IPSec Configuration

Enable and Configure IPSec Global Settings

Note Before configuring IPSec and the IPSec Security Association, configure the required IP Address Groups and the IKE proposals. For details, see “Configuring IKE Proposals” on page 200.

STEP 1 From the LSM menu, select VPN > IPSec Status. Then, click the IPSec Configuration tab.

STEP 2 On the IPSec Configuration page, check Enable IPSec Global VPNs.

STEP 3 Check Enable Verbose messages in the VPN log to generate more detailed information on the VPN connection process.

This option is only recommended if you need to troubleshoot problems with the VPN tunnel connection.

STEP 4 Type a Local Domain Name and Local Email Address for the X family device.

The values specified define the Local ID for the device, which can be used to authenticate Phase 1 of the IKE proposal. You only need to complete these fields if the authentication type for the IKE proposal used by the SA is configured for aggressive mode.

STEP 5 Click Apply.

After configuring IPSec, you need to create the Security Association that allows two devices to establish the secure IPSec tunnel for the VPN connection. You can edit the Default Security Association, or create a new one.

For details, see “Configure an IPSec Security Association” on page 189.

Configure an IPSec Security Association

An IPSec Security Association (IPSec SA) consists of the configuration parameters that allow two devices to establish an IPSec tunnel. On the X family device, you need to configure an IPSec Security Association that allows the device to connect to the remote network (site-to-site) or remote device (client-to-site).

The device provides a Default Security Association (Default) mainly for Client-to-Site VPNs.

The Default SA is typically used for the deployment of multiple VPN clients. All the clients can use this default SA, instead of creating one SA per client. The Default SA is for incoming connections only, and is used if the device cannot match the IKE identification to any other SA.

The Default SA can also be used to terminate incoming VPN site-to-site connections if the Enable IPSec Tunnel connections option is selected.

Note You cannot delete the Default SA and you cannot edit the Default SA Name, Peer IP Address or Keying Mode.

If you want the device to initiate the VPN connection for a site-to-site connection, you must create a unique security association for each site-to-site VPN connection.
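The SA selection rules above (specific SAs match on IKE identification, the Default SA terminates only incoming connections, and site-to-site only when Enable IPSec Tunnel connections is checked) can be checked before deployment. The following Python model is an added example, not the device's own logic; its field names and audit rules are assumptions drawn from the text.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class SecurityAssociation:
    name: str
    peer_id: Optional[str] = None        # IKE identification expected from the peer (assumed field)
    site_to_site: bool = False
    initiator: bool = False              # this device starts the tunnel
    aggressive_mode: bool = False        # IKE proposal used by this SA uses aggressive mode
    enable_tunnel_connections: bool = False  # Default SA: "Enable IPSec Tunnel connections"

@dataclass
class IpsecGlobals:
    enabled: bool = False                # "Enable IPSec Global VPNs"
    verbose_log: bool = False            # "Enable Verbose messages in the VPN log"
    local_domain: str = ""               # Local Domain Name (part of the Local ID)
    local_email: str = ""                # Local Email Address (part of the Local ID)
    sas: List[SecurityAssociation] = field(default_factory=list)

def select_sa(cfg: IpsecGlobals, peer_id: str, site_to_site: bool):
    """Which SA terminates an incoming IKE negotiation, per the rules in the text.

    A named SA wins when its expected IKE identification matches; otherwise the
    Default SA is used, but for site-to-site only if tunnel connections are enabled.
    """
    for sa in cfg.sas:
        if sa.name != "Default" and sa.peer_id == peer_id:
            return sa
    default = next((sa for sa in cfg.sas if sa.name == "Default"), None)
    if default and (not site_to_site or default.enable_tunnel_connections):
        return default
    return None  # no SA can terminate this connection; IKE will fail

def audit(cfg: IpsecGlobals) -> List[str]:
    """Findings a reviewer would raise against this configuration before go-live."""
    findings = []
    if not cfg.enabled:
        findings.append("IPSec Global VPNs is not enabled; no tunnel will come up")
    if cfg.verbose_log:
        findings.append("Verbose VPN logging is enabled; recommended only while troubleshooting")
    for sa in cfg.sas:
        if sa.aggressive_mode and not (cfg.local_domain and cfg.local_email):
            findings.append(f"{sa.name}: aggressive mode requires Local Domain Name and Local Email Address")
        if sa.name == "Default" and sa.initiator:
            findings.append("Default SA is for incoming connections only; create a unique SA to initiate")
    return findings
```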

The following is an overview of the Security Association configuration process.

X Family LSM User’s Guide V 2.5.1

189