TMS zl Management and Configuration Guide ST.1.0.090213
7-14
Virtual Private Networks
IPsec VPNs
Figure 7-7. IKE Phase 2: Security Proposal
When negotiating the IPsec SA, IKE follows much the same process it did in IKE phase 1. The initiator sends IKE packets (now secured by the IKE SA), proposing security parameters:
■ IPsec SA lifetime—the time in seconds or amount of data in kilobytes before the SA must be renegotiated
■ Perfect forward secrecy (PFS) group—an optional setting, required if you want the endpoints to use Diffie-Hellman to generate new keys
■ One or more IPsec proposals. Each proposal includes:
• An authentication algorithm
• An encryption algorithm (if using ESP)
■ Traffic selectors—the traffic that is allowed over the IPsec SA (VPN tunnel)
■ Other advanced options
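The responder's side of the phase 2 negotiation just described, modelled as an added example (not code from the guide or from the TMS zl module): the initiator's offer carries the lifetime, PFS group, ordered proposals and traffic selectors, and the responder checks each against its configured policy. The class and function names are hypothetical, and the rule that the shorter of the two lifetimes is applied is an assumed simplification.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class IpsecProposal:
    auth: str            # authentication algorithm, e.g. "hmac-sha256"
    enc: Optional[str]   # encryption algorithm for ESP; None means AH only

@dataclass
class Phase2Offer:                  # what the initiator proposes
    lifetime_seconds: int
    lifetime_kb: int
    pfs_group: Optional[int]        # Diffie-Hellman group; None = no PFS
    proposals: list                 # IpsecProposal, in initiator preference order
    local_selector: str             # initiator's protected subnet (CIDR)
    remote_selector: str            # responder's protected subnet (CIDR)

@dataclass
class Phase2Policy:                 # what the responder is configured to accept
    max_lifetime_seconds: int
    max_lifetime_kb: int
    require_pfs: bool
    acceptable: list                # IpsecProposal values the responder allows
    local_selector: str             # responder's own protected subnet
    remote_selector: str            # peer subnets the responder will tunnel to

def negotiate_phase2(offer: Phase2Offer, policy: Phase2Policy):
    """Return the agreed IPsec SA parameters, or None if the offer is rejected."""
    if policy.require_pfs and offer.pfs_group is None:
        return None                 # PFS is mandatory on this side
    # First proposal in the initiator's list that the responder permits
    chosen = next((p for p in offer.proposals if p in policy.acceptable), None)
    if chosen is None:
        return None
    # Traffic selectors: the initiator's "remote" is the responder's "local"
    peer_local = ip_network(offer.local_selector)
    peer_remote = ip_network(offer.remote_selector)
    if not peer_remote.subnet_of(ip_network(policy.local_selector)):
        return None
    if not peer_local.subnet_of(ip_network(policy.remote_selector)):
        return None
    # Assumed simplification: the shorter of the two lifetimes wins
    return {
        "proposal": chosen,
        "pfs_group": offer.pfs_group,
        "lifetime_seconds": min(offer.lifetime_seconds, policy.max_lifetime_seconds),
        "lifetime_kb": min(offer.lifetime_kb, policy.max_lifetime_kb),
        "selectors": (offer.remote_selector, offer.local_selector),
    }
```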