HP ProCurve Threat Management Solution Implementation Guide 2009-05
Configure VPNs Using the HP ProCurve Threat Management Services zl Module
Configure a Site-to-Site IPsec VPN
7. Leave the Position box empty.
When you leave this box empty, the IPsec policy is automatically added as the highest-priority policy.
8. Next, configure the VPN traffic selector, which determines which endpoints can send and receive traffic over the VPN tunnel:
9. For Traffic Selector, configure these settings:
a. For Protocol, specify the protocol for traffic allowed on the VPN:
– Any—Any IP protocol. Select this option when you want to allow all types of traffic between local and remote endpoints.
– TCP or UDP—Select this option in conjunction with a remote port to allow local traffic destined for a specific service in the remote network. Select this option in conjunction with a local port to allow remote traffic destined for a specific service in the local network.
– ICMP—Select this option when you want to allow only ICMP traffic.
– IP Protocols—Select one of these Layer 3 protocols, which are listed by their IANA IP Protocol numbers.
Service objects and service groups will not appear in this list.
For this example, select Any.
b. For Local Address, specify the IP addresses of all local endpoints that are allowed to send and receive traffic over the VPN.
For this example, select the LocalEndpoints address object that you created earlier. (You could also manually type an IP address, an IP address range, or a network address in CIDR format.)
c. Local Port is present if you selected TCP or UDP for Protocol. Type a specific port for the service to which remote clients are allowed access, or leave the field blank (which allows traffic to any port in the specified protocol).
In this example, you do not configure this setting because you selected Any for the protocol.
d. For Remote Address, specify the addresses for all remote endpoints allowed to send and receive traffic over the VPN.
For this example, select the RemoteEndpoints address object that you created earlier. (You could also manually type an IP address, an IP address range, or a network address in CIDR format.)
e. Remote Port is present if you selected TCP or UDP for Protocol. Type the port number for the service that you want to allow local endpoints to access in the remote network, or leave the field blank (which allows traffic to any port in the specified protocol).
In this example, you do not configure this setting because you selected Any for the protocol.
f. If you selected ICMP for the protocol, for ICMP Type, select Any.
Note Recheck the traffic selector settings and verify that the following traffic is not selected:
■ Management traffic from your management station to the TMS zl Module
■ Traffic between the local and remote modules’ gateway addresses
If this traffic is included within the traffic selector, you must either change the traffic selector or configure Bypass policies to exclude management and IKE traffic. See the HP ProCurve Threat Management Services zl Module Management and Configuration Guide.