guidelines ···································································································································· 111

Configuration procedure ···································································································································· 111

Displaying and maintaining tunneling configuration ······························································································· 115

Troubleshooting tunneling configuration ··················································································································· 116

Symptom ······························································································································································· 116

Solution ································································································································································· 116

Configuring IKE ······················································································································································· 117

Feature and hardware compatibility ·························································································································· 117

IKE overview ································································································································································· 117

IKE security mechanism ······································································································································· 117

IKE operation ······················································································································································· 117

Functions of IKE in IPsec ····································································································································· 118

Relationship between IKE and IPsec ·················································································································· 119

Protocols ······························································································································································· 119

IKE configuration prerequisites ··································································································································· 119

Configuring IKE in the web interface ························································································································· 120

IKE configuration task list ···································································································································· 120

Configuring global IKE parameters ··················································································································· 120

Configuring an IKE proposal ····························································································································· 121

Configuring IKE DPD ··········································································································································· 123

Configuring an IKE peer ····································································································································· 124

Viewing IKE SAs ·················································································································································· 127

IKE configuration example in the web interface ······································································································· 128

Configuring IKE at the CLI ··········································································································································· 130

Configuring a name for the local security gateway ························································································ 131

Setting keepalive timers ······································································································································ 134

Setting the NAT keepalive timer ························································································································ 135

Configuring a DPD detector ······························································································································· 135

Disabling next payload field checking ············································································································· 136

Displaying and maintaining IKE ························································································································ 136

IKE configuration examples at the CLI ······················································································································· 137

Main mode IKE with pre-shared key authentication configuration example ················································ 137

Aggressive mode IKE with NAT traversal configuration example ································································· 141

Troubleshooting IKE ····················································································································································· 144

Invalid user ID ······················································································································································ 144

Proposal mismatch ·············································································································································· 145

Failing to establish an IPsec tunnel ···················································································································· 145

ACL configuration error ······································································································································ 145

Configuring IPsec ···················································································································································· 147

IPsec overview ······························································································································································ 147

IPsec implementation ··········································································································································· 147

Basic concepts ····················································································································································· 148

IPsec tunnel interface ··········································································································································· 150