HP VPN Firewall Appliances VPN Configuration Guide

Enabling VAM client
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enable VAM client.
    Command:
        (Method 1) Enable VAM client for all VAM clients or a specific VAM client:
            vam client enable { all | name client-name }
        (Method 2) Enable VAM client for a VAM client:
            a. vam client name client-name
            b. client enable
    Remarks: Use either method. Disabled by default.
Configuring an IPsec profile
An IPsec profile secures the transmission of data packets and control packets over a DVPN tunnel. It uses
the security protocol ESP, AH, or AH-ESP (ESP first, and then AH) and employs IKE for security policy
negotiation.
Configuration guidelines
- An IPsec profile depends on IKE for SA negotiation. An IPsec profile can reference up to six IPsec transform sets. IKE searches for IPsec transform sets that match at both ends during negotiation. If no match is found, SAs cannot be established and the packets requiring IPsec protection will be discarded.
- When IKE uses a security policy to initiate a negotiation, if the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same DH group. Otherwise, the negotiation will fail.
- When an IPsec profile protects DVPN traffic, you can configure the IPsec transform sets referenced by the IPsec profile to use the ESP protocol, the AH protocol, or both.
- Because DVPN addresses are dynamic, the address set with the remote-address keyword for the IKE peer that an IPsec profile references does not take effect on the initiator.
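The transform-set and PFS rules above can be checked for a pair of ends before deployment. The following Python check is an added example, not taken from the HP guide; the TransformSet and IpsecProfile classes, the rule that two sets match when all three fields are equal, and the sample hub and spoke values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_TRANSFORM_SETS = 6  # limit stated in the configuration guidelines


@dataclass(frozen=True)
class TransformSet:
    # Assumption: two sets "match" when all three fields are equal.
    protocol: str                # "esp", "ah" or "ah-esp"
    encryption: Optional[str]    # None for AH-only sets
    authentication: str


@dataclass
class IpsecProfile:
    name: str
    transform_sets: List[TransformSet]
    pfs_dh_group: Optional[int] = None  # None means PFS is not used


def check_profiles(local: IpsecProfile, remote: IpsecProfile) -> List[str]:
    """Reasons negotiation fails when `local` is the initiator."""
    problems = []
    for p in (local, remote):
        if len(p.transform_sets) > MAX_TRANSFORM_SETS:
            problems.append(f"{p.name}: more than {MAX_TRANSFORM_SETS} transform sets")
    if not set(local.transform_sets) & set(remote.transform_sets):
        problems.append("no matching transform set: SAs cannot be established")
    # Only the stated rule is encoded: PFS on the local end requires
    # PFS with the same DH group on the remote end.
    if local.pfs_dh_group is not None and remote.pfs_dh_group != local.pfs_dh_group:
        problems.append(f"PFS mismatch: local DH group {local.pfs_dh_group}, "
                        f"remote {remote.pfs_dh_group}")
    return problems


def check_both_directions(a: IpsecProfile, b: IpsecProfile) -> Dict[str, List[str]]:
    """Run the check with each end as initiator."""
    return {f"{a.name}->{b.name}": check_profiles(a, b),
            f"{b.name}->{a.name}": check_profiles(b, a)}


# Constructed sample profiles (not from the guide).
ESP_AES = TransformSet("esp", "aes-128", "sha1")
HUB = IpsecProfile("hub", [ESP_AES, TransformSet("ah", None, "sha1")], pfs_dh_group=2)
SPOKE_OK = IpsecProfile("spoke1", [ESP_AES], pfs_dh_group=2)
SPOKE_BAD = IpsecProfile("spoke2", [TransformSet("esp", "3des", "md5")])

if __name__ == "__main__":
    for peer in (SPOKE_OK, SPOKE_BAD):
        print(check_both_directions(HUB, peer))
```

With the sample data, hub to spoke2 reports both a transform-set and a PFS problem, while spoke2 to hub reports only the transform-set problem because the initiating end does not use PFS.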
Configuration prerequisites
Before you configure an IPsec profile, complete the following tasks:
- Configure the IPsec transform sets for the IPsec profile to reference.
- Configure the IKE peer for the IPsec profile to reference.
For more information about IPsec and IKE, see Security Configuration Guide.
Configuration procedure
To configure an IPsec profile:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Create an IPsec profile and enter IPsec profile view.
    Command: ipsec profile profile-name
    Remarks: By default, no IPsec profile is created.