HP ProCurve Threat Management Solution Implementation Guide 2009-05
C-47
Configure VPNs Using the HP ProCurve Threat Management Services zl Module
Configure a Client-to-Site L2TP over IPsec VPN for Windows XP Clients
c. For To, select the local zone. For this example, select Internal.
d. For Service, leave Any Address.
This is the most basic configuration. You could also permit only certain types of traffic.
e. For Source, specify the virtual addresses that the TMS zl Module assigns to L2TP
endpoints. For this example, select the DialIn address object.
f. For Destination, specify the local addresses that remote endpoints are allowed to
access.
g. Click Apply.
9. If you have specified multiple user groups in the L2TP dial-in user accounts, repeat step 7
and step 8 for each group.
10. If necessary for your services, create access policies that permit local endpoints to send
traffic to remote endpoints (at their virtual addresses and in the External zone). These policies
should generally be configured in the None user group.
11. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic somewhere between
the remote clients and the module), you must create two access policies to allow the
NAT-T traffic:
a. Verify that for User Group, None is selected.
b. For Action, accept the default: Permit Traffic.
c. For From, select the remote zone. For this example, select External.
d. For To, select Self.
e. For Service, select ipsec-nat-t-udp.
f. For Source, specify Any Address.
If you know the public addresses of all of your remote endpoints, you could create a
named object with those addresses and specify that object here.
g. For Destination, leave Any Address or specify the local gateway IP address.
For this example, select the LocalGateway address object.
h. Click Apply.
i. For From, select Self.
j. For To, select the remote zone. For this example, select External.
k. For Service, select ipsec-nat-t-udp.
l. For Source, leave Any Address or specify the local gateway IP address.
For this example, select the LocalGateway address object.
m. For Destination, specify Any Address.
If you know the public addresses of all of your remote endpoints, you could create a
named object with those addresses and specify that object here.
n. Click Apply.
12. Click Close.
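The following Python model is an added example, not the module's own configuration format or code. It represents the access policies created in step 8 and step 11 as rows in a zone-based policy table and evaluates a few constructed flows against them, to show why the NAT-T traffic needs one policy per direction (External to Self and Self to External), why a policy in the None user group applies to every flow while a policy in a named group only applies to that group's authenticated users, and why a permit whose Source is Any Address is still narrow when its Service is restricted to ipsec-nat-t-udp. The address object values (DialIn, LocalGateway, InternalLAN), the user group name L2TPUsers, the From zone of the step 8 policy, and the first-match-with-implicit-deny evaluation order are all assumptions of this example; ipsec-nat-t-udp is modelled as UDP port 4500, the NAT-T port defined in RFC 3948.

```python
"""Constructed model of the zone-based access policies described in this procedure.
Added example; not the TMS zl Module's own code. First-match evaluation with an
implicit deny is assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Named address objects (constructed values; real objects are whatever the
# administrator defined in the module).
ADDRESS_OBJECTS = {
    "Any Address": [ip_network("0.0.0.0/0")],
    "DialIn": [ip_network("10.99.0.0/24")],           # virtual addresses for L2TP endpoints
    "LocalGateway": [ip_network("203.0.113.10/32")],  # module's public address
    "InternalLAN": [ip_network("192.168.10.0/24")],   # local addresses remote users may reach
}

# Service objects: None means "Any"; NAT-T keepalive/ESP-in-UDP is UDP/4500 (RFC 3948).
SERVICES = {
    "Any": None,
    "ipsec-nat-t-udp": ("udp", 4500),
}


@dataclass(frozen=True)
class Policy:
    user_group: str     # "None" applies to every flow; a named group only to its members
    action: str
    src_zone: str       # From
    dst_zone: str       # To
    service: str
    source: str         # named address object
    destination: str    # named address object


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_ip: str
    dst_ip: str
    user_group: str = "None"  # group of the authenticated user, if any


def _in_object(name: str, ip: str) -> bool:
    return any(ip_address(ip) in net for net in ADDRESS_OBJECTS[name])


def _service_matches(name: str, proto: str, dport: int) -> bool:
    svc = SERVICES[name]
    return svc is None or svc == (proto, dport)


def matches(p: Policy, f: Flow) -> bool:
    return (
        p.user_group in ("None", f.user_group)
        and p.src_zone == f.src_zone
        and p.dst_zone == f.dst_zone
        and _service_matches(p.service, f.proto, f.dport)
        and _in_object(p.source, f.src_ip)
        and _in_object(p.destination, f.dst_ip)
    )


def evaluate(policies, flow: Flow) -> str:
    """First matching policy wins; a flow that matches nothing is dropped (assumed)."""
    for p in policies:
        if matches(p, flow):
            return p.action
    return "Deny Traffic"


# Step 8: L2TP users (assumed group name "L2TPUsers", assumed From zone External)
# at their DialIn virtual addresses reaching the Internal zone.
L2TP_POLICIES = [
    Policy("L2TPUsers", "Permit Traffic", "External", "Internal", "Any", "DialIn", "InternalLAN"),
]
# Step 11: the two NAT-T policies, one per direction, in the None group.
NAT_T_POLICIES = [
    Policy("None", "Permit Traffic", "External", "Self", "ipsec-nat-t-udp", "Any Address", "LocalGateway"),
    Policy("None", "Permit Traffic", "Self", "External", "ipsec-nat-t-udp", "LocalGateway", "Any Address"),
]

# Constructed sample flows (documentation address ranges).
NAT_T_IN = Flow("External", "Self", "udp", 4500, "198.51.100.7", "203.0.113.10")
NAT_T_OUT = Flow("Self", "External", "udp", 4500, "203.0.113.10", "198.51.100.7")
WEB_TO_MODULE = Flow("External", "Self", "tcp", 80, "198.51.100.7", "203.0.113.10")
L2TP_USER = Flow("External", "Internal", "tcp", 445, "10.99.0.5", "192.168.10.20", "L2TPUsers")
NON_DIALIN_USER = Flow("External", "Internal", "tcp", 445, "198.51.100.7", "192.168.10.20", "L2TPUsers")


def check_example_flows() -> dict:
    """Evaluate each sample flow with and without the step 11 NAT-T policies."""
    full = L2TP_POLICIES + NAT_T_POLICIES
    return {
        "nat_t_in_without_step11": evaluate(L2TP_POLICIES, NAT_T_IN),
        "nat_t_in": evaluate(full, NAT_T_IN),
        "nat_t_out": evaluate(full, NAT_T_OUT),
        "web_to_module": evaluate(full, WEB_TO_MODULE),
        "l2tp_user": evaluate(full, L2TP_USER),
        "non_dialin_user": evaluate(full, NON_DIALIN_USER),
    }


if __name__ == "__main__":
    for name, verdict in check_example_flows().items():
        print(f"{name:26s} {verdict}")
```

Running the script shows the inbound UDP/4500 flow denied until the step 11 policies exist, both NAT-T directions permitted afterwards, an unrelated TCP/80 flow to Self still denied, and traffic into Internal permitted only when it comes from a DialIn virtual address as an authenticated member of the group. When troubleshooting a NAT-T client that cannot connect, this is the order in which to check the configuration: zone pair, service object, then the source and destination objects.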
Verify Routes
The TMS zl Module requires a route to the remote Windows clients. View the module’s routes
in the Network > Routing > View Routes window. In this example, the module’s default gateway
routes traffic to these clients.