TMS zl Management and Configuration Guide ST.1.2.100916

7-12
Virtual Private Networks
IPsec Concepts
- Data authentication algorithm and unique authentication keys (optional if ESP encryption is used)—On the TMS zl Module, the algorithm can be MD5, SHA-1, or AES-XCBC.
- Traffic selector—Valid IP header values, such as source and destination address, for the traffic that is carried by the SA
When receiving inbound packets, the TMS zl Module first checks the packet
for an IPsec header. If an IPsec header is present, the module uses the SPI to
identify the packet’s SA. The module then uses the keys in the SA to decrypt
and authenticate the packet.
When sending outbound packets (which have already passed firewall, NAT,
and IDS/IPS checks), the TMS zl Module checks whether the packet matches
the traffic selector in an active outbound SA. If it does, the module uses the
keys in the SA to encrypt and encapsulate the packet. The module also checks
whether the packet matches a traffic selector in an IPsec policy. If the packet
does, the module uses the associated IKE policy to establish an SA and then
uses the SA to encrypt and encapsulate the packet.
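The inbound and outbound lookups described above, as an added Python simulation that is not part of the HP guide: inbound packets are resolved by SPI against the SA database, outbound packets first against an active outbound SA and then against an IPsec policy whose IKE policy establishes a new SA. The class and field names, the constructed SPI values, dropping a packet with an unknown SPI, and forwarding unprotected when no policy matches are assumptions made for the simulation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count

@dataclass
class TrafficSelector:
    src: str          # source network, e.g. "10.1.0.0/16"
    dst: str          # destination network
    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))

@dataclass
class SA:
    spi: int
    direction: str    # "in" or "out"
    selector: TrafficSelector
    keys: dict        # placeholder; real keys come from manual config or IKE

@dataclass
class IPsecPolicy:
    selector: TrafficSelector
    ike_policy: str   # name of the IKE policy used to negotiate the SA

class IPsecModule:
    def __init__(self):
        self.sad = {}               # SPI -> SA (inbound SAs are found by SPI)
        self.spd = []               # IPsec policies, checked in order
        self._spi = count(0x1000)   # constructed SPI allocator for the simulation

    def inbound(self, pkt: dict):
        if "spi" not in pkt:                    # no IPsec header: ordinary packet
            return ("clear", None)
        sa = self.sad.get(pkt["spi"])
        if sa is None or sa.direction != "in":  # assumption: unknown SPI is dropped
            return ("drop", None)
        return ("decrypt-auth", sa.spi)         # SA keys decrypt and authenticate

    def outbound(self, pkt: dict):
        for sa in self.sad.values():            # 1. an active outbound SA?
            if sa.direction == "out" and sa.selector.matches(pkt):
                return ("encrypt", sa.spi)
        for pol in self.spd:                    # 2. an IPsec policy? then run IKE
            if pol.selector.matches(pkt):
                return ("encrypt", self.negotiate(pol).spi)
        return ("clear", None)                  # assumption: no policy, no protection

    def negotiate(self, pol: IPsecPolicy) -> SA:
        # Stand-in for IKE: real code authenticates the peers and derives keys.
        sa = SA(next(self._spi), "out", pol.selector, {"ike": pol.ike_policy})
        self.sad[sa.spi] = sa
        return sa
```

A second outbound packet for the same selector reuses the SA that the first one caused IKE to establish, which is the behaviour the paragraph describes.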
The TMS zl Module can establish SAs in two ways:
- Manually
- Using IKEv1
Defining an SA Manually
You can define the IPsec SA yourself. In this case, you must specify:
- The SA's SPI
- The authentication and encryption algorithms
- The authentication and encryption keys, both inbound and outbound
- The traffic selector
Because this method of configuration is relatively insecure and complex, HP
Networking does not generally recommend it. However, manual keying is
required when you specify ICMP Echo or ICMP Timestamp traffic for the VPN.
“Configure an IPsec Site-to-Site VPN with Manual Keying” on page 7-124 and
“Configure a GRE over IPsec VPN with Manual Keying” on page 7-267 explain
how to set up a VPN using this method.
Defining an SA Using IKE
By far, the more secure and manageable solution for VPN configuration is to
allow IKE to negotiate the IPsec SA. IKE regulates the process as hosts
authenticate each other, agree upon hash and encryption algorithms, and