HP VPN Firewall Appliances VPN Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

171

172

173

174

175

176

177

178

179

180

168

• IPsec policy that uses IKE—The parameters are automatically negotiated through IKE.

Configuring a manual IPsec policy

To guarantee successful SA negotiations, follow these guidelines when configuring manual IPsec policies

at the two ends of an IPsec tunnel:

• The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols,

security algorithms, and encapsulation mode.

• The remote IP address configured on the local end must be the same as the IP address of the remote

end.

• At each end, configure parameters for both the inbound SA and the outbound SA and make sure

that different SAs use different SPIs.

• The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true

of the local outbound SA and remote inbound SA.

• The keys for the local and remote inbound and outbound SAs must be in the same format. For

example, if the local inbound SA uses a key in characters, the local outbound SA and remote

inbound and outbound SAs must use keys in characters.

Follow these guidelines when you configure an IPsec policy for an IPv6 routing protocol:

• You do not need to configure ACLs or IPsec tunnel addresses.

• Within a certain routed network scope, the IPsec transform sets used by the IPsec policies on all

routers must have the same security protocols, security algorithms, and encapsulation mode. For

OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope

can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly

connected neighbors or a neighbor group.

• All SAs (both inbound and outbound) within the routed network scope must use the same SPI and

keys.

• Configure the keys on all routers within the routed network scope in the same format. For example,

if you enter the keys in hexadecimal format on one router, do so across the routed network scope.

Before you configure a manual IPsec policy, configure ACLs used for identifying protected traffic and

IPsec transform sets. ACLs are not required for IPsec policies for an IPv6 protocol.

To configure a manual IPsec policy:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Create a manual IPsec

policy and enter its view.

ipsec policy policy-name

seq-number manual

By default, no IPsec policy exists.

3. Assign an ACL to the

IPsec policy.

security acl acl-number

Not needed for IPsec policies to be

applied to IPv6 routing protocols and

required for other applications.

By default, an IPsec policy references no

ACL.

The ACL supports match criteria of the

VPN attribute.

An IPsec policy can reference only one

ACL. If you apply multiple ACLs to an

IPsec policy, only the last one takes

effect.