HP TMS zl Module Security Administrator's Guide
4-77
Configuring a VPN on the HP TMS zl Module
Configure an IPsec Client-to-Site VPN
a. For Key Exchange Mode, select Main Mode or Aggressive Mode.
The mode must match that configured on remote endpoints. See “IKE
modes” on page 4-18 for guidelines.
b. For Authentication Method, select one of the following:
– Preshared Key
– DSA Signature
– RSA Signature
If you want to use SCEP to install certificates, select RSA Signature
rather than DSA Signature.
If you select DSA Signature or RSA Signature, you can go directly to
step 13. (After you finish the IKEv1 policy, you must install certificates
manually or using SCEP; for the latter, the CA must support SCEP as
well.) Read the appropriate section:
– “Install Certificates Manually” on page 4-394
– “Install Certificates Using SCEP” on page 4-418
c. If you selected Preshared Key, type a string of 12 to 49 alphanumeric
or special characters in the Preshared Key box. Type the same string
in the Confirm Preshared Key box.
The string (which is case-sensitive) must match the string that is
configured on the remote endpoints.
14. Under Security Parameters Proposal, configure the security settings
proposed by the TMS zl Module for the IKE SA (the IKE policy on remote
endpoints must match):
a. For Diffie-Hellman (DH) Group, select the group for the Diffie-Hellman
key exchange:
– Group 1 (768)
– Group 2 (1024)
– Group 5 (1536)
The group determines the length of the prime number used during the
exchange. The larger the number, the more secure the key generated
by the exchange.
b. For Encryption Algorithm, select one of these algorithms, listed from
least secure (and least processor-intensive) to most:
– DES
– AES-128 (16)
– 3DES
– AES-192 (24)
– AES-256 (32)
The number in parentheses after AES options indicates the key length
for the algorithm in bytes.
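The procedure above repeatedly stresses that the IKE mode, preshared key, DH group and encryption algorithm must match on both endpoints, and that the preshared key is case-sensitive and 12 to 49 characters long. The following Python script is an added example, not part of the HP guide and not HP code: it checks a proposed IKEv1 policy against the constraints listed in this procedure, compares it with the policy recorded for a remote endpoint, and flags the weakest choices in the guide's own ordering. The dictionary field names, the sample preshared key and the peer record are constructed for illustration; the DES and 3DES key lengths are standard values not given on the page.

```python
"""Sanity-check an IKEv1 policy of the kind configured in this procedure.

Added example (not HP code). The allowed values are exactly the choices the
procedure lists; field names, sample values and the peer record are assumptions.
"""

MODES = {"main", "aggressive"}            # Key Exchange Mode choices
AUTH_METHODS = {"psk", "dsa", "rsa"}      # Preshared Key, DSA Signature, RSA Signature
DH_GROUPS = {1: 768, 2: 1024, 5: 1536}    # group -> length of the DH prime in bits
# algorithm -> key length in bytes, in the guide's least-to-most-secure order
# (DES = 8 and 3DES = 24 are standard values; the AES lengths are from the guide)
ENC_ALGS = {"des": 8, "aes-128": 16, "3des": 24, "aes-192": 24, "aes-256": 32}
PSK_MIN, PSK_MAX = 12, 49                 # preshared key length limits from the guide


def validate_policy(policy):
    """Return a list of error strings; an empty list means the policy is acceptable."""
    errors = []
    if policy.get("mode") not in MODES:
        errors.append("mode must be 'main' or 'aggressive'")
    auth = policy.get("auth")
    if auth not in AUTH_METHODS:
        errors.append("auth must be one of psk, dsa, rsa")
    if auth == "psk":
        psk = policy.get("psk", "")
        if not (PSK_MIN <= len(psk) <= PSK_MAX):
            errors.append(f"preshared key must be {PSK_MIN}-{PSK_MAX} characters (got {len(psk)})")
        # "alphanumeric or special characters": printable, non-whitespace characters
        elif not all(c.isprintable() and not c.isspace() for c in psk):
            errors.append("preshared key may contain only alphanumeric or special characters")
    if policy.get("dh_group") not in DH_GROUPS:
        errors.append("dh_group must be 1, 2 or 5")
    if policy.get("enc") not in ENC_ALGS:
        errors.append("enc must be one of " + ", ".join(ENC_ALGS))
    return errors


def compare_with_peer(local, peer, fields=("mode", "auth", "dh_group", "enc", "psk")):
    """Return the fields that differ from the remote endpoint's record.

    The comparison is exact, so a preshared key differing only in case is a mismatch,
    as the guide requires.
    """
    return [f for f in fields if local.get(f) != peer.get(f)]


def weak_settings(policy):
    """Advisory notes for the weakest options in the guide's own ordering."""
    notes = []
    if policy.get("enc") == "des":
        notes.append("DES is the least secure algorithm listed; prefer an AES option")
    if policy.get("dh_group") == 1:
        notes.append("DH group 1 uses the shortest prime (768 bits); prefer group 5")
    return notes


def describe(policy):
    """Human-readable summary of the numeric parameters behind the chosen options."""
    bits = DH_GROUPS.get(policy.get("dh_group"))
    key_bytes = ENC_ALGS.get(policy.get("enc"))
    return f"DH prime {bits} bits, {policy.get('enc')} key {key_bytes} bytes"


# Constructed sample: a local policy and the record kept for a remote endpoint
LOCAL = {"mode": "main", "auth": "psk", "psk": "Tms-Client#2024!",
         "dh_group": 5, "enc": "aes-256"}
PEER = dict(LOCAL, enc="aes-128")          # remote side was left on a different algorithm

if __name__ == "__main__":
    print("errors:", validate_policy(LOCAL))
    print("mismatched fields:", compare_with_peer(LOCAL, PEER))
    print("weak settings:", weak_settings(LOCAL))
    print(describe(LOCAL))
```

Running the script reports no validation errors for the local policy, a mismatch on `enc` against the peer record, and no weak-setting notes; swapping in `"enc": "des"` or `"dh_group": 1` produces the corresponding advisory.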