HP VPN Firewall Appliances VPN Configuration Guide

d. Enter the IPsec proposal name tran1, and select the packet encapsulation mode Tunnel,
security protocol ESP, authentication algorithm SHA1, and encryption algorithm DES.
e. Click Apply.
6. Create an IPsec policy named map1:
a. Select VPN > IPSec > Policy from the navigation tree.
b. Click Add.
c. Enter the IPsec policy name map1. Enter the sequence number 10. Select the IKE peer peer.
Select the IPsec proposal tran1 from the Available Proposal list, and click <<. Enter the ACL
number 3101.
d. Click Apply.
7. Apply the IPsec policy to interface GigabitEthernet 0/1:
a. Select VPN > IPSec > IPSec Application from the navigation tree.
b. Click the icon for interface GigabitEthernet0/1.
c. Select policy map1.
d. Click Apply.
8. Configure a static route to Host A:
a. Select Network > Routing Management > Static Routing from the navigation tree.
b. Click Add.
c. Enter 10.1.1.0 as the destination IP address, select 255.255.255.0 from the mask list, and
enter 1.1.1.1 as the next hop.
d. Click Apply.
Verifying the configuration
After you complete the configuration, a packet destined to subnet 10.1.2.0/24 or 10.1.1.0/24 from
Device A or Device B triggers IKE negotiation. Device A is configured with IKE proposal 10, which uses
the authentication algorithm of MD5. Device B uses the default IKE proposal, which uses the default
authentication algorithm of SHA. Device B has no proposal matching proposal 10 of Device A, and the
two devices have only one pair of matched proposals—the default IKE proposals. The two devices do not
need to have the same ISAKMP SA lifetime, and they will negotiate one instead.
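The proposal matching described above, modeled in Python as an added example (not from the HP guide). It assumes that proposals match on encryption algorithm, authentication method, authentication algorithm, and DH group, and that the shorter lifetime is used; every value other than MD5 for proposal 10 and SHA for the default proposal is constructed.

```python
from dataclasses import dataclass

# Settings this added example treats as legacy (constructed list, not from the guide).
LEGACY = {"des", "md5", "sha1", "group1"}

@dataclass(frozen=True)
class IkeProposal:
    name: str
    encryption: str
    auth_method: str
    auth_algorithm: str
    dh_group: str
    lifetime: int  # ISAKMP SA lifetime in seconds

    def match_key(self):
        # Fields assumed to need equality on both peers; lifetime is excluded.
        return (self.encryption, self.auth_method, self.auth_algorithm, self.dh_group)

def negotiate(initiator, responder):
    """Both lists are in priority order, default proposal last.
    Returns (initiator proposal, responder proposal, lifetime) or None."""
    for offered in initiator:
        for local in responder:
            if offered.match_key() == local.match_key():
                # Assumption: the shorter of the two lifetimes is used.
                return offered.name, local.name, min(offered.lifetime, local.lifetime)
    return None

def legacy_settings(proposal):
    """List the settings of a proposal that fall in the LEGACY set."""
    used = {proposal.encryption, proposal.auth_algorithm, proposal.dh_group}
    return sorted(used & LEGACY)

# Constructed values: only "proposal 10 uses MD5" and "default uses SHA" come from the text.
DEFAULT = IkeProposal("default", "des", "pre-share", "sha1", "group1", 86400)
PROPOSAL_10 = IkeProposal("10", "des", "pre-share", "md5", "group1", 5000)
DEVICE_A = [PROPOSAL_10, DEFAULT]
DEVICE_B = [DEFAULT]

if __name__ == "__main__":
    print(negotiate(DEVICE_A, DEVICE_B))
    print(legacy_settings(DEFAULT))
```

Running `legacy_settings` on the proposal that `negotiate` selects shows which of the agreed settings would need a stronger replacement on both peers.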
Configuring IKE at the CLI
Determine the following parameters prior to IKE configuration:
The strength of the algorithms for IKE negotiation (the security protection level), including the
identity authentication method, encryption algorithm, authentication algorithm, and DH group.
Different algorithms provide different levels of protection. A stronger algorithm means more
resistance to decryption of protected data but requires more resources. Generally, the longer the key,
the stronger the algorithm.
The pre-shared key or the PKI domain the certificate belongs to. For more information about PKI
configuration, see "Managing certificates."
To configure IKE:
Task                                                 Remarks
Configuring a name for the local security gateway    Optional.