SROS Command Line Interface Reference Guide

Global Configuration Mode Command Set

This example assumes that the Secure Router OS product has been configured with a WAN IP Address of 63.97.45.57 on interface ppp 1 and a LAN IP Address of 10.10.10.254 on interface ethernet 0/1. The Peer Private IP Subnet is 10.10.20.0.

For more detailed information on VPN configuration, refer to the VPN Configuration Guide located on the Secure Router OS Documentation CD provided with your unit.

Step 1:

Enter the Global configuration mode (i.e., config terminal mode).

>enable

#configure terminal

Step 2:

Enable VPN support using the ip crypto command. This command allows crypto maps to be applied to interfaces, and enables the IKE server to listen for IKE negotiation sessions on UDP port 500.

(config)#ip crypto

Step 3:

Set the local ID. During IKE negotiation, local-ids are exchanged between the local device and the peer device. In the Secure Router OS, the default setting for all local-ids is configured by the crypto ike local-id command. The default setting is for all local-ids to be the IPv4 address of the interface over which the IKE negotiation is occurring. In the future, a unique system-wide Hostname or Fully Qualified Domain Name could be used for all IKE negotiation.

(config)#crypto ike local-id address

Step 4:

Create IKE policy. In order to use IKE negotiation, an IKE policy must be created. Within the system, a list of IKE policies is maintained. Each IKE policy is given a priority number in the system. That priority number defines the position of that IKE policy within the system list. When IKE negotiation is needed, the system searches through the list, starting with the policy with priority of 1, looking for a match to the peer IP address.

An individual IKE policy can override the system local-id setting by having the local-id command specified in the IKE policy definition. This command in the IKE policy is used to specify the type of local-id and the local-id data. The type can be an IPv4 address, a Fully Qualified Domain Name, or a User-Specified Fully Qualified Domain Name.

An IKE policy may specify one or more peer IP addresses that will be allowed to connect to this system. To specify multiple unique peer IP addresses, the peer A.B.C.D command is used multiple times within a single IKE policy. To specify that all possible peers can use a default IKE policy, the peer any command is given instead of the peer A.B.C.D command inside of the IKE policy. The policy with the peer any command specified will match to any peer IP address (and therefore should be given the highest numerical priority number). This will make the policy the last one to be compared against during IKE negotiation.
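The policy-list lookup described in Steps 3 and 4 (search from priority 1 upward, first peer match wins, a per-policy local-id overriding the system crypto ike local-id setting, and peer any matching everything) is modelled here as an added Python example; it is not Secure Router OS code, and the peer addresses and the branch.example.net local-id are constructed sample values. The system local-id 63.97.45.57 is the WAN address from the example topology above.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class IkePolicy:
    """One entry in the system IKE policy list, as the guide describes it."""
    priority: int                                   # position in the list; 1 is searched first
    peers: List[str] = field(default_factory=list)  # 'peer A.B.C.D' entries, or 'any'
    local_id: Optional[str] = None                  # per-policy override of 'crypto ike local-id'

    def matches(self, peer_ip: str) -> bool:
        """A policy with 'peer any' matches every peer; otherwise the address must be listed."""
        if "any" in self.peers:
            return True
        return IPv4Address(peer_ip) in {IPv4Address(p) for p in self.peers}


def select_policy(policies: List[IkePolicy], peer_ip: str) -> Optional[IkePolicy]:
    """Search the list starting at priority 1 and return the first policy matching the peer."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.matches(peer_ip):
            return policy
    return None


def effective_local_id(policy: IkePolicy, system_local_id: str) -> str:
    """A local-id inside the policy overrides the system-wide setting."""
    return policy.local_id or system_local_id


def shadowed_policies(policies: List[IkePolicy]) -> List[int]:
    """Priorities of policies that can never be selected because a 'peer any'
    policy sorts ahead of them; the guide's advice is to give 'peer any' the
    highest number so this list is empty."""
    ordered = sorted(policies, key=lambda p: p.priority)
    for i, policy in enumerate(ordered):
        if "any" in policy.peers:
            return [p.priority for p in ordered[i + 1:]]
    return []


# Constructed sample configuration (peer addresses are documentation ranges, not from the guide).
SYSTEM_LOCAL_ID = "63.97.45.57"  # 'crypto ike local-id address' resolves to the ppp 1 address
POLICIES = [
    IkePolicy(priority=10, peers=["198.51.100.1"]),
    IkePolicy(priority=20, peers=["203.0.113.5", "203.0.113.6"], local_id="branch.example.net"),
    IkePolicy(priority=100, peers=["any"]),  # catch-all, deliberately last
]
```

Calling shadowed_policies on a list where peer any has priority 1 reports every other policy as unreachable, which is the misordering the guide warns against.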

5991-2114

© Copyright 2005 Hewlett-Packard Development Company, L.P.
