HP VPN Firewall Appliances VPN Configuration Guide

405
• To establish a hub-spoke tunnel:
  After a spoke registers itself successfully, it needs to establish a permanent tunnel with each
  hub in the VPN. Upon receiving the registered information of the hubs from the server, the
  spoke checks whether a tunnel is present to each hub. If no tunnel exists between the spoke and
  a hub, the spoke sends a tunnel establishment request to the hub.
• To establish a hub-hub tunnel:
  After a hub registers itself successfully, the server sends the registered information of the other
  hubs in the VPN to the hub, and the hub checks whether a tunnel exists to each of its peer hubs.
  If not, the hub sends a tunnel establishment request to the peer hub.
• To establish a spoke-spoke tunnel:
  In a full mesh network, when a spoke receives a data packet but finds no tunnel for forwarding
  the packet, it sends an address resolution request to the server and then, after receiving the
  resolved address, sends a tunnel establishment request to the peer spoke.
2. The tunnel establishment request receiver saves the tunnel establishment information and sends a
response to the sender. If the request sender receives the response, a tunnel is established.
Otherwise, the tunnel establishment attempt fails.
Supported DVPN features
NAT traversal for UDP-encapsulated DVPN packets
When a spoke needs to communicate with another spoke, one of the following cases will occur:
• If neither of the two spokes is behind a NAT gateway, a direct tunnel will be established between
  them.
• If only the tunnel initiator resides behind a NAT gateway, a spoke-spoke tunnel can be established
  traversing the NAT gateway.
• If the tunnel request receiver is behind a NAT gateway, packets must be forwarded by a hub before
  the intended receiver originates a tunnel establishment request.
• If both spokes reside behind NAT gateways, no tunnel can be established between them, and
  packets between them will be forwarded by a hub.
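The tunnel establishment procedure above (registration, permanent spoke-hub tunnels, spoke-spoke setup after address resolution) and the four NAT cases can be traced in a small simulation. The code below is an added example, not HP or DVPN code; the node names, addresses, message flow and the assumption that hubs are never behind NAT are all constructed for illustration.

```python
"""Added example (not HP/DVPN code): simulation of VAM registration,
permanent spoke-hub tunnels, and spoke-spoke traffic in the four NAT cases.
Names, addresses and the message flow are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    role: str                 # "hub" or "spoke"
    private_ip: str
    public_ip: str            # address from which the VAM server sees the node
    behind_nat: bool
    tunnels: set = field(default_factory=set)   # names of current tunnel peers


def request_tunnel(initiator, receiver):
    """Tunnel establishment request. The receiver saves the tunnel information
    and responds; the tunnel is up once the initiator gets that response.
    An unsolicited request cannot reach a receiver behind NAT (no mapping
    exists yet), so no response comes back and the attempt fails."""
    if receiver.behind_nat:
        return False
    receiver.tunnels.add(initiator.name)
    initiator.tunnels.add(receiver.name)
    return True


class VamServer:
    """Keeps each VAM client's registered private/public addresses."""

    def __init__(self):
        self.registry = {}

    def register(self, node):
        """Register a client, then hand it the hub list so that it builds
        a permanent tunnel to every hub it does not yet have one to."""
        self.registry[node.name] = node
        hubs = [n for n in self.registry.values() if n.role == "hub" and n is not node]
        for hub in hubs:
            if hub.name not in node.tunnels:
                request_tunnel(node, hub)       # hubs are not NATed (assumption)
        return [h.name for h in hubs]

    def resolve(self, peer_name):
        """Address resolution request: return the peer's registered public address."""
        return self.registry[peer_name].public_ip


def deliver(server, src, dst):
    """Forward one data packet from spoke src to spoke dst.
    Returns 'direct' (spoke-spoke tunnel) or 'via-hub' (relayed by a hub)."""
    if dst.name in src.tunnels:
        return "direct"
    server.resolve(dst.name)                    # learn the peer's public address
    if request_tunnel(src, dst):                # no NAT, or only the initiator NATed
        return "direct"
    # receiver is behind NAT: a hub relays this packet; the receiver then
    # originates its own request, which succeeds only if src is not NATed
    hub = next(server.registry[h] for h in src.tunnels if server.registry[h].role == "hub")
    assert dst.name in hub.tunnels              # permanent spoke-hub tunnel exists
    request_tunnel(dst, src)
    return "via-hub"


def scenario():
    """Run the four NAT cases; addresses are constructed documentation ranges."""
    server = VamServer()
    hub = Node("hub1", "hub", "10.0.0.1", "203.0.113.1", False)
    a = Node("spokeA", "spoke", "10.0.1.1", "198.51.100.10", False)
    b = Node("spokeB", "spoke", "10.0.2.1", "198.51.100.20", False)
    c = Node("spokeC", "spoke", "192.168.1.2", "198.51.100.30", True)    # behind NAT
    d = Node("spokeD", "spoke", "192.168.2.2", "198.51.100.40", True)    # behind NAT
    for n in (hub, a, b, c, d):
        server.register(n)
    return {
        "no_nat": deliver(server, a, b),
        "initiator_nat": deliver(server, c, a),
        "receiver_nat": [deliver(server, b, c), deliver(server, b, c)],
        "both_nat": [deliver(server, c, d), deliver(server, c, d)],
    }


if __name__ == "__main__":
    print(scenario())
```

In the receiver-behind-NAT case the first packet goes through the hub and the second is direct, because the NATed spoke originated its own request after the relayed packet arrived; with both spokes behind NAT every packet stays on the hub path.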
Support for dynamic VAM client IP address
As each VAM client registers its public and private addresses with the VAM server and can get the public
address of the peer VAM client from the VAM server, no tunnel destination address needs to be
configured on either tunnel interface of a tunnel. When a VAM client has its IP address changed, it
reregisters with the VAM server, so dynamic IP addresses are supported.
AAA identity authentication of VAM clients on the VAM server
After the initialization process completes, a VAM client registers with the VAM server. You can configure
the VAM server to authenticate VAM clients during the registration process. VAM supports PAP authentication and CHAP
authentication. The VAM server uses AAA to authenticate clients in the VPN domain. A VAM client must
pass authentication to access the VPN.
Identity authentication of the VAM server and VAM client by using the pre-shared key
A VAM client and the VAM server must be configured with the same pre-shared key, from which the
encryption and integrity verification keys are generated. Each side can determine whether the pre-shared
keys of both sides match by checking the result of packet decryption and integrity verification, and this
is how the VAM client and the VAM server authenticate each other.
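The two authentication steps described above, pre-shared-key verification through integrity checking and AAA authentication of the client with CHAP, can be shown together in one registration exchange. The code below is an added example, not HP or VAM code: the key derivation, the packet layout, the toy stream cipher and the registration message format are assumptions; the CHAP response formula is the one from RFC 1994, and the AAA user table is constructed.

```python
"""Added example (not HP/VAM code): a client registration protected with
PSK-derived keys and checked with CHAP against an AAA user table.
Key derivation, packet layout and cipher are assumptions for illustration."""
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple


def derive_keys(psk: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and integrity keys from the pre-shared key
    (assumed HMAC-SHA256 expansion; the real VAM derivation is not on the page)."""
    enc_key = hmac.new(psk, b"vam-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(psk, b"vam-integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks.
    Demonstration only; a real deployment uses an authenticated cipher."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(c ^ k for c, k in zip(chunk, block))
    return bytes(out)


def protect(psk: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = derive_keys(psk)
    nonce = os.urandom(16)
    ct = keystream_xor(enc_key, nonce, payload)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(psk: bytes, packet: bytes) -> Optional[bytes]:
    """Verify integrity before decrypting. A failed check means the peer's
    pre-shared key differs (or the packet was altered): peer not authenticated."""
    enc_key, mac_key = derive_keys(psk)
    if len(packet) < 48:
        return None
    nonce, ct, tag = packet[:16], packet[16:-32], packet[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return keystream_xor(enc_key, nonce, ct)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


# Constructed AAA user store for the VPN domain: username -> CHAP secret
AAA_USERS = {"spoke1@vpn1": b"spoke1-password"}


def client_register(psk: bytes, username: str, secret: bytes, ident: int, challenge: bytes) -> bytes:
    """Client side: answer the server's CHAP challenge inside a PSK-protected packet."""
    msg = {"user": username, "id": ident, "resp": chap_response(ident, secret, challenge).hex()}
    return protect(psk, json.dumps(msg).encode())


def server_handle(psk: bytes, packet: bytes, ident: int, challenge: bytes, users=AAA_USERS) -> str:
    """Server side: PSK check via integrity verification, then AAA (CHAP) check."""
    plain = unprotect(psk, packet)
    if plain is None:
        return "rejected: integrity check failed (pre-shared key mismatch)"
    msg = json.loads(plain)
    secret = users.get(msg["user"])
    if msg["id"] != ident or secret is None:
        return "rejected: unknown user or stale challenge"
    expected = chap_response(ident, secret, challenge)
    if not hmac.compare_digest(bytes.fromhex(msg["resp"]), expected):
        return "rejected: CHAP authentication failed"
    return "registered"


if __name__ == "__main__":
    psk, challenge = b"shared-psk", os.urandom(16)
    pkt = client_register(psk, "spoke1@vpn1", b"spoke1-password", 7, challenge)
    print(server_handle(psk, pkt, 7, challenge))
```

The order of checks matters: the integrity tag is verified before anything is decrypted or parsed, so a packet protected with a different pre-shared key is dropped without the server ever acting on its contents, and only a packet from a peer holding the same key reaches the AAA step.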