HP ProCurve Threat Management Solution Implementation Guide 2009-05
C-71
Configure VPNs Using the HP ProCurve Threat Management Services zl Module
Configure a Client-to-Site IPsec VPN for Macintosh IPSecuritas Clients
5. Permit traffic from the remote endpoints to local endpoints:
a. For Action, leave the default, Permit Traffic.
b. For From, select the remote zone. For this example, select External.
c. For To, select the local zone.
d. For Service, leave Any Service.
This is the most permissive configuration. To follow least privilege, create access policies
that permit only the services the remote clients actually need.
e. For Source, select the address or address group object that you created for remote
clients. For this example, select MacClients.
f. For Destination, specify the local addresses that the remote endpoints are allowed to
reach. For this example, select LocalEndpoints.
g. Click Apply.
6. If necessary for your services, create access policies that permit local endpoints to send
traffic to remote clients.
7. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic somewhere between
the remote clients and the module), you must create two access policies, one for each
direction, to allow the NAT-T traffic (carried in UDP port 4500):
a. For Action, accept the default: Permit Traffic.
b. For From, select the remote zone. For this example, select External.
c. For To, select Self.
d. For Service, select ipsec-nat-t-udp.
e. For Source, select the address or address group object that you created for remote
clients. For this example, select MacClients.
f. For Destination, leave Any Address or specify the local gateway IP address. For this
example, select LocalGateway.
g. Click Apply.
h. For From, select Self.
i. For To, select the remote zone. For this example, select External.
j. For Service, select ipsec-nat-t-udp.
k. For Source, leave Any Address or specify the local gateway IP address. For this example,
select LocalGateway.
l. For Destination, select the address or address group object that you created for remote
clients. For this example, select MacClients.
m. Click Apply.
8. In the Add Policy window, click Close.
Verify Routes
The TMS zl Module requires a route to the remote Macintosh clients. View the routes in the
Network > Routing > View Routes window. In this example, the module’s default gateway routes
traffic to these clients.
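The following is an added example, not code from the HP guide or the module: a small model of the access policies built in steps 5 and 7 and of the route check in Verify Routes, used to show why both NAT-T policies are needed and what the route lookup must return. The object names (MacClients, LocalEndpoints, LocalGateway, ipsec-nat-t-udp) follow the procedure; the zone name Internal for the local zone, the sample addresses, the first-match/implicit-deny evaluation order and the per-direction evaluation are assumptions made for the illustration. The ipsec-nat-t-udp service is modelled as UDP 4500, the NAT-T port defined in RFC 3948.

```python
"""Model of the TMS zl access policies and route check described above.

Added example, not HP's code. Assumptions: the local zone is named
"Internal", addresses are constructed sample values, policies are
evaluated first-match-wins with an implicit deny, and each direction
of a flow is evaluated on its own (which is why the procedure needs a
Self -> External policy as well as an External -> Self one).
"""
import ipaddress
from dataclasses import dataclass

# Address objects (constructed sample values).
ADDRESS_OBJECTS = {
    "MacClients":     [ipaddress.ip_network("198.51.100.0/24")],  # remote clients
    "LocalEndpoints": [ipaddress.ip_network("10.1.0.0/16")],      # protected LAN
    "LocalGateway":   [ipaddress.ip_network("203.0.113.10/32")],  # module's external IP
    "Any Address":    [ipaddress.ip_network("0.0.0.0/0")],
}

# Service objects: (protocol, destination port); None matches anything.
SERVICES = {
    "ipsec-nat-t-udp": ("udp", 4500),  # NAT-T encapsulation port, RFC 3948
    "Any Service":     (None, None),
}


@dataclass
class Policy:
    action: str       # "permit" or "deny"
    src_zone: str     # From
    dst_zone: str     # To
    service: str
    source: str       # address object name
    destination: str  # address object name


# The policies from steps 5 and 7, in the order they were applied.
POLICIES = [
    Policy("permit", "External", "Internal", "Any Service", "MacClients", "LocalEndpoints"),
    Policy("permit", "External", "Self", "ipsec-nat-t-udp", "MacClients", "LocalGateway"),
    Policy("permit", "Self", "External", "ipsec-nat-t-udp", "LocalGateway", "MacClients"),
]


def _in_object(addr: str, name: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ADDRESS_OBJECTS[name])


def evaluate(policies, src_zone, dst_zone, proto, dport, src, dst) -> str:
    """Return 'permit' or 'deny' for one direction of a flow (assumed semantics)."""
    for p in policies:
        if p.src_zone != src_zone or p.dst_zone != dst_zone:
            continue
        s_proto, s_port = SERVICES[p.service]
        if s_proto is not None and (s_proto, s_port) != (proto, dport):
            continue
        if not (_in_object(src, p.source) and _in_object(dst, p.destination)):
            continue
        return p.action
    return "deny"  # implicit deny when nothing matches


# Routing table as it might appear under Network > Routing > View Routes.
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "direct"),
    (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1"),  # default gateway
]


def lookup_route(dst: str):
    """Longest-prefix match; returns (network, next_hop) or None."""
    ip = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in ROUTES if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def nat_t_checks(policies=POLICIES) -> dict:
    """Evaluate the flows one NAT-T client session depends on."""
    client, gw = "198.51.100.23", "203.0.113.10"
    return {
        "client_to_gw_4500": evaluate(policies, "External", "Self", "udp", 4500, client, gw),
        "gw_to_client_4500": evaluate(policies, "Self", "External", "udp", 4500, gw, client),
        "client_to_lan":     evaluate(policies, "External", "Internal", "tcp", 443, client, "10.1.5.7"),
        "stranger_to_gw":    evaluate(policies, "External", "Self", "udp", 4500, "192.0.2.9", gw),
        "route_to_client":   lookup_route(client),
    }


if __name__ == "__main__":
    for name, result in nat_t_checks().items():
        print(f"{name}: {result}")
    # Leaving out the Self -> External policy (steps 7h to 7m) breaks the return path.
    print("gw_to_client_4500 without reverse policy:",
          nat_t_checks(POLICIES[:2])["gw_to_client_4500"])
```

The last line of the script is the check worth keeping in mind when the tunnel comes up but no traffic flows: with only the External to Self policy, the client's UDP 4500 packets reach the module but the module's replies are dropped. The route lookup shows that the default route is sufficient for the clients, which matches what the View Routes window should show in this example.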