HP VPN Firewall Appliances VPN Configuration Guide
g. Enter the ACL number 3101.
h. Click Apply.
7. Apply IPsec policy map1 to GigabitEthernet 0/1:
a. From the navigation tree, select VPN > IPSec > IPSec Application.
b. Click the icon of interface GigabitEthernet 0/1.
c. Select the policy of map1.
d. Click Apply.
Verifying the configuration
After you complete the configuration, packets from subnet 10.1.2.0/24 to subnet 10.1.1.0/24 between
Device A and Device B trigger IKE to negotiate SAs. Because Device A does not have any route
to subnet 10.1.2.0/24, IPsec RRI adds the route after a successful negotiation. After the IPsec SAs
are established, a static route to subnet 10.1.2.0/24 through 2.2.3.1 is added to the routing table on
Device A, and traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 is protected by IPsec.
Configuring IPsec at the CLI
Implementing IPsec
IPsec can be implemented based on ACLs, tunnel interfaces, or applications:
• ACL-based IPsec uses ACLs to identify the data flows to be protected. To implement ACL-based IPsec,
configure IPsec policies, reference ACLs in the policies, and apply the policies to physical interfaces
(see "Implementing ACL-based IPsec"). By using ACLs, you can customize IPsec policies as needed,
implementing IPsec flexibly.
• Tunnel interface-based IPsec, or routing-based IPsec, depends on the routing mechanism to select
the data flows to be protected. To implement tunnel interface-based IPsec, configure IPsec profiles
and apply them to IPsec tunnel interfaces (see "Implementing tunnel interface-based IPsec"). By
using IPsec profiles, this IPsec implementation method simplifies IPsec VPN configuration and
management, and improves the scalability of large VPN networks.
• Application-based IPsec protects the packets of a service. This IPsec implementation method can be
used to protect IPv6 routing protocols. It does not require any ACL, nor does it depend on the
routing mechanism. To configure application-based IPsec, configure manual IPsec policies and bind the
policies to an IPv6 routing protocol. See "Configuring IPsec for IPv6 routing protocols."
Implementing ACL-based IPsec
The following is the generic configuration procedure for implementing ACL-based IPsec:
1. Configure an ACL for identifying data flows to be protected.
2. Configure IPsec transform sets to specify the security protocols, and authentication and encryption
algorithms.
3. Configure an IPsec policy group to associate data flows with the IPsec transform sets and specify
the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec path), the
required keys, and the SA lifetime.
4. Apply the IPsec policies to interfaces to finish IPsec configuration.
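The following CLI session is an added example, not taken from this guide, and walks the four steps above on Device A using the values from the scenario earlier on this page (ACL 3101, policy map1, remote peer 2.2.3.1, subnets 10.1.1.0/24 and 10.1.2.0/24, interface GigabitEthernet 0/1). The transform set name tran1, the IKE peer name peer1, the policy sequence number 10, the algorithm choices and the pre-shared key placeholder are assumptions, and the command syntax follows the Comware V5 CLI as commonly documented; check it against the command reference for your release. Lines starting with # are explanatory comments, not commands.

```text
# Added example (not from the HP guide): Device A side of an ACL-based, IKE-negotiated
# IPsec policy. tran1, peer1, sequence number 10, the algorithms and the key are assumptions.
<DeviceA> system-view

# Step 1: ACL 3101 selects the flows to protect (local 10.1.1.0/24 -> remote 10.1.2.0/24).
# Traffic the ACL does not permit leaves the interface unprotected, so keep the rule narrow.
[DeviceA] acl number 3101
[DeviceA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-adv-3101] quit

# Step 2: transform set: ESP in tunnel mode, AES-128 encryption, SHA-1 authentication.
[DeviceA] ipsec transform-set tran1
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[DeviceA-ipsec-transform-set-tran1] transform esp
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit

# Step 3a: IKE peer: the remote end (Device B, 2.2.3.1) and the shared key.
# The key below is a placeholder; both devices must hold the same value.
[DeviceA] ike peer peer1
[DeviceA-ike-peer-peer1] remote-address 2.2.3.1
[DeviceA-ike-peer-peer1] pre-shared-key simple PLACEHOLDER-psk-change-me
[DeviceA-ike-peer-peer1] quit

# Step 3b: IKE-negotiated (isakmp) policy map1, entry 10, tying ACL, peer and transform set together.
[DeviceA] ipsec policy map1 10 isakmp
[DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101
[DeviceA-ipsec-policy-isakmp-map1-10] ike-peer peer1
[DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1
[DeviceA-ipsec-policy-isakmp-map1-10] quit

# Step 4: apply the policy group to the interface that faces the peer.
[DeviceA] interface GigabitEthernet 0/1
[DeviceA-GigabitEthernet0/1] ipsec policy map1
[DeviceA-GigabitEthernet0/1] quit

# Verification once interesting traffic has triggered negotiation:
# an IKE SA and a pair of IPsec SAs (inbound and outbound) should be listed.
[DeviceA] display ike sa
[DeviceA] display ipsec sa
```

Device B needs the mirror-image configuration: the same transform set and key, an ACL with source 10.1.2.0/24 and destination 10.1.1.0/24, and an IKE peer whose remote-address is Device A's interface address (not shown on this page). The ACLs on both sides must be exact mirrors, otherwise one direction of traffic fails to match a policy and is either dropped or sent in clear text, which is the first thing to check when display ipsec sa shows SAs but traffic does not flow.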