TMS zl Management and Configuration Guide ST.1.1.100430

7-13
Virtual Private Networks
IPsec Concepts
Defining an SA Using IKE
By far, the more secure and manageable solution for VPN configuration is to
allow IKE to negotiate the IPsec SA. IKE regulates the process as hosts
authenticate each other, agree upon hash and encryption algorithms, and
generate the unique keys used to secure packets. Using IPsec with IKE
provides increased security because keys are randomly generated and
periodically changed.
IKE also eases configuration. Instead of configuring the SA manually, you
configure IKE policies. (You must also set some security parameters and a
traffic selector in the IPsec policy.) These sections include instructions for
setting up IPsec SAs using IKE:
“Configure an IPsec Client-to-Site VPN” on page 7-28
“Configure an IPsec Site-to-Site VPN with IKE” on page 7-77
“Layer 2 Tunneling Protocol (L2TP) over IPsec Concepts” on page 7-142
“Configure a GRE over IPsec VPN with Manual Keying” on page 7-265
IKE version 1
IKEv1 follows a set process to negotiate the IPsec SA and passes through two
phases. The first phase establishes a preliminary tunnel, or IKE SA. The second
phase establishes the IPsec SA. When you understand this process, you will
find it much easier to configure VPNs on your TMS zl Module.
IKE Phase 1
During phase 1, IKE must complete three tasks:
Negotiate security parameters for the IKE SA
Generate the keys used to secure data sent over the IKE SA
Authenticate the endpoints of the tunnel (the two hosts)
Therefore, IKE phase 1 typically involves three exchanges between hosts, or
six total messages.
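The three exchanges described above, simulated as an added example in Python (this is not code from the guide or from the TMS zl Module). It assumes pre-shared-key authentication with the RFC 2409 key derivation, a toy Diffie-Hellman group chosen for speed, and constructed peer identities and secrets.

```python
import hmac, hashlib, secrets

# Toy DH group (hypothetical, chosen for speed); real IKEv1 negotiates a MODP group such as DH group 2.
P, G = 2**127 - 1, 3

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 keyed PRF: HMAC over the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

class Peer:
    def __init__(self, ident: bytes, psk: bytes):
        self.ident, self.psk = ident, psk
        self.cky = secrets.token_bytes(8)        # ISAKMP cookie (CKY-I / CKY-R)
        self.nonce = secrets.token_bytes(16)     # Ni / Nr
        self.x = secrets.randbelow(P - 2) + 1    # private DH exponent
        self.pub = pow(G, self.x, P)             # g^x, sent in exchange 2

    def skeyid(self, peer_nonce: bytes, initiator: bool) -> bytes:
        # Pre-shared-key authentication: SKEYID = prf(psk, Ni_b | Nr_b)
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        return prf(self.psk, ni + nr)

def derive(skeyid: bytes, gxy: int, cky_i: bytes, cky_r: bytes) -> tuple:
    """SKEYID_d / SKEYID_a / SKEYID_e as in RFC 2409 section 5."""
    base = i2b(gxy) + cky_i + cky_r
    sk_d = prf(skeyid, base + b"\x00")
    sk_a = prf(skeyid, sk_d + base + b"\x01")
    sk_e = prf(skeyid, sk_a + base + b"\x02")
    return sk_d, sk_a, sk_e

def main_mode(psk_i: bytes, psk_r: bytes, proposal: bytes) -> bool:
    """Run the three Phase 1 exchanges; True only if both peers authenticate
    each other and derive identical SKEYID_d / SKEYID_a / SKEYID_e."""
    i, r = Peer(b"gw-a.example", psk_i), Peer(b"gw-b.example", psk_r)
    # Exchange 1 (messages 1-2): initiator proposes SA parameters, responder accepts.
    sa_i = proposal                                  # SAi_b, the proposal body
    # Exchange 2 (messages 3-4): g^x and a nonce each way; each side computes g^xy.
    sk_i, sk_r = i.skeyid(r.nonce, True), r.skeyid(i.nonce, False)
    k_i = derive(sk_i, pow(r.pub, i.x, P), i.cky, r.cky)
    k_r = derive(sk_r, pow(i.pub, r.x, P), i.cky, r.cky)
    # Exchange 3 (messages 5-6): IDs plus HASH_I / HASH_R prove possession of the PSK.
    hash_i = lambda sk: prf(sk, i2b(i.pub) + i2b(r.pub) + i.cky + r.cky + sa_i + i.ident)
    hash_r = lambda sk: prf(sk, i2b(r.pub) + i2b(i.pub) + r.cky + i.cky + sa_i + r.ident)
    # Each side recomputes the received hash under its own SKEYID; a PSK mismatch fails here.
    auth_r = hmac.compare_digest(hash_i(sk_i), hash_i(sk_r))   # responder checks HASH_I
    auth_i = hmac.compare_digest(hash_r(sk_r), hash_r(sk_i))   # initiator checks HASH_R
    return auth_i and auth_r and k_i == k_r
```

Note that the proposal string stands in for the SA payload body only; a real negotiation would carry transform attributes (cipher, hash, DH group, lifetime) and the responder would select among them rather than accept unchanged.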