TMS zl Management and Configuration Guide ST.1.0.090213
7-8
Virtual Private Networks
IPsec VPNs
When receiving inbound packets, the TMS zl Module first checks the packet
for an IPsec header. If an IPsec header is present, the module uses the SPI to
identify the packet’s SA. The module then uses the keys in the SA to decrypt
and authenticate the packet.
When sending outbound packets, the TMS zl Module checks whether the
packet matches the traffic selector in an active outbound SA. If it does, the
module uses the keys in that SA to encrypt and encapsulate the packet. If no
active SA matches, the module checks whether the packet matches a traffic
selector in an IPsec policy. If it does, the module uses the associated IKE
policy to establish an SA and then uses that SA to encrypt and encapsulate
the packet.
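The inbound and outbound lookups described above, as an added example that is not part of the original guide and not the TMS zl Module's own code. It models a small SA database (inbound SAs keyed by SPI, outbound SAs searched by traffic selector) and an IPsec policy list; the class and field names, the `negotiate_with_ike` stand-in that simply installs an SA pair with random keys, and the addresses and keys in the demo setup are all constructed for illustration.

```python
import ipaddress
import os
import struct
from dataclasses import dataclass

# Constructed model of the SA database (inbound keyed by SPI, outbound searched
# by selector) and the IPsec policy database. Names and fields are assumptions
# for this illustration, not the TMS zl Module's configuration schema.


@dataclass(frozen=True)
class Selector:
    """Traffic selector: source/destination prefixes plus IP protocol (0 = any)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: int = 0

    def matches(self, src_ip, dst_ip, proto):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.proto in (0, proto))


@dataclass
class SA:
    spi: int
    selector: Selector
    enc_key: bytes
    auth_key: bytes
    origin: str  # "manual" (operator-supplied keys) or "ike" (negotiated keys)


@dataclass
class IPsecPolicy:
    selector: Selector
    ike_policy: str  # name of the IKE policy used to negotiate the SA


class IPsecEngine:
    def __init__(self):
        self.inbound = {}        # SPI -> SA: the inbound lookup key
        self.outbound = []       # searched in order by traffic selector
        self.policies = []       # IPsec policies consulted when no SA matches
        self.negotiations = []   # IKE policies invoked, kept for inspection

    def add_manual_sa(self, spi, selector, enc_key, auth_key, direction):
        """Manual keying: SPI and both keys are chosen by the operator."""
        sa = SA(spi, selector, enc_key, auth_key, "manual")
        if direction == "in":
            self.inbound[spi] = sa
        else:
            self.outbound.append(sa)
        return sa

    def _fresh_spi(self):
        # SPIs 1-255 are reserved (RFC 4303); pick a random unused value above that.
        while True:
            spi = struct.unpack(">I", os.urandom(4))[0]
            if spi > 255 and spi not in self.inbound:
                return spi

    def negotiate_with_ike(self, policy):
        """Stand-in for IKE: installs an SA pair with fresh random keys and SPIs."""
        self.negotiations.append(policy.ike_policy)
        sel = policy.selector
        mirror = Selector(sel.dst, sel.src, sel.proto)  # inbound selector is reversed
        inbound = SA(self._fresh_spi(), mirror, os.urandom(32), os.urandom(32), "ike")
        self.inbound[inbound.spi] = inbound
        outbound = SA(self._fresh_spi(), sel, os.urandom(32), os.urandom(32), "ike")
        self.outbound.append(outbound)
        return outbound

    def inbound_lookup(self, packet):
        """An ESP header opens with a 4-byte SPI, then a 4-byte sequence number."""
        if len(packet) < 8:
            return None  # too short to carry an ESP header
        spi = struct.unpack(">I", packet[:4])[0]
        return self.inbound.get(spi)  # None: no SA for this SPI, packet is dropped

    def outbound_lookup(self, src_ip, dst_ip, proto):
        """Active outbound SA first; otherwise a matching policy triggers IKE."""
        for sa in self.outbound:
            if sa.selector.matches(src_ip, dst_ip, proto):
                return sa
        for policy in self.policies:
            if policy.selector.matches(src_ip, dst_ip, proto):
                return self.negotiate_with_ike(policy)
        return None  # no SA and no policy: the packet is not IPsec-protected


def build_demo_engine():
    """Constructed setup: manually keyed SA pair for ICMP, IKE policy for TCP."""
    eng = IPsecEngine()
    lan = ipaddress.ip_network("10.1.0.0/16")
    branch = ipaddress.ip_network("192.168.50.0/24")
    key_e, key_a = b"\x11" * 16, b"\x22" * 20   # constructed placeholder keys
    eng.add_manual_sa(0x1000, Selector(branch, lan, 1), key_e, key_a, "in")
    eng.add_manual_sa(0x1001, Selector(lan, branch, 1), key_e, key_a, "out")
    eng.policies.append(IPsecPolicy(Selector(lan, branch, 6), "ike-branch-office"))
    return eng


if __name__ == "__main__":
    eng = build_demo_engine()
    esp = struct.pack(">II", 0x1000, 1) + b"ciphertext"   # constructed ESP packet
    print("inbound SPI 0x1000 ->", eng.inbound_lookup(esp).origin)
    print("outbound ICMP ->", eng.outbound_lookup("10.1.2.3", "192.168.50.7", 1).origin)
    sa = eng.outbound_lookup("10.1.2.3", "192.168.50.7", 6)
    print("outbound TCP ->", sa.origin, "via", eng.negotiations)
    print("unrelated ->", eng.outbound_lookup("10.1.2.3", "8.8.8.8", 6))
```

The second TCP packet for the same selector reuses the SA that the first one caused IKE to negotiate, so `negotiations` stays at one entry; the ICMP traffic rides the manually keyed SA and never triggers IKE, matching the guide's note that ICMP traffic requires manual keying.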
The TMS zl Module can establish SAs in two ways:
■ Manually
■ Using IKEv1
Defining an SA Manually. You can define the IPsec SA yourself. In this
case, you must specify:
■ The SA’s SPI
■ The authentication and encryption algorithms
■ The authentication and encryption keys, both inbound and outbound
See “Create an IPsec Policy That Uses Manual Keying” on page 7-64.
Because this method of configuration is relatively insecure and complex,
ProCurve Networking does not generally recommend it. However, manual
keying is required when you specify ICMP traffic for the VPN.
Defining an SA Using IKE. By far, the more secure and manageable solution
for VPN configuration is to allow IKE to negotiate the IPsec SA. IKE
regulates the process as hosts authenticate each other, agree upon hash and
encryption algorithms, and generate the unique keys used to secure packets.
Using IPsec with IKE provides increased security because keys are randomly
generated and periodically changed.
IKE also eases configuration. Instead of configuring the SA manually, you
configure IKE policies. See “Create an IKE Policy” on page 7-22.
IKE version 1
IKEv1 follows a set process to negotiate the IPsec SA and passes through two
phases. The first phase establishes a preliminary tunnel, or IKE SA. The second
phase establishes the IPsec SA. When you understand this process, you will
find it much easier to configure VPNs on your TMS zl Module.