HP ProCurve Threat Management Solution Implementation Guide 2009-05
Configure VPNs Using the HP ProCurve Threat Management Services zl Module
Configure a Client-to-Site IPsec VPN for HP ProCurve VPN Clients
4. Create an object for the local endpoints:
a. For Name, type a name that is meaningful to you. For this example, type LocalEndpoints.
b. For Type, select Network (IP/Mask) or IP Range. For this example, select Network (IP/Mask).
c. Click Single-entry.
d. In the box below, specify the subnet or range of IP addresses for local endpoints that
the remote clients are allowed to access. For this example, type 192.168.4.0/24.
e. Click Apply.
5. Create an object for the virtual addresses that clients will use after establishing the VPN
connection:
a. For Name, type a name that is meaningful to you. For this example, type
ModeConfigAdds.
b. For Type, select Network (IP/Mask) or IP Range. For this example, select IP Range.
c. Click Single-entry.
d. In the box below, specify the subnet or range of IP addresses that will be assigned to
remote clients by IKE mode config. For this example, type 172.16.100.10-172.16.100.254.
e. Click Apply.
6. If you desire, you can create a multi-entry address object that includes the public IP address
of each remote client. Later, you will create firewall access policies to permit IKE and
possibly NAT-T traffic. At that time, you would use this address object to specify the
permitted sources of IKE and NAT-T messages. Alternatively, you can allow IKE and NAT-T
messages from any remote client. In this example, you choose the second option and do
not create an address object for remote clients’ public addresses.
7. Click Save.
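A pre-change sanity check for the two address objects created above, as an added example that is not part of the HP guide: it parses both entry formats the Type field offers, counts the addresses in the mode config pool, and flags a pool that overlaps the protected subnet. The function names and the no-overlap rule are assumptions of this example, not requirements stated by the guide.

```python
import ipaddress

def parse_entry(entry):
    """Return (first, last) for 'a.b.c.d/len' (Network) or 'start-end' (IP Range)."""
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if start > end:
            raise ValueError(f"range start is above range end: {entry}")
        return start, end
    # strict=True rejects entries with host bits set, e.g. 192.168.4.1/24
    net = ipaddress.IPv4Network(entry, strict=True)
    return net.network_address, net.broadcast_address

def overlaps(a, b):
    """True when two (first, last) ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]

def pool_size(rng):
    """Number of addresses in a (first, last) range, i.e. client leases available."""
    return int(rng[1]) - int(rng[0]) + 1

def check_plan(objects, pool_name):
    """Return a list of problems found in a planned set of address objects.

    Assumption of this example: the virtual address pool should not overlap any
    other object, so that traffic to a virtual address is never ambiguous with
    traffic to a local endpoint.
    """
    parsed = {name: parse_entry(entry) for name, entry in objects.items()}
    pool = parsed[pool_name]
    return [
        f"{pool_name} overlaps {name} ({objects[name]})"
        for name, rng in parsed.items()
        if name != pool_name and overlaps(pool, rng)
    ]

# Object names and values taken from the example in the steps above.
PLAN = {
    "LocalEndpoints": "192.168.4.0/24",
    "ModeConfigAdds": "172.16.100.10-172.16.100.254",
}

if __name__ == "__main__":
    print("pool size:", pool_size(parse_entry(PLAN["ModeConfigAdds"])))
    print("problems:", check_plan(PLAN, "ModeConfigAdds") or "none")
```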
Create an IKE Policy for Connecting to HP ProCurve VPN Clients
Follow these steps to create an IKE policy that the TMS zl Module can use to negotiate VPN
connections with remote VPN clients:
1. In the left navigation bar of the Web browser interface, click VPN > IPsec.
2. Click the IKEv1 Policies tab.
Figure C-99. VPN > IPsec > IKEv1 Policies Window
3. Click Add IKE Policy.
4. For IKE Policy Name, type a string that is unique to this policy. For this example, type
ProCurveClients.
The string can include 1 to 15 alphanumeric characters.
5. For IKE Policy Type, select Client-to-Site (Responder).