Chapter 7 VPN

Click Cancel to return to the IPSec Configuration page without saving the changes.

IKE Proposal

Internet Key Exchange (IKE) is used to negotiate the keying material used by the IPSec VPN encryption and integrity algorithms. IKE uses UDP port number 500 and precedes the actual IPSec data flow. IKE is a two-stage mechanism for automatically establishing IPSec tunnels with dynamically generated keying material.

IKE Proposals are divided into two phases:

In Phase 1, the device negotiates IKE and establishes a shared, secure connection. Phase 1 uses Aggressive Mode or Main Mode for packet exchange. The default is Main Mode.

In Phase 2, the device establishes keying material for the VPN. Phase 2 is much quicker than Phase 1, since it can rely on the checks established during Phase 1, without needing to re-establish a shared, secure connection. Phase 2 uses Quick Mode for packet exchange.
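To confirm from a packet capture which phase and mode a tunnel actually negotiated, the exchange type can be read from the fixed ISAKMP header at the start of each UDP port 500 payload. The following is an added example, not part of the X family documentation or software; the function names and the sample packets are constructed for illustration, and the header layout and exchange type values are taken from RFC 2408 and RFC 2409.

```python
import struct

# ISAKMP fixed header (RFC 2408), 28 bytes, network byte order:
# initiator cookie (8) | responder cookie (8) | next payload (1) | version (1)
# | exchange type (1) | flags (1) | message ID (4) | total length (4)
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

# Exchange type values (RFC 2408 / RFC 2409) mapped to IKE phase and mode.
EXCHANGE_TYPES = {
    2: ("Phase 1", "Main Mode"),
    4: ("Phase 1", "Aggressive Mode"),
    32: ("Phase 2", "Quick Mode"),
}


def classify_ike_message(udp_payload: bytes) -> dict:
    """Classify an IKEv1 message (UDP port 500 payload) by phase and mode."""
    if len(udp_payload) < ISAKMP_HEADER.size:
        raise ValueError("payload shorter than the 28-byte ISAKMP header")
    (_icookie, rcookie, _next, version, xchg, flags,
     msg_id, length) = ISAKMP_HEADER.unpack_from(udp_payload)
    if version >> 4 != 1:
        raise ValueError("not an IKEv1 message (major version != 1)")
    if length < ISAKMP_HEADER.size:
        raise ValueError("declared length smaller than the header")
    phase, mode = EXCHANGE_TYPES.get(xchg, ("other", f"exchange type {xchg}"))
    return {
        "phase": phase,
        "mode": mode,
        "first_packet": rcookie == bytes(8),  # responder cookie not yet set
        "encrypted": bool(flags & 0x01),      # E flag: payloads are encrypted
        "message_id": msg_id,                 # 0 in Phase 1, nonzero in Phase 2
        "truncated": length > len(udp_payload),
    }


def build_header(xchg, rcookie=bytes(8), flags=0, msg_id=0, body=b""):
    """Build a constructed sample message for the demo (not captured traffic)."""
    return ISAKMP_HEADER.pack(b"\x11" * 8, rcookie, 1, 0x10, xchg, flags,
                              msg_id, ISAKMP_HEADER.size + len(body)) + body


if __name__ == "__main__":
    samples = [build_header(2), build_header(4),
               build_header(32, rcookie=b"\x22" * 8, flags=1, msg_id=0x1234)]
    for pkt in samples:
        print(classify_ike_message(pkt))
```
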

Phase 1 of the IKE negotiation requires authentication between the two devices to be connected over the VPN tunnel. When you configure the IKE proposal, you can select one of the following Authentication methods based on your network security requirements.

IKE with Pre-shared Key (Main Mode)

IKE with Pre-shared Key (Aggressive Mode)

IKE with X.509 Certificates (Main Mode)

IKE with X.509 Certificates (Aggressive Mode)

Manual Keying

Note: To use X.509 Certificate Authentication, you must first import matching X.509 CA Certificates and Local Certificates on the X family device and the remote device(s). On the X family device, you can create certificates from the X.509 Certificates page (Authentication > X.509 Certificates).

On the X family device, you configure the IKE proposals with the authentication and encryption configuration (used for Phase 1 and Phase 2 IKE negotiation) required for the different types of remote devices that will connect via the VPN tunnel connection. Then, when you create the IPSec Security Association required for each remote device, you can select the IKE proposal to use for key exchange and specify the key information.

For additional information, see the following topics:

“Manage IKE Proposals” on page 198

“Configuring IKE Proposals” on page 200

Manage IKE Proposals

You can view, manage and configure IKE proposals from the IKE Proposals menu page (VPN > IKE Proposals) in the LSM.

198 X Family LSM User’s Guide V 2.5.1