SROS Command Line Interface Reference Guide: Crypto Map Manual Command Set

Functional Notes (Continued)

AES-192-CBC    192 bits in length; 24 hexadecimal bytes

AES-256-CBC    256 bits in length; 32 hexadecimal bytes

md5            128 bits in length; 16 hexadecimal bytes

sha1           160 bits in length; 20 hexadecimal bytes

Technology Review

The following example configures a Secure Router OS product for VPN using IPSec manual keys. This example assumes that the Secure Router OS product has been configured with a WAN IP address of 63.97.45.57 on interface ppp 1 and a LAN IP address of 10.10.10.254 on interface ethernet 0/1. The peer private IP subnet is 10.10.20.0.

For more detailed information on VPN configuration, refer to the VPN Configuration Guide located on the ProCurve SROS Documentation CD provided with your unit.

Step 1:

Enter the Global configuration mode (i.e., config terminal mode).

>enable

#configure terminal

Step 2:

Enable VPN support using the ip crypto command. This command allows crypto maps to be applied to interfaces and enables the IKE server to listen for IKE negotiation sessions on UDP port 500.

(config)#ip crypto

Step 3:

Define the transform-set. A transform-set defines the encryption and/or authentication algorithms used to secure the data transmitted over the VPN tunnel. Multiple transform-sets may be defined in a system, and once a transform-set is defined, many different crypto maps within the system can reference it. In this example, a transform-set named highly_secure has been created. This transform-set defines ESP with authentication, implemented using 3DES encryption and SHA1 authentication.

(config)#crypto ipsec transform-set highly_secure esp-3des esp-sha-hmac

(cfg-crypto-trans)#mode tunnel

Step 4:

Define an IP access list. An extended access control list is used to specify which traffic needs to be sent securely over the VPN tunnel. The entries in the list are defined with respect to the local system: the source IP address is the source of the traffic to be encrypted, and the destination IP address is the receiver of the data on the other side of the VPN tunnel.

(config)#ip access-list extended corporate_traffic

(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log

(config-ext-nacl)#deny ip any any
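The following added example (not part of the manual) models how the crypto access list above selects traffic for the tunnel. It assumes first-match evaluation with an implicit deny at the end, and that the wildcard mask is an inverse mask in which a set bit means "don't care"; the three checks at the bottom show why the peer must configure the mirror-image list.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str      # "permit" (send through the tunnel) or "deny" (not protected)
    src: str
    src_wild: str    # wildcard mask: 1 bits are ignored when matching
    dst: str
    dst_wild: str

def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)

def parse_ace(line: str) -> Ace:
    """Parse one extended ACL line in the form used on this page."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if proto != "ip":
        raise ValueError("only 'ip' entries are modelled here")
    def take() -> tuple:
        if rest[0] == "any":            # "any" == 0.0.0.0 255.255.255.255
            rest.pop(0)
            return "0.0.0.0", "255.255.255.255"
        return rest.pop(0), rest.pop(0)
    src, src_wild = take()
    dst, dst_wild = take()              # a trailing "log" keyword is ignored
    return Ace(action, src, src_wild, dst, dst_wild)

def classify(acl: list, src: str, dst: str) -> str:
    """Return the action of the first matching entry (implicit deny if none)."""
    for ace in acl:
        if _wild_match(src, ace.src, ace.src_wild) and _wild_match(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"

# Constructed copy of the page's corporate_traffic list.
CORPORATE_TRAFFIC = [
    parse_ace("permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log"),
    parse_ace("deny ip any any"),
]

if __name__ == "__main__":
    print(classify(CORPORATE_TRAFFIC, "10.10.10.25", "10.10.20.7"))   # permit: local LAN to peer LAN
    print(classify(CORPORATE_TRAFFIC, "10.10.20.7", "10.10.10.25"))   # deny: reverse direction is the peer's job
    print(classify(CORPORATE_TRAFFIC, "10.10.10.25", "198.51.100.9")) # deny: Internet traffic stays in the clear
```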

5991-2114

© Copyright 2005 Hewlett-Packard Development Company, L.P.

412
