HP VPN Firewall Appliances VPN Configuration Guide

Protocols and standards
RFC 2401, Security Architecture for the Internet Protocol
RFC 2402, IP Authentication Header
RFC 2406, IP Encapsulating Security Payload
RFC 4552, Authentication/Confidentiality for OSPFv3
RFC 4301, Security Architecture for the Internet Protocol
RFC 4302, IP Authentication Header
RFC 4303, IP Encapsulating Security Payload (ESP)
Configuration guidelines
When you configure IPsec, follow these guidelines:
• Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50, respectively. Make sure that flows of these protocols are not denied on the interfaces with IKE or IPsec configured.
• If you enable both IPsec and QoS on an interface, QoS might put the traffic of one IPsec SA into different queues, so some packets are sent out of order. Because IPsec performs anti-replay checking, inbound packets that fall outside the anti-replay window might be discarded, resulting in packet loss. When you use IPsec together with QoS, make sure that they use the same classification rules. IPsec classification rules depend on the referenced ACL rules.
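The QoS guideline above is easiest to see with the receiver's anti-replay window in front of you. The following is an added example, not code from the HP guide: it implements the sliding-window check described in RFC 2401/4301 and feeds it a constructed ESP sequence-number stream that a two-queue QoS scheduler has reordered. The 64-packet window size and the queue model are assumptions for illustration; the guide does not state the device's window size.

```python
# Added example (not from the HP guide): a sliding-window anti-replay check in
# the style of RFC 2401/4301, fed a constructed ESP sequence-number stream that
# a two-queue QoS scheduler has reordered. Window size and queue model are
# assumptions for illustration.

WINDOW_SIZE = 64  # assumed default; the guide does not state the device's window


class AntiReplayWindow:
    """Receiver-side sliding window over sequence numbers of one inbound SA."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was seen

    def check(self, seq):
        """Return 'accept', 'replay', 'too-old' or 'invalid'; state advances only on accept."""
        if seq == 0:
            return 'invalid'          # ESP/AH never use sequence number 0
        if seq > self.top:            # right of the window: slide it forward
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1       # everything previously seen falls off the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return 'accept'
        offset = self.top - seq
        if offset >= self.size:
            return 'too-old'          # left of the window: discarded (the QoS loss case)
        if self.bitmap & (1 << offset):
            return 'replay'           # inside the window but already seen
        self.bitmap |= 1 << offset
        return 'accept'


def reorder_by_queues(seqs, low_priority, drain_after):
    """Constructed QoS model: packets in low_priority wait in a second queue that
    is served only after drain_after high-priority packets have gone out."""
    high = [s for s in seqs if s not in low_priority]
    low = [s for s in seqs if s in low_priority]
    arrival = []
    for sent, s in enumerate(high, start=1):
        arrival.append(s)
        if sent == drain_after:
            arrival.extend(low)      # the low-priority queue drains here
            low = []
    arrival.extend(low)              # or at the very end if never reached
    return arrival


def simulate(seqs, low_priority, drain_after, window_size=WINDOW_SIZE):
    """Run the reordered stream through the window; return (accepted, dropped)."""
    window = AntiReplayWindow(window_size)
    accepted, dropped = [], []
    for seq in reorder_by_queues(seqs, low_priority, drain_after):
        if window.check(seq) == 'accept':
            accepted.append(seq)
        else:
            dropped.append(seq)
    return accepted, dropped


if __name__ == '__main__':
    # Same SA, same two packets held back by QoS; only the delay differs.
    _, lost = simulate(range(1, 151), {3, 10}, drain_after=100)
    print('delayed beyond the window, dropped:', lost)   # [3, 10]
    _, lost = simulate(range(1, 151), {3, 10}, drain_after=40)
    print('delayed within the window, dropped:', lost)   # []
```

Both runs carry the same packets; the only difference is how far the low-priority queue lets sequence numbers 3 and 10 fall behind. Once they arrive more than 64 sequence numbers behind the newest accepted packet, the receiver cannot distinguish them from replays and drops them, which is exactly why the guideline asks for identical IPsec and QoS classification rules.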
Configuring IPsec in the Web interface
Configuration considerations
You configure IPsec tunnels on the device by configuring IPsec policies. The IPsec policies use ACLs to identify protected traffic, and take effect after being applied to physical interfaces.
The following is the generic IPsec policy configuration procedure:
1. Configure ACLs for identifying the data flows to be protected by IPsec.
2. Configure IPsec proposals to specify the security protocols, authentication and encryption algorithms, and encapsulation mode. An IPsec proposal applies to the data flows associated with it.
3. Configure IPsec policies to associate data flows with IPsec proposals and specify the SA negotiation mode, the start and end points of the IPsec tunnels, the privacy keys, and the SA lifetime.
4. Apply the IPsec policies to interfaces.
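The four steps above, and the earlier guideline that IKE (UDP 500), ESP (protocol 50) and AH (protocol 51) must not be denied on an interface carrying IPsec, can be modelled as one small pre-flight check. The following is an added example, not code from the HP guide and not the device's CLI or Web objects: it builds the ACL, proposal, policy and interface as plain Python objects, then reports which flows the applied policy would protect and whether the interface's own packet filter would block the IPsec control and data protocols. All class names, field names and addresses are illustrative assumptions; the packet filter is assumed to permit traffic that matches no rule.

```python
# Added example (not from the HP guide): a model of the four-step IPsec policy
# procedure (ACL -> proposal -> policy -> interface) with two checks to run
# before applying a policy. Names, fields and addresses are illustrative.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

PROTO_NUMBERS = {'ip': None, 'tcp': 6, 'udp': 17, 'esp': 50, 'ah': 51}


@dataclass(frozen=True)
class AclRule:
    action: str                  # 'permit' or 'deny'
    protocol: str = 'ip'         # 'ip' matches any protocol
    src: str = '0.0.0.0/0'
    dst: str = '0.0.0.0/0'
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule, flow):
    want = PROTO_NUMBERS[rule.protocol]
    if want is not None and want != flow.proto:
        return False
    if ip_address(flow.src) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == flow.dport


def acl_verdict(rules, flow, default='deny'):
    """First-match evaluation; `default` applies when no rule matches."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return default


@dataclass
class IpsecProposal:            # step 2: protocol, algorithms, encapsulation mode
    name: str
    protocol: str                # 'esp' or 'ah'
    auth_alg: str
    encr_alg: Optional[str] = None
    mode: str = 'tunnel'


@dataclass
class IpsecPolicy:              # step 3: ACL + proposal + negotiation + tunnel endpoints
    name: str
    acl: list
    proposal: IpsecProposal
    negotiation: str             # 'isakmp' (IKE negotiates the SA) or 'manual'
    local: str
    remote: str
    sa_lifetime_sec: int = 3600


@dataclass
class Interface:                # step 4: the policy takes effect only once applied here
    name: str
    packet_filter: list = field(default_factory=list)   # inbound filter on the interface
    policy: Optional[IpsecPolicy] = None


def is_protected(iface, flow):
    """Would this flow leaving iface be protected by the applied IPsec policy?"""
    return iface.policy is not None and acl_verdict(iface.policy.acl, flow) == 'permit'


def blocked_ipsec_control_flows(iface):
    """Names of the IKE/ESP/AH flows that the interface's packet filter denies.
    Per the guideline this list should be empty. Assumption: a filter with no
    matching rule permits the packet."""
    pol = iface.policy
    if pol is None:
        return []
    needed = []
    if pol.negotiation == 'isakmp':
        needed.append(('IKE UDP/500', Flow(17, pol.remote, pol.local, 500)))
    proto = pol.proposal.protocol
    needed.append((f'{proto.upper()} protocol {PROTO_NUMBERS[proto]}',
                   Flow(PROTO_NUMBERS[proto], pol.remote, pol.local)))
    return [name for name, flow in needed
            if acl_verdict(iface.packet_filter, flow, default='permit') == 'deny']


if __name__ == '__main__':
    acl3000 = [AclRule('permit', 'ip', '10.1.1.0/24', '10.1.2.0/24')]          # step 1
    tran1 = IpsecProposal('tran1', 'esp', 'sha1', 'aes-128')                    # step 2
    map1 = IpsecPolicy('map1', acl3000, tran1, 'isakmp', '1.1.1.1', '2.2.2.2')  # step 3
    gi01 = Interface('GigabitEthernet0/1',                                      # step 4
                     packet_filter=[AclRule('deny', 'udp', dport=500)], policy=map1)
    print(is_protected(gi01, Flow(6, '10.1.1.5', '10.1.2.7', 443)))   # True
    print(blocked_ipsec_control_flows(gi01))                            # ['IKE UDP/500']
```

The sample interface deliberately carries a filter that denies UDP 500: the policy's ACL would classify the 10.1.1.0/24 to 10.1.2.0/24 traffic as protected, but IKE could never negotiate the SA, which is the misconfiguration the guideline warns about. Only the protocol the proposal actually uses is checked, so an AH-only proposal is not flagged for a blocked ESP.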
Recommended configuration procedure
Step                    Remarks
1. Configuring ACLs     Required.
                        Configure ACLs to identify the data flows to be protected by IPsec.