HP VPN Firewall Appliances VPN Configuration Guide

Item	Description

IKE Negotiation Mode
Select the IKE negotiation mode in phase 1, which can be Main or Aggressive.
IMPORTANT:
If you configure one end of an IPsec tunnel to obtain an IP address dynamically, the IKE negotiation mode must be Aggressive. In this case, SAs can be established as long as the username and password are correct.
The specified negotiation mode is used when the local peer is the negotiation initiator. When acting as the responder, the negotiation mode of the initiator is used.

Local ID Type
Select the local ID type for IKE negotiation phase 1. Options include:
IP Address—Uses an IP address as the ID in IKE negotiation.
FQDN—Uses the FQDN type as the ID in IKE negotiation. If this option is selected, type a name string without any at sign (@) for the local security gateway, for example, foo.bar.com.
User FQDN—Uses a user FQDN type as the ID in IKE negotiation. If this option is selected, enter a name string with an at sign (@) for the local security gateway, for example, test@foo.bar.com.
IMPORTANT:
In main mode, only the ID type of IP address can be used in IKE negotiation and SA establishment.

Local IP Address
Enter the IP address of the local security gateway.
By default, it is the primary IP address of the interface referencing the security policy. Configure this item when you want to specify a special address for the local security gateway.
IMPORTANT:
Typically, you do not need to specify the local IP address unless you want to specify a special address, such as the loopback interface address. For the local peer to act as the initiator, you must configure the remote security gateway name or IP address, so that the initiator can find the remote peer during the negotiation.

Remote Gateway Address
Enter the IP address or host name of the remote security gateway.
IP Address—Specify an IP address or a range of IP addresses for the remote gateway. If the local end is the initiator of IKE negotiation, it can have only one remote IP address, and that remote IP address must match the local IP address configured on its peer. If the local end is the responder of IKE negotiation, it can have more than one remote IP address, and one of its remote IP addresses must match the local IP address configured on its peer.
Hostname—Enter the host name of the remote gateway, which is the only identifier of the IPsec peer in the network. The host name can be resolved into an IP address by the DNS server. If a host name is used, the local end can serve as the initiator of IKE negotiation.

Remote Gateway Name
Enter the name of the remote security gateway.
If the local ID type configured for the IKE negotiation initiator is FQDN or user FQDN, the initiator sends its gateway name (IKE Local Name) to the responder for identification. The responder then uses the locally configured remote gateway name to authenticate the initiator. Make sure that the remote gateway name configured here is identical to the local gateway name (IKE Local Name) configured on its peer.
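The constraints in this table (dynamic address forces Aggressive mode, Main mode allows only the IP Address ID type, the at-sign rule for FQDN versus User FQDN, one remote address for an initiator, and the Remote Gateway Name having to equal the peer's IKE Local Name) are easy to get wrong on one end without the other end noticing until phase 1 fails. The following added example, which is not part of the HP guide and not the appliance's own code, models both gateways of a tunnel with constructed settings and checks them against those rules before they are applied; the dataclass field names are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class IkePeer:  # constructed model of the phase-1 items in the table above
    mode: str                         # "Main" or "Aggressive"
    local_id_type: str                # "IP Address", "FQDN" or "User FQDN"
    local_name: Optional[str] = None  # IKE Local Name sent for FQDN / User FQDN IDs
    local_ip: Optional[str] = None    # Local IP Address (None = interface primary address)
    dynamic_ip: bool = False          # address obtained dynamically
    remote_ips: List[str] = field(default_factory=list)  # Remote Gateway Address(es)
    remote_hostname: Optional[str] = None                # Remote Gateway Address as host name
    remote_name: Optional[str] = None                    # Remote Gateway Name expected from peer
    initiator: bool = True

def check_peer(p: IkePeer) -> List[str]:
    """Return the table rules that one gateway's configuration violates."""
    errs = []
    if p.dynamic_ip and p.mode != "Aggressive":
        errs.append("dynamic address requires Aggressive mode")
    if p.mode == "Main" and p.local_id_type != "IP Address":
        errs.append("Main mode allows only the IP Address ID type")
    if p.local_id_type == "FQDN" and (not p.local_name or "@" in p.local_name):
        errs.append("FQDN ID must be a name without '@'")
    if p.local_id_type == "User FQDN" and (not p.local_name or "@" not in p.local_name):
        errs.append("User FQDN ID must be a name containing '@'")
    if p.initiator and not p.remote_hostname and len(p.remote_ips) != 1:
        errs.append("initiator needs exactly one remote address or a host name")
    return errs

def check_tunnel(init: IkePeer, resp: IkePeer) -> List[str]:
    """Check both ends together: addresses must cross-match and a name-based ID
    must equal the Remote Gateway Name configured on the responder."""
    errs = check_peer(init) + check_peer(resp)
    if init.remote_ips and resp.local_ip and init.remote_ips[0] != resp.local_ip:
        errs.append("initiator remote address does not match responder local address")
    if resp.remote_ips and init.local_ip and init.local_ip not in resp.remote_ips:
        errs.append("responder remote address list does not contain initiator address")
    if init.local_id_type != "IP Address" and resp.remote_name != init.local_name:
        errs.append("responder Remote Gateway Name differs from initiator IKE Local Name")
    return errs

if __name__ == "__main__":
    # Constructed sample: a dynamically addressed branch initiating to a fixed HQ gateway.
    branch = IkePeer("Aggressive", "User FQDN", local_name="branch@example.test",
                     dynamic_ip=True, remote_ips=["203.0.113.1"])
    hq = IkePeer("Aggressive", "IP Address", local_ip="203.0.113.1",
                 remote_name="branch@example.test", initiator=False)
    print(check_tunnel(branch, hq))  # [] when both ends agree
```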