HP VPN Firewall Appliances VPN Configuration Guide
Table 63 Configuration items

Item    Description

Session Idle Time
    Set the idle timeout for the DVPN Spoke-Spoke tunnel.

Keepalive Interval
Keepalive Retries
    Set the interval between sending keepalive packets and the maximum number of
    attempts for sending keepalive packets when there is no response.
    IMPORTANT:
    In a VPN domain, the DVPN keepalive settings for all tunnel interfaces must be
    consistent.

7. Specify whether to enable IPsec.
An IPsec profile can be used to secure the transmission of data packets and control packets over
a DVPN tunnel. It uses ESP or AH and employs IKE for security policy negotiation.
If you select this option, you can perform the IPsec configuration. Table 64 describes the IPsec
configuration items in detail.
Table 64 Configuration items

Item    Description

Authentication Method
    Specify an authentication method for IKE negotiation.
    • Pre-Shared Key: Uses the pre-shared key authentication method. If
      you select this method, you must configure the pre-shared key. Make
      sure that the configured key and the confirmed key are the same.
    • Certificate: Uses the digital signature authentication method. If you
      select this method, you must select a subject of the local certificate.
      Available local certificates are those configured in VPN > Certificate
      Management.

Gateway ID

  Remote ID Type
    Select the remote ID type for IKE negotiation phase 1.
    • IP Address: Uses the remote-end IP address of the DVPN session as the ID
      in IKE negotiation.
    • Gateway Name: Uses the gateway name in the FQDN type as the ID in
      IKE negotiation. If you select this type, specify the remote gateway ID.
    IMPORTANT:
    • If the IKE negotiation initiator uses the local ID type of gateway name
      as the ID for IKE negotiation, it sends its gateway ID to the peer.
      The peer uses the locally configured remote gateway ID to authenticate
      the initiator. Therefore, make sure that the remote gateway ID specified
      here is identical to the local gateway ID specified on its peer.
    • In main mode, only the ID type of IP address can be used in IKE
      negotiation and SA establishment.

  Local ID Type
    Select the local ID type for IKE negotiation phase 1.
    • IP Address: Uses the local-end IP address of the DVPN session as the ID
      in IKE negotiation.
    • Gateway Name: Uses the gateway name in the FQDN type as the ID in
      IKE negotiation. If you select this type, you need to specify the local
      gateway ID, which is a string without the at sign (@), such as foo.bar.com.
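
The consistency rules in Table 63 and Table 64 (matching keepalive settings per VPN domain, IP Address IDs in main mode, a local gateway ID without the at sign, and a remote gateway ID identical to the peer's local gateway ID) can be audited offline against an inventory of the settings entered on each device. The following Python audit is an added example, not part of this guide or of any HP tool. It assumes a hypothetical record schema: every field name, the "aggressive" mode value, the "peer" link and the example.com names are constructed for illustration.

```python
from collections import defaultdict

def audit_dvpn(tunnels):
    """Return sorted (subject, finding) pairs for Table 63/64 rule violations."""
    findings = []
    by_name = {t["name"]: t for t in tunnels}
    # Table 63: keepalive interval and retries must match across a VPN domain.
    seen = defaultdict(set)
    for t in tunnels:
        seen[t["vpn_domain"]].add((t["keepalive_interval"], t["keepalive_retries"]))
    findings += [(d, "KEEPALIVE_MISMATCH") for d, s in seen.items() if len(s) > 1]
    for t in tunnels:
        # Table 64: in main mode only the IP Address ID type can be used.
        if t["exchange_mode"] == "main" and {t["local_id_type"], t["remote_id_type"]} != {"ip"}:
            findings.append((t["name"], "MAIN_MODE_NEEDS_IP_ID"))
        # Table 64: the local gateway ID is a string without the at sign (@).
        if t["local_id_type"] == "gateway-name":
            gid = t.get("local_gateway_id") or ""
            if not gid or "@" in gid:
                findings.append((t["name"], "BAD_LOCAL_GATEWAY_ID"))
        # Table 64: the remote gateway ID must equal the peer's local gateway ID.
        if t["remote_id_type"] == "gateway-name":
            rid = t.get("remote_gateway_id")
            peer = by_name.get(t.get("peer"), {})
            if not rid or rid != peer.get("local_gateway_id"):
                findings.append((t["name"], "REMOTE_ID_MISMATCH"))
    return sorted(findings)

def record(name, **overrides):
    """Build one constructed tunnel record (hypothetical schema) from defaults."""
    base = {"name": name, "vpn_domain": "dom1", "keepalive_interval": 180,
            "keepalive_retries": 3, "exchange_mode": "aggressive",
            "local_id_type": "gateway-name", "local_gateway_id": f"{name}.example.com",
            "remote_id_type": "gateway-name", "remote_gateway_id": "hub.example.com",
            "peer": "hub"}
    return {**base, **overrides}

# Constructed sample inventory; every name and value here is made up.
SAMPLE = [
    record("hub", remote_gateway_id="spoke1.example.com", peer="spoke1"),
    record("spoke1", keepalive_interval=60, local_gateway_id="spoke1@example.com"),
    record("spoke2", exchange_mode="main", local_id_type="ip", local_gateway_id=None),
]

if __name__ == "__main__":
    for subject, finding in audit_dvpn(SAMPLE):
        print(f"{subject}: {finding}")
```

In the sample, the hub's remote gateway ID no longer matches spoke1's mistyped local gateway ID, so the audit reports both ends of the same authentication failure along with the keepalive and main-mode problems.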