IPsec VPN Parameters: Quick Reference

Consult the table below for an alphabetical listing of each IPsec VPN parameter, a short description, and where to configure it.

To see equivalent names for the HP ProCurve Secure Router 7000dl series or the HP ProCurve VPN Client, click here.

To see a visual representation of some of these parameters, click here.

| Parameter | Description | Where to Configure |
|---|---|---|
| Action | How the TMS zl Module treats traffic that is selected for this policy | Add IPsec Policy, Step 1 of 4 |
| AH Keys | SPI number and authentication keys for manually keyed IPsec SAs | Add IPsec Policy, Step 2 of 4 |
| Anti-Replay Window Size | How far out of order the packets can arrive without being dropped | Add IPsec Policy, Step 4 of 4 |
| Authentication Algorithm | MD5 or SHA-1 for the IKE SA | Add IKE Policy, Step 2 of 3 |
| Authentication Algorithm | ESP or AH for the IPsec SA | Add IPsec Proposal |
| Authentication Method | Preshared key or certificate (RSA signature or DSA signature) for the IKE SA | Add IKE Policy, Step 2 of 3 |
| Copy DSCP Value | Whether to copy the DSCP value to the delivery header in tunnel mode | Add IPsec Policy, Step 4 of 4 |
| DF Bit Handling | How to handle the Don't Fragment bit | Add IPsec Policy, Step 4 of 4 |
| Diffie-Hellman Group | For secure key negotiation of the IKE SA | Add IKE Policy, Step 2 of 3 |
| Diffie-Hellman Group | For PFS key renewal on the IPsec SA | Add IPsec Policy, Step 2 of 4 |
| Direction | Apply an IPsec Bypass or Ignore policy to inbound or outbound traffic or both | Add IPsec Policy, Step 1 of 4 |
| DNS Servers | IP addresses of DNS servers that the VPN client can access for IKE mode config | Add IPsec Policy, Step 3 of 4 |
| DSCP Value | A value between 0 and 63 that can be used for QoS prioritization | Add IPsec Policy, Step 4 of 4 |
| Encapsulation Mode | Tunnel or transport mode | Add IPsec Proposal |
| Encryption Algorithm | The encryption algorithm for the IKE SA | Add IKE Policy, Step 2 of 3 |
| Encryption Algorithm | The encryption algorithm for ESP | Add IPsec Proposal |
| ESP Keys | SPI number, encryption keys, and authentication keys for manually keyed IPsec SAs | Add IPsec Policy, Step 2 of 4 |
| Extended Sequence Number | Increase the sequence number from 32 bits to 64 bits | Add IPsec Policy, Step 4 of 4 |
| Firewall Zone | Zone for the IKE mode config address ranges | Add IPsec Policy, Step 3 of 4 |
| Fragment Before IPsec | Fragment IP packets before IPsec encryption | Add IPsec Policy, Step 4 of 4 |
| IKE Mode Config | Virtual IP addresses for the remote VPN client to use on the private network | Add IPsec Policy, Step 3 of 4 |
| IKEv1 Policy | Configured separately (Add IKE Policy), it contains the parameters for an IKE SA, which negotiates the encryption key for the IPsec SA | Add IPsec Policy, Step 2 of 4 |
| IKE Policy Type | The type of VPN connection: site-to-site or client-to-site | Add IKE Policy, Step 1 of 3 |
| IP Compression | Compress IP packets before IPsec encryption | Add IPsec Policy, Step 4 of 4 |
| IPsec Proposal | The encapsulation mode, security protocol, and security algorithms for the VPN policy, configured separately (Add IPsec Proposal) and later selected | Add IPsec Policy, Step 1 of 4 |
| IRAS IP Address/Mask | IP address and mask of the IPsec remote access server for IKE Mode Config | Add IPsec Policy, Step 3 of 4 |
| Key Exchange Method | IKEv1 or manual key exchange for the IPsec SA | Add IPsec Policy, Step 2 of 4 |
| Key Exchange Mode | Main or aggressive | Add IKE Policy, Step 2 of 3 |
| Local Address | Source IP address(es) of traffic to which the IPsec policy applies | Add IPsec Policy, Step 1 of 4 |
| Local Gateway | IP address for the interface on which you want to receive IKE SA traffic | Add IKEv1 Policy, Step 1 of 3 |
| Local Gateway | IP address for the interface on which you want to receive IPsec SA traffic | Add IPsec Policy, Step 2 of 4 |
| Local ID | The name that the local device uses for authentication purposes | Add IKE Policy, Step 1 of 3 |
| Local Port | Source port of traffic to which the IPsec policy applies | Add IPsec Policy, Step 1 of 4 |
| Persistent Tunnel | Maintain the SA after it expires | Add IPsec Policy, Step 4 of 4 |
| PFS | The tunnel endpoints periodically generate new keys for the IPsec SA | Add IPsec Policy, Step 2 of 4 |
| Position | Priority of the IPsec policy | Add IPsec Policy, Step 1 of 4 |
| Pre-shared Key | Manually input key for IKE authentication | Add IKE Policy, Step 2 of 3 |
| Primary DNS Server | IP address of a DNS server that VPN clients can access | Add IPsec Policy, Step 3 of 4 |
| Primary WINS Server | IP address of a WINS server that VPN clients can access | Add IPsec Policy, Step 3 of 4 |
| Protocol | Specifies which types of traffic can pass through the VPN tunnel that the IPsec policy creates; manual-keyed IPsec policies only | Add IPsec Policy, Step 1 of 4 |
| Re-key on Sequence Number Overflow | Automatically renegotiate the SA before the last sequence number | Add IPsec Policy, Step 4 of 4 |
| Remote Address | Destination IP address(es) of traffic to which the IPsec policy applies | Add IPsec Policy, Step 1 of 4 |
| Remote Gateway | The IP address or FQDN of the interface that will receive VPN traffic on the remote VPN gateway | Add IKE Policy, Step 1 of 3; Add IPsec Policy, Step 2 of 4 |
| Remote ID | The name that the remote device uses for authentication purposes | Add IKE Policy, Step 1 of 3 |
| Remote Port | Destination port of traffic to which the IPsec policy applies | Add IPsec Policy, Step 1 of 4 |
| SA Lifetime in Kilobytes | Duration of the IPsec SA in bandwidth | Add IPsec Policy, Step 2 of 4 |
| SA Lifetime in Seconds | Duration of the IKE SA in seconds | Add IKE Policy, Step 2 of 3 |
| SA Lifetime in Seconds | Duration of the IPsec SA in seconds | Add IPsec Policy, Step 2 of 4 |
| SPI Number | Unique number that identifies a particular SA | Add IPsec Policy, Step 2 of 4 |
| Traffic Selector | Specifies which traffic can use the IPsec VPN | Add IPsec Policy, Step 1 of 4 |
| WINS Servers | IP addresses of WINS servers that VPN clients can access for IKE Mode Config | Add IPsec Policy, Step 3 of 4 |
| XAUTH Configuration | Optional layer of security for IKE | Add IKE Policy, Step 3 of 3 |