TMS zl Management and Configuration Guide ST.1.2.100916
7-16
Virtual Private Networks
IPsec Concepts
■ Certificates—The endpoints exchange certificates, which must be
installed before IKE initiates. Each endpoint’s certificate must be signed
by a CA that is trusted by the other endpoint.
Figure 7-5. IKE Phase 1: Authentication
The tunnel endpoints also check each other’s IDs. When you set up an IKE
policy, you specify the TMS zl Module’s local ID and the remote ID that it
expects from the remote VPN gateway or client.
The ID can be one of these:
■ An IP address
A local ID of this type should be the IP address for the interface that
handles incoming VPN traffic.
Similarly, a remote ID of this type should specify the remote interface to
which VPN traffic is destined. The remote ID on one peer must match the
local ID on the other peer.
■ A fully qualified domain name (FQDN)
A local ID of this type is typically the FQDN of the local VPN gateway.
Similarly, a remote ID of this type would be the FQDN of the remote VPN
gateway.
■ An email address
The IKE policy can specify an email address as the local or the remote ID.
The email address does not need to be valid. It simply needs to match the
ID expected or transmitted by the peer.
■ An Abstract Syntax Notation One distinguished name (ASN.1 DN)
You typically use this type when the IKE policy specifies certificates for
the authentication method. The value is the ASN.1 DN that is associated
with the certificate, for example: /CN=TMSzl.company.edu.
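The ID rules above (remote ID on one peer equals local ID on the other, an IP-type ID being the VPN interface address, an ASN.1 DN going with certificate authentication) can be checked before a tunnel is brought up. The following Python is an added example, not code from the guide or the TMS zl Module; the peer dictionaries and the `id_type` classifier are constructed for illustration.

```python
import ipaddress
import re

def id_type(identity: str) -> str:
    """Classify an IKE ID string into one of the four types the guide lists
    (helper written for this example; the module stores the type explicitly)."""
    try:
        ipaddress.ip_address(identity)
        return "ip"
    except ValueError:
        pass
    if identity.startswith("/") and "=" in identity:   # e.g. /CN=TMSzl.company.edu
        return "asn1dn"
    if re.fullmatch(r"[^@\s/]+@[^@\s/]+", identity):
        return "email"
    if re.fullmatch(r"([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+", identity):
        return "fqdn"
    raise ValueError(f"unrecognised IKE ID: {identity!r}")

def check_ike_ids(a: dict, b: dict) -> list:
    """Return the problems found when peers a and b would authenticate. Each peer
    dict (constructed shape) holds local_id, remote_id, auth and vpn_if_ip."""
    problems = []
    # Guide rule: the remote ID on one peer must match the local ID on the other.
    for x, y, x_name in ((a, b, "A"), (b, a, "B")):
        if x["remote_id"] != y["local_id"]:
            problems.append(f"peer {x_name} expects remote ID {x['remote_id']!r}, "
                            f"but the other peer sends {y['local_id']!r}")
    if a["auth"] != b["auth"]:
        problems.append(f"authentication methods differ: {a['auth']} vs {b['auth']}")
    for name, p in (("A", a), ("B", b)):
        t = id_type(p["local_id"])
        # An IP-type local ID should be the address of the interface carrying VPN traffic.
        if t == "ip" and p["local_id"] != p["vpn_if_ip"]:
            problems.append(f"peer {name}: IP ID {p['local_id']} is not VPN interface {p['vpn_if_ip']}")
        # An ASN.1 DN ID is meant to be used with certificate authentication.
        if t == "asn1dn" and p["auth"] != "certificate":
            problems.append(f"peer {name}: ASN.1 DN ID used without certificate authentication")
    return problems

# Constructed sample policies (not real deployments): HQ and BRANCH are consistent,
# while BAD_BRANCH has a mismatched ID, a wrong IP ID and a different auth method.
HQ = {"local_id": "/CN=TMSzl.company.edu", "remote_id": "vpn.branch.example",
      "auth": "certificate", "vpn_if_ip": "192.0.2.1"}
BRANCH = {"local_id": "vpn.branch.example", "remote_id": "/CN=TMSzl.company.edu",
          "auth": "certificate", "vpn_if_ip": "198.51.100.7"}
BAD_BRANCH = {"local_id": "198.51.100.8", "remote_id": "/CN=TMSzl.company.edu",
              "auth": "preshared", "vpn_if_ip": "198.51.100.7"}
```

Running `check_ike_ids(HQ, BRANCH)` returns an empty list, while `check_ike_ids(HQ, BAD_BRANCH)` reports three problems.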