HP VPN Firewall Appliances VPN Configuration Guide
Step
Remarks
2. Configuring an IPsec proposal
Required.
An IPsec proposal defines a set of security parameters for IPsec SA
negotiation, including the security protocol, encryption and
authentication algorithms, and encapsulation mode.
IMPORTANT:
Changes to an IPsec proposal affect only SAs negotiated after the
changes are made.
3. Configuring an IPsec policy template
Required if you are using an IPsec policy template group to create an
IPsec policy.
An IPsec policy template group is a collection of IPsec policy templates
with the same name but different sequence numbers. In an IPsec policy
template group, an IPsec policy template with a smaller sequence
number has a higher priority.
4. Configuring an IPsec policy
Required.
Configure an IPsec policy by specifying the parameters directly or using
a created IPsec policy template. The device supports only IPsec policies
that use IKE.
An IPsec policy group is a collection of IPsec policies with the same
name but different sequence numbers. The smaller the sequence
number, the higher the priority of the IPsec policy in the policy group.
IMPORTANT:
An IPsec policy referencing a template cannot be used to initiate SA
negotiations but can be used to respond to a negotiation request. The
parameters specified in the IPsec policy template must match those of the
remote end. The parameters not defined in the template are determined
by the initiator.
5. Applying an IPsec policy group
Required.
Apply an IPsec policy group to an interface (logical or physical) to
protect certain data flows.
6. Viewing IPsec SAs
Optional.
View brief information about established IPsec SAs to verify your
configuration.
7. Viewing packet statistics
Optional.
View packet statistics to verify your configuration.
Configuring ACLs
This document introduces only how to reference ACLs in IPsec. To create ACLs, select Firewall > ACL from
the navigation tree. For more information about the procedure, see Access Control Configuration Guide.
If you enable both IPsec and QoS on an interface, traffic of an IPsec SA might be put into different queues
by QoS, causing some packets to be sent out of order. Because IPsec performs an anti-replay check,
packets outside the anti-replay window in the inbound direction might be discarded, resulting in packet
loss. When using IPsec together with QoS, make sure that they use the same classification rules. IPsec
classification rules depend on the referenced ACL rules. For more information about QoS classification
rules, see Network Management Configuration Guide.
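The interaction between QoS reordering and the anti-replay window described above, as an added example that is not part of the HP guide or the device's own code. The window size of 32, the two-queue delay model, and all function names are assumptions made for illustration.

```python
# Added example: sliding-window anti-replay check (in the style of RFC 4303)
# applied to packets of one IPsec SA after QoS has reordered them.
WINDOW = 32  # assumed window size; the page does not state the device's value


class AntiReplayWindow:
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence (top - i) was already seen

    def accept(self, seq):
        """Return True if the packet passes the anti-replay check."""
        if seq == 0:
            return False
        if seq > self.top:                   # newer packet: slide the window
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:              # older than the window: discard
            return False
        if self.bitmap & (1 << offset):      # duplicate inside the window
            return False
        self.bitmap |= 1 << offset           # late but still inside the window
        return True


def qos_arrival_order(seqs, is_low_priority, delay):
    """Constructed QoS model: packets classified into the low-priority
    queue leave the interface `delay` packet slots later than sent."""
    timed = [(i + (delay if is_low_priority(s) else 0), i, s)
             for i, s in enumerate(seqs)]
    return [s for _, _, s in sorted(timed)]


def dropped(arrivals, size=WINDOW):
    """Sequence numbers the receiver discards for this arrival order."""
    win = AntiReplayWindow(size)
    return [s for s in arrivals if not win.accept(s)]


SENT = list(range(1, 101))  # constructed sample: 100 packets of one SA
SAME_CLASS = qos_arrival_order(SENT, lambda s: False, 40)       # one queue
SPLIT_CLASS = qos_arrival_order(SENT, lambda s: s % 4 == 0, 40)  # two queues
```

With a single queue nothing is discarded; when QoS splits the SA across two queues and the delay exceeds the window, every delayed packet that lands behind the window is lost even though no replay occurred.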