HP ProCurve Threat Management Solution Implementation Guide 2009-05
Configure VPNs Using the HP ProCurve Threat Management Services zl Module
Configure a Site-to-Site IPsec VPN
Figure C-32. Add Policy Window
g. Click Apply.
8. Permit traffic from the remote endpoints to the local endpoints:
a. For Action, leave the default, Permit Traffic.
b. For From, select the remote zone. For this example, select External.
c. For To, select the local zone. For this example, select Internal.
d. For Service, leave Any Address.
This is the most basic configuration. You could also create access policies that permit
only certain services.
e. For Source, specify the remote IP addresses allowed to send traffic on the VPN.
For this example, select the RemoteEndpoints address object. (You can also click
Options, select Enter custom IP, IP/mask or IP-Range, and type the subnet or IP addresses
of the remote endpoints.)
f. For Destination, specify the local addresses that the remote users are allowed to access.
For this example, select the LocalEndpoints address object. (You can also click Options,
select Enter custom IP, IP/mask or IP-Range, and type the subnet or IP addresses of the
local endpoints.)
g. Click Apply.
9. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic somewhere between
the gateways), you must create access policies to allow the NAT-T traffic between the
remote gateway and the module and vice versa:
a. For Action, accept the default: Permit Traffic.
b. For From, select the remote zone. For this example, type External.
c. For To, select Self.
d. For Service, select ipsec-nat-t-udp.
e. For Source, specify the remote gateway’s address.
For this example, select the RemoteGateway address object. (You can also click Options,
select Enter custom IP, IP/mask or IP-Range, and type the IP address of the remote
module.)
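The policies from steps 8 and 9 can be modeled as data and checked against sample packets before traffic is sent over the tunnel. This is an added example, not code from the HP guide. The addresses, the UDP 4500 mapping for ipsec-nat-t-udp, the "https" service, the unconstrained destination for step 9 and the deny-when-nothing-matches behaviour are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values: the page names these objects, not their contents.
OBJECTS = {
    "RemoteEndpoints": ip_network("192.168.20.0/24"),
    "LocalEndpoints": ip_network("10.1.10.0/24"),
    "RemoteGateway": ip_network("203.0.113.10/32"),
}
# Assumptions: ipsec-nat-t-udp is UDP 4500; "https" is a hypothetical narrower service.
SERVICES = {"Any": None, "ipsec-nat-t-udp": ("udp", 4500), "https": ("tcp", 443)}


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    service: str
    source: str       # address object name, or "Any"
    destination: str  # address object name, or "Any"


POLICIES = [
    # Step 8: remote endpoints to local endpoints, no service restriction.
    Policy("External", "Internal", "Any", "RemoteEndpoints", "LocalEndpoints"),
    # Step 9: NAT-T from the remote gateway to the module (destination assumed open).
    Policy("External", "Self", "ipsec-nat-t-udp", "RemoteGateway", "Any"),
]


def _addr_ok(obj, addr):
    return obj == "Any" or ip_address(addr) in OBJECTS[obj]


def _svc_ok(service, proto, dport):
    want = SERVICES[service]
    return want is None or want == (proto, dport)


def permitted(from_zone, to_zone, proto, dport, src, dst, policies=POLICIES):
    """True if a Permit Traffic policy matches; anything unmatched is denied (assumed)."""
    return any(
        p.from_zone == from_zone and p.to_zone == to_zone
        and _svc_ok(p.service, proto, dport)
        and _addr_ok(p.source, src) and _addr_ok(p.destination, dst)
        for p in policies
    )
```

Passing a list with a narrower service in place of "Any" shows the effect of the "permit only certain services" option mentioned in step 8.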