HP ProCurve Threat Management Solution Implementation Guide 2009-05
Configure VPNs Using the HP ProCurve Threat Management Services zl Module
Configure a Site-to-Site IPsec VPN
Note: If your traffic selector includes traffic to which the module also applies NAT (for example, your
module might apply NAT to all local traffic destined to external IP addresses), you must create
a NAT exclusion policy. See the HP ProCurve Threat Management Services zl Module
Management and Configuration Guide.
10. For Proposal, select your IPsec proposal. For this example, select Esp3desMd5.
11. Click Next.
Figure C-27. Add IPsec Policy Window—Step 2 of 4
12. For Key Exchange Method, keep the default, Auto (with IKEv1).
13. For IKEv1 Policy, select the IKEv1 policy that you created earlier. For this example, select
SiteB.
14. Optionally, select the Enable PFS (Perfect Forward Secrecy) for keys check box, which forces
the tunnel endpoints to generate new keys for the IPsec SA. In the list that is displayed,
select one of the following:
• Group 1 (768)
• Group 2 (1024)
• Group 5 (1536)
For this example, leave the box clear.
15. For SA Lifetime in seconds, type a value between 300 (5 minutes) and 86400 (24 hours), or
type 0 if you do not want to specify a lifetime in seconds (in this case, you must specify a
lifetime in kilobytes).
For this example, leave the default 28800.
16. For SA Lifetime in Kilobytes, type a value between 2560 and 4194304, or leave the default 0
if you do not want to specify a lifetime in kilobytes (in this case, you must specify a lifetime
in seconds).
For this example, leave the default 0.
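The rules in steps 14 to 16 can be checked before the values are typed into the window. The following is an added example, not code from this guide or from the module: the IpsecPolicy class, the validate function and the 2048-bit review threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Limits as stated in steps 14-16 of this guide.
PFS_GROUPS = {1: 768, 2: 1024, 5: 1536}   # DH group -> modulus size in bits
SECONDS_RANGE = (300, 86400)
KILOBYTES_RANGE = (2560, 4194304)
MIN_MODP_BITS = 2048   # assumed review threshold, not a value from the guide


@dataclass
class IpsecPolicy:                 # hypothetical container, not a module API
    pfs_group: Optional[int]       # None = "Enable PFS" check box left clear
    lifetime_seconds: int          # 0 = no time-based lifetime
    lifetime_kilobytes: int        # 0 = no volume-based lifetime


def _range_error(label: str, value: int, lo: int, hi: int) -> List[str]:
    # 0 means "not specified"; any other value must fall inside the range.
    if value != 0 and not lo <= value <= hi:
        return [f"{label} must be 0 or {lo}-{hi}, got {value}"]
    return []


def validate(p: IpsecPolicy) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a planned IPsec policy."""
    errors = _range_error("SA lifetime (seconds)", p.lifetime_seconds, *SECONDS_RANGE)
    errors += _range_error("SA lifetime (kilobytes)", p.lifetime_kilobytes, *KILOBYTES_RANGE)
    if p.lifetime_seconds == 0 and p.lifetime_kilobytes == 0:
        errors.append("specify a lifetime in seconds or in kilobytes; both are 0")
    warnings: List[str] = []
    if p.pfs_group is None:
        warnings.append("PFS off: IPsec SA keys come from the IKE SA with no new DH exchange")
    elif p.pfs_group not in PFS_GROUPS:
        errors.append(f"PFS group {p.pfs_group} is not offered (choose 1, 2 or 5)")
    elif PFS_GROUPS[p.pfs_group] < MIN_MODP_BITS:
        warnings.append(f"PFS group {p.pfs_group} uses a {PFS_GROUPS[p.pfs_group]}-bit modulus, "
                        f"below {MIN_MODP_BITS} bits")
    return errors, warnings


if __name__ == "__main__":
    # Values chosen in this guide's example: PFS clear, 28800 s, 0 KB.
    print(validate(IpsecPolicy(None, 28800, 0)))
```

Run against the values used in this example, the check reports no errors and one warning, for the cleared PFS check box.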