HP VPN Firewall Appliances VPN Configuration Guide

Step    Remarks
2. Configuring an IKE proposal
Required when IKE peers need to specify an IKE proposal.
An IKE proposal defines a set of attributes describing how IKE negotiation
should take place. You can create multiple IKE proposals with different
preferences. The preference of an IKE proposal is represented by its
sequence number, and the smaller the sequence number, the higher the
preference.
Two peers must have at least one pair of matched IKE proposals for
successful IKE negotiation. During IKE negotiation, the negotiation initiator
sends its IKE proposals to the peer. The peer matches the received IKE
proposals against its own IKE proposals, starting with the one with the
smallest sequence number. Matching continues until a match is found or all
IKE proposals have been tried without a match. The matched IKE proposals
are used to establish the security tunnel.
Two matched IKE proposals have the same encryption algorithm,
authentication method, authentication algorithm, and DH group. The
ISAKMP SA lifetime is the smaller of the lifetimes in the two matched IKE
proposals.
By default, there is an IKE proposal, which has the lowest preference and
uses these default settings:
Pre-shared key authentication method
SHA authentication algorithm
DES-CBC encryption algorithm
DH group named Group1
SA lifetime of 86400 seconds
3. Configuring IKE DPD
Optional.
DPD detects dead IKE peers on demand rather than at regular intervals. When
the local end sends an IPsec packet, DPD checks the time the last IPsec packet
was received from the peer. If the elapsed time exceeds the DPD interval, it
sends a DPD hello to the peer. If the
local end receives no DPD acknowledgement within the DPD packet
retransmission interval, it retransmits the DPD hello. If the local end still
receives no DPD acknowledgement after having made the maximum number
of retransmission attempts (two by default), it considers the peer already
dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.
4. Configuring an IKE peer
Required.
Create an IKE peer and configure the related parameters.
IMPORTANT:
If you change the settings of an IKE peer, make sure you clear the established
ISAKMP SAs and IPsec SAs on the pages displayed after you select VPN >
IKE > IKE SA and VPN > IPSec > IPSec SA, respectively. Otherwise, SA
renegotiation will fail.
5. Viewing IKE SAs
Optional.
View the summary information of the current ISAKMP SA.
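
The proposal matching described under step 2, modeled as an added Python example that is not taken from the HP guide or the appliance software. It shows two gateways whose custom proposals do not match settling on the default DES-CBC/Group1 proposal. Assumptions: the responder walks its own proposals in ascending sequence number and compares each with the offered ones; the default proposal's sequence number, the attribute strings, the SITE_* configurations and the WEAK set are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IkeProposal:
    seq: int          # sequence number: smaller means higher preference
    encryption: str
    auth_method: str
    auth_algorithm: str
    dh_group: str
    lifetime: int     # ISAKMP SA lifetime in seconds

    def match_key(self):
        # The four attributes that must be equal for two proposals to match.
        return (self.encryption, self.auth_method, self.auth_algorithm, self.dh_group)

# Default proposal with the settings the guide lists. The sequence number is a
# constructed stand-in for "lowest preference".
DEFAULT = IkeProposal(65535, "DES-CBC", "pre-shared-key", "SHA", "Group1", 86400)

# Added assumption, not from the guide: treat 56-bit DES and the 768-bit
# DH group 1 as too weak to accept.
WEAK = {"DES-CBC", "Group1"}

def negotiate(offered, local):
    """Return (offered_proposal, local_proposal, lifetime), or None if nothing matches."""
    for mine in sorted(local, key=lambda p: p.seq):
        for theirs in sorted(offered, key=lambda p: p.seq):
            if mine.match_key() == theirs.match_key():
                # The ISAKMP SA lifetime is the smaller of the two.
                return theirs, mine, min(mine.lifetime, theirs.lifetime)
    return None

def weak_settings(proposal):
    """List the attributes of a proposal that appear in WEAK."""
    return [v for v in (proposal.encryption, proposal.dh_group) if v in WEAK]

# Constructed sample configurations for three gateways.
SITE_A = [IkeProposal(10, "AES-CBC-128", "pre-shared-key", "SHA", "Group2", 3600), DEFAULT]
SITE_B = [IkeProposal(5, "3DES-CBC", "pre-shared-key", "MD5", "Group2", 86400), DEFAULT]
SITE_C = [IkeProposal(20, "AES-CBC-128", "pre-shared-key", "SHA", "Group2", 28800), DEFAULT]

if __name__ == "__main__":
    for name, responder in (("B", SITE_B), ("C", SITE_C)):
        theirs, mine, lifetime = negotiate(SITE_A, responder)
        print(f"A -> {name}: seq {theirs.seq}/{mine.seq}, {mine.encryption}, "
              f"{mine.dh_group}, lifetime {lifetime}s, weak: {weak_settings(mine)}")
```

A negotiation that succeeds only through the default proposal is worth treating as a configuration finding, since the tunnel comes up without any visible error.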
Configuring global IKE parameters
1. Select VPN > IKE > Global from the navigation tree to enter the IKE global configuration page.