HP VPN Firewall Appliances VPN Configuration Guide
Step / Command / Remarks

4. Assign an IPsec transform set to the IPsec policy.
   Command: transform-set transform-set-name
   Remarks: By default, an IPsec policy references no IPsec transform set. A manual IPsec policy can reference only one IPsec transform set. To change the IPsec transform set for an IPsec policy, you must remove the existing reference first.

5. Configure the local address of the IPsec tunnel.
   Command: tunnel local ip-address
   Remarks: Not needed for IPsec policies to be applied to IPv6 routing protocols; required for all other applications. Not configured by default.

6. Configure the remote address of the IPsec tunnel.
   Command: tunnel remote ip-address
   Remarks: Not configured by default.

7. Configure an SPI for an SA.
   Command: sa spi { inbound | outbound } { ah | esp } spi-number
   Remarks: By default, no SPI is configured for an SA.

8. Configure keys for the SA.
   Commands (choose the forms that match the security protocol):
   • Configure an authentication key in hexadecimal for AH:
     sa authentication-hex { inbound | outbound } ah [ cipher string-key | simple hex-key ]
   • Configure an authentication key in characters for AH:
     sa string-key { inbound | outbound } ah [ cipher | simple ] string-key
   • Configure a key in characters for ESP:
     sa string-key { inbound | outbound } esp [ cipher | simple ] string-key
   • Configure an authentication key in hexadecimal for ESP:
     sa authentication-hex { inbound | outbound } esp [ cipher string-key | simple hex-key ]
   • Configure an encryption key in hexadecimal for ESP:
     sa encryption-hex { inbound | outbound } esp [ cipher string-key | simple hex-key ]
   Remarks: Configure keys that match the security protocol (AH or ESP) you have specified in the transform set. If you configure a key in both modes (character string and hexadecimal), only the last one configured takes effect.
   ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication.
   If you configure a key in characters for ESP, the device automatically derives both an authentication key and an encryption key for ESP from it.
   The command sa string-key is not available in FIPS mode.
NOTE:
You cannot change the creation mode of an IPsec policy from manual to through IKE, or vice versa. To create an IPsec policy that uses IKE, delete the manual IPsec policy, and then use IKE to configure an IPsec policy.
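The following is an added example, not taken from the guide, that puts steps 4 through 8 together into one complete manual IPsec policy. The ACL, transform-set, and `ipsec policy ... manual` commands of the preceding steps are assumed from elsewhere in the guide, and every name, address, SPI, and key below is a constructed sample value, not a recommended one.

```text
# Assumed from earlier steps: an ACL that selects the traffic to protect.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-adv-3001] quit

# Assumed from earlier steps: an ESP transform set (authentication and encryption).
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] encapsulation-mode tunnel
[Sysname-ipsec-transform-set-tran1] transform esp
[Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[Sysname-ipsec-transform-set-tran1] quit

# Manual IPsec policy (policy name and sequence number are constructed).
[Sysname] ipsec policy policy1 10 manual
[Sysname-ipsec-policy-manual-policy1-10] security acl 3001

# Step 4: reference exactly one transform set.
[Sysname-ipsec-policy-manual-policy1-10] transform-set tran1

# Steps 5 and 6: tunnel endpoints (constructed addresses).
[Sysname-ipsec-policy-manual-policy1-10] tunnel local 192.168.0.1
[Sysname-ipsec-policy-manual-policy1-10] tunnel remote 192.168.0.2

# Step 7: one SPI per direction, for the protocol the transform set uses (ESP).
[Sysname-ipsec-policy-manual-policy1-10] sa spi outbound esp 12345
[Sysname-ipsec-policy-manual-policy1-10] sa spi inbound esp 54321

# Step 8: one character-string key per direction for ESP; the device derives
# the ESP authentication and encryption keys from each string.
[Sysname-ipsec-policy-manual-policy1-10] sa string-key outbound esp simple abcdefg
[Sysname-ipsec-policy-manual-policy1-10] sa string-key inbound esp simple gfedcba
[Sysname-ipsec-policy-manual-policy1-10] quit
```

Because the transform set selects ESP, only the ESP key forms are configured; an AH key entered here would not match the protocol and would not take effect. Only one key form is used per direction, so the "last configured wins" rule between string and hexadecimal keys never comes into play. The peer must mirror these values: its inbound SPI and key equal this device's outbound pair, and vice versa. In FIPS mode, where sa string-key is unavailable, replace the two string-key lines with sa authentication-hex and sa encryption-hex for each direction.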
Configuring an IPsec policy that uses IKE
To configure an IPsec policy that uses IKE, use one of the following methods: