HP TMS zl Module Security Administrator's Guide

4-14
Configuring a VPN on the HP TMS zl Module
IPsec VPNs
“Configure an L2TP over IPsec Client-to-Site VPN” on page 4-253
“Configure a GRE over IPsec VPN with IKE” on page 4-340
IKE version 1
IKEv1 follows a set process to negotiate the IPsec SA and passes through two
phases. The first phase establishes a preliminary tunnel, or IKE SA. The second
phase establishes the IPsec SA. When you understand this process, you will
find it much easier to configure VPNs on the TMS zl Module.
IKE Phase 1
During phase 1, IKE must complete three tasks:
• Negotiate security parameters for the IKE SA
• Generate the keys used to secure data sent over the IKE SA
• Authenticate the endpoints of the tunnel (the two hosts)
Therefore, IKE phase 1 typically involves three exchanges between hosts, or
six total messages.
Exchange 1: Security parameters. In the first exchange, the endpoint that
initiates the VPN connection sends a message to the remote endpoint with one
or more security proposals. Each proposal includes one option for each of
these parameters:
Authentication algorithm:
• MD5
• SHA-1
Encryption algorithm:
• DES
• 3DES
• AES with 128, 192, or 256-bit keys
Authentication method:
• Preshared key
• Certificates (Digital Signature Algorithm [DSA] or Rivest-Shamir-Adleman [RSA] signature)
Diffie-Hellman group:
• Group 1 (768-bit)
• Group 2 (1024-bit)
• Group 5 (1536-bit)
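The following Python model of exchange 1 is an added example, not code from the guide or from the TMS zl Module: the initiator offers an ordered list of proposals built from the four parameters above, the responder accepts the first one its own policy allows in full, and an audit helper reports which options of the accepted proposal are weak. The option labels, the policies and the WEAK table are this example's own assumptions.

```python
from dataclasses import dataclass

# Phase 1 options as the guide lists them (labels are this example's own).
AUTH_ALGS = {"MD5", "SHA-1"}
ENC_ALGS = {"DES", "3DES", "AES-128", "AES-192", "AES-256"}
AUTH_METHODS = {"preshared-key", "rsa-sig", "dsa-sig"}
DH_GROUPS = {1: 768, 2: 1024, 5: 1536}  # group number -> MODP modulus size in bits

# Options an auditor would flag; an assumption of this example, not the guide's advice.
WEAK = {"auth_alg": {"MD5"}, "enc_alg": {"DES"}, "dh_group": {1}}


@dataclass(frozen=True)
class Proposal:
    """One Phase 1 proposal: exactly one option for each of the four parameters."""
    auth_alg: str
    enc_alg: str
    auth_method: str
    dh_group: int

    def __post_init__(self):
        ok = (self.auth_alg in AUTH_ALGS and self.enc_alg in ENC_ALGS
              and self.auth_method in AUTH_METHODS and self.dh_group in DH_GROUPS)
        if not ok:
            raise ValueError(f"unsupported Phase 1 option in {self}")


def select_proposal(offered, responder_policy):
    """Exchange 1: the responder walks the initiator's proposals in the order sent
    and accepts the first whose every attribute its policy allows. Returns that
    Proposal unchanged, or None when nothing matches (no IKE SA is established)."""
    for p in offered:
        if all(getattr(p, attr) in allowed for attr, allowed in responder_policy.items()):
            return p
    return None


def weak_attributes(p):
    """Audit helper: attributes of a negotiated proposal that use a weak option."""
    return sorted(attr for attr, bad in WEAK.items() if getattr(p, attr) in bad)


# Constructed initiator offer, strongest first, with a legacy fallback at the end.
OFFERED = [
    Proposal("SHA-1", "AES-256", "preshared-key", 5),
    Proposal("SHA-1", "3DES", "preshared-key", 2),
    Proposal("MD5", "DES", "preshared-key", 1),
]
STRICT_POLICY = {"auth_alg": {"SHA-1"}, "enc_alg": {"AES-128", "AES-256"},
                 "auth_method": {"preshared-key", "rsa-sig"}, "dh_group": {2, 5}}
LEGACY_POLICY = {"auth_alg": {"MD5"}, "enc_alg": {"DES"},
                 "auth_method": {"preshared-key"}, "dh_group": {1}}

if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("legacy", LEGACY_POLICY)):
        chosen = select_proposal(OFFERED, policy)
        print(name, "responder accepted:", chosen, "weak:", weak_attributes(chosen))
```

Because the responder's policy decides, a weak fallback left in the initiator's offer list is what the legacy peer ends up using; removing it from the offer is the initiator-side control.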