IKE Proposal

STEP 9 If you are using Pre-Shared Key with Aggressive Mode:

From the Local ID Type drop-down list, select the identifier for the device to use for validation purposes, either IP Address, Email Address, or Domain Name.

From the Peer ID Type drop-down list, select the identifier for the device to use for validation purposes, either IP Address, Email Address, or Domain Name.

You must select the same Local ID and Peer ID types that are configured on the remote device that will connect via the VPN tunnel.

STEP 10 If you are using X.509 Certificates (with either Aggressive Mode or Main Mode):

Select the Local Certificate you want to use from the Local Certificate drop-down list.

Select the type of information in the certificate to use for validation purposes from the Peer ID Type drop-down list, either Distinguished Name, Email Address or Domain Name. You must select the same type that is used on the remote device.

To specify the CA certificate you want to use to validate access to the VPN, check Only accept peer certificates signed by, and select the certificate from the drop-down list. This increases security on the VPN.

Note If you do not specify a certificate, the device will by default use any of the available CA certificates. CA Certificates are imported from the X.509 Certificates page (Authentication > X.509 Certificates).

STEP 11 If there is a NAT device between the two VPN devices, check Enable NAT-Traversal.

STEP 12 To enable the device to check that the VPN link is still functioning, check Enable Dead Peer Detection.

STEP 13 To initiate the VPN upon startup with the IKE phase 1 proposal automatically established, check Automatically connect phase 1 on system start-up.

Use this option if the device is using a dynamic external IP address.

If this option is checked, and you want to configure phase 2 connections to connect automatically, check Automatically connect phase 2.

STEP 14 To delete all Phase 2 security associations if the Phase 1 security association terminates, check Delete Phase 2 SA when Phase 1 SA terminates.

Note Some VPN devices automatically delete all the phase 2 security associations if the phase 1 security association terminates. To improve interoperability with such devices, check this option.

Configure Phase 2 Setup Parameters for an IKE Proposal

STEP 1 Select the required encryption and integrity combinations from the Encryption and Integrity drop-down lists.

STEP 2 Enter the duration of IKE Phase 2 in the Lifetime field (between 1 and 65535 seconds, default 28800). IKE Phase 2 will time out after this interval.
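The Phase 1 and Phase 2 steps above impose rules that span both ends of the tunnel (mirrored ID types, a matching certificate Peer ID type, the 1 to 65535 second lifetime range, and the CA restriction). The following is an added example, not part of the LSM product or this guide, that models a proposal on each device and reports the mismatches a practitioner would otherwise find only by a failed IKE negotiation; the class and field names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

ID_TYPES = {"IP Address", "Email Address", "Domain Name"}
CERT_PEER_ID_TYPES = {"Distinguished Name", "Email Address", "Domain Name"}


@dataclass
class IkeProposal:
    """One device's Phase 1 / Phase 2 settings (field names are this example's own)."""
    auth: str                          # "psk" or "x509"
    mode: str                          # "aggressive" or "main"
    local_id_type: Optional[str] = None
    peer_id_type: Optional[str] = None
    restrict_ca: bool = False          # "Only accept peer certificates signed by"
    delete_p2_with_p1: bool = False    # "Delete Phase 2 SA when Phase 1 SA terminates"
    phase2_lifetime: int = 28800       # seconds, valid range 1..65535


def check_proposal(name: str, p: IkeProposal) -> List[str]:
    """Per-device checks: the values the guide allows, plus the CA-pinning caveat."""
    findings = []
    if not 1 <= p.phase2_lifetime <= 65535:
        findings.append(f"{name}: Phase 2 lifetime {p.phase2_lifetime}s is outside 1..65535")
    if p.auth == "psk" and p.mode == "aggressive":
        for field in ("local_id_type", "peer_id_type"):
            if getattr(p, field) not in ID_TYPES:
                findings.append(f"{name}: {field} must be one of {sorted(ID_TYPES)}")
    elif p.auth == "x509":
        if p.peer_id_type not in CERT_PEER_ID_TYPES:
            findings.append(f"{name}: peer_id_type must be one of {sorted(CERT_PEER_ID_TYPES)}")
        if not p.restrict_ca:
            findings.append(f"{name}: any installed CA is accepted; pin the signing CA")
    return findings


def check_pair(local: IkeProposal, remote: IkeProposal) -> List[str]:
    """Cross-device checks: what each side validates must mirror what the other sends."""
    findings = check_proposal("local", local) + check_proposal("remote", remote)
    if (local.auth, local.mode) != (remote.auth, remote.mode):
        findings.append("authentication method and IKE mode differ between peers")
    if local.auth == "psk" and local.mode == "aggressive":
        # Each side's Peer ID type must equal the Local ID type the other side sends.
        if local.peer_id_type != remote.local_id_type or remote.peer_id_type != local.local_id_type:
            findings.append("Local/Peer ID types are not mirrored between peers")
    if local.auth == "x509" and local.peer_id_type != remote.peer_id_type:
        findings.append("certificate Peer ID type differs between peers")
    if local.delete_p2_with_p1 != remote.delete_p2_with_p1:
        findings.append("only one peer deletes Phase 2 SAs with Phase 1; enable it on both")
    return findings
```

An empty list from check_pair means both proposals satisfy every rule this page states; each string is one setting to revisit before attempting the tunnel.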

X Family LSM User’s Guide V 2.5.1
