HP ProCurve Threat Management Solution Implementation Guide 2009-05

Configure VPNs Using the HP ProCurve Threat Management Services zl Module
Configure a Client-to-Site L2TP over IPsec VPN for Windows XP Clients
Access Policies for an L2TP over IPsec VPN
You must configure firewall access policies to permit IKE traffic from the remote clients to the
module itself, as well as to permit the remote clients to access local services after they establish
the L2TP connection.
Before you begin configuring firewall access policies, determine the zone on which traffic from
the remote clients arrives. This is the zone of the TMS VLAN on which the clients contact the
module; the module's IP address on that VLAN is the local VPN gateway address. The instructions
below refer to this zone as the "remote zone." In this example, it is the External zone.
Note that even after the remote endpoints have received virtual IP addresses (configured in the
users' dial-in accounts), the traffic they send through the tunnel is still considered to have
originated in the External zone, so the policies that grant them access to local services are also
configured from that zone.
You should also determine the zone (or zones) of the local endpoints that the remote clients are
allowed to access. The instructions below refer to this zone as the "local zone." If remote clients
should be able to access local endpoints in multiple zones, you must create a separate access
policy from the remote zone to each of these local zones. In this example, the only local zone is
the Internal zone.
Finally, you must remember the name of the user group (or groups) that you configured for
L2TP dial-in users. Some of the access policies will be configured for those groups.
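The following Python model shows how the zone reasoning above plays out when policies are evaluated. It is an added illustration, not the TMS zl Module's own implementation: the zone names (External, Internal, Self), the isakmp service and the LocalGateway object come from this guide, while the sample addresses, the DMZ zone, the L2TP-Pool and Internal-Servers objects, the http service, the L2TP-Users group and the default-deny rule are assumptions made for the example.

```python
"""Model of zone-based access-policy evaluation for an L2TP over IPsec VPN.

Added example, not the module's own code. Zones External/Internal/Self, the
isakmp service and the LocalGateway object follow the guide; every address,
the DMZ zone, L2TP-Pool, Internal-Servers, http, L2TP-Users and the default
deny are assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Named address objects (constructed sample addresses from documentation ranges).
ADDRESS_OBJECTS: dict[str, list[IPv4Network]] = {
    "Any Address": [ip_network("0.0.0.0/0")],
    "LocalGateway": [ip_network("198.51.100.10/32")],  # module's IP on the External VLAN
    "L2TP-Pool": [ip_network("10.200.0.0/24")],        # virtual IPs handed to dial-in users
    "Internal-Servers": [ip_network("10.1.0.0/24")],   # hosts in the Internal zone
}

# Service objects as (protocol, destination port); None means any port.
SERVICES: dict[str, tuple[str, Optional[int]]] = {
    "isakmp": ("udp", 500),  # IKE, the service permitted to Self in step 3
    "http": ("tcp", 80),     # sample local service (assumption)
}


@dataclass(frozen=True)
class Flow:
    from_zone: str  # zone on which the packet arrives
    to_zone: str    # zone of the destination; "Self" is the module itself
    proto: str
    dport: int
    src: str
    dst: str
    user_group: Optional[str] = None  # group of the authenticated dial-in user, if any


@dataclass(frozen=True)
class Policy:
    action: str         # "Permit" or "Deny"
    from_zone: str
    to_zone: str
    service: str
    source: str         # address-object name
    destination: str    # address-object name
    user_group: Optional[str] = None  # None: applies regardless of user group

    def matches(self, f: Flow) -> bool:
        proto, port = SERVICES[self.service]
        return (
            self.from_zone == f.from_zone
            and self.to_zone == f.to_zone
            and proto == f.proto
            and (port is None or port == f.dport)
            and in_object(f.src, self.source)
            and in_object(f.dst, self.destination)
            and (self.user_group is None or self.user_group == f.user_group)
        )


def in_object(addr: str, obj_name: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in ADDRESS_OBJECTS[obj_name])


def evaluate(policies: list[Policy], f: Flow) -> str:
    """First matching policy wins; with no match the model denies (assumption)."""
    for p in policies:
        if p.matches(f):
            return p.action
    return "Deny"


# Remote zone = External, local zone = Internal, as in the guide's example.
POLICIES = [
    # Step 3: IKE from any remote address to the local gateway address.
    Policy("Permit", "External", "Self", "isakmp", "Any Address", "LocalGateway"),
    # Assumed follow-on policy: traffic from the dial-in users' virtual addresses,
    # which still counts as arriving from External, to servers in Internal.
    Policy("Permit", "External", "Internal", "http", "L2TP-Pool", "Internal-Servers",
           user_group="L2TP-Users"),
]


def example_results() -> dict[str, str]:
    """Verdicts for four constructed flows against POLICIES."""
    ike = Flow("External", "Self", "udp", 500, "203.0.113.77", "198.51.100.10")
    tunnelled = Flow("External", "Internal", "tcp", 80, "10.200.0.5", "10.1.0.20",
                     user_group="L2TP-Users")
    # Same user, but a local zone with no policy of its own.
    to_dmz = Flow("External", "DMZ", "tcp", 80, "10.200.0.5", "172.16.5.30",
                  user_group="L2TP-Users")
    # Untunnelled access from a public address straight to an internal server.
    direct = Flow("External", "Internal", "tcp", 80, "203.0.113.77", "10.1.0.20")
    return {
        "ike_to_gateway": evaluate(POLICIES, ike),
        "tunnelled_to_internal": evaluate(POLICIES, tunnelled),
        "tunnelled_to_dmz": evaluate(POLICIES, to_dmz),
        "direct_to_internal": evaluate(POLICIES, direct),
    }


if __name__ == "__main__":
    for name, verdict in example_results().items():
        print(f"{name}: {verdict}")
```

The DMZ flow is denied even though the user and source pool are the same, which is the point of the paragraph above: each local zone the clients may reach needs its own policy from the remote zone.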
1. In the left navigation bar of the Web browser interface, select Firewall > Access Policies.
The Unicast tab should be selected.
2. Click Add a Policy. The Add Policy window is displayed.
3. Allow IKE messages from the remote endpoints.
a. For Action, leave the default Permit Traffic.
b. For From, select the remote zone. For this example, select External.
c. For To, select Self.
d. For Service, select isakmp.
e. For Source, accept the default, Any Address.
If you know the public addresses of all of your remote endpoints, you can create a named
object with those addresses and specify that object here, which limits the module's IKE
responder to those hosts. Allowing any IP address is the easiest way to set up the VPN, and
it is unavoidable when the clients have dynamic public addresses, but it also leaves the
module's IKE service reachable from every host in the remote zone.
f. For Destination, leave Any Address or specify the IP address configured as the local
gateway in the IKE policy; specifying it limits the policy to IKE messages addressed to
that gateway address alone.
For this example, select the LocalGateway address object.