MSM7xx Controllers Configuration Guide v6.4.0
Auto-route discovery
Enable this option if you want the controller to automatically discover and add routes to IP
addresses on the other side of the PPTP tunnel. The addresses must be part of the specified
domain. Routes are added only when an attempt is made to access the addresses.
LCP echo requests
Certain VPN servers may terminate your connection if it is idle. If you enable this option,
the controller will send a packet from time to time to keep the connection alive.
Account
Username
Specify the username the controller will use to log on to the PPTP server. If you are logging
on to a Windows XP domain, specify domain_name\username.
Password / Confirm password
Specify the password the controller will use to log on to the PPTP server.
Network Address Translation (NAT)
If you enable NAT, it effectively hides the addresses of all local computers so that they are not
visible on the other side of the PPTP connection.
If you disable NAT, then the appropriate IP routes must be added to send traffic through the
tunnel.
Keeping user traffic out of the VPN tunnel
NOTE: The VPN tunnel should not be used to transport user traffic. The tunnel should only be
used to carry management traffic (RADIUS, SNMP, and management sessions).
To prevent user traffic from entering the tunnel, you must add access list definitions that DENY
access to all subnets on the other side of the tunnel.
Consider the following scenario:
[Figure: VPN tunnel between the VPN server and the controller. Labelled addresses: physical address 24.10.135.55, address in VPN tunnel 192.168.30.1; physical address 35.210.15.155, address in VPN tunnel 192.168.30.2.]
To protect the VPN, add the following definitions to the site access list:
access-list=vpn,DENY,all,192.168.30.0/24,all
use-access-list=vpn
This definition applies to all users, whether they are authenticated or not. It blocks access to the
VPN subnet for all traffic. For more information on using the access list feature, see “Access list”
(page 460).
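The following Python check is an added example, not part of the guide: it parses definitions in the form shown above and reports any tunnel-side subnet that an applied DENY rule does not fully block. The field meanings (list name, action, protocol, address, port) are inferred from the guide's example line, first-match rule ordering is an assumption, and the function names are hypothetical.

```python
import ipaddress

def parse_definitions(text):
    """Parse access-list= and use-access-list= lines into (rules, active_names)."""
    rules, active = [], set()
    for raw in text.splitlines():
        key, _, value = raw.strip().partition("=")
        if key == "use-access-list":
            active.add(value.strip())
        elif key == "access-list":
            fields = [f.strip() for f in value.split(",")]
            if len(fields) < 5:
                raise ValueError(f"malformed definition: {raw!r}")
            name, action, proto, addr, port = fields[:5]
            rules.append((name, action.upper(), proto.lower(), addr, port.lower()))
    return rules, active

def unprotected_subnets(text, tunnel_subnets):
    """Return the tunnel-side subnets that user traffic could still reach."""
    rules, active = parse_definitions(text)
    exposed = []
    for cidr in tunnel_subnets:
        subnet = ipaddress.ip_network(cidr)
        blocked = False                       # no matching rule: not blocked
        for name, action, proto, addr, port in rules:
            if name not in active:
                continue                      # defined but never applied
            try:
                rule_net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                continue                      # non-IP address form: not evaluated here
            if not rule_net.overlaps(subnet):
                continue
            blocked = (action == "DENY" and proto == "all" and port == "all"
                       and subnet.subnet_of(rule_net))
            break                             # assumption: first matching rule wins
        if not blocked:
            exposed.append(cidr)
    return exposed

# Constructed samples: the guide's two lines, plus two broken variants.
GUIDE = "access-list=vpn,DENY,all,192.168.30.0/24,all\nuse-access-list=vpn\n"
NOT_APPLIED = "access-list=vpn,DENY,all,192.168.30.0/24,all\n"
TOO_NARROW = "access-list=vpn,DENY,all,192.168.30.1,all\nuse-access-list=vpn\n"

if __name__ == "__main__":
    for label, cfg in [("guide", GUIDE), ("not applied", NOT_APPLIED), ("too narrow", TOO_NARROW)]:
        print(label, unprotected_subnets(cfg, ["192.168.30.0/24"]) or "protected")
```

A definition that is present but never named in use-access-list, or that denies only a single tunnel address, is reported as leaving the subnet exposed.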
Additional IPSec configuration
The page Controller >> VPN > IPSec provides some additional configuration options and information.
For information about IPSec certificates, see “IPSec certificates” (page 381).
IPSec VLAN mapping
Use these settings to define how IPSec traffic is routed on the LAN port (Access Network on
the MSM720) and Internet port (Internet Network on the MSM720). For an interface to be
514 Working with VPNs