HP VPN Firewall Appliances System Management and Maintenance Command Reference
vpn-instance vpn-instance-name: Specifies the VPN to which the server belongs, where the
vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public
network, do not specify this option.
identity-key: Specifies the algorithm for publickey authentication. In non-FIPS mode, the algorithm is
either dsa or rsa and the default is dsa. In FIPS mode, the algorithm is rsa.
• dsa: Specifies the public key algorithm dsa.
• rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is
not used.
• zlib: Specifies the compression algorithm ZLIB.
• zlib-openssh: Specifies the compression algorithm ZLIB@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
• 3des: Specifies the encryption algorithm 3des-cbc.
• aes128: Specifies the encryption algorithm aes128-cbc.
• aes256: Specifies the encryption algorithm aes256-cbc.
• des: Specifies the encryption algorithm des-cbc.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1-96.
• md5: Specifies the HMAC algorithm hmac-md5.
• md5-96: Specifies the HMAC algorithm hmac-md5-96.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode, and is dh-group14 in FIPS mode.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1-96.
Usage guidelines
When the server uses publickey authentication to authenticate a client, the client must obtain its local private key to produce the digital signature. In non-FIPS mode, because publickey authentication uses either the RSA or the DSA algorithm, you must specify the client's public key algorithm (by using the identity-key keyword) so that the correct local private key is selected.
In non-FIPS mode, the default algorithms are as follows:
• The public key algorithm is dsa.
• The preferred client-to-server encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is sha1-96.
• The preferred key exchange algorithm is dh-group-exchange.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred server-to-client HMAC algorithm is sha1-96.