TMS zl Management and Configuration Guide ST.1.1.100226

7-12
Virtual Private Networks
IPsec Concepts
The TMS zl Module can establish SAs in two ways:
Manually
Using IKEv1
Defining an SA Manually
You can define the IPsec SA yourself. In this case, you must specify:
The SA's SPI
The authentication and encryption algorithms
The authentication and encryption keys, both inbound and outbound
The traffic selector
Because this method of configuration is relatively insecure and complex,
ProCurve Networking does not generally recommend it. However, manual
keying is required when you specify ICMP Echo or ICMP Timestamp traffic
for the VPN.
“Configure an IPsec Site-to-Site VPN with Manual Keying” on page 7-122 and
“Configure a GRE over IPsec VPN with Manual Keying” on page 7-265 explain
how to set up a VPN using this method.
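The following added example (not from this guide and not ProCurve code) audits manually keyed SA records against the requirements listed above. The record schema, field names, and algorithm labels are assumptions for illustration, not TMS zl syntax; the sample records and keys are constructed.

```python
"""Added example: audit manually keyed IPsec SAs (hypothetical record schema)."""
# Key sizes in bytes; algorithm names are assumed labels, not TMS zl keywords.
KEY_BYTES = {"hmac-md5": {16}, "hmac-sha1": {20}, "3des": {24}, "aes": {16, 24, 32}}
# The guide says manual keying is required only for these traffic selectors.
MANUAL_ONLY = {"icmp-echo", "icmp-timestamp"}
REQUIRED = ("spi_in", "spi_out", "auth_alg", "enc_alg", "auth_key_in",
            "auth_key_out", "enc_key_in", "enc_key_out", "selector")


def audit_manual_sa(sa):
    """Return a list of findings for one manually defined SA record."""
    findings = []
    missing = [f for f in REQUIRED if sa.get(f) is None]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    for field in ("spi_in", "spi_out"):
        spi = sa.get(field)
        # RFC 4303: SPI 0 is for local use, 1-255 are reserved by IANA.
        if spi is not None and not 256 <= spi <= 0xFFFFFFFF:
            findings.append(f"{field}={spi} is outside 256..2^32-1")
    for alg_field, key_fields in (("auth_alg", ("auth_key_in", "auth_key_out")),
                                  ("enc_alg", ("enc_key_in", "enc_key_out"))):
        allowed = KEY_BYTES.get(sa.get(alg_field))
        for kf in key_fields:
            if sa.get(kf) is None:
                continue
            try:
                n = len(bytes.fromhex(sa[kf]))
            except ValueError:
                findings.append(f"{kf} is not valid hex")
                continue
            if allowed and n not in allowed:
                findings.append(f"{kf} is {n} bytes, {sa[alg_field]} expects {sorted(allowed)}")
    if (sa.get("selector") or {}).get("protocol") not in MANUAL_ONLY:
        findings.append("manual keying not required for this selector; use IKE")
    return findings


# Constructed sample records (placeholder keys, never use in production).
SAMPLE_OK = {"spi_in": 0x1000, "spi_out": 0x1001, "auth_alg": "hmac-sha1",
             "enc_alg": "aes", "auth_key_in": "11" * 20, "auth_key_out": "22" * 20,
             "enc_key_in": "33" * 16, "enc_key_out": "44" * 16,
             "selector": {"protocol": "icmp-echo"}}
SAMPLE_BAD = {"spi_in": 100, "spi_out": 0x2001, "auth_alg": "hmac-sha1",
              "enc_alg": "3des", "auth_key_in": "11" * 20,
              "enc_key_in": "55" * 16, "enc_key_out": "66" * 24,
              "selector": {"protocol": "any"}}

if __name__ == "__main__":
    for name, sa in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_manual_sa(sa))
```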
Defining an SA Using IKE
By far, the more secure and manageable solution for VPN configuration is to
allow IKE to negotiate the IPsec SA. IKE regulates the process as hosts
authenticate each other, agree upon hash and encryption algorithms, and
generate the unique keys used to secure packets. Using IPsec with IKE
provides increased security because keys are randomly generated and
periodically changed.
IKE also eases configuration. Instead of configuring the SA manually, you
configure IKE policies. (You must also set some security parameters and a
traffic selector in the IPsec policy.) These sections include instructions for
setting up IPsec SAs using IKE:
“Configure an IPsec Client-to-Site VPN” on page 7-27
“Configure an IPsec Site-to-Site VPN with IKE” on page 7-76
“Layer 2 Tunneling Protocol (L2TP) over IPsec Concepts” on page 7-141
“Configure a GRE over IPsec VPN with Manual Keying” on page 7-265