HP VPN Firewall Appliances VPN Configuration Guide

- Directly configure it by setting the parameters in IPsec policy view.
- Configure it by referencing an existing IPsec policy template in which the parameters to be negotiated are configured. A device that references an IPsec policy configured this way cannot initiate SA negotiation but can respond to a negotiation request; any parameter not defined in the template is determined by the initiator. This method applies to scenarios where the remote end's information, such as its IP address, is unknown.
Before you configure an IPsec policy that uses IKE, complete the following tasks:
- Configure the ACLs and the IPsec transform sets for the IPsec policy.
- Configure the IKE peer. For more information about IKE peer configuration, see "Configuring IKE."
The parameters for the local and remote ends must match.
1. Directly configure an IPsec policy that uses IKE:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create an IPsec policy that uses IKE and enter its view. | ipsec policy policy-name seq-number isakmp | By default, no IPsec policy exists. |
| 3. Configure an IPsec connection name. | connection-name name | Optional. By default, no IPsec connection name is configured. |
| 4. Assign an ACL to the IPsec policy. | security acl acl-number [ aggregation \| per-host ] | By default, an IPsec policy references no ACL. |
| 5. Assign IPsec transform sets to the IPsec policy. | transform-set transform-set-name&<1-6> | By default, an IPsec policy references no IPsec transform set. |
| 6. Specify an IKE peer for the IPsec policy. | ike-peer peer-name | N/A |
| 7. Enable and configure the perfect forward secrecy (PFS) feature for the IPsec policy. | pfs { dh-group1 \| dh-group2 \| dh-group5 \| dh-group14 } | Optional. By default, the PFS feature is not used for negotiation. For more information about PFS, see "Configuring IKE." The dh-group1 keyword is not available in FIPS mode. |
| 8. Set the SA lifetime. | sa duration { time-based seconds \| traffic-based kilobytes } | Optional. By default, the global SA lifetime is used. |
| 9. Set the anti-replay information synchronization intervals in IPsec stateful failover mode. | synchronization anti-replay-interval inbound inbound-number outbound outbound-number | Optional. By default, the inbound anti-replay window information is synchronized whenever 1000 packets are received, and the outbound anti-replay sequence number is synchronized whenever 100000 packets are sent. |
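The following console session is an added worked example, not taken from this guide, that walks the table above end to end for a policy named policy1 with sequence number 10. The prerequisite ACL, transform set and IKE peer commands, the "Sysname" prompts, and all names, addresses and key values are assumed for illustration; only the commands under "Steps 2 to 8" are the ones documented on this page.

```text
# Prerequisites (assumed syntax for the ACL, IPsec transform set and IKE peer
# chapters this page refers to; not documented on this page)
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
[Sysname-acl-adv-3000] quit
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] encapsulation-mode tunnel
[Sysname-ipsec-transform-set-tran1] transform esp
[Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[Sysname-ipsec-transform-set-tran1] quit
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] pre-shared-key simple EXAMPLE-PSK-REPLACE-ME
[Sysname-ike-peer-peer1] remote-address 203.0.113.2
[Sysname-ike-peer-peer1] quit

# Steps 2 to 8 from the table: directly configured IPsec policy that uses IKE.
# Step 2: the policy must be created with the isakmp keyword to use IKE.
[Sysname] ipsec policy policy1 10 isakmp
# Step 3 (optional): a connection name makes the SA easy to identify in displays.
[Sysname-ipsec-policy-isakmp-policy1-10] connection-name branch-to-hq
# Step 4: without an ACL the policy protects no traffic at all.
[Sysname-ipsec-policy-isakmp-policy1-10] security acl 3000
# Step 5: up to six transform sets may be listed; the peer must share at least one.
[Sysname-ipsec-policy-isakmp-policy1-10] transform-set tran1
# Step 6: the IKE peer whose parameters must match the remote end.
[Sysname-ipsec-policy-isakmp-policy1-10] ike-peer peer1
# Step 7 (optional): PFS is off by default. dh-group14 is chosen here because
# dh-group1 is the weakest group on the list and is unavailable in FIPS mode.
[Sysname-ipsec-policy-isakmp-policy1-10] pfs dh-group14
# Step 8 (optional): per-policy lifetimes override the global SA lifetime;
# both a time-based and a traffic-based limit can be set.
[Sysname-ipsec-policy-isakmp-policy1-10] sa duration time-based 3600
[Sysname-ipsec-policy-isakmp-policy1-10] sa duration traffic-based 1843200
[Sysname-ipsec-policy-isakmp-policy1-10] quit
```

Step 9 is omitted because it only applies in IPsec stateful failover mode; the remote end must be configured with the same ACL mirror, transform set and IKE peer parameters for negotiation to succeed.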