HP VPN Firewall Appliances VPN Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

iii

Protocols and standards ····································································································································· 105

Configuring IKE in the Web interface ························································································································ 105

Recommended configuration procedure ··········································································································· 105

Configuring global IKE parameters ··················································································································· 106

Configuring an IKE proposal ····························································································································· 107

Configuring IKE DPD ··········································································································································· 109

Configuring an IKE peer ····································································································································· 110

Viewing IKE SAs ·················································································································································· 112

IKE configuration example ································································································································· 113

Configuring IKE at the CLI ··········································································································································· 119

Configuring a name for the local security gateway ························································································ 120

Setting keepalive timers ······································································································································ 124

Setting the NAT keepalive timer ························································································································ 124

Configuring a DPD detector ······························································································································· 124

Disabling next payload field checking ············································································································· 125

Displaying and maintaining IKE ························································································································ 125

Configuring main mode IKE with pre-shared key authentication ··································································· 126

Configuring aggressive mode IKE with NAT traversal ···················································································· 130

Troubleshooting IKE ····················································································································································· 133

Invalid user ID ······················································································································································ 133

Proposal mismatch ·············································································································································· 134

Failing to establish an IPsec tunnel ···················································································································· 134

ACL configuration error ······································································································································ 134

Configuring IPsec ···················································································································································· 136

Overview ······································································································································································· 136

Basic concepts ····················································································································································· 136

IPsec tunnel interface ··········································································································································· 138

IPsec for IPv6 routing protocols ·························································································································· 140

IPsec RRI································································································································································ 140

IPsec stateful failover ··········································································································································· 141

Configuration guidelines ············································································································································· 142

Configuring IPsec in the Web interface ····················································································································· 142

Configuration considerations ····························································································································· 142

Recommended configuration procedure ··········································································································· 142

Configuring ACLs ················································································································································ 143

Configuring an IPsec proposal ·························································································································· 147

Configuring an IPsec policy template ················································································································ 149

Configuring an IPsec policy ······························································································································· 152

Applying an IPsec policy group ························································································································· 155

Viewing IPsec SAs ··············································································································································· 155

Viewing packet statistics ····································································································································· 156

IPsec configuration example ······························································································································ 156

Configuring IPsec at the CLI ········································································································································ 162

Implementing IPsec ·············································································································································· 162

Implementing ACL-based IPsec ·························································································································· 162

Implementing tunnel interface-based IPsec ······································································································· 176

Configuring IPsec for IPv6 routing protocols ···································································································· 180

Configuring IPsec stateful failover ····················································································································· 180

Displaying and maintaining IPsec ····················································································································· 182

Manual mode IPsec tunnel for IPv4 packets configuration example ····························································· 182

IKE-based IPsec tunnel for IPv4 packets configuration example ····································································· 185