TMS zl Management and Configuration Guide ST.1.2.100916
7-254
Virtual Private Networks
Configure a GRE over IPsec VPN with IKE
11. For Key Exchange Method, keep the default, Auto (with IKEv1).
12. For IKEv1 Policy, select a previously configured IKEv1 policy.
Select the IKEv1 policy that specifies the remote tunnel endpoint as the
remote gateway.
13. Optionally, select the Enable PFS (Perfect Forward Secrecy) for keys check
box, which forces the tunnel endpoints to generate new keys for the IPsec
SA. In the list that is displayed, select one of the following:
• Group 1 (768)
• Group 2 (1024)
• Group 5 (1536)
The group determines the length of the prime number used during the
exchange. The larger the number, the more secure the key generated by
the exchange. You must match the settings on the remote tunnel endpoint.
14. For SA Lifetime in seconds, type a value between 300 (5 minutes) and 86400
(24 hours). Or type 0 if you do not want to specify a lifetime in seconds
(in this case, you must specify a lifetime in kilobytes). You must match
the settings on the remote tunnel endpoint.
This setting determines how long the IPsec SA remains open. When the
lifetime of the SA reaches 80 percent of the total lifetime, the TMS zl
Module checks whether the SA has experienced any activity. If it has, the
module negotiates a new SA and then deletes the old SA. If the SA is
inactive, the module waits for the complete lifetime to expire. Then, if the
SA is still inactive, the module deletes the SA.
The default value is 28800 (8 hours).
15. For SA Lifetime in Kilobytes, type a value between 2560 and 4194304. Or
leave the default 0 if you do not want to specify a lifetime in kilobytes (in
this case, you must specify a lifetime in seconds). You must match the
settings on the remote tunnel endpoint.
This setting determines when an SA expires based on the amount of data
passed over it, rather than by time. (The more traffic sent over a connection,
the better chance a hacker has at cracking a key.)
The TMS zl Module checks an IPsec SA for inactivity when the SA has
transmitted and received 80 percent of the allowed bandwidth in kilobytes.
If the SA is active, the module renegotiates it, deleting the old SA
when the new one is established. The module deletes an inactive SA if it
is still inactive when the total lifetime in kilobytes is reached.
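The rekey behaviour of steps 14 and 15, as an added example that is not part of this guide or of the TMS zl Module firmware: a small Python model that validates the two lifetime values and returns the action the text describes at each check point. The function names, the `active` flag, and the handling of an SA that is active when the full lifetime is reached (assumed here to be renegotiated) are assumptions.

```python
CHECK_PERCENT = 80                 # the module checks activity at 80 % of a limit
SECONDS_RANGE = (300, 86400)       # step 14: 5 minutes .. 24 hours, or 0 = not set
KILOBYTES_RANGE = (2560, 4194304)  # step 15: or 0 = not set


def validate_lifetimes(lifetime_s: int, lifetime_kb: int) -> None:
    """Enforce the rules of steps 14 and 15: each value is 0 or within its
    range, and at least one of the two lifetimes must be specified."""
    lo, hi = SECONDS_RANGE
    if lifetime_s != 0 and not lo <= lifetime_s <= hi:
        raise ValueError(f"SA lifetime in seconds must be 0 or {lo}-{hi}")
    lo, hi = KILOBYTES_RANGE
    if lifetime_kb != 0 and not lo <= lifetime_kb <= hi:
        raise ValueError(f"SA lifetime in kilobytes must be 0 or {lo}-{hi}")
    if lifetime_s == 0 and lifetime_kb == 0:
        raise ValueError("specify a lifetime in seconds, in kilobytes, or both")


def _stage(used: int, limit: int) -> int:
    """0 = below the 80 % check point, 1 = 80 % reached, 2 = limit reached.
    Integer arithmetic keeps the 80 % comparison exact."""
    if limit == 0:          # this lifetime is not configured
        return 0
    if used >= limit:
        return 2
    return 1 if used * 100 >= limit * CHECK_PERCENT else 0


def lifetime_action(elapsed_s: int, transferred_kb: int, active: bool,
                    lifetime_s: int = 28800, lifetime_kb: int = 0) -> str:
    """What the module does with an IPsec SA at this check (assumed model):
    'keep'        - no limit reached, or 80 % reached but the SA is idle
                    (the module waits for the full lifetime)
    'renegotiate' - 80 % reached and the SA carried traffic: a new SA is
                    negotiated and the old one deleted afterwards
    'delete'      - full lifetime reached and the SA is still inactive
    Whichever configured limit is closer to expiry decides."""
    validate_lifetimes(lifetime_s, lifetime_kb)
    stage = max(_stage(elapsed_s, lifetime_s), _stage(transferred_kb, lifetime_kb))
    if stage == 2:
        return "renegotiate" if active else "delete"
    if stage == 1:
        return "renegotiate" if active else "keep"
    return "keep"


if __name__ == "__main__":
    # Default 8-hour lifetime: the 80 % check point falls at 23040 seconds.
    print(lifetime_action(23040, 0, active=True))    # renegotiate
    print(lifetime_action(28800, 0, active=False))   # delete
```

An SA that reaches 80 percent of either configured limit while idle is kept until the full limit, which is why a short kilobyte lifetime still bounds the data protected by one key even when the time lifetime is long.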