The IPsec VPN tunnel itself is called an IPsec SA (Security Association). More specifically, a VPN tunnel is defined by two SAs, one for inbound traffic and the other for outbound traffic. An IPsec SA is configured using the following parameters:
Before the Threat Management Services (TMS) zl Module passes a packet through its IDS (Intrusion Detection System)/IPS (Intrusion Prevention System), firewall, and NAT policies, it checks the packet for an IPsec header. The TMS zl Module can establish SAs in two ways:

Defining an SA Manually

You can define the IPsec SA manually. In that case, you must specify:
Because this method of configuration is relatively insecure, HP ProCurve Networking does not generally recommend it, except when manual keying is the only viable method.

Defining an SA Using IKE

By far, the more secure and manageable solution for IPsec VPN configuration is to allow IKEv1 to negotiate the SA. IKE regulates the process as hosts authenticate each other, agree upon authentication and encryption algorithms, and generate the unique keys that are used to secure packets. Using IPsec with IKE provides increased security because keys are randomly generated and periodically changed. IKE also eases configuration: instead of configuring the SA manually, you configure IKE policies, which automatically negotiate the keys to establish the IPsec SA.