HP VPN Firewall Appliances VPN Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

461

462

463

464

465

466

467

468

469

470

453

Ste

Command

Remarks

3. Specify the IPsec transform

sets for the IPsec profile to

reference.

transform-set

transform-set-name&<1-6>

By default, an IPsec profile

references no IPsec transform set.

4. Specify the IKE peer for the

IPsec profile to reference.

ike-peer peer-name

By default, an IPsec profile

references no IKE peer.

5. Enable and configure perfect

forward secrecy (PFS).

pfs { dh-group1 | dh-group2 |

dh-group5 | dh-group14 }

Optional.

By default, PFS is not used for

negotiation.

For information about PFS, see

Security Configuration Guide.

6. Configure the SA lifetime.

sa duration { time-based seconds |

traffic-based kilobytes }

Optional.

By default, an IPsec profile uses the

global SA lifetime.

For information about global SA

lifetime, see Security Configuration

Guide.

For more information about commands ipsec profile, transform-set, ike-peer, pfs, and sa duration, see

Security Command Reference.

Configuring DVPN tunnel parameters

Configuration guidelines

• If you configure the source address of a tunnel interface by specifying the source interface, the

tunnel takes the primary IP address of the source interface as its source address.

• To configure multiple DVPN tunnels that use GRE encapsulation, you must configure unique source

addresses and source interfaces for these tunnels.

• Tunnel interfaces of the same VPN domain must be configured with private addresses in the same

segment.

• Tunnel interfaces of the same VPN domain must be configured with the same DVPN keepalive

interval and transmission attempt limit.

• A DVPN tunnel interface can reference only one IPsec profile. To change the IPsec profile referenced

by a DVPN tunnel interface, you need to cancel the reference of the current IPsec profile and then

apply a new IPsec profile to the tunnel interface.

Configuration prerequisites

IP addresses have been configured for the source interfaces (VLAN interfaces, Ethernet interfaces, or

Loopback interfaces) of the virtual tunnel interfaces and there are routes available between the

interfaces.

Configuration procedure

To configure a DVPN tunnel:

Ste

Command

Remarks

1. Enter system view.

system-view N/A