Command Reference Guide

SROS Command Line Interface Reference Guide Crypto Map Manual Command Set
5991-2114 © Copyright 2005 Hewlett-Packard Development Company, L.P. 412
Technology Review
The following example configures a Secure Router OS product for VPN using IPSec manual keys. This example assumes that the Secure Router OS product has been configured with a WAN IP address of 63.97.45.57 on interface ppp 1 and a LAN IP address of 10.10.10.254 on interface ethernet 0/1. The peer private IP subnet is 10.10.20.0.
For more detailed information on VPN configuration, refer to the VPN Configuration Guide located on the ProCurve SROS Documentation CD provided with your unit.
Step 1:
Enter the Global configuration mode (i.e., config terminal mode).
>enable
#configure terminal
Step 2:
Enable VPN support using the ip crypto command. This command allows crypto maps to be applied to
interfaces, and enables the IKE server to listen for IKE negotiation sessions on UDP port 500.
(config)#ip crypto
Step 3:
Define the transform-set. A transform-set defines the encryption and/or authentication algorithms to be
used to secure the data transmitted over the VPN tunnel. Multiple transform-sets may be defined in a
system. Once a transform-set is defined, many different crypto maps within the system can reference it. In
this example, a transform-set named highly_secure has been created. This transform-set defines ESP
with Authentication implemented using 3DES encryption and SHA1 authentication.
(config)#crypto ipsec transform-set highly_secure esp-3des esp-sha-hmac
(cfg-crypto-trans)#mode tunnel
Step 4:
Define an ip-access list. An Extended Access Control List is used to specify which traffic needs to be sent
securely over the VPN tunnel. The entries in the list are defined with respect to the local system. The
source IP address will be the source of the traffic to be encrypted. The destination IP address will be the
receiver of the data on the other side of the VPN tunnel.
(config)#ip access-list extended corporate_traffic
(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
(config-ext-nacl)#deny ip any any
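As an added example (not part of the SROS guide), the following Python checks manual keys against the key lengths given in the Functional Notes table and derives the wildcard masks for the Step 4 access list from CIDR prefixes; the function names and the /24 prefix on the peer subnet are assumptions.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Required manual-key sizes, in hexadecimal bytes, taken from the
# Functional Notes table on this page.
MANUAL_KEY_BYTES = {"aes-192-cbc": 24, "aes-256-cbc": 32, "md5": 16, "sha1": 20}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def check_manual_key(algorithm: str, key_hex: str) -> Optional[str]:
    """Return None if key_hex is a usable manual key for algorithm, otherwise
    the reason it would be rejected (hypothetical helper, not an SROS command)."""
    needed = MANUAL_KEY_BYTES.get(algorithm.lower())
    if needed is None:
        return f"unknown algorithm {algorithm!r}"
    if not HEX_RE.match(key_hex):
        return "key is not hexadecimal"
    if len(key_hex) != needed * 2:
        return (f"{algorithm} needs {needed} bytes = {needed * 2} hex digits, "
                f"got {len(key_hex)} hex digits")
    return None


def wildcard(cidr: str) -> Tuple[str, str]:
    """Map a CIDR prefix to the 'network wildcard' pair an extended ACL entry
    expects, e.g. 10.10.10.0/24 -> ('10.10.10.0', '0.0.0.255')."""
    net = ipaddress.IPv4Network(cidr, strict=True)  # raises if host bits are set
    return str(net.network_address), str(net.hostmask)


def build_steps(transform: str, acl: str, local_cidr: str, peer_cidr: str) -> List[str]:
    """Render the Step 2 to Step 4 commands for the given names and subnets."""
    lnet, lmask = wildcard(local_cidr)
    pnet, pmask = wildcard(peer_cidr)
    return [
        "ip crypto",
        f"crypto ipsec transform-set {transform} esp-3des esp-sha-hmac",
        "mode tunnel",
        f"ip access-list extended {acl}",
        f"permit ip {lnet} {lmask} {pnet} {pmask} log",  # local LAN to peer LAN
        "deny ip any any",  # everything else is not selected for the tunnel
    ]


if __name__ == "__main__":
    # Constructed sample: the page's subnets (peer assumed /24), a 20-byte
    # SHA1 key that passes and a 19-byte one that is rejected.
    for line in build_steps("highly_secure", "corporate_traffic",
                            "10.10.10.0/24", "10.10.20.0/24"):
        print(line)
    print(check_manual_key("sha1", "ab" * 20))  # None
    print(check_manual_key("sha1", "ab" * 19))  # rejection reason
```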
Functional Notes (Continued)
Algorithm     Key length
AES-192-CBC   192 bits in length; 24 hexadecimal bytes
AES-256-CBC   256 bits in length; 32 hexadecimal bytes
md5           128 bits in length; 16 hexadecimal bytes
sha1          160 bits in length; 20 hexadecimal bytes