HP VPN Firewall Appliances VPN Configuration Guide

# Request a certificate.
[FirewallA] pki retrieval-certificate ca domain 1
[FirewallA] pki retrieval-crl domain 1
[FirewallA] pki request-certificate domain 1
# Configure IKE proposal 1, using RSA signature for identity authentication.
[FirewallA] ike proposal 1
[FirewallA-ike-proposal-1] authentication-method rsa-signature
[FirewallA-ike-proposal-1] quit
# Specify the PKI domain for the IKE peer.
[FirewallA] ike peer peer
[FirewallA-ike-peer-peer] certificate domain 1
2. Configure Firewall B:
# Configure the entity DN.
<FirewallB> system-view
[FirewallB] pki entity en
[FirewallB-pki-entity-en] ip 3.3.3.1
[FirewallB-pki-entity-en] common-name firewallb
[FirewallB-pki-entity-en] quit
# Configure the PKI domain. The URL of the registration server is for illustration only.
[FirewallB] pki domain 1
[FirewallB-pki-domain-1] ca identifier CA1
[FirewallB-pki-domain-1] certificate request url http://1.1.1.100/certsrv/mscep/mscep.dll
[FirewallB-pki-domain-1] certificate request entity en
[FirewallB-pki-domain-1] ldap-server ip 1.1.1.102
# Set the registration authority to RA.
[FirewallB-pki-domain-1] certificate request from ra
# Configure the CRL distribution URL. This is not necessary if CRL checking is disabled.
[FirewallB-pki-domain-1] crl url ldap://1.1.1.102
[FirewallB-pki-domain-1] quit
# Create a local key pair using RSA.
[FirewallB] public-key local create rsa
# Request a certificate.
[FirewallB] pki retrieval-certificate ca domain 1
[FirewallB] pki retrieval-crl domain 1
[FirewallB] pki request-certificate domain 1
# Configure IKE proposal 1, using RSA signature for identity authentication.
[FirewallB] ike proposal 1
[FirewallB-ike-proposal-1] authentication-method rsa-signature
[FirewallB-ike-proposal-1] quit
# Specify the PKI domain for the IKE peer.
[FirewallB] ike peer peer
[FirewallB-ike-peer-peer] certificate domain 1
This procedure covers only the configuration for IKE negotiation using RSA digital
signatures. To establish an IPsec tunnel, you must also configure IPsec. For more
information about IPsec configuration, see "Configuring IPsec."
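The following Python check is an added example, not part of the HP guide: it parses a saved transcript of the commands above and verifies that each IKE peer's certificate domain points to a configured PKI domain, and that the domain's request entity, CA identifier, request URL and CRL URL are present. The function names (parse, arg, audit) and the sample transcript are constructed for illustration, and the prompt-prefixed transcript format is an assumption.

```python
import re
# Constructed sample: Firewall B's commands from the procedure above.
SAMPLE = """\
[FirewallB] pki entity en
[FirewallB-pki-entity-en] quit
[FirewallB] pki domain 1
[FirewallB-pki-domain-1] ca identifier CA1
[FirewallB-pki-domain-1] certificate request url http://1.1.1.100/certsrv/mscep/mscep.dll
[FirewallB-pki-domain-1] certificate request entity en
[FirewallB-pki-domain-1] crl url ldap://1.1.1.102
[FirewallB-pki-domain-1] quit
[FirewallB] ike peer peer
[FirewallB-ike-peer-peer] certificate domain 1
"""
PROMPT = re.compile(r"^[ \t]*[\[<][^\]>\n]*[\]>][ \t]*(.+?)[ \t]*$", re.M)
VIEW = re.compile(r"^(pki entity|pki domain|ike proposal|ike peer) (\S+)$")
REQUIRED = ("ca identifier", "certificate request url", "crl url")  # crl url: optional only if CRL checking is disabled

def parse(transcript):
    """Group commands by the view they were typed in: {(kind, name): [cmds]}."""
    views, current = {}, None
    for cmd in PROMPT.findall(transcript):
        v = VIEW.match(cmd)
        if v:
            current = v.groups()
            views.setdefault(current, [])
        elif cmd == "quit":
            current = None
        elif current:
            views[current].append(cmd)
    return views

def arg(cmds, prefix):
    return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix)), None)

def audit(transcript):
    """Return findings where the IKE peer -> PKI domain -> entity chain is broken."""
    views, out = parse(transcript), []
    for name, cmds in ((n, c) for (k, n), c in views.items() if k == "ike peer"):
        dom = arg(cmds, "certificate domain ")
        dcmds = views.get(("pki domain", dom))
        if dcmds is None:
            out.append(f"peer {name}: PKI domain {dom} not configured")
            continue
        ent = arg(dcmds, "certificate request entity ")
        if ("pki entity", ent) not in views:
            out.append(f"domain {dom}: entity {ent} not configured")
        out += [f"domain {dom}: no '{p}'" for p in REQUIRED if arg(dcmds, p + " ") is None]
    return out
```

A command that wraps onto a second line in the saved transcript (as a long certificate request URL can) is reported as missing, so join wrapped lines before running the check.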