HP VPN Firewall Appliances VPN Configuration Guide

| Item | Description |
|---|---|
| Pre-Shared Key / PKI Domain | To use the authentication method of pre-shared key, select Pre-Shared Key and enter consistent pre-shared keys in the Key and Confirm Key fields. To use the authentication method of RSA signature, select PKI Domain and then select the PKI domain to which the certificate belongs in the following list. Available PKI domains are those configured on the page you enter by selecting VPN > Certificate Manager > Domain from the navigation tree. |
| Enable DPD | Select the IKE DPD to be applied to the IKE peer. |
| Enable the NAT traversal function | Enable the NAT traversal function for IPsec/IKE. The NAT traversal function must be enabled if a NAT security gateway exists in an IPsec/IKE VPN tunnel. In main mode, NAT traversal supports only the RSA signature authentication method, but it does not support the pre-shared key authentication method. IMPORTANT: To save IP addresses, ISPs often deploy NAT gateways on public networks to allocate private IP addresses to users. In this case, one end of an IPsec/IKE tunnel might have a public address while the other end might have a private address, and NAT traversal must be configured at the private network side to set up the tunnel. |

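
How IKE peers can tell that a NAT gateway sits on the path, as an added example (not from the HP guide or the appliance's own code): it follows the NAT-D hash defined in RFC 3947, HASH(CKY-I | CKY-R | IP | Port). The cookies, addresses and function names are constructed for illustration.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i, cky_r, ip, port, alg="sha1"):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    data = cky_i + cky_r + addr + struct.pack("!H", port)
    return hashlib.new(alg, data).digest()


def build_nat_d(cky_i, cky_r, src, dst):
    """Sender side: first payload covers the destination, second the source."""
    return [nat_d_hash(cky_i, cky_r, *dst), nat_d_hash(cky_i, cky_r, *src)]


def detect_nat(cky_i, cky_r, nat_d, local, observed_src):
    """Receiver side: compare received hashes with what the packet shows.

    local        -- (ip, port) the receiver itself is using
    observed_src -- (ip, port) seen as the packet source on arrival
    """
    return {
        # Sender's idea of our address differs from ours: we are behind NAT.
        "local_behind_nat": nat_d[0] != nat_d_hash(cky_i, cky_r, *local),
        # Sender's own address differs from the packet source: it is behind NAT.
        "remote_behind_nat": nat_d[1] != nat_d_hash(cky_i, cky_r, *observed_src),
    }


# Constructed sample values: made-up cookies, documentation address ranges.
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
BRANCH_PRIVATE = ("192.168.1.10", 500)   # initiator on the private side
BRANCH_MAPPED = ("203.0.113.7", 1027)    # same initiator after the ISP's NAT
HQ_PUBLIC = ("198.51.100.1", 500)        # responder with a public address


def demo():
    sent = build_nat_d(CKY_I, CKY_R, src=BRANCH_PRIVATE, dst=HQ_PUBLIC)
    natted = detect_nat(CKY_I, CKY_R, sent, HQ_PUBLIC, BRANCH_MAPPED)
    direct = detect_nat(CKY_I, CKY_R, sent, HQ_PUBLIC, BRANCH_PRIVATE)
    return natted, direct


if __name__ == "__main__":
    print(demo())
```
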
Viewing IKE SAs
Select VPN > IKE > IKE SA from the navigation tree to display brief information about established
ISAKMP SAs, as shown in Figure 82.
You can click Delete All to remove all ISAKMP SAs. When you clear a local IPsec SA, if the
corresponding ISAKMP SA is still present, the local end sends a Delete Message to the remote end across
the ISAKMP SA. The message notifies the remote end to delete the IPsec SA. If the corresponding ISAKMP
SA is no longer present, the local end cannot notify the remote end to clear the IPsec SA.
Figure 82 IKE SA list
Table 9 Field description
| Field | Description |
|---|---|
| Connection ID | Identifier of the ISAKMP SA. |
| Remote IP Address | Remote IP address of the SA. |