HP TMS zl Module Security Administrator's Guide
4-13
Configuring a VPN on the HP TMS zl Module
IPsec VPNs
When sending outbound packets (which have already passed firewall, NAT, and IDS/IPS checks), the TMS zl Module checks whether the packet matches the traffic selector in an active outbound SA. If it does, the module uses the keys in the SA to encrypt and encapsulate the packet. The module also checks whether the packet matches a traffic selector in an IPsec policy. If the packet matches an IPsec policy, the module uses the associated IKE policy to establish an SA and then uses the SA to encrypt and encapsulate the packet.
The TMS zl Module can establish SAs in two ways:
■ Manually
■ Using IKEv1
Defining an SA Manually
You can define the IPsec SA yourself. In this case, you must specify:
■ The SA’s SPI
■ The authentication and encryption algorithms
■ The authentication and encryption keys, both inbound and outbound
■ The traffic selector
Because this method of configuration is relatively insecure and complex, HP Networking does not generally recommend it. However, manual keying is required when you select ICMP Echo or ICMP Timestamp traffic for the VPN. “Configuring an IPsec Site-to-Site VPN with Manual Keying” on page 4-230 and “Configure a GRE over IPsec VPN with Manual Keying” on page 4-373 explain how to set up a VPN using this method.
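The following is an added illustration, not the TMS zl Module's own code, of the two outbound lookups described above (active SA first, then IPsec policy, which triggers IKE) together with the fields a manually keyed SA carries (SPI, algorithms, inbound and outbound keys, traffic selector). The class names, the subnets, the key bytes and the "site-b" IKE policy name are constructed for the example; the ICMP Echo/Timestamp check models the guide's rule that such selectors require manual keying.

```python
"""Added illustration of the outbound IPsec lookup this guide describes.

Not the TMS zl Module's own code: the class names, the sample subnets and
the key material below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import secrets

# Per the guide, these traffic types must be protected by a manually keyed SA.
ICMP_MANUAL_ONLY = {"icmp-echo", "icmp-timestamp"}


@dataclass(frozen=True)
class TrafficSelector:
    """Which packets an SA or policy covers: local net, remote net, protocol."""
    local_net: str
    remote_net: str
    protocol: str = "any"

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "any" and self.protocol != pkt["protocol"]:
            return False
        return (ip_address(pkt["src"]) in ip_network(self.local_net)
                and ip_address(pkt["dst"]) in ip_network(self.remote_net))


@dataclass
class SA:
    """An IPsec SA with the fields the guide lists for manual keying."""
    spi: int
    selector: TrafficSelector
    auth_alg: str
    enc_alg: str
    inbound_key: bytes
    outbound_key: bytes
    origin: str  # "manual" or "ike"


@dataclass
class IPsecPolicy:
    """A policy whose match triggers an IKE negotiation to build an SA."""
    selector: TrafficSelector
    ike_policy: str  # name of the IKE policy that negotiates the SA
    auth_alg: str
    enc_alg: str

    def __post_init__(self):
        # ICMP Echo / ICMP Timestamp selectors need manual keying, so an
        # IKE-driven policy must not select them.
        if self.selector.protocol in ICMP_MANUAL_ONLY:
            raise ValueError(f"{self.selector.protocol} traffic requires a manual SA")


class OutboundProcessor:
    """Applies the two lookups in order: active SAs first, then IPsec policies."""

    def __init__(self, policies, manual_sas):
        self.policies = list(policies)
        self.sad = list(manual_sas)  # active SAs; IKE-built ones are appended
        self.ike_runs = []           # IKE policies invoked, kept for inspection

    def negotiate(self, pol: IPsecPolicy) -> SA:
        # Stand-in for an IKEv1 exchange (hypothetical): the real module derives
        # keys from the exchange; fresh random bytes model "randomly generated".
        self.ike_runs.append(pol.ike_policy)
        sa = SA(spi=secrets.randbits(32) | 0x100, selector=pol.selector,
                auth_alg=pol.auth_alg, enc_alg=pol.enc_alg,
                inbound_key=secrets.token_bytes(32),
                outbound_key=secrets.token_bytes(32), origin="ike")
        self.sad.append(sa)
        return sa

    def process(self, pkt: dict) -> tuple:
        """Returns (action, spi, origin) for one outbound packet."""
        for sa in self.sad:                # 1. does an active outbound SA match?
            if sa.selector.matches(pkt):
                return ("protect", sa.spi, sa.origin)
        for pol in self.policies:          # 2. does an IPsec policy match? -> IKE
            if pol.selector.matches(pkt):
                sa = self.negotiate(pol)
                return ("protect", sa.spi, sa.origin)
        return ("cleartext", None, None)   # 3. neither: forwarded unprotected


def demo():
    """Constructed scenario: one manual SA for ICMP Echo, one IKE-driven policy for TCP."""
    manual = SA(spi=0x200,
                selector=TrafficSelector("10.1.0.0/24", "10.2.0.0/24", "icmp-echo"),
                auth_alg="hmac-sha1", enc_alg="aes-128-cbc",
                inbound_key=bytes.fromhex("00" * 16),   # constructed, not a real key
                outbound_key=bytes.fromhex("11" * 16),  # constructed, not a real key
                origin="manual")
    policy = IPsecPolicy(TrafficSelector("10.1.0.0/24", "10.2.0.0/24", "tcp"),
                         ike_policy="site-b", auth_alg="hmac-sha1", enc_alg="aes-128-cbc")
    proc = OutboundProcessor([policy], [manual])
    results = [
        proc.process({"src": "10.1.0.5", "dst": "10.2.0.9", "protocol": "icmp-echo"}),
        proc.process({"src": "10.1.0.5", "dst": "10.2.0.9", "protocol": "tcp"}),
        proc.process({"src": "10.1.0.5", "dst": "10.2.0.9", "protocol": "tcp"}),
        proc.process({"src": "10.1.0.5", "dst": "192.0.2.1", "protocol": "tcp"}),
    ]
    return results, proc.ike_runs


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Running `demo()` shows the ordering that matters operationally: the ICMP Echo packet hits the manual SA directly, the first TCP packet triggers one IKE negotiation whose resulting SA is then reused by the second TCP packet without a further negotiation, and the packet to a destination outside every selector leaves in cleartext.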
Defining an SA Using IKE
By far, the more secure and manageable solution for VPN configuration is to allow IKE to negotiate the IPsec SA. IKE regulates the process as hosts authenticate each other, agree upon hash and encryption algorithms, and generate the unique keys used to secure packets. Using IPsec with IKE provides increased security because keys are randomly generated and periodically changed.
IKE also eases configuration. Instead of configuring the SA manually, you configure IKE policies. (You must also set some security parameters and a traffic selector in the IPsec policy.) These sections include instructions for setting up IPsec SAs using IKE:
■ “Configure an IPsec Client-to-Site VPN” on page 4-27
■ “Configuring an IPsec Site-to-Site VPN with IKE” on page 4-106