HP VPN Firewall Appliances VPN Configuration Guide

If you do not specify any IKE proposals, the local end initiates IKE negotiation by using the following guidelines:
- If the IKE negotiation mode in phase 1 is main, the local end sends the first 100 supported IKE proposals to the remote end for IKE negotiation.
- If the IKE negotiation mode in phase 1 is aggressive, the local end sends the IKE proposal with the smallest sequence number to the remote end for IKE negotiation.
- Configure a pre-shared key for pre-shared key authentication, or a PKI domain for digital signature authentication.
- Specify the ID type for the local end to use in IKE negotiation phase 1. With pre-shared key authentication, the ID type must be IP address for main mode IKE negotiation, and can be IP address, FQDN, or user FQDN for aggressive mode IKE negotiation.
- Specify the name or IP address of the local security gateway. You perform this task only when you want to use a special address (for example, a loopback interface address) as the local security gateway address.
- Specify the name or IP address of the remote security gateway. For the local end to initiate IKE negotiation, you must specify the name or IP address of the remote security gateway on the local end so that the local end can find the remote end.
- Enable NAT traversal. If there is a NAT gateway on the tunnel path, you must configure NAT traversal at both ends of the IPsec tunnel, because one end might use a public address while the other end uses a private address.
- Specify the DPD detector for the IKE peer.
To configure an IKE peer:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IKE peer and enter IKE peer view.
  Command: ike peer peer-name
  Remarks: N/A

Step 3. Specify the IKE negotiation mode for phase 1.
  Command: exchange-mode { aggressive | main }
  Remarks: Optional. The default is main. In FIPS mode, aggressive mode is not supported.

Step 4. Specify the IKE proposals for the IKE peer to reference.
  Command: proposal proposal-number&<1-6>
  Remarks: Optional. By default, an IKE peer references no IKE proposals, and, when responding to an IKE negotiation request, it uses the IKE proposals configured in system view.

Step 5. Configure a pre-shared key for pre-shared key authentication, or specify a PKI domain for digital signature authentication.
  Command (pre-shared key): pre-shared-key [ cipher | simple ] key
  Command (PKI domain): certificate domain domain-name
  Remarks: Configure one of the two commands, according to the authentication method of the IKE proposal. In FIPS mode, you cannot configure a plaintext pre-shared key, and the pre-shared key must contain at least 8 characters drawn from uppercase letters, lowercase letters, digits, and special characters.
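The following is an added example, not part of this guide and not HP code. It generates the IKE peer configuration block described by the procedure above and enforces the rules the page states before any command is emitted: aggressive mode and plaintext keys are rejected in FIPS mode, main mode with pre-shared key authentication requires the IP address ID type, at most 6 proposals can be referenced, and a FIPS-mode pre-shared key must be at least 8 characters with uppercase, lowercase, digit, and special characters. Only exchange-mode, proposal, pre-shared-key and certificate domain appear on this page; the id-type, local-address, remote-address, nat traversal and dpd command spellings are assumed from Comware syntax, and the peer names, addresses and key used in the usage call are constructed sample values.

```python
"""Build and sanity-check an IKE peer configuration block (added example).

Constraint checks follow the rules stated in the guide.  The id-type,
local-address, remote-address, nat traversal and dpd spellings are
assumptions based on Comware syntax, not commands shown on this page.
"""
from typing import List, Optional, Sequence

SPECIAL_CHARS = set(r"""!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~""")


def psk_meets_fips_rule(key: str) -> bool:
    """FIPS rule from the guide: >= 8 chars with upper, lower, digit and special."""
    return (len(key) >= 8
            and any(c.isupper() for c in key)
            and any(c.islower() for c in key)
            and any(c.isdigit() for c in key)
            and any(c in SPECIAL_CHARS for c in key))


def build_ike_peer_config(
    name: str,
    exchange_mode: str = "main",
    proposals: Sequence[int] = (),
    id_type: str = "ip",
    pre_shared_key: Optional[str] = None,
    key_form: str = "cipher",
    pki_domain: Optional[str] = None,
    local_address: Optional[str] = None,
    remote_address: Optional[str] = None,
    nat_traversal: bool = False,
    dpd_name: Optional[str] = None,
    fips: bool = False,
) -> List[str]:
    """Return the CLI lines for one IKE peer, or raise ValueError on a rule violation."""
    if exchange_mode not in ("main", "aggressive"):
        raise ValueError("exchange-mode must be main or aggressive")
    if fips and exchange_mode == "aggressive":
        raise ValueError("aggressive mode is not supported in FIPS mode")
    if len(proposals) > 6:
        raise ValueError("an IKE peer references at most 6 IKE proposals")
    # Exactly one authentication method must be configured (step 5).
    if (pre_shared_key is None) == (pki_domain is None):
        raise ValueError("configure either a pre-shared key or a PKI domain, not both")
    if pre_shared_key is not None:
        if key_form not in ("cipher", "simple"):
            raise ValueError("key form must be cipher or simple")
        if fips and key_form == "simple":
            raise ValueError("FIPS mode does not allow a plaintext pre-shared key")
        if fips and not psk_meets_fips_rule(pre_shared_key):
            raise ValueError("FIPS pre-shared key needs >= 8 chars with upper, lower, digit, special")
        if exchange_mode == "main" and id_type != "ip":
            raise ValueError("main mode with pre-shared key authentication requires id-type ip")
        if id_type not in ("ip", "name", "user-fqdn"):  # assumed id-type keywords
            raise ValueError("unsupported id-type")

    lines = [f"ike peer {name}", f" exchange-mode {exchange_mode}"]
    if proposals:
        lines.append(" proposal " + " ".join(str(p) for p in proposals))
    if pre_shared_key is not None:
        # Whether 'cipher' expects plaintext or ciphertext input depends on the software version.
        lines.append(f" pre-shared-key {key_form} {pre_shared_key}")
        lines.append(f" id-type {id_type}")          # assumed syntax
    else:
        lines.append(f" certificate domain {pki_domain}")
    if local_address:
        lines.append(f" local-address {local_address}")    # assumed syntax
    if remote_address:
        lines.append(f" remote-address {remote_address}")  # assumed syntax
    if nat_traversal:
        lines.append(" nat traversal")                     # assumed syntax
    if dpd_name:
        lines.append(f" dpd {dpd_name}")                   # assumed syntax
    lines.append(" quit")
    return lines


def ike_peer_config_error(**kwargs) -> Optional[str]:
    """Return the rule-violation message for a peer definition, or None if it is valid."""
    try:
        build_ike_peer_config(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.5 is documentation address space.
    for line in build_ike_peer_config("branch1", proposals=[10, 20],
                                      pre_shared_key="S3cret!pw",
                                      remote_address="203.0.113.5",
                                      nat_traversal=True, dpd_name="dpd1", fips=True):
        print(line)
```

Because IKEv1 aggressive mode transmits the pre-shared-key-derived hash before the exchange is encrypted, prefer main mode (and hence the IP address ID type) whenever peer addresses are static, and reserve aggressive mode for peers that must identify by FQDN or user FQDN.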