HP ProCurve Threat Management Solution Implementation Guide 2009-05

Configure VPNs Using the HP ProCurve Threat Management Services zl Module
Configure a Client-to-Site IPsec VPN for HP ProCurve VPN Clients
Figure C-113. Add User Window
b. For Username, type the username for the user that you are adding.
c. For Password and Verify password, type the password for the user.
d. For Inactivity Timeout, type the number of seconds that you want an inactive session to remain open.
e. Click OK. The user is now displayed in the Network > Authentication > Local Users window.
8. Click Save.
Access Policies for a Client-to-Site IPsec VPN for HP ProCurve VPN Clients
You must create firewall access policies to permit the remote clients to exchange IKE messages with the TMS zl Module. Other policies must permit the remote clients to access local services.

Before you begin configuring firewall access policies, determine the zone on which traffic from the remote clients arrives. This is the zone of the TMS VLAN on which remote clients reach the module and on which the local VPN gateway address is configured. The instructions below will refer to this zone as the “remote zone.” In this example, it is the External zone.

You should also determine the zone for local endpoints to which the remote clients are allowed access. The instructions below will refer to this zone as the “local zone.” If remote clients are allowed to access multiple zones, you must create policies for each of these zones. In this example, the single local zone is the Internal zone.
1. In the left navigation bar of the Web browser interface, click Firewall > Access Policies >
Unicast.
2. Click Add a Policy.
3. Allow IKE messages from the remote endpoints.
a. For Action, leave the default Permit Traffic.
b. For From, select the remote zone. For this example, select External.
c. For To, select Self.
d. For Service, select isakmp.
e. For Source, accept the default, Any Address.
If you know the public addresses of all of your remote endpoints, you can create a named object with those addresses and specify that object here, so that only those hosts can reach the module's IKE service. However, allowing any IP address is the easiest way to set up the VPN.
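The step 3 policy, and the Any Address versus named-object choice in step 3e, modelled as an added Python example. This is constructed for illustration and is not HP's code or the TMS zl Module's own matching logic; the field names mirror the Web interface, while first-match evaluation with a default deny, the isakmp-to-UDP/500 mapping, and the client addresses are assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Assumed mapping of the "isakmp" service to IKE on UDP/500.
SERVICES = {"isakmp": ("udp", 500)}

class Policy(NamedTuple):
    action: str             # "permit" or "deny"
    from_zone: str          # remote zone, e.g. "External"
    to_zone: str            # "Self" (the module) or a local zone such as "Internal"
    service: str
    source: Optional[list]  # None = "Any Address"; otherwise a named object of networks

class Flow(NamedTuple):
    from_zone: str
    to_zone: str
    proto: str
    dport: int
    src: str

def source_matches(policy: Policy, src: str) -> bool:
    if policy.source is None:
        return True
    return any(ip_address(src) in ip_network(n) for n in policy.source)

def evaluate(policies: list, flow: Flow) -> str:
    """First matching policy wins; no match is dropped (assumed default deny)."""
    for p in policies:
        proto, port = SERVICES[p.service]
        if (p.from_zone == flow.from_zone and p.to_zone == flow.to_zone
                and proto == flow.proto and port == flow.dport
                and source_matches(p, flow.src)):
            return p.action
    return "deny"

def ike_policy(source: Optional[list] = None) -> Policy:
    # Step 3: Permit Traffic, From External, To Self, Service isakmp, Source Any or a named object
    return Policy("permit", "External", "Self", "isakmp", source)

def demo() -> dict:
    known = Flow("External", "Self", "udp", 500, "203.0.113.10")      # constructed client address
    stranger = Flow("External", "Self", "udp", 500, "198.51.100.7")   # constructed unknown host
    any_source = [ike_policy()]                                       # step 3e default
    named_object = [ike_policy(["203.0.113.0/24"])]                   # known client addresses only
    return {"any_known": evaluate(any_source, known),
            "any_stranger": evaluate(any_source, stranger),
            "named_known": evaluate(named_object, known),
            "named_stranger": evaluate(named_object, stranger)}

if __name__ == "__main__":
    print(demo())
```

With Any Address the IKE service is reachable from every external host; the named object keeps the policy open only to the listed client networks.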